Technology & Marketing Law Blog: Spam Archives

Technology & Marketing Law Blog

May 07, 2013

Crazy SOPA-Like Attempt to Hold International Banks Liable for Pharmacy Spam Fails on Jurisdiction Grounds--Unspam v. Chernuk

[By Venkat Balasubramani with comments from Eric Goldman]

Unspam Technologies, Inc. v. Chernuk, 2013 WL 1849080 (4th Cir. May 4, 2013)

We’ve mentioned “Project Honeypot,” the efforts of a company (founded by Matthew Prince) to track down and prosecute spammers. This lawsuit was ambitious in its scope and suitably quixotic. Like SOPA, it sought to attack pharmacy spam by going after the money.

Unspam (operator of Project Honeypot) and John Doe sued two individuals for pharmacy spam. They also named a slew of international banks who allegedly provided transaction processing services to pharmacy spammers. The banks submitted affidavits demonstrating that they had no activity or customers in the United States, and therefore they should not be subject to personal jurisdiction in the U.S. The district court agreed, granting the banks’ motion to dismiss on jurisdictional grounds. Unspam appealed to the Fourth Circuit.

Unspam fared no better on appeal. In a published opinion, the Fourth Circuit affirms the district court’s dismissal of the banks on jurisdictional grounds:

Not one of the banks directed its business to Virginia or aimed its commercial efforts at customers in Virginia. Indeed, there is no evidence that any drug transactions involving the plaintiffs were connected by intermediaries to these banks. Moreover, even if we were to assume that Doe's purchase was presented by some Internet “pharmacist” to one of the foreign banks for processing through the international Visa network, that transaction still would be too remote an act to justify jurisdiction in Virginia. The transaction would have occurred in the foreign country where the pharmacist presented the Visa charge to the bank, and thereafter, the bank would simply have collected the charge through the Visa network. The foreign bank's relevant activity would thus be localized to the foreign country where it did business, and its only conduct “aimed” from that location would be the transmittal of the transaction into the Visa network. The fact that the transaction ultimately rippled through other countries for the collection of monies would not indicate that the bank purposefully availed itself of the laws of the countries where subsequent transactions occurred..

Plaintiffs also argued that they need not establish jurisdictional facts over the banks because the banks were part of a conspiracy and were subject to jurisdiction based on the acts of co-conspirators. Plaintiffs argued, relying on “blog research and internet searches” that “Canadian Pharmacy” was a trade name for two of the defendants and that Chronopay [described as “the PayPal of Russia”] provided transaction processing services to defendants, with the defendant banks acting as links in the chain. The court says this is mere speculation, and there is no evidence or allegation regarding the transaction(s) involving the doe plaintiff.

Finally, plaintiffs tried to rely on Rule 4(k), which provides personal jurisdiction based on federal claims where the defendant may not be subject to jurisdiction in a particular state, but has minimum contacts with the U.S. as a whole. The court says that defendants do not have sufficient contacts with the United States as a whole for plaintiffs to invoke Rule 4(k) as a basis of jurisdiction.
_____

As mentioned in my post on the district court ruling (Is SOPA's "Follow the Money" Meme Infecting Anti-Spam Litigation? – Project Honey Pot v. Does), on the merits, plaintiffs' claims were a serious stretch. It’s not surprising that the plaintiffs got zero sympathy from the Fourth Circuit on the jurisdictional issues.
_____

Eric's Comments. The Fourth Circuit reached the logical result in this case. However, I view this lawsuit as a cautionary tale of how close we are to breaking the Internet.

The overzealous war against Internet pharmaceuticals has already taken a half-billion dollar toll on Google and another $40M toll on UPS (yes, the shipping company). In both cases, these intermediaries "agreed" (with the DOJ's axe ready to swing if they didn't acquiesce) to become the DOJ's deputies and police their customers more aggressively. The result is that we now have key cogs in the wheel making legal determinations about the legitimacy of their customers' activities, with zero due process or other oversight of any errors they make make against customers.

This problem only exacerbates as we continually expand the list of potential deputies who should be combating illicit activity online. There is no natural boundary for that witchhunt, and lots of defendants got tossed into the litigation mix and have to spend lots of money defending their conduct (even if legitimate). Worse, any vendor who might be deputized becomes adversarial to their customer base, with the inevitable waste of resources and chilled environment for innovation. For those of you who think that a narrow "follow the money" liability trail as an alternative to more draconian intermediary deputization, I encourage you to review this lawsuit and think carefully if this is the world you want. For more on this, see my six month retrospective of SOPA.
_____

Previous post:

Is SOPA's "Follow the Money" Meme Infecting Anti-Spam Litigation? – Project Honey Pot v. Does

[image credit: Shutterstock - Matthew Cole - "Illustration of a Honey Bee on a White Background"]

Posted by Venkat at 07:24 AM | Derivative Liability , E-Commerce , Evidence/Discovery , Spam

February 20, 2013

Telephone Consumer Protection Act Case Update – February 2013 Edition

[Post by Venkat Balasubramani]

Birchmeier v. Econ. Strategy Group, 12 C 4069 (N.D. Ill. Dec. 28, 2012): This was a putative class action filed against Economic Strategy Group and Caribbean Cruise Line. Plaintiff alleges that defendants made calls to their cell phones under the auspices of conducting political polls, but in reality wanted to sell cruises. The court denies defendants’ motion to dismiss on Rule 8 grounds, saying that plaintiff does not need to specify which defendants engaged in what activity. More importantly, the court rejects the argument that only the person who placed the call is liable under the TCPA. Finally, the court rejects as a “non starter” defendants’ argument that the fact that the call allegedly involved a political survey fits it within the FCC exemption for political surveys. In any event, the court says that the FCC exemption covers calls made with artificial or pre-recorded voices but does not involve calls made with autodialers.

Gragg v. Orange Cab Co., C12-0576RS (W.D. Wash. Jan. 17, 2013): This was another putative class action where plaintiff alleged that defendants sent a text message offering a free taxi booking app. The text attached to the complaint read as follows:

Taxi #850 dispatched @ 05:20. Smart phone? Book our cabs with Taxi Magic - #1 FREE taxi booking app http://cabs.io/29e1b7d

In order to trigger liability, the call must be placed with equipment that “has the capacity to store or produce numbers using a random or sequential number generator.” The court says that the message appears personal in question and does not appear to be sent “by means of an ATDS.” The court dismisses the claim but grants leave to amend. The court says that plaintiff can allege supporting facts that the message was not a personalized message but was a mass marketing text.

The court also looks at whether the message violates Washington’s email statute. While another judge in the same district had recently held (Hickey v. Voxernet) that a message that offers a free download was not “commercial” for purposes of the Washington statute, since the date of this decision, the Ninth Circuit issued its opinion in Chesbro v. BestBuy. Chesbro took an expansive view of what is a “commercial” message for the TCPA (and the Washington statute dealing with autodialers). The court follows suit and finds that the message in question was commercial for purposes of Washington’s email law. While the app was free, “the only purpose of the offer was to promote or encourage the use of defendants’ taxi services.”

Lee v. Stonebridge Life Insurance Co., C 11-0043 RS (N.D. Cal. Feb. 13, 2013) [pdf]: This was another putative class action—the court finds grants the motion for class certification. Plaintiff received the following text that she alleges violated the TCPA and was a lead generation mechanism for Trifecta, the marketing company defendant:

Thanks 4 visiting our website please call 877-711-5429 to claim your $100 walmart gift card voucher! Reply stop 2 unsub.

As alleged by plaintiffs, Stonebridge and Trifecta had a marketing arrangement. Trifecta’s job under this arrangement was to generate leads for Stonebridge, but it contracted the job of actually sending out text messages to third parties. Consumers who received the messages and responded were connected to a Trifecta call center and pitched products from either Stonebridge or third parties. If they expressed interest in a Stonebridge product, their number was then passed on to Stonebridge.

The court says that the dispute is amenable to class-wide resolution. The fact that Stonebridge didn’t actually send the messages is not a defense that requires an individualized determination (in the process,the court says this is unlikely to be a viable defense for either). The court passes on a related argument that the messages may not have been sent “on behalf” of Stonebridge exclusively.

None of these cases alone are blockbusters, but it’s interesting to see the text spam litigation juggernaut continue on. Three points from the cases:

- making a call with an autodialer is a low standard (the Orange Cab case, notwithstanding, Satterfield set an incredibly low bar for pleading standards);

- outsourcing text marketing is a recipe for disaster (the fact that the particular defendant did not send the messages in question is not likely to be a viable defense);

- fitting within an exception is not easy, and courts have taken a broad view of what is commercial.

Overall, it probably bears repeating that text-based marketing is a high risk endeavor.

[image credit: Shutterstock/Anton Novik "Glossy Winged Mail Envelope"]

Posted by Venkat at 12:43 PM | Content Regulation , Marketing , Spam

November 15, 2012

Court: Customer Consents to Receive Texts by Providing Phone Number to Pharmacy – Pinkard v. Wal-Mart Stores, Inc.

[Post by Venkat Balasubramani]

Pinkard v. Wal-Mart Stores, Inc., 12-cv-02902 (N.D. Ala. Nov. 9, 2012)

Text messaging lawsuits are out of control.* That said, a district judge granted a motion to dismiss brought by Wal-Mart in a text spam case that even by the most conservative standards was a harsh result. (Two other courts have also recently given text spam lawsuits the boot: Ibey v. Taco Bell and Ryabyshchuck v. Citibank.)

Pinkard visited a Wal-Mart in-store pharmacy, and at the request of Wal-Mart employees, provided her mobile phone number. She alleges that the employees did not expressly seek her permission to send text messages but rather said the number was necessary “in case . . . any questions . . . came up.” She started receiving text messages from Wal-Mart (the frequency and contents were not alleged). When she inquired with Wal-Mart staff as to why she received text messages, a Wal-Mart employee told her that it was Wal-Mart’s policy to automatically enroll pharmacy customers into a program that sends Wal-Mart-related texts to those customers.

Wal-Mart argued that by providing her number, plaintiff consented. The key question is what consent under the TCPA should look like. The court notes that the FCC has a rule that requires written consent, but this rule will not go into effect until October 2013. Therefore, written consent is not required. The court says that a party consents to receiving calls when the party “voluntarily provides her telephone number to another.” Pinkard argued that this rule only applied to telephone calls in the colloquial sense and not text messages (that the FCC and courts also treat as “calls” under the TCPA). The court is not persuaded, and says that text messages and voice calls are treated the same for other purposes of the TCPA, so there’s no reason to distinguish when it comes to consent:

no statutory, regulatory, or caselaw rationale to distinguish [between calls and text messages] presently exists. Consequently, under sec. 227(b)(1), a person ‘who knowingly releases her phone number has in effect given her invitation of permission’ to be contacted at that number, including via text message.

Plaintiffs pointed to the Ninth Circuit’s statement in Satterfield that consent needs to be “clear[] and unmistakable,” but the court says that giving someone (even an employee at Wal-Mart) your mobile number is clear and unmistakable consent. To hold otherwise, the court says would “contradict the overwhelming weight of social practice.”

Finally, plaintiff moved to amend her complaint, and she submitted a proposed amended complaint that added a bunch of factual detail, including that she did not consent to receive texts (whatever the scope of consent may be inferred from providing her number). The court says that plaintiff’s proposed amended pleading inverts the burden of proof. It’s initially Wal-Mart’s burden to prove consent. Once it satisfies this burden, it’s then plaintiff’s burden to “explicitly state the limited scope of her consent.” [emphasis in original] Either way, the court denies the proposed amendment on the basis that it would be futile.

Oy. It can’t be the right answer that if you provide a pharmacy your mobile number at the pharmacy's request, you automatically consent to receiving a stream of commercial text messages. I’m not sure in what universe this would be in accordance with the “overwhelming weight of social practice,” but probably not ours. It will be interesting to see if plaintiff appeals. I would assume she has a reasonably good chance of success, at least to proceed past the pleading stages.

The ruling touches on a favorite theme: unintended consequences from application of a law or regulation to a medium it was not necessarily originally intended to address. (See also Facebook v. Max Bounty.) Here, although virtually every court has since come to this conclusion, it was far from obvious that the TCPA’s definition of "call" encompassed text messages. (See Joffe v. Acacia Mortgage for early discussion of this issue, as well as Abbas v. Selling Source.) One of the problems with this approach is that consent for texts plays out differently than consent from calls, and the operative FCC regulations don’t provide sufficient guidance on how to distinguish between the consent that should be implied to receive a call when you give someone your telephone number and consent to receive texts. (Either way, the fact that the customer provided the number at the employee’s request should affect the analysis.)

* - If a class action suing a sports team for sending more than the allotted amount of 5 texts per week isn’t over the top, I’m not sure what is. See the recently filed complaint in Wojcik v. Buffalo Bills, Inc., 12 cv 2414-SDM-TBM (M.D. Fla. Oct. 25, 2012).

[image credit: Shutterstock/Anton Novik "Glossy Winged Mail Envelope"]

Posted by Venkat at 12:52 PM | E-Commerce , Marketing , Spam

November 05, 2012

Confirmatory Opt-out Text Message Not Actionable Under the TCPA -- Ryabyshchuck v. Citibank

[Post by Venkat Balasubramani]

Ryabyshchuck v. Citibank, 11-CV-1236 – IEG (WVG) (S.D. Ca. Oct. 30, 2012)

Ryabyshchuck filled out an online credit card application. A pop-up message displayed when he entered his information alerted him to the fact that by providing his number, he:

agree[d] to receive calls and messages, such as text messages, to service [his] account.

A couple of days later, he received a text from Citibank to the number he provided:

Free Text Msg.: Citi Cards needs to talk with you regarding your recent application. Please call 866 365-8692. To Opt-Out reply STOP.

He replied “STOP,” and promptly received confirmation that Citi opted him out from receiving additional messages:

Free Text Msg.: Per your request you will no longer receive text messages from Citi Cards Credit Dept. If you have any questions call 866 365 8962.

He sued, alleging that the text messages violated the Telephone Consumer Protection Act. The court initially denied Citibank’s motion to dismiss. (Here’s our previous blog post on this ruling: “Text Spam Lawsuit Against Citibank Moves Forward Despite Vague Allegations of Consent -- Ryabyshchuk v. Citibank.“) However, the court recently granted Citibank's motion for summary judgment.

Plaintiff abandoned his argument as to the initial message so the only message at issue was the confirmatory opt-out message. At least one court has held that a confirmatory opt-out message does not violate the TCPA (Ibey v. Taco Bell), and this court follows suit as well. Agreeing with the conclusion that imposing liability for a single confirmatory text message would “contravene public policy and the spirit of the statute,” the court grants Citibank’s motion for summary judgment.

Nice to have that cleared up.

[NB: Ryabyshchuck has a name that even I found difficult to spell (and that’s saying something). I thought I misspelled his name in the previous blog post about the case, but it turns out I followed the court’s spelling—that ended up changing from the previous order to this order.]

Group Text Services Grapple with TCPA Class Actions
Ninth Circuit Revives TCPA Claim--Satterfield v. Simon & Schuster
Cellphone Spam Violates TCPA--Joffe v. Acacia Mortgage
Text Spam Lawsuit Against Citibank Moves Forward Despite Vague Allegations of Consent -- Ryabyshchuk v. Citibank
Court Rejects Constitutional Challenge to TCPA Based on Vagueness in "Prior Express Consent" Exception -- Kramer v. Autobytel, Inc.
Another Court Finds that TCPA Applies to Text Messages -- Lozano v. Twentieth Century Fox Film Corp.
Court Finds that SMS Spam Messages are Subject to the TCPA and Rejects First Amendment Defense -- Abbas v. Selling Source, LLC
Confirmatory Opt-Out Text Message Doesn't Violate TCPA – Ibey v. Taco Bell
Franchisor Isn't Liable Under the TCPA for Franchisees' Text Message Campaign – Thomas v. Taco Bell

[image credit: "old fashioned phone over white" earshot/shutterstock]

Posted by Venkat at 03:24 PM | Content Regulation , Marketing , Privacy/Security , Spam

October 20, 2012

9th Circuit Zings Best Buy Over Robocalls – Chesbro v. Best Buy

[Post by Venkat Balasubramani, with a comment from Eric]

Chesbro v. Best Buy Stores, L.P., No. 11-35784 (9th Cir. Oct. 17, 2012) [pdf]

The Ninth Circuit has issued a few consumer-favorable rulings in the unsolicited text and phone call realm. Here is a another one.

Chesbro bought a computer at Best Buy and provided his telephone number. Best Buy says that he also signed up for Best Buy's “Rewards Zone Program.” Chesbro says he knows nothing about the program, and if he signed up to enroll, he did so unwittingly.

Then, the robocalls started. Chesbro says he received “more than five, less than a dozen” calls from Best Buy following his computer purchase. Chesbro complained to the Washington AG’s office after receiving one particular call. He also called Best Buy and told them to put him on their internal “do not call” list. (He was also signed up on the national “do not call” registry, but that doesn’t seem to have been very effective.) Finally, the straw that broke the proverbial camel’s back:

This is a very important message regarding the Best Buy Reward Zone program. We’re making some changes to increase the security of the program and be more environmentally friendly. Please listen to the entire message and then go to MyReward-Zone.com for details and to update your membership.

The following changes take effect October 31st, 2009 …

For full details and to make sure you’re ready for these changes, go to MyRewardZone.com.

If you would like to hear this message again, press 9
Thank you for your time — and for being a valued Reward Zone program member.

Chesbro sued, asserting claims under the TCPA and Washington’s do not call statute. The TCPA allows the FCC to exempt certain commercial calls that do not adversely affect the privacy interests protected by the TCPA and do not contain unsolicited advertisements. The FCC promulgated rules but said that “dual purpose” calls—calls where a company may inquire about the customer’s satisfaction or otherwise provide customer-service information but also offer to sell additional goods or services--are advertisements and subject to the prohibitions of the TCPA.

Best Buy says that the calls were purely courtesy calls or informational calls. The court disagrees:

The robot-calls urged the listener to “redeem” his Reward Zone points, directed him to a website where he could further engage with the RZP, and thanked him for “shopping at Best Buy.” Redeeming Reward Zone points required going to a Best Buy store and making further purchases of Best Buy’s goods. There was no other use for the Reward Zone points.

The court says that the absence of any reference to products or services is not determinative. The court also allows Chesbro’s claims under the Washington version of the TCPA to move forward.

Ouch. The court’s conclusion that the calls are advertisements only leaves room for Best Buy to argue consent, and that doesn’t seem like a particularly easy argument to make. (See Citibank; Thrasher-Lyon v. CCS Commercial.)

As a consumer, I applaud the court’s privacy-friendly approach. I (like everyone) can’t stand robocalls. But the court's interpretation doesn't leave much room for "informational calls" that are not advertisements. Maybe this is the right approach, as a "purely informational" or customer service call from a corporation is about as real as a unicorn. Perhaps what ultimately swayed the court is Best Buy’s mule-like refusal to honor Chesbro’s numerous opt-out requests. It’s a given in today’s day that the right hand of the corporation will never talk to the left, but that is very likely what could have tipped the scales here.

I've long advocated leaving text message-based marketing out of the marketing toolbox (due to the risk of liability). Perhaps it's time to add robocalls to the list.

Added: I thought it was worth mentioning Stern v. Bluestone, a 2009 decision from New York's highest court tackling this issue in the context of unsolicited faxes sent by attorneys: "N.Y. High Court Finds Attorney's Unsolicited Faxes Did Not Violate Communications Act."

Of interest: “The Federal Trade Commission (FTC) is challenging innovators to create solutions that will block illegal robocalls.” $50,000 bounty!
___

Eric's Comment: Following the Dex v. Seattle case we'll be blogging about soon, this is a second Ninth Circuit case this week attempting to make legal distinctions between editorial content and advertising. As I indicate in the upcoming Dex post, there are simply too many border cases for that distinction to remain coherent. Consider this: this week, the Ninth Circuit held that Yellow Pages are editorial content and a reminder about expiring loyalty points is advertising. Good luck rationalizing those conclusions!

[image credit: John T. Takai / Shutterstock]

Posted by Venkat at 09:38 AM | Content Regulation , E-Commerce , Marketing , Privacy/Security , Spam

September 10, 2012

Courts Allows Text Spam Class Action Against Voxer, a Cell Phone Walkie-Talkie App -- Hickey v. Voxernet

[Post by Venkat Balasubramani]

Hickey v. Voxernet, C12-373 MJP (W.D. Wash.; Aug 13, 2012)

Voxer is an app that turns your cell phone into a walkie-talkie. Plaintiff sued on his own behalf and on behalf of a putative class, alleging that he received unsolicited text messages sent “by or on behalf of Voxer.” The precise nature of the text messages is unclear from the court’s order. While the order says that Voxer allegedly used its subscribers’ “phone contact lists,” it’s unclear as to whether users sent out “get on Voxer” texts to all of their contacts as a default, or merely sent these messages when they tried to contact specific individuals on their contacts lists. Plaintiff asserted claims under the Telephone Consumer Protection Act and Washington’s anti-spam statute.

Who is responsible for the messages?: Voxer argued that it wasn’t the one who sent the messages—i.e., the individual users were. The court says that although the relationship between Voxer and the person whose phone sent the messages is unclear, the complaint alleges sufficient facts to get past a motion to dismiss. Citing to In re Jiffy Lube, the court also says:

other courts’ willingness to expand liability under the TCPA despite the involvement of third parties in the transmission of prohibited communications indicates that potential third party involvement in sending the message . . . is not dispositive of defendant’s liability under the TCPA.

Did Voxer use an automatic telephone dialing system?: The court also says that plaintiff adequately pled the use of an ATDS by Voxer. Voxer’s app in this circumstance functions as a “predictive dialier” which according to the TCPA regs is “hardware, when paid with certain software, [which] has the capacity to store or produce numbers and dial those numbers . . . from a database of numbers.” Citing to statements in the FCC regs that automated dialing technology will continue to develop and the difficulty plaintiff faces in knowing precisely what type of dialing system a TCPA defendant uses at the early stage of the case, the court says that plaintiff’s allegations are sufficient to satisfy the requirement that defendant used an ATDS to initiate the call. (See Satterfield.)

Preemption of Washington’s email/text spam statute: Voxer argued that plaintiff’s claims under Washington’s anti-spam statute were preempted, but the court says no. There’s no difficulty in complying with both sets of rules, and no scenario where your compliance with one would put you out of compliance with the other. Voxer also argued that since the Washington statute applies to cross-border messages, it impedes the federal regulatory scheme for interstate communications. The court disagrees, and notes that Congress intended the TCPA to be a floor, to strengthen state regulations around intrusive text messages.

Having said that plaintiff’s claims are not preempted, the court finds that plaintiff does not state a claim under the Washington statute because the Washington statute only applies to texts messages that are sent to promote products or services that are for “sale or lease.” Looking to the dictionary definition of the term sale (“a price in money paid or promised”) the court says that the texts in this case don’t fit because there’s no allegation that consumers pay money for Voxer. The intangibles consumers pay to download or use Voxer are not enough to turn this into a “sale.”

Oy. In re Jiffylube strikes again. The key factual question it would have been nice to see fleshed out is whether a text was triggered by the user’s actions or by Voxer. The court says, looking to the seemingly broad notions of liability under the TCPA, that this does not matter (at least at the pleading stage). It’s interesting that there was no discussion of the terms of service and whether users were provided notice that their contacts would be sent texts. Even assuming that Voxer sends a text to every single contact, maybe Voxer could have said that it wasn’t the moving force behind the text (i.e., consumers were apprised that their contacts would be sent texts, and their act of downloading and installing the software after having been apprised of this is what caused the texts to be sent).

The preemption argument is worth noting. The two statutes are slightly different. The TCPA doesn’t speak directly to text messages but has been given this interpretation by the FCC and courts. Washington’s statute, on the other hand, doesn’t require the use of an automatic dialing system but says that you can’t send any “commercial” texts to a number assigned to a Washington resident. You could conceivably comply with the TCPA by not using an auto-dialer, but violate the Washington statute by sending a commercial text. The part of the Washington statute that’s awkward is that it only applies to numbers that are assigned to Washington residents. Are people who send out commercial texts required to consult with a directory to make sure whether the numbers on their list are assigned to Washington residents?

(The TCPA also contains a savings clause that says states are free to impose “more restrictive intrastate requirements or regulations on, or which prohibits . . . the use of . . . facsimile machines or other electronic devices to send unsolicited advertisement.” The court says that intrastate does not modify prohibitions—i.e., any prohibition is OK under the savings clause, but only intrastate regulations are saved. The drafting seems awkward to begin with, but this interpretation is clunky at best.)

As mentioned above, the big question is whether Voxer is sending texts to everyone in a user's contact list (as companies such as Reunion are alleged to have done) or whether a text is merely sent when a user tries to contact someone in his or her contact list. If it's the latter scenario, Voxer should have a viable defense under Section 230. (This brings to mind Abrams v. Facebook, a dispute from several years back, where Facebook was sued for allowing users to send SMS messages. Facebook had a Section 230 defense available, but settled and agreed to make changes around its SMS offering.) If it's the former scenario, Voxer should get out its checkbook and be prepared to write a check.

Previous posts:

"Confirmatory Opt-Out Text Message Doesn't Violate TCPA – Ibey v. Taco Bell"
"Text Spam Class Action Against Jiffy Lube Moves Forward – In re Jiffy Lube Int’l, Inc., Text Spam Litigation"
"Group Text Services Grapple with TCPA Class Actions"
"Text Spam Lawsuit Against Citibank Moves Forward Despite Vague Allegations of Consent -- Ryabyshchuk v. Citibank"
"Court Rejects Constitutional Challenge to TCPA Based on Vagueness in "Prior Express Consent" Exception -- Kramer v. Autobytel, Inc."
"Another Court Finds that TCPA Applies to Text Messages -- Lozano v. Twentieth Century Fox Film Corp."
"Court Finds that SMS Spam Messages are Subject to the TCPA and Rejects First Amendment Defense -- Abbas v. Selling Source, LLC"
"Ninth Circuit Revives TCPA Claim--Satterfield v. Simon & Schuster"
"Cellphone Spam Violates TCPA--Joffe v. Acacia Mortgage"
Telephone Numbers as Identity Authenticators--Abrams v. Facebook

Posted by Venkat at 03:30 PM | Content Regulation , Spam

July 25, 2012

Franchisor Isn't Liable Under the TCPA for Franchisees' Text Message Campaign – Thomas v. Taco Bell

[Post by Venkat Balasubramani with comments from Eric]

Thomas v. Taco Bell Corp., SACV 09-01097-CJC(ANx) (C.D. Cal.; June 25, 2012)

Thomas allegedly received unauthorized text messages as part of an advertising campaign for Taco Bell's Nachos BellGrande ("[a] large platter of crisp, freshly prepared tortilla chips covered with hearty beans, seasoned ground beef, warm nacho cheese sauce, diced ripe tomatoes, and reduced fat sour cream"--I'm sure they taste as glorious as they sound).

The text messages in question were organized by the “Taco Bell Local Owners Advertising” association, an Illinois entity comprised of 12 owners of Taco Bell stores in the Chicago area. The Association retained ESW Partners, an advertising agency, who then contracted with ipsh!net, who actually sent the messages. Taco Bell Corp., the national franchisor, had some influence over the Association’s activities through a seat on the Association’s Board of Directors, and control of the pursestrings (the funds that were used by the Association for advertising were controlled by a division of the national franchisor). While the Association was free to conduct its own separate advertising, where funds from Taco Bell (the franchisor) were used to pay for a campaign, approval from Taco Bell was required. In this case, a division of Taco Bell ended up paying for the advertising campaign.

She sued several different entities in the chain alleging violations of the TCPA, but amended the complaint to name only two defendants: Taco Bell (the national franchisor) and the Association. The Association was dismissed on jurisdictional grounds. Another defendant was dismissed earlier on jurisdictional grounds as well. The key question was whether Taco Bell (the franchisor) could be on the hook for any alleged TCPA violations.

The court says that the TCPA imposes liability on someone who actually “makes” a call that violates the statute. While Thomas argued that the TCPA also imposes liability on someone on whose behalf the call was made (i.e., any party that “receives benefit from the text message”) but the court says that the language and intent of the TCPA does not envision derivative liability on such a broad standard. In the absence of a specific basis of vicarious liability, traditional (agency) standards govern. A principal-agent relationship, the court says, “means more than passive permission; it involves request, instruction, or command.”

The court says that Thomas’s evidence falls short in this regard. Thomas did not present any evidence that Taco Bell (the franchisor)

directed or supervised the manner and means of the text message campaign conducted by the Association, and its two agents, ESW and ipsh!. She presented no evidence . . . that Taco Bell created or developed the text message. Nor did she present any evidence . . . that Taco Bell played any role in the decision to distribute the message by way of a blast text.

Thomas argued that the existence of a policy under which Taco Bell would pay for the Association’s advertising demonstrated that Taco Bell controlled the advertising, but the court says that approval of the campaign is different from control over “the manner of marketing”. Thomas also argued that the presence of a Taco Bell employee on the Association’s Board of Directors and the fact that the employee cast a vote to approve this campaign also reflected the requisite control. The court says this is insufficient to create the type of agency relationship required for derivative liability under the TCPA. Thomas tried to marshal some other evidence in support of agency liability, but the court says this is all anecdotal and doesn’t reflect Taco Bell’s control over the means of marketing.

This could be somewhat of a blockbuster ruling under the TCPA. The big TCPA case out of the Ninth Circuit didn’t rule on derivative liability but made it painfully easy to sue anyone who sent an unsolicited text. (See Satterfield v. Simon & Schuster.) Incidentally, ipsh!, the entity that sent the messages in this case, was also involved in Satterfield and was actually a defendant in that case, but the Ninth Circuit did not delve into the relationship between ipsh! and Simon & Schuster from the standpoint of legal liability.

In the context of unsolicited text messages, Satterfield has been a boon for plaintiffs, and they have taken full advantage of the resulting litigation bonanza. We've blogged a bunch about TCPA cases, but this post from Tom O'Toole talks about a hockey team being sued for sending text messages ... to its fans!

The big question this case raises is whether this is just an instance of a plaintiff not having the right defendant available on the other side of the v., or whether it somehow changes things as far as plaintiffs’ attempts to hold advertisers—rather than their marketing agencies—liable. I would think it’s more of the former. Here, the plaintiffs sued multiple entities and at one point amended the complaint to name only the parent entity and the association. I'm not 100% clear as to why the plaintiff did not name ipsh. (It's possible plaintiffs settled with ipsh or there's some other explanation, other than the obvious issue of personal jurisdiction, for why the franchisor and association ended up being the only defendants.)

Interestingly, plaintiffs have been stymied consistently in trying to smack defendants with affiliate liability in lawsuits under CAN-SPAM. (See the cases mentioned in this post.) Might we see a similar dynamic play out in future TCPA lawsuits? (See also Anderson v. Domino's Pizza, Inc., et al., for a similar result under state law in a text spam case brought in Washington.)

FWIW, I predict this one will be appealed.
_________

Eric's Comments

Even though Ipsh wasn't in the courtroom, the ruling throws Ipsh under the bus, saying that Ipsh pushed the button on the campaign and therefore would be the prime mover behind any TCPA violation. If the campaign violated the TCPA, Ipsh would have been legally liable--perhaps along with other defendants, but possibly as the only defendant left holding the bag. Ipsh can try to put into place an airtight indemnity agreement with its customers (though those are rarer than unicorns), but this ruling can't be a confidence-booster about the vitality of its text-messaging business line. I further wonder if this ruling will spook the marketing services companies providing email campaign outsourcing? They are governed by a different statute, but they too are the ones who "push the button."

Meanwhile, assuming the facts are true, I don't understand how this text-messaging campaign got greenlighted given the obvious legal risks. Sure, it would be great to reach texting young adults who have the munchies via their most precious device, but text-messaging campaigns are always fraught with legal peril. When you add in the Grande legal costs of defending the resulting lawsuits--and the plaintiff lawyers love these kinds of lawsuits--the per-text-message costs of reaching 17,000 consumers never had a chance of being profitable no matter what the conversion rate of such ads. Plus, this isn't Taco Bell's first ride at the text-messaging litigation rodeo.

To me, the message is clear: text-messaging ad campaigns are lawsuit bait. Until the law becomes clearer and more favorable, marketers should permanently retire text-messages from their marketing campaign toolkits.

Related posts:

Posted by Venkat at 09:45 AM | Content Regulation , Derivative Liability , Marketing , Privacy/Security , Spam

July 06, 2012

Confirmatory Opt-Out Text Message Doesn't Violate TCPA – Ibey v. Taco Bell

[Post by Venkat Balasubramani]

Ibey v. Taco Bell Corp., 12 CV 0583 (HVG) (S.D. Cal.; June 18, 2012)

Plaintiff responded to an invitation to complete a survey about Taco Bell and “voluntarily sent a text message . . . to the number 93138.” In response to his text, he received instructions on how to complete the survey. He then changed his mind and sent a “STOP” message. In response to the STOP message, he received a confirmatory text message from Taco Bell acknowledging that he would receive no further messages.

He sued, alleging that the confirmatory message violated the TCPA. Taco Bell moved to dismiss or in the alternative for summary judgment. The court grants the motion to dismiss.

The court says that plaintiff “expressly consented” to contact by Taco Bell, and that

[Taco Bell’s] sending a single, confirmatory text message in response to an opt-out request from Plaintiff, who voluntarily provided his phone number by sending the initial text message, does not appear to demonstrate an invasion of privacy contemplated by Congress in enacting the TCPA.

In order to assert a claim under the TCPA, the plaintiff must also allege that the text was sent using equipment that had the capacity to generate random or sequential numbers. (See Satterfield.) The court says that plaintiff failed to make this allegation. In fact, the court says that if the facts are as they had been pled by plaintiff, Taco Bell would be entitled to summary judgment. Although the court grants plaintiff leave to amend, judging from the tone of the court's order, Ibey would be wise to drop his claims. (Ibey moved to reconsider the court's order, you can access his motion here.)

There has been at least one case going the other way – i.e., holding that even confirmatory opt-out messages can violate the TCPA. (See Ryabyshchuk v. Citibank.) This case is distinguishable from Ryabyshchuk on the basis that consent was not an issue here. Plaintiff admitted that he voluntarily texted Taco Bell in the first place. In any event, it’s nice to see this court come to the conclusion that should be glaringly obvious: a confirmatory opt-out message shouldn’t violate the TCPA or separately form the basis for liability.

This decision notwithstanding, companies should consider avoiding sending a confirmatory opt-out message to avoid the hassle of litigating these types of claims.

Related posts:

Posted by Venkat at 12:16 PM | Content Regulation , E-Commerce , Marketing , Spam

July 05, 2012

Men's Journal Beats Lawsuit Alleging Violation of California’s “Shine the Light” Privacy Statute -- Boorstein v. Men’s Journal

[Post by Venkat Balasubramani with comments from Eric]

Boorstein v. Men’s Journal LLC, 12-771 DSF (Ex) (C.D. Cal.; June 14, 2012)

California’s Shine the Light (STL) statute is a little unusual in that it mandates that businesses make specific disclosures about their privacy practices. For the most part, when it comes to telling consumers what you will do with consumer information and restrictions on how you will use such information, your own privacy policy and the FTC Act are the main regulations that companies need to worry about. The STL law is designed to inform users as to how their information is being used for direct marketing purposes. It doesn’t necessarily impose any substantive restrictions on the use of such information, but it requires websites to disclose (at the consumer’s request) how their information is being used. To this end, businesses are supposed to designate contact information where consumers can request how their information is being distributed. Alternatively, the business can comply with the statute by allowing consumers to opt-in or opt-out of distribution of their information. It’s an interesting attempt by the California legislature to give consumers more control and choice, but as this case illustrates, things didn’t really work out that way.

Boorstein sued (on behalf of a putative class) alleging that Men’s Journal did not comply with the statute because it failed to provide consumers with the appropriate contact information to enable consumers to make requests under the STL statute. Boorstein did not allege that he took any steps to find out this information (or otherwise find out about Men's Journal's information sharing practices) by contacting Men’s Journal. Boorstein simply alleged that Men's Journal's failure to designate contact information alone was sufficient to allege a violation of the statute.

The court says no go.

No standing as a result of loss of economic value to Boorstein’s information: First, the court says that Boorstein did not suffer economic injury that was caused by a violation of the statute. It’s questionable in the first place whether Boorsteein’s information has economic value in Boorstein’s hands. (See, e.g., Del Vecchio v. Amazon, among other cases.) In any event, the court says the statute does not actually prohibit the exploitation of consumer information for marketing purposes. Additionally, the statute is backward looking, and only requires businesses to disclose their use of consumer information for the “immediately preceding calendar year.” End result: even to the extent plaintiff's personal information is property that can be appropriated by Men's Journal, any harm Boorstein suffered isn't caused by the alleged statutory violation.

Failure to provide contact information is not an “injury” under the STL law: The court also says that Men’s Journal’s failure to display the contact information alone does not state a claim under the STL law. The law requires some sort of “injury” flowing from a violation, and as mentioned above, the court says there’s no injury to the value of Boorstein's personal information that results from the alleged statutory violation. Case law only recognizes “information injury” (failure to provide required information) where the information is requested but not provided. Boorstein’s failure to allege that he requested the contact information from Men's Journal undermines his claim. The court also says that Boorstein’s injury is “procedural,” rather than “informational.”

Boorstein’s argument based on the Men’s Journal subscription fee fails: Boorstein also made the typical consumer protection argument that the price of the Men’s Journal subscription included the value of the designated contact information for STL law purposes, and Men’s Journal’s failure to provide this information means that he has been cheated out of his bargain. [Say what?] The court says that Boorstein’s allegation that Men’s Journal impliedly represented that it would "abide by all applicable laws" doesn’t mean that Men’s Journal agreed to provide contact information as part of the subscription price--or, more importantly, that Boorstein would not have subscribed had he known the contact information would not be forthcoming. The court also says that Boorstein cannot make out a UCL claim because he has not lost “money or property” as a result of Men’s Journal’s violations of the statute. As already mentioned, he would have subscribed anyway, so Boorstein can’t use the subscription price as part of his “money or other property” argument. Similarly, he also can’t use the value of his personal information in order to support his UCL claim.

A few observations:

1. The "personal information as property" meme is not gaining much traction. In fact, apart from an initial decision or two that recognized this as a possible theory (for standing purposes), courts have pretty resoundingly rejected it. (Del Vecchio v. Amazon and In re iPhone App Litigation are two recent examples.) Perhaps a blockbuster appellate ruling will come along to rescue privacy plaintiffs. Until then, the trial courts are not buying this argument at all.

2. The "privacy as part of the purchase price" argument is also something that plaintiffs often raise, but courts don’t like this either. It’s worth noting that in this case, even the plaintiff’s own allegations (as the court described them) didn’t expressly say that he would not have bought the magazine subscription had he known he would not have been provided contact information. There's an obvious reason for this.

3. The court doesn’t get into Article III standing here, and instead relies on lack of statutory standing. To me, the two standing concepts all run together into a big quagmire, but when dealing with a state law in federal court, it seems preferable to rely on statutory standing as a bar. (First American v. Edwards, the then-pending Supreme Court case in which Facebook and other companies weighed in on as amici, involved standing under a federal statute. But in an anticlimactic move, the Supreme Court dismissed the case without ruling on it. I didn't think a ruling in First American's favor in this case would have dramatically changed the landscape, but the lack of a decision from the Supreme Court moots this issue for now.)

4. Obviously, this ruling puts a slight crimp in the legislature’s vision of using STL to give consumers additional control over how their information is used. The court's ruling doesn’t leave consumers in a great position. Even if Boorstein had requested the information and it wasn’t provided, would he be able to obtain damages under the statute? STL provides for statutory penalties, but the tone of the ruling is that Boorstein hadn’t been damaged anyway (or damaged in a way that was tied to the statutory violation), so it’s possible that the court would have come out the same way even if Boorstein had made the necessary request.
____

Eric's Comments:

California's "Shine the Light" statute is a textbook example of a miscalibrated privacy statute (which I would argue describes almost all privacy statutes). It starts from a simple premise--consumers just want to know if a business is selling their personal information to marketers--and, to effectuate this premise, imposes substantial compliance costs and obligations on businesses (mostly just creating traps for the unwary) without any clear countervailing benefit for consumers or society at large. Not only do I question the basic premise that consumers "just want to know" about sales of their private info to marketers (see my Coasean Analysis of Marketing article), but as this and related cases illustrate, the private cause of action means that the statute almost certainly will be enforced by privacy class action lawyers who are more interested in their own quick profits than in advancing consumer welfare (see my Irony of Privacy Class Action Litigation article). There are a number of good cautionary lessons that legislators, and the privacy advocates who egg them on, could learn from this statute and this ruling, but I'm skeptical either legislators or privacy advocates will take the time to reflect on those lessons.
____

Venkat's follow-up comment:

I mildly dissent from Eric's position questioning "the basic premise that consumers 'just want to know' about sales of their private info to marketers." I may be idiosyncratic and in the minority in this regard, but particularly when it comes to magazine subscriptions I would love to know where my information ends up. (My instinct is that a big chunk of my junk mail is a result of the three or four magazine subscriptions I have in place.) I'm not sure I would change my purchasing decisions dramatically, but knowing this bit of information may tip the balance a bit or cause me to try to pressure the companies into not making my information available to third parties for direct marketing purposes. [On a loosely related note, those who are trying to get rid of junk mail may want to check out PaperKarma, an app that lets you take photos of and upload junk mail and then sends an unsubscribe request on your behalf.]

Other coverage:

First Reported Shine the Light Suit Dismissed for Failure to State Cognizable Injury
'Shine The Light' Lawsuit Against 'Men's Journal' Dismissed
Federal Judge Dismisses Shine-the-Light Suit

Posted by Venkat at 12:10 PM | E-Commerce , Marketing , Privacy/Security , Spam

June 27, 2012

Court Refuses to Dismiss Claims Against Alleged Twitter-Bot Spammer--Twitter v. Skootle

[Post by Venkat Balasubramani]

Twitter, Inc. v. Skootle Corp., et al., 2012 WL 2375486 (N.D. Cal.; June 22, 2012)

Twitter sued several alleged spammers, including (1) those who provided software for the use of automated account creation and tweeting, and (2) other defendants who actually created automated accounts and sent large amounts of spam tweets.

One of the individual defendants who allegedly created and maintained numerous bot accounts moved to dismiss on the basis of personal jurisdiction, venue, and for failure to state a claim. The court declines to grant his motion.

Subject matter jurisdiction: Twitter has a good faith basis for alleging that the amount in controversy exceeds the jurisdictional threshold for diversity jurisdiction, and the court finds defendant is unable to establish to a legal certainty that the claims do not meet this jurisdictional amount.

Personal jurisdiction: The court easily finds that defendant is subject to personal jurisdiction because he aimed his acts at a California corporation and agreed to its terms of service. Defendant is unable to demonstrate that the exercise of personal jurisdiction is unreasonable. (The court says in a footnote that it's not commenting on the enforceability of forum clauses in "clickwrap" agreements generally, but just that there hasn't been a showing of unreasonableness in this case.)

Venue: The court similarly says that venue is proper under the forum selection clause in Twitter’s agreement and defendant fails to argue with any credible facts as to why litigating the dispute in California would be unduly burdensome.

Failure to state a claim: Defendant argued that Twitter’s sole remedy for a violation of Twitter’s terms of service is to suspend user accounts, but the court says that Twitter’s terms expressly reserve any other available remedy to Twitter. Twitter alleges that creating bot twitter accounts and sending spam tweets was a violation of its terms and it was damaged by defendant’s breach of the terms. At the pleading stage, Twitter easily satisfies its burden.
__

A fairly run of the mill ruling resolving some typical arguments raised by a pro se defendant.

It’s worth noting that Twitter did not assert claims under CAN-SPAM, and the core of its claims are based on a breach of its terms of service. (See my previous posts on CAN-SPAM and social media posts that mention why Facebook posts don’t track neatly to CAN-SPAM: "N.D. Cal.: Facebook Posts are Electronic Mail Messages, Subject to CAN-SPAM"; "Facebook Gets Decisive Win Against Pseudo-Competitor Power Ventures -- Facebook v. Power Ventures." The same would be true of tweets.) A noteworthy move by Twitter to not push the envelope on this issue.

The fight that may end up being interesting is the one between Twitter and the defendants who allegedly made available the software used by those who created bot accounts and tweeted. These defendants may have a potential Section 230 defense available, and to establish liability, Twitter will have to show something more than that the software can be used to manage tweets from multiple accounts and automate tweets (functionality shared by many tools that are perceived as “legitimate” by Twitter). (See also "Keylogger Software Company Not Liable for Eavesdropping by Ex-spouse -- Hayes v. SpectorSoft.")

[A final procedural note. The court (separately) issued a show cause order requiring Twitter to demonstrate that joinder is proper. The order notes that there doesn't seem to be a connection between several of the defendants other than the fact that they were all engaged in Twitter-spamming.]

Posted by Venkat at 06:57 PM | E-Commerce , Licensing/Contracts , Spam , Trespass to Chattels

May 30, 2012

Is SOPA's "Follow the Money" Meme Infecting Anti-Spam Litigation? – Project Honey Pot v. Does

[Post by Venkat Balasubramani]

Project Honey Pot v. Does, 11-cv15 (LMB/JFA) (E.D. Va.; May 21, 2012)

Project Honey Pot is a “spam-tracking network that ‘allows spammers, phishers, and other e-criminals to be tracked throughout their entire ‘spam life cycle’’.” It had, and maybe still has, great ambitions and was founded by Matthew Prince, of Unspam fame. As detailed by Eric in this blog post, Unspam is (or was) a for profit company that operated a "do not email kids" registry aimed at allowing people to comply with Utah's "don't email the kids" law: "Utah's 'Don't Email the Kids' Registry a 'Financial Failure.'" Prince also publicly defended Utah's ill-fated key word advertising law: "Keyword Advertising as Corporate Identity Theft—Sen. Eastman Defends New Utah Law Banning Keyword Advertising." (Prince is now CEO of CloudFlare, which offers, among other things, services that help you comply with EU's cookie regulations: "CloudFlare To Launch Service For Sites Dealing With Tortuous EU Cookie Law.")

Anyway, PHP filed and voluntarily dismissed a couple of lawsuits in Virginia without any apparent docket activity. This time around, it tried to go after banks who allegedly offered payment processing services to online pharmacies, along with two individual defendants.

The complaint alleged that one of the Doe plaintiffs attempted to buy a prescription drug through an online pharmacy. He paid for it by debit card but never received any medication in the mail. He didn’t suffer any out-of-pocket loss (the bank credited him the amount charged and changed his debit card number), but he alleged that since this transaction, he has received “voluminous spam email.” The complaint alleged claims under CAN-SPAM, the Virginia Computer Crimes Act, a slew of state law claims, as well as RICO claims.

Several banks filed motions to dismiss on the basis of personal jurisdiction. The court dismissed these defendants in December 2011, finding that the complaint raised speculative allegations regarding any conspiracy between the banks and the pharmacy operators. PHP dismissed one of the individual defendants, intimating that this defendant was a victim and not one of the perpetrators. The court dismissed the other defendant due to PHP's failure to effect service, and closed the file. (This is a simplified version of the procedural history; there are a few other details that are not relevant here, including the fact that PHP filed an appeal before the case was fully resolved.)

PHP filed a motion to alter or amend the judgment and reopen the action as to two of the banks. Apparently PHP’s counsel obtained a dataset of 900,000 transactions for “Glavmed” from a well-known security blogger, Brian Krebs. (See "SpamIt, Glavmed Pharmacy Networks Exposed.") The dataset included numerous records allegedly “tied to Virginia residents.” PHP also pursued third party discovery and obtained transaction records from 2006 through 2010. 63 of these transaction records identified the processing bank, and 51 of these identified transactions were allegedly tied to two of the defendant-banks.

The court denies PHP's motion to reopen the case, largely on the basis that PHP did not offer any justification for why it failed to come forward with the evidence earlier. The court also says that even if it considered this evidence, it would still dismiss the defendant-banks. PHP relied on the “conspiracy theory of personal jurisdiction.” Because the pharmacies deal with Virginia residents and since the banks deal with the pharmacies, in PHP’s view, this was sufficient for personal jurisdiction. The court says there are three flaws with this view. First, PHP cannot show that either of the banks in question have any “direct contacts” with Virginia. Second, PHP’s evidence:

still does not link the defendant banks with Virginia customers, [the individual defendants], or the single transaction at issue in this case.

Finally, the court says that even if PHP could show that the banks processed transactions for any merchants with Virginia customers, personal jurisdiction would not be proper due to the “extremely attenuated nature of the banks’ contacts with the forum.”

The court doesn’t reach the underlying merits of PHP’s claims against the banks, but the opinion is tinged with enough discussion of the banks’ “attenuated” connection with any underlying spam activity that you don’t get any warm fuzzies regarding PHP’s claims against the banks.

There are a couple of problems with PHP's theory on the merits. First, the Doe plaintiff didn’t suffer any financial injury. Standing issues aside, there is no such thing as a standalone legal claim for receiving spam emails. (Cf. Cherny v. Emigrant Bank.) It’s fairly well established that you can only sue under CAN-SPAM if you are the provider of Internet Access Services, and PHP’s factual allegations did not include any IAS-specific harms. (See Gordon v. Virtumundo.) I don't see the basis for any CAN-SPAM claims in this scenario. (It’s unclear exactly how “Project Honey Pot” fits into the picture. It all sounds very Righthavenesque.)

Even assuming PHP or Doe can sue the payment processors under CAN-SPAM, under what theory will it hold a payment processor liable? They payment processors did not send any emails. Nor were their products or services advertised via any emails. Courts have allowed parties to proceed against third parties in the chain in some trademark (Gucci v. Frontline; Akanoc) cases, but outside the context of affiliate liability, I'm not aware of any such cases in the spam context. (See also, the Perfect 10 v. Visa and Perfect 10 v. ccBill cases, dealing with payment processor liability in the copyright context, discussed by Eric in these posts: "Credit Card Providers Aren't Liable for Third Party Infringement--Perfect 10 v. Visa"; "Ninth Circuit Opinion in Perfect 10 v. CCBill.")

CAN-SPAM contains provisions governing third party (affiliate) liability, but the banks clearly did not fit within the statute. (See the Cyberheat case where the government was able to make a case for affiliate liability but had some damaging facts. A key distinction in this case is that the banks did not procure or initiate the emails in question.) Section 6 of CAN-SPAM discusses liability for third party service providers in certain limited scenarios, but the section authorizing civil actions by IASs does not list Section 6 under the list of sections that support a civil cause of action brought by an IAS. Any attempt to go after a third party in the chain based on a vague conspiracy theory (as opposed to satisfying CAN-SPAM’s standards for affiliate liability) would be an extension of liability that has no basis in the statute.

PHP's attempt to hold the banks liable is similar to the "follow the money" instincts underlying SOPA/PIPA. (Check out Eric's post on the OPEN Act for why he is not a fan of this approach: The OPEN Act: Significantly Flawed But More Salvageable Than SOPA/PROTECT-IP.) PHP figures that if it obtains any sort of a favorable ruling against the banks, it can then wave this ruling around to try to get banks to terminate relationships with reported spammers. As the trademark and copyright rulings illustrate, trying to impose this type of liability against payment processors who provide services to alleged infringers or counterfeiters is far from easy. But while there is case law plaintiffs can rely on in those contexts, it seems like a long shot at best, with little or no basis in the statute, in the anti-spam context.

Maybe PHP has achieved some lucrative settlements behind the scenes, but this ruling makes me wonder what it's been doing. The whole thing has a quixotic feel to it.

Related posts:

Posted by Venkat at 10:06 AM | Derivative Liability , E-Commerce , Spam

March 17, 2012

Text Spam Class Action Against Jiffy Lube Moves Forward – In re Jiffy Lube Int’l, Inc., Text Spam Litigation

[Post by Venkat Balasubramani]

In re Jiffy Lube International, Inc., Text Spam Litigation, 11-md-2261-JM-JMA (N.D. Cal.; Mar. 9, 2012)

Plaintiffs filed a class action against Jiffy Lube (a multi-location franchisee Heartland Automotive Services) and TextMarks alleging TCPA violations based on text messages sent by TextMarks on behalf of Jiffy Lube:

JIFFY LUBE CUSTOMERS 1 TIME OFFER:REPLY Y TO JOIN OUR ECLUB FOR 45% OFF A SIGNATURE SERVICE OILCHANGE! STOP TO UNSUB MSG&DATA RATES MAY APPLY T&C:JIFFYTOS.COM.

The court denies Heartland’s motion to dismiss. The big takeaway from the order is that text message-based marketing is something that companies often screw up, and these screw-ups end up being costly. Given the draconian provisions of the TCPA (statutory damages, stringent consent provision, no free pass for the initial message, and liability for any unsolicited message that is sent with certain equipment), rulings like these make me think companies should consider avoiding text message-based marketing altogether.

TCPA Provides for Derivative Liability:

Heartland’s first argument was that it should not be held liable because it did not actually send out the text messages (TextMarks did). The court cites to Satterfield v. Simon & Schuster and notes that the Ninth Circuit had no problem imposing liability on Simon & Schuster despite the fact that Simon & Schuster did not physically send the messages. The court also cites to an unsolicited fax case for the proposition that “congressional tort actions implicitly include the doctrine of vicarious liability.” If advertisers were allowed to escape liability by not actually sending the messages, this would allow advertisers to make an end-run around the TCPA’s prohibitions.

Heartland also argued that plaintiffs failed to sufficiently plead vicarious liability, but the court says that plaintiffs’ allegation that Heartland "engaged TextMarks to send the messages" is sufficient.

Plaintiffs’ Prior Consent:

Heartland produced invoices and sought to rely on the invoices to demonstrate that plaintiffs consented to receive the messages. The court rejects Heartland’s request that the court take judicial notice of the invoices, saying they stand for the opposite of what plaintiffs allege in their complaint. The invoices are not central to plaintiffs’ claims; therefore, they are not properly the subject of judicial notice in the same way that contractual terms—which the plaintiff relies on in the complaint—are. In passing, the court expresses skepticism as to whether the invoices would satisfy the TCPA's strict consent requirements.

Were the Messages Sent Using an Auto-Dialer:

The TCPA only imposes liability for text messages that are sent using equipment that has the capacity to store or produce random numbers. Heartland argued that plaintiffs should only be permitted to allege the use of an auto-dialer on in formation and belief if (1) the content of the message was impersonal, and (2) the text message was sent by a specific SMS-short code. I think what Heartland is trying to argue is that only if the text messages bear indicia of being transmitted en masse should a TCPA plaintiff be entitled to allege the use of an auto-dialer on information and belief. The court rejects this, noting that in Simon & Schuster the Ninth Circuit only required that the equipment at issue have “the capacity” to store or produce numbers using a random or sequential number generator. Under Satterfield, it does not matter whether this capability was actually used to send the messages.

First Amendment Challenge:

Heartland also brings a First Amendment challenge, arguing that the broad definition of auto-dialer would mean that friends who text each other dinner invitations could incur TCPA liability, and this would render the statute overbroad. As expected, this argument doesn’t get much traction with the court. The court says that the statute is intended to protect consumers against the costs and privacy invasions that accompany unsolicited text messages, and regulating texts sent through auto-dialers adequately serves this interest. The court also says that the prospect of friends incurring liability under the TCPA for texting each other dinner invitations is fairly remote. At worst, this type of a text message lies at the fringe of the statute and thus the statute does not suffer from overbreadth issues.

Plaintiffs’ Cannot be Compelled to Arbitrate Their Claims:

Heartland finally argued that one of the plaintiffs who signed an agreement with Jiffy Lube (and other class members who fell into the same category) should be required to arbitrate their dispute. This plaintiff entered into an agreement while obtaining services at Jiffy Lube which contained the following provision:

[the parties] agree that any and all disputes, controversies or claims between Jiffy Lube and [the customer] (including breach of warranty, contract, tort or any other claim) will be resolved by mandatory arbitration according to the terms of this Mandatory Arbitration Agreement (“Agreement”), except that any such dispute can be resolved by a small claims court if and for so long as the dispute is within its jurisdiction. By this Agreement, Jiffy Lube and [customer] also agree to only bring disputes against each other in an individual capacity and not as a class representative or class member and waive the right to a jury trial.

The court says the arbitration language is “incredibly broad,” and application of the clause to disputes unrelated to the contract would raise conscionability issues. The court cites to a Judge Posner opinion and concludes that if enforced as drafted, “absurd results would ensue.” Heartland asked the court to construe it narrowly but the court declines, saying it is not authorized to do so. Even if the clause were construed to be limited to disputes “arising out of or relating” to the contract, the court says that the TCPA claims would not fall within the clause.
__

As mentioned above, text message litigation has been brutal for marketers and advertisers, and this decision is no different. (Liability for spam email in contrast has been much more limited.) To my knowledge, the issue of dervative liability hasn't been squarely argued by a TCPA defendant, but decisions have implicitly recognized that the TCPA provides for derivative liability in rejecting the requests to dismiss filed by advertisers who did not transmit the messages in question. From that standpoint, the ruling is not significant, but it is still worth nothing.

Outsourcing your text message-based marketing was a risky proposition to start with, but as this decision squarely allows for derivative liability (albeit under somewhat vague standards), this makes it an even riskier proposition. Marketers may labor under the perception that the initial text message is a freebie (from a liability standpoint) and including an opt-out from receiving future texts absolves the marketer or advertiser from liability under the TCPA. It's worth repeating that this is not the case.

Previous posts:

"Group Text Services Grapple with TCPA Class Actions"
"Text Spam Lawsuit Against Citibank Moves Forward Despite Vague Allegations of Consent -- Ryabyshchuk v. Citibank"
"Court Rejects Constitutional Challenge to TCPA Based on Vagueness in "Prior Express Consent" Exception -- Kramer v. Autobytel, Inc."
"Another Court Finds that TCPA Applies to Text Messages -- Lozano v. Twentieth Century Fox Film Corp."
"Court Finds that SMS Spam Messages are Subject to the TCPA and Rejects First Amendment Defense -- Abbas v. Selling Source, LLC"
"Ninth Circuit Revives TCPA Claim--Satterfield v. Simon & Schuster"
"Cellphone Spam Violates TCPA--Joffe v. Acacia Mortgage"

Posted by Venkat at 08:46 AM | Derivative Liability , Marketing , Privacy/Security , Spam

March 09, 2012

Group Text Services Grapple with TCPA Class Actions

[Post by Venkat Balasubramani]

Pimental v. Google Inc., No. 11-2585 (N.D. Cal.; Mar. 2, 2012)

Plaintiffs sued Google (and Slide), asserting that text messages sent via the “Disco” service offered by Google violated the Telephone Consumer Protection Act.

As I understand it, Disco allows anyone to create a group for group text messaging purposes. According to the complaint, any time someone’s number is added to the group, Google sends out a service advertising its Disco services:

Disco is a group texting service. Standard SMS rates may apply or chat for FREE w/ our app – http://disco.com/d . . .

Plaintiffs sued for TCPA violations, but alleged that the messages sent by Disco violated the TCPA (they did not sue for the underlying texts).

