
Technology & Marketing Law Blog


August 03, 2010

Baidu Can Maintain Negligence Claims Against Register.com for Lax Security Practices Which Allegedly Facilitated Cyber-Attack - Baidu v. Register.com

[Post by Venkat]

Baidu, Inc. v. Register.com, Inc., Case no. 10 Civ. 444 (DC) (S.D.N.Y.) (July 22, 2010).

Background: Baidu registered its domain name with Register.com, a domain name registrar, which provided Baidu with "Internet traffic routing services." A third party launched a cyber-attack against Baidu: the third party gained unauthorized access to Baidu's account with Register and redirected Baidu's website to a webpage "showing an Iranian flag and a broken Star of David." The webpage stated that the Baidu site "had been hacked by the Iranian Cyber Army."

The cyber-attacker gained access to Baidu's account with Register by engaging in an online chat with a Register customer service representative. The representative asked the intruder for Baidu's security verification information. The intruder did not provide the representative with the correct information, "but the [representative] nonetheless emailed a security code to the email address that Baidu had on file." When asked for the security code, the intruder did not provide the correct code (the intruder did not have access to the Baidu email address on file). Notwithstanding the discrepancy in the security codes, at the intruder's request, the representative changed the email address on file (to "antiwahabi2008@gmail.com"). From there, the intruder was easily able to access the account by using the "forgot password" function.

Discussion: Baidu brought claims for breach of contract, negligence (gross negligence), recklessness, and contributory trademark infringement.

The limitation of liability clause: Register pointed to the limitation of liability clause in its Master Services Agreement. The clause provided that Register would not be held liable for, among other things, "termination . . . or modification of [the Services,] . . . inability to use the Service[s], . . . loss incurred in connection with [the customer's] services," or "any other matter relating to [customer's] use of the Service[s]." The agreement also contained a limitation of liability clause that capped Register's liability at five hundred dollars, and also provided that it was the customer's "responsibility to safeguard the User name, password and any secret question/secret answer . . . from any unauthorized use."

The court held that as a general matter, courts in New York enforce limitations of liability clauses, particularly where these limitations are contained in a contract entered into by "those of equal bargaining power." However, New York courts do not enforce such limitations where they purport to limit liability for willful or grossly negligent acts. This "gross negligence exception" applies even to agreements between sophisticated commercial parties, although the standard for gross negligence is somewhat higher in this context. The court held that the complaint satisfied this standard, in alleging that:

(1) the rep proceeded with processing the intruder's request even though the intruder provided an incorrect response to the security question; (2) the rep didn't even bother to compare the code provided by the intruder with the security code on file; (3) the rep failed to notice the red flags raised by the intruder providing the "antiwahabi2008@gmail.com" email address (which was tied to Google, a Baidu competitor); and (4) the rep ultimately provided the intruder with Baidu's user name.

Ultimately, the court found that Register's failure to follow its own security procedures (or any minimal security procedures, for that matter) was sufficient to get Baidu past the gross negligence hurdle. Register also pointed to the provision in the contract that the customer was responsible for maintaining the security of any password/security information, and argued that Register therefore had no duty to maintain any security procedures with respect to Baidu's account. The court rejects this argument, noting that although Register may not have had any duty to provide any security, once it undertook to do so, it was required to do so in a non-negligent manner:

The attack by the Intruder was reasonably foreseeable - it was precisely because these cyber attacks are foreseeable that the security measures were adopted.
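The verification failure the court describes is a process defect: both checks were asked for, neither result was enforced, and the contact address was changed before anything was verified. The following is an added example (not code from the post, from Register.com or from Baidu) that models that account-change flow in Python, with the lax handling the complaint alleges beside a hardened version that refuses to touch the account until both factors match. The account fields, the in-memory "inbox" and the sample values are constructed for illustration; a real system would store the secret answer hashed and expire codes.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Account:
    """Constructed registrar account record (illustration only)."""
    username: str
    contact_email: str          # the address of record that receives security codes
    secret_answer: str          # kept in the clear here only to keep the sketch short
    pending_code: Optional[str] = None
    audit: List[tuple] = field(default_factory=list)


def start_verification(account: Account, inbox: Dict[str, List[str]]) -> None:
    """Issue a one-time code and deliver it ONLY to the address already on file.
    `inbox` stands in for email delivery: a dict of address -> received messages."""
    account.pending_code = secrets.token_hex(3)          # 6 hex characters
    inbox.setdefault(account.contact_email, []).append(account.pending_code)


def lax_change_contact(account: Account, claimed_answer: str,
                       claimed_code: str, new_email: str) -> Tuple[bool, List[str]]:
    """The flow as alleged in the complaint: the questions are asked, mismatches are
    noted, and the change goes through anyway."""
    flags = []
    if claimed_answer != account.secret_answer:
        flags.append("secret answer mismatch")
    if claimed_code != account.pending_code:
        flags.append("security code mismatch")
    account.audit.append(("changed despite flags", flags))
    account.contact_email = new_email                    # defect: applied regardless of flags
    return True, flags


def hardened_change_contact(account: Account, claimed_answer: str,
                            claimed_code: str, new_email: str) -> Tuple[bool, List[str]]:
    """Hardened flow: every factor must match before any field is modified, and a
    failed attempt burns the pending code so it cannot be retried or guessed."""
    flags = []
    if not hmac.compare_digest(claimed_answer.encode(), account.secret_answer.encode()):
        flags.append("secret answer mismatch")
    if account.pending_code is None or not hmac.compare_digest(
            claimed_code.encode(), account.pending_code.encode()):
        flags.append("security code mismatch")
    account.pending_code = None                          # single use either way
    if flags:
        account.audit.append(("denied", new_email, flags))
        return False, flags
    account.audit.append(("changed", account.contact_email, new_email))
    account.contact_email = new_email
    return True, []


if __name__ == "__main__":
    inbox: Dict[str, List[str]] = {}
    acct = Account("example-registrant", "owner@example.invalid", "correct-answer")
    start_verification(acct, inbox)
    # A caller who lacks the on-file mailbox can only guess the code.
    print(hardened_change_contact(acct, "wrong", "000000", "other@example.invalid"))
    print("address on file is still", acct.contact_email)
```

The two implementations differ only in whether the flags gate the write. That is the whole point of the court's "once it undertook to do so" reasoning: the expensive part (emailing a code to the address of record) was already in place; what was missing was the comparison and the refusal.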

Lanham Act Claim: With respect to the Lanham Act claim, Register argued that it was entitled to immunity as a registrar and in any event Baidu failed to adequately allege the elements for contributory trademark infringement.

The court rejects the registrar immunity argument out of hand (registrars are only entitled to immunity when they act as registrars - i.e., "when [a registrar] accepts registrations for domain names for customers"). However, the court agreed with Register that Baidu failed to allege the elements for contributory trademark infringement. Citing to Inwood Labs., Inc. v. Ives Labs., Inc. (a flea market case) the court notes that contributory liability only attaches where the defendant either intentionally induces infringement or continues to supply products or services to the infringer where the defendant knows or has reason to know that the infringer is engaged in infringement. The court also cites to the Tiffany v. eBay case (discussed by Professor Goldman here).

___

The interesting aspect of this case is the fact that Register's broad contractual protections did not protect it against Baidu's claims. It's unclear as to whether the court's ruling would encompass a situation where someone just plain hacked into Register's system and gained access to Baidu's accounts. I would think not. Disclaimers often insulate service providers (see Duffy v. The Ticketreserve and Grace v. Neeley) but here the facts alleged by Baidu with respect to Register's negligence were pretty egregious. Given the exception in New York law for gross negligence and reckless conduct, I'm not sure any sort of limitation/disclaimer could have saved Register here.

The trademark claims are curious. To be honest, I can't even see where there's basic trademark infringement by the cyber-attacker. The cyber-attacker was not interested in selling any products or services, and the Baidu webpage text clearly stated that the website had been hacked. Moreover, any finding of infringement would have been based on the much-discredited initial interest confusion doctrine. In any event, it's tough to see - given Baidu's allegations of an attack - how Register would have harbored the requisite knowledge to have been able to prevent the infringement.

It's worth noting also that this isn't a typical domain name conversion case (à la sex.com). The case is really about failed security procedures and the ease of gaining access to an account through social engineering. There's a big lesson in the Register rep's alleged dealings with the cyber-attacker.

Added: This interview with Elisa Cooper by Dancho Danchev ("Hundreds of High Profile Sites Unprotected From Domain Hijacking") looks at the efficacy of using Verisign's "Registry Lock Service." Some interesting bits from the interview:

1. The Registry Lock Service offers protection at the registry level, so even if the registrar account is compromised, the attacker will be unable to update any domain settings.
2. Elisa notes that DNS hijacking may only amount to a PR/brand hit unless the website is collecting information or conducting transactions.
3. "[D]omains that are registered by large retail registrars are . . . highly vulnerable to social engineering attacks." [That's exactly what happened in the Baidu case.]

Of course, the registrar does not have an obligation to implement the additional security measures that are mentioned in the interview. It would be up to the registrant to do so.

Posted by Venkat at 11:54 AM | Domain Names, Licensing/Contracts, Privacy/Security, Trademark



July 26, 2010

Facebook's Anti-Spam Filter Blocks Legitimate Conversations about Power.com

By Eric Goldman

On Friday, Venkat and I posted about the latest ruling in Facebook v. Power.com. After Venkat or I make a blog post, I typically post the blog headline and URL to Twitter. I have enabled the app that makes my Twitter posts into my Facebook status reports as well, so the headline and URL on Twitter should automatically propagate to Facebook. On Friday, I tweeted the following:

"Blog Post: Important ruling on California's anti-computer trespass statute--Facebook v. Power.com http://bit.ly/bM7hQT"

However, I noticed that the Twitter-to-Facebook app didn't work properly and the headline didn't appear. So I tried to manually enter the headline and URL and got this message from Facebook:

"This message contains blocked content that has previously been flagged as abusive or spammy. Let us know if you think this is an error."

I do think that's an error, and I reported the problem through Facebook's automated reporting tool on Friday. Not surprisingly, I still haven't gotten a response to that. But I was baffled how my headline and URL could have been "flagged as abusive or spammy." Who flagged it? Why?

After a little more experimentation, I discovered that every instance of the character string "power.com" is blocked in Facebook. Therefore, every time I put "power.com" into my status reports or in comments to those status reports--even if it's the only content in the post/comment--I get the "blocked content" message. However, it's easily avoided; I can post "power . com" (notice the spaces before and after the period) just fine. Basically, Facebook is using a very dumb word filter.

I emailed my PR contacts at Facebook about this. They pointed to their anti-spam filter and this blog post from June. The blog post explains that "we've been working to improve our warnings and make them more clear" and that "people misunderstand one of these systems. They incorrectly believe that Facebook is restricting speech because we've blocked them from posting a specific link."

So this is where things have gone wrong. Facebook told me it has blocked Power.com because "we found that Power was spreading links to its pages in a way that violated our Statement of Rights and Responsibilities. For example, when a Power user accessed Facebook, Power would automatically create an event on Facebook (typically called 'Power.com Party' or something similar) without the person's knowledge or permission. It would then send invitations to all of the user's friends." Fair enough, and I'm glad Facebook is trying to keep its system safe for users.

However, Facebook's dumb word filter block means that every reference to "power.com," even if it's in plaintext and not linkable, is still treated as a link and therefore is blocked as well. The messaging then disparages the plaintext reference as "blocked content that has previously been flagged as abusive or spammy" when, in fact, a link to the URL, not the plaintext reference I made, has been flagged. So much for clearer error messages.

I pointed out to Facebook's spokespeople the difference between a plaintext reference to a company's name ("Power.com") and a spammy URL/link. Their response? "Spammers turning their malicious urls into plain text is the oldest trick in the book. Not blocking all of the variations of a bad URL leaves a gaping hole."

There is a kernel of truth to this, of course. A plaintext URL is not materially different from an active hypertext link--if the user chooses to cut-and-paste the link into the browser (or right-clicks on it, or whatever). However, Facebook's method of blocking spammy links by blacklisting every instance of the character string actually has the effect of blocking *every* discussion of a blacklisted company with the name [noun].[tld]. Because the main word in the name is a noun (e.g., "Power"), referencing the name without the TLD can lead to semantic ambiguity. However, the system prevents me from using the complete name (Power.com) because it can't distinguish between a link and a plaintext reference to a company's name that acts as a URL. I received a private email that another Facebook user encountered a similar block with the string seppukoo.com, the Facebook suicide tool.

In my case, the net consequence is that Facebook automatically blocks any conversations involving the string "power.com"--including my headline to my blog post--and provides an error message telling me that I am posting spammy/abusive content when I try to make the posting, which makes me feel like I did something wrong. With all of the bright engineers at Facebook, I bet they could figure out a way to more precisely tune the filter so that a plaintext reference to [noun].[tld] gets through while active links to that URL, or more fulsome plaintext URLs, remain blocked.
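To make the distinction concrete, here is an added example (not code from the post and not Facebook's filter, whose internals the post does not describe) in Python: the "dumb word filter" as the post characterizes it, blocking any occurrence of the string, beside a link-aware filter along the lines the post proposes, which blocks the blocked domain only when it appears in link form (with a scheme, a `www.` prefix, or a trailing path/query/port) and lets a bare plaintext mention of the company name through. The blocklist, the regexes and the sample posts are constructed assumptions; the headline is the one quoted in the post.

```python
import re
from typing import List, Tuple

# Constructed blocklist: the post names these two strings as ones Facebook blocked.
BLOCKED_DOMAINS = ("power.com", "seppukoo.com")


def naive_filter(text: str) -> bool:
    """The 'dumb word filter' as described: block whenever the string appears at all,
    even as a plaintext company name with no link around it."""
    lowered = text.lower()
    return any(domain in lowered for domain in BLOCKED_DOMAINS)


def _normalize(text: str) -> str:
    """Collapse 'power . com' style spacing (a space on both sides of the dot inside a
    token) so that spacing alone does not decide the verdict. Sentence-ending periods
    have no space before them and are left alone."""
    return re.sub(r"(?<=\w)\s+\.\s+(?=\w)", ".", text)


def _link_regex(domain: str) -> "re.Pattern":
    d = re.escape(domain)
    return re.compile(
        r"https?://\S*?\b" + d + r"\b"       # explicit scheme, e.g. http://power.com/...
        r"|\bwww\." + d + r"\b"               # www. prefix
        r"|\b" + d + r"(?=[/?#:]\S)",         # domain followed by a path, query, fragment or port
        re.IGNORECASE,
    )


_LINK_RES = [_link_regex(d) for d in BLOCKED_DOMAINS]
_MENTION_RES = [re.compile(r"\b" + re.escape(d) + r"\b", re.IGNORECASE)
                for d in BLOCKED_DOMAINS]


def link_aware_filter(text: str) -> str:
    """Return 'block-link' when a blocked domain appears in link form,
    'allow-mention' when it appears only as a bare name, and 'allow' otherwise."""
    normalized = _normalize(text)
    if any(rx.search(normalized) for rx in _LINK_RES):
        return "block-link"
    if any(rx.search(normalized) for rx in _MENTION_RES):
        return "allow-mention"
    return "allow"


def compare(posts: List[str]) -> List[Tuple[str, bool, str]]:
    """Side-by-side verdicts for a batch of constructed sample posts."""
    return [(p, naive_filter(p), link_aware_filter(p)) for p in posts]


if __name__ == "__main__":
    samples = [
        "Blog Post: Important ruling on California's anti-computer trespass statute"
        "--Facebook v. Power.com http://bit.ly/bM7hQT",
        "Join the party at http://power.com/party",
        "power.com/invite?u=1",
        "power . com is suing Facebook",
    ]
    for post, naive, aware in compare(samples):
        print(f"naive={naive!s:5} link-aware={aware:14} {post}")
```

The post quotes Facebook's rejoinder that plaintext URLs are "the oldest trick in the book," and the link-aware filter concedes that point for anything that looks like a URL (a path, a scheme, a `www.` prefix); what it declines to do is treat a two-token company name as a link. The `_normalize` step shows that catching the spacing trick the post mentions is independent of that choice: once normalized, "power . com" is judged on the same terms as "power.com".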

That is, assuming Facebook actually wants to enable Facebook users to talk about Power.com or Seppukoo.com or other enterprises that threaten the Facebook franchise. Frankly, I haven't seen much evidence of Facebook's interest in those conversations. In light of Power.com's antitrust challenges against Facebook, the fact that Facebook's system suppresses legitimate conversations about Power.com (whether it had a censorious intent or not) struck me as particularly noteworthy.

Posted by Eric at 10:33 AM | Content Regulation, Domain Names, Privacy/Security, Spam | TrackBack



July 23, 2010

Judge Denies Facebook’s Request for Judgment on the Pleadings and Strikes Power.com Counterclaims -- Facebook v. Power.com

[Post by Venkat, with additional comments by Eric]

Facebook v. Power Ventures, Inc., Case No. C 08-05780 (N.D. Cal. July 20, 2010)

Background: Facebook and Power Ventures (Power.com) have been locked in a battle over whether Power.com should be allowed to access Facebook on behalf of users outside Facebook’s developer channels. Facebook wants all developers to go through its channel. Power.com seemed to go down that path but decided at some point that it didn’t like Facebook’s developer channel. It accessed (on behalf of its users) Facebook’s network. Facebook sued, and Power.com became an unlikely poster child for why data portability is important.

There’s been a lot of motion practice in this case. Facebook brought the typical array of copyright/Computer Fraud and Abuse Act claims that survived a motion to dismiss from Power.com. Power.com brought antitrust counterclaims that the court knocked out (with leave to amend). Facebook focused its attention on its claims under the California computer crime statute (section 502), and moved for judgment on the pleadings. EFF filed an amicus brief arguing for a narrow construction of the statute. (In the meantime, there was a recusal by the judge who initially drew the case and dealt with the preliminary motions.) The court now deals with Facebook’s request for summary judgment or judgment on the pleadings that Power.com violated section 502, as well as a few other motions.

The Court’s Treatment of the Claims:

Standing under section 502: Power.com argued that Facebook lacked standing under section 502. The court easily disposes of this argument by noting that Facebook was forced (or decided it was prudent) to implement technical measures following its discovery that Power.com accessed its network. The court notes that there’s no dollar amount threshold, and rejects Power.com’s attempt to rely on its declaration that Facebook would not have had to invest any substantial amounts to implement these new technical measures.

Power.com’s liability under section 502: Facebook argued that Power.com accessed Facebook’s network without authorization because it exceeded the scope of the authorization allowed by Facebook’s terms of service. The court looks to the legislative history behind section 502 and declines to give legislative statements the broad-reaching meaning that Facebook urges. Facebook argued that any access in excess of authorization constitutes a violation of section 502, and the court doesn’t seem to agree with this. EFF filed an amicus brief arguing for a narrow interpretation of section 502. EFF also argued that Power.com’s actions did not violate section 502. The court settles on an interpretation of section 502 that requires some sort of circumvention of:

Technical or code-based barriers that a computer network or website administrator erects to restrict the user’s privileges within the system, or to bar the user from the system altogether.

[The court also drops a footnote noting that even though the defendant may not be liable under section 502, the defendant may still be liable for breach of contract. The footnote does not mention claims under the Computer Fraud and Abuse Act.]

Ultimately, the court leaves Facebook room to still make out a claim but says that (under section 502 at least) it can’t merely be based on a terms of service violation:

the Court finds that Power did not act “without permission” within the meaning of Section 502 when Facebook account holders utilized the Power website to access and manipulate their user content on the Facebook website, even if such action violated Facebook’s Terms of Use. However, to the extent that Facebook can prove that in doing so, Power circumvented Facebook’s technical barriers, Power may be held liable for violation of Section 502.

Power.com’s counterclaims based on Facebook’s alleged anti-competitive conduct: Facebook moved to dismiss Power.com’s antitrust claims against Facebook. The court focuses on Power.com’s allegations about Facebook’s acquisition of monopoly power. According to Power.com, Facebook gained monopoly power by allowing users to invite their friends (and making it easy) and allowing people to access other networks through Facebook, while at the same time not allowing people to access Facebook through other networks. Power.com also alleged that Facebook asserted baseless intellectual property claims to dissuade new entrants into the market.

The court rejects these arguments, finding that Facebook has no obligation to allow others to access its network and it can set the terms of access without running afoul of antitrust rules. The court also finds that taking steps to protect its rights does not mean that Facebook is engaging in anti-competitive behavior.

Power.com’s affirmative defenses: The court previously struck Power.com’s affirmative defenses of copyright misuse and fair use. Power.com amended their pleadings and the court lets these affirmative defenses stand. The court’s discussion is a little sparse on whether these defenses actually are viable, but the court declines to strike them on the basis that the allegations provide Facebook with enough facts to put Facebook on notice as to what is being claimed.
__

I’d say overall it was not a big loss for Facebook. It still has viable claims under the Computer Fraud and Abuse Act and potentially copyright (in addition to auxiliary spam and other) claims. It has a chance to prove a violation of section 502 by showing that Power.com engaged in circumvention of a technical measure (IP address blocking, or additional security measures which Facebook implemented).

This is somewhat of a win for EFF, which got a ruling with a narrow construction under section 502. I’m not sure how useful this ruling will be in the Computer Fraud and Abuse context. Also, the court’s willingness to use circumvention of any technical measure to find a violation of section 502 sets a low bar. Still, in the garden variety context where an individual accesses a network in violation of the terms of service, section 502 claims don’t seem as likely (under the court’s ruling).

Power.com continues to slog it out. I’m guessing it will see this litigation as fairly unprofitable sooner rather than later, particularly with its antitrust claims out the window (I can’t imagine they thought these were terribly viable to begin with, judging by their initial set of allegations). Of course, they can bring their affirmative defenses and engage in some discovery, but this is not likely to bend the will of a company such as Facebook.

Additional Coverage:

Wendy Davis: “Facebook Rebuffed In Case Against Social Aggregator Power.com”

ars technica: “Social network aggregator no crook for violating Facebook TOS”
________

Eric's comments: A very small number of rulings have interpreted California Penal Code Sec. 502, the state law analog to the Computer Fraud & Abuse Act and a partial statutory codification of common law trespass to chattels. Based strictly on the statutory wording, Penal Code 502 (which authorizes civil suits in addition to being a criminal sanction) is the most plaintiff-friendly of the three doctrines because it does not require the plaintiff to show any minimum quantity of loss or harm from the defendant's conduct.

This ruling partially reinforces why Penal Code 502 remains the most plaintiff-friendly of the three doctrines. Effectively, Facebook made the requisite showing of harm from Power.com's conduct even though Facebook's only purported harms appear to be remediation efforts. As the court says:

Defendants’ admissions that Facebook attempted to block Power’s access and that Power provided users with tools that allowed them to access the Facebook website through Power.com demonstrates that Facebook expended resources to stop Power from committing acts that Facebook now contends constituted Section 502 violations.

This is a bootstrapped type of loss that will be true in almost every anti-server use case.

The court then takes a decidedly less favorable turn when it comes to the authorization/permission question. Many CFAA rulings have allowed user agreements to delimit the authorized use of the plaintiff's servers. The court rejects that approach here, saying, in effect, that because Penal Code 502 is a criminal statute, allowing the user agreement to establish the boundaries of permitted server use is improper. I agree with that statement (some of you may recall my posts about the Lori Drew prosecution, conviction and dismissal). However, I would note Facebook's lawsuit is a civil case, not a criminal case, so the court could have distinguished between the legal requirements of criminal and civil cases. In particular, it was odd to see the court discussing constitutional limits to criminal prosecutions in a case where neither litigant really cared directly about the scope of criminality.

Even if the contract does not provide adequate notice to defendants, the court allows plaintiffs to delimit the permitted/authorized use of their servers technologically, and transgressions of those technological limits appear to satisfy the Penal Code 502 requirements and the constitutional protections applicable to a criminal prosecution. The court says:

the Court finds that accessing or using a computer, computer network, or website in a manner that overcomes technical or code-based barriers is “without permission,” and may subject a user to liability under Section 502.

This is because defendants are adequately put on notice when they encounter a technical block and try to route around it; therefore, with the technical block requirement, the statute will satisfy even the more stringent notice requirements of criminal law. There remained a factual dispute about Facebook's technical blocking efforts in this case based on the procedural posture of the case, so that point remains open for now.

If this case ends up setting the precedent that a user agreement cannot set the boundaries of authorized uses of computer servers in the California Penal Code Sec. 502 context, then this is a pretty important ruling. However, I don't really believe that result will necessarily be reached in other cases, especially given that Judge Ware disagreed with Judge Fogel's ruling in Facebook v. ConnectU on the same question.

In Cyberlaw I teach that an anti-computer trespass civil claim satisfying these four elements will probably win:

* Third party system use
* Damage
* Actual notice that use unpermitted
* Technological self-help

If Facebook can show these four elements, it has a good chance at winning the Penal Code 502 case; indeed, this ruling indicates that under Penal Code 502, the damage element is easy to meet and the notice/self-help elements effectively merge together. If you are prepping an anti-trespass case, the more clearly you can show all four elements, the more likely the court will find a legal doctrine to help you.

Posted by Venkat at 12:29 AM | Content Regulation, Licensing/Contracts, Privacy/Security



July 13, 2010

AOL's Disclosure of Search Data May Support Claims Under California Law

[Post by Venkat]

Does v. AOL LLC, Case No. C06-5866 SBA (N.D. Cal.; June 22, 2010)

Plaintiffs bringing a class action against AOL for improper disclosure of search data scored an initial victory in the Northern District of California. The court denied AOL's motion for judgment on the pleadings and allowed claims (under California consumer protection laws) to go forward.

Background: AOL "records and stores member search queries in a manner rendering it possible to connect the stored search queries with a particular member." In July 2006 AOL "packaged" (??) approximately 20 million search records into a database which it then inadvertently posted on its website "for the public to download." The database contained records of 685,000 AOL members that were stored in a two month period in 2006. The disclosed data includes sensitive information such as names, social security numbers, addresses, telephone numbers, credit card numbers, user names, passwords, and financial bank/account information.

Shortly after it posted the database, AOL pulled the database. However, by this time it had been downloaded and reposted on other websites. According to the complaint, "AOL's response to the disclosure has been to do nothing." AOL attempted to impose conditions on third parties who downloaded the database but it hadn't taken any action to restrict such use.

Plaintiffs sued alleging federal claims (under the Electronic Communications Privacy Act) and state claims (under section 1750 and California false advertising statutes).

Discussion: The case is in an atypical procedural setting, but one that may be helpful to plaintiffs. AOL initially moved to dismiss and have the case transferred to Virginia based on the venue clause in its Member Agreement. The district court agreed and initially dismissed the lawsuit so it could be re-filed in Virginia. The Ninth Circuit reversed (in 2009) and held that the venue provision in AOL's Member Agreement was unenforceable as to California residents bringing claims under "California consumer law." On remand AOL moved to dismiss one of the named plaintiffs who is not a California resident and dismiss the claims that did not arise under California consumer law. The district court granted that motion. Plaintiffs appealed and asked the district court to stay resolution of the California consumer law claims until the Ninth Circuit resolves the issue of whether the remaining claims were properly dismissed. [That's a lot of procedural wrangling!]

Standing to seek injunctive relief: The court denies plaintiffs' motion to stay. Moving on to the substantive claims, the complaint seeks an injunction, and AOL argued that plaintiffs lacked standing to seek injunctive relief. Injunctive relief would be available if there's some risk that the complained-of conduct would continue to occur. The court finds that plaintiffs had the requisite standing because plaintiffs alleged that AOL engages in a practice of storing search queries and "has taken no steps to ensure that such information is not disclosed again."

California Consumer Legal Remedies Act: AOL argued that plaintiffs did not sufficiently plead injury under the CLRA. The court notes that the CLRA sets a "low but nonetheless palpable threshold of damage," but encompasses harm "other than pecuniary damages." Getting to plaintiffs' allegations, the court notes that AOL allegedly "held itself out to the market as being a leader in internet security and privacy and represented . . . that its service was 'safe, secure and private.'" The information disclosed by AOL includes highly sensitive information such as financial information and social security numbers. "Also disclosed was information regarding members' personal issues, including sexuality, mental illness, alcoholism, incest, rape, adultery, and domestic violence." [emphasis added] The court concludes that this is more than enough to allege injury under the CLRA.

AOL also argued that the CLRA claim sounded in fraud and must be pled with particularity. The court finds that plaintiffs satisfied this requirement, in specifying that "misrepresentations were made in AOL privacy policy and other statements posted on AOL's website, and that the representations were false in that they assured members that AOL would endeavor to maintain the privacy and security of their personal confidential information." AOL finally argued that plaintiffs failed to allege causation, but the court quickly dispenses with this argument, noting that where there are representations in a privacy policy regarding safeguarding personal data, a reasonable consumer would only sign up and disclose personal information in reliance on the representations contained in the privacy policy. At the end of the day, plaintiffs' CLRA claims are allowed to move forward.

UCL and FAL: AOL's arguments around the unfair competition and false advertising laws were similar to its arguments against the CLRA claims. The court rejects these arguments. Finally, the court dismisses plaintiffs' claims under the "Consumer Records Act," which requires businesses to take "reasonable steps" to dispose of customer records when they are no longer "retained" by the business. The court (citing to the legislative history) notes that the statute was intended to prevent "dumpster diving," and was not intended to encompass the situation in the present case.

__

It's tough to assess what happened (and what will happen) at the pleading stage, but if AOL really disclosed those sensitive records and didn't take any steps to remedy the situation what was AOL thinking?

It's been blogged to death that breach of a privacy policy is not actionable in the typical consumer context. (See for example: "When Does a Privacy Policy Breach Support a Breach of Contract Claim? In re JetBlue;" "9th Circuit Affirms Rejection of Data Breach Claims Against Gap [citing cases].") What's different here? For one thing, there's a statute which has a pretty low threshold for damages, and plaintiffs are wisely avoiding the negligence route. To the extent these are paying customers, they also can argue disgorgement and get their money back (or a portion of it). Finally, they're arguing about the disclosure of information (intimate and personal details) where the harm lies in the disclosure and not the misuse of the data.

It was also interesting to see that the court focused on flowery language in AOL's privacy policy. The FTC did something similar in its informal investigation of Twitter. ("The FTC Dings Twitter's Security Practices -- What Does This Mean for Everyone Else?.")

The case is a reminder of the huge quantity of personal information that networks store about users. One can never be reminded of this often enough.

Other coverage: Wendy Davis (MediaPost): "AOL Suffers Blow In Lingering 'Data Valdez' Case."

_______

Eric's Comments: In retrospect, AOL's decision to release the dataset was, at best, an ill-considered decision (and one that already cost several AOL employees their jobs). However, AOL claimed to release the dataset for research purposes, and it remains one of the few public datasets of how actual users search. (For obvious reasons, I don't anticipate new ones being posted any time soon.) While it's hard to praise AOL here, the lawsuit has problems of its own. For one, Venkat mentions the damages/harm problem. Also, the ECPA claim raises the disconcerting specter that search queries are private communications between searchers and search engines--a legal proposition with potentially far-reaching effects that I've never been able to wrap my head around. If you want more information on these issues, this case is one of several explored in Paul Ohm's paper on re-identification that I've praised repeatedly.

Posted by Venkat at 11:56 AM | Privacy/Security , Search Engines



July 11, 2010

Q2 2010 Quick Links Part 3 (Special Facebook Edition)

By Eric Goldman

It’s been an exciting quarter for Facebook, which earned its own special quick links edition. I’ve also been prompted to take a step back and reassess my relationship with Facebook.

From about 2007 through 2009, I really loved Facebook. It was a valuable tool that allowed me to do things I wanted to do and talk with people I wanted to talk with. As a result, during that time, Facebook was an essential part of my daily routine.

Then, something went wrong. It wasn’t really one single thing, but rather the accumulation of a series of missteps. For example, I was highly irritated that Instant Personalization required me to opt-out in FOUR different places. I’m a highly educated man and a reasonably sophisticated Internet user, but I couldn’t be sure if I had done everything required to completely opt out. That’s terrible.

Perhaps the last straw was this New York Times interview with Elliot Schrage of Facebook, which caused me to do a double-take when I saw this gaffe:

[Reader Q:] “Why not simply set everything up for opt-in rather than opt-out?...”

[Schrage answer:] “Everything is opt-in on Facebook. Participating in the service is a choice….”

What??? Sorry, but I’m going to have to call BULLSHIT on that. This is one of those “black-is-white” word twists that practically begs for an FTC enforcement action. It’s true that I “opted in” to voluntarily create a Facebook account, and it’s also true that I voluntarily participate in the service. However, it is not true that I therefore have “opted in” to every subsequent product choice Facebook makes, ESPECIALLY WHEN FACEBOOK CHANGES how it handles user data. A user does not “opt-in” to a new product change unless the user knowingly and affirmatively assents to the change—which Facebook didn’t solicit, especially when it launched Instant Personalization on an opt-out basis. As a result, I have to assume that Schrage’s response was either knowingly disingenuous or unbelievably naïve. Either way, I don’t really want to spend a lot of time with a service that doesn’t understand something as fundamental as the proper definition of “opt-in.”

So Schrage is right that I can choose to participate in the service, and I’m largely choosing not to. Three examples:

1) I used to have my profile fully public--and therefore fully indexable in the search engines--but I have since changed my profile to be visible only to friends. I’m not trying to keep secrets or maintain a dual persona; in fact, I don’t say anything different on Facebook than I would say elsewhere. I just don’t want Facebook to get my indexable content or any link love.

2) I have reengaged my Twitter-to-Facebook API so that my Twitter posts automatically populate to the Facebook newsfeed, which further reduces my visits to Facebook.

3) I used to read my newsfeed pretty religiously and comment on other folks’ posts routinely, but I rarely do that now. I had already reduced my commenting after a previous Facebook product change automatically posted my comments to my newsfeed despite my explicit opt-out of such postings.

Personally, I think this is how Facebook is going to go down. It’s not going out in a fiery blaze of mass account deletions. Instead, it will atrophy from the collective but individual decisions of people choosing to spend less time on Facebook and spend that time elsewhere. (I talk about this disengagement phenomenon in the context of virtual worlds here). That’s certainly what I’m doing. Indeed, there is some evidence that Facebook’s traffic is plateauing, so perhaps I’m not the only disengaging user. This is why new account signups aren’t the right measure of Facebook’s success any more, especially when the new accounts are coming from late adopters like my mom and my mother-in-law (both recent signups), both of whom have no idea what to do with their accounts and are not actually engaging in the service.

When Facebook reaches the negative tipping point, no one will go there because no one else is posting interesting content—a self-reinforcing downward spiral. As a prime example, I still have my Orkut and Friendster accounts, but I can’t imagine why I would go back because neither service offers any interesting content to me. Similarly, Facebook may become a virtual depopulated ghost town with interesting relics.

Other interesting links regarding Facebook’s imbroglio from last quarter:

* EFF: Facebook's Eroding Privacy Policy: A Timeline.

* “How Do I Delete My Facebook Account” is a popular search, which has led to bonus traffic for wikiHow’s web page on the topic. However, as I said, I don’t expect mass account deletions; mass account disuse is much more likely.

* Chris Kelly, Facebook’s former Chief Privacy Officer, disavowed himself from Facebook’s product changes as part of his unsuccessful candidacy for California attorney general. I hear you, Chris, but maybe could you tell us a little more about Beacon…wasn’t that on your watch??? The NYT recaps how Kelly’s Facebook background was a mixed bag for his campaign.

* EFF: Facebook should follow its own principles.

* CNET’s retrospective on some of Facebook’s missteps over the years. One they missed: Facebook v. Power.com. I am not entirely sympathetic to Power.com based on existing legal doctrine. However, the whole lawsuit would be completely unnecessary if Facebook provided a bona fide tool that lets users port their own data off Facebook—something Facebook has shown zero interest in doing. (Recall, for example, the Facebook representative painfully ducking the data portability question at the FTC’s Berkeley privacy workshop).

* Facebook’s product crisis caused an internal rift among Facebook execs.

A couple of other Facebook tidbits from the last quarter:

* Facebook's automated "Community Page" generator is leading to some wacky results for law firms.

* NYT: High school students are changing their Facebook names to aliases during college admission season.

Posted by Eric at 11:30 AM | Privacy/Security | TrackBack



July 07, 2010

Q2 2010 Quick Links Part 2

By Eric Goldman

Marketing and Advertising

* Good talk from FTC Chair Leibowitz: “we have great hopes for self-regulation….So long as self-regulation is making forward progress, the FTC is not interested in regulating” behavioral targeting.

* NYT on teaching middle schoolers how to interpret ads. We're going to need to teach kids how to consume information if we have any chance to survive infoglut.

* The LA Times and Chicago Tribune are integrating paid text links into story content.

* Search Engine Land: Google: Now Recommending Brands For Searches.

* Keeller v. Groupon Inc., No. 10 CH 8666 (Ill. Cir. Ct. Cook Cty. March 2, 2010). Groupon settles lawsuit over expired and unused coupons.

* NYT: Online coupons may not be as anonymous as people assume.

* An inside look at the MPAA's self-regulatory effort to police movie ads.

* Avi Goldfarb & Catherine Tucker, Privacy Regulation and Online Advertising.

* Microsoft sues for click laundering. Coverage at Search Engine Land and WSJ

* The FTC shut down Pricewert/3FN.net.

Contracts

* News.com: Second Life sued by its users for changing the terms of land “ownership.” Evans v. Linden Research complaint.

* Shell v. AFRA: website venue selection clause not binding just because web visitors viewed it.

* Omri Ben-Shahar & Carl E. Schneider, The Failure of Mandated Disclosure. This paper shows why mandatory disclosures fail in part because regulators think in terms of what consumers SHOULD want to know rather than what information consumers ACTUALLY want to know.

* WaPo: Reality TV secrets are hard to keep in the age of social media. My 2003 analysis of using contract law to keep reality TV secrets.

* Want to be on the TV show Survivor? Check out its contract first.

* Anderson v. Bell, No. 20100237 (Utah June 22, 2010): “electronic signatures may satisfy the Election Code’s requirements under section 20A-9-502 regarding unaffiliated candidates wishing to run for statewide office.” Tom O’Toole’s writeup.

Trademarks/Copyrights

* Jim Jansen: “Only 4% of sponsored ads were triggered by competitors’ trademarked terms. When it does happen, the results are pretty much what consumers are used to seeing, so there doesn't appear to be many negative consequences….Thus, competitive use of trademarked terms to trigger online ads does not appear to be a widespread phenomenon and is similar to the query suggestion feature that many search engines employ.”

* Michael Geist on the first Canadian keyword advertising ruling (a nice defense win).

* 2010 Joint Strategic Plan on Intellectual Property Enforcement.

* Qassas v. Daylight Donut Flour Company LLC, No. 09-663 (N.D. Okla. June 10, 2010). A company and its entrepreneur are liable for their web developer's infringements when creating the company's own website.

Miscellaneous

* Stephen Wu on Estate Planning for Online Assets

* Declan at News.com lauds Justice Stevens' Internet jurisprudence. We owe Justice Stevens many thanks for helping the Internet bloom.

* Anthony v. Yahoo!, Inc., 2010 WL 1552819 (9th Cir. April 20, 2010). Upholding Yahoo's settlement in a class action lawsuit over its online dating site. My original blog post on the case.

* Tom O'Toole reports on various stupid state efforts to regulate technology, inadvertently making the case that they are a terrible laboratory of experimentation.

* Vacation Club Services Inc. v. Rodriguez (M.D. Fla. April 22, 2010). No CFAA action against the buyer of data from a database the seller allegedly acquired in violation of the CFAA.

* Lawyers behaving badly on the Internet.

* 23 state AGs have contacted Topix about its takedown procedures, including its fee for expedited takedown review.

Posted by Eric at 03:18 PM | Copyright , E-Commerce , Licensing/Contracts , Marketing , Privacy/Security , Search Engines , Trademark , Virtual Worlds | TrackBack



June 24, 2010

The FTC Dings Twitter's Security Practices -- What Does This Mean for Everyone Else?

[Post by Venkat]

In the Matter of Twitter, Inc. (FTC; June 24, 2010) (Consent Order) (FTC Press Release)

Twitter recently agreed to a consent order with the FTC that requires Twitter to implement a variety of security measures with respect to "nonpublic consumer information" of Twitter users. The FTC probe (which was resolved by agreement) stemmed from highly publicized security breaches where hackers gained "unauthorized administrative control of the Twitter system." In the first incident, hackers gained control of 35 high profile Twitter accounts, including the accounts of Bill O’Reilly, Britney Spears, the Huffington Post, and Facebook. Separately, someone gained access to a Twitter employee's email account, which contained the employee's admin password for Twitter.

The consent order requires Twitter to implement a variety of security features which are above and beyond what many sites have in place. The consent order also requires Twitter to undergo a periodic audit by an outside auditor, and comply with some onerous-looking record-keeping requirements (retain consumer complaints, "widely-disseminated statements" about its security and privacy practices, etc.). Interestingly, the FTC faulted Twitter for failing to comply with security standards which many sites probably do not meet:

• requiring employees to use hard-to-guess administrative passwords that are not used for other programs, websites, or networks;
• prohibiting employees from storing administrative passwords in plain text within their personal e-mail accounts;
• suspending or disabling administrative passwords after a reasonable number of unsuccessful login attempts;
• providing an administrative login webpage that is made known only to authorized persons and is separate from the login page for users;
• enforcing periodic changes of administrative passwords by, for example, setting them to expire every 90 days;
• restricting access to administrative controls to employees whose jobs required it; and
• imposing other reasonable restrictions on administrative access, such as by restricting access to specified IP addresses.
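To make the listed controls concrete, here is an added example (not from the post or the consent order) of a small policy evaluator that applies four of them to constructed administrative login attempts: a failed-attempt lockout, a source-IP allowlist, a 90-day password age limit and a job-role check. The five-attempt threshold, the 203.0.113.0/24 range, the role names and the sample accounts are assumptions.

```python
"""Evaluator for administrative-access controls of the kind listed in the
Twitter consent order. Added example; every threshold and name below is an
assumption, not something taken from the order or from Twitter."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

MAX_FAILED_ATTEMPTS = 5                 # assumed "reasonable number" of failures
PASSWORD_MAX_AGE = timedelta(days=90)   # the order's example expiry period
ADMIN_NETWORKS = [ip_network("203.0.113.0/24")]  # assumed office range (TEST-NET-3)
ADMIN_ROLES = {"ops", "trust_safety"}   # assumed roles whose jobs require admin access


@dataclass
class AdminAccount:
    username: str
    role: str
    password_set_at: datetime
    failed_attempts: int = 0
    suspended: bool = False


def evaluate_login(account, source_ip, password_ok, now):
    """Return (allowed, reason) for one attempt and update the lockout state.

    Order of checks: existing suspension, job role, source-IP allowlist,
    password age, then the credential itself. A bad credential increments the
    failure counter and suspends the account once MAX_FAILED_ATTEMPTS is hit;
    a good credential resets the counter."""
    if account.suspended:
        return False, "account suspended"
    if account.role not in ADMIN_ROLES:
        return False, "role not permitted administrative access"
    if not any(ip_address(source_ip) in net for net in ADMIN_NETWORKS):
        return False, "source IP not in administrative allowlist"
    if now - account.password_set_at > PASSWORD_MAX_AGE:
        return False, "administrative password expired"
    if not password_ok:
        account.failed_attempts += 1
        if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
            account.suspended = True
            return False, "too many failed attempts; account suspended"
        return False, "bad credential"
    account.failed_attempts = 0
    return True, "ok"


def replay(account, attempts, now):
    """Run a sequence of (source_ip, password_ok) attempts; return the reasons."""
    return [evaluate_login(account, ip, ok, now)[1] for ip, ok in attempts]


def run_constructed_scenarios():
    """Constructed scenarios, one per control; returns {scenario: reasons}."""
    now = datetime(2010, 6, 24)
    inside, outside = "203.0.113.5", "198.51.100.7"
    guessing = AdminAccount("admin1", "ops", now - timedelta(days=10))
    return {
        # five wrong guesses from an allowed IP, then the right password
        "lockout": replay(guessing, [(inside, False)] * 5 + [(inside, True)], now),
        "offsite": replay(AdminAccount("admin2", "ops", now), [(outside, True)], now),
        "stale": replay(AdminAccount("admin3", "ops", now - timedelta(days=91)),
                        [(inside, True)], now),
        "wrong_role": replay(AdminAccount("mkt", "marketing", now), [(inside, True)], now),
        "healthy": replay(AdminAccount("admin4", "ops", now - timedelta(days=1)),
                          [(inside, True)], now),
    }


if __name__ == "__main__":
    for name, reasons in run_constructed_scenarios().items():
        print(f"{name:10s} {reasons}")
```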

The million dollar question, of course, is what this means for other websites. Should Facebook be taking a look at the consent order (which in any event is a useful best practices-type guide)? It's tough to say. One thing worth noting is that the FTC focused on language in the older version of Twitter's privacy policy:

The privacy policy posted on Twitter’s website stated that 'Twitter is very concerned about safeguarding the confidentiality of your personally identifiable information. We employ administrative, physical, and electronic measures designed to protect your information from unauthorized access.'

This language was contained in Twitter's initial privacy policy, but was removed from its privacy policy during a revision which Twitter implemented in November 2009. (Here's my blog post at the time, noting this change in particular: "The old policy made some statements regarding security measures implemented by Twitter which Twitter [wisely] removed from the current version.") While it's tempting to look at this settlement as the FTC taking a hard line on Twitter's current privacy and security practices, this may not necessarily be the case. The FTC focused on representations made by Twitter to end users (in its old policy) that may have lulled the end users into a false sense of certainty around Twitter's privacy and security practices. Either way, Twitter took on some pretty serious obligations as a result of the settlement.

I'm not sure what the moral of the story is here. One clear takeaway is to not include flowery language in your privacy policy or terms that provide end users false assurances about your security practices. Another one may be to not "borrow" your terms of service from another website (or be careful when drawing "inspiration" from another website when putting together your own terms of use and policies).

NB:
I noticed a few tweaks to Twitter's policy, which was revised a couple of weeks ago. The revised policy makes clear that: (1) Twitter tracks user interactions with links; and (2) Twitter uses more than just Google Analytics. Neither of these changes seems particularly material, although it's always nice to be reminded that websites track your interactions with links. Either way, I thought they were worth noting:

Links: Twitter may keep track of how you interact with links in Tweets by redirecting clicks or through other means. We do this to help improve our Services, including advertising, and to be able to share aggregate click statistics such as how many times a particular link was clicked on.

Third Party Services: Twitter uses a variety of services hosted by third parties to help provide our Services, such as hosting our various blogs and wikis, and to help us understand the use of our Services, such as Google Analytics. These services may collect information sent by your browser as part of a web page request, such as cookies or your IP request.

Added: The BBC reports (June 24, 2010) that "Obama's Twitter hacker receives a suspended sentence." According to French investigators, the hacker (Francois Cousteix) "deduced the passwords of Twitter administrators from public information on the web, thus gaining access to the accounts of important and famous individuals." Mr. Cousteix's actions spurred (in part) the FTC probe. Also, Gawker thinks that Twitter got off too easy: "The Pathetic Punishment of Twitter." Many people probably had the opposite reaction, but that's neither here nor there.

Additional coverage:
FTC analysis: [pdf] ("Analysis of Proposed Consent Order to Aid Public Comment, In the Matter of Twitter, Inc., File No. 0923093")
TechCrunch: ("FTC Bars Twitter 'For 20 Years From Misleading Consumers' About Privacy After 2009 Hacks")
Wired: ("Twitter Settles With FTC Over 'Happiness' Breach")
CNET: ("Twitter, FTC reach agreement on security")

Posted by Venkat at 02:23 PM | Privacy/Security



June 09, 2010

Judge Offers to Facebook 'Friend' Witnesses in Order to Resolve Discovery Dispute -- Barnes v. CUS Nashville

[Post by Venkat]

Barnes v. CUS Nashville, LLC, (M.D. Tenn) (June 3, 2010)

I mentioned Barnes v. CUS Nashville in my post about Crispin v. Audigier, a case where a court found that production of private Facebook messages and postings pursuant to a civil subpoena would be barred by the Stored Communications Act. In Barnes, the court also dealt with a civil subpoena to Facebook, and summarily denied a motion to compel, finding similarly that the Facebook information sought by the defendant was covered under the Stored Communications Act. The parties in Barnes engaged in further wrangling (wrangling is an understatement) over the Facebook information of plaintiff and other witnesses, and the magistrate judge came up with an interesting way to resolve the underlying discovery issues.

Barnes is a slip and fall case where plaintiff alleged claims based on injuries arising out of her fall one evening at the "Coyote Ugly" saloon in Nashville:

On or about September 19, 2008, Plaintiff was a business invitee of the Saloon and in that capacity was encouraged by employees of the Saloon to climb onto the Saloon's bar to dance. At the time of said encouragement, the Saloon's bar was wet and extremely slick. As a result of the Saloon's employee's encouragement, Plaintiff did attempt to climb onto the bar to be photographed with her friends. In so doing, Plaintiff slipped on the wet and slick bar and fell backwards a considerable distance, striking the back of her head on the ground.

Defendant subpoenaed Facebook for plaintiff's Facebook information, including photos of plaintiff and her friends dancing on the bar. The court quashed the subpoena to Facebook, and in response, defendant issued a subpoena to plaintiff's friends, who are witnesses in the case. The defendant sought photos posted by plaintiff and her friends that depicted the events on the night in question. The court finds that the subpoenas issued to these witnesses cannot be enforced by the district court in Nashville, and if defendant wants to move to compel, it must do so in Colorado and Kentucky, the districts from which the subpoenas were issued.

The magistrate judge chastises both parties for their failure to cooperate in the discovery process, and specifically calls out the defendant for its "mishandling of the Facebook subpoena." The judge then offers to create a Facebook account "for the sole purpose of reviewing photographs and related comments in camera . . . and disseminat[ing] any relevant information to the parties." Assuming the non-party witnesses (who will be located/contacted via email (!)) will accept the judge's Facebook friend requests, the magistrate judge agrees to review their Facebook information, provide any relevant information or photographs to the parties, and then close the Facebook account. (It doesn't seem like the court will store copies of the non-relevant portions of the Facebook pages, even under seal.)

I have to give credit to the court for coming up with this novel approach for resolving this issue. And they say judges are not technically savvy. It's nice to see a member of the judiciary who doesn't share the over-the-top view of Facebook friending that's held by the bar regulators in Florida. (That said, there may be a slew of issues lurking in the background here.)

To Magistrate Judge Brown: Nice work, your honor! You should keep in mind those pesky default privacy settings on Facebook. We wouldn't want you to friend the witnesses, and in the process, disclose to the entire world the private contents of their Facebook pages. Along these lines, I don't know the answer to this, but you should check the Facebook terms of use to make sure that your creation of a Facebook page and friending of these witnesses doesn't somehow run afoul of the Facebook terms of service.

Posted by Venkat at 10:56 AM | Privacy/Security



June 08, 2010

Google Street View Litigation Mania--Seven Class Action Lawsuits and Counting

By Eric Goldman

It appears that virtually the entire plaintiffs’ bar saw Google's blog post that it captured wi-fi payload data as part of its data collection for Google Street View. At least 7 class action lawsuits have been filed:

* Berlage v. Google (N.D. Cal. filed May 20)
* Carter v. Google (E.D. Pa. filed June 2)
* Colman v. Google (D.C. D.C. filed May 26)
* Galaxy Internet v. Google (D. Mass. filed May 25). I'm not sure about standing in this case because Galaxy Internet is an Internet access provider complaining that Google snooped on its customers' traffic.
* Keyes v. Google (D.C. D.C. filed May 28)
* Redstone v. Google (S.D. Ill. filed May 28, 2010)
* Van Valin v. Google (D. Ore. filed May 17). This is the first lawsuit filed, and it has already reached a ruling requiring Google to fork over the collected data.

Undoubtedly, all of these lawsuits (and any more still coming) will be consolidated into a single action. Let the jockeying for lead counsel position begin!

Looking at the group of complaints as a whole, I'm impressed with all of this previously undisclosed expertise with the ECPA, a notoriously tricky statute that I rank as one of the most indecipherable statutes of all time. With all of these newly identified ECPA experts, perhaps this will contribute to the birth of a new ECPA plaintiffs' bar?

It's remarkable that these lawyers were able to conclude to their satisfaction that their named plaintiffs in fact had their payload data captured in the process--presumably by confirming that payload data was actually being transmitted at the precise time the cars drove by. I'm not sure how I would research this issue sufficient to satisfy my Rule 11 obligation, but these attorneys surely didn't just assume Google captured their clients' payload data...did they?

Finally, it will be interesting to see how these cases will be affected by the countervailing legal trends requiring privacy breach victims to show some actual harm from the breach (see, e.g., Ruiz v. Gap). I'm not sure this showing will be required for the ECPA claims, but it could wreak havoc with the ancillary claims.

Posted by Eric at 06:27 AM | Privacy/Security , Search Engines | TrackBack



June 04, 2010

9th Circuit Affirms Rejection of Data Breach Claims Against Gap -- Ruiz v. Gap

[Post by Venkat with a few comments from Eric at the bottom]

Ruiz v. Gap, Inc. (9th Cir. May 28, 2010)

In a decision that does not bode well for plaintiffs bringing privacy-based claims against Facebook in California, the Ninth Circuit recently affirmed the trial court's rejection of data breach claims against Gap.

Facts: The case arose out of the theft of two laptop computers from a Gap vendor who processed job applications for Gap. The stolen laptops contained personal information of applicants who applied for a job at Gap. Ruiz, one of those applicants, brought claims on behalf of a putative class under theories of negligence, breach of contract, unfair competition (17200), the California constitution, and California Civil Code section 1798.85 (which addresses when a social security number could be required to access a website).

The district court rejected Ruiz's claims largely on the basis that he failed to articulate any cognizable injury. Increased risk of future harm was not sufficient to state a negligence claim under California law, and risk of future harm and credit monitoring were not recognizable damages for a breach of contract claim. In any event, Gap had offered credit-monitoring services, which Ruiz failed to avail himself of. (See Tom O'Toole's coverage of the case here.)

The Ninth Circuit's Ruling: The Ninth Circuit agreed with Judge Conti.

Negligence: With respect to the negligence claim, the court held that nominal damages cannot vindicate a "technical right" in the absence of "actual loss." While the court recognized that damages for monitoring may be available in the toxic exposure context, it declined to decide whether that rule should be extended to this context, given the total absence of evidence of any time or money spent on credit monitoring (and the fact that Ruiz failed to take up Gap's offer of credit monitoring, or demonstrate why it was insufficient).

Breach of Contract: With respect to the breach of contract claim, the court held that controlling Ninth Circuit authority holds that a breach of contract claim "requires a showing of appreciable and actual damage." This ruling is fairly consistent with the majority rule that breach of a privacy policy is not actionable absent a showing of economic loss, and increased monitoring generally doesn't qualify. In re JetBlue Airways Corp. Privacy Litigation is the seminal case, but many cases since have followed this route. In JetBlue, there was some discussion of whether a privacy policy even constitutes an enforceable contract in the first place, but ultimately, the court assumed that even if it constitutes a contract, a failure to allege damages is fatal. Cases since have included Pinero v. Jackson Hewitt, Bell v. Acxiom, and many, many others.

17200 (UCL) Claim: The court ruled that recovery under California's unfair competition statute is limited to individuals who suffer "actual losses of money or property." Ruiz could not make a colorable argument that he was entitled to any restitution from Gap, so this claim was a loser.

California Constitution: There were two problems with Ruiz's claim under the California constitution. First, cases have found that the breach must be egregious, and have yet to extend a cause of action under this theory to negligent or accidental conduct. Second, the court says Ruiz only alleges a "risk of privacy invasion, rather than an actual privacy invasion." In the court's eyes, the actual invasion only occurs when someone actually misuses the data which they obtained from Gap's vendor.

Section 1798.85: Ruiz also brought a claim under California Civil Code 1798.85. The court ruled that, by its terms, this section only required a person or entity conditioning access to a website on the use of an individual's social security number to also require the use of a password, a unique personal identification number, or an authentication device. Here, the social security number was not used to access the website of Gap's vendor, so the section did not apply.
___

This is not a surprising result. The overwhelming majority of courts have rebuffed data breach claims brought by affected persons (particularly those that have been offered monitoring) on the basis that those individuals have not suffered any appreciable injury. While a few cases have taken a different legal route by holding that these plaintiffs lack Article III standing, the end result is always the same: No actual injury = no recovery (and risk of future identity theft does not equal cognizable injury).

This news is probably depressing to two groups of plaintiffs who recently sued Facebook: Robertson v. Facebook and Gould v. Facebook. Both of these lawsuits allege that Facebook improperly disclosed the user name and other information of Facebook users who accessed content on the web. Claims in both lawsuits are premised around Facebook's violation of its privacy policy. As this case makes clear, the plaintiffs in these cases are unlikely to be able to show actual damages, and their breach of contract, negligence, and unfair competition claims are likely dead on arrival.
___

Eric's comments: In the past few months, I've noticed a disturbing trend. Whenever Google or Facebook makes a privacy gaffe, the plaintiffs' lawyers go into full-tilt litigation mode. There have been too many complaints filed to blog them all, although I've been posting many of the complaints to my Scribd account. Unfortunately, Google and Facebook have made their lives harder by making too many unnecessary mistakes, but many of these mistakes are obviously inconsequential in the grand scheme of things. But the most disturbing thing is that so many plaintiffs' lawyers seem completely uninterested in pleading how their clients suffered any consequence (negative or otherwise) from the gaffe at all. Their approach appears to be that the service provider broke a privacy promise, res ipsa loquitur, now write us a check containing a lot of zeros.

Although this case was designated non-published and therefore isn't binding on the 9th Circuit, this case nevertheless illustrates that most of these plaintiffs' lawyers are wasting their time and significant social resources with their poorly developed cases. Instead, if they truly believe the privacy gaffe is worth suing over, they should do the advance legwork to find at least one plaintiff representative who actually suffered some harm. If they can't even do that, society would be better off if the lawyers redirected their energies elsewhere.

Posted by Venkat at 10:27 AM | Licensing/Contracts , Privacy/Security



June 03, 2010

April-May 2010 Quick Links Part 1 (IP Edition)

By Eric Goldman

[Note: I just got back from the Netherlands, where I had extremely limited Internet connectivity, so sorry for my absence in the last week (although you were in good hands with Venkat). I will be posting more material from my Netherlands trip to my personal blog and Twitter. You might want to follow me at those places too. I have a long list of "quick links" to share with you as I get the opportunity. The first installment:]

Copyright

* NYT: Current TV defeats a claim that in-line linking is copyright infringement.

* Google won a copyright challenge against Image Search in Germany, apparently on implied license grounds.

* Smoking Gun reports that ESPN sportscaster Erin Andrews has acquired the copyrights to the peephole videos made of her, which should make it a little easier for her to go after online republishers.

* UMG v. Veoh has been appealed to the Ninth Circuit. Although Veoh declared bankruptcy, its law firm, Winston & Strawn, is still fighting it. Ben Sheffner has posted the amicus briefs on behalf of UMG.

* Ben Sheffner also reports that Scott v. Scribd did not get class certification. My initial blog post.

* Arista Records LLC v. Doe 3 (2d Cir. April 29, 2010). P2P file sharer can't claim anonymity to resist copyright owner's subpoena. This ruling also signals that the Second Circuit will take a dim view of fair use claims in P2P file sharing cases and might import the Napster standards for secondary infringement claims.

* Lyrics website hit with preliminary injunction, but not the shutdown requested by the plaintiffs. The court rejects a 17 USC 512 defense because the defendant did not file the required agent designation with the copyright office.

* The RIAA’s campaign to sue file sharers led to a bubble in copyright litigation activity. Ars Technica suggests the bubble may be coming back.

* International Swaps and Derivatives Ass'n, Inc. v. Socratek, L.L.C., 2010 WL 1780999 (S.D.N.Y. 2010). Socratek aggregates agreements from EDGAR and resells them on its website. The plaintiff is upset that Socratek aggregated and resold the plaintiff’s allegedly copyrighted order form for ordering derivatives. The plaintiff sells blank forms, but Socratek grabbed completed versions that had become material agreements for SEC filing purposes. The court denies Socratek’s dismissal motion but also denies a preliminary injunction.

* The Second Circuit upholds the dismissal of Bio-Safe v. Hawks. My initial blog post.

* Zusha Ellison of the Recorder catches up on three copyright First Sale cases pending before the Ninth Circuit. This is a good time to remind you about our November 5 conference on the First Sale doctrine.

* Cosmetic Ideas v IAC InteractiveCorp (9th Cir. May 25, 2010): "receipt by the Copyright Office of a complete application satisfies the registration requirement of § 411(a)."

Trademark

* Google has won the Rosetta Stone case, but we’re waiting to see the written opinion to figure out why (and how good the win is).

* Au-Tomotive Gold v. VW (9th Cir. May 6, 2010). Post-sale trademark confusion trumps the First Sale doctrine. We'll also be discussing trademark exhaustion at the November 5 conference!

* Boston Marathon sues CafePress and Zazzle for trademark infringement.

* Dan Burk, Cybermarks, Minnesota Law Review. The abstract:

The commercial development of the Internet has been punctuated with legal disputes over the use of trademarks as domain names, as metatags, as search terms, and as advertising keywords. As in previous disputes in copyright over the legal status of software, these Internet trademark disputes arise from the overlap of communicative and functional symbols in information technology. Such “cybermarks” are not merely indicators of product source, but function both as symbolic indicia for human recognition and as strings of computer code in the operation of automated search and indexing mechanisms. Application of trademark law’s functionality doctrine, perhaps with some modest amendment, could begin to resolve disputes over the use of cybermarks.

* Nature’s Footprint, Inc. v. Providnet Co Trust, 2010 WL 1903183 (W.D. Wash. May 11, 2010): “The Court is convinced that plaintiff sought to use its superior position vis-a-vis the trademark to, cause harm to a competitor. Given this Court’s strongly-held belief that a significant part of this litigation was motivated by plaintiff’s desire to quash competition, no fees will be awarded under the Lanham Act’s ‘exceptional case’ authority.”

Posted by Eric at 11:06 AM | Copyright , E-Commerce , Marketing , Privacy/Security , Trademark | TrackBack



June 02, 2010

Facebook Messages/Wall Posts, Civil Discovery, and the Stored Communications Act -- Crispin v. Audigier

[Post by Venkat]

Crispin v. Audigier, Case No. CV 09-09509 MMM (JEMx) (May 26, 2010)

With the proliferation of the use of social network profile evidence, it was only a matter of time before a court dealt with the issue of whether you can subpoena someone's Facebook page in a civil lawsuit. A judge in the Central District of California looks at the issue in Crispin v. Audigier [scribd].

Facts: Crispin sued Audigier, alleging that Crispin granted Audigier an oral license to use some of Crispin's works of art in connection with the manufacture of garments by Audigier. Crispin alleged that Audigier (1) failed to include Crispin's logo on the garments; (2) wrongly attributed Crispin's work to another artist; and (3) wrongly sublicensed Crispin's copyrighted material without permission. Crispin brought a variety of claims, including copyright infringement claims. Audigier subpoenaed third party businesses, including Media Temple, Facebook, and MySpace, seeking communications between Crispin and a tattoo artist (those communications which referenced or related to Audigier). [If I were the judge, I would have said this was awfully close to fishing expedition territory.]

14 days after Audigier served the subpoenas, Crispin moved to quash the subpoenas. [Facebook, MySpace, and Media Temple did not appear or file pleadings.] The magistrate judge found that the Stored Communications Act did not apply, and in any event only precluded voluntary disclosure (and did not apply to compelled disclosure pursuant to a civil subpoena). Finally, the magistrate judge found that the SCA only prohibited disclosure of communications held "in storage," which wasn't the type of information covered by the subpoena.

The Court's Ruling: The court largely reverses Magistrate Judge McDermott's ruling in an order that contains a lengthy discussion on the applicability of the Stored Communications Act to Facebook and MySpace profiles, wall posts, and messages. I can't tell if this case breaks any new ground (or whether the case gets it right), but given the growing importance of social networking evidence, I thought it was worth mentioning. (This post by David Johnson provides a good, basic overview of the issues at play: "Employer Access of Employee Digital Communications and Federal Wiretap Laws: It's Easier to Be Found Immune if the Communications Reside on Your Servers.")

A summary of the court's order:

1. The Stored Communications Act (passed in 1986) is woefully out of date, and was "enacted before the advent of the [web] and before introduction of the web browser . . . " In those days, "few could afford to spend hours casually exploring . . . [the internet] . . . ."

2. A third party whose information is sought by this type of a subpoena has "standing to move to quash a subpoena seeking personal information protected by the SCA."

3. 18 U.S.C. sec. 2703(e) does not permit disclosure pursuant to a civil subpoena.

4. Do not, under any circumstances, cite to Wikipedia as a source for a key factual issue (the court drops a footnote citing to Badasa v. Mukasey ("Respondent is admonished from using Wikipedia as an authority in this District again. Wikipedia is not a reliable source at this level of discourse.")). [emphasis added]

5. Facebook, Media Temple, and MySpace provide "private messaging or email services . . . such services can constitute ['electronic communications services'] . . . ." Case law looking to the treatment of private BBS services is helpful. Public BBS services are not entitled to protection under the SCA.

6. The privacy settings of services such as Facebook affect the outcome:

[since] Facebook permits wall messages to 'be viewed by anyone with access to the users profile page'. . . there is no basis for distinguishing between a restricted-access BBS and a user's Facebook wall or Myspace comments. There similarly is no basis for distinguishing between Media Temple's webmail and Facebook's and MySpace's private messaging, on the one hand, and traditional web-based email on the other. As a consequence, the court concludes that each of Media Temple, Facebook, and MySpace is an ECS provider.

7. That Facebook, MySpace and Media Temple are ECS providers doesn't end the analysis. "The court must also determine whether the information sought by the subpoenas . . . constitute 'electronic storage' within the meaning of the statute."

8. Citing to the City of Detroit text messaging decision (Flagg v. City of Detroit) the court notes that "an ECS provider [becomes] an RCS [remote computing service] provider after a communication has been read and stored." It seems factually unclear (but legally relevant) as to whether the services provide storage or backup/archival services.

9. Unlike the "messages," the "Facebook wall and MySpace comments present a distinct and more difficult question":

in the context of a social-networking site such as Facebook or MySpace, there is no temporary, intermediate step for wall postings or comments. Unlike an email, there is no step whereby a Facebook wall posting must be opened, at which point it is deemed delivered. Thus a Facebook wall posting or a MySpace comment is not protectable as a form of temporary, intermediate storage.

The court concludes that "the postings, once made, are stored for backup purposes . . . Facebook and MySpace are ECS providers as respects wall postings and comments. . . ."

10. In the alternative, the court holds that Facebook and MySpace are RCS providers with respect to the wall postings and comments.

End Result: the court quashes the portions of the Facebook and MySpace subpoenas that sought "private messaging," and remands for further development of the record on the wall postings and comments.
__

It's a pretty dense order that is worth reading, if nothing else, to get a sense of the complexity of the issues that arise in this context, and the lay of the land as far as case law goes.

From a practical standpoint, obtaining Facebook messages and private profile information in a civil lawsuit seems fairly tricky (although judging from media reports, people must do it all the time). Assuming you can't get access to some or all of this information through a subpoena, one option is to get the party (whose records are sought) to sign a consent or waiver. This has the downside of giving the party seeking the information access to all of the witness's information, including irrelevant, privileged, or other information that should remain private. As best as I know, Facebook doesn't perform e-discovery services on the side - you can't provide Facebook a set of search parameters and get Facebook to produce information that falls under those parameters. (Here's a good post on the topic, with references and suggestions: [pdf] "Obtaining Records From Facebook, LinkedIn, Google and Other Social Networking Websites and Internet Service Providers.")

Another interesting aspect of the dispute is that Facebook didn't appear or file any pleadings. I assume Facebook has a blanket policy objecting to these types of subpoenas, but maybe timing was an issue here? In contrast, Facebook recently successfully quashed a subpoena issued to it in another civil case (Barnes v. CUS Nashville, LLC, No. 3:09-0764 (M.D. Tenn.) (May 27, 2010)). There, the magistrate judge concluded that "the SCA prohibit[ed] the disclosure of [the sought after] information in response to a subpoena" [citing Flagg v. City of Detroit].

Finally, the court looks to the effect of privacy settings for Facebook pages. I wonder if the ability of Facebook friends to "share" postings affects the outcome? How about Facebook's constantly changing privacy policy and settings?

In any event, parties (employers, and even lawyers) should tread carefully here. See, e.g., Theofel v. Farey-Jones and Hillstone Restaurant Group v. Pietrylo.

Posted by Venkat at 08:13 AM | Privacy/Security



May 27, 2010

EFF Weighs in on Facebook v. Power Ventures -- Facebook v. Power Ventures

[Post by Venkat]

Facebook v. Power Ventures, Case No. 5:08-cv-05780 JW (N.D. Cal.) (Facebook Motion) (EFF Amicus Brief)

Facebook and Power Ventures have been locked in a dispute over whether Power Ventures can access Facebook's website and network outside of Facebook's authorized developer channels. The dispute yielded an interesting ruling on Power.com's motion to dismiss. The parties are both seeking summary judgment on the issue of whether Power.com's conduct violates California Penal Code section 502(c). EFF recently weighed in with an amicus brief which makes the already interesting dispute even more interesting.

The Dispute: Facebook brought Computer Fraud and Abuse Act claims and copyright claims (along with a slew of other claims) against Power.com. Setting aside the peripheral trademark and CAN-SPAM claims, Facebook's key allegations are that (1) Power.com accessed Facebook's network "without authorization" in violation of the Computer Fraud and Abuse Act (and section 502(c), the California computer crime statute); (2) Power.com accessed Facebook’s network in violation of the Facebook terms of use; and (3) Power.com copied the copyrighted portions of the Facebook website in the process of allowing Facebook users to access Facebook through Power.com's interface. (There's also an anti-circumvention claim tied to the unauthorized copying claim.) The court denied Power.com's motion to dismiss. (See coverage of the court's initial ruling on Power.com's motion to dismiss from Tom O'Toole, Jeff Neuburger, and Cyberlaw Cases.)

At this point, the parties are jousting over whether Power.com's conduct violates California Penal Code section 502(c). I'm surprised the parties are focusing their initial battle around this statute, rather than the Computer Fraud and Abuse Act. That said, given that California courts have held that Computer Fraud and Abuse Act decisions are persuasive when it comes to interpreting Section 502(c), what the court does here will be a good indication of what the court will do with the Computer Fraud and Abuse Act claim.

EFF's Amicus Brief: The brief comes at an opportune time for Power.com. I speculated earlier as to whether Power.com would settle this dispute, but given the recent barrage of negative publicity surrounding Facebook (including planned protests/mass deactivations (or deletions?) of Facebook accounts, and criticism from numerous high profile users and technology commentators), this round of motions could ratchet up the pressure on Facebook. [As a sidenote, Judge Fogel, who originally presided over the dispute and who seemed sympathetic to Facebook's position, recused himself. He didn't give any reasons for the recusal (nor is he required to). I'm not sure what effect this will have on the dispute, but I thought it was worth mentioning.]

EFF urges a narrow interpretation of section 502(c) in a way that avoids liability for Power.com. The EFF brief argues that finding liability based on access in excess of Facebook's terms of service is similar to attempting to hold Lori Drew liable for creating a MySpace profile in violation of MySpace terms of service. ("[In] Facebook's view . . . [a] user who is twelve years old violates the criminal law every time she uses Facebook.") According to EFF, this allows a private entity to define the bounds of criminal conduct, and does not give end users sufficient advance notice of what's permitted and what is criminal conduct. Notwithstanding the difficulties in analogizing a criminal case to a civil one, EFF's argument resonates, in light of the fact that Facebook has changed its terms of service over the past few years. (EFF: "Facebook's Eroding Privacy Policy: a Timeline.") Facebook's terms are difficult to read and digest for a lawyer; for a non-lawyer end user, they are even tougher. Although length is not a proxy for whether a document is understandable, a popular refrain on the internet was that Facebook's terms are longer than the Constitution.

Does Access in Violation of Facebook's Terms of Service Violate the CFAA: There are cases holding that repeated unauthorized access of a website through automated means may violate the CFAA (for example: EF Cultural Travel BV v. Zefer Corp.; EF Cultural Travel BV v. Explorica, Inc.; Southwest Airlines v. Farechase, Inc.; Register.com, Inc. v. Verio, Inc.). Power.com does not have an easy road when it comes to legal precedent. EFF's brief cites to a recent case from the employment context where the Ninth Circuit narrowly interpreted the Computer Fraud and Abuse Act (LVRC Holdings, LLC v. Brekka, discussed by Jeff Neuburger here). Brekka was a case where an employee accessed his employer's computers and servers for his own purposes (and contrary to his employer's interests). The employer never expressly rescinded Brekka's access. The Ninth Circuit granted summary judgment in favor of the employee (Brekka), reasoning that once authorized, the authorized user cannot violate the CFAA unless the authorization has been rescinded or where the authorized user "exceeds authorized access," i.e., by accessing the computer "to obtain or alter information" that the authorized user is not entitled to obtain or alter. The court in Brekka acknowledges that the Seventh Circuit took a different approach in International Airport Centers v. Citrin, where it concluded that an employee can lose "authorization" when the employee "resolves to act contrary to the employer's interest."

There's one key difference between Brekka and this case, which is that in this case, there was never any dispute as to whether Power.com or Facebook end users are authorized to access Facebook's servers through Power.com's service. In any event, Facebook sent Power.com a cease and desist letter making clear that Facebook viewed Power.com's access as unauthorized. Interestingly, one of the CFAA sections covers unauthorized access where the defendant "obtains information" which the defendant is not entitled to obtain. Arguably Facebook end users are not "entitled" to obtain information from Facebook through channels that are not authorized by Facebook. However, the information that end users are looking to access is clearly not Facebook's - it's the end users' own data. (The Computer Fraud and Abuse Act has several different sections, but broadly, it requires (1) access or the transmission of information that is unauthorized; (2) which causes damage or effects fraud, and (3) with a certain level of culpability. The EFF's internet law treatise page on the CFAA is a good resource for background.)

The CFAA component of this dispute reminds me in some ways of Southwest Airlines v. BoardFirst, a case where Southwest Airlines tried to shut down BoardFirst's service, which assisted passengers in checking in to Southwest's flights. The court denied Southwest's motion for summary judgment, and the parties ultimately settled. The court's ruling denying Southwest's motion for summary judgment [scribd] contains some good discussion about whether access in excess of a website terms of use constitutes a violation of the Computer Fraud and Abuse Act. As that case makes clear, however, even if there are problems with Facebook's Computer Fraud and Abuse Act claim, Facebook most certainly has a valid terms of service-based claim. Finding that there's been no terms of service violation would require some serious judicial contortions, and would undermine a pretty basic principle that a website owner is free to define the bounds of access of its website through a terms of service. There have been decisions which have invalidated portions of terms of service based on the fact that the terms are grossly unfair (or are unconscionable) but it's tough to see this part of Facebook's terms fitting into this category. (On a related note, Professor Goldman recently blogged about Miller v. Facebook, a case where Facebook successfully invoked the venue provision of its user agreement to get a copyright dispute transferred from Georgia to California.)

Facebook also has a copyright claim. As tenuous as Facebook's copyright claims may be, there are cases which support Facebook's position, and a judge in this case has already ruled that Power.com doesn't get a pass if it is found to have accessed Facebook's copyrighted material (even for the purpose of allowing end user access).
__

While recent events have made Power.com's arguments more tenable, I think it still has a tough battle, among other things because it's a competitor of sorts. That said, there are a variety of factors which make this case a harder one for Facebook than I initially thought. It is interesting to see people rally around Power.com, who judging from Facebook's pleadings, has some baggage - the type that makes a clear win for Power.com unlikely. As far as data portability goes, Power.com is an unlikely champion. On the other hand, Facebook doesn't look so great blocking Power.com's efforts.

Other Third Party Services: Another interesting aspect to this dispute is that a plethora of third party services have arisen which arguably address the privacy and data concerns of Facebook's end users. Are these services allowed to access end user data in violation of Facebook's terms? Facebook has tried to force some of these applications to stop, but I think some of these applications may have a more compelling argument than Power.com, which is just a point of aggregation for various social networking profiles. For example, if Facebook didn't provide a way for end users to delete their user data, could a third party provide this service?

1. Openbook: "Facebook helps you connect and share with the people in your life. Whether you want to or not." An interesting site that lets you search public Facebook status updates to show how often embarrassing information is shared through Facebook.

2. ReclaimPrivacy.org: a website that "provides an independent and open tool for scanning your Facebook privacy settings."

3. Seppukoo: an app that lets you kill your online profiles - in response to a Facebook cease and desist [pdf], the site stopped killing Facebook accounts.

Facebook has a good argument that it needs to regulate access for security reasons. Along these lines, Facebook recently implemented "anti-hacking" features which may make access through third party channels more difficult.

Other coverage:

Techdirt: "Facebook Abusing Computer Crime Law To Block Useful Service"
ReadWriteWeb: "Facebook Suing Power.com for Auto-Logging"
EFF: "EFF Seeks to Protect Innovation for Social Network Users"
Wendy Davis: "EFF: Violating Terms Of Service Isn't Computer Fraud"

Posted by Venkat at 10:23 AM | Privacy/Security



May 26, 2010

Beacon Class Action Lawyers Awarded $2.3MM in Fees -- Lane v. Facebook

[Post by Venkat]

Lane v. Facebook, Case No. 08-3845 RS (N.D. Cal.) (Order re Attorney Fees)

Facebook's ill-fated Beacon program generated three lawsuits, a lot of wrangling by class action lawyers, and more than a few blog posts (e.g., "Beacon Class Action Settlement Approved;" "Stop Saying 'We Can Amend This Agreement Whenever We Want'!;" "Texas Class Action Aims to Derail Facebook Beacon Settlement"). Judge Seeborg recently approved the settlement, which included the formation of a privacy foundation funded by Facebook. (Here's an earlier post of mine summarizing the then-proposed terms of the settlement.)

The one item pending was the amount of fees to which class counsel would be entitled. Judge Seeborg issued an order on Monday awarding plaintiffs' counsel $2,322,763.00 in fees and $42,210.58 in costs, for a total award of $2,364,973.58. Counsel expended approximately 2500 hours of work on the case, and sought a multiplier of 2.4. The court ruled that a multiplier of 2 was appropriate. The court also found that the hours attributable to the Harris plaintiffs should be "excised," given that "those attorneys attempted to derail the settlement of [Lane v. Facebook] at the preliminary approval stage, before later coming to support it."

[For an explanation of the lawsuit brought by a second group of plaintiffs (Harris v. Facebook) who initially objected to the settlement, check out this post: "Texas Class Action Aims to Derail Facebook Beacon Settlement."]

Although several of the named plaintiffs recovered nominal amounts for their efforts, the class members recovered zero dollars as part of this settlement. The settlement was heralded because it brought significant non-monetary benefits: (1) the establishment of a privacy foundation and (2) a change in Facebook's behavior. Given recent events, I'm sure many are probably left questioning the efficacy of one or both of these.

Posted by Venkat at 08:27 AM | Privacy/Security



May 19, 2010

Web-based Email Bombardment Campaign Does Not Amount to a Violation of the Computer Fraud and Abuse Act -- Pulte Homes, Inc. v. LiUNA

[Post by Venkat]

Pulte Homes, Inc. v. Laborers' International Union of North America, et al. (E.D. Mich.) (May 12, 2010)

Background: Pulte Homes, "the largest new home builder in the United States" terminated eight employees. Defendant Laborers' International Union of North America (LiUNA) is a labor organization that represents workers in the construction industry. LiUNA claimed that seven of the eight employees were fired for expressing support for LiUNA. Plaintiff alleged that in response to the terminations LiUNA began a "targeted effort to sabotage and interrupt" plaintiff's business operations. Plaintiff argued that LiUNA's email campaign was a violation of the Computer Fraud and Abuse Act (sections 1030(a)(5)(A), 1030(a)(B), and 1030(a)(C)):


Defendants have encouraged LiUNA supporters to inundate Plaintiff with mass quantities of phone calls and e-mails . . . . LiUNA's website featured a 'call to action,' which provided a pre-typed e-mail voicing opposition to Plaintiff's alleged termination of employees for supporting the union. This e-mail was pre-addressed to Plaintiff and allowed users to send it to Plaintiff with the click of a few buttons.

The Court's Ruling:

Unlawful transmissions: The unlawful transmission prong of the CFAA requires the transmission of information as a result of which the defendant "intentionally causes" damage to a protected computer. The court dismissed this claim because plaintiff failed to allege that LiUNA's email campaign caused any appreciable damage to plaintiff's computer system.

Unauthorized access: The unauthorized access prong of the statute requires intentional access "without authorization," along with resulting loss. The court concludes that LiUNA did not "access [plaintiff's] computer under the CFAA merely by leaving a voice-mail or sending an e-mail." The court rejects plaintiff's attempt to rely on an older AOL spam case (AOL v. National Health Care Discount, Inc.) where the Northern District of Iowa held that the transmission of bulk email through AOL's servers could constitute a violation of the CFAA. (The court there expressed serious reservations as to whether the Computer Fraud and Abuse Act even covered unsolicited bulk emails: "it is not clear that a violation of AOL's membership agreements results in 'unauthorized access.'") The AOL case was decided pre-CAN-SPAM, and as the court recognized, stretched the bounds of the Computer Fraud and Abuse Act. It's tough to conclude that sending an email to an email address that's designed to receive emails from the general public constitutes "unauthorized access" under the Computer Fraud and Abuse Act. AOL argued that mass emails were "unauthorized" because they were a violation of AOL's terms of service, but this argument suffers from the same problems that any terms of service-based Computer Fraud and Abuse Act claim suffers from.

[Anyone engaging in this sort of a mass email campaign may want to stagger the emails or otherwise take steps to minimize potential damage or slowdowns to the recipient's servers. Where there's no damage or slowdown, courts are reluctant to find liability.]
__

This case is reminiscent of Intel v. Hamidi, another case involving a departing employee who was sued for sending mass emails. In Hamidi, the California Supreme Court held that the departing employee could not be held liable under a trespass to chattels theory because the emails he sent did not damage Intel's servers. As in this case, in Hamidi, the plaintiff seemed more concerned about the content or peripheral effects of the emails, rather than any effect the emails had on plaintiff's servers.

Related:

The case also brings to mind the contempt order slapped on "television-pitchman" Kevin Trudeau. Trudeau, a defendant in a case brought by the FTC, exhorted "his radio and web followers to deluge U.S. District Judge Robert Gettleman with e-mail" in an attempt to persuade the judge to side with Trudeau in the FTC proceeding. Judge Gettleman found that this interfered with his administration of justice, and sentenced Trudeau to 30 days. That decision is on appeal to the Seventh Circuit. (See coverage from Wired's Threat Level blog here.)

Another union activity case which Prof. Goldman blogged about recently (in that case, involving trademarks) is Cintas v. Unite Here ("Union Organizers' Activist/Gripe Sites Don't Support Trademark Claims").

UPDATE FROM ERIC: This case also vaguely reminds me of the Utube v. YouTube lawsuit, where Utube claimed that YouTube was trespassing on its domain name because people were lousy spellers.

Posted by Venkat at 11:28 PM | Privacy/Security , Spam



May 17, 2010

FTC Busts Check-Issuing Website for Unfair Practices--FTC v. Qchex

By Eric Goldman

Federal Trade Commission v. Neovi, Inc., 09-55093 (9th Cir. May 14, 2010)

Qchex allowed registered users to create and send checks via a website. Initially, users could submit bank account information and payee information, and Qchex would manufacture a check and send it (in some cases physically, in other cases electronically, depending on the sender's request) to the payee. Given that bank account information is widely available (i.e., it's on every check we send and receive), it sounded like it was trivially easy for fraudsters to submit other people's bank information and send an official-looking check drawing on an innocent bystander's account. These bogus checks can wreak havoc on the payment system when they are presented and then bounce (or worse, clear). According to the opinion:

Indeed, over a six-year period, Qchex froze over 13,750 accounts for fraud. Those accounts spawned nearly 155,000 checks, supplied over 37,350 bank account numbers, and were the source of checks totaling more than $402,750,000—an amount more than half of the total drawn during that time.

Eventually, Qchex enhanced its security procedures to deposit a small amount in a bank account and then require the accountholder to report that amount back to Qchex to authenticate the account. For a variety of reasons, this authentication procedure did not eliminate fraud.

The FTC pursued Qchex for unfair trade practices under Section 5 of the FTC Act. Qchex defended on lack of causation, saying the users supplied the relevant information and therefore were responsible for the bum checks. The court's response:

Qchex created and controlled a system that facilitated fraud and that the company was on notice as to the high fraud rate. Qchex’s approach would immunize a website operator that turned a blind eye to fraudulent business made possible only through the operator’s software. Even if the creation of the checks was impossible without user input, that does not mean Qchex did not create the checks that it later delivered.

(I dig the double/triple/quadruple negative in the last sentence. Say what?)

Even if the court's statement is true, isn't this exactly what 47 USC 230 was supposed to immunize? Amazingly, 230 isn't referenced in the opinion at all, although the court does cite the 230-based Accusearch case in support of its conclusion. It's not like 230 was unfamiliar to this panel; the opinion author is Judge McKeown, who also authored a pro-230 dissent in the Roommates.com en banc case.

Put the doctrinal finery to one side for a moment. We know Qchex has to go down for its sloppy authentication processes and the calamitous effect on our banking system. Fine. But the legal reasoning in support of this takedown is troubling. First, it's based on Section 5's unfairness restrictions, a lightly used prong because "unfairness" is unbelievably subjective and malleable. Second, it's based on some type of but-for causation theory, which applies universally to many service providers throughout the Internet (i.e., without PayPal, there would be no PayPal fraud). Third, the courts gave typical deference to the FTC—but perhaps too much deference. Finally, the causation discussion superseded any discussion about 47 USC 230--a conspicuous omission given that Qchex's whole system was premised on user-supplied content.

Having said that, it's not clear that Qchex’s 230 defense would have succeeded. The court emphasizes that liability is due to Qchex's conduct, not its users’. The court says "Qchex caused harm through its own deeds—in this case creating and delivering unverified checks." I expect any other businesses manufacturing inadequately authenticated fake checks will suffer a similar fate. However, I’m not sure this explanation adequately distinguishes between first party and third party content/actions.

It will be interesting to see how the plaintiffs try to misuse the language I quoted above for other types of claims. For example, replace the word “fraud” with “defamation” and see how the language reads. My hope is that the courts will entertain such citations only in FTC Act unfairness cases and not others, but I expect plaintiffs will try to expand its scope nonetheless.

This case brought to mind an old blog post on a site called "Cheezus," which provided a tool that people could use to create and print fake newspaper articles about another person's sexual misconduct. (Unlike Qchex, the user printed the resulting article). Cheezus caught my attention when a mischievous teen used the tools to prank his teacher and got disciplined. I thought the site was irresponsible, but under this rationale, is the Cheezus tool also illegal because it engaged in Sec. 5 unfair practices? If not, why not?

Posted by Eric at 01:55 PM | Content Regulation, Derivative Liability, E-Commerce, Privacy/Security



May 13, 2010

4th Cir.: No Expectation of Privacy in Internet and Phone Subscriber Info -- U.S. v. Bynum

[Post by Venkat]

United States v. Bynum, Case No. 08-4207 (4th Cir.) (May 5, 2010)

The FBI observed Marques Bynum's activities in a Yahoo! chat room. Bynum had uploaded photos of children engaged in sex acts. The FBI served an administrative subpoena on Yahoo! seeking the subscriber information and IP address associated with Bynum's profile. Based on the information provided by Yahoo!, the FBI identified the internet service provider associated with the IP address (UUNET). The FBI then subpoenaed UUNET and obtained the email address and telephone number for the customer associated with the IP address. Finally, the FBI subpoenaed the phone and internet companies that operated the dial-up service used by the user, which revealed the "physical address from which the uploads emanated" (which happened to be the defendant's mother's house). The FBI also accessed publicly available information from the defendant's Yahoo! chat profile such as his photo, demographic information, and interests.

The defendant made what appeared to be a half-hearted argument that the Government's use of administrative subpoenas (which precluded disclosure of the subpoenas to the defendant) to obtain his subscriber information violated his Fourth Amendment rights. The court rejects this argument, noting that there was no evidence that defendant "had a subjective expectation of privacy in his internet and phone 'subscriber information' . . . ." He voluntarily provided the information to his internet and phone companies and "assumed the risk" that these companies would reveal this information to the authorities. Even if he were able to show that he had a subjective expectation of privacy, he would not be able to show that this expectation was objectively reasonable. The court notes that "every federal court to address this issue has held that subscriber information provided to an internet provider is not protected by the Fourth Amendment's privacy expectation." Finally, the court notes in a footnote that the defendant did not allege a privacy interest in the IP address the FBI initially obtained from Yahoo!.

As this Ars Technica article notes, although the New Jersey Supreme Court took a slightly different approach (requiring a grand jury subpoena, based on the state constitutional right of privacy and the view that the IP address-identity connection is sufficiently private to warrant some protection), federal cases pretty uniformly follow the approach taken by the Fourth Circuit in this case. In light of the case law, the court's decision does not seem surprising. That said, as someone who doesn't follow the case law very closely in the criminal context, I was surprised at how easy it is for the government to track down your IP address and, through that, your account information and personal details (email address, street address, etc.). From what I understand, an "administrative subpoena" - which was used in this case - is nothing more than a letter from the FBI.

Related:

Tom O'Toole blogged recently about a file sharing (civil) case where subpoenaed Doe defendants unsuccessfully fought to remain anonymous: "File Sharers Have Little But Not Zero Privacy"

A 2009 MediaPost article discusses a decision by Judge Jones of the Western District of Washington where Judge Jones ruled that IP addresses are not "personally identifiable information": "IP Addresses Are Not 'Personally Identifiable' Information"

FourthAmendment.com covers U.S. v. Bynum: "CA4: No reasonable expectation of privacy in subscriber info with ISP"

Posted by Venkat at 11:49 AM | Privacy/Security



May 11, 2010

Internet Access Provider & Blocklist Publishers Denied 230(c)(2) Immunity for Anti-Spam Efforts

By Eric Goldman

Smith v. Trusted Universal Standards in Electronic Transactions, Inc., 2010 WL 1799456 (D.N.J. May 4, 2010)

It's usually a drag to read opinions in pro se lawsuits. Most of the time, the litigant gets flattened mercilessly. Occasionally, however, the judge bends over backwards to give the litigant the benefit of the doubt. Either way, the opinions are messy and untrustworthy.

This case fits that description. The judge says he can't figure out the facts from the complaint, but here's his best guess. It appears that Smith is a Comcast Internet subscriber. Comcast blocked his outgoing mail twice because he was allegedly sending spam. When pressed why it thought Smith's emails were spam, Comcast pointed the finger at IronPort (owned by Cisco), who in turn pointed the finger at Spamhaus. Smith then filed a "Consumer Watchdog" complaint against Comcast with TRUSTe (misnamed as the lead defendant).

Independently, Microsoft put Smith's email server on its Frontbridge blocklist. Smith separately filed a TRUSTe complaint against Microsoft for that. Smith ultimately decided to sue TRUSTe, Comcast, Cisco and Microsoft for 8 different legal violations in one big litigation fiesta.

Smith's claims go nowhere. The court dismisses all of them with leave to amend the complaint, so the story turns out largely happily for the defendants. Unfortunately, the plaintiff does get one more chance, and he even attached a massive 404 page (!) draft amended complaint. (Note: this is 404 pages, not a 404 error, although it certainly is an error). The court reminds the plaintiff that the rules require a short and plain statement of the claims.

Along the way, the court reaches a decidedly defendant-unfriendly conclusion by rejecting Comcast's, Cisco's and Microsoft's 230(c)(2) defense, the statutory immunity for online filtering decisions--and the often overlooked cousin of 230(c)(1) which I have blogged about many times. Worse, the court reaches its conclusion in the face of several clearly applicable precedent cases. In my opinion, this is an example of how Smith's pro se status causes the court to be overly cautious…to the point of reaching the wrong result.

The court starts off right by concluding that spam could qualify as "otherwise objectionable" content under 230(c)(2) (cite to e360insight v. Comcast). Doing a light ejusdem generis analysis, the court says "nothing about the context before or after that phrase limits it to just patently offensive items."

However, Comcast is denied 230(c)(2) on a motion to dismiss because Smith alleged that Comcast acted in bad faith. In support of this, Smith alleged that Comcast told him that they didn't mind his emails, but he just needed to upgrade to a more expensive subscription. The court says if this is true, "Comcast was not concerned that people were receiving large quantities of emails, or concerned about the content of the emails, but rather was concerned that Plaintiff had not purchased a sufficient level of service. This is not a good faith belief that the emails were objectionable, but rather a belief that they violated a service agreement."

This is a garbled statement at best. What I think the court was trying to say is that Comcast had a pink contract that allowed spam if the user paid enough money, and Smith hadn't gotten a pink contract. If so, then I can see the court's point that Comcast is being duplicitous arguing that spam is objectionable content because Comcast's assessments could be bought.

I was uncomfortable with the court's almost off-hand reference that "One would expect that if an interactive computer service had acted in good faith, it could and would come forward with the legitimate basis for its actions when questioned (though the Court is not suggesting they must do so)." First, as the court notes, this is a motion to dismiss, so Comcast can't proffer new evidence. Second, this is a burden-shift. As regular readers know, I believe 230 is an immunity against suit, not an affirmative defense, so the plaintiff has the burden to show why the service provider did not possess the requisite subjective good faith when making its filtering decision. It's not Comcast's responsibility to prove its own subjective good faith beliefs. (How does one prove those in any case?)

Cisco and Microsoft both published blocklist-type information. They try to fit into 230(c)(2)’s statutory definition of "access software providers," which requires them to show that they "provide or enable computer access by multiple users to a computer server." This issue was litigated in the Zango v. Kaspersky case, where Kaspersky distributed anti-spyware software that phoned home for new definitions. The Ninth Circuit said that the phone home feature satisfied the statutory requirement. In contrast, the court appears to say that pure blocklist publishers (i.e. those who do not distribute accompanying software with a phone home capacity) do not; this reading effectively kicks blocklist publishers out of the statute.

As the court acknowledges, this conclusion seemingly conflicts with the 2004 OptInRealBig decision, where the court held that IronPort as a blocklist publisher qualified for the statute because it was a user of an interactive computer service. The court doesn't explain why IronPort doesn't still qualify as an ICS user except to say that IronPort didn't make the requisite showing. The court also does not note that the OptInRealBig case was a 230(c)(1) decision (not a 230(c)(2)) because IronPort republished third party reports, and that should have applied here as well. The court also does not address the extensive 230(c)(1) precedent effectively treating online content publishers (which would include blocklist publishers) as "users" of ICSs, ranging from Barrett v. Rosenthal to the implicit conclusion in Novins v. Cannon.

More specific to 230(c)(2), the court doesn't explore either Pallorium v. Jared or MAPS v. Black Ice (an old 2000 case), both of which arguably contradict this particular conclusion in the 230(c)(2) context. Thus, because the court did not engage the applicable precedent, was overly solicitous to a pro se litigant, and knew that its discussion was dicta because it was ruling for the defendants anyway, the court chunks the analysis.

For more on 230(c)(2), see my 230(c)(2) talk notes from last summer.

One other noteworthy aspect of the ruling. Smith alleges that Comcast breached its privacy policy, but the court dismisses the contract claim because he doesn't show any loss from the alleged breach. This is yet another case holding that merely breaching a privacy policy isn't an actionable contract breach without more. See, e.g., the cited JetBlue case.

UPDATE: John Levine provides some perspectives about what might have happened.

Posted by Eric at 10:37 AM | Content Regulation, Derivative Liability, Privacy/Security, Spam



April 19, 2010

Online Publishers, Advertising and Privacy Considerations

By Eric Goldman

I recently spoke at OMMA Global on a panel entitled "Can Publishers Take Ownership of Privacy?" This panel focused on the role of online publishers in the marketing-and-privacy discussions. Most of the privacy angst has focused on other intermediaries in the advertising ecosystem, such as ad networks. However, online publishers play a crucial but under-discussed role in privacy considerations as well.

I made the following three points in my brief introductory remarks:

1) Our privacy regulatory architecture of "notice and choice" requires that publishers actually give their consumers notice and choice, but I'm routinely flummoxed by publishers who balk at doing both. Publishers often rely on dense obfuscating language to mask their true behavior--eviscerating the notice part of "notice and choice"--and will broadly interpret user consent or opt-in beyond the consumer's clear consent. If publishers want to enjoy the benefits of a "notice and choice" regulatory regime, then they have to deliver accordingly. No excuses, no corner-cutting, no BS.

2) I am also amazed at how often publishers let third party vendors place web beacons on their pages or otherwise let third parties have access to their server logs. Routinely consumers are "informed" in obscure or vague privacy policy references that third party vendors might have access to logs (i.e., "we might use third party vendors, so trust us"). At best, the privacy policy links the consumer to the vendor's own privacy policy, at which point the publisher pats itself on the back and feels like it has checked off the "notice and choice" box. But this isn't notice or choice; 99% of consumers won't even look at the privacy policy, and exactly what choice do they have...to follow the daisy-chain of privacy policies to try to assemble the overall picture of what is happening to the consumer and his/her data?

More importantly, I think publishers underestimate the competitive risks of letting other vendors put web beacons on their pages. Every vendor who's listening in via the web beacon knows pretty much everything about the publisher's online business. The publisher can try to handcuff the vendor's enjoyment of that data in the contract; but as we know, too many contracts are not worth the piece of paper they're written on.

As a result, I think publishers need to think long and hard about letting vendors put beacons on their pages or otherwise granting vendor access to the publisher's server logs. Publishers need to evaluate it from a competitive standpoint, and publishers need to act as a proxy for their consumers' interests given that consumers don't have any meaningful notice or choice in the situation. After all, if something blows up, it's the publisher's trust relationship with its consumers that will suffer.

3) Personally, I don't have any problem with providing publishers with more information about me--even PII--so long as they actually provide enhanced value to me. However, in far too many situations, I don't see any extra value from the publisher despite the information I provide. I keep getting the same crappy ads I'd get if they knew nothing about me. So, publishers: if you want better info about me, deliver better value to me. On the flip side, when publishers keep doing a crummy job after asking me to personalize my experience, I will absolutely hold it against them.
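As an added illustration of point 2 (example code written for this post, not anything from the blog, from OMMA or from any vendor named here): the script below inventories the elements on a constructed sample publisher page that trigger outbound requests to other hosts (images, scripts, iframes), and shows, under a simplified model of the browser's Referrer-Policy rules, how much of the page URL each such vendor request carries. The sample HTML, the hostnames and the page URL are constructed placeholders.

```python
"""Inventory third-party beacons on a publisher page and show what the
Referer on each beacon request reveals. Constructed example; every host
and URL below is a placeholder."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample page: first-party assets plus three third-party loads.
PAGE_URL = "https://www.example-publisher.com/news/2010/04/secret-project?ref=newsletter"
FIRST_PARTY = ("example-publisher.com",)
SAMPLE_HTML = """
<html><body>
<img src="/img/logo.png" alt="logo">
<script src="https://cdn.example-publisher.com/app.js"></script>
<img src="https://beacon.advendor.example/pixel.gif?sid=123" width="1" height="1">
<script src="https://analytics.vendor.example/collect.js"></script>
<iframe src="https://ads.vendor.example/frame?slot=top"></iframe>
</body></html>
"""


class BeaconCollector(HTMLParser):
    """Collects every element whose src attribute causes a fetch."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.requests = []  # (tag, absolute url)

    def handle_starttag(self, tag, attrs):
        if tag not in ("img", "script", "iframe"):
            return
        src = dict(attrs).get("src")
        if src:
            # Relative paths resolve against the page, so "/img/logo.png"
            # stays first-party.
            self.requests.append((tag, urljoin(self.page_url, src)))


def third_party_requests(html, page_url, first_party_suffixes):
    """Return (tag, host, url) for every fetch not under a first-party domain."""
    parser = BeaconCollector(page_url)
    parser.feed(html)
    out = []
    for tag, url in parser.requests:
        host = urlparse(url).hostname or ""
        first_party = any(host == s or host.endswith("." + s) for s in first_party_suffixes)
        if not first_party:
            out.append((tag, host, url))
    return out


def referer_sent(page_url, policy):
    """Referer carried by a cross-origin, https-to-https beacon fetch under a
    Referrer-Policy value. Simplified model of the browser rules: None means
    no Referer header is sent at all."""
    p = urlparse(page_url)
    origin = f"{p.scheme}://{p.netloc}/"
    if policy in ("no-referrer", "same-origin"):
        return None
    if policy in ("origin", "strict-origin", "origin-when-cross-origin",
                  "strict-origin-when-cross-origin"):
        return origin
    if policy in ("no-referrer-when-downgrade", "unsafe-url"):
        return page_url.split("#", 1)[0]  # full URL, fragment dropped
    raise ValueError(f"unknown Referrer-Policy: {policy}")


def beacon_report(html, page_url, first_party_suffixes, policy):
    """One line per third-party fetch: who is called and what URL they see."""
    lines = []
    for tag, host, _ in third_party_requests(html, page_url, first_party_suffixes):
        lines.append(f"<{tag}> -> {host}: Referer={referer_sent(page_url, policy)}")
    return lines


if __name__ == "__main__":
    for policy in ("unsafe-url", "strict-origin-when-cross-origin", "no-referrer"):
        print(f"--- Referrer-Policy: {policy}")
        for line in beacon_report(SAMPLE_HTML, PAGE_URL, FIRST_PARTY, policy):
            print(line)
```

The Referer is only part of what a beacon vendor collects (the visitor's IP address, cookies the vendor has set on its own domain, and the timing of every page view travel with it), but it is the part that exposes the publisher's own URL structure and campaign parameters to the vendor, and a `Referrer-Policy` header is a control the publisher, not the vendor, sets. Running an inventory like this before signing a vendor contract makes the "who is listening in" question from the talk concrete.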

Posted by Eric at 09:44 AM | Marketing, Privacy/Security



April 14, 2010

Yahoo! Chat Logs Admitted Over Defendant's Objections Based on Eavesdropping Statute -- People v. Nakai

[Post by Venkat]

State v. Singh Nakai, 2010 Cal. App. LEXIS 446 (Cal. App.) (Div. 2) (April 2, 2010)

Division two of the California Court of Appeals recently rejected a defendant's argument that California's eavesdropping statute precluded the admission of Yahoo! chat logs. (Warning: the case contains strong language.)

The case arose out of chats between defendant Singh Nakai and "Coleen," who was actually 35 years old but posing (and posting) as a 12 or 13 year old in internet chat rooms.* Defendant was convicted of "attempting to send harmful matter to a minor with the intent to seduce the minor," and acquitted of trying to commit a lewd act with a minor. Defendant argued (among other things) that the Yahoo! chat logs were improperly admitted over his objection.

Section 632 of the California Criminal Code prohibits the recordation of a "confidential communication . . . without the consent of all parties" to that communication, and provides that any information obtained in violation of section 632 is not admissible in any proceeding. Section 632 defines a "confidential communication" as "any communication carried on in circumstances as may reasonably indicate that any party to the communication desires it to be confined to the parties thereto . . . . but excludes a communication made in . . . . any other circumstance where the parties to the communication may reasonably expect that the communication may be overheard or recorded." [emphasis added]

The prosecutor argued that "it was not objectively reasonable to believe that the Yahoo! chat dialogues were not being recorded, due to the dialogues being sent and received in a recorded format, i.e., writing." The prosecutor also argued that Yahoo!'s chat privacy policy undermined any reasonable expectation of confidentiality because the policy provided that Yahoo! would share information as necessary to "prevent . . . illegal activities."

The policy stated that Yahoo! could disclose information:

if [Yahoo!] believe[s] it is necessary to share information in order to investigate, prevent, or take action regarding illegal activities, suspected fraud situations involving potential threats to the physical safety of any person, violations of Yahoo!'s terms of use or otherwise required by law.

The policy also stated that participants in Yahoo! chat communications should not necessarily expect the chats to remain confidential.

The appeals court held that the chats could not reasonably be seen as "confidential": (1) the privacy policy indicated that chat logs may be shared; (2) the policy warned users that chat logs can be archived and printed by the receiving party; (3) the defendant was communicating with someone he didn't know (and could not reasonably trust); and (4) the defendant himself expressed concern as to whether the receiving party's parent would discover the communications (which reflected awareness that the communications could be viewed or printed).
__

Rather than delving into the Yahoo! chat privacy policy and how this affected the expectation of confidentiality, I'm surprised the court didn't just say that chats don't fall under the statute because chat logs are "recorded" as a matter of course by the sender and recipient, and leave it at that. No one ever asks consent to record and retain chat logs. For some reason, people always seem to equate them with telephone calls as far as whether chats leave behind a recording and whether permission is required. With respect to how this ruling may apply to other scenarios, surreptitiously obtained chat communications are often used in civil cases, such as divorce proceedings. While other laws may come into play, it looks like the California eavesdropping statute will not.

Either way, the case is a good reminder that chat logs (like texts and emails) may be admissible.

[* As I read the case I wondered about the propriety of these types of stings, and whether the legality of internet stings, including those conducted by private citizens or "investigators" was well settled. Given that the defendant didn't even raise the issue in this case, it didn't appear to be a viable argument (in California at least). As a civil practitioner, this issue is pretty far outside my realm of experience. But Cyb3rcrim3 has a post that talks about how attacks on private internet stings have played out.]

Posted by Venkat at 07:00 AM | Privacy/Security



April 08, 2010

Unmasked Judge/Commenter Sues Newspaper for $50mm -- Saffold v. Plain Dealer

[Post by Venkat]

Saffold v. Plain Dealer Publishing Co., Cuyahoga County Court of Common Pleas (filed April 7, 2010) [scribd]

A judge/commenter who was unmasked by the Cleveland Plain Dealer is reportedly suing the newspaper for 50 million dollars. (h/t ABA Journal) There are plenty of bad facts to go around, but I see an uphill battle for the plaintiff.

Background: Cuyahoga County Common Pleas Judge Shirley Strickland Saffold (or someone with access to her email, commenting as "lawmiss") allegedly left some eighty plus comments on the website of the Cleveland Plain Dealer (at cleveland.com). Some of the comments included:

All of these criminals committing crimes against women must stop. None of them should get out of prison, EVER.

Rufus Sims (lawyer of Sowell and of a bus driver convicted of vehicular homicide) did a disservice to his client. If only he could shut his Amos and Andy style mouth ... This was not a tough case, folks. She should've hired a lawyer with the experience to truly handle her needs. Amos and Andy, shuffling around, did not do it.

I'm confused. There's three stories. The first accuses Saffold of being a bully and demeaning the presence of this reporter for no reason. The second indicates that she refused to allow the Plain Dealer reporters to view the proceedings today, and the last indicates that the defense attorneys and the prosecutors agreed that the court needed to find out who the leak was, but they disagreed about the leaking spoiling the pool. What did Saffold do that was wrong??

The Plain Dealer decided to "unilaterally . . . unmask" Judge Saffold and wrote an article about the unmasking. The Plain Dealer and Judge Saffold were not on the best of terms prior to this incident. While Judge Saffold allegedly commented on pending capital murder cases, her comment dealing with the mental health of a relative of Jim Ewinger, a Plain Dealer reporter, supposedly led to the unmasking. (Wendy Davis covered this in an article here: "Cleveland Paper Unmasks Judge As Commenter".)

The Complaint: The Complaint asserts various claims based on the privacy policy (including a promissory estoppel claim), a claim for fraud, a claim for invasion of privacy/false light, and a claim for defamation.

Privacy Policy: The privacy policy claim is tough. For starters, the privacy policy is not clear that it guarantees anonymity. Second, claims for damages based on a breach of privacy policy are not very easy to make. Many recent cases rejected privacy policy-based claims for lack of actual damages (and some jurisdictions have a rule that precludes recovery for emotional damages unless a physical injury is involved). (See, for example, Pinero v. Jackson Hewitt; Bell v. Acxiom; Pisciotta v. Old National Bancorp [pdf].) There's even a case which expressly rejects a claim based on the disclosure of an email address in violation of a privacy policy. (Cherney v Emigrant Bank) Of course, all of these cases are based on the view that disclosure in itself does not cause damage, and Judge Saffold's case presents different facts. She will probably get past the damages hurdle, but she will have to deal with any provisions in the terms of service that the paper could use to undercut her claims or at least limit damages (disclaimers of warranty, limitations of liability, etc.). Her bigger challenge is to prove that the privacy policy actually guaranteed anonymity, and as Wendy's article points out, the policy envisions that the newspaper would use personal information in a variety of scenarios, including for the newspaper's own benefit.

Invasion of Privacy: The invasion of privacy claim is similarly tough because it will probably turn on whether plaintiff reasonably expected that her comments would remain anonymous. Anyone using the internet will tell you that there's no guarantee of anonymity, and in addition to the ambiguity of any guarantee in the policy, the paper will likely argue that the policy made clear that there are a variety of circumstances in which any user's personal information would be disclosed. Disclosure in response to a subpoena is obviously the classic example. Use of personal information for business purposes is another example.

First Amendment/Media Privilege Defense: At the end of the day, plaintiff will have a challenge proving that she reasonably expected some guarantee of anonymity, and even if the court finds that there was a guarantee, the newspaper could also try to invoke some sort of First Amendment/media privilege defense. It's certainly newsworthy for a judge to have commented on pending cases. While this wasn't what prompted the newspaper's unmasking of the plaintiff, this could bolster the newsworthiness argument. The fact that the judge used the same online profile to supposedly comment on a case she was presiding over (!) is extremely problematic and will cut against the expectation of anonymity. A litigant in that case certainly has a shot at discovering the identity of the commenter in order to support a recusal motion, and once the litigant figures out the judge's identity, the cat is out of the bag. The lawyers litigating the serial murder case Judge Saffold was presiding over (and allegedly commented on) are actually making this argument. ("After Web Post About Serial Murder Case, Judge Should Step Down, Lawyer Says"; "‘Lawmiss’ Comment on Accused Serial Killer Is Linked to Judge Overseeing His Case") This makes the Judge's expectation of anonymity argument that much harder. Had the newspaper found this information out from another source, the First Amendment argument would probably be a fairly strong one. However, given that the Plain Dealer doesn't seem to have the cleanest hands, I'm not sure how much mileage this will get here.
__

There are two strong facts on the other side, in the plaintiff's favor. First, the paper seems to have been engaged in a feud with her, and the reporter may have had his own personal score to settle. This will not look good for the paper. Second, media entities can't pick and choose. It certainly is arbitrary for a paper to say "we have a privacy policy and will protect your anonymity . . . except when your identity as a commenter is newsworthy, in which case we'll exploit that to our benefit." Newspapers are in a tricky position as far as commenter anonymity, and no one will reasonably think that media can have it both ways, which is what they'll have to end up arguing. Finally, while the newspaper could have disclosed the Judge's identity in response to a subpoena, that doesn't mean the paper should voluntarily disclose it in order to publish something it thinks is newsworthy (or to settle a score).

The key question here is how, why, and when the newspaper decided to check out the real identity of "lawmiss."

When all is said and done, plaintiff will finally have to actually prove damages, and suffer the additional embarrassment of a very public dispute around her comments on a newspaper website. Discovery sure is not going to be pretty. (Interestingly, the complaint cites many public statements made by the Plain Dealer. The Plain Dealer should have adhered to the "less is more" rule when making statements about potential disputes.) Regardless of how the dispute plays out, I guess it illustrates that when interacting online, people need to keep common sense at the forefront. To the extent she commented on a serial murder case she was presiding over, what was she thinking? On the other hand, what was the newspaper thinking when it decided to "check out the identity of a commenter?"

The case raises the issue of the ethical quandary inherent when a newspaper is the custodian of anonymity. To the extent the newspaper has access to the identity of commenters, there will always be the temptation to check out who particular commenters are. The newspaper in many situations ends up making the call on when to release the identity of the commenter, when to publicize it, and when to fight for anonymity. There will always be conflicting considerations and ethical issues present here.

A final note. Whether someone had the expectation of privacy when dealing with a website or social network is becoming an increasingly litigated issue. I question how useful it is to use the actual language of a privacy policy to determine the expectation of privacy. These are clunky documents that no one ever reads, much less understands. I cringe every time a court wades through a privacy policy, picking and choosing among language it thinks supports or detracts from an expectation of privacy. I blogged about a recent case where a court held that a newspaper website commenter did not waive the expectation of privacy based on language of a policy: Sedersten v. Taylor. Tom O'Toole makes a similar point in a post about another recent case, McVicker v. King: "Newspaper Website's Privacy Policy Creates Expectation of Privacy for Commenters?"

Update: I've added a few additional links below, and clarified that the comments were left with someone who shares the same email address as Judge Saffold. (Judge Saffold's daughter is taking credit for the comments, or at least some of them.) The Plain Dealer reported that someone with the same email address as Judge Saffold left the comments, and verified some of the information behind its reporting through a public records request. It reported that its public records request revealed that someone used Judge Saffold's work computer to access the paper's website at the same exact time as when someone left some of the comments.

Additional Coverage:

Courthouse News has a post which provides some good factual background: "Judge Demands $50 Million From Plain Dealer"

ABC News has a post which also contains some interesting background facts: "Judge Saffold Files $50M Suit Against Cleveland Newspaper Over Online Comments" (It looks like the Judge's daughter who is or was a law student says she was the one who made some of the comments! An Ohio law professor is also quoted as saying it would have been a "major ethics violation" for the judge to have commented on pending cases.)

Cleveland Plain Dealer: "Cuyahoga County Judge Shirley Strickland Saffold files $50 million lawsuit against The Plain Dealer and others"

Gawker: "Can Anonymous Commenters Be Outed if They Do Something Newsworthy?"

The Newsroom Law Blog had a good post about the ethics of the unmasking: "Cleveland Newspaper Unmasks Anonymous Commenter" The post makes a good point about what this may mean for future anonymity arguments asserted by the Plain Dealer on behalf of anonymous commenters. [The Plain Dealer's John Kroll comments on the post . . . fodder for discovery?]

Posted by Venkat at 08:36 AM | Privacy/Security , Publicity/Privacy Rights



April 01, 2010

Facebook Privacy Class Action Filed by Lanier Firm Voluntarily Dismissed -- Melkonian v. Facebook

[Post by Venkat]

Melkonian v. Facebook, Orange County Superior Court Case No. 30-2009-00293755-CU-BT-CJC [complaint]

In August of last year, prominent plaintiffs' lawyer Mark Lanier filed a privacy lawsuit against Facebook on behalf of a group of plaintiffs. [WSJ Law blog] [Techdirt] The complaint seemed sort of all over the place, with no core allegations of misconduct by Facebook. The fact that it was filed by the Lanier Firm (which, incidentally, has a Facebook page, as does Mark Lanier) made it noteworthy.

Curiously, the lawsuit was voluntarily dismissed with prejudice. [dismissal] It's somewhat old news (the dismissal was entered in early February), but given that there's been no public mention of it, I thought it was worth noting. If there's a backstory, I'm definitely curious about it.

Note: Although Facebook dodged a bullet by settling the Beacon class action against it, and by getting rid of this case, this is far from the end of Facebook's privacy woes. A couple of other class actions are pending against Facebook arising out of Facebook's recent revisions of its privacy settings. (Wendy Davis reports on those suits, which were recently consolidated, here.) And Facebook implemented yet another set of privacy changes, which brought about a fresh round of criticism. ("Facebook Keeps Chipping Away at User Privacy"; "Facebook Mulls Privacy Changes, Causes More Outrage".)

Posted by Venkat at 07:10 PM | Privacy/Security



March 31, 2010

March 2010 Quick Links

By Eric Goldman

Internet Exceptionalism

* Stern v. Sony Corp., CV 09-7710 PA (C.D. Cal. Feb. 8 2010) "to the extent Plaintiff is suing Sony as a manufacturer of video games, and the provider of online services, Sony is not a ‘place of public accommodation’ and is therefore not liable for violating Title III of the ADA" Nice complement to the Estavillo case. My prior post on Internet exceptionalism.

Online Competition

* Microsoft’s head algorithms guru says that Google's search engine beat Microsoft because Microsoft ignored the long tail of search queries. If Google and Microsoft made different product design choices and the marketplace liked Google's choices better, doesn’t this make it hard for Microsoft to complain about Google’s "anti-competitive" practices? I wonder if this talk was pre-cleared by Microsoft’s antitrust counsel.

* SJ Mercury News: Google's most recent 10-K lists some new self-identified competitors, including Yelp, Kayak & WebMD. By identifying some vertical players as competitors, such as Kayak and WebMD, does Google lend credence to the arguments by TradeComet and myTriggers that Google does compete with vertical search engines?

* In re eBay Seller Antitrust Litigation, 2010 WL 760433 (N.D. Cal. March 4, 2010). eBay wins summary judgment in an antitrust challenge: "Despite the voluminous briefing permitted in connection with both of the instant motions-which includes hundreds of pages of supporting documents-Plaintiffs have not drawn the Court's attention to any actual proof of antitrust injury caused by eBay's alleged anticompetitive acts-on an individual or a classwide level."

Online Pornography

* U.S. v. Beckett, 2010 WL 776049 (11th Cir. March 9, 2010). A man posed as a 17-year-old girl on MySpace and AOL, engaged boys in discussions, induced them to send nude photos, and then coerced them to have sex with him to prevent his dissemination of the photos.

* Miller v. Mitchell, No. 09-2144 (3rd Cir. March 17, 2010). This is the case where the government prosecutor threatened to bring felony charges against girls for "sexting." The court upholds a preliminary injunction against requiring the girls to go through an education program in lieu of felony prosecution.

* U.S. v. Durdley, 2010 WL 916107 (N.D. Fla. March 11, 2010). No privacy expectations in a flash drive left in a public computer.

Online Security

* Cormac Herley of Microsoft Research, "So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users." In my observations, users are actually intensely rational when it comes to privacy and security issues, and privacy and security advocates who don't fully account for this user behavior do so at their peril.

* Reuters takes a deep look at Innovation Marketing, a Russian scareware operation.

User-Generated Content

* Who does what on Wikipedia.

* Josh King explains why Avvo supports the proposed federal anti-SLAPP law.

* T.V. ex rel. B.V. v. Smith-Green Community School Corp., 2010 WL 935574 (N.D. Ind. March 11, 2010). Denying class formation for a lawsuit in response to a ridiculously harsh school suspension for a MySpace photo of ribald off-campus activity.

* Melton v. Boustred, 2010 WL 881919 (Cal. App. Ct. Mar 12, 2010). Boustred throws a ragin' party and advertises it via a MySpace open invitation. The plaintiffs showed up and were beaten and stabbed at the party by unknown assailants. The court concludes that Boustred isn't liable for the physical injuries. Note to self: stay away from parties advertised via MySpace.

* Yelp Litigation Mania!
- Cats & Dogs Animal Hospital v. Yelp first amended complaint
- LaPausky v. Yelp complaint. A write-up.
- Levitt v. Yelp complaint.
- ClickZ: Ex-Yelper Helps Law Firms Go After Yelp

Anonymity

* Park West Galleries, Inc. v. Global Fine Art Registry, LLC, 2010 WL 742580 (E.D. Mich. Feb. 26, 2010). Using an online pseudonym can lengthen the defamation statute of limitations.

* White v. Baker, 2010 WL 1009758 (N.D. Ga. March 3, 2010). Mandatory reporting of Internet usernames by registered sex offenders violates the First Amendment.

Advertising and Marketing

* ClickZ: New Facebook Policies Clamp Down on 'Loose' Ad Copy.

* Coyote Pub., Inc. v. Miller, 2010 WL 816936 (9th Cir. March 11, 2010). Upholding the constitutionality of Nevada's restrictions on advertising prostitution.

Trademark

* WSJ: It's a crowded namespace for bands.

* 1-800Contacts, Inc. v. Memorial Eye, P.A., 2010 WL 988524 (D. Utah March 15, 2010). It was not objectively baseless for 1-800 Contacts to bring a trademark enforcement action over competitive keyword advertising.

* Rhea Drysdale tells how she busted the trademark application for "SEO."

* The Utah governor has signed SB 26, which (among other things) creates a bastardized version of ACPA. My initial comments on the proposed bill.

Copyright

* James Grimmelmann on Reed Elsevier v. Muchnick.

* Ben Sheffner has some updates in the Scribd lawsuits. My initial post on Scott v. Scribd.

* Ars Technica on an experiment to block users who are using ad blocking software from accessing its site.

General

* Hudson v. University of Puerto Rico, 2010 WL 1131462 (D. Minn. March 23, 2010). Passive blog does not confer general jurisdiction.

* Doe 1 v. AOL LLC (N.D. Cal. Feb. 1, 2010). "Plaintiffs' claims for violation of the ECPA (Count I), unjust enrichment (Count VI) and for public disclosure of private facts (Count VII) are subject to the forum selection clause because none are California consumer law claims." Prior blog post.

* Commonwealth v. Interactive Media Ent’mt and Gaming Ass’n, Inc., No. 2009-SC-000043-MR (Ky. Mar. 18, 2010). Challenge to Kentucky's seizure of 141 gambling-related domain names tossed on standing grounds. Prior blog post.

Posted by Eric at 08:42 AM | Content Regulation , Copyright , Domain Names , E-Commerce , Internet History , Licensing/Contracts , Marketing , Privacy/Security , Search Engines , Trademark , Virtual Worlds | TrackBack



March 18, 2010

Beacon Class Action Settlement Approved -- Lane v. Facebook

[Post by Venkat]

Lane v. Facebook (Case No. 09-3845 RS; March 17, 2010) [scribd link]

Judge Seeborg yesterday issued an order approving the class settlement in Lane v. Facebook, the class action lawsuit arising out of Facebook's Beacon program.

Background: Shortly after the uproar around Facebook's launch of its Beacon program, a group of plaintiffs filed a class action lawsuit in the Northern District of California. Prior to this lawsuit, another group of plaintiffs sued Blockbuster in Texas, based on Blockbuster's participation in the Beacon program. Both plaintiffs asserted, among other claims, violations of the Video Privacy Protection Act, a statute which protects against disclosure of video rental records.

In Texas, Blockbuster argued that the claims should be subject to arbitration based on its terms of service. The court rejected Blockbuster's arguments on the basis that the terms of use were illusory because they contained language saying that they could freely be amended at any time. (Here are posts by Professor Goldman and Tom O'Toole on this potentially far-reaching ruling.) Blockbuster appealed this ruling.

Meanwhile, the California plaintiffs (represented by Scott Kamber) announced a settlement of their claims. The proposed settlement did not provide for monetary damages to the plaintiffs; Facebook agreed to set aside a chunk of money to fund a "privacy foundation," which would be staffed by nominees of counsel for the parties. (Here's a summary of the proposed settlement terms at CircleID.)

Once the Texas plaintiffs found out about the settlement, they moved to intervene in the California lawsuit. They argued that the two class actions should have been consolidated and that the California plaintiffs could not release claims on behalf of the class against Blockbuster, since those claims were first asserted by the Texas plaintiffs in the Blockbuster class action. Judge Seeborg denied the motion to intervene, a ruling which the Blockbuster plaintiffs appealed.

The parties engaged in a round of wrangling in the Northern District of California, and behind the scenes. Ultimately, Blockbuster settled with the Blockbuster (Harris) plaintiffs by agreeing to pay $50,000. More importantly, counsel for the two classes probably came to some sort of agreement regarding fee sharing. Counsel for the Blockbuster plaintiffs then withdrew their objections to the proposed settlement pending in front of Judge Seeborg. This left a few objections raised by individuals and public interest organizations. Judge Seeborg rejected these objections and approved the settlement.

The Court's Disposal of The Objections:

Form of Notice: One interesting objection was raised by Shan Huangfu. He argued that notice of the settlement was sent via email, was caught in his spam filter and therefore inadequate. (Here's an article by Wendy Davis flagging this objection.) I didn't pick up on this at first, but interestingly, the parties wanted to use email notice in lieu of notice through Facebook accounts, and Judge Seeborg did not agree with this. Ultimately, it looks like Facebook sent notice via email and through the potential class member's Facebook account, but did not send any paper notice. I wonder if people who cancelled their Facebook account in reaction to Beacon were more likely to fall through the cracks?

Whether The Privacy Foundation Will be Beholden to Facebook: One of the biggest objections to the proposed settlement was that the foundation created as a result of the settlement would be beholden to Facebook and wouldn't provide any public benefit. Judge Seeborg found that there had been "no persuasive showing that the Foundation will be a mere publicity tool for Facebook, or in any meaningful sense under Facebook's direct control." The foundation will initially be staffed by Chris Hoofnagle, Larry Magid, and Tim Sparapani (Facebook's Director of Public Policy and formerly Senior Legislative Counsel to the ACLU in Northern California). (Interestingly, Sparapani shares a fair amount of personal information on his publicly accessible Facebook profile.)

The Fact That No Monetary Relief Was Awarded to Class Members: Another significant objection was that the class members will not receive any compensation under the settlement (except for the named plaintiff, who would receive $10,000; two named representatives, who would receive $5,000 each; and the remaining named representatives, who would receive $1,000 each). Judge Seeborg dismissed this objection on the basis that the damages available (principally, the statutory damages under the Video Privacy Protection Act) would be "speculative at best." Because of the speculative nature of the statutory damages, and the risks inherent in litigation, the settlement as structured could be viewed as reasonable.

Observations:

1. The appeal in Harris v. Blockbuster (the Texas action) has been dismissed by the parties. However, they haven't moved to vacate the trial court's ruling so it looks like it will stay on the books. (EPIC filed an amicus brief in favor of the Harris plaintiffs: [pdf]. EPIC's page on Harris v. Blockbuster is worth checking out.)

2. There were approximately 3.6 million potential class members. 100 opted out, and 4 objected. These numbers understandably swayed Judge Seeborg. I'm surprised no one mounted a vigorous "opt out of the Beacon settlement" social media campaign. This would have probably been the most effective method to derail the settlement.

3. The plaintiffs in the California action were left in the awkward position of arguing that the lawsuit that they brought would not support the award of significant damages. In fact, Scott Kamber's declaration [scribd link] argues that it would be tough to hold Facebook liable under the Video Privacy Protection Act, among other reasons because Facebook does not fall under the statute's definition of a "video tape service provider".

4. The Harris plaintiffs were in this position as well. Additionally, the Harris plaintiffs settled separately with Blockbuster, and Blockbuster agreed to pay "Plaintiffs $22,500 and also . . . pay Plaintiffs' counsel $27,500 [in fees]." (Access the Blockbuster settlement agreement on Scribd here.) From the settlement agreement, it appears that the named plaintiffs will receive settlement payments but the remaining members of the class receive nothing. In fact, the court hearing the Blockbuster lawsuit did not approve the settlement. I suppose you could say that the Blockbuster plaintiffs were receiving these amounts for their efforts expended in representing the class, but there was no class award and no class to represent. Shouldn't the remaining Harris plaintiffs receive some compensation? Another factor here is Blockbuster's precarious financial condition.

5. Judge Seeborg deferred ruling on counsel's request for fees, asking for some additional evidence on time spent by counsel. The request for fees states that the Lane class counsel incurred $1.1mm in fees and the Harris class counsel incurred $820,000. After adjustments, between the two, they seek approximately $2.8mm in fees.

6. It's interesting that a piece of legislation passed in the wake of then-Judge Bork's Supreme Court confirmation hearing ended up being influential in this context. I doubt when the legislation was passed, Congress envisioned that the statute would be central to a significant dispute around online advertising and would result in a settlement of this scale. There's no counterpart to the Video Privacy Protection Act for magazines, books or newspapers. Just videos.

7. The Video Privacy Protection Act reared its head in another privacy dispute recently. Netflix just settled with the FTC and agreed to discontinue the sequel to its recommendation engine contest. (Forbes/The Firewall) Professor Ohm flagged the issue in a September 2009 post and urged Netflix to reconsider its decision to launch the second contest. While the settlement between the FTC and Netflix wasn't expressly based on the Video Privacy Protection Act, Scott Kamber also sued Netflix under this statute. Netflix announced on its blog that this lawsuit has been settled, but the terms have not been made public.

8. I guess someone can appeal. Public Citizen objected, maybe they will?
__

(h/t Wired's Threat Level)

Wendy Davis at MediaPost has been following this lawsuit closely. Here is a link to her article on Judge Seeborg's decision.

Posted by Venkat at 10:42 AM | Privacy/Security



March 15, 2010

Data Anonymization and Re-identification Lecture Featuring Paul Ohm, SCU, April 7

By Eric Goldman

University of Colorado law professor Paul Ohm has written one of the most provocative privacy-related papers of the past few years, Broken Promises of Privacy: Responding to the Surprising Failure of Anonymization. Using examples such as the AOL "Data Valdez" release of search logs and the NetFlix personalization contest, he shows that seemingly innocuous datasets can still become personally identifiable when combined with other data sources. This puts significant pressure on our regulatory distinctions between "personally identifiable information" and non-personally identifiable information, as the combination of datasets can convert non-PII into PII. The implications potentially shake the privacy literature to its core.
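The linkage mechanism Ohm describes, shown as an added illustration that is not code from his paper or from this blog: a "de-identified" rental table (names stripped, demographics kept) is joined to a constructed public list on the shared quasi-identifiers, and a k-anonymity check of the kind a data publisher would run before release flags the problem. Every name, ZIP code and date below is made up.

```python
"""Dataset linkage re-identification and a k-anonymity release check.

Added example for this page; not code from Ohm's paper or any project.
Both tables are constructed sample data; all values are fictitious.
"""
from collections import defaultdict

# Columns that are not names but, in combination, narrow down to a person.
QUASI_IDS = ("zip", "dob", "sex")

# "Anonymized" release: names removed, demographics plus the sensitive
# attribute (what was rented) retained. Constructed sample data.
RELEASED = [
    {"zip": "02138", "dob": "1965-07-01", "sex": "F", "rental": "Title A"},
    {"zip": "02138", "dob": "1965-07-01", "sex": "M", "rental": "Title B"},
    {"zip": "02139", "dob": "1970-02-14", "sex": "M", "rental": "Title C"},
    {"zip": "02139", "dob": "1972-11-30", "sex": "M", "rental": "Title D"},
]

# Public auxiliary source (think of a voter roll) that carries names next to
# the same quasi-identifiers. Constructed sample data.
PUBLIC = [
    {"name": "Alice Example", "zip": "02138", "dob": "1965-07-01", "sex": "F"},
    {"name": "Bob Example",   "zip": "02138", "dob": "1965-07-01", "sex": "M"},
    {"name": "Carol Example", "zip": "02139", "dob": "1970-02-14", "sex": "F"},
    {"name": "Dan Example",   "zip": "02139", "dob": "1970-02-14", "sex": "M"},
    {"name": "Ed Example",    "zip": "02139", "dob": "1972-11-30", "sex": "M"},
    {"name": "Frank Example", "zip": "02139", "dob": "1972-11-30", "sex": "M"},
]


def link_records(released, public, keys=QUASI_IDS):
    """For each released row, list the names in `public` sharing its quasi-identifiers."""
    index = defaultdict(list)
    for p in public:
        index[tuple(p[k] for k in keys)].append(p["name"])
    return [index.get(tuple(r[k] for k in keys), []) for r in released]


def reidentified(released, public, keys=QUASI_IDS):
    """Rows whose quasi-identifiers match exactly one named person.

    Returns (row index, name, sensitive value) triples: the non-PII release
    has become PII for these rows once the public list is joined in.
    """
    hits = []
    for i, names in enumerate(link_records(released, public, keys)):
        if len(names) == 1:
            hits.append((i, names[0], released[i]["rental"]))
    return hits


def k_anonymity(rows, keys=QUASI_IDS):
    """Size of the smallest group of rows sharing identical quasi-identifiers.

    k == 1 means at least one row is unique on those columns and is therefore
    exposed to exactly the linkage above.
    """
    counts = defaultdict(int)
    for r in rows:
        counts[tuple(r[k] for k in keys)] += 1
    return min(counts.values()) if counts else 0


def generalize(row, zip_digits=3, dob_level="decade", keep_sex=False):
    """Coarsen quasi-identifiers before release so more rows share the same values.

    Generalization must be applied identically to any table you compare with,
    which is why the check below coarsens the public list the same way.
    """
    out = dict(row)
    out["zip"] = row["zip"][:zip_digits] + "*" * (5 - zip_digits)
    year = int(row["dob"][:4])
    out["dob"] = str(year) if dob_level == "year" else f"{year // 10 * 10}s"
    if not keep_sex:
        out["sex"] = "*"
    return out


def release_check(released, public):
    """Summary a publisher could log before shipping a dataset."""
    return {
        "k_before": k_anonymity(released),
        "reidentified_before": len(reidentified(released, public)),
        "k_after": k_anonymity([generalize(r) for r in released]),
        "reidentified_after": len(reidentified(
            [generalize(r) for r in released], [generalize(p) for p in public])),
    }


if __name__ == "__main__":
    for i, name, rental in reidentified(RELEASED, PUBLIC):
        print(f"row {i}: {name} -> {rental}")
    print(release_check(RELEASED, PUBLIC))
```

Note that k-anonymity only bounds linkage on the chosen quasi-identifiers; a group whose members all share the same sensitive value still leaks it, and any column left out of `QUASI_IDS` (rental dates, ratings) can reopen the join.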

Paul will be presenting his research on April 7, 6-8 pm, at SCU. I've heard Paul present this paper a few times and it's always a treat. To spice things up, we'll have two commenters on his work: Cynthia Dwork, a computer scientist at Microsoft, and Chad Raphael, an SCU communication professor. The event is free, and it includes an hour of free CLE if you want it. You can register through this URL. Hope to see you there.

Posted by Eric at 09:36 AM | Privacy/Security | TrackBack



February 02, 2010

FTC Privacy Roundtable Recap

By Eric Goldman

[Introductory note: I have repeatedly criticized the FTC on this blog, and this post may implicitly criticize them as well. At the same time, I want to share a couple of compliments for the FTC. First, the FTC did a terrific job preparing for this event. For the panel I participated on, we had two official group organizing calls, plus I had at least 3 individual calls as well. I can’t recall another event which had more pre-event preparation efforts. Second, I remain consistently impressed with the dedication of the FTC staff attorneys. The FTC attorneys I've met uniformly seem to be trying to do the right thing, even if bright minds might disagree about what that is.]

Last week, the FTC held the second of three privacy roundtables at UC Berkeley. A large crowd (I estimate 200+ people) showed up, and I know that many other people watched online. Combined with my conversations with the FTC folks prior to the event, I took away a few meta-observations:

1) The FTC is Facebook-obsessed. FTC staff kept citing Facebook examples. It's clear that the FTC is paying extraordinarily close attention to Facebook.

2) The FTC has embraced the idea of "data as currency." The concept is that online services that don't make consumers pay with cash instead make consumers "pay" by providing their personal data. This didn't come up much at the second roundtable, although I understand it was a big issue at the first.

It's a little dispiriting to see this argument gain traction. I have repeatedly criticized this concept before (see my Coasean Analysis of Marketing and Data Mining and Attention Consumption articles), so I will only briefly recap its deficiencies here. Basically, the concept treats the provision of personal data as an automatic detriment to the consumer, which creates a zero-sum game—just like the transfer of cash, the service provider wins at the consumer's expense. Although consumers may suffer negative consequences from providing their personal data to service providers, the overall concept is wrong because many service provider-consumer relationships are "win-win" where both the consumer and the service provider are better off due to the data transfer. I build some economic formulas in my articles to explain these scenarios with more rigor. Win-win can occur, for example, if the service provider can provide better services to the consumer based on access to personal data. Personalized search is one example. Ultimately, any policy proposals predicated on treating data as currency are likely to overregulate by reducing or eliminating potential win-win scenarios.

3) The term "privacy enhancing technologies" or PETs lacks a consensus definition. Because we didn't agree on what qualifies as a PET, we couldn't determine if they had been successful or not.

Construed narrowly as add-on technologies that guard against specific vectors of privacy intrusions, it's clear that PETs have failed as a mass-market offering. Hardcore privacy folks may seek out tools that advance their interests, and they may even be willing to pay for those tools, but most folks don't care enough to pursue such solutions--even those available for free. (I highlight this tension in my 2002 Forbes editorial.)

However, if we construe PETs more broadly, they have been massively successful. For example, I would consider anti-spam/anti-spyware/anti-virus software as PETs. Obviously those software programs have other benefits, such as security protection, but they solve a variety of privacy-related problems too. For example, my Gmail spam filter learns my preferences and, over time, blocks some types of unwanted emails (such as repeat emails meant for other “egoldman”s like Emma Goldman) from showing up in my in-box. Similarly, PETs have been incorporated into the browsers and provide default protection to their users. If we can get past the one-off single-vector conception of PETs, we may find lots of successful examples.

4) The online "privacy" dialogue hasn't advanced very far in the past 15 years. I felt like much of the 2010 roundtable's discussion would have been apropos 15 years ago. For example, instead of discussing cookies in 1995, in 2010 we are discussing flash cookies and supercookies. There's no real difference in the underlying principles; we're simply at a new point in the technological arms race. Just like technology evolved to provide user control over cookies, it will eventually catch up to flash cookies and supercookies and super-duper-cookies or whatever the next iteration of persistent client-side identifiers is called. Unless we look past the specific technological implementations and focus on broader concepts, we are doomed to repeat the same conversations.

5) Due to the semantic ambiguity of the word "privacy," "privacy" inquiries are guaranteed to fail. Ultimately, I found much of the roundtable discussion unenlightening because the "privacy" umbrella is too broad and ambiguous. From my perspective, the term "privacy" is always fatally ambiguous to any productive conversation; I just don't understand what it means. As a result, at the roundtable, panelists were simultaneously discussing privacy, security, anonymity and a variety of other concepts. The result was a jumbled doctrinal mess and a lot of talking past each other.

At the same time, the "privacy" umbrella hindered the inclusion of non-privacy concepts that might have helped overcome the deja vu tendency. The panel titles were:

Panel 1: "technology and privacy"
Panel 2: "privacy implications of social networking and other platform providers"
Panel 3: "privacy implications of cloud computing"
Panel 4: "privacy implications of mobile computing"
Panel 5: "technology and policy"

My latest project on reputation is relevant to the issues discussed at the roundtable, but where does "reputation" fit into these panels? Everywhere--and nowhere. Similarly, I was hoping to discuss the implications of 47 USC 230(c)(2), the immunization for filtering technologies, but where does that fit in? I hoped to discuss it in the first panel but we ran out of time. Using a classic "privacy" structure for the discussion implicitly stifles these important non-privacy considerations from emerging. As a result, this structure almost guarantees a "same old, same old" discussion by precluding new concepts from joining the discourse.

Before the panel, lame-duck Commissioner Pamela Jones Harbour gave some opening remarks. She expressed displeasure with Facebook's resetting of privacy defaults and disagreed with Mark Zuckerberg's quoted remarks that the technology change reflects emerging social attitudes. She also gave a lengthy shout-out to Paul Ohm's paper on de-anonymization/re-identification of non-PII. Note that we will have an evening panel event featuring Paul Ohm at SCU on April 7. Please put that on your calendar now. Paul's paper is already affecting the considerations of FTC Commissioners; come hear what the fuss is about.

After Commissioner Harbour, David Vladeck (head of the FTC's Bureau of Consumer Protection) gave some opening remarks as well. He summarized three conclusions from the first roundtable:

* Consumers don’t understand commercial information-collection practices (ex: data brokers, behavioral targeting).
* Lengthy privacy policies aren’t effective, but privacy disclosures are important.
* Consumers care about privacy.

He concluded his remarks with an ominous threat. He noted that the FTC continues to bring privacy-related enforcement actions, and in particular (a quote from his prepared remarks) "we are currently examining practices that undermine the effectiveness of tools consumers can use to opt out of behavioral advertising, and we hope to announce law enforcement actions in this area this year." I'm not sure what this means. Perhaps the FTC is fed up with NAI's behavioral ad network opt-out tool? I have not been able to make the tool work properly for years.

Finally, I'll mention a few thoughts from the social networking panel, which featured Erika Rottenberg of LinkedIn, Nicole Wong of Google and Tim Sparapani of Facebook. Given all the Facebook-bashing throughout the day, Tim was in the hot seat!

One of Tim’s talking points was that 35% of users customized their privacy settings in response to Facebook's privacy default resetting and its subsequent requirement that they review the settings. 35% user participation would be a remarkably high percentage for any website, and it’s incredible for Facebook with 350M claimed users.

Tim's other talking points didn't go over as well. He claimed that there are no barriers to entry for other social networking sites. This is technically true but woefully incomplete. It could very well be that the optimal number of social networking sites that consumers can actively embrace is precisely one, and there are good reasons to believe that social networking sites experience powerful network effects. See, e.g., Reuters' article about the tipping point between MySpace and Facebook.

Further, although the friendship relations are sticky, Facebook’s real stickiness comes from the self-published content on Facebook that cannot be exported to another site. Tim completely chunked the question about data portability from Facebook, slavishly espousing his talking point that Facebook will delete user accounts on their request--a non-sequitur that made most people in the audience quietly groan. We all understand that Facebook will kill content upon request, but the question on the table was how Facebook will allow users to move their extensive content to a competitor. Tim ducked that question because Facebook doesn't enable it. Facebook does not offer a front door for data portability, and Facebook has been shutting down the backdoor by suing folks like Power.com who try to create an unsanctioned portability method. To be clear, I'm not 100% convinced that Power.com is the good guy in that dispute, but I'm pretty confident that Facebook doesn't tolerate backdoor data portability.

Even so, I think Facebook's biggest threat is itself. Few users will get so mad that they will delete their accounts (I still have my Orkut and Friendster accounts, for example). Instead, Facebook should be concerned that users will simply reduce their usage because they get burned out or lose trust in Facebook. Ultimately this will cause users to migrate elsewhere, so the end game for Facebook could be a whimper, not a bang.

As an example of this latter phenomenon, Tim’s talking points claimed that Facebook gives users control over whom they share each piece of data with, at the time they publish it. He rightly praised this granularity but I am still grumbly that Facebook killed the setting that kept my comments and likes off my profile page. Now, if I don't want those items to show, I have to manually delete each one. So I do have control over my publications as Tim touted, but the additional transaction costs cause me to comment on and like other posts less frequently than I used to. This seems like more of a bug than a feature in my book.

In contrast to Facebook, Nicole Wong hammered the point that Google embraces data portability and builds it into the design of many of its services. As she said (I'm paraphrasing her), because users can leave with a click, we have to be better with every product every day, and it makes us build better products. That's the spirit! Facebook, are you listening?

Posted by Eric at 04:04 PM | Internet History , Privacy/Security | TrackBack



January 19, 2010

4th Amendment Updates in the State Courts

The US Supreme Court is not the only Supreme Court to recently focus on 4th Amendment privacy issues critical to technology.

By Ethan Ackerman

This blog recently covered the US Supreme Court's decision to hear a 4th Amendment case dealing with texting privacy. While technology privacy cases are fairly rare at the US Supreme Court level, many of the 50 states' highest courts have dealt with similar issues recently. The waning months of 2009 saw three fairly important state-level 4th Amendment cases that could potentially have a big impact on electronic and online privacy.

Searching Suspects' Cellphones

In December, the Ohio Supreme Court addressed the searches of an arrestee's cell phone. In a 4-3 split, the court held that police searches of a suspect's cell phone, even though incident to the suspect's arrest, required a warrant. The court's decision grappled with the scope of 'a search incident to arrest,' which is one of the few exceptions to the warrant requirement the 4th Amendment usually imposes. Susan Brenner helpfully lays out the details surrounding the exception and its scope here. The court noted that federal courts were split on the issue; the Supreme Court hadn't addressed cell phones or anything similar. So the court proceeded to look at the underlying justification for the exception (officer safety, evidence protection). The court held that the exception wasn't necessary and ruled that a warrant was necessary to protect the private and extensively detailed personal information cell phones often hold.

It's perhaps an understatement to say that this area of the law isn't settled, and the Ohio court's focus on two federal cases is just a small chunk of the universe of cases on this issue. In-house counsel at the Federal Law Enforcement Training Center has helpfully catalogued the cases on this issue. So is the outcome sensible? Orin Kerr is a bit skeptical, but as of yet undeclared.

In a necessary reminder that the 4th Amendment matters even in non-criminal cases, the Mississippi ACLU has taken a civil case over a student's expulsion stemming from a cell phone search.

Fourth Amendment Protection for Records Held by Third Parties

The second state Supreme Court case, Colorado v. Gutierrez, doesn't occur online or even address online activities. It's about the impropriety of a (paper) search warrant for the (paper) tax records kept in the (physical) office of a tax preparer. Politicizing it just a smidge, the prosecutor in the case is running for the US Senate, and the taxpayer in the case was a Mexican immigrant. But the case's principal issue, whether information stored with a 3rd party retains 4th Amendment protections, is one of the core issues of online privacy. Facebook, Google Docs, every other "cloud" service, Skype, Hotmail, Google chat, Verizon wireless voicemail, and even Quicken all are 3rd parties holding private communications and information generated by their users. While privacy policies and state and federal statutes grant (or deny) some protections to this information, the 4th Amendment remains the cornerstone of much of the protection this information has. Several past US Supreme Court cases on the 4th Amendment have latched onto the "3rd party" present in these types of relationships to sometimes find that there was no reasonable expectation of privacy in information given to the 3rd party and thus no 4th Amendment protection. This phenomenon was common enough to get its own name as a legal doctrine - the '3rd party' doctrine. 4th Amendment scholar Orin Kerr recently published a law review article mostly praising the doctrine, and skillfully addressing its applications and shortcomings in the online world.

One of the major exceptions to the 3rd party doctrine is when a statute or protected type of relationship may still preserve a reasonable expectation of privacy despite transmission to a 3rd party. Evidentiary privileges like the attorney-client or marital privilege are examples of this. Less clear is the degree to which statutes protecting privacy may preserve the expectation. The Supreme Court has occasionally found statutes insufficient to protect the expectation (e.g. US v. Paynter, the Bank Secrecy Act was an insufficiently privacy-protecting law) but hasn't to my knowledge yet found a statute sufficient.

In Colorado v. Gutierrez, the Colorado Supreme Court found the federal and state laws protecting the privacy of tax records were sufficient to create a reasonable expectation of privacy in those records, even though they were held by the 3rd party tax preparer. Will a court hold that ECPA's protections for email, or the SCA's protections for chat logs or a Google doc, are sufficiently similar and strong to create a reasonable expectation of privacy in those records?

GPS Tracking of Vehicles

The third recent case is really a trilogy of recent state cases on GPS tracking of vehicles. Long ago in the 1990's, GPS tracking was a world of cops and scorned spouses sticking bulky devices under cars. In the past decade, with the (government-mandated) addition of GPS tracking to cellphones and their increasing ubiquity, the prospect of after-the-fact and real-time tracking of a person's every move is closer now than it's ever been. How state courts handle these three car cases might give us some clues to how they'll handle the phone cases in the next few years.

New York, Wisconsin and Massachusetts went three different ways on the issue: finding, denying, and punting on 4th Amendment protections. Jeff Bone does an excellent summary of all three cases on his employer's blog, so I'll just point you there. To give you a flavor of how the issue splits across the country and between different federal Circuits, read an earlier email of mine helpfully archived on the internets. Once again, go-to scholar Orin Kerr also has thoughts on the general issue. Continuing its record as the best place on the internet for intelligent comment debates, Concurring Opinions is host to a 2008 comments debate between Kerr and fellow scholar Renee Hutchins on the issue.

Posted by Ethan Ackerman at 09:48 AM | Privacy/Security | TrackBack



January 18, 2010

File Names Can Help Predict File Content in Child Porn Prosecution--US v. Beatty

By Eric Goldman

United States v. Beatty, 2009 WL 5220643 (W.D. Pa. Dec. 31, 2009)

This is a child porn prosecution. Using Phex P2P software, an undercover investigator accessed the Gnutella network and conducted searches using search terms known to be used by child pornographers. The investigator identified IP address 76.188.64.82 with 11 files with troubling titles such as:

* r@ygold-pedo-13yo brother fucks 11yo sister and sperm inside 61943812.mpg
* (Pthc) 14yo Isabel-(Rape and Fuck) (R@ygold).mpg
* Little young girl hardfucked by me-7 yrs R@ygold illegal pedo sex.mpg
* (Hussyfan) (pthc) (r@ygold ) (babyshivid) Jessica 11y o get fucktgood.mpg

The investigator then matched hash tag fingerprints of the 11 files with child porn files in a database maintained by the Wyoming Internet Crimes Against Children (ICAC) Task Force. Subsequently, the investigator connected Beatty to the IP address. Based on this information, the government got a search warrant for Beatty's home, found hundreds of incriminating files on his home computer, and got incriminating statements in an interview.

Beatty challenged the government's right to search his home computer. The judge and the litigants agree that the government can legally conduct remote warrantless searches of P2P share directories, but the government apparently argued that they were free by extension to look through Beatty's entire computer. The judge rejected such a broad position, saying:

even if the Defendant suffered no Fourth Amendment intrusion by virtue of Trooper Pearson's conduct in remotely accessing certain shared computer files, the Defendant nevertheless retained a reasonable expectation of privacy in his computer and his home such that he possesses "standing" to challenge the merits of the subject search

This shifts the inquiry to the officers' probable cause for the warrant. Apparently, the investigator did not download the files to review them or attach the files as evidence when requesting the search warrant. I'm not sure why the investigator didn't do either step other than to avoid the toxicity of child porn generally. As a result, Beatty challenged the warrant because the warrant-approving magistrate did not see the files directly or get an affidavit from the investigator stating what he saw in the files. However, the magistrate did have the file names and the matching hash tags. Beatty challenged both.

The judge and the litigants agree that file names do not dispositively predict the actual file's content. As we know, file names can be inaccurate for a variety of reasons: plain error, semantic ambiguity, an effort to surreptitiously install malware, and as a way of increasing the content's perceived illicit value (see, e.g., the discussion in the uncited Perfect 10 v. ccBill case about websites with names like "illegal.net" and "stolencelebritypics.com"). The court correctly concludes that "common knowledge dictates that actual file content cannot be definitively determined from the file name alone."

Nevertheless, the court says that file names have some predictive value:

one can also envision circumstances where the file name is so explicit and detailed in its description as to permit at least a reasonable inference as to what the actual file is likely to show. Many, if not most, of the files at issue here had titles that contained highly graphic references to specific sexual acts-including ejaculation, sexual intercourse, oral sex, and anal sex-involving children ranging in age from 7 to 13 years. Several of the files also reference terms such as "child_sex," "pedofilia," "illegal pedo sex," "incest," or "Lolita." The unmistakable inference which arises from such highly descriptive file names, is that the content includes material pertaining to the sexual exploitation of children-i.e., evidence of criminal activity, if not outright contraband. Given the number of files in question and the pointed references in their titles to specific sexual acts involving young children-described in the most coarse and vulgar terms, this inference is a strong one.

I'm reminded of the admonishments that airport security is not a joking matter, so don't make jokes about having a bomb while going through the airport security line. (I've seen a few airports, including the New Orleans airport, post reminders about this). Similarly, child porn is so toxic that no one in their right mind would falsely use a file title suggesting the file is child porn.

The judge also credits the file titles because accurate file titles enable searches by others. So, if you want to distribute child porn in a searchable way (a seemingly illogical proposition because, as this case illustrates, doing so puts you on a fast track to Club Fed), then you need to use keywords that match search terms. The court says:

As a matter of common sense, the very fact that individuals utilize search terms with P2P software to produce results (i.e., file names) consistent with their chosen search terms suggests a substantial degree of correlation between file names and file content; if file names were, as a general rule, completely random and bearing no relation whatsoever to their content, then there would be no point in conducting a search in the first place and the whole purpose of peer-to-peer file sharing would be frustrated because there would be no meaningful method for locating the sought-after file content.

I agree with this only superficially. It's true that searchable metadata must have some relationship to the underlying content to make a successful match, but community outsiders might think the metadata looks inaccurate or even completely random. Consider how Napster users used alternative spellings to route around the court-ordered blocks on various names. Now, go one step further: if a group of Napster users agree (in an offsite discussion forum) to tag Britney Spears' songs using "Lolita" (a not wholly inappropriate appellation given some of the videos she made before the age of majority), then a block on searches for "Britney Spears" will eliminate an obvious matchmaking route but will fail to stop matchmaking completely. Indeed, subcommunities can develop multiple synonyms that are opaque to outsiders. For more on this, look at the Urban Dictionary to see how slang can have multiple meanings, and note my article on how a single search term can have dozens of possible meanings. As a result, the search matchmaking process may be more complicated--and the value of "accurate" file descriptors is lower--than the court contemplates.

In any case, it wasn't clear how much traction Beatty expected from reducing the predictive value of file names. Ultimately, the search warrant was issued based on the combination of the file names with the fingerprint matches. It's not like the investigator or the judge had no idea what the files might contain--they had a hash value fingerprint matching a known child porn file. (Beatty unsuccessfully argued that the underlying fingerprinted files should not be credited as known child porn.) Then again, there is no reason why law enforcement isn't routinely preserving copies of suspect files they think are child porn and describing the file contents (or submitting the files) when seeking search warrants, easy steps that would have largely mooted Beatty's challenges.
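The evidentiary distinction the court draws, between what a file name suggests and what a content hash confirms, is the same one a forensic examiner makes when triaging a share directory. The following is an added example (not code from the case, the investigator, or the ICAC task force) that puts the two indicators side by side: a file whose name carries a flagged keyword but whose content matches nothing, two files with different names but identical content, and a file with an innocuous name whose hash does match a reference set. Gnutella advertises files by their SHA-1 digest in Base32 form (the `urn:sha1:` identifier), which is the fingerprint the investigator would have matched. The sample contents, the reference hash set and the keyword list are all constructed placeholders.

```python
import hashlib
import base64

# Constructed sample "files": name -> content bytes. None of this is evidence
# from the case; the contents are arbitrary byte strings.
SAMPLE_FILES = {
    "vacation_photos_2009.mpg": b"constructed sample content A",   # innocuous name
    "flagged-term clip 01.mpg": b"constructed sample content B",   # flagged name
    "flagged-term clip 02.mpg": b"constructed sample content B",   # same content as 01, different name
    "flagged-term clip 03.mpg": b"constructed sample content C",   # flagged name, content unknown
}

# Constructed reference set standing in for a task-force hash database. In
# practice these digests are supplied externally; here they are derived from
# sample contents A and B so the example runs offline.
KNOWN_SHA1 = {
    hashlib.sha1(b"constructed sample content A").hexdigest(),
    hashlib.sha1(b"constructed sample content B").hexdigest(),
}

# Constructed keyword list standing in for the search terms an investigator uses.
NAME_KEYWORDS = ("flagged-term",)


def gnutella_urn(data: bytes) -> str:
    """Return the urn:sha1 identifier Gnutella uses to advertise a file:
    the SHA-1 digest of the content, Base32-encoded (32 characters)."""
    digest = hashlib.sha1(data).digest()
    return "urn:sha1:" + base64.b32encode(digest).decode("ascii")


def name_suggests(name: str) -> bool:
    """Weak indicator: does the file name contain a flagged keyword?"""
    lowered = name.lower()
    return any(keyword in lowered for keyword in NAME_KEYWORDS)


def hash_matches(data: bytes) -> bool:
    """Strong indicator: does the content's SHA-1 appear in the reference set?"""
    return hashlib.sha1(data).hexdigest() in KNOWN_SHA1


def triage(files: dict) -> dict:
    """For each file, record both indicators and the evidentiary basis:
    'hash-confirmed' when content matches the reference set (whatever the name),
    'name-only' when only the name is suggestive, 'no-indicator' otherwise."""
    report = {}
    for name, data in files.items():
        by_name = name_suggests(name)
        by_hash = hash_matches(data)
        if by_hash:
            basis = "hash-confirmed"
        elif by_name:
            basis = "name-only"
        else:
            basis = "no-indicator"
        report[name] = {
            "name_hit": by_name,
            "hash_hit": by_hash,
            "basis": basis,
            "urn": gnutella_urn(data),
        }
    return report


if __name__ == "__main__":
    for name, row in triage(SAMPLE_FILES).items():
        print(f"{row['basis']:15} name_hit={row['name_hit']!s:5} "
              f"hash_hit={row['hash_hit']!s:5} {row['urn']}  {name}")
```

Run as a script, the report shows clip 01 and clip 02 sharing one URN despite different names, clip 03 resting on its name alone, and the "vacation" file confirmed by hash despite a name that would never surface in a keyword search. That last row is the reason a warrant application built on preserved files and hash matches is on firmer ground than one built on titles.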

Posted by Eric at 10:23 AM | Content Regulation , Internet History , Privacy/Security , Search Engines | TrackBack



December 27, 2009

November-December 2009 Quick Links, Part 2

By Eric Goldman

Copyright

* Want Ad Digest Inc. v. Display Advertising Inc. (N.D.N.Y. Sept. 3, 2009). A classified ads publisher wants to stop a competitor from republishing its classified ads. The court said that advertisers, not the publisher, generally own the copyrights to each individual ad, but the publisher claimed it had edited those ads sufficiently to claim a copyright interest in them as well. This factual allegation prevented summary judgment. The publisher also claimed a compilation copyright based on the organization of individual ads into various headings and subheadings. The court said that the placement of ads within headings and the headings themselves weren't protectable. The organization of subheadings might support a compilation copyright, but the republisher didn't use the same organization and therefore didn't violate any compilation copyright. A little-known fact: one of my key summer associate projects in 1993 was to analyze republication of classified ads. Note to my assigning attorney: it may be 16 years later, but I think I got my analysis right!

* Moberg v. 33T LLC, 08-625(NLH) (D. Del. Oct. 6, 2009). Publication of a photo on a German website does not constitute "publication" in the United States sufficient to require the copyright owner to register the photo before suing for copyright infringement in a US court.

* Sony v. Tenenbaum. Downloading copyrighted works via peer to peer software isn't fair use (something we already knew from BMG v. Gonzalez), but it might have been a closer call with a better litigation strategy by the defense.

* Rebecca on EsNtion Records v. TritonTM, an impressive copyright infringement and 1202 defense win.

Virtual Worlds

* The FTC thinks virtual worlds should clean up their act to keep kids away from online porn.

* GameSpot: Estavillo has appealed his loss in the Sony case and expanded his litigation to Microsoft and Nintendo.

* Prof. Miriam Cherry on employment law issues in virtual worlds.

Defamation

* Marine Pile Drivers, LLC v. East Coast Marine Pile Drivers, LLC, 2009 WL 3753526 (W.D. La. Nov. 9, 2009). Allegedly defamatory blog post gives rise to jurisdiction in the plaintiff's home court.

* Salyer v. The Southern Poverty Law Center, Inc., 2009 WL 4758736 (W.D. Ky. Dec. 7, 2009). The CMLP page. Subsequently linking to and referencing an allegedly defamatory online article does not reset the statute of limitations under the single publication rule.

* Colette Vogele put together an excellent presentation discussing plaintiff-side considerations when pursuing anonymous posters.

Miscellaneous

* The Feds dropped their appeal in the Lori Drew case, finally bringing to an end a case that never should have been brought.

* The FTC and other agencies have promulgated model Gramm-Leach-Bliley privacy policies. Five years in the making and battle tested by consumers. The instructions are pretty specific about font size, font color, page orientation, etc. Although the tabular format should make scanning the notices easier, it will be interesting to see if these notices actually do a better job than the current notices on any dimension that matters.

* LA Times: An in-depth look at Facebook's “judicial system.”

Posted by Eric at 08:41 AM | Content Regulation , Copyright , Privacy/Security , Virtual Worlds | TrackBack



December 15, 2009

When the Supreme Court gets in your inbox

The Supreme Court agrees to review one of the very few Circuit Court opinions finding 4th Amendment protection for in-box content. Should netizens tremble or rejoice?

By Ethan Ackerman

The Supreme Court has agreed to hear an appeal by a California city from an earlier 9th Circuit ruling finding the city had violated the Constitutional and statutory rights of one of its police officers by recovering and reading the officer's pager text messages. While some appellate commentators expected the Supreme Court to take the case, many 4th Amendment scholars (and this author) were surprised by the Court's action in granting certiorari in the case of USA Mobility Wireless, Inc. v. Quon.

The Quon case is notable because it contains two major issues: the 4th Amendment privacy issue and the somewhat unique issue surrounding employer monitoring when the employer is also the government.

The latter aspect had previously driven much of the attention focused on the Quon ruling. In fact, 4th Amendment scholar Orin Kerr even suspects it is the public employee legal standard dispute that may be driving the cert. grant, especially in light of the arguments and authors of the dissent.

Prior to the Supreme Court's action, most of the legal commentaries and even a majority of the web search results for the case were from employer-side law firms telling their clients that private sector employee monitoring was still OK. For example:

* NelsonMullins attorneys, in an article oxymoronically titled "Employer Monitoring Best Practices," informed their clients that there was no need to change "the surveillance approach used by U.S. employers."

* Greenberg Traurig reminded all employers that "electronic communications policies must be drafted and implemented to effectively eliminate any reasonable expectation of privacy," and that it was advisable to preemptively obtain employee consent to the disclosure of employee communications, even on 3rd-party services. However, Greenberg Traurig also pointed out the "limited direct applicability to private employers" of the case.

* Proskauer Rose explained that the "decision appears to change very little for private employers who wish to review employee communications stored on, or sent through, their own servers and computers" but also (regretfully?) concluded that federal law does "limit employers’ ability to request from third-party providers the contents of employees’ electronic communications."

* Foley & Lardner attorneys undercut the certainty of their recommendations, including that "text messages should be included in monitoring policies," by confusing cellphones and old-fashioned alphanumeric pagers in their discussion of the case.

Even much of the media coverage of the Supreme Court's decision to review the case focuses on the government employer-employee aspect, with both the LA Times and CNN devoting significant discussion to the fact that it was Quon's boss doing the reading and Quon was a police officer (salaciously) using department property.

Warning, a brief blogger-criticizes-some-mainstream-journalism rant: You'd think that a major news organization like CNN, able to employ someone with the presumably competent title of "CNN Supreme Court Producer," wouldn't get fundamental elements of this story wrong. The Court pointedly did not "accept[] a pair of appeals on this free-speech and privacy dispute" - it denied one and granted one. And "free speech dispute?" There's nothing remotely free speech about this case.

Employment law issues aside, this case is, at its core, a classic 4th Amendment case addressing when someone has a reasonable expectation of privacy in a communication. Quon's holding is notable for two things: (1) it finds a fairly expansive protection of 4th Amendment rights in electronic communications, and (2) it's one of a very small number of Circuit Court cases to do so. Rare cases like this can be privacy gold - they effectively stand until the Supreme Court reverses them. Further, because there are so few cases on the issue, a circuit split or other conflict is unlikely to occur, lessening the chance of Supreme Court reversal. This fact alone is reason for fans of an expansive 4th Amendment to be wary of any Supreme Court review.

Posted by Ethan Ackerman at 09:49 AM | Privacy/Security | TrackBack



December 14, 2009

Online Commenter Did Not Waive Right to Anonymity by Agreeing to News Website's Privacy Policy -- Sedersten v. Taylor

[Post by Venkat]

Sedersten v. Taylor, 2009 U.S. Dist. LEXIS 114525 (Case No. 09-3031-CV-S-GAF) (W.D. Mo. Dec. 9, 2009).

A Missouri district judge rejected a plaintiff's attempt to unmask an online commenter based in part on the argument that language in the website's privacy policy resulted in a waiver of anonymity.

Plaintiff allegedly suffered injuries at the hands of defendant Taylor. Plaintiff sued Taylor, the City of Springfield, and its chief (the claims against the city and the chief were based on theories of negligent hiring and retention). The Springfield News-Leader published an article about the incident in question and the prosecutor's decision to drop charges against Taylor. A commenter "bornandraisedhere" criticized the prosecutor's decision. Plaintiff issued a subpoena to the News-Leader requesting the identity of the commenter.

The court rejected plaintiff's motion to compel the production of information sufficient to identify "bornandraisedhere." The court found that the sought-after information was cumulative, and that the identity of "bornandraisedhere" would add little to plaintiff's argument (that the city negligently hired Taylor).

Plaintiff argued that "bornandraisedhere" waived any right to anonymity by agreeing to the terms of the News-Leader's privacy policy, which provided that the News-Leader:

reserve[s] the right to use, and to disclose to third parties, all of the information collected from and about [users] while [users use] the Site in any way and for any purpose . . . .

I haven't seen the waiver argument come up in online anonymity cases. It came up in oral argument in the Brodie case but the court did not mention this argument in its opinion. (See coverage by Citizen Media here). Courts in other contexts (e.g., employer monitoring, government surveillance, attorney-client privilege) have looked to the operative terms or policies to determine whether there's an expectation of privacy. (See Jennifer Granick's discussion of Quon v. Arch Wireless here, Jeff Neuburger's discussion of Alamar Ranch, LLC v. County of Boise here (imputed knowledge of employer monitoring results in waiver of attorney-client privilege), and PogoWasRight's discussion of the Oregon case involving gmail/Fourth Amendment notice here.) Here, despite a policy which allowed for disclosure, the court found that there was no waiver. Among other reasons, the court relied on the fact that the provision governing disclosure was buried in a privacy policy which the commenter probably did not read in the first place. The online anonymity cases (which involve the First Amendment right to anonymity) present slightly different issues than the employer and government surveillance cases, but in any event, as Jennifer Granick notes in her post about Arch Wireless, "user consent to access for some purposes [should not destroy] the expectation of privacy for every purpose."

Kudos to the News-Leader for spending the resources to protect the privacy of "bornandraisedhere," notwithstanding the News-Leader's extremely open-ended privacy policy. (Websites typically retain the right to disclose personal information in response to subpoenas or law enforcement requests, but the News-Leader's policy allows it to disclose personal information "in any way and for any purpose.")

Related: The Supreme Court today accepted review of the Arch Wireless case, which involved a public employee's privacy rights in text messages. (See coverage by the LA Times here.) Also, the EFF is pursuing a claim for attorney's fees (under a California statute) against a company who is trying to out an anonymous commenter: "USA Technologies Attempts to Out Anonymous Online Critics, Runs Into New California Fee Statute."

Posted by Venkat at 02:46 PM | Privacy/Security



December 11, 2009

Court Rejects Computer Fraud & Abuse Act Claim Based on Unsolicited Text Messages--Czech v. Wall Street on Demand

[Post by Venkat]

Czech v. Wall Street on Demand, Inc., No. 09-180 (DWF/RLE) (Dec. 8, 2009).

A Minnesota district judge rejected claims brought under the Computer Fraud and Abuse Act based on the receipt of unsolicited text messages. There's not much to the facts, except that plaintiff received unwanted text messages from Wall Street on Demand, Inc. She did not have a prior business relationship with WSOD. She (vaguely) alleged that she incurred fees and charges related to her receipt of these messages. Based on her receipt of unwanted text messages, she filed a claim against WSOD alleging violations of the Computer Fraud and Abuse Act and state statutes.

The Court's Ruling: The court dismisses plaintiff's amended complaint in an order that helpfully provides a summary of the Computer Fraud and Abuse Act (and recent 2008 tweaks) as it's used in the civil context. Plaintiff brings three possible claims: (1) a claim for obtaining information from her phone; (2) a claim for transmitting information or code through her phone; and (3) a claim for "accessing" her phone.

Information Claim: The court rejects the information-based claim because there's no information that WSOD allegedly obtained through accessing the plaintiff's phone. Plaintiff analogizes to websites and argues that any time someone sends a message to a mobile phone, information is "obtained" in the same way that information is obtained any time someone accesses a website. The court rejects this analogy, finding that "there is a fundamental difference between viewing websites and communicating with wireless devices such as cell phones by sending text messages." Even if the transmission of an unwanted text message somehow resulted in the "obtaining of information," the court concludes that there's no loss as a result of defendant having obtained the information.

Transmission Claim: The transmission claim requires plaintiff to allege that WSOD caused the transmission of code or information and as a result "intentionally caused damage without authorization" to plaintiff's device. The complaint fails on both counts. There wasn't a credible allegation of damage (there was no allegation of impairment to the machine) or of WSOD's intent to cause the damage.

Access Claim: The court rejects the access claim since plaintiff does not adequately allege that the unauthorized access was intentional.

My Take: The Computer Fraud and Abuse Act is an often abused statute, and this seemed like another example of a situation where the statute is being stretched to fit conduct or harm that was not intended to be covered by the statute. I was surprised that plaintiffs cited to the Lori Drew case [link], which many people view as a classic example of stretching the statute to its breaking point. In some ways this case is reminiscent of ISPs using the Computer Fraud and Abuse Act to attack spam. Some courts were open to this; other courts expressed reservations about the applicability of the Computer Fraud and Abuse Act to spam. See, e.g., America Online, Inc. v. National Health Care Discount, Inc., 121 F. Supp. 2d 1255, 1275 (N.D. Iowa 2000) ("A disturbing issue is whether subsection (a)(5)(c) is intended to address UBE at all.").

The case is also somewhat reminiscent of Abrams v. Facebook, a lawsuit based on the fact that Facebook sent SMS messages to cellphone numbers provided by its users and would keep sending those messages even if the cellphone number changed owners. In a lengthy article, Prof. Goldman discussed the weaknesses of using phone numbers as identity authenticators.

Advice to plaintiffs. If the court dismisses your complaint, come back with additional facts. Do not merely add what the court here calls "background discussion" about the issue you are complaining about. In five or six separate instances, the court mentions the fact that the amended complaint is just a bulkier, more "dressed up version" of the old complaint . . . with no new facts. At a broader level, the court's understandable skepticism towards the damage claims in this case illustrates how difficult it is to bring claims based on unsolicited marketing communications (whether received via your phone or your computer).

Advice to defendants. Transmitting unsolicited text messages is not free of risk. The Telephone Consumer Protection Act is one possible avenue for plaintiffs, and courts are not always deferential to broadly (and poorly) worded opt-ins. (See Eric's post on Satterfield v. Simon & Schuster here.)

Posted by Venkat at 12:27 PM | Marketing , Privacy/Security , Spam



December 03, 2009

Claims Brought by Express Scripts Data Breach Plaintiffs Rejected on Standing Grounds -- Amburgy v. Express Scripts, Inc.

[Post by Venkat]

A federal court in Missouri recently rejected a class action brought by consumer plaintiffs on standing grounds. Given the long line of consumer plaintiffs who have suffered a similar fate, I thought this case was somewhat unexceptional, but I think it's worth mentioning for a couple of reasons. (Amburgy v. Express Scripts, Inc., Case No. 4:09-CV705 FRB; Nov. 23, 2009 (E.D. Mo.). Access a copy of the order at scribd here.)

Consumer plaintiffs who have tried to bring claims arising out of data breaches have all pretty much failed, unless they are able to show that someone actually misused their data (for example, by withdrawing money from their account). A good recent example of this is the Citizens Financial case mentioned here and here, where the court allowed plaintiffs to sue a bank which tried to hold the plaintiff liable for funds that were hacked from plaintiff's bank account. Where the plaintiff or class of plaintiffs have not had their data actually misused by the person who stole it, courts have uniformly rejected class actions trying to seek redress. Typically the company who suffered the loss of data will offer monitoring services effectively mooting the issue of whether this is something plaintiffs should be able to sue for.

Express Scripts provides "pharmacy benefit management services." It suffered a data breach coupled with an extortion attempt by someone who threatened to disclose customer information. (WSJ Health Blog [link] covered the story in 2008.) Although Express Scripts notified the FBI, a quick Google search didn't unearth any news reports of the bad actors having been caught. The Express Scripts webpage [link] which provides notice of the incident states that in August 2009 the perpetrator sent a similar letter threatening to expose consumer information. Plaintiffs sued alleging negligence, breach of contract, and state law statutory claims.

The court granted the motion to dismiss brought by Express Scripts on Article III standing grounds. Language used by the court expressed some hostility to the underlying claims - in describing the hypothetical nature of the injury, the court states:

[f]or plaintiff to suffer the injury and harm he alleges here, many "if's" would have to come to pass. Assuming plaintiff's allegation of security breach to be true, plaintiff alleges that he would be injured "if" his personal information was compromised, and "if" such information was obtained by an unauthorized third party, and "if" his identity was stolen as a result, and "if" the use of his stolen identity caused the harm. These multiple "if's" squarely place plaintiff's claimed injury in the realm of the hypothetical. If a party were allowed to assert such remote and speculative claims to obtain federal court jurisdiction, the Supreme Court's standing doctrine would be meaningless.
[quotations in original]

The result is pretty typical, but two things struck me about this case. I didn't realize this at first, but the records at issue included prescription information. Medical information is subject to a higher degree of privacy and subject to specialized rules. Either the plaintiff didn't allege violations of these specific rules or the rules weren't implicated. Either way, the court only made a passing reference to the fact that the data included prescription information. Second, the bad actor is still at large. There are cases where an information breach occurs as part of another incident (such as a theft of a laptop). It's less clear in those cases whether someone just stole a laptop or whether they were focused on obtaining information. Here, there's no dispute that a bad actor has the customer information. Express Scripts received not one but two extortion letters which contained specific information demonstrating that the third party had access to Express Scripts information. And the person who sent the letters has not yet been caught. (On the other hand, the fact that they were seeking to extort Express Scripts tends to point in the direction that they didn't necessarily use the information. The bad actors lose leverage by using the information, and using the information increases the likelihood of being caught.)

I wonder if anyone has compiled data on what actually happens to these data breach class action plaintiffs - i.e., how many of them suffer damages as a result of identity theft, etc. I would think this type of data would be useful.

[Added: see additional coverage of this case from Proskauer's Privacy Law Blog here.]

Posted by Venkat at 06:51 AM | Privacy/Security



November 20, 2009

A Look at Twitter's Updated Privacy Policy (November 19, 2009)

[Post by Venkat]

As noted on Twitter's blog, Twitter refreshed its privacy policy yesterday. Given that virtually everything Twitter does is placed under the microscope, I'm sure the policy will be pored over in detail. (Here's a link to the updated policy and a link to the old policy.)

General thoughts on the policy: The policy is short, easy to understand, and in plain English. The thrust of the policy is that most users typically use Twitter to publicly disseminate information, and users should expect any of this information to be broadly disseminated. This includes dissemination by Twitter, third party applications, search engines, etc. To the extent you want to restrict use of this information, Twitter gives you the tools to do so in your profile settings.

Much of what's in the policy is very typical of what you would find in the privacy policy of any other website or social network. However, a few things are worth mentioning:

1. Geolocation: The policy provides that you can turn geolocation on and off, and if you have it turned on, your location information is obviously broadcast and also used by Twitter. Geolocation is opt-in and this makes sense.

2. Cookies: The policy also mentions that Twitter places cookies on your computer. Virtually all privacy policies contain this, since most websites use cookies. But for some reason this part of the privacy policy jumped out at me. I guess it's a reminder of the tremendous advertising power that Twitter could wield. Everyone who uses Twitter expresses their preferences through Twitter, by clicking on links, using applications, and just through general usage. Most people probably do more, such as expressing their food, drink, entertainment, political, and other preferences. (Some more than others.) By being able to identify the computer of someone who expresses those preferences, Twitter can build a valuable network that would be useful to advertisers. I'm not only talking about advertising on Twitter.com (the web client), but also advertising on other websites or networks as well. This is pretty common in the industry, and subject to attack by privacy advocates, some of whom are pushing for an opt-in system for this type of tracking. Thus far Twitter has been free of advertising, but this is likely to change, as indicated by Twitter's own statements. (See Scoble's link below.)

3. Metadata: Interestingly, the policy also treats tweet metadata as public information ("information you are asking us to make public"). This seems to create some grey area between information which you broadcast and is truly public, and information which is available to Twitter (but not to your followers) from your use of Twitter. Robert Scoble has a post with comments from Twitter's COO signaling Twitter's turn to advertising and possible use of metadata in this context. I didn't pick up on this at first, but I think this is significant.

4. Subpoenas: The part of the policy that talks about disclosing information in response to a subpoena leaves plenty of wiggle room: Twitter can either require law enforcement (or a civil litigant) to obtain a subpoena, or it can simply respond to a "legal request" (presumably, this could be a letter from law enforcement). It's probably unreasonable to expect these types of companies to always take a stand and require a subpoena or fight for the privacy rights of users when a third party tries to unmask a commenter or user, but it would be nice from the user perspective to have some clarity. I'm guessing in practice Twitter provides notice when a third party seeks information from or about a user's account, but this doesn't seem to be required under the policy. (The social media dynamic is probably a strong check here.)

What Changed?: Other than the points mentioned above, I didn't notice any significant changes to the policy (the cookie stuff was leftover from the old policy). The old policy made some statements regarding security measures implemented by Twitter, which Twitter [wisely] removed from the current version. The provision that any transfer of information in connection with a sale of the business would be subject to the provisions of Twitter's privacy policy remains, although Twitter removed the notice provision.

It's worth mentioning that neither the old policy nor the new one clearly speaks to whether Twitter or any third party can build a "profile" using information which you make publicly available. Twitter can crunch the data contained in someone's Twitter stream and obtain a wealth of information regarding a particular person - anything from their sleeping patterns to their dietary habits and political preferences. Of course, people make this information publicly available anyway, so they have no real argument as to why a third party should be prevented from using this information, but realistically, it would be tough to construct such a profile without access to Twitter's data and tools. Do users expect Twitter to use user information in this manner? Probably not at this juncture, but as a general matter there's nothing from a legal standpoint that would prevent this, and the privacy policy does not preclude it. These types of applications are not that far-fetched, given reports of tools to analyze someone's social network and assess their credit worthiness ("Rapleaf") or psychological profile ("TweetPsych"). Recently a story made the rounds about an insurer who denied an insurance claim based on the insured's photos posted on Facebook ("Depressed Woman Loses Benefits Over Facebook Photos"). (A host of specialized rules could come into play in this instance - ranging from rules governing financial privacy and fair credit to rules governing the employment relationship - so a privacy policy wouldn't necessarily provide a definitive answer to the question anyway.)

How Does it Compare to Facebook's Recently Revised Policy?: As far as volume goes, in comparison to Twitter's policy, Facebook's policy [link] reads like a (painful-to-read) epic saga. This is partially due to the fact that information sharing and interaction on Facebook is more complex, but Facebook's policy is simply impossible to read and digest in one sitting. The two policies are somewhat similar in their approach, although Facebook differs in that users don't make their Facebook data "public" in the same sense that Twitter users do. Of course, Facebook has a bit of a history of advertising initiatives and pitfalls that probably prompted the additional complexity. Facebook's policy has some interesting tweaks such as a "memoriam" for Facebook users where friends and relatives can post items about a deceased person. Also, Facebook has a deletion policy, which I didn't see in Twitter's privacy policy. (Deletion policies will become increasingly important as people try to obtain information (deleted by the user) from social networking sites in the context of litigation.)

***

The Trademark Guidelines: It's worth mentioning that Twitter also refreshed its trademark guidelines. They are pretty standard fare, but contain some rules that people pretty clearly are not following right now, for example: (1) use only the current Twitter logo to link to and promote your Twitter account ("40 cute free Twitter badges"); (2) don't use Twitter's logo on the cover of your book ("The Twitter Book"); (3) don't use screenshots of third party profiles or tweets without the third party's permission; (4) don't use Twitter marks on apparel or merchandise without Twitter's permission ("Sock Guy Socks"). The trademark guidelines also address some of the sore spots in the area of third party use of Twitter's trademarks (or terms which Twitter is trying to obtain trademark protection for): (1) "don't use Twitter in the name of your website or application;" (2) "don't register a domain name containing 'twitter';" and (3) "don't apply for a trademark with a name including Twitter or Tweet (or similar variations thereof)." Both Twitter and third party developers are trying to obtain trademark protection for the term "tweet" (see, for example, "CoTweet"), and it's unclear how the battle between Twitter and these third party developers will play out. It's difficult to tell at this juncture whether Twitter's new trademark guidelines signal a true change in policy or whether it's business as usual. (See posts by Tom O'Toole here and Mike Masnick here for some discussion of Twitter's "laissez faire" attitude with respect to third party use of Twitter trademarks.)

[Edited: to add the point about disclosure in response to subpoenas or law enforcement requests. I should probably also note that I've been using Twitter for the past 15 months or so. I was going to say that I'm a "casual user," but at 5000+ updates, that's a tough claim to make!]

Posted by Venkat at 12:15 PM | Privacy/Security , Trademark



November 15, 2009

Keylogger Software Company Not Liable for Eavesdropping by Ex-spouse -- Hayes v. SpectorSoft

[Posted by Venkat]

In what probably belongs in the "software doesn't surreptitiously record conversations, people do" file, a federal court in Tennessee rejected Electronic Communications Privacy Act and product liability claims brought by someone whose ex-spouse used software to log internet activity and communications. (Access a copy of the order here [scribd].)

The case presented a now-familiar fact pattern of the use of monitoring (in this case keylogger) software by a spouse to keep track of the online activities of the soon-to-be ex-spouse. The plaintiff (Thomas Hayes) sued SpectorSoft, which produced two pieces of software used by his ex-spouse and someone else to monitor his instant message, email, and browsing activities. Hayes alleged violations of the Electronic Communications Privacy Act and also asserted negligence and product liability claims. The court granted SpectorSoft's motion for summary judgment and dismissed the case.

With respect to the ECPA claims the court concluded that Hayes needed to prove that SpectorSoft intended for the communications to be wrongly intercepted, and that Hayes's evidence that SpectorSoft marketed the software to spouses who were conducting surveillance was insufficient to show this intent. According to the court, the type of intent required by the ECPA was that the defendant must have the "conscious objective" to cause the result (i.e., the unlawful surveillance and disclosure). The court cites to In re Pharmatrak where the First Circuit found that a web-monitoring company's gathering and inadvertent disclosure of information about web users did not violate the ECPA due to lack of intent. The court also relied on the fact that the person who installed the SpectorSoft software clicked through a terms of use agreement which contained a representation that the software would only be installed on computers which the user owned, or computers on which the user was authorized to install the software. (SpectorSoft is a classic passive conduit and presented ample evidence that it did not know of the underlying violations.)

Plaintiff also made a creative argument that the SpectorSoft software was "unreasonably dangerous." The court expressed doubt as to whether software qualified as a product at all, and in any event concluded that plaintiff failed to demonstrate that the software was unreasonably dangerous, since he put forth no evidence that SpectorSoft could have taken alternative measures that would have prevented the disclosure at issue.

The court's decision is not surprising, given that (1) SpectorSoft did not conduct the eavesdropping but only provided the tools to facilitate it and (2) the software could be used to conduct multiple lawful activities (monitoring children, employees, archiving messages). The decision was also not surprising given that the installation and use of the software could have been avoided if the monitored spouse had taken adequate security precautions. (Sidenote: I wonder if it's farfetched to argue that one spouse has the right to access the email and other accounts of another spouse based on some community property-like theory?)

I guess at the extreme end of the spectrum a court may be willing to hold a software company liable for developing software where the only possible use is to conduct unlawful surveillance, but this fact pattern wasn't even close. Holding the software company liable in that instance would also raise potential First Amendment/crime-facilitating speech issues (?).

Related: In late 2008, a federal court halted sales of keylogger/do it yourself spyware software. (See coverage at Wired and JOLT Digest.) Also, this type of a claim has a higher likelihood of success when brought against the ex-spouse, rather than the software company, as noted by Tom O'Toole here.

Posted by Venkat at 08:13 PM | Privacy/Security



November 11, 2009

Starbucks Data Breach Plaintiffs Try Their Luck in the 9th Circuit -- Krottner v. Starbucks

[Post by Venkat]

A lost laptop computer containing the personal information of Starbucks employees prompted a class action lawsuit against Starbucks (in Washington). The lawsuit received some coverage (see, for example Bob McMillan here, and Starbucks Gossip here), but the trial court's dismissal of the lawsuit received almost no coverage. (I mentioned the lawsuit, but failed to note the court's dismissal of it. Here is the one mention I came across of the dismissal.) Plaintiffs appealed the dismissal to the Ninth Circuit, and their just-filed appeal brief is worth a look. Access a copy of the brief at scribd here.

Background: As described in the complaint, in 2008, someone stole a laptop containing the personal information of approximately 97,000 employees. Starbucks notified the police and affected employees (plaintiffs claim Starbucks was slow in effecting this notice). Starbucks also offered one year of free credit monitoring to affected employees. The plaintiffs fall into a couple of categories, but significantly, one of the plaintiffs was notified that someone tried to open a bank account without his authorization. It was never determined whether this attempt to open a bank account with the information of one of the plaintiffs was connected to the underlying breach.

Ruling by Judge Jones: Judge Jones granted the motion to dismiss filed by Starbucks, finding that Washington courts would not recognize a cause of action as asserted by plaintiffs. (Access a copy of the order by Judge Jones dismissing the claims here: [scribd].) After concluding that plaintiffs had standing (given the broad scope of Article III standing this wasn't a surprise), Judge Jones focused on the issue of whether plaintiffs stated cognizable claims in negligence under Washington law. Judge Jones noted that Washington courts don't typically recognize claims where the sole injury is "risk of future harm," and if Washington courts were to recognize a common law cause of action arising from a data breach, they would be alone in doing so. Judge Jones also noted that the overwhelming majority of courts that have looked at the issue have declined to find that plaintiffs could recover merely because their data was stolen, and those that have recognized a possible cause of action have typically ruled against plaintiffs due to insufficient proof of misuse of the data. In Judge Jones's view, the Washington Supreme Court would likely conclude that the issue is best left to the legislature. In a footnote, he notes the enactment of data breach laws in other states, but points out that none of those laws provide for private causes of action, "much less a private right to damages."

With respect to the plaintiffs who did not have any proof that their personal information was misused, the court found that they could "claim only monitoring costs" as a potential injury, and these wouldn't fly under Washington law. With respect to the plaintiff who presented proof that someone tried to open a bank account in his name, the court acknowledged that "the timing of the [events permitted] the inference that someone acquired [plaintiff's] personal information from the laptop and misused it." Nevertheless, the court concluded that he did not assert a cognizable claim because he didn't suffer any out of pocket loss. The plaintiffs also asserted a claim based on implied contract, but the court didn't need to address whether Starbucks breached any implied obligations since it found that plaintiffs did not suffer any type of injury for which Washington law affords a remedy.

What to Make of the Appeal? Plaintiffs' appeal brief (filed on Monday) sort of canvasses the various theories under which plaintiffs should be entitled to relief under Washington law. Plaintiffs spend a fair amount of space discussing how Starbucks breached its (implied) contractual obligations to plaintiffs - Starbucks obtained this information in the employment context, and had policies in place which required employees to safeguard employee information. Given that Starbucks failed to fulfill these obligations, plaintiffs argue that the law would fashion some sort of remedy for the injured plaintiffs. Plaintiffs also attack the trial court's dismissal of the negligence claim from all angles, pointing out that stolen data is often misused long after it is compromised, and the fact that the underlying data breach is unsolved means that Starbucks can't conclusively show that the data will not be misused at some point in the future.

The dispute raises the familiar issue of whether the harm in the data breach context lies in the breach, or the actual misuse of the data. Courts have pretty uniformly taken the view that the harm flows from the actual misuse of the data, rather than the loss of the data. That said, the outcome here depends on the vagaries of state law, and what the Ninth Circuit predicts the Washington Supreme Court would do. My anecdotal observation is that Washington courts are very privacy friendly, but somewhat middle of the road when it comes to crafting "new" causes of action. Plaintiffs also asked the Ninth Circuit to certify the issue to the Washington Supreme Court, something the Ninth Circuit did recently in a spam case (Kleffman v. Vonage).

The Ninth Circuit has dealt with this issue once in an unpublished decision (Stollenwerk v. Tri-West Healthcare Alliance, 254 Fed. Appx. 664 (9th Cir. 2007).) In that case the Ninth Circuit affirmed the dismissal of data breach claims brought by plaintiffs who did not allege misuse of their data, but reversed as to the plaintiff who made a basic showing that the data could have been misused. Stollenwerk was inconclusive in that the Ninth Circuit (again, in an unpublished decision) merely stated that if the plaintiff was able to show actual damages, he would be entitled to relief. Interestingly, Stollenwerk was settled shortly after remand, on the heels of the district court's denial of a motion for class certification. One possibility to consider is that a monitoring claim seems much easier to fit into a class. An "actual damage" claim may be less amenable to class resolution.

On a related note, there's talk of federal data breach legislation winding its way through the Senate. (Two proposals are mentioned here.) To my knowledge, neither of the proposals contains a private right of action; both merely speak to notification upon a breach. There's also the familiar call for a federal standard which would displace disparate state standards. This debate sounds somewhat similar to the one that surrounded the passage of the CAN-SPAM Act.

Related: Tom O'Toole has a post from a while back about Ruiz v Gap Inc., a case from the Northern District of California also involving the loss of employee/applicant data (coincidentally, from an unencrypted laptop): "Court Finds No Cognizable Damages in Gap Laptop Theft Case."

Posted by Venkat at 03:51 PM | Privacy/Security



November 03, 2009

Court Sanctions Lawyer for Including Social Security Number and Date of Birth Information in Filing -- Engeseth v. Isanti County

[Post by Venkat]

I've blogged about parties who complain when opposing counsel wrongly includes personal information (usually social security numbers) in court filings. Attempts to assert counterclaims based on this type of conduct typically fail. For one example, see In re Killian, discussed here. (You can see a list of other cases rejecting these types of claims noted here.)

However, a judge in Minnesota recently sanctioned a lawyer for including the "full social security numbers and dates of birth for 179 individuals" in a court filing. (Engeseth v. Isanti County, Case No. 06-CV-2410 MJD/RLE (D. Minn.; Oct. 20, 2009).) After issuing a show cause order on its own motion (as best as I can tell, none of the parties complained), the court concluded that counsel's inclusion of the social security numbers and date of birth information in a filing violated Federal Rule of Civil Procedure 5.2(a), and demonstrated poor judgment. That rule requires truncation of certain personal information (e.g., social security number, taxpayer identification number) in court filings unless otherwise ordered by the court. (Here is a link to the rule: "Privacy Protection for Filings Made with the Court".)
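Rule 5.2(a) is specific about what may appear in a filing: only the last four digits of a Social Security or taxpayer-identification number, only the year of an individual's birth, only a minor's initials, and only the last four digits of a financial-account number. The scanner below is an added example for this post, not the court's order and not any court's e-filing software; it flags unredacted SSNs and dates of birth in a settlement accounting like the one at issue and rewrites them into the form the rule permits. The regular expressions, the `SAMPLE` affidavit text, and the function names are this example's own assumptions about how such values appear in a filing.

```python
"""Pre-filing scan for FRCP 5.2(a) identifiers (added example, not court software)."""
import re

# Assumed SSN/TIN formats: 123-45-6789, 123 45 6789, or a bare 9-digit run
# bounded by non-digits. Already-truncated values (XXX-XX-6789) do not match.
SSN_RE = re.compile(r"\b(\d{3})[- ]?(\d{2})[- ]?(\d{4})\b")

# Assumed date-of-birth formats: a DOB-style label followed by MM/DD/YYYY or
# MM-DD-YYYY. A bare year ("born 1950") is already rule-compliant and is ignored.
DOB_RE = re.compile(
    r"\b(d\.?o\.?b\.?|date of birth|born)(\s*:?\s*)(\d{1,2})[/-](\d{1,2})[/-](\d{4})\b",
    re.IGNORECASE,
)


def scan(text):
    """Return (line_no, kind, matched_text) for every unredacted identifier found.

    Intended as a gate before filing: a non-empty result means the document is
    not yet in Rule 5.2(a) form. Nine-digit case or invoice numbers will be
    reported too; that is a deliberate bias toward false positives.
    """
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        for m in SSN_RE.finditer(line):
            findings.append((n, "ssn", m.group(0)))
        for m in DOB_RE.finditer(line):
            findings.append((n, "dob", m.group(0)))
    return findings


def redact_ssn(text):
    """Truncate every SSN/TIN to its last four digits, the form the rule allows."""
    return SSN_RE.sub(lambda m: "XXX-XX-" + m.group(3), text)


def truncate_dob(text):
    """Keep the label and the birth year; drop month and day."""
    return DOB_RE.sub(lambda m: m.group(1) + m.group(2) + m.group(5), text)


def redact(text):
    """Apply both truncations; the result should scan clean."""
    return truncate_dob(redact_ssn(text))


# Constructed sample of a settlement-disbursement affidavit (not the real filing).
SAMPLE = """Disbursement to John Q. Public, SSN 123-45-6789, DOB 04/17/1962: $1,250.00
Disbursement to Jane Roe, SSN 987654321, date of birth 12-01-1975: $980.00
Disbursement to Estate of R. Doe (already truncated): XXX-XX-4321, born 1950: $400.00
Check no. 1002 drawn on account ending 7788
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print("unredacted:", finding)
    print(redact(SAMPLE))
```

Run the scan on the final PDF text (or the word-processor export) rather than on a draft, since the sanctioned filing here was an exhibit generated late in the case; a clean `scan()` on the redacted output is the check that matters, and lines 1 and 2 of the sample are the ones that would have drawn the show cause order.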

The sanctions imposed by the court included: (1) notice to all injured parties, along with "individualized credit reports and credit monitoring," and (2) payment of $5,000 to the Second Harvest Heartland food bank.

Without minimizing the seriousness of the privacy interests at issue, it seems rough for the court to impose these types of sanctions on its own motion. The credit monitoring makes sense, but I'm not sure what's up with the donation to the food bank. It's particularly rough from the lawyer's perspective, given that this appears to be a pro bono case where the lawyer achieved a good result for the clients. The filing containing the social security numbers was an accounting affidavit filed by the lawyer detailing the disbursements of settlement proceeds to his clients. I'm not suggesting that you don't have to follow the rules in pro bono cases. You obviously do, but the sanction must have stung, coming at the end of a successfully prosecuted pro bono case.

My own anecdotal observation is that courts are very reluctant to sanction lawyers these days, and I've seen courts reject sanctions for a lot worse. Nevertheless, the court's order illustrates the importance of adhering to court orders and rules that govern the inclusion of private information in court filings. As to whether this means that parties can assert claims based on the wrongful inclusion of personal information in filings, the answer is, no, they probably cannot. In any event, I would think the relief awarded by the court would be limited to notice and credit-monitoring, as is typically the case in consumer data breach cases. In other words, it's difficult to gain leverage in a case based on the opposing party's wrongful inclusion of personal information in a court filing.

Added: additional coverage at the Minnesota Lawyer Blog here (which first noted the order) and The Register here. The Minnesota Lawyer Blog also provides access to the order itself: [pdf].

(h/t Cathy Gellis)

Posted by Venkat at 01:04 PM | Privacy/Security



November 02, 2009

October 2009 Quick Links

By Eric Goldman

Just a reminder that I am posting most of these types of links exclusively to my Twitter feed.

* Tricome v. eBay, Inc., 2009 WL 3365873 (E.D.Pa. Oct 19, 2009). Court upholds eBay user agreement's venue selection clause. Evan Brown covers the case.

* The AutoAdmit case is over. Above the Law and the Yale newspaper.

* Google doesn't want to hear your complaints about your reputation management.

* Moneygram settles FTC charges (to the tune of $18M) that its money wiring service was used to perpetrate fraud.

* The FTC scores a rare COPPA settlement, this time with Iconix for $250,000.

* John Wiley & Sons, Inc. v. Kirtsaeng, 2009 U.S. Dist. LEXIS 96520 (SDNY Oct. 19, 2009). Another federal court holds that the purchase of foreign-manufactured textbooks and resale in the US via the Internet is blocked by the importation right and not excused by the First Sale doctrine. My coverage of the analogous Pearson v. Liu ruling.

* Utah's "Don't Spam the Kids" registry survived a constitutional challenge. That doesn't make it good policy!

* Saadi v. Maroun. Blogger hit with $90k judgment for defamation. MLRC coverage. My initial blog post on the case.

* Erik Estavillo, the gamer who sued for being kicked off the PlayStation Network, is appealing his district court loss to the Ninth Circuit. I guess he wants to lock in the adverse ruling as the binding law of the Western United States. My blog post on the district court ruling.

* Susan Gindin, When are a Posted Privacy Policy and 'Enforceable' Terms of Use Not Enough? The Many Lessons Learned and Questions Raised by the FTC’s Action Against Sears.

* Rep. Paul Kanjorski wants to end 47 USC 230 with respect to bogus stock investing info? This legislation needs careful monitoring due to its potential perniciousness.

* Venkat has his own version of Quick Links on his site.

Posted by Eric at 05:08 PM | Content Regulation , Copyright , Derivative Liability , E-Commerce , Licensing/Contracts , Privacy/Security , Spam | TrackBack



October 29, 2009

Court: Prosecutors Can't Rummage Around in a Defendant's Gmail Account -- U.S. v. Cioffi

[Post by Venkat]

The government is prosecuting a couple of Bear Stearns hedge fund managers for securities fraud and related offenses. I came across a story that prosecutors obtained evidence from the gmail account of one of the defendants which prosecutors recently disclosed. ("E-Mails Seen as a Flash Point in Bear Stearns Fund Managers' Fraud Trial") In some ways I think this illustrates one of the pitfalls of using a service such as gmail. Gmail stores your data forever - or at least doesn't give you a ton of control over when it is deleted - so it's much easier for prosecutors to obtain this evidence. If you stored the data on your own servers, you may be able to get by with deleting the data pursuant to a regular document retention/destruction policy. And more importantly, there's a much higher likelihood of you knowing when the data has been or is about to be seized. (It's more difficult to obtain email from a service provider in a civil case.)

Interestingly, the defendant whose email was disclosed by the government as evidence in the Bear Stearns case prevailed in a motion to suppress the gmail evidence. (US v. Cioffi, et al., Case No. 08-CR-415 (FB) (E.D.N.Y.; Oct. 26, 2009).) (Access a copy of the ruling at Scribd [pdf] here; see the WSJ story here ("In Setback for Bear Stearns Case, Judge Suppresses Email").)

Facts: The government initially obtained an email sent through non-company email accounts between Cioffi and Tannin (the two defendants) talking about how the "subprime market looks pretty ugly . . . ." The government used this email to support its allegations that Tannin used his personal (gmail) account to commit or further the crimes. The government's affidavit argued it needed to search the gmail account, but offered certain limitations on the access - for example, the search would be limited to emails created on or before the day prior to the defendant's retention of counsel, in order to avoid interception of privileged communications. The affidavit also noted that "the nature of electronically stored data" required the authorities (rather than Google) to search through the email account.

The magistrate judge issued the warrant, but did not attach the affidavit to the warrant. The government went to Google, which initially wrote to the government that "it was no longer able to extract the information requested in [the warrant] because Tannin's account had been deleted." Several months later, "on the eve of trial," Google advised that it had located a copy of the account and delivered a copy of its contents to the government. (??)

The Court's Ruling: The critical issue in front of the court was whether the warrant was sufficiently particular as to minimize unnecessary invasions into the suspect's privacy. The court noted at the outset that Tannin had "a reasonable expectation of privacy in the contents of his personal email account." The government did not dispute this point. (This doesn't seem to be a settled issue, as noted in the case mentioned below.) Turning to particularity, the court notes that searches of documents, data, computers, and email accounts raise tricky issues as to what level of particularity is required. A couple of different approaches have been used to avoid a general search by the government: (1) providing keywords or other search parameters in advance; or (2) having a third party conduct the search and segregate responsive information from non-responsive information.

The court noted that an overly broad warrant may be cured by incorporation of an affidavit that would constrain the agents' search, but Second Circuit cases have been less receptive lately to this approach. (In the context of a digital search, it would seem that this wouldn't work as well as it would with respect to physical objects. Exposure to data that doesn't fall within the search warrant would compromise the suspect's privacy and would undermine the whole point of particularity in this context.) Regardless of whether the affidavit could have cured the warrant's particularity problem, the affidavit was not actually attached to the warrant, so this argument was not in play.

The court ultimately concludes that the warrant did not comply with the Fourth Amendment. The government sought to invoke two exceptions in order to have the evidence admitted notwithstanding these issues, but the court rejected both attempts. With respect to the good faith exception, the court was emphatic:

[t]his case . . . is not about search terms or firewalls. It is, rather, about the fundamental and venerable prohibition on general warrants. Since 'it is obvious that a general warrant authorizing the seizure of evidence without mentioning a particular crime or criminal activity to which the evidence must relate is void under the Fourth Amendment . . . no reasonably well trained officer could believe otherwise.'

As to inevitable discovery - the second exception - the court's ruling is also interesting. The court seemed to say that the government could only satisfy particularity after having seen the emails procured by the overbroad warrant: "the government's timing still presents a problem: [h]aving seen the November 23rd email, the government is now in a position to obtain a warrant with perfect particularity. There is, in other words, no way to purge the taint of its unconstitutionally overbroad search."

***

I can't tell if the government just dropped the ball here or whether there's something more to it. One view is that if the government had submitted a narrow warrant application and the magistrate judge had issued a narrow warrant, the government could probably have obtained the information it ultimately sought. On the other hand, the court is rightly skeptical that the government could have obtained the emails at issue by providing a set of keywords to Google. After all, wasn't this the argument the government used to justify the fact that the search needed to be conducted by the government, rather than by Google or by a third party? The court's rejection of the government's inevitable discovery argument seems significant. My practice does not stray into the realm of criminal cases so take that with a grain of salt. I'm curious to see what people like Orin Kerr and Scott Greenfield have to say. (Congrats to Professor Kerr, whose "Searches and Seizures in a Digital World" article is cited by the court. He has also posted extensively on a recent Ninth Circuit decision that bears on these issues: United States v. Comprehensive Drug Testing, Inc., 579 F.3d 989 (9th Cir. 2009).)

Interestingly, Professor Kerr notes a recent decision from federal court in Oregon where the court held that email was not covered by the Fourth Amendment. [Clarification: see this post for a clarification.] Pointing to the Google terms of service, the court held that most users expect their emails to be shared with Google employees and other third parties, and the account-holder was thus not entitled to notice before the government obtained a warrant to search someone's gmail account. I think (but I'm not sure) the account-holder still has the ability to challenge the search after-the-fact, as Tannin did in Cioffi. Either way, the ruling seems noteworthy, and raises issues around process where the government subpoenas your email records from the service provider. When do you as the account-holder receive notice of a government search? Does Google have a consistent policy on this?

I'm still sticking with my instinct that using a third party service such as gmail raises the risk that your emails end up in the hands of prosecutors. I'm also curious about Google's policies for dealing with these sorts of issues.

Added: You can check out Professor Kerr's post on this ruling here. His conclusion: "the basic Fourth Amendment holding was likely right," but the court should have applied the good faith exception. He also posts a clarification to his earlier post about the Oregon decision, which I linked to above: the court's conclusion only speaks to notice to subscribers, which the court concludes is not required under the Fourth Amendment.

Posted by Venkat at 09:14 AM | Privacy/Security , Search Engines



October 23, 2009

Judge Rejects Attempts by Texas Plaintiffs to Intervene in Beacon Class Action--Harris v. Facebook

[Post by Venkat]

I mentioned last week that a group of plaintiffs sought to intervene in the class action filed against Facebook in the Northern District of California. The Texas plaintiffs who sought to intervene were part of a class action filed against Blockbuster (Harris v. Blockbuster - this lawsuit was filed before the Northern District of California class action). The Texas plaintiffs argued that the two lawsuits were "related," and that the parties to the California lawsuit should have filed a "notice of related action," so the California court could have evaluated whether the lawsuits should be consolidated.

In orders issued today, Magistrate Judge Seeborg denied the request to intervene brought by the Texas plaintiffs and conditionally approved the class certification and settlement ironed out by the parties to the Northern District of California lawsuit. Judge Seeborg noted that although the lawsuits were "related," the Texas plaintiffs were aware of the California class action in September 2008. Thus, their request to intervene was untimely.

Quick thoughts on the ruling:

1. The court notes that to the extent the Texas plaintiffs have substantive objections to the settlement, these objections can be raised at a later date.

2. With the caveat that I'm not familiar with the nuances of class action procedure, I would guess it will become tougher to object to a settlement further down the road. As a practical matter, conditional approval will set in motion the process of notifying potential class members and providing them the opportunity to opt-out. A low number of opt-outs may be viewed as an indication that there's not really enough of a separate class that objects to the terms of the settlement conditionally approved by Magistrate Judge Seeborg to warrant a second class action. (On a related note, I wonder if the Texas plaintiffs will mount some sort of campaign to try to demonstrate that a substantial number of potential plaintiffs object and the settlement should not be given final approval. I'm guessing they won't set up a Facebook group as part of this campaign, but you never know!)

3. It's sort of awkward for a group of putative plaintiffs who filed their lawsuit first to have their claims extinguished by a later filed class action. Blockbuster was named in the second filed action (in California), and if the settlement in the California lawsuit is approved, my instinct is that this may effectively kill the class claims asserted in the Texas lawsuit against Blockbuster. (There was some activity in the Texas lawsuit about whether the claims are subject to arbitration. The court in Texas found that Blockbuster's terms of service were "illusory," and rejected Blockbuster's request to arbitrate. Blockbuster has appealed this ruling.)

4. The terms of the settlement in the California lawsuit do not provide for payment of compensation to non-named class members. (See the notice approved by the court here: [pdf].) On the other hand, the Texas lawsuit alleged violations of the Video Privacy Protection Act, which provides for statutory damages.

5. The notice of settlement will be published through newspapers, and of course, "through Facebook updates."

It will be interesting to see how this plays out.

Posted by Venkat at 04:50 PM | Privacy/Security



October 18, 2009

Q3 2009 Quick Links, Part 4

By Eric Goldman

Spam

* Ars Technica: "a disturbing number of e-mail users respond to spam, and not just because they're dumb—some of them did so because they were actually interested in the product or service." I collected some empirical research establishing this point in 2004.

* SpamFighter: Software Creator Admits to Aiding & Abetting Spam

Fraud

* Reuters: A virtual bank rips off depositors in EVE Online.

* Click fraud concerns at Facebook: TechCrunch; Unified ECM v. Facebook complaint (one of at least three pending).

* There can be legitimate circumstances where it makes sense for a vendor to automatically pass a user's credit card number to another vendor, but the practice seems ripe for regulation.

Contracts

* BNA: End of the Notice Paradigm?: FTC's Proposed Sears Settlement Casts Doubt On the Sufficiency of Disclosures in Privacy Policies and User Agreements (BNA Subscription required)

* In August, the NYT interviewed David Vladeck, who suggests that the FTC v. Sears settlement could signal a changing of the guard at the FTC.

* Jonathan Ezor on common drafting mistakes in privacy policies.

* Hines v. Overstock.com, Inc., 2009 U.S. Dist. LEXIS 81204 (E.D.N.Y. Sept. 4, 2009). Browsewrap terms aren’t enforceable “because the website did not prompt her to review the Terms and Conditions and because the link to the Terms and Conditions was not prominently displayed so as to provide reasonable notice of the Terms and conditions.”

* Timothy D. Cedrone, Morals? Who Cares About Morals? An Examination of Morals Clauses in Talent Contracts and What Talent Needs to Know, Seton Hall Journal of Sports & Entertainment Law. I have given my first year contracts students an exercise involving morals clauses that I think worked pretty well (see the links on this page under the "endorsement contract" bullet).

Miscellaneous

* The USPTO has not renewed the peer-to-patent program.

* ABA Journal: E-Discovery is $4B/yr industry but is experiencing consolidation.

* Paul Ohm's paper on re-identification of putatively anonymous databases. This may be one of the more important privacy law papers in some time, as it indicates that we cannot meaningfully distinguish between personally identifiable and non-personally identifiable information.

Posted by Eric at 02:43 PM | E-Commerce , Licensing/Contracts , Patents , Privacy/Security , Spam , Virtual Worlds | TrackBack



October 16, 2009

Texas Class Action Aims to Derail Facebook Beacon Settlement--Harris v. Facebook

[Post by Venkat]

In late September, Facebook announced the settlement of a class action challenging its ill-fated "Beacon" program. Facebook set aside $9.5 million to settle the class claims and agreed to set up a privacy foundation. Facebook also agreed to not oppose a request for fees up to $3 million. A group of plaintiffs who filed a separate class action against Blockbuster are trying to object to this settlement.

The California Class Action (Lane v. Facebook): Facebook launched Beacon in late 2007. Consumers were not particularly happy, and in 2008, one set of plaintiffs filed a class action in the Northern District of California. (Lane v. Facebook, Inc.; Justia Page.) After "thorough, extensive, ongoing negotiations," which started in December 2008, a settlement was finally reached in this lawsuit. (Some details are recounted in the motion to approve settlement: [pdf].)

The Texas Class Action (Harris v. Blockbuster): Meanwhile, a separate set of plaintiffs sued Blockbuster in April 2008 in the Eastern District of Texas, also alleging injuries based on beacon. This lawsuit was filed before the class action in the Northern District of California, and Facebook was not named. Blockbuster argued that the claims were subject to arbitration. In April 2009, Judge Lynn of the Northern District (where the lawsuit was transferred) issued a ruling [pdf] rejecting Blockbuster's motion to compel arbitration. Judge Lynn found that Blockbuster's terms of service were "illusory," because the terms could be unilaterally changed by Blockbuster. See Eric's post on that ruling. (This ruling raised some eyebrows. See, e.g., BNA's TechLaw here, and an earlier post from me here.)

The Harris Plaintiffs File Against Facebook in Texas: Apparently the two sets of plaintiffs were not keeping each other apprised of what was going on. The Harris (Blockbuster) plaintiffs recently filed a class action in the Northern District of Texas against Facebook alleging violations of the Video Privacy Protection Act based on Facebook's implementation of beacon. (Here's a link to the complaint: [pdf].) The Harris plaintiffs are not too happy about the fact that apparently "[d]espite the requirements of the Local Rules of the Northern District of California, neither Blockbuster nor Facebook informed the District Court in the California Litigation of the pendency of the Texas Litigation." The Harris plaintiffs allege that Facebook agreed to indemnify Blockbuster of all wrongdoing, including those acts underlying the Harris action, and this agreement was a violation of public policy. They also argue that Facebook "in furtherance of the civil conspiracy outlined [in the complaint], also sought to achieve for Blockbuster what Blockbuster could not achieve for itself - resolution of any [Video Privacy Protection Act] liability through a non-arbitral forum."

Predictably, the Harris plaintiffs also filed a motion in the Northern District of California seeking leave to intervene and object to the Lane settlement: [pdf]. According to a minute entry, the court heard argument on this motion and will issue a written ruling. The motion to intervene contains one fact which is potentially damning if true. The Harris plaintiffs informed all parties to the Lane action (in April 2008) that the two cases were related and that the parties to the Lane action should bring this to the court's attention. The parties to the Northern District of California lawsuit apparently declined to do so. On the other hand, I did not come across anything indicating that the Harris plaintiffs informed the court in Texas about the existence of the Lane class action.

What to Make of all This? I don't have a sense of how viable these arguments are. The dispute smacks of some amount of jockeying between two sets of plaintiffs' lawyers around the fee award that will be paid out. (Not that there's anything wrong with this.) My instinct is that the two cases were related enough that it was worth being conservative and informing both judges as to what was going on in the other cases. Blockbuster was named as a party in both cases, although the Northern District of California lawsuit was being defended primarily by Facebook. Also, the proposed settlement in the Northern District of California class action lets Blockbuster off the hook. Since there was a class action going in Texas while the Northern District of California settlement was being negotiated, it strikes me as odd that all of the parties were not folded into one big settlement (particularly since the Texas lawsuit was filed first).

In an earlier post at Circle ID looking at the terms of the Facebook settlement, I mentioned the Blockbuster case, and wondered what would happen if a chunk of plaintiffs opted out and pursued their claims separately. I guess we may have an opportunity to see what happens.

One thing is for sure. Someone could end up getting an earful from one or both of the judges.

Posted by Venkat at 02:17 PM | Privacy/Security



October 14, 2009

Q3 2009 Quick Links, Part 1

By Eric Goldman

My system of managing news items that don't warrant a full blog post but can't fit into a 140 character Twitter post has broken down. So, I'm belatedly catching up on my backlog of things that caught my attention in Q3 2009. This part focuses on online content issues:

Defamation

* Ava v. NYP Holdings, Inc., 2009 WL 1885099 (N.Y.A.D. July 2, 2009). A NY Post story quoting part of the plaintiff's MySpace page and characterizing it as a "fantasy" wasn't defamatory.

* Terrific post by Paul Levy on Ripoff Report, InfomercialScams.com, Video Professor and UGC sites that go bad

* A tweet about moldy apartment leads to a defamation lawsuit. MLRC and CMLP coverage.

* Cohen v. Google, Inc., 2009 WL 2883410 (N.Y. Sup. Ct. Aug. 17, 2009). Calling a woman a “skank,” in the context of a blog with photos and other critical material, was prima facie defamation sufficient to support a pre-action disclosure of the anonymous blogger’s identity.

* Cash4Gold sued Consumerist but then dropped it as a defendant.

* You may recall my earlier blog post on the Higher Balance lawsuit, a nice 230 defense win. Subsequently, the Higher Balance defendants were awarded over $50k in attorneys fees.

* Crookes v. Newton, 2009 BCCA 392 (Sept. 15, 2009). A British Columbia appellate court says that linking to defamatory content isn’t defamation.

* Joe Mullin: "Troll Tracker" blogger defamation lawsuit settles

Cyberbullying

* Larry Magid on the definitions of cyberbullying

* US v Voneida: 3d Circuit says student's MySpace postings were "true threats" that supported a 19-month sentence

* Smoking Gun: Placing a bogus Craigslist ad is being prosecuted as felony cyberbullying.

* News.com: A Missouri prosecution under Missouri's new Megan Meier anti-cyberbullying law.

Blogs and Social Networking Sites

* A New Jersey court says a blogger isn't entitled to the reporter shield.

* Pietrylo v. Hillstone Restaurant Group, No. 06-5754 (D.N.J. June 16, 2009). Jury verdict against a restaurant owner that forced employees to allow it to view their private MySpace group.

* HB1314: Illinois bans sex offenders from using social networking sites. Evan Brown explores the statute's constitutionality.

* Facebook Beacon is dead…and yet another privacy organization springs up in its wake. News.com, settlement agreement and motion for settlement.

* Public Citizen v. Louisiana Attorney Disciplinary Board, 2009 WL 2390866 (E.D. La. Aug. 3, 2009). A federal court struck down Louisiana’s state bar rules restricting lawyer advertising via the Internet.

Posted by Eric at 10:15 AM | Content Regulation , Derivative Liability , Privacy/Security | TrackBack



August 06, 2009

State of the Net West Recap

By Eric Goldman

Yesterday, the High Tech Law Institute and the Advisory Committee to the Congressional Internet Caucus co-sponsored the Third Annual State of the Net West event at Santa Clara University. The featured participants were 3 members of Congress (Boucher, Goodlatte and Lofgren) and the White House CTO Aneesh Chopra, supplemented by 8 distinguished discussants. In a jam-packed morning, we covered a lot of interesting and important ground on broadband, privacy, antitrust, immigration and open government. This blog post recaps some highlights from the discussion.

Boucher on Broadband

Rep. Boucher emphasized the importance of broadband availability to economic activity and expressed concern that the US wasn't keeping up with broadband deployment (he said, "we can do better"). He offered three policy proposals for ways the federal government could help:

* revise the Universal Service Fund to allow dollars to be spent on broadband deployment; and require USF fund recipients 5 years from now to be offering broadband or be cut off from USF
* federally preempt state laws prohibiting municipal broadband offerings (which about 25 states have)
* get the FCC to develop a broadband deployment plan

He expressed disappointment with the guidelines that NTIA and the Department of Agriculture have adopted to give away the $7.2B broadband fund that was part of the stimulus package. It appears he will be encouraging both entities to rethink their guidelines.

My colleague Al Hammond was the broadband discussant. Al made a number of good points, including noting that broadband deployment is both a rural and low-income issue (Boucher appeared to be focusing more on the former) and raising concerns about municipalities not playing fair and the FCC overcounting actual broadband availability.

Boucher on Privacy

Rep. Boucher also gave a preview of the privacy bill he is planning to introduce next month. He started off by saying he likes ad targeting, especially first party targeting (he said he buys items based on customized recommendations). So he wants to encourage "appropriate" ad targeting, not eliminate it. His bill is expected to contain the following elements:

* websites collecting data will be required to post a prominent privacy policy
* users can opt-out of first party targeted ads. This also includes data sharing necessary to enable first party ads
* websites that want to share data with unaffiliated third parties will need opt-in. However, behavioral ad networks can proceed on an opt-out basis if they allow users to see and edit their behavioral profile, except for sensitive information categories that would always be opt-in
* both the FTC and state AGs would have enforcement authority

To the extent that the mandatory privacy policy and opt-out options codify existing industry practices, this proposal generally seems benign but not worth the effort--the costs of the inevitably poor statutory drafting outweigh any benefit we might get from regulatory codification. Requiring opt-in would likely eliminate third party behavioral ad networks, which (as I've discussed before) is more likely to be a detriment than a win.

I was especially intrigued by the proposal that behavioral networks can flip from opt-in to opt-out by letting users access a user profile. I need to see more details about Boucher's thinking, but doesn't this superficially sound crazy? The most obvious problem is authentication of the user before seeing his or her profile. How would this be done? The networks usually don't know the identity of the specific individuals they are profiling, so they can't authenticate identity. And just tying profile access privileges to a cookie or machine sounds like a recipe for disaster for all shared computers. Plus, a web interface seems to increase the security risks that the bad guys can see profiles they shouldn't be able to see. On first blush, it sounds like this part of Boucher's proposal may need a complete rewrite, with unknown consequences for the entire structure of his proposal.

Mike Hintze of Microsoft was the privacy discussant. He espoused Microsoft's standard line that there should be a comprehensive privacy law.

In the Q&A, Boucher appeared willing to consider concurrent privacy enforcement authority by self-regulatory organizations, so long as they enforced the law's minimum requirements. But any self-regulatory effort wasn't a substitute for other aspects of his bill.

Lofgren on Antitrust

Rep. Lofgren said that if the Bush administration did too little on antitrust enforcement, the Judiciary committee is now concerned that Obama and Varney will do too much. Lofgren is particularly focused on the chilling effects of the mere threat of antitrust scrutiny, not just the actual successful prosecution in court of cases. Thus, an "informal" DOJ expression of interest can deter innovative activity by high tech companies.

She also expressed skepticism that antitrust laws remain effective at protecting technology markets, which are marked by fast innovation and low barriers to entry. (I believe her exact words were "traditional antitrust measures of marketplace behavior might no longer work.") At minimum, any technology-related antitrust enforcement actions should be focused on improving innovation rather than trying to manage current marketplace prices.

Finally, she said that copyright restrictions should be considered in antitrust inquiries. Mike Masnick has more to say on this.

Michael Katz of UC Berkeley was the most colorful respondent. He shared Lofgren's concern that antitrust law may be counterproductively squelching innovation, especially when companies try to capture antitrust enforcers to hassle competitors. He had especially harsh words for the FCC, calling it much less disciplined than the DOJ and observing how the FCC can blackmail companies using its leverage. He also complained that the FCC's review of mergers takes too long, and as an example of their lack of discipline, the FCC will impose merger conditions that have nothing to do with the merger.

Tim Bresnahan of Stanford and my colleague Cathy Sandoval were the other respondents.

At the end of her talk, Lofgren praised the Google Book Search settlement, saying that in some ways it lowers barriers to entry. She also said she was grateful that Google appears to have found a back-door way to liberate orphan works given that she wasn't able to pass an orphan works bill. I'm all in favor of orphan works reform, but a class action settlement seems like a weird way to get there.

Chopra on Open Government

Aneesh Chopra is the new White House CTO, a role that never existed before, which puts Chopra at Obama's elbow on all technology issues. This was Chopra's first Silicon Valley trip since he undertook his new role. His first talk was on Tuesday night at a Churchill Club event; we were his second. Lots of people were very interested in learning more about him. He was the big draw for the press, and we got an unprecedented number of walk-ins based in part (we think) on his talk. He was also mobbed before and after his talk--everyone seemed to want a piece of his attention (then again, I'd love to have a chance to kick some stuff around with him one-on-one myself!).

It's easy to see why Chopra sparks such curiosity. My impressions were that he was genuinely affable, smooth without being slick, substantive without being bookish, a big fan of crowdsourcing and an even bigger fan of assessment and measurement of outcomes.

He started off by discussing the importance of technology and how the US's rate of technological performance is lagging against other countries. He then identified three ways to "turn the ship around":

1. invest in innovation building blocks, such as a smart/secure infrastructure, more R&D and improved workforce expertise
2. healthcare reform, especially improvements to the information technology side of healthcare delivery
3. an improved education system, including distance learning and more emphasis on lifelong learning

He then discussed open government issues and gave examples of ways technology can facilitate participatory governance.

Goodlatte and Discussants on Immigration

Rep. Goodlatte laid out the Republicans' high tech agenda, which includes:
* skilled workforce, including immigration reform
* patent reform
* trade issues
* taxation, including efforts to define when activity in a state triggers tax obligations
* net neutrality (don't regulate but improve antitrust enforcement)
* privacy (opt-out except for sensitive information)

The panel then drilled down on immigration reform. I was really excited to have this panel because workforce issues are so central to the Silicon Valley's "secret sauce" and yet I couldn't recall a time that the HTLI had sponsored a discussion about them. Obviously immigration issues are age-old and are well-trodden, but I nevertheless found the discussion helpful--with the one caveat that everyone on the panel agreed with everyone else, so there was a lot of preaching to the choir. I learned an interesting factoid that both Reps. Goodlatte and Lofgren were formerly immigration attorneys, so they have some front-line domain expertise in this area.

First discussant was AnnaLee Saxenian of UC Berkeley. She talked about how skilled immigrants have fueled innovation in this country. She gave a number of stats in support of this, including that a majority of Silicon Valley engineers are foreign-born, and a high percentage of technology entrepreneurs and patent applicants are foreign-born individuals. She also noted that foreign-born skilled workers create net new jobs and also help build better ties to their home country.

We benefit from the best and the brightest from around the world, who come to the US because of our higher education system and historically have chosen to stay. However, she is concerned about this retention because of bureaucratic barriers. She is also concerned that companies, frustrated by their lack of access to development talent, will offshore their R&D.

Finally, she pointed out that immigration discussions kludge together the issues of skilled and low-skilled workers, even though their issues are very different.

Keith Wolfe of Google reinforced many of AnnaLee's points from Google's specific experiences.

My colleague Deep Gulasekaram was the last discussant. He pointed out that free marketplaces may require free movement of labor, which isn't consistent with our current immigration policy. He raised concerns about state and local anti-immigration policies and the negative consequences of tying foreign workers to specific jobs (by linking their visa to the job).

Rep. Lofgren added a few remarks:
* Obama told her that it's time for comprehensive immigration reform. [This led to a polite back-and-forth between Lofgren, who favors comprehensive reform, and Goodlatte, who would settle for piecemeal immigration reform]
* Immigration reform is not a substitute for educating the US workforce
* We should give permanence to people we want to keep (i.e., not keep them on some treadmill with the possibility of a forced exit, which prevents their long-term life planning)
* We need to address the family of skilled immigrants, not just the immigrants themselves

More Coverage of the Event

* ABC 7 News
* KCBS radio
* Zusha Ellison of the Recorder
* Joyce Cutler of BNA (BNA subscription required)
* Mike Masnick
* Joel West
* Colette Vogele
* Warren's Washington Internet Daily also ran a story (not web-linkable) "Boucher Promises Online Privacy Bill Draft Soon"
* The extensive Twitter discussion at hashtag #sotnw. Twitterers included @ipolicy, @caminick, @persistance, @miss_eli, @techpolicygirl, @cathygellis, @mmasnick, @nextgenweb, @marianmerritt, @larrymagid, @christinela, @mblatkin, @seangarrettnow, @vogelelaw (who didn't always use the hashtag--we will try to publish a standardized hashtag at future events). Whew! Apologies if I missed anyone. I can't recall seeing more Twitterers in an audience--everyone seemed to have their Twitter page up constantly. As usual, I didn't turn on my computer at the conference (I take notes by hand and blog them later), so my comments seem woefully out-of-date already!

We plan to post the event audio soon so you can listen for yourself. I'll announce the audio posting at my Twitter account when it's live.

UPDATE: Audio now available: Download (item 27) or Stream

Posted by Eric at 10:54 AM | Adware/Spyware , Copyright , E-Commerce , General , Internet History , Marketing , Patents , Privacy/Security | TrackBack



July 07, 2009

June 2009 Quick Links, Part 2

By Eric Goldman

State Regulation of the Internet

* iAWFUL, the Internet Advocates Watchlist for Ugly Laws

* Texas HB 2003. Part of the anti-cyber-harassment mania. Very broad statute with lots of room for prosecutorial mischief.

* BNA (BNA subscription required): "State Legislatures Consider Criminal, Civil Restrictions on Ticket Purchasing Software": "At least six state legislative bodies are considering bills this session that would place restrictions on the use of 'ticket bots.'"

* Because states are embracing the Amazon affiliate tax, the online affiliate industry is shrinking as we speak (1, 2, 3). But in one of his rare good moves, Schwarzenegger has vetoed CA's attempt to impose the Amazon tax.

* Clive Thompson in Wired: "By severing the link between location and geography, the internet turned everything upside down. Now mobile phones are inverting everything again, in the other direction — because your location becomes most important thing about you. So how is the return of geography going to change our lives?" My previous commentary on geolocation and the law.

Blogs/Social Networking Sites

* Yath v. Fairview Clinic, 2009 WL 1751767 (Minn. App. Ct. June 23, 2009). Posting illegitimately obtained health information to a MySpace page qualified as “publicity” for purposes of an invasion of privacy claim. The court says: “Yath's private information was posted on a public MySpace.com webpage for anyone to view. This Internet communication is materially similar in nature to a newspaper publication or a radio broadcast because upon release it is available to the public at large.” As a result, the publication qualified as “publicity” even if the material was posted for less than 48 hours and the plaintiff could only prove that a small number of folks actually saw it. Compare the Moreno v. Hanford Sentinel case, where republication of information the plaintiff voluntarily published on her MySpace page could not support an invasion of privacy claim.

Nevertheless, the defendants were excused because they had not created the MySpace page, even though they had supplied the information republished on the MySpace page.

* Richerson v. Beckon. Ninth Circuit upheld reassignment of teacher-mentor based on negative blog comments. My blog post on the district court opinion.

* Kaufman v. Islamic Soc. of Arlington, 2009 WL 1815641 (Tex. App. Ct. June 25, 2009). An online-only journalist qualified as a "member of the electronic or print media" for purposes of an interlocutory appeal statute.

* After von Brunn committed his hate crime outside the US Holocaust Museum, a bunch of his digital trails went dark as websites newly realized his vitriol was posted there.

* If you're looking for a paper topic, here's one: the use of MySpace, Facebook and other social networking sites in family law disputes, especially over child custody. I'm seeing cases every week where social networking site postings are being introduced to corroborate or contradict testimony about a parent's fitness.

Security

* FTC v. Pricewert. The FTC takes down an allegedly rogue Internet access provider. To the extent that the IAP is engaged in criminal activities, no problem; but it's less clear to me if the FTC can get a civil injunction under its Sec. 5 authority to stop the IAP from serving its putatively illegal customers. Such an action could be preempted by 47 USC 230. The FTC, in its brief, says the IAP fits into a Roommates.com exception, an argument presumably bolstered by their 10th Circuit win in FTC v. Accusearch.

* Johnson v. Microsoft Corp., 2009 WL 1794400 (W.D. Wash. June 23, 2009). This is a putative class action over Microsoft’s use of Windows Genuine Advantage (WGA) to validate copies of Windows XP. In this ruling, Microsoft gets SJ on the claim alleging that the contract prevented Microsoft from doing WGA validation. Especially interesting is the court’s conclusion that IP addresses are not personally identifiable information.

* Microsoft v. Lam. Microsoft brings a lawsuit against alleged click fraudsters who caused Microsoft to issue $1.5M in credits to advertisers. The NYT article.

* EFF on the most recent amendments to the Computer Fraud & Abuse Act.

Miscellaneous

* Expedia tagged for $184M in damages for improperly marking up its service fees.

* In re Jamster Mktg. Litig., 2009 U.S. Dist. LEXIS 43592 (S.D. Cal. May 22, 2009). Wireless carriers aren’t liable under RICO and false advertising laws for various deceptive practices by wireless content providers.

* New unmeritorious patent lawsuit trend: lawsuits over patent markings for expired patents.

* NYT: Investing in Lawsuits, for a Share of the Awards

* Oddee: 15 geekiest license plates.

Posted by Eric at 09:18 PM | Content Regulation , Derivative Liability , E-Commerce , Licensing/Contracts , Marketing , Patents , Privacy/Security , Publicity/Privacy Rights , Search Engines | TrackBack



ABA Antitrust Section Consumer Protection Conference Recap

By Eric Goldman

Last month I attended the ABA Antitrust Section’s Consumer Protection Conference. This post recaps some highlights from the event.

A few overarching themes:

* in light of the country’s economic malaise, the FTC is focusing its enforcement on economic harms. This is both to combat those who prey on victims of the economic downturn as well as curbing some of the excesses that contributed to the economic downturn.

* there was significant confusion, and some apprehension, about the proposed new Financial Product Safety Commission and how it will affect other government agencies, including the FTC. If nothing else, the proposed new agency creates some turf wars and might send an implicit message that the FTC somehow wasn’t up to the job (a characterization I wouldn't necessarily agree with).

* not exactly news, but the FTC is itching to do something different about regulating online privacy.

* on a related theme, there is widespread hand-wringing about the failures of consumer notices to effectively educate consumers and improve their decision-making. I agree with this, and in fact I’ve noted before that we are experiencing a “crisis of contracts.” While some UI improvement can be made in how information is presented to consumers, we are also stuck with the bigger problem that some consumer decisions are more complicated than consumers are able to handle, no matter how effectively the complexity is disclosed. There is no clear regulatory solution to this problem.

David Vladek’s Opening Remarks

David Vladek, the new director of the Bureau of Consumer Protection, outlined some things to expect from the FTC going forward:

1) The FTC will keep up/step up its aggressive pace of litigation, education and policy-making. In particular, the FTC will have to do more on economic fraud.

2) He expects the FTC will look more at privacy regulation. He said he did not find the notice/consent and harm paradigms for regulating privacy convincing. Regarding the notice/consent paradigm, he said it is hard to know what a person is consenting to. Notices are unintelligible, and they don’t address secondary uses. The harm paradigm doesn't address harms we feel but can’t quantify. So he is wondering how the FTC can rationalize its privacy approach going forward.

3) He expects the FTC to take a hard look at Internet behavioral advertising and ads directed to vulnerable sub-populations.

4) Echoing proposals that have been floated before, he said that the FTC should be on equal footing with other government agencies, including better rule-making authority, civil penalty authority and independent civil litigation authority.

More on Vladek’s presentation from Arnold & Porter, Perkins Coie and Rebecca Tushnet. While there, make sure to look at Rebecca’s introductory remarks, which were excellent but came before I was ready to take notes!

Former Chairmen’s Panel

John Villafranco moderated a panel of Bob Pitofsky and Tim Muris, both former FTC chairmen. The panel’s overriding theme was how much Bob and Tim agree with each other, even though they come from opposite sides of the political spectrum.

Villafranco asked some questions about the FTC’s past. He noted that 40 years ago, the FTC was derided, and there were calls to shut it down. Bob explained that the FTC was viewed as the “Little Old Lady on Pennsylvania Avenue” because it was preoccupied with trivial cases, hired experienced lawyers who weren’t very accomplished, didn’t take advantage of its broad mandate, and was widely regarded as the weakest agency in Washington. Bob and Tim also explained why there were deep divisions between commissioners and between commissioners and staff at that time.

Villafranco asked about the biggest misconception by outsiders. Bob said that staff runs the place; Tim said that antitrust lawyers can do consumer protection.

Villafranco also asked about the staff’s biggest misconception about companies they investigate. Tim said that staffers deal with pathologies, so sometimes they assume every business is a bad actor. Bob said that the FTC’s rules are on the vague side, so good-intentioned companies can get into trouble because they didn’t understand the rules.

Rebecca’s recap of this panel.

Privacy/Behavioral Advertising Panel

Eileen Harrington of the FTC: Disseminating content online means that the sender surrenders control over that content, even when not wanted or intended. Categories of content dissemination:
* blogging/microblogging
* social networking sites
* first party collection/behavioral advertising (e.g., Amazon, Netflix). In these contexts, data collection/use is intuitive, and the consumer can always leave if he/she doesn’t like the site’s practices.
* Gmail ads, which she distinguishes from first party collections. Google discloses its ad practice but buried in a big privacy policy. Also, consumers may expect greater privacy in email. [Eric’s note: I really didn’t understand how Gmail is different from Amazon in this regard, and I didn’t get a chance to push Eileen about this. Having used Gmail for a very long time, the value proposition and the ad presentation is unambiguously clear to me.]
* Third party collection practices. She further broke these down into:
- Third party ad networks. Websites are unrelated and no relationship between consumer and ad network. Consumer may not understand why they receive ads. Also, data sharing increases risks.
- Researchware. Improper disclosures that consumers won’t understand.
- Deep packet inspection. May be less transparent/voluntary. Consumers don’t know to look at their contracts with their connectivity suppliers. Deleting cookies won’t help.

In response to a question about whether there is a different way to communicate privacy to different generations/subcommunities, Eileen expanded on David Vladek’s comments by saying that it’s time to look again at the commission’s privacy framework. For a time, the FTC followed Fair Information Practices. Then, the FTC moved to a framework focused on harm. The FTC still thinks notice-and-choice can work in some circumstances, but it fails in other circumstances. There is concern that notice hasn’t prevented harm. The FTC wants to develop a better framework, but business practices are constantly changing around the FTC.

I asked Eileen how companies can decide what is important enough to be disclosed. I pointed out that Sears’ privacy policy fully disclosed its researchware practices but only deep within its privacy policies. Eileen responded that Sears wasn’t a close call because their disclosures were completely inadequate and the pop-up ads offered consumers a different value proposition.

Perkins Coie’s recap of Eileen’s remarks.

Wendy Seltzer’s presentation did a nice job summarizing the privacy advocate’s view. What’s new online = more data + better data crunching. Most responses have been self-regulatory and focus on notice and choice. Self-regulation works only if there is an effectively functioning market for privacy. Market failures:
* information costs of reading privacy policies.
* Behavioral economics/psychology. Consumers have difficulty evaluating near vs. distant events (i.e., hyperbolic discounting). Consumers are too optimistic that they won’t experience harm, even if disclosed to them. Technology is moving too fast, so consumers can’t anticipate future developments (such as better deidentification).

In response, Leslie Harris of the CDT added that the latest generation of kids may value its privacy; they just may not have been faced with privacy challenges yet. We don’t know what we don’t know, and we shouldn’t assume people don’t care about privacy.

Leslie also lauded the FTC behavioral advertising principles because they discourage distinctions between PII and non-PII. Also, self-regulatory efforts have been shaped by the FTC’s intervention. But she is not persuaded that self-regulation works.

Rebecca’s recap of this panel.

Research on Consumer Decision-Making

Alan Levy from the FDA. Regulators’ biggest mistake is thinking consumers read labels to learn more information about the product. Instead, consumers read labels when they have specific Qs that the label can answer. But framing the Q requires consumers to have lots of domain knowledge already, and consumers often don’t know enough to ask the Qs.

The function of label-based product claims is to ease consumers’ information search. Consumers want to make good decisions, but they satisfice. They look for products that can meet minimum adequacy standard and won’t embarrass them if asked to justify their decision. Most decisions aren’t life-and-death, and consumers usually can fix most bad decisions with their next purchase. Product claims work because they are convenient for consumers and help satisfice.

Consumers assume advertiser claims signal unique attributes of their products compared to their competitors. Consumers don’t generalize claims to the product class. Consumers want new and relevant information. The most effective marketing tells consumers something they do not already know. So claim effectiveness depends on heterogeneous consumer experience and knowledge.

Consumers need reliable information to satisfice. Consumers will accept information if it’s consistent with what they already know and legitimate on its face (i.e., not seemingly manipulative). Disclaimers about product claims can actually make claims more effective or are just ignored.

Health claims on the front of a package label truncate a consumer’s product search: when a claim is on the front, consumers won’t read the back of the package label.

Policy-makers focus too much on trying to perfect claim language, and not enough on helping frame the decision for consumers. This is based on the mistaken assumption that claims don’t work well enough at educating consumers, but the real risk is that claims work too well at motivating consumer decision-making.

Michael Mazis of American University. Lessons:

* disclosure medium matters. Disclosures are more effective in media that give consumers more time to review them.
* Consumer motivation matters to the efficacy of disclosures
* Marketing claims trump other disclosures/disclaimers

Broadcast ads: text disclosures don’t work.
Print ads: consumers aren’t in search mode, so disclosures aren’t relevant
Web ads: consumers are in product search mode, so disclosures are more likely to be effective

Ways to improve disclosure effectiveness: proximity, prominence, easy to find, comprehensible, no legalese (consumers discount these disclosures), no repetitive “throw away” disclosures.

Findings from a research study about testimonial ads:
* when consumers see testimonials in ads, they assume that results are typical
* general disclosures that “results aren’t typical” aren’t effective
* specific disclosures about lack of typicality are somewhat more effective than general disclosures, but still aren’t very effective

Rebecca’s recap of this panel.

Role of Consumer Surveys in Enforcement/Litigation

Chris Cole of Manatt Phelps said that in every false advertising case, parties disagree about whether claims are literal or implied. Courts vary widely about what constitutes a literal claim; much depends on advocacy quality and the judge’s intuition (results-oriented judgment). There are no uniform standards for survey admissibility. There is a trend towards accepting non-traditional evidence such as internal brand tracking surveys not specifically prepared for the litigation.

Chris also talked about the difficulty of designing a defensive survey because it’s hard to prove a negative (i.e., the absence of consumer confusion). To do so requires lots of directed (but not leading) questions to present enough evidence to convince the judge. Further, the other side often tries to reinterpret survey results, which is another reason not to conduct a defensive survey in the first place.

He also said there is no reason to give FTC or State AGs’ interpretation of ad claims any extra deference. The government should have to prove its case.

Finally, Chris discussed problems with trying to do surveys over the Internet, which may be more representative of consumers in practice than mall intercept surveys—who goes to a mall any more? However, he noted that the screen display may not be the same (ex: TV ads shown on a computer monitor may be harder to read), and there may be questions about the motivation and representativeness of panelists who are incented to participate.

Lee Peeler, a long-time FTC staffer, said that years ago, the FTC was perceived as not using extrinsic evidence because surveys might prove the defendant’s case or get tossed out. Now, the FTC looks at extrinsic evidence, but non-exclusively.

Patricia Conners of the Florida AG’s office said that state AGs don’t like to do consumer surveys because (1) they are not statutorily required, (2) they are expensive and time-consuming, (3) they distract the case from substantive issues to focus on survey methodology, and (4) many cases are against really bad actors, so survey evidence isn’t necessary to prove the case. On the flip side, defendants often overclaim their extrinsic evidence when trying to avoid regulatory intervention, which makes the regulators skeptical.

Rebecca’s recap of this panel.

More on the Conference

* Rebecca on financial products safety
* Rebecca on green marketing and internet issues. Arnold & Porter on the green marketing panel.
* My post on my talk on 47 USC 230 and consumer protection law.

Posted by Eric at 08:24 AM | E-Commerce , Licensing/Contracts , Marketing , Privacy/Security



June 30, 2009

Roommates.com Infects the Tenth Circuit--FTC v. Accusearch

By Eric Goldman

F.T.C. v. Accusearch Inc., 2009 WL 1846344 (10th Cir. June 29, 2009). My blog post on the district court opinion.

Introduction

June has been an active month for 230 jurisprudence. Cases this month include Doe IX v. MySpace (actually a May opinion but I blogged it in June), Gibson v. Craigslist, the Barnes v. Yahoo amendment, and Zango v. Kaspersky--all defense-favorable outcomes. As I mentioned in my post on the Doe IX case, the Ninth Circuit Roommates.com en banc decision has not cast a long shadow on 230 jurisprudence; it has been cited less than 10 times in the past year, and prior to yesterday, only once in favor of the plaintiff. Unfortunately, those good times may be over. The Tenth Circuit has largely adopted the rule and reasoning of Roommates.com in FTC v. Accusearch, effectively making Roommates.com the governing law west of the Rockies.

The FTC's Enforcement Action Against Accusearch

This is a prime example of bad facts making bad law. Accusearch runs Abika.com, a website that tried to style itself as a matchmaker between customers seeking, and vendors selling, private/personal records about people. The specific records at issue here contain "customer proprietary network information" (CPNI), the metadata about telephone calls. CPNI resales were probably illegal at the relevant time periods; following the Hewlett-Packard pretexting scandals, Congress cleared up any confusion and criminalized the resale of CPNI via the Telephone Records and Privacy Protection Act of 2006, 18 U.S.C. §1039.

If Abika.com was structured as a pure advertising site to facilitate off-site transactions, like Craigslist or eBay, perhaps Abika.com would have a stronger case for qualifying for 47 USC 230 protection for the sale and delivery of CPNI reports from Abika's vendors to their customers. However, Abika.com apparently was structured as a classic retailer in that it advertised the third party reports, processed customer payments, and delivered the subsequent reports to customers as if the reports were its own (Abika.com even stripped out the third party vendor's identifying information). So the veneer of Abika.com simply being a passive intermediary between customers and vendors may have been overwhelmed by Abika's active and overwhelming presence in the transaction.

The FTC went after Accusearch claiming that Abika.com was engaged in "unfair" trade practices under the FTC Act. (Note: the FTC has the power to pursue unfair commercial practices, even when they are not deceptive. However, the standards for "unfair" are amorphous, making such enforcements potentially problematic and controversial. Fortunately, the FTC generally wields this power sparingly). Accusearch's principal defense was 47 USC 230 on the theory that Accusearch procures the CPNI reports from third party vendors and merely republishes the third party reports to Accusearch's customers.

It's really hard to defend CPNI resales, and the court says that Accusearch had the requisite scienter that such resales were illegal/impermissible. With the combination of scienter, illegal transactions, active intermediation and the FTC as a plaintiff, it really seemed to me that Accusearch had no chance of winning this case. But this combination also tempted the judges to use loose reasoning to reach that unavoidable result.

The Opinion’s Discussion of 47 USC 230

A defendant must establish three elements of a successful 230 defense, and the majority opinion muddles the discussion on all of them:

1) "provider or user of an interactive computer service." Based on the funky definition of ICS, the FTC argued that websites qualify for 230 protection only when they enable user-to-user communications. The majority declines to accept this argument but doesn't reject it outright either, basing its decision on another prong. Although the statute could be clearer (like, for example, saying that websites qualify for 230 protection), the caselaw is extremely thick that every website qualifies for 230 protection. Unfortunately, with the majority's pathetic response, I wouldn't be surprised if plaintiffs unnecessarily put this issue into play in future 10th circuit cases.

2) "publisher or speaker of content." The concurring judge argues for a speech/conduct distinction and argues that the FTC is pursuing Accusearch for its conduct, not its speech. The speech/conduct distinction is almost meaningless in this case given that Accusearch was reselling information, which means that Accusearch was electronically republishing that information. The majority disagrees with the speech/conduct distinction but otherwise doesn't discuss this prong.

3) "created or developed by another information content provider." Adopting the arguments from the Roommates.com case, the majority says that Accusearch didn't "create" the reports but it was "responsible" for "developing" the reports. To reach this conclusion, the majority defines "responsible" and "develop":

* citing old French, "develop" means to "unwrap." Huh? Thus, "when confidential telephone information was exposed to public view through Abika.com, that information was 'developed.'" Does this definition make "develop" a synonym for "publish"?

* the majority initially says what "responsible" doesn't mean: "to be 'responsible' for the development of offensive content, one must be more than a neutral conduit for that content." This reference to "neutral conduit" parallels the Roommates.com case, which used the term "neutral tools" five times but never defined the term once.

The majority then says "a service provider is 'responsible' for the development of offensive content only if it in some way specifically encourages development of what is offensive about the content." This phrasing allows the court to distinguish the old 10th Circuit Ben Ezra precedent, which absolved AOL of liability for republishing inaccurate stock quotes. There, AOL didn't ask its vendors to give it false reports; here, the majority says that Accusearch asked its vendors to get information it knew was illegal to obtain:

Accusearch solicited requests for such confidential information and then paid researchers to obtain it. It knowingly sought to transform virtually unknown information into a publicly available commodity. And as the district court found and the record shows, Accusearch knew that its researchers were obtaining the information through fraud or other illegality.

Implications

I doubt the literal holding of this case is all that troubling to most folks. If you're in the business of reselling illicit phone records and the FTC comes calling, 230 isn't likely to help you.

However, this opinion could be problematic for any online retailers who thought they could use 230 to insulate themselves. It's never been clear how much 230 protects online retailers when they are making sales for their own account (as opposed to advertising services like eBay or Craigslist), and this opinion raises the specter that 230 won't apply even when "retailing" involves republishing third party content. Indeed, the loose language means the case could be a major carveback of 230's coverage in the Tenth Circuit. As the concurrence points out, the majority's reading is "an unnecessary extension of the CDA’s terms 'responsible' and 'development,' thereby widening the scope of what constitutes an 'information content provider' with respect to particular information under the Act."

Then again, between its role as a retailer and the illicit nature of its goods, Accusearch was always at the periphery of 230's coverage. Today, 230 would be irrelevant if a federal government agency pursued a CPNI reseller under the new criminal provisions in 18 U.S.C. § 1039. So I think a better interpretation of this case is that where an online provider is dabbling too close to third party illegal activity, judges simply will ignore 230 as a bailout. Framed that way, this ruling is akin to Roommates.com, which was largely a normative judgment by the Ninth Circuit that the Fair Housing Act should trump 230 regardless of 230’s precise statutory contours.

I'll conclude with a few more thoughts about the concurrence. Although the concurrence's proposal to distinguish between speech and conduct wasn’t a good one, there was a useful nugget embedded in it. To bypass 230, perhaps the case could have focused on first party content published by Accusearch--namely, copy written by Accusearch advertising the availability of CPNI records, including any express or implied statements that it was reselling legitimate records. I've repeatedly blogged on the challenges of first-party/third-party content distinctions in 230 (see, e.g., my recent discussion about 230 and consumer protection), but in this case, I think focusing on Accusearch's own representations may have led to a cleaner doctrinal result than the one we got.

Finally, in the concurrence's FN5, Judge Tymkovich says:

If Accusearch had run a traditional business out of a physical location and offered similar services, it would seem the FTC would have the same unfair business practices complaint. Nothing would immunize Accusearch’s conduct had it chosen to deliver the confidential telephone records to requesters through hard copy print-outs either in person or through the mail. Accusearch’s duty to refrain from engaging in the solicitation and distribution of unlawfully-obtained confidential telephone records should not depend on the medium within which it chooses to operate.

Uh, NO. As with some other bright judges dealing with 230 cases, Judge Tymkovich has fallen into the mental trap that smart common law judges applying their powers of reasoning can simply intuit what the law should be. Congress has made it abundantly clear that it did exactly what Judge Tymkovich rejects; via 230, Congress created medium-specific rules that make some activities online permissible even if their offline analogue would not be. As challenging as it may be, judges should resist the temptation to make these kinds of normative assumptions in the face of clear Congressional intent.

Posted by Eric at 10:28 AM | Derivative Liability , E-Commerce , Privacy/Security



June 10, 2009

Stop Saying "We Can Amend This Agreement Whenever We Want"!--Harris v. Blockbuster

By Eric Goldman

Harris v. Blockbuster Inc., 2009 WL 1011732 (N.D. Tex. April 15, 2009). The Justia page.

[I've been sitting on this case for a couple of months, but it's such an important case that it still deserves a write-up even at this comparatively late date.]

This case is part of the legal detritus from the Facebook Beacon program. As you recall, Facebook Beacon included purchases from third party e-commerce sites into the buyer's Facebook status reports. This required the e-commerce sites to report Facebook users' purchases back to Facebook. A Blockbuster user claimed that Blockbuster's reports to Facebook violated the Video Privacy Protection Act, which prevents disclosures of PII about video customers without their consent. (Beacon did have an opt-out of debatable efficacy). Blockbuster moved to compel arbitration of this lawsuit based on the mandatory arbitration clause in Blockbuster's user agreement.

Blockbuster used an industry-standard and entirely typical introductory clause to its user agreement, which said:

Blockbuster may at any time, and at its sole discretion, modify these Terms and Conditions of Use, including without limitation the Privacy Policy, with or without notice. Such modifications will be effective immediately upon posting. You agree to review these Terms and Conditions of Use periodically and your continued use of this Site following such modifications will indicate your acceptance of these modified Terms and Conditions of Use. If you do not agree to any modification of these Terms and Conditions of Use, you must immediately stop using this Site.

This industry-standard and entirely typical clause does not fare well in this courtroom. Among other defects, the judge notes that "there is nothing in the Terms and Conditions that prevents Blockbuster from unilaterally changing any part of the contract other than providing that such changes will not take effect until posted on the website." As a result, the court deems the arbitration clause "illusory," an odd Texas law descriptor that appears to be a cousin of lack of consideration.

I could wax philosophic about the ontological meaning of a "contract" that one party can amend unilaterally at any time without notice. However, I'd rather focus on the simple practical implication from this ruling. I've never been a fan of the language Blockbuster used, and I had hoped many websites would reconsider the language after the Ninth Circuit trashed such provisions in 2007 in Douglas v. Talk America (also see my follow-up post). Yet, these clauses are still ubiquitous, even at big websites that "should know better," so let me boil it down for you into a single all-caps mantra:

STOP PUTTING CLAUSES INTO YOUR CONTRACTS THAT SAY YOU CAN AMEND THE CONTRACT AT ANY TIME IN YOUR SOLE DISCRETION BY POSTING THE REVISED TERMS TO THE WEBSITE

This language has a significant risk of killing the entire contract, which would strip away a lot of very important provisions that should be/need to be in the contract. So far Blockbuster has only lost its mandatory arbitration clause, but it's possible other important risk management clauses (warranty disclaimer, liability limits, dollar caps, etc.) will similarly fall. If those clauses fail, let the plaintiff feasting begin!

I recognize that weaning ourselves from very flexible amendment language leaves us as drafters with few good options to modify online user agreements over time. I discussed this dilemma in my post on the Douglas case. I haven't found any better solutions in the past 2 years, but I can say with confidence--DON'T DO WHAT BLOCKBUSTER DID.

UPDATE: I got the following email from a reader proposing a good alternative to current amendment notification processes: "To avoid the spam-filter problem, the provider could give notice via an RSS feed as well, and then disclaim like crazy about the problems with the email option (which would indeed simply be an option -- a link to a page where users can sign up to receive notices)." I love this idea! RSS is a true opt-in with few of the challenges of email.

Also, this brought to mind the EFF's new TOSBack service, which I'll mention more in a future blog post, that effectively provides a third party service to track amendments of various user agreements into an RSS feed. I LOVE IT! I have subscribed to TOSBack and plan to blog on interesting user agreement amendments it reveals--and I suspect I'm not the only one queued up to do so. TOSBack is a game-changer for public scrutiny of agreement amendments--sites being monitored in TOSBack are now on notice that their user agreement amendments are being watched!

Posted by Eric at 10:26 AM | Licensing/Contracts , Privacy/Security



June 09, 2009

May 2009 Quick Links Part 2

By Eric Goldman

Blogs and Boards

* WSJ: Bloggers, Beware: What You Write Can Get You Sued

* j2 Global Communications v. Zilker Ventures, CV 08-07470 SJO (AJWx) (C.D. Cal. April 22, 2009). A consumer review website can putatively qualify for anti-SLAPP protection, but not in this case because the plaintiff established its prima facie case.

* Biggs Cardosa Associates Inc. v. Bradbury, 2009 WL 1508703 (Cal. App. Ct. May 29, 2009). Here's another one for all of you Rip-off Report fans. A former employee lost a jury trial (and was hit with over $100,000 of damages) for breaching a "non-disparagement" clause in his separation agreement by posting negative comments about his former employer and colleagues on a variety of online fora, including numerous posts on the Rip-off Report.

* Houston Chronicle article on a lawsuit against a website operator for a user post saying that a woman has herpes when she, in fact, does have herpes. She is claiming public disclosure of private facts. [Stupid Houston Chronicle expired the article and moved it to its archives, breaking a number of links throughout the web. Here's a short recap of the article.]

* Stengle v. Office of Dispute Resolution, 2009 WL 1138119 (M.D. Pa. April 27, 2009). The contract of an independent contractor government "hearing officer" was non-renewed because she blogged on the topics of her hearings, raising questions about her impartiality. As the court says in dismissing the resulting lawsuit from the hearing officer:

To reiterate, this Court fully recognizes the cherished right of free speech, as well as the commendable goals of the RA. But these cannot wash away the bona fide concerns that arise when a judicial officer elects to disseminate her opinions in cyberspace with little or no restraint. Because of her position, Plaintiff's attempts to qualify her stances as solely her own were entirely ineffectual. With particular jobs come certain precise responsibilities. In Plaintiff's case, one of these included avoiding even the appearance of bias via extra-judicial comments. Plaintiff's deep concerns about the special education issues and the resulting creation of her blog ultimately caused her to face a dilemma that she alone created. The choices she freely made thereafter led to her non-renewal, and as aforestated we do not find any of the Defendants' conduct actionable under the circumstances.

This case reminded me some of Richerson v. Beckon from last year.

* JuicyCampus redux: People's Dirt. Let the angst over anonymous online forums begin anew.

* Doe v. Ciolli, 2009 WL 1204361 (D. Conn. April 30, 2009). In the AutoAdmit lawsuit, the court rejected Matthew Ryan's (aka ":D") motion to dismiss for lack of jurisdiction.

* Facebook v. Power Ventures, Inc., 2009 WL 1299698 (N.D. Cal. May 11, 2009). Largely following the troublesome Ticketmaster v. RMG case, Power Ventures' motion to dismiss Facebook's copyright and DMCA claims was denied. (Other claims survived too). Comments from Jeff Neuburger and Tom O'Toole.

Miscellaneous

* Colleen Chien, Of Trolls, Davids, Goliaths, and Kings: Narratives and Evidence in the Litigation of High-Tech Patents, North Carolina Law Review, Vol. 87, 2009

* Mazur v. eBay Inc., 2009 WL 1203937 (N.D. Cal. May 5, 2009). Class certification denied. My blog post on this case’s more troubling ruling about 47 USC 230.

* Riggs v. MySpace, Inc., 2009 WL 1203365 (W.D. Pa. May 1, 2009). Venue selection clause in MySpace user agreement upheld.

* Salter v. State, 2009 WL 1409484 (Ind. App. Ct. May 20, 2009). Saving pornographic photos of a minor to a CD does not constitute the "creation" of child porn, even though a new "copy" has been created.

* State v. Bell, 2009 WL 1395857 (Ohio App. Ct. May 18, 2009). MySpace chat sessions aren't MySpace "business records" for hearsay purposes.

* Forbes: the Hidden Costs of Privacy. This article has been written, and written again, many times in the last decade; yet the regulatory dynamics have not improved.

Posted by Eric at 10:35 AM | Content Regulation , Copyright , Derivative Liability , Patents , Privacy/Security , Publicity/Privacy Rights



June 08, 2009

May 2009 Quick Links Part 1

By Eric Goldman

Just a reminder that I'm posting some quick links exclusively to my Twitter account.

Trademarks

* Texas International Property Associates v. Hoerbiger Holding AG, 2009 U.S. Dist. LEXIS 40409 (N.D. Tex. May 12, 2009). Domainer loses ACPA claim over typosquatted domain name. The PPC advertising constituted bad faith intent to profit. Ryan Gile recaps the action.

* GunBroker.com LLC v. Heckler & Koch Inc., No. 09-cv-00051 (M.D. Ga. complaint filed May 14, 2009). Interesting lawsuit by an online auction site for guns seeking a declaratory relief action against a trademark owner who deployed an enforcement agency, Continental Enterprises, to send a driftnet takedown letter that apparently targeted used gun resales or compatible goods. Ryan Gile has more.

* Miranda v. Guerroro, 2009 WL 1381250 (S.D. Fla. May 14, 2009). Miranda is “Paola Morena,” a Latin singer. Her former manager convinced her to do some nude photo shoots in an effort to get a Playboy gig. The Playboy gig didn't materialize, and the manager stopped representing Miranda/Morena. After Morena's career took off, the manager then allegedly threatened to publicly post the photos unless she paid him $70k. Morena rebuffed the request, so the manager allegedly followed through with his threats by launching a website paolamorena.com [I got a nasty Google malware warning when I tried to visit the site], calling it her “official” site and posting some of the photos. The court enjoined the manager under trademark law. I'm a little confused how Morena had protectable trademark rights in her name. Did she make any use in commerce in the United States? Did her name achieve secondary meaning? This could be another case where trademark law is being stretched to stop bad behavior.

* Eric Menhart, the self-purported owner of a trademark in the term Cyberlaw, has gotten his very own personal gripe site.

Advertising and Marketing

* How much can Behavioral Targeting Help Online Advertising? HT Greg Linden

* Yingling v. eBay, 5:2009cv01733 (N.D. Cal. complaint filed April 21, 2009). A class action lawsuit alleging that eBay Motors overcharged merchants.

* IAB has issued its Click Measurement Guidelines designed to answer the Q “What is a Click?” See if their 28 page report actually answers the Q.

* A confusingly written LA Times article reports that 4 South Korean dissident bloggers are being criminally prosecuted for artificially inflating impression counts in order to game rankings of most popular pages.

* Perennially funny: unfortunate product names.

Copyright

* Solicitor General recommends against granting cert in Cartoon Network v. CSC.

* AV v. iParadigms, April 16, 2009. The Fourth Circuit says that the Turnitin system is fair use. My initial blog post on the district court ruling.

Security

* News.com: Interview with FBI cybercrime agent working undercover.

* Oddee: problematic CAPTCHAs. Funny.

Google

* Everyone wants to talk about whether Google is a monopolist
- In early May, I heard Susan Athey, Microsoft's Chief Economist, give a lunchtime attack speech on Google at a George Mason event
- Google is circulating a document explaining why it's good for competition
- Google is blanketing DC with lobbyists too.
- And Google says it's actually small potatoes.
- Wired: Will Wolfram Alpha forestall antitrust inquiry into Google? As I've argued before, we continue to see new entrants into the search business all the time—it’s just too big a market to ignore.
- NYT weighs in too. And the Washington Post discusses how Microsoft and others are complaining about how many Google folks are going into the Obama administration.

* Danny Sullivan: State Of Search: Google Will Stay Strong Despite Bing & Yahoo

* Wired: Secret of Googlenomics: Data-Fueled Recipe Brews Profitability

Posted by Eric at 04:03 PM | Copyright , Derivative Liability , E-Commerce , Licensing/Contracts , Marketing , Privacy/Security , Search Engines , Trademark | TrackBack



May 28, 2009

Contributory Cybersquatting and the Impending Demise of Domain Name Proxy Services?--Solid Host v. NameCheap

By Eric Goldman

Solid Host, NL v. NameCheap, Inc., 2:08-cv-05414-MMM-E (C.D. Cal. May 19, 2009)

Facts

This case involves an alleged domain name theft. Solid Host is a web host and initial owner of the domain name solidhost.com, which it registered through eNom in 2004. Solid Host claims that in 2008, a security breach at eNom allowed an unknown interloper (Doe) to steal the domain name and move the registration to NameCheap. Doe also acquired NameCheap's "WhoisGuard" service, a domain name proxy service that masked Doe's contact information in the Whois database. Solid Host contacted Doe and sought the domain name; Doe asked for $12,000, and Solid Host took a pass. Instead, Solid Host demanded that NameCheap hand back the domain name and identify Doe, but Doe claimed that he had bought the domain name legitimately. NameCheap, apparently feeling like the cheese in a sandwich, demurred to Solid Host's requests. Solid Host then got a TRO ordering NameCheap to transfer the name and reveal Doe's identity, both of which occurred. For unclear reasons, Solid Host hasn't amended the complaint to name the Doe, but it is proceeding against NameCheap on various claims, including an Anti-Cybersquatting Consumer Protection Act (ACPA) claim.

The Opinion

Who is the Registrant?

My understanding of domain name proxy services is that the service acts as the legal registrant, thus supplying its contact information, but it registers the domain name for the benefit of its customer, making the customer the beneficial registrant. An analogy: a bank may take legal title of a property as part of securing a loan on the property, but the borrower retains beneficial title to the property.

So, for purposes of the ACPA, is the proxy service the “registrant” of the domain name? ICANN’s agreement with registrars seemingly contemplates this characterization in Section 3.7.7.3 of its Registrar Agreement, which says “A Registered Name Holder licensing use of a Registered Name according to this provision shall accept liability for harm caused by wrongful use of the Registered Name, unless it promptly discloses the identity of the licensee to a party providing the Registered Name Holder reasonable evidence of actionable harm.” However, it’s not clear to me that a proxy service “licenses” the domain name, especially if you accept my lender-borrower analogy above. Alternatively, if the proxy service is the “agent” of the customer, the licensing analogy also breaks down.

Whether the proxy service is the registrant matters a great deal to the legal outcome, and unfortunately, the court’s analysis of this important question was cursory, muddled, and possibly internally inconsistent.

In this case, the court’s inquiry is made more difficult by the fact that NameCheap acted as both the registrar and the proxy service provider. As a registrar, an ACPA claim against NameCheap should be squarely preempted by the domain name registry/registrar safe harbor enacted as part of the ACPA (15 U.S.C. §1114(2)(D)). For example, 1114(2)(D)(iii) says:

A domain name registrar, a domain name registry, or other domain name registration authority shall not be liable for damages under this section for the registration or maintenance of a domain name for another absent a showing of bad faith intent to profit from such registration or maintenance of the domain name

(This provision only moots damages, not an injunction, but since Solid Host has the domain name back in its possession, damages seem like the only remaining issue).

The court concludes that NameCheap is not eligible for the domain name registrar safe harbor because NameCheap is the domain name registrant. It says, "NameCheap is, by virtue of the anonymity service it provides, the registrant of a domain name that allegedly infringes Sold [sic] Host’s trademark." Thus, NameCheap is ineligible for the registrar safe harbor, which applies only when the registrar acts as a registrar.

But, having rejected the domain name registrar safe harbor because NameCheap was the domain name registrant, the court then inconsistently says that NameCheap is not the registrant for purposes of the prima facie ACPA claim. Instead, for ACPA purposes the court treats Doe as the registrant, leaving NameCheap exposed to a possible secondary ACPA liability claim. (The court acknowledges that NameCheap would defeat a direct ACPA claim because NameCheap did not have any bad faith intent to profit from the domain name. Offering the proxy service wasn't enough to qualify as a bad faith intent to profit).

Wait a minute—how can NameCheap simultaneously be both the registrant (no safe harbor) but not the registrant (thus, subjected to a secondary claim)? The court does not acknowledge or explain this apparent inconsistency.

Contributory Cybersquatting

Courts have rarely discussed a contributory ACPA claim. The only one cited by the court was a 2001 case (the Ford Motors vs. Greatdomains.com case) and I can’t think of any others. Perhaps this isn’t surprising because (1) as the Greatdomains.com case indicated, a contributory ACPA claim is available "in only exceptional circumstances," and (2) registrars are the most likely targets of a contributory ACPA claim, and the domain name registrar safe harbor effectively eliminates their contributory ACPA liability.

Adopting the analysis in the Greatdomains.com case, this court equates contributory ACPA liability with the Ninth Circuit’s 1999 Lockheed standard for online contributory trademark infringement (as opposed to ACPA liability), which requires that "a plaintiff must prove that the defendant had knowledge and ‘[d]irect control and monitoring of the instrumentality used by the third party to infringe the plaintiff’s mark.'"

So how did NameCheap have the requisite control over Doe's instrumentalities? Good question. The court tosses out this gem: NameCheap was "the “cyber-landlord” of the internet real estate stolen by Doe." WHAT??? The court continues:

NameCheap’s anonymity service was central to Doe’s cybersquatting scheme. If NameCheap had returned the domain name to Solid Host, Doe’s illegal activity would have ceased.

The second sentence is true with respect to NameCheap, but it is also true of every registrar for every domain name they register--and we know from the 1999 Lockheed case that registrars lack control over the instrumentalities of their registrants. So the proxy service seems to make a legal difference, but how does the proxy service evidence NameCheap's greater control over the registrant's instrumentalities? I think something is amiss here.

To complete the prima facie contributory ACPA claim, in addition to control, Solid Host must show that NameCheap has the requisite knowledge of Doe's ACPA violation. The court sets a high scienter bar--mere notice from an aggrieved party isn't enough--but the court conclusorily says that the complaint alleged enough knowledge to survive the motion to dismiss.

Why This is a Troubling Ruling

As I trust is clear, I think the court's analysis is questionable at best. I’m also troubled about the normative implications. Most obviously, this case could portend the demise of domain name proxy services. Read literally, every proxy service is exposed to potential contributory ACPA liability for every domain name it services. I can’t imagine proxy service providers will be excited about that liability exposure, and some may choose to exit the business.

If proxy services evaporate, domain name registrants will have a tougher time maintaining their privacy. This could affect at least two groups. First, businesses seeking to register domain names for unlaunched new brands often want to procure the new brand's domain names without publicly announcing their intentions through the Whois database. (Of course, some businesses register such domain name through agents or shell companies, but at a much greater expense than a proxy service). Second, gripers, whistleblowers, critics and others may want to use proxy services to make it harder for their targets to unmask their identities. This ruling jeopardizes the potential privacy options available to both groups.

I’m also troubled by this ruling’s narrow reading of the domain name registrar safe harbors. There haven’t been many cases interpreting those safe harbors, and this case might influence other courts to read them narrowly.

A Mini-Trend of Lawsuits Against Registrars

I’ve noticed a small but troubling increase in lawsuits against domain name registrars in the past few months. In addition to this case, see the Vulcan Golf v. Google lawsuit (which named some registrars as defendants), OnlineNIC cases, Philbrick v. eNom and uBid v. GoDaddy. Personally, I believe this litigation trend mirrors the expansion of new and legally untested non-registration services offered by registrars. I explored this issue with Elliot Noss of Tucows in the most recent installment of TWiL (worth listening to, IMO). Discussing the uBid lawsuit, Elliot explained how registrars monetize dropped domain names before they are returned to the available pool of unregistered domain names. The delay is putatively for the benefit of customers who mistakenly let a registration lapse; but this also has the happy (?) by-product of letting registrars create new ad inventory that they are monetizing.

In the past, a lot of the legal attention regarding domain names has focused on trademark owners vs. registrants. From my perspective, those lawsuits are becoming passé. The real litigation growth industry appears to be trademark owner vs. registrar lawsuits over new registrar service offerings that trademark owners don't like. Rulings like this one, with a broad reading of contributory ACPA liability and a narrow reading of the domain name registrar safe harbor, raise the specter that registrars may find more legal trouble than they anticipated.

UPDATE: Commentary from Domain Name News

UPDATE 2: A call for registrars to exit the domain name proxy business.

Posted by Eric at 03:27 PM | Derivative Liability , Domain Names , Privacy/Security , Trademark | TrackBack



April 12, 2009

Q1 2009 Quick Links, Part 4

By Eric Goldman

Security

* Massachusetts Data Security regulations were amended.

* In Facebook v. Power.com, Facebook brought another lawsuit to block extraction of user data from the site (similar to the Facebook v. ConnectU lawsuit). Venkat, Masnick, News.com, NYT, Justia. In this case, I wonder if Facebook has adequately distinguished between Power.com's behavior and the operation of its own "Find a Friend" service that taps into third party email servers to extract email addresses. Power.com’s response.

* Andritz, Inc. v. Southern Maintenance Contractor, LLC, 2009 WL 48187 (M.D. Ga. Jan. 7, 2009). IP infringement isn't a cognizable harm under the Computer Fraud & Abuse Act.

Adware/Spyware

* Who says Valentine's Day is just a Hallmark holiday? Sales of spyware and other tools to track cheating SOs also increase around Valentine's Day.

* Susan Brenner on the Cybercrimes Treaty and the US's decision not to criminalize possession of malware as required by the treaty.

Venture Capital

* BusinessWeek: Silicon Valley innovation is being stifled by VCs who only want to make small bets, not big bets. But VC investing is faddish, so the wind might change tomorrow.

* $600M of VC investments in virtual worlds.

Contracts

* Burcham v. Expedia, Inc., 2009 U.S. Dist. LEXIS 17104 (E.D. Mo. Mar. 6, 2009). Buyer was bound to user agreement even though he argued (without any evidence) that someone else established the account he used. This dovetails nicely with the broad reading of who is bound by an online user agreement; see my discussion in the Lori Drew case. Jeff Neuburger's writeup. Aside: I wonder if Expedia will be insulated by 47 USC 230 for the allegedly wrong description of amenities if they got the description of the hotel from third parties. For an analogous result involving the binding of users who didn't agree to the initial contract, see CoStar Realty Information, Inc. v. Field, 2009 WL 841132 (D. Md. March 31, 2009).

* Fractional Villas Inc. v. Tahoe Clubhouse, No. 08cv1396 (S.D. Cal. Feb. 25, 2009). Citing the RMG case, the court says that merely visiting a site may be sufficient to bind visitors to a browsewrap. However, in this case, there was insufficient evidence that the defendant had ever visited the site.

* Cherny v. Emigrant Bank, 2009 U.S. Dist. Lexis 2486 (March 12, 2009). Latest case that breach of privacy policy isn’t actionable unless there are actual damages. Venkat’s writeup.

* A stat I fully believe: "studies have shown that more than half of all companies cannot even locate signed copies of 10% or more of their contracts." The Zen Master asks: if both parties think they have entered a contract but neither can find a copy, do they have a contract? (this has really happened to me before).

Taxes

* Amazon v. New York and Overstock v. New York (N.Y. Sup. Ct. Jan. 12, 2009). Kudos to New York for finally figuring out a way to break the Internet and defeat the Internet Tax Freedom Act by treating Amazon Associates as traveling salespeople for sales tax collection purposes. I imagine every state in the country will jump on this bandwagon, at which point some e-tailers will kill their affiliate program and others will end up imposing sales tax collection nationwide.

* Pitt County v. Hotels.com, L.P. (4th Cir. Jan. 14, 2009). Online travel aggregators aren't "retailers" (as referenced in the statute) for purposes of collecting local hotel occupancy taxes.

General

* Some interesting cyberspace exceptionalism developments involving cases where paper presentation may be different from electronic presentation of the exact same content. In Smith v. Under Armour, Inc., 2008 WL 5486764, web payment confirmations displayed on-screen are not "printed" within the meaning of the Fair and Accurate Credit Transactions Act. Accord Smith v. Zazzle.com, Inc., 2008 U.S. Dist. LEXIS 101050. See generally this Proskauer recap. In Saulic v. Symantec Corp., a California law prohibiting data collection with credit card sales was held inapplicable online.

* Sudduth v. Donnelly, 2009 WL 918090 (N.D. Ill. April 1, 2009). Plaintiff got stiffed on his eBay transaction and sued eBay for 1983 equal protection and conspiracy claims as well as a Title VI civil rights claim. Because eBay isn't a state actor, however, the court dismissed eBay.

* My colleague Steve Diamond is blogging every detail of the battle for SAG's soul over at his new blog, King Harvest. For example, he summarizes the travails of the Screen Actors Guild.

* Oddee: 10 Geekiest T-Shirts. I own a t-shirt that says "I'm Blogging This" (a gift from a former student) and a mug that says "Vegetarian Blogger" (gift from a colleague).

* Oddee: 15 Most Unfortunate Town Names. I think Licking County should have been a contender.

* Is there any better sign of Cyberlaw's maturity than the publication of Internet Law in a Nutshell? [Amazon Affiliates link]

* Oddee: 12 Most Ridiculous Lawsuits. I welcome your nominations for the most ridiculous Internet lawsuits of all time. I hope to write that up some day.

* Happy birthday, Gmail! Best email software I've ever used. The battles over Gmail privacy seem so...2004!

Free Stuff

* The Ninth Circuit recently updated its website...with RSS feeds!

* Nolo Press' "NDAs for Free." Potentially useful site.

* I have one extra copy of my Fall 2008 Cyberspace Law course reader. First person to send an email with their mailing address gets it. [CLAIMED]

Posted by Eric at 12:03 PM | Adware/Spyware , E-Commerce , Licensing/Contracts , Privacy/Security , Trade Secrets , Virtual Worlds | TrackBack



April 11, 2009

Q1 2009 Quick Links, Part 3

By Eric Goldman

Blogging and Social Networking Sites

* A new version of the EFF Legal Guide to Blogging. While you're there, consider joining EFF as a member. The EFF does first-rate work, and they can use all the support they can get in this economic downturn.

* Red Tape Chronicles: "Blogger: Cash4Gold tried to 'bribe' me."

* Klein v. City of Laguna Beach, 594 F. Supp. 2d 1142 (C.D. Cal. Jan. 23, 2009): "many of the cases striking down ordinances that restrict sound-amplification equipment are artifacts of a bygone age that offered activists few media of mass communication. Twenty, thirty, or fifty years ago, a sound truck was an important means of spreading a message to a large group of people. Now, one must only have a computer and a printer to publish a newsletter or handbill. The Internet, e-mail, text messaging, and widespread mobile communications devices have made it easier than ever to reach a large audience on a small budget. Indeed, it might be easier for Mr. Klein to reach the youth he wishes to target by using Facebook or MySpace."

* Maybe everyone already knew this, but I learned something interesting about Blogger. Apparently in some cases they will place an interstitial warning in front of certain user-posted content.

* Doninger v. Niehoff, 2009 WL 103322 (D. Conn. Jan. 15, 2009). On remand from the Second Circuit, the district court denies damages for a student whose off-campus blog entry led to school discipline. At the same time, Wendy Davis reports on how a Conn. Bill Would Protect Students' Free Speech Online:

* Funny article on Facebook's efforts to police against people who create funny account names, which sometimes ensnares people who actually have funny names like Batman, Six, Super, Pancake and Kisser.

* Facebook Sex-Extortion Plot: a boy pretends to be a girl, gets boys to send naked photos to him, and then threatens to go public with the photos unless they consent to sex with him.

* Dynamic Sports Nutrition, Inc. v. Roberts, 2009 WL 136023 (S.D. Tex. Jan. 16, 2009). A former employee republishing confidential information via his blog is enjoined.

* We now know that Facebook settled with ConnectU for $65M. However, ConnectU might get a little more cash after this information was inadvertently disclosed by its former counsel, Quinn Emanuel, in a marketing brochure.

* Facebook gets TRO against Wallace.

* Some people gave up Facebook for Lent.

* Reuters writes up a shocking study: many teens on MySpace post things they might regret.

* State v. Hause, 2009 WL 295404 (Ohio App. Ct. Feb. 9, 2009). Facebook photos help convict a woman for allowing minors to drink alcohol in her house.

* U.S. v. Villanueva, 2009 WL 455127 (11th Cir. Feb. 25, 2009). MySpace photo and YouTube video showing defendant holding firearms contribute to sentence enhancements for firearms charges.

* John Palfrey & Adam Thierer discuss Palfrey's arguments to "improve" 47 USC 230 by reversing Doe v. MySpace.

Defamation/Cyberbullying

* JuicyCampus has shut down. LA Times, Chronicle of Higher Education, CMLP.

* Lengthy article on the AutoAdmit lawsuits. And a mixed ruling in Ciolli v. Iravani.

* Noonan v. Staples (1st Cir. Feb. 13, 2009). Truth is NOT an absolute defense to defamation in Massachusetts, which apparently also has seceded from the Union because the First Amendment no longer seems to apply.

* Neuwirth v. Silverstein, 2009 WL 294737 (Cal. App. Ct. Feb. 9, 2009). Reiterating that a website can be a public forum for purposes of anti-SLAPP laws. The CMLP writeup.

* Douchebags Lawsuit dismissed. Marc Randazza mocks the lawsuit.

* Rios v. Fergusan, 2008 WL 5511215 (Conn. Super. Ct. Dec. 3, 2008). Connecticut court has jurisdiction to issue restraining order against North Carolina man who posted YouTube video threatening Connecticut woman.

* Fahmy v. Hogge, 2009 WL 33418 (C.D. Cal. Jan. 2, 2009). Court denies Fahmy's motion to set aside the dismissal based on lack of jurisdiction because Fahmy made the error that caused the dismissal.

* 24Grille v. TripAdvisor (complaint filed April 2, 2009). Restaurant sues TripAdvisor for anonymous TripAdvisor review. Hello 230!

* Censorious laws brewing in WV and NJ.

Yelp

I have been meaning to post about my experiences with Yelp as a reader and a writer, but that has been repeatedly deferred. So, instead, how about a quick recap of Yelp’s woes? Yelp has been under the microscope quite a bit in the last few months.

* Wendy Davis recaps all the Yelp-related litigation she and I could find--at least 5 known cases. CMLP recaps a couple of the lawsuits.

* This East Bay Express article about Yelp caused quite a stir. It was followed up with more attributed sources. A number of other media outlets covered Yelp, including News.com and the NYT. For a full rundown of Yelp haters, check out the Eater coverage.

Wikipedia

* 25 Biggest Blunders in Wikipedia History.

* Two books about Wikipedia I’ve been checking out.
- Wikipedia, the Missing Manual.
- How Wikipedia Works.

Pornography

* Mukasey v. A.C.L.U., No. 08-565. The Supreme Court declined the cert petition regarding the challenge to the 1998 Child Online Protection Act, officially killing the law after a decade of litigation. Putting aside the merits of the law, it would have been a huge shock to the Internet community to have a circa-1998 criminal act resurrected! I'd like to think Congress will be wiser than to try to criminalize Internet porn a third time, but the regulation of Internet porn is like a siren song to Congressmembers.

* State v. Hurst, 2009 WL 580453 (Ohio App. Ct. March 6, 2009). From the unfortunately-named Licking County courts, the defendant downloaded 14,000 pornographic photos into his work computer's local cache in a five day period (he acknowledged he spent 70% of his workday downloading porn). An expert said that about 50 of the photos were child pornographic. The defendant was convicted of possessing child pornography even though he argued that he didn't intentionally download the photos, getting a 39 month sentence and classified as a sex offender.

* Excellent article by Colette Vogele on suing over a sex tape.

Gambling

* The credit card payment systems blocked the New Hampshire Lottery due to the Unlawful Internet Gambling Enforcement Act of 2006.

* Peer-to-peer gambling OKed in Washington.

Posted by Eric at 12:53 PM | Content Regulation , Derivative Liability , Internet History , Privacy/Security | TrackBack



March 12, 2009

Rip-off Report Lawsuit Updates: Certain Approval Programs and Ecommerce Innovations

By Eric Goldman

Certain Approval Program v. Xcentric

Certain Approval Programs, L.L.C. v. XCentric Ventures L.L.C., 2009 WL 596582 (D. Ariz. March 9, 2009). I previously blogged about this case in November. This ruling is in response to the plaintiff's request to file an amended complaint, which Rip-off Report resisted on several grounds. Of particular interest is the plaintiff's desire to add a claim for “misappropriation of name or likeness." Rip-off Report responded that such a claim is futile due to 47 USC 230. The court rejected the futility argument at this early procedural stage, saying

Plaintiffs have alleged enough facts regarding Defendants' “creation or development of information provided through the Internet or any other interactive computer service” to make it plausible that Defendants are an “information content provider” for some content and therefore the CDA does not completely immunize Defendants.

This is not the first time that plaintiffs' allegations against Rip-off Report have survived the equivalent of a motion to dismiss, but getting further into the litigation process has proven difficult for plaintiffs.

The court didn't reach the issue, but it's also germane to the futility argument whether a "misappropriation" claim is even preempted by 230 at all or if it qualifies as an "intellectual property" claim that is excluded from the immunization. Compare ccBill and Friendfinder.

Ecommerce Innovations v Doe

Ecommerce Innovations, L.L.C. v. Does 1-10, No. MC-08-93 (D. Ariz. Feb. 10, 2009). Thanks to Jeff Neuburger for calling attention to this case. In this case, a defamation plaintiff is seeking identifying information for an anonymous Rip-off Report contributor. The Rip-off Report initially fought the request, but the district court ordered Rip-off Report to comply because the plaintiff had established a prima facie case. The Rip-off Report responded that it plans to appeal the judge's order to the Ninth Circuit, and the district court has stayed the order pending the appeal (although I can't find any evidence that the appeal has been filed yet). As Jeff points out, an appeal by Rip-off Report may prompt the Ninth Circuit to articulate its standards for when plaintiffs can unmask anonymous defendants; it also could become a backdoor way to gauge the Ninth Circuit's attitude towards Rip-off Report in light of some ambiguous language in the initial Ninth Circuit Roommates.com opinion.

Posted by Eric at 11:54 AM | Content Regulation , Derivative Liability , Privacy/Security , Publicity/Privacy Rights | TrackBack



February 20, 2009

Facebook User Agreement Imbroglio Recap (and Some Comments of My Own)

By Eric Goldman

I didn't have a chance to blog on the Facebook user agreement amendment flap in real-time, but now that Facebook has rolled back its amendments and everyone is catching their breath, the Monday morning quarterbacking is proceeding in full earnest. Some of the articles that caught my attention:

* CNET News.com: "Facebook's about-face: Change we can believe in?"

* InternetNews: "Experts: Facebook Must Rethink TOS Stance"

* EFF: "Facebook's reaction is a tremendous victory for its users." I guess that's true, in the way that getting back to zero at a casino sometimes can be considered a win.

* Bill McGeveran powerfully (and with irony) demonstrates that Facebook's terms weren't all that unusual. Et tu, Consumerist?

Some of my own observations:

* When you're a high-profile company living in the media fishbowl like Facebook, there is no such thing as a minor amendment to your user agreement.

* Facebook's amendments--and the news reports about them--were confusing for two independent but often correlated problems. First, lay readers often misread user agreements, especially broad license grants that users mistakenly read as statements of ownership. This is a well-known and long-standing phenomenon; see, e.g., the flap over GeoCities' user agreement from a decade ago. So initial news reports on Facebook's amendments were garbled and perhaps overly dramatic.

Second, Internet lawyers often draft user agreements using legalese in ways that make the agreements indecipherable to lay readers...and, not infrequently, to other lawyers. Having drafted a lot of them in my life, I'm a pretty sophisticated reader of user agreements, yet it took me a fair amount of time to parse Facebook's license terms to figure out what they were saying--and, even then, I wasn't quite sure. In particular, the "perpetual" and "irrevocable" terms in the license agreement were in seeming conflict with Facebook's promise in the same license grant to honor a user's privacy settings. In other words, if a user can set the configurations to remove content from Facebook's purview and Facebook will honor those instructions, then how is Facebook's license grant irrevocable? Unless I'm missing something big, this looked to me like a drafting error by Facebook. (And check out Nancy Kim's op-ed identifying this exact issue--in March 2008).

This suggests a drafting lesson we might internalize from Facebook's hassles (Jonathan Zittrain makes a complementary point). We as Cyberlawyers are used to parroting the exact words from the applicable statutes and caselaw because it seemingly increases the precision of the agreement, but frankly I think Facebook and other Internet companies would do a whole lot better--both legally and in the court of public opinion--if they junked the legalese and actually tried to write license grants in real English.

* Partially obscured in the haze is the lurking question of whether Facebook can unilaterally amend its user agreement without providing any notice to users. I don't even see this as a close question. From my reading of the precedents, I think the answer is pretty emphatically NO, both as a matter of contract law (and see more; but compare MySpace v. theglobe.com) and FTC law (see, e.g., the Gateway Learning case). Without a doubt, I wouldn't want to be Facebook trying to defend the new incremental changes in court.

* I got a few inquiries about whether a lawsuit against Facebook would have been successful. As Ethan explained recently, there may be unexpected hurdles to any such lawsuits.

* Now that Facebook has stirred the hornet's nest, it's not clear that they can simply roll back to the prior version of the user agreement and put everyone back in the happy apple. Instead, having called attention to its licensing policies, Facebook will be lucky if the pre-amendment terms survive as those undergo critical and jaundiced scrutiny from users. David Kirkpatrick touches on this.

* No matter how Facebook resolves its agreement, this episode has been damaging to its trust relationship with its users. It gives users yet another reason to question whether Facebook is a site we can trust. For users who lived through the Newsfeed and Beacon episodes, this may be a three-strike situation. For others, the fracas is yet another wedge in the users' relationship with Facebook. Trust is hard to earn and easy to lose.

Having said that, in the past couple of quarters, Facebook has been riding a strong network effects bull and seeing remarkable growth DESPITE Beacon. So Beacon clearly did not destroy users' trust in Facebook. At the same time, if users fall out of love with Facebook due to loss of trust, they will scale back their involvement with Facebook, which ultimately could negate the network effects benefits they are currently experiencing. IMO, this is the real risk created by Facebook's highly publicized problems.

Posted by Eric at 08:57 AM | Internet History, Licensing/Contracts, Privacy/Security



January 23, 2009

The [Non]enforceability of Privacy Promises--Pinero v. Jackson Hewitt

A recent court case reiterates that privacy policies aren't the be-all, end-all panacea for protecting online privacy.

By Ethan Ackerman

One of the main arguments against a federal online privacy law has been that website privacy policies were a self-regulatory solution that was more than sufficient, permitted more flexibility, and bound parties as surely as any federal law. Real-life court cases continue to suggest the contrary.

From mid-90s FTC staff decisions to "encourage self-regulation" to the 1998 formalization of a Clinton administration e-commerce policy framework to the extension of this policy through both terms of the G.W. Bush Administration, "self-regulation" of online privacy has been the policy of the executive branch of the federal government. Similarly, "self-regulation" has been the primary card played (the 10 of spades?) against Congressional attempts to pass federal online privacy regulation, successful in stalling any legislation on the issue since at least the 106th Congress. Online industry lobby groups still emphasize that "self-regulation" is the only needed enforcement, and online privacy advocates cite self-regulation's failures for the 'decade of disappointment' in internet privacy.

Meanwhile, outside of the policy debates, online activity has exploded, along with the collection and use of personal information online. Putting aside the real challenge of discovering unacceptable uses, sometimes that collection and use (or misuse) is egregious enough that someone sues over it. As the recent case of Pinero v. Jackson Hewitt Tax Service shows yet again, actual monetary damages matter more than egregiousness.

Ms. Pinero discovered that a Jackson Hewitt Tax Service licensee that prepared her taxes had breached its privacy policy when a local news station contacted her and provided her with her prior year tax returns, discovered in a public dumpster along with the returns of more than 100 other Jackson Hewitt clients.

Mindful of the increasing body of cases that have refused to find damages in the mere breach of protective statutes, violations of privacy policies or unlawful disclosures of personal records, Ms. Pinero's attorneys alleged specific factual emotional, physical, and economic damages in their suit. Those damages weren't good enough under the applicable state law, according to U.S. District Judge Sarah Vance. Specifically, the judge found that the plaintiff suffered no direct pecuniary damage from the breach - a heightened risk of future loss or steps taken to mitigate that loss weren't enough under Louisiana law for a negligence or breach of contract claim.

Above and beyond my brief summary, the opinion is worth a read in greater detail. The judge's detailed discussion of the pleadings reveals much work on this case. The pleading drafters clearly went to great effort to avoid precisely this outcome, claiming damages of several types with a great deal of specificity and carefully formulating claims under a variety of different statutes and causes of action, including a Consumer Protection Act and database breach statute claim. Judge Vance addresses each claim and the surrounding caselaw in good detail as well, providing scant room for a reversal on appeal by leaving every issue addressed.

The takeaway? As Eric has worried in the past, there may be no effective customer legal recourse against companies that breach their privacy policies.

[Eric's comment: we've seen a long list of situations where plaintiffs suffered some privacy invasion but were unable to obtain any legal recourse. Ethan links to the JetBlue case (which remains remarkable to me to this day), and we've blogged on others as well (see, e.g., the Acxiom and Key cases). In general, I think these opinions have often reached a sensible and pragmatic result that a privacy invasion may lead to no tangible losses, so damage awards may overcompensate the victim or overdeter the defendant. However, providing no damages awards--especially when a company breaches its self-selected promises--may under-deter and reward companies for overpromising and underdelivering. This case seems especially odd because the complaint contained allegations of specific tangible harm. Maybe we don't believe the allegations, but normally they ought to be heard.

At the same time, I fear the policy-makers may overreact to this situation by creating statutory damages. Those solve one problem (the courts' balking at plaintiffs that have no obvious damage) but create another, (IMO) much bigger problem of motivating plaintiffs and their lawyers to engage in litigation frenzies with low-merit lawsuits. We've seen a lot of wasted motion in the spam context from people chasing statutory damages, and I shudder to think about the tax on our economy if we ever created a statutory damage for generalized privacy violations.]

Posted by Ethan Ackerman at 09:47 AM | Licensing/Contracts, Privacy/Security



January 22, 2009

Data Privacy Day at SCU Jan. 28: Erika Rottenberg, LinkedIn GC

By Eric Goldman

Please join us for this event being held in conjunction with the Data Privacy Day. Free admission and no RSVP required. Erika is a long-time colleague (dating back to our Cooley Godward days) and I'm very interested to hear how she sees the world from LinkedIn's perspective.
____________

"Protecting Personal Identities Online"

Erika Rottenberg
Vice President, General Counsel and Secretary of LinkedIn

January 28th
12:00 p.m. – 1:00 p.m.
Williman Room, Benson Center
Santa Clara University
Light lunch will be served

Part of the IT, Ethics & Law Colloquium Series cosponsored by the High Tech Law Institute; the Center for Science, Technology, & Society; and the Markkula Center for Applied Ethics.

On-line networking sites, such as LinkedIn, Facebook and MySpace, allow friends, acquaintances and/or professionals to connect and communicate with each other and have become an essential part of many people's daily lives. While most of these communications and interactions enrich our lives and enhance our business productivity, sometimes they can become problematic, especially when inappropriate or harmful information is published online. Erika Rottenberg, General Counsel of LinkedIn, a professional networking site with over 34 million members, representing 170 industries in 200 countries, will talk about opportunities and pitfalls posed by on-line networking sites and how we can be smart users of the sites. This will be a moderated discussion followed by an audience question and answer period.

About the speaker: Erika Rottenberg is Vice President, General Counsel and Secretary of LinkedIn, responsible for LinkedIn's worldwide legal matters, including privacy. Prior to LinkedIn, Erika served as General Counsel for two public technology companies, providing valuable experience in dealing with the regulatory policies and challenges specific to technology-centric public companies. Most recently, Erika was Senior Vice President, General Counsel and Secretary, for Nasdaq-listed SumTotal Systems. Prior to SumTotal, Erika was Vice President, Strategic Development and General Counsel of Creative Labs, the company that brought multimedia to the PC with the Sound Blaster sound card. Erika received her law degree from Berkeley's Boalt School of Law and started her legal career at the Silicon Valley technology-based law firm of Cooley Godward.

Posted by Eric at 04:07 PM | Privacy/Security



January 16, 2009

AOL Loses Venue Selection Dispute in Ninth Circuit Due to an Unfortunate "Of"--Doe 1 v. AOL

By Eric Goldman

Doe 1 v. AOL LLC, 2009 WL 103657 (9th Cir. Jan. 16, 2009)

This is one of several lawsuits against AOL over AOL's 2006 posting of a database of improperly anonymized search queries. This particular lawsuit was brought by AOL members in California and alleges a variety of federal and state law claims against AOL.

AOL defended based on its venue selection clause in its member agreement, arguing that the contract required the lawsuit to be brought in Virginia. AOL has had a lot of success with its venue selection clause over the years, but it has had some prominent failures as well. One of those is America Online v. Superior Court (ex rel Mendoza) from 2001, in which a California appellate court struck down AOL's venue selection clause on public policy grounds because Virginia law did not provide adequate relief to California consumers--because, among other things, Virginia state courts do not permit class action lawsuits.

The Mendoza case was part of a broader judicial trend against online user agreements over the past decade. We've seen them fail for unconscionability, public policy and other reasons, making the successful drafting of such clauses tricky. Collectively, I think these cases have established pretty clearly that a venue selection clause designed to suppress class action lawsuits has a high risk of failure and, in California, is presumptively unenforceable.

What isn't clear to me is what, if anything, AOL did to modify its member agreement's venue selection clause in response to its Mendoza defeat. As a result, I can't tell if this court is interpreting the same contract language as was presented to the Mendoza court. But in all other respects this case is extremely similar to Mendoza: the plaintiff initiated a class action lawsuit in California, AOL defended on its venue selection clause to force the case back to Virginia, and the court is confronted with the public policy implications. Thus, if AOL did change its contract post-Mendoza, it didn't get the desired results, because it suffers another defeat here.

It appears that if the case could be heard in Virginia federal court, the class could form and the clause would not necessarily fail; but if the clause only permits Virginia state court, this is Mendoza redux and AOL loses. As a result, the court tries to figure out which venue the member agreement language specifies. AOL's agreement designates the exclusive venue as "the courts of Virginia." The court parses the grammar of the word "of" and looks at other precedent analyzing "the courts of [state]" and concludes that this language selects only Virginia state court. Because a California appellate court (the Mendoza court) had already said that Virginia state court isn't an acceptable choice for a putative class action of California consumers, the Ninth Circuit has no choice but to toss the venue selection clause.

This raises an obvious drafting point: courts are reading venue clauses specifying the venue as "state of X" to mean only state courts in the designated state, so don't use that grammar unless that's what you intend. I'm sure that most drafters using "state of X" language instead mean the parties can litigate in either federal or state court in that venue, but that's not the way courts are reading it. Accordingly, I think it would be prudent to avoid the "courts of X" grammar altogether, which isn't hard to do. Personally, I normally say "courts in X" (as opposed to "courts of X"). I would have to research the precedent interpreting that grammar (this case has made me a little nervous), but the "in" grammar should pretty clearly avoid the analysis in this Ninth Circuit opinion. Another alternative would be to expressly reference both federal and state courts as options; I've seen this language frequently, although I've previously thought that was unnecessarily wordy. Maybe it isn't.

Posted by Eric at 01:29 PM | Licensing/Contracts, Privacy/Security



January 08, 2009

December 2008 Quick Links, Part 2

By Eric Goldman

Social Networking Sites/Cyber-Bullying/Sexual Predation

* More on the Lori Drew conviction:
- Wired has a tough behind-the-scenes look at the Lori Drew jury deliberations.
- The jury instructions
- In case you missed it, my special three part series on implications of the Lori Drew conviction: Part 1, Part 2, and Part 3.

* Yet more fallout from the Lori Drew prosecution and conviction. Wired has a story on the cyberbullying litigation frenzy. The Washington Post has a recap on the proliferation of state anti-cyberbullying laws.

* U.S. v. Morris, 2008 WL 5101636 (7th Cir Dec. 5, 2008). Judge Posner talks about the difference between entrapment (not OK) and vigilantism (OK) in the context of a mom who created a fake MySpace persona to chat with an alleged sexual predator who had contacted her underage daughter.

* Facebook's policy on breast-feeding photos has sparked protests both online and off (1, 2, 3). It reminds me a bit of one of my first challenges as Epinions' general counsel. (search for Epinions).

Google

* Barry Schwartz: is Google getting desperate for ad revenue?

* The Register: "Google this week admitted that its staff will pick and choose what appears in its search results." However, I don't think the article supports this aggressive statement. Instead, it appears the article is getting excited about the fact that Google manually tweaks the algorithms when they produce goofy results--something we've known for years.

* Updates on Axact v. Student Network Resources, the case involving alleged copyright infringement of term papers. Axact allegedly has been trying to get its domain name registrars to release its domain names for transfer, and SNR is trying to cut them off. Apparently Google also balked at the instructions to kick the subject domain names out of its index, but SNR and Google resolved their differences enough to reach a stipulation. Finally, I've received numerous threats and requests from Axact to modify my original post, which has prompted me to make some minor changes.

Marketing

* IMS Health v. Ayotte. New Hampshire passed a law restricting the use of a doctor's past prescribing practices (i.e., behavioral information) for personalized/targeted sales calls. This opinion upholds the NH law against a First Amendment and dormant Commerce Clause challenge.

* Australian advertisers are cookie-ing users at high CPM sites so that they can show the users targeted ads when those users appear at lower CPM sites.

* Sony busted for COPPA violations.

* New advertising medium: school exams.

Miscellaneous

* Good article on the Sprint v. Cogent peering fight.

* And a good article showing limits to the Long Tail theory.

* U.S. v. Grober, 2008 WL 5395768 (D. N.J. Dec. 22, 2008). Grober pleaded guilty to uploading and downloading child porn over the Internet. The judge rejects the 19 1/2 year minimum sentence specified by the Sentencing Guidelines and instead sentences Grober to the 5 year statutory minimum. This opinion poignantly explains why this judge, like several others, rejects the Sentencing Guidelines in Internet child porn cases because the dictated sentences are too severe.

* BusinessWeek is still amazed that people actually--get this--provide their time and efforts over the Internet without getting paid!

* Lior Strahilevitz, Reputation Nation: Law in an Era of Ubiquitous Personal Information, 102 Nw. U. L. Rev. 1667 (2008). Lior explores the cross-elasticities of demand for types of reputational information and shows that if some information isn't available (due to, say, privacy laws), decision-makers will consult less credible or pernicious sources. For example, if a landlord can't get good credit information about a prospective tenant, the landlord may resort to discriminatory considerations (like race) to decide whether or not to rent to the tenant. Good article.

* I have previously written about New York v. Synergy6, Inc., 404027/03 (N.Y. Sup. Ct. Jan. 6, 2006), where the court soundly rejected the New York Attorney General's office regarding a marketer's liability for allegedly illegal emails sent by downstream affiliates (i.e., not in direct privity). I have not been able to find a copy of the opinion electronically, but over the holidays I found my hard copy and scanned it to a PDF. Check it out, especially in combination with the 2008 New York v. DirectRevenue opinion, which soundly rejected the NYAG's affiliate liability arguments in the adware context.

Posted by Eric at 07:44 AM | Content Regulation, Copyright, Domain Names, Marketing, Privacy/Security, Search Engines



December 02, 2008

November 2008 Quick Links

By Eric Goldman

Trademark

* NYT: "A handful of new Web sites with names like Typo Bay and Typo Buddy are out to help shoppers save money by searching eBay for misspelled brand names." In 2005, I blogged that typographical errors are a significant issue for eBay's search engine.

* It's a bull market for Obama-related trademark filings and Obama merchandise.

* Domain name tasting down 84%?

* Wired: "Think Godzilla's Scary? Meet His Lawyers"

Copyright

* Reuters: "Instead of triggering the usual take-down notices, copyright-infringing footage of select MTV Networks programing uploaded by MySpace subscribers would be automatically redistributed with advertisements that would generate revenue for the companies." I'm interested to see how this system applies to fair uses of the works!

* Arista Records LLC v. Usenet.com, Inc., 2008 WL 4974823 (S.D.N.Y. Nov. 24, 2008). The court dismisses USENET.com's counterclaims for declaratory relief that it doesn't violate 17 USC 512 because the claims duplicate its affirmative defenses.

* James Grimmelmann does an excellent job parsing the Google Book Search settlement agreement and makes some sage recommendations for how it should be modified before court approval.

Advertising/Marketing

* The Google-Yahoo ad syndication deal is dead. Some behind-the-scenes discussions.

* I'm not sure about the implications of this, but Google is expanding its efforts to allow website and ad targeting based on automatic geographic detection. See my prior post about the future of geolocation and a bordered Internet.

* Good news: entrepreneurs want to authenticate children's ages to keep them out of online trouble. Bad news: entrepreneurs might use age authentication to hit the kids with targeted marketing.

* Classmates.com sued for misrepresenting that former school chums were actually looking to reconnect. Yet more pushback on bogus "X is looking for you!" ads.

47 USC 230

* The Supreme Court denied cert in Doe v. MySpace, 2008 WL 4218722. According to Tom O'Toole, this is the seventh time that the Supreme Court has denied cert in a 47 USC 230 case.

* It appears that Children of America v. Magedson has settled.

* The Santa Clara University community is having a catharsis about Juicy Campus.

* Dan Solove and I chatted with Doug Lichtman about social networking sites (asynchronously--I spoke with Doug after Dan had), with most of my conversation focusing on 47 USC 230. Doug edited the conversations together into a one-hour podcast entitled "Privacy in the Networked World." An added bonus for listening--you may be able to earn one hour of CLE FREE!

Spam

* Facebook v. Guerbuez. Facebook wins $873M default judgment under CAN-SPAM. Now, if Facebook could only collect any of this, they would have finally figured out a way to make money!

* Gordon v. SubscriberBASE Holdings, Inc., 2008 WL 4809833 (E.D. Wash. Oct. 31, 2008). Serial anti-spam plaintiff lost again on whether he has standing under CAN-SPAM.

* Evan Brown: Government spam filters do not deprive citizen of right to petition the government.

* Venkat: Unsolicited Marketing Extravaganza in the Ninth Circuit.

Miscellaneous

* eHarmony settles claim that it discriminates against gay singles.

* NYT: "almost five years into its expansion into Europe...Google is getting caught in a web of privacy laws that threaten its growth and the positive image it has cultivated as a company dedicated to doing good."

Posted by Eric at 09:47 AM | Copyright, Derivative Liability, Domain Names, Privacy/Security, Search Engines, Spam, Trademark



November 19, 2008

October 2008 Quick Links, Part 3

By Eric Goldman

Pornography

* Can you believe this? A 15-year-old girl took nude photos of herself using her cellphone and sent the photos to her peers. She is now being prosecuted on child pornography charges. The girl's behavior sounds more like a cry for help than a criminal act.

* Judges are pushing back against online child porn downloading cases.

* PROTECT Our Children Act (S.1738). If I were a legislator, I would name all of my bills (regardless of substantive topic) "Protect Our Children Act" to ensure passage. Among other things, the law creates a new crime of "child pornography that is an adapted or modified depiction of an identifiable minor" (assuming this survives First Amendment scrutiny, no more photoshopping Miley Cyrus' face onto a naked woman's body). The law also modifies existing law to require websites and Internet access providers that find child porn on their networks to forward it and other information to the CyberTipline operated by the National Center for Missing and Exploited Children.

Online Crimes

* Sarah Palin email hack indictment. Orin's comments.

* HR 5938. Congress amended the Computer Fraud & Abuse Act again to increase the penalties and criminalize conspiracies to violate the law.

* S 431, Keeping the Internet Devoid of Sexual Predators Act of 2008 or the `KIDS Act of 2008'. Wired's critique. This law requires sex offenders to register their email addresses with a central database and then permits social networking sites to access the database and block registrations from the sex offenders. The most interesting aspect of the law is that it tries to define a social networking site as: “an Internet website (i) that allows users, through the creation of web pages or profiles or by other means, to provide information about themselves that is available to the public or to other users; and (ii) that offers a mechanism for communication with other users where such users are likely to include a substantial number of minors; and (iii) whose primary purpose is to facilitate online social interactions.” Is there any Web 2.0 site that does not qualify? Any wagers about how long it will take Congress to change this law to require social networking sites to block sex offenders’ email addresses rather than making it optional as this law states?

* State v. Ellison, 2008 WL 4531860 (Ohio App. Ct. Oct. 10, 2008). Two childhood friends have a falling out. One posts an allegation on her MySpace page that the other is a child molester. After the district court convicted her of harassment via a telecommunications device, the appellate court overturned the conviction because she lacked sufficient intent to harass.

Miscellaneous

* Ryan Haight Online Pharmacy Consumer Protection Act of 2008, HR 6353. “No controlled substance that is a prescription drug as determined under the Federal Food, Drug, and Cosmetic Act may be delivered, distributed, or dispensed by means of the Internet without a valid prescription.”

* Gotbaum ex rel. Gotbaum v. City of Phoenix, 2008 WL 4628675 (D. Ariz. Oct. 17, 2008). Malicious blog posts in local Phoenix blogs about a lawsuit aren't enough pre-trial publicity to warrant a change in venue.

* Bursac v. Suozzi, 2008 WL 4830541 (N.Y. Sup. Ct. Oct. 21, 2008). Online shaming of DWI suspects before conviction violates due process. Are you listening, FTC?

* Canadian court: linking to defamatory material is not defamation.

* In an attempt to forestall further movement on the Global Online Freedom Act, the search engines released a high concept statement on how they won’t help repressive regimes.

Posted by Eric at 10:03 AM | Content Regulation, Privacy/Security, Search Engines



November 18, 2008

October 2008 Quick Links, Part 2

By Eric Goldman

Spam

* Kramer v. Perez. An Iowa court awards $236M in damages in a spam case. Venkat's comments.

* After the government lost its jury trial against Impulse Media, the court denied Impulse Media attorneys fees.

Contracts

* AT&T put its own emailed notice of amended contract terms into its spam folder. Whoops! Due to spam filters and other automated blocks, it is becoming almost impossible for websites to communicate with their users by email.

* An estimate of the massive "tax" imposed on consumers by reading privacy policies. Of course the financial drain is overstated because many people make a rational decision not to read every privacy policy, plus not every person has to read a privacy policy for marketplace responses to be effective.

* The Blizzard v. MDY WOWGlider case has reached a stipulated damages amount of $6M.

* Pulaski & Middleman, LLC v. Google Inc., 5:2008cv03888 (N.D. Cal. complaint filed August 14, 2008). The Justia page. Yet another me-too lawsuit against Google over serving ads to parked domains and error pages.

* An Israeli GPL enforcement action settled.

Trademarks/Domain Names

* Kentucky v. 141 Domain Names. Is a domain name property? Yes. See the Sex.com case. Can a plaintiff seize a domain name pursuant to a favorable judgment? Yes. Is it appropriate for Kentucky to seize domain names for gambling websites available in Kentucky? Of course not, because this would effectuate an extraterritorial reach by curtailing non-Kentucky residents from making possibly legal uses of the domain name. More recently, the seizure was stayed.

* Speaking of inappropriate seizures, the Feds are trying to seize the trademarks of the Mongols motorcycle group. DOJ press release. LA Times article.

* Best Western Intern., Inc. v. Doe, 2008 WL 4630313 (D. Ariz. Oct. 20, 2008). Prior blog post in this case. The judge is losing patience: "These filings are wasteful in the extreme. The Court is not a forum for the parties to expend every possible dollar seeking to litigate every conceivable issue, no matter how insubstantial. The Court will no longer tolerate the excesses of this case."

* The Verizon v. Navigation Catalyst Systems domainer lawsuit settled.

* 50 Cent brings yet another questionable lawsuit. (1, 2).

Advertising

* Goddard v. Google Inc., 2008 WL 4542792 (N.D. Cal. Oct. 10, 2008). The case against Google for deceptive mobile phone ads will stay in federal court.

* Eyeblaster, Inc. v. Federal Insurance Co., 2008 WL 4539497 (D. Minn. Oct. 7, 2008). This is a collateral lawsuit to Sefton v. Eyeblaster alleging that Eyeblaster distributed spyware. Eyeblaster tendered the claim to its insurer. This court holds that the CGL policy doesn't apply because the claim relates to software problems, not physical damage to the users' computers. Further, the E&O policy doesn't apply because Sefton alleges that Eyeblaster intentionally installed the spyware, bumping Eyeblaster into one of the policy's exclusions.

* Are consumers becoming more tolerant of pop-up ads? For more on consumer acceptance of new advertising formats, see here.

* A big damages award in NetQuote v. Byrd.

Posted by Eric at 06:42 AM | Adware/Spyware, Domain Names, Licensing/Contracts, Marketing, Privacy/Security, Search Engines, Spam, Trademark



October 14, 2008

September 2008 Quick Links, Part 3

By Eric Goldman

eBay

* Universal Grading Service v. eBay, Inc. More fallout from the National Numismatic v. eBay case--another lawsuit alleging antitrust and defamation because eBay designated some coin rating services as preferred and impliedly devalued others.

* Windsor Auctions v. eBay has been refiled in a new jurisdiction.

* Mehmet v. Paypal, Inc., 2008 WL 3495541 (N.D. Cal. Aug. 12, 2008). Upholding the consequential damages waiver in PayPal’s user agreement.

* A company's failure in the marketplace can drive up the value of its collectibles on eBay.

Google

* Stelor Productions, Inc. v. Google, Inc., 2008 WL 4218107 (S.D. Fla. Sept. 15, 2008). In the lawsuit alleging that Google causes reverse confusion of Googles.com [warning: annoying music ahead], the plaintiff doesn't get to depose Sergey or Larry yet. Rose Hagan, Google’s long-time chief trademark counsel, is the lucky substitute.

* Lots of rhetoric in the Google/Yahoo ad syndication deal. Google’s advocacy website. Google Chief Economist Hal Varian explains why the deal won’t raise ad prices in the auction. Randall Stross weighs in.

* Google has changed course and now allows religious groups to advertise on the keyword “abortion.”

* Kubit v. Google Groups, 2:2008cv00738 (M.D. Fla. complaint filed Sept. 29, 2008):

I then would like to sue Google Groups for not removing the posts when I repeatedly asked them to for 2 years. I believe I am entitled to at least a small amount of compensation for the emotional distress and lost business income that has resulted from them allowing these posts to remain on their Google Groups, even though I offered them VERY solid proof that I do not have HIV. If they had stopped the posts when they first occurred, they would not have proliferated to hundreds of websites. I became suicidal for a period of time after the posts started. I incurred a lot of emotional pain and fear because of the posts and had to seek psychiatric and psychological help to get my life back together. I still suffer from fears of dating, living a public business life and trusting others.

Yes, this is a pro se complaint. Yes, it is preempted by 47 USC 230.

Marketing/Advertising

* NebuAd is dead (1, 2). Even so, the lure of intermediaries aggregating deep data about consumers for commercial purposes will never die.

* Is Gator/Claria dead?

* The EU passed a non-binding resolution against sexual stereotypes in advertising.

* Celebrity branded merchandise run amok.

Miscellaneous

* Valleywag: "The 5 most laughable terms of service on the Net." For more laughs, see Mark Lemley’s Terms of Use paper.

* Murakowski v. University of Delaware, 2008 WL 4104087 (D. Del. Sept. 4, 2008). This reminded me a lot of the Jake Baker case from the mid-1990s.

* The Virginia Supreme Court reversed itself on the Jaynes anti-spam prosecution, and Jaynes walks. Does Virginia routinely pass unconstitutional laws?

* Becker v. Toca, 2008 WL 4443050 (E.D. La. Sept. 26, 2008). Ex-wife's alleged delivery of "Infostealer" program to grab passwords from ex-husband could violate the ECPA, SCA and CFAA.

* Interesting article on ESPN’s exclusive distribution and bundling agreements with Internet access providers.

* Funniest law firm names.

* Silly? Horrifying? A sign of the apocalypse?

Posted by Eric at 06:17 PM | Adware/Spyware, Content Regulation, Derivative Liability, E-Commerce, Internet History, Licensing/Contracts, Marketing, Privacy/Security, Search Engines, Spam



September 02, 2008

eBay Cracks Down on Cookie Stuffing--eBay v. Digital Point Solutions

By Eric Goldman

eBay, Inc. v. Digital Point Solutions, No. 5:08-cv-04052-PVT (N.D. Cal. complaint filed Aug. 25, 2008)

It is exceedingly rare for marketers to sue affiliates who are trying to game their affiliate programs. I'm sure there have been other lawsuits, but frankly I'm drawing a blank. (The only relevant precedent that came to mind was Google's tepid enforcement actions in 2004/2005 against click frauders--see Google v. Auction Experts and US v. Bradley). [Update: A reader reminded me of Land's End v. Remy, which is an on-point precedent.] The more typical remedy when commission fraud is taking place is to cancel any unpaid commissions and write off the rest as a cost of doing business (or an uncollectible painful lesson). But if someone gamed the system big--I mean, really big--maybe it would be worth hiring fancy and very high-priced counsel to go see what they might be able to retrieve...

eBay isn't saying how much it got taken for by the defendants in the case. The complaint was conspicuously silent on that juicy detail. However, the amount appears to be enough that eBay hired the premium law firm O'Melveny & Myers for a glorified collections effort. Either that, or eBay has decided to send a remarkably expensive message to other potential fraudsters.

The complaint alleges that the defendants engaged in a cookie stuffing campaign to hijack commissions through Commission Junction. Cookie stuffing occurs when a fraudster places a cookie on a third party computer that will cause the fraudster to get paid a commission that the fraudster didn't earn legitimately by doing the things that the marketer wanted to pay for. In this case, eBay alleges that the defendants used a clever technical exploit to put cookies on users' computers even though the users had not seen the requisite ads. The complaint also alleges that the defendants deployed some tricks to cover their tracks, like deliberately not cookie-ing computers in San Jose and Santa Barbara, the homes of eBay and Commission Junction respectively, to keep employees of those companies from spotting the marauding cookies.
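An added example, not from the original post or from eBay's filing: how a marketer or affiliate network could screen its own click and conversion logs for the two patterns described above, commissions credited to a cookie with no matching ad click, and an affiliate whose credited cookies never appear from the cities it would want to avoid. The log format, affiliate ids, visitor ids and cities are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample logs (hypothetical, not from the complaint).
# Click log: (affiliate_id, visitor_id, city), written when a visitor clicks an ad.
CLICKS = [
    ("aff_A", "v1", "Austin"),
    ("aff_A", "v2", "San Jose"),
    ("aff_B", "v3", "Denver"),
    ("aff_B", "v7", "Santa Barbara"),
    ("aff_B", "v8", "Austin"),
]
# Conversion log: (affiliate_id read from the tracking cookie, visitor_id, city).
CONVERSIONS = [
    ("aff_A", "v1", "Austin"),
    ("aff_B", "v3", "Denver"),
    ("aff_B", "v7", "Santa Barbara"),
    ("aff_B", "v8", "Austin"),
    ("aff_C", "v4", "Chicago"),  # cookie credits aff_C, but aff_C never logged a click for v4
    ("aff_C", "v5", "Austin"),
    ("aff_C", "v6", "Denver"),
]

def unclicked_attributions(clicks, conversions):
    """Conversions whose affiliate cookie has no matching click for that visitor."""
    clicked = {(aff, vid) for aff, vid, _ in clicks}
    return [c for c in conversions if (c[0], c[1]) not in clicked]

def suspicious_affiliates(clicks, conversions, watch_cities, min_conv=3, max_unclicked=0.5):
    """Affiliates worth manual review: most credited conversions have no click,
    or credit arrives from everywhere except the watched cities (geo suppression).
    min_conv keeps low-volume affiliates from being flagged on too little data."""
    by_aff = defaultdict(list)
    for aff, vid, city in conversions:
        by_aff[aff].append((vid, city))
    unclicked = defaultdict(int)
    for aff, _, _ in unclicked_attributions(clicks, conversions):
        unclicked[aff] += 1
    flagged = {}
    for aff, convs in by_aff.items():
        if len(convs) < min_conv:
            continue
        reasons = []
        if unclicked[aff] / len(convs) > max_unclicked:
            reasons.append("unclicked_attribution")
        if not ({city for _, city in convs} & watch_cities):
            reasons.append("absent_from_watched_cities")
        if reasons:
            flagged[aff] = reasons
    return flagged
```

Both checks are heuristics; a flagged affiliate is a candidate for commission hold and review, not proof of fraud.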

If in fact the defendants engaged in cookie stuffing, I hope eBay nails them. However, I must say that some of eBay's legal arguments made me nervous. eBay's alleged causes of action include:

* CFAA (18 USC 1030). The allegation is that presenting a bogus cookie to eBay's servers was a misuse of the servers. Hmm...
* fraud. Similarly, the allegation is that the defendants caused web users to make a misrepresentation to eBay's servers by presenting a bogus cookie. Hmm again...
* CA Penal Code 502. There are very few cases interpreting 502, which isn't necessarily a bad thing because the statute is so broadly over-inclusive that everyone violates it routinely. Here, it looks like the lawyers weren't quite sure how to fit cookie stuffing into the statute. Take a look at para. 60 and let me know if you agree that this is an odd pleading.
* a civil RICO conspiracy claim. Given that eBay is being sued for RICO claims in the Mazur case (and, I'm sure, others), I would think eBay would want to avoid building new legal precedent that could be applied against them in other cases.

Reading the list of causes of action, I was surprised that there wasn't a more squarely applicable cause of action that governed cookie stuffing (however, I will confess, none came to mind as I drafted this post). Maybe this is due to the fact that eBay rather than Commission Junction is the plaintiff. If there isn't a better cause of action, then perhaps there is a hole in the law. However, I'm keeping my fingers crossed that a judge won't bastardize existing legal doctrines to plug it.

Posted by Eric at 09:23 AM | Licensing/Contracts , Marketing , Privacy/Security | TrackBack



July 24, 2008

Relevancy Trumps Creepiness, and Some Thoughts About Behavioral Targeting

By Eric Goldman

On Monday I spoke on a panel at OMMA Behavioral. See the MediaPost recaps (1, 2, 3, 4). The crowd was buzzing about Dave Morgan's earlier remarks (which I didn't hear) that behavioral targeting is "creepy," and throughout our panel discussion, any enthusiasm expressed about behavioral targeting was tempered by creepiness concerns.

I can understand this reaction, at least a little. When I was younger and first learned about the many tricks of marketer targeting, I was initially aghast at the seeming intrusion. They can't do that, I thought.

As regular readers know, I've outgrown those sentiments. Now, I really don't care what the machines know about me. And if the machines can figure out how to better cater to my interests and reduce the spam in my life, then I'm all for it.

At the same time, I think this latter observation suggests my real problem with behavioral targeting. There will always be some privacy diehards who will object to machine monitoring of their behavior on principle, but most people will be receptive (even after they get through the initial shock about behavioral tracking) if the targeting improves the user or consumer experience. Demonstrate to consumers that behavioral targeting gives them better results, and it's an easy sale. Relevancy trumps creepiness.

But I haven't seen any evidence that behavioral targeting has produced these payoffs (or, for that matter, any meaningful payoffs) for consumers yet. Current behavioral targeting practices might give marketers a little conversion lift compared to other targeting solutions (or not), but they have done little to change the overall fact that ads remain poorly targeted and crummy, and consumers still have plenty of incentives to treat ads as the pain to avoid through ad blindness or technology.

At this point, I'm still wondering if and when behavioral targeting will deliver on its theoretical promise. Sure, we can find excuses for the crummy user experiences today--the technology is still being developed, it's hard to get useful datasets (more on that in a moment)--but those excuses only go so far, and they will wear thin quickly. For behavioral targeting to really be a game-changer, it needs to deliver dramatically improved ad relevancy for consumers, and we're far from that ideal point.

I've argued before that for behavioral targeting to work, the marketer needs a comprehensive dataset about the consumer. Accordingly, a marketer--even an ad network--that relies solely on data collected from a consumer's interaction with web servers simply can't see enough data about the consumer to achieve a sufficient level of relevancy for the consumer. My paradigmatic example: no matter how much Amazon knows about my purchases from it and my browsing habits on its site, they still don't know if I bought a book from someone else unless I tell them (and I have no reason to tell Amazon what books I buy elsewhere).

This is why I'm so intrigued by the Internet access provider-level targeting exemplified by Phorm and NebuAd. In theory, they get access to much better datasets than web server-level targeters. If I browsed for a book on Amazon but I bought the book at barnesandnoble.com, the Internet access provider can know this while neither Amazon nor B&N will know about my interactions with the other vendor.

For this reason, I've been quietly bemused by the legal fracas over Phorm and NebuAd's practices. Don't get me wrong--although the analysis is intensely fact-specific and I don't have all the facts, I have serious concerns about the legality of their practices. But from my perspective, the battles over the legality of Phorm and NebuAd are a smokescreen for the real issue, which is that marketers who have only server-level data don't want to compete against someone who has a better dataset than them. So expect plenty of continued fireworks over Phorm and NebuAd, but don't kid yourself that it's only the privacy advocates beating up on them.

Posted by Eric at 02:05 PM | Marketing , Privacy/Security | TrackBack



July 01, 2008

June 2008 Quick Links

By Eric Goldman

Trademarks/Domain Names

* Utah Lighthouse Ministry v. Foundation for Apologetic Information and Research, 2008 WL 22043807 (10th Cir. May 29, 2008). CMLP writeup. Nice 10th Circuit win for a gripe site against trademark infringement and cybersquatting. This case, plus the SKI VAIL case, indicate that the 10th circuit is making progress undoing the harm it created in the Australian Gold v. Hatfield case.

* Georgia has a new anti-phishing law (16-9-109.1) that acts as a para-trademark law. See my com