
Technology & Marketing Law Blog


January 27, 2012

Top Internet Law Developments of 2011

By Eric Goldman

As usual, I'm running late with my year-end recap. This post begins with my countdown of the top 5 Internet Law developments of 2011, then it lists other interesting developments and cases. It concludes with some of the most linked posts and then my editor's choice of some posts in 2011 that might have been a little overlooked. As usual, thanks for reading the blog in 2011!

Countdown: My Top 5 List of Developments in 2011

#5: Righthaven Implodes. Since the beginning, I've been skeptical of Righthaven's business model. Seriously, who else thinks it's a good idea to sue small-time mom-and-pop bloggers and non-profits on a one-by-one basis? However, even I had no idea that Righthaven would accelerate their own demise by routinely making basic litigation errors. A sketchy business model + a litigation shop that isn't very good at litigation = one dead start-up. It's always fun (in a bloodsporty way) to watch hubristic bullies get their just deserts, but watching the Randazza firm school the Righthaven litigators in Litigation 101 has been amazing. THAT'S how you litigate.

Righthaven lost often in 2011 (see my August reset). They lost fair use rulings (e.g., CIO, Choudry). They lost on standing grounds (e.g., Democratic Underground, Wolf). They were hit with sanctions. They were hit with hundreds of thousands of dollars of attorney fee shifts (e.g., Leon, Wolf, DiBiase). They even lost their domain name in an auction--a delicious irony given that Righthaven's complaints improperly demanded its defendants' domain names on the theory that it might need the domain name to satisfy a judgment against the defendant, when in fact it was Righthaven's domain name that was used to help satisfy a judgment against it!

Righthaven ended 2011 on death's door, but the trend of newspapers trolling for copyright litigation isn't going away. I'll be watching NewsRight closely in 2012.

#4: Medical Justice Gives Up. Speaking of hubristic bullies... You recall Medical Justice, the organization that helped doctors and other medical service providers take copyright assignments from patients in their as-yet-unwritten reviews so that the doctors could expeditiously remove unwanted reviews by sending 512(c)(3) takedown notices to review sites. It's an interesting legal hack, but it has some bad side-effects, including the fact that patients hated it, the copyright assignments almost certainly were void (for public policy reasons and others), doctors were hurting themselves by discouraging patient reviews (patients prefer to choose doctors when there's a critical mass of patient reviews), and (as our research uncovered) most consumer review sites ignored the doctors' 512(c)(3) takedown notices. Obviously, with those defects, Medical Justice wasn't exactly adding a ton of value to its clients. Medical Justice finally gave up, but too late to prevent a lawsuit against one of its clients and a complaint to the FTC. Chances are Medical Justice will be living with a long-term hangover from this entrepreneurial foray.

Seeing Medical Justice stop peddling anti-patient review tools was slightly satisfying, but that result was always a fait accompli. The reason Medical Justice's change of heart matters is that shady or clueless vendors keep developing new ways to suppress unwanted consumer reviews, and I hope Medical Justice's experiences will discourage other vendors from trying the copyright hack. I talk about these dynamics more in my paper on regulating reputational information.

#3: gTLD Expansion. It remains unclear exactly what ICANN's rollout of unlimited top level domains will do. Due to the expansion of new namespaces, brand owners face a long list of complicated--and potentially expensive--choices to make. Unfortunately, these choices don't really benefit society; instead, the gTLDs tax businesses while the benefits accrue to a small number of service providers (and, of course, ICANN itself). I think many businesses will reserve their name in multiple new gTLDs to prevent squatting--with the net effect that businesses will spend more money just to preserve the status quo. Meanwhile, most consumers are likely to be bewildered by the unlimited number of TLDs, which is just going to increase their tendency to rely on search engines and link directories rather than domain names to navigate to their desired destinations.

#2: Internet Consumer Privacy Lawsuits Tank. 2011 initially looked like the year of the Privacy Plaintiff. A torrent of privacy lawsuits had been filed, plaintiffs had wrested a few important and lucrative settlements, and Internet companies continue to make questionable privacy decisions that create a steady supply of potential new lawsuits.

But the path to riches didn't materialize. Instead, 2011 emerged as the year when privacy class action lawsuits mostly failed miserably. Courts principally rejected the lawsuits on standing grounds for lack of cognizable harm, but plaintiffs failed on other related grounds, such as a lack of damages negating the prima facie case. There were some exceptions where plaintiffs made a little progress (see, e.g., Claridge v. RockYou, Anderson v. Hannaford, Fraley v. Facebook). I'm sure the privacy plaintiffs' bar will be studying those rare successes to formulate a better battle plan--and to better prepare their cases and find strong named plaintiffs, a recurring omission that hasn't gotten a lot better over the year. However, for now, it's clear that the privacy plaintiffs' bar can't just show up in court and hold out their hands for a payday.

#1: Regulators Broke the Internet. We've always known that regulators could combat bad online activity by working "up the chain," i.e., by making upstream service providers liable for the bad acts or obligated to cut off the activity. However, for the most part, we've shared a tacit understanding that systematically going up the chain was a "nuclear" option--it would fix the specific problem but only at significant collateral cost that, on balance, makes the option unattractive.

I think we'll look back at 2011 as the year that tacit understanding broke down. In 2011, regulators around the world showed a seemingly insatiable demand for working up the chain. Although we in the USA like to think we're different from other repressive regimes, the evidence suggests otherwise. Some examples of "up the chain" activity in 2011:

* Arab Spring. Repressive regimes got local Internet access providers to turn off Internet access in the country.
* Operation in Our Sites. The Immigration and Customs Enforcement (ICE) agency keeps seizing domain names of suspected foreign rogue websites on an ex parte basis, making errors and breaking the law in the process. Mike Masnick blew open the story on Dajaz1.com, which ICE seized on an ex parte basis, conducted secret proceedings for a year, and then gave back the domain name with no explanation.
* Graduated Response. Copyright owners got Internet access providers to voluntarily (?) agree to restrict, and eventually terminate, their users' accounts.
* Secondary liability against intermediaries. Rightsowners keep expanding their intermediary targets, including lawsuits against ad networks and SEOs/web designers. To be fair, some of these lawsuits aren't going very far, and expansive secondary liability theories aren't new in 2011.
* Ex Parte Seizures. Rightsowners are asking for the moon against third party service providers in ex parte proceedings, and courts are giving it to them because the third parties aren't there to represent their own interests. We recap this epidemic in this post.
* SOPA and PIPA. These proposed bills were the finest examples of rightsowners pursuing the nuclear option regardless of the collateral damage. The bills' basic architecture was to attack a wide range of intermediaries for third party actions--domain name registrars, search engines, payment service providers, ad networks. By seeking to deputize the intermediaries, the bills sought to instantiate "up the chain" duties across virtually the entire Internet. Putting aside their other policy deficiencies, I think we should resist all laws predicated on that fundamental assumption of intermediary deputization. See my post on the OPEN bill for why I reject the compromise "follow the money" solution. Sadly, I stand virtually alone in my stance.

Other Interesting Developments.

Some other interesting developments this year:

* Patent Reform. The America Invents Act is the most dramatic patent reform bill in years, and it has many provisions that may affect Internet companies, including the joinder standards, the prior user defense, and the novelty/priority standards. The law doesn't fix the overall problems with bad Internet patents or unmeritorious assertions of those patents, but it nevertheless could make some dramatic changes in what Internet companies do.

* Google and Antitrust. Google has become the incumbent in search, and all of its rivals--especially the companies Google is disintermediating--are desperately seeking to knock it off its perch. I believe Google and antitrust was the #1 topic prompting reporter phone calls to me in 2011. We are waiting to see what comes from the FTC investigation into Google's practices, and the list of Google-haters keeps growing daily. At the same time, the anti-Google forces made surprisingly little actual progress in 2011, including suffering a conspicuous (and not even close) loss in the myTriggers case. See my paper on why I am so over the Google antitrust battles.

* DC's Obsession with Busting Silicon Valley Companies. Sometimes, it feels like DC insiders wake up in the morning and wonder, "What Silicon Valley company do I feel like busting today?" Drive down the 101 from San Francisco to San Jose and play the "Spot the FTC/DOJ Bust" bingo game. Some of DC's targets in 2011: Google Buzz, Twitter (finalized in 2011), Facebook, Google pharma ads, Apple and others for no-poaching restrictions, and others. Good times!

* Judges Order Litigants to Hand Over Passwords to Social Networking Sites. This year, several judges ordered litigants to turn over their Facebook passwords to their litigation opponents for discovery purposes. See, e.g., Zimmerman v. Weis (which I added to my Internet Law reader this year). In 10 years, we'll look back at this mini-trend and shake our heads at the judicial cluelessness. Social networking sites contain a mix of public and private information, and letting a litigation opponent root around the account is just as objectionable as making a litigant hand over the keys to his/her house so the opponent can rummage around.

Other Key Court Rulings in 2011

Some other interesting court decisions this year:

* Author's Guild v. Google. The court rejected the Google Book Search settlement agreement for good reasons, but it sent the parties back to square 1. Why the parties haven't been able to broker a legislative compromise is beyond me.

* Barclays v. theflyonthewall. The Second Circuit took a big bite out of the hot news doctrine. Unfortunately, the Second Circuit didn't kill the hot news doctrine outright, but the opinion leaves open very little room for hot news plaintiffs.

* Network Automation v. Advanced System Concepts. The most important keyword advertising ruling to come out in several years. While the ruling itself was a mixed bag for the litigants, the opinion tore down a number of crusty plaintiff-favorable legal doctrines that had cluttered up trademark jurisprudence for years--including virtually mooting the initial interest confusion doctrine and killing the "Internet trinity" bypass to the standard multi-factor likelihood of consumer confusion test. I've noticed that the opinion has already noticeably tilted courts towards more defense-favorable rulings.

* Betty Boop case (Fleischer Studio v. AVELA). For a few months, it looked like the Ninth Circuit had eliminated trademark merchandising rights in characters that were out-of-copyright. Then it changed its mind; but still it liberated Betty Boop to the world.

* PhoneDog v Kravitz. An interesting battle over ownership of a Twitter account.

* Levitt v. Yelp/Ascentive v. PissedConsumer. 47 USC 230 still works really, really well as an immunity. In Levitt, Yelp got a 230 dismissal of claims that Yelp had tried to get advertisers to pay to manage consumer reviews. In Ascentive, the court rebuffed a plaintiff's effort to use a trademark infringement claim against a consumer review website to work around 230.

* Habush v Cannon. Buying a person's name as the trigger for keyword advertising doesn't violate their publicity rights.

* UMG v. Shelter Capital. While everyone waits for the Second Circuit's decision in Viacom v. YouTube, the Ninth Circuit stole some of that thunder with a powerful endorsement of the 17 USC 512 safe harbor. Too bad Veoh didn't live long enough to enjoy the win.

* In re Rolando S. Rolando was convicted of felony identity theft for taking a classmate's Facebook page for a joyride. My vote for the most interesting Internet Law case of 2011, and an instant cyberlaw classic. I've already added it to my Internet Law reader, and the students seemed to enjoy discussing the case.

Some of the Most Linked Blog Posts in 2011 (Per Topsy)

* New Advertising & Marketing Law Casebook Available for Review
* Court Orders Plaintiff to Turn Over Facebook and MySpace Passwords in Discovery Dispute -- Zimmerman v. Weis Markets, Inc.
* "App Store" Isn't Generic, But Apple Can't Enforce Its Purported Trademark in the Term--Apple v. Amazon (Apple legal issues are always good link bait)
* Twitpic Modifies Terms and Claims Exclusive Rights to Distribute Photos Uploaded to Twitpic
* Republishing Entire Newspaper Story is Fair Use--Righthaven v. CIO
* Court Rules That Instant Message Conversation Modified the Terms of a Written Contract -- CX Digital v. Smoking Everywhere (the most popular post of the year by far--a modern Contract Law classic)
* Second Life Ordered to Stop Honoring a Copyright Owner's Takedown Notices--Amaretto Ranch Breedables v. Ozimals

Favorite "Overlooked" Posts

A few posts that maybe got overlooked a little:

* Cyberbullying and Restorative Justice [a Long-Delayed Post on DC v. RR]
* Racy Teen Photos Posted to Facebook Are Constitutionally Protected Speech--TV v. Smith-Green
* Marijuana Activist Can't Change His Name to "NJWeedman.com" -- In re Forchion
* Free-to-Consumers Ad-Supported Website Isn't Illegally Priced--Cammarata v. Bright Imperial
* What Would a Government-Operated Search Engine Look Like in the US?

Lists of Yore

Previous top 10 lists from 2010, 2009, 2008, 2007 and 2006. Before that, John Ottaviani and I put together a list of top Internet IP cases for 2005, 2004 and 2003.

Posted by Eric at 09:45 AM | Copyright , Derivative Liability , Domain Names , Evidence/Discovery , Internet History , Patents , Privacy/Security , Search Engines , Trademark



January 24, 2012

Comments on United States vs. Jones: What's Old is New Again (Guest Blog Post)

By Ethan Ackerman with comments from Eric

U.S. v. Jones No. 10–1259 (U.S. Supreme Court; Jan 23, 2012)

In 2005, federal agents convinced a judge to issue a warrant so they could affix a cellular-based GPS tracker to the underside of Antoine Jones' wife's car, which the agents then tracked constantly for almost a month. Unfortunately for the federal agents' subsequent criminal prosecution of Jones on cocaine distribution and conspiracy charges, the agents did so after the warrant had expired, and in a different state than the warrant permitted. After an unsuccessful trial, Jones appealed his conviction to the D.C. Circuit, which suppressed the warrantless surveillance, finding it was obtained through a Fourth Amendment violation.

In so holding, the D.C. Circuit split with the Seventh, Eighth and Ninth Circuits on the matter. Importantly for the Supreme Court, each of these Circuits found no search occurred (or in the case of the D.C. Circuit, a search had occurred) when analyzing the 'search' under the 'reasonableness' test of Fourth Amendment law developed from Katz v. United States.

Yesterday, the Supreme Court held that the government's search was a Fourth Amendment violation. Importantly, the five-member majority opinion by Justice Scalia reaches that result by effectively resurrecting the 'trespass' element of Fourth Amendment law that has been dormant for almost 50 years--and wasn't a part of any of the underlying Circuits' opinions. I don't want to denigrate the significance of that holding, and I suspect it will dominate much of the scholarly commentary about the ruling. Already, the universally-cited Orin Kerr, blogging at the Volokh Conspiracy, has several posts up about the trespass and mosaic theory aspects of Jones.

However, my biggest surprises from the opinions were the unanimity of support for the idea that this was a constitutionally-suspect search, and the numerical majority that also found this search unreasonable for non-trespassory "reasonableness" reasons. It's kind of a big deal that all nine Justices found this case to be a Constitutionally-infirm search, disagreeing with a significant portion (probably a majority) of the Circuit Courts' benches. Even more so, it's truly a big deal that five (a numerical majority) found this search "unreasonable" under a reasonableness test that looked to the intent of the searching officers and so casually dismissed the atomistic arguments of the government that at each moment the searching was being done in a public place. Both of these arguments have been mainstays in earlier Fourth Amendment decisions.

Additionally, much of the earlier commentary on the D.C. Circuit's unreasonableness rationale, somewhat pejoratively nicknamed a "mosaic theory," had focused on its novelty and un-testedness. However, five justices appear ready to apply it in this case. In particular, Justice Sotomayor's concurrence makes clear that she agrees with Justice Alito's four-member opinion adopting the D.C. Circuit's reasonableness rationale. In that concurrence, she amplifies the majority opinion's holding relying on trespass principles, but indicates this is an "irreducible constitutional minimum," above which Katz's reasonableness rationale (which Justice Scalia's majority opinion doesn't denigrate, even if it declines to evaluate the applicability of) still controls. Tom Goldstein shares my conclusion that there are effectively two majority opinions in this case. His excellent observations are here and also illuminate just how much was not resolved in the decision.

Eric's Comments

I really only learned two things in my Criminal Procedure class from law school: (1) every fact matters, and (2) the Supreme Court makes up the rules from case-to-case. At the time, I didn't feel I got very much from my class, but in retrospect, perhaps I actually learned everything that really mattered in Fourth Amendment jurisprudence. As Ethan recaps and as Paul Ohm indicated (United States v. Jones is a Near-Optimal Result), this opinion is a mix of good news (get a warrant before GPSing my car) and unresolved issues (basically everything else--ranging from practical questions like the legitimacy of warrantless tracking of cellphone movements to theory battles over whether the Fourth Amendment protects against trespass, violations of reasonable expectations of privacy or both).

Putting aside those important questions, the opinions articulated some deep distrust of government motives. I am always perplexed when the privacy community loses sight that the government is the real privacy threat, not the private sector. It also seemed that the judges did, in fact, internalize the personal threat that police could monitor their own cars without a warrant. It reminded me a little of the RIM case where the judges tried to envision their personal situation without their Crackberries.

Posted by Ethan Ackerman at 03:37 PM | Privacy/Security



January 18, 2012

Third Circuit Says Data Breach Plaintiffs Lack Standing Absent Misuse of Data -- Reilly v. Ceridian

[Post by Venkat Balasubramani]

Reilly v. Ceridian Corp, 11-1738 (3rd Cir. Dec. 12, 2011)

Ceridian is a payroll processing firm. Reilly and Pluemacher were employees of a law firm that was a Ceridian customer. In December 2009, Ceridian suffered a “security breach.” A hacker infiltrated Ceridian’s system and gained access to information belonging to 27,000 employees at 1,900 companies. After investigating, Ceridian sent a letter to the affected individuals, letting them know that their personal information, including “first name, last name, social security number and, in several cases, birth date and/or bank account” information was accessed. Ceridian provided the affected individuals one year of free credit monitoring and identity theft protection. (It’s unclear as to whether plaintiffs took advantage of this, but they alleged that they spent money for monitoring efforts.)

The Third Circuit focuses on the issue of whether plaintiffs have standing. The court canvasses the precedent and says most courts addressing standing for data breach plaintiffs have concluded that plaintiffs lack standing because the harm is too speculative. The court agrees:

Here, no evidence suggests that the data has been--or will ever be--misused. The present test is actuality, not hypothetical speculations concerning the possibility of future injury.

Plaintiffs relied on Pisciotta v. Old National Bancorp and Krottner v. Starbucks for the proposition that the increased risk of identity theft is sufficient to confer Article III standing. The court distinguishes these cases on the basis that, in those cases, the threatened harms were “more imminent”. In Pisciotta there was evidence that the hacker’s intrusion was sophisticated, and in Krottner, there was evidence that someone attempted to misuse the purloined information.

Plaintiffs also cited, by analogy, where courts have broadened standing requirements in other contexts (toxic tort, defective medical devices, and environmental injury). The court is not persuaded. The court says that, in those cases, an injury has occurred, even if it has not manifested itself and it cannot be presently quantified. In contrast, in the data breach context, “any damages that may occur here are entirely speculative and dependent on the skill and intent of the hacker.” Second, the court says that the medical device and toxic tort cases raise “human health concerns.” Courts relax the test for standing where human “suffering” is involved. The injury in those cases cannot be remedied by money. This is similar to the environmental injury cases where courts say that plaintiffs challenging actions on the basis of environmental regulation should be allowed to proceed because monetary compensation may not fix the harm that will occur:

unlike priceless “mountains majesty,” the thing feared lost here is simple cash, which is easily and precisely compensable with a monetary award.

The court finally says that the amounts expended by plaintiffs are not sufficient to confer standing because the money was not spent to avert or deal with any “actual injuries.”
__

Courts have pretty uniformly rejected data breach lawsuits, but the recent trend is to do so on the basis of Article III standing, rather than on the merits. This case looks like it's on the more restrictive end of the spectrum as far as standing goes.

The court’s attempt to distinguish other data breach cases on the basis that the harms in other cases were imminent or more obviously likely to occur isn’t the most convincing. Hackers have been known to compromise data in order to demonstrate security vulnerabilities, but if this is not the case, isn’t it fair to assume that data will be misused in some way? Aren't all hackers by definition sophisticated? Aren't all data breaches presumptively malicious? On the other hand, the data breach plaintiffs never seem to have adequate data to present to the court that the information in question is being misused. Even data pointing to the frequency of misuse in other breach cases would be useful to sway a court, but it's either not available or not being highlighted by plaintiffs. It's also surprising to see plaintiffs' counsel not include someone in the lawsuit who has had their information misused. (Maybe data breach cases are not well suited to resolution on a class basis?)

Some courts (In re Hannaford; Ruiz v. Gap) have said that basic monitoring services are reasonable mitigation efforts and, as a result, companies that suffer breaches are offering this to affected individuals as a matter of course. Here it’s unclear whether plaintiffs took advantage of this but also took efforts of their own. Although it's not clear, it looks like in this court's view, even basic monitoring is not necessary and a failure to provide it would not form the basis for standing.

While the cases are across the board in how they get there, one thing is for sure. Data breach plaintiffs have gotten little or no relief in the courts.

Other coverage:

Federal Appeals Court: Risk of ID Theft Does Not Confer Standing for Data Breach Suit

Previous posts:

"9th Circuit Affirms Rejection of Data Breach Claims Against Gap -- Ruiz v. Gap"
"The [Non]enforceability of Privacy Promises--Pinero v. Jackson Hewitt"
"Acxiom Not Liable for Security Breach"
"When Does a Privacy Policy Breach Support a Breach of Contract Claim? In re JetBlue"
"Starbucks Data Breach Plaintiffs Rebuffed by Ninth Circuit -- Krottner v. Starbucks"
"In Hannaford Data Breach Case, First Circuit Says Card Replacement and ID Theft Insurance are Reasonable Mitigation Damages and Compensable--Anderson v. Hannaford Bros"

Posted by Venkat at 09:31 AM | Privacy/Security



January 16, 2012

Copyright Doe Defendant Can’t Quash Disclosure Subpoena Anonymously—Hard Drive Productions v. Does (Guest Blog Post)

By Guest Blogger Elliott Alderman with brief comments from Eric

[Eric’s introductory note: Elliott Alderman is an IP attorney in Washington DC. I asked if he could guest-blog this opinion after calling it to my attention.]

Hard Drive Productions, Inc. v. Does 1-1,495, Civil Action No. 11-1741 (D.D.C. Dec. 21, 2011)

Overview: A DC Magistrate Judge recently ruled that a defendant cannot file anonymous motions to quash disclosure subpoenas in a copyright file-sharing case. This ruling invites discovery abuses--and kicks due process.

The fragile balance between copyright owners enforcing their rights and the privacy interests of IP address owners was upended recently in Hard Drive Productions, Inc. v. Does 1-1,495, Civil Action No. 11-1741 (2011). There, the magistrate held that individuals who subscribe to the Internet through ISPs have no expectation of privacy in their subscriber information, since they have already disclosed this information to their service providers. So when copyright owners file disclosure subpoenas seeking subscriber information, local district court rules require that responding IP address owners must publicly identify themselves as part of filing a motion to quash.

There are two separate levels of privacy involved here: (1) public knowledge (including opposing counsel) of the IP address owner’s identity, and (2) the court’s knowledge of the parties involved in an action before it. A simple solution to the considerable detriment posed to subpoenaed parties is to allow motions to be filed under seal. At this stage, it is only discovery, not adjudication on the merits of the underlying claims, and there is no public benefit to disclosure before consideration of the motions.

Some background: As content owners move from suing download sites for inducement liability to a model of filing reverse class actions against unnamed individual users of P2P networks, discovery of infringers becomes crucial. However, content monitoring software, at best, may associate a digitally marked file with an IP address, but does not identify the owner of the account. And, significantly, the owner of the account is not, by definition, an infringer. So with IP addresses in hand, copyright owners must file disclosure subpoenas with ISPs to get the subscriber information associated with the identified IP addresses.

Typically, consistent with due process (and common sense), IP address owners responding to a disclosure subpoena have the right to preserve their anonymity while a judge reviews the propriety of the class action and the corresponding subpoena. Without the protection of anonymity, a motion to quash a disclosure subpoena is rendered moot, since disclosure of personal information on a public docket reveals the name and address information sought by the subpoena. See Achte/Neunte Boll Kino Beteiligungs GmbH & Co. v. Does 1-4,577, 736 F. Supp. 2d 212, 215 (D.D.C. 2010). Ironically, Achte/Neunte is one of the cases cited by the magistrate in support of public disclosure.

For a number of reasons, Hard Drive makes no sense. A subpoenaed owner essentially no longer has a right to contest disclosure, since challenging the merits of the discovery process reveals the very thing sought in discovery – his identity. And even if the judge later holds that the owner was misjoined, that an IP address is not an infringer, or any of the other bases that courts throughout the country are using to dismiss file-sharing defendants and kill these suits, plaintiffs have the personal information that they need to harass presumptively innocent parties. Worse still, plaintiffs will be encouraged to withdraw subpoenas before judges evaluate their merits, since the subpoenaed information will already be in hand.

As noted above, the Hard Drive magistrate also based his holding on Local Rule 5.1, which requires that all parties who file pleadings and papers with the district court must provide their name and full residence address, even if they are seeking to proceed anonymously. Judge Bates, who had assigned the case to the magistrate, originally ordered that motions to quash would remain under seal even if the moving party lost. How about a Solomonic compromise? Allow motions to be filed under seal, then only if the motion is denied would subscriber information be released, since the ISP is going to disclose the information anyway. Certainly there are policy reasons supporting the requirement that parties identify themselves to the court -- not the least of which is that it has no way of communicating with unrepresented Does – but permitting sealed motions balances the interests of copyright owners seeking to vindicate their rights against the privacy rights of IP address owners.

Moreover, the central premise of the decision, that there is no expectation of privacy in business transactions where information is disclosed to a third party, defies logic. One also shares information with telephone and insurance companies, and medical doctors – third parties all – but an expectation of privacy remains. Moreover, courts have implicitly recognized a privacy interest in ISP subscriber information, holding that copyright owners may not use the DMCA’s takedown notice-subpoena provisions to discover subscriber identities. See Recording Industry Association of America v. Verizon Internet Services, Inc., 351 F.3d 1299 (D.C. Cir. 2003); In re Charter Communications, Inc., 393 F.3d 771 (8th Cir. 2005). And although it may be argued that when copyright infringement is at issue there is no free speech right to anonymity, see, e.g., Sony Music Entertainment, Inc. v. Does, 326 F. Supp. 2d 556 (S.D.N.Y. 2004), the extortionate nature of the file-sharing cases is such that fairness would dictate that IP address owners should be able to anonymously defend against inclusion in classes of unrelated others.

Further, even assuming that an individual has no reasonable expectation of privacy in his subscriber information, he certainly does in his choice of movies. Part of the copyright troll business model, particularly for pornographic films, is the threat of publicly associating an individual with his private tastes. I have represented a number of owners who have had their routers hacked or had tenants or other unauthorized parties who used their Wi-Fi connections. With or without legal liability, too many of these parties have settled because privacy is a more expensive currency than cash.

In fact, in other contexts where there is the potential for stigma or embarrassment, courts typically evaluate the merits of the underlying case before requiring disclosure of confidential information, like a person’s identity. See, e.g., Doe v. Smith, 429 F.3d 706 (7th Cir. 2005). The potential for harm to defendants in file-sharing cases is worse, however, because in addition to whatever shame or stigma attaches to being labeled an infringer or, worse, a porn hound (I think that’s the legal term), there are immediate legal consequences to stripping anonymity. Not permitting sealed motions is like having discovery first, then later evaluating its legitimacy.

Finally, the importance of the anonymous motion is intertwined with the architectural problems with the reverse class action model generally. This is not a white hat/black hat debate between content creators and piracy. Rather, the file-sharing cases are about the economics of joining unrelated parties in a class as a cost-effective way to pursue often non-meritorious actions, where secondary parties who are not infringers become the collateral damage. A number of courts have dismissed these actions on a variety of grounds, including that:

* IP address owners are not intrinsically infringers. See VPR Internationale v. Does 1-1017, 2:2011cv02068 (C.D. Ill. 2011) (an IP address is not a person);
* different owners have different defenses; and
* unrelated owners do not act in concert by using a P2P program. K-Beech, Inc. v. John Does 1-85, Civil Action No. 3:11cv469 (E.D. Va. 2011); Raw Films, Ltd. v. John Does 1-32, Civil Action No. 3:11cv532 (E.D. Va. 2011); Hard Drive Productions, Inc. v. Does, No. C-11-01566 (N.D. Cal. 2011).

Moreover, the reliability of monitoring programs is suspect (see Challenges and Directions for Monitoring P2P File Sharing Networks, University of Washington Technical Report UW-CSE-08-06-01), and because a number of ISPs use dynamic IP addresses (where an IP address is rotated among several users) and “infringements” are generally date- and time-stamped, the odds of mistakenly associating a particular IP address with the “infringement” are greatly increased.

All this for want of a sealing motion!
___________

Eric’s Comments

This is a bad ruling. The court has guaranteed that the copyright plaintiff can unmask defendants simply by asking for a subpoena—either the subpoena is granted or the defendant reveals him/herself to fight the subpoena. That’s not the way the system is supposed to work. By creating a no-recourse situation for anonymous/pseudonymous defendants, the court has stripped them of essential due process rights. And, as we know, plaintiffs able to unmask defendants often can take advantage of substantial extra-judicial remedies, such as the public embarrassment factor in porn copyright cases. Thus, this ruling unfairly screws over anonymous defendants in these cases. It needs to be fixed.

For more on the topic, see Lior Strahilevitz’s paper Pseudonymous Litigation.

Posted by Eric at 10:00 AM | Copyright , Evidence/Discovery , Privacy/Security



January 10, 2012

Mass Ct: ZIP Code is Personal Identification Info Under Credit Card Statute But Plaintiff Must Still Allege Harm -- Tyler v. Michaels Stores

[Post by Venkat Balasubramani]

Tyler v. Michaels Stores, Inc., 2012 WL 32208 (D. Mass.; Jan. 6, 2012)

Last year, the California Supreme Court held that a ZIP Code is personal identification information for purposes of a statute which restricted the type of information a retailer could collect: "California Supreme Court Rules That a ZIP Code is Personal Identification Information -- Pineda v. Williams-Sonoma." A federal court in Massachusetts recently construed a similar Massachusetts statute to reach the same conclusion, albeit for different reasons. But having found that the retailer in this case technically violated the statute, the court dismisses the case on the basis that the plaintiff failed to allege a cognizable injury.

Is a ZIP Code Personal Identification Information?: Section 105(a) of Massachusetts General Laws provides:

No person, firm, partnership, corporation or other business entity that accepts a credit card for a business transaction shall write, cause to be written or require that a credit card holder write personal identification information, not required by the credit card issuer, on the credit card transaction form. Personal identification information shall include, but shall not be limited to, a credit card holder’s address or telephone number.

The court looks to the legislative history behind the statute and says that the Massachusetts legislature’s intent was different from California’s. While the California legislature was concerned with retailers obtaining personal identification information and using it for marketing purposes, the Massachusetts legislature was more concerned about security and fraud prevention. Thus, while Pineda looked to whether a ZIP Code could be used (together with the customer’s name) to locate the individual, the court in this case focused on whether recordation of this information by a retailer poses the risk of identity theft or fraud. The court looks to Massachusetts’ identity theft statute, which defines personal identifying information as “any name or number that may be used . . . to assume the identity of an individual.” The court says that inputting a ZIP code in the context of a credit card transaction is similar to inputting a PIN number in the context of a debit card transaction. Because the ZIP code is information that can be used along with other card holder information to commit identity theft and criminal fraud, the court says that the ZIP code is personal identification information for purposes of the statute.

Did the Retailer Write the Information on a Transaction Form?: Michaels argued that the statute does not cover electronically stored information and that the transaction form has to be a paper document. The court rejects this argument for several reasons. First, the statute applies to all credit card transactions, whether they are processed manually, electronically, or through other means. The act does not distinguish between paper and electronic forms, and the court says that the risk of identity theft is present regardless of the type of transaction. The statute also permits the retailer to include information in the transaction form that is required by the credit card issuer. The retailer collects information during the transaction process (as required by the credit card issuer) and then issues the receipt, which may contain information different from the transaction form. (For example, the card number has to be truncated on the receipt under FACTA.) “The receipt is a printout of the permissible information on the transaction form, but it is not the transaction form itself.” (For what it’s worth, FACTA is also a statute aimed at curbing identity theft, but does not cover emailed receipts: “FACTA Does Not Cover Emailed Receipts.”)

Has Plaintiff Alleged Cognizable Injury?: The statute in question does not provide for statutory damages. It only says that a violation of the statute is “deemed to be an unfair and deceptive trade practice.” A claim for unfair and deceptive trade practice requires a showing of “injury and loss” and a causal connection between defendant's practices and plaintiff's injury. Plaintiff had not been subject to identity theft, so she had to prove injury or loss in other ways. She does not argue that she has an increased risk of identity theft. Instead, she argues that Michaels used her name and ZIP code in conjunction with a commercially available database to determine her address and phone number. The court says that her allegations are insufficient because she does not allege that Michaels acted illegally in accessing the database. She also alleged that she was injured because she received “a deluge of unwanted mail.” The court says that this is not an injury cognizable under the statute since the statute was enacted to prevent fraud. [Although not cited in the order, see Cherny v. Emigrant Bank, for the proposition that the receipt of spam is not in itself a compensable harm.]

Unjust Enrichment: Plaintiff also brought a claim for unjust enrichment. This claim is similar to the "PII-as-valuable-property" claim brought by the RockYou plaintiffs. ("Judge Recognizes Loss of Value to PII as Basis of Standing for Data Breach Plaintiff -- Claridge v. RockYou.") Under this theory, her personal information is a valuable piece of property so plaintiff should receive some compensation when she 'exchanges' this information with the retailer. The court says there are two problems with this argument. First, the ZIP code is not itself valuable to Michaels. It derives value only due to “the independent work and cross-referencing necessary to obtain the full address.” Second, the court says that reasonable people would not expect compensation for turning over their ZIP code, and plaintiff did not allege that, had she known all the facts, she would have “charged” Michaels for the ZIP code.
__

The conclusion that plaintiff did not state a cognizable injury was the most interesting. The court drops a giant footnote saying that it’s not deciding this case on the basis of Article III standing, but even if it were, the result would be the same (citing In re iPhone App Litigation; Specific Media; In re Facebook Privacy Litigation). There is a big grey area here, which is whether a violation of a state law alone is enough to support standing, or whether, even when plaintiff makes out a prima facie violation of a state statute, a plaintiff has to separately prove damages as a threshold matter. Can state legislatures circumvent Article III standing requirements? Can Congress? The court says that these issues are not implicated since the unfair trade practice statute only confers standing upon those who show that they have been injured. (My gut feeling is that Congress and state legislatures should have the power to define when a plaintiff can sue; at least they do so routinely. The court says that clarity on the standing question is forthcoming, since the Supreme Court granted cert. in Edwards v. First Am. Corp.)

The court’s conclusion on the unjust enrichment claim is also interesting. While one or two decisions accepted (at the motion to dismiss stage) the theory that personal information must be valuable because the defendant monetized it, later decisions, like this one, require plaintiffs to more clearly articulate their misappropriation theories. Just because information is valuable in someone else’s hands does not mean that their use of that information is a misappropriation of your property.

It’s unclear whether the court’s rejection of plaintiff’s injuries is a result of the court’s construction of the credit card statute as aimed at combating identity theft and fraud, or whether it’s because Massachusetts’ unfair trade practices statute (like California’s) requires some out-of-pocket loss.

Overall, this decision, like many of the privacy lawsuits we’ve blogged about, reflects a reluctance by courts to recognize informational privacy claims where they don't easily see out-of-pocket losses. The risk of future identity theft is not getting much traction in courts. (See also Reilly v. Ceridian, a recent 3rd Circuit case which is in the blogging queue.) The “personal information as currency” theory is not getting much traction in courts either. When those two theories are taken out of the mix, the plaintiff is left only to allege that the defendant violated the statute and therefore plaintiff is entitled to damages. Courts are requiring privacy plaintiffs to allege more than this.

Posted by Venkat at 07:51 AM | Privacy/Security



January 06, 2012

Did a Court Eliminate 512(h) Subpoenas?--Maximized Living v. Google

By Eric Goldman with additional comments from David Gingras

Maximized Living, Inc. v. Google, Inc., 2011 WL 6749017 (N.D. Cal. Dec. 22, 2011). The initial 512(h) subpoena. The Justia page.

17 USC 512(h) is a relic of a different era. The basic architecture of 17 USC 512 seeks to put copyright liability on users instead of their service providers. However, for that scheme to work, anonymous/pseudonymous infringers must be identifiable so the copyright owners can sue them instead of the intermediaries. 512(h) seeks to expedite the identification of alleged infringers by allowing copyright owners to get an unmasking subpoena super-easily. All copyright owners need to do is file a subpoena request with a court clerk, and in response the court clerk *must* issue the subpoena--the copyright owners don't need to file a lawsuit, and no judge reviews or approves the subpoena's issuance.

Indeed, neither the clerk nor a judge has any statutorily provided discretion to refuse the subpoena. As a result, 512(h) is now badly out-of-step with the law governing anonymous/pseudonymous online defendants that has developed over the past decade in response to unmasking abuses. In areas other than copyright, plaintiffs usually must make some showing that their substantive claims are meritorious before a judge will issue an unmasking subpoena. (The level of the plaintiff's showing depends on a variety of factors.) In contrast, a 512(h) subpoena issues irrespective of the substantive merits of the plaintiff's claims--thus opening up a backdoor channel to unmasking abuses. For example, last year I got anecdotal reports that doctors used 512(h) to unmask patients that anonymously/pseudonymously reviewed doctors in contravention of the Medical Justice-supplied contract. If we were redrafting 17 USC 512 today, we would pay a lot more attention to 512(h) and its privacy implications than we did in 1998. [On that front, I have a latent empirical research project to investigate what happened after 512(h) subpoenas issued, but this case may have mooted it.]

With that background, let me turn to this case. Maximized Living sells copyrighted material to chiropractors. Anonymous blogger Doe allegedly infringed Maximized Living's copyrights via a Blogspot blog post. Maximized Living submitted an apparently overbroad 512(h) subpoena request to Google to identify Doe, and Doe successfully quashed the subpoena for its irregularities. Nevertheless, Doe apparently removed the infringing material from the blog. After that removal, Maximized Living sent Google a putatively corrected 512(h) subpoena request to unmask Doe. In this ruling, the court quashes Maximized Living's 512(h) subpoena for a second time.

The court does something goofy to reach this result. The court holds "that the subpoena power of § 512(h) is limited to currently infringing activity and does not reach former infringing activity that has ceased and thus can no longer be removed or disabled." Thus, because Doe had removed the infringing material after the first 512(h) subpoena was quashed, there was no infringing activity taking place when the second 512(h) subpoena request was made.

The problem with this result is that copyright owners must submit a 512(c)(3) takedown notice to service providers before seeking a 512(h) subpoena. Most service providers will take down the allegedly infringing material in response to the 512(c)(3) notice, so unless the copyright owner moves really fast to make its 512(h) request, the infringing material invariably will be down before the 512(h) subpoena request gets filed with the court--leaving those copyright owners in the same place as this one (i.e., submitting a 512(h) request when there's no current infringement). Below, David Gingras explains why the court may have misread the statute.

As a practical matter, this case's result may not be earth-shattering even if it survives appeal. I believe most service providers honor 512(h) subpoenas without much scrutiny and perhaps without notifying the targeted individual. This case will only help if the targeted individual challenges the subpoena, which will only happen if the service provider notifies the individual before releasing the unmasking information and the individual gets to court quickly enough. Because the service providers are a critical player in this process, how they handle 512(h) subpoenas warrants careful attention. I'd be game to work with you to try to get service providers to tell us more about their 512(h) handling procedure and if they give notice to the users--and wait for any quashing effort to materialize--before forking over unmasking info. [FWIW, Google appears to have done both, so they get a gold star for the day.]

Copyright owners also can avoid this result by filing the 512(h) subpoena request basically at the same time as they send the 512(c)(3) notice. That way, when the 512(h) subpoena is filed, there is still infringing activity occurring, even if it's quickly eliminated by the service provider responding to the 512(c)(3) notice. My guess is that many copyright owners will be reluctant to do this because it will increase the cost and time required to target infringing material when quick-filing of a 512(h) request will help in only a small number of situations. Thus, changing the takedown protocol to add a 512(h) filing probably isn't cost-effective.

In addition, even if 512(h) isn't available, the copyright owner can still seek unmasking through a John Doe lawsuit. This isn't as low-cost as 512(h) and will trigger judicial screening of the subpoena request before issuance, so 512(h) is better for copyright owners if they qualify. Nevertheless, copyright owners can still achieve unmasking, and perhaps this case simply indicates that 512(h) is a much more highly specialized solution than we thought.

Finally, a personnel note: one of the plaintiff's lawyers is Kenton Hutcherson. You may recall that last year I blasted an article by Kenton for advocating that plaintiffs scrub search results by taking advantage of Google's apparently lax policy towards court orders. Here, it looks like the judge didn't respond well to at least two of the plaintiff counsels' choices:

1) the overreach in the initial 512(h) subpoena request; and
2) the submission of a second 512(h) subpoena request without the court's permission, which the court had required when it quashed the first subpoena.

One possibility is that the court reached its odd substantive conclusion in response to the plaintiff lawyers' errors.

________________

Comments by David Gingras

[Eric's introduction: Many of you already know David Gingras due to his positions as General Counsel for Ripoff Report and litigation counsel for thedirty.com. While drafting this post, I sent this opinion to David for his thoughts, and his statutory analysis in response was so useful that I asked his permission to share it]

I think it’s extremely clear the court made the wrong decision here. I think the court should have found that the subpoena was entirely appropriate under § 512(h) even if the allegedly infringing material had been removed and the infringing activity stopped.

The court’s premise seemed to be that you could only use a pre-suit subpoena under § 512(h) to identify current infringers, not a former infringer who had stopped infringing. By itself, this seems like a very dubious distinction. What’s the difference?

As far as I can see, the conclusion was based on the fact that you obviously can only use what is commonly referred to as a “DMCA notice” (i.e., a takedown demand under § 512(c)(3)(A)) to address active infringements. In turn, that sounded correct because § 512(c)(3)(A) requires the party submitting the notice to identify, inter alia: “the material that is claimed to be infringing or to be the subject of infringing activity and that is to be removed or access to which is to be disabled." By using the present and future tenses here, it’s beyond obvious that this section doesn’t apply to past acts of infringement. In other words, you can only use a § 512(c)(3)(A) notice to address current/ongoing infringements (DUH – if the material was already removed, you wouldn’t need to send a takedown notice anyway, right?)

Up to this point, the court interprets the DMCA in a common sense way, but then it erred when it assumed (incorrectly) that, because § 512(h) subpoenas are necessarily premised on a § 512(c)(3)(A) takedown notice, the court is required to find that where the infringement has stopped, the right to pursue a § 512(h) subpoena also stops. That’s just totally inconsistent with the plain language of § 512(h)(5), which talks about the duties of a party on the receiving end of a DMCA notice (like Google) once they receive the follow-up subpoena:

(5) Actions of service provider receiving subpoena.--Upon receipt of the issued subpoena, either accompanying or subsequent to the receipt of a notification described in subsection (c)(3)(A), the service provider shall expeditiously disclose to the copyright owner or person authorized by the copyright owner the information required by the subpoena, notwithstanding any other provision of law and regardless of whether the service provider responds to the notification. [italics added]


The way I read that section, it seems pretty simple – you can get and serve a § 512(h) subpoena either contemporaneously with the § 512(c)(3)(A) takedown notice, or the subpoena may be issued subsequent to that notice; i.e., at a later time when the infringement has already stopped. Either way is perfectly fine, which makes sense.

In this instance, the way the court interpreted § 512(h) makes the words “or subsequent to” totally superfluous, so we know the court’s conclusion is incorrect. Furthermore, the last few words of § 512(h)(5) seem to suggest that § 512(h) subpoenas may or may not come after a service provider has already “responded” to the takedown demand; i.e., after the material has already been removed – that’s another strong indicator that the right to pursue a § 512(h) subpoena may start with a § 512(c)(3)(A) takedown notice, but it does not stop simply because the infringing material was removed.

Posted by Eric at 09:18 AM | Copyright , Derivative Liability , Privacy/Security



January 04, 2012

Nov.-Dec. 2011 Quick Links, Part 3

By Eric Goldman

Marketing and Advertising

* Facebook is putting Sponsored Stories in user newsfeeds. Naturally, they will make the ad label almost invisible. Yet another reason to hate Facebook, and what a desperate act of financial overreaching to goose their IPO. FWIW, I absolutely hate that Twitter does the same thing. It's terribly marked as an ad, and it takes me more time than it should to figure out why it's appearing in my stream. Boo for Twitter, and boo for Facebook.

* Then again, not all Twitter ads are objectionable. The most popular tweet of 2011? An ad from Wendy’s.

* Interesting NAD decision involving Coastal Contacts' offer of "free" glasses in exchange for Facebook likes. Compare the subsequent ruling in Fraley v. Facebook.

* Top 10 PR Blunders of 2011.

* FTC does another bust of health marketers who allegedly used affiliates to create fake news sites. Prior blog post.

* Rebecca reports on a lawsuit over marketing that chickens were “raised humanely.” Note to meat eaters: there's no such thing as mass-raising of animals "humanely" for our food consumption. Invariably, meat-eaters who actually take the effort to understand the process of manufacturing meat decide to reduce their meat consumption.

* NYT on caller ID spoofing. The FTC just announced another bust on this front.

* AdAge: FDA's Social-Media 'Guidelines' Befuddle Big Pharma.

* Yahoo Inc. v. XYZ Companies, 2011 WL 6072263 (S.D.N.Y. Dec. 5, 2011). Yahoo gets a huge and uncollectable default judgment of $610M under CAN-SPAM against Nigerian spammers.

* Adware déjà vu: Facebook bitches about adware. Prior blog post.

* A table manufacturer tinkers with his AdWords account and discovers a correlation between AdWords and clicks on his organic links (1, 2). Prior blog post.

* Pom loses a jury trial against Ocean Spray over false advertising.

* Washington Post: An inside look at the world of TV news payola/“plugola.”

* Ad Naseum on reverse product placement, i.e., manufacturing virtual brands created for TVs and movies.

* NYT: In China, car brands have very different meanings to consumers than they do in the US (except for BMW, where the brand attributes are surprisingly the same).

* Cracked: 5 Black Friday Myths The Media Wants You to Believe.

Privacy

* In re Facebook Privacy Litigation, 2011 WL 6176208 (N.D. Cal. Nov. 22, 2011). Prior blog post. Judge Ware dismisses the Facebook/Zynga referrer ID case with prejudice. Wendy Davis' coverage. It appears the plaintiffs have appealed (sub nom Graf v. Zynga) to the Ninth Circuit.

* Facebook will make 45 privacy-related changes—almost none of them “important”—to appease the Irish Data Protection bureaucrats.

* Mark Zuckerberg has extensive experience apologizing to Facebook users for Facebook's privacy transgressions.

* USA Today on how Facebook tracks user activity at websites other than its own.

* Cohen v. Facebook appealed to the Ninth Circuit. I'm not sure how the Fraley v. Facebook ruling affects this. Prior blog post.

* Interesting visualization of Facebook’s creeping degradation of privacy for user-provided info.

* In the Matter of ScanScout, Inc., FTC File No. 1023185:

According to the FTC complaint, from at least April 2007 to December 2010, ScanScout’s website privacy policy discussed how it used cookies to track users’ behavior. The privacy policy stated, “You can opt out of receiving a cookie by changing your browser settings to prevent the receipt of cookies.” However, changing browser settings did not remove or block the Flash cookies used by ScanScout, the FTC charged. The claims by ScanScout were deceptive and violated the FTC Act, the complaint alleged.

* FTC bust of Skid-e-Kids for COPPA violations.

* Another cookie litigation settlement where the lawyers get almost all of the settlement value. PaidContent and MediaPost coverage.

* Weber v. Google, over Google toolbar snooping, was quietly dropped.

* Incorp Services, Inc. v. Does 1-10, 2011 WL 5444789 (N.D. Cal. Nov. 9, 2011). The court orders unmasking of alleged click fraudsters:

By tracking the clicks over the course of several weeks and narrowing a substantial portion of the activity to only two IP addresses—both owned by the same ISP—Incorp has provided sufficient information to indicate that the responsible parties are “real person(s)” who may be sued in federal court. Incorp also has demonstrated that it took reasonable steps to identify Defendants. Because information pertaining to the assignee of an IP address is maintained by the third-party ISP, the only way in which Incorp is able to identify definitively the parties associated with the suspect IP addresses is by subpoena to the ISP.

* In re Application of the USA for an Order Pursuant to 2703(d), 1:11-dm-00003-TCB-LO (E.D. Va. Nov. 10, 2011). No Fourth Amendment privacy protection for IP addresses.

* NYT provides yet another update on some European regulators' efforts to kill Silicon Valley.

* Peter Fleischer: Harsher data protection sanctions are coming.

Contracts

* Stebbins v. Texas, 2011 WL 6130403 (N.D. Tex. October 24, 2011). Another court calls David Stebbins’ attempt to manufacture an arbitration award “frivolous,” saying “his factual assertions that the alleged contract was formed when Plaintiff sent an e-mail to Defendant with a blog link and a dollar bill describe fantastic or delusional scenarios that are clearly irrational and incredible.” Prior blog coverage (1, 2).

* Garon v. eBay, Inc., 2011 WL 6329089 (N.D. Cal. Nov. 30, 2011). No antitrust claims for vendors who eBay terminated for low ratings. I think eBay should have been able to use 47 USC 230(c)(2) (not discussed by the judge).

* Fadal Machining Centers, LLC v. Compumachine, Inc., 2011 WL 6254979 (9th Cir. Dec. 15, 2011). In a B2B context, enforcing an arbitration clause posted to the web that was incorporated by reference in the vendor’s invoices.

* Spam Arrest v. Marketingesquire complaint: Spam Arrest sues an email marketer for violating its TOS by sending "spam."

* Wofford v. Apple Inc. (S.D. Cal. Nov. 9, 2011). Free software update to iPhone software did not constitute a "tangible good or service" for California CLRA purposes.

* How plaintiff firms are adapting to Concepcion.

* WSJ: Are We All Online Criminals?

Posted by Eric at 03:04 PM | Marketing , Privacy/Security , Spam



January 02, 2012

UGC Website Hit With Spoliation Sanctions--Io v. GLBT

By Eric Goldman

[This is one of those blog posts that got stuck in queue. It's still pretty interesting, so I'm sharing at this relatively late date. Happy new year!]

Io Group Inc. v. GLBT Ltd., 2011 WL 4974337 (N.D. Cal. Oct. 19, 2011)

This case involves Io, the pornography company that lost Io v. Veoh, the main 17 USC 512 case I teach in my Internet law course. The defendants in this case are British. They run a series of UGC porn websites where users can get some porn for free and then must pay for additional access either with cash or by uploading their own content. The plaintiffs seek to hold the defendants liable for copyright and trademark infringement because users are allegedly committing copyright infringement by uploading the plaintiffs' porn. The defendants are defending on 17 USC 512 and other grounds.

Being in Britain, the defendants are governed by the Data Protection Act. They interpreted that act to require them to flush lots of data very quickly. Perhaps they were so overly zealous in implementing the DPA that their interpretation isn't credible. For example, they automatically deleted all incoming and outgoing email after 3-4 days, and they didn't change this for more than a year into the lawsuit. They also completely deleted all files that were subject to a takedown notice, so it wasn't possible for plaintiffs to see which files had been removed. Their answers to the judge's pointed questions apparently weren't very satisfying, and eventually the defendants went AWOL. So it's a little hard to tease out any legitimate DPA-based objections the defendants might have had from their other questionable choices.

FWIW, I'm not a DPA expert, but the DPA requires that the service provider keep data only so long as reasonably necessary. I would think legal obligations/discovery rules satisfy that standard.

The court's opinion gives some insights into the evidence that would be useful for the 512 safe harbor. The defendants completely wiped away any UGC files they disabled. The court says:

With respect to the deleted audiovisual files, Plaintiffs are prejudiced by not being able to examine the files and related metadata for any "red flags" indicating that infringement was likely. Such red flags could render Defendants ineligible for safe harbor protections of the Copyright Act.

This is consistent with language in the Ninth Circuit's subsequent ruling in UMG v. Shelter Capital. The court continues:

The loss of takedown notices and corresponding removal notification emails also prejudices Plaintiffs. First, the trier of fact may consider the extent of copyright infringement on Defendants' websites when analyzing a claim of inducement to infringe....Although the number of takedown notices does not alone determine the amount of actual infringement on the site, a large number of notices could indicate that a large portion of the material on the site is infringing. In addition, in order to be eligible for safe harbor protection, Defendants must show that they have [a] policy in place providing for the termination of repeat infringers. 17 U.S.C. § 512(i)(1)(A). Defendants claim that they have such a policy in place, but without the ability to examine the takedown notices and corresponding emails, Plaintiffs have no way of challenging the implementation and enforcement of the policy because they cannot examine whether Defendants actually terminated individual users who repeatedly posted infringing material.

I'm not clear about the relevance of the percentage of infringing activity, but for more on the evidentiary issues associated with inducement, see the Grokster ruling. Finally, the court says:

the destruction of Defendants' internal emails renders it impossible for Plaintiffs to explore Defendants' motivation and state of mind in operating their websites; this is key to Plaintiffs' claim of secondary infringement based on inducement

For the evidence spoliation, the court hits the defendants with adverse inference sanctions:

Plaintiffs are entitled to adverse inference instructions in the form of rebuttable presumptions. Given the specific evidence destroyed by Defendants, the court orders the following rebuttable factual presumptions: 1) third parties posted material on Defendants' websites that infringed Plaintiffs' copyrights; 2) Plaintiffs submitted takedown notices to Defendants regarding the infringing material; and 3) Defendants did not take steps to remove Plaintiffs' infringing material from their websites.

Unless the defendants magically find some exculpatory evidence, it sounds like those inferences will nail them on the substantive rulings. The court also awarded $15,000 in attorneys' fees.

This case raises a number of interesting issues.

First, exactly what evidence are plaintiffs entitled to when trying to overcome a service provider's 512 defense? As far as I can tell, there are few limits because just about anything might support an inducement finding. The otherwise defense-favorable ruling in UMG v. Shelter Capital provides some other ideas about information that plaintiffs can seek. Summing all this up, as a practical matter, 512's safe harbor is nifty, but it's an increasingly expensive proposition for both parties. Contrast this with 47 USC 230, where many immunized lawsuits are tossed on a motion to dismiss without any discovery at all. Not only does that allow judges to issue clean and quick rulings, but it saves both plaintiffs and defendants a lot of coin. Note to statutory drafters: it's so important to consider the evidentiary implications of your legislative drafting. The way the statute implicitly allocates discovery costs has a huge substantive effect--especially if the goal is to create a safe harbor or immunity. On this point, even if 512 usually gets to the right result, the safe harbor is miscalibrated from an evidentiary standpoint.

Second, service providers hoping for a 512 safe harbor are often uncertain about what data they should or must retain. After Grokster, UGC sites became nervous about potential inducement liability. As a result, I believe it's become common to recommend that UGC sites flush as much material as quickly as possible (and before litigation becomes "reasonably anticipatable") to reduce the risk that the material will be cited as evidence of inducement or otherwise disqualify the 512 safe harbor. However, UGC sites don't want to look like they are trying to evade the truth or, worse, disrespecting the court (as the defendants in this case might be perceived as doing) or engaged in evidence spoliation, so how should UGC sites strike an appropriate balance? I'd welcome your thoughts about that.

Third, irrespective of how we feel about these particular defendants, their underlying point about the intersection between 17 USC 512 and user privacy is worth considering. 17 USC 512(m) is entitled "Protection of Privacy," so the drafters of 512 recognized the push-pull issue here. Assume for a moment that the defendants in this case honestly wanted to provide their users with private browsing/uploading/downloading, something that might be desirable in the context of these defendants' service. It seems logical that the service provider seeking a privacy-enhanced UGC service would flush its logs, email and disabled files promptly and make those representations to its users. Here, it appears the court would undo those promises, forcing the service provider to retain data it didn't want to keep for the benefit of copyright plaintiffs. I understand that may be our current state of play, but I see the potential for mischief too.

Posted by Eric at 08:20 AM | Copyright, Derivative Liability, Evidence/Discovery, Privacy/Security



December 23, 2011

Academic Literature Recap, Q4 2011

By Eric Goldman

I'm mired in grading heck, slogging my way through 146 exams. As a result, blogging has taken a back seat. I have several key items to blog, including the UMG v. Shelter Capital and Ascentive v. Opinion Corp. rulings. I'll get to these and other topics soon.

In the interim, just in time for the holidays, let me call your attention to some recent academic articles that caught my eye this quarter. They may be worth checking out during your holidays. Happy reading!
____________

Bevin Ashenmiller and Catherine Shelley Norman, Measuring the Impact of Anti-SLAPP Legislation on Monitoring and Enforcement, The B.E. Journal of Economic Analysis & Policy: Vol. 11: Iss. 1 (Topics), Article 67 (2011). The abstract:

We examine changes in environmental monitoring and enforcement activity in the presence of state legislation prohibiting Strategic Lawsuits Against Public Participation (anti-SLAPP laws). Using data on the Clean Air Act from the Environmental Protection Agency’s ECHO database, we find evidence that state inspections increase by almost 50% after a state passes anti-SLAPP legislation. In addition, we find strong evidence that the ratio of findings of noncompliance to inspections more than doubles in the presence of anti-SLAPP legislation.
____________

danah boyd, Eszter Hargittai, Jason Schultz & John Palfrey, Why parents help their children lie to Facebook about age: Unintended consequences of the ‘Children’s Online Privacy Protection Act’, First Monday, Volume 16, Number 11 - 7 November 2011. The abstract:

Facebook, like many communication services and social media sites, uses its Terms of Service (ToS) to forbid children under the age of 13 from creating an account. Such prohibitions are not uncommon in response to the Children’s Online Privacy Protection Act (COPPA), which seeks to empower parents by requiring commercial Web site operators to obtain parental consent before collecting data from children under 13. Given economic costs, social concerns, and technical issues, most general–purpose sites opt to restrict underage access through their ToS. Yet in spite of such restrictions, research suggests that millions of underage users circumvent this rule and sign up for accounts on Facebook. Given strong evidence of parental concern about children’s online activity, this raises questions of whether or not parents understand ToS restrictions for children, how they view children’s practices of circumventing age restrictions, and how they feel about children’s access being regulated. In this paper, we provide survey data that show that many parents know that their underage children are on Facebook in violation of the site’s restrictions and that they are often complicit in helping their children join the site. Our data suggest that, by creating a context in which companies choose to restrict access to children, COPPA inadvertently undermines parents’ ability to make choices and protect their children’s data. Our data have significant implications for policy–makers, particularly in light of ongoing discussions surrounding COPPA and other age–based privacy laws.

This article stirred up a fair amount of discussion. See, e.g., the CNET coverage.

Some notes about this article:

* no one looks good here: not the kids, parents, Facebook or Congress.
  - Parents teach children how to lie to get what they want online.
  - Gilmore's law applies: the Internet interprets censorship as damage and routes around it. COPPA has been a success at getting websites to shun kids 12 and under, but it's been a complete failure at protecting kids online.
  - all of the lying kids are presumptively engaged in criminal activity.

* when kids are asked to represent themselves as older than they actually are, do they inadvertently put themselves in more adult situations than they can handle? See my post on mistake of age defenses.

* the policy implications of this report cut in both directions. Pro-regulation: the only way to keep kids off Facebook is to do mandatory age authentication that parents can’t game; or do comprehensive privacy regulation. Anti-regulation: COPPA was a bust, so we should repeal it or structurally modify it.
____________

Felix T. Wu, Collateral Censorship and the Limits of Intermediary Immunity, 87 Notre Dame L. Rev. 101 (2011). We don't have too many law professor papers really grokking 47 USC 230, which makes this paper instantly noteworthy. Felix presented this paper at our 47 USC 230 fiesta earlier this year. His conclusion:

Intermediary immunity can and should play an important role in protecting speech on the Internet. Immunity prevents the application of laws targeted at original speakers to intermediaries that lack the incentives of original speakers to speak. Immunity can thus be used to avoid the collateral censorship of lawful, socially desirable speech that poses a real or perceived risk of liability to intermediaries. At the same time, immunity can and should be limited. When intermediaries are actually original speakers, and have the incentives of original speakers, immunity is no longer appropriate. Similarly, immunity as to causes of action that are specifically targeted at intermediaries inappropriately prejudges the reasonableness of such liability.
Even ardent supporters of intermediary immunity would be well-served to recognize its limits. When immunity becomes unbounded, it begins to seem increasingly unfair, stimulating calls to cut back on the immunity, or even eliminate it entirely. The framework developed here demonstrates how, without any need to amend current law, we can limit the immunity, while still serving its core purposes.

James Grimmelmann's comments about the paper.
____________

Sandra L. Rierson, The Myth and Reality of Dilution, 2012 Duke Law & Tech. Rev. ___ (forthcoming 2012). From the introduction:

This Article advances three claims. First, statutory dilution erroneously assumes that the source-identifying function of a trademark is a rivalrous good and one that is dissipated by use. This assumption lacks empirical support, and is assuredly not categorically true despite the contrary principle that underlies the federal dilution statute. If marks are nonrivalrous, as they often are, no cause of action for dilution should exist.
Second, even were particular marks indeed rivalrous, the social and transaction costs imposed by the federal dilution statute would still outweigh the supposed harm to trademark holders. Dilution claims inflict profound anticompetitive burdens, preclude beneficial comparative advertising, and entrench dominant (often oligopolist) firms at the expense of market entrants. Dilution has serious non-economic costs as well and prohibits protected First Amendment speech without justification. For these reasons and others, the federal dilution statute imposes substantially more harm than it (allegedly) prevents.
Finally, the true foundation for the federal dilution statute lies not in alleged economic harms, but rather results from an entirely misplaced fiction of corporate personality. We do not require trademark holders to prove actual economic injury in the context of a dilution claim because, in truth, there is none. Instead, we have granted the holders of famous trademarks the equivalent of a “moral” right to these marks: an extension of the rights granted to a creator of an expressive work in the copyright context. Trademark owners feel vested in their brands, many of which are deliberately anthropomorphized, and the dilution statute reifies and protects these rights as a matter of federal law.

Stacey Dogan's cogent critique of the article. You may recall that in 2007, SCU convened a major academic conference on trademark dilution.
____________

Lydia Pallas Loren, Deterring Abuse of the Copyright Takedown Regime by Taking Misrepresentation Claims Seriously, 46 Wake Forest L. Rev. ___ (forthcoming 2011). A nice in-depth look into one of my favorite topics, 17 USC 512(f), by one of my favorite authors. The conclusion:

The takedown provisions of the Copyright Act are a powerful tool that copyright owners may use to obtain prompt removal of infringing material from the Internet without judicial assessment of the assertion of infringement. Congress provided a mechanism to deter abuse of this extrajudicial enforcement mechanism in the form of a new cause of action for material misrepresentation. Courts should interpret the requirements for prevailing on a claim of misrepresentation with an eye toward fulfilling Congressional intent. This means using a standard that would hold copyright owners liable not only when they had actual knowledge that the material targeted for takedown was not infringing, but also when the copyright owner should have known if it acted with reasonable care or diligence that the material was lawful. It also means interpreting the injury requirement broadly and awarding attorney’s fees to prevailing plaintiffs. Taking the claims of misrepresentation seriously will shape the behavior of copyright owners who seek removal of material through takedown notices.

Posted by Eric at 07:55 AM | Content Regulation, Copyright, Derivative Liability, Privacy/Security, Trademark



December 12, 2011

“Economics of Privacy” Conference Recap

By Eric Goldman

Earlier this month, I attended an event at University of Colorado Boulder called “The Economics of Privacy,” sponsored by the Silicon Flatirons center. A couple photos from the event: 1, 2. As usual, these notes reflect my impressions of the discussion. They aren’t verbatim transcriptions, so please double-check before attributing anything to anyone.

Paul Ohm was the principal event organizer. He offered a thesis: the legal academy has ignored economics and markets in its privacy scholarship. This is because a decade ago, privacy scholarship got rooted in consumer autonomy. As a result, we are letting waves of new economics discussions go past without incorporating them into the privacy scholarship. He thinks this is a missed opportunity. This conference was intended to fix that.

Keynote: Alessandro Acquisti

Can market forces adequately “protect” information privacy? Answer: a resounding “it depends.”

Notifying consumers isn’t good enough. Less than 3% read privacy policies; people don’t understand them; people assume “privacy policy” implies privacy protection; if people actually read the policies, we lose significant social resources in the opportunity costs of their time; and outright deceptive bypassing of policies can go unpunished.

Consumer control is illusory. In fact, by making people feel more in control, consumers may take greater privacy risks.

Can self-regulation protect privacy? Alessandro thinks probably not. Hyperbolic discounting means consumers will take the immediate benefits and ignore future costs/risks. Further, technology keeps changing. Consumers who try to optimize for current technology are required to learn the newer technology. It’s overwhelming for consumers. Thus, the empirics of privacy show that hurdles in decision-making render self-regulatory solutions untenable.

Where do we go from here? Currently, unless there’s a quantifiable economic harm, there’s no legally recognizable harm. However, by focusing on tradeoffs, we’ve lost the non-economic benefits of privacy, like personal autonomy. The lack of adequate consumer protection also leads to socially wasteful investments, ex post damages, a shrinking share of consumer surplus, and others. We can do better than telling consumers that they need to “quantify the privacy costs incurred or be quiet.” Privacy enhancing technologies allow both data sharing and data protection. We should put the burden of proof on data holders: prove you can’t provide the same services with less data, or be quiet. Finally, he rejects the privacy fatalism that “data is the price for content.” In fact, consumers pay when advertisers use the data to develop manipulative marketing.

First Panel

Lior Strahilevitz. Information asymmetries led to 19th-century English workhouses (like homeless shelters). The government wouldn’t provide welfare payments because recipients knew better than the government if they were worthy, so workhouses were an alternative to providing wasted welfare. The consequence of this information asymmetry was the growth of government services and poor living conditions.

India is experiencing something similar. To address this, India is collecting biometric information on its poor (the “AADHAAR”). Some Indians feel this data collection is empowering—it gives them an identity.

Homogeneity enables mass-market products, but precludes catering to idiosyncratic needs. On the other hand, we should favor serendipitous exchanges between disparate people, and that’s essential for us to function as a society.

Lior is concerned that people will buy products for signaling purposes, not because they want the goods. For example, it turns out that people who buy felt pads for their furniture are good credit risks. Knowing this, people might buy felt pads to send false signals. Peppet’s comment: signaling is exhausting. We’re always communicating through our actions, and that’s tiring. It’s rational for consumers to respond by just deleting their Facebook accounts entirely.

Alessandro’s comment: matching systems will never be perfect; they will always make errors. But if decision-makers overly rely on the technologies, we may not be able to protect ourselves from these errors.

Lorrie Cranor. In 1996, there was a lot of talk about notice-and-choice and that privacy policies were unreadable, but the thought was that privacy seals and P3P could save privacy policies. We're at that exact same place today, but the technology hasn’t changed much. In fact, the current Do-Not-Track technology is lower-tech than P3P was.

What went wrong with P3P? 5 years of haggling led to a computer-readable language for privacy policies. It’s still incorporated into Microsoft Internet Explorer, but it only focuses on cookie-blocking decisions. To avoid Microsoft’s cookie blocking, sites enacted P3P policies. At least a third of P3P policies had errors, including major sites (Amazon, Facebook), so P3P may be counterproductive (i.e., consumers relying on P3P will not have their preferences effectuated). She hopes regulators will investigate.

Based on our experiences with P3P, online behavioral advertising tools aren’t promising. Companies aren’t providing clear policies to consumers or working opt-outs; consumers don’t recognize the icon; and consumers won’t click on it because they expect to get more ads, not to opt-out. She has a feeling of déjà vu: privacy tools empower consumers, but when people inevitably lose interest in developing the tools, privacy issues will become moribund again.

In contrast, incorporating automated privacy information into search results made consumers more aware of privacy concerns, and consumers showed they were willing to pay extra for additional privacy benefits.

Julie Cohen. The term “information privacy market” is weird. The market doesn’t produce information privacy; it produces information that’s used for market segmentation and risk management. There are social costs of information privacy markets—do we need less of the outputs from these markets?

Deeply-held ideological considerations drive privacy norms. Many of us are socialized to believe that more information is better. This skews the discussion as privacy advocates try to get around this norm.

We should be skeptical of information collection practices. Social benefits don’t necessarily grow as information becomes more precise. Gaps in knowledge lead to serendipitous matches that benefit society.

Innovation is used as an excuse to stiff-arm regulators because it’s too complicated for regulators. We’re bad at valuing systemic risks.

Scott Peppet. He sees parallels between Occupy Wall Street and the concerns about privacy. We don’t know how companies are tracking us, and that lack of knowledge makes us uncomfortable. Our economy is built on data, but we don’t understand how that system works. Data collectors are getting big, and we don’t know what they are doing. Perhaps some data collectors get too big to fail—we couldn’t let Facebook’s database go through bankruptcy.

Q from Berin Szoka: why isn’t the common law system adequate to deal with exigencies? For example, the FTC can enforce P3P misrepresentations even if the private lawsuit fails in court. Why do we need additional regulation?

Q&A on self-regulation

Lorrie: self-regulatory model requires enforcement. We have some leaders in the industry doing a great job, but they aren’t getting the requisite enforcement backup.

Alessandro: self-regulation doesn’t work because it relies on notice-and-consent, and that doesn’t work. Instead, he would like to see self-regulation include broader deployment of PETs.

Peppet: he expected, but has failed, to find role-modeling privacy intermediaries such as infomediaries (see my 2005 blog post on the absence of infomediaries). Even companies that are leaders on privacy have unreadable privacy policies. His hypothesis: it’s more profitable to disrespect privacy.

Strahilevitz: self-regulation is best for handling data that’s been recently collected, not on historical data. No one has a good response to deal with new data uses enabled by evolving technologies. Data retention may be an appropriate place for government regulation.

Keynote: Joe Farrell (speaking for himself, not the FTC)

Economics assumes consumer sovereignty. Consumers have wants; the marketplace supplies them. His starting point: consumers value privacy. It’s hard to measure how much. We shouldn’t ask why or how much. We should ensure the market doesn’t thwart their desires.

If we focus on consumer sovereignty, notice-and-choice should work. This minimizes the need to figure out how much consumers value privacy and why; it enables competition on privacy; and the market can cater to consumers’ preference heterogeneity. Notice-and-choice is difficult, but we should try to fix it. However, even experts can’t tell what will happen to privacy in the future; and consumers can’t tell how their information disclosures are affected by information disclosures of other consumers.

Taxonomy of consumer data uses:

• Order fulfillment (responding to a consumer request). For consumers’ mail orders, it’s not surprising that the retailer will tell the shipper your address. This directly serves the transaction the consumer wanted, and it’s unthreatening. Leave this out of the regulation.
• Profitable re-uses that the consumer may not directly like. Need to distinguish between deals the consumer would be willing to strike (data-for-content) and unacceptable deals.

When marketers deceive consumers, it trains them not to trust anyone. This is a harm to society. Ad hoc case-based enforcement doesn’t fix this harm.

Teaching consumers is hard, even if both parties are motivated. This is the basic problem with “disclosures.” But when advertisers don’t have full incentive to be forthcoming, consumers are even less likely to learn.

When the market price is zero, it’s hard for consumers to discount the price further to reflect the costs of privacy risks. Micro-payments actually solve this problem (we saw some of these advantages with the move from broadcast TV to cable TV) but micro-payment service providers create their own privacy paradox.

We should be open to private law solutions, such as trustworthy intermediaries or the adoption of liability-type commitments.

Panel 2

Ryan Calo moderated this discussion, which didn’t have presentations. Because I was part of the panel, my notes are a little sketchy.

Aleecia McDonald: Definition of behavioral advertising = advertising that’s based on data collected about individuals, such as the websites they visited and their search terms, and used to create a profile to trigger ads. Behavioral advertising can be done on a third-party or first-party (e.g., Amazon) basis. Some folks believe that online behavioral advertising only means third party behavior.

Laura Kornish: Can self-regulation work? The Behavioral Advertising icon has been around a year. The icon and linked information don’t answer very well the question of why the ads are appearing. It’s not working so well, and she’s not sure why. It depends on whether educating consumers about behavioral advertising is a technical challenge. If it is, the icon probably isn’t salvageable. In contrast, it would work if consumers get clear information about why they are getting the ads.

Eric Goldman: the point of advertising is a conversation between marketers who want to sell and consumers who want to buy. If behavioral advertising improves the conversation, there’s no problem that regulation needs to fix.

Seth Levine: He doesn’t favor regulation. As an investor, we don’t see companies trying to create containers for consumer data to give marketers. He does see entrepreneurs trying to fix the fact that publishers let a lot of data leak out to advertisers.

Eric: publishers need to manage the trust relationship on behalf of readers. It’s weird to me how few publishers take this responsibility seriously.

Aleecia: There's currently a schism between EU and US about holding first party data controllers responsible for third party actions.

Catherine Tucker discussed her paper. The punchline: EU advertising effectiveness decreased by 65% compared to the US due to privacy regulations. Small unobtrusive ads were particularly affected because these are more informational and need to be more relevant. Blaring intrusive ads weren’t affected. Most adversely affected websites: general news sites, not niche-y sites (probably because contextual targeting on niche sites was a passable substitute for behavioral advertising).

Seth: an ad impression based on data about the consumer is 3x-10x more valuable than an ad impression without consumer data. Online brand advertising isn’t very effective, so the Internet relies on direct response advertising. If brand advertising worked online, there would be less motivation for behavioral advertising.

Aleecia: Q to Catherine. What legislation caused the difference in ad performance, especially because the EU directive isn’t being enforced?

Catherine: She focused on the 2002 EU directive, but the rules were rolled in over time, and advertisers were uncertain about its implementation. Some advertisers pulled away from using cookies due to the uncertainty. Health ads, in particular, were much less effective.

Aleecia: Catherine’s study is good news for privacy advocates. It shows regulation can work.

Eric: it “worked” how? Some of the adverse consequences from privacy regulation: more intrusive ads, and some matches were foreclosed in the marketplace.

Aleecia: if regulation results in fewer beacons and tracking, this is a good result for healthcare data.

Seth: the advertising marketplace is big enough to incent investment in innovation.

Eric: the best way to spur innovation: give immunities and safe harbors. [I have a more detailed blog post in process making this point in greater detail.] The privacy plaintiffs’ bar is imposing a huge tax on advertising privacy innovation today.

Seth: existing technologies allow private/anonymous browsing. Less than 5% turn it on, and usually turn it on in the middle of the day, perhaps to hide information from their employers.

Aleecia: some consumers want to block ads, but the dominant reason for blocking ads is privacy concerns. Many of the tools are flat-out unusable. 6% of browsers have adopted DNT. On mobile, 17% have adopted DNT (and this is hard for them to do). Definition of DNT = allows users to put up their hand and request privacy. It’s not a technical mechanism; it’s just an HTTP header. What should websites do when the header is present? That's still being discussed.

Eric: the devil of DNT is in the details. We’ll know how important/useful DNT is when we see what websites do when they know consumers have raised their hand.

Catherine: consumers don’t understand online behavioral advertising, so they need protection, but maybe consumers are ahead of regulation and thus regulation would be redundant.

Seth: Solutions to privacy issues should be technology-based. If you’re 18 and don’t have a Facebook account, you’re dead. But Facebook does a terrible job with monetization: they have a huge audience but get only a small percentage of online ad dollars.

Peter Swire Q: getting consumers to adopt PETs is hard, so 5%-17% adoption is huge. Also, Julie Cohen’s right to read anonymously.

Seth: we would all agree that we should have user-driven right to read anonymously.

Panel 3

Scott Peppet. Ways to connect digital identity to physical identity:
• facial recognition. We can now do searches using a face as the search query.
• iris recognition. The technology can read irises on the run. If the technology became widely installed, it can do highly accurate individual identification.
• Car chips measure usage of cars. Insurance companies will find this information useful.
• Biometric. Your scale can broadcast your weight; it can even post to Twitter. It may be entertaining to measure oneself; but that data has substantial commercial value, and marketers may be willing to pay to get it.
• Smart goods. A sweater has been chipped to provide interested consumers background information about the exact sheep whose wool was used.

Ways to tie Digital Space to Physical Space
• Augmented reality. Smartphone can provide this functionality. Car can display information on the windshield.
• Pranav Mistry’s Sixth Sense.

Berin Szoka. Lessig outlined a dystopian view that code will become a perfect form of control. In contrast, the Supreme Court has said that technology expands consumers’ capacity to choose. So, does technology empower or enslave?

First Amendment is baseline for the (lack of) regulation of information. Government can and should punish fraud and deception. Government can validly compel disclosure of objective factual statements (Cass Sunstein’s “smart disclosure”). With proper narrow tailoring, government can intervene in other situations—user empowerment tools, limiting government, educating consumers.

Chris Hoofnagle. He favors competition-enhancing enforcement. Problem: privacy policies that are internally inconsistent; they say “we don’t share” and then say they work with third-party marketers. He also favors an enforcement action that says companies can’t force tracking onto consumers. If a consumer manifests their intent not to be tracked, companies can’t undo that. Also, companies are resistant to working with privacy agents where consumers pay someone to help them opt-out; they want to confirm this intent. Companies can’t imagine that consumers don’t want their advertising.

Peter Swire. He worries about security. There’s no way to fix theft of biometrics. Iris scans can be defeated by high-quality print of a third party’s iris.

What if data = speech? (IMS v. Sorrell). He reads Sorrell to say that many privacy laws are subject to heightened scrutiny. Ex: the FCRA says CRAs can’t report credit data more than 7 years old. This limits speech by limiting data. Thus, arguably it’s both a speaker- and content-based restriction.

Berin: he hopes Sorrell will bring more rigor to legislative drafting. The Vermont statute didn’t have any showing of harm. He doesn’t think all privacy statutes are dead, but he hopes the ruling will encourage an emphasis on less restrictive measures.

Chris: Sorrell involved a dumb law, but most privacy laws are dumb because corporate lobbyists muck up well-meaning legislative proposals. He thinks libertarians should hate the Sorrell ruling—the government forced the collection of information and then it was shared with the private sector.

Berin: He doesn’t mind the government data collection in Sorrell because he believes the private sector would have generated the information anyway. Sorrell has no bearing on government-compelled disclosure.

Fernando Laguarda. The Sorrell decision was a reaction to a poorly drafted statute. Information dissemination is speech.

Paul Ohm Conversation with Julie Brill

Paul: it’s the 1 year anniversary of the FTC’s privacy report. What’s happened since then?

Julie: the FTC has spoken loud and clear on social networks (Facebook, Google Buzz). It’s brought some good cases on behavioral advertising and COPPA. The report didn’t preview the FTC’s directions; instead, it describes the problems the FTC has been running into when it brings enforcement actions, especially with notice-and-choice and consumer harm. It sums up where the FTC has been.

The report’s basic principles:
• Companies should build privacy into their foundation
• Simplify notice-and-choice. For example, on mobile devices, privacy policies are too long and not readable. Give more layered notices. Companies are burying the most important disclosures in the policy.
• Transparency. Give consumers more information about the company’s practices, but also show the data that the company has collected about the consumer and give them the right to correct. Analogy: FCRA. Data brokers that don’t come under FCRA should still give access to consumers.

What’s happened since the report? A majority of commissioners have embraced “Do Not Track.” A lot of technological development has occurred in a year—DNT technology, browser-based restrictions, BA icon.

Paul: What does Do Not Track mean, and who enforces any violations?

Julie: there isn’t consensus on what “do not track” means. A header-based solution is one way for consumers to express their preferences. But will websites honor the header? Another solution: the blacklist/whitelist built into Microsoft’s browser. Advertisers feel that is more draconian. The icon-based system is another solution.

She believes Do Not Track efforts have to cover data collection and retention in addition to tracking. When the FTC issues its final report (maybe by end of 2011), she hopes it will include data collection.

Who decides—self-regulatory groups or browser companies? Once promises are made to consumers, FTC and state AGs need to enforce.

Paul: academics like Alessandro and Lorrie expressed a lot of skepticism about notice-and-choice. Should the FTC still be pushing it?

Julie: FTC commissioners typically agree about the FTC’s specific enforcement actions. Most opinions are unanimous, especially on privacy and consumer enforcements. When commissioners are debating theory, as opposed to a specific enforcement action involving a particular company, the commissioners disagree more. She thinks the commissioners disagree about notice-and-choice. We shouldn’t throw out notice-and-choice, nor should we throw out PII, but Julie is a skeptic on notice-and-choice. Consumers aren’t the least cost avoiders. The safety analogy is useful—just like we don’t want consumers policing aircraft, consumers shouldn’t be policing privacy. She would like more dashboards for consumers.

Paul: how do we resolve any specific privacy problem—self-regulation, FTC, Congress—who?

Julie: this is a big question, and there’s no single answer. She likes the bully pulpit; she raises her eyebrows a lot! This can lead to a lot of dialogue between industry and the FTC. The FTC has to account for the political environment. Legislative discussions look different now than a year ago; Congressionally enacted regulation isn’t realistic right now because Congress doesn’t have the bandwidth. The industry is a little emboldened because it knows the FTC can’t get Congress to act.

Eric’s Q: there have been lots of Internet privacy lawsuits, but they are routinely getting tossed. How does this affect the FTC’s calculation about whether or not to intervene?

Julie: privacy lawsuits based on deception still require the plaintiffs to show consumer damages. FTC/state AGs aren’t bound by this restriction. The FTC also has authority under unfair acts. Unfairness requires balancing of economic interests. Harm is essential to the balancing. But what about embarrassment, such as an unwanted outing or unwanted Facebook photo posting? The FTC report argues that they should expand the harms. About a decade ago, Eli Lilly had a website for Prozac users. When it decided to shut down the website, it included everyone’s email address in their announcement. This was a huge breach. FTC said it was either a deceptive or unfair act. She thinks it was really an unfairness case; it was wedged into the deception prong.

Posted by Eric at 09:17 AM | Privacy/Security | TrackBack



December 08, 2011

Employee's Claims Against Employer for Unauthorized Use of Social Media Accounts Move Forward--Maremont v. SF Design Group

[Post by Venkat Balasubramani]

Maremont v. Susan Fredman Design Group, Ltd., et al., 10 C 7811 (N.D. Ill.; Dec. 7, 2011)

I blogged about a case earlier this year where a plaintiff sued her former employer for improperly accessing the plaintiff's social media accounts. (Here's my earlier post on the case: "Employee's Twitter and Facebook Impersonation Claims Against Employer Move Forward.") I thought the case was dismissed due to plaintiff's inaction, but it looks like the case is still trudging along.

The basic facts: Susan Maremont worked for the Susan Fredman Design Group as the director of marketing. Maremont created a blog and Facebook account for SFDG. She also created Facebook and Twitter accounts that the court says are undisputedly her personal accounts. Maremont suffered an accident. While she was in the hospital, SFDG continued to access and post from Maremont's accounts. (The court is never 100% clear on which of the two Facebook accounts SFDG posted from.) Maremont returned to work briefly on a part-time basis, and during this time she thanked her temporary replacements "for their amazing posts on [the blog] in [her] absence." Subsequently, Maremont apparently changed her mind and sued for alleged misuse of her personal accounts. [The order says that Maremont stored her account access info on the SFDG server, although the folder in which she stored this info was ‘locked’ and she never gave authority to anyone to access it. This was Maremont’s version of the facts. The order does not say exactly how SFDG got access to the passwords (SFDG could have obtained the passwords by accessing the folder on the SFDG server, or it's possible that the computers Maremont used to create the accounts--which were SFDG computers--remembered them).]

SFDG brings a motion for summary judgment, which the court largely punts for lack of evidence on damages.

Lanham Act claim: Maremont's Lanham Act claim requires her to show that she had an intent to commercialize her identity. The court says that she satisfies this requirement, noting that "it is undisputed that Maremont created a personal following on Twitter and Facebook for her own economic benefit . . . " However, Maremont also must show that she was somehow damaged by her unauthorized affiliation with SFDG. The court gives Maremont additional time to marshal evidence as to how she was damaged. Maremont tells the court that she will bring an expert to testify as to the damages issue.

Stored Communications Act claim: As to the Stored Communications Act claim (which Maremont added later on in the lawsuit) there is no dispute that SFDG accessed Maremont's accounts:

there is undisputed evidence in the record that Defendants accessed Maremont's personal Facebook account and accepted friend requests at least five times from September 23, 2009 through November 24, 2009. Moreover, evidence in the record reveals that Defendants posted seventeen Tweets to Maremont's personal Twitter account during the relevant time period.

This probably amounts to unauthorized access of "a facility through which an electronic communication service is provided." However, the court says that in order to be entitled to statutory damages under the SCA, Maremont has to show that she suffered some "actual damages." (See Van Alstyne v. Electronic Scriptorium.) Because of the dearth of evidence on the damages issue, the court declines to grant summary judgment at this juncture. (Although the court's discussion of whether the SCA requires actual damages as a prerequisite to relief is not extensive--and as Van Alstyne acknowledges, there is mixed authority on the issue--the ruling is significant in this regard.)

Right of Publicity claim: The right of publicity claim fails because SFDG did not pass itself off as Maremont, even though it posted tweets through Maremont's Twitter account. The first of the objectionable tweets explained Maremont's absence and linked to a blog post by Susan Fredman. Additionally, upon returning to work on a part-time basis, Maremont "thanked" SFDG's guest editors for their efforts. Thus, the court concludes that SFDG did not misappropriate Maremont's likeness.

Common Law Privacy claim: Maremont also brought a common law privacy claim, which appeared to be based on the "intrusion of seclusion" tort. The court says that she has to show that defendants intruded into a matter that was private and which the plaintiff attempted to keep private. The court says that Maremont cannot satisfy these elements:

there is no dispute [that] . . . the matters discussed in Maremont's Facebook and Twitter posts were not private and that Maremont did not try to keep any such facts private. In short, Maremont fails to point to any private information upon which Defendants intruded.

Cf. Moreno v. Hanford Sentinel.
__

This is a messy dispute, and some of the facts don't seem clearly developed by either the court or the parties. For example, there were two Facebook accounts involved (one for SFDG and one which Maremont uses personally), but later in the discussion, the court doesn't specify which Facebook account it is talking about. Second, the court notes that "there is no evidence in the record concerning the actual Facebook postings and their content." This is a strange evidentiary omission by the plaintiff.

Then there's the issue of actual damages. Maremont has a Herculean task in proving that her affiliation with SFDG as a result of a smattering of social media posts somehow had a negative financial effect on her. How exactly was she damaged by this association? It's not as if SFDG said anything negative about her. Maremont's claim is that while she was in the hospital, SFDG continued to post and make it look (to the untrained eye) that Maremont continued to handle SFDG's social media efforts. Would a prospective client really refuse to hire Maremont because of these posts? Did this somehow diminish Maremont's earning capacity? I'm not sure what Maremont's expert is going to say, but he or she better come up with something good.

The court's analysis of the invasion of privacy issue also threw me for a loop. The court concludes that the information contained in the posts was public, so there's no violation by SFDG when it posted to Maremont's accounts, but this didn't seem to be the crux of Maremont's invasion of privacy claims. Maremont should be arguing that when SFDG accessed Maremont's accounts, SFDG could also have accessed private facts stored in the account, such as private messages, DMs, photos, and other information in the Twitter/Facebook accounts that were not public. The court's analysis makes me think that the court didn't understand that Twitter or Facebook accounts can contain other information than what's actually publicly "posted" through the account. (Of course, Maremont would have faced a challenge when it comes to damages. She may not have had a standing problem, but she would have to show that she suffered damage as a result of the intrusion, and it's fair to presume from the court's dismissal of her claim that she failed to put forth adequate evidence on this issue.)

This case, along with the PhoneDog case (and Ardis Health), highlights the inherent ambiguity in ownership over social media accounts. Property-wise, it's tough to slot the accounts in a particular box. There also seem to be differing expectations on the part of the employer and employee. The employee obviously wants to take the account with her when she leaves, but the employer would like to continue to take advantage of the goodwill built by the account. There is a solution, and that's to have a written policy in place! A policy is not a cure-all, and I think it's equally important to have a discussion up front about whose account this is and what happens when the relationship terminates. (This is a mini-version of the "blog ownership question" that Eric has harped on.)

As with the PhoneDog case, this is another dispute where the attorney's fees expended could eclipse the value of the case. If the facts as alleged are true, SFDG stepped way over the line in accessing Maremont's accounts, but Maremont's damages are probably minimal. (Ironically, I would think the invasion of privacy claim would be one of the strongest, but the court kicks this claim.)

As a final note, it's worth comparing the result in this case to In re Rolando S., the case where a California appeals court found that a juvenile violated California's identity theft statute when he took someone's Facebook account for a joyride. Here, SFDG gets dangerously close to this line, although it was not clear that the posts in question purported to be from Maremont. As I mentioned in my initial post on the case, depending on what jurisdiction you are in, meddling with someone's social media account in this context could result in e-personation liability.

Related posts:

Employee's Twitter and Facebook Impersonation Claims Against Employer Move Forward
Court Says Employer's Lawsuit Against Ex-Employee Over Retention and Use of Twitter Account can Proceed--PhoneDog v. Kravitz
Ex-Employee Converted Social Media/Website Passwords by Keeping Them From Her Employer--Ardis Health v. Nankivell
Court Declines to Dismiss or Transfer Lawsuit Over @OMGFacts Twitter Account -- Deck v. Spartz, Inc.

Posted by Venkat at 03:45 PM | Privacy/Security , Publicity/Privacy Rights , Trademark



December 02, 2011

The Cookie Crumbles for Amazon Privacy Plaintiffs – Del Vecchio v. Amazon

[Post by Venkat Balasubramani]

Del Vecchio v. Amazon, C11-366-RSL (W.D. Wash.; Dec. 1, 2011)

Plaintiffs sued Amazon, alleging that Amazon’s use of “flash” cookies and certain browser “tokens” was misleading. In a putative class action, Del Vecchio asserted claims against Amazon under the Computer Fraud and Abuse Act, and the Washington Consumer Protection Act, along with claims for trespass and unjust enrichment. The court dismisses the lawsuit, and although it grants leave to amend, it sends a pretty clear message to plaintiffs that they face a high (and likely insurmountable) hurdle.

CFAA Claim: The court identifies two problems with the CFAA claim. First, plaintiffs fail to satisfy the $5,000 damage threshold. Plaintiffs argued that Amazon’s use of cookies “devalued” their personal information, but the court says that this allegation is entirely speculative. Did the plaintiffs really lose the ability to exchange their personal information with third parties as a result of Amazon’s use of cookies, or was this ability somehow lessened? Negative, says the court. The second category of possible loss was diminished performance of the plaintiffs' computers. The court rejects this allegation as well, noting that “not one of the Plaintiffs alleges that he or she discerned any difference whatsoever in the performance of his or her computer while visiting [Amazon’s] site.”

Although the failure to meet the five thousand dollar threshold is sufficient to dismiss the CFAA claim, the court goes on to address the issue of authorization and says that Amazon’s terms of use and privacy notice disclosed to end users that Amazon uses “Flash cookies” and uses these cookies to track and serve advertisements. (Thus, the access by Amazon was not "without authorization".) Plaintiffs made the clever argument that their injury occurred at the very moment they accessed Amazon’s site (i.e., before they had the chance to read and agree to the policy) but the court rejects this, saying that any information collection only occurred as a result of plaintiffs’ use of Amazon’s site.

Consumer Protection Act: Plaintiffs’ CPA claim suffered from two similar flaws. The court says plaintiffs failed to allege any “non-speculative” injury. One of the plaintiffs claimed that after she purchased pet supplies through Amazon, she received advertisements and junk mail from companies selling pet products. The court says this allegation is too speculative. In a footnote the court notes that this type of tracking and marketing is disclosed in Amazon’s privacy policy. The court also says that Plaintiffs failed to satisfy the requirement that Amazon’s conduct be unfair or deceptive—plaintiffs did not allege any actions that were inconsistent with Amazon’s privacy policy. [Although not cited in the order, see Cherny v. Emigrant Bank, for the proposition that the receipt of spam is not in itself a compensable harm. I would assume the same is true of junk mail as well.]

Trespass to Chattels: The court dismisses the trespass argument on the basis that trespass to chattels requires an allegation that the defendant’s actions interfered with a plaintiff’s property interest in a way that affects the physical condition or plaintiff's use of the chattel, and plaintiffs failed to adequately make out this allegation.

Unjust Enrichment: Relying on the plaintiffs’ failure to allege any improprieties in Amazon’s use of cookies or collection of information, the court also dismisses the unjust enrichment claim. The court cites to the In re DoubleClick case and says:

Although demographic information is valued highly . . . the value of its collection has never been considered an economic loss to the subject. Demographic information is constantly collected on all consumers by marketers, mail-order catalogues and retailers . . . we are unaware of any court that has held the value of this collected information constitutes damage to consumers or unjust enrichment to collectors.

__

Yet another decision rejecting claims by plaintiffs who sued over the use of cookies. (See the Specific Media and Interclick cases for other recent examples.) Some courts dismiss on the basis of Article III standing, while others (as in this case) find that plaintiffs failed to allege the requisite elements of causes of action. Whichever route the courts end up taking, they have overwhelmingly rejected these lawsuits. The "personal information as property" argument ends up going nowhere--in the context of tracking, courts don't seem enthusiastic about claims where the damages are premised on loss of value to personal information.

There was an element of plaintiffs’ allegations which did not receive as much attention as I expected. Plaintiffs alleged that Amazon used a piece of code, or a “token” (a P3P "Compact Policy"), which told the user’s browser that no personal information is collected and thus allegedly “tricked” the browser into accepting Amazon’s cookies. (Here is a link to plaintiffs' complaint, which details these allegations.) The court does not reach the question of whether, even if Amazon did "trick" the user’s browser, this translates into misleading the user, or whether there was any implied contractual promise in the P3P Compact Policy in the first place, given that it is a string of code directed at a machine rather than a human. The court instead relies on the fact that plaintiffs have not alleged any harm. In any event, the court cites to the broad disclosures in Amazon’s privacy policy, indicating that the disclosures in the policy will likely trump any claim based on Amazon's allegedly misleading use of the P3P Compact Policy.
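For readers who have not seen one, the "token" at issue is a P3P 1.0 Compact Policy: an HTTP response header of the form P3P: CP="..." carrying a handful of three-letter codes that a browser reads when deciding whether to accept a site's cookies. The following is an added example, not code from this post, from the complaint, or from Amazon. It parses such a header against the P3P 1.0 token vocabulary and reports what the header literally asserts to the browser (for instance the NID token, which is the "no identified data is collected" claim), flagging headers that contain tokens outside the vocabulary so a privacy reviewer can treat them as making no machine-readable claim at all. The sample header strings are constructed for illustration; none is Amazon's actual header.

```python
"""Parse and sanity-check a P3P 1.0 "compact policy" (CP) response header.

Added, constructed example for this post. The sample headers in SAMPLES
are made up and are not any real site's header.
"""
import re
from dataclasses import dataclass, field

# P3P 1.0 compact-policy vocabulary. Tokens that always stand alone:
_PLAIN = {
    "access":           {"NOI", "ALL", "CAO", "IDC", "OTI", "NON"},
    "disputes":         {"DSP"},
    "remedies":         {"COR", "MON", "LAW"},
    "non-identifiable": {"NID"},            # "no identified data is collected"
    "purpose":          {"CUR"},            # CUR takes no consent suffix in the spec grammar
    "recipient":        {"OUR"},
    "retention":        {"NOR", "STP", "LEG", "BUS", "IND"},
    "category":         {"PHY", "ONL", "GOV", "FIN", "UNI", "PUR", "COM", "NAV", "INT",
                         "DEM", "CNT", "STA", "POL", "HEA", "PRE", "LOC", "OTC"},
    "test":             {"TST"},            # test policy: user agents should ignore it
}
# Tokens that may carry a consent suffix: a = always, i = opt-in, o = opt-out.
_SUFFIXED = {
    "purpose":   {"ADM", "DEV", "TAI", "PSA", "PSD", "IVA", "IVD", "CON", "HIS", "TEL", "OTP"},
    "recipient": {"DEL", "SAM", "UNR", "PUB", "OTR"},
}
_CONSENT = {"A": "always", "I": "opt-in", "O": "opt-out"}


@dataclass
class CompactPolicy:
    present: bool = False                         # was a CP="..." clause found at all?
    tokens: list = field(default_factory=list)    # tokens as written, in order
    unknown: list = field(default_factory=list)   # tokens outside the P3P 1.0 vocabulary
    elements: dict = field(default_factory=dict)  # element -> [(token, consent), ...]

    @property
    def well_formed(self):
        return self.present and bool(self.tokens) and not self.unknown

    @property
    def claims_no_identifiable_data(self):
        return "NID" in (t.upper() for t in self.tokens)

    @property
    def is_test_policy(self):
        return "TST" in (t.upper() for t in self.tokens)


def classify(token):
    """Map one CP token to (element, base, consent); None if it is not a P3P token."""
    t = token.upper()
    for element, names in _PLAIN.items():
        if t in names:
            return element, t, None
    for element, names in _SUFFIXED.items():
        if t in names:                       # bare form: the spec's default is "always"
            return element, t, "always"
        if t[:-1] in names and t[-1:] in _CONSENT:
            return element, t[:-1], _CONSENT[t[-1]]
    return None


def parse_p3p_header(header_value):
    """Parse the value of an HTTP 'P3P:' header, e.g. 'CP="NOI DSP COR NID"'."""
    policy = CompactPolicy()
    m = re.search(r'\bCP\s*=\s*"([^"]*)"', header_value)
    if not m:
        return policy                        # policyref only, or no CP clause: nothing to evaluate
    policy.present = True
    for tok in m.group(1).split():
        policy.tokens.append(tok)
        hit = classify(tok)
        if hit is None:
            policy.unknown.append(tok)
        else:
            element, base, consent = hit
            policy.elements.setdefault(element, []).append((base, consent))
    return policy


def audit(header_value):
    """Summarise what a CP header asserts to the browser, for a privacy review."""
    p = parse_p3p_header(header_value)
    return {
        "has_compact_policy": p.present,
        "well_formed": p.well_formed,
        "claims_no_identifiable_data": p.claims_no_identifiable_data,
        "test_policy": p.is_test_policy,
        "categories": sorted(base for base, _ in p.elements.get("category", [])),
        "unknown_tokens": list(p.unknown),
    }


# Constructed sample headers (not any real site's header):
SAMPLES = {
    "no_pii_claim":   'CP="NOI DSP COR NID CUR OUR IND"',
    "tracking_claim": 'CP="NOI DSP COR CUR ADMa DEVa TAIa OUR DELo BUS UNI PUR NAV INT DEM"',
    "typo":           'CP="NOI DSP COR NIDx CUR OUR"',       # NIDx is not a token: no NID claim
    "no_cp_clause":   'policyref="/w3c/p3p.xml"',
}

if __name__ == "__main__":
    for name, header in SAMPLES.items():
        print(name, audit(header))
```

The check is purely syntactic: it tells a reviewer what the header says, not whether a given browser would act on it, and it does not reproduce any browser's own acceptance rules. The useful property for the dispute above is that a token is a claim only when it is in the vocabulary; a near-miss such as NIDx is reported as an unknown token rather than as a "no identified data" assertion.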

Plaintiffs (and their lawyers) who have brought the latest wave of cookie lawsuits must be feeling pretty discouraged at this point. They’ve tried every conceivable variation of every possible argument and have gotten nowhere in the courts. We will see if they have better luck on appeal.

Related posts:
A Look at the Commercial Privacy Bill of Rights Act of 2011
Flash Cookies Lawsuit Tossed for Lack of Harm--La Court v. Specific Media
Judge Recognizes Loss of Value to PII as Basis of Standing for Data Breach Plaintiff -- Claridge v. RockYou
Another Lawsuit over Flash Cookies Fails -- Bose v. Interclick
LinkedIn Beats Referrer URL Privacy Class Action on Article III Standing Grounds--Low v. LinkedIn

Posted by Venkat at 07:00 AM | Privacy/Security



December 01, 2011

Spiritual Group's Attempt to Unmask Online Critics Goes South--Art of Living Foundation v. Does

[Post by Venkat Balasubramani]

Art of Living Foundation v. Does, 10-cv-05022-LHK (N.D. Ca.; Nov. 9, 2011)

Art of Living Foundation is an organization based in India that is dedicated to teaching the spiritual lessons of “His Holiness Ravi Shankar.” Defendants are disgruntled former “student-teachers and students” of plaintiff who want to bring to light their view that AOLF is a “manipulative and abusive cult.” Defendants posted blogs under the pseudonyms “Skywalker” and “Klim.”

AOLF sued, alleging various claims including defamation, misappropriation of trade secrets, copyright infringement and trade libel. AOLF also alleged that defendants published AOLF’s copyrighted “Breathe Sound Water Manual.” AOLF sought leave to conduct expedited discovery. This request was approved and AOLF issued subpoenas to Google and Automattic. Before Google and Automattic complied with the subpoenas, defendants appeared through counsel and moved to dismiss AOLF’s defamation claim, strike its trade secrets claim, and also moved to quash the discovery. Skywalker acknowledged that he published the manual, but said that he posted this solely as part of his larger campaign to bring awareness to his views about AOLF.

While the motion to quash was pending, the court granted defendants’ request to dismiss the defamation claim, and struck the trade secrets claim. AOLF filed an amended complaint limiting its claims to copyright infringement and misappropriation of trade secrets. Magistrate Judge Beller granted the motion to quash as to Klim but denied it as to Skywalker, relying largely on the fact that a prima facie claim of copyright infringement is sufficient to overcome the right to anonymity. Judge Koh, reviewing Magistrate Judge Beller’s order, finds that AOLF failed to overcome Skywalker’s right to remain anonymous and quashes the subpoena as to Skywalker.

In a characteristically excellent order, Judge Koh canvasses the various standards courts apply in resolving anonymity issues. Some courts have required plaintiffs to make a prima facie showing before ordering disclosure, while others have demanded admissible evidence establishing each element of a claim. The Ninth Circuit recently held that in resolving the disclosure issue, courts should keep in mind the nature of the speech (e.g., purely commercial versus purely political) as well as the potential chilling effect of ordering disclosure (In re Anonymous Online Speakers). Finally, and most troubling for the defendants, a widely cited 2004 decision from the Southern District of New York found that a prima facie allegation of copyright infringement entitles the plaintiff to identify doe defendants (Sony Music v. Does).

Defendant raised a fair use argument, but the court does not rely on the possibility of non-infringement in resolving the disclosure issue. The court notes that “evidence of copyright infringement does not automatically remove the speech at issue from the scope of the First Amendment.”

The court employs a balancing test where it weighs the harm to plaintiff and defendants. Disclosure of Skywalker’s identity would have a chilling effect on other bloggers, and this weighed heavily in favor of defendants. With respect to harm to the plaintiff from quashing the subpoena, the court finds that AOLF would not suffer a comparable harm. AOLF could proceed in the litigation without knowing Skywalker's identity—Skywalker had responded to written discovery, and if necessary, AOLF’s counsel could even conduct a deposition via telephone (or alternatively, Skywalker’s identity could be revealed on an attorneys’ eyes only basis). Ultimately, AOLF was unable to make a compelling argument that it needed to discover Skywalker’s identity at this point in the litigation. It raised a weak argument that it needed to find out the revenues generated from Skywalker’s blog but the court notes that this information could be gleaned through other sources, such as Google and Automattic.
__

This is a nuanced result. The court recognizes that the copyright claim is not particularly strong, and there is a good chance this is the end of the road for Art of Living Foundation. The earlier dismissal of its defamation claim (and accompanying liability for attorney's fees) is a serious blow, but the court's rejection of its request to unmask Skywalker deprives AOLF of what it was looking to get out of this lawsuit--early identification of a pseudonymous blogger. On the merits of the copyright claim, Skywalker may win on his fair use defense or successfully argue that the damages are minimal at best. (See generally, the Righthaven debacle.)

The overall takeaway is that if you as a blogger face a claim for garden-variety copyright infringement, this type of a ruling shouldn't give you much hope. Courts will readily cite to Sony Music v. Does and order compliance with a subpoena seeking your identification. If, on the other hand, a plaintiff is using a weak copyright claim to get at you for bad-mouthing the plaintiff, a court may see it for what it is, and deny the requested discovery. Of course, this depends on your luck of the draw and requires you to be in front of a thoughtful judge and have good representation. (The ACLU, EFF, and Public Citizen weighed in as amici, which didn't hurt.) It also requires that service providers don't jump the gun when responding to subpoenas seeking identification. I'm sure on a daily basis, numerous posters and bloggers are unmasked because the circumstances are different from those in this case. Additionally, "garden-variety" copyright infringement unmaskings never get to court at all; service providers routinely make disclosures under section 512(h) without the alleged infringer even knowing it.

Added: Art of Living approached me and asked if I would add a link to an explanatory letter from them explaining their motivations in bringing the lawsuit. I've uploaded it to Scribd here.

Other coverage:
Public Citizen: Federal Judge Protects Anonymity of Blogger Despite the Allegedly Infringing Posting of a Copyrighted Teaching Manual
Techdirt: Courts Can't Ignore Free Speech Concerns Just Because Someone Claims Copyright Infringement
Wendy Davis: Court Rejects Bid To Unmask "Art of Living" Critic
RCFP: Federal judge preserves blogger's anonymity

Posted by Venkat at 04:45 PM | Copyright , Privacy/Security



November 30, 2011

Pennsylvania Court Orders Personal Injury Plaintiff to Turn Over Facebook Password to Defendant -- Largent v. Reed

[Post by Venkat Balasubramani]

Largent v. Reed, 2009-1823 (Pa. Ct. of Common Pleas; Nov. 8, 2011)

Keith and Jessica Largent were involved in an accident in 2007. They sued Jessica Rosko and Sagrario Pena alleging negligence and loss of consortium. During Ms. Largent’s deposition, defense counsel realized that Ms. Largent had a Facebook profile and she “used it regularly to play a game called FrontierVille.” Largent refused to turn over any information about the account, and Rosko moved to compel Largent to disclose her Facebook username and password.

Rosko argued that Largent’s profile was “public,” and certain posts to Largent’s Facebook account contradicted her claims of “serious and severe injury.” Specifically, Rosko claimed that Largent posted photographs that depict her “enjoying life with her family and a status update about going to the gym.”

The court starts by noting that Pennsylvania discovery rules are broad and “the relevancy threshold is slight.” The court also notes that Rosko claimed a “good faith” basis for seeking the material in question: “[t]he information sought by Rosko might prove that Largent’s injuries don’t exist, or that they are exaggerated.”

If there is no applicable privilege or statutory bar, the information must be turned over. On the privilege issue, the court says:

[t]here is no confidential social networking privilege under existing Pennsylvania law. There is no reasonable expectation of privacy in material posted on Facebook. Almost all information on Facebook is shared with third parties, and there is no reasonable privacy expectation in such information.

As far as a statutory bar, the Stored Communications Act was the obvious possibility. The court recognizes the complexity around the statute and its applicability to the types of communications at issue, but says that “the minutae are irrelevant for [the present] purposes.” Only one court has addressed whether Facebook communications are covered by the SCA (Crispin v. Audigier) and the court distinguishes that case on the basis that in that case the information was sought directly from the provider. In this case, Rosko is seeking the information from Largent directly:

[t]he SCA does not apply because Largent is not an entity regulated by the SCA. She is neither a RCS nor an ECS, and accessing Facebook or the internet via a home computer, smartphone, laptop, or other means does not render her an RCS or ECS.

Largent argued that granting Rosko’s motion was akin to “asking her to turn over . . . her private photo albums and requesting to view her personal email,” and would cause embarrassment and annoyance, but the court rejects these arguments. With respect to the possibility of embarrassment, the court says that because the posts are not truly private anyway, there can be no credible argument that disclosing the information would cause unreasonable embarrassment. As to the issue of annoyance to Largent, the court says the costs will be borne by Rosko, and:

Largent can still access her account while Rosko is investigating.

The court orders Largent to turn over her Facebook login information to defense counsel within 14 days of the date of the order. Defense counsel then has a 21-day window in which to inspect Largent's profile. After this window elapses, the court says that Largent may change her password.
__

I think we can all agree that the court's reminder that just because you posted something on a social network does not mean that it's privileged or off-limits is useful. The court is also right that it is folly to assume that anything posted to a social network (or for that matter, anywhere) is truly "private." These points can't be made often enough. That said, I think as with other Facebook discovery disputes, the resolution here is clunky and fails to account for the varied nature of the information that is stored in someone's Facebook account. This may range from private, e-mail-like communications with someone's lawyer or psychologist (should be privileged) to pictures of you frolicking on the beach which are published without any privacy restrictions at all (which are not privileged and undoubtedly relevant). Under the court's order, this distinction does not matter, and defense counsel is free to rummage around in Largent's Facebook account freely. (Kash Hill blogged about a discovery dispute with a similar result. A divorcing couple was forced to swap Facebook and dating site log-ins: "Judge Orders Divorcing Couple To Swap Facebook And Dating Site Passwords.") Some intrusion is expected and tolerated when you bring a claim for personal injury and maybe this is the cyber version of the independent medical examination. [As a sidenote, while it's problematic to delete any profiles while litigation is pending, if you are the plaintiff and you assert a claim for personal injury, you may want to delete your profile or deactivate it before you file suit. Added: check with your lawyer before you delete any profiles. Someone pointed out that the duty to preserve evidence arises before you file suit, so the pre-suit deletion of profiles may be ill advised.]

Of course, sharing your Facebook credentials with a third party is a violation of Facebook's terms of service--we all know that accessing a site in violation of its terms of service can come with stiff criminal penalties (the court even cites to US v. Drew in its order).

I don't have a great solution for this. It would be nice if Facebook allowed you to generate some sort of log of all of the items you have posted or sent around. This way the parties and the court can focus on what's relevant without an opponent having to rummage around in your account.

In the meantime, if you are a litigant in a civil lawsuit and you post something online that you hope some folks don't see, just as with email, or any electronic media for that matter, realize that IT WILL COME BACK TO HAUNT YOU.

[NB: the court's order has some nice snark, including footnote 3: "Facebook currently does not allow a person to "dislike" (or in Facebook parlance, "un-like") a friend's post, probably for good reason."]

[Added: Lance Peterman suggests the ThinkUp app from Gina Trapani. I have not checked it out, but if it allows you to produce a comprehensive log of your Facebook posts, communications, and other activity, it may be useful for these types of discovery disputes. Another alternative may be the "download your information" feature which Facebook offers.]

Other coverage:

Drug & Device law: Another Excellent Facebook E-Discovery Opinion
Law.com No Reasonable Expectation of Privacy on Facebook, Pa. Judge Says

Previous posts:

"Court Orders Disclosure of Facebook and MySpace Passwords in Personal Injury Case -- McMillen v. Hummingbird Speedway"
"Judge Offers to Facebook 'Friend' Witnesses in Order to Resolve Discovery Dispute -- Barnes v. CUS Nashville"
"Facebook Messages/Wall Posts, Civil Discovery, and the Stored Communications Act -- Crispin v. Audigier"
"Plaintiff Can't be Forced to Accept Defense Counsel's Facebook Friend Request in Personal Injury Case -- Piccolo v. Paterson"
"Court Orders Plaintiff to Turn Over Facebook and MySpace Passwords in Discovery Dispute -- Zimmerman v. Weis Markets, Inc."

Posted by Venkat at 09:24 AM | Evidence/Discovery, Privacy/Security



November 29, 2011

Facebook Settles With the FTC -- In re Facebook, Inc.

[Post by Venkat Balasubramani, with comments from Eric]

In re Facebook, Inc. (Nov. 29, 2011) (Settlement & Proposed Consent Decree [pdf]) (Mark Zuckerberg's blog post)

The FTC announced its long-rumored settlement with Facebook. The key terms:

• Facebook is barred from making representations about the “privacy or security” of consumers’ personal information;

• Facebook must get end user approval before it enacts changes which “override” consumer preferences;

• Facebook is required to prevent anyone from accessing a “user’s material” within 30 days of a user’s deletion of his or her account;

• Facebook must enact a “comprehensive privacy program”;

• Facebook must undergo periodic privacy audits conducted by independent third parties.

Facebook is under the FTC’s jurisdiction for 20 years.
__

The FTC’s complaint and its explanation shed some light on the scope of the settlement. Among other things, the complaint alleged: (1) Facebook shared information such as “friends lists” without warning users that it would change the default; (2) shoddy security practices around third party apps, which were permitted to access information beyond what was necessary to operate the apps; (3) Facebook shared personal information with advertisers when it said it wouldn’t; (4) Facebook continued to allow access to profiles after end users had deleted them; and (5) Facebook claimed it complied with EU Safe Harbors when it didn’t.

Given the numerous missteps (or some would say, overt disregard for user privacy) by Facebook, this was inevitable. As Eric mentions in his comments, Twitter and Google are both under similar consent decrees, and now with Facebook having agreed to a proposed settlement, the FTC has achieved de facto regulation of the biggest social networks.

The big question is what this will mean for Facebook’s advertising practices. It will undoubtedly make it harder for Facebook to permeate as a platform without clearly disclosing changes to users (the Facebook feature that alerts your friends when you are reading an article probably warrants more robust disclosure as a result of this decree), but will Facebook’s garden-variety targeting be affected in any way? I’m guessing not. (The definition of “third party” in the settlement carves out a “service provider . . . [who] uses the . . . information for and at the direction of [Facebook] and no other individual or entity and for no other purpose [and] does not disclose the . . . information, or any individually identifiable information derived from such information, except for, and at the direction of, [Facebook], for the purpose of providing services requested by a user . . . .” Query as to how this carve-out affects Facebook’s advertising practices.)

The provisions about “privacy changes” seem to apply prospectively. I assume Facebook rolled back all of the objectionable changes which precipitated consumer complaints in the first place, so it's not as if Facebook gets a free pass on its overreaches to date. Still, it’s interesting that the settlement did not specify the various changes over the past couple of years that spurred the FTC into action.

The part about deleted profiles was interesting in that the settlement only says that Facebook agrees to not “allow third party access” to profile information. There’s nothing about Facebook purging the information, so I assume it can still be subpoenaed.

I question whether the settlement comes too late for Facebook. It has fooled users not once, or twice, but on a regular basis. (Facebook is like the stereotypical person in an abusive relationship. It doles out the punishment and people keep coming back on hearing a promise that it will make things right.) In a way, the settlement may be a boon to Facebook. It has failed to keep its promises of its own accord, but now it can point to the imprimatur of the FTC settlement and say: “like Twitter and Google, we too are under the thumb of the FTC…you don’t have to take our word for it that we will make good on our privacy promises!”

[NB: the numerous privacy class actions against Facebook have all been dismissed or are otherwise languishing and are likely to be dismissed. This settlement should not have any effect on those lawsuits one way or another, although Zuckerberg’s blog post contains a broad mea culpa that may sway a judge or a factfinder. If plaintiffs can get past the damages/standing issue, they are sure to wave that around.]
____

Eric's Comments

1) The FTC's privacy rules are quite easy to follow. Tell users the truth, and don't change the rules mid-stream without users' consent. We've all known that Facebook repeatedly cuts corners when it comes to its privacy promises. Like most Internet companies, they thought they could get away with it. They didn't.

2) The fact Facebook violated these rules is bad legally, but it's even worse for Facebook’s user relations. Few Internet brands as big as Facebook have so many users that feel apathetic—or downright antagonistic—towards the service. This isn't a recipe for long-term success.

3) Surprisingly, although the collateral material discusses third party apps, the settlement doesn’t crack down on Facebook's API and the stunning amount of personal data (about both users and their friends) that third parties can pull from Facebook without any meaningful supervision. Even so, I can't imagine Facebook's API will continue to work as it's currently working for the indefinite future.

4) The FTC is on the way to making a clean sweep of settlements with major Silicon Valley Internet players. See our blog posts on the Twitter and Google Buzz settlements. It seems inevitable that the FTC will eventually put all of them under a monitoring program. In effect, the FTC is manufacturing de facto legislation through its Silicon Valley tour-de-force.

5) Add in the DOJ's extraordinary attention to the Silicon Valley, especially Google, and it's clear that DC regulators intend to have the final word about Silicon Valley business practices.

Posted by Venkat at 11:42 AM | Privacy/Security



November 27, 2011

Redbox Can be Liable Under the Video Privacy Protection Act for Failure to Purge Video Rental Records -- Sterk v. Redbox

[Post by Venkat Balasubramani]

Sterk v. Redbox, 11 c 1729 (N.D. Ill. Aug 19, 2011)

Redbox is a company which rents DVDs to customers from automated, self-service kiosks, typically charging $1 per rental. The customer is required to return the DVD the following day and, if the customer fails to do so, the customer is charged a late fee. If the customer is twenty-five days late, then the customer is charged the price of the DVD (at which point the customer owns the DVD).

Plaintiffs filed a putative class action, alleging that Redbox maintained customers' credit card billing information, along with their "video programming viewing histories," in violation of the provisions of the Video Privacy Protection Act. The VPPA has a section ("subsection 2710(e)") which says that:

a person subject to this section shall destroy personally identifiable information as soon as practicable, but no later than one year from the date the information is no longer necessary for the purpose for which it was collected and there are no pending requests or orders for access to such information under subsection (b)(2) or (c)(2) or pursuant to a court order.

Plaintiffs alleged that Redbox violated subsection 2710(e).

Does the VPPA Create a Private Cause of Action for Wrongful Retention of Video Rental Records: Redbox argued that the statute only provides for a private action for wrongful disclosure, not for the "wrongful retention" of video rental records. The court rejects this argument, noting that the subsection authorizing a private right of action (subsection 2710(c)) says that any person aggrieved by a violation of "this section" may file a suit.

The court interpreted the language referring to "this section" as a reference to section 2710--i.e., the entire statute. The court looks to the "House Legislative Counsel's Manual on Drafting Style," which provides a hierarchical breakdown of statutes (by sections, subsections, paragraphs, subparagraphs, and clauses) and the fact that Congress adhered to this hierarchy in other parts of the statute. Redbox pointed to another part of the statute dealing with court-ordered disclosures, where Congress used the term "section" arguably somewhat imprecisely, to argue that Congress did not consistently use the term "section" in the statute. The court rejects this argument on the basis that provisions dealing with court-ordered disclosures are contained in several different subsections, so the use of the term "section" in section 2710(b)(3) is not a mistake, or alternatively does not support the argument that Congress used the term "section" ambiguously in subsection (e).

The court also distinguished a Sixth Circuit decision (Daniel v. Cantrell) which held that only subsection (b) can form the basis of liability under the VPPA. In that case, the court held that only subsection (b) "includes language relating to liability," and if Congress intended a private right of action for violations of subsections (d) and (e), it would have included the private right of action language at the end of the statute, rather than preceding subsections (d) and (e).

Redbox also argued that the legislative history of the VPPA supported its theory that Congress did not provide for a private right of action for the wrongful retention of records, pointing to the Senate Report, which stated that the goal of the statute was to "reduce the chances that an individual's privacy will be invaded, by requiring the destruction of information in an expeditious fashion." The court says that the legislative history is inconclusive, and in any event, the court need not resort to it since the statute is not ambiguous.

Did Plaintiffs State a Claim for Wrongful Retention Under the Statute: Redbox also argued that it collected the information for the purpose of "recouping late fees," and at worst, Redbox had one year from the date of collection to purge the information. The court disagrees with Redbox and says that the statute does not say that a provider always has at least 1 year to purge the information. According to the court, this interpretation of the statute reads the phrase "as soon as practicable" out of the statute. Redbox argued alternatively that it collected the information for marketing and advertising purposes, but this is only allowed if the provider gives the customer the opportunity to opt out "in a clear and conspicuous manner." Sterk alleged that the opt-out was not conspicuous, and the court treats this as a factual dispute which cannot be resolved at the motion to dismiss stage. [Although the court does not rely on this allegation in resolving the motion to dismiss, plaintiffs alleged that Redbox changed its disclosure practices and included a more prominent link to Redbox's terms of use and privacy policy after the lawsuit was filed.]
__

Oy. I'm guessing Congressional staffers who were involved in drafting the Video Privacy Protection Act are cringing as they read this decision.

It's interesting that video rental records are carved out for such special protection under the law. (The VPPA was passed in 1988, in the wake of then-judge Robert Bork's confirmation hearings.) Imagine if we had a similar law in place for book records or web-surfing records!

At any rate, Redbox is potentially on the hook for statutory damages under the VPPA, regardless of whether it used or misused its customers' video rental records in any way. It's unclear as to whether other online "video tape service providers" are going to be tagged with similar lawsuits. Netflix is in the firing line. (See "Close-Up: Netflix Hit With Privacy Suit.") Are Amazon, Apple, and Hulu next?

The craziest part of the lawsuit is that video rental companies can avoid liability by taking the largely ministerial step of procuring their customers' consent to the disclosure of rental records. (Given that Redbox is not some bootstrapped start-up, it's surprising that it did not take this step in the first place.) Although the consent provisions don't appear to expressly insulate records retention, consent needs to be "written" if the provider wants to disclose the information in question. Recently introduced legislation, supported by Netflix, would allow consumers to give blanket authorization to disclosure by video rental companies and to provide such authorization online. (See Tech Daily Dose: "Calling Robert Bork" (reporting on H.R. 2471).) Interestingly, the proposed legislation does not clearly cover the retention of records and only covers their use and disclosure.

[Since this ruling, Redbox moved to reconsider or, in the alternative, sought permission to take an interlocutory appeal, and this motion is pending. In the meantime, the court also denied Redbox's motion to dismiss plaintiffs' consolidated amended complaint. (Here is a copy of the court's minute order denying Redbox's motion.) Redbox in its answer also asserted the affirmative defense that the statute is unconstitutional.

Also, note that the ruling is from August of this year. This one languished in the queue.]

Additional coverage:

N.D. of Ill. Judge Allows VPPA Privacy Lawsuit to Go Forward (Sedgwick)

Posted by Venkat at 08:10 AM | Privacy/Security



November 17, 2011

App Developer RockYou Settles Privacy Lawsuit--Claridge v. RockYou

[Post by Venkat Balasubramani with comments from Eric]

Claridge v. RockYou, 09-CV-6032-PJH (N.D. Cal.; Nov. 14, 2011) (settlement pending court approval)

Eric and I previously blogged about the opinion in Claridge v. RockYou, where the court tentatively recognized the theory that personal information may be an end user's property and thus a misappropriation of that data can satisfy Article III standing. ("Judge Recognizes Loss of Value to PII as Basis of Standing for Data Breach Plaintiff.") RockYou is an app developer who claimed to have 130 million unique customers using its apps on a monthly basis. It was hit with a security breach, which allegedly affected the log-in credentials of 32 million RockYou users. Claridge sued, and RockYou and Claridge settled the dispute.

The principal terms of the settlement:

- RockYou consents to an injunction for 36 months, requiring it to undergo two audits during this time (the audits will be conducted by an independent third party selected by "defendant") [i.e., RockYou];

- RockYou is bound by the injunction to the extent it continues to collect consumer information "as alleged in the" lawsuit;

- Claridge gets $2,000 for his time and efforts, and plaintiff's counsel gets $290,000;

- RockYou "represents and warrants that it is financially unable to provide the monetary relief sought by [Claridge]".

The settlement is subject to court approval and only resolves the claims for injunctive and declaratory relief with prejudice as to the proposed class. Someone else is not precluded from bringing another class action, but they have to seek money damages and cannot rely on injunctive relief.
__

The court/agency-monitored audit requirement is in vogue. Soon, it's possible that every single network will have a court or agency imposed requirement to undergo periodic privacy/security audits. (As part of settlements with the FTC, Twitter and Google agreed to periodic audits.) The efficacy of these audits is not clear and surely depends on the scope of the audit and who conducts it. In this case, the audit requirement is toothless since RockYou chooses its auditor. There is also no discussion of what action on RockYou's part facilitated the breach and what corrective steps it would take.

Paragraph 2 of the settlement was confusing. RockYou is only bound by the injunction to the extent it continues to collect and maintain information as alleged in the complaint? Or is RockYou indefinitely subject to the injunction if it continues to collect and maintain such information? How much does RockYou have to change its business practices such that it's not bound by the injunction? Something broader, that required RockYou to be bound any time it collected consumer information, makes more sense. Also, what happens to the information RockYou previously collected if it "exits the business"?

The attorneys' fees figure in this settlement ($290,000) is significantly less than what has been paid in previous cases (Google Buzz: $2.5mm; TD Ameritrade: $500K, knocked down from $1.8mm; Facebook Beacon: $2.8mm, currently on appeal to the 9th Circuit).

I'm not sure if the attorneys' fees figure is related to this, but RockYou's representation that it is "financially unable" to shell out money to the Proposed Class was worth noting. Does this mean it's on the ropes financially? It's interesting that Claridge did not go after the platforms the RockYou apps were run on top of. The responsibility of networks and platforms to police the conduct of app developers is a brewing issue.

Of course, one downside of the settlement is that the court's earlier order remains on the books.

Related posts:

Beacon Class Action Settlement Approved -- Lane v. Facebook

The FTC's Proposed Settlement With Google Over Buzz Privacy Breaches
The FTC Dings Twitter's Security Practices -- What Does This Mean for Everyone Else?
Court Approves TD Ameritrade Data Breach Settlement -- In re TD Ameritrade

Google Settles Buzz User Privacy Litigation
_____________

Eric's comments

This is an odd settlement. The plaintiff class got virtually nothing from RockYou--no relief for the class and de minimis promises from RockYou. The plaintiff's lawyer didn't even get a particularly big payday, although they do expect to get paid even if the "victims" don't get a dime. This financial dichotomy makes me wonder if the judge will approve this settlement. I would expect the judge to ask more questions about RockYou's purported poverty (see Paragraph 5) given it's the excuse for not paying anything to the class. Paragraph 5 sounded to me more like a preference (RockYou would prefer not to pay out more money) than a necessity (RockYou is on death's door). RockYou clearly isn't raking in the dough--it just laid off over half its staff--but they are claiming they'll be profitable within the next year, they have raised nearly $130M in financings, and they surely have cash remaining in the bank.

Because the lawyers are getting paid while the class is getting bubkus, the judge surely can't miss the possibility that the lawyers sold out the class to advance their own profit-seeking interests. That would be a good basis to reject the settlement. Personally, I hope the judge does reject it so that the plaintiff's lawyers don't even get these crumbs and so that RockYou will keep litigating to demonstrate the lack of merit to the plaintiffs' claims.

The ongoing promises by RockYou are ambiguous. There's a fatal typo in the settlement agreement. Paragraph 2 reads "RockYou’s shall be bound by the injunction described in Section 2.1 above, so long as it is engaged in the business of collecting and maintaining consumer records as alleged in the Action." Putting aside the minor typo (the possessive "RockYou's"), the provision references "Section 2.1 above," which doesn't exist. Unlike Venkat, I have no idea what additional obligations RockYou is undertaking other than the 2 audits referenced in Paragraph 1.

It's a bummer the agreement leaves the existing opinion in place. I wish the parties had agreed to ask the judge to vacate it. Even though other courts haven't embraced the judge's data-as-valuable-property argument (see, e.g., the Low v. LinkedIn opinion), with the opinion still on the books, plaintiffs will keep citing it (and clearing the Rule 11 bar) until an appellate court wipes it away--a result that could take years. Until then, the existing opinion gives plaintiffs false hope, spurring many more meritless actions. Just what we need.

Posted by Venkat at 03:08 PM | Privacy/Security



November 14, 2011

LinkedIn Beats Referrer URL Privacy Class Action on Article III Standing Grounds--Low v. LinkedIn

[Post by Venkat Balasubramani with comments from Eric]

Low v. LinkedIn, 2011 WL 5509848 (N.D. Ca.; Nov. 11, 2011)

Low brought a putative class action against LinkedIn, complaining about the fact that LinkedIn "allows transmission of users' personally identifiable browsing history and other personal information to third parties, including advertisers, marketing companies, data brokers, and web tracking companies . . . " He asserted a variety of different claims, including under the Stored Communications Act, the California Constitution, breach of contract, conversion, and California consumer protection statutes. The Court finds that Low failed to satisfy Article III standing and dismisses (with leave to amend).

The complaint alleged that LinkedIn assigned users unique user IDs, and LinkedIn "links and transmits the user ID number to third party tracking IDs ('cookies')." This allows third parties to track the online browsing histories of users, which is linked to LinkedIn's unique user ID (using which third parties can probably determine the identity of the user). [It's unclear from the ruling whether transmitting the user ID is a mistake on LinkedIn's part or whether it was all part of some nefarious Orwellian scheme to track everything and everyone. It was also unclear whether LinkedIn was allegedly compensated for this. I didn't check, but I presume LinkedIn has taken corrective measures.]

Emotional harm: Low argued that he suffered "embarrassment and humiliation caused by the disclosure of his personally identifiable browsing history." But apart from a general allegation that the disclosure of someone's browsing history to third parties would be embarrassing, Low failed to highlight what information was actually disclosed. Additionally, Low also failed to allege that a third party actually linked the browsing history with his identity, as opposed to his LinkedIn unique ID. To the extent Low tried to rely on the future disclosure of information the court says that this is too conjectural and hypothetical.

Economic harm: Low's argument for how he had been economically harmed by LinkedIn's practices was that his browsing history was a marketable piece of property and he was not compensated for LinkedIn's transfer of this property to third parties. The court recaps the cases on this issue (Specific Media; In re iPhone App Litigation; DoubleClick; In re JetBlue) and says Low failed to allege how he was economically harmed by LinkedIn's practices. In particular, the court says Low failed to allege how he was prevented from capitalizing on the value of his personal data. Low cited to Krottner v. Starbucks and Doe 1 v. AOL and argued that the mere disclosure of personal information may create standing. The court says that these cases are distinguishable in that they involved the disclosure of sensitive or private information. Krottner involved the theft of a laptop which contained the private information of employees, including names, addresses, and social security numbers. Although the Ninth Circuit said that plaintiffs were not entitled to relief since they were provided credit monitoring, the court found that loss of sensitive information was enough to satisfy standing. The AOL ('search Valdez') case involved the packaging and distribution of a huge quantity of search data, which included similarly sensitive information, along with sensitive search information. In this case, the court says that Low's allegations are easily distinguishable from Krottner and AOL, and are not sufficient:

Low has not alleged that his credit card number, address, and social security number have been stolen or published or that he is a likely target of identity theft as a result of LinkedIn's practices. Nor has Low alleged that his sensitive personal information has been exposed to the public. Indeed, the Plaintiff has failed to put forth a coherent theory of how his personal information was disclosed or transferred to third parties, and how it has harmed him. Accordingly, Low has failed to allege an injury-in-fact.

The court also footnotes the issue that violation of a statutory right may in some cases confer standing on a plaintiff, but does not delve into it since plaintiff did not raise this issue and plaintiff was given leave to amend.
__

This is a helpful order because it recaps many of the recent cases dealing with the issue of what type of harm a plaintiff must allege. Judge Koh, who wrote the order dismissing plaintiff's claims, also authored the iPhone Privacy opinion, where she methodically picked apart plaintiff's claims. (See iPhone Privacy Class Action Dismissed for Lack of Standing -- In re iPhone App. Litigation.) Judges in the Northern District of California have heard a slew of potential class action privacy lawsuits over the last couple of years and have almost uniformly rejected them. One of the common problems in these cases is that the plaintiffs are not able to articulate with much clarity what practices they are complaining of and how exactly the practices harmed the plaintiff. What often spurs these lawsuits is a research finding or a media report about a company's practice. The lawsuit does not start with the plaintiff who suffers an injury or a negative consequence.

The idea that a company's exploitation of your browsing history or viewing habits causes you economic injury is not getting much traction. Courts are mostly saying that in order to allege economic damages, it's not sufficient to argue that the information has some value in an advertiser or a network's hands--you have to allege that their use of the information somehow impeded your ability to exploit the information. To my knowledge, the RockYou case is the only one to accept the "PII as property" argument, but the court did so reluctantly, and expressed skepticism over the ultimate fate of this theory. (Here's my earlier blog post on the RockYou case: "Judge Recognizes Loss of Value to PII as Basis of Standing for Data Breach Plaintiff.")

This is not the end of the road for this case, as the court grants leave to amend the complaint, but the court says clearly what type of injury the plaintiff has to allege, and I'm somewhat skeptical that the plaintiff will achieve a better result in round 2.

Related Posts:

Starbucks Data Breach Plaintiffs Rebuffed by Ninth Circuit -- Krottner v. Starbucks
AOL's Disclosure of Search Data May Support Claims Under California Law
Another Lawsuit over Flash Cookies Fails -- Bose v. Interclick
Flash Cookies Lawsuit Tossed for Lack of Harm--La Court v. Specific Media
iPhone Privacy Class Action Dismissed for Lack of Standing -- In re iPhone App. Litigation
Judge Recognizes Loss of Value to PII as Basis of Standing for Data Breach Plaintiff -- Claridge v. RockYou

_____

Eric's Comments

1) LinkedIn should never have included a unique ID in its referrer URLs. Same with the other websites that undertook the practice. That was an avoidable error on their parts.

2) Article III standing is an awkward way of disposing of the referrer URL cases. However, at this point, knowing that defendants are going to bring an Article III challenge, it's becoming embarrassing for plaintiffs' lawyers to bring such weak arguments about the plaintiffs' harms. If you're going to bring a privacy lawsuit, find a plaintiff who actually suffered tangible harms and then allege those harms. If you can't, let it go.

3) Allegations of "embarrassment and humiliation" as the harm for Article III standing in a privacy class action suit, without specific facts explaining how, should always fail.

4) I thought the whole "data as property" meme died a decade ago. I agree with Venkat that the RockYou case hasn't opened up a hole for the plaintiffs, but it's too bad that court gave the glimmer of hope to the plaintiffs.

5) I know why Judge Koh gave the plaintiffs another chance, but I'll be surprised if they do any better on round 2. I hope future judges will squelch these low-merit privacy suits even more quickly as the plaintiffs continue to make the same pleading errors over and over again.

Posted by Venkat at 01:20 PM | Privacy/Security



November 04, 2011

Minnesota Appeals Court Says Tracking Statute Excludes Use of GPS to Track Jointly Owned Vehicle -- State v. Hormann

[Post by Venkat Balasubramani]

State v. Hormann, A10-18722 (Minn. Ct. App. October 19, 2011)

Hormann was charged with installing a tracking device on his then-wife's car, in violation of a Minnesota statute prohibiting the use of, among other things, tracking devices without a court order. (Minn. Stat. 626A.35.)

As recounted in the order, in March 2010, the victim had a mechanic inspect the car, and the mechanic found a tracking device magnetically attached to the underside of the car. In January of that year, the victim testified about an incident involving domestic violence. In response, the victim moved out, but the defendant sent her text messages "commenting on where she had been and otherwise indicating that he was . . . monitoring her movements." She also testified that the defendant allegedly put spyware on her cell phone that "allowed him to intercept her text messages and that he also seemed to know everything she was doing on the family computer." The defendant was also involved in an incident where the defendant allegedly located the victim in a lakeside cabin, "entered the cabin, and physically attacked an acquaintance of [the victim's]."

The statute excluded the use of a mobile tracking device when it was used to track an object with the "consent of the owner." Hormann argued that because he had an ownership interest in the vehicle, the statute could not be used to convict him.

The court finds that the statute's use of the word "owner" is ambiguous in this context, and the drafters did not anticipate the scenario where an object has more than one owner. The court looks to Minnesota's vehicle-title rule for the definition of "owner." The vehicle-title statute defined owner to include a person who has "property in [sic] or title to a vehicle." A person entitled to "use" the vehicle was encompassed within the definition of "owner."

The court found that Hormann was entitled to use the vehicle. The vehicle was purchased with marital funds and thus presumptively marital property. There was also evidence in the record that Hormann used the vehicle on occasion. (At oral argument, the state conceded that it would not prosecute Hormann for auto theft if Hormann was found to be driving the vehicle, even without the victim's consent.) The evidence with respect to title to the vehicle was also favorable to Hormann. While the victim was shown to be the sole registered owner, Hormann produced evidence that the victim signed title over to Hormann (the testimony at trial showed that this transfer was done to facilitate the sale of the vehicle and the transfer was never recorded). According to the court, this transfer demonstrates how "incidents of formal ownership of marital property may not accurately reflect who is using a vehicle."

The court applies the rule of lenity to construe the statutory ambiguity narrowly, and holds that the exception applies where the vehicle or object has multiple owners, and one of the owners consents to the tracking device.
__

Divorces are fertile ground for privacy issues, and in previous posts I've speculated about the effect of joint ownership rules on privacy violations. A New Jersey (civil) case involved GPS tracking, and although the court did not raise the issue and there was no statute expressly aimed at tracking, I wondered about the fact that "since the wife owned the car, she could have argued that she had the right to track its movements." (The New Jersey case was decided largely on the grounds that the vehicle in question was on publicly visible roadways, where the driver enjoyed a diminished expectation of privacy.) The issues can be less clear when it comes to emails, since spouses sometimes maintain joint email accounts, and there's not always a clear "owner" of a particular account. On the other hand, statutes which are aimed at communications provide for exceptions based on the consent of the parties to the communications, and ownership of a phone or an email account will not provide an easy out under those statutes. In this case, the victim alleged that the now-former husband infringed on her privacy in other ways (e.g., installing spyware on her computer and her cell phone), but the focus of the charge was the tracking.

It may be too early to have a meaningful tally, but I wonder if courts are more tolerant of spouses who engage in tracking while in the midst of a divorce or separation. As always, soon-to-be ex-spouses who track and listen in should beware.

Additional coverage:

Kashmir Hill: "Scary Stalker Husband In The Legal Clear To Track Wife's Car" ("If you co-own it, you can track it.")

Topically related posts:

Keylogger Software Company Not Liable for Eavesdropping by Ex-spouse -- Hayes v. SpectorSoft

Court: Husband's Access of Wife's Email to Obtain Information for Divorce Proceeding is not Outrageous

NJ Appeals Court: No Privacy Violation When Spouse Uses GPS to Track Vehicle -- Villanova v. Innovative Investigations, Inc.

Posted by Venkat at 09:45 AM | Privacy/Security



November 02, 2011

Yahoo Partially Defeats Lawsuit Over Wrongful Account Termination--Buza v. Yahoo

By Eric Goldman

Buza v. Yahoo, Inc., 2011 WL 5041174 (N.D. Cal. Oct. 24, 2011). The complaint.

Buza claims Yahoo terminated two GeoCities accounts related to his advocacy efforts. Buza is proceeding pro se, which is typical for user lawsuits over wrongful account termination. He sued Yahoo in state court. Yahoo tried to remove to federal court. In this ruling, Judge Seeborg dismisses the federal claims and sends the others back to state court. I'm sure Yahoo wished Judge Seeborg had cleaned out the case entirely, but I bet Yahoo will get there soon enough.

Buza claimed that Yahoo violated his First Amendment rights. As I explain in my article on wrongful account termination, plaintiffs often invoke the Constitution to get around any statutory immunities, but Constitutional claims routinely go nowhere. It's 100% clear that privately owned online service providers like Yahoo aren't state actors and therefore aren't restricted by the Constitution. The court says:

Buza's response that Yahoo!'s services should be seen as a "public forum" in which the guarantees of the First Amendment apply is not tenable under federal law. As a private actor, Yahoo! has every right to control the content of material on its servers, and appearing on websites that it hosts.

Similar recent cases in this vein include Young v. Facebook, Estavillo v. Sony and Jayne v. Google Founders.

Buza also brought an ECPA/SCA (18 USC 2701) claim for unlawful access to stored communications. The court dismisses because the restrictions don't apply to the service provider's access of those communications.

Having disposed of the federal claims, Judge Seeborg sends the case back to state court to deal with the remaining claims, which include a violation of California's state constitution, "intellectual property," trespass to chattels and breach of contract. The judge expresses some skepticism about some of these claims, but having decided he could quickly clean his docket of the case, he doesn't go any further than necessary to send the case back to state court.

My understanding is that Yahoo didn't raise a 47 USC 230(c)(2) defense, the federal immunity for service providers' filtering decisions. I explore this point in detail in my recent 230(c)(2) article. 230(c)(2) can't trump federal constitutional claims, but it should (?) trump state constitutional claims. 230(c)(2) doesn't apply to IP claims per a statutory exclusion, but the Ninth Circuit in Perfect 10 v. ccBill said that 230 trumps state IP claims (the judge says no federal IP claims are at issue). The immunity likely trumps the trespass to chattels claim, although I don't recall seeing that issue tested before. And as I explain in my article, 230(c)(2) could very well trump the contract breach claim. (This judge could have also disposed of the contract claim based on express terms giving Yahoo the power to pull the plug on websites, but the state court judge will have to do that.)

Because the immunity is a federal statute, it would have been appropriate for the federal court to interpret its application to the state claims before remanding. This discussion suggests that had the immunity been raised, Judge Seeborg might have completely ended the case on 230(c)(2) grounds without sending anything back to state court.

Posted by Eric at 09:33 AM | Derivative Liability , Licensing/Contracts , Privacy/Security , Trespass to Chattels



October 27, 2011

In Hannaford Data Breach Case, First Circuit Says Card Replacement and ID Theft Insurance are Reasonable Mitigation Damages and Compensable--Anderson v. Hannaford Bros.

[Post by Venkat Balasubramani]

Anderson v. Hannaford Brothers Co., 10-2384; 2450 (1st Cir. Oct. 20, 2011)

Background: Plaintiffs sued Hannaford based on a massive data breach in 2007. In this ruling, the First Circuit said that money spent by plaintiffs to obtain replacement credit cards and for credit monitoring could be considered reasonable mitigation efforts and was therefore legally compensable.

The court recounts the facts underlying the data breach, which is reportedly one of the largest ever. In late 2007, hackers stole up to 4.2 million credit card numbers, expiration dates, and security codes. Visa notified Hannaford in February 2008, and Hannaford publicly announced the breach on March 17, 2008. At the time it made the announcement, Hannaford knew of some 1,800 cases of fraud resulting from the breach--the unauthorized charges in question "originated in locations across the globe, including New York, Spain, and France."

Affected customers fell into a few different categories. Some financial institutions immediately cancelled their customers' cards and issued replacements. Others did not cancel the card but monitored accounts. Some customers requested that their cards be cancelled but had to pay fees. Other customers also purchased identity theft insurance.

Twenty-six different lawsuits were filed against Hannaford, which were consolidated in the District of Maine. The consolidated complaint alleged that fourteen of the named plaintiffs had unauthorized charges on their accounts, seventeen of the named plaintiffs had their cards cancelled, and two of the plaintiffs requested that their issuers give them replacement cards. Plaintiffs alleged seven causes of action, including breach of contract, breach of an implied warranty, negligence and unfair trade practices. They also alleged a variety of different injuries, including:

the cost of replacement card fees when the issuing bank declined to issue a replacement card to them, fees for accounts overdrawn by fraudulent charges, fees for altering pre-authorized payment arrangements, loss of accumulated reward points, inability to earn reward points during the transition to a new card, emotional distress, and time and effort spent reversing unauthorized charges and protecting against further fraud.

Plaintiffs also claimed damages for "the cost of purchasing identity theft/card protection and credit monitoring services."

District Court Proceedings: The district court split the plaintiffs into three different categories. The first category was composed of customers who did not have fraudulent charges posted to their account and the district court held that they were not entitled to relief. The second group was composed of plaintiffs who incurred unreimbursed financial charges. The court said that these plaintiffs could recover. However, during the pendency of the litigation, the single plaintiff who had an unreimbursed charge advised that the charge was reversed.

The last category was composed of customers who experienced unauthorized charges but whose charges were reversed. The district court said that the losses suffered by these customers were "too remote, not reasonably foreseeable, and/or speculative (and under the [trade practices statute] not a 'substantial injury')." (Here's my earlier blog post on the district court ruling: "Hannaford Data Breach Plaintiffs Rebuffed in Maine.") After the court's ruling, plaintiffs moved to certify several questions to the Maine Supreme Judicial Court. The key question, which the court answered in the negative, was whether "time and effort alone, spent in a reasonable effort to avoid or remediate reasonably foreseeable harm" was a cognizable injury under negligence or breach of contract theories. (Here's a brief post discussing this ruling: "Two More Courts Close the Doors on Data Breach Plaintiffs.")

First Circuit: The court rejects plaintiffs' cause of action for breach of fiduciary duty, finding that the relationship between a grocery store and customer is not sufficiently imbued with trust or unequal bargaining power for the court to impose fiduciary obligations on Hannaford. The court also rejects plaintiffs' claims under Maine's unfair trade practices act, finding that the statute does not provide for a private cause of action in these circumstances. The court does recognize plaintiffs' implied contract and negligence claims. Although the court finds that plaintiffs can assert two different bases for recovery (negligence and implied contract), the court focuses on what types of damages are recoverable.

The court says that the costs of procuring replacement cards and credit insurance are recoverable as reasonable mitigation damages. The court looks to the Restatement of Torts (section 919) and its treatment in other contexts (construction and environmental cases) and says that the key question is whether the amounts expended are reasonable when made, even if they turn out to be excessive when viewed in hindsight. In the context of this case, plaintiffs' mitigation efforts were reasonable. Plaintiffs' credit card data was stolen by a sophisticated group of thieves who not only intended to misuse the data, they actually did. The court contrasts these facts with other data breach cases where there had been no obvious malfeasance or no actual misuse of the data. Further evidence of the reasonableness of plaintiffs' efforts was the fact that some banks actually issued replacement cards. The court holds that even if plaintiffs did not experience any unauthorized charges, it was reasonable under the circumstances to pay to have their card replaced.

While the court finds that the replacement card and identity theft fees are recoverable, the court affirms the district court ruling with respect to the remaining categories of damages. These include the claims based on loss of rewards points, fees for pre-authorization charges (etc.).

__

This is not the first court to say that credit monitoring may be an appropriate response to a data breach. In Ruiz v. Gap, the Ninth Circuit analogized to toxic chemical exposure and noted that in certain circumstances, the costs for monitoring credit activity following a data breach may be recoverable. ("9th Circuit Affirms Rejection of Data Breach Claims Against Gap.") In that case, defendant had offered credit monitoring services and plaintiffs failed to explain why they were inadequate, so the Ninth Circuit did not end up expressly deciding the issue.

Although I'd chalk this up as a win for data breach plaintiffs, it's a slight one. The court's ruling appears limited to credit cards and the court relies heavily on the fact that the prospects of misuse were significant and had actually occurred. The court notes: "where neither the plaintiff nor those similarly situated have experienced fraudulent charges resulting from a theft or loss of data, the purchase of credit monitoring services may be unreasonable and not recoverable." The court also ends up disapproving the bulk of the requested damages. At a minimum, the fact that the court disapproves of damages such as time spent dealing with remedial efforts, damages relating to rewards programs, and for emotional distress is significant. There's no prospect of a damage free-for-all. In fact, in the event of this type of a breach, the prospective defendant(s) can limit their liability by covering the costs of free credit monitoring services and the costs of replacement cards.

The court mentions in a footnote that cardholders are probably limited in their exposure to unauthorized charges due to the Truth in Lending Act. Hannaford argued that the card issuers have instituted "zero-liability protection," which means that customers are not liable for unauthorized charges, but the court says that this does not matter. It would still be reasonable for customers to attempt to mitigate harm to themselves in these circumstances.

A big question is what this means for other privacy plaintiffs in terms of Article III standing. In concluding that plaintiffs may move forward, the court points out the fact that plaintiffs suffered "actual financial losses." Thus, plaintiffs who allege anything other than actual financial losses (e.g., Facebook privacy plaintiffs) would still face an Article III standing hurdle under this case.

Additional coverage:

David Navetta: "Federal Appeals Court Holds Identity Theft Insurance/Credit Monitoring Costs Constitute 'Damages' in Hannaford Breach Case"

Earlier posts on Hannaford:

"Hannaford Data Breach Plaintiffs Rebuffed in Maine"
"Two More Courts Close the Doors on Data Breach Plaintiffs"

Related (data breach) posts:

"Starbucks Data Breach Plaintiffs Rebuffed by Ninth Circuit -- Krottner v. Starbucks"
"Two More Courts Close the Doors on Data Breach Plaintiffs"
"9th Circuit Affirms Rejection of Data Breach Claims Against Gap -- Ruiz v. Gap"
"The [Non]enforceability of Privacy Promises--Pinero v. Jackson Hewitt"
"Acxiom Not Liable for Security Breach"

Posted by Venkat at 08:38 AM | Privacy/Security



October 26, 2011

Ex-Employee Converted Social Media/Website Passwords by Keeping Them From Her Employer--Ardis Health v. Nankivell

[Post by Venkat, with comments from Eric]

Ardis Health, LLC, Curb Your Cravings, LLC and USA Herbals, LLC v. Ashleigh Nankivell, 2011 WL 4965172 (S.D.N.Y. Oct. 19, 2011)

Nankivell worked for CYC as a "video and social media producer." Her work included producing videos, "websites, blogs, and social media pages" for CYC and the other two plaintiffs, which were founded by Jordan Finger. Her responsibilities included:

maintaining passwords and other login information for websites, email accounts, and social media accounts, as well as for third-party servers where plaintiffs store content

Fortunately for plaintiffs, Nankivell signed an agreement with CYC which vested ownership of her work product in CYC and required Nankivell to return all confidential information at CYC's request.

In 2010, Finger and Nankivell developed a service called "whatsinurs," which the court described as a "social media website for cosmetic products." Ardis applied for a trademark in Whatsinurs and registered the copyright for the website. Finger sent Nankivell an agreement for the organization and ownership of the new site, which Nankivell never signed. Nankivell was restless and looked around for alternate employment. Plaintiffs were unhappy about this and fired Nankivell in June 2011. After the termination, Finger requested the laptop, which plaintiffs had provided her, and the access information for the various websites. She declined to provide this. Plaintiffs sued and sought injunctive relief.

The Access Information: The court says that it's "uncontested that plaintiffs own the rights to the Access Information," and as a result, Nankivell's retention of this information can form the basis of a conversion claim. The court also says that plaintiffs' inability to access and update their site ("to react to online trends" and effect a new initiative to participate in "'daily deal' promotions") constitutes irreparable harm. The court orders the information turned over to plaintiffs pending resolution of the dispute.

The Laptop: The court declines to order the laptop returned, saying that the laptop is a "mass-produced object," the loss of which can be compensated by money damages. Plaintiffs also argued that they were entitled to the information on the laptop, but the court faults plaintiffs for not fully developing their argument--they relied on confidentiality terms in the agreement and nothing more. Nankivell also argued that the laptop had continuously synched to plaintiffs' computer. Plaintiffs argued that they could not be sure of this without seeing the laptop, but this argument does not get much traction with the court.

Display of Whatsinurs Content on Defendant's Website: Plaintiffs also argued that they suffered irreparable harm from the display of the whatsinurs site's content on her personal website (as an example of her work). Plaintiffs' key argument on this score was that a search for "whatsinurs" would display both defendant's website and the same contents, as displayed on Nankivell's personal website. Plaintiffs argued that consumers would be confused as to the source of the website and this would dilute plaintiffs' "whatsinurs" brand.

The court says this argument "is preposterous on its face":

Not only do defendant's websites appear below plaintiffs' in search results, defendant's [sic] do not purport to be, or in any way give the impression of being, portals for the sale of commercial goods. On both of defendant's websites, the Whatsinurs content is wholly non-functional, little more than dressed-up image captures. It is clearly labeled as an example of defendant's "Design" capabilities and surrounded by content from other projects defendant has worked on. It does not compete with plaintiffs' websites or pose potential issues of confusion.

Plaintiffs argued that Nankivell's bad faith raises a presumption of confusion, but the court says that Nankivell has an innocent explanation and there's no bad faith. Even assuming that there is a presumption of confusion, the court says that this alone is insufficient to warrant injunctive relief.

__

Yet another dispute over access to websites and social media profiles. It looks like plaintiffs half-followed the basic advice of having a written agreement in place that documents the relationship between the company and the individual who manages the company's website and social media profiles. But the agreement in this case was not necessarily clean--the agreement was between Nankivell and CYC, but one of the other plaintiff entities (Ardis) actually asserted ownership over the "whatsinurs" website. The court does not get into the issue of whether Nankivell's development of the "whatsinurs" website was outside the scope of her relationship with CYC and therefore not subject to the agreement, but this seems like an issue that should come up. Social media accounts do not neatly fit into existing categories of property and we haven't seen many disputes over account ownership fully play out. (See the OMG Facts case for one ongoing dispute.) While an agreement that expressly covers ownership is ideal, it's interesting to note that the confidentiality provisions of the agreement do the job in this case.

On the web developer/social media producer side, holding any sort of website or social media credentials (or domain names) hostage is legally risky behavior. We've seen a slew of cases where this type of behavior resulted in possible liability. In DSPT Int'l v. Nahum, the Ninth Circuit held that holding a domain name hostage may be bad faith under the ACPA. Maremont v. Susan Fredman Design Group involved a social media manager who continued to post on the Twitter and Facebook accounts following termination (this case was dismissed for lack of prosecution). Finally, the Ohio Court of Appeals held earlier this year in Eyesoldt v. Proscan that obstructing access to a website and email account can constitute conversion. The contours of legal liability are far from clear, but there is definitely risk when you hold website, email, or social media credentials hostage! Courts have shown a willingness to treat these credentials as intangible personal property that can support a claim for conversion. We all know how important it is to constantly update our social media accounts. It looks like the courts get this.

[Eric adds: some other analogous cases include New Mexico v. Kirby, Mikhlyn v. Bove, In re Rolando S., Ground Zero Museum v. Wilson and TEG v. Phelps.]

The court's rejection of plaintiffs' request to have Nankivell's "portfolio copy" of the site taken down was interesting. Courts have moved away from automatically granting injunctive relief based on copyright or trademark claims. You have to show actual irreparable harm now. Plaintiffs proceeded primarily based on a trademark theory, and the court's rejection of their argument that the portfolio copy of the site appearing in search results would cause them irreparable harm will get Eric's resounding endorsement. Any time a court credits an end user with the shred of common sense necessary to parse the origin of content on the internet, it is a cause for celebration in his book (and rightfully so).
_______

Eric's Comments

1) Kudos to the plaintiffs for having a written agreement that governed the social media credentials, but demerits to them for not learning those credentials before they needed them. If an employee has login credentials to an account that they use for the company, at minimum that employee's manager should get those credentials too.

2) The judge's references to the employee "converting" those credentials make me want to cry. The court had a half-dozen other legal doctrines easily available to order the defendant to turn the credentials over. Calling her retention of those intangible data strings "conversion" was completely unnecessary and adds to the growing confusion on what it means to "convert" electronic information. Perhaps that ship has sailed, but I continue to insist that "conversion" only applies to physical chattel, not intangible assets, and conflating the two inevitably leads to doctrinal meltdowns.

3) As Venkat predicts, I do cheer that mere appearance in search results should be legally irrelevant. However, I definitely don't like the judge's reference to the relative placement of the search results. I last "bitched" about that issue in my post on the Bitchen Kitchen case, so check that out.

Posted by Venkat at 06:42 AM | Copyright , Privacy/Security , Search Engines , Trespass to Chattels



October 21, 2011

Did California Unintentionally (?) Impose New Statutory Duties on Every Blogger? A Post on the Newly Enacted California Reader Privacy Act

By Eric Goldman

California recently enacted the Reader Privacy Act, SB 602. See the EFF announcement.

This new California law seeks to protect online book reader privacy to the same extent reader privacy is protected by libraries, by requiring heightened process before the government or private litigants can get certain types of information about book readers/buyers. As a restriction on government action, I support the concept enthusiastically. Indeed, I count many supporters of this bill as friends (well, maybe not after they read this post). At minimum, I know the effort was well-intentioned. However, I continue to believe this law was misarchitected for the reasons I expressed in my prior blog post on the proposed legislation.

My concerns from my prior post still apply, but this post will walk you through a specific reason why this law could be bad news for people who don't realize their conduct is now regulated. Let's look closely at who is required to comply with the law--recognizing that the statute has a private cause of action that will be enforced by a rapacious privacy plaintiffs' bar. The law's requirements apply to "any commercial entity offering a book service to the public." A "book service" means "a service that, as its primary purpose, provides the rental, purchase, borrowing, browsing, or viewing of books."

OK, clearly this covers Amazon and other online book retailers. But in this day and age, what is a "book" and, more importantly, what isn’t? The statute defines a book as:

paginated or similarly organized content in printed, audio, electronic, or other format, including fiction, nonfiction, academic, or other works of the type normally published in a volume or finite number of volumes, excluding serial publications such as a magazine or newspaper

So, let's play a game and try to spot some book services in the field. Is YouTube a book service? It definitely has "electronic" books, but maybe that's not its "primary" purpose. Scribd? It has lots of books too and plenty of other long-form "book-like" content. iTunes? It has lots of audiobooks. Wikipedia? It markets itself as an online encyclopedia, but maybe it isn't commercial enough? Hmmm....this is a tough game.

But what about blogs? Are they "book services"? Before you discount the idea, consider that many blogs are, in fact, paginated (at least in the URL--see Blog Law Blog as an example). Perhaps mere pagination alone isn't enough; maybe the pagination needs to be essential to the content's organization. Perhaps many bloggers aren't "commercial entities," although I'm sure plaintiff lawyers will argue that a blog with AdSense and some Amazon affiliate links would satisfy that standard. Or perhaps bloggers will be excluded as "serial publications," although the statute could have--and should have--made clear that blogs fit into that exception. In fact, cases like the old It’s in the Cards v. Fuschetto suggest that courts might read the statutory exclusion narrowly on the theory that the legislature knew what blogs were but didn't mention them.

The ambiguity of blogs as "book services" means it’s possible California has imposed a new statutory obligation on bloggers (at least those based in California, but who knows if it will be so limited), and this obligation effectively puts bloggers' houses on the line if they don’t hire lawyers to properly navigate through the statute when the government or private litigants ask for information. Gee, thanks.

Indeed, this law could do more than just sweep in bloggers; it might cover *every* website because of the ambiguity of the term "book" and the concept of pagination. I don't know what "pagination" means in the online environment, but the concept may become more problematic in the near future. See News.com, "Opera proposal brings a book look to the Web." Thus, it seems like the law's attempt to carve out books from the universe of online content could fail, in which case large swaths of web operators become unexpectedly governed by the law--with a swarming privacy plaintiffs’ bar as the reward for the uninformed.

I have long believed that states categorically should not try to regulate the Internet. A law like this, as laudatory as its goals are, helps confirm my beliefs.

UPDATE: Paul Levy doesn't agree with my analysis.

On his point about commercial entities, I'm not sure I agree with Paul that courts will exclude individual operators. After all, we call those folks "sole proprietors." But if it definitely includes "partnerships," does that mean it will include co-bloggers? See my article on co-blogging. UPDATE: Eric Johnson parses the statutory language on this point with some care.

My broader point is that this statute is riddled with ambiguities that raise questions about its coverage. If you think my statutory reading is tendentious, it's my position that a typical Internet privacy lawsuit involves a far more tendentious reading of the applicable statute than anything I could ever imagine.

UPDATE 2: In another example of a possible ambiguity, Eugene Volokh asks if the statute makes it illegal for bookstore owners to tell the police about patron-on-patron crime.

UPDATE: Eric Johnson explains why the statute is "crazy."

Posted by Eric at 09:57 AM | Content Regulation , Privacy/Security



October 19, 2011

Comments on Doe v. IMDB Privacy Lawsuit

[Post by Venkat Balasubramani]

Doe v. Amazon.com, Inc. and IMDB.com, Inc., 11-cv-1709 (W.D. Wash.; Oct. 13, 2011)

An actress who goes by a stage name sued IMDB and Amazon for disclosing her birthdate, which IMDB allegedly obtained through the payment process. The allegations of the lawsuit are straightforward. Doe is an actress who "has a given legal name that is extremely difficult for Americans to spell and pronounce." [Definite sympathy points from me on that score.] As a result, she adopted a stage name. She listed herself on IMDB, which, apart from being a widely used information source for movie trivia, is also an industry resource. She did not list her age on her IMDB profile. She signed up for "IMDB pro," and in the process IMDB charged her credit card. Doe alleges that IMDB used her payment information to determine her birthdate and listed this information on her IMDB profile. Noting that "in the entertainment industry, youth is king," Doe alleges that disclosure of her birthdate by IMDB harmed her. She requested that IMDB remove her birthdate, and apparently IMDB refused. She sued.

A few observations about the complaint:

You may or may not quibble with the extent of Doe's damages, but unlike other privacy lawsuits where harm is speculative, Doe has a much better chance at getting over any damages hurdles. There is definitely no standing issue here, and the lawsuit will not be kicked on the basis of standing.

Unlike the privacy class actions which usually allege violations of federal law, Doe alleges violations of state law. There are no federal causes of action in the complaint. This is obviously a strategic decision and in part could have been made to avoid the statutory hoops that a plaintiff alleging causes of action under federal statutes has to jump through. There's a possible preemption argument lurking in the background, but there's not much precedent, and it's tough to say whether defendants will raise the argument and whether it will get any traction.

The biggest threat to IMDB may not be the prospect of damages, although that's surely lurking in the background. What could end up being a fiasco is discovery. Doe's complaint implies that IMDB had some sort of system where it matched information obtained during the payment process with information in its public database. It's a good bet that IMDB (and Amazon) does not want this process to become public, but this is sure to be one of the key aspects of the discovery sought by Doe. A follow-up question is whether there is any additional information sharing going on (e.g., between IMDB and Amazon). This is also something that Amazon probably wants to keep under wraps.

PogoWasRight takes a look at IMDB's privacy policy: "Aspiring actress sues IMDB and Amazon for revealing her true age and for misusing her credit card details to obtain it." Unfortunately for IMDB, the privacy policy does not clearly insulate its actions here. On the other hand, the privacy policy does not say anything about information such as an IMDB pro user's birthdate. Doe has a reasonable chance at pointing to IMDB's extra-contractual statements and statements in the subscriber agreement itself, and arguing that these constitute promises or assurances.

IMDB was previously sued on a similar theory. ("Actress Blames Fear of Fan Attacks on Web Site.") That plaintiff did not have much success, but we'll see what happens with Doe.

Additional coverage:

Eriq Gardner (THR): Actress Sues IMDb for $1 Million for Revealing Her Age
PogoWasRight: "Aspiring actress sues IMDB and Amazon for revealing her true age and for misusing her credit card details to obtain it"
Seattle Weekly: Mystery Actress Files Lawsuit Against IMDb for Revealing Her 'True Age and Name' (offering to "buy beers for anyone who can figure . . . out [the identity of the actress]")
GeekWire: Texas actress sues Amazon for displaying age in IMDb listing

Posted by Venkat at 01:12 PM | Privacy/Security



October 14, 2011

Court Disregards Check-the-Box Agreement and Doesn't Enforce Venue Clause -- Dunstan v. comScore

[Post by Venkat Balasubramani with additional comments from Eric]

Dunstan v. comScore, Inc., 11-cv-05807 (N.D. Ill. Oct. 7, 2011)

Plaintiffs sued comScore, alleging that comScore improperly obtained and misused plaintiffs' personal information after plaintiffs downloaded and used comScore's software. comScore sought to have the lawsuit transferred to Virginia, which was the forum specified in a forum-selection clause in the software terms of use/EULA. The court denies comScore's motion.

A comScore Vice President testified that "before a user can install comScore software," a customer must "click the box acknowledging" that the customer read and agreed to the terms. Plaintiffs, on the other hand, alleged that the forum-selection clause was not "apparent" when they downloaded the software. They also alleged that the terms of service were "obscured" during the installation process. From the court's order, it seems like plaintiffs did not deny that they checked the box. The court resolves the apparent factual dispute as follows:

the court declines to infer that clicking a box acknowledging that a user has read an agreement indicates that the agreement was reasonably available to the user, particularly when the plaintiffs have alleged that the hyperlink to the agreement was obscured.

Whoa. Let's take another look at this sentence. The court is saying that just because a user checked a box acknowledging the user had read the agreement, this does not mean that the court can infer that the user was able to read the agreement. (???)

comScore cited to several cases where courts enforced "click-through" agreements, including Specht v. Netscape. The court says that none of the cases involved an allegation of an obscured hyperlink. According to the court, Specht acknowledged the possibility that "a click-through agreement is not enforceable if its terms are not reasonably apparent to the user." The court goes on to note:

it is not reasonable to expect a user casually downloading free software to search for such an agreement if it is not immediately available and obvious where to obtain it. As the Second Circuit noted, 'when products are 'free' and users are invited to download them in the absence of reasonably conspicuous notice that they are about to bind themselves to contract terms, the transactional circumstances cannot be fully analogized to those in the paper world of arm's-length bargaining.' [U]nder the circumstances alleged here, including that the location of the license agreement was not readily apparent, the court concludes that the forum-selection clause was not reasonably communicated to the plaintiffs . . . .

This is definitely a double-take-worthy decision. The court relies on Specht v. Netscape, but Specht is a browsewrap case, where the user did not have to indicate assent to the terms before downloading the software. Given the circumstances (free download) and the fact that the terms were not in an obvious location, the court in Specht declined to enforce the terms.

There's an easy way to solve the problem presented by Specht: have a mechanism to require the user to unequivocally indicate assent to the terms before downloading the software. Courts have upheld this type of contract formation because there is no ambiguity as to the user's assent to the terms, and this was the type of agreement comScore had in place here. The consumer cannot say that he or she did not read the terms because prior to downloading, the user has to indicate that they read the terms. (See for example Feldman v. Google, which Eric discusses in this blog post: "Google Adwords Contract Upheld (Again)".)

It's tough to overstate the importance of certainty in online contracting and the predictability of online agreement enforceability. They're among the cornerstones of online commerce. Courts struggled with the enforceability of browsewrap terms, but check-the-box terms are widely acknowledged to be enforceable; at least there should be no bar as to mutual assent and basic contract formation. I'm not sure whether the formation process or the court went astray here (see Eric's comments below regarding the former--he makes good points regarding implementation). If there were no issues with the UI implementation or the browser, then the court's decision is off base.

[Interestingly, comScore did not argue that the dispute is subject to arbitration, which tends to indicate that the agreement did not have an arbitration clause.]

______

Eric's comments

I have a couple of theories about what went wrong here. Theory #1 is that the judge was overly willing to accept a plaintiff's bald factual assertion that comScore didn't adequately present the contract. (The judge says, "At this stage, however, the court must take the plaintiffs' word for it.") As Venkat indicates, judges have to do a little more gatekeeping than this, because plaintiffs will assert this defect in every lawsuit. If all it takes to survive a motion to dismiss is the plaintiff's bald assertion, the contracts are nearly worthless.

Theory #2 is that comScore didn't do its formation process properly. I think there is truth to this theory even if comScore went "by the book" and used what seemed like a mandatory non-leaky clickthrough agreement. It's the responsibility of software vendors/website vendors to present the contract in such an unambiguous/can't-miss-it process that NO ONE--plaintiffs' lawyers, judges, Grandma--could possibly fail to see it. The fact that the judge gave the plaintiffs the benefit of the doubt is prima facie evidence that comScore failed to do this well enough.

The case might remind us of two key lessons for lawyers advising companies implementing user agreements:

1) I don't care how brilliantly you draft your user agreement. It's also your job as a lawyer to advise your clients HOW to form the contract and to ensure they follow your advice. If your brilliant contract isn't properly formed, who cares what it says?

2) You need to look at the UI implementation across multiple browsers with a variety of settings. Even if your browser renders the agreement formation process just fine, another browser may chunk the display. This is even more crucial in the mobile environment, where UIs are even more constrained.

Posted by Venkat at 12:55 PM | Adware/Spyware, Licensing/Contracts, Privacy/Security



Q3 2011 Quick Links, Part 4

By Eric Goldman

Content Regulation

* Lawmakers are putting the squeeze on advertisers to be content police. Meanwhile, VeriSign begged for the right to act as content police before changing its mind.

* Kowalski v. Koster, 2011 WL 4349365 (W.D. Mo. Sept. 15, 2011): “the CDA immunizes Internet service providers and does not create any cause of action under 42 U.S.C. § 1983.”

* SC v Dirty World, 4:11-cv-00392-DW (ED Mo. Sept. 22, 2011). Defendant posting a complaint filed against him & saying "game on" doesn't create an intentional infliction of emotional distress claim.

* Obsidian Finance Group, LLC v. Cox, 2011 WL 2745849 (D. Or. July 7, 2011). Allegedly defamatory statements at obsidianfinancesucks.com are "expressions of opinion protected by the First Amendment"

* Calibra Pictures LLC v Variety, 2011 WL 3612209 (Cal. App. Ct. Aug. 17, 2011). A negative newspaper review is protected by anti-SLAPP laws, even when the newspaper had enticed the plaintiff to spend substantial amounts of money to advertise with it. The allegations in this lawsuit were quite troubling about Variety’s peddling its insider influence and selling movie producers on results it could deliver. Rebecca's coverage.

* BCG Attorney Search v. Kinney, 2011 WL 2936773 (Cal. App. Ct. July 21, 2011). Lawsuit over a Ripoff Report post leads to a successful anti-SLAPP defense.

* US poker players turned into refugees by online gaming ban. Partially related: was Full Tilt Poker a Ponzi scheme?

* Carleton Hotel v Gladstone (complaint filed June 15, 2011). Hotel sues author of TripAdvisor review (for accusing the hotel of a bedbug infestation).

* Parisi v Sinclair appealed. Prior blog post. In addition, in Parisi v. Sinclair, 2011 WL 3705141(D.D.C. Aug 23, 2011) (NO. CIV. 10-897 RJL), one of the book authors was dismissed from the case for lack of personal jurisdiction.

* Useful primer on how to identify John Doe defendants.

* Hollywood, Esq.: Hot New Hollywood Trend: Crazy Defamation Lawsuits.

* Aaron Swartz is being prosecuted for a mass download from the JSTOR database.

* American Booksellers Foundation for Free Expression v. Sullivan, No. 10-193 (D. Alaska June 30, 2011). Alaska's baby-COPA law unconstitutional.

Social Networking Sites

* Bemis v. Bemis, 2011 WL 3335202 (Conn. Super. Ct. July 12, 2011). In a custody dispute involving 13 year old Alyssa, the court order imposed the following requirement: "Each parent shall view Alyssa's Facebook page once per week. If Alyssa is unwilling to share 100% access, she shall be denied computer and smart phone access except for use of a computer for schoolwork which shall be supervised."

* Held v. Ferrellgas, Inc., 2011 WL 3896513 (D. Kan. Aug. 31, 2011): “Plaintiff testified at his deposition that his coworker began subjecting him to a hostile environment prior to his termination in April 2009. At his deposition, Plaintiff could not recall whether he posted anything on Facebook that may be relevant to this case. Defendant claims that information from Plaintiff's Facebook page during Plaintiff's tenure at Ferrellgas is relevant. This court agrees. Further, it appears that Defendant is attempting to mitigate Plaintiff's privacy concerns by allowing Plaintiff to download and produce the information himself, rather than providing login information. Indeed, Defendant itself notes that it is not seeking unfettered or unlimited access to Plaintiff's Facebook, but rather limited access during the relevant time frame. As such, Defendant's motion to compel regarding the Facebook information is granted.”

* U.S. v. Fumo, 2011 WL 3672774 (3rd Cir. Aug. 23, 2011):

Not unlike a juror who speaks with friends or family members about a trial before the verdict is returned, a juror who comments about a case on the internet or social media may engender responses that include extraneous information about the case, or attempts to exercise persuasion and influence. If anything, the risk of such prejudicial communication may be greater when a juror comments on a blog or social media website than when she has a discussion about the case in person, given that the universe of individuals who are able to see and respond to a comment on Facebook or a blog is significantly larger.
Yet while prohibiting and admonishing jurors from commenting—even obliquely—about a trial on social networking websites and other internet mediums is the preferred and highly recommended practice, it does not follow that every failure of a juror to abide by that prohibition will result in a new trial. Rather, as with other claims of juror partiality and exposure to extraneous information, courts must look to determine if the defendant was substantially prejudiced.

* Missouri State Teachers Association v. Missouri (Mo. Cir. Ct. Aug. 26, 2011). Enjoining part of Missouri's Amy Hestir Student Protection Act. Prior blog post.

* D.J.M. v. Hannibal Public School District #60 (8th Cir. Aug. 1, 2011). A student's IM messages threatening to harm other students supported school discipline of the student, even if the messages were exchanged off school property.

* Kowalski v. Berkeley County Schools, 2011 WL 3132523 (4th Cir. July 27, 2011):

school administrators suspended [Kowalski] from school for five days for creating and posting to a MySpace.com webpage called "S.A.S.H.," which Kowalski claims stood for "Students Against Sluts Herpes" and which was largely dedicated to ridiculing a fellow student....we conclude that in the circumstances of this case, the School District’s imposition of sanctions was permissible. Kowalski used the Internet to orchestrate a targeted attack on a classmate, and did so in a manner that was sufficiently connected to the school environment as to implicate the School District’s recognized authority to discipline speech which "materially and substantially interfere[es] with the requirements of appropriate discipline in the operation of the school and collid[es] with the rights of others."

* Oddee: 9 Most Bizarre Facebook Related Crimes

* NYPD puts cops on the Facebook beat.

Wikipedia

* Wikimedia released its 2011-12 annual plan. One of its seven big goals: "The declining participation of seasoned Wikipedia editors must be reversed." As the detailed report explained: "Declining participation is by far the most serious problem facing the Wikimedia projects: the success of the projects is entirely dependent upon a thriving, healthy editing community." To explain why that's such a challenge, see my article, Wikipedia's Labor Squeeze and its Consequences. The plan also notes: "Recently we have seen a general decline online in the growth of unique visitors and in page views in the United States."

* In partially related news, Wikipedia is doing a broader rollout of its AbuseFilter tool.

* The Wikipedia Editor Survey from April 2011 provides more evidence of the challenges to replenishing the ranks of active editors.

Posted by Eric at 07:00 AM | Content Regulation, Evidence/Discovery, Privacy/Security



October 13, 2011

Q3 2011 Quick Links, Part 3

By Eric Goldman

Advertising

Search Marketing

* Search Engine Land: "In many cases, it is worth buying keywords even if you rank organically for them." Similarly, a Google study indicates that PPC advertising lifts clicks on organic results. Prior blog post.

* NJ Supreme Court Opinion 43 from the Committee on Attorney Advertising: "attorneys are not flatly prohibited from paying “per-lead” Internet advertising charges provided the marketing scheme is advertising and not an impermissible referral service. Just as “pay-per-click” has become more prevalent in the Internet advertising community, “pay-per-lead” or “pay-per-contact” for Internet advertising is likely to become a more common model due to its inherent reward for effective advertising."

* Most Expensive Keywords in Google

* Confusing developments in SF Comprehensive Tours v Groupon. Reuters article. The opaque ruling. Prior blog post.

* Google quietly liberalizes its policy on buying keyword ads on people's names.

* Lawsuit over Paxfire's role in allegedly redirecting some IAPs' search traffic. In slightly related news, Nebuad settled its case.

* ClickZ: Why isn't Google letting display advertisers do retargeting using search data?

False Advertising

* AdAge on the Great Wiener Wars. The case settled.

* WSJ: Litigation battles over the use of “all natural.”

* Nabors v. Google, 2011 WL 3861893 (N.D. Cal. Aug. 30, 2011) and McKinney v. Google, 2011 WL 3862120 (N.D. Cal. Aug. 30, 2011). Court dismisses false advertising lawsuits over the Google Phone allegedly not running at 3G speed.

Endorsements and Testimonials

* WSJ: "Digital Technology and the Re-Birth of Product Placement": "Given the choice, the majority prefer placement to commercial breaks."

* Car company Scion is forming its own record label. Remind me again, where’s the line between ads and editorial content?

* The FTC did a bizarre flip-flop on the legitimacy of disclosures by Ashton Kutcher. Like everyone else, the FTC doesn't understand its endorsement/testimonial guidelines.

* ConAgra invited bloggers to a free dinner where they surreptitiously served frozen food and videotaped their surprised reactions. This is great when it works; but if it doesn’t work, you’ve got a group of angry bloggers on your hands. It didn’t work.

* Brooke Burke’s contract gives a little insight into the insidious nature of an endorsement contract.

Other Topics

* AdAge on how Campbell Soups did eye-tracking studies and ethnographic research to improve the way its soups displayed on grocery store shelves.

* AdAge: Meredith, a large print publisher, is guaranteeing its largest advertisers that they will see a sales lift from their ads. It's unusual for a print publisher to make such a guarantee given how much of the sales process is out of their control. On the other hand, advertisers are almost always seeking sales lifts from advertising, but usually they have to rely on weaker proxies to guess whether or not they'll get it.

In related news, Time Inc. is going to try to measure its sales lift for advertisers. This is not quite as aggressive as Meredith’s guaranteed sales lift, but it’s a sign that traditional print publishers recognize that advertisers are buying results.

* Cracked: The 5 Biggest Disasters in the History of Marketing Ideas. Classic, especially the "bananas" one.

Search Engines

* Search Engine Land on a Searchmetrics study showing that: "YouTube is the number one video site that shows up for video results; Google Maps is the number one map site that shows up for map results; Google Product Search is the number one shopping site that shows up for shopping results; Google’s Blogger is the number one image site that shows up for image results."

* Ugh. From Wired: Entrepreneurs scrape mug shots from public sites, SEO them and then charge the depicted individual money to have the photos removed.

* Google bought Zagat. The $125M price tag is incredible. It makes sense only if Zagat becomes Google's foundation for its Places offering. This has to be a signal that Google will be more than happy to honor any de-indexing requests from Yelp. Expect plenty more howling about Google favoring its own properties over third-party sites.

On a related matter, I can’t imagine Orbitz/Travelocity/Expedia/Kayak are thrilled about the ITA implementation either.

* Google's +1 apparently is going to influence search rankings. The story started at Kash Hill's Forbes blog, but it appears Forbes spiked the story (at Google's request...?), so that story is down. Now you have to read both the story, and the possible coverup, at Wired.

* Google killed Sidewiki. I doubt anyone misses it (it was one of Google's many failed UGC/social efforts), but do you remember just how much angst was spilled when Sidewiki first launched?

* I'm sure you're shocked to learn that Bev Stayart is headed to the Seventh Circuit...again... Prior blog post.

* NYT on Europe's love affair with the "right to be forgotten."

* My hometown, Mountain View, is becoming a one-company town. While we love Google, naturally this evolution will create some tension. Then again, the Mercury News declares Mountain View a good city for start-ups.

* ShopCity (not surprisingly, working with Gary Reback) has entered the bitchfest about Google rankings. As John McClane would say, "Welcome to the party, pal."

* Findwhat Investor Group v. Findwhat.com, 2011 WL 4506180 (11th Cir. Sept. 30, 2011):

The Form 10-K contains affirmative statements of present fact—"[w]e employ an integrated system ... that continually monitor[s] traffic quality," and "[w]e enforce strict guidelines ...to ensure the quality of traffic," (Compl.75) (emphases added)—that unquestionably create the impression that MIVA maintains an active and sophisticated monitoring system for screening fraudulent traffic. Accepting the Plaintiffs' allegations as true, these statements are misleading because they could mislead a reasonable investor into believing that the Defendants had systems in place that would detect and remove distribution partners engaged in extensive fraudulent revenue-generating practices, when in truth and in fact they did not.

However, management lacked the requisite scienter for securities fraud liability for those statements. Nevertheless, the 11th Circuit held that management’s failure to disclose information about rogue affiliates after it learned the news could constitute securities fraud. Rebecca’s coverage.

Privacy

* The FTC has proposed revisions to COPPA's regulations. The two most important points:

1) The FTC rejected the idea that websites could have constructive knowledge that they are dealing with kids under 13. As a result, so long as the site doesn't know a user is under 13 or market to kids under 13, the site can ignore COPPA.

2) The FTC is including geolocation and IP address information as PII. Does this signal that the FTC is taking an expansive view of PII across-the-board, not just in the COPPA arena?

In partially related news, the FTC scored a rare COPPA bust, this time from a mobile app developer.

* FTC settlement with FrostWire: the FTC takes the position that a software default setting that enables too much data sharing is unfair to consumers. This is similar to the LimeWire settlement with the Maryland AG. However, it raises the question: is the FTC going to take the position that any service that enables too much sharing by default is engaged in unfair practices? If so, it will be taking quite an active role in telling software developers how to code, and the FTC will face an overwhelmingly large list of potential targets!

* Facebook is tracking logged-out users. Mostly this is due to the distributed Facebook “like” button, which acts as a driftnet for collecting lots of information from third party websites. Some members of Congress are unhappy. In contrast, the privacy plaintiffs' bar is rejoicing! Named plaintiffs include Davis, Thompson, Graham, Singley, Howard, Seamon, Beatty, Parrish, Rutledge, Brkic and Hoffman.

* Pandora got sued for privacy breaches too. I'm surprised this took so long.

* OnStar had its own brush with privacy problems when it announced it would track non-customers, but it soon backed down.

* Specific Media settled its lawsuit. Prior blog post.

* Sams v. Yahoo appealed to the 9th Circuit. Prior blog post. Related blog post.

* The Lares Institute, Data Breaches and the Phantom Damage Allegation, July 2011: 97% of those surveyed had not “experience[d] any unreimbursed losses that you could trace to a security breach that occurred in the last 12 months.” [link may be down]

* WSJ on the growth of “corporate privacy” positions.

* Zynga gamified its privacy policy.

Posted by Eric at 11:43 AM | Marketing, Privacy/Security



October 07, 2011

Massachusetts Court Dismisses Lawsuit Alleging Failure to Adequately Safeguard Personal Information -- Katz v. Pershing

[Post by Venkat Balasubramani]

Katz v. Pershing, LLC, 10-12227-RGS (D. Mass. Aug 23, 2011)

Background: Katz maintained an account at National Planning Corporation, an "introducing firm" for which Pershing provides brokerage clearing services. Pershing's services are provided on a proprietary exchange known as "NetExchange Pro," and this platform allows firms and their customers to access account information, stock quotes, etc. Katz alleged that up to 100,000 users have electronic access to customers' non-public personal information, including social security numbers, taxpayer identification numbers, and bank account numbers. Katz alleged that the security deficiencies rendered this information susceptible to being compromised. She claimed that NPC paid Pershing fees to protect the data and these fees were passed on by NPC to Katz and other putative class members.

She filed a lawsuit bringing claims under the Massachusetts deceptive trade practices statute, breach of contract, negligence, and unjust enrichment. Pershing initially moved to dismiss and the court granted the motion before Katz had an opportunity to respond. Katz filed a motion to reconsider. On reconsideration, the court dismisses the case.

Discussion: The court dismisses the case both on standing (lack of jurisdiction) and on the merits.

Standing: Pershing argued that Katz did not allege that any of her protected data was actually compromised. The court agrees, noting that several cases have dismissed data loss claims on Article III standing grounds, finding that the increased risk of identity theft is insufficient to create standing. Katz argued that her claims were distinguishable from the other increased risk cases because she brought claims under Massachusetts statutes and for breach of contract.

Massachusetts Data breach statute: The court pointed out that Katz's claims under the Massachusetts unfair trade practices statute needed a statutory predicate--some statute or policy which was enacted for the benefit of the public which the defendant failed to comply with. Katz argued that here, Pershing failed to comply with Massachusetts' data breach statute, which was enacted in the wake of the well-publicized TJX data breach. The court rejects this argument, finding that the data breach statute defines a "breach of security" to include an "unauthorized acquisition or unauthorized use" of encrypted data. While breaches that create a substantial risk of identity theft trigger the statute, there must be a breach in the first place, and there was none alleged by Katz here. There was a second problem with Katz's argument. The Massachusetts data breach statute does not provide for a private cause of action. The statute is intended to be enforced by the attorney general. Therefore, Katz's claim of unfair trade practice based on a violation of the Massachusetts data breach statute fails.

Breach of contract claim: The court rejects Katz's breach of contract claim because it is based on the agreement between NPC and Pershing, and Katz argued that she was an intended third party beneficiary to this agreement. The court pointed to language in the NPC-Pershing agreement which states that the agreement was "not intended to confer any benefits on third-parties including, but not limited to, customers of [NPC]." Katz argued that the contract was superseded by marketing representations made by Pershing, but the NPC-Pershing agreement contained an integration clause, and Katz could not introduce additional terms to vary the agreement. The court also rejects Katz's implied contract claim because it was not supported by valid consideration. If, as Katz alleged, Pershing promised to NPC to safeguard Katz's personal information, "any alleged promise to Katz to do the same would not amount to valid consideration."

Unjust enrichment: The court also rejects Katz's claim for unjust enrichment on the basis that Katz did not allege that she conferred a specific benefit on Pershing or that Pershing was ever aware of this benefit.
__

Courts have rejected claims from data breach plaintiffs where the plaintiffs have not suffered any out-of-pocket loss. Here, the plaintiff sued before any breach even occurred, and the court rejects the claims. Out of necessity, plaintiffs have gotten creative and tried every angle imaginable, but so far they have had no luck.

As in the Ikon Solutions case, the plaintiff in this case tried to rely on the data breach statute but the court found that it was inapplicable. To my knowledge, no state has enacted a data breach statute which provides for a private cause of action or damages. The Massachusetts statute primarily requires notification of an alleged breach. The court's two conclusions with respect to the data breach statute are not surprising, but they are significant.

Related posts:

Starbucks Data Breach Plaintiffs Rebuffed by Ninth Circuit
9th Circuit Affirms Rejection of Data Breach Claims Against Gap

The [Non]enforceability of Privacy Promises
Acxiom Not Liable for Security Breach

When Does a Privacy Policy Breach Support a Breach of Contract Claim?

Ikon Office Solutions Had no Duty to Disclose That Office Equipment Retained Data

Posted by Venkat at 01:36 PM | Licensing/Contracts, Privacy/Security



October 06, 2011

Court Nukes Another Mass Defendant File-Sharing Lawsuit -- Digiprotect v. Does

[Post by Venkat Balasubramani]

DigiProtect USA v. Does, 10 Civ. 8760 (S.D.N.Y.; Sept. 26, 2011)

Plenty of bad news for copyright plaintiffs lately. Righthaven is getting hammered left and right and is struggling (to say the least) to keep any momentum going. (See Eric's most helpful recap: "Resetting the Righthaven Fiasco," in which he notes that "[t]he Righthaven empire is in tatters.") The mass defendant file-sharing lawsuits have mostly spiraled downward as well. So many of these lawsuits have been dismissed on procedural grounds that I've lost track. Here's another one to add to the list.

Background: This was one of two lawsuits filed by DigiProtect in the Southern District of New York. In late 2009, the court granted DigiProtect's request to conduct limited discovery, although the court put in place some procedural safeguards. In December 2010, Time Warner and Comcast moved for a protective order, claiming that compliance with DigiProtect's subpoenas would be unduly burdensome. They sought an order requiring DigiProtect to compensate the ISPs for processing subpoenas and to limit the scope of information sought. In January 2011, the court raised the issue that the 240 Doe defendants may not be subject to personal jurisdiction in New York, and joinder may not have been proper. After considering DigiProtect's response, the court dismisses the lawsuit, with leave to replead and name only those Doe defendants who are properly subject to personal jurisdiction in New York.

Personal jurisdiction: The court runs through the Due Process/long-arm statute analysis to determine whether jurisdiction is proper. Although a recent New York state court case construed its long-arm statute broadly to allow for lawsuits against non-resident defendants where the plaintiff/copyright-owner is located in New York, that analysis does not apply in this case. Here, DigiProtect was a New York resident, but the actual copyright holder (Patrick Collins Inc.) was a California company. In passing, the court notes that although DigiProtect is authorized to pursue claims, Patrick Collins "retains most of the bundle of rights as copyright holder." [Houston, we may have a Righthaven-style standing problem!] The court says DigiProtect can't sue based on the fact that the harm from the infringement would be felt in New York, because this is not the case.

DigiProtect also argues for a "swarm" theory of jurisdiction, under which infringers are viewed as agents or co-conspirators of each other. According to DigiProtect, if one participant in a P2P swarm is located in New York, then this is sufficient to assert jurisdiction over the remainder of the group. The court also rejects this argument, noting that the complaint does not connect the Doe defendants to the same "swarm" transaction. Just because the defendants may have downloaded the same media does not mean that there was any connection between the downloads. (See Pacific Century International v. Does, discussed in this blog post: "P2P Swarm Defendants Can't Be Joined in the Same Lawsuit.")

The court expresses a reluctance to

ensnare unsophisticated individuals from around the country in a lawsuit based in New York [where the individuals would] likely be encouraged to settle rather than incur the burden and embarrassment of contesting the litigation.

The fact that individuals whose IP addresses are associated with infringing activity are located in New York is sufficient to establish jurisdiction in the court's view, and the lawsuit may proceed against those individuals only. However, the court notes that this is not the case for the bulk of the Doe defendants in question. Comcast reported to the court that none of the Comcast-associated IP addresses were for New York residents, and Comcast argued that this information could be obtained using a "free, publicly-available website that matches an IP address with the internet service provider . . . and lists the geographic region in which the provider uses the address."

As Comcast notes, this "could easily have been done by Plaintiff at the outset." The court's discussion of this was somewhat confusing to me, as I was under the impression that you cannot reliably "look up" an Internet user's geography using just an IP address. Comcast says that DigiProtect can find the geography of the provider. The court seems to think this means DigiProtect can identify the geography of the accountholder, but of course many Internet access providers have customers in more than one state. In any event, the fact that the court makes this statement shows that it's not excited about plaintiff and its claims.

Costs of compliance: The court also grants the ISPs' request for reimbursement and limitations on plaintiff's requests for information. Plaintiff argued that the ISPs were required to turn over the information anyway based on the DMCA-subpoena provisions, but the DMCA subpoenas don't help when the entity is just providing connectivity and not storing the user files on its servers. (See the Verizon DMCA subpoena case.) In granting the request of the ISPs, the court says:

- DigiProtect must reimburse the ISPs for IP address look-ups and for notifying subscribers;
- this amounts to $120 per IP address (not per subscriber);
- the lookups are limited to 25 IP addresses per month.

__

Oy vey. A few quick observations.

I'm surprised at the procedural gaffes which have derailed the latest round of mass-defendant P2P lawsuits. I was even more surprised when I saw the large national law firm, Foley & Lardner, was representing DigiProtect. Somewhat surprising to see them involved in a lawsuit over "Let Me Jerk You 2." Even more surprising to see them get smacked down by the court on relatively obvious procedural grounds.

What bogs down these lawsuits is the way they are pursued. You could use the IP addresses and pursue actions in individual jurisdictions (subject to discovery and subpoena limitations), or pursue one identified component of an alleged "swarm" and go after the remaining people involved (subpoena their information from the initial defendant and then go after them in other jurisdictions, if necessary). DigiProtect did not do that, and there's a reason why. It wants to obtain the list of everyone whose IP address it has, and send every single one of these people a letter. The same letter. DigiProtect is pursuing the settlement mill model, and more often than not, this model is blowing up in the face of plaintiff and its counsel.

I don't recall whether other courts have expressly approved ISP requests for processing costs, but the court does so here, and this may end up effectively putting the kibosh on the lawsuit. I don't get the sense that the plaintiff has invested significant dollars into the dispute or is willing to do so. Plaintiff may balk at the prospect of having to shell out cash upfront to learn the identity of the Doe defendants, who may or may not pay off. The limitation on the number of lookups is also a significant limitation. It is at least going to slow things down.

To people who are on the receiving end of subpoenas in Doe cases: take the lawsuit seriously, retain counsel, and if you don't have the resources to defend and push back, consider settling for a nominal amount, if possible. But definitely check to see if the case has been blown up by the judge. There's a good chance it has.

Posted by Venkat at 08:48 AM | Copyright , Privacy/Security



October 05, 2011

Ca. Court of Appeal Vacates $100,000 Non-Party Discovery Sanction Against Facebook -- In re J.G.

[Post by Venkat Balasubramani]

In re J.G., A128898; A129157 (Ca Ct. App.; Sept. 30, 2011)

Background: This involved a juvenile proceeding where J.G., a minor, was charged with the offenses of forcible sexual penetration and false imprisonment. During the proceedings, J.G.'s counsel served three subpoenas on Facebook, seeking information "relating to the victim's Facebook user account, including electronic messages sent to and from the account, and other data."

The first subpoena was issued on March 3, 2010 and demanded the production of documents within five days, or alternatively, Facebook's appearance at a court hearing on March 12. On March 17, Facebook served objections on J.G.'s counsel, and among other bases, Facebook argued that the Stored Communications Act precluded the production at issue. Facebook went back and forth with J.G.'s counsel, but did not appear at the scheduled hearing. At the hearing, J.G.'s counsel requested an order requiring Facebook's appearance in court on a new date: April 5, 2010.

On March 29, 2010 and April 7, 2010, the private investigator working for J.G.'s counsel served two additional subpoenas, the latter of which set a hearing date of April 13, 2010. While the first subpoena was signed by J.G.'s counsel, these two subpoenas were signed by the juvenile court commissioner. On April 9, 2010, Facebook served objections to these two subpoenas on counsel but did not file these objections with the court.

On April 12, 2010, Facebook's representatives discussed with J.G.'s counsel the possibility of having the victim execute a consent form. Facebook provided J.G.'s counsel the consent form, and counsel acknowledged receiving the form and advised Facebook: "You don't need to go to court tomorrow."

Facebook did not appear at the April 13 hearing. The investigator emailed a consent form purporting to be signed by the victim but it was actually signed by a representative of the district attorney's office. (??) The investigator further advised Facebook that there was a hearing and a further hearing on Facebook's "handling of the subpoenas" was set for April 20, 2010.

Prior to the April 20th hearing, Facebook's outside counsel arranged for a paralegal to contact the court. The court clerk advised that the hearing was scheduled to occur, but J.G.'s counsel advised Facebook's counsel that the hearing was cancelled. Facebook's counsel appeared at the April 20th hearing, where he found out that the court was considering imposing a sanction on Facebook "for failing to comply with court orders relating to the subpoenas." Facebook's counsel advised that the Stored Communications Act restricted Facebook's ability to disclose the information in question. Following the hearing, the court imposed a sanction on Facebook in the amount of $100,000, payable to the Alameda County Superior Court. At the hearing, the court drops this gem of a line:

[the judge] saw in the [newspaper] two weeks ago that [Facebook's CEO] made three billion dollars in 19-- excuse me, 2009, three billion dollars . . . .

Shortly after the hearing, J.G.'s counsel provided Facebook with the signed waiver, Facebook produced the information in question, and the juvenile court released J.G. to home supervision. Facebook then moved to vacate the sanctions order.

Discussion: Facebook made three arguments for why the sanction should be vacated. The court rejects the first two, but agrees with the third.

Due Process/notice: Facebook argued that it did not have adequate notice of the court's intent to impose a sanction. The court disagrees, noting that Facebook's counsel appeared at and participated in the hearing. In fact:

counsel acknowledged that Facebook was aware of the court's displeasure with its compliance efforts, and [admitted] that 'it's entirely possible that some things may have fallen through the crack [sic].'

Even if there was some irregularity in the procedures, the court concluded that Facebook did not suffer any prejudice--it participated in the hearing fully and filed papers after the hearing.

Consent to commissioner acting as judge pro tempore: Facebook contended that it did not consent to the commissioner acting as judge pro tempore "for purposes of the sanctions proceedings." The court says Facebook's conduct at the sanctions hearing was implied consent.

Court's authority to impose sanctions: The final argument gets traction with the court. The court says that while the juvenile court has inherent authority to manage its proceedings, the juvenile court does not have inherent authority to impose punitive monetary sanctions. Several different statutes authorize the court to impose sanctions, but none of these come close to authorizing an award of $100,000. While a statute authorizing broader sanctions is on the books, it's limited to parties and not directed at the conduct of nonparty witnesses.
__

The court vacates the sanctions award as unauthorized and sends the matter back to juvenile court for further consideration in light of its opinion. The court does not reach the issue of whether Facebook "acted reasonably and in good faith," and it looks like the juvenile court is directed to not address this issue either. (The court's order is unclear on this last point.)

Service providers have to walk a fine line when responding to requests for communications. Although both lawsuits were dismissed, MySpace and Yahoo were both sued for disclosing information and communications in response to subpoenas that plaintiffs claimed did not fall under the specific exceptions in the Stored Communications Act. (See Sams v. Yahoo! and Hubbard v. Myspace.) Providers also have to worry about statutes such as the Video Privacy Protection Act and the newly-enacted California Reader Privacy Protection Act [pdf]. I haven't looked at it in detail, but my instinct is that the communications in this case could not be disclosed by Facebook, and it was correct in asserting that the Stored Communications Act barred disclosure. (The DOJ's Cybercrime division lays out the circumstances in which information can be disclosed by service providers. Even wading through this summary will make your head hurt.)

I'm sure Facebook is breathing a sigh of relief over having avoided the sanctions order, although it must not be looking forward to dealing with these discovery issues on an ongoing basis. Dealing with a subpoena in federal court is somewhat more straightforward than dealing with it in other fora, such as in a juvenile criminal proceeding.

It's unfortunate that the court did not discuss the merits of Facebook's objection based on the Stored Communications Act. Litigants also continue to grapple with the issue of how to get Facebook profile information in discovery. As far as recommendations for litigants trying to get Facebook-related information: first, familiarize yourself with what information is covered by the SCA and tailor your request for information accordingly. Second, whenever possible, try to seek the information from the litigant rather than from the network directly, and try to obtain a waiver to the extent there are logistical issues preventing discovery of the information from the litigant. (Of course, courts have not resolved the issue of whether someone can be forced to execute a waiver, but I'm guessing we'll see some decisions on that soon enough.)

Posted by Venkat at 02:08 PM | Evidence/Discovery , Privacy/Security



October 04, 2011

9th Cir.: ECPA Protects Non-Citizen Communications Stored in the US -- Suzlon Energy v. Microsoft

[Post by Venkat Balasubramani]

Suzlon Energy Ltd. v. Microsoft Corp., 10-35793 (9th Cir. Oct. 3, 2011) [pdf]

Suzlon Energy sought emails from Microsoft for use against Sridhar, an Indian citizen, in a civil lawsuit pending in Australia. It filed a petition for the production of documents, which the district court initially granted. In response, Microsoft and Sridhar filed objections. The district court agreed with Microsoft and Sridhar and held that, although Sridhar was not a United States citizen, the Electronic Communications Privacy Act precluded Microsoft's disclosure of the emails.

The Ninth Circuit affirmed, finding that the text of the statute answers the question of whether the protections of the ECPA are limited to United States citizens. The statute prohibits disclosure of communications which fall under the statute and contains numerous exceptions, but citizenship is not listed as an exception. Additionally, the statute defines a user as "any person or entity" who uses an electronic communications service with authorization:

The Court finds that the plain language of the ECPA extends its protections to non-citizens. The Court is therefore obligated to enforce the statute as written.

Although the court found that the text of the statute answered the question, it nevertheless analyzed the legislative history of the statute "for its instructive value." The court notes that Congress' intent in passing the ECPA was to protect the privacy interests of American citizens. But nothing indicates an intent to protect the privacy rights of only American citizens. Although the language of the legislative history is inconclusive, the passage quoted by the court is interesting and one that Congress may want to take a look at when thinking about whether and how to revamp the ECPA:

With the advent of computerized record keeping systems Americans have the ability to lock away a great deal of personal and business information. . . . [T]he law must advance with technology to ensure the continued validity of the fourth amendment.

The court makes clear (citing to Zheng v. Yahoo!) that it's only deciding that ECPA protections apply to information stored in the United States. (Zheng was a case where the district court concluded that a dissident in China could not sue Yahoo! for allegedly turning over email messages to the Chinese government.)

The court also addresses the issue of consent, finding that Sridhar did not impliedly consent by being involved in the Australian litigation. The court does not see the logic in Suzlon's consent argument. The court also says that he did not consent to Microsoft producing the emails on his behalf. Microsoft's terms of service only say that any emails would be disclosed in accordance with United States law and in other circumstances not relevant to the case. Microsoft "never told Sridhar that his communications might be monitored or disclosed." There are no facts supporting an implied consent based on waiver.
__

It's tough to quibble with the court's interpretation of the statute, but it's interesting that the court specifically carved out and reserved judgment on communications that are not stored in the United States. Zheng v. Yahoo! didn't expressly rely on the storage issue; the court determined that the predicate acts occurred abroad and therefore the ECPA did not apply.

Is the location of the server where the email is stored a workable basis to determine whether ECPA protection should be lost? Does this type of rule allow an ISP to play games as to which emails are subject to ECPA protection and which are not? If an ISP decides to change its storage practices and decides to store emails offshore, does this suddenly mean that those emails are no longer entitled to protection under the ECPA? (I recall some proposed legislation which would prohibit US companies from storing data outside the United States to avoid foreign governments being able to impose different rules.) From a consumer standpoint, the location of storage doesn't offer much clarity. I imagine customers have no idea what jurisdiction the servers which house their communications are located in.

[Clarification: I revised the post to indicate that the court did not hold that foreign-stored communications are outside the scope of ECPA protection. My zeal to highlight an interesting issue got the better of me! Thanks to the emailer who pointed this out.]

Additional coverage: Ninth Circuit Says ECPA Protects Foreign Citizens (Tom O'Toole/BNA)

Posted by Venkat at 03:35 PM | Privacy/Security



September 23, 2011

iPhone Privacy Class Action Dismissed for Lack of Standing -- In re iPhone App. Litigation

[Post by Venkat Balasubramani]

In re iPhone Application Litigation, 2011 WL 4403963 (N.D. Cal.; Sept. 20, 2011)

iPhone users sued Apple and various advertising networks alleging that defendants violated their privacy rights "by . . . allowing third party applications that run on [iOS devices] to collect and make use of . . . personal information without user consent or knowledge." The court dismisses the claims but grants leave to amend. Judge Koh's order has the feel of a professor grading an exam, and it covers a lot of ground, including many cases we've blogged about. (It's well worth the read.)

Plaintiffs alleged that Apple made public statements about protecting user privacy but the design of its iOS system "permit[ted] apps that subject consumers to privacy exploits and security vulnerabilities." Plaintiffs alleged that Apple devices allow apps to track, access and use the following customer information:

address book, cell phone numbers, file system, geolocation, International Mobile Subscriber Identity (IMSI), keyboard cache, photographs, SIM card serial number, and unique device identifier (UDID).

Plaintiffs claimed that they were not put on notice of this tracking. Plaintiffs also alleged that the "Mobile Industry Defendants" exploited this information and "use[d] the merger of personal information to effectively or actually de-anonymize consumers." Despite being put on notice, Plaintiffs claimed Apple did not take any action to prevent this tracking and use of information.

Standing: Plaintiffs argued that they suffered three types of injury: (1) their personal information was misappropriated; (2) the personal information diminished in value; and (3) they suffered lost "opportunity costs" in having installed the apps and suffered a diminution in value of their devices because the devices are "less secure" and "less valuable." The court says that the complaint has a deeper standing issue. Plaintiffs failed to allege what injury they suffered personally (or as a class). They fail to identify what apps they used, what personal information was accessed, and what harm resulted. The court also says that the allegations are "especially slim with respect to . . . Apple."

The court also says that there's another issue with the complaint. Plaintiffs fail to allege a "concrete harm." Citing to Specific Media, JetBlue, and Doubleclick, the court says:

[as in Specific Media, plaintiffs have] not alleged any 'particularized example' of economic injury or harm to their computers, but instead offer only abstract concepts, such as 'opportunity costs,' 'value-for-value exchanges,' 'consumer choice,' and 'diminished performance.'

Plaintiffs pointed to Doe v. AOL, but the court distinguishes it on the basis that in that case there were "specific allegations" of the danger of public disclosure of "highly sensitive information." Plaintiffs' allegations in this case "come nowhere close" to the allegations in AOL. Plaintiffs also cite to the Facebook privacy case, but the court distinguishes it on the basis that the Facebook privacy case involved Wiretap Act claims which only require a showing that a person's communication was "intercepted, disclosed or used" in violation of the statute. Here, there's no analogous statute.

The court also says that the alleged injuries are not "fairly traceable" to defendants. There is no allegation that Apple misappropriated the data, and plaintiffs did not distinguish between the "mobile industry defendants," which made it tough to figure out who plaintiffs were trying to hold liable for what misappropriation. The court dismisses on the basis of standing with a cautionary note to plaintiffs:

any amended complaint must provide specific allegations with respect to the causal connection between the exact harm alleged (whatever it is) and each Defendants' conduct or role in that harm.

Although the court dismisses on standing grounds, it goes on to address alternate arguments raised by defendants and other issues in the case.

End user agreements: Apple argued that various end user agreements barred claims for the alleged injuries. Plaintiffs argued that the agreements were contracts of adhesion. The court says that plaintiffs will have trouble with both prongs of the adhesion argument. Plaintiffs have alternatives available, and the contract in question is for a recreational activity. The court does not outright reject plaintiffs' adhesion argument, but it sends plaintiffs a signal that they should articulate in their amended complaint why Apple should be held responsible despite any terms in the agreements.

Particularity and the absence of app developers: The court says that, as to the mobile industry defendants, the complaint fails to allege what role each of the defendants played in the alleged harm. This needs to be fixed in any amended complaint. Apple also raised the argument that the app developers were necessary parties but the court rejects this argument. At this stage, the court declines to dismiss the lawsuit for failure to join the developers.

Negligence: The court identifies two problems with the negligence claims. Apple does not necessarily have a legal duty to protect end user information from third party app developers and damages are speculative.

Breach of the duty of good faith: The court tells plaintiffs to identify which of the end user agreements and privacy agreements plaintiffs are using to support their duty of good faith claim.

Consumer Legal Remedies Act: The court questions whether the statute is applicable at all to software--it covers the sale of goods and services (citing to Ferrington v. McAfee).

Computer Fraud and Abuse Act: The court says that plaintiffs' Computer Fraud and Abuse Act claims are deficient for three reasons. First, there is no allegation that Apple acted "knowingly." Plaintiffs only allege that Apple failed to take "meaningful steps" to police third party developers. Second, since the software was downloaded voluntarily, this tends to undermine a claim that the access was "without authorization" or "exceeded authorized access." Finally, there's the damages issue. The court says that only economic damages are available and damages for "death, personal injury, mental distress, and the like" are not available. There are no allegations of economic harm. Although damages can be aggregated where the violation can be described as "one act," plaintiffs failed to point to any "single act" of harm by defendants.

California's anti-hacking statute: The court says (citing to Facebook v. Power Ventures) that the phrase "without permission" in the statute is more narrowly construed than in the Computer Fraud and Abuse Act. In Power Ventures, the court held that the mere violation of a terms of use does not violate the statute. In that case, the court held that Facebook would have to show that Power Ventures circumvented technical barriers of some sort. The court says that plaintiffs fail to articulate how the access here falls into this category. Plaintiffs also pointed to a section of the statute which imposes liability for the introduction of "computer contaminants." The court says that this section also contains a requirement that the introduction of the contaminant be without permission. The court also says that the subsection addressing computer contaminants is aimed at "viruses or worms," and it does not look like the apps in question fall into this category.

Trespass to chattels: Under Intel v. Hamidi, a trespass to chattels claim based on access to a computer server requires impairment or loss of use. The court says plaintiffs have not adequately pled this element.

Unfair competition: In order to bring an unfair competition claim, a plaintiff needs to have suffered damage or lost money or other property. The court says it is skeptical of the "personal information as currency" argument (citing to the recent Facebook privacy ruling). The court also says that it's unclear as to whether plaintiffs paid money for the apps in question.

Unjust enrichment: There is no separate cause of action for unjust enrichment under California law. The court says that restitution may be available as an equitable remedy in lieu of contract damages. If plaintiffs amend their complaint, they are directed to clarify what they are seeking as far as restitution.
__

Judge Koh goes through and basically shreds the complaint. A consistent theme is plaintiffs' lack of specificity. This is not surprising, because the trigger for the complaint is a news story or a scholarly study, rather than a specific event that a plaintiff had awareness of when it happened. The court's order makes clear that, even if plaintiffs get past the allegation of harm issue, there are numerous other hurdles that stand in the way of holding defendants liable. In particular, she says that Apple as the third party is somewhat removed from the information collection, and plaintiffs are not going to have an easy time holding Apple liable. Apple may also have a robust defense in its end user agreement(s). Other than knocking down plaintiffs' unconscionability argument, the court did not get into specifics of what those agreements contain that may limit Apple's liability, but the agreements are sure to contain a few. All of this has to be good news for Apple. [I'm somewhat surprised the issue of arbitration has not come up. Also, Apple may be able to assert a Section 230 defense, either based on section (c)(1) for its putative liability based on the developers' actions, or under (c)(2) for the negligence claim that it failed to police its app store properly.]

Lower courts have overwhelmingly rejected the latest wave of privacy class actions, and evinced deep skepticism towards the theory that the collection of personal information alone by a private entity constitutes harm. Courts also do not seem excited about the theory that tracking somehow harms end users because it diminishes the value of their personal information. Nor do they seem excited about the "information as currency" argument. I think it's fair to say that, while the case law leans towards the defendants, there's not necessarily a ton of Ninth Circuit precedent that directly speaks to the issues raised by tracking cases. It's possible that some set of plaintiffs may have better luck in the Ninth Circuit.

Posted by Venkat at 10:31 AM | Privacy/Security



September 22, 2011

Court Revisits and Dismisses Fair Credit Reporting Act Lawsuit Against Spokeo -- Robins v. Spokeo, Inc.

[Post by Venkat Balasubramani]

Robins v. Spokeo, Inc., 10-CV-05306 (C.D. Cal.; Sept. 19, 2011)

Spokeo collects information about individuals and allegedly markets this information to employers and HR professionals. Robins sued Spokeo in a putative class action, alleging violations of the Fair Credit Reporting Act. The court initially dismissed the lawsuit for lack of standing, due to Robins's failure to allege actual harm. ("Court Dismisses Class Action Against Spokeo for Lack of Standing.") Robins filed an amended complaint and the court found that Robins adequately alleged injury and standing. ("Court Allows Fair Credit Reporting Act Claims Against Spokeo to Move Forward.")

The court revisits the ruling and finds that plaintiffs failed to adequately allege harm:

the Court reinstates the January 27, 2011 Order, which found that Plaintiff fails to establish standing. Among other things, the alleged harm to Plaintiff's employment prospects is speculative, attenuated and implausible. Mere violation of the Fair Credit Reporting Act does not confer Article III standing, moreover, where no injury in fact is properly pled. Otherwise, federal courts will be inundated by web surfers' endless complaints. Plaintiff also fails to allege facts sufficient to trace his alleged harm to Spokeo's alleged violations. In short, Plaintiff fails to establish his standing before this Court. This action is therefore DISMISSED.

Is it sufficient for a plaintiff to plead a violation of a statute or does the plaintiff have to allege harm for Article III purposes separately? Does a statutory violation automatically confer Article III standing? I'm guessing Robins will appeal this ruling and we will get to see what the Ninth Circuit says about the standing issue. [For what it's worth, I predict a reversal.]

Previous posts:

Court Dismisses Class Action Against Spokeo for Lack of Standing.
Court Allows Fair Credit Reporting Act Claims Against Spokeo to Move Forward

Posted by Venkat at 12:05 PM | Privacy/Security



August 24, 2011

Mixed DMCA Online Safe Harbor Ruling in Cloud-Based Music Locker Case--Capitol v. MP3Tunes

By Eric Goldman

Capitol Records, Inc. v. MP3Tunes, LLC, 2011 WL 3667335 (SDNY Aug. 22, 2011).

Background. This case involves MP3Tunes.com and Sideload.com. MP3Tunes is a music storage locker. Small lockers are free, but more storage is available at a price. The system doesn't store redundant copies; if the system recognizes an identical bit stream coming from a second user, it just records the hash. Sideload is a music search engine that lets users find free music on the Internet. (It was also a browser plug-in.) If users find a music file they like, they can "sideload" the music file into their MP3Tunes locker as a personal archive copy. MP3Tunes' database tracks the sources of these personally archived files.

Due to other issues being addressed in prior proceedings, this ruling primarily focuses on the applicability of the 17 USC 512 safe harbor. This court expressly interprets 512(d), the safe harbor for linking to infringing content--one of the rare opinions to do so. Like most 512 rulings, this ruling is lengthy and detailed, reflecting the fact that the plaintiff contested a long list of safe harbor elements. As I recently mentioned, god bless the pithy 47 USC 230 immunity and the short opinions it produces.

Result. The net effect is that most of MP3Tunes' operations got a 512 safe harbor defense, but it is contributorily liable for any infringing sideloaded files it didn't remove following a takedown notice, and MP3Tunes' CEO (the persistent Michael Robertson) may be personally liable for any infringing files he personally loaded into his locker. These rulings leave the defendants on the hook for potentially millions in damages. Other questions, such as liability for employees' uploads, were rolled over to trial. Because of this mixed ruling, both sides issued public statements touting their wins. As I'll explain momentarily, both sides also earn some brickbats from me.

Some of the post-ruling punditry has suggested this ruling provides a roadmap for other cloud-based music lockers, including the offerings from Apple, Amazon and Google. While that's partially true, the guidance is limited at best due to the fact-specific nature of the ruling. Perhaps the best news for the other services is that lockers may not have to store redundant copies of user-uploaded files to qualify for a Cablevision defense (see the EFF post for more on this). However, as the Zediva ruling recently showed, it remains uncertain how broadly other courts will read the Cablevision case. Otherwise, I think this case mostly tells us things we already knew but that copyright owners refuse to believe.

Out of this dense and slightly inscrutable ruling, some of the points that I found most interesting:

Bogus Takedown Notices (Yet Again...) EMI sent MP3Tunes overbroad takedown notices. The court says EMI affiliates "provided a list of EMI artists and demanded that MP3Tunes 'remove all of EMI's copyrighted works, even those not specifically identified.'" This was in 2007, NINE YEARS after the DMCA came into effect. Seriously, guys? 512(c)(3) isn't that complicated, and major copyright owners that send notices vastly in excess of 512(c)(3) look like greedy or clueless SOBs.

With the hope that we can avoid future SOBness, here's an offer I extend to any and all major copyright owners. I will happily give you a FREE tutorial on how to draft proper 512(c)(3) takedown notices so that you don't look as asinine as EMI looked here. I'm not worried about these trainings being too much of a drain on my time--they should only take about FIVE MINUTES and involve a variation of RTFM.

Needless to say, the court wasn't impressed by EMI's overreaching takedown notices. It reminds EMI that a proper 512(c)(3) takedown notice requires the copyright owner to provide sufficient information to locate the infringing files (citing Wolk v. Photobucket).

MP3Tunes' Takedown Policy. MP3Tunes took the puzzling position that, in response to the overreaching 512(c)(3) notices, it only had to remove specified links from Sideload and not any files downloaded from those URLs into personal lockers--even though MP3Tunes kept the source URLs in its database and could therefore trace those files. Now, if the users had downloaded the files to their hard drives, that wouldn't be MP3Tunes' issue--though, to be clear, the users probably don't have a fair use defense if the files are actually infringing (see, e.g., the BMG v. Gonzalez case). However, as a cloud service provider, MP3Tunes needs to respond to 512(c)(3) notices when they meet the statutory requirements, even if the locker is supposed to be the user's "private" space. MP3Tunes loses the 512 safe harbor for these files because EMI's 512(c)(3) notices provided adequate information for MP3Tunes to locate the files, and the court says MP3Tunes is contributorily liable for these infringements. MP3Tunes argued a Sony defense that its lockers had substantial non-infringing uses, but the court says Sony applies only to products, not services.

It's unclear how this discussion applies to other cloud-based music lockers. The court distinguishes Viacom v. YouTube because Viacom could easily search YouTube for infringements--which isn't possible with private cloud-based lockers (just as it isn't possible with user hard drives). The court also asserts that any other lockers letting users "sideload" from the Internet must trace the source URL and disable all files from that URL in response to a 512(c)(3) notice. But what if the music locker allows users to upload files from their hard drives and doesn't allow those to be searched? The opinion seems to deliberately avoid addressing that situation. [A related unresolved Q: how copyright owners can find private YouTube videos. I've posted a few myself for use in my Advertising Law course.]

The court dismisses MP3Tunes' seemingly overstated concerns about its liability to users for disabling files in their "private" lockers. MP3Tunes' user agreement expressly allowed this, as I would expect every other cloud service provider's user agreement to do.

Even so, it's 100% clear that cloud storage is different from hard drive storage, and some users are going to get quite a surprise when they learn that third parties can zap files from their cloud storage. (Recall the hubbub over Amazon's zapping of books from Kindle). If Congress weren't so dysfunctional, this would be a good place for a statutory fix. It would make a nice complement to the Digital Due Process initiative to fix the ECPA's application to the cloud.

It's worth noting that users weren't represented in this litigation and had no ability to show that their uses were fair, notwithstanding BMG v. Gonzalez and similar cases. If cloud-based music lockers simply pull the trigger on 512(c)(3) notices on an "ex parte" basis (i.e., without any input from the affected users), their fair use rights become effectively irrelevant unless the sites honor users' putback notices. I think it's critical for cloud-based music lockers enabling "private" lockers to address how they will deal with 512(c)(3) notices and if they will honor 512(g) putback notices. I'd welcome your thoughts on ways that we collectively can monitor cloud service providers' policies and practices on this topic.
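To make the mechanics in the Background section and in the takedown discussion above concrete, here is an added example of a deduplicating locker. It is my own illustration, not MP3Tunes' code and not anything from the opinion. It assumes a content hash (SHA-256) as the dedup key, a per-user entry that records the sideload source URL, and a hypothetical example.com URL; the sample bytes are constructed. It shows why identical bits can be disabled for the users who sideloaded them from a noticed URL while the same bits uploaded from another user's hard drive stay untouched, and what a 512(g)-style putback looks like in that data model.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class LockerEntry:
    user: str
    digest: str                # content hash; key into the shared blob store
    source_url: Optional[str]  # URL the file was sideloaded from; None for a local upload
    disabled: bool = False     # set by a takedown, cleared by a putback


class Locker:
    """Deduplicating locker: one stored copy per distinct bit stream, many per-user entries."""

    def __init__(self) -> None:
        self.blobs: Dict[str, bytes] = {}
        self.entries: List[LockerEntry] = []

    def _store(self, data: bytes) -> str:
        digest = hashlib.sha256(data).hexdigest()
        # A second user with identical bits adds no storage: only the hash is recorded.
        self.blobs.setdefault(digest, data)
        return digest

    def upload(self, user: str, data: bytes) -> str:
        """File uploaded from the user's own hard drive; there is no source URL to trace."""
        digest = self._store(data)
        self.entries.append(LockerEntry(user, digest, None))
        return digest

    def sideload(self, user: str, data: bytes, source_url: str) -> str:
        """File pulled from the open Internet; the source URL is kept with the entry."""
        digest = self._store(data)
        self.entries.append(LockerEntry(user, digest, source_url))
        return digest

    def takedown(self, source_urls: List[str]) -> int:
        """Disable every locker copy traced to a URL named in a notice.

        Only sideloaded entries can match: a local upload has no URL, so the same
        bits in another user's locker stay visible even though they share a blob.
        """
        targets = set(source_urls)
        hit = 0
        for e in self.entries:
            if e.source_url in targets and not e.disabled:
                e.disabled = True
                hit += 1
        return hit

    def putback(self, user: str, source_url: str) -> int:
        """Restore one user's disabled copies from a URL after a counter-notice."""
        restored = 0
        for e in self.entries:
            if e.user == user and e.source_url == source_url and e.disabled:
                e.disabled = False
                restored += 1
        return restored

    def visible(self, user: str) -> List[str]:
        return [e.digest for e in self.entries if e.user == user and not e.disabled]

    def storage_bytes(self) -> int:
        return sum(len(b) for b in self.blobs.values())


def demo() -> Dict[str, int]:
    # Constructed sample content; real entries would be audio files.
    track = b"ID3" + b"\x00" * 1000
    other = b"ID3" + b"\x01" * 500
    url = "http://example.com/free/track.mp3"  # hypothetical sideload source
    locker = Locker()
    locker.sideload("alice", track, url)
    locker.sideload("bob", track, url)          # identical bits: hash recorded, no new blob
    locker.upload("carol", track)               # identical bits, but from carol's own disk
    locker.sideload("bob", other, "http://example.com/free/other.mp3")
    stats = {"distinct_blobs": len(locker.blobs), "storage_bytes": locker.storage_bytes()}
    stats["disabled_by_notice"] = locker.takedown([url])  # the notice names the URL
    stats["carol_visible"] = len(locker.visible("carol"))
    stats["bob_visible"] = len(locker.visible("bob"))
    stats["alice_restored"] = locker.putback("alice", url)
    stats["alice_visible"] = len(locker.visible("alice"))
    return stats
```

Two practical points follow from this layout. The hash index that saves storage is also what makes the court's tracing expectation cheap to meet: the operator can tell which users hold identical bits, so a "private" locker is private only as a matter of access policy, not of what the operator can see. And cross-user deduplication keyed on a content hash has a known side channel: a client that can observe whether its upload was short-circuited can learn whether someone else already stored that exact file, which is worth considering before exposing dedup behaviour to users.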

Repeat Infringer Policy. MP3Tunes had an adequate repeat infringer policy because, among other things, its users weren't "blatant infringers" (they were just downloading files for personal use and may not have known better) and "MP3Tunes does not purposely blind itself to its users' identities and activities."

Red Flags of Infringement. I continue to assert that "red flags of infringement" is no longer possible given copyright owners' widespread practices of freely seeding their content on the Internet as marketing. EMI did that too. Indeed, the court says "EMI executives concede that internet users, including MP3tunes' users and executives, have no way of knowing for sure whether free songs on the internet are unauthorized." The court further dismisses EMI's mockable argument that the terms "free," "mp3" and "file-sharing" automatically confer red flags knowledge. EMI's takedown notices that didn't comply with 512(c)(3) didn't contribute to any red flags knowledge either.

Vicarious Infringement Standards. The court rejects that the sideloading feature contributed to "financial benefit" because, even if it was a "draw," it had non-infringing uses, and MP3Tunes didn't charge for its usage. MP3Tunes lacked the requisite "control" because it was a cloud storage solution.

Public Performance. EMI argued that MP3Tunes publicly performed the files in users' lockers. MP3Tunes responded with a Cablevision defense. The court explains that MP3Tunes doesn't deliver files from a "master copy" (even though redundant copies aren't made) but instead "uses a standard data compression algorithm that eliminates redundant digital data" and therefore preserves exact digital copies. Thus, MP3Tunes wasn't publicly performing. I didn't understand the technological distinction the court was making, but I didn't find it persuasive at all. The court also distinguished Cablevision because it couldn't qualify for 512, while MP3Tunes does.

DMCA's Applicability to pre-72 Sound Recordings. FN1 says that 512 applies to pre-1972 sound recordings:

The Court agrees with Defendants that the plain meaning of the statutory language makes the DMCA safe harbors applicable to both state and federal copyright claims. Thus, the DMCA applies to sound recordings fixed prior to February 15, 1972.

I believe this is the first ruling reaching this conclusion (am I forgetting one?). The court didn't offer any citations or analysis in support of this conclusion, and I anticipate this issue will continue to be litigated fiercely.

Reminder: in case you missed it, I recently caught up on 4 months worth of online copyright rulings, including several addressing the same or similar issues as this case.

Other comments on this ruling: Techdirt, EFF, CNET News.com

Posted by Eric at 02:26 PM | Copyright , Derivative Liability , Licensing/Contracts , Privacy/Security | TrackBack



August 22, 2011

Deep Packet Inspection Lawsuits: NebuAd Partner ISP Wins Summary Judgment -- Kirch v. Embarq

[Post by Venkat Balasubramani with comments from Eric]

Kirch v. Embarq, 10-2047-JAR (D. Kan. Aug. 19, 2011)

The fallout from NebuAd's ill-fated deep packet inspection continues to percolate through the courts. Plaintiffs sued NebuAd and ISPs in the same forum in Northern California, but the ISPs were dismissed on jurisdictional grounds, requiring plaintiffs to pursue them through local lawsuits. NebuAd reportedly shut down, but lawyers recently announced a settlement over claims against NebuAd. (See: "NebuAd Settles Lawsuit Over Behavioral Targeting Tests.") Interestingly, the $2.4M from the proposed settlement will go to public interest organizations and the lawyers--there's no class payout, and just small payments to the named plaintiffs. This is fairly typical in privacy lawsuits, but settlements like these have elicited a few challenges, most prominently in Facebook's Beacon settlement (which is currently on appeal to the Ninth Circuit).

This particular case is one of the end users' cases against ISPs. They brought claims for violation of the Computer Fraud and Abuse Act, Electronic Communications Privacy Act, invasion of privacy and trespass to chattels. They voluntarily dismissed the invasion of privacy, trespass and CFAA claims. This left the ECPA claim. (The court says the claims were dismissed pursuant to "stipulation," but does not get into detail as to whether there was any settlement associated with this dismissal.)

No derivative liability: The court found for summary judgment purposes that Embarq did not have access to the contents of user communications. Embarq admittedly facilitated NebuAd's tracking and targeting, but this is not enough for plaintiffs to hold Embarq liable:

As plaintiffs' expert testified, Embarq's role was to install the NebuAd device so as to furnish the UTA connection to NebuAd. In other words, the NebuAd device . . . goes into place, then all of the raw data that flows through Embarq is directed to that device, where NebuAd does the analysis and, apparently, separates out the Port 80 traffic. Moreover, plaintiffs cite no authority that Embarq's access to the raw data that flowed through its network constitutes a violation of the ECPA, which requires an entity to actually acquire the contents of those communications. There is nothing in the record that Embarq itself acquired the contents of any communications as they flowed through its network; instead, plaintiffs' theory rests on the notion that the NebuAd System extracted the contents of the communications. Plaintiffs' assertion that Embarq 'endeavored to intercept' communications falls short of creating civil liability under the ECPA, which creates liability for actual interception.

Plaintiffs pointed to the contractual relationship between Embarq and NebuAd as a basis for holding Embarq indirectly liable. The court says clearly that the "civil liability provision of the ECPA . . . does not provide for secondary liability."

User consent: The court also grants Embarq summary judgment on the basis that to the extent there was improper interception, the users consented to it. Embarq's "activation agreement" pointed to its privacy policy and said Embarq could revise it. Prior to deployment of NebuAd, Embarq posted a new paragraph in its privacy policy entitled "preference advertising." This paragraph informed subscribers that:

Embarq may use information such as the websites you visit or online searches that you conduct to deliver or facilitate the delivery of targeted advertisements. The delivery of these advertisements will be based on anonymous surfing behavior and will not include users' names, email addresses, telephone numbers, or any other Personally Identifiable Information.
You may choose to opt out of this preference advertising service. By opting out, you will continue to receive advertisements as normal; but these advertisements will be less relevant and less useful to you. If you would like to opt out, click here. (embarq.com/options)

Subscribers were given an opportunity to opt-out by clicking on a link. Plaintiffs made three arguments as to why this consent should not be viewed as being effective, but the court summarily rejects them all, relying in part on Mortensen v. Bresnan: (1) the scope of the disclosure was inadequate and did not identify NebuAd; (2) the notice was not conspicuous enough; and (3) the opt-out mechanism was insufficient.
__

The NebuAd deep packet inspection idea was ill-fated, but it's interesting to see the litigation play out as it has. NebuAd's insurers settled for a relatively small amount. The claims against the individual ISPs are struggling, and when you throw requests to compel arbitration based on the Supreme Court's decision in Concepcion into the mix, it's going to end up being a long road for plaintiffs.

I'm not sure I can think of a principled reason for this, but I've always viewed deep packet inspection as something that crossed the line. But under existing privacy laws, it's not easy to hold ISPs who partnered with NebuAd liable. Privacy plaintiffs continue to push the envelope but they are repeatedly rebuffed by the courts. As Eric notes, the statutes under which plaintiffs assert causes of action in privacy class actions are convoluted, confusing, and in need of a much-anticipated revamp.

As with the flash cookie cases, I'm curious about the FTC's role in the regulatory quagmire. I would think they could have a significant effect in the area if they came in and took the type of action they took against the likes of Google and Twitter against the players in this space. Maybe I'm missing something or there are institutional factors at play (or activities going on behind the scenes), but it certainly seems like the FTC has extracted a large quantity of blood in some situations but is ineffectual or slow to act in others.

Previous posts on NebuAd:

Deep Packet Inspection (NebuAd) Litigation: Court Dismisses ECPA Claim but CFAA Claim Continues
NebuAd Deep Packet Inspection Lawsuits Sputter -- Deering v. CenturyTel & Green v. Cable One

Additional coverage:

Wendy Davis: "Embarq Wins Privacy Suit Stemming From NebuAd Tests"
__

Eric's comments

1) For sake of completeness, I note that a 47 USC 230 defense wouldn't have helped Embarq against the derivative ECPA claim because 230's immunity expressly excludes ECPA claims. See 47 USC 230(e)(4). Thus, this case failed on the prima facie elements. The court says confidently (cites omitted):

The civil liability provision of the ECPA, however, does not provide for secondary liability, as liability attaches only to the party that actually intercepted a communication. As numerous courts have consistently held, a defendant does not “intercept” a communication merely by allowing or enabling, or even directing, another party to intercept communications.

2) The court's conclusion about consent is interesting:

plaintiffs were required to agree to the terms of the Activation Agreement in order to use Embarq’s Internet service; that Agreement incorporated the terms of the Privacy Policy, which informed subscribers that their de-identified data could be shared with third parties; that Agreement informed subscribers that the terms could be changed at any time through posting a new policy at Embarq’s website; and Embarq modified those terms in advance of the NebuAd test to add a paragraph regarding preference advertising, with an opt-out mechanism.

This summary, very much in line with the Mortensen case, shows an extreme judicial deference to Embarq's contract--both in terms of letting broad opaque language serve as user "consent" and letting Embarq unilaterally amend the contract to add new and different terms. We've seen other courts push back on both practices, so I wouldn't recommend Embarq's approach as an industry best practice. It seems especially odd that courts have been so deferential on consent issues given the inherent disagreeability of NebuAd's DPI practices.

3) Along with last week's Bose v. Interclick ruling, chalk this up as another plaintiff loss in a privacy case that most people probably thought was a slam dunk. So many of the pending privacy lawsuits are filed solely because defendants will pay to avoid the adjudication costs of defending their practices under poorly drafted statutes, not because there's any fundamental merit to the cases. We desperately need a complete rewrite of the CFAA and ECPA simply to put them in English so that everyone has a better sense of which cases are meritorious from the outset.

4) An interesting factoid: NebuAd paid less than $30k to Embarq for the trial period. Note to future IAPs who want to experiment with potentially privacy-invasive technologies: it isn't a good financial deal for you! Or, at minimum, get the vendor's insurer to stand behind the vendor's indemnity clause so that you won't spend many multiples of the associated revenue defending yourself when the vendor goes belly-up.

Posted by Venkat at 04:27 PM | Derivative Liability , Licensing/Contracts , Privacy/Security



Federal Geolocation Bills Differ on Scope and Damages (Guest Blog Post)

By Sonya Ziaja

[Sonya is an American attorney and MSc. candidate at University of Oxford. She writes regularly for LegalMatch and Shark. Laser. Blawg.]

Congress will be considering at least two geolocation privacy bills this term. The bipartisan Geolocation Privacy and Surveillance Act (“GPS Act”) tries to tackle both the Fourth Amendment problems with law enforcement's widespread unwarranted use of GPS as well as the pesky consumer privacy issues with data collection. Senator Al Franken's Location Privacy Protection Act separates those issues, and focuses instead only on consumer privacy.

The GPS Act's comprehensive approach to geolocation privacy is admirable. But, in its attempt to regulate such disparate actors as the F.B.I. and Apple, the bill looks like it bit off more than it could chew and lost some teeth—especially with regards to consumer protection. A comparison of the bills highlights a weakness in the GPS Act's enforcement mechanism.

In both bills, enforcement means litigation. Both bills allow for a private right to civil action against non-government entities and individuals that intercept, use or disclose geolocation information. Both bills also provide for equitable relief. So, under either bill, you could sue to stop an entity from collecting or selling your geolocation information. And both bills include a fee-shifting provision, so hiring an attorney shouldn't be too much of a barrier to seeking relief. There are significant differences, though, in how damages are calculated and the limitations on relief in the bills.

On the surface, the GPS Act's remedies appear stronger. It gives courts two options to assess damages and instructs the courts to use the greater of the two. Either the plaintiff is awarded actual damages plus any profits the offending party gained through the violation; or the plaintiff is granted statutory damages of $100 a day for each day of violation or $10,000, whichever is greater. The first option seems unlikely to act as a deterrent, unless the case is brought as a class action suit, or the individual was in a unique position to lose money from having their location known. So for an ordinary individual bringing suit, statutory damages likely make the most sense under this plan. Successful plaintiffs are guaranteed a minimum $10,000. In addition a plaintiff can sue for punitive damages in "appropriate cases." What exactly constitutes an "appropriate case" is not described in the bill and is left to the courts to decide.

The Location Privacy Protection Act takes a more modest and straightforward approach. Potential damages include actual damages (assuming they're beyond a $2,500 threshold) and punitive damages. So an ordinary individual plaintiff could get less under this bill than the $10,000 minimum in the GPS Act.

But while the GPS Act provides for potentially steeper penalties than the Location Privacy Protection Act, it also contains significant barriers to bringing a successful suit. Chief among these is its statute of limitations. It requires that a plaintiff bring a case within "two years after the date upon which the claimant first has a reasonable opportunity to discover the violation" or the plaintiff loses the right to bring a suit. In other words, if you fail to realize that an entity is intercepting, using or distributing your geolocation information, you're in danger of losing your right to sue and stop that entity from continuing to track you.

The statute of limitations in the Location Privacy Protection Act is more reasonable. It's still a two-year limit, which would protect corporations from unanticipated lawsuits far into the future. But, where the GPS Act starts the two-year count from the moment that you could have possibly known you were being tracked, this bill starts the two-year count from the date the violation actually happened or the date that you actually learned the violation had taken place.

The GPS Act does take positive steps to protect citizens' privacy rights from law enforcement. But from the point of view of the bill, when those same citizens are viewed as consumers, their privacy no longer seems to be as much of a concern. I would hope that the barriers to enforcement included in the GPS Act are simply oversights and will be remedied in future versions of the bill. Absent changes, however, Franken's Location Privacy Protection Act looks to be the better bet for protecting consumer privacy rights. You might not get the same returns on it as you might from the GPS Act, but at least you have a better chance of being able to sue to stop companies from surreptitiously tracking you.

Posted by Eric at 07:22 AM | Privacy/Security | TrackBack



August 18, 2011

Another Lawsuit over Flash Cookies Fails -- Bose v. Interclick

[Post by Venkat Balasubramani, with comments from Eric]

Bose v. Interclick, Inc., et al., 10-cv-09183-DAB (S.D.N.Y. Aug. 17, 2011)

Bose sued Interclick, an advertising network, and various advertisers (including McDonald's, Mazda and Microsoft) over "flash cookies" and "history sniffing." As described by the court:

[w]hen a user deletes a browser cookie, the flash cookie "respawns" the browser cookie without notice to or consent of the user....
"history sniffing" code, which [contains] a list of web page hyperlinks . . . [uses] the computer's browser to determine whether the computer had previously visited those hyperlinks, and [transmits] the results to [the advertising network's] servers. Interclick used data on the computer's browsing history to select particular advertisements to display on that computer.
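As an added illustration of the respawning behaviour the court describes (my own code, not anything from the opinion, the parties or any real tool), the following detector reads a constructed proxy-style log in a hypothetical format and flags an identifier that reappears after the user cleared browser cookies. It catches both patterns: the server handing the same value back to a now-cookieless browser, and the value turning up in a request without any response having re-set it, which is what a script restoring document.cookie from a Flash local shared object produces. Host names, cookie names and values are made up.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed log for the example (hypothetical format, not any real proxy's output):
# "<seq> <event> key=value ...", event is REQ, RESP or CLEAR. "cookie=-" means the
# request carried no Cookie header; CLEAR marks the user deleting browser cookies.
SAMPLE_LOG = """\
1 REQ host=ads.example.net cookie=-
2 RESP host=ads.example.net set-cookie=uid=a1b2c3
3 REQ host=trk.example.com cookie=-
4 RESP host=trk.example.com set-cookie=tid=77
5 REQ host=ads.example.net cookie=uid=a1b2c3
6 RESP host=ads.example.net set-cookie=uid=a1b2c3
7 CLEAR browser-cookies-deleted
8 REQ host=ads.example.net cookie=-
9 RESP host=ads.example.net set-cookie=uid=a1b2c3
10 REQ host=ads.example.net cookie=uid=a1b2c3
11 RESP host=ads.example.net set-cookie=uid=a1b2c3
12 REQ host=trk.example.com cookie=tid=77
13 REQ host=other.example.org cookie=-
14 RESP host=other.example.org set-cookie=sess=zz99
"""

LINE_RE = re.compile(r"^(?P<seq>\d+) (?P<event>REQ|RESP|CLEAR)(?: (?P<rest>.*))?$")

Finding = Tuple[int, str, str, str, str]  # (seq, kind, host, cookie name, value)


def _fields(rest: str) -> Dict[str, str]:
    """'host=x cookie=uid=1' -> {'host': 'x', 'cookie': 'uid=1'} (split on the first '=')."""
    out: Dict[str, str] = {}
    for tok in (rest or "").split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            out[k] = v
    return out


def _cookies(spec: str) -> Dict[str, str]:
    """'a=1;b=2' -> {'a': '1', 'b': '2'}; '-' or '' means no cookies at all."""
    out: Dict[str, str] = {}
    if spec in ("", "-"):
        return out
    for part in spec.split(";"):
        if "=" in part:
            k, v = part.strip().split("=", 1)
            out[k] = v
    return out


def detect_respawns(log_text: str) -> List[Finding]:
    seen: Dict[Tuple[str, str], Set[str]] = defaultdict(set)  # values ever set, per (host, name)
    pre_clear: Dict[Tuple[str, str], Set[str]] = {}           # snapshot of `seen` at the CLEAR
    reissued: Set[Tuple[str, str, str]] = set()               # (host, name, value) set again after CLEAR
    last_request: Dict[str, Dict[str, str]] = {}              # cookies the browser last sent, per host
    cleared = False
    findings: List[Finding] = []

    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip anything not in the expected format
        seq, event, f = int(m["seq"]), m["event"], _fields(m["rest"])

        if event == "CLEAR":
            cleared = True
            pre_clear = {k: set(v) for k, v in seen.items()}
            reissued.clear()
            last_request.clear()
            continue

        host = f.get("host", "")
        if event == "REQ":
            cookies = _cookies(f.get("cookie", "-"))
            for name, value in cookies.items():
                key = (host, name, value)
                # A pre-clear identifier is presented although no response re-set it since
                # the clear: something on the client rewrote the cookie from another store.
                if cleared and value in pre_clear.get((host, name), set()) and key not in reissued:
                    findings.append((seq, "client-side", host, name, value))
                    reissued.add(key)  # report each respawned value once
            last_request[host] = cookies
            continue

        # RESP: a Set-Cookie that hands a cookieless browser back its old identifier means
        # the server recognised the browser through some channel other than the cookie jar.
        for name, value in _cookies(f.get("set-cookie", "-")).items():
            presented = last_request.get(host, {}).get(name) == value
            if cleared and not presented and value in pre_clear.get((host, name), set()):
                findings.append((seq, "server-side", host, name, value))
            reissued.add((host, name, value))
            seen[(host, name)].add(value)
    return findings
```

On the sample, line 9 is flagged as a server-side respawn and line 12 as a client-side one; line 11, where the server merely refreshes a cookie the browser still presents, is not. The log shows only the symptom: which channel carried the identifier across the clear (a Flash local shared object, an ETag, localStorage) is not visible from HTTP headers, so a hit is a lead to inspect the page's scripts, not proof on its own.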

Plaintiff asserted putative class claims under the Computer Fraud and Abuse Act, New York's unfair competition statute, and common law trespass.

CFAA claims: Bose asserted three types of damages to support her CFAA claims: (1) impairment of her computer; (2) "loss" based on the collection of personal information; and (3) loss due to "interruption of internet service."

Damage to the computer system: The court canvassed the broad array of losses that can support a CFAA claim, but focused on the issue of whether the loss alleged by Bose satisfied the $5,000 jurisdictional threshold. Bose "[failed] to quantify any damage Interclick caused to her computer . . . ." and what it would cost to remedy this supposed damage.

Collection of personal information: The court rejects Bose's attempt to satisfy the loss threshold by pointing to the alleged misappropriation of her personal information. The court notes that the CFAA provides recovery for "economic damages," and misappropriation of personal information does not qualify. In re DoubleClick arrived at the same result in 2001, and the court rejects her attempt to distinguish DoubleClick on the basis that in this case the network "circumvented" privacy controls that the plaintiff put in place.

Interruption of service: The court also rejects Bose's attempt to argue that the flash cookies caused a slowdown sufficient to invoke the CFAA:

Bose . . . fails to allege specific damage or loss incurred due to alleged interruption of service, or costs incurred to remedy the alleged interruption of service. Even if a flash cookie may reach up to 100 kilobytes in size and may occupy space on Bose's hard drive, Bose fails to demonstrate that the flash cookie caused damage, a slowdown, or a shutdown to her computer.

Aggregation: Finally, the court addressed the issue of whether the damages could be aggregated under the CFAA to meet the $5,000 jurisdictional threshold. The court notes some divergent authority on the issue of whether losses can be aggregated among multiple plaintiffs (as opposed to multiple computers or events) and concludes that each plaintiff has to satisfy the damages threshold individually.

Deceptive business practices: A deceptive business practices claim requires a consumer-oriented practice that was misleading and that caused injury. The court rejects the defendants' argument that there was no misleading practice. With respect to injury, the court notes that New York law does not require pecuniary injury to maintain a claim; a bare claim for invasion of privacy is sufficient. The deceptive business practices claim against Interclick moves forward. With respect to the advertisers, the court finds that there is no allegation that the advertisers were involved in any way with the misleading practices.

Trespass: Bose claimed that she was "dispossessed of the economic value of her personal information," but the court says this type of a trespass claim is of "dubious merit." Bose also asserted a more conventional trespass claim (a la Intel v. Hamidi). Although the court notes that "there is no allegation that the devices materially affected the condition, quality or value of the computer," the court nevertheless says that her allegations are sufficient to state a trespass claim.

Contract claims: Bose also asserted contract claims, but the court doesn't spend much time before dismissing those claims.

Dismissal with prejudice: The court dismisses the claims against the advertisers with prejudice, finding that any amendments against these defendants would be futile. The court also dismisses the CFAA and contract claims with prejudice.

__

This is the second lawsuit over flash cookies to meet a chilly reception in court. Eric blogged about the Specific Media case (repeatedly cited by this court) earlier this year: "Flash Cookies Lawsuit Tossed for Lack of Harm--La Court v. Specific Media." Cookie plaintiffs just don't seem to have compelling facts in the eyes of the courts. Part of it, no doubt, is the courts' skepticism that anyone who got cookied would care enough about the damage to actually spend money fixing damage to their computers. Plaintiffs rarely allege that they do.

Interestingly, there is mixed authority on whether you can aggregate damages for loss purposes and whether you can assert claims premised on non-economic damages. To my knowledge, some courts had answered these questions in the affirmative, in part based on changes to the CFAA since the DoubleClick decision. But the court here was clearly unwilling to explore the outer reaches of the statute for the sake of these plaintiffs. The tenor of the court's opinion is one of deep skepticism that the plaintiff is complaining about something that is truly injurious and which warrants judicial intervention:

personal data and demographic information concerning consumers are constantly collected by marketers, mail-order catalogs and retailers. The collection of demographic information does not 'constitute damage' to consumers or unjust enrichment to collectors. Advertising on the internet is no different from advertising on television or in newspapers. Even if Bose took steps to prevent the data collection, her injury is still insufficient to meet the statutory threshold.

It's interesting that the court comes right out and says that even if Bose took steps to prevent the collection, her injury isn't enough to get the court's attention. Not a very privacy-friendly judge here.

In some cases, plaintiffs have sued the advertisers as additional defendants, but the judge here clearly did not see them as appropriate defendants. It's helpful from an advertiser standpoint to get a clear ruling that their mere purchase of advertising on an ad network will not get them sucked into a privacy lawsuit. I wouldn't characterize this scenario as risk-free, but it's still nice that the court made clear that advertisers should not be a part of this lawsuit.

On the other hand, regardless of the legal rules and court decisions, there's little excuse for advertisers to not conduct some due diligence on the networks they deal with. The companies are off the hook in this particular decision, but the advertisers named are established companies, and I would be curious to know the background on how they ended up becoming entangled in a privacy-unfriendly practice that has recently been the focus of a huge negative spotlight.

The court's conclusion on the trespass claim was a little awkward. The court says that a slowdown is required, but despite noting the lack of this allegation, allows the claim to move forward.

It was also somewhat awkward that the court doesn't discuss plaintiff's "history sniffing" allegation at all. The omission is somewhat strange, but it looks like the court just treated Interclick's information collection practices generically. Here's a post from Kash Hill that explains the practice.

It may be too early to tell, but the early indication is that this wave of tracking lawsuits will have a long slog in the courts. This one suffered a pretty big hit at the judge's hands. Both this and the Specific Media case will likely be cited by privacy advocates as to why the current regulatory scheme is broken. I agree that consumers being tracked despite their stated preferences is problematic, but I'm not sure that creating a private right of action is the best solution. A final question. Where is the FTC in all of this? They seem pretty behind the curve in comparison to class action lawyers in the push to regulate privacy.

____________

Eric's comments:

Hey, ad networks: it's not nice to ignore people's expressed preferences about cookies. (I'm not saying the defendants did so in this case; I'm just speaking generally). There may not be legally recognizable harm from placing unwanted cookies, but your consumers are trying to tell you something, and you really ought to listen. Contravening their wishes ticks people off, and it invites legislative bodies to pursue crackdowns like "Do-Not-Track" legislation (whatever that means). If Congress enacts some type of anti-cookie/anti-tracking measure, the ad network industry will have no one to blame but itself (and the Wall Street Journal "What They Know" series).

Hey, plaintiffs: lawsuits over cookies are stupid. The vast majority of us learned that from In re Doubleclick--a decade ago. Cookie lawsuits haven't gotten any more meritorious in the intervening years. So please, just get over it. Meritless privacy lawsuits over advertiser/ad network practices that don't actually harm consumers give legislators some reasons to make privacy lawsuits harder to bring.

Earlier posts:

A Look at the Commercial Privacy Bill of Rights Act of 2011
Flash Cookies Lawsuit Tossed for Lack of Harm--La Court v. Specific Media

Judge Recognizes Loss of Value to PII as Basis of Standing for Data Breach Plaintiff -- Claridge v. RockYou

Posted by Venkat at 08:55 AM | Privacy/Security, Trespass to Chattels



August 17, 2011

Ikon Office Solutions Had no Duty to Disclose That Office Equipment Retained Data -- Putnam Bank v. Ikon Office Solutions

[Post by Venkat Balasubramani]

Putnam Bank v. Ikon Office Solutions, Inc., 10-cv-1067 (WWE) (D. Conn.; July 5, 2011)

Putnam Bank filed a putative class action on behalf of those who purchased and leased office equipment from Ikon, alleging that Ikon improperly failed to disclose that this type of equipment automatically saved images of documents that had been printed, faxed, scanned, or copied. The complaint alleged that not only did Ikon fail to disclose this, Ikon also failed to destroy the data when such equipment was returned. The complaint further alleged that Ikon knew or should have known that the equipment would be used to fax, print, scan and copy documents which contained sensitive information (e.g., social security numbers, birthdates, medical records, and business data). Putnam sued under Connecticut's unfair trade practices statute, under general negligence and breach of contract theories, and under Connecticut's data breach statute.

Did Ikon Have a Duty to Disclose? A key question relevant to the negligence, unfair trade practice and data breach statute claims: did Ikon have a duty to disclose in the first place? Negative, says the court. According to the court, the data breach statute "is directed to businesses that collect or keep personal information." Ikon does neither by incidentally coming into contact with personal information that their customers have placed on office equipment that Ikon leased out. Additionally, the data breach statute only kicks in where there has been a breach, and Putnam failed to allege that "a breach of security [had] occurred."

The allegations regarding identity theft were, as usual, too speculative:

The amended complaint does not allege facts establishing a reasonable belief that an unauthorized person has accessed personal information from the office equipment used by Putnam. The allegations are confined to an undetermined degree of risk of identity theft.

Was Ikon bound to disclose by its implied duty to act in good faith? Putnam pointed to the implied duty of good faith and fair dealing as a basis for Ikon's duty to disclose. This duty requires a party to not take action that "would injure the other party's right to receive the benefits of the contract." The court found that the complaint did not include allegations of bad faith on Ikon's part. Putnam argued that the lease agreement did not address "the storage devices in office equipment," but the court says that this is not indicative of bad faith.

Was there a common law duty to disclose? Putnam also argued that Ikon had a common law duty to disclose. The key question on this issue was whether it was foreseeable to Ikon that leasing equipment would create a risk of its customers having to incur expenses associated with credit monitoring and ID-theft prevention. This turned on whether reasonable business persons in Ikon's position would expect disclosure of the risk in question. The court says no. The "essence of the transactions between Putnam and Ikon was the lease of office equipment, not the protection of data that would be saved on the equipment." There was no allegation that Ikon knew that Putnam was unfamiliar with the data storage aspect of the equipment or that Putnam expected digital storage to be covered by the lease.

Did Ikon have a contractual obligation to disclose? Finally, the court dismisses Putnam's contract-based argument. The agreement was silent on the issue of data security. Putnam tried to argue that "common trade practice" was to imply a term as to data security but the court is unswayed.

__

It's become entirely predictable that data breach plaintiffs will be rebuffed if they don't assert any out-of-pocket losses. Courts have said time and time again that data breach plaintiffs who don't suffer out-of-pocket costs cannot maintain a claim, and that the cost of monitoring is not damage that the law typically provides compensation for. Here, the plaintiff tried to argue that the data breach statute required disclosure. Not only was there no breach to speak of, the court questioned whether the statute applied to Ikon at all, since it did not collect any information.

Users of office equipment should obviously have some control over whether data is stored and erased when this equipment is returned to vendors such as Ikon. In some instances, the users may not want their data to be stored at all. But for some reason, many machines are manufactured to store such data. I wondered whether manufacturers provide a mechanism and instructions on how to wipe hard drives on office equipment. A quick Google search unearthed this LifeHacker post, which advised on erasing a copy machine's hard drive ("Erase Your Copy Machine’s Hard Drive to Wipe Important Documents"):

most manufacturers provide exact instructions on how to clear this data, so check your machine's manual before you get rid of it.

It looks like many manufacturers or vendors provide some instructions and a mechanism for making sure data is wiped from the equipment. But the court did not place responsibility on the vendor in this case to make sure this issue was addressed. It would have been nice to see some details around manufacturer/vendor practices and whether information on how to wipe the particular pieces of equipment in question was readily available (i.e., in the equipment manuals) but the court did not delve into this issue. Obviously individual employees may not have much control over storage and deletion of digital images, so they may want to avoid using office equipment to copy highly personal documents.

Related posts:

Starbucks Data Breach Plaintiffs Rebuffed by Ninth Circuit -- Krottner v. Starbucks
9th Circuit Affirms Rejection of Data Breach Claims Against Gap -- Ruiz v. Gap
The [Non]enforceability of Privacy Promises--Pinero v. Jackson Hewitt
Acxiom Not Liable for Security Breach--Bell v. Acxiom
When Does a Privacy Policy Breach Support a Breach of Contract Claim? In re JetBlue

Posted by Venkat at 11:14 AM | Privacy/Security



August 04, 2011

Sixth Circuit: Email and Phone Advocacy Campaign Can Violate the Computer Fraud & Abuse Act -- Pulte Homes v. LIUNA

[Post by Venkat Balasubramani]

Pulte Homes, Inc. v. Laborers' Int'l Union, et al., 09-2245; 10-1673 (6th Cir. Aug 2, 2011)

I blogged about a case involving a labor dispute between Pulte Homes and Laborers' International Union of North America (LIUNA). After Pulte terminated a LIUNA member for alleged misconduct and poor performance, LIUNA became embroiled in a labor-relations dispute with Pulte. LIUNA allegedly exhorted its members and others to "bombard Pulte's sales offices and three of its executives with thousands of phone calls and e-mails." LIUNA allegedly hired an auto-dialing service and encouraged its members to call Pulte. It also engaged in a web-based email campaign in which it encouraged visitors to its website to "fight back" and send e-mails to "specific Pulte executives."

Pulte sued LIUNA, asserting claims under the Computer Fraud and Abuse Act and state law. The district court denied Pulte's request for an injunction and dismissed Pulte's claims. Here is my blog post covering the district court's ruling: "Web-based Email Bombardment Campaign Does Not Amount to a Violation of the Computer Fraud and Abuse Act." The Sixth Circuit reversed the district court's ruling, finding that a phone or email bombardment campaign can constitute a violation of the Computer Fraud and Abuse Act. Pulte asserted two claims under the CFAA, one for unauthorized access which causes damage and the other for transmission of information, code, or a program which caused damage.

Access claim: The CFAA creates a cause of action based on the unauthorized access, or access in excess of authorization, of a protected computer. While acknowledging grey area in the statute over when conduct crosses the line from authorized to unauthorized access, the court holds that there's no grey area in this case, because the phone and email systems were set up to receive calls and emails without restriction:

LIUNA used unprotected public communications systems, which defeats Pulte's allegation that LIUNA accessed its computers "without authorization." Pulte allows all members of the public to contact its offices and executives: it does not allege, for example, that LIUNA, or anyone else, needs a password or code to call or email its business. Rather, like an unprotected website, Pulte's phone and email systems 'were open to the public, so LIUNA was authorized to use them.'

So far, so good.

Transmission claim: The court's resolution of the transmission claim was a little more problematic. The court assumes that LIUNA's communications constitute transmissions and that Pulte's phone and email systems qualify as "protected computers." This leaves two questions: (1) whether the transmissions caused "damage" and (2) whether LIUNA intended to cause damage.

The court notes that the statute only defines damage as "impairment to the integrity or availability of data, a program, a system, or information." Because the statute did not further define "impairment," "integrity," or "availability," the court looked to the ordinary meaning of these words:

'Impairment' means a 'deterioration' or an 'injurious lessening or weakening.' The definition of 'integrity' includes an 'uncorrupted condition,' an 'original perfect state,' and 'soundness.' And 'availability' is the 'capability of being employed or made use of.'

Applying these ordinary meanings, the court concludes that a transmission that weakens a sound computer system--or, similarly, one that diminishes a plaintiff's ability to use data or a system--causes damage. The court further concludes that taking Pulte's allegations as true:

LIUNA's barrage of calls and e-mails allegedly did just that. At a minimum, according to the complaint's well-pled allegations, the transmission diminished Pulte's ability to use its systems and data because they prevented Pulte from receiving at least some calls and accessing or sending at least some emails.

With respect to the intent element, the district court found that LIUNA did not intend to damage Pulte's systems because LIUNA did not fully "grasp . . . the actual consequences of its email campaign." The Sixth Circuit says this is too strict a standard. As long as LIUNA intended to cause a denigration of Pulte's systems, this is sufficient. The court looked to several of the allegations and found this intent satisfied: (1) LIUNA instructed its members to send thousands of emails to specific Pulte executives; (2) the emails came from LIUNA's server; (3) LIUNA encouraged its members to "fight back" after Pulte terminated several employees; (4) LIUNA used an auto-dialing service; and (5) some of the messages included threats and obscenity.

[Interestingly, after concluding that Pulte satisfied the elements of a CFAA claim, the court concludes that the district court properly denied the injunction on the basis that Pulte failed to comply with certain provisions of a statute relating to labor disputes: the Norris-LaGuardia Act.]
__

This case is Intel v. Hamidi revisited. That case involved a departed employee who engaged in an email bombardment campaign, and although the California Supreme Court rejected Intel's claims, it held that if a sufficient quantity of emails were sent which caused damage or disruption to Intel's system, this could state a claim for trespass. (I'm not sure what's up with email bombardment, but there have been several cases which address legal liability for this. Television pitchman Kevin Trudeau was hit with a contempt order after encouraging his supporters to send email to the judge hearing his case. The Seventh Circuit vacated this contempt order on procedural grounds. See "Seventh Circuit Vacates Contempt for E-Mail Barrage.")

Neither of those cases is perfectly analogous, because in this case the plaintiff was proceeding under the Computer Fraud and Abuse Act. This is a statute that provides for civil and criminal liability, and is widely acknowledged as intended to deal with hacking.

The court cites to AOL v. National Health Care Disc., Inc., 121 F. Supp.2d 1255, 1274 (N.D. Iowa 2000) for the proposition that if "a large volume of [spam messages] cause slowdowns . . . [to AOL's servers] an impairment has occurred." However, this case relied in part on AOL's zany argument that by transmitting email to AOL members through AOL's servers, defendants were engaged in unauthorized access because spam violated AOL's member agreement. AOL argued also that the emailers extracted information in the form of email addresses, but the court denies AOL's motion for summary judgment finding that it's unclear whether the emailers were AOL members or third parties and whether the emails caused damage. The court in that case pointedly questioned whether the CFAA applied to the transmission of spam at all: "realistically, no federal statute currently exists which would prohibit a non-AOL member from sending UBE to any number of AOL members' e-mail addresses, without ever accessing AOL directly." Since the date of that ruling, a federal statute now exists (CAN-SPAM) but this statute would not cover LIUNA's actions in this case since none of the messages in question appear to be commercial email messages.

What's problematic about this case to me is that there were scant allegations that LIUNA engaged in any technical measures designed to slow down or cause "damage" to Pulte's website. The sole allegation was that LIUNA used an auto-dialer, but I wasn't swayed by the court's summary conclusion that the telephone lines were necessarily 'protected computers' or that there had been a real 'slowdown' to the phone lines. Indeed, LIUNA's conduct--encouraging supporters to contact a third party to influence action--is something that others engage in with some regularity in the context of political and consumer advocacy. There's nothing in this case which distinguishes LIUNA's conduct from any other web-based action campaign. If you encourage people to flood someone's office with phone calls, you can be liable under the Computer Fraud and Abuse Act? Say what?

Given the fact that LIUNA lacked an obvious commercial purpose, and given the First Amendment interests involved, this decision is somewhat troubling.

Previous posts:

Web-based Email Bombardment Campaign Does Not Amount to a Violation of the Computer Fraud and Abuse Act

Posted by Venkat at 03:00 PM | Privacy/Security



August 01, 2011

Logging Into Someone Else's Facebook Account and Posting Messages on Their Friends' Walls Could Be Identity Theft -- In re Rolando S.

[Post by Venkat Balasubramani, with comments from Eric]

In re Rolando S., 2011 WL 3212879 (Ca. Ct. App.; July 21, 2011)

Background: Rolando was a juvenile who received an unsolicited text message with the victim's email password. According to the court, he used the password to gain access to the victim's Facebook account and posted several sexually inappropriate messages from the victim's account. The Facebook posts included posts on the walls of the victim's friends and the following change to the victim's profile:

Hey, Face Bookers, [sic] I'm [S.], a junior in high school . . . I want to be a pediatrician but I'm not sure where I want to go to college. I have high standards for myself and plan to meet them all. I love to suck dick.

The victim testified that she suffered stigma as a result of these and other posts. She said:

I used to love going to school. Now, I dread dealing with this every day.

The juvenile was prosecuted under a California statute (section 530.55) which applies to anyone who:

wilfully obtains personal identifying information [of the victim and] uses that information for any unlawful purpose, including to obtain, or attempt to obtain, credit, goods, services, real property, or medication information.

Discussion

Did the defendant willfully obtain the victim's "personal identifying information"? The court holds that despite his argument that he "passively receiv[ed] the text message" which contained the victim's password information, he "willfully" obtained it because he remembered it or otherwise recorded it so he could use it later. Moreover, the court concludes that defendant willfully obtained the victim's Facebook account password. The record was devoid of evidence as to how exactly the defendant accessed the victim's Facebook account, and in the absence of any such evidence, the court says it's "reasonable to infer" that the defendant reset the victim's Facebook password using her email password, and then gained access to the victim's Facebook account.

Did the defendant use the victim's information for an unlawful purpose? In addition to obtaining the information willfully, the perpetrator has to use the information for an "unlawful purpose." The first possibility was that the defendant violated section 647.6, which applies when someone "annoys or molests any child under 18." However, under California Supreme Court precedent, this statute requires a motivation by "an unnatural or abnormal sexual interest in the victim." [emphasis added] The court concluded that the facts did not fit into this statute because the defendant had no real contact with the victim other than the Facebook posts and he also testified that he "intended his comments to be taken as a joke."

The second possibility was that the defendant used the victim's personal information to commit a tortious act. The defendant argued that "unlawful purpose" as used in the statute should be restricted to criminal conduct, but the court disagreed, noting legislative intent to expand the scope of the statute in amending it. The court also pointed to the fact that the definitions section of the statute included the term "crime," and the legislature chose instead to use "any unlawful purpose." The defendant practically conceded that his conduct satisfied the requirements of a civil defamation claim. The court therefore finds that defendant's act constituted libel and constituted an "unlawful purpose" under the statute. Alternatively, the court held that defendant's conduct satisfied the statute because it also constituted a criminal offense. Defendant's actions violated section 653m, which prohibits contacting another person using "obscene language . . . by means of an electronic communication device . . . with [the] intent to annoy."
___

It's tough to muster much sympathy for the defendant, who was previously in trouble for reckless driving when he drove his car "at three girls in the school parking lot, but stopped abruptly several feet away from them in an attempt to scare them."

The definition of "personal identifying information" in the statute is broad. (We ran into an analogous problem in the Pineda case). It looks like the court focused on the Facebook password as being the PII in question that supported the violation of the statute, but the opinion is not totally clear on this. A broad definition of personal identifying information coupled with the court's decision to allow tortious conduct to satisfy the "unlawful purpose" could lead to a statute that is expansive in scope and which should raise everyone's First Amendment hackles. Given that the defendant used the email password to access Facebook, this does not feel to me like a case that pushed the statute to the limit.

Interestingly, the defendant argued that his conduct would violate California's newly enacted e-personation statute (section 528.5) which was effective January 1, 2011, and the fact that this statute was passed demonstrates that the legislature did not view his conduct to violate the previously existing statute. The court disagrees with this argument, noting that the newly enacted e-personation statute has different elements from section 530.5:

Section 528.5 does not include a requirement that a perpetrator obtain personal identifying information. As a result, a person could violate section 528.5 by merely posting comments on a blog impersonating another person. There is no requirement, under these circumstances, that the person obtain a password -- a key distinction.

Yikes. This is precisely what is wrong with California's e-personation statute.
_______

Eric's comments

This case plays out as a Greek-style tragedy in three parts.

Part #1: Someone sent the victim's email password to the defendant. The court is vague about who did this or how that person got the victim's password.

This prompts one of my modern rules for clean living: never tell anyone else your passwords. EVER. (Another rule for clean living is to constantly change your passwords, but this is harder to obey). I am such a stickler about my passwords that I don't tell them to ANYONE. Certainly not to campus IT when they want to muck with my computer, but I don't even tell my passwords to my wife. (FWIW, my wife has told me many of her passwords, but I would never use them without her express instructions). I know there's a debate about the spouse-and-passwords dilemma. It's not that I don't trust my wife. I do, completely. But my rule is clean and simple. If someone other than me types in my password, then they ripped it off. (We'll revisit the problem of accessing a logged-in computer in a bit).

In this case, we don't know why the password-obtainer had the victim's password. Perhaps it was hacked. More likely, the victim made an error in judgment. Either way, the defendant apparently used the email password to help reset the Facebook password and access the Facebook account.

Part #2: The defendant misused the victim's password. It goes without saying that the defendant had no business logging into the victim's email or Facebook account. Doing so was inappropriate even if the defendant had merely looked around, given the amount of private information stored in email and Facebook accounts. It was even worse to publish content under that person's name, and worse still to post fake come-ons for sex.

Having said this, once a juvenile finds out he/she can access a peer's Facebook account, it seems like it would be almost impossible to resist mucking around with it. I don't want to dismiss this entirely as "kids will be kids," but I'm sure a non-trivial percentage of kids would take advantage of a peer's password if the circumstance presented itself. Perhaps it's like the joyriding of days of old. If people leave keys in their cars, some kids will take the cars for a spin. We can enact draconian laws to discourage joyriding, but if keys are left in cars, joyrides are inevitable. Here, the defendant basically took the victim's Facebook account for a joyride. It was unquestionably wrong behavior, but given its inevitability, it probably shouldn't be felonious.

The defendant's behavior here is analogous to the fake online profiles that teens set up for school officials. I blogged in more detail about that phenomenon last year. In connection with the DC v. RR case, I also blogged on the problems of kids saying hyperbolically outrageous things online that aren't amenable to punishment under traditional defamation or bullying laws. All of these examples remind us that kids are going to push limits with electronic tools just like they do offline. We need to find safer ways to let kids be kids online without ruining their lives.

Part #3: The court stretched the identity theft statute too far. As Venkat recaps, the court confronted several statutory ambiguities without any good common law precedent. The court also didn't acknowledge or consider any constitutional concerns with its ruling. Instead, the court reaches the counterintuitive and potentially troubling result that publishing fake content through someone else's account steals their identity. Obviously that takes us a pretty far distance from a paradigmatic case of pretending to be someone for commercial benefit (i.e., what I typically think of as "theft").

As Venkat indicates, the ruling reinforces why we should be nervous about California's recent "e-personation" law, which is even more broadly written and applies even when there's no password misuse. It also shows why expansive identity theft laws should be feared, not encouraged. For more on that point, see my post about Illinois' identity theft law.

This ruling leaves open two obvious questions:

1) will it always be identity theft to use a third party password to publish fake content via someone else's account?

2) will it be identity theft to access a third party or shared computer and publish fake content via someone else's account? In that case, the password isn't obtained at all. Given how many people always leave their computers logged-in to various services, I imagine this happens with some frequency.

Posted by Venkat at 03:06 PM | Privacy/Security



July 27, 2011

Power.com Up For Auction -- Facebook v. Power Ventures

[Post by Venkat Balasubramani]

Facebook v. Power Ventures, Case No. 5:08-cv-05780 JW (N.D. Cal.)

[Update/Clarification: I received an email from the CEO of RokMe Inc. (who is handling the power.com auction) to this effect:

Power.com is being sold by its owner Power Assist Inc. The domain was never owned by Power Ventures. According to Scott Smith (CEO of RokMe Inc. who is handling the auction) the domain was always owned by Power Assist Inc. (or its beneficial owner). The domain name was only leased to Power Ventures, and when the lease expired, the owner of the domain name decided to sell it.]

We've blogged a bunch about Facebook v. Power Ventures. Power Ventures operated power.com and billed itself as a social network aggregator. Facebook was unhappy with, among other things, the fact that Power.com allowed Facebook users to access their Facebook accounts and extract data (and contacts) through Power.com, which bypassed Facebook's developer program.

The dispute received attention because it raised the issue of data ownership--whether Facebook could prevent a third party from accessing or exporting user data, when the third party engaged in access purportedly on behalf of users (who arguably owned the data). Facebook primarily proceeded under the theory that access of Facebook by Power Ventures violated California's anti-hacking statute. Judge Ware agreed, and held that Facebook could make out a violation of the statute, to the extent Power Ventures circumvented technical barriers in accessing Facebook. (The EFF weighed in on the dispute, arguing that the California statute should be construed narrowly.)

Since then, very little activity has taken place in the dispute. Power Ventures moved for summary judgment, but Facebook successfully resisted the motion on the basis that it had not had an opportunity to conduct sufficient discovery.

Now I see a report from Domain Name News that power.com is listed as being up for auction (minimum bid - $2.5mm!). I'm not sure when power.com shut down its service, but this is certainly a public admission that Power Ventures is not looking to continue the fight with Facebook for the sake of operating the service at power.com. At this point, given that only attorneys' fees are at stake, I'm surprised the parties don't quickly settle. (I would be surprised if Facebook is looking to recover significant damages from Power Ventures. To the extent it is, Facebook may assert some sort of lien on the auction proceeds.) Sidenote: I wonder what happened to the user data from power.com?

Previous posts:

Power.com Counterclaims Dismissed -- Facebook v. Power Ventures
Judge Denies Facebook’s Request for Judgment on the Pleadings and Strikes Power.com Counterclaims -- Facebook v. Power.com
EFF Weighs in on Facebook v. Power Ventures -- Facebook v. Power Ventures

Posted by Venkat at 09:39 AM | Privacy/Security



July 19, 2011

Judge Ware OKs Immediate Appeal of Street View ECPA Ruling -- In re Google Inc. Street View Electronic Communications Litigation

[Post by Venkat Balasubramani]

In re Google Inc. Street View Electronic Communications Litigation, 2011 WL 2571632 (N.D. Cal. July 18, 2011) (Order granting Google's request to certify and staying case) [pdf]

Judge Ware recently denied Google's request to avail itself of the "Readily Accessible to the General Public" ECPA defense in the Street View litigation. Judge Ware's ruling acknowledged that it was a novel issue, and both Eric and I expressed surprise at the ruling. (See "Judge Ware: Google Not Entitled to 'Readily Accessible to the General Public' Defense in Street View Class Action.")

Google sought an interlocutory appeal because of the issue's novelty, the importance to the litigation's outcome, and the possibility that reasonable judges may disagree on the outcome. Judge Ware granted Google's motion and certified the question for interlocutory appeal.

This means that the lawsuit is stayed at the trial court level while the Ninth Circuit hears the appeal. I'm sure Google wants to get this lawsuit resolved, but it would much rather spend a year in the appeals court than be mired in discovery at the trial court level. Plaintiffs can't be too happy about this turn in the lawsuit.

What are the chances of success for Google on appeal? It's anyone's guess, and Judge Ware's opinion was thorough and written with an eye to the appeals court, but I can see a judge or two disagreeing with Judge Ware. [If I could predict the outcome of appeals in the Ninth Circuit, I would be doing something a lot more gainful than lawyering and blogging!] EPIC weighed in as amicus in the trial court, and I would expect that there will be others involved as amici in the Ninth Circuit. In any event, this will be a high stakes, fun-to-watch appeal.

Other coverage:

Judge Grants Google ‘Street View’ Wiretap Appeal (Wired)

Posted by Venkat at 11:19 AM | Privacy/Security



July 15, 2011

Court Denies Injunction in Webcam Case Against Aaron's -- Byrd v. Aaron's, Inc.

[Post by Venkat Balasubramani]

Byrd, et al. v. Aaron's, Inc., et al., 11-cv-00101-SJM-SPB (W.D. Pa. July 8, 2011). Magistrate report. Judge's approval.

Plaintiffs leased (and then purchased) their computer from Aspen Way, a franchisee of Aaron's. Many of the computers leased by Aspen Way reportedly had a piece of software called "PC Rental Agent" installed on them. This software was designed (by DesignerWare) to purportedly "assist rental companies in the recovery of lost or stolen computers." One feature of this program allowed for the remote capture or recordation of "keystrokes, screenshots, and photographers" from a computer it was installed on.

Crystal and Brian Byrd received a visit from someone who by mistake sought to repossess the laptop which they had purchased from Aspen Way. The repo man showed the Byrds a picture of Brian which was taken from the webcam of the Byrds' computer. The Byrds called the police, who came to investigate. The police took the Byrds' computer (presumably for investigative purposes).

The Byrds sued Aaron's, Aspen Way, and DesignerWare, alleging violations of the Wiretap Act and the Computer Fraud and Abuse Act. They sought an injunction seeking four different items of relief, but resolved the bulk of the issues, leaving for the court the sole issue of whether the court should enjoin "suspension of the Detective Mode of the PC Rental Agreement."

Somewhat surprisingly, the court denies the request for injunctive relief. At oral argument, plaintiffs argued that irreparable harm was a given:

I can't imagine anything more obvious than this prong. You have literally thousands of people who are sitting at their computers right now who have this program on it where detective mode may be enabled today, tomorrow, at any time, and this information, private information, can flow from their kitchen table through the server in Erie and back to the people who they don't know in these local stores. I don't know when a trial will be set in this case, but I do know that this is--there will be irreparable harm if this information, private information will be distributed.

The court finds that because plaintiffs' laptop was no longer in their possession, there is no showing of ongoing irreparable harm as to plaintiffs. With respect to other potential members of the class, the court finds that

it is purely conjecture that the other members of the putative class will be subjected to remote access of personal information.

The court cites to the testimony of the co-owner of DesignerWare that only eleven computers were transmitting information to Aaron's franchises. (Roughly 80 to 100 computers are supposedly reported "stolen" from Aaron's in any given month.) Plaintiffs also submitted the testimony of a former employee of Aspen Way, who was a sales manager and testified that she witnessed Aspen Way employees viewing personal information of Aspen Way customers (including bank accounts, names, addresses, and social security numbers). The court rejects this evidence, finding that it does not speak to the current practices of the particular franchise in question and is thus not relevant to the irreparable harm analysis.

While it is permissible to grant injunctive relief based on the type of testimony adduced by plaintiffs and in protection of as-yet-unnamed class members, the court declines to do so in this case. Along the way, the court drops a footnote, expressing some skepticism as to the merits of the case. The court notes that it's entirely unclear that the information collection at issue constitutes an "electronic communication," because there is no evidence that Mr. Byrd was "online" when the information was collected. The court also says it has "grave doubts" as to whether the communications "affected . . . interstate or foreign commerce." The court also states that it is unclear as to whether the Wiretap Act reaches a person's "communication with his own computer."
__

Yikes! Privacy class actions seem out of control to me, but I'll admit even I was surprised by this result. I'm equally surprised that the Aaron's-affiliated defendants did not all just stipulate to suspending use of the software until things were sorted out. (Aaron's, Inc. did, but its franchisee Aspen Way did not. In fact, Aspen Way did not participate in the hearing, which makes the denial of injunctive relief all the more perplexing.) Setting aside whether the court was correct in its view of the merits of the case, the court takes an unduly restrictive view of the facts when it states that no "interception" of an electronic communication occurred because there was no evidence that Mr. Byrd was online or communicating with someone else when the image in question was captured. Surely, given the ex-employee's testimony as to what type of information was viewed through use of the software, it's fair to presume that the Aspen Way employees are not sitting around making sure that the capture only occurred while the computer user was offline or not communicating with another person. The court's skepticism about whether the communications in question affected interstate commerce also seems off-base. The communications of Aspen Way customers probably traveled halfway around the world, even if they were transmitted between computers that were in the same city.

This is not to say that it should be an easy path to finding liability for all defendants. DesignerWare developed the software in question, and it's far from clear that it should face liability as a developer/vendor for what may turn out to be the errant acts of Aspen Way employees. (See the SpectorSoft keylogger case: "Keylogger Software Company Not Liable for Eavesdropping by Ex-spouse -- Hayes v. SpectorSoft.") Similarly, it's also unclear whether Aaron's Inc. should face liability for the CFAA and Wiretap Act violations of Aspen Way employees or for the acts of its franchisee. Courts are mixed on whether you can even assert a derivative claim under the CFAA. Regardless, both claims will probably require some showing of knowledge on the part of Aaron's Inc., the deep-pocketed defendant.

Another pair of laptop cases which also happened to be out of Pennsylvania involved a school district's use of webcams to allegedly spy on students. Those cases settled, with the school district agreeing to pay a named plaintiff $175,000 along with attorneys' fees of $425,000. I'm guessing this setback will not deter plaintiffs, who probably will soldier on in discovery and see what they can unearth (despite a clearly unsympathetic judge).

Other coverage:

"Injunction Denied in Rental Computer 'Spyware' Case" (Courthouse News)

Posted by Venkat at 12:30 PM | Privacy/Security



July 12, 2011

Court Orders Plaintiff to Turn Over Facebook and MySpace Passwords in Discovery Dispute -- Zimmerman v. Weis Markets, Inc.

[Post by Venkat Balasubramani]

Zimmerman v. Weis Markets, Inc., CV-09-1535 (Pa. Ct. Common Pleas; May 19, 2011)

Courts continue to struggle with the discoverability of social network evidence in civil cases and the logistical problems posed by these discovery disputes. In this case, the court orders the plaintiff to turn over his Facebook and MySpace passwords to defendant.

This was a personal injury case where plaintiff sued Weis Markets for injuries he suffered on the job. Weis Markets had a contracting relationship with plaintiff's employer. Plaintiff sought damages for physical injuries, but also for "suffering, scarring and 'embarrassment'."

Weis Markets reviewed the publicly available portions of plaintiff's Facebook and MySpace pages and discovered a bunch of clearly relevant evidence: (1) photographs of the plaintiff with a black eye, before and after the accident; (2) photographs of the plaintiff wearing shorts, which he claimed he was too embarrassed to do because of the accident, and (3) the fact that plaintiff listed "ridin" and "bike stunts" as interests.

The court weighs plaintiff's privacy arguments and finds that they are insufficient to overcome defendant's need for the requested information. Quoting Romano v. Steelcase, the court notes that refusing the discovery request would:

condone Plaintiff's attempt to hide relevant information behind self-regulated privacy settings.

The court also relies on the fact that Facebook's terms do not guarantee privacy (regardless of what Facebook may say):

It is well publicized that Facebook's privacy policy and its revisions have been the subject of criticism and controversy that may be never ending. One need only "Google" search the terms "Facebook privacy" for an exhaustive list of . . . articles on the topic.

Ouch! The court also drops in a warning to social networkers everywhere that the details you share with your social circle are not magically off-limits in litigation:

By definition, a social networking site is the interactive sharing of your personal life with others; the recipients are not limited in what they do with such knowledge. With the initiation of litigation to seek a monetary award based upon limitations or harm to one's person, any relevant, non-privileged information about one's life that is shared with others and can be gleaned by defendants from the internet is fair game in today's society.

The court orders plaintiff to turn over his log-in information for all MySpace and Facebook accounts and also orders plaintiff to not delete or alter "existing information and posts" on those accounts.

__

I don't have a good solution to the logistical problem posed by this discovery dispute, but I'm convinced that forcing a party to hand over his or her log-in information is not the correct result. Problems with this approach are legion, starting with the fact that the party seeking discovery will undoubtedly be exposed to irrelevant, non-discoverable information that may be private, intimate, or embarrassing. There's a chance that attorney/client privileged communications can be exposed. There's the possibility that the party who gets access to the profiles may alter or delete information unwittingly, or change settings. Then there's also the thorny Stored Communications Act issue, which prevents the party from seeking any private communications directly from the social networking site by means of a subpoena. Is court-ordered disclosure of the log-in information an end-run around the Stored Communications Act?

Interestingly, in the criminal context, a district court is currently considering whether a defendant can be compelled to reveal a decryption password. ("DOJ: We can force you to decrypt that laptop.") Whether the government can force you to reveal your encryption password depends on different standards than those applicable to a civil discovery matter, but there are still interesting parallels.

A better approach is to generate some sort of inventory of the page, similar to a privilege log. Of course, this runs into the problem that it relies on the good faith of the party who creates the inventory. An alternative is for the court to conduct in camera review. The court rejects that proposal outright here, saying that this would be "an unfair burden to place on the court, which would not only require the time and resources necessary to complete a thorough search of these sites, but also require the court to guess as to what is germane to defenses which may be raised at trial."

Finally, I'm not sure what to make of the court's directive to the plaintiff to not alter or delete "existing information or posts" on his Facebook and MySpace accounts. I guess you could imply a "relevant to the dispute" limitation onto this, but the court does not include such a limitation here, and it's overly broad for the court to order the plaintiff to not delete or alter any of the content in his accounts.

Additional coverage:

Pa. Court Finds Facebook Posts to be Discoverable Evidence

Previous posts:

Facebook Messages/Wall Posts, Civil Discovery, and the Stored Communications Act -- Crispin v. Audigier (June 2, 2010)
Judge Offers to Facebook 'Friend' Witnesses in Order to Resolve Discovery Dispute -- Barnes v. CUS Nashville (June 9, 2010)
Deleted Facebook and MySpace Posts Are Discoverable--Romano v. Steelcase (Sept. 29, 2010)
Court Orders Disclosure of Facebook and MySpace Passwords in Personal Injury Case -- McMillen v. Hummingbird Speedway (Oct. 24, 2010)
Plaintiff Can't be Forced to Accept Defense Counsel's Facebook Friend Request in Personal Injury Case -- Piccolo v. Paterson (May 19, 2011)
Court Conducts in camera Review of Plaintiff's Facebook Page to Resolve Discovery Dispute -- Offenback v. Bowman (June 24, 2011)

Posted by Venkat at 08:55 AM | Evidence/Discovery , Privacy/Security



July 06, 2011

Supreme Court Strikes Down Statute Restricting Sale and Use of "Prescriber" Data on First Amendment Grounds -- Sorrell v. IMS

[Post by Venkat Balasubramani with comments by Eric]

Sorrell v. IMS Health Inc., 10-779 (June 23, 2011) [pdf]

The Supreme Court struck down a Vermont statute restricting the dissemination of "prescriber-identifiable" information for marketing purposes. While this case was viewed as one that could potentially have far-reaching effects on data-mining and privacy, the majority and dissenting opinions ended up disagreeing on the level of protection accorded to commercial speech.

The Vermont statute was aimed at data-mining companies which gather information regarding what drugs doctors prescribed. Drug companies obtained and used this information to better target their marketing efforts to doctors. The statute restricted the sale or transfer of this information to make it harder for the drug companies to target. The statute also restricted pharmaceutical manufacturers from using this information for "marketing or promoting a prescription drug" without the prescriber's consent. The statute included an exception which allowed the use of this information for education and research purposes. Finally, the statute set aside funds for a "prescription drug education program," which would inform prescribers as to when generic alternatives became available for drugs which they prescribed. (The statute was not aimed at the dissemination of patient information, which the data-mining companies did not disseminate or sell--as Professor Goldman notes, this case was only nominally about privacy.)

Majority: Justice Kennedy wrote that "speech in aid of pharmaceutical marketing ... is a form of expression protected by the First Amendment." In his view, the statute restricted certain speakers from disseminating certain types of content to particular recipients. Because the statute was discriminatory in this respect, it was subject to a heightened level of scrutiny. Applying this scrutiny, he finds a poor fit between the State's goals and the statute.

The first justification asserted by the State was prescriber privacy. However, the existence of numerous exceptions to the statute, including an exception for educational and research uses, undermined this objective. While the State pointed to the fact that the statute contained an exception for prescriber consent, the Court finds that this merely offers a "contrived choice." Either the prescriber withholds consent, which allows prescriber information to be used in support of the State's message, or grants consent and allows for the wide dissemination of the information.

The second justification offered by the State was that the statute would lower the cost of medical care. The Court finds that while this is a laudable and important goal, the State may not accomplish this goal by "restraining certain speech by certain speakers." If the State wants to tip the balance in favor of generic drugs, this is an acceptable goal, but it cannot accomplish this goal by hamstringing the marketing efforts of the drug companies who manufacture brand-name drugs.

Dissent: Justice Breyer wrote in dissent that since commercial speech was at issue the Court should employ a lower standard, and not require a perfect fit between the State's asserted goals and the means. In fact, he even seemed skeptical that speech was at issue at all, since the statute regulated the transfer of data, and not necessarily a particular message. In his view, this was just one aspect of the State's overall regulatory program which the government should have room to pursue.

---

The big question was whether this decision will have broader effect for data mining or behavioral targeting. I'm guessing it will probably have less effect than what people envisioned. More than anything this case represents a victory for commercial speech, which has steadily inched up the scale in the amount of protection it is accorded.

The fact that the sale of data is characterized as speech deserving of a high degree of protection may make it tougher for legislators to enact laws which regulate the transfer of consumer information, but what bothered the majority here is that the purported privacy interest was ill-served by the statute and the fact that the state sought to favor one set of products by suppressing the flow of data to its marketers (while allowing the competition to use the information). To use an analogy, the State went beyond restricting the transfer of information to car manufacturers for marketing purposes. It authorized the use of this information only by manufacturers of electric cars.

Will this opinion affect more general laws aimed at the collection, use, or transfer of information for marketing purposes? Some of these already exist in specific contexts (e.g., COPPA for information collection from children under 13; CAN-SPAM includes provisions restricting the transfer of email addresses in certain contexts; the Video Privacy Protection Act deals with video tape rental records; and there's of course HIPAA, which deals with patient records). Provided that the regulation is not discriminatory, this case should not present an impediment to enacting this type of legislation.

The Court's treatment of the consent issue was interesting. Are doctors really so powerless from a bargaining standpoint that they can't take steps in the market to somehow fix the supposed forced-consent issue? The majority opinion had a paternalistic tone to it, which may make sense if the statute was dealing with patient records and patient choices, but I found it odd, given that the statutory scheme was about sales pitches to doctors!

Other coverage:

CDT Statement on Supreme Court Decision in Sorrell v. IMS Health (CDT)
Information is not Beef Jerky (info/law)
Supreme Court Rx Records Case: Not So Bad (info/law)
Court’s data-mining ruling: big change on commercial speech? (First Amendment Center)

_________

Eric's comments:

I agree with Venkat's comments but I wanted to add a few more:

Let's start with two basic premises: (1) healthcare costs have spiraled out of control, and (2) doctors' medical decisions are a big part of that. For example, it turned out that Wisconsin healthcare costs were unusually high because Wisconsin doctors are more likely to require various tests/diagnostics than doctors in other areas. It was unclear if this was because local doctors had a heightened fear of malpractice liability, different regional norms, different assessments of medical best practices or something else. However we get there, the cumulative effect of Wisconsin doctors' choices was dramatic: enormous healthcare insurance premiums (and heaven help you if you didn't have medical insurance).

Therefore, it's quite logical for a state to look more closely at doctors' drug prescribing choices both as a matter of public health and fiscal responsibility. If a state could identify systematic drug prescribing judgment-calls that unnecessarily jack up medical costs, it would be in the public interest to curb those.

The theory behind Vermont's statute (and other states in the Northeast that adopted similar laws) is that doctors are overprescribing branded pharmaceuticals when they could be prescribing generic drugs instead; and that doctors are overweighting branded drugs because drug reps are bending their ears to persuade them to prescribe the branded drug in preference to the generics; and that the drug reps are successfully persuading doctors to make this choice because the drug reps are armed with the doctor's past prescribing practices and therefore can make a more effective but socially unwanted sales pitch that is overriding the doctor's own medical judgment that would otherwise lead the doctor to prescribe the generic drug.

Stated this way, we see that the statute is targeting a problem (high medical costs) through a very indirect means (suppress a doctor's past prescribing practices from drug sales reps). Should any inference in this logic chain be wrong, then the statute is, at best, ineffectual. However, there are a broad range of other ways the state could try to remediate the problems with branded drugs jacking up medical costs, including monkeying with the state's reimbursement policies for branded vs. generic drugs; counter-educating doctors about the merits of generic drugs; educating patients about the bioequivalence of branded and generic drugs so they could make their own substitutions or push their doctors to prescribe generics when available; etc. The state was trying some of these as well.

There are two other aspects of the unique situation of doctors that I feel get lost in the top-line headlines. First, the whole concern here is face-to-face meetings between doctors and drug sales reps. Given how hard it is for us as patients to see our doctors face-to-face, it is a little shocking that doctors are voluntarily choosing to spend discretionary time with the drug reps for meetings that the doctors know are sales pitches. Why are the doctors allocating their time this way?

Putting aside the odds that the drug sales rep is very attractive and charming (have you ever noticed that on the Survivor TV show, the former beauty queens all list their job title as "pharmaceutical sales"?), it's presumably because doctors find the meetings valuable to them. Indeed, even Justice Breyer in dissent acknowledges that the drug sales reps impart valuable information in those meetings. The state statute very explicitly tried to make those meetings less useful to doctors by making the drug sales rep less well-prepared. If the drug sales reps wanted to provide tailored information to the doctor's practice, the drug reps would have to take time out of these meetings to interrogate doctors about their prescribing practices; and if the doctors concluded that the meetings weren't productive because they took too much time on irrelevant or uninteresting chatter, the doctors would simply skip the meetings entirely and perhaps lose the other valuable information being exchanged in the meetings. So before we get too worked up about the evilness of the drug reps working against the consumer interest, we should not forget that very busy doctors are voluntarily choosing to take these meetings, and doctors can and will choose otherwise when it doesn't make sense for them.

Second, the opinions talk a lot about "privacy," and this baffled me. Everyone agrees we're not talking about patient privacy. Instead, there is some back-and-forth on DOCTOR privacy in their prescribing patterns. What??? In this situation, doctors are business operators making business decisions. Tracking their prescribing decisions is similar to tracking how other businesses interact with third party vendors. We might have concerns about how tracking these decisions exposes trade secrets or competitive intelligence, but we wouldn't talk about business decision-making as being covered by "privacy" concerns. So the notion that this case teaches us anything about "privacy" law confuses me greatly.

In the end, what we really want to know is whether this case will enable more First Amendment challenges to behavioral advertising or other privacy statutes. I personally don't feel any more knowledgeable about that question after reading the majority and dissenting opinions. Part of this reflects my cynicism about the Supreme Court's First Amendment jurisprudence, which still seems to me to be developed case-by-case instead of forming a coherent body of law. Part of this reflects the quirks of Vermont's statute, which suffered from two easily targeted defects. First, it sought to regulate the doctor-drug rep conversation, setting up the possibility of content-based and perhaps even viewpoint-based review. Second, Vermont changed its position about who could get access to the database of prescribing information, and this flip-flopping gave the majority extra reasons to suspect the state's policy rationales. So I suspect that Vermont or other states could find a way to draft around this opinion if they chose to; and I'm skeptical that other behavioral advertising or privacy laws would set off the justices' First Amendment hackles like this statute did.

Posted by Venkat at 12:19 PM | Marketing , Privacy/Security



July 02, 2011

Court Finds That the Value of Bartered-For Services Constitutes Loss Under the Computer Fraud and Abuse Act -- Animators at Law v. Capital Legal Solutions

[Post by Venkat Balasubramani]

Animators at Law, Inc. v. Capital Legal Solutions, 10cv1342 (E.D. Va.; May 10, 2011)

This lawsuit presented an increasingly familiar fact pattern. Employees leave a company and the employer sues the ex-employees under the Computer Fraud and Abuse Act for accessing the employer's computers without authorization. I previously blogged about US v. Nosal, which held that any violation of an employer's network use policy can constitute "unauthorized access" under the CFAA. In addition to proving that the employee engaged in unauthorized access of an employer's computer system, the CFAA contains a $5000 jurisdictional loss threshold. This case focuses on what the employer must show in order to satisfy that jurisdictional threshold. The answer: not much.

The now ex-employees quit and took a company-owned laptop. Animators, the employer, realized this a week after the employees left, and promptly hired a forensic computer security/data recovery firm to assess the damage. The firm performed its services and realized that some files had been deleted from the laptop. Animators also concluded that the employees accessed its Dropbox account where the company stored files. The ex-employees apparently also accessed a time-keeping program which the employer used.

The court denied the ex-employees' motion to dismiss and granted limited discovery on the issue of what "losses" Animators had suffered as a result of the alleged data breach. Following limited discovery, the ex-employees brought a motion for summary judgment. The court denies the motion.

The forensic firm hired by Animators had an engagement letter in place with Animators which said that it would bill Animators on an hourly basis at $0 per hour. After the court denied the motion and allowed discovery, the forensic firm invoiced Animators. The invoice included approximately 63 hours of professional services for $24,000 and hosting services for $29,000. Animators acknowledged that it did not pay the forensic firm in cash for these services. However, the principal of Animators testified that he apparently made available the "Law Prospector" subscription services offered by one of his affiliated entities at no charge to the forensic firm.

The key issue was whether the invoices issued by the forensic firm were a sham or whether Animators actually incurred the costs. Animators explained the belated invoice on the basis of a credit relationship between Animators and the forensic firm. Apparently the parties did not operate on a cash basis. (!) The court agrees with Animators and rejects the ex-employees' position, finding that there is nothing in the Computer Fraud and Abuse Act which requires the aggrieved party to actually shell out cash in the course of taking remedial steps in response to an incident involving unauthorized access to its computers. The court notes that the CFAA expressly states that the value of in-house time spent addressing a breach can go towards satisfying the loss requirement, and this points in the direction that the CFAA does not restrict plaintiffs to claiming cash-based losses. (The CFAA contains a broad definition of "loss," which includes: (1) the cost of responding to an offense, (2) the cost of conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and (3) any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service. Courts are split on whether lost revenues are recoverable absent an "interruption in service," and whether there has to be a relationship between the lost revenues and the unauthorized access.)

The court was required to take a view of the facts at summary judgment that was most favorable to Animators, but the record as described by the court was littered with red flags. The fact that the invoice was sent by the forensic firm after the court denied the motion to dismiss and the fact that the engagement letter between the forensic firm and Animators required the firm to provide Animators services at "zero dollars per hour" were just some of these red flags. Others included the fact that Animators' principal spent twelve hours setting up a box.net account after the Dropbox account used by the ex-employees was determined to have been compromised. The court notes in passing that the Dropbox password "was not disabled" after the ex-employees left. As a final bonus, Animators' counsel spent thirty hours assisting Animators with its remediation efforts. (I'm not suggesting there was anything improper about this, but thirty hours is a lot of time.)

It's tough to get a clear sense of what happened from the record, but the court does not seem to take into account steps Animators could have taken which would have prevented or mitigated the losses. For example, when the ex-employees left, Animators could have asked them to leave the laptop on their final day. Animators could have also disabled the Dropbox password which the ex-employees used to access Animators' account. The CFAA allows a plaintiff to use costs attributable to "reasonable" steps to satisfy the damages threshold, but the court does not employ a very strict definition of reasonable here. I blogged about US v. Nosal awhile back. ("9th Cir: Access of Computer in Violation of Employer's Use Policy Violates Computer Fraud and Abuse Act -- US v. Nosal.") That case held that any violation of an employer's network policy--including, for example, using internet access for personal reasons--is sufficient to find liability under the CFAA. When you add a lax definition of what's reasonable in response to an alleged breach, employers are virtually guaranteed to be able to make out a prima facie CFAA claim against ex-employees.

The CFAA was a statute that was intended to address hacking. The Lori Drew case was one example of a use of this statute by prosecutors outside its intended scope. Use by employers in this type of a case is another example. The CFAA has become a potent weapon in the hands of employers, who have taken to asserting CFAA claims against ex-employees as a matter of course.

Posted by Venkat at 03:40 PM | Privacy/Security , Trespass to Chattels



July 01, 2011

Judge Ware: Google Not Entitled to "Readily Accessible to the General Public" Defense in Street View Class Action

[Post by Venkat Balasubramani, with comments from Eric]

In re Google Inc. Street View Electronic Communications Litigation, 2011 WL 2571632 (N.D. Cal. June 29, 2011) (Order) (Google's Motion to Dismiss) (Google's Reply) (Google's Supplemental Brief) (EPIC's Amicus Brief)

The multitudinous consolidated lawsuits over Google's access of plaintiffs' Wi-Fi networks, as part of its Street View data collection, survived an important juncture this week. Judge Ware rejected Google's defense that it cannot be held liable under the Electronic Communications Privacy Act because the Wi-Fi transmissions were "radio communications" which were "readily accessible to the general public."

Background: Google deployed its Street View vehicles to capture 360 degree views of the streets. Google's vehicles were equipped with 3G/GSM/Wi-Fi antennas and "custom-designed software for the capture and storage of wireless signals and data." Google also deployed smaller vehicles known as "Google Trikes," which were outfitted with cameras and Wi-Fi equipment, to "capture photo and Wi-Fi data from areas inaccessible to cars." Although Google issued a press release letting the public know that it intended to use these vehicles to capture photo data, it did not inform the public of its intent to capture Wi-Fi data.

Multiple class action lawsuits were filed across the country, and these were all consolidated and transferred to Judge Ware in the Northern District of California. Plaintiffs brought claims under the ECPA, state wiretap statutes, and Cal. B&P 17200.

Discussion: Google argued that state wiretap law claims were preempted, and there was no "money or other property" taken by Google that the Court could force Google to disgorge under the unfair competition statute. With respect to the ECPA claim, Google argued that since the Wi-Fi networks were configured in a manner that was "readily accessible to the general public," the ECPA claim failed.

ECPA Claim: The ECPA provides for a private right of action but also contains a section which provides exemptions to this. One of the exemptions is a general one for an interception of an "electronic communication" that is readily accessible to the general public (2511(2)(g)(i)):

It shall not be unlawful . . . to intercept or access an electronic communication made through an electronic communication system that is configured so that such electronic communication is readily accessible to the general public.

A separate subsection (2511(2)(g)(ii)) also provides an exemption that is applicable to the interception of "radio communications," but this subsection contains a laundry list of the types of "radio communications" which are exempt (none of which were readily applicable in this case). Separately, the statute contains a definition for when something is "readily accessible to the general public," and this definition says that "'readily accessible to the general public' means, with respect to a radio communication" that such communication is not (among other exceptions) "scrambled or encrypted."

When I see these three sections of the statute, I see a drafting error, or at least some seriously clunky drafting. The most obvious interpretation to me is that a "radio communication" enumerated in 2511(g)(ii) is exempt. A "radio communication" that is spelled out in 2510(16) is also exempt, because it is "readily accessible to the general public." (Anything that fits 2510(16) would fall within 2511(2)(g)(i).) Judge Ware didn't see it this way. He sees the definitions of 2510(16) as describing exceptions that only apply to "traditional radio broadcast mediums." According to Judge Ware, these definitions "do not address any broader radio-based communications technology of the time," nor do they address modern technologies--such as Wi-Fi--that were obviously not contemplated by the drafters of the statute. As support for this interpretation, Judge Ware points to the legislative history, which indicates a reluctance to include cell-phone transmissions within the scope of the exception. (This part of the discussion really confused me.) At the end of the day, even though plaintiffs failed to plead that their Wi-Fi networks were scrambled and encrypted (and arguably made admissions to the contrary), Judge Ware concludes that:

the wireless networks were not readily accessible to the general public as defined by the particular communications system at issue, wireless internet networks, which are not "radio communications," as the term was intended by Congress in drafting Section 2510(16).

Google also argued that United States v. Ahrndt [pdf] supported its interpretation of the statute. Ahrndt was a criminal case where a defendant moved to suppress evidence that defendant's neighbor encountered while accessing the defendant's wireless network. When the neighbor accessed the network (which was open), she could view the files in defendant's iTunes account, which included child porn. The court denied defendant's request (citing 2511(g)(i)) to suppress the evidence because defendant had configured his system so "the electronic communications [at issue were] readily accessible to the general public." Judge Ware distinguished Ahrndt because, in the Street View case, the users had only set their Wi-Fi settings so that the networks themselves (and not the content) were accessible to the general public.

State wiretap claims: Google argued that ECPA preempted plaintiffs' claims under state wiretap statutes. Judge Ware found that although there was no express preemption in the statute, ECPA demonstrated a Congressional intent to comprehensively regulate the field. Therefore, the state law claims were preempted. The order does not cite to Valentine v. NebuAd [pdf], also recently decided in the Northern District, where Judge Henderson came to a contrary conclusion.

Section 17200 claims: Plaintiffs' section 17200 claims suffered a familiar flaw: they were unable to allege that they lost "money or other property" as a result of Google's actions. The court rejects the argument that "data packets" are property for section 17200 purposes, finding that recognizing a property interest in data would undermine the intent of Proposition 64 (which created stricter standing requirements for Section 17200 claims).
__

I'm not sure where to begin with this one. This is yet another case where the statute was written with certain technology in mind, and the court struggles with which box the present day technology belongs in. Is a transmission via open Wi-Fi a "radio transmission"? An "electronic communication"? Both? It's unclear from the order where the court comes out on this issue. There is no dispute that Wi-Fi was not around when the statute was drafted or more recently amended, and the contortions required to figure out what statutory box it fits in are downright painful.

A factual question which did not receive much attention in the order was how difficult it is for the average person to access someone else's content through an open Wi-Fi. Is this the same as picking up a transmission on a ham radio? Is this like picking up police scanner transmissions? Google argued that accessing data through an open Wi-Fi can be easily accomplished using inexpensive (or free) and widely available software, but there wasn't much discussion of this in the court's opinion. The fact that Google reportedly filed for a patent over some aspect of this did not help its argument.

I can see unintended consequences that would flow from either approach. Finding that data transmitted over an open Wi-Fi is not protected under the ECPA would undermine privacy in a big category of communications. On the other hand, by creating a special category of "radio communications" that don't get the benefit of the general exemption, this broadens the scope of a statute which has criminal consequences. Judge Ware decided Power.com, and applied the rule of lenity in that case in construing the statute narrowly. Given that a violation of this statute can result in criminal liability as well, I'm surprised this doctrine did not come into play in interpreting the statute narrowly.
________

Eric's comments:

1) I continue to insist that the ECPA is one of the worst-drafted statutes of all time. As Venkat's confusion indicates, no one really knows what the statute means, which suggests it's hard to advance an implausible interpretation of the statute.

2) This case is a fairly typical "technological convergence" case where we try to interpret technological terms in a statute in light of unanticipated technological evolution. Congress couldn't conceive of private WiFi back in 1986, so the statute doesn't fit the technology very well. Personally, in light of modern sensibilities, I think "radio" most naturally means the entire wireless spectrum. Judge Ware saw it differently and found reasons to separate out pieces of the spectrum for differential statutory application. I could see other judges reading the term more broadly on appeal.

3) Google's loss on the motion to dismiss is surely disappointing to Google, but I don't think the plaintiffs should start cashing their checks yet. There are plenty more interstices of the ECPA for both parties to explore on summary judgment and perhaps at trial.

4) As Congress revisits the ECPA as part of the Digital Due Process initiative (which I support), I desperately hope Congress also reconsiders the ECPA's private cause of action. The class action plaintiffs have gone crazy with the statute, and due to its drafting deficiencies, the plaintiffs' claims are rarely clearly wrong on the surface. The result has been a huge tax on innovation with no commensurate social benefits; only the private benefits of a few privacy class action lawyers getting fat and happy while feasting on Silicon Valley companies.

5) The ECPA's preemption of state wiretap laws, if followed by other courts, could be a Very Big Deal. However, Judge Ware didn't cite any caselaw in support of his conclusion, and frankly I'm skeptical that ruling will survive further challenge.

Other coverage:

Judge to Google: sniffing even open WiFi networks may be wiretapping (Ars Technica)
Judge: Google Can Be Sued for Wiretapping in Street View Debacle (Wired/Threat Level)

Posted by Venkat at 11:09 AM | Privacy/Security



June 28, 2011

San Diego County Bar Tackles Lawyer Friend Requests and the Ex Parte Rule

[Post by Venkat Balasubramani]

The San Diego County Bar Association recently tackled the issue of whether a lawyer's friend request to an employee of a party violates the rule barring ex-parte communications by a lawyer with a party whom the lawyer knows or should know is represented by counsel. You can access the opinion on Scribd here, and it's worth a read.

The factual scenario involved a lawyer who represented a plaintiff against a company in a wrongful discharge lawsuit. The lawyer knew the defendant-employer was represented by counsel, but obtained a list of the defendant's current employees. The client provided the list, identifying which of those employees might be disgruntled and therefore likely to provide dirt on the defendant-employer. The lawyer then sent Facebook friend requests to these individuals.

The opinion looks to California Rule 2-100, which provides that:

While representing a client, a [lawyer] shall not communicate directly or indirectly about the subject of the representation with a party the [lawyer] knows to be represented by another lawyer . . . unless [the other lawyer first consents].

The opinion first tackles the issue of whether the employees are "parties" for purposes of the rule. If they exercise discretion and determine the employer's policy, they may be treated as part of the represented corporate-party for purposes of this rule. Consequently, the opinion advises that the lawyer should first check with his or her client as to what role the employees play in the organization before treating the employees as unrepresented parties. Assuming they are policy-making employees and therefore "represented," the opinion looks to whether the lawyer's friend request constitutes a communication "about the subject of the representation." The opinion parses the language of the friend request and the fact that it's initiated by the lawyer but transmitted by Facebook, and concludes that the friend request would violate the rule against ex parte contact:

[i]f the communication to the represented party is motivated by the quest for information about the subject of the representation, the communication . . . is about the subject matter of that representation. . . . This becomes clearer when the request to friend . . . is transferred from the virtual world to the real world. Imagine that instead of making a friend request by computer, opposing counsel instead says to a represented party in person and outside of the presence of his attorney: "Please give me access to your Facebook page so I can learn more about you." That statement on its face is no more "about the subject of the representation" than the robo-message generated by Facebook. What the attorney is hoping the other person will say in response to that facially innocuous prompt is "Yes, you may have access to my Facebook page. Welcome to my world. These are my interests, my likes and dislikes, and this is what I have been doing and thinking recently."

The opinion also addresses a few objections:

The friend request does not refer to the issues raised by the representation: With respect to this objection, the opinion notes that even open-ended questions can "impel the other side to disclose information that is richly relevant to the matter," even if the question itself is not directed to a subject relating to the representation. Information "uncovered in the immediate aftermath of a represented party's response to a friend request at least 'might reasonably assist a party in evaluating the case, preparing for trial, or facilitating settlement thereof.'" Although the initial friend request may not relate to the representation, it's the type of open-ended question that is designed to elicit a response that provides useful information. Indeed, the opinion notes that once you have become a person's Facebook friend, you have access to a wealth of information regarding that person, including information that will potentially be advantageous to know in litigation.

Friending a represented party is the same as accessing the opposing party's website: The second objection argued that accessing a publicly available website of a party who is represented is permitted, and this is no different. The opinion states that there is a key difference between the two. In one instance the webpage is publicly accessible, and in the other, you need permission--acceptance of the friend request--in order to access it. The opinion concludes that if a witness or opposing party maintains a profile on a social network that is freely accessible by the general public, there is no ethical bar to its access by a lawyer.

The opinion also dismisses a couple of other objections: (1) statements in a Facebook profile are not necessarily protected by the attorney/client privilege (the restriction on ex parte contact goes beyond this information), and (2) courts have rejected deception as the basis for excluding evidence in the criminal context (the standards for when evidence should be excluded in a criminal case are not the same as those which prohibit ex parte contacts in civil cases). The opinion notes that the policy underlying the rule prohibiting ex parte access is to restrict the opposing lawyer from interfering in an existing lawyer/client relationship and exerting undue influence through this interference. The tenor of the opinion is that this risk of undue influence clearly exists in the context of a Facebook "friendship."

The opinion raises some interesting issues and takes a careful look at the rules and other opinions on this issue. (The Philadelphia Bar Association and the New York State Bar Association have both weighed in on this issue as well.) The opinion cites to another case (U.S. v. Sierra Pacific Industries, 2010 WL 4778051 (E.D. Cal. 2010)) where the court held that a lawyer who was litigating a claim against the U.S. Forest Service violated the ex parte rule when he attended a "field trip" organized by the Forest Service and extensively questioned Forest Service employees on their policies. The field trip was open to the public and thus mere attendance did not violate the rule. The court focused on the questioning, rather than the attendance. In contrast, here, the opinion concludes that merely sending a friend request could violate the rule.

I wonder whether the result would have been different if the lawyer in question sent a friend request that expressly addressed the ex parte issue--e.g., "I'm John Doe, counsel for Jane Doe, and I'd like to speak with you about this matter. If you are represented by counsel, please do not accept this friend request."

The opinion serves as a good reminder that despite the treasure trove of evidence that may be contained in social media profiles, accessing this information is another matter.

(h/t ABA Journal: "Facebook Friend Request to Exec of Represented Corp. May Violate Ex Parte Rule, Opinion Says")

Posted by Venkat at 02:25 PM | Evidence/Discovery , Privacy/Security



June 24, 2011

Court Conducts in camera Review of Plaintiff's Facebook Page to Resolve Discovery Dispute -- Offenback v. Bowman

[Post by Venkat Balasubramani]

Offenback v. Bowman, 10-CV-1789 (M.D. Pa.; June 22, 2011)

Background: Discovery disputes over Facebook accounts and whether they are discoverable in civil cases are piling up. Courts and litigants continue to grapple with the central problem that even to the extent the information is properly discoverable, at least some portion of a litigant's or party's Facebook account deserves privacy protection and should also be protected by federal statutes such as the Stored Communications Act. On the other hand, an opposing litigant needs to get access to the Facebook profile in order to determine whether something contained in the account is relevant, in order to articulate a "likely to lead to the discovery of admissible evidence" argument.

Courts have come up with interesting and mostly imperfect ways to solve this problem. In one case, a court suggested that the litigants "friend" the court so the court could review the contents of the account which would be visible to the witness's friends. ("Judge Offers to Facebook 'Friend' Witnesses in Order to Resolve Discovery Dispute.") In this case, the court conducted an in camera review of the plaintiff's Facebook profile and determined what information was discoverable.

The facts follow a familiar pattern. Plaintiff suffered a car accident, and sued, alleging he suffered physical and psychological injuries. He claimed that these physical injuries limited:

his ability to sit, walk, stand, ride in a vehicle, bend, stoop, push, pull, and lift. He claimed that he could not drive for any period of time and is physically limited as to riding his bicycle or motorcycle.

Defendant sought access to plaintiff's Facebook and MySpace accounts. The court asked for plaintiff's log-in information for these accounts. Plaintiff provided the Facebook password but said "he could no longer locate information related to his MySpace account, since he had neither activated nor used the account since November 2008." [Ouch! Plaintiff is not alone; this BusinessWeek article notes that even one of the co-founders of MySpace no longer checks his MySpace account: "The Rise and Inglorious Fall of MySpace."]

Discussion: The court reviews plaintiff's Facebook page and concludes that the bulk of the material there is unrelated to the accident and not discoverable. There were a few items that were discoverable and these included:

- photos of plaintiff taking numerous motorcycle trips;
- photos of plaintiff hunting;
- photos and comments suggesting that plaintiff "may have recently ridden a mule";
- comments confirming plaintiff's continued interest in riding motorcycles.

The rest of the page contained information that was not discoverable--such as "routine communications" with family and friends, and expressions of plaintiff's interests and hobbies. [The court notes that plaintiff had a passion for the Philadelphia Phillies "which was not dampened after he moved to Kentucky from Pennsylvania."]
___

The court drops a footnote in the order, knocking the parties for getting the court involved in this discovery dispute. Plaintiff conceded that some of the information in the Facebook profile was discoverable. Defendants appeared to have backed away from their initial position that all of the information was discoverable, but they did not actually narrow their discovery requests to the items that plaintiff admitted were discoverable. Translation: the parties ended up wasting the court's time, and should have worked it out themselves.

It still feels awkward that the court took the approach of actually logging in to plaintiff's Facebook account using plaintiff's password. Isn't this a violation of the Facebook terms of service?

There's another issue lurking in the background of these disputes that courts will be forced to confront: can a party be forced to consent to disclosure of information that falls under the Stored Communications Act? No case has directly confronted this question, although one court has held that a party's default and fugitive status is not consent. (See "Being a Fugitive is Not Consent for Production under the Stored Communications Act.")

Earlier related posts:
"Judge Offers to Facebook 'Friend' Witnesses in Order to Resolve Discovery Dispute -- Barnes v. CUS Nashville"
"Court Orders Disclosure of Facebook and MySpace Passwords in Personal Injury Case -- McMillen v. Hummingbird Speedway"
"Plaintiff Can't be Forced to Accept Defense Counsel's Facebook Friend Request in Personal Injury Case -- Piccolo v. Paterson"

Posted by Venkat at 09:45 AM | Evidence/Discovery , Privacy/Security



June 19, 2011

Employer Who Fails to Consistently Enforce Computer Usage Policy Cannot use the Policy to Justify Dismissal -- Branson v. Harrah's

[Post by Venkat Balasubramani]

Branson v. Harrah's Tunica Corp., et al., 08-cv-02804-BBD-cgc (W.D. Tn; June 3, 2011) (decision)

Background: Branson was an employee with the Grand Casino for over ten years, from 1996 to 2007. Harrah's acquired Grand in 2006. He received uniformly favorable employment ratings. In March 2007, Grand employed three "table games shift managers," Branson, Rob Keene, and Denise Alford, each of whom reported to Darrell Pilant. Each manager had their own computer log-in, password, and Windows account. As Branson described it, he accidentally accessed the email account of one of the other managers and forwarded himself an email:

Plaintiff sat down to use a shared, work computer when he noticed an email from Alford to Pilant. Alford had apparently failed to log out of her email account, and the email appeared on the screen when Plaintiff touched the mouse. The email stated that [Branson] and Keene were speaking in front of Mitch Pate, a pit manager, about the performance of [their] subordinates. . . . Apparently two hours into his shift, [Branson] forwarded a copy of Alford's email first to his business email account and then to his personal email account so that he could access the email from home.

Branson told his boss what he had done, and Pilant looked into it. Pilant had the IT department investigate to verify what happened, and once he did, he informed Branson that Branson "violated several policies and the trust that Pilant had placed in [Branson]." Ultimately, Branson was given the option of resigning or being terminated, and he chose the first option. Although Branson resigned, Harrah's placed a notation in his employee file that he was "eligible for rehire."

Branson brought claims alleging that he was forced to resign because of his age.

Discussion:

Employer status: The first issue the court addressed was whether Harrah's Entertainment, Inc. and Harrah's Operating Company, Inc. were Branson's employer. There was testimony that Harrah's acquired Grand (where Branson originally started working) in 2006. After the acquisition, employees received a Harrah's handbook and W-2's which listed Harrah's as their employer. Additionally, defendants' own witnesses, who purported to be Grand employees, listed Harrah's as their employer on their LinkedIn pages. Based on this evidence, the court held that Harrah's Entertainment, Inc. and Harrah's Operating Company, Inc. were both Branson's employers for purposes of the ADEA. (Coincidentally, Harrah's also got burned by LinkedIn evidence in another case where a different plaintiff asserted age discrimination claims against Harrah's: "Contrary LinkedIn Evidence Crushes Witness' Testimony." The plaintiff in that case testified in this case as well.)

The ADEA claim: Resolution of the ADEA claim was the more interesting part of the ruling. The court found that plaintiff put forth a prima facie case--he was within the protected class, received favorable ratings, and was replaced by someone younger than him. It was up to defendants to put forth a non-discriminatory reason for the termination, and defendants relied on the fact that Branson violated Harrah's computer use policy by improperly accessing his co-worker's email and forwarding an email to his own business and personal account. The court found that this was a sufficient non-discriminatory reason for the termination, and shifted the burden to Branson in order to show pretext. The court concludes that he put forth sufficient evidence to satisfy his burden.

The court found that defendants typically followed a four step disciplinary process before terminating an employee and that "the evidence presented [did] not support the conclusion that [Branson's] conduct was serious enough to justify deviating from this process." In particular, the court found that:

employees did not receive training or instructions on how to use the Grand's computer system. [The witness-employees did not appear] to be familiar . . . with the policies that defendants cite[d] as justification for [Branson's] termination. Furthermore, the proof show[ed] that it was not uncommon for employees to [access] each other's email accounts, and presumably each other's passwords on the shared work computer, without fear of suffering any disciplinary action.

The court also found defendants' explanation was contradictory in that if Branson was terminated for a serious issue, defendants would not have found that he was eligible to be rehired.

As an added bonus, the court finds that defendants' conduct was willful, or at best, with reckless disregard of whether it was in violation of the ADEA. The court smacks defendants with a whopping award of $361,363.42.

___

Accessing someone else's email is risky behavior and a potential violation of federal statutes which protect the privacy of electronic communications. This has gotten a few employers into trouble. In Pure Power Boot Camp v. Warrior Fitness Boot Camp, for example, ex-employees were awarded (admittedly nominal) damages when their former employer accessed their emails. (See "Ex-Employees Awarded $4,000 for Email Snooping by Employer.") You would think that when an employee does something like this and admits to doing it, the employer would have no problem firing the employee for it. Defendants even had a written policy in place which the employee in this case violated when he accessed his co-worker's account. One would think that a violation of this policy would put defendants in a position to prevail at summary judgment, if not deter the plaintiff from pursuing his claims in the first place. Yet despite having a policy in place, the employer was still not allowed to use the policy violation to justify the termination. Why? The policy was not taken seriously or consistently enforced. Despite the potential seriousness of plaintiff's act, there was testimony in the case that other employees regularly violated the policy and were not subject to disciplinary measures.

A useful reminder that regardless of what network/social media policies you have in place, if you do not actually implement them, and enforce them in a consistent way, they may not be of much use at the end of the day.

Posted by Venkat at 10:29 AM | Privacy/Security



June 18, 2011

Bank ACH Fraud Victims Get Mixed Rulings -- Experi-Metal v. Comerica Bank & Patco Constr. v. People's United Bank

[Post by Venkat Balasubramani]

We have posted on numerous cases involving data breach plaintiffs who are rebuffed by courts because they have not suffered cognizable harm such as out-of-pocket losses. A pair of recent cases involved businesses whose bank accounts were drained after their log-in credentials were compromised and who sued their banks for the resulting out-of-pocket losses. In one case, the court finds for the customer; in the other, it finds for the bank. (Standing was not an issue in either case, since the plaintiffs suffered out-of-pocket losses.)

Experi-Metal v. Comerica Bank, 09-14890 (E.D. Mich.; June 13, 2011)

Experi-Metal was a victim of a phishing attack, which led to unauthorized wire transfers of $1.9+ million from its bank accounts. Comerica recovered all but $560,000 of this amount, and Experi-Metal sought to hold Comerica liable for this remaining amount. Following a bench trial, the court concludes that Comerica did not act in good faith--i.e., did not observe "reasonable commercial standards of fair dealing."

Here is how the court recounts the phishing incident:

During the morning of January 21, 2009, Comerica was alerted to phishing e-mails sent to its customers by a third-party attempting to lure the customers into providing their confidential identification information . . . . Mr. Kind, Experi-Metal's Vice President of Manufacturing, forwarded [the phishing e-mail he received] to Mr. Maslowski [its controller]. The e-mail instructed the recipient to click on an attached link to complete a "Comerica Business Connect Customer Form." At approximately 7:35 a.m., Mr. Maslowski clicked on the link and was directed to a website where he responded to a request for his confidential secure token identification, Treasury Management Web ID, and login information. By doing so, Mr. Maslowski provided a third-party with immediate online access to Experi-Metal's Comerica bank accounts from which the individual began initiating wire transfer payment orders . . . .

Whether Maslowski was authorized to initiate wire transfers: Experi-Metal first argued that Maslowski was not authorized to initiate wire transfers, so the bank should not have processed the requests. The court rejects this argument, finding that on numerous documents, the CEO of Experi-Metal designated appropriate "users" for Experi-Metal's Comerica account, and these documents included herself and Mr. Maslowski. The court finds that the CEO's explanation regarding Maslowski's lack of authority wasn't credible. Maslowski had the password and, in the aftermath of the phishing incident, the CEO did not raise a hue and cry about why he had the password.

Whether Comerica processed the payment orders in "good faith": Michigan's version of the Uniform Commercial Code allows the bank to get off the hook for unauthorized wire transfer orders if (1) the bank and customer agree to a security procedure for verifying payments; (2) the security procedure is commercially reasonable; and (3) the bank accepts the orders in "good faith." Even if these conditions are satisfied, the customer may shift the loss to the bank if the customer can show that "the person committing the fraud did not obtain the confidential information [facilitating the breach of the security procedure] from an agent or former agent of the customer or from a source controlled by the customer."

The parties agreed that the burden fell on Comerica to prove that it accepted the payment orders "in good faith." Both sides presented expert testimony on the issue of whether Comerica's acceptance and processing of the unauthorized wire transfers comported with industry or commercial standards. The court does not give much credence to the testimony of either party's expert. Ultimately the court concludes, based on a variety of facts that Comerica failed to satisfy its burden:

the volume and frequency of the payment orders and the book transfers [from one Experi-Metal account to another] that enabled the criminal to fund those orders; the $5 million overdraft created by those book transfers in what is regularly a zero balance account; Experi-Metal's limited prior wire activity; the destinations and beneficiaries of the funds; and Comerica's knowledge of prior and . . . current phishing attempts.

Based on these facts, the court concludes "that a bank dealing fairly with its customer, under these circumstances, would have detected and/or stopped the fraudulent wire activity earlier."
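As an added illustration (not part of the original post, and not Comerica's actual monitoring system), the following toy review rule scores each outbound wire in a constructed transaction sequence against the indicators the court listed: frequency against the customer's baseline, book-transfer overdrafts on a normally zero-balance account, limited prior wire activity, unfamiliar destinations and beneficiaries, and an active phishing alert. The customer profile, the amounts, the beneficiary names and the hold threshold are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Set, Tuple, Union


@dataclass(frozen=True)
class Wire:
    ts: datetime
    amount: float
    beneficiary: str
    country: str


@dataclass(frozen=True)
class BookTransfer:
    """Internal move from the customer's normally zero-balance account into the
    account the wires are sent from (the funding pattern the court described)."""
    ts: datetime
    amount: float


@dataclass
class CustomerProfile:
    prior_wires_per_month: float       # baseline from the customer's history
    known_beneficiaries: Set[str]
    known_countries: Set[str]
    source_account_normally_zero: bool


Event = Union[Wire, BookTransfer]
HOLD_THRESHOLD = 3   # assumed: hold for manual review when this many flags co-occur
WINDOW = timedelta(hours=1)


def review_events(events: List[Event], profile: CustomerProfile,
                  phishing_alert_active: bool) -> List[Tuple[Wire, List[str], bool]]:
    """Walk the day's events in order and return (wire, reasons, hold) per wire."""
    source_balance = 0.0
    recent_wires: List[Wire] = []
    results = []
    for ev in events:
        if isinstance(ev, BookTransfer):
            source_balance -= ev.amount        # funding drawn from the zero-balance account
            continue
        reasons = []
        in_window = [w for w in recent_wires if ev.ts - w.ts <= WINDOW]
        # Volume/frequency: more wires in an hour than the customer sends in a month
        if len(in_window) + 1 > max(2, profile.prior_wires_per_month):
            reasons.append("wire frequency far above customer baseline")
        if profile.source_account_normally_zero and source_balance < 0:
            reasons.append("book transfers overdrew a normally zero-balance account")
        if profile.prior_wires_per_month < 1:
            reasons.append("customer has limited prior wire activity")
        if ev.beneficiary not in profile.known_beneficiaries:
            reasons.append("beneficiary never paid before")
        if ev.country not in profile.known_countries:
            reasons.append("destination country never used before")
        if phishing_alert_active:
            reasons.append("phishing campaign against the bank's customers reported today")
        results.append((ev, reasons, len(reasons) >= HOLD_THRESHOLD))
        recent_wires.append(ev)
    return results


def sample_profile() -> CustomerProfile:
    # Constructed: a manufacturer that wires money perhaps twice a year, only domestically
    return CustomerProfile(0.5, {"Acme Steel Supply"}, {"US"}, True)


def sample_events() -> List[Event]:
    # Constructed sequence: one routine wire, then book-transfer-funded wires abroad
    d = datetime(2009, 1, 21)
    return [
        Wire(d.replace(hour=7, minute=0), 12_000.0, "Acme Steel Supply", "US"),
        BookTransfer(d.replace(hour=7, minute=50), 1_000_000.0),
        Wire(d.replace(hour=7, minute=52), 450_000.0, "Novaya Trading", "RU"),
        BookTransfer(d.replace(hour=7, minute=58), 1_000_000.0),
        Wire(d.replace(hour=8, minute=3), 480_000.0, "Helios Partners", "MD"),
        Wire(d.replace(hour=8, minute=10), 470_000.0, "Helios Partners", "MD"),
    ]


if __name__ == "__main__":
    for wire, reasons, hold in review_events(sample_events(), sample_profile(), True):
        print(wire.ts.time(), wire.beneficiary, "HOLD" if hold else "release", reasons)
```

The routine domestic wire picks up only the two background flags (limited history, phishing alert) and is released; each book-transfer-funded foreign wire accumulates five or six and is held.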

Patco Construction Co. v. People's United Bank, d/b/a Ocean Bank, 09-cv-005003 (D. Maine; May 27, 2011)

In this case, unknown third parties initiated a series of withdrawals from Patco's account with Ocean Bank over the course of several days. The withdrawals totaled $588,851, and of this amount Ocean Bank blocked $243,406 of the transfers. Patco sought to hold Ocean Bank liable for the remainder. The person who initiated the transfers obtained Patco's credentials:

The Bank authenticated [the initial unauthorized transfer] with Patco's company ID and password and [Patco's] proper credentials, including [an authorized user's] ID, password, and answers to challenge questions. Whoever initiated this transaction did not submit an incorrect password or answers to challenge questions even once.

The court focused on whether the security procedures employed by Ocean Bank were "commercially reasonable" (as in the Comerica case, the court looked to the UCC and the state law version of the relevant provision). In a 70 page opinion which includes discussion of the perspectives of competing experts, industry practices, and alternative security measures, the court concludes that the bank's procedures may not have been perfect, but were commercially reasonable. As summarized by Brian Krebs ("Court: Passwords + Secret Questions = 'Reasonable' eBanking Security"):

The magistrate analyzed whether the bank’s security satisfied "multi-factor authentication" guidelines by incorporating at least two of three checks: Something the user knows (such as a password), something the user has (such as the passcode generated by a one-time token); and something the user is, such as a biometric identifier. (Those guidelines were established in 2005 by banking regulators at the Federal Financial Institutions Examination Council (FFIEC).)

The magistrate judge said the bank's security satisfies these guidelines. Patco argued that the fraud was caused by keylogging software and that the bank's security measures (its "rules" for when it would look into suspicious transfers and how it deployed its authentication procedures) were commercially insufficient to deal with this type of risk. Patco faced a bit of an uphill battle on this point because it failed to preserve the evidence on its computers--i.e., Patco did not immediately stop using them and allow them to be forensically examined.

___

Both cases had a few things in common. First, the actual breach happened on the user's end--there was no allegation that a criminal broke into the bank's computer system and siphoned money out of it. Regardless, this did not preclude the claims in either case. Second, in both cases, the bank's customers were limited by the agreements in question. Although the agreement did not totally preclude Experi-Metal's claim, it undermined Experi-Metal's argument that the individual employee who was the victim of the phishing attack was not authorized to undertake wire transfers. I'm willing to bet the plaintiffs in both cases did not carefully review the voluminous documents and updates provided by their respective banks as to matters such as account security, authorized signatories, and loss prevention. In both cases, the parties entered into agreements which were "updated" by the banks numerous times, often via email notice or notice via the bank's online interface for online banking.

The court's conclusion in Comerica was very Solomonic: "I've taken in all of the evidence and here is my judgment." The court does not give much credence to either expert. In contrast, the court in Patco goes into mind-numbing detail about the processes, industry standards, and the contentions of the experts.

These decisions are both good wake-up calls to businesses about their exposure to security risks and the limits on their ability to shift losses to third parties. Both plaintiffs were small businesses that suffered relatively significant out-of-pocket losses, and it probably came as a surprise that there is no legal mechanism to shift the losses to the banks. From reading through both orders, you get the sense that neither the bank nor the customer is particularly well situated to prevent the losses in question. (Undeniably, some additional training and education at the customer end could have potentially averted these losses, but it's tough to say.) This looks like the type of loss where insurance would be well worth exploring, to the extent it is available. I wonder if we will eventually see federal legislation that sets minimum standards here.

Other coverage:

"Court Says Comerica Bank Must Pay After Customer Is Hacked" (Bob McMillan)
"Court: Passwords + Secret Questions = 'Reasonable' eBanking Security" (Brian Krebs)

Posted by Venkat at 08:46 AM | Privacy/Security



June 06, 2011

April-May 2011 Quick Links, Part 3

By Eric Goldman

Search Engines

* Google is working on a deal with the DOJ over illegal pharmaceutical ads and has set aside $500M for fines. Some background on the problem. Google isn’t the only search engine with problematic pharmaceutical ads. Will the other companies be getting the DOJ’s call too?

* Kevin Kelly: "This is the great gift of the free web. It has made some goods so cheap to acquire -- like answers, encyclopedia facts, directions, weather reports, recommendations -- that we generate entirely new realms of activity by doing far more of them. More is different. We ask so many more questions than before that this ask-and-answer is something new. Have you ever wondered where all our questions were before search engines? We didn't even bother to ask them."

* Vitaly Borker, who tried to game Google’s algorithm by seeking out bad consumer reviews, will be going to prison.

* Google won ALM's Best Legal Department in 2011. This article has a great inside look at Google’s legal department and how it makes decisions.

* More winners and losers from Google's algorithmic update.

* Latest antitrust enforcement challenge for Google: South Korea.

* More search censorship in Argentina. The ruling in Spanish.

* Yahoo changed its search log retention period from 3 months to 18.

* Market America is appealing its court loss to Google to the Third Circuit. Most recent blog post.

* Apple jiggers with the ranking algorithm for apps in its app store.

* CNET: “Bing head says 'traditional search' is dying.”

* Realcomp II, Ltd v. FTC, 11a0084p.06 (6th Cir. April 6, 2011). A monopolistic real estate electronic network violated antitrust laws when it provided only limited syndication of real estate listings subject to non-standard brokerage fee arrangements. Implications for Google?

* JC Penney’s 90 day timeout from Google for black hat SEO appears to be over.

* Gord Hotchkiss: “Why Results Quality Is So Important to Search Engines”

Privacy and Security

* Facebook tried to conduct a whisper campaign to bash Google on privacy. That backfired. Steven Levy: “Facebook’s Stealth Attack on Google Exposes Its Own Privacy Problem.” Danny Sullivan: “How Facebook Enables The Google Social “Scraping” It’s Upset About.”

* Not everyone loves the WSJ “What They Know” series.

* Kate Kaye of ClickZ on which of the half-dozen Congressional privacy bills the ad industry should favor.

* WSJ: Schmidt: Google Trying to Simplify Privacy Policies, but Lawyers Get In the Way.

* Less than 1% of Firefox users are using Do Not Track TPLs.

* Third party misuse of an open wifi leads to an unhappy wake-up call for the wifi owner.

* FTC gets $3M settlement from Playdom for COPPA violations. Among other purported defects, Playdom asked kids their ages and purported to bounce underage kids, but gave those kids the option to proceed just by checking a box rather than obtaining verifiable parental consent.

* An IP address can now pin down your location to within a half mile.

* The Sony Playstation hack of 70M member records will probably make my year-end list of top 10 Internet law developments. This event will be horking the law for the better part of a decade.

* EFF on how the Kerry-McCain privacy bill would preempt state law.

* Apple tried to squash the Mac Defender malware in its latest operating system release, but didn't get very far. Microsoft has made such benevolent dictatorship decisions before as well.

Publicity Rights and Trade Secrets

* Reality TV show participants were sued for prematurely revealing the show's outcome (in a lawsuit over the show's alleged failure to pay). See my first year Contract Law problem on maintaining secrecy in reality TV shows.

* Stars on the red carpet grant an implied license to their publicity rights in photos taken there.

* Basketball player Chris Bosh sues the mother of his child to prevent her from appearing in a reality TV show “Basketball Wives.”

* Larry Montz v. Pilgrim Film and Television, 08-56954 (9th Cir. May 4, 2011). In an idea submission case, “We again hold that copyright law does not preempt a contract claim where plaintiff alleges a bilateral expectation that he would be compensated for use of the idea, the essential element of a Desny claim that separates it from preempted claims for the use of copyrighted material.” The panel also reversed the district court conclusion that a “breach of confidence” claim was preempted.

* Many publicity rights complaints over Facebook's "Sponsored Stories": Fraley v. Facebook; JN v Facebook; and EKD v. Facebook. Filings in the Cohen v. Facebook case: motion to dismiss and supplemental brief on 47 USC 230.

* Litigation over Donald Trump’s licensing of his name to home developers. Interesting issues about a trademark licensor’s liability for a licensee’s activity and liability by endorsers for bum offerings.

* MGA spent $130M in its legal battle with Mattel.

Posted by Eric at 07:19 AM | Privacy/Security , Publicity/Privacy Rights , Search Engines , Trade Secrets



June 04, 2011

NebuAd Deep Packet Inspection Lawsuits Sputter -- Deering v. CenturyTel & Green v. Cable One

[Post by Venkat Balasubramani]

The alleged monitoring and use of ISP subscribers' internet activity for advertisement targeting purposes by NebuAd spawned a slew of class actions. NebuAd shut down, leaving plaintiffs to go after the individual ISPs who partnered with NebuAd. ("Turning Out The Lights: NebuAd.") Plaintiffs have not had much luck with their claims against the ISPs.

In Mortensen v. Bresnan, the court dismissed the ECPA and state law privacy claims but left the Computer Fraud and Abuse Act claims intact. ("Deep Packet Inspection (NebuAd) Litigation: Court Dismisses ECPA Claim but CFAA Claim Continues.") As an update to that case, the court ruled that the claims were not subject to arbitration, but the defendant-ISP moved for reconsideration of this ruling in light of AT&T Mobility LLC v. Concepcion, the recent Supreme Court case where the Court held that the Federal Arbitration Act preempts state law unconscionability arguments which are applied disproportionately to invalidate arbitration agreements. You can access the motion for reconsideration here.

Deering v. Centurytel, Inc.: In Deering, the court came to the same conclusion as it did in Bresnan, dismissing the privacy and ECPA claims on the basis of the end user agreement. The court notes that as in Bresnan, the ISP here:

also provided notice of the NebuAd agreement. Specifically, an email to its subscribers was sent informing them that the Privacy Policy had been updated and providing a link to the updated Privacy Policy. Under the heading, "Online Advertising and Third Party Ad Servers," CenturyTel customers were notified that "CenturyTel partners with a third party to deliver or facilitate delivery of advertisements to our users while they are surfing the web. This delivery of advertisements may be facilitated by the serving of ad tags outside the publisher's existing HTML code. These advertisements will be based on those users [sic] anonymous surfing behavior while they are online." . . . CenturyTel customers were further notified of their right to opt out of receiving targeted advertisements by clicking on an imbedded link. The "Online Advertising and Third Party Ad Servers" section also contained a link to NebuAd's website.

I'm a little stumped by the court's reliance on the language in the privacy policy. The court cites to CenturyTel's privacy policy which at the time said that:

personal information collected [by CenturyTel] may include, without limitation, name, address, telephone number, personal computer specifications, e-mail address, user IDs and passwords, billing and transaction information, credit card information, and contact preferences.

It looks like this describes information collected by CenturyTel, as well as information provided to CenturyTel by its users. But it still doesn't come out and say that CenturyTel or a third party tracks the contents of users' communications. As described by the court, the policy also had standard "cookies and web beacons" language which made clear that CenturyTel used cookies and web beacons to target. This would put users on notice that their clickstream would be used for targeting purposes, but would not alert them to the fact that their traffic was being routed through a third party server or that the contents of their web surfing activity would be exposed to a third party (which is what NebuAd is accused of doing).

CenturyTel sent an email to its users alerting them of an update to CenturyTel's privacy policy, but the email only said that "advertisements will be based on . . . [the] anonymous surfing behavior" of end users. The court does not cite to the NebuAd agreement, but nothing in the CenturyTel disclosures looks like it clearly states that the contents of users' communications would be viewable and accessible by a third party. The use of "anonymous surfing" language, if anything, would tend to minimize the effect of any disclosures in the NebuAd agreement or would create a conflict between the two. How exactly NebuAd was monitoring and targeting is not clear, but the disclosure could certainly have been much clearer, and the court doesn't delve into the details here.

More than anything, this ruling seems to reflect the court's antipathy towards privacy class actions or the motivations behind them. The subtext of the ruling is that there is no "there" there. The notice provided by the ISPs and NebuAd may not have been perfect, but the court had to be influenced by the fact that the plaintiffs were told about some monitoring and given the ability to opt-out. No one took advantage of this or alleged that they followed up.

The court also has harsh words for plaintiff's counsel, finding that it is "telling, and somewhat troubling" that the plaintiff did not mention the Bresnan case, "even though the same lawyers appear to have filed very similar complaints in these cases."

Green v. Cable One: In addition to Bresnan and CenturyTel there's another NebuAd case where plaintiff's claim went sideways (this happened in late February and I missed it at the time). In Green v. Cable One, plaintiff brought claims against Cable One based on alleged monitoring by NebuAd. According to a post at Wildman Harrold, here's what happened next:

Plaintiff filed a motion for class certification in August 2010. Cable One served a demand to copy and inspect plaintiff’s computer. The plaintiff then voluntarily dismissed with prejudice three of the four claims that depended upon allegations of harm/damage, leaving only the claim for violations of the ECPA remaining. (Dkt 43, October 2010). On November 9, 2010, the named plaintiff Green was deposed. During that deposition, he testified that he only accessed his Cable One account from one computer/IP address located in Alabama. Cable One’s records revealed that the Internet subscription had been canceled for that home address on November 19, 2007, one day before the NebuAd ad serving technology went into use by Cable One.

Cable One filed a motion to dismiss for lack of standing. In response, plaintiff filed a "non-opposition" with a curious explanation:

Plaintiff conferred with Defendants in effort to reach a stipulation on the Motion to Dismiss in an effort to minimize the use of judicial resources. Defendants requested the Plaintiffs file a Notice of Non-Opposition instead. Therefore, Plaintiff submits this Notice of Non-Opposition to Defendant's Motion to Dismiss.

Say what? The fact that the named plaintiff dismissed a chunk of the claims in response to a request to inspect plaintiff's computer is telling. The fact that plaintiff agreed to dismiss the claims in their entirety when Cable One argued that plaintiff cancelled his Cable One subscription the day before NebuAd filtering was implemented just demonstrates that (assuming what Cable One says is true) there was no way that plaintiff could have suffered any harm as a result of the alleged filtering. This points in the direction that courts' skepticism towards these lawsuits may be entirely warranted.

Posted by Venkat at 01:10 PM | Licensing/Contracts , Privacy/Security



June 01, 2011

Updates on DoctoredReviews.com and Medical Justice

By Eric Goldman

You may recall our April launch of DoctoredReviews.com, a website explaining why Medical Justice's form agreement, the "Mutual Agreement to Maintain Privacy," was a bad deal for doctors, patients and review websites. See a list of the media coverage on the site's launch.

Since then, there have been three developments of interest.

First, Timothy B. Lee at Ars Technica covered his experiences with a dentist who asked him to sign the Mutual Agreement to Maintain Privacy and what happened when he balked at signing (predictably, there was no negotiation, and he was booted from the office). The entire article is a great read, but this line especially caught my eye: "we began to wonder if Medical Justice was taking advantage of medical professionals' lack of sophistication about the law." Watching the doctor community's response to our site launch, I had been wondering the same thing. Doctors and other healthcare professionals are very scared of the combination of privacy laws and unfettered consumer reviews, and Medical Justice has a several-year head start in (mis?)educating them about the law. It's clear that our advocacy site alone isn't enough to do the necessary counter-education.

Timothy also hammers on how Medical Justice has been backpedaling about the efficacy of the Mutual Agreement to Maintain Privacy. Medical Justice publicly claims that the agreement is principally useful for dealing with reviews from the doctors' competitors or ex-employees or other fraudsters. This is a baffling argument because (as Timothy points out) those folks undoubtedly haven't signed the Mutual Agreement to Maintain Privacy, so doctors can neither assert a breach of the agreement nor the assigned copyrights in those reviews. (And asserting copyright to the review websites could lead to 512(f) claims). There is a massive logic disconnect between the purported goals of the Mutual Agreement to Maintain Privacy and the legal effect of the contracts. For an outfit that was clever enough to develop a way to hack 47 USC 230 through a copyright workaround, the response that the agreement should be used only against people who haven't signed it is so oddly sophomoric that it makes me wonder about the sincerity of the proffered explanation.

Timothy followed up his initial story with a postscript. In it, the dentist who claimed he'd never enforced the Mutual Agreement to Maintain Privacy backpedaled and admitted that he had, in fact, helped drive a negative review off the Internet. On the plus side, the dentist publicly acknowledged that the Mutual Agreement to Maintain Privacy wasn't a good deal for him, and he said he wouldn't renew with Medical Justice. Hey doctors and other healthcare professionals, I hope you took note.

Second, John Swapceinski of RateMDs made a post entitled "Medical Justice planting glowing reviews on RateMDs.com." Apparently, John saw some early activity from a new Medical Justice offering called the "Review Builder Program" that Medical Justice claims will help patients leave reviews from doctors' offices. Timothy at Ars Technica has plenty of sharp words about the program and the possibility of Medical Justice duplicity.

Third, we are working on Phase 2 of the DoctoredReviews project, during which we identified another doctrinal oddity: doctors, based on their purported copyright ownership, can obtain and send 512(h) expedited subpoena requests in an effort to unmask the review author--in a process that is outside of public view and without any substantive judicial oversight. Obviously, review websites can (and should) push back on these subpoenas, but I have some reason to believe that the Mutual Agreement to Maintain Privacy's purported copyright assignment is producing unmaskings that would not occur if supervised in a court of law. I'm adding this attack on privacy to the taxonomy of abusive takedown practices I'm developing.

Posted by Eric at 02:18 PM | Content Regulation , Copyright , Derivative Liability , Licensing/Contracts , Privacy/Security