The court rejects Google’s motion to dismiss, noting that the TCPA only requires that the text message be unsolicited (sent in the absence of prior express consent or pursuant to another exception) and sent using equipment that has the capacity “to store or produce telephone numbers to be called, using a random or sequential number generator.” Citing to the Ninth Circuit’s decision in Satterfield v. Simon and Schuster, the court says that plaintiffs’ allegations are sufficient to state a claim under the TCPA.

Defendants also raised a First Amendment argument, saying that the text messages were “informational” in nature. As with First Amendment arguments in spam litigation generally, the court was skeptical of this argument.

Glauser v. Twilio, No. C 11-2584 PJH (N.D. Cal.; Jan. 27, 2012)

A separate class action involved Twilio and GroupME, who were sued in a putative class action alleging TCPA violations. In that case, defendants successfully moved for a stay pending resolution of the FCC’s rulemaking procedures around TCPA issues. Because the FCC was considering rules clarifying (1) what constitutes an “auto-dialer” for TCPA purposes; (2) the scope of the prior express consent exception; and (3) the applicability of the “common carrier” exception to liability under the TCPA, the court granted a stay. Although the court has not lifted the stay, plaintiff recently filed a notice of decision from the FCC, and argued that as to GroupMe, the stay should be lifted, and the FCC’s rulemaking did not affect GroupMe’s liability. The court has not considered whether to lift the stay, but if plaintiff is correct, it looks like the lawsuit will go forward with respect to GroupMe. Interestingly, plaintiff did not seek to have the stay lifted as to Twilio.
__

I took a quick look at the FCC’s final regulations, and nothing in the rules offer much of an out for group text messaging services. With respect to the equipment used and the type of consent that is required, the final regulations do not seem to change much. Given the stringent nature of the TCPA rules (as articulated by Satterfield and other cases), those who send text messages are advised to procure consent through means other than the initial text message informing recipients that they can opt-out from receiving further texts. Also, this did not come through in the court orders resolving the claims against Disco or Twilio, but group texting services suffer from the flaw that they can be used by spammers, absent adequate validation measures. I haven’t seen a validation mechanism that is foolproof, and the best approach is to procure consent over the web or through some other means before any texts are sent (e.g., if you sign me up to receive texts, tell me to go to a website and validate my phone number, and only after this validation is complete should I receive texts). Courts seem warm to the idea that even the initial text saying people can opt-out from receiving further texts is sufficient to create TCPA liability, and nothing in the statute says otherwise.

The platforms may also have a viable section 230 defense if they provide "interactive computer services." Given the broad definition of interactive computer services, they should qualify, but only as to messages sent by third parties. The lawsuit against Slide is aimed at texts sent by the Slide service (arguably automated and triggered by other users of the services), so Slide probably has a tougher argument to make based on Section 230. To the extent the claims are based on text messages transmitted by customers, Section 230 should come into play.

Other coverage:

Jeff J. Roberts (PaidContent/Giga): "Spam Lawsuits Weigh On Twilio, Group Texting Apps"

Posted by Venkat at 05:30 PM | Spam

February 29, 2012

California Appeals Court Says Emails That Don't Identify Sender Violate State Spam Statute – Balsam v. Trancos

[Post by Venkat Balasubramani]

Balsam v. Trancos, Inc., 2012 WL 593703 (Ca. Ct. App.; Feb. 24, 2012)

It seemed like most emailers and anti-spam activists have moved on from worrying about spam email to other things, such as social networks, but a few disputes continue to linger. One of them involves Dan Balsam, of danhatesspam.com fame, who is a lawyer and self-proclaimed anti-spam activist.

Balsam sued Trancos in 2008, alleging that he received numerous unsolicited emails from Trancos. After a bench trial, the trial court awarded Balsam $1,000 in liquidated damages for each of seven emails. (Here’s the prior blog post on this case: "Plaintiff Wins $7,000 Following Bench Trial on Claims Under California Anti-Spam Statute -- Balsam v. Trancos.") The trial court also awarded Balsam $81,900 in attorneys' fees. The trial court rejected Balsam's claims under California's Consumer Legal Remedies Act and held that Trancos' CEO, Brian Nelson, could not be held personally liable. Trancos appealed, alleging that the emails did not violate California’s anti-spam statute (B&P 17529.5(a)(2)). Trancos also argued that Balsam’s claims were preempted by CAN-SPAM. On appeal, the appeals court rejects both of Trancos’ arguments. Balsam cross appealed on the trial court's resolution of the CLRA issue and rejection of personal liability to Nelson personally. The court also rejects Balsam's arguments on cross appeal.

Violations of Cal. Code Sec. 17529.5(a)(2)

Section (a)(2) makes it unlawful for anyone to advertise in an email sent from or to a California email address where the email “contains or is accompanied by falsified, misrepresented, or forged header information.”

According to the opinion, Trancos’ company sent out emails from various "nonsense" domain names (e.g., misstepoutcome.com; modalworship.com; moussetogether.com) that were registered to Trancos via a privacy proxy. The emails did not identify Trancos, but mentioned that if recipients wanted to opt-out, they could forward the emails to USAProductsOnline, or click on a link provided in the email. USAProductsOnline was not a separately existing entity, but it had registered a PO Box. Nelson, the CEO of Trancos, testified that he registered the domain using privacy protection services because he and Trancos had been harassed in the past.

The court focuses on whether the California Supreme Court’s decision in Kleffman v. Vonage, which construed section 17529.5(a)(2), lets Trancos off the hook here. (See "Use of Multiple (Even Random or Garbled) Domain Names to Bypass Spam Filter Does not Violate Cal. Spam Statute -- Kleffman v. Vonage.") Kleffman involved emails sent on behalf of Verizon using nonsensical or random domain names that were designed to evade spam filters. Kleffman made a variety of unsuccessful arguments why using garbled or random domain names constituted “misrepresentation.”

The appeals court distinguishes Kleffman, saying that in Kleffman, all of the emails were sent using domain names that were “traceable” to Vonage’s marketing agent. In contrast, in this case, the court says the emails were not traceable to Trancos because Balsam could not determine the identity of the sender using a "publicly available database," and thus Trancos' email had misrepresented header information. The emails listed "USAProductsOnline" as the sender and provided a street address for USAProductsOnline, but this turned out to be a PO Box, and Balsam had to subpoena the information provided to the PO Box company to obtain the information provided by USAProductsOnline. The court also distinguishes the Fourth Circuit's decision in Omega World Travel v. Mummagraphics saying that, in that case, the identity of the sender was readily obvious to the recipient, who had no trouble tracking down the sender.

Preemption Under CAN-SPAM

Trancos also argued that Balsam’s state law claims were preempted by CAN-SPAM. The court notes the split of authority in federal courts regarding whether CAN-SPAM preempts claims which fall short of common law fraud, or whether CAN-SPAM only preempts claims which do not involve “falsity or deception.” Citing to the California Appeals Court’s decision in Hypertouch v. Valueclick, the court says that claims which allege any sort of falsity or deception escape preemption under CAN-SPAM’s preemption clause. Balsam’s claims therefore aren't preempted.
__

The thrust of the court’s decision is that emails have to identify some actual person or entity they are sent by or on behalf of, whether in the “from line” or the email body. Emails that do not so identify themselves violate the statute. There are a few problems with this from my perspective.

First, it broadens the definition of “header information” to include not just the from line but also the body of the email. The California statute does not define “header information” but Kleffman looked to CAN-SPAM’s definition, which clearly talks about either the human or computer readable parts of the “from line.” The overall structure of CAN-SPAM lends weight to the view that the header information prong does not deal with information in the actual body of an email.

Second, it injects the element of concealment into the California statute. It’s fair to presume that if the legislature intended the statute to cover not just misrepresentations of facts regarding an email's origin but also concealment, the legislature would have made that explicit.

Third, the FTC rules interpreting CAN-SPAM allow the use of private mail boxes (that the sender registers with a commercial mail receiving agency established under US Postal Service regulations) to satisfy the requirement of listing the sender's street address. The FTC announcement of these regulations indicate that the regulation accommodates the two interests of (1) law enforcement being able to track down the sender (ostensibly with a subpoena) and (2) recipients being able to communicate with the senders (by sending paper correspondence). Not only is the issue of identifying the sender comprehensively regulated by CAN-SPAM, CAN-SPAM regs allow the practice Balsam complained about.

The court distinguishes Kleffman. but I wasn’t persuaded by this. Everyone agreed in Kleffman that the emails were fairly traceable to Vonage, but importantly, the emails were traceable not to Vonage directly, but to its “marketing agent.” Because the emails all identified Vonage (who was being advertised in the emails), it’s tough to say for sure, but as far as identifying the actual sender of the email, Kleffman says nothing more than that if the emails can be identified as having been sent by some entity (e.g., Vonage’s “marketing agent”), that’s sufficient. Here, the problem seems to have been that the entities identified in the emails as senders were not actual legal entities.

The court’s decision slams the use of private registration services in the context of email marketing. Balsam previously tried to hold Tucows liable for emails sent via a domain name registered (privately) through Tucows. (See "Domain Name Privacy Protection Services Not Liable for Failure to Disclose Identity of Alleged Spammer -- Balsam v. Tucows.") Balsam was not successful in that case, but the court’s decision here contains plenty of bad juju towards the use of private registration services.

Although the California Supreme Cout may have better things to do with its time, this looks like a good candidate for review so it can clarify the scope of Kleffman v. Vonage.

It's unclear how much mileage Balsam and company will get out of this ruling. As the court notes, several cases have held that claims such as this one are preempted, and it's a likely bet that Balsam's subsequent defendants would remove on the basis of preemption and try to get the claims dismissed on this basis. This is undoubtedly a significant ruling, but it's unlikely to open the floodgates for judgments against emailers.

Previous posts:

Plaintiff Wins $7,000 Following Bench Trial on Claims Under California Anti-Spam Statute -- Balsam v. Trancos
Use of Multiple (Even Random or Garbled) Domain Names to Bypass Spam Filter Does not Violate Cal. Spam Statute -- Kleffman v. Vonage
An End to Spam Litigation Factories?--Gordon v. Virtumundo
Fourth Circuit Rejects Anti-Spam Lawsuit--Omega World Travel v. Mummagraphics
Domain Name Privacy Protection Services Not Liable for Failure to Disclose Identity of Alleged Spammer -- Balsam v. Tucows

Posted by Venkat at 05:11 AM | Spam

February 21, 2012

Facebook Gets Decisive Win Against Pseudo-Competitor Power Ventures -- Facebook v. Power Ventures

[Post by Venkat Balasubramani, with comments from Eric]

Facebook, Inc. v. Power Ventures, Inc., et al., C 08-05780 JW (N.D. Cal.; Feb. 16, 2012)

The long-running dispute between Facebook and Power Ventures came to a close last week, with Judge Ware granting Facebook’s motion for summary judgment on Facebook's claims under CAN-SPAM, California Penal Code section 502, and the Computer Fraud and Abuse Act. The power.com domain name went up for auction in 2011 and it appears that the domain name was not owned by Power Ventures, the defendant in this lawsuit. The court deferred ruling on the liability of individual defendant Steve Vachani. [Update: see an update below regarding the ownership of the domain name and its relationship to this dispute.]

Facebook alleged that Power Ventures allowed Power.com users to access their Facebook profiles through Power.com’s interface, and also induced its users to send emails to other Facebook users telling them to try out Power.com. The specifics of how Power Ventures' conduct differed from other Facebook apps isn't entirely clear, although it is clear that Power Ventures did not participate in Facebook’s authorized developer program, and Facebook undertook some technical efforts to prevent the access of Facebook by Power Ventures and Power.com users. As with the enforcement efforts of many networks, Facebook’s approach here raises some questions as to how courts will view other similar efforts of people who are a part of the Facebook ecosystem. The big question Professor Goldman always raises--and I think is relevant here--is to what extent there may be blowback from this ruling to Facebook (or its partners) in other cases. The case also raised data portability issues and issues relating to the scope of California Penal Code section 502. Likely for this reason, EFF participated as an amicus.

CAN-SPAM

Standing: The first question regarding Facebook’s CAN-SPAM claims was whether Facebook had standing to sue. Citing Gordon v. Virtumundo, the court says that Facebook has standing under CAN-SPAM to the extent it can show that it suffered harm that is of the type “uniquely encountered by” providers of internet access services. Virtumundo said end users don’t have standing under CAN-SPAM, and end users cannot manufacture standing by casting themselves as ISPs. The plaintiff in that case signed up for hosting services provided by third parties and did not suffer any particular “adverse effects” from the spam, other than the annoyance of having to delete it. Here the court says that the evidence produced by Facebook demonstrates that it suffered unique adverse effects as an ISP: (1) Power.com users sent approximately 60,000 emails, and (2) Facebook undertook specific efforts to stop these emails. (The evidence offered by Facebook seemed equivocal as to whether it was directed to stopping unwanted communications from Power.com end users or whether Facebook was concerned with restricting Power Ventures' access of Facebook's networks. Facebook's enforcement efforts spilled over into both categories, but the evidence seemed more suited to a Computer Fraud and Abuse Act claim than a CAN-SPAM claim.)

Did Power Ventuers ‘Initiate’ the Messages: CAN-SPAM defines "initiate" to include those who “originate or transit” a message, or “procure” its origination or transmission. Routine conveyance of a message is excluded from the definition of initiate. Facebook argued that Power Ventures initiated the messages because it ran a contest for Power.com users signing up their Facebook friends (if you signed up more than 100 users, Power Ventures would pay you $100). The court concludes that this inducement is sufficient to categorize Power Ventures as one of those who “initiated” the messages, even though end users selected which friends would be emailed, and Facebook’s servers filled in the header information when the user requested an email to be sent.

Were the Emails Misleading: The final question with respect to the CAN-SPAM claims were whether the messages were misleading in any way. Power Ventures understandably argued that the messages were sent through Facebook, came from a Facebookmail.com email address, and therefore the messages could not contain any misleading header information. Power Ventures also argued that text of the messages contained information about Power.com, and Power Ventures could not have changed the headers of the emails because it did not have any control over the headers. The court says all of this is irrelevant:

[the] emails did not contain any return address, or any address anywhere in the e-mail, that would allow a recipient to respond to [Power Ventures]. Thus, as the header information does not accurately identify the party that actually initiated the e-mail within the meaning of [CAN-SPAM], the Court finds that the header information is materially misleading as to who initiated the email.

Whoa. The court does not cite to Mummagraphics, where the 4th Circuit rejected the same basic argument. (See "Fourth Circuit Rejects Anti-Spam Lawsuit--Omega World Travel v. Mummagraphics.") Mummagraphics' key holding is that in order to be actionable, an email header must be materially misleading, and if there the recipient would reasonably know where the email was coming from then there should be no CAN-SPAM violation. Here the emails were sent through Facebook's platform by end users, so Power Ventures has an even better argument than the defendant in Mummagraphics that the header information was not misleading.

California Penal Code Section 502

On the Section 502 issue, the court already ruled that access to a network in violation of the terms of use alone does not support a claim for unauthorized access under section 502, but access in circumvention of a “technical or code-based barrier” is enough. The court grants Facebook summary judgment on its claim under this statute. Although Power Ventures did not react to any particular measures and circumvent them, the software Power Ventures used to access Facebook’s site was designed to evade IP address blocks. Facebook also put forth a damning email from Power Ventures' founder that indicated awareness of the general need to access third party sites in a way that avoids IP address blocks:

We also need to do some planning to make sure we [access data from Orkut] in a way where we are not really detected. Possible rotating IP’s or something. Don’t really understand this too well. . . . . We need to plan this very carefully since we will have only one chance to do it.

[Ouch!] In granting summary judgment, the court says there is no reason “to distinguish between methods of circumvention built into a software system to render barriers ineffective and those which respond to barriers after they have been imposed.”

Computer Fraud and Abuse Act Claim

The court also grants summary judgment on the Computer Fraud and Abuse Act claim, finding that the access of Facebook’s servers by Power Ventures was “without authorization,” and Facebook satisfies the $5,000 damage threshold.
__

This case looked like it was teed up to highlight a data portability issue and the question of whether Facebook can keep third parties who don’t go through its authorized developer channels but who act at the request of end users out of its network. The court’s decision gives short shrift to both of those issues. There is probably not much precedent to the contrary (if any), but Power Ventures' access of “information” from Facebook’s servers was ostensibly done at the request of Facebook end users, and the information that Power Ventures extracted was the contact information (friend lists) of Facebook end users. Thus, Facebook's allegations regarding Power Ventures' actions shouldn't in theory come within the Computer Fraud and Abuse Act. True, there were some additional facts which made Power Ventures' arguments tougher from an optics standpoint, but the end result is that if users want to access data, they have to do so on Facebook’s terms, and may not do so using a third party tool that is not a part of Facebook’s developer platform. (To my knowledge, the Computer Fraud and Abuse Act as written does not look to whose data is accessed, so the statute allows the result achieved by Facebook in this case.)

The CAN-SPAM ruling is remarkable--and screwy--on a number of levels. Several courts have ruled that emails sent through networks (such as MySpace or Facebook) are covered by CAN-SPAM, but those decisions did not confront the practical issue of how an emailer can comply with CAN-SPAM with respect to emails that are sent by an end user via a network such as Facebook--i.e., where those who "initiate" a message cannot alter the content of the messages. (See "N.D. Cal.: Facebook Posts are Electronic Mail Messages, Subject to CAN-SPAM -- Facebook v. Maxbounty.") I wonder whether Facebook considered the practical aspects of this ruling: retailers who send messages through Facebook are not CAN-SPAM compliant! End users don’t have standing to sue, but retailers and companies who induce end users to send messages through their friends can be considered to "initiate" these messages, and under the court’s ruling, since the messages come from Facebook (via facebookmail.com) and do not contain the retailer's header information, these message are materially misleading under CAN-SPAM.

Update: I originally speculated whether Facebook would try to go after the power.com domain name or the proceeds of the auction. Via email, Scott Smith, the CEO of RokME Inc., who is brokering the sale of the power.com domain name, reminded me that the power.com domain name was leased to Power Ventures and therefore the domain name is not a part of this dispute:

Several years ago Power Assist Inc. the owner of Power.com leased the domain to Power Ventures Inc. During the course of the lease Power Ventures Inc. operated Power.com as a social network aggregation site and did some things that Facebook disagreed with. At that time Facebook sued Power Ventures Inc. and by association, Power.com was noted in the filings. That is the only connection.

The lease on the domain Power.com ended last February. Once the lease ended the owner was free of any further obligations and decided to sell the domain. My company - RokMe Inc. was hired to broker the sale. . . .

Since that time there has been no connection with Power Ventures Inc. or its owner Steve Vachani. It has taken this long for the case to wind its way through the courts and because of the earlier association, the domain Power.com was unfortunately caught up in the web of their legal wrangling.

_____

Eric's Comments

Ugh. Bad facts make bad law, and this case has plenty of badness to go around. Power Ventures was a lousy poster child for a test case on data liberation. Yet, the court's results are troubling for everyone--including Facebook!--and I can only hope future courts recognize the opinion's goofiness when deciding whether to accord it any weight.

The CAN-SPAM ruling is the most troubling. Running through the elements tendentiously, the judge finds a technical violation of the CAN-SPAM elements, but this element-by-element review leads to a tone-deaf outcome overall. Stripping away the detail, users were using Facebook's messaging tools to talk with each other. Sure, Power Ventures was interested in that conversation and facilitated it in a number of ways, but calling Power Ventures a spammer because users talked to other users is baffling. It's a little like the misguided underpinnings of the FTC Endorsement and Testimonial Guidelines; this case similarly treats Power Ventures like an "advertiser" and thus makes it liable for how users talked to each other. Huh?

As Venkat points out regarding retailers, this ruling could set up other Facebook users for a similar fate if they get Facebook users to use Facebook's native tools to talk to each other. This could be counterproductive for Facebook's long-term interests if businesses (and others) start to fear that Facebook now has the discretion to sue them as a spammer whenever it wants.

Similarly counterproductive to Facebook's interests is the expansive interpretations of the CFAA and Penal Code 502. Facebook grabs a lot of content from third parties without permission--for example, every time a user posts a link, Facebook grabs and republishes snippets of the linked page without permission. Is that a CFAA/502 violation BY FACEBOOK? Facebook might have other defenses, but it seems to have negated any "we're just a proxy for the users" defense. Because I'm a cyberlaw purist, I hope Facebook doesn't get hoisted on its own petard; but if it ever does happen, it will be hard to suppress a slight schadenfreude smile.

Clearly, though, Facebook is signalling that it won't download email addresses from third party sources like Gmail without the third party's permission--like for its "find a friend" feature. After all, even if Facebook has the user's permission to access the user's own data, that's legally meaningless without the data source's permission as well. The net result is that data sources can erect fences around user data despite the user's wishes.

Indeed, the most tone-deaf aspect of the ruling is the anti-competitive backdrop to Facebook's enforcement action, which doesn't even get a nod from this opinion. Personally, I would not have trusted Power Ventures with my personal data, so losing them as a competitive option is no big deal to me. Facebook positions this case about user protection. Their formal statement: "We are pleased that the court ruled in our favor. We will continue to enforce our rights against bad actors who attempt to circumvent Facebook's privacy and security protections and spam people," said Craig Clark, Lead Litigation Counsel, Facebook. But I don't find it all that credible that Facebook was motivated solely by a desire to protect us as users from a dangerous Power Ventures (Indeed, I believe Power Ventures could have sucked down an immense amount of user data through Facebook's APIs with, at most, minimal oversight by Facebook). The other obvious possible motivation: Facebook didn't like Power Ventures competition, so it shut down Power Ventures' access to Facebook's users. With its massive leadership in its niche, it seems only a matter of time before antitrust regulators start sniffing around Facebook. Its enforcement action against Power Ventures probably won't spur that, but Facebook will have to tread cautiously with future blatant shutdowns of competitors.

Posted by Venkat at 11:30 AM | Privacy/Security , Spam , Trespass to Chattels

January 04, 2012

Nov.-Dec. 2011 Quick Links, Part 3

By Eric Goldman

Marketing and Advertising

* Facebook is putting Sponsored Stories in user newsfeeds. Naturally, they will make the ad label almost invisible. Yet another reason to hate Facebook, and what a desperate act of financial overreaching to goose their IPO. FWIW, I absolutely hate that Twitter does the same thing. It's terribly marked as an ad, and it takes me more time than it should to figure out why it's appearing in my stream. Boo for Twitter, and boo for Facebook.

* Then again, not all Twitter ads are objectionable. The most popular tweet of 2011? An ad from Wendy’s.

* Interesting NAD decision involving Coastal Contacts' offer of "free" glasses in exchange for Facebook likes. Compare the subsequent ruling in Fraley v. Facebook.

* Top 10 PR Blunders of 2011.

* FTC does another bust of health marketers who allegedly used affiliates to create fake news sites. Prior blog post.

* Rebecca reports on a lawsuit over marketing that chickens were “raised humanely.” Note to meat eaters: there's no such thing as mass-raising of animals "humanely" for our food consumption. Invariably, meat-eaters who actually take the effort to understand the process of manufacturing meat decide to reduce their meat consumption.

* NYT on caller ID spoofing. The FTC just announced another bust on this front.

* AdAge: FDA's Social-Media 'Guidelines' Befuddle Big Pharma.

* Yahoo Inc. v. XYZ Companies, 2011 WL 6072263 (S.D.N.Y. Dec 5, 2011). Yahoo gets a huge and uncollectable default judgment of $610M under CAN-SPAM against Nigerian spammers.

* Adware déjà vu: Facebook bitches about adware. Prior blog post.

* A table manufacturer tinkers with his AdWords account and discovers a correlation between AdWords and clicks on his organic links (1, 2). Prior blog post.

* Pom loses a jury trial against Ocean Spray over false advertising.

* Washington Post: An inside look at the world of TV news payola/“plugola.”

* Ad Naseum on reverse product placement, i.e., manufacturing virtual brands created for TVs and movies.

* NYT: In China, car brands have very different meanings to consumers than they do in the US (except for BMW, where the brand attributes are surprisingly the same).

* Cracked: 5 Black Friday Myths The Media Wants You to Believe.

Privacy

* In re Facebook Privacy Litigation, 2011 WL 6176208 (N.D. Cal. Nov. 22, 2011). Prior blog post. Judge Ware dismisses the Facebook/Zynga referrer ID case with prejudice. Wendy Davis' coverage. It appears the plaintiffs have appealed (sub nom Graf v. Zynga) to the Ninth Circuit.

* Facebook will make 45 privacy-related changes—almost none of them “important”—to appease the Irish Data Protection bureaucrats.

* Mark Zuckerberg has extensive experience apologizing to Facebook users for Facebook's privacy transgressions.

* USA Today on how Facebook tracks user activity at websites other than its own.

* Cohen v. Facebook appealed to the Ninth Circuit. I'm not sure how the Fraley v. Facebook ruling affects this. Prior blog post.

* Interesting visualization of Facebook’s creeping degradation of privacy for user-provided info.

* In the Matter of ScanScout, Inc., FTC File No. 1023185:

According to the FTC complaint, from at least April 2007 to December 2010, ScanScout’s website privacy policy discussed how it used cookies to track users’ behavior. The privacy policy stated, “You can opt out of receiving a cookie by changing your browser settings to prevent the receipt of cookies.” However, changing browser settings did not remove or block the Flash cookies used by ScanScout, the FTC charged. The claims by ScanScout were deceptive and violated the FTC Act, the complaint alleged.

* FTC bust of Skid-e-Kids for COPPA violations.

* Another cookie litigation settlement where the lawyers get almost all of the settlement value. PaidContent and MediaPost coverage.

* Weber v. Google, over Google toolbar snooping, was quietly dropped.

* Incorp Services, Inc. v. Does 1-10, 2011 WL 5444789 (N.D. Cal. Nov. 9, 2011). The court orders unmasking of alleged click fraudders:

By tracking the clicks over the course of several weeks and narrowing a substantial portion of the activity to only two IP addresses—both owned by the same ISP—Incorp has provided sufficient information to indicate that the responsible parties are “real person(s)” who may be sued in federal court. Incorp also has demonstrated that it took reasonable steps to identify Defendants. Because information pertaining to the assignee of an IP address is maintained by the third-party ISP, the only way in which Incorp is able to identify definitively the parties associated with the suspect IP addresses is by subpoena to the ISP.

* In re Application of the USA for an Order Pursuant to 2703(d), 1:11-dm-00003-TCB –LO (E.D. Va. Nov. 10, 2011). No Fourth Amendment privacy protection for IP addresses.

* NYT provides yet another update on some European regulators' efforts to kill Silicon Valley.

* Peter Fleischer: Harsher data protection sanctions are coming.

Contracts

* Stebbins v. Texas, 2011 WL 6130403 (N.D. Tex. October 24, 2011). Another court calls David Stebbins’ attempt to manufacture an arbitration award “frivolous,” saying “his factual assertions that the alleged contract was formed when Plaintiff sent an e-mail to Defendant with a blog link and a dollar bill describe fantastic or delusional scenarios that are clearly irrational and incredible.” Prior blog coverage (1, 2).

* Garon v. eBay, Inc., 2011 WL 6329089 (N.D.Cal. Nov. 30, 2011). No antitrust claims for vendors who eBay terminated for low ratings. I think eBay should have been able to use 47 USC 230(c)(2) (not discussed by the judge).

* Fadal Machining Centers, LLC v. Compumachine, Inc., 2011 WL 6254979 (9th Cir. Dec.15, 2011). In a B2B context, enforcing an arbitration clause posted to the web that was incorporated by reference in the vendor’s invoices.

* Spam Arrest v. Marketingesquire complaint: Spam Arrest sues an email marketer for violating its TOS by sending "spam."

* Wofford v. Apple Inc. (S.D. Cal. Nov. 9, 2011). Free software update to iPhone software did not constitute a "tangible good or service" for California CLRA purposes.

* How plaintiff firms are adapting to Concepcion.

* WSJ: Are We All Online Criminals?

Posted by Eric at 03:04 PM | Marketing , Privacy/Security , Spam | TrackBack

December 23, 2011

Old School Spam Plaintiff Rebuffed in the Ninth Circuit

[Post by Venkat Balasubramani]

Gordon v. BMG Columbia House, 10-35180 (9th Cir. Nov. 28, 2011)
Gordon v. Inviva, 10-35283 (9th Cir. Nov. 28, 2011)
Gordon v. Commonwealth Mktg. Group, 10-35030 (9th Cir. Nov. 28, 2011)

James Gordon has generated more than a few blog posts as a result of his quixotic quest to hold bulk emailers liable under CAN-SPAM, despite not fitting within the categories of persons or individuals who have standing under that statute to bring private causes of action. He was the plaintiff in the Virtumundo case, in which the Ninth Circuit rejected his claims and effectively put an end to the budding spam litigation cottage industry. ("An End to Spam Litigation Factories?--Gordon v. Virtumundo"; "CAN-SPAM Defendant Awarded $111k in Fees/Costs--Gordon v. Virtumundo.") Following Virtumundo, Gordon was the subject of some collections efforts, where he may have lost his home and belongings. (DirectMag: "Anti-Spammer Loses More than His Lawsuit.")

It turns out, despite his stunning string of failures in court, Gordon is still at it! But he doesn’t seem to be making much progress. The Ninth Circuit recently rejected his appeal in three pending cases. Proceeding pro se, Gordon appealed three district court grants of summary judgment against him. In all three cases, the court affirmed the district court judgments on the basis that Gordon lacked standing to sue under CAN-SPAM and his claims under Washington’s spam statute were preempted. He brought a few additional state law claims (consumer protection act, breach of contract) but the court doesn't give those more than a cursory sentence.

Virtumundo, along with Mummagraphics, the two leading appellate cases construing CAN-SPAM preemption, left a small window available to spam plaintiffs. There has been some attempts by plaintiffs to advance state law claims in California ("CA Appeals Court: Claims Under State Spam Statute Not Preempted by CAN-SPAM"; "Plaintiff Wins $7,000 Following Bench Trial on Claims Under California Anti-Spam Statute"), but for the most part, plaintiffs suing under state anti-spam laws have been shut down elsewhere.

Posted by Venkat at 04:42 AM | Spam

December 12, 2011

Text Spam Lawsuit Against Citibank Moves Forward Despite Vague Allegations of Consent -- Ryabyshchuk v. Citibank

[Post by Venkat Balasubramani]

Ryabyshchuk v. Citibank, 11-cv-1236 - IEG (S.D. Cal.; Nov. 28, 2011)

Plaintiff alleged that he contacted Citibank and inquired about a credit card. Later that day, he alleged he received the following unsolicited text from Citibank:

Free Text Msg: Citi Cards needs to talk with you regarding your recent application. Please call 866-365-8962. To Opt-Out reply STOP.

Plaintiff replied "STOP" and alleged that he received the following from Citibank:

Free Text Msg: Per your request you will no longer receive text alerts from Citi Cards Credit Dept. If you have any questions call 866-365-8962.

Plaintiff sued for violations of the Telephone Consumer Protection Act, seeking statutory damages ($500 per text) and treble damages. Citibank moved to dismiss.

The court says that text messages are "calls" within the meaning of the TCPA, and any text sent with equipment which has the capacity to store or produce telephone numbers using a random or sequential number generator falls within the TCPA. (See Satterfield v. Simon & Schuster.)

Citibank argued that plaintiff "consented" to the text and first relied on plaintiff's initial complaint where he alleged that he "provided his cell phone number" to Citibank in connection with the credit card application. Plaintiff amended his complaint to avoid any implication that he provided his number, instead alleging the second time around that he "contacted Citibank ... by telephone" in connection with a possible credit card. The court says that plaintiff should be allowed to revise his pleadings and there is nothing in the rules which prohibit plaintiffs from making inconsistent or even contradictory allegations in successive pleadings.

Citibank also relied on two FCC pronouncements to argue that plaintiff consented. The FCC stated in 1992 that people who "knowingly release their phone numbers have . . . given their invitation to . . . be called . . . absent instructions to the contrary." The FCC also stated in a 2008 ruling that calls to wireless numbers "in connection with an existing debt" fall under the 'prior express consent' exception to the TCPA. Specifically, the FCC stated:

the provision of a cell phone number to a creditor, e.g., as part of a credit application, reasonably evidences prior express consent by the cell phone subscriber to be contacted that that number regarding the debt.

The court says that it's unclear at the pleading stage whether plaintiff released his number "knowingly," and what limitations he attached to the release of his number. The court also says that the FCC has recognized the burden consumers may face in proving that they did not provide consent, and thus senders should bear the evidentiary burden of showing that consent was provided. Given the state of the pleadings, the court says the consent issue is better suited for adjudication at the summary judgment stage, rather than the pleadings stage.
__

Ouch. Not only does the initial text violate the TCPA (in the absence of consent), even the text which confirms Ryabyshchuk would not receive any further text messages can violate the statute.

The rules governing unsolicited text messaging leave little room for those who send unsolicited texts. Despite the texts relating to a proposed transaction which plaintiff admitted he contacted Citibank about, and despite Citibank apparently honoring plaintiff's opt-out request, Citibank may still be on the hook! Relying on a check-the-box opt-in that says "please send me text messages regarding various topics to XXX-XXX-XXXX" would seem to be the prudent choice. The defense that the recipient provided a phone number in the course of a proposed transaction does not insulate Citibank here. Although Citibank may ultimately prove consent, the fact that it was unable to get rid of the lawsuit at the pleading stage means that it has to deal with the expense of discovery and summary judgment.

The odd thing about this case is that Ryabyschuck obviously anticipated or implicitly requested additional contact with Citibank. He filled out a credit card application and included his phone number. Citibank would have to comply with certain restrictions, but it could have avoided the prospect of liability by calling Ryabyshuck on the phone. Because it chose to text him--which some would say is less intrusive--Citibank got tagged with a lawsuit.

Posted by Venkat at 12:58 PM | Spam

October 13, 2011

Court Dismisses Lawsuit Under Michigan Spam Statute Based on Preemption and Lack of Standing -- Hafke v. Rossdale Group, LLC

[Post by Venkat Balasubramani]

Hafke v. Rossdale Group, LLC, 11-cv-220 (W.D. Mich.; Oct. 7, 2011)

Hafke described himself as someone who is "attempting to stop Spam in Michigan." He sued Rossdale, a continuing legal education provider, complaining about six unsolicited email messages he received from Rossdale, and alleging that these emails violated Michigan's spam statute.

Rossdale removed the lawsuit to federal court, arguing that the claims are preempted by CAN-SPAM. On a motion to remand, the court agrees with Rossdale, and finds that the lawsuit belongs in federal court. For good measure, the court dismisses the case.

Michigan's anti-spam statutes (sections 445.2503 and 445.2504) contains a mix of elements from other state statutes. Although the statute prohibits misrepresentation of the point of origin or the transmission path of an email, the court notes that the statute does not "set a materiality standard for misrepresentation." Spam preemption cases have found that in order for a state spam claim based on misrepresentation to escape CAN-SPAM's preemption, the misrepresentation must be material. (See Eric's post on Omega World Travel v. Mummagraphics, "Fourth Circuit Rejects Anti-Spam Lawsuit," for background on this.) Because plaintiff did not allege any misrepresentations in the email that were material, the court finds the claims preempted:

The technical violations regarding header, sender, and opt-out information that Plaintiff alleges as violations of the Michigan statute are not allegations of materially deceptive actions. His allegations are thus subject to preemption under CAN-SPAM.

After finding that the claim are preempted, the court dismisses the lawsuit for lack of standing. CAN-SPAM creates standing for a discrete group (other than agencies): providers of "Internet access services" who have suffered "adverse effects" as a result of the spam. Citing to Virtumundo, the court concludes that plaintiff does not have standing under CAN-SPAM.
__

Ouch. A dismissal that is more or less sua sponte is rough, but it's an understandable reaction from the court given the circumstances. Case law established CAN-SPAM preemption standards years ago. While interesting preemption questions linger around the edges, the plaintiff in this case did not come close to alleging claims that escaped CAN-SPAM's broad preemption clause. Unsophisticated spam plaintiffs should take note that CAN-SPAM allows for an award of attorney's fees.

Eric mentioned that Virtumundo marked an end to spam litigation factories, and it mostly did. There have been a few cases in California where litigants continue to hash out causes of action under state spam statutes (see Hypertouch v. Valueclick and Balsam v. Trancos) but in most other jurisdictions, plaintiffs have had no luck.

Related posts:

Claims that Emails were not Labeled as Ads and did not Disclose Tracking Preempted by CAN-SPAM -- Martin v. CCH
Jury Rejects Lawyer's Claims Under DC's Anti-Spam Law -- CyberLaw v. Thelaw.net

Posted by Venkat at 03:43 PM | Spam

October 12, 2011

Spam Claims Covered by Contract's Indemnity Clause--Commonwealth Marketing Group v. IMG Assocs.

[Post by Venkat Balasubramani]

Commonwealth Mktg. Group v. IMG Assocs., 08-5074 (W.D. Wash. Sept. 28, 2011)

Commonwealth Marketing asserted claims for indemnification against IMG Associates, for underlying claims brought by prolific spam plaintiff James Gordon. Among other cases, Gordon is famous for litigating the Virtumundo case, which ended with the dismissal of his claims on standing and preemption grounds. See Eric's post titled "An End to Spam Litigation Factories?" for more background.

IMG provided marketing services to Commonwealth. The agreement between the parties contained an indemnification clause, which in relevant part read as follows:

IMG shall indemnify, defend (with legal counsel reasonably acceptable to [IMG]) and hold CMG . . . harmless at all times after the Effective Date of this Agreement, from and against and in respect of, any liability, claim, deficiency, loss, damage, penalty, or injury . . . suffered or incurred by CMG . . . arising from (i) any breach or default on the part of IMG . . . , (ii) any act outside the scope of IMG's duties . . ., (iii) any breach by IMG . . . of the CAN-SPAM Act of 2003 . . ., (iv) any misrepresentation by, or breach of any covenant or warranty of IMG contained in this Agreement . . .

IMG argued that since Gordon's claims turned out to be meritless, they were not covered by the indemnification clause. The court disagrees, and says:

the duty to defend arose when Mr. Gordon alleged statutory violations of the CAN-SPAM Act; the merit of those claims is irrelevant.

It was undisputed that Gordon's claims were premised on emails sent by IMG--the emails produced by Gordon in discovery indicated they were sent by IMG. End result: judgment in favor of Commonwealth in the amount of $131,938.93, the fees incurred by Commonwealth in defending against Gordon's claims (which were ultimately dismissed for lack of standing).
__

The indemnification clause did not obviously cover Commonwealth's claims for indemnification, and it's not surprising that IMG refused the initial tender. Indemnitors often refuse to accept a tender regardless of what the contract actually says. The indemnification clause in this case was tied to IMG's breach of IMG's contractual obligations, a representation or warranty, or "a breach . . . of . . . the CAN-SPAM of 2003." A catch-all clause which offered Commonwealth protection from "any third party claims alleging that IMG's marketing efforts violated applicable laws or third party rights" would have more clearly protected Commonwealth, but the court did not put the indemnification clause at issue under a microscope.

Gordon and other spam plaintiffs must have left a sea of similar indemnification claims in their wake. Fees are available in CAN-SPAM cases, but collecting against the likes of Gordon is no easy task. (See Serial Anti-Spam Lawsuit Filer Loses Appeal... And His Possessions.) A contract's indemnity clause does not often trigger an indemnity obligation, so Commonwealth has to feel good about this result.

Posted by Venkat at 03:45 PM | Spam

September 28, 2011

In Facebook's Lawsuit Against Alleged Spammer, Court Denies MaxBounty's Motion to Dismiss

[Post by Venkat Balasubramani]

Facebook v. MaxBounty, 10-Cv-04712 (N.D. Cal. Sept 14, 2011)

Facebook is suing MaxBounty for allegedly running an affiliate network which dupes people into fanning Facebook pages, promoting the page to their friends, and signing up for third party offers, all based on the promise of free items. Facebook brought a variety of claims, including common law fraud, CAN-SPAM, and the Computer Fraud and Abuse Act. The court previously found that Facebook wall posts can be considered "electronic mail messages" and thus are subject to CAN-SPAM. (Here's my post on this ruling: "N.D. Cal.: Facebook Posts are Electronic Mail Messages, Subject to CAN-SPAM.") However, the court said that Facebook had to be more specific regarding some of its allegations. This time around, the court finds that Facebook's allegations are sufficiently specific, and denies MaxBounty's motion to dismiss.

Fraud claims: Facebook alleged that MaxBounty's affiliate manager knew of and encouraged an affiliate that offered a free IKEA gift card. The affiliate manager allegedly provided technical assistance, assured the affiliate that the affiliate's actions were kosher and, when the affiliate expressed hesitation, offered the affiliate $30,000 to continue. Interestingly, the court doesn't quite specify what the fraudulent statements were and who was deceived by them. In some ways, this case is somewhat reminiscent of the Reunion.com case involving an alleged "spam a friend" scheme, while that case addressed the issue of whether claims under California's spam statute were preempted by CAN-SPAM. One other difference is that in this case, Facebook is the one bringing the fraud claims and it's unclear how Facebook has been duped. The court allows the fraud claim to go forward and also allows claims for aiding and abetting the fraud and for conspiracy.

CAN-SPAM claims: MaxBounty argued that Facebook's allegations fail to make out a claim that MaxBounty "procured or induced" the transmission of messages at issue. MaxBounty also argued that Facebook failed to specify how the messages at issue contained materially false header information. The court rejects these arguments, noting that the messages sent as part of the campaign do not identify MaxBounty as "the initiator" despite the fact that MaxBounty "initiated the messages by inducing Facebook users to execute malicious computer code that cause[d] messages to be sent automatically to all of their Facebook 'friends'."

Computer Fraud and Abuse Act claims: The court refuses to dismiss the CFAA claim, finding that access in violation of the stated restrictions (with a predicate act) can violate the Computer Fraud and Abuse Act. MaxBounty argued that because Facebook granted MaxBounty permission to access the site, MaxBounty did not engage in any "unauthorized access," but the court says no (citing to U.S. v. Nosal).
__

There are some interesting issues raised in the three claims discussed in the court's order, but since this lawsuit involves a large network trying to police against alleged spam, the court doesn't give MaxBounty's arguments a detailed treatment they may have otherwise deserved. As in many other cases where networks try to shut down interlopers, the causes of action end up being stretched pretty thin.

In the prior post, I mentioned that treating Facebook messages as email messages that are subject to CAN-SPAM does not necessarily jibe with the statute or its requirements. The court says that "none of the messages in question [identified] MaxBounty as the initiator." The court is not specific about what types of Facebook messages were involved, but it's possible to see the practical limitations of including this type of a notification on a Facebook message. This is one of the potential problems with calling messages on social networks "electronic mail messages" that are subject to CAN-SPAM.

The CFAA claims similarly push the envelope. Terms of use-based CFAA claims are widely recognized as being overly broad and encapsulating innocent conduct. (Facebook users better watch out!) Senators Franklin and Grassley recently proposed an amendment that would, among other things, remove access in excess of terms of use from the definition of "exceeding authorization." The court also does not get into the issue of whether MaxBounty can be held liable for the CFAA violations of third parties, a proposition that does not have clear support in the text of the statute or the case law.

Another thing to consider is that Facebook is a platform, and will be subject to attacks from third parties that seek to hold Facebook liable for the actions of third parties in its ecosystem. Could Facebook's overly broad legal arguments come back to haunt it? Mike Masnick makes a similar point about Craiglist's enforcement efforts here: "Craigslist Trying To Destroy The Life Of Someone Who Made Posting To Craigslist Easier." Facebook has ample legal hooks to go after rogues on its network, and it may want to think twice about going in with guns blazing and creating bad precedent in the process.

Posted by Venkat at 07:59 AM | Marketing , Spam , Trespass to Chattels

September 08, 2011

Lawyer Hit With $4.2 Million Judgment in Junk Fax Class Action -- Holtzman v. Turza

[Post by Venkat Balasubramani]

Holtzman v. Turza, 08 C 2014 (N.D. Ill. Aug. 29, 2011)

Apparently reports of the fax machine's death are greatly exaggerated. People still use fax machines.

Holtzman sued Turza for receiving unsolicited faxes. The court certified the lawsuit as a class action, and granted Holtzman's motion for summary judgment as to two issues: (1) the faxes in question were "advertisements" under the TCPA, and (2) the defendant would be liable for all faxes received on a "target list."

After conducting some discovery, Holtzman files a motion for summary judgment, largely directed at damages. Holtzman takes the deposition of Michael Richard, the CFO of VillageEDocs, which is a parent company to MessageVision, the service used by Turza to send out the faxes. Richard testifies as to the approximate number of faxes he sent out on behalf of Turza, what portion of faxes sent to the "target list" were reliably transmitted, and how much he billed Turza. It turns out MessageVision sent out 8,430 faxes. At $500 in statutory damages per fax, this amounts to a damage award of $4,215,000.

Turza raised a few arguments in opposition to Holtzman's motion, but the court isn't very impressed by any of them. Turza argued that because Richard is a CFO and not a technical expert, his testimony as to fax transmission rates was not reliable. The court finds this objection curious, since Turza himself relied on the "until-now unquestioned integrity of MessageVision's system to compute the number of successful fax receipts that resulted in the charges paid by [Turza]." Turza relied on new testimony from his expert but the court finds this evidence untimely and insufficient to create a factual dispute as to Richard's testimony. Turza also argued that there was no evidence that the class members did not consent to the faxes, but this was contradicted by Turza's own testimony that he did not procure consent from any of the recipients. Turza also raises the issue of whether class members owned the fax machines to which the faxes were sent. The court says that this does not preclude summary judgment, although it's something that may bear on the individual damage award to class members.

Finally, Turza also sought to decertify the class and argued that the imposition of a $4 million award violates Due Process. As to the certification issue, Turza argues that there are other methods to adjudicate the dispute, namely that the individual class members could pursue their own claims in small claims. The court says that even if a chunk of class members have sizeable claims (e.g., those amounting to $10,000 or more) this would not mean that a class action "would be less fair or efficient than individual litigation." Since statutory damages are at issue, TCPA claims are "arguably best suited" to class resolution.

With respect to Turza's due process argument, the court notes that the class award is not excessive because of the risk of Turza having to declare bankruptcy. Turza had insurance policies in place, and these policies should cover the awards at issue. The bulk of the bill will be borne by the insurance company and not by Turza at all!

This would be a pretty unremarkable case, except for the fact that the faxes were actually newsletters that were written on behalf of a lawyer. Here is Eric's previous post on the case: "Ghostwritten Attorney Newsletter is an "Ad" for TCPA Junk Fax Law Purposes." Professional courtesy aside, it's pretty scary that sending out a bunch of faxes which contained editorial but ghostwritten content can put you at risk of an award for four million dollars. Fortunately for Turza, his insurance company may end up footing the bill.

A big takeaway from this case is that it's risky behavior to send out marketing communications to lists that you have bought. I guess it also illustrates one of the many perils of using ghostwritten content.

Posted by Venkat at 02:51 PM | Marketing , Spam

September 02, 2011

Seventh Circuit Awards e360 a Whopping $3 in Damages Against Spamhaus -- e360 v. Spamhaus

[Post by Venkat Balasubramani]

e360 Insight, Inc. v. The Spamhaus Project, 10-3538 & 10-3539 (7th Cir. Sept. 2, 2011)

The lawsuit between e360 and Spamhaus was a long-running, tortured affair, and it looks like it finally came to a close. With e360 being awarded a whopping $3 in damages against Spamhaus. (Here's a link to Ars Technica's recap of the oral argument, where Judge Posner blasted e360's counsel: "This is just totally irresponsible litigation . . . .You can't just come into a court with a fly-by-night, nothing company and say 'I've lost $130 million.'")

Background: e360 sued Spamhaus, a UK entity, for damages allegedly resulting from being identified as a "known spammer." It sued Spamhaus for tortious interference and defamation. Spamhaus removed to federal court and asserted lack of personal jurisdiction. It then withdrew its answer and decided that it did not wish to defend against e360's claims. e360 sought and obtained a default judgment, and the district court granted e360's request for damages and awarded e360 $11,715,000 in damages. Spamhaus moved to set aside the judgment, and when this request was refused, appealed to the Seventh Circuit. The Seventh Circuit affirmed the default judgment but remanded for a proper determination of damages.

Back at the district court, e360 was left with the task of proving up its damages, but it suffered a slew of discovery foibles. e360's principal failed to appear for his deposition as scheduled and failed to respond to Spamhaus's interrogatory requests. Spamhaus moved to dismiss on the basis of e360's discovery failures, and the trial court gave e360 another opportunity to address the discovery issues. e360 supplemented its previous responses but added a slew of new witnesses. It also increased its damages estimate from $11.7 million to a "whopping $135 million." It also sought to reopen discovery. The trial court said no dice and struck the new witnesses listed by e360 and struck e360's requested damage award to the extent it exceeded the initial $11.7 million request. After a bench trial on damages, the trial court awarded e360 "a mere $27,002, a far cry from the millions of dollars that e360 sought." Both parties appealed.

Discussion: The Seventh Circuit affirmed the district court's sanction (of striking the new request for damages and the newly listed witnesses), finding that the district court exercised its discretion "with considerable restraint." It also affirmed the district court's exclusion of a spreadsheet prepared by e360's principal which listed e360's damages at $135,173,577. (The week before trial e360 revised this number to $122,271,346.) The Seventh Circuit also affirmed the district court's exclusion of the bulk of the testimony on e360's behalf:

The district court gave Linhardt's testimony no weight because he was not credible.

Finally, the court gets to the actual damage award of $27,000. The district court cited to Linhardt's testimony regarding contracts with three customers who collectively paid e360 $27,000 per month for services performed. As a result of Spamhaus's actions, the district court found that e360 lost these contracts. Spamhaus argued on appeal that it was not appropriate for the district court to award the entire contract amounts as this amount represented revenue rather than profit. The Seventh Circuit agreed, saying that although Linhardt may have adduced credible testimony as to these three contracts, e360's failure to put forth any evidence on what portion constituted profits versus overhead was fatal to the damage award.

Ultimately the court ends up awarding nominal damages as to the three claims raised by e360, for a whopping award of three dollars:

By failing to comply with its basic discovery obligations, a party can snatch defeat from the jaws of certain victory. After our earlier remand, all e360 needed to do was provide a reasonable estimate of the harm it suffered from Spamhaus's conduct. Rather than do so, however, e360 engaged in a pattern of delay that ultimately cost it the testimony of all but one witness with any personal knowledge of its damages. That lone witness lost all credibility when he painted a wildly unrealistic picture of e360's losses. Having squandered its opportunity to present its case, e360 must content itself with nominal damages on each of its claims, and nothing more.

Ouch.
____

Spamhaus ended up traveling the long road and ultimately defeating e360, but it's nice to see it prevail. As the Holomaxx v. Yahoo and Microsoft cases indicate, lawsuits brought by emailers against ISPs or filtering services face a long and uphill road, which should lead to a dead end. ("Bulk Emailers (Mostly) Lose Three 47 USC 230(c)(2) Rulings--Holomaxx v. Microsoft/Yahoo & Smith v. TRUSTe;" "Court Affirms Robust ISP Protection For Blocking Bulk Emails -- Holomaxx v. Microsoft/Yahoo.")

Previous posts:

Judge Kocoras Cuts Down $11MM Award Against Spamhaus to $27,000 -- e360 v. Spamhaus

[h/t Mickey Chandler]

Posted by Venkat at 12:10 PM | Spam

August 24, 2011

Court Affirms Robust ISP Protection For Blocking Bulk Emails -- Holomaxx v. Microsoft/Yahoo

[Post by Venkat Balasubramani]

Holomaxx v. Microsoft, 2011 WL 3740813 (N.D. Cal. Aug, 23, 2011) [pdf]
Holomaxx v. Yahoo, 2011 WL 3740827 (N.D. Cal. Aug, 23, 2011) [pdf]

Eric and I both previously posted on the Holomaxx cases, where Holomaxx sued Yahoo and Microsoft for blocking or filtering bulk emails transmitted by Holomaxx. The court granted motions to dismiss filed against Holomaxx with leave to amend. ("Bulk Emailers (Mostly) Lose Three 47 USC 230(c)(2) Rulings--Holomaxx v. Microsoft/Yahoo & Smith v. TRUSTe.") Holomaxx filed an amended complaint, but it produced no better results. The second time around, the court permanently shuts the door on Holomaxx's claims, finding again that Section 230(c)(2)(A) insulates the ISP's filtering decisions and dismissing without leave to amend.

The result was not terribly surprising, given that the court was initially skeptical of Holomaxx's vague allegations that the ISPs harbored some sort of bad faith when they blocked Holomaxx's bulk emails. As Laura Wise notes in her recap of the oral argument, Judge Fogel asked Holomaxx for its "absolute best argument" that Microsoft and Yahoo harbored some sort of bad faith intent, and he was not swayed by what Holomaxx had to offer. Judge Fogel concludes that the Messaging Anti-Abuse Working Group guidelines which Microsoft and Yahoo allegedly deviated from are not an "industry standard," so Microsoft or Yahoo could be faulted for not following them. He also concludes that the fact that the filtering efforts stopped and re-started is not in any way indicative of bad faith. While he acknowledged some tension between Section 230's robust grant of immunity and Judge Fisher's concern (in Zango v. Kaspersky) that a service provider may abuse filtering immunity by blocking content for "anticompetitive purposes or merely at its malicious whim," the court says that allowing Holomaxx to proceed with only its vague allegation of bad faith would undermine Section 230:

To permit Holomaxx to proceed solely on the basis of a conclusory allegation that [the ISP] acted in bad faith would essentially rewrite the CDA.

The court also dismisses Holomaxx's claims under the Wiretap Act and the Stored Communications Act based in part on Holomaxx's failure to articulate how exactly Microsoft and Yahoo violated these statutes in the course of their filtering efforts. (These statutes are excluded from Section 230 so the court deals with them separately.)

As with blocking or filtering decisions targeted at malware or spyware, complaining that the ISP was improperly filtering bulk email (spam) is likely to fall on unsympathetic ears. It would take a lot for a court to allow a bulk emailer to conduct discovery on the filtering processes and metrics employed by an ISP. (Hence the rulings on a 12b motion, rather than on summary judgment.) Here the court reiterates the "good faith" standard for 230(c)(2) is measured subjectively, not objectively. That puts a heavy burden on plaintiffs to show subjective bad faith. Eric's reaction to the Zango case--where the Ninth Circuit held that anti-spyware company Kaspersky's decision to classify Zango as adware was protected--largely alludes to this result:

this opinion is terrific news for vendors of anti-spam/anti-spyware/anti-virus services. Although we have long suspected that they would be protected under 230(c)(2), this opinion codifies their immunization as Ninth Circuit law. As a result, these vendors should continue to have a high degree of freedom to make judgments about how to best serve their customers. On the flip side, this opinion confirms that anyone blacklisted by these software vendors can’t use judicial proceedings to change the classification. Fortunately, most reputable vendors offer an extra-judicial mechanism to correct their misclassification errors.

The only difference is that Microsoft and Yahoo are ISPs, and they could use unfettered filtering discretion to block competitive content, links, or maybe even throttle users (or skew search results). Holomaxx's complaint did not credibly raise any such concerns, so the judge dismisses them.

Previous posts and other coverage:

* Bulk Emailers (Mostly) Lose Three 47 USC 230(c)(2) Rulings--Holomaxx v. Microsoft/Yahoo & Smith v. TRUSTe
* Amendment was futile (Laura Wise)

Posted by Venkat at 11:13 AM | Content Regulation , Derivative Liability , Spam

July 26, 2011

Court Rejects First Amendment Challenge to CAN-SPAM Indictment -- US v. Smallwood

[Post by Venkat Balasubramani, with comments from Ethan Ackerman]

US v. Smallwood, 09-CR-00249 (N.D. Tex.; July 15, 2011)

First Amendment challenges to spam statutes are long shots at best, with Jaynes v. Virginia being the big exception. In this case, Smallwood was charged with a variety of criminal acts, including violations of CAN-SPAM's criminal provisions (18 U.S.C. 1037(a)(2) and (b)(2)(C)). The statute is aimed at anyone who:

uses a protected computer to relay or retransmit multiple commercial electronic mail messages, with the intent to deceive or mislead recipients, or any Internet access service, as to the origin of such messages.

Subsection (C) kicks in where there is a significant volume of messages (2,500 during any 24 hour period, 25,000 during any 30-day period, or 250,000 during any 1-year period). Smallwood argued that the statutory provisions were vague and overbroad, because it chilled "protected anonymous speech."

The court rejects Smallwood's arguments that the statute is overly broad. Smallwood cited Jaynes v. Virginia, a case where the Virginia Supreme Court struck down a portion of Virginia's spam statute, but the court here distinguishes Jaynes from this case: CAN-SPAM only applies to commercial email messages. In contrast, the statute in Jaynes applies to all communications, including religious or political speech.

Smallwood's vagueness arguments fared no better. She argued that:

she could not have known from the statute the circumstances that would cause sending multiple emails to be unlawful, because the Internet is diverse in terms of origin identification, and because multiple emailings may have multiple sources, or origins; "origin" is a broad term, defying easy definition; and there is no clear notice as to the type of conduct that might mislead or deceive someone about the origin of the emailings.

The court agrees with the government that since Smallwood is charged with something which requires a showing of intent to deceive, common sense definitions of the term "deceive" or "mislead" provides sufficient notice as to the scope of the statute.
__

There were two aspects of the statute that caught my attention.

First, the statute covers emails that are misleading not only to recipients, but also to any "internet access service" as to the origin. This reminds me of Kleffman v. Vonage where the California Supreme Court construed the scope of the California spam statute. ("Use of Multiple (Even Random or Garbled) Domain Names to Bypass Spam Filter Does not Violate Cal. Spam Statute.") In that case the plaintiff argued that using multiple domain names to bypass a spam filter violated California's spam statute. While the California Supreme Court rejected this argument, I wonder if the language in the statute (about deceiving an ISP) is aimed at something similar? Is there a legitimate vagueness argument on this point?

Second, it's interesting that the defendant is charged with providing "SPAMmers with equipment, bandwidth, corporate infrastructure, and IP addresses, and domain names from which their customers could send SPAM with the intent to mislead recipients and Internet access services as to the messages' origin." Once you start penalizing people who provide bandwidth, domain names, and infrastructure, you're pretty far afield from the people who are actually sending the emails. It looks like there's some sort of "knowingly" limitation on this (i.e., that she supplied the assistance knowing that the customers were spammers) but it still surprised me.

Not necessarily an earthshattering ruling, but given the dearth of cases dealing with First Amendment challenges to spam statutes, an interesting data point.

Ethan's comments:
It's worth noting that the Court's cursory dismissal of Smallwood's overbreadth argument isn't as uncontroversial as the Court suggests. The opinion dismisses Smallwood's overbreadth argument with a quote from Village of Hoffman Estates v. Flipside, Hoffman Estates, Inc., "the overbreadth doctrine does not apply to commercial speech." That quote was itself a footnoted description of Central Hudson's holding. Interestingly enough, Central Hudson doesn't actually say anything of the sort, noting only that commercial speech is less at risk of being chilled due to overbroad laws. Supreme Court caselaw on the overbreadth doctrine as applied to commercial speech is not as simple as "not applicable." Several Court cases describe it, like Central Hudson did, as being "seldom," or "unlikely to be," applicable. Bigelow v. Virginia says using the overbreadth doctrine to facially invalidate a statute restricting commercial speech is a remedy that should be used "sparingly," but then finds the statute in question overbroad. Only Hoffman describes the overbreadth doctrine as inapplicable to commercial speech.

The Court rejects Smallwood's vagueness challenge by adopting the Government's argument that the intent element of the crime remedies any arguable vagueness concerns for terms like "origin." If it explored deeper, the Court could have also pointed out that the challenged statutory terms are made rather clear by the other definitions in the Act--the defined terms "initiate," "procure," "sender," "header information," and "routine conveyance" use the contested terms, inform those terms, or provide categories that function to exclude some of those terms. It is an uphill battle to argue vagueness on a statute that has around twenty fairly specific definitions.

Previous related posts:

Internet Obscenity Conviction Requires Assessment of National Community Standards--US v. Kilbride
Still Standing? Catching Up on the Jaynes Case

Posted by Venkat at 01:57 PM | Spam

July 04, 2011

June 2011 Quick Links, Part 2

By Eric Goldman

Social Media

* The Third Circuit issued its en banc rulings in Layshock v. Hermitage School District and J.S. v. Blue Mountain School District, both involving school discipline against kids who created fake MySpace profiles of school administrators. Prior blog post on both cases. The good news is that the kids won in both cases; the courts held that the administrators overreacted. However, the decisions don't resolve any of the fundamental issues about the legitimacy of school discipline for kids discussing school-related issues online.

* Too Much Media, LLC v. Hale, 2011 WL 2305620 (N.J. June 7, 2011). A blog commenter doesn’t qualify for the NJ reporter shield law.

* Dr. T.S. v. Plain Dealer, No. 96201 (Ohio App. Ct. June 16, 2011). Uploading a 20 year old version of a newspaper doesn’t reset the single publication rule, even if the article becomes newly indexable in Google.

*Back in September 2010, Xcentric v. Bird settled in a no money deal. The settlement agreement. Ripoff Report's appended response to the original blog post. Prior blog post.

* Scott P. v. Craigslist dismissed. It appears Scott P. gave up against Craigslist. Prior blog post.

* News.com: Is the FTC going after Twitter...again?

* Another PR agency loses a client account over an ill-advised tweet.

* NY Times tries to deconstruct the Twitter hashtag convention.

* Art of Living Foundation v. Does, 2011 WL 2441898 (N.D. Cal. June 15, 2011). Griping bloggers about Ravi Shankar and his organization avoid defamation and trade secret liability for now.

* Jakobot v. American Airlines, 2011 U.S. Dist. LEXIS 64824 (S.D. Fla. June 20, 2011). In a battle over whether the plaintiff lives in Florida or Texas, the court says: “The internet is often filled with old, out-of-date, unsubstantiated, self-aggrandizing and misleading information. It is not enough to submit a selective chunk of Plaintiff's 'Google footprint' and note every time that a tie to Florida appears -- Defendant must do more to connect the dots.”

* State v. Hanson, 2011 WL 2301801(Minn. App. June 13, 2011). Statutory rape conviction reversed based on a mistake of age defense when the victim misreported her age to MySpace. Prior blog post.

* The Duluth doctor is appealing his defamation lawsuit loss against a patient's family member who criticized him online.

* Marin IJ: "A Greenbrae cosmetic surgeon who filed a defamation suit against an online reviewer was ordered to pay nearly $20,000 in attorney's fees after a judge dismissed the case."

* IT World: Is Facebook really 'hated' more than Bank of America?

* Job opening: Executive Director, Public Participation Project, to work towards a federal anti-SLAPP law. Spread the word!

Google

* Reuters on how the FTC's investigation of Google could chill innovation regardless of its outcome. Google's blog post about the investigation.

* In June, I participated in a TechFreedom panel on search engine bias on Capitol Hill. Declan McCullagh moderated. His writeup: "On Capitol Hill, it's all about beating down Google". The video.

* News.com: Google's Enemies: a Primer.

* Google hires TWELVE lobbying firms to fight the FTC (on top of the 6 they already had).

* Neeley is appealing his loss to Google. Prior blog coverage.

Spam

* Spam filters have taken a huge bite out of spam. See my 2003 article expressing confidence that technology would do a much better job fighting spam than legislation.

* Amazon's Kindle hit by spammed e-books. Another example that service providers have to exercise editorial control to curb spam.

Miscellaneous

* The FTC approved the final order in the Chitika case.

* CA enacts an Amazon tax and Amazon instantly tosses its affiliates overboard--including me! More evidence that the taxman will effectively kill the affiliate industry.

* Weinstein v. eBay Inc., 2011 WL 2555861 (S.D.N.Y. June 27, 2011). As a secondary market, StubHub does not need to comply with NY state law requiring printing the face value on tickets.

* Ni v. Slocum, A128721 (Cal. App. Ct. June 30, 2011). Rejecting electronic signatures in support of a ballot petition. Contrast Anderson v Bell in Utah about the application of UETA to election petition signatures.

* Zamora Radio, LLC v. Last.fm LTD., 2011 WL 2580401 (S.D. Fla. June 28, 2011). A defense-favorable Internet personal jurisdiction ruling: "the AccuRadio website reflects a low quality of commercial activity; visitors cannot purchase products or download music and are primarily limited to live streaming audio. Moreover, Plaintiff has not established that (1) Florida constitutes a principal consumer base for AccuRadio's service; (2) AccuRadio.com makes any reference to Florida, or directs visitors to any Florida establishments; (3) AccuRadio has engaged in any print, radio, television, or Internet advertising targeting Florida residents; or (4) AccuRadio has in any way specifically encouraged Florida residents to visit AccuRadio.com." The court distinguishes co-defendant Last.fm: "AccuRadio users do not have to download a program to access and listen to AccuRadio's programming and AccuRadio users do not download music from AccuRadio's website....Further, AccuRadio's website is not specifically directed at Florida consumers and local information about concert events is not provided on AccuRadio's website."

* Take James Grimmelmann's Internet Law exam.

Posted by Eric at 08:43 AM | Content Regulation , E-Commerce , Search Engines , Spam | TrackBack

April 28, 2011

Jury Rejects Lawyer's Claims Under DC's Anti-Spam Law -- CyberLaw v. Thelaw.net

[Post by Venkat Balasubramani]

Cyberlaw P.C. v. Thelaw.net, No 2009 CA 003615 (D.C. Sup. Ct. March 16, 2011) (complaint) (verdict form)

Lawyers receive a fair amount of spam from service providers and companies who offer CLEs and other services. Most lawyers simply hit the delete button, but not Eric Menhart. Menhart sued Thelaw.net alleging violations of the District of Columbia spam statute. Menhart is not just any lawyer. He is the one who tried to assert trademark rights over the term CyberLaw(TM). (See "Who Owns "CyberLaw"(TM)? Eric Menhart, a DC IP Attorney, Thinks He Does." After much (well deserved) public ridicule, including on this blog, he finally backed off: "Eric Menhart Backs Off CyberLaw Trademark Claim".))

Menhart alleged that he received 49 pieces of spam, and that the emails: (1) "contain[ed] false or misleading information in the subject line" and (2) had incorrect routing or transmission information.

The subject line claims: The subject line claims were a serious stretch to begin with. They included phrases such as "what you're missing with Westlaw," "Search Nationally in 2009!," and "make the transition." Most of them screamed "advertisement" and none of them suggested that they were from an acquaintance or contained a free offer. You can access a full list of the email subject lines on the verdict form here.

The routing information claim: Menhart did not detail his routing or transmission information claims, but the complaint cites to a listserv post which says that Thelaw.net "are constantly changing their email addresses" so their emails cannot be blocked.

___

Thelaw.net had solid preemption arguments with respect to both of these claims. CAN-SPAM cases have interpreted CAN-SPAM to only cover "material" errors or misstatements and to preempt any state causes of action which impose liability based on immaterial errors or misstatements. The claims in this case are precisely the type of claims based on non-material discrepancies or minor misstatements that CAN-SPAM preempts. The flagship cases for these principles are Omega World Travel v. Mummagraphics and Gordon v. Virtumundo; more recent examples of cases which have rejected precisely these types of claims are: Kleffman v. Vonage (use of multiple random domain names to bypass spam filter does not violate California's spam statute) and Martin v. CCH (claims for failure to label email using "AD:," and disclose alleged tracking preempted by CAN-SPAM).

It is unclear from the online record whether Thelaw.net argued preemption. Lawyers for Thelaw.net issued a press release following their victory, but expressing concern that the judge "ruled that whether an email subject line is false or misleading is a question of fact not law, which would mean future lawsuits under the DC statute, no matter how frivolous, could not be dismissed before trial." So maybe no one brought up the preemption issue?

The court should have dismissed this case and never have let it get this far. Menhart, who runs a law firm called CyberLaw(TM), should have known better. The CyberLaw trademark debacle may prompt lawyers to question Menhart's legal assessments from the standpoint of trademark law. It looks like the jury questioned his assessments (that the subject lines were misleading) as well.

Other coverage: "Jury Dismisses Spam Lawsuit Against Legal Research Company" (Wendy Davis)

Posted by Venkat at 12:14 PM | Spam

April 27, 2011

Court Says CAN-SPAM Plaintiff Can't Take Second Bite at the Apple -- Melaleuca v. Hansen

[Post by Venkat Balasubramani]

Melaleuca v Hansen, 10-cv-00553 (D. Idaho; Apr. 15, 2011)

This is a case where Melaleuca - a large multi-level marketing company - asserted spam claims against Daryl Hansen. That's probably a charitable way of putting it. Melaleuca looks like it had motives other than its injuries from allegedly receiving spam, and went after Melaleuca with legally unsustainable claims under CAN-SPAM.

Hansen, proceeding pro se, defeated Melaleuca's claims against him the first time around. The court concluded that Melaleuca was not a bona fide ISP and did not adequately allege damages (i.e., that it had suffered "adverse effects") as a result of the alleged spam. Melaleuca also argued in the first lawsuit that, even though it was not an ISP, it had obtained an assignment of claims from the ISP who received and processed the spam. The court was skeptical of this assignment, since it was procured after Melaleuca filed its complaint. (Here's the earlier blog post on the case and the court's rulings: "Another Federal Court Dismisses CAN-SPAM Claims Due to Lack of Standing - Melaleuca, Inc. v. Hansen." My instinct was the the district court's dismissal should have been with prejudice, but it turned out to not matter.)

Undaunted, Melaleuca filed a second lawsuit against Hansen. Hansen (again proceeding pro se) moved to dismiss, this time on the basis that the second suit was barred by preclusion principles. The court agrees with Hansen and dismisses the case. Melaleuca argued that the first decision was not a final decision on the merits, but the court rejects this argument. Both parties had the opportunity to brief the standing issue and the court issued a definitive order the first time around that was appealable (indeed, as the court notes, it was on appeal at the time of the second lawsuit). Melaleuca also argued that the deficiencies in its complaint were "curable," and it should be allowed to proceed. The court finds that while Melaleuca could have cleaned up the assignment (and obtained the assignment of claims prior to filing the complaint) it "alleges the same damages/types of harms as were raised in Melaleuca I that the court deemed insufficient to meet . . . CAN-SPAM . . . standing requirements." Regardless of whether Melaleuca should have been able to "cure" this deficiency, the court says Melaleuca did not bother to adequately allege injury the second time around!

The court was way too lenient with Melaleuca here. Maleleuca deserved a smackdown. I'm surprised the court did not consider sanctions, or at least a strong statement that sent a message to Melaleuca. Courts should do their best to strongly discourage this type of litigation. (CAN-SPAM has a fee-shifting provision (see "CAN-SPAM Defendant Awarded $111k in Fees/Costs"), but I'm not sure if Hansen can take advantage of it as a pro se defendant.)

Related: Professor Goldman previously posted on another dispute involving Melaleuca, this one involving an expedited DMCA subpoena which also touched on the copyrightability of a take-down letter: "Co-Blogger Identity Isn't Disclosed via 512(h), but Takedown Letters Are Copyrightable."

Posted by Venkat at 10:51 PM | Spam

April 19, 2011

Bulk Emailers (Mostly) Lose Three 47 USC 230(c)(2) Rulings--Holomaxx v. Microsoft/Yahoo & Smith v. TRUSTe

By Eric Goldman

I've been so behind that it's taken me until now to blog these cases from last month. All three opinions involve the same basic fact pattern: a bulk emailer gets blocked by an email service provider (relying in part on third party filtering/blocking services) and sues to undo the block. These claims are largely preempted by 47 USC 230(c)(2), and the courts mostly get to the right place with the immunity (although not without small points of drama). The aggressive plaintiffs also assert claims not covered by 47 USC 230(c)(2), but these mostly don't go anywhere either. The lesson is pretty clear: if an email service provider blocks your email, the courts aren't going to help you out.

Holomaxx Technologies v. Microsoft Corp., 2011 WL 865278 (N.D. Cal. March 11, 2011), and
Holomaxx Technologies v. Yahoo, Inc., CV-10-4926-JF (N.D. Cal. March 11, 2011). Venkat's excellent prior blog post on the complaints. These rulings are substantially identical, so I'll discuss them together except where they diverge.

Holomaxx is a bulk email sender upset because Yahoo and Microsoft are blocking its emails based both on IP address blocks and reputation scores (including those provided by third parties). We've heard this refrain before in many cases over the years, and the law is pretty clear about this. Email service providers can't be obligated to carry emails they don't want to carry. There are a number of legal doctrines that help reach this conclusion, but the most salient one is 47 USC 230(c)(2), the immunity for filtering decisions.

In response to Holomaxx's lawsuit over the block, Microsoft and Yahoo interposed the 230(c)(2) defense on a 12(b)(6) motion to dismiss. Holomaxx objected that 230(c)(2) is an affirmative defense and not appropriate response for a 12(b)(6) dismissal motion. This is the issue that vexed the Ninth Circuit in the Barnes v. Yahoo case until they fixed the opinion. In this case, Judge Fogel properly concludes that 230(c)(2) can support a 12(b)(6) motion to dismiss. (He reached the same conclusion in Goddard v. Google).

Holomaxx then argued that 230(c)(2) does not prevent blocking of legitimate email because such a block doesn't fit within 230(c)(2)'s "otherwise objectionable" language. The judge says:

No court has articulated specific, objective criteria to be used in assessing whether a provider’s subjective determination of what is “objectionable” is protected by § 230(c)(2).

And Judge Fogel isn't going to be the first. Instead, he sidesteps the issue, holding that the service providers could deem the emails "harassing" because, even if Holomaxx had a 0.1% error rate, as it claimed in the Yahoo case, that still netted 2M bad emails/year. Therefore, the filtering decisions fit within the other statutory language in 230(c)(2). This is a cute intellectual move which potentially expands the scope of 230(c)(2) by reading "harassing" broadly.

Holomaxx also attacks the "good faith" requirement of 230(c)(2), but does so in a generalized way. The judge rejects the argument, saying (in the Yahoo case):

Holomaxx alleges no facts in support of its conclusory claim that Yahoo!’s filtering program is faulty, nor does it identify an objective industry standard that Yahoo! fails to meet. While it suggests that Yahoo! is “using cheap and ineffective technologies to avoid the expense of appropriately tracking and eliminating only spam email,” it offers no factual support for these allegations. Nor does Holomaxx cite any legal authority for its claim that Yahoo! has a duty to discuss in detail the particular reasons for blocking Holomaxx’s communications or to provide a remedy for such blocking. Indeed, imposing such a duty would be inconsistent with the intent of Congress to “remove disincentives for the development and utilization of blocking and filtering technologies.”

The Microsoft opinion's text is similar. Holomaxx gets another chance to marshal better allegations, but I'm guessing they won't be able to do so.

The court rejects the ECPA claim (which 230(c)(2) doesn’t immunize) because Holomaxx didn't explain clearly enough how the email service provider "intercepted," "used" or "disclosed" Holomaxx's email or how the ESP improperly accessed stored communications. The 17200 claim (which I think should be preempted by 230(c)(2), although that issue isn't discussed) also fails for lack of Holomaxx's specificity. A Microsoft-only defamation claim doesn't survive either:

Holomaxx alleges, on information and belief, that Microsoft "informed Dragon Networks in writing" that it had blocked all IP addresses originating from Dragon Networks because "certain of Holomaxx's .78 addresses had been rejected 'for policy reasons,' and were blocked manually 'or for spamming.'" Holomaxx does not explain how the alleged statement was defamatory or produce a copy of the alleged defamatory correspondence between Microsoft and Dragon Networks. Nor does it explain how the alleged communication amounts to "a statement of fact that is false."

As a result, the judge dismisses the lawsuit but with leave to amend.

Smith v. Trusted Universal Standards in Electronic Transactions, Inc. (d/b/a TRUSTe, Inc.), 2011 U.S. Dist. LEXIS 26757 (D. N.J. March 15, 2011).

Like Holomaxx, Smith sends a lot of email through Comcast. Comcast blocked his outgoing email twice. The first time, Comcast pointed to Microsoft's Frontbridge/Exchange Hosted Services (EHS) quarantine system. The second time, Comcast pointed to Cisco's IronPort/Senderbase blocklist. Smith sued all three entities (and others). Last year, the court rejected a 12(b)(6) motion to dismiss based on 47 USC 230(c)(2).

Ten months later, after presumably lots of wasted effort, the court converts Cisco's and Microsoft's 12(b)(6) motions into a summary judgment motion and grants the dismissal on 230(c)(2) grounds. I'm sure the defendants appreciate the dismissal, but I'm sure they would have been even more appreciative if the court had reached the result on the last go-around. The court still can't let the case go with respect to Comcast, however.

Cisco/SenderBase gets the 230(c)(2) defense as a blocklist provider. This may sound easy, but the statutory drafting makes the court’s analysis more arduous than it ought to be.

Cisco's senderbase.com website constitutes an ICS. This makes Cisco a "user" of an ICS because it uses its website to publish the blocklist. It is also a provider of an ICS because it runs the website. This is the issue that tripped up the court in the last ruling, and although it got to the right result, I don't think the court has fully wrapped its head around the statutory language. I read the court's discussion at least 6 times, and I couldn't make it make sense. Just know that a blocklist provider probably is both a provider and user of an ICS, so this element is met.

The blocklist easily satisfies the requirements of 230(c)(2)(B). As the court notes (citing Zango v. Kaspersky), whether material is "objectionable" is measured subjectively. Thus, the court dismisses Cisco, noting:

The Court notes that Plaintiff's breach of contract and defamation claims are dismissed because they specifically relate to Cisco's SenderBase service. Plaintiff defamation claim is based upon the fact that Cisco publishes IP scores. Plaintiff's breach of contract claim is based on the fact that Cisco refused to provide Plaintiff with the information that it used to calculate the reputation score for the IP address assigned to Plaintiff by Comcast.

Microsoft's EHS quarantine operates in the cloud by routing all email through its servers, which screen out emails based on its blocklist (as modified by customers' parameters). This should be even easier to qualify as a provider/user of an ICS. The court's discussion on this point doesn't make any sense either, but it reached the right result. As with Cisco, the court says the blocklist qualifies for 230(c)(2)(B) and the contract breach claim fails for the same reason.

Comcast doesn't get so lucky. The court once again finds that Comcast could have acted in "bad faith" which could disqualify it from 230(c)(2) coverage:

the Court finds that a reasonable jury could conclude that Comcast acted in bad faith when it failed to respond to Plaintiff's repeated requests for an explanation why it continually blocked Plaintiff's outgoing email...the Court is not convinced that an internet service provider acts in good faith when it simply ignores a subscriber's request for information concerning an allegedly improper email blockage...there is no reason why Comcast could not articulate its immunity (or provide another rationale for the blockage) when asked to do so by a paying customer.

Whoa. Hold on a sec. The court is saying that online providers have to provide explanations to their customers for their back-end choices. First, that's not in the statute. Second, Judge Fogel expressly rejected this argument in his Holomaxx rulings. Third, the court’s position is ridiculous. Being legally obligated to explain business decisions to affected customers would add an extra layer of expense/hassle to everyday business decisions, and the explanations will just become additional grist for the plaintiff's mill (see, e.g., Barnes v. Yahoo and the resulting incentives to tell customers less, not more). I'm 99%+ confident that an appellate court would reverse this judge on this point. I think he went off the rails. As a result, I don't plan to advise clients that they have to provide explanations for their blocking decisions, and I don't recommend you advise otherwise.

Although Comcast doesn't get the 230(c)(2) immunity, the court still ends up granting it summary judgment on all of the claims. There's some interesting discussion there too.

The court rejects Smith's ECPA claims and the substantively identical state claims. Cisco doesn't actually intercept emails, and Microsoft quarantines emails with its customers' consent.

Smith's contract breach and promissory estoppel claims against Comcast fail because Comcast didn't make any promises it failed to keep and because Smith was using a personal account for unpermitted commercial activities. (To me, this is facially inconsistent with any argument that Comcast had bad faith for 230(c)(2) purposes, but the court ignores that implicit contradiction).

Smith's NJ Consumer Fraud Act claim against Comcast also fails because he can't show fraud or ascertainable loss (because he only alleged that he lost time). The court dismisses a couple other claims, too.

Posted by Eric at 11:04 AM | Derivative Liability , Licensing/Contracts , Marketing , Privacy/Security , Spam | TrackBack

April 07, 2011

Claims that Emails were not Labeled as Ads and did not Disclose Tracking Preempted by CAN-SPAM -- Martin v. CCH

[Post by Venkat Balasubramani]

Martin v. CCH, 10-cv-3494 (N.D. Ill.; Mar. 24, 2011)

Plaintiff received two emails from CCH, with the following subject lines:

"Buy now pay Feb. 15"

[and]

"Offer extended - Buy now pay Feb. 15"

Based on these emails, plaintiffs files a putative class action against CCH alleging that CCH violated the Illinois spam statute. The court grants CCH's motion to dismiss, finding the claims preempted by CAN-SPAM.

The Illinois spam statute contains the standard prohibitions on misleading subject lines and falsifying the point of origin or transmission path of an email. The statute also requires email ads to contain "ADV: as its first 4 characters." Plaintiff alleged in the complaint that the emails were deceptive because

the subject lines do not state that the e-mails are advertisements, and the language used is misleading because it has the purpose and effect of making the recipient think the e-mail is from someone with whom he has a preexisting relationship.

The court finds that plaintiff "wisely" abandoned these arguments at the briefing stage. The emails both contained the word "buy" (and "pay") and it's hard to think of words that more clearly denote an invitation to engage in a commercial transaction. To the extent plaintiff argued that the emails were actionable because they were not labeled with "ADV:" this claim was "clearly" preempted by CAN-SPAM. With respect to plaintiff's claim that the emails improperly implied that the parties had some sort of pre-existing relationship, this did not rise to the level of fraud, or at worst, was a claim for "less than comprehensive information regarding the sender."

Plaintiff also argued that the emails were deceptive because they did not disclose the "'secret' 'information-harvesting' purpose of the e-mails." The court treats this as a misleading subject line claim. Citing to Virtumundo and Mummagraphics, the court finds that this claim is also preempted:

[t]hat claim also appears to be for 'incomplete' or 'less than comprehensive information' in the subject lines regarding the content of the e-mails. Plaintiff essentially argues that if Defendant had provided more information or 'complete' information, in the subject line, Plaintiff would not have opened the e-mail . . . . [T]wo circuits have held that less than comprehensive information outside the body of an e-mail is at best a technical allegation that finds no basis in traditional tort theories and thus falls within CAN-SPAM's express preemption clause (and outside the exception). And even if the omitted information could be deemed not only incomplete but also 'misleading,' Plaintiff's claim would still be preempted by the express language of the CAN-SPAM Act, which prohibits subject headings likely to 'mislead a recipient about a material fact regarding the contents of the message.'

In a footnote, the court also notes that the Illinois General Assembly is unlikely to have required - in the subject line of a commercial email - "a potentially lengthy and somewhat technical description of the process through which information is transmitted from recipient to sender when the recipient opens an e-mail." Indeed, in some instances, "it may not be possible to include on the subject line" the kind of disclosure plaintiff argued for.
__

Spam plaintiffs continue to come up with wacky theories of liability, and courts continue to reject these theories.

Posted by Venkat at 08:59 AM | Privacy/Security , Spam | TrackBack

April 01, 2011

N.D. Cal.: Facebook Posts are Electronic Mail Messages, Subject to CAN-SPAM -- Facebook v. Maxbounty

[Post by Venkat Balasubramani]

Facebook, Inc. v. Maxbounty, Inc., CV-10-4712-JF (N.D. Cal.; Mar. 28, 2011)

The Northern District of California ruled that commercial posts to a Facebook user's wall, news feed, and home page constitute "electronic mail messages" that are subject to CAN-SPAM. Two other courts in California had taken a similar approach with respect to MySpace messages (MySpace v. Wallace and MySpace v. TheGlobe.com).

Facebook brought claims against Maxbounty, which it alleged set up an affiliate scheme in violation of Facebook's policies and procedures. As described in the complaint:

MaxBounty, through its network of affiliates, creates fake Facebook pages that are intended to re-direct unsuspecting Facebook users away from Facebook.com to third-party commercial sites . . . In the first step, MaxBounty establishes a network of affiliates; in the second step, MaxBounty's affiliates create numerous Facebook pages that function like (and in effect are) advertisements; in the third step, the page displays a message indicating that upon registration a user will be able to take advantage of a "limited time offer," such as receiving a gift card or becoming a product tester for a high-end product (e.g. an Apple iPad); in the fourth step, the Facebook user is induced by the page and begins the registration process. The registration process requires three discrete user actions: (1) to become a "fan" of the page, (2) to invite all of his or her Facebook friends to join to the page, and (3) to complete additional administrative registration requirements. Upon completion of these requirements, Facebook users are not sent the promised item but instead are directed "to a domain registered to and managed by Maxbounty that then redirects the user to a third-party commercial website . . . ." The third-party commercial site informs the user that he or she must complete still more steps in order to obtain the promised item. Such additional steps include signing up for numerous "sponsor offers," which typically are offers for memberships in subscription services.

CAN-SPAM has three broad requirements: (1) no misleading subject lines; (2) no false or misleading header information; and (3) inclusion of a means to opt-out. I'm not sure how these requirements track to Facebook posts. Maxbounty argued (among other things) that the Facebook posts by its affiliates were not "electronic mail messages" that are subject to CAN-SPAM. CAN-SPAM defines an electronic mail message as":

a message that is sent to a unique electronic mail address . . . [i.e.] a destination, commonly expressed as a string of characters, consisting of a unique user name of mailbox and a reference to an internet domain . . . whether or not displayed, to which an electronic mail message can be sent or delivered.

The court declines Maxbounty's invitation to construe CAN-SPAM's definition of electronic mail message narrowly, pointing to congressional intent in curtailing the scourge of spam and to the two prior cases that held that MySpace posts could constitute email messages that are subject to CAN-SPAM.

From a practical standpoint, the court's order omits one question - whether the Facebook users actually received the messages in question via email. Some Facebook users would not set their Facebook accounts to forward posts or messages via email, so although the messages may be "routed" by Facebook, they may never be received (or even viewed) by the user. There's also the issue that the users in question "liked" the pages in question. My understanding is that people (or companies) that you are not "friends" with cannot post messages to your wall or message you, so the people who received unwanted wall posts or messages in question had to take an affirmative step before they were sent the messages in question. Are these messages truly unsolicited?

This is a pretty expansive reading of CAN-SPAM. When you get to the point that social networking messages can constitute messages that are regulated by CAN-SPAM, there's really no stopping point. How about blog comments? Tweets? Are the Facebook posts in question subject to the Telephone Consumer Protection Act as well, if the user had set his or her Facebook account to forward messages via SMS?

A case from Utah deciding whether pop-up ads were emails illustrates some of the practical difficulties with treating Facebook wall posts as email messages. (Riddle v. Celebrity Cruises, Inc.) The Utah statute required commercial emails to be labeled as advertisements (with "ADV") and the court (which found that pop-up ads do not constitute email messages) noted:

[a]ny requirement to include the "ADV:" designation on the subject line of a pop-up ad would be meaningless because there is no subject line per se.

The same difficulties can arise when you treat Facebook messages as emails which are subject to CAN-SPAM.

Maxbounty also argued that Facebook failed to plead its Computer Fraud and Abuse Act claims with particularity. The court finds that CFAA claims are not subject to the heightened pleading standards of Rule 9(b), and that Facebook satisfied the lower pleading standard.

Posted by Venkat at 07:30 AM | Spam

March 03, 2011

Jan.-Feb. 2011 Quick Links, Part 4

By Eric Goldman

Internet Freedom

* The EFF points out the inconsistency between Hillary Clinton's speech championing Internet freedom abroad when our own US government has gone rogue on its own citizens, including unlawful domain name seizures and an obsessive vendetta against Wikileaks.

* Fast Company: Why Twitter stood up for its users against the "secret" Wikileaks subpoena when other sites didn't.

47 USC 230

* Fleming v. Duncan: Yahoo wins 47 USC 230 motion to dismiss in Georgia state court.

* Neeley v. NameMedia, Inc., 2010 WL 5677069 (W.D. Ark. Dec. 16, 2010). 47 USC 230 preempts "outrage" claim over displaying nude photos in search results. A complementary follow-up ruling: Neeley v. NameMedia, Inc., 2011 WL 336174 (W.D. Ark. Jan 31, 2011).

* Several professors contributed essays to a book critical of 47 USC 230. Paul Levy takes them on.

* Jonathan I. Ezor, Busting Blocks: Revisiting 47 U.S.C. § 230 To Address The Lack Of Effective Legal Recourse For Wrongful Inclusion In Spam Filters, Richmond Journal of Law and Technology (Fall, 2010).

Spam

* Facebook, Inc. v. Fisher, 2011 WL 250395 (N.D. Cal. Jan. 26, 2011). Facebook gets $360M default judgment against spammers.

* Goodmail shutting down.

History

* Antone Johnson on the dot-com hangover of 2000-2002.

* 25 Best Startup Failure Post-Mortems of All Time.

Miscellaneous

* You can watch video from Next Digital Decade event. More on that event: 1, 2, 3. If you haven’t looked yet, you should check out the book.

* Unique Products Solutions v. Hy-Grade Valve (N.D. Ohio Feb. 24, 2011). Patent false marking qui tam process is unconstitutional.

* Shrader v. Biddinger, 2011 WL 678386 (10th Cir.(Okla.) Feb 28, 2011). In this Internet jurisdiction case, the Tenth Circuit adopts ALS Scan v. DSC as its test rather than Zippo.

* FairSearch.org has a new partial rival, Faretransparency.org, the web front for the Open Allies for Airfare Transparency, "a coalition representing all of the stakeholders in the travel booking industry, works to promote price transparency and full access to airline pricing and fee information." It's chaos in the online travel booking industry right now!

* Very useful table: State Cyberstalking, Cyberharassment and Cyberbullying Laws

* Evony sues its user for automated mapping of its site.

* ABA Journal: "For Federal Plaintiffs, Twombly and Iqbal Still Present a Catch-22"

* Direct Marketing Association v. Huber, No. 10-cv-01546-REB-CBS (D. Colo. Jan. 26, 2011). Judge strikes down Colorado's attempt to impose an "Amazon" tax as unconstitutional. My previous reference to the law.

* In the Silicon Valley, being the "Craigslist Congressman" might be considered a compliment. Unfortunately, that term will now be pejorative.

* Segal v. Amazon, 2:11-cv-00227 (S.D. Fla. Feb. 4, 2011). Amazon's participation agreement's venue selection clause upheld.

* Rep. Matheson wants to require age authentication to access online porn. Been there/done that 13 years ago with COPA. Lest you forget, it was unconstitutional.

Funny Stuff

* French second-graders are shown items like an old Fisher Price record player and 3.5 and 5 inch floppies and are totally baffled by them. Funny video.

* Great Dilbert strip riffing on the old joke of how you know if a lawyer is lying.

Posted by Eric at 11:53 AM | Content Regulation , Derivative Liability , Internet History , Patents , Spam | TrackBack

February 12, 2011

Debt Collection Text May Result in Liability under the Telephone Consumer Protection Act -- Gutierrez v. Barclays Group

[Post by Venkat Balasubramani]

Gutierrez v. Barclays Group, Case No. 10cv1012 DMS (BGS) (S.D. Cal.; Feb. 9, 2011)

The Telephone Consumer Protection Act is a big stick. And it's being wielded against debt collectors.

Plaintiffs (a husband and wife) applied for a credit card. On the application, the husband listed his work number and his wife's cell phone number. Credit cards were issued to both the husband and the wife. At some point, when the couple were delinquent on their payments, Barclays began making collection calls to both numbers. It also sent text messages to the numbers. In response to one of the text messages, the husband asked (via text message) to cease further text messages. Although the court doesn't explicitly say this, presumably, the messages from Barclays continued. Plaintiffs filed claims under the TCPA.

Defendants argued that plaintiffs consented to the text message by listing their number on the credit application, and sought to dismiss the claims against the wife on the grounds that she was not the "called party." The court denies defendants' request for summary judgment.

Consent: The first question was whether the wife consented to listing her telephone number and provided the "prior express consent" that would allow defendants to argue that the communications fell under this exception to the TCPA. Defendants pointed to an FCC Report and Order which stated that calls made by a creditor to a debtor to the number which the debtor provided in the credit application fall under the "prior express consent" exception. However, the wife argued that since she did not fill out the application in question, she could not have consented. The court found that there was little case law on the issue of how this type of consent must be expressed. The court looked to the criminal context and found that courts find consent to a search by the defendant, but also by a third party who possessed "common authority over or other sufficient relationship to the premises or effects" in question. Defendants put forth evidence that the husband possessed "common authority" over the phone because he freely used it. On this basis, the court finds that the wife effectively gave prior express consent to receiving the calls.

Revocation of consent: Unfortunately for defendants, that was not the end of the story. Plaintiffs argued that they revoked the consent via text message. Defendants argued that the revocation had to be in writing, but the court disagrees, noting that if consent could be provided by telephone or other means, it would be odd to require a revocation to be in writing. Ouch!

Whether the wife was the proper plaintiff: Defendants finally tried to get the wife's claims dismissed on the basis that since she did not receive the texts in question, she was not the "called party" for purposes of the TCPA. The court looked to mixed rulings on the issue of who could sue for a TCPA violation. One case held that unintended and incidental recipients could not sue. At least one case held to the contrary that any recipient could sue. The court takes a different approach and rules that only the subscriber has a cause of action to sue under the TCPA.

The TCPA is a tough statute for people who send unsolicited text messages. Third party consent is unreliable in the marketing context (see "Ninth Circuit Revives TCPA Claim--Satterfield v. Simon & Schuster"), but it looks unreliable in general. When you add the fact that consent can be revoked by text message or orally, people who send unsolicited text messages are not left with much comfort. I think that's worth remembering is that unlike spam, it does not matter whether an unsolicited text message as sent for advertising purposes. It is also no defense that the recipient was not "separately charged" for the call. Debt collection text messages can violate the statute, absent consent (which can be easily revoked).

Unsolicited text message litigation has followed almost the opposite trajectory to spam litigation. Defendants just can't seem to get a break. Some of this is a result of the overzealous plaintiffs involved in spam litigation. Some of it is also the structure of the respective statutes. The TCPA is just much more of a plaintiff friendly animal.

Posted by Venkat at 11:16 AM | Publicity/Privacy Rights , Spam

January 29, 2011

Class Action Brought by "Lonely and Vulnerable" Men Against Online Cupid Site Moves Forward -- Badella v. Deniro Mktg.

[Post by Venkat Balasubramani with some comments by Eric]

Badella v. Deniro Marketing LLC, 10-03908 CRB (N.D. Cal.; Jan 24, 2011)

This is a good one.

A group of plaintiffs brought a putative class action against an online dating website that they alleged contained predominately fake profiles. As Judge Breyer describes it in more colorful language:

This is a putative class action purportedly a vast, fraudulent scheme centered around an internet dating website that lures 'often lonely and vulnerable men' into joining . . . with the false promise that they are communicating with real women in their area who are interested in dating and/or intimate relationships.

Plaintiffs brought claims for fraud, RICO and California's anti-spam statute against multiple defendants. They alleged that they were "drawn" to the website fraudulently (e.g., via "spam, internet pop-up ads, or social networking scams"), induced to sign up for free, and then induced to upgrade to paid memberships.

Fraud: With respect to the fraud claim, defendants argued that the website terms of use undermined plaintiffs' reliance on any purported misstatements. The website terms stated:

This Service is for Amusement Purposes only.
You understand and accept that our site, while built in the form of a personals service, is an entertainment service. . . You are not guaranteed that you will find a date, a companion, or an activity partner, or that you will meet any of our members in person.
Online CupidTM Communications: You understand, acknowledge and agree that some of the user profiles posted on this site may be fictitious, and are associated with . . . our "Online CupidsTM", ("OC"). Our OC's work for the Site in an effort to stimulate conversation with users, in order to encourage further and broader participation in all of our Site's services, including the posting of additional information a.or pictures to the users' profiles.

Judge Breyer found that the terms did not undercut reliance for three reasons: (1) plaintiffs alleged that nearly all (as opposed to some) of the profiles are fictitious; (2) the fake profiles were not always labeled "OC," as promised; and (3) the plaintiffs alleged a "widespread and pervasive effort on Defendants' part to make the website appear to be a legitimate dating service." The disclaimer did not defeat reliance because defendants allegedly used a "wealth of information" to create a false impression, and the disclaimer was not as prominent as the information which created the false impression. In rejecting the claims, the court suggested what an appropriate disclaimer would look like, and contrasted this with the one from the website terms:

THIS WEBSITE USES FICTITIOUS PROFILES - READ THIS DISCLAIMER [or] THE MAJORITY OF PROFILES YOU SEE WILL NOT CORRESPOND TO ACTUAL WOMEN - READ THIS DISCLAIMER.

Disclaimers have achieved mixed results against claims of misleading website practices. (See, e.g., Vistaprint; Easysaver Rewards; Duffy v. The Ticketreserve, Inc.) I found the court's conclusion plausible, although a part of me said that an average person reading this disclaimer would conclude that they weren't visiting a typical dating website. Maybe the court figured - as many people do - that people rarely read or digest website terms?

Defendants also argued that the fraud claims were not pled with particularity. The court held that with respect to initially being drawn to the site, the plaintiffs failed to allege the particulars of how they were fraudulently drawn to the site. With respect to being persuaded to register and upgrade to paid memberships, the court held that these allegations were pled with particularity, since plaintiffs' allegations referenced specific messages sent by fake profiles which were not so labeled. Interestingly, plaintiffs alleged that in order to make the fake profile messages more compelling, defendants did not rely on "canned or automatic messages . . . [they employed] actual individuals who control hundreds of fictitious profiles." [Reasonable minds can disagree about the quality of the copy, but my feeling was that anyone who has ever moderated blog comments or been exposed to blog spam would be able to spot this as the same type of copy from a mile away.]

RICO: For the RICO claim, plaintiffs argued that defendants engaged in a conspiracy to commit wire fraud and access device fraud. The underlying fraud plaintiffs alleged was that defendants set up numerous entities to fraudulently obtain merchant accounts and then used these merchant accounts to process credit card payment for the websites in question.

The court does not give defendants' argument much credit here and declines to dismiss the RICO claims. I didn't check to see whether RICO claims have been successfully brought in the online context, but this seems like a way to attack a bunch of people in the chain of a transaction and drastically expand the scope of liability. A charge of conspiracy was successfully brought by the government in Kilbride, a criminal CAN-SPAM case. "Defendants Convicted in 1st Criminal CAN-SPAM Trial." There, among other things the government alleged that defendants used fictitious entities to register domain names. The court in Kilbride also relied on the use of privacy protection services to register the domain names. The RICO claims will have to be fleshed out and no one knows how they will fare, but plaintiffs' theory sounds pretty expansive.

Spam claims: Plaintiffs brought claims under California's spam statute. The court concludes that these claims are barred by the one year statute of limitations, thus avoiding the preemption question that has been plaguing California courts for some time, including in Reunion.com, another case where plaintiffs alleged they were induced to sign up (and upgrade) using unsolicited messages and allegedly bogus "friend messages." ("Reunion.com Revisited Again: Claims Under CA Spam Law Not Preempted by CAN-SPAM -- Hoang v. Reunion.com.") Interestingly, an appeals court in California recently held that under the California statute claims for actual damages must be brought within three years of the receipt of the emails, while claims for statutory damages can only be brought one year within the receipt of the emails. The court's opinion here does not contain a discussion of whether plaintiffs sought actual or statutory damages, but if they sought actual damages, the dismissal does not jibe with the recent appeals court ruling in Hypertouch. ("CA Appeals Court: Claims Under State Spam Statute Not Preempted by CAN-SPAM - Hypertouch v. Valueclick.")
___

It's hard to not be judgmental about this suit. People - specifically "lonely and vulnerable men" - sign up for these random "dating" websites and then complain because a greater than anticipated number of the profiles are fake (??). I can just picture one of the plaintiffs saying: "I'm playing the odds by going on this site. I don't know what the odds are (no one does), but they were different from what you promised!" It's also hard to fault the court for deferring the underlying issue of whether the users were misled to the factfinder, but unless the plaintiffs are chosen carefully, they are not going to have an easy time credibly explaining how they were misled. In the meantime, we can take comfort that the interests of lonely and vulnerable men trolling internet dating sites for dates can be protected.
___

Comments by Eric: It's interesting how Venkat concludes his post, because in fact I have zero sympathy for the website (treating the allegations as true, as the court was required to do on this motion to dismiss). I'm trying to imagine a world where customers would pay substantial fees to a "dating" site where much/most of the interaction was with automated scripts. (I also couldn't get Austin Power's "fembots" out of my mind reading this case). The silly disclaimers--that the site was for "amusement" and that paying customers should expect automated interactions--clearly weren't likely to be read by anyone who actually paid money to the site. So it seems axiomatic to me that the only people who paid should have been the people who didn't get the message.

Thus, this seems like one of those cases where the fine print ("we're just going to send you canned messages if you pay us a lot of money") is designed to completely contradict the big print ("we're a dating site"). You can't do that.

This case brought to mind the old Anthony v. Yahoo case, where Yahoo allegedly retained profiles of expired/terminated members so that it looked like it had a bigger dating pool. (Yahoo ultimately settled for up to $4M). We talk about how it can be a jungle out there for single people, but oh man, at least their dating services shouldn't be lying to them. Clearly, before you starting "dating" your dating site, you need to diligence it too.
___

Related (coverage of a recently filed class action against Match.com over an alleged excessive number of inactive or fake profiles):

"Lawsuit Claims More Than Half Of Match.com Profiles Are Inactive Or Fake" (Joe Mullin)
"Love’s Labour’s Lost in Cyberspace" (Danielle Citron/Concurring Opinions)

Posted by Venkat at 08:30 AM | Content Regulation , E-Commerce , Marketing , Spam

January 20, 2011

CA Appeals Court: Claims Under State Spam Statute Not Preempted by CAN-SPAM - Hypertouch v. Valueclick

[Post by Venkat Balasubramani with some comments from Eric]

Hypertouch, Inc. v. Valueclick, Inc., et al., B218603 (Cal. Ct. App.; Jan. 18, 2011)

A California appeals court weighed in on a long-running debate: whether CAN-SPAM preempts California's spam statute. This is a significant decision that covers a lot of ground (I think it mentions just about every major spam case), and it is sure to be appealed.

Background: Two of the seminal anti-anti-spam cases were Mummagraphics and Virtumundo. Mummagraphics said that CAN-SPAM is intended to cover material misstatements in emails and preempted contrary state laws (to the extent they imposed liability for immaterial misstatements). Virtumundo said that only legitimate ISPs that have suffered actual harm can sue under CAN-SPAM. In Virtumundo, the Ninth Circuit also rejected the plaintiff's claims under Washington's email statute. The plaintiff in Virtumundo was pushing the envelope, and it was unclear as to whether the Ninth Circuit's rejection of his state law claims was restricted to the plaintiff's fanciful claims which clearly stretched the scope of Washington's spam statute to the breaking point. Mummagraphics and Virtumundo were from the Fourth and Ninth Circuit respectively, and they left open the question of how other state spam statutes would fare, including California's, which is one of the most expansive (and important). Lower federal courts courts struggled with applying Virtumundo and Mummagraphics to the preemption question in California, and decisions were all over the place. Some courts held that CAN-SPAM's savings clause only saves state statutes that sound in traditional fraud, and since California's spam statute didn't require proof of reliance and damages, it did not fall into this category and was preempted. (Here's my April 2010 post on Hoang v. Reunion.com, a case that struggled with the preemption question: "Reunion.com Revisited Again: Claims Under CA Spam Law Not Preempted by CAN-SPAM -- Hoang v. Reunion.com.")

Factual Background: Hypertouch brought claims against Valueclick, various Valueclick subsidiaries, and PrimaryAds for violating section 17529.5 (California's spam statute). As the court describes it, Hypertouch is a small provider of email service to about 100 customers. Valueclick provides online marketing services to:

third-party advertisers who promote retail products. . . . Valueclick contracts with these third-party advertisers to place promotional offers on websites that are owned and operated by various Valueclick entities. Consumers, in turn, can visit Valueclick's websites and earn rewards in exchange for participating in the advertised promotional offers.

Valueclick contracts affiliates who "drive traffic" through methods chosen by the affiliates in their discretion. Valueclick provides the affiliates the creatives for a promotion, and the affiliates promote as they see fit (in many cases hiring sub-affiliates to effect the promotions). Valueclick alleged that it had no "knowledge of, or control over, the email delivery methods or header information used by [affiliates] or their sub-affiliates." [This is a risky admission!] PrimaryAds looks like it's similar to Valueclick - PrimaryAds operates a website which contains third party offers. PrimaryAds contracts with affiliates who download materials from PrimaryAds' website, engage in promotions (which are tracked by PrimaryAds). PrimaryAds requires its affiliates to sign agreements stating that the affiliates will comply with all laws, including anti-spam laws, in carrying out their promotion activities. PrimaryAds also alleged that it had "no control over the email delivery methods used by affiliates."

Hypertouch argued that Valueclick and PrimaryAds were advertised via emails that violated California spam statute in three ways: (1) the emails contained deceptive header information (because the from and to fields did not accurately reflect the sender or recipient); (2) the subject lines were likely to mislead recipients into thinking they would receive free stuff; and (3) the emails used third party domain names without the third party's permission. The trial court granted defendants' motion for summary judgment. The trial court held that defendants could only be held liable for emails they sent or caused to be sent (which cut out a chunk of the emails in question). The trial court also found that CAN-SPAM preempted state spam statutes which regulated misleading emails, unless the statutes covered "common law fraud or deceit." Since the claims did not cover the elements of common law fraud, they were preempted. Significantly, the court awarded defendants $100,000 in costs.

The appeals court's decision: The court reversed and ruled for Hypertouch, with an order that dramatically expands the reach of potential liability for products or companies that are advertised via email (regardless of whether they send the email). It's a blockbuster ruling for the anti-spam community.

Preemption: CAN-SPAM's preemption provision states that it preempts state statutes that regulate the use of commercial email "except to the extent that any such statute prohibits falsity or deception in any portion of a commercial email." The court acknowledges that CAN-SPAM's preemption was intended to accomplish a uniform standard for email regulation (to avoid requiring compliance with a "patchwork" of laws). The court also cites to a Senate Report that says that states laws prohibiting things like "fraudulent or deceptive headers, subject lines, or content" should not be preempted "because they target behavior that a legitimate business trying to comply with relevant laws would not be engaging in anyway."

The court disagrees with the trial court's conclusion on preemption and provides two main reasons, along with a lengthy discussion (and canvassing of the case law): (1) the language of the preemption clause does not support a finding of preemption; (2) allowing state law claims that reach misleading but not fraudulent emails would not undermine a national standard.

Hypertouch's claims survive summary judgment: Defendants argued that Hypertouch failed to put forth evidence that defendants either sent the emails or "knew" they were being sent by an affiliate in a misleading manner. The court responds that:

the plain text of 17529.5 indicates that its application is not limited to entities that 'send' the offending emails nor does it require plaintiff to establish that defendant had knowledge of such emails. Rather, the statute imposes liability on any 'person or entity' that 'advertises' in an email containing any of the forms of deceptive content described in section 17529.5 [(a)(1)-(3)].

Do the emails Violate the Statute?: Although plaintiffs asserted that the emails at issue violated three different prongs of section 17529.5, the court doesn't discuss the other two prongs, and merely focuses on the subject line prong. Section (a)(3) is the no misleading subject line prong, and the court finds that the following representative subject lines potentially violate the statute:

Get a FREE Golf Retreat to 1 of 10 destinations;

Let us know your opinion and win a free gift card;

Do you think Hillary will win? Participate now for a Visa card

In support of its summary judgment burden, Hypertouch put forth the testimony of its president (?) who says that he clicked on links in these emails and found out that in order to receive anything for free, you had to purchase something. As the court phrases it, the statute requires the subject line to mislead a recipient about a "material fact," and

if a subject line "creates the impression that the content of the email will allow the recipient to obtain a free gift by doing one act (such as opening the email or participating in a simple survey) and the content of the email reveal [sic] that the 'gift' can only be obtained by undertaking more onerous tasks . . . the subject line is misleading about the contents of the email.

1 year statute of limitations on liquidated damages claims: The California statute allows for statutory damages or actual damages. If the statutory damages are considered a penalty, then they are subject to a one year statute of limitations under California law. Hypertouch argued that statutory damages should not be subject to the one year time-bar because they are discretionary, but the court disagrees, holding that although the court has discretion with respect to the amount of damages it awards, it must award some amount of damages. Therefore, the court concludes that Hypertouch may seek actual damages for emails within three years of their receipt, but may only seek statutory damages for emails within one year of their receipt.

___

This is a big ruling on several levels.

The big practical effect is that it provides an avenue for California spam plaintiffs to seek relief under the California statute. Previous spam cases have backfired on spam plaintiffs due to over-reaching, but I wonder if the preemption argument backfired on defendants due to their over-reaching. Arguing that the preemption clause only saved claims which sounded in actual fraud was a stretch, and both Ethan and I expressed discomfort with rulings that embraced this standard. The court almost has an easy argument to knock down, and it happened to be an aggressive interpretation of the preemption clause that defendants were responsible for pushing.

The even bigger effect of this ruling is the fact that persons or entities who do not themselves send email but who are advertised in non-compliant email can now be held liable, without a showing that they knew or should have known that they were being promoted via non-compliant spam. This is going to throw a big monkey wrench in affiliate programs. Previous cases dealing with affiliate liability in the CAN-SPAM context required plaintiffs to show some sort of knowledge or facts sufficient to impute knowledge. ("Affiliate Spam Liability is Fact Question--US v. Cyberheat"; "Affiliate Liability Extravaganza".) .

In fact, the court expressly embraces a strict liability standard for affiliate liability. This is going to lead to some wacky results - for example, think of the case where a company located outside California is being promoted via email but does not know that its affiliates are emailing to California residents (the affiliates themselves may not know). All of a sudden, they find themselves subject to liability in California for violations of the California spam statute? (Does this present a section 230 issue, since neither of the defendants created the copy which allegedly violated the statute?)

The court's assessment of the substantive violations of the statute is cursory. The court tackles the subject line violations but where's the court's assessment of the violations of subsections (a)(1) (the domain name prong) and (a)(2) (misleading or forged header information prong). Setting aside the fact that the court's interpretation of the subject line prong is charitable (and aimed at protecting people who take on face value a claim via email that the recipient is getting something for free), there's no discussion from the court on how the emails violate the prong which prohibits the use of third party domain names without permission. The court similarly doesn't deal with the misleading header information prong, but Hypertouch's claims sound similar to the claims the Ninth Circuit rejected in virtumundo ("there is . . . nothing inherently deceptive in Virtumundo's use of fanciful domain names").

Interestingly, the California Supreme Court weighed on its spam statute just once. In a ruling last year in (Kleffman v. Vonage) the court held that use of random and multiple domain names even if they were intended to bypass spam filters does not violate California spam statute. ("Use of Multiple (Even Random or Garbled) Domain Names to Bypass Spam Filter Does not Violate Cal. Spam Statute -- Kleffman v. Vonage.")

Additional coverage: "C.A. Revives Action Charging Advertiser Under Anti-Spam Law" (Metropolitan News-Enterprise)
______

Comments by Eric:

This is an incredibly noteworthy opinion for several reasons.

First, published opinions on Internet law from California appeals courts are becoming rarer than a hen's tooth, so this is likely to be one of the few citable opinions by a California state court on spam issues for the foreseeable future (unless the Supreme Court takes it on appeal). As a practical matter, then, this opinion not only sets California law, but all federal courts interpreting federal law will also have to acknowledge this opinion. I anticipate this will be a heavily cited opinion in the future.

Second, the court's imposition of strict liability for advertisers promoted by spam is breathtaking. The court says "imposing strict liability on the advertisers who benefit from (and are the ultimate cause of) deceptive e-mails, forces those entities to take a more active role in supervising the complex web of affiliates who are promoting their products." Well, that's true in theory, but it's completely divorced from reality. Because of strict liability, even advertisers who undertake substantial efforts to police their affiliate network ARE STILL LIABLE FOR ANY PROBLEMS CREATED BY AFFILIATES. Maybe the court got confused about what it meant to impose STRICT LIABILITY. In reality, many advertisers won't rely on affiliates at all if they are strictly liable for what they do. I bet this court would view that as a perfectly fine outcome, but the it's disingenuous to say that strict liability will ratchet up the policing effort. A negligence standard might have done that; strict liability squashes the endeavor altogether.

For that reason, the strict liability standard for advertisers is the #1 thing (of a pretty long list) that needs to get fixed on appeal.

Venkat raised the issue of 47 USC 230's role here. I haven't had a chance to see if the issue was raised by the litigants, but my initial instinct is that an advertiser's 230 defense for ad copy written by a third party sounds pretty meritorious.

Overall, rulings like this reinforce to me how desperately we need to get states out of the business of trying to regulate the Internet. First, Congress built a structure to hold advertisers should be liable for spam violations in CAN-SPAM (a narrow liability scope, although I question the wisdom of even that). If California can impose a supplemental and much more expansive advertiser liability doctrine, Congress clearly did a crummy job with its preemption clause (so what else is new?). Second, this liability rule, if it sticks, is terrible policy destined to generate lots more of wasteful profit-seeking litigation. Third, it's unclear how California's policy would affect interstate advertising campaigns--a question we shouldn't even have to ask when dealing with Internet activities. We really, desperately, need to rethink our governance scheme that puts states in the business of regulating the Internet. IT DOESN'T WORK, and we lose a lot in the process.

Finally, a gossipy note. This is an unusual spam opinion in that it had big firm lawyers on both sides (Steptoe on the plaintiff side; Gibson Dunn on Valueclick's defense). I wonder if the court's decision to write a lengthy, detailed, footnoted and published opinion is the result of that.

Posted by Venkat at 05:22 PM | Derivative Liability , E-Commerce , Marketing , Spam

January 05, 2011

Lawyer-Spam Plaintiff Loses in the Sixth Circuit Over Allegedly Misleading DISH Network Emails -- Ferron v. Echostar

[Post by Venkat Balasubramani]

Ferron v. Echostar Satellite LLC, 09-4407 (6th Cir.; Dec. 28, 2010)

Ferron brought claims against Dish Network and its retail and marketing partners alleging that he had been deceived by the terms of email offers sent by defendants. According to defendants, Ferron's strategy was to actually sign up to receive emails which he claimed were deceptive. However, prior to receiving any emails, he allegedly called to verify the terms of Dish Network's service:

according to defendants, Ferron purposefully provided his email address to the approximately twelve satelitte dish websites from which he later received advertisements. Before he provided his email address to the websites, Ferron contacted Dish network call centers to obtain information about the terms and conditions of various Dish Network products and services. Accordingly, Ferron was aware of the terms allegedly excluded from the deceptive emails before he received them.

The trial court granted summary judgment, and the Sixth Circuit affirms in an unpublished opinion.

Ohio Consumer Protection Statute: Ferron claimed that he did not need to have been deceived personally to bring a claim under the OCSPA - it was sufficient that the emails contained objectively misleading information. The court disagrees. Citing overwhelming precedent in defendants' favor, the court concludes that a plaintiff must have been actually deceived in order to bring a claim under the OCSPA (i.e., individual plaintiffs cannot take the private attorney general route). Although Ferron argued that a ruling to this effect would foreclose legitimate claims, this argument didn't get much traction with the court:

Simply put, the only persons foreclosed by today's ruling are individuals who solicit emails from an advertiser after having researched and discovered the additional terms the advertisement allegedly excludes.

Ouch!

The Publisher Exception to the OCSPA: The Sixth Circuit also affirmed the trial court's ruling that one of the defendants (Hydra) who was a mere intermediary was entitled to the "publisher exception" to the OCSPA. As an initial matter, the court concludes that Hydra "was not involved in the creation of the . . . advertisements," and thus was precisely the type of entity who could take advantage of the publisher exception. Ferron argued that Hydra was not the type of publisher the legislature intended to fit within the exception, because Hydra received a referral fee each time a customer signed up (instead of a flat fee per ad, or a monthly fee). The court rejects this argument, reasoning that regardless of the fee structure, the publisher always has an interest in ensuring that customers respond to advertisements. Ferron also argued Hydra should not be entitled to take advantage of the publisher exception with respect to any ads transmitted by Hydra after the filing of the lawsuit. The court rejects this argument as well, since the mere filing of Ferron's complaint is not indicative of a violation of the statute (just that Ferron alleged that defendants violated the statute).

Request for Sanctions: Ferron requested sanctions on the basis that defendants did not maintain the ads in their native form (i.e., he could not click through and access the underlying links and graphics). The Sixth Circuit affirms the district court's rejection of Ferron's request for sanctions, noting that Ferron himself had the emails in question and should have saved them.
__

The court's description of the facts makes me think a section 230 defense may have been available to Hydra, not that it ended up needing it anyway.

The bigger takeaway? When it comes to spam litigation at least, courts seem more than able to ferret out what they see as unworthy claims. This is one of a long line of losses by plaintiffs who seem to have made it a part of their business to seek out and sue people to send them unsolicited email (see Gordon v Virtumundo, Mummagraphics, etc.).

A couple of days after the Sixth Circuit issued its opinion in this case, it issued its ruling in Charvat v. Echostar, a case where Ferron was counsel for the plaintiff. This case involved alleged do-not-call violations against Echostar and third parties brought by Philip Charvat, whom the court describes as not being "shy in taking on the role of private attorney general under the Telephone Consumer Protection Act" and listed him as a plaintiff in 13 TCPA lawsuits. The Sixth Circuit delves into the thorny jurisdictional issues, but ultimately ends up punting to the FCC on the interesting issue of whether Echostar could be liable for TCPA-violating calls made by third party independent contractors/affiliates. The FCC's amicus brief in this case suggests that it has an expansive (and perhaps troubling) view of such imputed liability.

Previous post: "Email Ad Network Isn't Liable for Unsolicited Email--Ferron v. Echostar"

Coverage of an earlier Ferron lawsuit: "Q1 2009 CAN-SPAM Quick Recaps"

Posted by Venkat at 02:14 PM | Content Regulation , Derivative Liability , E-Commerce , Spam

January 01, 2011

Court Rejects Constitutional Challenge to TCPA Based on Vagueness in "Prior Express Consent" Exception -- Kramer v. Autobytel, Inc.

[Post by Venkat Balasubramani]

Kramer v. Autobytel, Inc., et al., 10-cv-02722 CW (N.D. Cal.; Dec. 29, 2010)

We've blogged a bunch about cases involving defendants accused of sending text messages - none of them have resolved favorably in favor of the defendants:

"Another Court Finds that TCPA Applies to Text Messages -- Lozano v. Twentieth Century Fox Film Corp."

"Court Finds that SMS Spam Messages are Subject to the TCPA and Rejects First Amendment Defense -- Abbas v. Selling Source, LLC"

"Ninth Circuit Revives TCPA Claim--Satterfield v. Simon & Schuster"

"Cellphone Spam Violates TCPA--Joffe v. Acacia Mortgage"

This case is no exception. Plaintiff brought a putative class action on behalf of recipients of "thousands of" unwanted text messages, some of which were allegedly received after plaintiff opted out. Plaintiff settled against the named defendant (Autobytel), and the court dismissed the individual claims against Autobytel. The putative class claims against Autobytel were dismissed without prejudice, and proceeded against the remaining defendants. Defendants advanced two arguments in their motion to dismiss: (1) the Telephone Consumer Protection Act was vague in its requirement that the messages be sent without the recipients' "prior express consent"; and (2) the allegations in the complaint failed to state a claim.

The plaintiff's complaint alleged the classic transmission of messages through a list procured by or on behalf of the sender (a list which was allegedly passed on multiple times down the chain). Plaintiff alleged:

an effort to promote its automotive products to consumers, Autobytel, the proprietor of one of the nation's largest automotive referral services, through marketing partners such as LeadClick, engaged B2Mobile to conduct an especially pernicious form of marketing: the transmission of unauthorized advertisements in the form of 'text message' calls to the cellular phones of consumers throughout the nation. . . . In order to make their en masse transmission of text message advertisements economical, Defendants used lists of thousands of cellular telephone numbers of consumers acquired from third-parties. . . . Defendant B2Mobile contracted with third parties to acquire lists of phone numbers for the sole purpose of sending spam text messages on behalf of advertisers for its own monetary gain.Defendant Autobytel contracted with LeadClick, who there after contracted with B2Mobile, for the purpose of advertising Autobytel's products and services through spam text messages.

As Professor Goldman mentions in his post about Satterfield, this is exactly the sort of thing that is likely to land those who transmit mass text messages in trouble (i.e., relying on consent allegedly procured by third parties).

First Amendment Challenge: Citing the standard articulated by the Ninth Circuit in Satterfield which requires a "common sense interpretation" of "express consent," and FCC pronouncements that the TCPA applies to SMS spam, the court rejects defendants' constitutional challenge to the statute. I'm always pretty skeptical of First Amendment challenges to statutes regulating the unsolicited transmission of one-to-one communications. It wasn't a shocker that the court rejected defendants' constitutional arguments in this case.

Sufficiency of the Complaint: Defendants' challenge to the sufficiency of the complaint fared no better. Plaintiff alleged that the messages were transmitted "using equipment that . . . had the capacity to store or produce telephone numbers to be called, using a random or sequential number generator" (this was the standard articulated by the Ninth Circuit in Satterfield). Some of the defendants also contested the sufficiency of plaintiff's allegations regarding defendants' role in the transmission of the messages, but the court held that plaintiff's allegations were sufficient:

[plaintiff] stated plainly that he never consented to the receipt of such messages, and described his attempt to opt out of receiving messages from SMS code 77893, which was allegedly registered toB2Mobile. Kramer described the relationship between B2Mobile, Autobytel, and LeadClick, and the roles involved in text message advertising.

There's not a whole lot more to say about this case. It's a good reminder that relying on third party consent when you transmit unsolicited messages is risky behavior.

Posted by Venkat at 06:15 AM | Content Regulation , Spam

December 24, 2010

Deep Packet Inspection (NebuAd) Litigation: Court Dismisses ECPA Claim but CFAA Claim Continues

[Post by Venkat with comments by Eric]

Mortensen v. Bresnan Comm., CV 10-13-BLG-RFC (D. Mont. Dec. 13, 2010)

A district court in Montana hearing one of the many NebuAd "deep packet inspection" lawsuits partially granted a defendant's motion to dismiss. This lawsuit arises out of NebuAd's alleged attempt to monitor and use an end user's internet activity for advertisement targeting purposes - i.e., not using cookies or other tracking, but actually routing the communications themselves through NebuAd's "appliance." There have been a slew of lawsuits out of this practice; this lawsuit involved claims against Bresnan Communications, an Internet access provider, who is accused of letting NebuAd install the appliance for its profit.

Electronic Communication Privacy Act Claims: Bresnan first argued that it did not engage in any interception itself, so it could not be held liable under the ECPA. The court rejects this argument on the basis of plaintiff's allegation that Bresnan "allowed" NebuAd to install its device on Bresnan's network, and but for the appliance, the monitoring would not have occurred.

However, the court accepts Bresnan's argument that the plaintiffs agreed to the interception based on disclosures in the terms of service and elsewhere. The court quotes from Bresnan's "Online Privacy Notice," which says:

the equipment used to provide the service collects information . . . [including] information about . . . 'electronic browsing,' and the text of email or other electronic communications the [users] send or receive using [the] services.

The notice also references that the information that is collected will be disclosed to third parties. Bresnan's "Online Subscriber Agreement" contained similar disclosures. Finally, the court notes that Bresnan alleges that it provided customers "specific notice" and a link to opt-out from information collections.

Shockingly, plaintiffs did not contest that "they agreed, by way of Bresnan's Privacy Notice and Subscriber Agreement to the interception." (??) Instead, plaintiffs quibble with the scope of the documents in question and argued that Bresnan construes plaintiffs' consent "cavalierly." The court rejects plaintiffs' argument, and grants Bresnan's motion to dismiss the ECPA claim on the basis of consent.

Invasion of Privacy Claims: Plaintiffs brought a common law invasion of privacy claim. The court finds that the notice and disclosure (discussed above) undermines any expectation of privacy plaintiffs had in their use of the service. This ends the court's discussion.

Computer Fraud and Abuse Act Claims: Although the court rejects plaintiffs ECPA claim, the court allows plaintiffs' Computer Fraud and Abuse Claim to go forward. The court concludes (based on Bresnan's disclosures to its customers) that Bresnan's access of plaintiffs' computers had some authorization. Nevertheless, the court finds that Bresnan may have exceeded the authorization that was initially granted. The court bases this conclusion on the fact that the notices provided by Bresnan did not clearly apprise plaintiffs that "their computer settings were to be actively altered or tampered with by Bresnan." The court concludes that for purposes of surviving a motion to dismiss, plaintiffs have sufficiently alleged that:

Bresnan's act of tampering with the security and privacy protocols exceeded any authorization that Plaintiffs may have given.

The court also addresses the jurisdictional damage requirement, under which a CFAA plaintiff must show that the unauthorized access caused $5,000+ in damages. The court notes that plaintiffs' allegations of emotional distress are not compensable, since only economic losses are recoverable under the CFAA. However, the court finds that plaintiffs satisfy the jurisdictional damage threshold since they allege they were "forced to mitigate Bresnan's invasive actions by expending time, money and resources to investigate and repair their personal computer's diminished performance."

Trespass to Chattels: Finally, the court allows plaintiffs' trespass to chattel claims to go forward. With respect to the trespass claim, the court says that the plaintiffs sufficiently alleged an interference with their chattel (their computers).
__

Venkat's Comments:

This is one of many privacy lawsuits that are percolating through the courts right now. I think this one differs qualitatively from many of the others in that here, there is an allegation of improper monitoring of the contents of the plaintiffs' communications. It's one thing to surreptitiously find out what websites someone has been visiting or leak someone's unique user ID. It's another thing entirely to read their email and the contents of what they access while browsing. This is an important distinction to keep in mind. I don't think you can necessarily extrapolate a tentative result in the other cases based on this result. Apart from the damages issue (discussed below) a key unknown in the pending cases is to what extent the information that is captured or disclosed are covered by the statutes in question.

I was somewhat surprised to see little or no discussion from the court on whether the policies were presented in a "leak proof" manner, or whether the disclosure satisfied FTC standards. Was there evidence that plaintiffs could not access the service without encountering the policy? (See Prof. Goldman's post on that topic: "Clickthrough Agreement With Acknowledgement Checkbox Enforced.")

The court's conclusion on the consent issue is also somewhat perplexing, in light of the exact same judge's earlier order denying Bresnan's request to compel arbitration, which you can access here. BNA recaps the decision denying Bresnan's request to subject the claims to arbitration as follows: "A mandatory arbitration clause in an internet service provider's terms of service—which was presented in capitalized text in the ninth paragraph of the unsigned document—was an inconspicuous part of a contract of adhesion and unenforceable under Montana law."

On the other hand, if plaintiffs conceded the consent/disclosure issue, then the court did not need to get into it. [What were the plaintiffs thinking, conceding this? If you are bringing this type of a lawsuit, you have to be able to put together enough allegations of no-consent to get past the motion to dismiss stage.]

At the end of the day, if consent is going to be the basis to defend against these types of privacy claims, defendants would be well advised to really be thorough in procuring this consent. In fact, I'm surprised that Bresnan - given that it is an IAP allegedly engaging in gray area practices - didn't just secure written consent at the time it first provided the service.

I'm also surprised at the court's conclusion on the Computer Fraud and Abuse Act damage issue, given its conclusion on the ECPA issue. If it was going to split hairs on the notice and consent (as it did with respect to the CFAA claims), it could have probably done so on the ECPA claims as well. Courts often keep in claims they may otherwise dismiss if they decided that some claims are going to survive. Also, some cases construe the CFAA narrowly as requiring damage to the protected computer (or an interruption in data). It's conceivable that plaintiffs could have suffered the requisite loss (which can be aggregated in the class action context), but the court's discussion of plaintiffs' allegations made the damage allegations seem awfully light. (Two posts from Nick Akerman look at some recent CFAA dismissals and discuss the restrictive approach taken by some courts with respect to the CFAA's jurisdictional damage requirement: "Dismissal of CFAA Claim for Lack of Jurisdiction" and "Why Two District Courts Dismissed Valid Computer Fraud and Abuse Claims for Lack of Jurisdiction.")

The dismissal of the ECPA claim as opposed to the CFAA claim could have some ramifications on the damages front. Statutory damages are available under the ECPA, but not under the CFAA. For what it's worth, there's conflicting authority on the issue of whether non-economic damages are recoverable under the CFAA. (See Garland-Sash v. Lewis, 348 Fed. Appx. 639 (2d Cir. 2009) (construing the phrase "compensatory damages" - which was added to a provision of the CFAA after the DoubleClick case came down - to include damages for pain, suffering, and other emotional harms").) Even if for some reason the court decides that plaintiffs are entitled to non-economic damages, it will be interesting to see how plaintiffs prove up these damages.

The trespass claim is a bonus claim, but again, the court doesn't dig in to the damage issue with respect to common law trespass. Although the court cites to California law, the court does not discuss damage or slowdown to the machine in question as articulated by the California Supreme Court in Intel v. Hamidi (an email bombardment case) or as interpreted by the Fourth Circuit in the Omega v. Mummagraphics case.

I'm not sure how much light this ruling will shed on the many pending privacy lawsuits that involve things like surreptitious tracking, sniffing, and leakage of personal information. Damages issues aside, the ruling may highlight the importance of choice, consent, and the requirement that any disclosures or disclaimers be conspicuous, all issues the FTC seems to frequently opine on and issue reports about.

(h/t Wendy Davis)
__

Eric's Comments:

As Venkat notes, this ruling is an inconsistent mix of formalism and realism. In light of the judge's ruling last month that Bresnan made inadequate disclosures to uphold an arbitration clause, it's odd for the judge to now find that Bresnan made adequate disclosures to wipe away the ECPA and privacy invasion claims via dense/buried EULA language plus an opt-out notice; while that same consent wasn't good enough to wipe away the CFAA and Trespass to Chattels claim. The CFAA ruling on damages was also oddly formalist given the consent ruling. I respect formalist judges for being careful and methodical, but it would have been nice if this judge had been a little more aggressive about calling a spade a spade.

I am not a fan of deep packet inspection (DPI) by IAPs done on anything but an opt-in basis. We're basically back to the old battles about unwanted adware/spyware getting onto users' hard drives as part of some bundle. Sure, the adware vendors could claim user consent through a formalist reading of the contracts, but there wasn't true consumer consent, and we all knew it. I'm reminded a little of the FTC's bust of Sears for its trackware installations--Sears paid people for the installation, but the software did things far beyond anything users might have expected, even though these attributes were putatively explained deep in the EULA. If you're an IAP trying to implement DPI on an opt-out basis, bonne chance, and don't expect a lot of friends to rally around your cause.

At the same time, I'll be interested to see if the plaintiffs can marshal any true evidence of harm. If the plaintiffs are advancing a recycled version of the old, tired and completely laughable arguments that installing cookies on a user's computer creates cognizable harm, I hope this judge will quickly give them the boot they deserve. In that respect, I'm disappointed the judge didn't more aggressively police the trespass to chattels claim on the harm requirement per Hamidi. Personally, I think these plaintiffs should have been forced to put-up-or-shut-up on the harm issue early. Then again, this case came out the day before the Ninth Circuit's recent Starbucks case, but perhaps it's consistent with it.

Overall, this ruling is just another small data point in a much larger struggle over targetable consumer data. My Coasean Analysis of Marketing article doesn't directly address DPI by IAPs, but the article tells the story of how different intermediaries are fighting with each other to capture better datasets of targetable consumer behavior. After the flameout of the early 2000s model of adware, IAPs are trying to squeeze into the middle by using their more favorable position (compared to websites) to see more complete consumer data. Similarly, Facebook is trying to use tools like Beacon nee Instant Personalization to sweep up targetable consumer data from throughout the web, not just the smaller dataset it can capture at facebook.com. Meanwhile, Google is trying to move onto the desktop (the toolbar, Desktop, Chrome and its various OSes) to let it get closer to the honeypot of consumer data residing there, rather than just rely on the data it can get at google.com properties. Adware circa 2005 may be dead, but battles between different intermediaries fighting to get the good stuff is a perennial. For more, see my posts Adware is Dead and Relevancy Trumps Creepiness.

Posted by Venkat at 09:00 AM | Derivative Liability , Licensing/Contracts , Privacy/Security , Publicity/Privacy Rights , Spam , Trespass to Chattels

December 17, 2010

Domain Name Privacy Protection Services Not Liable for Failure to Disclose Identity of Alleged Spammer -- Balsam v. Tucows

[Post by Venkat]

Balsam v. Tucows, No. 09-17625 (9th Cir.; Dec. 16, 2010)

Prolific spam litigant Dan Balsam sued the registrant of [adultactioncam.com] under California's spam statute for allegedly sending Balsam thousands of pieces of spam. Balsam obtained a default judgment in the amount of $1,125,000 (!) against Angeles Technology, Inc., who was listed as the registrant of [adultactioncam.com]. Balsam was ultimately unable to recover against Angeles and then sued Tucows. His beef with Tucows was that Tucows refused to turn over the identity of the registrant of [adultactioncam.com] (when he conducted his initial search, apparently, Angeles was the registrant, but at some point later, Angeles opted into Tucows' privacy protection services). He demanded that Tucows disclose the identity of the registrant "or pay the default judgment." Tucows predictably refused, and Balsam sued, trying to hold Tucows liable. I should note that the court's description of the facts is much better than mine, although it's somewhat charitable to Balsam. The court concludes its recitation of facts by saying that "[a]lthough [Balsam's] approach is novel and creative, it cannot survive a motion to dismiss."

Balsam's main argument is that Tucows as the registrar is bound by the ICANN registrar accreditation agreement, which contains the following provision (Sec. 3.7.7.3):

A Registered Name Holder licensing use of a Registered [domain] Name . . . shall accept liability for harm caused by wrongful use of the Registered Name, unless it promptly disclosed the identity of the licensee to a party providing the Registered Name Holder reasonable evidence of actionable harm.

As the court notes, Balsam's claim against Tucows depends on his status as a third party beneficiary to the RAA agreement between ICANN and Tucows. The court concludes that Balsam is not a third party beneficiary because among other things, the agreement contains an explicit "no third party beneficiary clause," and because the agreement itself does not contain terms applicable to ICANN or any registrar - it merely provides that a a registrar must include certain terms (including this one) in its domain name registration agreements. Balsam responded that the "no third party beneficiary" clause does not relieve Tucows of its obligation as a registrant (which it or one of its affiliated entities is in name when it provides privacy protection services) but the court rejects this argument as well. Tucows entered into the agreement as a registrar, and didn't agree to bind itself as a registrant.
__

Balsam has an uphill battle arguing that the RAA creates third party rights. See Register.com v. Verio, 356 F.3d 393 (2d Cir. 2004.) (Interestingly, Register v. Verio dealt with the use of WHOIS information where Verio sent unsolicited emails to Register registered domain names advertising Verio's services.) However, more relevant to the court's discussion is a recent case involving proxy registration services - Solid Host v. NameCheap - where the court found that NameCheap could be held liable for contributory cybersquatting based on the actions of the registrant-in-fact. Here's Prof. Goldman's post on the muddled ruling in that case: "Contributory Cybersquatting and the Impending Demise of Domain Name Proxy Services?--Solid Host v. NameCheap." As he mentions in that post, it's important to be clear about who is the registrar and registrant (and in what capacity a particular entity is acting when it's providing services). He raises the issue of whether registrars will shy away from providing privacy protection services. I don't know the answer to that, and although it may be early to assess the fallout (if any) of the NameCheap case, this case seems to indicate that proxy registrars don't roll over and readily disclose registrant information absent a court order.

In any event, I don't think Balsam had a strong argument here since Angeles's utilization of the privacy protection services did not contribute in any way to the alleged harm. Although the facts aren't crystal clear, it seemed like Balsam obtained a judgment (after having determined that Angeles was the registrant) and only then did Angeles opt in to the privacy protection feature. The damage (if any) was done by the time the privacy protection feature entered into the picture. Additionally, as the district court's order notes, the Angeles lawsuit was pending at the time Tucows declined to reveal the underlying registration info - Balsam had an obvious solution (which he failed to take advantage of). He could have issued a subpoena seeking the registrant information and could have easily obtained it. There may be some set of facts under which a refusal to reveal the registrant information could support a claim, but those facts were not present here.

This also raises the issue of the appropriate response from a company who provides private registration services. The registrars have an interest in not freely disclosing registrant information absent a court order, but NameCheap suggests that in some cases, a failure to disclose may result in liability to the provider of privacy protection services. (NameCheap raised the issue of whether the registrar was acting in its capacity as registrar or in another capacity - in its capacity as registrar, it may be able to take advantage of an ACPA safe harbor. As I mentioned in my previous post about this case, Tucows may have been able to take advantage of a Section 230 defense, although ultimately it didn't end up needing to invoke the protections of Section 230, given the court's ruling.) This case indicates that courts are reluctant to freely impose liability on a registrar who provides proxy registration services, which isn't necessarily a bad thing from the standpoint of protecting registrant anonymity and privacy. A finding of possible liability in this case could have resulted in registrars getting more nervous when they receive requests for the identity of the underlying registrant.

"Contributory Cybersquatting and the Impending Demise of Domain Name Proxy Services?--Solid Host v. NameCheap"

"Plaintiff Wins $7,000 Following Bench Trial on Claims Under California Anti-Spam Statute -- Balsam v. Trancos"

Posted by Venkat at 09:29 AM | Derivative Liability , Domain Names , Privacy/Security , Spam

November 27, 2010

Junk Fax Claim Fails Due to "Established Business Relationship" Exception -- Cardinal Partners v. Fernandez Discipline

[Post by Venkat]

Cardinal Partners, Ltd. v. Fernandez Discipline, LLC, Case No. L-10-1180 (Ohio Ct. App.; Nov. 19, 2010)

Background: Toledo chiropractor Dr. William J. Houttekier II shared a fax number with Cardinal Partners (they both apparently had the same fax number). Houttekier received a fax (advertising an upcoming two day marketing seminar) sent by Fernandez Discipline, a marketing consulting firm. [It's interesting to see marketing consultants advertise their services via communications that turn out to be unwelcome. I would think this does not engender much trust in the consulting services, but that's neither here nor there.] Houttekier threatened suit but offered to settle for $3,000. The parties did not settle, and ultimately Cardinal Partners (not Houttekier) filed a class action lawsuit alleging junk fax violations.

The procedural details are murky, but it appears the trial court dismissed (or denied certification of) the class action, and Cardinal Partners appealed. While the appeal was pending, the parties both moved for summary judgment. Cardinal Partners voluntarily dismissed its appeal, and the case moved forward on an individual basis in the trial court. The trial court granted summary judgment in favor of Fernandez Discipline, on the basis that Fernandez Discipline had an established business relationship with Houttekier, who "co-used the telephone number at which [the fax to Cardinal Partners] was received."

Discussion:

Was the "established business relationship exception" defense available?: The first question was whether the "established business relationship" was available as a defense to the fax at issue. The court looks at the TCPA (enacted in 1991), as amended by the Junk Fax Prevention Act (enacted in 2005), and concludes that although it was unclear as to whether the TCPA (as implemented by the FCC regulations) provided for an "established business relationship" exception to faxes, the enactment of the Junk Fax Prevention Act cleared this up, and since the fax at issue was sent after enactment of the Junk Fax Prevention Act, the exception was available.

Did Fernandez Discipline put forth sufficient evidence to demonstrate that it was entitled to the "established business relationship" exception?: In support of its motion for summary judgment, Fernandez Disciple submitted pages from an online directory which showed that Houttekier and Cardinal Partners shared the same telephone number. This evidence was uncontested. Although there were hearsay problems with the remainder of the evidence submitted by Fernandez Discipline, the court concluded that there was enough competent evidence to show that Fernandez Discipline had an "established business relationship" with Houttekier (who had attended several Fernandez Discipline seminars). Based on this, the court affirms the trial court's dismissal of the claims.
__

The case raises two questions, which the court does not really dig into. First, who has the cause of action when people share a telephone number? Presumably, the person or entity who the number was assigned to (in this case Cardinal Partners) does. Second, if two people share a number, does consent from (or a business relationship with) one undermine a cause of action for the other?

Posted by Venkat at 09:52 AM | Marketing , Spam

November 15, 2010

Melaleuca Files Second Lawsuit Following Dismissal of its CAN-SPAM Claims

[Post by Venkat]

Melaleuca v. Hansen, Case 1:10-cv-00553 EJL (D.Idaho) (Nov. 10, 2010)

I recently blogged about the dismissal of a CAN-SPAM case by a federal district court in Idaho. The district judge adopted the magistrate judge's recommendation, and dismissed the CAN-SPAM claims for lack of standing, a belated assignment of claims, and a finding of no "adverse effect." The dismissal was without prejudice and the plaintiff appealed the order dismissing the case. ("Another Federal Court Dismisses CAN-SPAM Claims Due to Lack of Standing - Melaleuca, Inc. v. Hansen.") I expressed surprise that Melaleuca decided to appeal the order dismissing its case.

Not only is Melaleuca appealing the case, it filed a second complaint which appears to be based on the same underlying conduct. You have to just shake your head when companies do stuff like this. One the one hand, it's trying to remedy the deficiency that got it kicked out in the first place, but on the other hand, you have to wonder if the company is throwing resources at a dispute where the recovery may well eclipse any potential recovery.

In any event, Melaleuca is definitely in a disadvantageous position, procedurally speaking. The Ninth Circuit may decide that the dismissal should have been with prejudice, or that Melaleuca is estopped from arguing certain facts. The district court may stay the case, pending resolution of the Ninth Circuit appeal. The district court may impose a bond requirement. Melaleuca may be bringing claims that are now barred by the statute of limitations. Finally, in the unlikely event that the merits of the case ever see the light of day, IP Applications' claims may not turn out to be viable either. Of course, all of this presupposes that CAN-SPAM claims are assignable, which is an open question.

Aggressive litigation tactics are one thing, but this has potential to backfire.

Previous posts:

"Idaho District Court Dismisses CAN-SPAM Claims Due to Non-ISP Status -- Melaleuca, Inc. v. Hansen"
"Another Federal Court Dismisses CAN-SPAM Claims Due to Lack of Standing - Melaleuca, Inc. v. Hansen"

Posted by Venkat at 09:15 PM | Spam

Holomaxx Sues Yahoo, Microsoft, and Others for Non-Delivery of Bulk Emails

[Post by Venkat]

Holomaxx Technologies v. Yahoo!, Inc. and IronPort Systems, LLC, Case No. CV10-4926 (N.D. Cal.) [Scribd]

Holomaxx Technologies v. Microsoft Corp. and Return Path, Inc., Case No. CV10-4924 (N.D. Cal.) [Justia Page]

In what may fit under the dictionary definition of chutzpah, Holomaxx, a (CAN-SPAM-compliant) bulk emailer, sued Yahoo, Cisco (IronPort), Microsoft, and Return Path (in two different lawsuits) for failing to deliver emails sent by Holomaxx. Microsoft and Yahoo are sued for refusing to transmit the emails, and IronPort and Return Path are sued for improperly flagging Holomaxx as a spammer. Holomaxx also alleges that the defendants improperly intercepted and disclosed the emails in the course of their filtering activities.

Holomaxx alleges that it has been sending emails (in bulk) for about ten years, and it sends approximately ten million emails a day on behalf of its clients. It "requires that its clients acquire their list subscribers in accordance with the CAN-SPAM Act . . . which provides federal standards for commercial email." The complaints state that the emails sent out by Holomaxx are all compliant with CAN-SPAM and don't have the characteristics of spam: (1) the emails contain accurate transmission and header information, (2) the emails are sent through a relatively small block of IP addresses, (3) the emails contain opt-out links and allow for unsubscribing through one click, and (4) the emails contain accurate subject lines and include the physical postal address for Holomaxx or its clients.

Holomaxx alleges that the ISPs (Yahoo and Microsoft) are interested in "lowering costs at the expense of commercial . . . speech and internet communications." Holomaxx alleges that the ISPs rely on faulty spam filters which flag emails as spam "without reference to whether the email in question actually violates the CAN-SPAM Act." Holomaxx further alleges that Ironport and Return Path improperly intercepted emails transmitted through the ISPs and also improperly assigned Holomaxx low "sender reputation scores" - i.e., labeled Holomaxx as a likely spammer. Finally, the complaint alleges that the ISPs have improperly forwarded emails sent through the ISPs to IronPort and Return Path.

As a result of defendants' conduct, Holomaxx claims that its reputation has suffered, its business relationships have been disrupted, and it has lost revenues. Holomaxx asserts claims under the Wiretap Act, the Stored Communications Act, the Computer Fraud and Abuse Act, the California Wiretapping statute, and California's unfair competition law. It also asserts claims for defamation, and interference with contractual relationships. Holomaxx seeks a broad array of relief against defendants, including injunctive relief, and interestingly, disclosure of "the grounds for blocking Holomaxx's emails."

It's always tough to evaluate claims based on the complaint, but at least a chunk of Holomaxx's claims will likely face an uphill battle.

The Filtering Decision: As some who have been watching this case note, being compliant with CAN-SPAM does not mean that you have some right to force an ISP to transmit your emails. The CAN-SPAM Act states:

Nothing in this chapter shall be construed to have any effect on the lawfulness or unlawfulness, under any other provision of law, of the adoption, implementation, or enforcement by a provider of Internet access service of a policy of declining to transmit, route, relay, handle, or store certain types of electronic mail messages.

Additionally, section Section 230(c)(2) immunizes intermediaries for their good faith decisions to filter unwanted content:

No provider ... of an interactive computer service shall be held liable on account of -- (A) any action voluntarily taken in good faith to restrict access to or availability of material that the provider or user considers to be . . . objectionable, whether or not such material is constitutionally protected . . . [emphasis added]

In e360Insight v. Comcast, where e360 sued Comcast for filtering emails, the court held that section 230(c)(2) insulated Comcast, as long as Comcast's decisions were undertaken in good faith:

a mistaken choice to block, if made in good faith, cannot be the basis for liability under federal or state law. To force a provider like Comcast to litigate the question of whether what it blocked was or was not spam would render § 230(c)(2) nearly meaningless.

The Assignment of Low "Sender Reputation Scores": The claim that the assignment of low "sender reputation" scores to Holomaxx defamed Holomaxx is similarly tough. This activity may also fall under section 230(c)(2), and one case (Pallorium v. Jared) held that publishing a database of IP addresses that others may use for purposes of creating a blocklist falls under Section 230(c)(2). (Here's Professor Goldman's post on Pallorium: "Anti-Spammer Wins 230 Defense--Pallorium v. Jared.") Even in the absence of Section 230, attacking an entity who assigns a "reputation score," could present a First Amendment problem. A suit against lawyer-rating service Avvo was dismissed on the basis that "Avvo's ratings, even if generated through automated algorithms, are opinions, not facts, and thus fully qualify for First Amendment protection." ("Avvo Wins Big in Ratings Lawsuit--Browne v. Avvo.") The sender reputation scores assigned by Return Path and IronPort could very well fall into same category as Avvo's ratings.

Improperly Intercepting, Forwarding, and Disclosing Contents of Emails: The set of claims around alleged forwarding, interception, and disclosure of the emails by the ISPs are somewhat tougher to evaluate. The federal statutes governing the interception and disclosure of emails contain exceptions for these activities when they are "a necessary incident to the rendition of [the ISP's] service or to the protection of the rights or property of the provider of that service" I didn't come across any cases that discuss whether spam-filtering falls under this exception. A policy paper from the Center for Democracy & Technology [pdf] seems to indicate that "the latter prong [referencing the rights or property of the ISP] covers anti-spam and anti-virus monitoring and filtering and various anti-fraud activities . . . " Instinctively, I would think that some basic filtering would not run afoul of these federal statutes. Still, a quick search did not reveal much case law on this point. The Computer Fraud and Abuse Act claims look like losers. Accessing emails sent by Holomaxx does not equate with accessing Holomaxx's "protected computers" (unless I'm missing something).

At any rate, Holomaxx's core claims face an uphill battle. Courts don't like to interfere with filtering decisions, and here Section 230(c)(2) should apply to the basic filtering decisions of the ISPs. As to whether a part of the complaint survives, we'll see.

Other coverage:

John Levine: "How Now to Get Your Email Delivered"
The Magill Report: "Email Marketer Sues Microsoft, Yahoo, Return Path, Cisco Ironport"
Al Iverson: "Holomaxx suing Microsoft, others" & "Holomaxx Link Roundup"
TechEye: "Holomaxx sues Microsoft over mass emailing ban"

Topically related posts:

"Internet Access Provider & Blocklist Publishers Denied 230(c)(2) Immunity for Anti-Spam Efforts"
"Anti-Spyware Company Protected by 47 USC 230(c)(2)--Zango v. Kaspersky"
"7Search Sues McAfee For Red Flagging It"

Posted by Venkat at 09:58 AM | Spam

November 07, 2010

Another Federal Court Dismisses CAN-SPAM Claims Due to Lack of Standing - Melaleuca, Inc. v. Hansen

[Post by Venkat]

Melaleuca, Inc. v. Hansen, No. CV 07-212-E-EJL-MHW (D. Idaho; Sept. 30, 2010)

I blogged in June about a CAN-SPAM case in the District of Idaho involving CAN-SPAM and state law claims asserted by Melaleuca, a "multi-level marketing company," against Daryl Hansen. Melaleuca is the registrant of "iglide.net" domain name. Melaleuca provided its "marketing executives" internet access and email services "through a third-party Internet service provider." Hansen allegedly sent emails to individuals at their "iglide.net" email addresses, and Melaleuca asserted CAN-SPAM and state law claims based on Hansen's conduct. The magistrate judge (citing Gordon v. Virtumundo) found that Melaleuca was not a bona fide ISP, and as a result, recommended dismissal of the CAN-SPAM claims, and recommended that the court decline to take jurisdiction over the state law claims.

Melaleuca objected to the magistrate judge's recommendation. The district judge overrules Melaleuca's objections, and finds that Melaleuca is not entitled to bring claims under CAN-SPAM because it is not a bona fide ISP. As the court finds:

Melaleuca provides email and internet access through a third party internet service provider, IP Applications. Melaleuca does not own or operate IP Applications. Melaleuca does not have access or control over the hardware that enables internet access to iglide.net customers. Melaleuca does not control the spam filters applied to emails by IP Applications.

As such, the court finds that Melaleuca does not fall within the limited class of plaintiffs who can bring claims under CAN-SPAM. Melaleuca argued that it had obtained an assignment of claims from IP Applications, but the court notes that this occurred "after [Melaleuca filed] its complaint and before [Melaleuca filed] its response." Since standing is determined at the time of filing, Melaleuca's attempt to create standing through the assignment fails. The court also finds that Melaleuca was not "adversely affected" by the emails at issue. While the court agrees with Melaleuca that "spam 'in general' increases the cost [Melaleuca] has to pay to its ISP," the court finds that "Melaleuca has not established any direct adverse affect or additional costs" due to the emails at issue. The court also rejects Melaleuca's speculation that it somehow lost "goodwill" based on the six complaints it received due to the emails at issue.

Surprisingly, the court dismisses the CAN-SPAM claims without prejudice. I may be missing something, but as the court notes, although Hansen filed a motion to dismiss, the magistrate judge converted the motion into a motion for summary judgment and properly considered the motion under summary judgment standards. The court's determination on the no "adverse effect" issue should be conclusive, and Melaleuca should not get another shot at asserting these claims (and neither should IP Applications, since it assigned the claims to Melaleuca).

Even more surprisingly, Melaleuca is appealing this decision. I can't see the Ninth Circuit viewing this appeal with much favor. Additionally, as I mentioned in my previous post on this case, Melaleuca may have to deal with an adverse fee award, since Hansen (as the prevailing party) may be entitled to fees under CAN-SPAM.

Added: John Levine comments on this ruling at CircleID ("Yet Another Unfortunate CAN SPAM Case"). John notes an interesting quote from the court's order:

[T]he harm must be both real and of the type experienced by ISPs. While the harm need not be significant in the sense that it is grave or serious, the harm must be of significant to a bona fide IAS provider, something beyond the mere annoyance of spam and greater than the negligible burdens typically borne by an IAS provider in the ordinary course of business.

While John concludes that the judge here correctly followed the law, he finds that Ninth Circuit precedent is really the problem: "[the] unfortunate fact is that if you want to have any hope of winning a CAN SPAM case, don't file it on the west coast." I'm not so sure about this. This case is one of many (many) examples of CAN-SPAM plaintiffs going to court with flimsy damage arguments. While the line quoted by John hints at an evidentiary problem that a real CAN-SPAM plaintiff could face, the evidence in this case was clear that Melaleuca did not offer any internet access services. It contracted with a third party to do so, and then tried to assert the third party's claims relying on a belated assignment of claims. Courts have sniffed out these attempts to "create damages" time and time again. Also, it's worth noting that the seminal appeals court precedent that was unfavorable to CAN-SPAM plaintiffs came from the Fourth Circuit (in Mummagraphics), and not the Ninth Circuit. (See "Fourth Circuit Rejects Anti-Spam Lawsuit--Omega World Travel v. Mummagraphics.")

Previous post: "Idaho District Court Dismisses CAN-SPAM Claims Due to Non-ISP Status -- Melaleuca, Inc. v. Hansen."

Posted by Venkat at 09:01 PM | Spam

November 04, 2010

Spam Filter Excuse for Missing a Deadline Flies in the Northern District of Illinois -- Pace et al. vs. AIG

[Post by Venkat]

Pace et al. vs. AIG, 8 C 945 (N.D. Ill.; Nov. 1, 2010)

As the court notes in this case, 'I missed a deadline because I did not receive electronic notice of a filing' is becoming the "modern [lawyer's] version of the classic 'my dog ate my homework' line."

The court granted AIG's motion for summary judgment on March 30, 2010. The notice of appeal would have been due on April 29, 2010. After the due date, on May 27, 2010, Appellants moved for an extension of the deadline to file a notice of appeal. Initially, they argued that they never received a copy of the court's March 30, 2010 order, but they wisely changed course and blamed it on their overzealous spam filter.

Ultimately, the court grants the motion and extends the deadline, even though six lawyers were listed as counsel on the case, and a local rule requires local counsel to be responsible for receiving notices and notifying "the designating attorney of their receipt and contents." In the process of granting the extension, the court beats up on counsel for appellants, noting that "[t]here can be no doubt that Appellants are guilty of neglect in this case . . . " The court runs through the numerous other cases where courts have rejected the spam filter excuse, but finds that in many of those cases, the failure to act on an e-filed document was part of an overall pattern of lack of diligence or lack of credibility on the part of the lawyer who offered this excuse:

in the cases where courts have held attorneys accountable for failing to monitor the docket, the attorneys' neglect far surpasses the neglect conceded in this case. Unlike here, the cases cited by AIG involve situations where an attorney's malfunctioning e-mail is just one example of the attorney's overall lack of diligence. See Fox v. American Airlines, Inc., 389 F.3d 1291, 1295, 363 U.S. App. D.C. 459 (D.C. Cir. 2004) (affirming denial of plaintiffs' Rule 59(e) motion to vacate dismissal of amended complaint where counsel claimed that he never received electronic notice of defendant's second motion to dismiss even though his later filing repeatedly referred to a pending motion to dismiss and his failure to receive a timely answer to the amended complaint should have aroused his suspicion and prompted him to check the docket); Tobin v. Granite Gaming Group II, LLC, No. 2:07-CV-577-BES-PAL, 2008 U.S. Dist. LEXIS 20906, 2008 WL 723337 (D. Nev. Mar. 17, 2008) (discounting counsel's spam filter excuse where she repeatedly failed to comply with court orders, discovery obligations, and federal and local rules and routinely failed to appear in court); In re Philbert, 340 Br. 886, 891 (Bkrtcy. N.D. Ind. 2006) (rejecting spam filter excuse where counsel failed to show up for hearing on his motion to stay because "counsel knew he was initiating proceedings that had to be dealt with expeditiously," selected the deadlines for objections to his motion, and should have expected imminent activity in the case). Additionally, in some of the cases cited by AIG, courts rejected excuses like Appellants out of disbelief. See Moore v. U.S., No. S 04-0423 FCD JFM, 2005 WL 1984745, at *3 (E.D. Cal. Aug. 17, 2005), rev'd, 262 Fed.Appx. 828 (7th Cir. 2008) (rejecting counsel's spam filter excuse where "serious questions cast doubt on his explanation" and the court of appeals later found that counsel's overall non-responsiveness amounted to gross negligence); Tobin, 2008 U.S. Dist. LEXIS 20906, 2008 WL 723337, at *10 ("Even if the Court were to accept this explanation regarding the spam filter, which it does not, Plaintiff's counsel was clearly on notice that motions were pending before this Court . . ."). Unlike these cases, the Court has no reason to doubt the veracity of counsel's explanation here, which is supported by an affidavit and evidence from his firm's information technology manager.

Posted by Venkat at 12:43 PM | Spam

October 22, 2010

Former Employee's 'Email Barrage' Does Not Support CAN-SPAM or Computer Fraud and Abuse Act Claims -- Nyack Hosp. v. Moran

[Post by Venkat]

Nyack Hosp. v. Moran, 08 Civ. 11112 (SCR)(PED) (S.D.N.Y.; Oct. 20, 2010)

Moran was employed by Nyack Hospital. When the employment relationship ended he:

sent [an unspecified number of] e-mails, including a 17-page attachment, to over "100 . . . senior managers and employees [at the Hospital]" and others and misrepresented the source of the e-mails as David Freed, the president of the Hospital. The e-mails, as characterized by [the Hospital] "leaked certain aspects of an internal confidential employee survey, defamed the Hospital's reputation and the reputations of several Hospital employees . . . and urged the . . . recipients to report the alleged wrongdoings to the Hospital's Board of Trustees and the Rockland Journal News."

The Hospital sued Moran under CAN-SPAM and the Computer Fraud and Abuse Act. Moran, acting pro se, defeated the claims.

CAN-SPAM claims: The Hospital alleged that Moran violated the subject line and header information prongs of CAN-SPAM. The court concludes that because the emails were not "commercial electronic mail messages," there could be no subject line violation. With respect to the header information prong, there could be no violation unless the messages are found to be "commercial email messages" or "transactional or relationship messages." Having already concluded that the messages were not commercial in nature, the court analyzes whether the messages were "transactional or relationship messages." The Hospital made the flimsy argument that the messages were transactional or relationship messages because the messages "provide[d] information directly related to an employment relationship." The court rejects this argument, noting that the "transactional or relationship messages" were intended by the statute to be a sub-category of commercial email messages (with respect to which CAN-SPAM relaxes certain requirements). Of course, even assuming that the messages were commercial in nature, the Hospital would have had a tough time showing that it suffered any "adverse effects," a point which the court alludes to in a footnote (citing Virtumundo).

Computer Fraud and Abuse Act Claim: The Hospital alleged that Moran violated the CFAA by "transmitting information" to a protected computer and as a result of such transmission intentionally causing damage. While pre-CAN SPAM cases (e.g., AOL v. National Health Care Discount, Inc.) grappled with the issue of whether the CFAA was ever intended to cover spam, the court easily rejects the Hospital's claim on the basis that the Hospital did not allege Moran's emails caused any damage to the Hospital's computer system. In the process, the court cites to Czech v. Wall Street on Demand, a case which rejected CFAA claims based on unsolicited text messages.

The Hospital here took Moran's acts and tried to shoehorn them into CAN-SPAM and the Computer Fraud and Abuse Act. In the process, it made some arguments that were pretty far out in left field.

Claims around advocacy through email bombardment haven't fared well, absent some showing that the emails caused damage on the receiving end. Intel v. Hamidi was an email bombardment case involving a former employee where the court rejected trespass claims for failure to show damage. Intel brought common law claims, and this case is a good indicator of how CAN-SPAM and CFAA claims would have fared had Intel brought them. I recently blogged about Pulte Homes, Inc. v. LiUNA, where the court held that a union's email campaign on behalf of former employees did not violate the Computer Fraud and Abuse Act. ("Web-based Email Bombardment Campaign Does Not Amount to a Violation of the Computer Fraud and Abuse Act.") Also, as mentioned in the post about Pulte Homes, the Seventh Circuit recently vacated the district court's contempt order based on emails sent by supporters of Kevin Trudeau. ("Seventh Circuit Vacates Contempt for E-Mail Barrage.")

I didn't think the issue of whether the emails were commercial in nature was a close question. The emails were not reproduced by the court in its order, but the emails were cloaked in whistleblower language (I wondered whether an anti-SLAPP motion was a possibility). For a loosely related case on this issue (that looks at whether a [ghostwritten] attorney newsletter is an ad) see Holtzman v. Turza ("Ghostwritten Attorney Newsletter is an "Ad" for TCPA Junk Fax Law Purposes").

At the end of the day, this seemed like a garden variety employment dispute that didn't really implicate laws which cover spam or hacking. Maybe the Hospital brought the CAN-SPAM and CFAA claims in an attempt to preempt any claims which Moran had threatened to raise? It's possible that the Hospital succeeded in achieving its ultimate purpose, although it suffered a smackdown in the process.

Posted by Venkat at 12:05 AM | Spam , Trespass to Chattels

October 12, 2010

Sending Politically Charged Emails Does Not Support Disturbing the Peace Conviction -- State v. Drahota

[Post by Venkat]

State v. Drahota, 280 Neb. 627 (Sept. 24, 2010) [pdf]

Background: Drahota was a student at the University of Nebraska who corresponded via email with his political science professor Avery. According to the opinion, they "shared a passion for politics," although they apparently resided on different ends of the political spectrum.

Drahota traded 18 emails with Avery on topics ranging from "terrorism, the Bush presidency, and the Clinton impeachment." Predictably, at some point, their email exchange went south:

In early February 2006, the exchange came to a head. Drahota sent Avery a lengthy e-mail suggesting that indiscriminately massacring those living in the Middle East would save American lives after first suggesting that Democrats, including Avery, were full of hate.

Avery responded:

I am tired of this shit. You have accused me of being anti-American, unpatriotic, and having a mental disorder, among other things. I find this offensive and I will not engage in anymore of this with you. I served my country in uniform honorably for four years. How many have you served? Since you are so pure, so pro-American, so absolutely correct, and wonderfully patriotic, I suggest you sign-up for duty in Iraq right away and put all your claims to the test. But, of course, you will not do that. You, Michael Savage, and the “Chicken Hawks” in the Bush Administration don’t have the guts!!

Of course, Drahota felt compelled to retort:

Fuck you! You don’t know me one bit. You are a liberal American coward. If it were up to you, you would imprison Bush before bin Laden because you have such a fascination with it. I am tired of your brainwashing students who are in the process of molding their minds. I spent 18 months in Pensacola Florida before I was honorably discharged for a neck injury. You can go fuck yourself if you are going to get that way. I’d kick your ass had you said that right in front of me, but YOU don’t have the guts to say that. If you think you do, just try me. You have done nothing for this country, but bad things in recent years. Once again, if you have the courage to say that to my face, I’ll let you do it, but don’t you EVER talk anything about the military with me. We call you people turncoats and I’ll be dammed if I’m going to take that kind of disrespect from someone who is so clueless as to my military background. As long as we’re on the topic, how many years did your hero Clinton serve? You contradict yourself so much that I want to puke. Your website is also a farce. You lie so much and don’t show the true you. I guess, you’re a politician. You’ve really pissed me off.

Drahota later apologized. Apparently, he didn't get back into good graces with Avery, who asked Drahota to not contact him again. In June, Drahota sent Avery two other emails. He sent the emails from averylovesalqueda@yahoo.com. The first email asked whether Avery was sad that Al-Zarqawi was killed in Iraq, and the second email (with the subject line that said "traitor") informed Avery that a friend of Drahota thought Avery was a "Benedict Arnold," in light of Avery's support for Michael Moore, the ACLU, and John Murtha. The closing sentence of this email said that "Libs like [Avery] are the lowest form of life on this planet."

Upon receiving these emails, Avery contacted the police department, who traced the emails to the house of a woman with whom Drahota was living. When confronted with this fact, Drahota admitted to sending the emails. He was charged with disturbing the peace, and fined $250.

The Court's Decision: The Nebraska Supreme Court held that Drahota could not be convicted of breach of the peace for sending the emails, on the basis that regardless of whether the words inflicted emotional injury, the proper test was whether the words would tend to provoke an immediate violent reaction. Here, the court held that the emails would not tend to provoke such a reaction, because the parties were engaged in an "ongoing political debate," in the context of which, both parties had made "provocative statements." The court also noted that at the time of the emails, in addition to being a teacher, Avery was also running for office, which brought Drahota's emails into the realm of political speech. At the end of the day, the circumstances did not support a conclusion that the emails would have provoked an immediate violent reaction in Avery, because among other things, he did not even know who sent the emails or where to find the author.

The State belatedly raised another argument at oral argument (which it left out in its brief). It argued that Avery had the "right to be let alone" after he asked Drahota to stop emailing him, and since Drahota sent emails after Avery's request, regardless of the content, the emails constituted a breach of the peace. The court disagreed, and rejected the State's argument that Rowan v. Post Office Dept. supported its position. Rowan is a case from the 1970s which involved a federal statute that allowed a homeowner to request a vendor to remove his or her name from a mailing list if the homeowner found the material sent by the vendor to be sexually provocative. [Is there anyone out there would not support a statute like this that would let you ban mail order catalogs from your mail box?] The Supreme Court upheld this statute against a challenge brought by bulk mailers. The court in Drahota distinguished Rowan primarily on the basis that there was no Nebraska statute in place like the one at issue in Rowan. Further, the statute in Rowan merely allowed the government to enforce the homeowner's preference "and had no part in deciding what was objectionable." According to the court, in contrast to Rowan, in the present case, the decision of whether the communications were objectionable where left in the prosecutor's hands, who enjoyed the discretion to bring a prosecution for a breach of the peace. [Rowan also mentions the quasi-physical intrusion associated with receiving unwanted mail.]
__

As Professor Volokh - who represented Drahota - notes, the decision is not remarkable as a matter of First Amendment law ("Nebraska Supreme Court Decision on Offensive E-Mails"). One point that was interesting was the court's conclusion that the emails could not rise to the level of fighting words because the recipient in this case was far removed physically from the sender. The court says this is because Avery did not even know who sent the emails, but I'm guessing he figured this out pretty quickly. Some of the commenters at the Volokh Conspiracy raised the question of whether emails can ever constitute fighting words. I don't know the answer to this question, although some decisions hold (right or wrong) that repeated unwanted emails can result in liability for harassment. In answering the question, I think it's worth distinguishing harassment or stalking from a "breach of the peace," which is what Drahota was charged with here.

[Physical proximity seems to be a big factor in our views on whether electronic communications can constitute fighting words. However, we may want to keep in mind the story of the woman who supposedly traveled 200 miles to try to kill an internet commenter: "Woman Travels 200 Miles, With Gun in Hand, to Kill Mean Internet Commenter." No comment as to whether this is reasonable or typical.]

On a related note, I happened to listen to the oral argument in Snyder v. Phelps, the funeral picketing case. Some of the discussion focused on the posting of videos online. As Dahlia Lithwick notes in Slate:

Justice Stephen Breyer—who has had a good deal to say about the Internet and incitement and free speech and balancing tests in recent weeks—also wonders whether the interesting part of this case is the handful of signs at Matthew Snyder's funeral, which Albert Snyder never saw, or the television broadcasts and Internet postings that followed. And so he's off: "Do you think that a person can put anything on the Internet? Do you think they can put anything on television, even if it attacks, say, the most private things of a private individual?"

I haven't followed the case closely (other than in the news), so I can't say whether the Supreme Court will squarely address the issue of how the internet postings will figure into whether the funeral protesters can be held liable for their speech, but I thought it was worth noting that it came up during the argument.

Congrats to Professor Volokh, whose involvement in the case was, coincidentally, the result of an email.

Added: I forgot to mention the "Twitter joke trial" case from the UK, where Paul Chambers was convicted for "sending a menacing message over a public telecommunications system" based on the following tweet:

Crap! Robin Hood Airport is closed. You've got a week... otherwise I'm blowing the airport sky high!

He is appealing is conviction. You can check out details about the case at the "Jack of Kent" blog ("Why the Paul Chambers Case Matters") and at the New Statesman ("A brief guide to the Twitter Joke Trial").

Posted by Venkat at 10:36 AM | Content Regulation , Spam

September 26, 2010

New York Court Dismisses Putative Class Action Brought Under California Spam Statute -- Bank v. Hydra Group, LLC

[Post by Venkat]

Bank v.Hydra Group LLC, 10-CV-1770 (JG) (E.D.N.Y. Sept. 24, 2010)

Todd Bank brought a putative spam class action against Hydra Group. The court dismissed the lawsuit for lack of subject matter jurisdiction.

Bank alleged that he received three pieces of spam:

[the] subject lines all contained the phrase “ATTN: Your Auto Insurance Renewal Reminder,” but the bodies contained only advertisements for an auto insurance broker.

Claiming that his was one of a million pieces of spam sent out by defendant Hydra Group, Bank styles his lawsuit as a class action. (But see footnote 1 of the order, where Bank admits this number is based on his "'general knowledge' of the industry.") Hydra Group, which is headquartered in California, brought a motion to dismiss for lack of personal jurisdiction and for failure to state a claim. The court on its own motion raises the issue of subject matter jurisdiction, and dismisses the lawsuit for lack of subject matter jurisdiction.

Bank asserted the Class Action Fairness Act of 2005 (which requires the amount in controversy to exceed five million dollars) as the basis of subject matter jurisdiction. However, the statute he sued under had a cap of $1 million per “incident.” (Cal. Bus. & Prof. Code § 17529.5(b)(1)(B)(ii) (“A person or entity bringing an action . . . may recover . . . [l]iquidated damages of . . . up to one million dollars ($1,000,000) per incident.”).) The statute defines incident as “a single transmission or delivery to a single recipient or to multiple recipients of an unsolicited commercial e-mail advertisement containing substantially similar content.” Bank argued that the cap was a limit on the recovery per plaintiff and not an aggregate cap on a defendant's liability. The court disagreed:

First, if the liability-limiting provision is interpreted as Banks suggests it should be, it would rarely, if ever, limit a plaintiff’s recovery. A plaintiff would have to receive more than 1000 unsolicited messages of substantially similar content from the same defendant in a single transmission to trigger the provision. On the other hand, if the provision is read as a cap on a defendant’s per-incident liability, it would be triggered more frequently -- whenever a defendant sent more than a thousand messages of substantially similar content in a single transmission, whether the messages went to one recipient or many more.

Furthermore, the statute evinces an intent to limit a defendant’s liability even further if the defendant has made efforts to comply with it. In the case of a defendant that has “established and implemented, with due care, practices and procedures reasonably designed to effectively prevent unsolicited commercial e-mail advertisements that are in violation of this section,” the statute limits liquidated damages to $100,000 per incident. Id. § 17529.5(b)(2). This reduced cap would provide far less of a reward, and therefore far less of an incentive, for defendants to avoid sending spam if, instead of limiting a defendant’s total liability for each transmission, it merely limited the amount a defendant had to pay to each plaintiff. For this reason as well, the damages provision is best interpreted as a limit on total liability rather than individual recovery.

At first glance, this may seem like a harsh turn of events for a pro se plaintiff. However, Bank is far from the typical pro se plaintiff who is typically accorded some leeway by courts -- he is a lawyer. In a previous case, Bank (or someone who shares his name, including his middle initial) tried to assert a section 1983 claim in federal court based on a state court judge's denial of his request to wear jeans and a hat in court: "Lawyer Has No First Amendment Right to Wear Hat in Court, Federal Judge Decides."

Throwing out the dispute on subject matter (rather than personal jurisdiction) grounds, kicks the lawsuit out of the federal system. In the process, the court expresses some skepticism at Bank's claims for damages:

I have difficulty conceiving of a statutory provision, concededly intended to limit liability in at least some cases, that nevertheless fails to operate in this case -- thus permitting the recovery of $3 billion in damages for the receipt of misleadingly labeled insurance advertisements. The inartful drafting of the provision is no justification for such a bizarre result.

Added: In 2008, Bank suffered a loss in the Second Circuit, which affirmed the dismissal of his claims under the Telephone Consumer Protection Act: "2nd Circuit Rejects Lawsuit Over Unsolicited Fax Ads." (h/t @LearnedElbow)

Other cases involving subject line claims under California's spam statute:

Email Header Information Claim Preempted by CAN-SPAM, But Subject Line Claim Not Preempted -- Asis Internet Servs. v. Member Source Media, LLC

Reunion.com Revisited Again: Claims Under CA Spam Law Not Preempted by CAN-SPAM -- Hoang v. Reunion.com

Posted by Venkat at 10:21 AM | Spam

September 22, 2010

Reunion.com Back to District Court -- Hoang et al v. Reunion.com Inc

[Post by Venkat]

Hoang et al v. Reunion.com Inc., Case No. 08-cv-03518-MMC (N.D. Cal.)

Reunion.com is a spam case that's generated some blog fodder, to say the least: "CAN-Spam-a-Friend?--Hoang v. Reunion.com," "Reunion.com Revisited," and "Reunion.com Revisited Again: Claims Under CA Spam Law Not Preempted by CAN-SPAM." In the last round, the trial court reconsidered its prior orders and decided that the claims asserted by plaintiffs under California law were not preempted by CAN-SPAM.

Reunion sought to appeal this order. Denials of motions to dismiss are not typically appealable, but here Reunion sought and obtained an order from the district court certifying the court's most recent order (denying Reunion's motion to dismiss) for immediate appeal. Reunion then sought permission in the Ninth Circuit to have the appeal heard. The Ninth Circuit recently issued an order declining to hear the interlocutory appeal. This means that the case is now back in Judge Chesney's court. Judge Chesney also granted Reunion's request to stay discovery pending the appeal to the Ninth Circuit. As a result, the case is now just getting under way, a full two years after it was first filed! It's also worth mentioning that one of the two lawyers representing plaintiffs withdrew. I wouldn't read anything into this, but I only mention it because I mentioned this firm in a previous post, as having represented defendants in spam lawsuits (who happened to be on the plaintiffs' side in this case). [Correction: one of the lawyers working for one of the firms on the plaintiffs' side is no longer working on the case. I misread this and thought one of the firms withdrew. My mistake, and thanks for the heads up!]

Posted by Venkat at 12:01 PM | Spam

September 10, 2010

Veteran Spam Plaintiff Abandons Spam Lawsuit -- Asis Internet v. Subscriberbase

[Post by Venkat]

Asis Internet Servs. v. Subscriberbase, 2010 U.S. Dist. LEXIS 93518 (N.D. Cal. Sept. 8, 2010).

Asis is a veteran spam plaintiff, whose lawsuits have generated a fair amount of blog fodder. (See, for example, posts here, here, and here, discussing Asis lawsuits.) In May of this year, it suffered a bit of a setback when a federal court awarded approximately $800,000 in attorneys' fees against it: "CAN-SPAM Plaintiff Slammed With $800K Attorney Fee Award."

It had at least one spam lawsuit ongoing at the time, and it recently moved to dismiss its lawsuit against Subscriberbase with prejudice. The court granted the motion, but retained jurisdiction over the lawsuit, in case Subscriberbase (the defendant in this lawsuit) wanted to argue that Asis's litigation was "abusive." We'll see what happens in this case, but this certainly seems like the end of the road for Asis's litigation efforts. It acknowledged the $800,000 attorneys' fees award against it and argued that it "can no longer afford to prosecute the [lawsuit against Subscriberbase]," because the attorneys' fees award previously assessed against Asis "threatens to place Asis in either bankruptcy or corporate dissolution."

Another plaintiff (represented by the same lawyers) did not move to dismiss and presumably will continue to prosecute the case.

Posted by Venkat at 01:35 AM | Spam

August 24, 2010

Ghostwritten Attorney Newsletter is an "Ad" for TCPA Junk Fax Law Purposes--Holtzman v. Turza

By Eric Goldman

Holtzman v. Turza, 08 C 2014 (N.D. Ill. Aug. 3, 2010)

This case is a unremarkable straight-down-the-middle analysis of when editorial content becomes a regulated ad, which in turn makes it a remarkable case. Most editorial-content-as-ad cases have quirky hooks that undercut their broader applicability.

The defendant is an Illinois lawyer. The court says:

In August 2006, he hired Top of Mind Solutions, LLC ("Top of Mind") to create and distribute by fax and email one-page documents titled the "Daily Plan-It" to a list of persons supplied by defendant. Defendant's target list included a combination of contact information he purchased from the Illinois CPA Society and numbers he obtained from business contacts and students.

Top of Mind issued 41 versions of the Daily Plan-It on defendant's behalf, every two weeks, from August 2006 to March 2008. All 41 versions include a masthead with the words "The `Daily Plan-It'" in italicized, bolded, and underlined text. "Gregory P. Turza, JD" appears just below the masthead along with the date, volume and issue number of the document. Beneath this title, the page is divided into two columns that contain an editorial article offering advice about various topics. Each article runs the length of the left column of the page and concludes in the middle of the right column....

The content of each Daily Plan-It was created entirely by Steven Patrick Riley ("Riley"), Top of Mind's owner. Defendant did not contribute to the editorial content. At the end of each article, in the lower right corner, defendant's name is listed (in a font larger than any other type on the page, with the exception of "The `Daily Plan-It'"). He is identified as an attorney and counselor at law, and the words "estate planning," "post mortem administration," and "business succession planning" appear before his name. Each fax also includes two or three graphic images: defendant's business logo, a photo of the building in which defendant has his office, or a head shot of defendant. Also included are his business address, telephone and fax numbers, e-mail address, and website address. At the bottom of the fax the document repeats defendant's name and phone number. This "identifying information" occupies approximately 20 to 25 percent of total area of the fax.

Three things stand out from this recitation of facts:

* it was bad form to buy a list of fax numbers and start blasting fax messages every 2 weeks. I've repeatedly noted that I think the days of buying email lists are long dead. Buying fax lists strikes me as an even worse idea.

* it's interesting to think that a lawyer would rely upon a vendor to generate editorial copy that goes out under the lawyer's name. The facts don't indicate if Turza reviewed and approved the content before it went out. I don't use ghostwritten material; I usually even extensively rewrite co-authored material.

* while the content's marketing intent is clear and unmistakable, the newsletter's substance is also unambiguously editorial content however broadly or narrowly we conceive of it. The law doesn't handle editorial-content-as-marketing overlaps very well, unfortunately.

The court applies the FCC's interpretation that faxed editorial newsletters aren't regulated advertising so long as any advertising content in the newsletter is "incidental," which in turn depends on whether the ad is a "bona fide informational communication." As you can see, the quest for synonyms doesn't really advance the analysis; it just shows that if you don't know how to parse between ads and editorial content, synonym proliferation tries to mask that fact (unsuccessfully, I might add).

The court concludes that the newsletter is regulated advertising. The court appears to focus on the sender's intent: "the record is replete with evidence demonstrating that the primary purpose of defendant's agreement with Top of Mind was to generate awareness of defendant's services and build his client base." The court continues: "defendant has provided no facts to show that his genuine, primary motivation in paying Top of Mind to distribute the Daily Plan-It was to educate CPAs and his business contacts on various industry-related topics rather than to build brand recognition and solicit business referrals for his law practice."

To me, this suggests the case would have been much harder if the editorial content hadn't been ghostwritten because the newsletter's educative intent would be clearer. Nevertheless, the court's sender-payoff-oriented standard--"to generate awareness of defendant's services and build his client base"--is unworkable because those payoffs are exactly what most professional service providers seek every time they publish editorial content.

UPDATE: Carolyn Elefant has more to say about this case.

Posted by Eric at 03:30 PM | Marketing , Spam | TrackBack

July 26, 2010

Facebook's Anti-Spam Filter Blocks Legitimate Conversations about Power.com

By Eric Goldman

On Friday, Venkat and I posted about the latest ruling in Facebook v. Power.com. After Venkat or I make a blog post, I typically post the blog headline and URL to Twitter. I have enabled the app that makes my Twitter posts into my Facebook status reports as well, so the headline and URL on Twitter should automatically propagate to Facebook. On Friday, I tweeted the following:

"Blog Post: Important ruling on California's anti-computer trespass statute--Facebook v. Power.com http://bit.ly/bM7hQT"

However, I noticed that the Twitter-to-Facebook app didn't work properly and the headline didn't appear. So I tried to manually enter the headline and URL and got this message from Facebook:

"This message contains blocked content that has previously been flagged as abusive or spammy. Let us know if you think this is an error."

I do think that's an error, and I reported the problem through Facebook's automated reporting tool on Friday. Not surprisingly, I still haven't gotten a response to that. But I was baffled how my headline and URL could have been "flagged as abusive or spammy." Who flagged it? Why?

After a little more experimentation, I discovered that every instance of the character string "power.com" is blocked in Facebook. Therefore, every time I put "power.com" into my status reports or in comments to those status reports--even if it's the only content in the post/comment--I get the "blocked content" message. However, it's easily avoided; I can post "power . com" (notice the spaces before and after the period) just fine. Basically, Facebook is using a very dumb word filter.

I emailed my PR contacts at Facebook about this. They pointed to their anti-spam filter and this blog post from June. The blog post explains that "we've been working to improve our warnings and make them more clear" and that "people misunderstand one of these systems. They incorrectly believe that Facebook is restricting speech because we've blocked them from posting a specific link."

So this is where things have gone wrong. Facebook told me it has blocked Power.com because "we found that Power was spreading links to its pages in a way that violated our Statement of Rights and Responsibilities. For example, when a Power user accessed Facebook, Power would automatically create an event on Facebook (typically called 'Power.com Party' or something similar) without the person's knowledge or permission. It would then send invitations to all of the user's friends." Fair enough, and I'm glad Facebook is trying to keep its system safe for users.

However, Facebook's dumb word filter block means that every reference to "power.com," even if it's in plaintext and not linkable, is still treated as a link and therefore is blocked as well. The messaging then disparages the plaintext reference as "blocked content that has previously been flagged as abusive or spammy" when, in fact, a link to the URL, not the plaintext reference I made, has been flagged. So much for clearer error messages.

I pointed out to Facebook's spokespeople the difference between a plaintext reference to a company's name ("Power.com") and a spammy URL/link. Their response? "Spammers turning their malicious urls into plain text is the oldest trick in the book. Not blocking all of the variations of a bad URL leaves a gaping hole."

There is a kernel of truth to this, of course. A plaintext URL is not materially different from an active hypertext link--if the user chooses to cut-and-paste the link into the browser (or right-clicks on it, or whatever). However, Facebook's method of blocking spammy links by blacklisting every instance of the character string actually has the effect of blocking *every* discussion of a blacklisted company with the name [noun].[tld]. Because the main word in the name is a noun (e.g., "Power"), referencing the name without the TLD can lead to semantic ambiguity. However, the system prevents me from using the complete name (Power.com) because it can't distinguish between a link and a plaintext reference to a company's name that acts as a URL. I received a private email that another Facebook user encountered a similar block with the string seppukoo.com, the Facebook suicide tool.

In my case, the net consequence is that Facebook automatically blocks any conversations involving the string "power.com"--including my headline to my blog post--and provides an error message telling me that I am posting spammy/abusive content when I try to make the posting, which makes me feel like I did something wrong. With all of the bright engineers at Facebook, I bet they could figure out a way to more precisely tune the filter so that a plaintext reference to [noun].[tld] gets through while active links to that URL, or more fulsome plaintext URLs, remain blocked.

That is, assuming Facebook actually wants to enable Facebook users to talk about Power.com or Seppukoo.com or other enterprises that threaten the Facebook franchise. Frankly, I haven't seen much evidence of Facebook's interest in those conversations. In light of Power.com's antitrust challenges against Facebook, the fact that Facebook's system suppresses legitimate conversations about Power.com (whether it had a censorious intent or not) struck me as particularly noteworthy.

Posted by Eric at 10:33 AM | Content Regulation , Domain Names , Privacy/Security , Spam | TrackBack

July 02, 2010

Idaho District Court Dismisses CAN-SPAM Claims Due to Non-ISP Status -- Melaleuca, Inc. v. Hansen

[Post by Venkat]

Melaleuca, Inc. v. Hansen, Case No. CV 07-212-E-EJL-MHW (D.Id; June 29, 2010)

A federal magistrate judge in the District of Idaho dismissed spam claims brought by Melaleuca, Inc., in a (recommended) decision that's not particularly noteworthy, except for the fact that it's a carbon copy of Gordon v. Virtumundo.

Background: Hansen was an "independent marketing executive for a multi-level marketing company called ITV." Melaleuca was and is engaged in a similar business. Melaleuca "encourages its customers to become marketing executives by referring family and friends to Melaleuca to purchase its products and allowing them to earn commission on any orders made by the referred individuals." (Sounds Amway-like, from what little I know of Amway, but that's neither here nor there.) Hansen sent out emails while working for ITV inquiring as to whether the recipients "would be interested in hearing about a new business opportunity." Some of his emails were sent to Melaleuca marketing executives.

Melaleuca used an email service called "iglide.net," through which it provided email services to its customers. Melaleuca also used an ISP called "IP Applications," through which it provided internet access to its customers. It did not have control over (or even access to) the hardware that enabled the internet access. According to the court, Melaleuca was a customer of IP Applications and iglide.net, and simply made the services provided by these companies available to its customers.

Discussion: The court holds that Melaleuca did not fall under the definition of an "internet access provider," citing to the fact that Melaleuca did not play more than a "nominal role" in providing internet-related services. The court also finds that even if Melaleuca falls under this definition, it could not maintain claims under CAN-SPAM because it was not "adversely affected." In Virtumundo, the court noted that Congress intended private CAN-SPAM plaintiffs to be able to sue only when they suffer the type of harm that is "uniquely encountered by IAS providers." Typical consumer harm - such as calling technical support and having to undergo the inconvenience of deleting unsolicited emails - did not suffice. Melaleuca did not put forth evidence that it required hardware upgrades or even more bandwidth due to the emails at issue (or as a result of increased spam in general). No luck for Melaleuca.

Melaleuca argued that it obtained an assignment of claims from its ISP, but the court found that the assignment could not rescue Melaleuca's claims. The assignment occurred more than a year after the case was filed. (The precise nature of the relationship between Melaleuca and the ISP is unclear, but if nothing more, the assignment shows that they are friendly parties.)

The court declines to address Hansen's preemption arguments as to the state law claims, leaving those to be addressed in state court. While Melaleuca has another shot at its state law spam claims, it may have to contend with some sort of adverse fee award, which the court may well award to Hansen.

Posted by Venkat at 11:30 AM | Spam

June 21, 2010

Use of Multiple (Even Random or Garbled) Domain Names to Bypass Spam Filter Does not Violate Cal. Spam Statute -- Kleffman v. Vonage

[Post by Venkat]

Kleffman v. Vonage Holdings Corp., Case No. S169195 (Calif. Supreme Ct.; June 21, 2010)

The California Supreme Court issued its opinion in Kleffman v. Vonage, a case certified from the Ninth Circuit. The California Supreme Court held that the transmission of "commercial e-mail advertisements from multiple domain names for the purpose of bypassing spam filters" does not violate California's spam statute. Kleffman was a putative class action, and in bringing claims based on the transmission of accurate emails from multiple domain names, plaintiffs tried to stretch the bounds of California's spam statute to the limit. The California Supreme Court - citing preemption, among other considerations - rightly rejected the arguments brought by Kleffman.

Background: Kleffman sued in state court, alleging that the transmission of emails on behalf of Vonage through domain names such as 'superhugeterm.com,' 'formmycompanysite.com,' 'ursunrchcntr.com,' and 'urgrtquirks.com' violated section 17519.5(a)(2), a provision of California's spam statute which prohibits the use of "falsified, misrepresented, or forged header information." Vonage removed to federal court (in the Central District of California). The Central District dismissed the lawsuit without leave to amend, finding that Kleffman's failure to allege anything misleading about the emails doomed the claims, and the claims were preempted anyway. Kleffman appealed to the Ninth Circuit, which certified the following question to the California Supreme Court:

Does sending unsolicited commercial e-mail advertisements from multiple domain names for the purpose of bypassing spam filters constitute falsified, misrepresented, or forged header information under Cal. Bus. & Prof. Code § 17529.5(a)(2)?

Discussion: The court starts out the discussion by noting a fact that to me starts and ends the discussion:

There is . . . no dispute . . . that the domain names used to send Vonage's e-mail advertisements . . . actually exist and are technically accurate, literally correct, and fully traceable to Vonage's marketing agents.

There's another case that turned a similar issue - Mummagraphics, covered by Professor Goldman here: "Fourth Circuit Rejects Anti-Spam Lawsuit." In that case, "the . . . header information [for the emails] incorrectly indicated that the e-mails originated from the server 'FL-Broadcast.net,' and [] the messages' 'from' address read cruisedeals@cruise.com, although that e-mail address was apparently non-functional' but the court says that these mistakes are immaterial because the 'e-mails at issue were chock full of methods to 'identify, locate, or respond to' the sender or to "investigate [an] alleged violation' of the CAN-SPAM Act." The court held that these immaterial errors do not state a claim under CAN-SPAM, and to the extent state law allows claims under these facts, it would be preempted. It's hard to see if the claims in Mummagraphics failed, how Kleffman's claims would be viable.

Kleffman tried to argue that the term "misrepresented" in section 17529.5(a)(2) should be construed with reference to other unfair business practices-type statutes, namely, the notoriously amorphous section 17200. According the Kleffman, the spam statute should cover not only header information that is deceptive, but also header information that's "likely to deceive." The court finds that Kleffman's argument is untenable as a matter of statutory construction (the specific provision of the spam statute uses the term "misrepresented," and does not use the term "misleading"). Second, the header information prong, which uses the term "misrepresented," can be contrasted with the subject line prong, which actually uses the term "misleading," and which the court implies has a much broader reach. The court also notes that there's a specific section in California's spam statute which speaks to the use of multiple domain names (17529.4), but section 17529.5(a)(2) says nothing about the use of multiple domain names. Finally, the court notes that the construction urged by Kleffman presents a huge preemption problem (citing Virtumundo).

___

It's nice to see the California Supreme Court come out on the right side on this one. That said, it's painful to see that the dispute had to be litigated through three different courts to achieve a clear answer. This is one of those arguments that anti-spam plaintiffs often make that is out in left field. At least there's some case law to point to in answer to these arguments.

Where does this leave us? In California at least, subject line claims continue to be viable under the broad "likely to mislead" standard. Header information claims, on the other hand, will be much harder to bring. As long as you don't violate any other rules in registering the domain names or acquiring the recipient's email addresses, sending emails from multiple (albeit accurate) sources is not a violation of either federal or state spam laws.

[corrected to note that the decision came to the Ninth Circuit from the Central District of California and to make a few edits (reversed "misrepresented" and "misleading")]

Posted by Venkat at 10:13 AM | Spam

June 15, 2010

Judge Kocoras Cuts Down $11MM Award Against Spamhaus to $27,000 -- e360 v. Spamhaus

[Post by Venkat]

e360 Insight, LLC v. The Spamhaus Project, (N.D. Ill June 11, 2010)

e360 v. Spamhaus is one of these cases that's been around so long it feels like an old friend. A few years ago, e360 got some press for winning an eleven million dollar damage award against Spamhaus. In a less heralded development, following a bench trial on damages, last week a district judge modified e360's damage award down to only $27,000 on its tortious interference and defamation claims. I'm not sure what it is about spam that spawns wasteful litigation, but this is yet another example of a lengthy spam dispute which consumed a lot of resources but which ultimately ended with a whimper.

Background: e360 is (was) a company that provided marketing services (including email marketing) to its customers. Spamhaus is a company which maintains a list of alleged spammers and provides "blacklisting" services. In 2006 Spamhaus "listed e360 and [its principal] Linhardt as being involved in transmitting unsolicited email, colloquially referred to as 'spam.'"

e360 sued Spamhaus alleging claims for tortious interference and defamation. Spamhaus, which is located in the UK, initially appeared, but then "withdrew both its counsel and its answer." The court entered default in late 2006. e360 then moved for default judgment, relying on the declaration of its executive, David Linhardt. The declaration stated that Spamhaus's actions resulted in the cancellation of three contracts e360 had with customers, and the loss of the opportunity to work with prospective customers. e360 claimed a total in damages of $11,715,000, and the district judge awarded this amount.

Spamhaus then appealed, challenging jurisdiction, service, and pretty much everything else. The Seventh Circuit rejected most of Spamhaus's challenges, but found that "a more extensive inquiry" was required on the damages issue. So the case came back to Judge Kocoras for a determination of damages.

Damages: Despite litigating the case vigorously up to this point, when it came to damages, e360 seemed to muster a lot less energy. According to the court, e360 was "slow to provide information requested by Spamhaus . . . [and] missed several [d]eadlines." I'll spare readers a detailed discussion on damages, but the court's take can be summed up as follows:

The unreliability of [e360's] approaches is unmistakably demonstrated by the profound differences in claimed damages profferred at various points during these proceedings. Finally, it strains credulity that a company that made only a fraction of the profits [e360] asks for over the course of its five-year lifespan would have garnered profits in the amounts [e360] set out in [its] testimony or documentary evidence. The profit and loss statement [e360 provided] sets out the company's overall profits at $332,000. . . . .

At the time of default judgment, the damages claimed were $11,715,000. During discovery, Exhibit 5 was proffered reflecting damages of $135,173,577. At trial, proffered Exhibit 5(a) showed damages of $122,271,346. During final argument, the claimed amount was $30,000,000.

Note to plaintiffs: if your damages estimates vary by more than $100M from one iteration to the next, chances are you're not going to get any.

Everyone has their own calculus for when and how far to litigate a dispute, but a case that spanned almost four years and a Seventh Circuit appeal and which resulted in a final judgment of $27,002 doesn't sound like a particularly good outcome for the plaintiff. If you're wondering where the odd two dollars came from, the court awarded nominal damages on the tortious interference with prospective economic advantage and defamation claims. The court declined to award injunctive relief.

Spamhaus had a viable Section 230 argument here, but this argument got lost in the procedural quagmire. Section 230(c)(2) protects filtering judgments and insulates "action taken to enable or make available to information content providers or others the technical means to restrict access to material [that the provider or user considers to be obscene, lewd, lascivious, filthy, excessively violent, harassing, or otherwise objectionable]." (See Professor Goldman's post discussing Pallorium v. Jared, a California state appeals court case where the court held that a publisher of list of IP addresses for open relays could not be held liable. See also Zango v. Kaspersky.)

The decision contains a detailed discussion of the volume of emails transmitted by e360, and which customers many emails were sent on behalf of. Ironically, through litigating this dispute, e360 caused to be memorialized in a court order, facts about its email practices (and the email marketing industry in general) that I'm guessing it would prefer not be in the public eye. Two facts jumped out at me from the order. First, e360 sent out 6.6 billion (!) emails through the course of its five year existence. Second, there were some familiar faces among the list of its customers: SmartBargains and Optinbig.

Posted by Venkat at 02:09 PM | Spam

May 20, 2010

CAN-SPAM Plaintiff Slammed With $800K Attorney Fee Award -- Asis Internet v. Optin Global

[Post by Venkat]

Asis Internet Servs. v. Optin Global, Inc., et al., Case No. C-05-05124JCS (N.D. Cal. May 19, 2010)

A federal court granted a request for attorney's fees (in the amount of $806,978.84) against prolific CAN-SPAM plaintiff Asis Internet. I thought things were looking good for Asis - whose lawsuits have generated substantial blog fodder - when it recently obtained a 2.5 million dollar default judgment in a spam case. I don't know the details of Asis's financial situation, other than the fact that it's a small ISP that once argued a bond should not be imposed against it due to its financial situation. At the least, this fee award will take some spring out of its step. More importantly, it stands as a warning to CAN-SPAM plaintiffs everywhere.

The court's order contains a good summary of the procedural history of the case. In 2008, the court granted summary judgment in favor of Azoogle, finding that Asis lacked standing and there was insufficient evidence for a reasonable jury to conclude that Azoogle "procured" the emails in question. Asis then moved for fees. The court denied the fee request without prejudice, but awarded costs ($34,825.24). Asis appealed both the summary judgment order and the cost order to the Ninth Circuit. The Ninth Circuit summarily affirmed. (Here's my blog post on that Ninth Circuit ruling.) Although the Ninth Circuit affirmed both the summary judgment order and the cost order, it didn't comment on the proper standard to be used for awarding costs in CAN-SPAM cases. Asis urged a plaintiff-friendly approach that is used in civil rights cases. Azoogle argued that the more neutral Fogerty standard (which is used in copyright cases) was appropriate.

The court finds the Fogerty standard to be appropriate and grants Azoogle's request for attorney's fees and costs. Azoogle also filed a Rule 11 request for sanctions along with its request for fees. The court awards the fees and costs under CAN-SPAM and doesn't make a finding as to whether Rule 11 sanctions are appropriate:

the Court concludes that while Asis may not have acted out of bad faith in initiating litigation against Azoogle, it at least acted unreasonably. Even assuming Asis might have reasonably believed when it initially named Azoogle as a defendant that it would establish standing - a question that turned on an as-yet unresolved issue of law - there was never any evidence that Azoogle sent or procured the emails on which Asis based its claims. Rather it is apparent that Asis sued Azoogle based on little more than speculation that there might be a connection between those emails and Azoogle. Asis then continued to litigate even as its discovery efforts turned up no evidence in support of its claims against Azoogle. Having initiated over 20 similar actions, and sued over 20 defendants in this action alone, an award of attorneys' fees here is necessary to deter Asis and other plaintiffs hoping to profit under the CAN-SPAM Act from casting such a wide net. [emphasis mine]

Ouch! The court also cites to Gordon v. Virtumundo, where Judge Coughenour awarded Virtumundo $110K in fees and costs. Finally, the court finds that expert fees are unavailable under CAN-SPAM, and declines to award the $105,435 in expert fees which Azoogle requested.

Asis's filings in response to Azoogle's fee request provide a window into the approach frequently taken by Asis and other spam-plaintiffs. Despite being unable to marshal sufficient evidence to withstand summary judgment on the core issues, Asis maintained that it shouldn't be hit with a fee award because the emails at issue "were 'clear violations' of the CAN-SPAM Act." (??)

As reported by Ken Magill in 2009, Gordon (the plaintiff in Virtumundo) lost more than his spam case - he lost his house ("Anti-Spammer Loses More than His Lawsuit"). I expect Azoogle will be fairly aggressive in its collections efforts here. Only time will tell as to whether Asis will suffer the same fate as Gordon. Regardless, this is definitely a wake-up ruling for CAN-SPAM plaintiffs everywhere.

Posted by Venkat at 10:52 AM | Spam

May 19, 2010

Web-based Email Bombardment Campaign Does Not Amount to a Violation of the Computer Fraud and Abuse Act -- Pulte Homes, Inc. v. LiUNA

[Post by Venkat]

Pulte Homes, Inc. v. Laborers' International Union of North America, et al. (E.D. Mich.) (May 12, 2010)

Background: Pulte Homes, "the largest new home builder in the United States" terminated eight employees. Defendant Laborers' International Union of North America (LiUNA) is a labor organization that represents workers in the construction industry. LiUNA claimed that seven of the eight employees were fired for expressing support for LiUNA. Plaintiff alleged that in response to the terminations LiUNA began a "targeted effort to sabotage and interrupt" plaintiff's business operations. Plaintiff argued that LiUNA's email campaign was a violation of the Computer Fraud and Abuse Act (sections 1030(a)(5)(A), 1030(a)(B), and 1030(a)(C)):

Defendants have encouraged LiUNA supporters to inundate Plaintiff with mass quantities of phone calls and e-mails . . . . LiUNA's website featured a 'call to action,' which provided a pre-typed e-mail voicing opposition to Plaintiff's alleged termination of employees for supporting the union. This e-mail was pre-addressed to Plaintiff and allowed users to send it to Plaintiff with the click of a few buttons.

The Court's Ruling:

Unlawful transmissions: The unlawful transmission prong of the CFAA requires the transmission of information as a result of which the defendant "intentionally causes" damage to a protected computer. The court dismissed this claim because plaintiff failed to allege that LiUNA's email campaign caused any appreciable damage to plaintiff's computer system.

Unauthorized access: The unauthorized transmission prong of the statute requires intentional access "without authorization," along with resulting loss. The court concludes that LiUNA did not "access [plaintiff's] computer under the CFAA merely by leaving a voice-mail or sending an e-mail." The court rejects plaintiff's attempt to rely on an older AOL spam case (AOL v. National Health Care Discount, Inc.) where the Northern District of Iowa held that the transmission of bulk email through AOL's servers could constitute a violation of the CFAA. (The court there expressed serious reservations as to whether the Computer Fraud and Abuse Act even covered unsolicited bulk emails: "it is not clear that a violation of AOL's membership agreements results in 'unauthorized access.'") The AOL case was decided pre-CAN-SPAM, and as the court recognized, stretched the bounds of the Computer Fraud and Abuse Act. It's tough to conclude that sending an email to an email address that's designed to receive emails from the general public constitutes "unauthorized access" under the Computer Fraud and Abuse Act. AOL argued that mass emails were "unauthorized," because they were a violation of AOL's terms of service, but this argument suffers from the same problems that any terms of service-based Computer Fraud and Abuse Act claim suffers from.

[Anyone engaging in this sort of a mass email campaign may want to stagger the emails or otherwise take steps to minimize potential damage or slowdowns to the recipient's servers. Where there's no damage or slowdown, courts are reluctant to find liability.]
__

This case is reminiscent of Intel v. Hamidi, another case involving a departing employee who was sued for sending mass emails. In Hamidi, the California Supreme Court held that the departing employee could not be held liable under a trespass to chattels theory because the emails he sent did not damage Intel's servers. As in this case, in Hamidi, the plaintiff seemed more concerned about the content or peripheral effects of the emails, rather than any effect the emails had on plaintiff's servers.

Related:

The case also brings to mind the contempt order slapped on "television-pitchman" Kevin Trudeau. Trudeau was a defendant in a case brought by the FTC who exhorted "his radio and web followers to deluge U.S. District Judge Robert Gettleman with e-mail" in an attempt to persuade the judge to side with Trudeau in the FTC proceeding. Judge Gettleman found that this interfered with his administration of justice, and sentenced Trudeau to 30 days. That decision is on appeal to the Seventh Circuit. (See coverage from Wired's Threat Level blog here.)

Another union activity case which Prof. Goldman blogged about recently (in that case, involving trademarks) is Cintas v. Unite Here ("Union Organizers' Activist/Gripe Sites Don't Support Trademark Claims").

UPDATE FROM ERIC: This case also vaguely reminds me of the Utube v. YouTube lawsuit, where Utube claimed that YouTube was trespassing its domain name because people were lousy spellers.

Posted by Venkat at 11:28 PM | Privacy/Security , Spam , Trespass to Chattels

May 11, 2010

Internet Access Provider & Blocklist Publishers Denied 230(c)(2) Immunity for Anti-Spam Efforts

By Eric Goldman

Smith v. Trusted Universal Standards in Electronic Transactions, Inc., 2010 WL 1799456 (D.N.J. May 4, 2010)

It's usually a drag to read opinions in pro se lawsuits. Most of the time, the litigant gets flattened mercilessly. Occasionally, however, the judge bends over backwards to give the litigant the benefit of the doubt. Either way, the opinions are messy and untrustworthy.

This case fits that description. The judge says he can't figure out the facts from the complaint. but here's his best guess. It appears that Smith is a Comcast Internet subscriber. Comcast blocked his outgoing mail twice because he was allegedly sending spam. When pressed why it thought Smith's emails were spam, Comcast pointed the finger at IronPort (owned by Cisco), who in turn pointed the finger at Spamhaus. Smith then filed a "Consumer Watchdog" complaint against Comcast with TRUSTe (misnamed as the lead defendant).

Independently, Microsoft put Smith's email server on its Frontbridge blocklist. Smith separately filed a TRUSTe complaint against Microsoft for that. Smith ultimately decided to sue TRUSTe, Comcast, Cisco and Microsoft for 8 different legal violations in one big litigation fiesta.

Smith's claims go nowhere. The court dismisses all of them with leave to amend the complaint, so the story turns out largely happily for the defendants. Unfortunately, the plaintiff does get one more chance, and he even attached a massive 404 page (!) draft amended complaint. (Note: this is 404 pages, not a 404 error, although it certainly is an error). The court reminds the plaintiff that the rules require a short and plain statement of the claims.

Along the way, the court reaches a decidedly defendant-unfriendly conclusion by rejecting Comcast's, Cisco's and Microsoft's 230(c)(2) defense, the statutory immunity for online filtering decisions--and the often overlooked cousin of 230(c)(1) which I have blogged about many times. Worse, the court reaches its conclusion in the face of several clearly applicable precedent cases. In my opinion, this is an example of how Smith's pro se status causes the court to be overly cautious…to the point of reaching the wrong result.

The court starts off right by concluding that spam could qualify as "otherwise objectionable" content under 230(c)(2) (cite to e360insight v. Comcast). Doing a light ejusdem generis analysis, the court says "nothing about the context before or after that phrase limits it to just patently offensive items."

However, Comcast is denied 230(c)(2) on a motion to dismiss because Smith alleged that Comcast acted in bad faith. In support of this, Smith alleged that Comcast told him that they didn't mind his emails, but he just needed to upgrade to a more expensive subscription. The court says if this is true, "Comcast was not concerned that people were receiving large quantities of emails, or concerned about the content of the emails, but rather was concerned that Plaintiff had not purchased a sufficient level of service. This is not a good faith belief that the emails were objectionable, but rather a belief that they violated a service agreement."

This is a garbled statement at best. What I think the court was trying to say is that Comcast had a pink contract that allowed spam if the user paid enough money, and Smith hadn't gotten a pink contract. If so, then I can see the court's point that Comcast is being duplicitous arguing that spam is objectionable content because Comcast's assessments could be bought.

I was uncomfortable with the court's almost off-hand reference that "One would expect that if an interactive computer service had acted in good faith, it could and would come forward with the legitimate basis for its actions when questioned (though the Court is not suggesting they must do so)." First, as the court notes, this is a motion to dismiss, so Comcast can't proffer new evidence. Second, this is a burden-shift. As regular readers know, I believe 230 is an immunity against suit, not an affirmative defense, so the plaintiff has the burden to show why the service provider did not possess the requisite subjective good faith when making its filtering decision. It's not Comcast's responsibility to prove its own subjective good faith beliefs. (How does one prove those in any case?)

Cisco and Microsoft both published blocklist-type information. They try to fit into 230(c)(2)’s statutory definition of "access software providers," which requires them to show that they "provide or enable computer access by multiple users to a computer server." This issue was litigated in the Zango v. Kaspersky case, where Kaspersky distributed anti-spyware software that phoned home for new definitions. The Ninth Circuit said that the phone home feature satisfied the statutory requirement. In contrast, the court appears to say that pure blocklist publishers (i.e. those who do not distribute accompanying software with a phone home capacity) do not; this reading effectively kicks blocklist publishers out of the statute.

As the court acknowledges, this conclusion seemingly conflicts with the 2004 OptInRealBig decision, where the court held that IronPort as a blocklist publisher qualified for the statute because it was a user of an interactive computer service. The court doesn't explain why IronPort doesn't still qualify as an ICS user except to say that IronPort didn't make the requisite showing. The court also does not note that the OptInRealBig case was a 230(c)(1) decision (not a 230(c)(2)) because IronPort republished third party reports, and that should have applied here as well. The court also does not address the extensive 230(c)(1) precedent effectively treating online content publishers (which would include blocklist publishers) as "users" of ICSs, ranging from Barrett v. Rosenthal to the implicit conclusion in Novins v. Cannon.

More specific to 230(c)(2), the court doesn't explore either Pallorium v. Jared or MAPS v. Black Ice (an old 2000 case), both of which arguably contradict this particular conclusion in the 230(c)(2) context. Thus, because the court did not engage the applicable precedent, was overly solicitous to a pro se litigant, and knew that its discussion was dicta because it was ruling for the defendants anyways, the court chunks the analysis.

For more on 230(c)(2), see my 230(c)(2) talk notes from last summer.

One other noteworthy aspect of the ruling. Smith alleges that Comcast breached its privacy policy, but the court dismisses the contract claim because he doesn't show any loss from the alleged breach. This is yet another case holding that merely breaching a privacy policy isn't an actionable contract breach without more. See, e.g., the cited JetBlue case.

UPDATE: John Levine provides some perspectives about what might have happened.

Posted by Eric at 10:37 AM | Content Regulation , Derivative Liability , Privacy/Security , Spam | TrackBack

May 05, 2010

Asis Internet Awarded $2.5mm on CAN-SPAM Claims -- Asis Internet v. Rausch

[Post by Venkat]

Asis Internet Servs. v. Rausch, Case No. 08-03186 EDL (N.D. Cal.) (May 03, 2010)

Asis Internet was recently awarded summary judgment on its CAN-SPAM claims which it brought against a business known as "Find a Quote." Although not technically a default judgment, the defendant against whom summary judgment was entered did not respond to Requests for Admission (or otherwise participate). This may blunt the value of the ruling. Regardless, Asis certainly hit the jackpot, at least on paper.

Facts: Some facts about Asis and the case:

- it has "just under 1,000 internet access and email customers"
- four employees
- it receives 200,000 spam emails a day
- it costs Asis approximately $3,000 per month to "process" spam emails
- it maintains agreements with Postini, Falcon Knight and other vendors
- it brought claims based on 24,724 emails
- the emails were received "first on its filtering services . . . then transferred, processed and stored . . . "

Asis issues RFAs to defendant Heckerson, who failed to respond. Asis sent a follow up letter which also prompted no response. The court deems the facts that are the subject of the RFAs admitted and grants summary judgment.

The Court's Ruling:

Standing: The court concludes that Asis has standing. Unlike Gordon from Virtumundo, Asis actually has assets and provides a service, even if it's to a small group of people. (Gordon's "service appeared to be limited to using a control panel via an ordinary Internet connection through an ISP to set up email accounts . . . he had a nominal role in providing internet services.")

Adversely Affected: On the question of whether Asis was adversely affected, the court acknowledged that while Virtumundo did not decide whether there needed to be a "direct causal link" between the emails and harms, the court stated that there must be some sort of showing of relationship between the email and the harm (or that the emails contribute in the larger sense to ISP-type harms). Asis satisfied this element by showing that it paid $3,000 per month to "process" spam, it experienced network slow downs, its employees spent time assisting customers with the spam issue (22 hours), and Asis lost customers and revenue.

The CAN-SPAM Claims: Asis had included questions in its RFAs which pretty much went to the core question of whether defendants violated CAN-SPAM. The court relied on these facts. By failing to respond to the RFAs, Heckerson admitted that he "knew his affiliates were sending or hiring others to send commercial electronic mail advertisements with misleading information." He also admitted that he engaged in "a pattern and practice of using spammers to acquire sales leads." (Asis has litigated the affiliate liability issue before, and lost, against Epic Advertising (formerly Azoogle). See this article from MediaPost discussing the summary judgment ruling against Asis, where the court also found that Asis lacked standing.)

Damages: The damages were the most interesting part of the ruling. Asis sought $3,090,500.00 in damages (!) The court looked to the ruling in Facebook's case against Sanford Wallace where Facebook was awarded $711,237,650.00 for 14 million emails (or violations). The court also looked to the recent Tagged case where the court awarded Tagged $25 per violation for a total of $151,975. (The Tagged lawsuit drew this humorous response: "The Supreme Court of Irony Investigating Tagged.com Lawsuit.") The court found the Tagged scenario more analogous and awarded Asis $25 per violation of section 7704(a)(1) and $10 per violation of section 7704(a)(2), for statutory damages of $865,340.00. [The court briefly notes that it's not considering the issue of whether the statutory damage award would violate due process.]

The court also found that Asis put forth persuasive evidence that it is entitled to treble damages. First, it put forth evidence that defendant had to have engaged in harvesting emails because defendant obtained the names of email account holders, and the names or customer information attached to the emails did not exist anywhere else. This satisfies one of the aggravating factors under section 7704(b)(1)(A), entitling Asis to treble damages under 7706(g)(C). Asis also puts forth evidence that defendant used automated scripts to create email accounts from which it sent spam messages. This is an aggravating factor under section 7704(b)(2).

When all is said and done the court awards Asis a whopping $2,596,020.00.
___

This is more or less a default judgment so it's tough to know what to make of it. There are probably collectability issues lurking in the background that could turn this into a pyrrhic victory.

The fact that Asis "received the emails first on its filtering service operated by Postini, then transferred, processed and stored the emails on its server . . . " is interesting. So Postini does a fine job filtering out the spam received by Asis (maybe spam is not the grave $2.5 million problem Asis claims?). And Asis actually moves the messages from the spam filter to its own folder where the messages are "processed"? This brought to mind Judge Gould's concurrence in Virtumundo, which talked about how the common law "did not develop remedies for people who gratuitously create . . . circumstances that would support a legal claim and act . . . with the chief aim of collecting a damage award."

Either way, Asis deserves credit for soldiering on.

Posted by Venkat at 03:40 PM | Spam

May 02, 2010

Email Header Information Claim Preempted by CAN-SPAM, But Subject Line Claim Not Preempted -- Asis Internet Servs. v. Member Source Media, LLC

[Post by Venkat]

Asis Internet Services v. Member Source Media, LLC, No. C-08-1321 EMC (N.D. Cal.) (April 20, 2010)

Yet another CAN-SPAM preemption ruling, this one is also from the Northern District of California and it also involves veteran spam plaintiff Asis Internet! Of the recent decisions that have grappled with whether CAN-SPAM preempts the California spam statute I think this one gets it most right.

Background: Asis brought claims under CAN-SPAM and section 17529.5 (one provision of California's spam statute) alleging that it received email sent by Member Source Media which had misleading header information and subject lines. The court dismissed the CAN-SPAM claims based on standing and now looks at whether the state law claims are preempted by CAN-SPAM.

The Court's Ruling: The court acknowledges that Virtumundo did not address the precise issue before the court "i.e., whether a plaintiff must plead reliance and damages in order for its state law claim to be saved from preemption." To resolve this question, the court looks to Judge Conti's ruling in the Subscriberbase (which also involved Asis Internet) where Judge Conti found that a plaintiff was not required to plead the fraud elements of reliance and damages in order to escape CAN-SPAM preemption. (Here's my previous post covering the Subscriber base ruling.) The court in this case is persuaded by Judge Conti's reasoning, and similarly concludes that "Asis need not plead reliance and damages in order for its claim to be excepted from preemption." However, the court notes Congress's concerns about "frivolous lawsuits and the scope of plaintiffs allowed to bring suit against email advertisers." The court also gives a nod to Judge Gould's concurring opinion in Virtumundo which expresses concern that allowing anyone to sue could result in the creation of "litigation factories," which Congress obviously did not intend. With this background in mind, the court turns to the specific header and subject line-based claims brought by Asis.

Header Claims: Asis argued that Member Source violated the header information prong of the California statute by sending emails from domain names such as "greenthe.com," "consumerbargrewards.com," and innocenttruthrevealed.com" Asis argued that it had to undertake a WHOIS search to find out where the emails came from, and many of the domains were registered through privacy protection services so these searches came up empty. Finally, Asis argued that certain internet protocol addresses used by the emailers were obtained through false representations because "the purported sub-lessee of the IP addresses, Frank Peters, provided a mailing address and Asis' investigation indicated that no Frank Peters resided at the address."

The court finds that these claims were similar to the claims brought by Gordon -- i.e., they were premised on "technical and immaterial . . . header deficiencies". To the extent Asis argues that domain names must somehow clearly identify Member Source, these claims are preempted under CAN-SPAM. The court contrasted Asis's claims with the claims brought against Reunion.com, which another Northern District judge found were not preempted. In the Reunion.com case, the plaintiff argued that the emails purported to come from a friend or acquaintance but they actually came from Reunion. In contrast, in this case, there was nothing inherently misleading about the header information so the court rejects these claims.

Two quick notes here. First, Professor Goldman previously blogged about US v. Kilbride, a criminal case where the court cited to the use of privacy protection services as supporting the government's case that the defendants violated the header information prong of CAN-SPAM. It's nice to see the court reject (or give nothing more than a passing reference to) Asis's argument that the email headers were somehow misleading under California law because proxy registration was used. Second, I'm not sure what's up with plaintiffs repeatedly making arguments that "fanciful" or "random" domain names can't be used to send emails. There's nothing in CAN-SPAM (or any other spam statute) that says you can't register a bunch of domain names that don't incorporate the name of your company to send out emails. Companies do this (legitimately) all the time. To me, this whole line of argument shows how much plaintiff's are trying to stretch spam laws when bringing claims. Kleffman v. Vonage is another case (certified from the 9th Circuit to the California Supreme Court) where plaintiffs make this argument, and Value Click filed a nice amicus brief [scribd link] that persuasively lays out why this argument is untenable.

Subject Line Claims: The subject line claims were based on subject lines such as "Wal-Mart 500 Dollar Gift Card Inside," and "Second Attempt: $500 Target Gift Card Inside." The court found these claims fall under the garden variety deception category (in contrast to the header information claims) and were not preempted.

End Result: The court finds the header information claim preempted and dismisses this claim with prejudice. The subject line claim is not preempted, and the court declines to exercise supplemental jurisdiction over this claim (Asis can pursue it in state court if it chooses to refile).

The court notes that this case has been going on for over two years. I wonder if Member Source will seek fees, which are available under CAN-SPAM. Fees were awarded against Gordon, the Virtumundo plaintiff. Asis in one of its own filings expressed concerns about its financial situation. It has lost a bunch of rulings over the years, but surprisingly, I haven't seen much about people trying to seek fees against it.

N.D. Cal Rejects Preemption and Standing Defenses Against Claims Under CA Spam Statute -- Asis Internet Servs. v. Subscriberbase Inc. (April 1, 2010)

Posted by Venkat at 08:12 AM | Spam

April 23, 2010

Beverly Stayart Strikes Again! This Time, Stayart Sues Google

By Eric Goldman

Stayart v. Google, Inc., 2:10-cv-00336-LA (E.D. Wis. complaint filed April 20, 2010)

I've previously blogged about Beverly Stayart (a/k/a Bev Stayart) and her mockable lawsuit against Yahoo. She has repeatedly declared that she is the only Beverly Stayart / Bev Stayart in the world and that her name--due to the cachet she has built up from being a quality human being--is being used to peddle sex-related pharmaceuticals. She lost her first foray against Yahoo on 47 USC 230 grounds but nevertheless is trying again.

Now, she has launched another effort to defend her name—this time she is suing Google for similar concerns. (Like we couldn't see that coming!). She objects to the fact that Google Suggest prompts searchers on "bev stayart" to search for "bev stayart levitra." (para. 13). Anticipating a 47 USC 230 defense, she argues (para. 15) that Google Suggest represents first party editorial content that drops out of 230 coverage. The complaint also seems to raise the question of whether selling a personal name as a keyword trigger constitutes a publicity rights violation; but the complaint does not appear to evidence any understanding of broad matching, i.e., that a search for "bev stayart levitra" will deliver Levitra-related broad-matched ads for reasons having nothing to do with Bev Stayart. (See this recurring defect in paras. 90-109).

(Note: this prompted me to check out a search for "eric goldman levitra." My first result, from www.hosmersoda.com, looks pretty sploggy to me, but there's no way I'm going to click on these links!!!)

Some unsolicited advice for Bev Stayart: stop suing search engines, and stop running vanity searches on the search engines. Life is too short to fret about sploggers!

Two final notes: Bev's attorney is, once again, Gregory A. Stayart, her employer and presumably a family relation. Also, searches for "Bev Stayart" and "Beverly Stayart" are worth a look—I can’t recall other search results quite like that.

Posted by Eric at 09:29 AM | Derivative Liability , Publicity/Privacy Rights , Search Engines , Spam | TrackBack

April 20, 2010

Spammer Convicted on Wire Fraud Charges -- United States v. Diamreyan

[Post by Venkat]

United States v. Diamreyan, 09-cr-0260 (JCH) (D. Conn.) (April 16, 2010)

Earlier this year Okpako Mike Diamreyan was found guilty of wire fraud. The district court recently denied his motion for judgment of acquittal.

Diamreyan "was charged with devising a scheme to defraud known as an 'advance fee.'" As the court describes it, this is a "scam . . . where a person asks an individual to pay an advance fee in order to obtain a larger sum of money, which the individual [victim] never receives."

The government presented evidence that defendant used a Yahoo email account (miklymyx@yahoo.com) for over ten years, and presented evidence of emails sent to victims, telephone calls made, and wire transfers which were initiated by the victims.

The stories about Diamreyan's purported identity, the amount of money available, the reason it was tied up, the money needed to free it, and the name of the contact person changed from email to email, but the overall scam was the same. Frequently, Diamreyan would include his phone number (one of those listed on his visa application) in the email and ask people to contact someone by a different name at that number. For example, in one email, Diamreyan told the email recipient that he was in Sierra Leone, and his family's $23.4 million was on consignment at the airport. He then asked the recipient to contact the airport director, Rev. Dr. Richard Camaro, to release the money from this consignment.

Defendant's arguments in favor of a judgment of acquittal did not end up carrying the day.

Two things about the case struck me. First, people who respond to these emails (from miklymyx@yahoo.com, no less) and transfer money to complete strangers in the hopes of receiving more money do in fact exist. Second, the amounts transferred were nominal. In this case, the amounts were between $50 and $250. (I'm curious as to what the government will end up arguing as a loss amount for sentencing purposes. I'm sure it will present some sort of projection of how much money defendant must have gained.) [Update: one of the filings contained a spreadsheet [link] which listed amounts transferred to defendant and to third parties. The amounts were more than "nominal".]

Here's the press release from the US Attorney's Office: "Federal Jury Finds Nigerian Citizen Guilty of Charges Related to Internet 'Advance Fee' Fraud Scheme." According to the press release he faces up to 20 years and a fine of up to $250,000. [I don't have a good frame of reference, but this seems absurdly high.] Also, not to make light of the plight of the victims, but you would think the government has bigger fish to fry?

Related: Two interesting radio programs on those who take matters in their own hands when dealing with internet scammers: (1) Xeni Jardin on NPR's Day to Day: "Scam-Baiters' Turn Tables on Would-Be Cons"; and (2) This American Life -- Act two of Episode 363 ("Enforcers"): "Hanging in Chad." Both programs reference "419 Eater", a website that documents "scambaiting" (scamming the scammers).

Posted by Venkat at 10:34 AM | Spam

April 16, 2010

Reunion.com Revisited Again: Claims Under CA Spam Law Not Preempted by CAN-SPAM -- Hoang v. Reunion.com

[Post by Venkat]

Hoang v. Reunion.com, No. C-08-3518 MMC (March 31, 2010)

Reunion.com is a long-running case that's been blogged extensively by Ethan and others. A group of plaintiffs who received emails through Reunion's alleged "invite your friends whether you like it or not" program sued under California spam laws. They alleged three claims: (1) a subject line claim that the emails misleadingly said "[Your friend] is looking for you"; (2) a from line claim that the from lines of the emails contained an email address (e.g., edmorphic@yahoo.com) through a domain that the sender did not have permission to use; and (3) a from line claim that the emails misrepresented that they were from specific individuals (i.e., friends), rather than from Reunion.

The Court Dismisses the Amended Complaint: The court (in December 2008) dismissed the amended complaint on the basis that CAN-SPAM preempts all but "torts" involving misrepresentations. Plaintiffs failed to allege that they relied on any of the misleading statements in the emails to their detriment so they failed to state a claim under state law. The court cites to CAN-SPAM's legislative history, noting that CAN-SPAM's preemption clause was designed to ensure a "national standard," and thus only laws that touch "fraud or deception" would be left surviving under the preemption clause. As an alternative argument, the court found that plaintiffs lacked standing to sue in federal court.

[The complaint asserted state law causes only but is in federal court under the Class Action Fairness Act of 2005.]

The Court Reconsiders Its December 2008 Order: The latest order (issued on March 31, 2010) focuses on Gordon v. Virtumundo, a 9th Circuit case many thought would sharply curtail spam litigation. (Prof. Goldman's post: "An End to Spam Litigation Factories?--Gordon v. Virtumundo".) The court "reads [Virtumundo] as implicitly finding [that the Washington email] statute was intended to confer standing based solely" on receipt of emails. [The discussion about Virtumundo and standing is somewhat confusing to me.] Ultimately, the court concludes that in light of Virtumundo, in order to have standing under state law, a spam plaintiff need not allege reliance and actual damage.

The court tackles preemption next. The court relies on the presumption against preemption (citing Virtumundo) and relies on CAN-SPAM's legislative history to find that the plaintiffs' claims against Reunion are not preempted. The court's order almost reads like an opposition brief to its earlier order. The court concludes that "plaintiffs' failure to allege they relied to their detriment on the alleged false statements in defendant's emails does not constitute a ground for dismissal of their claims."

Finally, the court addresses defendant's materiality argument. The court compares the misstatements in Virtumundo to the misstatements here. In Virtumundo, the plaintiff complained that he received emails from addresses such as "Criminal Justice@vm-mail.com," while in this case, plaintiffs allege they received emails which appeared to be sent from people they knew. Given these differences, at least at the pleading stage, the court could not conclude that the misstatements were not material.
__

What to Make of the Latest Reunion.com Order?

1. Ethan's posts are good reading for background: "CAN-Spam-a-Friend?--Hoang v. Reunion.com" and "Reunion.com Revisited". Judge Chesney's most recent order vindicates his view.

2. It's tough to figure out the current state of CAN-SPAM preemption. One way of looking at it is that Mummagraphics and Virtumundo involved claims based on state email statutes for emails that were not misleading. Reunion.com emails, on the other hand, are arguably misleading. (Are reasonable people really misled by "your friend is looking for you" emails?) The big question is: where is the line? Of course, email marketers would benefit from having a bright line which they can adhere to without fear of getting sued in any one of the fifty states.

3. There's a discrepancy between how California plaintiffs are faring versus how plaintiffs in other states such as Washington are faring. John Levine notes at Circle ID that another Washington spam case - this one brought by Bennett Haselton and Peacefire - was recently dismissed: "Another Spam Case Lost in Washington, or Gordon Strikes Again." The plaintiff in Virtumundo (James Gordon) has also had a slew of Washington spam cases recently dismissed. Although the most recent court order in the Peacefire case focused on the CAN-SPAM claims and not on state law claims (the court in footnote 1 notes that "it [appeared] plaintiffs . . . abandoned" their state law claim), the fact that similar lawsuits are moving ahead in California but failing in Washington is problematic. [Correction: it looks like Peacefire is pursuing a claim under the Washington spam statute as well as a claim under Washington's consumer protection statute. The court indicates that he abandoned the CPA claim but not the claim under the Washington spam statute.] This is one of the things preemption is designed to avoid.

4. There are two ways at looking at possible "from line" claims: (1) they could cover spoofing (where an email is sent to look like it's coming from an email address when it's not) or (2) they could more broadly cover "unauthorized" use of a domain name to transmit an email. There's a third view that's pressed by plaintiffs such as Gordon, which is that the address in the from line has to refer to an actual person, but this argument has never gotten much mileage. With respect to the second view, accepting the proposition that you can state a claim where an email is transmitted through a Yahoo email address in violation of Yahoo's terms of use (which would make it technically "unauthorized") has never sat well with me. It would be great if courts construe the from line prong of state email statutes to only cover spoofing.

5. On the bright side, we should hopefully get some clarity soon. Kleffman v. Vonage, another California spam case which raises similar issues (which the 9th Circuit certified to the California Supreme Court), is scheduled for argument in front of the California Supreme Court on May 6. Also, Reunion.com moved for a stay and permission to file an interlocutory appeal. It's a long shot, but who knows, maybe this case will end up sooner rather than later in front of the 9th Circuit? I was unpersuaded that the standards for reconsideration were satisfied here. The court pretty much did a 360 on its earlier ruling, and the court should recognize this when it considers defendant's request for leave to file an interlocutory appeal.

6. Finally, it's worth noting that counsel for the plaintiffs here are on the defense side in Asis Internet v. Subscriberbase, a case which raises similar preemption issues which I blogged about last week ("N.D. Cal Rejects Preemption and Standing Defenses Against Claims Under CA Spam Statute"). The defendant in Reunion devoted some energy to raising this issue to the court and trying to argue a conflict, but Judge Chesney wasn't swayed by this. (see page 3, footnote 3)

Related: See additional coverage from Wendy Davis here: "Judge Brings Reunion.com And Spam Suit Together Again".

Also, Tagged.com, a company that allegedly scrapes the contact lists of people who join to invite other potential members to join, recently settled up with the San Francisco DA's office by paying $650,000. This comes on the heels of other similar settlements between Tagged.com and regulators.

Posted by Venkat at 09:30 AM | Spam

April 06, 2010

Fourth Circuit: Email, ECF, and Domain Name Woes do not Excuse Failure to Respond to Summary Judgment Motion -- Robinson v. Wix Filtration

[Post by Venkat]

Robinson v. Wix Filtration Corp. LLC, 4th Cir. (Mar. 26, 2010) [scribd]

The Fourth Circuit recently held that the district court properly granted summary judgment in favor of a defendant, and rejected plaintiff's argument that counsel's failure to respond to a defense motion for summary judgment was excusable due to email, malware, and domain name issues.

As described by the court, plaintiff's counsel "was afflicted by a malware virus and . . . his counsel's firm's domain name had temporarily expired when the motion for summary judgment was filed." Counsel re-registered the domain name but the "e-mail accounts associated with the domain name were 'blacklisted' causing further e-mail problems."

The court found that plaintiff's failure to receive notice of the motion "resulted from counsel's conscious choice not to take any action with respect to his computer troubles." In the words of the court: "counsel made the affirmative decision to remain in the dark." Finding that a client must bear the consequences of his or her attorney's conduct, the court found that it was not an abuse of discretion for the trial court to refuse to set aside the judgment. The court found that plaintiff was not entitled to relief under either Rule 59(e) or 60(b).

One judge concurred, finding that the dismissal was a result of "counsel's unwise and misplaced strategic choice to litigate, ostrich-like, with his head in the sand." The concurring judge noted critically (in a footnote) that periodically checking the CM/ECF docketing system "simply was not a part of [counsel's] practice."

Judge King filed a spirited dissent, among other things, arguing that the Fourth Circuit's decision creates a "duty to monitor," and that the party should not in this case made to bear the consequences of counsel's actions. Interestingly, Judge King also argues that the exception to the rule (taken for granted as a matter of practice in many ECF jurisdictions) that ECF filing constitutes service should come into play. The dissenting opinion argues that once defense counsel became aware that plaintiff's counsel had email issues, defense counsel should have sent a paper copy of the motion in order to complete service. (The rules provide that ECF filing "is not effective if the serving party learns that [the Notice of Electronic Filing ] . . . did not reach the intended recipient," but by the time the defendant had notice of the other side's email problems, it was pretty much too late. And plaintiff's counsel should have probably checked the docket anyway, to see if a dispositive motion was filed when the deadline came and went.) Judge King also notes that imposing a "duty to monitor" will result in additional costs (in the form of PACER fees) which will fall on the shoulders of clients.

___

It's tough to not be sympathetic to plaintiff and to counsel for plaintiff. Everyone will have an email gaffe at some point in their career. (I'm not sure the failure to check the docket is as excusable.) That said, courts are not very tolerant of arguments that counsel did not respond to a motion or a deadline due to a failure to receive electronic notice. The "spam filter ate my CM/ECF notice" is often offered as an argument in these situations, but this argument typically does not get a lot of mileage. (See Shuey v. Schwab discussed in this post (court remands for consideration of the merits) and the other cases mentioned there.)

(h/t ABA Journal: "Lawyer’s Computer Virus Doesn’t Excuse Missed Dismissal Motion, 4th Circuit Says")

Posted by Venkat at 12:20 PM | Adware/Spyware , Spam

April 05, 2010

N.D. Cal Rejects Preemption and Standing Defenses Against Claims Under CA Spam Statute -- Asis Internet Servs. v. Subscriberbase Inc.

[Post by Venkat]

Asis Internet Services v. Subscriberbase Inc., (N.D. Cal.) Case No. 09-3505 SC; April 1, 2010 [scribd]

Judge Conti (in the Northern District of California) issued a potentially significant decision last week that keeps the door open for plaintiffs alleging claims under California's spam statute. This is good news for anti-spam plaintiffs, and comes on the heels of last month's state court trial win for another spam plaintiff which resulted in an award of $7000. (Balsam v. Trancos)

Background: The Ninth Circuit in Gordon v. Virtumundo held that veteran spam plaintiff James Gordon could not sue under CAN-SPAM because he was not a bona-fide ISP (or provider of an "internet access service") and because he did not suffer any "adverse effects" from the spam he received. He was harmed as any email recipient would be and thus was not among the class of plaintiffs entitled to sue under CAN-SPAM. The court also held that CAN-SPAM preempted Gordon's claims under Washington's spam statute. Here is Prof. Goldman's post discussing that ruling. The post asked whether Virtumundo would spell an end to "spam litigation factories". Following Virtumundo, courts knocked out Gordon's many pending cases. Plaintiffs who appear similarly situated to Gordon have persevered in California, trying to assert claims under California's spam statute.

One issue that was left unresolved was whether CAN-SPAM preempted California's anti-spam statute (and how much of it was preempted). A few courts have dealt with this issue. One court held that a plaintiff must satisfy the "actual fraud" standard in order to assert a claim under a state spam statute. (Hoang v. Reunion.com, discussed by Ethan here and here.) Other courts (Asis Internet v. Vistaprint and Asis Internet v. Consumerbargaingiveaways, discussed by Ethan here) have taken a less restrictive view, rejecting Reunion.com's premise that only claims satisfying the traditional "actual fraud" standard survive CAN-SPAM's broad preemption clause.

This case takes a fresh look at the issue and rejects the Reunion.com view. Regardless of the outcome of this dispute, portions of California's spam statute, such as the provisions imposing a blanket ban and those requiring labeling are preempted. The issue is whether there's room to allege that emails are misleading based on information in the subject lines, from lines, or headers, and make a claim under California's spam statute.

The Court's Ruling:

1. Were the Subject Lines Were Likely to Deceive Recipients: Defendants argued that the subject lines were not likely to deceive recipients. Section 17529.5(a)(3) prohibits subject lines that are likely to mislead "about a material fact regarding the contents or subject matters of the message." The court predictably refuses to conclude as a matter of law that the email subject lines are not deceptive. I don't know if anyone reasonably believes that email subject lines which offer free products (for example: "Review & Keep Designer Handbags worth $1500 Dollars-guys invited too") actually offer free products. But given the statutory language, it would have been tough for the court to conclude as a matter of law that the subject lines were not "likely to mislead." Once you use the word "free," if something is not actually free, you will have an uphill battle getting a court to conclude that the marketing copy is not misleading as a matter of law.

[Tip to marketers: avoid using "free" unless something truly is free, particularly when this claim is made in an email or online!]

2. Did Defendants Have Knowledge That the Subject Lines Were Likely to Deceive: Defendants also argued that the complaint did not sufficiently allege that defendants knew the subject lines were likely to deceive, in light of the fact that defendants did not transmit the messages. Plaintiffs earlier lost a case on this precise issue, where a district court held that the defendants could not be held liable for spam received by plaintiffs because the defendants in that case neither sent nor "knowingly procured" the messages. (Here's Professor Goldman's post discussing that ruling, along with other affiliate liability issues. As mentioned below, this ruling was affirmed by the Ninth Circuit.) In light of the fact that plaintiffs previously lost on this issue, it's irritating for plaintiffs to get another chance here. Defendants will likely have to fight this one out on summary judgment, rather than at the motion to dismiss stage. It would have been nice for the court to require some specific allegations regarding defendants' supposed knowledge.

3. Do Plaintiffs have Standing Under California Law: Defendants' first standing argument was that Proposition 64, which amended California's false advertising and unfair competition laws to provide that only plaintiffs who "suffered injury in fact and has lost money or property" could bring claims, applied to section 17529.5 and barred the claims asserted by plaintiffs. The court rejected this argument, noting that section 17529.5 included "independent, non-exclusive standing and remedy provisions" which authorize ISPs (defined as "electronic mail service providers") to bring suit. The court acknowledged the effect of Prop 64 was unclear, and reasoned that Prop 64 was designed to curb the practice of members of the general public bringing lawsuits to enforce advertising and unfair competition rules, rather than change the standing requirements of statutes which only applied to a narrower (more specific) class of plaintiffs. According to the court, since California's spam statute only authorized a narrow class of plaintiffs to bring claims to begin with, the statute was left unaffected by Prop 64.

4. Are Plaintiffs' Claims Preempted by CAN-SPAM: Defendants relied on Gordon v. Virtumundo and argued that plaintiffs' claims were preempted by CAN-SPAM. The court acknowledged that other courts in California had reached differing results on the preemption issue. Hoang v, Reunion.com held that CAN-SPAM's preemption clause only leaves room for state law causes of action based on "common law fraud," which requires allegations of reliance and actual harm. On the other hand, two judges in the Northern District of California (Asis Internet v. Vistaprint and Asis Internet v. Consumerbargaingiveaways) came to a different conclusion, finding that section 17529.5 was not preempted, even though this statute does not require a showing of reliance or damages. (Odd sidenote: the Reunion plaintiffs are represented by the same lawyers who are representing defendants in this case.)

Judge Conti found that Virtumundo "did not clearly resolve this split." In his view, the Ninth Circuit in Virtumundo found the plaintiff's claims under Washington's spam statute preempted because those claims reached "non-deceptive statements." The court focused on the fact that in Virtumundo, plaintiffs were complaining about immaterial errors in emails (the fact that an advertiser's name did not "expressly appear in the 'from lines,'" and Virtumundo's use of "fanciful domain names"). Judge Conti viewed Virtumundo (and Mummagraphics) as standing for the proposition that only state law claims that reach immaterial errors and omissions were preempted. The court's discussion on preemption is in depth, and worth reading. Ultimately, the court concludes that requiring the elements of reliance and damages would have one practical consequence:

[i]t would limit the scope of entities that are entitled to bring suit under section 17529.5. It would restrict enforcement suits to the (presumably more rare) case where a plaintiff actually been duped by a misleading subject line. The bulk of deceptive email would go unpunished, until such an email happened to mislead someone with the resources and wherewithal to pursue a private claim.

The court found that Congress could not have intended this result under CAN-SPAM.

5. Whether the Enforcement Mechanism of Section 17529.5 Conflicts With CAN-SPAM: The final issue (which it sounds like defendants didn't press, but which to me was the most interesting) was whether the enforcement mechanism of the California spam statute conflicts with CAN-SPAM. CAN-SPAM only allows for enforcement by two classes of entities: (1) certain government actors and agencies and (2) bona-fide ISPs who have been been "adversely affected". The California spam statute on the other hand allows the Attorney General, ISPs, and recipients of emails to bring suit. As the court notes, allowing a broader class of plaintiffs to sue under state law may "disturb . . . the fine balance struck by Congress . . . ." However, the court concludes that it would not upset the balance intended by Congress because CAN-SPAM's preemption savings clause only speaks to the subject of state law (rather than the class of plaintiffs authorized to sue). The court also noted that there was no evidence of Congressional intent to "occupy the field."

____

My Reaction: The court is right that Virtumundo and Mummagraphics found the state law claims in those cases to be preempted by CAN-SPAM because those claims relied on immaterial errors. However, California plaintiffs typically raise similar claims, and courts have not been the most vigilant about scrutinizing them. Plaintiffs seem to construe California's spam statute pretty broadly. For example, in Trancos, the recent decision following trial, and Kleffman v. Vonage, a case pending in front of the California Supreme Court, some of the arguments raised by plaintiffs were similar to the arguments raised by Gordon in Virtumundo. The preemption structure only works if courts dealing with the state law claims use the same standard for what is false or deceptive.

The practical consequence of the court's ruling is to open a gaping exception to the enforcement structure that Congress may have intended. Congress intended only two classes of actors to enforce CAN-SPAM: (1) the authorities and government agencies and (2) bona-fide ISPs who were adversely effected. CAN-SPAM does not allow for enforcement by mere recipients of email, and doesn't allow for enforcement where the recipient does not suffer any injury, and the court's ruling opens the doors to this enforcement. This is particularly troubling, given that many plaintiffs do not take steps to avoid email and may even invite the harm in question. To the extent they are trolling for spam emails in order to bring lawsuits, they are really no different from a member of the general public.

Another issue to consider is the scope of affiliate liability. It wouldn't make sense for state laws to hold a broader category of actors liable (under a lower standard) than CAN-SPAM, but this could be a practical result of allowing these types of claims to proceed under California's spam statute.

Finally, I'm not sure there's anything wrong with allowing ISPs and those with sufficient resources to sue, when they actually have been harmed. I doubt we've derived much benefit from the proliferation of the anti-spam litigation "cottage industry."

What Does the Ruling Mean For Spam Litigation: The ruling gives spam plaintiffs in California some breathing room. With respect to subject line violations at least, plaintiffs can continue to bring claims under California's spam statute, and unfortunately, can continue to try to sue affiliates as well. They can bring claims in state court (as in Trancos) or in federal court, to the extent they are able to independently satisfy jurisdictional requirements. There is a case pending in front of the California Supreme Court (Kleffman v. Vonage - oral argument is set for May) which should clarify the scope of California's anti-spam statute and whether it's preempted, and Reunion.com is likely to be appealed as well, once it makes its way out of the trial court. But until then, plaintiffs will probably cite to this case for the proposition that subject line claims and other claims based on allegedly misleading aspects of emails that don't necessarily violate CAN-SPAM are not knocked out by CAN-SPAM's preemption clause.

Other Asis Cases: Asis has filed many many different spam lawsuits. 13 alone according to a Justia search. There's been ongoing activity on several of those cases recently:

Asis Internet . Azoogle.com, Case Nos. 08-15979 and 08-17779 (9th Cir.) (Dec. 2, 2009): 9th Cir. affirms dismissal of claims brought against various entities for lack of standing and because Asis failed to prove affiliate liability.

Asis Internet v. Member Source Media, Case No. C-08-1321 EMC (Jan. 28, 2010): CAN-SPAM claims dismissed.

Asis Internet v. Active Response Group, Case No. C07-06211 TEH (Feb. 9, 2010): dismissed for lack of standing under CAN-SPAM; state law claims dismissed without prejudice.

Posted by Venkat at 08:00 AM | Spam

March 27, 2010

Another Court Finds that TCPA Applies to Text Messages -- Lozano v. Twentieth Century Fox Film Corp.

[Post by Venkat]

Lozano v. Twentieth Century Fox Film Corp., Case No. Civ. 09-cv-6344 (N.D. Ill) [scribd]

A court in Illinois rejected a motion to dismiss filed by defendants in a class action brought on behalf of plaintiffs who received SMS spam marketing an animated film called "Robots". The court's ruling is not surprising, given the other cases which have come to a similar conclusion. (Abbas v. Selling Source, LLC; Satterfield v. Simon & Schuster)

Are Text Messages "Calls" Under the TCPA: The court grants the FCC's interpretation some deference and finds that text messages are "calls" for purposes of the Telephone Consumer Protection Act.

Do SMS Spam Plaintiffs Have to Allege They Were Charged for the Text Messages: The court concludes that "the plain language of the TCPA does not require Plaintiff to allege that he was charged for the relevant call at issue in order to state a claim" under the TCPA. The defendants in Selling Source raised a similar argument which the court in that case rejected.

Does Section 227 of the TCPA Violate the First Amendment: First Amendment challenges in the context of laws regulating unsolicited communications rarely get any traction. Predictably, the court in this case rejects the First Amendment challenge raised by defendants.
___

Taken together, several recent cases have concluded that: (1) text messages are "calls" under the TCPA, (2) a message can violate the TCPA if it is sent with equipment that has the capacity to send or store messages using a "random or sequential number generator," and (3) a plaintiff need not allege that he or she was separately charged for the message in order to bring a claim under the TCPA. This does not leave much room for a company trying to market through text messages. Marketers are forced to rely on a recipient's consent/opt-in, and as the Satterfield case illustrates, this is a risky road to go down.

The cases all acknowledge that the TCPA was not enacted with text messages in mind, since text messaging was not around when the TCPA was enacted. The laws have some catching up to do, and it will be near impossible for the law in this context to keep pace with rapidly changing technologies. Either way, this case serves as a good reminder as to the perils of marketing through text messages.

Posted by Venkat at 01:42 PM | Spam

March 25, 2010

Craigslist Wins $1.3M Default Judgment Against Autoposting Facilitator -- craigslist v. Naturemarket

[Post by Venkat]

craigslist, Inc. v. Naturemarket, Inc., Case No. C 08-05065 PJH (MEJ) (N.D. Cal. March 5, 2010) [scribd] (report and recommendation adopted on February 5, 2010)

Craigslist obtained a 1.3 million dollar default judgment against defendants Naturemarket, Inc. and Igor Gasov.

Naturemarket (doing business as powerpostings.com [typical bad choice of name]) sold software which allowed its customers to automatically post listings to craigslist. As advertised by defendants, the software made "the difficult craigslist posting process child's play and [helped users] manage and multi-post . . . ads." Defendants also advertised "posting agent" services where defendants would post ads on behalf of customers. Finally, defendants sold software that scraped email addresses from the craigslist site.

Craigslist sued alleging claims under (1) copyright; (2) DMCA; (3) the Computer Fraud and Abuse Act; (4) trademark; (5) breach of contract/terms of use. Defendants failed to contest the suit. The court granted default judgment against defendants:

Copyright Infringement: Craigslist alleged it registered protectable elements of its site (the "post to classified, account registration and log-in features") and that defendants copied these elements of the craigslist site when developing, testing, and using their auto-posting software. The court accepted these allegations at face value, notwithstanding questions as to what parts of the craigslist site were copyrightable (minus the listings themselves, obviously), how the copying here was different from search engine copying under an implied license, and the fact that it's awkward to conclude that browsing in excess of the terms of use constitutes copyright infringement.

DMCA Violations: The court agreed with craigslist that defendants violated two provisions of the DMCA through making available, among other things, "pre-verified craigslist accounts and CAPTCHA credits." There's precedent that supports the proposition that at least some of these types of acts do not violate the DMCA. (See, for example Egilman v. Keller & Heckman, LLP, 401 F. Supp. 2d 105, 113-14 (D.D.C. 2005) ("using a username/password combination as intended--by entering a valid username and password, albeit without authorization--does not constitute circumvention under the DMCA.").) Real made a similar argument to the one defendants would have made here, but this argument was rejected. Either way, the trouble with the court's conclusion is that it's not clear that a violation should be based on use of an anti-circumvention mechanism in a way that's not authorized. This isn't the type of conduct that the DMCA is necessarily meant to address. Mike Masnick flags this aspect of the ruling here.

Computer Fraud and Abuse Act: The Computer Fraud and Abuse Act claims were premised on access of craigslist computers in violation of the craigslist terms of service. This argument is often used in civil cases, but most recently received attention in the Lori Drew case, a criminal case. The Lori Drew case illustrated many of the problems with imposing Computer Fraud and Abuse Act liability based on violations of a terms of use. Professor Goldman's post when the case first started is a good read.

Trademark Infringement: Craigslist alleged that defendants used the craigslist mark "in the text and . . . the headings of sponsored links on internet search engines to advertise their auto-posting products and services." The court cites to American Blinds for the proposition that this will cause "initial customer confusion". (Here's one of Prof. Goldman's posts on American Blinds.) It's odd to see craigslist arguing initial interest confusion. These are the types of arguments one would expect to see against craigslist (for example by someone suing it for trademark infringement, not made by craigslist.

Breach of Contract/Terms of Service: Craigslist pointed to provisions in its terms of use which prohibited the use of automated means and posting agents to post listings. Craigslist argued that defendants violated these provisions and induced craigslist users (who were customers of defendants) to violate these provisions. The court awards $840,000 in liquidated damages based on the terms of use claims asserted by craigslist. Craigslist argued that defendants posted at least 18,200 ads or alternatively defendants posted 4,200 ads as a posting agent. The court assumes for purposes of calculating damages, that the lower number is correct and awards $840,000 based on this number. For each listing posted in violation of the terms of service, the court awarded $100 in liquidated damages (and an extra $100 for each item posted as a "posting agent"). [Note to self: be careful about posting items in violation of the craigslist terms of service!]

Attorney's fees: Craigslist sought $83,614.45 in fees, for the work performed by 5 lawyers and one paralegal. The court found the hours expended reasonable, but reduced the hourly rate slightly, ultimately awarding $65,038.20 in fees. (As a side note, what's up with the reduction in billing rates by one dollar in the April-June 2009 time period. The hourly rates for one partner went from $525 in 2009 to $550 in January-March 2009, to $549 in April-June 2009. Does the one dollar change in someone's hourly rate really matter?)

____

This case is similar in many ways to Ticketmaster v. RMG, where Ticketmaster sued RMG, a company that automated the ticket buying process on behalf of its customers. Following the issuance of an injunction, Professor Goldman noted that this case was "a troubling Cyberlaw development." The claims asserted by craigslist here suffered from some of the same weaknesses as those in Ticketmaster. On the other hand, this was in the context of a default judgment, where the good faith allegations in the complaint are taken as true, and craigslist knew it had to only make colorable arguments. It wants to keep out certain perceived bad actors. In the default judgment context, I'm not sure how much it can be faulted for not fine-tuning its legal arguments. That said, it's always tough to read through these types of rulings without cringing.

One of the more troubling things about the ruling is how the terms of use supports three separate claims: the copyright claims, the Computer Fraud and Abuse Act claim and, of course, the breach of contract claim. It's unsettling to see the website terms of service (which are typically tough to read and digest, rarely read by end users, and incredibly one sided) be given enough clout to support serious statutory violations. But this is nothing new, and courts always seem to be willing to accept these types of arguments.

Another issue for craigslist to consider is whether any of the arguments could come back to bite craigslist. I haven't thought through whether there was a good section 230 argument to be made here, I'm guessing not. Assuming there was, it doesn't seem like such a good idea for craigslist to knock down that argument. It's the classic section 230 beneficiary. At any rate, at a basic level, craigslist is ultimately suing Naturemarket based on harm caused by end users. This is exactly what state regulators did to craigslist. The initial interest confusion argument is also one that does not seem like it's in craigslist's interest to push.

Finally, I'm always curious as to what these damage awards accomplish. How often does the company chase down the defendant's assets? More likely, this is something that can be waved around to other potential defendants to get them to comply and/or settle.

Related: Mike Masnick discusses some of these issues in a post flagging an early round of lawsuits filed by craigslist against spammers: "Craigslist's Dumb Lawsuit Against Spam Tool Provider"

Posted by Venkat at 09:25 AM | Content Regulation , Copyright , Licensing/Contracts , Spam , Trademark

March 22, 2010

Plaintiff Wins $7,000 Following Bench Trial on Claims Under California Anti-Spam Statute -- Balsam v. Trancos

[Post by Venkat]

Balsam v. Trancos, Inc., Cal Sup. Ct. Case No. (Civ.) 471791; March 10, 2010 [scribd]

Although spam lawsuits have not gone particularly well for individual (non-ISP) plaintiffs, Dan Balsam recently took a case to trial in San Mateo Superior Court and was awarded $7,000 in damages.

Balsam sued under the California Legal Remedies Act (1750) and California's anti-spam statute (section 17529). The court held that Balsam could not maintain an action under section 1750 because he was not a "consumer" and did not sustain any damages, and dismissed the 1750 claim. His claim under section 17529 was tried to the bench and he was awarded $1,000 in statutory damages per email.

Background: Defendant Trancos registered numerous domain names through DomainsByProxy. Through Defendant's "Meridian" division, Defendant entered into a deal with Hi-Speed Media/ValueClick under which Defendant "managed" several email lists and sent out emails. Trancos and Hi-Speed Media shared revenues generated from transmission of the emails. Trancos discontinued this conduct in 2007 and according to the court had "stopped the allegedly wrongful conduct of which [Balsam complained]."

The Emails: The trial was over eight email messages. The emails were sent through various domain names (privately) registered to Trancos: misstepoutcome.com, modalworship.com, moussetogether.com, mucousmarquise.com, minuteprovenance.com, minecyclic.com, mythicaldumbwaiter.com, and nationalukulele.com. (How on earth did Trancos come up with these domain names!) The subject lines of the emails were typical unsolicited email fare, and ranged from inviting people to take surveys and get paid ("Get paid 5 dollars for 1 survey") to dating-related invitations ("It's a Great Time to Say Hello to Someone New!"; "Date Single Christians"). The emails did not purport to be from anyone particular. The "from" email addresses were from accounts such as "franchisegater@modalworship.com," and "dating@mythicaldumbwaiter.com". The emails contained varying opt-out text and (in some cases) links.

The Court's Ruling: The court held that Balsam's claim under section 17529 was not preempted under federal law. Defendant pointed to Virtumundo and argued that CAN-SPAM preempts state email statutes which reach immaterial errors in emails. The court rejected this argument noting that in Virtumundo, the plaintiff did not put forth any evidence that the emails at issue rose to the level of "falsity and deception" excluded from CAN-SPAM's preemption clause, and on the basis that the Washington statute was different from the California statute (nothing in the Washington statute required any misrepresentations to be "material").

The court looked to the "from" addresses in the emails and held that the "'senders' identified in the headers of the . . . emails do not exist or are otherwise misrepresented . . . [i]n those same headers reflecting the 'from' line of the email, the referenced sender email is a non-existence [sic] entity using a nonsensical domain name reflecting no actual company . . . ." The court also relied on the fact that the address at the end of the email messages (a PO Box in Santa Monica) was registered in the name of a non-existent entity.

Although the plaintiff "was not tricked into believing that [the] emails were anything other than commercial advertisements . . . and was not tricked into seeking to purchase any goods or services," the court held that seven of the emails violated 17529.5(a)(2) because the emails had "falsified, misrepresented, or forged header information." The emails came from Trancos, "but none of the emails disclose[d] this in the header."

Observations: The two significant preemption CAN-SPAM cases (Mummagraphics and Virtumundo) both held that state laws which prohibit immaterial misstatements in emails are preempted. There's another district court case which went beyond this and held that a plaintiff had to satisfy the "actual fraud" standard in order to successfully assert a spam claim under state law (Reunion). The cases in this context often look to whether the plaintiff could have easily ascertained where the email came from. In Mummagraphics the court relied on the fact that the plaintiff could have easily determined where the email originated from in finding the error immaterial (and the claim preempted). In Kilbride, a criminal case, the court imposed liability, finding that the sender's use of GoDaddy's privacy protection services was evidence of the sender's intent to mislead the recipient. In this case, there were similar facts. None of the emails at issue in this case stated where they originated from (or on whose behalf they were sent). Defendant used a lot of names of companies that did not exist, and got a PO Box for the company in the name of another non-existent company. That said, the violations didn't fit nicely within the statute.

17529.2: The court quoted section 17529.2, which is a blanket prohibition on the transmission of unsolicited email to or from a California email address. This section of the statute is obviously dead on preemption grounds and can't support liability.

17529.5: The court also looked to section 17529.5 which is similar to the anti-spam statutes of many states, including Washington. This section prohibits the transmission of email that (1) "contains or is accompanied by" a third party's domain name without permission; (2) "contains or is accompanied by falsified, misrepresented, or forged header information;" or (3) has a misleading subject line. The court found that the subject lines were not likely to mislead and in fact Balsam was not misled by the subject lines. The court didn't expressly find that the emails contained or were accompanied by a third party's domain name without permission. There was no violation of this provision since there was no dispute that Trancos owned the domain names at issue.

The court found that Trancos violated the header information prong, because there was no such person or entity referenced in the "from" line. It's tough to see how this is the case, since the header information was not forged. If you own or control a domain name, you are free to create any number of email addresses that can send emails through the domain name, and no one sees anti-spam statutes as requiring the reference in the from line to refer to an actual living person. I have received numerous emails from "customer support" or "orders" at Amazon.com and I'm fairly confident that there's no such person at Amazon.

What this section of the statute actually gets at is the transmission of emails that appear to come from someone when they actually don't, or the obfuscation of header information. There was no evidence of either in this case. The plaintiff in Virtumundo raised somewhat similar arguments, which were rejected by the trial court. On appeal, the court found that the claims were similar to the ones raised by the plaintiff in Mummagraphics (arguably because accurate WHOIS information could have readily identified the sender of the emails) and held that the claims were preempted under Washington's email statute. There's a colorable argument to be made that nothing in Virtumundo precludes a claim under 17529.5(2), but the differences in the statutory language cut against Balsam's claims. The California statute prohibits "falsified, misrepresented, or forged header information," while the Washington statute prohibits emails where the sender "misrepresents or obscures any information in identifying the point of origin or the transmission path." The Washington statute incorporates a "point of origin" concept that makes it easier to argue that a violation occurs if you include an email address in the from line that's related to a non-existent company.

The final point to consider is that Balsam admitted that he didn't suffer any "adverse effects" of the sort that the court held were required to support a claim under CAN-SPAM. Balsam didn't expend any funds on bandwidth, filtering, infrastructure, etc. His sole injury was the fact that he mistakenly opened the message, and presumably, expended sums litigating his claims.
___

As the court notes, the California Supreme Court is currently considering Kleffman v. Vonage, a case that deals with the scope of California's anti-spam statute. Also, the Reunion case, dealing with the scope of CAN-SPAM preemption, is still stuck in the district court (in the Northern District of California). It's likely to be appealed to the Ninth Circuit.

It will be interesting to see how this plays out. In the meantime, kudos are due to Balsam and his counsel, who unlike James Gordon, Asis Internet, and other spam plaintiffs, are at least generating positive cash flow (if Trancos ever pays up).

Added: "Save the Mail Blog" asks whether it was worth it ("Lawyer Awarded $7k in Spam Suit: We do the Math"). SFGate also covers the ruling ("S.F. lawyer awarded $7,000 from e-mail spammer").

Posted by Venkat at 12:08 PM | Marketing , Spam

March 05, 2010

Eighth Circuit: No Derivative Liability Under Iowa Spam Statute -- Kramer v. Bartok

[Post by Venkat]

Kramer v. Bartok, Case No. 08-3841 (8th Cir. Feb. 19, 2010) (scribd link).

The Eighth Circuit recently reversed an award of $236 million in damages against a spam defendant based on a theory of secondary liability. The court found that the clear language of the Iowa statute only allowed for the imposition of liability against the sender.

Background: Kramer sued defendants Bartok, Perez, and Brown after allegedly receiving millions of spam emails advertising mortgage refinancing services. Kramer asserted claims, including claims under the Iowa's spam statute (then Iowa Chapter Code 714E, which while the suit was pending was replaced with Iowa Chapter Code 716A (which looks fairly different, and does not contain the term "initiate")), the Computer Fraud and Abuse Act, and trespass. According the Eighth Circuit, Kramer (who ran an ISP) actually only received twenty three offending emails, as the remaining millions of emails were blocked by Kramer's spam filter. Defendants produced no evidence at trial, and the lower court found that one of the defendants "dissembled" and sold the computers used by the enterprise. Kramer did not produce evidence that defendant Bartok actually sent the messages in question. The only evidence of Bartok's involvement was that she was "half owner of a business whose sole source of income was predicated on spamming," she signed an agreement for the procurement of mortgage leads, and she assisted Perez in destroying some of the relevant records in question.

The lower court found that Kramer produced no evidence of "actual damages," and rejected all of the claims except for the claims under Iowa's spam statute. With respect to this claim the court awarded $236 million in statutory damages ($10 per spam email).

The Eighth Circuit's ruling: The Eighth Circuit looked to the plain language of the statute and found that the statute only imposed liability on those who "use an interactive computer service to initiate the sending of bulk electronic mail." In other words, the statute was clear that it only imposed liability on someone who actually hit the send button.

Kramer argued that he had produced sufficient evidence of a civil conspiracy between Bartok and the other defendants to sustain a finding of derivative liability, but the court rejected this theory. In the court's view, if the statute didn't authorize the imposition of liability on those who conspired with the person(s) who initiated transmission of the messages (through the use of an interactive computer service), the court was not free to imply a cause of action based on this theory. While Kramer argued a common law conspiracy claim, the court found that Kramer's failure to produce evidence of actual damages precluded the imposition of derivative liability on Bartok. To allow Kramer to assert liability against Bartok based on a conspiracy theory absent evidence of actual damages would be an end-run around the statute's limited focus on those who actually sent the offending messages.

My thoughts: Derivative liability regarding spam and other types of advertising is a favorite topic of Professor Goldman's. I agree that absent clear standards, liability can move up the chain to advertisers and service providers, and this can cause obvious problems.

Here, the court interpreted a statute which by its terms only imposed liability on the person who initiated the transmission of the messages, so the court's conclusion isn't particularly surprising. The fact that the plaintiff in this case only produced 23 emails and was awarded a whopping $236 million in damages (despite having failed to put forth evidence of actual damages) was probably not lost on the court either.

How does this relate to CAN-SPAM: In the context of CAN-SPAM, the standards are slightly different. CAN-SPAM imposes liability on those who "initiate" or "procure" the initiation of noncompliant messages. "Initiate" is defined as "to originate or transmit [messages] or to procure the origination or transmission of [messages] . . . ." "Procure" is defined as "intentionally, to pay or provide other consideration to, or induce, another person to initiate [messages] on one's behalf." Where a civil claim is brought by an ISP, the term procure contains an actual knowledge or a conscious avoidance limitation. (section 7706(g)(2)) CAN-SPAM thus allows for the imposition of derivative liability, but makes it more difficult when the ISP is the one enforcing.

How have CAN-SPAM plaintiffs fared when they sought to impose this type of liability? Not very well. I haven’t done an exhaustive tally, but on the civil side there have been several defense wins (Hypertouch v. Kennedy Western, Asis Internet v. Optin Global, Fenn v. Redmond Venture). On the affiliate liability issue, these cases are typically resolved in favor of defendants on the basis that defendants were not (and had no reason to be) aware of the underlying violations. With respect to enforcement efforts by the FTC, the FTC lost a jury trial (Impulse Media), settled one case after the court found that affiliate liability is a question of fact (Cyberheat), and obtained a conviction (US v. Kilbride). (Oddly, after losing the jury trial in the Impulse Media case, the FTC sought to obtain injunctive relief against Impulse Media. The court denied this request.) Overall, the case law is largely defense favorable. Although CAN-SPAM allows for derivative liability, courts and juries have not been quick to impose it.

Related posts: "Affiliate Liability Talk Notes From SMX West"

Posted by Venkat at 09:15 AM | Derivative Liability , Marketing , Spam

January 31, 2010

January 2010 Quick Links

By Eric Goldman

Copyright

* An English translation of Google's December loss in France on a Google Book Search lawsuit.

* Ed Felten reports on a survey of files available via BitTorrent. Acknowledging some methodological limits, he estimates ~99% were likely copyright infringing.

* Elsevier B.V. v. UnitedHealth Group, Inc., 2010 WL 150167 (S.D.N.Y. Jan 14, 2010). Denying copyright statutory damages and attorneys' fees to unregistered foreign works is constitutional because the Berne Convention (which Elsevier argued prohibits the statutory formalities) is not self-executing.

* Techdirt: Singapore Court Rules That Online DVR Is Infringing...While Noting How Copyright Law Isn't Really Set Up For This

* Techdirt: If Banning The Internet For Sex Offenders Is Unfair, Is Banning The Internet For Copyright Infringers Fair?

* The Copyright Office issued new regulations on the deposit of online-only works: “The regulation establishes that online–only works are exempt from mandatory deposit until a demand for deposit of copies or phonorecords of such works is issued by the Copyright Office.”

Trademark/Publicity Rights

* American Airlines v. Yahoo settled. Previous coverage:
- Yahoo Subpoenas Expedia in American Airlines Lawsuit
- Fifth Circuit Denies Yahoo's Jurisdictional Appeal in American Airlines Case
- American Airlines v. Yahoo Venue Transfer Denied
- Yahoo Countersues American Airlines for Declaratory Judgment
- American Airlines Sues Yahoo for Selling Keyword Advertising

* Duplicity alert! Rescuecom is in court defending its keyword ads triggered by competitor Best Buy's TMs.

* Bev Stayart sues Yahoo again over publicity rights. My September 2009 blog post on her prior loss against Yahoo.

Pornography

* Clark v. Commonwealth, 2009 WL 5125009 (Ky. App. Ct. Dec. 30, 2009). Upholding a conviction when "Clark knowingly used a computer for the purpose of getting a minor, or a peace officer whom Clark believed was a minor, to take a sexually explicit photograph of herself."

* Am. Booksellers Found. for Free Expression v. Cordray, Slip Opinion No. 2010-Ohio-149 (Jan. 27, 2010). Ohio's Supreme Court partially upholds its state law restricting Internet distribution of harmful to juveniles material to juveniles when the communications are to recipients known or believed to be juveniles.

Spam

* United States v. Zein (E.D. Mich. 2009). Posting an ad on Craigslist constituted a "mass marketing" activity sufficient to trigger a 2 level sentencing enhancement.

* Comcast and e360 settled their lawsuit. Previous blog coverage.

Blogs/Social Networking Sites

* Sieber v. Brownstone Publishing Company, 2007 CA 002549 B (D.C. Superior Ct. Dec. 23, 2009). A building contractor sued Angie's List and other people over consumer reviews. My prior mention of the case. After 2 years of litigation, a DC trial judge dismissed all defendants on summary judgment and awarded one defendant-counterclaimant $18k+. The entire text of the memo opinion:

MEMORANDUM OPINION AND ORDER GRANTING MOTIONS FOR SUMMARY JUDGMENT OF ALL DEFENDANTS, DENYING PLAINTIFFS' MOTIONS FOR SUMMARY JUDGMENT, and GRANTING POOLE'S MOTION FOR SUMMARY JUDGMENT ON HIS COUNTERCLAIM signed by Judge Long, efiled, eserved, and docketed in chambers on December 23, 2009. It is ORDERED that the Motions for Summary Judgment of Brownstone Publishing Co., the Washington Post Company, John Kelly, and John W. Poole are granted; and it is FURTHER ORDERED that the Motions for Summary Judgment filed on behalf of the plaintiffs are denied; and it is FURTHER ORDERED that judgment shall be entered in favor of all defendants against the plaintiffs as to all claims in the Second Amended Complaint; and it is FURTHER ORDERED that judgment shall be entered in favor of defendant Poole and against plaintiff SCS Contracting Group LP as to Poole's Counterclaim against plaintiff SCS Contracting Group for $18,300 plus 6% (six percent) per annum interest, and a separate money judgment for this sum shall be docketed. Court Jacket not in chambers.

* FINRA Regulatory Notice 10-06: Guidance on Blogs and Social Networking Web Sites.

* Duer v. Henderson, 2009-Ohio-6815 (Ohio App. Ct. Dec. 23, 2009). A web publication telling a ghost story and describing the location of purportedly paranormal phenomenon on private property is not liable for any resulting trespass to real property.

* The “moldy tweet” lawsuit was dismissed.

* Two lawsuits holding that bloggers aren't subject to jurisdiction in the plaintiff's home court:
- Silver v. Brown, 2009 WL 5220297 (D. N.M. Nov. 30, 2009).
- Workman Sec. Corp. v. Phillip Roy Financial Services, LLC, 2010 WL 155525 (D. Minn. Jan 11, 2010)

* BBC: France ponders a right-to-forget law.

E-commerce

* Appliance Zone, LLC v. NexTag Inc., No:4-09-cv-0089-SEB-WGH (S.D. Indiana Dec. 22, 2009). Upholding NextTag's clickthrough-formed advertiser agreement. Mehmet Munur’s comments.

* Edward A. Zelinsky, “New York’s 'Amazon Law': Constitutional But Unwise.”

* Largo Cargo v. Google, a new complaint over allegedly mismanaged AdWord bids. This is the latest incarnation of the Almeida case. I think Largo Cargo’s complaint is still a no go.

* The NYT catalogs an impressive roster of futility for US dot coms trying to compete in China.

Miscellaneous

* Gmail will consult the user's prior emails to pick an ad if a particular email doesn't lend itself to a good ad.

* Illustrating the divergence between the open source community and the Wikipedia community, APC reports that 75% of Linux code is now written by paid developers.

* Oddee: 15 Funny Facebook Fails.

* I expect to be in the Netherlands May 23-30. Let me know if you would like to meet up there.

Posted by Eric at 01:19 PM | Content Regulation , Copyright , Derivative Liability , E-Commerce , Licensing/Contracts , Marketing , Publicity/Privacy Rights , Search Engines , Spam , Trademark | TrackBack

January 27, 2010

Utah May Repeal Its Spyware Control Act--SB 26

By Eric Goldman

It's that time of year again. The Utah legislature is back in session and cooking up new schemes to regulate the Internet. So far I only see one Internet-specific bill in queue, SB 26. Surprisingly, it does not directly attempt to regulate keyword advertising.

SB 26 is sponsored by Sen. Stephen H. Urquhart, who rocketed to national cyberlaw fame (infamy?) in 2004 when he sponsored Utah's Spyware Control Act. It was such a misguided law that it motivated me (in part) to write a 71 page magnum opus explaining its policy deficiencies. It was also hampered by its fairly obvious unconstitutionality, which was confirmed by a Utah court a few months after passage. (Note: I helped write an amicus brief in that court challenge, so you might interpret my assessment as an advocacy statement). Following the judicial thumping, then-Rep. Urquhart shepherded an amendment to the Spyware Control Act in 2005 that effectively neutered the law. Since then, I believe the law has sat largely dormant. The only court citation I know of was in the 2008 Overstock v. SmartBargains case, easily rejecting Overstock's mystifying attempt to make a claim under the superseded 2004 version of the law.

Among other items I'll discuss in a moment, SB 26 proposes to repeal the Spyware Control Act entirely. If passed, that would be a remarkable development because most legislators let their failed laws sit on the books unused. It takes some work to repeal a law, plus it can be a little embarrassing to repeal a law--especially after hyping up the law to get it passed initially (Urquhart had a lot of tough talk about spyware/adware in 2004-05, see, e.g., here). Kudos to Sen. Urquhart for having the fortitude to admit and fix his errors publicly.

While repealing the law would be a remarkable step on its own, it's even more remarkable in the context of the Utah legislature's track record of Internet regulation. By my count, repealing the Spyware Control Act would be at least the THIRD Utah Internet law that its legislature repealed in the past few years--the other two being Utah's 1995 digital signature act and its infamous Trademark Protection Act. For a legislature that meets only a couple of months a year, a trifecta of repealed Internet laws in the past couple of years is a stunning waste of scarce legislative resources. Wow.

As bad as that is, the three repealed laws don't even tell the full story of the Utah legislature's incompetence when it comes to Internet regulation. Recall Utah's failed attempt to line its coffers by taxing email (which turned into a big money-loser), and don't forget its repeated attempts to regulate Internet content that have spawned years of costly litigation (see, e.g., Free Speech Coalition v. Shurtleff). From my perspective, anyone looking objectively at the Utah legislature's track record of regulating the Internet would logically conclude that they should cut their losses and focus on other legislative priorities.

Unfortunately, SB 26 indicates that either hope springs eternal in the Utah legislature or they are doomed to forget the lessons of history. Despite doing some good by putting down the Spyware Control Act, the bill amazingly proposes more regulations of the Internet! To Sen. Urquhart's credit, the bill is largely clone-and-revise proposals from other places and not drafted from scratch, which may contribute less from a regulatory standpoint but at least they aren't quite as error prone. The proposed law has three main components:

1) anti-phishing/anti-pharming restrictions. I'm not sure where the original text came from. California has an anti-phishing law but I don't think this is a clone-and-revise of that law. Maybe it's cloned from another state's anti-phishing law. In any case, the anti-"phishing" proposal is noteworthy because the regulation doesn't restrict itself to email (presumably to avoid any risk of CAN-SPAM preemption). As a result, as currently drafted, it's an unlimited anti-pretexting law applicable to both online and offline conduct.

2) anti-spyware restrictions. After wiping out the Spyware Control Act, the new anti-spyware proposals are based on the California model of state anti-spyware laws, which have been followed by a couple dozen other states. The California model regulates various types of "intentionally deceptive" conduct regarding software activity. This is what Utah should have done in 2004-05 rather than trying to develop its own sui generis law. I generally don't have a problem with regulating intentionally deceptive software behavior, but it seems a little late to be enacting the laws now. Most of the regulations contemplate practices more common in 2003-06 and largely defunct now, so Utah is showing up late to a party that ended years ago.

3) a state version of the federal Anti-Cybersquatting Consumer Protection Act. I know some other states have enacted domain name protection laws (California comes to mind), but it's not clear what benefits these state laws have. As far as I know, California's law is almost never used. Tom O'Toole speculates that this bill will make it easier for Utah trademark owners to bring in rem lawsuits, but it's not clear to me how much this law will help given the rarity of ACPA in rem lawsuits (UDRPs are usually cheaper and faster for the same results) and already expansive jurisdictional principles under ACPA. Further, I wonder if this law is preempted either by the dormant commerce clause or via field preemption of the federal ACPA.

I should add that I’ve observed that Utah bills can change radically from draft to draft with little warning, even if the law is on the legislative floor for a final vote, so we'll have to see if this law transmogrifies through the process. And I am keeping a vigilant watch for any resurrected attempts to regulate keyword advertising.

Posted by Eric at 09:58 AM | Adware/Spyware , Domain Names , Internet History , Spam , Trademark | TrackBack

January 11, 2010

Top Cyberlaw Developments of 2009 (Eric's List)

By Eric Goldman

Guest blogger John Ottaviani recently dropped by to offer his perspectives on 2009’s top Cyberlaw developments. While I like his list a lot, I independently developed my own top 10 list that has a different emphasis. You might enjoy the contrasts. My list:

#10: Louis Vuitton v. Akanoc. After the judge ordered a web host to stand trial, a jury awarded the trademark owner $32 million due to the web host’s contributions to trademark infringement by its customers. This case stands out for the big damages award and as a rare example where an online provider was held liable under a contributory trademark liability theory. Many trademark practitioners are scratching their heads trying to figure out the import of this case, however. Does this case represent a dangerous new frontier of online liability? Was this a bad jury verdict fueled by poor defense lawyering? Or was this an appropriate outcome because the web host actually engaged in bad behavior that distinguishes it from most “legitimate” web hosts? 2010 may help us understand if this case is part of a new trend or an aberration.

#9: Gordon v. Virtumundo. We’ve seen a lot of silly anti-spam litigation, including the emergence of an entirely new group of entrepreneurs called “spam litigation entrepreneurs” who try to make a living on anti-spam lawsuits. These folks have a true love-hate relationship with spam; they hate it so much that they devote their lives to fighting it, but they love getting spam because each one is a potential revenue source. In general, judges hate spam a lot too, so over the years we have seen a number of doctrinally unsupportable results where judges bent the law to make sure spammers lost.

However, the judicial pendulum has swung in the opposite direction, and in Gordon v. Virtumundo, the Ninth Circuit destroyed a serial anti-spam plaintiff’s entrepreneurial business in a doctrinally questionable but strongly worded opinion. In short order, a number of other spam litigation entrepreneurs have seen their lawsuits shut down with emphasis. Due to this ruling, the era of anti-spammers partying in courts may be on the wane.

#8: Zango v. Kaspersky. The question raised in this issue is simple to state but hard to answer: who should decide what constitutes spam, spyware or a virus? Vendors of software designed to curb these threats would like unfettered discretion to make their classifications; businesses who are classified as a threat would like judges to overturn adverse decisions. As it turns out, in a relatively obscure provision (47 USC 230(c)(2)), in 1996 Congress said that software vendors get to make classifications decisions and unhappy businesses can’t complain about them. In June, the Ninth Circuit upheld Kaspersky’s decision to classify Zango’s software as a threat and rejected Zango’s efforts to take the classification decision out of Kaspersky’s hands. This ruling gives enormous freedom to vendors of anti-spam/anti-spyware/anti-virus software to do their best to keep us safe.

#7: Columbia Pictures v. Fung. This case came out just before the Christmas holiday, so it got lost in the holiday hoopla a bit, but it’s a case of potentially significant import. First, it held that the specific torrent sites at issue induced copyright infringement. Second, the court denied the torrent sites’ eligibility for the DMCA online safe harbors. In part, the court said that an inducing website was categorically disqualified from the DMCA online safe harbors. Like the Akanoc case, it’s not entirely clear if this result was a legal aberration or an appropriate reaction to the defendants’ poor choices. Either way, it is possible that more “legitimate” websites may change their behavior to minimize their exposure based on the legal precedents in this case. If they do, this case could have a major impact on UGC websites.

#6: Lori Drew’s acquittal. Megan Maier’s suicide remains a heartbreaking tragedy, but unfortunately, overzealous prosecutors compounded the tragedy by prosecuting Lori Drew using bogus legal doctrines. The tragic facts got a jury to convict Drew of some misdemeanor crimes. Fortunately, the judge recognized the legal errors of the prosecution’s theory and the jury’s conclusions and granted Drew an acquittal despite the jury findings. The judge finally got to the right result as a matter of Cyberlaw, but the case remains a chilling testament to prosecutorial power.

#5: Harris v. Blockbuster. The rule is really clear. Service providers can't amend online user agreements in the provider’s sole discretion without notice. As the Ninth Circuit informed us in 2007, those contracts don’t fare well in court. So although these provisions are in just about every online user agreement, they don’t work--as Blockbuster found out the hard way.

As part of the litigation detritus from the Facebook Beacon experiment, users sued Blockbuster for sharing their rental transactions with Facebook and all of their friends, allegedly in violation of the Video Privacy Protection Act. Blockbuster tried to bust the class action by invoking the contract’s arbitration clause. Instead, because Blockbuster had the impermissible amendment provision in its user agreement, the court said the contract was illusory and refused to send the case to arbitration.

This case should signal the end of the ridiculous amendment clauses. We’ll see how long it takes the lawyers to give the provisions up.

#4: Battles Over the First Sale Doctrine. We have seen numerous legal battles this year over the First Sale defenses in both copyright and trademark law.

Copyright owners try to engage in price discrimination by carving up the world into geographic territories with different prices for the same product. If they can use copyright law to keep the cheap products from entering the other geographic market, this keeps the product from effectively price-competing with itself.

This year, two cases involved European textbooks which were functionally equivalent to the textbooks being sold in the United States at higher prices. Entrepreneurs were buying the cheap European texts, shipping them to the US and then selling them online. The entrepreneurs invoked the First Sale doctrine, which says that copyright law can’t prohibit the legitimate purchaser of a tangible copyrighted item from reselling the item to whomever they want at whatever price they want.

However, copyright law has another provision that allows copyright owners to block the importation of copyrighted works into the United States. In the 1998 Quality King case, the US Supreme Court said that the First Sale doctrine trumped the importation right when the goods were manufactured in the US, sold overseas, and then imported back to the US. However, in Pearson v. Liu and John Wiley & Sons v. Kirtsaeng, the judges said that the importation right trumps the First Sale doctrine when the goods were initially manufactured overseas. This issue is ripe for further adjudication, though. A similar importation case, Costco v. Omega, is pending before the US Supreme Court, which is deciding whether or not it wants to hear the case. If it does, we may get clearer instructions about the interplay between the First Sale doctrine and the copyright importation right.

Copyright’s First Sale doctrine was also at issue in Vernor v. Autodesk, where the purchaser of a software disk wanted to resell the disk on eBay despite restrictions in the software licensing agreement barring such resales. The court held that the First Sale doctrine applied and allowed the resale. There are other cases percolating through the court system involving the resale of tangible media contained copyrighted material despite contractual restrictions on resale, so this issue remains a hot one.

Trademark owners also try to prevent competition with their products that leak out of their official channels of distribution. eBay has been the site of a couple battles over the First Sale doctrine in trademark law. In Mary Kay v. Weber, the court held that the trademark First Sale doctrine may not permit the eBay resale of expired cosmetics by a Mary Kay independent beauty consultant. In Beltronics v. Midwest, a trademark owner shut down the eBay resale of radar detectors that had leaked out of the manufacturer’s channel and were being sold (at a cheaper price) without the manufacturer’s warranty.

Clearly, the First Sale doctrine matters a lot to eBay and other consumer-to-consumer e-commerce websites. With a possible pending Supreme Court case and lots of IP owners looking to stifle competition from goods they have already profited from, expect the First Sale doctrines to get lots of attention in 2010.

#3: 47 USC 230. In my opinion, 47 USC 230 is the most important Cyberlaw statute, so new 230 developments will make my top 10 list for the foreseeable future. This year, there were three federal appellate court rulings interpreting 47 USC 230(c)(1):

* in Barnes v. Yahoo, the Ninth Circuit held that 230 protected a website’s negligent delay in removing user content. However, if the website had promised removal to the user, the user could have a viable claim for promissory estoppel that would not be preempted by 230.
* in FTC v. Accusearch, the Tenth Circuit held that a website’s resale of pretexted phone records—even if those records were supplied by third party suppliers—did not qualify for 47 USC 230 protection because of their illegality.
* in Nemet Chevrolet v. ConsumerAffairs.com, the Fourth Circuit held that a consumer review website was not liable for user-supplied reviews, even when the website worked with the user to submit the review, and despite the plaintiff’s unsubstantiated claims that the website had fabricated the reviews itself.

Really, the big 47 USC 230 news in 2009 is the absence of big news. Specifically, 2009 reinforced that the Ninth Circuit’s 2008 Roommates.com decision—one of the most significant defense losses under 47 USC 230—did not rip open a major hole in the statutory protection of websites. Of the 13 cases that I have seen that have cited the Roommates.com en banc opinion, eleven have cited the case in favor of the defense. (See the list here). The two exceptions are the Accusearch case, mentioned above, and the New England Patriots’ lawsuit against StubHub over season ticket resales, an odd opinion that may not have much influence. Therefore, despite our fears about Roommates.com, the 47 USC 230 immunity remained healthy and vibrant in 2009. For more on this topic, see my special recap of 47 USC 230's year-in-review for 2009.

#2: Keyword Advertising Battles. Keyword advertising battles are another perennial topic on these year-in-review lists. A multi-billion dollar a year industry has sprung up around the sale of keyword-triggered advertising, including some keywords that may be third party trademarks, and trademark owners don’t like it at all. This has led to a multi-front battle between trademark owners, keyword advertising sellers (such as Google), and keyword advertising buyers.

One of the biggest Cyberlaw cases of the year was the Second Circuit’s ruling in Rescuecom v. Google. In the district court in 2006, Google won an easy victory against a trademark owner because the court said that Google did not make the requisite “use in commerce” of the trademark. The Second Circuit reversed the district court, sending the case back for further proceedings. The reversal does not ensure Google’s defeat; Google will now litigate other legal doctrines and might very well win on one of those. However, the Second Circuit’s opinion largely spells the end of any “use in commerce” defense by either keyword advertising sellers or buyers.

Because of the “use in commerce” defense’s demise, keyword advertising cases will now likely turn on whether the advertisements create a likelihood of consumer confusion. One case, Hearts on Fire v. Blue Nile, offered up a new and complicated test for gauging consumer confusion. If other courts adopt this test, keyword advertising cases will get even more expensive and complicated—highlighting how important it was that the Rescuecom case eliminated an easy way to end these lawsuits early.

Meanwhile, despite the fact that keyword advertising battles have been taking place for at least a decade, we have not heard what a jury thinks about the practice—until the November jury ruling in Fair Isaac v. Experian. In that case, the jury found for the defense that the keyword-triggered ads did not create the requisite likelihood of consumer confusion. It remains to be seen if other juries reach the same conclusion. If they do, keyword advertising lawsuits should slowly fade away over time because the trademark owners can’t win in the end.

As for now, keyword litigation is going strong and hardly fading away. In Spring, Google made two changes to its trademark policies where it voluntarily agrees to take down certain types of ads at the trademark owner’s request. In May, Google extended its more liberal US-based policy to nearly 200 other countries, replacing the more restrictive policies it had in place there. Shortly thereafter, Google modified its US policy to do less for trademark owners in situations involving product resales, review websites and sales of complementary/replacement parts. Trademark owners were none too pleased with these changes. In response to these changes and the door opened by the Second Circuit Rescuecom decision, Google got hit with about a dozen new lawsuits, including some class action lawsuits, of which I believe 10 are currently still active.

Finally, all of the wrangling in court and over voluntary trademark policies could be mooted by legislative action, and for the third time, the Utah state legislature considered resolving the keyword advertising issue itself. A law regulating keyword advertising passed the Utah house but died in the Utah senate. Expect the pro-regulatory forces to round up the troops for a fourth try in 2010.

#1: FTC Endorsement Guidelines for Bloggers. The Obama administration has breathed new life into a pro-regulatory FTC, and the FTC sure is interested in all things Internet. The FTC has been nosing around Internet privacy and Internet marketing practices pretty carefully, and I expect 2010 to bring more FTC pronouncements designed to tackle the Internet.

But nothing stirred up a hornet’s nest of confusion and anger in 2009 like the FTC’s Endorsement and Testimonials Guidelines. I think it’s fair to say that the FTC’s guidelines rollout was a complete failure. As usual, the FTC’s guidelines were mealy-mouthed and filled with conditional statements (the FTC hates to lay out bright line rules that might constrain their future discretion). However, the FTC’s general gist was clear: bloggers should disclose when they receive financial or other consideration for their blog posts.

Unfortunately, this general principle leaves open some fairly fundamental questions, like when is disclosure required in situations less clear than straight cash-for-posting, and where should disclosure be made, especially in space-constrained media like Twitter. Needless to say, unhappy bloggers can be very noisy, so blogger response to the FTC’s announcement was loud and vituperative. The FTC tried to backpedal a little by saying that it did not intend to pursue individual bloggers, but this announcement only reinforced that bloggers do not understand what the FTC wants from them.

Meanwhile, the FTC’s proposed guidelines also took an interesting position about an advertiser’s liability for rogue blogger’s posts. This position is generally consistent with government enforcement agencies’ views that commercial players can be legally responsible for content they endorse or link to (see, e.g., my comments on the SEC’s liability-for-linking policy), but this position runs directly contrary to 47 USC 230’s provisions that say A isn’t liable for B’s online content. As a result, I believe that part of the FTC’s proposed guidelines violate 47 USC 230 and would not survive a court challenge.

Overall, the firestorm over the FTC’s Endorsement and Testimonials guidelines is a small part of a larger effort to regulatorily separate advertising from content. The Internet has collapsed those distinctions, perhaps irreparably, so regulators may be trying to accomplish the impossible. Nevertheless, the FTC seems determined to prop up the distinction, and I expect 2010 will bring more FTC efforts on this front.

* * * * *

While that concludes my top 10 list, there were a number of other interesting developments in 2009 that are worth a brief note:

* Moreno v. Hanford Sentinel. A woman trashed her hometown in an obscure but public MySpace posting and learned there is no “do-over” for Internet content publication. My vote for the most factually interesting Cyberlaw case of 2009.

* Google’s keyword metatag announcement. Courts generally treat the inclusion of third party trademarks in keyword metatags as per se trademark infringement. But Google has confirmed that it ignores keyword metatags. Will courts get the message?

* Google Book Search settlement. If the Google Book Search settlement ever gets approved, it may reshape the book industry, redefine libraries, and make all kinds of other socially significant changes. But the list of opponents to the settlement is long and growing. Professor James Grimmelmann of New York Law School is our community’s maven for all things “GBS.”

* Kindle book deletion. The Kindle store sold e-books it didn’t have the right to sell, so it took them back. Users learned of a key factual difference between physical books and e-books—the vendor can remotely make e-books go poof.

* States’ efforts to impose sales tax efforts based on marketing affiliates. For years, states have been looking for ways to make online retailers collect sales tax for them. They are generally stopped by Supreme Court precedent, but in 2008 New York finally figured out a workaround. The New York statute said that marketing affiliates were like traveling salespeople and thus created the physical nexus required for a state to impose sales tax collection obligations. The New York statute survived its first legal challenge, which opened the floodgates of other states passing similar laws hoping to get their piece of the action. Meanwhile, online retailers aren’t just rolling over; instead, they are threatening to cut off (or actually cutting off) marketing affiliates in states that enact these laws—thus potentially costing the states income tax from the marketing affiliates’ revenue, and creating the potential for the entire affiliate industry to be torn apart.

* Maine kids privacy law. Maine thought it could pass a law banning marketing to kids. It was wrong. The state had to withdraw the law and go back to the drawing board.

* UMG v. Veoh. Veoh won another nice DMCA online safe harbor victory.

* US v. Kilbride. The Ninth Circuit says that online obscenity prosecutions need to evaluate national attitudes towards obscene content, not local community standards.

* Kentucky domain name seizure. Kentucky tried to grab 141 domain names that enabled Kentucky residents to engage in illegal gambling. But those domain names also serviced customers for whom the gambling was completely legal, so the Kentucky courts are rethinking the grab.

* FTC v. Sears. As another example of the new pro-regulatory winds blowing through the FTC, the FTC cracked down on Sears for installing spyware on users’ computers that looked at the users’ hard drives, even though Sears paid the users for the installation and disclosed the spyware’s snooping in the user agreement (though in an inconspicuous manner). This case has made a lot of lawyers concerned that adverse disclosures in user agreements won’t satisfy the FTC.

* Facebook the Drama Queen. Ah, Facebook. Love it. Hate it. Facebook is a pretty nifty site and part of my daily routine, but boy, they sure do have a knack for stirring up trouble.

- In February, they made a relatively modest change to their user agreement that caused people to freak out.
- In response to this, Facebook took the provocative step towards user self-governance. Facebook let users vote on some choices and promised to be bound by the results, but with an asterisk: Facebook decided what options users could vote on, and Facebook would honor those choices only if a prohibitively large number of users exercised their franchise. Still, it was a nice gesture towards cyberspace community self-governance.
- In summer, they tried to settle their Beacon litigation, but that also reminded folks of how much Beacon irritated them in the first place.
- Summer also brought allegations of click fraud on Facebook, and lawsuits followed.
- Finally, in Thanksgiving, Facebook rolled out some changes to its privacy options that it pitched as giving users more choices, but it also took away some choices and defaulted users into some options that surprised them.

Given this track record, is it unrealistic to expect more Facebook drama in 2010?

* Estavillo v. Sony. Speaking of self-governance, virtual world enthusiasts would love to establish the legal proposition that virtual worlds are legally equivalent to governments and therefore obligated to restrain their actions just like governments are. One virtual world enthusiast sued Sony for kicking him off the network, claiming that Sony was legally governed as a “company town” and therefore lacked the discretion to kick him off. WRONG (and it wasn’t even close).

* Wikipedia's policy change. In August, the English-language Wikipedia announced that it was going to tighten up its editorial policies, and people Freaked Out. (In fact, I have predicted that Wikipedia cannot avoid increased editorial restrictions over time, so this change should not have been surprising). However, it turns out that everyone got it wrong, and Wikipedia’s editorial changes are far less dramatic (and consequential) than initially reported. I will post a separate recap on Wikipedia shortly.

If you would like a stroll down memory lane, you can see my previous top 10 lists from 2008, 2007 and 2006. Before that, John Ottaviani and I put together a list of top Internet IP cases for 2005, 2004 and 2003.

Posted by Eric at 10:46 AM | Content Regulation , Copyright , Derivative Liability , Domain Names , E-Commerce , Internet History , Licensing/Contracts , Marketing , Publicity/Privacy Rights , Search Engines , Spam , Trademark , Virtual Worlds | TrackBack

December 17, 2009

Court Finds that SMS Spam Messages are Subject to the TCPA and Rejects First Amendment Defense -- Abbas v. Selling Source, LLC

[Post by Venkat]

Abbas v. Selling Source, LLC, Case no. 09 CV 3413 (N.D. Ill.; Dec. 14, 2009).

I didn't think there was much dispute as to whether SMS spam falls under the Telephone Consumer Protection Act, but Judge Gottschall's order in Abbas v. Selling Source, LLC, tackles this issue and concludes that SMS spam messages are "calls," under the Telephone Consumer Protection Act. Along the way, the court addresses a few other interesting arguments, including defendant Selling Source's First Amendment defenses.

Abbas allegedly received SMS spam from Selling Source. Abbas sued Selling Source in state court under the TCPA. Selling Source removed and filed a motion to dismiss. The court rejected the crux of Selling Source's arguments.

Was Abbas Charged for the Text Messages? Selling Source's first argument was that Abbas did not allege he was charged for the text messages, and that the TCPA only applies to messages for which the recipient is charged. Due to lazy drafting, the statute is not totally clear on this issue. It contains a list of services to which the TCPA applies, but adds a catch-all: "or any service for which the called party is charged for the call." The question for the court is whether this modifier applies to numbers assigned to all types of services, or whether it's just a separate catch-all category. Following passage of the TCPA, the FCC concluded that the TCPA did not apply to calls to cellular customers for which the called party is not charged. Shortly after this FCC pronouncement, Congress passed a law that allowed the FCC to exempt from the scope of the TCPA any calls for which the called party is not charged. The court looked to this Congressional amendment and concluded that the TCPA applies to both "charged and uncharged calls." [Sidenote: should the applicability of the TCPA to "uncharged calls" affect the First Amendment analysis?]

Did Selling Source Use an Automatic Telephone Dialing System? Selling Source argued that Abbas failed to adequately allege that Selling Source used an auto-dialing system to send the messages. The Ninth Circuit dealt with this issue in Satterfield (discussed by Prof. Goldman here and Jeff Neuburger here), where it held that the TCPA only required that the calling mechanism have the capacity to store or produce numbers using a "random or sequential number generator," not that this mechanism was used to initiate the calls (messages). I'm not really sure what to make of this argument in the context of this case, since it's unclear exactly what equipment Selling Source used. Plaintiff certainly has no way of knowing this information at this stage in the litigation. Whatever it means for a piece of equipment to have the "capacity" to store or produce random or sequential numbers, I would guess - given the analysis in Satterfield and in this case - that any reasonably sophisticated piece of equipment fits the bill.

Does the TCPA Apply to SMS messages? Selling Source argued that the TCPA only applies to
"calls," and not to text messages (or that text messages were not "calls" under the TCPA). The court engages in a fairly lengthy analysis (which is worth reading) before concluding that "an SMS message is a 'call' within the meaning of the TCPA." Most people treat this as a foregone conclusion (or at least assume this is likely the case), given that the FCC has long held (starting from a 2003 FCC order) that text messages are "calls" within the TCPA. But Selling Source made some creative arguments that the court seemed to grapple with. Interestingly, the court declined to give the 2003 FCC order concluding that text messages were calls under the TCPA Chevron deference. (The court undertakes an independent look at the issue and concludes that SMS messages are "calls" within the meaning of the TCPA.)

Selling Source's First Amendment Challenge: Finally, the court rejects Selling Source's First Amendment challenge. Jaynes (and the Virginia spam statute) notwithstanding, First Amendment challenges to unsolicited marketing laws are a losing proposition. It wasn't a big surprise that the court didn't buy Selling Source's First Amendment arguments, but cost-shifting is typically advanced as one of the big evils sought to be addressed by unsolicited marketing laws. The court's interpretation of the TCPA potentially takes this out of the equation, at least in some cases. This leaves the privacy rationale, but accepting that rationale as a justification for laws governing unsolicited marketing may make way for lot broader regulation than most people think is appropriate from a First Amendment standpoint. I'm not quarreling with the court's conclusion, and I haven't taken a close look at the issue, but I thought this was worth noting.

***

It's worth mentioning that the court grants Selling Source's motion to dismiss on the basis of specificity. Although it finds plaintiff's claims viable as a matter of law, plaintiff is required to re-file and allege specifics regarding the receipt of the text messages in question.

It's also worth noting that last week a district court dismissed Computer Fraud and Abuse Act claims based on the receipt of SMS spam messages. See, my post here for a discussion of Czech v. Wall Street on Demand, Inc. As I mentioned in that post, the TCPA is a possible avenue for plaintiffs who receive SMS spam messages.

Posted by Venkat at 09:09 PM | Spam

December 11, 2009

Court Rejects Computer Fraud & Abuse Act Claim Based on Unsolicited Text Messages--Czech v. Wall Street on Demand

[Post by Venkat]

Czech v. Wall Street on Demand, Inc., No. 09-180 (DWF/RLE) (Dec. 8, 2009).

A Minnesota district judge rejected claims brought under the Computer Fraud and Abuse Act based on the receipt of unsolicited text messages. There's not much to the facts, except that plaintiff received unwanted text messages from Wall Street on Demand, Inc. She did not have a prior business relationship with WSOD. She (vaguely) alleged that she incurred fees and charges related to her receipt of these messages. Based on her receipt of unwanted text messages, she filed a claim against WSOD alleging violations of the Computer Fraud and Abuse Act and state statutes.

The Court's Ruling: The court dismisses plaintiff's amended complaint in an order that helpfully provides a summary of the Computer Fraud and Abuse Act (and recent 2008 tweaks) as it's used in the civil context. Plaintiff brings three possible claims: (1) a claim for obtaining information from her phone; (2) a claim for transmitting information or code through her phone; and (3) a claim for "accessing" her phone.

Information Claim: The court rejects the information-based claim because there's no information that WSOD allegedly obtained through accessing the plaintiff's phone. Plaintiff analogizes to websites and argues that any time someone sends a message to a mobile phone, information is "obtained" in the same way that information is obtained any time someone accesses a website. The court rejects this analogy, finding that "there is a fundamental difference between viewing websites and communicating with wireless devices such as cell phones by sending text messages." Even if the transmission of an unwanted text message somehow resulted in the "obtaining of information," the court concludes that there's no loss as a result of defendant having obtained the information.

Transmission Claim: The transmission claim requires plaintiff to allege that WSOD caused the transmission of code or information and as a result "intentionally caused damage without authorization" to plaintiff's device. The complaint fails on both counts. There wasn't a credible allegation of damage (there was no allegation of impairment to the machine) or of WSOD's intent to cause the damage.

Access Claim: The court rejects the access claim since plaintiff does not adequately allege that the unauthorized access was intentional.

My Take: The Computer Fraud and Abuse Act is an often abused statute, and this seemed like another example of a situation where the statute is being stretched to fit the conduct/harm that was not intended to be covered by the statute. I was surprised that plaintiffs cited to the Lori Drew case [link], which many people view as a classic example of stretching the statute to its breaking point. In some ways this case is reminiscent of ISPs using the Computer Fraud and Abuse Act to attack spam. Some courts were open to this; other courts expressed reservations to the applicability of the Computer Fraud and Abuse Act to spam. See, e.g., America Online, Inc. v. National Health Care Discount, Inc., 121 F. Supp. 2d 1255, 1275 (N.D. Iowa 2000) ("A disturbing issue is whether subsection (a)(5)(c) is intended to address UBE at all.").

The case is also somewhat reminiscent of Abrams v. Facebook, a lawsuit based on the fact that Facebook sent SMS messages to cellphone numbers provided by its users and would keep sending those messages even if the cellphone number changed owners. In a lengthy article, Prof. Goldman discussed the weaknesses of using phone numbers as identity authenticators.

Advice to plaintiffs. If the court dismisses your complaint, come back with additional facts. Do not merely add what the court here calls "background discussion" about the issue you are complaining about. In five or six separate instances, the court mentions the fact that the amended complaint is just a bulkier, more "dressed up version" of the old complaint . . . with no new facts. At a broader level, the court's understandable skepticism towards the damage claims in this case illustrates how difficult it is to bring claims based on unsolicited marketing communications (whether received via your phone or your computer).

Advice to defendants. Transmitting unsolicited text messages is not free of risk. The Telephone Consumer Protection Act is one possible avenue for plaintiffs, and courts are not always deferential to broadly (and poorly) worded opt-ins. (See Eric's post on Satterfield v. Simon & Schuster here.)

Posted by Venkat at 12:27 PM | Marketing , Privacy/Security , Spam

December 04, 2009

Ninth Circuit Rebuffs Another CAN-SPAM Plaintiff -- Asis Internet Services v. Azoogle.com, Inc.

[Post by Venkat]

The Ninth Circuit recently rejected [pdf] two appeals brought by CAN-SPAM plaintiff Asis Internet Services. The trial court granted summary judgment in favor of Azoogle and awarded costs. See Eric's earlier blog post on that ruling. Asis has brought numerous lawsuits against different defendants. While this ruling won't necessarily be used preclusively against Asis it will definitely be cited by the defendants in those cases.

Citing Gordon v. Virtumundo, the court finds that:

the mere costs of carrying SPAM emails over Plaintiff's facilities does not constitute a harm as required by the statute. While Plaintiff argues that employee time was spent on spam-related issues, Plaintiff concedes that it has no records detailing employee time. Plaintiff also spent money on email filtering, though the cost of email filtering did not increase due to the emails at issue. Such ordinary filtering costs do not constitute a harm. [cite omitted] Thus, Plaintiff has not suffered a harm within the meaning of the statute and lacks standing.

The entire memo opinion is about two pages, and the court spends a sentence noting that Asis is not entitled to relief under the California statute (17529.5) because Azoogle "neither sent nor procured the emails at issue, and therefore did not 'advertise' within the meaning of the statute."

The big take away is that courts seem to be able to sniff out people who they view as pursuing litigation for the wrong reasons. It's unlikely that Asis was truly damaged to the extent of even a fraction of fees and resources it spent on this case.

Plaintiffs who aren't large ISPs or social networking websites haven't found a very sympathetic audience, particularly at the appellate level. We're probably left with a regime where only larger ISPs, social networking websites, and state actors are able to effectively bring anti-spam lawsuits. The scope of preemption of California's anti-spam statute is still unclear (Kleffman v. Vonage was certified to the California Supreme Court) so this is one possible option for plaintiffs, but I can't imagine they'll be spending much energy on this.

Posted by Venkat at 07:31 AM | Derivative Liability , Marketing , Spam

December 01, 2009

"Spam Filter Ate My Electronic Filing Notice" Plaintiffs Get Another Chance -- Shuey v. Schwab

[Post by Venkat]

The "spam filter ate my electronic filing notice" excuse was an inevitable byproduct of the CM/ECF electronic filing system now in place in federal courts. As expected, courts have not been very sympathetic to this excuse. In an unpublished decision, the Third Circuit gave a party who advanced this excuse another chance. (The case caption is Shuey v. Schwab, Case No. 08-4727 (3rd Cir.; November 3, 2009). Here's a link to the Justia page.)

Plaintiffs brought civil rights claims against a township and certain police officers alleging excessive force. Defendants moved to dismiss. Plaintiffs failed to respond. The court issued an order directing plaintiffs to respond or "otherwise communicate with the court." Plaintiffs did not respond to this order either, and the court dismissed the action with prejudice. After the dismissal was entered, plaintiffs sought reconsideration, alleging among other things that their failure to respond was caused by "technological error." Specifically, counsel "explained that the court's electronically filed order was errantly tagged as 'spam' in counsel's email system and therefore was never delivered." The district court denied plaintiffs' request for reconsideration.

On appeal, the Third Circuit reversed, holding that before dismissing a case as a sanction the trial court must engage in some sort of merits analysis. The court's ruling doesn't directly address the "spam filter ate my CM/ECF notice" excuse, but gives the lawsuit a small dose of oxygen.

Although I'm sure we'll see parties continue to assert this excuse, I don't think courts will be very sympathetic. I guess common sense is the best advice here. Get a good spam filter and whitelist all domain names through which you are likely to receive electronic notices. When all else fails, keep track of your cases by checking PACER (or RECAP) once in a while!

Related: You can see my take on the ruling below here: "The Spam Filter Ate My CM/ECF Notice?," and posts on other cases where parties have asserted this excuse here (Russo v. Network Solutions, Inc.), here (American Boat Company, Inc. v. United States), and here (Stewart v. Avaya, Inc.).

Posted by Venkat at 10:15 AM | Spam

November 12, 2009

Tagged Settles Spam and Address Book Harvesting Claims Brought by NY and TX Authorities

[Post by Venkat]

Tagged, which is supposedly the "third-largest social networking site in the world" (whatever this means) recently settled enforcement actions brought by New York and Texas Attorneys General. (See coverage at Bits and Media Post.)

The basic allegations were that Tagged sent emails to people which falsely implied that the people were depicted (or "tagged") in photos in order to get people to sign up for the service. At sign up Tagged also allegedly failed to disclose that Tagged would access the address books of users and send emails trying to get friends of these users to sign up.

The Tagged settlements - details of which are recapped by David Johnson here - required Tagged to pay 250,000 and 500,000 to Texas and New York, respectively. The settlements also require Tagged to provide users with greater disclosure and require Tagged to jump through certain hoops before accessing the address book of a user. David notes that the enforcement actions were brought under a variety of New York statutes including New York's deceptive trade practices law and false advertising statutes. He notes that those statutes "would not be preempted by CAN-SPAM . . . [but] we will never know" for sure, since Tagged settled.

Although Tagged chose not to fight the battle, there's another case pending in California that is roughly analogous, where the court ruled that claims arising out of similar conduct were preempted by CAN-SPAM. (Hoang v. Reunion.com, discussed by Ethan here and here.) As Ethan notes, in the Reunion case, Judge Chesney ruled that CAN-SPAM preempted pretty much every type of email-based claim except for those sounding in common law fraud. Common law fraud has a high damage threshold and because none of the plaintiffs were able to show that they actually relied on, or suffered out of pocket loss due to, misstatements in any Reunion emails, Judge Chesney dismissed the claims against Reunion. (Incidentally, that case is mired at the district court level. Plaintiffs have indicated they plan to appeal, but defendants moved for sanctions based on the fact that plaintiffs represented to the court that they could file a third amended complaint containing adequate damage allegations but ultimately changed their minds and decided they wanted to appeal. The court deferred ruling on the pending motions and requested additional briefing from the parties.)

Tagged is also defending against a class action filed in California. The plaintiffs in this case allege claims under the Computer Fraud and Abuse Act and the Stored Communications Act, among other statutes. (You can access a copy of the complaint here (scroll down).)

So, what to make of these lawsuits against Tagged and Reunion?

1. I'm inclined to agree with Ethan that Reunion went too far in concluding that only claims for common law fraud are carved out of CAN-SPAM's preemption clause. Mummagraphics - the early appellate preemption case - concluded that immaterial errors are not actionable, but that's a far cry from the high bar set by the court in the Reunion case.

2. CAN-SPAM's preemption clause has a second exception for laws that "are not specific to electronic mail," I don't understand why plaintiffs don't try to rely on non-email specific laws. The Reunion plaintiffs brought claims under California spam statutes. Maybe there were structural (standing or damages-related) reasons for why they did so, but I was surprised they didn't just bring claims under California's unfair business practices statute. On a related note, with respect to the Tagged class action, the Computer Fraud and Abuse Act and Stored Communications Act don't seem like a good fit for these types of claims. The Computer Fraud and Abuse Act has a damage threshold that is probably tough to satisfy, and the Stored Communications Act regulates access to the contents of communications.

3. There isn't a ton of law on the scope of California's anti-spam statute, but the Ninth Circuit certified an issue to the California Supreme Court in Kleffman v. Vonage. I'm not sure if this ruling will add to the mix, but it should be interesting to see what the court does here.

4. It's tough to say whether these lawsuits illustrate that enforcement is better left in the hands of government regulators or whether private parties should play a role in enforcement. Excluding large ISPs, private plaintiffs don't seem to have accomplished very much by way of stopping spam. If anything, they have pushed the envelope, and ended up with a framework that makes private enforcement much harder. That said, here the Texas and New York enforcement actions followed the California class action against Tagged, so it's tough to say.

5. Where is the FTC in all of this? Busy regulating paid endorsements by bloggers I guess.

Posted by Venkat at 08:54 AM | Spam

November 02, 2009

October 2009 Quick Links

By Eric Goldman

Just a reminder that I am posting most of these types of links exclusively to my Twitter feed.

* Tricome v. eBay, Inc., 2009 WL 3365873 (E.D.Pa. Oct 19, 2009). Court upholds eBay user agreement's venue selection clause. Evan Brown covers the case.

* The AutoAdmit case is over. Above the Law and the Yale newspaper.

* Google doesn't want to hear your complaints about your reputation management.

* Moneygram settles with the FTC (to the tune of $18M) that its money wiring service was used to perpetrate fraud.

* The FTC scores a rare COPPA settlement, this time with Iconix for $250,000.

* John Wiley & Sons, Inc. v. Kirtsaeng, 2009 U.S. Dist. LEXIS 96520 (SDNY Oct. 19, 2009). Another federal court holds that the purchase of foreign-manufactured textbooks and resale in the US via the Internet is blocked by the importation right and not excused by the First Sale doctrine. My coverage of the analogous Pearson v. Liu ruling.

* Utah's "Don't Spam the Kids" registry survived a constitutional challenge. That doesn't make it good policy!

* Saadi v. Maroun. Blogger hit with $90k judgment for defamation. MLRC coverage. My initial blog post on the case.

* Erik Estavillo, the gamer who sued for being kicked off the PlayStation Network, is appealing his district court loss to the Ninth Circuit. I guess he wants to lock in the adverse ruling as the binding law of the Western United States. My blog post on the district court ruling.

* Susan Gindin, When are a Posted Privacy Policy and 'Enforceable' Terms of Use Not Enough? The Many Lessons Learned and Questions Raised by the FTC’s Action Against Sears.

* Rep. Paul Kanjorski wants to end 47 USC 230 with respect to bogus stock investing info? This legislation needs careful monitoring due to its potential perniciousness.

* Venkat has his own version of Quick Links on his site.

Posted by Eric at 05:08 PM | Content Regulation , Copyright , Derivative Liability , E-Commerce , Licensing/Contracts , Privacy/Security , Spam | TrackBack

October 30, 2009

Internet Obscenity Conviction Requires Assessment of National Community Standards--US v. Kilbride

By Eric Goldman

U.S. v. Kilbride, 2009 WL 3448360 (9th Cir. Oct. 28, 2009)

Jeffrey Kilbride and James Schaffer were porn spammers, operating through Ganymede Marketing, a Mauritian company. I previously blogged on their case in 2007. Their spam failed to comply with CAN-SPAM in several respects, including forged headers, fake email addresses and bogus contact info. The FTC claimed that it had received over 662,000 complaints about their spam. After a 3 week trial, a jury convicted them of criminal CAN-SPAM violations, criminal obscenity for 2 spammed images and other charges. Kilbride was sentenced to 6 1/2 years and Schaffer got over 5 years. Both appealed their convictions.

In the resulting Ninth Circuit opinion, the most important discussion relates to their obscenity convictions. The Supreme Court defined obscene material in the Miller case as:

(a) whether the average person, applying contemporary community standards would find that the work, taken as a whole, appeals to the prurient interest; (b) whether the work depicts or describes, in a patently offensive way, sexual conduct specifically defined by the applicable ... law; and (c) whether the work, taken as a whole, lacks serious literary, artistic, political, or scientific value [emphasis added]

On the Internet, the question arises: whose community standards? The Miller test anticipates that geographically dispersed communities could have different norms, and in theory an Internet content publisher needs to conform to all of them or at least the most restrictive ones. For an early example of this, see United States v. Thomas, 74 F.3d 701 (6th Cir. 1996) (involving a dial-in BBS). However, the cost and limitations of geographic authentication technology means that many Internet content publishers can't steer their content into or away from a particular geography. Personally, I think this is especially true for publishing content by email because I know of no effective way to accurately authenticate the geography of most email recipients.

The US Supreme Court squarely wrestled with the issue of disparate geographic communities being collapsed on the Internet in 2002 in its first Ashcroft v. ACLU ruling (this should be distinguished with the more influential second Ashcroft v. ACLU opinion from 2004, which I still teach today in Cyberlaw). That case involved a challenge to the 1998 Child Online Protection Act (COPA), and the Third Circuit had affirmed a preliminary injunction against COPA on the grounds that the application of a "contemporary community standards" clause to Internet publication was constitutionally infirm due to disparate community standards. In 2002, the US Supreme Court reversed the Third Circuit in a massively fractured way, with 5 different opinions and no clear consensus on anything.

To resolve this appeal, the Ninth Circuit had to divine a single rule of law from this mess-o-opinions. After parsing the inscrutable Supreme Court opinions, the Ninth Circuit concluded that "a national community standard must be applied in regulating obscene speech on the Internet, including obscenity disseminated via email." Whether or not the Ninth Circuit read the Ashcroft v. ACLU precedent correctly, it reached the only logical outcome for a communication medium without clear geographic authentication. Nevertheless, this is hardly an unquestionable conclusion; the Miller case expressly rejected a national standard (whatever that means): "obscenity is to be determined by applying 'contemporary community standards'...not 'national standards.'" Presumably, the 2002 Ashcroft v. ACLU opinion overwrote this statement from Miller (and similar statements in earlier obscenity cases), but no one really understands what the Supreme Court said in 2002.

While the Ninth Circuit reached a sound result, its ruling doesn't help these appellants. Even though the district court provided different jury instructions, the Ninth Circuit concluded that the district court's instructions were not "plain error" (the applicable review standard), so the convictions stand. Harsh.

Even if appellants wrested a reversal, I'm not sure it would matter because I have never fully understood the import of regionally disparate "contemporary community standards." The phrase only explicitly modifies the Miller test’s determination of whether a work "appeals to the prurient interests"--basically, whether the work appeals to content consumers' interest in sex. Community standards can also implicitly come into play with the determination of what is "patently offensive" or the perceived value of the work, but these are not explicitly referenced in the Miller test.

With respect to the prurient interest reference, I could imagine regional differences about some borderline cases (say, a sex education tutorial) or with respect to niche sexual interests, where the niche audience would find that the work appeals to their esoteric interests and the remainder of a region's population might find the work so unappealing that it’s not viewed as sexually interesting at all. But for a lot of "mainstream" pornography, my guess is that there are not meaningful regional differences about the work's sexual appeal. I haven't seen the 2 images at issue in this case, so maybe they fall into the borderline cases. Otherwise, I wonder if a new trial using national community standards would actually change the result. (Another reason for skepticism: our rage towards spam frequently causes us to ignore the rule of law when we have a chance to punish spammers).

In the ruling, the Ninth Circuit also rejected the defendants' facial and as-applied challenges to the criminal CAN-SPAM provisions. The defendants focused their attack on CAN-SPAM restrictions on falsifying information in a way that would "impair" spam blocking. The court concludes that none of the provisions are constitutionally too vague. This wasn't really a close case for the as-applied challenge because of the defendants' egregious handling of their email campaigns. In contrast, I would like to think the facial challenge has not been resolved permanently; these were clearly not the right defendants to raise or litigate the facial issues.

Along the way, the Ninth Circuit takes a swipe at domain name proxy registrations. Pulling a quote only slightly out of context, the court says "Based on the plain meaning of the relevant terms discussed above, private registration for the purpose of concealing the actual registrant's identity would constitute 'material falsification'" (one of the elements of a CAN-SPAM crime). You may also recall the recent Solid Host v. NameCheap case suggesting that proxy service providers could face contributory ACPA liability. Collectively, these two opinions indicate legally disadvantageous treatment for proxy service usage. Given this disconcerting trend, I don't see the domain name proxy business as a growth industry.

Thomas O'Toole also discusses the ruling.

Posted by Eric at 03:00 PM | Content Regulation , Domain Names , Spam | TrackBack

October 25, 2009

Tucows Not Liable for Spam Judgment Against 3rd Party Based on Private Registration Services -- Balsam v. Tucows

[Post by Venkat]

Judge Breyer (N.D. Cal.) rejected an attempt by a spam plaintiff to hold a registrar liable for a judgment against a third party based on private registration services provided by the registrar. (Balsam v. Tucows Inc., et al., CV 09-03585 CRB (N.D. Cal. Oct. 23, 2009). Access a copy of the order at Scribd here.) Incidentally, the plaintiff - Dan Balsam - is a recent law school grad who catalogues his extensive anti-spam efforts at his website: "danhatesspam.com."

Facts: As recounted by the court, Balsam received 1,125 pieces of spam advertising an adult-oriented website over a seven month period. Balsam performed a WHOIS lookup and found that the website was registered to Angeles Technology Inc. Some time later, Angeles started utilizing private registration services provided by Tucows. Balsam sued Angeles, and obtained a default judgment for $1,125,000. After Balsam brought suit but before he obtained judgment, Balsam requested the registrant’s identity from Tucows. Tucows refused to provide the name without a court order.

Balsam tried unsuccessfully to collect against Angeles and have garnished revenues from the website's payment processor. He even tried to have the underlying domain name seized. Understandably miffed, he brought suit against Tucows, arguing that Tucows was liable for the judgment due to its failure to disclose the identity of the person who held the beneficial interest in the domain name.

The Court's Ruling: Balsam sought to hold Tucows liable based on a variety of claims, but they were all premised on Balsam being a third party beneficiary to the "Registrar Accreditation Agreement" which registrars are required to sign with ICANN. Specifically, the RAA contains a clause which requires all registrars to enter into agreements which obligates registrants to provide accurate information and also for each registrar (referred to as a "Registered Name Holder") who provides private (or nominee) registration services to "accept liability for harm caused by wrongful use of the [domain name], unless [the registrar] promptly discloses the identity of the licensee to a party providing [the nominee registrar] reasonable evidence of actionable harm." I've reproduced the actual clause below at the end of this post. (Arguably, the reference in section 3.7.7.3 to the "registered name holder" should not necessarily be seen as a reference to the registrar. Registrars often wear multiple hats, and this results in some confusion. But to me it doesn't seem like the fact that registrars often provide private registration services through subsidiaries or related entities should be a determining factor. At the end of the day, the clause speaks to the person or entity in whose name the domain name is registered, which in the case of private registration services is the registrar or its subsidiary.)

Judge Breyer held that Balsam was not a third party beneficiary under the RAA and thus all of Balsam's claims failed.

Thoughts: To begin with, Balsam was fighting against the weight of precedent in arguing third party beneficiary claims under the RAA. Courts have refused to find that the RAA creates obligations enforceable by third parties. (See, e.g., Register.com v. Verio, 356 F.3d 393 (2d Cir. 2004).) Also, this isn't the first time a court has looked specifically at whether section 3.7.7.3 of the RAA creates a class of third party beneficiaries. As Professor Goldman previously noted, in Solid Host NL v. NameCheap, Inc. (No. 08-5414) (C.D. Cal. May 19, 2009), a judge in the Central District of California denied a registrar's motion to dismiss where a plaintiff sought to hold a registrar liable for cybersquatting under theories of direct and contributory liability (among other theories). That case also involved a registrar's failure to disclose the identity of the person or entity using the private registration services. Oddly, the court in Balsam cites NameCheap for the proposition that section 3.7.7.3 does not create an intended class of third party beneficiaries. I actually read NameCheap to say that third party beneficiary status was possible, depended on the facts as to intent and construction of the agreement, and thus could not be resolved on a motion to dismiss. (See pp. 39-49 of the NameCheap order.)

Balsam's case is somewhat tougher to make than Solid Host's, in that Balsam obtained a default judgment of over a million dollars. No judge is going to put the registrar on the hook for this type of a damage award absent some serious facts showing misconduct (i.e., the type of evidence the jury found persuasive in the Louis Vuitton case mentioned below). And that's where Balsam falls short in my opinion. It's tough to see where the real harm is to Balsam from the use by Angeles of private registration services. Balsam already knew the identity of the registrant, since the registrant he proceeded against started using the privacy protection services after Balsam after discovered its identity. (Stepping back, it's tough to see how a thousand emails should result in a million dollar damage award, but that's a separate issue.) Balsam only alleges that the failure by Tucows to reveal the identity of the beneficial registrant 'complicated' Balsam's ability to collect against Angeles Technology Inc. Regardless of how the third party beneficiary status discussion plays out, to me this casts a shadow over Balsam's claim.

As a side note, I agree with Professor Goldman that the court's reasoning in NameCheap isn't crystal clear, but I think it's a closer question as to whether - based on section 3.7.7.3 - a registrar should be held liable for harm flowing from a delay in disclosure. Regardless of whether the parties intended to create a class of third party beneficiaries, the thrust of section 3.7.7.3 is that if a registrant offers privacy protection services (i.e., register the domain name in your own legal name and allow someone else to be the beneficial owner), it seems to have a contractual obligation to disclose the identity of the beneficial owner upon request by an injured party. The fact that the RAA is an agreement registrars enter into with ICANN (which is a quasi-public entity) as a condition of being accredited and being allowed to offer domain name registration services also weighs in favor of the third party beneficiary argument. On the other hand, accepting that the RAA creates third party beneficiaries would result in a variety of problems and create unintended classes of plaintiffs and causes of action. Ultimately I don't think it's a very good idea, and courts have not been very receptive in general to third party beneficiary claims under the RAA.

To the extent the third party beneficiary argument flies, Solid Host had a stronger argument for why it should be treated as a third party beneficiary. Solid Host involved wrangling over a domain name that was originally registered in the name of Solid Host. Solid Host arguably relied on the provisions in the RAA in registering its domain name in the first place. (Note: to the extent a court accepts the third party beneficiary argument this leaves registrars in an arguably tricky spot. Section 3.7.7.3 does not limit itself to harm caused by the failure to disclose. It seems to cover harm "caused by wrongful use of [the domain name] . . .")

In any event, trying to hold a registrar (or someone else in the chain) liable for ACPA or trademark claims raises a host of thorny issues that courts struggle with. To the extent they can be unpacked, I'll admit I'm incapable of unpacking these issues in a blog post, or even a series of blog posts. I'll leave that to Professor Goldman. (See posts from Professor Goldman on the Solid Host case here and on the recent jury verdict for contributory liability for trademark infringement ($32MM!) obtained by Louis Vuitton here.) Suffice it to say that facts often dictate the result, and here, it just didn't pass the gut test to hold Tucows liable for a significant default judgment based on failure to disclose by Tucows. Particularly when in the court's view Balsam's evidence connecting the failure to disclose by Tucows with the underlying harm wasn't particularly strong.

As I read Balsam v. Tucows, I wondered whether Tucows had a Section 230 argument lurking in the background. My tentative thought is that it could have a viable 230 argument, since Balsam is seeking to hold Tucows liable based on third party content. Although Balsam could argue that under Barnes v. Yahoo Tucows could be viewed as having a contractual obligation which it didn't fulfill, this could be a tough argument to make, given that Tucows did not make any promises to Balsam directly. (See the two rulings in Goddard v. Google, Inc. (rejecting attempts to bring claims against Google based on third party beneficiary status under Google's advertising terms); see also Morrison v. America Online, Inc., 153 F. Supp. 2d 930, 934 (N.D. Ind. 2001) (rejecting attempt to evade § 230 immunity by claiming to be third-party beneficiary of AOL’s member agreement with chat-room users).) Given his interest in Section 230, I'll leave this issue to Professor Goldman as well.
__

ICANN Registrar Accreditation Agreement (pre-May 21, 2009):

3.7.7 Registrar shall require all Registered Name Holders to enter into an electronic or paper registration agreement with Registrar including at least the following provisions:
3.7.7.3 Any Registered Name Holder that intends to license use of a domain name to a third party is nonetheless the Registered Name Holder of record and is responsible for providing its own full contact information and for providing and updating accurate technical and administrative contact information adequate to facilitate timely resolution of any problems that arise in connection with the Registered Name. A Registered Name Holder licensing use of a Registered Name according to this provision shall accept liability for harm caused by wrongful use of the Registered Name, unless it promptly discloses the identity of the licensee to a party providing the Registered Name Holder reasonable evidence of actionable harm.

Posted by Venkat at 10:45 PM | Domain Names , Spam

October 22, 2009

Power.com Counterclaims Dismissed -- Facebook v. Power Ventures

[Post by Venkat]

Facebook and Power Ventures have been involved in a lawsuit over whether Power.com can allow its users to access user data on Facebook's network. Facebook brought suit against Power.com asserting a slew of claims ranging from copyright infringement to violations of the Computer Fraud and Abuse Act. Power.com brought a motion to dismiss, which the court denied. This ruling was noteworthy, among other reasons because it recognized Facebook's potentially tenuous copyright claims and gave credence to Facebook's argument that access of user data by Power.com (or Power.com users) in violation of Facebook's terms of use was potentially actionable by Facebook. (For comments on this ruling, see Cyberlaw Cases; BNA's TechLaw blog; Jeff Neuberger; and an earlier post from me.) After the court denied Power.com's motion to dismiss, Power.com answered the complaint and asserted counterclaims against Facebook. Power.com's counterclaims garnered some attention, likely due to the fact Power.com alleged that Facebook engaged in anti-competitive conduct by restricting consumers' access to their data. (See, e.g., NYT/Bits Blog ("Power.com Fights Back Against Facebook").)

In a recent order, Judge Fogel granted Facebook's motion to dismiss, finding that Power.com failed to sufficiently articulate the bases for its counterclaims. (Access a copy of the order here: [pdf].) There's not much to say about Judge Fogel's order, except that it was brief (four pages!), and the court was not moved by Power.com's vague allegations of misconduct by Facebook. As noted by the court:

Power's Answer and Counter-Complaint contains a seven and a half page 'Introduction and Background' narrative untethered to any specific claim. The claims themselves each consist of a conclusory recitation of the applicable legal standard and a general 'reference [to] all allegations of all prior paragraphs' . . . .[T]his form of pleading does not enable the Court to surmise which facts in the introductory narrative support which claims, if in fact they do.

The court observes that antitrust claims require a heightened standard of pleading, and throws in a reference to Twombly for good measure. The court also strikes Power.com's affirmative defenses (of misuse and estoppel) as unsupported by "any factual allegations." Although the court grants Power.com leave to amend its counterclaims and affirmative defenses, I would guess Power.com will think twice about filing amended counterclaims unless these claims have solid factual backup.

Rumors of an impending settlement between the parties swirled around, even after Facebook filed its complaint. Then it looked like Power.com was looking to fight back. It's always tough to tell from the win or loss of a particular motion which way the lawsuit will go, but Judge Fogel's order certainly lets the air out of Power.com's counterclaims. To the extent Power.com was looking to gain leverage by asserting counterclaims, it may be out of luck.

Posted by Venkat at 08:39 PM | Copyright , Spam

October 18, 2009

Q3 2009 Quick Links, Part 4

By Eric Goldman

Spam

* Ars Technica: "a disturbing number of e-mail users respond to spam, and not just because they're dumb—some of them did so because they were actually interested in the product or service." I collected some empirical research establishing this point in 2004.

* SpamFighter: Software Creator Admits to Aiding & Abetting Spam

Fraud

* Reuters: A virtual bank rips off depositors in EVE Online.

* Click fraud concerns at Facebook: TechCrunch; Unified ECM v. Facebook complaint (one of at least three pending).

* There can be legitimate circumstances where it makes sense for a vendor to automatically pass a user's credit card number to another vendor, but the practice seems ripe for regulation.

Contracts

* BNA: End of the Notice Paradigm?: FTC's Proposed Sears Settlement Casts Doubt On the Sufficiency of Disclosures in Privacy Policies and User Agreements (BNA Subscription required)

* In August, the NYT interviewed David Vladeck, who suggests that the FTC v. Sears settlement could signal a changing of the guard at the FTC.

* Jonathan Ezor on common drafting mistakes in privacy policies.

* Hines v. Overstock.com, Inc., 2009 U.S. Dist. LEXIS 81204 (E.D.N.Y. Sept. 4, 2009). Browsewrap terms aren’t enforceable “because the website did not prompt her to review the Terms and Conditions and because the link to the Terms and Conditions was not prominently displayed so as to provide reasonable notice of the Terms and conditions.”

* Timothy D. Cedrone, Morals? Who Cares About Morals? An Examination of Morals Clauses in Talent Contracts and What Talent Needs to Know, Seton Hall Journal of Sports & Entertainment Law. I have given my first year contracts students an exercise involving morals clauses that I think worked pretty well (see the links on this page under the "endorsement contract" bullet).

Miscellaneous

* The USPTO has not renewed the peer-to-patent program.

* ABA Journal: E-Discovery is $4B/yr industry but is experiencing consolidation.

* Paul Ohm's paper on re-identification of putatively anonymous databases. This may be one of the more important privacy law papers in some time, as it indicates that we cannot meaningfully distinguish between personally identifiable and non-personally identifiable information.

Posted by Eric at 02:43 PM | E-Commerce , Licensing/Contracts , Patents , Privacy/Security , Spam , Virtual Worlds | TrackBack

October 08, 2009

CAN-SPAM Doesn't Preempt CA Privacy Law--Powers v. Pottery Barn

by Ethan Ackerman

On Sept. 19th, a California state appellate court held that CAN-SPAM doesn't categorically trump state laws that may address email. Defendant retail store Pottery Barn was hoping it would agree with the initial ruling of the California trial court and hold that the federal CAN-SPAM law preempted the state law at issue, the Song-Beverly Credit Card Act.

The Song-Beverly Credit Card Act (apparently the enemy of corporate defense attorneys everywhere judging from google search results) generally prohibits the collection of certain personal information as a condition of processing a credit card transaction. Powers sued Pottery Barn under this law over its practice of collecting email addresses at the time of payment. Faced with these fairly uncontested facts, Pottery Barn argued at the trial court that the federal CAN-SPAM Act, regulating the sending and content of email, should preempt the state law.

Putting aside the obvious difference between a law that governs the collecting of personal information and a law that governs the sending and content of commercial email, the California Court of Appeals took the arguably easier route in addressing the issue - it read the preemption exceptions contained in the federal statute.

Readers interested in the details and holding logic can read the actual opinion. My short summary:

The California court read the preemption exceptions in CAN-SPAM and rightfully held that since the federal statute itself said it didn't preempt general state laws not specific to email, Song-Beverly wasn't preempted by CAN-SPAM.

"By its terms CAN-SPAM does not pre-empt state statutes which are not specific to e-mail and have only such incidental impact on e-mail use. (Tit.15, U.S.C. § 7707(b)(2).)"

In thinking of just how weak the preemption argument is, it's not hard to come up with other instances of state law addressing the collection or use of email addresses that aren't specific to "the use of electronic mail to send commercial messages." Indeed, the court rules of all state courts in California address the redaction of certain types of personal information (although not ultimately email addresses in the rules' present version.) I suspect the state's freedom of information laws have similar provisions addressing personal identifiers. I don't imagine that defendant's counsel would have relished acknowledging that the logical extension of defendant's argument was that the courts own filing rules were preempted.

Tom O'Toole at BNA has more.

[Eric's comment: while I agree with Ethan that the court correctly concluded that the Song-Beverly law isn't preempted by CAN-SPAM, I remain a little confused and troubled by the implications of the plaintiffs' arguments. It seems to me like the logical extension of their arguments is that it is illegal to collect email addresses when accepting credit card payments online. If this is the direction the case heads, then this case could have disconcerting implications for virtually the entire e-commerce industry. UPDATE: Ethan has pointed out that Saulic v. Symantec and some other cases have constrained the application of the Song-Beverly law to online commerce, a point I had forgotten. I hope that precedent will help put this lawsuit to rest, but it does make me wonder why the defendant accelerated CAN-SPAM preemption argument, a weaker one, to the front of the line,]

Posted by Ethan Ackerman at 04:34 PM | E-Commerce , Spam | TrackBack

August 25, 2009

Why More Wikipedia Editing Restrictions Are Inevitable, and Some Comments on Flagged Revisions for Living People's Biographies

By Eric Goldman

I have posted my latest article, "Wikipedia’s Labor Squeeze and its Consequences," to SSRN. The article will be published in the Journal of Telecommunications and High Technology Law in the relatively near future. The article is still in draft form, and I gratefully welcome your comments. Please take a look.

The article traces its roots to my Dec. 2005 prediction that Wikipedia will fail in 5 years. I have continued to blog informally about Wikipedia since then, but I only decided to write a more formal academic defense of my prediction late last year. This article is that defense, but you'll notice that I don't refer to "failure" in the article. In my presentations and earlier drafts of this article, I found that predicting Wikipedia's "failure" produced very emotional responses that overwhelmed consideration of my argument's merits. I still think my 2005 predictions look pretty good (using my self-selected definition of "failure"), but I deliberately directed the article towards the "why" rather than the "when."

As a result, the article explains why evolutionary changes in Wikipedia's labor supply is forcing Wikipedia to change its basic architectural design of permissive user editability. Flagged revisions is a prime example of the ongoing architectural shift. With flagged revisions, every user has the technical capacity to edit a Wikipedia entry, but submitted revisions remain hidden from public view until a trusted editor approves them for publication. Accordingly, flagged revisions significantly changes the Wikipedia experience. It delays publication of most contributions, it buries some contributions without ever being published at all, and it creates a significant workload for editors. For example, the German Wikipedia deploys flagged revisions site-wide and publication delays are up to three weeks.

Yesterday, Wikipedia announced that it is deploying Flagged Revisions for biographies of living people. Wikipedia has been on red alert with biographies since the John Seigenthaler incident in September 2005, so it's not surprising that Wikipedia will tighten the reins there first.

However, I think this change is just one more intermediate step in Wikipedia's ongoing process of restricting user editability, and it is not the final restrictive step Wikipedia will take. For reasons I outline in the article, I expect Wikipedia eventually will deploy Flagged Revisions, or some other stringent form of editorial lock-down, across the entire site, not just for living people's biographies. I explore some other possible alternatives in the paper, but I conclude that substantial restrictions to user editability are Wikipedia's only viable long-term solution to preserve site credibility.

People who have reviewed the article have asked about the article's relationship to Benkler's Wealth of Networks and its related commentary. Those works have explored the phenomenon and implications of large-scale online volunteerism, including a convincing proof that people will contribute their labor to online collaborative enterprises without any direct financial compensation. However, I've seen less attention paid to the exact reasons why people volunteer for these projects. My article focuses on the "why" in some detail, but even then, I make some assumptions and guesses. Despite extensive academic research into the Wikipedia community, we still lack a complete and clear empirical picture of why people join the community and, perhaps just as important, why people leave. I offer up my theoretical considerations, but more empirical work remains to be done.

If you want more discussion on this topic, during the paper's development, I gave a talk at University of Colorado Boulder that sparked some online responses:

* the talk itself (in the middle of the video)
* Ars Technica coverage
* ZDNet's paraphrase of the Ars Technica post
* p2pnet
* Blorge
* Thinking Spaces
* Futureismic

The presentation led to an NPR Interview with more comments and a response from What Jeff Learned Today.

Posted by Eric at 09:09 AM | Internet History , Marketing , Spam | TrackBack

August 07, 2009

An End to Spam Litigation Factories?--Gordon v. Virtumundo

By Eric Goldman

Gordon v. Virtumundo, Inc., No. 07-35487 (9th Cir. Aug. 6, 2009)

When CAN-SPAM was passed in 2003, it was fairly clear that Congress wasn’t trying to enable broad private enforcement. Everyone knew that rabid anti-spammers would seize any new statutory right for a litigation frenzy. As this court says, "lawmakers were wary of the possibility, if not the likelihood, that the siren song of substantial statutory damages would entice opportunistic plaintiffs to join the fray, which would lead to undesirable results." Although I personally think Congress would better served all of us by omitting all private enforcement rights in CAN-SPAM, unquestionably the private rights in CAN-SPAM are drafted narrowly to prevent their abuses.

That hasn't stopped some zealous anti-spammers from testing the limits of CAN-SPAM's private enforcement remedies anyway. James Gordon has been one of the most active. He is a "professional plaintiff" who has operated a spam "litigation factory" by configuring his technology to try to trap spammers. In effect, he goes out of his way to look for spam. As the court says, “the burdens Gordon complains of are almost exclusively self-imposed and purposefully undertaken."

As it turns out, this business model does not fare well in court. He lost this case in the district court and subsequently was ordered to pay over $100k in legal fees to the defendant under CAN-SPAM's fee-switching provision. On appeal, the Ninth Circuit has even less kind words for him, saying that CAN-SPAM “was enacted to protect individuals and legitimate businesses—not to support a litigation mill for entrepreneurs like Gordon." As a result, the court issues a broad but muddy opinion that shuts down Gordon’s litigation factory and presumably others like his, but has a less clear effect on other CAN-SPAM defendants.

"Internet Access Service"

CAN-SPAM's private enforcement rights only accrue to "Internet access services." This phrase is troublesome in part because it differs from other possible statutory synonyms for online actors like "interactive computer service" (47 USC 230), "online service provider" (DMCA), "electronic communication service" and "remote computer service" (ECPA), etc. This verbiage proliferation raises questions about the scope of governed entities (who’s covered and who isn’t) and why different online actors are being treated differently (if they are). I hope future legislative drafters will recognize the costs of using different terms for online actors.

In CAN-SPAM, Congress defined an “Internet access service” as "a service that enables users to access content, information, electronic mail, or other services offered over the Internet, and may also include access to proprietary content, information, and other services as part of a package of services offered to consumers. Such term does not include telecommunications services." Check out Ethan’s lengthy but irresolute deconstruction of this definition from last year.

Read literally, this definition seemingly covers all Internet services because they allow users to access their "other" services. However, the Ninth Circuit doesn’t think that's what Congress meant, although it’s not sure about the boundaries either. Instead, the Ninth Circuit "decline[s] this opportunity to set forth a general test or define the outer bounds of what it means to be a provider of ‘Internet access service.’" Gee, thanks.

Nevertheless, the Ninth Circuit had no problem saying that Gordon wasn't an Internet access service. I can’t pin down a specific reason why Gordon wasn’t covered while, according to the court, his service providers (Verizon and GoDaddy) might be. Ultimately, I think the court rejects Gordon's transparent efforts to manufacture a claim.

"Adversely Affected"

A CAN-SPAM private litigant also needs to show that it was “adversely affected” by the spam. The court doesn’t offer a single definition of adverse effect, but it does try to draw some boundaries that leave Gordon out.

In general, the court tries to narrow the scope of cognizable harms in two ways. First, the court segregates consumer-related harms from service provider-related harms. I was heartened to see this because better harm delineation was a central point of my (uncited) 2004 article "Where's the Beef? Dissecting Spam's Purported Harms." Back in the earlier part of this decade, anti-spam advocates would routinely lump together a laundry list of gripes about spam in ways that would degrade policy-makers’ ability to target policy responses to the harm. For example, CAN-SPAM suffers heavily from this schizophrenia about the targeted harm. This court makes it clear that consumer-related harms aren’t part of the CAN-SPAM private litigation calculus.

Second, the court tries to distinguish between the fixed and variable costs of spam fighting and implies that the fixed costs should be ignored when calculating adverse effect. The court’s handling of this distinction is hardly deft. It says repeatedly that we have to assume that IAS providers are absorbing some spam costs as part of their normal costs of operation. For example, the court says:

the harm must be of significance to a bona fide IAS provider—something beyond the mere annoyance of spam and greater than the negligible burdens typically borne by an IAS provider in the ordinary course of business. In most cases, evidence of some combination of operational or technical impairments and related financial costs attributable to unwanted commercial e-mail would suffice

And the court says:

We expect a legitimate service provider to secure adequate bandwidth and storage capacity and take reasonable precautions, such as implementing spam filters, as part of its normal operations….network slowdowns, server crashes, increased bandwidth usage, and hardware and software upgrades bear no inherent relationship to spam or spamming practices. On the contrary, we expect these issues to arise as a matter of course and for legitimate reasons as technology, online media, and Internet services continue to advance and develop. Therefore, evidence of what could be routine business concerns and operating costs is not alone sufficient to unlock the treasure trove of the CAN-SPAM Act’s statutory damages.

Reading these quotes, it seems like the court is trying to zero out the fixed costs borne by anyone connected to the Internet, which would then focus the analysis on only those marginal/variable consequences attributable to a specific spam campaign. However, the court does not want to raise the bar that high, at least not for “legitimate” service providers (which the court thinks clearly excludes Gordon). As the court says:

the threshold of standing should not pose a high bar for the legitimate service operations contemplated by Congress. In some civil actions—where, for example, well-recognized ISPs or plainly legitimate Internet access service providers file suit—adequate harm might be presumed because any reasonable person would agree that such entities dedicate considerable resources to and incur significant financial costs in dealing with spam.

So I’m not quite sure what to make of this language. On the one hand, the court’s acknowledgement that complex societies impose some unwanted but unavoidable costs seems to raise the harm bar pretty high for CAN-SPAM plaintiffs. On the other hand, the court is willing to presume harm for “good” plaintiffs. So why won’t the court make such presumptions for Gordon? Mostly because he “came to the nuisance” (my words, not the court). As the court says:

Gordon purposefully refuses to implement spam filters in a typical manner or otherwise make any attempt to block allegedly unwanted spam or exclude such messages from users’ email inboxes...Gordon made no real effort to avoid, block, or delete commercial e-mail, but instead has voluntarily assumed the role of a spam sleuth. He expends time and resources seeking out and capturing massive volumes of spam, which he collects and then organizes for use in his prolific lawsuits. He admits setting up domains as “spam traps” with the sole purpose of snagging as many e-mail marketing messages as possible.

So my reading of this discussion is that the court sets up a bifurcated “adverse effect” analysis. If you’re a commercial email service provider, you presumptively get access to CAN-SPAM’s “treasure trove.” If you’re a spam troll, nuts to you.

Preemption of State Laws

One of CAN-SPAM's main raisons d'etre was to preempt the rapid proliferation of state anti-spam laws in the early part of this decade (especially California's opt-in anti-spam law). I naively assumed that CAN-SPAM's preemption clause would drive states out of the anti-spam regulation business altogether (a separate rant, but I'm not a fan of any state attempts to regulate Internet activity). No such luck. Following CAN-SPAM’s enactment, nearly every state enacted NEW anti-spam laws designed to fit within the preemption exceptions. This renewed activity at the state level has contributed to the anti-spam litigation frenzy, because the plaintiffs can use both state and federal claims to extract settlements and concessions from defendants.

In 2006, in Omega Travel v. Mummagraphics, the Fourth Circuit took a lot of the wind out of plaintiffs' sails by holding that state anti-spam laws survived CAN-SPAM preemption only as applied to fraud or material misrepresentations, not garden-variety errors or immaterial deception. Here, the Ninth Circuit adopts the Mummagraphics standard, which presumably eviscerates several state laws in Ninth Circuit-governed jurisdictions.

Applying the Mummagraphics’ standard to Gordon’s case wipes out his Washington state anti-spam claim. Gordon argued that, although he was not misled or deceived, Virtumundo’s “from line” violated Washington law because it does not clearly identify Virtumundo as the sender. He also argued that to avoid being deceptive, Virtumundo’s email subject lines must have either Virtumundo’s or its client’s name. The court rejects these arguments because "Gordon offers no proof that any headers have been altered to impair a recipient’s ability to identify, locate, or respond to the person who initiated the email. Nor does he present evidence that Virtumundo’s practice is aimed at misleading recipients as to the identity of the sender."

Expect to see more state laws bite the dust in the face of this preemption analysis.

Implications

This case is exceedingly interesting and important because it destroys the arguments of anti-spam plaintiffs trying to manufacture technical violations of CAN-SPAM for their profit. Not only does the opinion send an unmistakable message to the lower courts to toss these plaintiffs out on their keister, but it sends the harsh message that these plaintiffs ought to rethink their legal hubris. As the court says, “As should be apparent here, ‘the law’ that Gordon purportedly enforces relates more to his subjective view of what the law ought to be, and differs substantially from the law itself.” Ouch. The court has apparently just invalidated the fantastic laws that some anti-spam plaintiffs dream up in their heads.

This case is also important because it puts state anti-spam laws even more clearly on the ropes. It has been an impressive but pathetic display of futility watching the states trip over themselves trying to show that they are tough on spam when their efforts are all irrelevant in light of the Fourth Circuit's and now Ninth Circuit's interpretations of CAN-SPAM. Fortunately (?), most of the states have moved on to being tough on cyberbullying instead of beating up on spammers.

It is less clear to me if the court’s discussion about “Internet access services” and “adverse effect” will have broader import on private CAN-SPAM litigation. The court deliberately sidestepped definitive interpretations of both terms, so I expect the interpretive slate is mostly clean outside of the spam litigation factories.

One final point. Spam remains actively litigated in the courts and the subject of some policy discussion, but do you still fret about the spam you receive personally? I get the sense that this panel was not that impressed with Gordon’s efforts in part because spam isn’t as big a deal for the judges as it used to be. Certainly that’s true in my case. I get about 100 spams a day, 90+% of which Gmail appropriately filters into my spam folder (with very few misclassifications of legit email as spam). As a result, it takes me just a minute or two a day to burn through the spam accruals. Not surprisingly, at least for me, good spam filters have solved the problem much better than any legislative intervention.

I understand that spam is a bigger issue for email service providers, especially now that more than 100% of all emails are spam (according to the ridiculously overhyped stats put out by vendors of anti-spam solutions). CAN-SPAM partially offers a solution to these individuals, along with other doctrines like the Computer Fraud & Abuse Act and possibly the common law trespass to chattels doctrine. However, at this point, so much of the anti-spam battle has to be fought technologically, not in the courts, due to the sheer volume and dispersed nature of the putative defendants. As a result, it doesn’t really seem to matter to the overall quantum of spam in our society if courts read CAN-SPAM broadly or narrowly.

Other comments on this case:
* Venkat
* Jeff Neuburger

UPDATE: Ken Magill reports on how Gordon has lost his house belongings due to his persistence.

Posted by Eric at 12:40 PM | Internet History , Marketing , Spam | TrackBack

July 03, 2009

Ninth Circuit Revives TCPA Claim--Satterfield v. Simon & Schuster

By Eric Goldman

Satterfield v. Simon & Schuster, Inc., No. 07-16356 (9th Circuit June 19, 2009)

Satterfield sued Simon & Schuster (and its mobile ad agency) for sending text messages to her cellphone without the requisite permission. The district court dismissed her lawsuit; but in this ruling, the Ninth Circuit revives it. Three aspects of this ruling make it noteworthy.

When is a Text Message a Telephone Call?

The court holds that a text message to a cellphone is a "call" for purposes of the Telephone Consumer Protection Act (TCPA). This isn't unprecedented. The FCC took this position in 2003, and in 2005, I blogged on the Joffe v. Acacia Mortgage case reaching the same conclusion. Nevertheless, as I pointed out in response to the Joffe case, it reminds us of the silliness of medium-specific anti-marketing restrictions when the media collapse into each other. See my Coasean Analysis of Marketing paper for more.

Poor Consent Language

Satterfield signed up for a free ringtone from Nextones. As part of the registration process, Satterfield affirmatively checked off a box next to the following language:

Yes! I would like to receive promotions from Nextones affiliates and brands. Please note, that by declining you may not be eligible for our FREE content.

This language is hardly a model of clarity. What are "Nextones brands"? What are "Nextones affiliates"? The court adopts a trademark-style definition for "brands" and a corporate governance-rooted definition for "affiliates." Interestingly, Nextones posted its own definition of affiliates elsewhere on its site to mean other companies who “sell mobile content such as ringtones and graphics.” As the court points out, "Simon & Schuster does not fall within Nextones’ own definition." Whoops.

Obviously, better drafting could have easily avoided this problem and probably would have had little effect on conversion rates. Say what you mean, and mean what you say!

For what it's worth, one of my past Cyberlaw exams involved an ambiguously drafted online checkbox consent, a problem partially based on a real-life situation encountered by Yahoo. See the exam and sample answer.

Complex Chain of Distribution

Satterfield's cellphone number/text message address fell into Simon & Schuster's hands through a complex chain of distribution as follows:

Satterfield gives # to Nextones =>
Nextones gives # to MIA, its "exclusive agent for licensing the numbers of Nextones subscribers" (huh?) =>
MIA gives # to ipsh!, which describes itself as "the world's award-winning, full-service mobile marketing and advertising agency" =>
ipsh! gives # to mBlox, an aggregator who "handled the actual transmission of the text messages to the wireless carriers" =>
Simon & Schuster contracts with ipsh! to run a text message campaign for Simon & Schuster's new Steven King novel Cell. (Ironic name? Maybe this lawsuit will spur Stephen King to write a sequel, Cellphone).

As you know, lawyers aren't very good at math, but according to my count, it looks like four different intermediaries "touched" Satterfield's number (Nextones, MIA, ipsh! and mBlox) before it was used by Simon & Schuster, the ultimate advertiser. With that many intermediaries, there are significant additional transaction costs to reach cellphone subscribers.

More importantly, this complex chain creates a sizable risk that one or more of the entities along the way would misinterpret or forget any restrictions on the customer's grant of permissions. Certainly, I can't figure out how Nextones/MIA thought this distribution chain fit within the checkbox consent it asked for and received. (Interestingly, neither Nextones nor MIA are defendants in the case).

I also cannot figure out how ipsh!/Simon & Schuster failed to detect this permissions problem in their diligence. They did diligence the source of the cellphone numbers...didn't they? They didn't just blindly assume that they could purchase a package of random cellphone numbers and party on...did they?

Posted by Eric at 09:51 AM | Marketing , Spam | TrackBack

June 17, 2009

Twitter, Email and Brand Engagement

By Eric Goldman

Last week, in an interview with a reporter, I extolled the virtues of Twitter as a tool for brands to keep in touch with and engage their customers. The reporter responded by asking why brands would choose Twitter to engage customers instead of email, which companies have been using successfully for many years. I thought this question raised important issues about online marketing, so I thought it would be worth exploring the differences here.

Let's start with some basics. I am a big fan of email marketing. Like many of you, I have voluntarily signed up for numerous commercial email newsletters/announcement. I also get unrequested email from companies I've dealt with; I look at some of these, I ignore others, and occasionally I get so fed up that I blacklist the sender or report it as spam. I also get spam, LOTS of spam, but it doesn't bother me too much. Gmail has a good spam filter and it only takes a minute or two a day to sort, review and delete the spam.

However, as a recipient, email has some downsides. Most obviously, it is not always easy to unsubscribe. I remain amazed in this post-CAN-SPAM era by how often email unsubscriptions don't work. The link may be down, or my opt-out simply doesn't stick technologically, or the sender just ignores me. This is true even for senders who are involved in the legal industry and are spamming lawyers who love to bring lawsuits (never a wise move). If I were a litigious plaintiff, I would have no problem finding plenty of defendants.

Email also has the downside that the sender has my email address and may share it with others who are going to clutter up my in-box. With a good spam filter, this extra unwanted email isn't a huge problem, but the mere threat of subsequent email deluges can give me pause about whether or not I trust a website enough to give them my email address. (As you can appreciate, the website's privacy policy is a complete non-factor in my trust determination).

From the sender's standpoint, email is a huge pain. It is more heavily regulated than other marketing media, and complying with the regulations (such as providing a reliable opt-out mechanism) is costly and filled with litigation risks. Perhaps more importantly, email can be reported or killed as spam at several steps along the way, and the sender can be tagged as a spammer as well for all future messages. So, for example, a big website's email distribution of an announcement about a new user agreement or privacy policy--a completely legitimate communication between a site and its users--is almost certain to prompt a flurry of unsubscribes, emails from users who insist to their IAPs and email service providers that they are being spammed (even though they often just forgot about the relationship), and lots of bouncebacks from dead email addresses that may cause some IAPs/email service providers to blacklist the sender as a spammer. Plus, a bunch of users will never see the message at all because it goes into their spam folder. (Recall, for example, that AT&T spam-foldered its own contract amendment announcement). These are not exactly the hallmarks of an effective communication technology.

Contrast the user experience with Twitter. More than anything, Twitter is a no-risk opt-in communication tool for consumers to listen to marketers. I can follow a brand at Twitter any time, and more importantly, I can unfollow at any time too. Plus, there isn't any risk that the brand I'm following will ignore my unsubscribes or pass along my Twitter username to spammers. When I unfollow, the relationship is completely over on my terms.

From the brand's standpoint, Twitter has none of the baggage of email marketing. No spam folders to fear, no unsubscribes to manage, no CAN-SPAM. Sure, Twitter's tight character restriction mostly limits marketers to headlines, but frankly this isn't all that different from maximizing email subject lines to get email recipients to open the email.

Twitter has one other really important benefit for brands. Folks are often willing to retweet a message--even a commercial message--thereby sharing it to their entire follower base in ways that these same folks would never forward a commercial email to hundreds of their friends. And this type of word-of-mouth marketing is the holy grail of marketing because of the extra imprimatur of having the message validated by someone in the reader's social network. The retweeting phenomenon is a powerful traffic driver (I've been watching how it boosts my bit.ly stats), and marketers who aren't on Twitter are missing some upside. (Please, marketers, don't even consider shilling or astroturfing or any of those other silly stunts to generate faux word-of-mouth marketing; if you have a good offering, you really don't need to disrespect people that way).

I don't follow many commercial brands in Twitter, but I do want to mention three brands that have impressed me:

@LivingHarvest. I tried hempmilk for the first time recently, and I was fascinated to learn about the extensive anti-industrial hemp regulations that have hampered hempmilk from coming to market. LivingHarvest, a hempmilk manufacturer, is Twittering the status of various legislative efforts to enable industrial hemp farming. It's a fascinating political drama.

@UnitedAirlines. I am a frequent flyer on United Airlines, so I'm already on their email list. But they have totally gotten the point of Twitter. Not only have they been offering valuable freebies to their Twitter follower to boost their subscriber count (they are giving away discount certificates if you sign up before they hit 50,000 followers), but they also offer "Twares," blowout deals on remnant inventory. LOVE IT!

@AmazonMP3. Amazon offers one highly discounted MP3 download a day, and this Twitter account notifies me of the deal of the day. Great stuff. I've lost track of the number of times I've purchased albums this way.

Twitter practices like these build my trust as a loyal customer and pull cash out of my wallet in ways email marketing never did.

One final point: RSS offers many of the same benefits as Twitter in terms of reader empowerment, although it does not have the same retweeting upside. In particular, RSS is a true opt-in like Twitter. The website doesn't get my email address, and whenever I unsubscribe from the RSS feed in my RSS reader, it's over.

For example, as I recently mentioned, RSS is a great option for websites to allow users to learn about changes to user agreements and privacy policies on a true opt-in basis. In this respect, RSS is so much better than email. Consider, for example, DoubleClick's privacy policy, which offers users the opportunity to learn about privacy policy amendments by signing up to an email list. (DoubleClick will rarely have the email address already because it doesn't have direct privity with users). DoubleClick's option is a more enlightened practice than most similar web services, but still, no thanks. If I don't trust DoubleClick's privacy practices to begin with, I'm not going to give them my email address with the risk that they will spam the crap out of it and pass it along to others who will spam the crap out of it too. Of course DoubleClick promises not to do this, but the whole point is that those promises mean nothing to the people who don't trust DoubleClick to begin with. On the other hand, if DoubleClick offered an RSS feed to announce modifications to its privacy policy, then I could subscribe to its notifications with no spam risk at all.

I'm so enamored with RSS as a superior notification tool for announcing privacy policy and user agreement amendments that I will be recommending it to all of my clients as a supplement to other notification options. I hope you'll consider doing the same.

Posted by Eric at 07:03 AM | Marketing , Spam , Trademark | TrackBack

May 19, 2009

Expansive Preemption of State Anti-Spam Laws Is Curtailed

Courts are splitting over the scope of CAN-SPAM preemption, with even judges in the same federal division disagreeing.

By Ethan Ackerman

It is a truth universally recognized that a legal blogger whose legal positions cause them to eat crow or be left crying out in the wilderness usually will be entitled to the occasional I-told-you-so post as well. Two (of three) recent court opinions from California suggest that courts are (sometimes) beginning to reject the broad CAN-SPAM preemption holdings that have followed the reasoning of the 4th Circuit's Mummagraphics case.

Hypertouch v. ValueClick

First, the status quo. A slight majority of the cases addressing CAN-SPAM preemption of state laws have found preemption. Starting with some adverse rulings in response to repetitious pro-se litigants in Washington state, and building on the sweeping Mummagraphics opinion from the 4th Circuit Court of Appeals, many judges have been tempted to dismiss state anti-spam law claims as somehow preempted by the federal CAN-SPAM Act.

Hypertouch v. ValueClick falls squarely into this category. The opinion was handed down by Los Angeles Superior Court judge Richard Adler, but it basically relies on the N.D.Cal. District Court Opinion by Judge Chesney in Hoang v. Reunion.com, which in turn relies on Mummagraphics for its preemption analysis. Judge Adler's holding, "that any claim [desiring to survive preemption] must be based on fraud" represents just the most recent of what is becoming a majority position on CAN-SPAM preemption cases. This case was likely particularly problematic for plaintiff Hypertouch, representing a state court loss following on the heels of its federal court loss earlier.

Fortunately, the tide may be turning away from impossible fraud standards and back in favor of the actual language of the CAN-SPAM preemption clause, as two recent opinions show.

Asis Internet Servs. v. Consumerbargaingiveaways

The defendants in this N.D.Cal. district court case seemed to put in a rather rote defense recycling the holdings of Hoang v. Reunion.com, a previously blogged N.D.Cal. district court that found CAN-SPAM preemption and even a blurry holding that plaintiff might lack Constitutional standing. I imagine they were a tad surprised when another N.D. Cal. district judge in the same division, Judge William Alsup, held that their Constitutional standing argument was "without merit" and their California anti-spam law standing argument was "mistaken." Over and above this significant difference from the Reunion.com line of thinking, Judge Alsup's biggest departure occurs later in the opinion where he parses the preemption language of the CAN-SPAM Act. Because a second N.D. Cal. case in another division also follows and amplifies Judge Alsup's reasoning, I thought I'd summarize them together below.

AsIs v. Vistaprint

Judge Saundra Brown Armstrong wastes no time in getting to the meat of the preemption issue in her Vistaprint holding, declaring after one brief paragraph listing the differing cases on the issue that "[t]his court agrees with the preemption analysis in the recently published order in Asis [v. Consumerbargaingiveaways], and similarly rejects Defendants' preemption challenge."

Judge Armstrong's similarly brief elaboration on this holding is equally informative in its brevity - the core of her holding taking up a few brief paragraphs:

"The very terms of the savings clause exempt laws that proscribe "falsity or deception" in email advertisements, and although the terms are not defined in the Act, this Court finds they should be applied more broadly than just to common-law fraud claims. After all, Congress explicitly used the term "fraud" in the next provision of the preemption clause, yet did not in the savings clause... In the provision immediately preceding the preemption provision, Congress specifies that "[n]othing in this chapter shall be construed to affect in any way the Commission's authority to bring enforcement actions under FTC Act for materially false or deceptive representations or unfair practices in commercial electronic mail messages." The Court is persuaded that here too, Congress intended the phrase "falsity or deception" to be apply more broadly than just to common-law fraud claims."

I told you so?

If this 'when Congress meant one thing, it said it, when it meant something else, it said something else' argument doesn't sound familiar, I'll step in with my own I-told-you-so pointer to my prior post on Congress' careful word choice in the CAN-SPAM drafting negotiations:

When 'falsity' was intended, as in 15 USC 7707(b)1, 'falsity' was used. When 'fraud' was intended, as in a mere paragraph later in 15 USC 7707(b)2, 'fraud' was used. When 'falsity' wasn't enough, but 'fraud' was too much, as in 15 USC 7701(a)1, 'materially false' was used. When Congress wanted to require actual knowledge, or a specific intent, as in 7704(a)2 and 7702(12), it used the terms "actual knowledge" and "intentionally."

The brief icing on this I-told-you-so cupcake comes from Judge Alsup's astute observation that the Mummagraphics opinion doesn't even expressly hold all that subsequent courts have attributed to it, a point I identically brought up in criticizing the scope of the Mummagraphics holding. Judge Alsup has this to say:

"Most or all of the district court decisions that have equated “falsity or deception” with fraud have relied on [Mummagraphics. Mummagraphics,] however, merely held that state laws were preempted insofar as they permitted claims for immaterial errors. It did not hold, at least not expressly, that all elements of common-law fraud were required or that any particular element other than materiality was required to survive preemption."

I'd say that's a more eloquent version of my earlier observations that district courts were extending Mummagraphics even further than its mismatched holding suggested:

"[T]he Mummagraphics holding, for all its strong dicta about fraud and broad preemption, only held that CAN-SPAM would preempt a strict liability statute... Mummagraphics' stated holding (strict liability is preempted) is inconsistent with the Mummagraphics result (a 'more-than-strict-liability' statute was preempted)."

Also worth a read is the observant coverage at spamnotes.com.

Posted by Ethan Ackerman at 09:25 AM | Spam | TrackBack

May 03, 2009

April 2009 Quick Links

By Eric Goldman

[Just a reminder that I am posting some “quick links” exclusively to my Twitter account, so if you want to keep up with everything, follow me at Twitter or subscribe to the RSS feed.]

Marketing/Spam

* Zango is dead (and so is adware), Ken Smith, Zango's CTO, conducts a post mortem: What Zango Got Wrong and What Zango Got Right. Mike Masnick's post-mortem.

* The FDA's instructions about pharmaceutical search marketing have led to lots of confusion. See Search Engine Land and the NYT.

* NYT: "Never Mind What It Costs. Can I Get 70% Off?"

* Tsan Abrahamson on social media and marketing law.

* Asis Internet Servs. v. Consumerbargaingiveaways. A district court diverges from Mummagraphics and says CAN-SPAM does not preempt CA's anti-spam law even if there is no common law fraud.

* Jackson v. American Plaza Corp., No. 08-8980 (S.D.N.Y. April 28, 2009), A Craiglist advertiser isn't a third party beneficiary of Craigslist's contract for purposes of stopping another advertiser from breaching the contract (in this case, spamming the forum).

Defamation

* Gardner v. Martino (9th Cir. April 24, 2009). I'm not a fan of talk radio, and the 9th Circuit apparently isn't either. The court upheld an anti-SLAPP dismissal of a defamation claim against the radio talk show host because "The Tom Martino Show is a radio talk show program that contains many of the elements that would reduce the audience’s expectation of learning an objective fact: drama, hyperbolic language, an opinionated and arrogant host, and heated controversy." Accord DiMeo v. Max. As Marc Randazza notes, rulings like this pose a challenge for those who think contextually ridiculous statements should be treated as "cyberbullying" or "cyber-harassment." Cf. the Finkel v. Facebook case involving asinine but clearly meaningless chatter on a private Facebook page.

* Some big defamation losses reported by CMLP:
- Blogger hit with $1.8M damage award.
- $12.5M defamation judgment against a gripe site.

* CMLP has a page organizing all of its 47 USC 230 material.

Intellectual Property

* Publicly republishing a private email leads to a default judgment of copyright infringement.

* Bryant v. Europadisk, Ltd., 2009 WL 1059777 (S.D.N.Y. April 15, 2009). In 2000, musicians authorized distributors to distribute their [hard copy] recordings, which the defendants ultimately ripped and allowed Amazon and Rhapsody to deliver via downloading. The resulting lawsuit turned on the interpretation of the license agreement term “internet sites.” The court says the term "is not ambiguous and does not extend to websites selling digital copies of songs. At the time the parties entered into the agreements, The Orchard sold physical copies only. As its Vice President explained by affidavit testimony, digital downloads of music did not become a “viable business” until iTunes was launched in approximately April 2004, long after Media Right and Gloryvision entered into contract."

* Octomom is seeking trademark registrations.

Miscellaneous

* GeoCities is shutting down.

* eBay will referee customer disputes.

* Wilson Sonsini's VC financing term sheet generator.

* Oddee: 10 Most Bizarre [Online] Gaming Incidents

Posted by Eric at 06:31 AM | Adware/Spyware , Content Regulation , Copyright , Derivative Liability , E-Commerce , Internet History , Licensing/Contracts , Marketing , Spam , Trademark , Virtual Worlds | TrackBack

April 10, 2009

Q1 2009 Quick Links, Part 2

By Eric Goldman

Trademarks/Domain Names

* The ridiculous Jones Day v. BlockShopper case settled. The settlement agreement. The ABA Journal and Legal Blog Watch stories. Commentary from CMLP, Paul Levy, Tom O'Toole.

* The trial court denouement of the S&L Vitamins v. Australian Gold did not turn well for the defense--$6M jury award. The S&L Vitamins v. Australian Gold and Designer Skins v. S&L Vitamins cases subsequently settled. According to Ronald Coleman: "This settles, for our clients S&L Vitamins, Inc., the Australian Gold case and the related appeal in the Designer Skin case. All money judgments are vacated and parties bear their own fees. Our client agrees to move on to another line of work, however."

* Twelve Inches Around Corp. v. Cisco Systems, Inc., 2009 WL 928077 (S.D.N.Y. March 12, 2009). 17 USC 512(f) does not cover trademark takedown notices.

* Suarez Corp. v. Earthwise, 2008 U.S. Dist. LEXIS 92931 (W.D. Wash. Nov. 14, 2008). Including a competitor's name in a web page disclaimer creates initial interest confusion when the competitor's name is indexed by the search engines. Compare Promatek v. Equitrac, the 2002 7th Circuit case ordering the defendant to include the plaintiff's name on its web page as a cure for initial interest confusion.

* CRS Recovery v. Laxton, 2008 WL 4408001 (N.D. Cal. Sept. 26, 2008). Another California-based court says that domain names are property that can be converted. I'm amazed that these cases are still being brought.

* North American Bushman, Inc. v. Saari, 2009 WL 211932 (M.D. Pa. Jan. 27, 2009) The parties entered into a settlement agreement that "Plaintiffs further agree not to use, and in addition, to offer up or destroy, any material that includes, but is not limited to, the names, photos, images, embroideries, of likeness of [Defendant] James Saari and any of the a above named trade names and trademarks of Defendants." The court holds that this provision wasn't breached when third party users posted comments referencing the defendants in UGC areas of websites operated by the other party.

* Advice Co. v. Novak, 2009 WL 210503 (N.D. Cal. Jan. 23, 2009). Justia page. Stupid lawsuit alert! Attorneypages.com believes Attorneyyellowpages.com infringes its trademark. Case dismissed for lack of personal jurisdiction. Participating in Google AdSense doesn't automatically create jurisdiction in CA.

* DSW v. Zappos, which involved allegations of trademark infringement based on Zappo's affiliates, settled.

* An update on Google's AdWords woes in France.

* Kiva Kitchen & Bath Inc. v. Capital Distributing Inc., 2009 WL 890591 (5th Cir. April 2, 2009). The Fifth Circuit upholds enhanced damages under ACPA. Good discussion of the purpose of damages in the ACPA.

* Toys R Us buys the domain toys.com for over $5M. Is any domain name worth $5M any more?

* A 2007 interview with "Pokey" of Pokey.org fame. This is one of my favorite domain name disputes from the 1990s. A very smart cyberlawyer (Ian Ballon), on behalf of the trademark owners of Pokey & Gumby, unexpectedly got into a public tangle with a 12 year old kid nicknamed "Pokey" over the domain name pokey.org. Debating 12 year old kids in the press never turns out well.

Advertising/Marketing

* Some new material on behavioral advertising: an FTC report and a CRS report.

* Latest NYT article on human billboards. See my prior blog post.

* Privacy advocates are freaking out about Google Android and its ability to deliver location-based information and ads. But location-based information and ad targeting is inevitable...and a good thing.

* Action over mobile marketing: Mobile Messenger settled a false advertising suit with Florida for $1M, and another settlement. Google's response.

* The class in the "Vista Capable" lawsuit was decertified.

* Tsan's post on the latest FTC efforts to rein in testimonials on social networking sites and blogs. Unfortunately for the FTC, some of its efforts may be preempted by 47 USC 230.

* eBay v. Digital Point Solutions, 2009 WL 481269 (N.D. Cal. Feb. 24, 2009). eBay loses an intermediate round in its cookie stuffing lawsuit against Digital Point Solutions.

* e360, a serial defendant in spam cases, sued Choicepoint for selling it email addresses that led to the suits. Apparently neither e360 nor Choicepoint got the memo that the days of email list brokering are dead.

* 10 Creative Bathroom Ads.

Search Engines

* Study: Google's search lead not matched by loyalty. A critical response.

* Is Google giving big brands extra credit in its organic search results rankings? Compare: media giants complaining they don't get enough weighting in organic results.

* Sign of improving consumer search skills: search queries are getting longer.

* Yahoo reserves the right to "auto-optimize" advertiser accounts by changing ads and advertiser bids automatically. This is not a popular move.

* Wired: The Plot to Kill Google.

Posted by Eric at 10:20 AM | Domain Names , Internet History , Marketing , Search Engines , Spam , Trademark | TrackBack

April 08, 2009

Q1 2009 CAN-SPAM Quick Recaps

by Ethan Ackerman

While it seems most CAN-SPAM watchers (and even traditional media, apparently) await the results of key 9th Circuit and California Supreme Court cases, CAN-SPAM rulings in lower courts and in other Circuits continue to trickle in. Two of these new cases raise issues this blog has covered in the past, but they're still worth a quick note.

Ferron v. Subscriberbase Holdings, Inc
(excellent coverage, and a link to the decision, at spamnotes.com)

This case manages to come out just right in its results, even though the opinion relies rather extensively on the 4th Circuit's rather poorly-reasoned Mummagraphics precedent.

If ever there were a cut-and-dried 'actual statutory conflict' preemption case that largely didn't have to resort to parsing the CAN-SPAM Act's preemption language, it is this case. The 6th Circuit Court should have just done a straight forward preemption analysis and said: "The OH statute imposes labeling and physical address requirements in a manner inconsistent with CAN-SPAM's labeling and physical address requirements. Actual conflict preemption - the end. We need not dally in the hypothetical of whether CAN-SPAM's preemption savings clause for 'falsity or deception' applies..." While the Court came to the correct conclusions about CAN-SPAM's preemption clause not applying to this particular statute, because this statute wasn't a "falsity and deception" law, the court muddied the waters by using Mummagraphics to get there.

On the other hand, the court correctly pointed out that the general OH consumer protection act claims were not preempted, because the state act is one of general applicability and has "false or deceptive" elements, just like CAN SPAM's exception requires. [Author's comment: Wow, you'd think CAN SPAM had been specifically drafted to pointedly protect state consumer protection acts from preemption or something...]

Hypertouch v. Azoogle.com, 2009 WL 734674 (N.D.Cal.)

While this order granting motions to dismiss and granting leave to amend the complaint is a new and separate case, you could be excused in confusing it with another of federal District Judge Chesney's spam cases - the previously-blogged Hoang v. Reunion.com.

Like in Reunion.com, the opinion confuses the tort of fraud, with its special elements and pleading requirements, with the statutory provisions of the CAN-SPAM Act. To be fair, Judge Chesney does a precise and accurate job with the preemption analysis under CAN-SPAM. Everything in the opinion is an appropriate statement of the law regarding preemption, including the review of plaintiff's less-common trespass to chattels claim.

It's at the erroneous rulings over fraud pleading standards where this opinion looses its steam. As I bemoaned in a post over the same error in Reunion.com, falsity is still not the same thing as fraud, especially when Congress distinguishes between them in a statute. Unfortunately, this opinion also repeats this earlier mistake, and explicitly imposes the heightened pleading standards of FRCP Rule 9 because the pleadings "sound in fraud." It's dismaying to see this mistake again, especially after the judge even concedes that the plaintiffs in their complaint explicitly noted that they were not asserting a general claim for the tort of fraud.

Posted by Ethan Ackerman at 09:38 AM | Spam | TrackBack

March 31, 2009

Virginia v. Jaynes - This Time Really is The End

by Ethan Ackerman

The US Supreme Court has declined to grant a petition for certiorari filed by Virginia's Attorney General in Virginia v. Jaynes. That denial means the Virginia state Supreme Court's holding is the final say in the Jaynes case, and the Virigina spam statute is definitively unconstitutional.

While some coverage is suggesting that the Supreme Court had an opinion on this case or otherwise endorsed the ruling below, other articles are correctly framing the cert. denial - the Supreme Court didn't agree or disagree with the Virginia Supreme Court, it merely declined to take the case. As a result, the state opinion stands.

This also means I no longer have to end each of the blog posts I've written on the Jaynes case with a 'but this ruling could still be appealed further.'

An interesting final anecdote, perhaps? The outcome in the spam litigation turns out to be mostly academic for Mr. Jaynes. According to the Washington Post, he is currently in prison on unrelated securities fraud charges.

Posted by Ethan Ackerman at 02:44 PM | Spam | TrackBack

February 06, 2009

2008 Cyberlaw Year-in-Review

By Eric Goldman

It's a sign of my schedule that I'm just now getting to this, and this post will be more pithy than I initially conceived. This post recaps some of the Cyberlaw highlights from last year. Frankly, the two biggest stories of 2008 were the financial markets meltdown and the ascension of President Obama, neither of which have a lot of Cyberlaw angles. In light of those big developments, Cyberlaw in 2008 was comparatively quiet. However, there is still plenty of interesting developments to revisit.

Broad Themes

A few broad themes emerged last year:

* Ludicrous trademark claims. 2008 hardly had a monopoly on dumb trademark claims; those are perennial. But 2008 certainly saw some asinine entries, including putative Cyberlawyer Eric Menhart's claim to own a trademark in the term "Cyberlaw," Jones Day's efforts to claim that a web page referencing its name as the employer of some homebuyers violated its trademark rights, and putative Cyberlawyer John Dozier's claim that if his name is used as anchor text, the link must go to his website or it violates his trademark right.

* This was a good year for expansive readings and applications of user agreements. Some examples:
- the Lori Drew prosecution, where Lori was convicted of violating an agreement that someone else clicked through.
- Jacobsen v. Katzer, where a user of copyrighted material is bound by a contract that he/she never clicked through at all.
- AV v. iParadigms, where kids were not allowed to void a user agreement despite their status as minors (and despite the fact that some of them had no meaningful choice about whether or not to consent).
- JuicyCampus enforcement action, where the New Jersey Attorney General's office tried to treat a negative user behavioral restriction in a user agreement as an affirmative marketing representation that such user behavior would not occur on the site.

* One of the long-standing Cyberlaw memes is that websites must either be passive conduits to avoid liability or active editors to manage their liability, but if a website chooses the latter, the website is liable for any editorial mistakes. That is, if the website edits its site but misses something, it's fully liable for what it missed. This simply isn't true under 47 USC 230, which allows websites to choose to be passive, active or anything in between without varying liability. In the IP context, this passive v. active meme has had more traction, but 2008 saw two solid cases suggesting that if a website tries to police its premises and fails, courts will be sympathetic and excuse any omissions. Example #1: Tiffany v. eBay, where the court gave eBay extra credit for its VeRO program as a basis to excuse any counterfeit goods that slip through. Example #2: Io v. Veoh, where the court was more willing to excuse Veoh because it had undertaken extra policing efforts than was required for the 17 USC 512 safe harbor. Finally, although not an IP case, the court in Cisneros v. Yahoo also lauded search engines for their affirmative efforts to block gambling ads, which the court acknowledged was a hard challenge.

* Despite some adverse rulings early in the year, punctuated by the Ninth Circuit's en banc ruling in Roommates.com, the 47 USC 230 immunization is still extremely robust. We saw a number of expansive and pro-defense rulings per 230 throughout the year, including Craigslist, Doe v. MySpace, Cisneros v. Yahoo and Goddard v. Google. Perhaps more importantly, in the three 230 cases I've seen since Roommates.com that cited to the opinion, all three cited the opinion in ruling for the defense.

* Battles over keyword advertising are hardly over, even though Utah officially backed off its attempt to ban them. The ABA IP Section tried to get into the act, and American Airlines sued Google, settled, and then sued Yahoo.

Top 11 Cyberlaw Developments of 2008

#11: Utah Trademark Protection Act repealed. The Utah Trademark Protection Act had the potential to throw the entire keyword advertising business into turmoil. Instead, now that it's repealed, it just remains as a dramatic reminder of the Utah legislature's incompetence regarding Internet legislation.

# 9 and 10: Fair Housing Council v. Roommates.com and Goddard v. Google. The Roommates.com en banc opinion makes the list based mostly on its potential consequences, not its actual effect. It remains one of the most significant pro-plaintiff incursions into the solidly defense-favorable interpretations of 47 USC 230, but it's so riddled with contradictory and ambiguous language that no one really knows what to do with it. I think Judge Fogel's reading of the case in Goddard v. Google has the potential to become the defining interpretation of the case, and his solidly defense-favorable reading of the precedent in excusing Google for ads placed by its advertisers may only reinforce how little Roommates.com changed the law.

#8: AV v. iParadigms. This case was a terrific win for online fair use enthusiasts because the for-profit commercialization of a database of third party copyrighted works was still deemed fair use. The upholding of the contract against the minors forced to enter into it was also significant. Before this ruling, my assumption is that any plaintiff trying to form a class action lawsuit in the face of an adverse user agreement could always form the class on behalf of any minors who had the right to void the contract. This case seems to shut down that loophole in user agreement protection.

#7: Io v. Veoh. The 17 USC 512(c) safe harbor has been law for over a decade and has produced a couple dozen rulings, but few are cleaner and more decisive for the defense than this one. It was a textbook example of a court rejecting the many different arguments plaintiffs make to kick a defendant out of the safe harbor, and as mentioned before, it was a great validation for Veoh's decision to do more than 512 required.

#6: Jacobsen v. Katzer. From a doctrinal standpoint, this case raises really difficult questions about how a copyright consumer can be bound to terms that he/she never "assented" to. Even so, this case had huge implications because it effectively validated that open source licenses can be binding on licensees, giving much more legal credibility to the entire multi-billion open source software industry. However, an odd footnote: on remand, the district court denied an injunction for the plaintiff, raising more issues about what exactly the plaintiff won at the Federal Circuit.

#5: Tiffany v. eBay. A fantastic validation of eBay's practices against a very serious and sympathetic challenger who had plenty of evidence that counterfeit goods were being sold on eBay's site. The case also shows that courts can grow tired of IP owners simply making up their own rules about how online sites should protect them and then suing the sites for breaching these artificial rules.

#4: Mazur v. eBay. A more scary case to 47 USC 230 defense enthusiasts than the Roommates.com opinion. The court says that eBay isn't protected by 230 for some of the marketing representations it makes, even if those representations are rendered untrue by third parties. While this makes a lot of doctrinal sense, it is also a green light for plaintiffs to mine a website's marketing representations as a way to bypass the otherwise-fatal consequences of 230 on a lawsuit triggered by user behavior or content.

#3: Google Book Search settlement. This makes the list for two independent reasons. First, many folks were hoping the case would establish solid precedent on online fair use, and the settlement ended that hope. Second, the proposed Book Rights Registry has the potential to reshape a number of major industries, including the book publishing business, the book retailing industry and the library industry.

#2: the Lori Drew prosecution. I think this may have been the most polarizing Cyberlaw development of 2008, exposing deep divides in people's appetite for punishing bad conduct online. It's hard to assess the overall implications of her conviction because no one rallied to praise Lori Drew's choices, and her case is still a ways from a final legal outcome. However, the possible implications of the case were so complex that it took a special three part series for me to explore its nuances (1, 2, 3).

#1: Cartoon Network v. CSC (the "Cablevision" case). Boy, the more I think about this case, the more important it becomes. The case upends our assumption that if we see it online, it's fixed, creating a new class of unfixed electronic works. Also, the court treats the users, not the service, as making the requisite copies, which reinforces the possibility that online providers can be just "dumb technology providers" for copyright law purposes and reinvigorates the possible defense that a service provider's copying is just done as a proxy for its users. However, the Supreme Court's ambiguous response to the cert petition--not yes, not no, but a request to the Solicitor General for comments--leaves this decision in a precarious position.

Other Developments of Special Note

47 USC 230

* Doe v. MySpace. The Fifth Circuit soundly rejects the argument that MySpace had an obligation to police its “premises.”

* Craigslist. Judge Easterbrook's language in Doe v. GTE had given plaintiffs some hope that the Seventh Circuit would provide a friendly venue to plaintiffs trying to overcome 47 USC 230. Judge Easterbrook may still love his language (which he quoted extensively in the Craigslist ruling), but his practical and no-nonsense ruling for the defense squelches the hope that the Seventh Circuit will become a plaintiff's haven.

* New Jersey's enforcement action against JuicyCampus. State AG offices HATE 47 USC 230.

Affiliate Liability

* Impulse Media. A jury thumped the FTC's overly expansive views of affiliate liability for spam.

* NY v. Direct Revenue. A state judge emphatically rejected the NY AG's office's expansive views of affiliate liability for adware.

Trademarks/Domain Names

* American Airlines' lawsuits against Google and Yahoo. No one I know fully understands why American Airlines sued Google for selling its trademarks for keyword ads. No one I know understands what concessions Google gave to American Airlines to settle the case. And no one I know understands why American Airlines decided to sue Yahoo after procuring the Google settlement. It's all a big mystery.

* NSI's grabbing of domain names in response to WHOIS queries. Is there any better example of ICANN's failings to police domain name retailers than to have one retailer selling a scarce good grabbing the good exclusively (blocking attempted sales by all other retailers) when a customer merely inquires about it?

* Kentucky's attempted seizure of 141 gambling-related domain names. As I wrote before, "Is a domain name property? Yes. See the Sex.com case. Can a plaintiff seize a domain name pursuant to a favorable judgment? Yes. Is it appropriate for Kentucky to seize domain names for gambling websites available in Kentucky? Of course not, because this would effectuate an extraterritorial reach by curtailing non-Kentucky residents from making possibly legal uses of the domain name."

* Eric Menhart, a lawyer who claims to practice Cyberlaw, doesn't know that Cyberlaw is a generic term.

* New gTLDs. Maybe I should reserve this development for 2009...if it happens.

Others

* McCain complains about 512(c)(3) notices taking down his YouTube videos. Surprise! 512(c)(3) notices are unforgiving. Sen. McCain, now that you've had a first-hand taste of their power, maybe you'd like to revisit the statute to see if it's producing the right incentives?

* FCC's bust of Comcast. The pro-regulatory forces were queued up to pounce on any examples where an IAP violated Net Neutrality principles, and Comcast's chicanery in forging reset packets was impossible for anyone to defend.

* NebuAd's flameout. Behavioral ad targeting is in our future unless regulators stop it. NebuAd won't be the winning provider of targeting services, but legislators will keep trying to regulate it further out of existence nonetheless.

Posted by Eric at 05:50 PM | Adware/Spyware , Copyright , Derivative Liability , Domain Names , E-Commerce , Internet History , Licensing/Contracts , Marketing , Publicity/Privacy Rights , Search Engines , Spam , Trademark | TrackBack

January 09, 2009

Reunion.com Revisited

Following in the expected path of her earlier ruling, District Judge Maxine Chesney again dismissed an anti-spam lawsuit against Reunion.com. This time, the Judge also threw in a tenuous constitutional holding for good measure. Count this ruling as yet another one muddying the distinction between fraud lawsuits and anti-spam lawsuits and undermining the reasonably clear preemption provisions of the CAN-SPAM Act.

By Ethan Ackerman

On Dec. 23, 2008, federal District Judge Maxine Chesney issued what the defense attorneys in Hoang v. Reunion.com will likely view as a welcome, if foreseeable, Christmas present - another conditional dismissal of the plaintiffs' class action lawsuit. I've previously blogged about the first dismissal here, with an important follow-up regarding the amended complaint here. Reading those posts first to get some important context will help in following this post.

Falsity is still not the same thing as fraud, especially when Congress distinguishes between them, unless a federal judge says it is.

Judge Chesney's first dismissal ruling focused on the absence of fraud allegations in the plaintiff's complaints, ultimately holding that in order to escape preemption by the federal CAN-SPAM Act, plaintiff's' state law claims had to include, above and beyond the falsity violations of the California anti-spam laws, some or possibly all the additional elements of a fraud claim. I criticized that holding in the prior post because that's not only not what the CAN-SPAM Act requires, but it was actually adding four additional elements to the Act that Congress considered but didn't include. Falsity is one of five elements of fraud under California law. California is hardly alone in having consumer protection laws that require a lesser standard than fraud. Adding four additional elements by judicial decision would be like a judge requiring a prosecutor to prove each of the elements of premeditated murder when she's only charging involuntary manslaughter - and in this case it would be like judicially requiring them even after the legislature considered and rejected the additional elements.

Sticks and stone may break my bones, but misleading emails alone don't really hurt anyone.

My prior disagreement with the first dismissal was its inconsistency with the falsity standard of the CAN-SPAM Act, and its reliance on the similarly mistaken 4th Circuit Mummagraphics opinion. This dismissal repeats that problem and then raises the stakes by suggesting that it would be unconstitutional for the court to even hear the case if the complaint wasn't amended to allege at least several of the additional elements - reliance and damages.

Specifically, Judge Chesney states

[In] the absence of an allegation that each such plaintiff incurred some type of injury or damage as a result of his having taken action in reliance on defendant's assertedly false use of a third-party domain name in the email, [the] action is subject to dismissal.

Failure to do so, Judge Chesney holds, would not only result in preemption under CAN-SPAM, but also run afoul of the case-or-controversy requirement of the US Constitution's Article III.

Actual Injury Standing, or Wait, spam's not illegal until someone actually wires the $10,000 to Nigeria?

Prior court disagreements over whether falsity must also be material or intentional look pretty minor compared to this Constitutional "no harm, no foul" holding, so what's going on here?

By way of background, Article III of the US Constitution requires a "case or controversy" before a federal court may rule in a case, and this provision has been interpreted by the Supreme Court to mean that a plaintiff must suffer an "injury in fact" to have standing in a federal court. This is the principle underlying Judge Chesney's holding, but it’s quite a stretch to apply the principle to dismiss a case brought by admittedly aggrieved plaintiffs directly covered by a state's consumer protection statutes.

The requirement that an individually identifiable "injury in fact" be shown by someone before they can bring a lawsuit prevents judges from having to make hypothetical rulings or issue advisory opinions without the benefits of specific facts. This lack of standing is the reason any given citizen can't sue the government for spending tax dollars in a way they don't like, or a mob boss can't preemptively sue for an unlawful wiretap before it's actually installed, or more specific to this case, why someone who hasn't actually received a misleading email from Reunion.com couldn't sue it for violation of CAN-SPAM or California law even if Reunion.com's practices clearly violated the laws.

There are even particular types of cases where "injury in fact" standing is commonly a close question; (until recently) qui tam lawsuits were often challenged on "injury in fact" grounds. Similarly, environmental organizations bringing suits against government actions (and inactions) often succeed or fail based on standing, and are the source of much of the standing caselaw. Although not relevant to this case's constitutional holding, there is also a good deal of action on issues of injury standing at the statutory level. More than one CAN-SPAM lawsuit has been dismissed on the grounds that a plaintiff lacked standing under the "adversely affected" requirement of the statute. [Author's note: While it is debatable whether this element of the statute acts as a pleading requirement or functions as a prerequisite for statutory standing, courts have used it that way. I suspect Judge Chesney may ultimately rule similarly, thus avoiding an unnecessary constitutional ruling. That would definitely be the better of these two disagreeable choices.]

Similarly, some state consumer protection laws have been amended by legislatures to remove or add a specific injury pleading requirement, alternately making some consumer protection act violations "strict liability" laws or making suits for violation more complex to prove by adding another statutory element. Two notable examples of such trends are the addition, by Proposition 64, of such a requirement to the California laws, and the removal of such a requirement in the District of Columbia's Consumer Protection Act.

Based on this quick treatment, Judge Chesney's holding seems plausible. This "injury in fact" doctrine really does exist and some cases do turn on it. But, while the Constitutional requirement that there be an "injury in fact" keeps hypothetical cases out of federal court, it is a fairly low threshold for those cases actually brought under a federal or state law directed against a certain type of behavior Congress or a state legislature has already found to be damaging. But this dismissal ruling departs from other court rulings on standing by blowing past legislative determinations of just what is "damage."

So your real beef is not the result, but that the Judge had to ignore the damage determinations of the legislatures to come to such a holding?

In a word, yes. The California anti-spam act included specific findings of costs and damage to the end-user, findings that even the federal CAN-SPAM Act echoed. This frustration is perhaps amplified by the practice of Judge Chesney in other contexts to accept and defer to Congressional policy decisions, an important and correct skill needed when interpreting nuanced statutory provisions. In other contexts, Judge Chesney has cited with clear approval the notion that a court "was not at liberty to second guess congressional determinations and policy judgments."

Perhaps this holding is explicable because the statute's lower pleading standard is unique to spam laws?

In a word, no. There is no shortage of laws requiring some lesser standard of falsity than fraud at the federal and state level. Similarly, many laws provide for liability based on a statutory presumption of reliance. In some other cases, mere or factual error is sufficient to trigger liability regardless of materiality or reliance. These laws are so common and numerous that the term "strict liability laws" is a frequently used term describing just one subset. Let's explore in more detail just how large a majority of federal and state suits are brought under these laws...

Most analogous to anti-spam lawsuits are other consumer protection laws against unfair or deceptive practices where committing a prohibited practice triggers a right to sue, regardless of any monetary damages. For example, the federal Fair Debt Collection Practices Act prohibits a range of collection practices and gives debtors subjected to the illegal practices a right to sue for statutory damages, regardless of whether the unfair dunning results in a collection or not. Wisely, courts, including Circuit Courts of Appeal, have held that the illegal threats to collect constitute an "injury in fact" regardless of whether or not the debtor heeds them and pays up. Similarly, “It is well settled, however, that proof of actual deception or damages is unnecessary to a recovery of statutory damages” under the Truth in Lending Act, according to the Second Circuit in Gambardella v. G. Fox & Co.

There are also a whole host of civil laws ordering business structures and transactions where committing a prohibited practice triggers a right to sue and provides for statutory damages regardless of any monetary damages. Trademark law contemplates lawsuits over trademark use violations that in some cases don't even require an actual showing of confusion, merely the (by definition speculative) "likelihood of confusion." Touching close to the current case (and presumably different only in having more complete damages pleading) Judge Chesney apparently had no problems with the Article III standing of some recent trademark plaintiffs, allowing summary judgment under the statute in favor of an initial-interest-confusion plaintiff based only on the likelihood of initial interest confusion.

But perhaps the most dramatic examples of laws permitting civil suits to recover money even absent any measurable or conceivable or alleged harm are the IP laws, copyright and patent. The patent holder's right is fundamentally the right to exclude others from practicing her patent, and a non-practicing patent holder who has never made, sold, licensed or marketed a single product, and thus lost not a single penny in sales or licensing fees to the infringer, or indeed suffered under any cognizable theory of harm, may still bring suit to recover the wrongful profits of the infringer. Similarly, a copyright holder with an unpublished manuscript or suffering from an infringement occurring in an entirely different media is still entitled to sue for statutory damages, even in the absence of any actual damages. Indeed, many of these laws even provide statutory damages as a measurement of harm precisely because the actual harms are variable, need to be deterred, or are hard to assess.

Some parting words from the controlling courts

Suits of this type, where a legislature has already found an injury in a certain prohibited practice or behavior and passed a statute granting particular individuals a right to sue in response to that practice, are precisely the suits the Supreme Court was contemplating in Lujan v. Defenders of Wildlife when it said the "injury required by Art. III may exist solely by virtue of ‘statutes creating legal rights, the invasion of which creates standing."

The Ninth Circuit also has a particularly lenient view of what constitutes damage for Article III purposes. So if Judge Chesney had accepted the damages findings of the California legislature, she would likely have to find those enumerated damages were of the types (time, money) that the Ninth Circuit has previously identified in various cases as being Constitutionally sufficient.

Concluding thoughts

As Venkat's timely post on this case notes in conclusion, several related cases raising some of these issues are in the process of being decided by the California Supreme Court or Ninth Circuit Court of Appeals. Those decisions have the possibility of perpetuating or correcting several of the trial court errors I've discussed in prior posts. Also, in this particular case, Judge Chesney did graciously grant another opportunity to amend, meaning there may be yet another opinion in this case. Finally, and most simply, an amendment to the complaint could just recite the harms identified in the California statute and allege that plaintiffs have suffered them.

Posted by Ethan Ackerman at 03:10 PM | Spam | TrackBack

December 02, 2008

November 2008 Quick Links

By Eric Goldman

Trademark

* NYT: "A handful of new Web sites with names like Typo Bay and Typo Buddy are out to help shoppers save money by searching eBay for misspelled brand names." In 2005, I blogged that typographical errors are a significant issue for eBay's search engine.

* It's a bull market for Obama-related trademark filings and Obama merchandise.

* Domain name tasting down 84%?

* Wired: "Think Godzilla's Scary? Meet His Lawyers"

Copyright

* Reuters: "Instead of triggering the usual take-down notices, copyright-infringing footage of select MTV Networks programing uploaded by MySpace subscribers would be automatically redistributed with advertisements that would generate revenue for the companies." I'm interested to see how this system applies to fair uses of the works!

* Arista Records LLC v. Usenet.com, Inc., 2008 WL 4974823 (S.D.N.Y. Nov. 24, 2008). The court dismisses USENET.com's counterclaims for declaratory relief that it doesn't violate 17 USC 512 because the claims duplicate its affirmative defenses.

* James Grimmelmann does an excellent job parsing the Google Book Search settlement agreement and makes some sage recommendations for how it should be modified before court approval.

Advertising/Marketing

* The Google-Yahoo ad syndication deal is dead. Some behind-the-scenes discussions.

* I'm not sure about the implications of this, but Google is expanding its efforts to allow website and ad targeting based on automatic geographic detection. See my prior post about the future of geolocation and a bordered Internet.

* Good news: entrepreneurs want to authenticate children's ages to keep them out of online trouble. Bad news: entrepreneurs might use age authentication to hit the kids with targeted marketing.

* Classmates.com sued for misrepresenting that former school chums were actually looking to reconnect. Yet more pushback on bogus "X is looking for you!" ads.

47 USC 230

* The Supreme Court denied cert in Doe v. MySpace, 2008 WL 4218722. According to Tom O'Toole, this is the seventh time that the Supreme Court has denied cert in a 47 USC 230 case.

* It appears that Children of America v. Magedson has settled.

* The Santa Clara University community is having a catharsis about Juicy Campus.

* Dan Solove and I chatted with Doug Lichtman about social networking sites (asynchronously--I spoke with Doug after Dan had), with most of my conversation focusing on 47 USC 230. Doug edited the conversations together into a one-hour podcast entitled "Privacy in the Networked World." An added bonus for listening--you may be able to earn one hour of CLE FREE!

Spam

* Facebook v. Guerbuez. Facebook wins $873M default judgment under CAN-SPAM. Now, if Facebook could only collect any of this, they would have finally figured out a way to make money!

* Gordon v. SubscriberBASE Holdings, Inc., 2008 WL 4809833 (E.D. Wash. Oct. 31, 2008). Serial anti-spam plaintiff lost again on whether he has standing under CAN-SPAM.

* Evan Brown: Government spam filters do not deprive citizen of right to petition the government.

* Venkat: Unsolicited Marketing Extravaganza in the Ninth Circuit.

Miscellaneous

* eHarmony settles claim that it discriminates against gay singles.

* NYT: "almost five years into its expansion into Europe...Google is getting caught in a web of privacy laws that threaten its growth and the positive image it has cultivated as a company dedicated to doing good."

Posted by Eric at 09:47 AM | Copyright , Derivative Liability , Domain Names , Privacy/Security , Search Engines , Spam , Trademark | TrackBack

November 18, 2008

October 2008 Quick Links, Part 2

By Eric Goldman

Spam

* Kramer v. Perez. An Iowa court awards $236M in damages in a spam case. Venkat's comments.

* After the government lost its jury trial against Impulse Media, the court denied Impulse Media attorneys fees.

Contracts

* AT&T put its own emailed notice of amended contract terms into its spam folder. Whoops! Due to spam filters and other automated blocks, it is becoming almost impossible for websites to communicate with their users by email.

* An estimate of the massive "tax" imposed on consumers by reading privacy policies. Of course the financial drain is overstated because many people make a rational decision not to read every privacy policy, plus not every person has to read a privacy policy for marketplace responses to be effective.

* The Blizzard v. MDY WOWGlider case has reached a stipulated damages amount of $6M.

* Pulaski & Middleman, LLC v. Google Inc., 5:2008cv03888 (N.D. Cal. complaint filed August 14, 2008). The Justia page. Yet another me-too lawsuit against Google over serving ads to parked domains and error pages.

* An Israeli GPL enforcement action settled.

Trademarks/Domain Names

* Kentucky v. 141 Domain Names. Is a domain name property? Yes. See the Sex.com case. Can a plaintiff seize a domain name pursuant to a favorable judgment? Yes. Is it appropriate for Kentucky to seize domain names for gambling websites available in Kentucky? Of course not, because this would effectuate an extraterritorial reach by curtailing non-Kentucky residents from making possibly legal uses of the domain name. More recently, the seizure was stayed.

* Speaking of inappropriate seizures, the Feds are trying to seize the trademarks of the Mongols motorcycle group. DOJ press release. LA Times article.

* Best Western Intern., Inc. v. Doe, 2008 WL 4630313 (D. Ariz. Oct. 20, 2008). Prior blog post in this case. The judge is losing patience: "These filings are wasteful in the extreme. The Court is not a forum for the parties to expend every possible dollar seeking to litigate every conceivable issue, no matter how insubstantial. The Court will no longer tolerate the excesses of this case."

* The Verizon v. Navigation Catalyst Systems domainer lawsuit settled.

* 50 Cent brings yet another questionable lawsuit. (1, 2).

Advertising

* Goddard v. Google Inc., 2008 WL 4542792 (N.D. Cal. Oct. 10, 2008). The case against Google for deceptive mobile phone ads will stay in federal court.

* Eyeblaster, Inc. v. Federal Insurance Co., 2008 WL 4539497 (D. Minn. Oct. 7, 2008). This is a collateral lawsuit to Sefton v. Eyeblaster alleging that Eyeblaster distributed spyware. Eyeblaster tendered the claim to its insurer. This court holds that the CGL policy doesn't apply because the claim relates to software problems, not physical damage to the users' computers. Further the E&O policy doesn't apply because Sefton alleges that Eyeblaster intentionally installed the spyware, bumping Eyeblaster into one of the policy's exclusions.

* Are consumers becoming more tolerant of pop-up ads? For more on consumer acceptance of new advertising formats, see here.

* A big damages award in NetQuote v. Byrd.

Posted by Eric at 06:42 AM | Adware/Spyware , Domain Names , Licensing/Contracts , Marketing , Privacy/Security , Search Engines , Spam , Trademark | TrackBack

November 14, 2008

Just who is an Internet access service provider under CAN-SPAM?

Worded to prevent lawsuits by individual email recipients, the federal CAN-SPAM Act limits who can bring suit for a CAN-SPAM violation. In addition to state and federal enforcers, the Act allows suits by "Internet access service providers." Just who are they, and can individuals find a way back in to court under this provision?

By Ethan Ackerman

One of the most distinct differences between the federal CAN-SPAM Act and state anti-spam laws is the federal law's restrictions on who may bring suit for a violation. Like many federal laws, it's vital to consider the environment in which it passed in attempting to understand the scope and intent of its provisions.

After several years of experience with state laws allowing individual email recipients to bring suit under state laws, and both actual and exaggerated instances of 'professional plaintiffs' bringing questionable suits against email marketers, many business and marketing lobbyists were eager to limit who could bring suits under a federal spam law. While efforts to expand or limit liability under federal laws are as old as the 1st Congress, 2003 was a notable high-water mark. At the same time as, and in the same Congress as, the CAN-SPAM Act, similar Acts altering liability standards and raising barriers to lawsuits and class actions were being passed under the mantra of "tort reform." Limitations on environmental and manufacturer liability, extending sovereign immunity to vaccine developers, restrictions on class actions, preemption of state enforcement and consumer protection laws, statutorily-mandated settlements of active court litigation - these were some of the hallmarks of the 108th Congress' involvement with the judicial branch.

In this environment, it's not surprising that various provisions in the CAN SPAM Act were negotiated back and forth to expand or contract liability, standing and preemption. This blog has previously covered the preemption back-and-forth, but similar negotiation went into just who could sue, and how, and where, and for how much under the CAN SPAM Act.

The final version of s.877 signed into law in 2003 that became the CAN SPAM Act reflects the compromises on several issues necessary to get sufficiently broad political support. This post will attempt to identify each of those issues in turn.

The final bill allows suits by a broad swath of federal regulatory agencies to enforce the law, including most notably the FTC. The scope of state officials' enforcement of the federal law, and just who else could sue, was somewhat more disputed. Prior year versions of the bill allowed suits in state as well as federal court. The initial Senate version of s.877 also allowed suit in federal or state court, but the final version negotiated with the more lawsuit-averse House of the 108th Congress restricted suits to only US federal District Courts, and now redundantly also granted the relevant federal agencies additional authority to removes suits filed by States to federal courts.

The issue of caps on damages and attorney's fees was also near and dear (or anathema) to many in the 108th Congress, and extensive changes exist between various versions of the bill as conditions were horse-traded and various constituencies weighed in. State enforcement statutory damages swung from $20 to $250 over the course of the different Congresses, with treble damages being available, then dropped and replaced with discretionary 'aggravated' damages possibilities. State enforcers' attorneys fees similarly went from mandatory to discretionary between the introduced Senate version and House-approved version. Statutory damages for internet access providers saw similar swings and horse trading, ultimately with certain egregious violations triggering $100 damages and other damages valued at $25, a far mark from a proposed 'up to $10.' Damages caps were also a feature, but swung from as little as $500,000 to in some cases $3 million.

Similarly, the political demands of the House resulted in additional, heightened pleading standards for civil suits by anyone other than federal enforcement agencies. These heightened standards, absent in the initial Senate version but added in sections 7(f)9 and 7(g)2 of the final version, raised a scienter pleading requirement for state enforcers and constricted the definition of 'procure' for suits brought by Internet access providers.

But back to the big difference

As initially indicated, the biggest difference between most state and the federal anti-spam law is the absence of a private right of action for spam recipients in the federal law. In the 108th Congress, a general private right of action was a non-starter. Even the initial Senate version of the bill restricted suits to enforcement officials and Internet access providers. Contrary to the desires of state enforcers from state with such provisions, and apparently an uncomfortable concession from the minority Democrat sponsors, the absence of a private right of action was a stated minimum.

The final wording of Section 7 of the CAN SPAM Act specifies who can bring suit, listing first federal enforcement, then state enforcement, and finally granting Internet access providers the right to bring some civil suits. So who is an 'Internet access provider'?

The short answer - the definition written in the 'definitions' section of CAN SPAM - is that the "term `Internet access service' has the meaning given that term in section 231(e)(4) of the Communications Act of 1934 (47 U.S.C. 231(e)(4))." This somewhat unenlightening reference leads to the actual statutory definition of:

The term “Internet access service” means a service that enables users to access content, information, electronic mail, or other services offered over the Internet, and may also include access to proprietary content, information, and other services as part of a package of services offered to consumers. Such term does not include telecommunications services.

This broad definition originally was passed into law as part of the earlier Child Online Protection Act (not to be confused with the Childrens' Online Privacy Protection Act). Importantly, CAN SPAM also used other definitions from other prior laws defining similar terms. One example, one short line above the CAN SPAM 'internet access provider' definition, is the definition of 'Internet.' CAN SPAM defines 'Internet' by reference to the earlier passed Internet Tax Freedom Act, 47 USC 151 note. Importantly, CAN SPAM did not adopt the much narrower, more ISP-centric definition of 'internet access provider' in that Act. The Internet Tax Freedom Act defines an internet access provider as "a person engaged in the business of providing a computer and communications facility through which a customer may obtain access to the Internet..."

This definitional difference is important because CAN SPAM was written with service providers above and beyond just then-traditional modem-pooling, DNS-providing traditional ISPs in mind. Spam impacts next-generation services like online website hosts, online email providers, online proxies and filtering services, and CAN SPAM was drafted to take into account not just the dial-up AOLs of the world, but also the Rackspaces, the Hotmails, and the TUCOWs.

So courts have uniformly picked up this clear distinction, right?

If they had, what would there be to write about? While CAN SPAM was commonly understood to prevent end-user lawsuits, that portion of the law is implicit, not explicit. CAN SPAM was, however, explicitly written broadly to cover all, even the as-of-yet-uninvented, online service providers that spam negatively impacted. Unfortunately, subsequent court cases addressing the issue of whether it is an 'internet access provider' bringing suit have sometimes attempted to reinsert traditional ISP-style definitions into the Act.

A recent case getting the issue correct is Haselton v. Quicken Loans Inc.. Though anti-filtering activist Bennett Haselton, administrator of peacefire.org, sued Quicken in his individual capacity, separately incorporated Peacefire also was a named plaintiff. Defendant Quicken made much of the fact that Haselton was the sole employee of the organization and alleged Haselton was simply an individual end-user filing suit. Haselton countered, and the court agreed, that Peacefire's filter-circumventing service, even if operated only by Haselton, was clearly an 'internet access service provider' within the meaning of the Act.

Unfortunately, other courts, and commenters, have often channeled their skepticism over the litigation intentions of a plaintiff into interpreting this broad definition narrowly. For example, the Gordon v. Virtumundo court's palpable disagreement with serial plaintiff Gordon's litigation intentions and strategy led it to reach to hold, contrary to the plain wording of the definition, that Gordon's multi-user internet email service was not a " a service that enables users to access ...electronic mail... offered over the Internet." UPDATE

While they may be legitimate concerns over the capacity and legitimacy of serial plaintiffs' anti-spam suits, courts can address them without resorting to unnecessarily adjusting definitions in the statute. In Hypertouch v. Kennedy-Western University, for example, the court correctly recognized that an email service provider, even though small and providing accounts without charge, was nonetheless a 'internet access service provider.' As Eric blogged earlier, this court addressed its, and defendant's, concern that the plaintiffs allegations were inadequate and more properly addressed towards the actual marketing company in its ruling that plaintiff was an internet access service provider, but its claims were inadequate to survive a motion for summary judgment.

12/08 Update An observant Tri-cities reader gently corrects me, noting that Judge Coughenour ultimately did, contrary to what I suggested, conclude the plaintiff qualified as an Internet access service provider in Gordon v. Virtumundo. After reviewing all the criticisms and interpretation of legisaltive history and analogous cases that suggested Gorden was not intended to qualify, Judge Coughenour did ultimately conclude Gorden qualified "under the statute's capacious definition." So, my speedy reading aside, Gordon v. Virtumundo stands as an appropriate example of a court properly addressing questions about the propriety of a suit without narrowing the definition of an Internet access service provider after all.

Posted by Ethan Ackerman at 01:29 PM | Internet History , Spam | TrackBack

October 29, 2008

CAN-Spam-a-Friend?--Hoang v. Reunion.com

Hoang v. Reunion.com sidesteps an eagerly anticipated legal dispute over the legality of commercial address book scraping and 'send-to-a-friend' emails, and also highlights the damage that can cascade when a federal Circuit Court woefully misreads a statute.

By Ethan Ackerman

In July 2008, Violetta Hoang filed a class action lawsuit under California's state anti-spam laws against Reunion.com, a Los Angeles-based social network site. On October 6th, the court ruled for Reunion.com, granting its motion to dismiss, but allowing Hoang leave to re-file an amended complaint. While a less-than-3-months turnaround is admirable, this case stands as an apt reminder that haste makes waste.

What was sent?

A series of May 2008 solicitations from plaintiffs' acquaintances were the origin of this suit. More precisely, the series of emails were sent from Reunion.com mail servers but bore the names (and in some cases, addresses) of plaintiff's acquaintances in the 'From' line of the email. The emails also contained subject lines like "[Acquaintance] Wants to Connect with You." The emails were sent by Reunion.com servers because plaintiffs' acquaintances had registered with Reunion.com and at some point agreed to, or failed to opt out of, Reunion.com's address scraping practices. In the lawsuit, plaintiffs alleged that these emails were sent to plaintiffs not by plaintiff's acquaintances, as the email 'From' line and subject suggested, but by Reunion.com after Reunion.com had scraped the plaintiffs' addresses from acquaintances' address books when acquaintances became Reunion.com members. In short, pursuant to a possibly agreed-to Terms of Service, Reunion.com scraped its members' address books and then sent solicitations to the resulting addresses, but also took several steps to make it appear that the solicitation was from the member.

This email-scraping-and-dodgy-addressing practice sounds consistent with other accounts of Reunion.com's less than desirable (or legal) efforts to expand its member base. The site claims tens of millions of registered members, suggesting these email campaigns seem to work. The frequency of critical coverage over Reunion.com's various advertising and data-gathering methods also seems to suggest the tactics are as commonly objectionable as they are effective.

In February of this year, Eric highlighted a Wired article about address book scraping and other common web gathering processes. It's a very interesting area with a lot of thorny legal questions. This post, however, is just about the resulting spam.

But was it spam?

Claiming a violation of all three portions of California's anti-spam law, plaintiff's brought a claim against Reunion.com. Plaintiffs alleged Reunion.com used a falsified, misrepresented or forged 'From' line. Plaintiffs alleged that the subject lines Reunion.com used were misleading. Plaintiffs also alleged Reunion.com used a 3rd party domain name (yahoo.com) without Yahoo's permission.

[Author's aside: From the complaint, which describes several instances of 'From' line name forging, but only one instance of 'yahoo.com' appearing as part of a 'From' line, it sounds like Reunion.com's address book scraping likely picked up an email address that was stored in the name field of a member's address book, rather than some more nefarious domain name forging.]

Smells like spam, so what does the law say?

Rather than denying these accusations, Reunion.com chose to counter with a preemption defense. Reunion.com claimed that its practices were sanctioned by federal law and thus, even if actionable under California law, the federal CAN-SPAM Act preempted plaintiffs' claims.

The CAN-SPAM Act's preemption clause, 15 USC 7707 (b)1, does broadly preempt most state anti-spam laws - "This chapter supersedes any [State law] that expressly regulates the use of electronic mail to send commercial messages." This first sentence makes Reunion.com's preemption defense sound pretty plausible. But wait, as the late night infomercials say, there's more. The rest of the clause identifies a significant exception that preserves many of these state laws - "except to the extent that any such statute, regulation, or rule prohibits falsity or deception in [an email]."

So state law claims, like the plaintiffs', are preempted, except to the extent that the state law addresses falsity or deception, in which case the claims may proceed. Courts have been handling the preemption and preemption exception clauses of CAN-SPAM now for several years, and have had more or less no problem concluding that compliant state anti-spam laws can survive if they fit in CAN-SPAM's exception.

OK, so that's what CAN-SPAM says. Let's compare that to the California state law at issue. As identified above, the plaintiffs made three claims under the California law: a falsified 'From' line, a deceptive subject line, and the deceptive use of a 3rd party's domain name in an email header. All three claims address falsity and deception in an email's header, the core of CAN-SPAM's preemption exception. While Reunion.com might dispute the facts of each claim (not misleading, not false because authorized, etc.) it seems pretty clear that the claims can survive CAN SPAM's preemption test as written.

So if the law passes the CAN-SPAM test, whose preemption test is it failing?

The Reunion.com preemption defense cited two sources - the Mummagraphics holding and an FTC rule-making and policy paper on refer-a-friend email marketing.

The court accepts Reunion.com's first source, the prior Mummagraphics case, and doesn't rely on the FTC's policy paper for its holding. As a result, its discussion of the FTC guidance is a very brief discussion at the opinion's end in its discussion over whether to grant leave to amend.

A brief tangent

Before addressing the Mummagraphics precedent, I want to address the FTC rulemaking and policy paper too. Reunion.com asserts that the FTC rulemaking and policy paper permit, as a matter of law, its address book scraping and subsequent emailing. As a threshold matter, there's the fairly complex question of which portions of the FTC's Rulemaking and policy paper on refer-a-friend emails are actual Rulemakings with the force of law and which are policy guidance. Fun APA stuff. But even if the refer-a-friend portions are construed as a rulemaking, a brief read of the guidance reveals that there's, to put this politely, no sane way to conclude that the guidance makes Reunion.com's actions "as a matter of law, exempt from liability under CAN-SPAM." The guidance is page after page of non-exclusive, hedged discussions of what may make a sender liable. The FTC doesn't hand out any 'exemptions from liability' in the rules. Even this otherwise preemption-accepting court is suspicious of this assertion, stating

The FTC did not rule that a commercial entity whose message is the subject of a "forward-to-a-'friend'" email is, as a matter of law, exempt from liability under CAN-SPAM or that such entity could never be held liable, as a matter of federal law, for initiating an email containing false information. Rather, the FTC found that a determination as to whether such entity is exempt from liability under CAN-SPAM would require a "highly fact specific inquiry.

To further beat a dead horse, I'll just focus the issue a bit more. The guidance discusses when a commercially motivated refer-a-friend email is, and very infrequently isn't, subject to CAN-SPAM's provisions. It is page after page addressing when an email will be held to CAN-SPAM's standards, not on when an email will be held to, or preempted from, a state law's standards. While it may be possible that the FTC rules could categorize a given email as "not covered" by CAN-SPAM, that's not the same thing as preempted by CAN-SPAM. Buried deep within a hypothetical set of facts there might be a negative implied preemption argument that could be teased out of the FTC ruling, but Reunion.com isn't making that argument.

Back to the holding, then...

It's not that common in the development of case law that a significant intellectual error can be traced to one particular case, but that's the case here. This case errs because the court was too quick to rely on the erroneous 4th Circuit holding of Omega World v. Mummagraphics to dismiss.

The Mummagraphics court was faced with a similar suit alleging state and CAN-SPAM claims over emails with similar false and misleading subjects and headers, including subject lines falsely suggesting the recipient had requested the email, and "from:" addresses from unaffiliated domains that were not even in the actual transmission path.

A more critical argument against the Mummagraphics opinion could easily be made, but I'll simply opine that Judge Wilkerson of the Fourth Circuit sent spam jurisprudence down the wrong path in several key respects with this holding. While each of the errors will likely cause a lot of damage, several of them (e.g. the re-writing of the statute's 'materiality' standard, concluding that truthful email body text 'cures' header falsity) only have to do with claims under CAN-SPAM, and not on state law preemption. As a result, I'll focus on the error of Mummagraphics that causes so much headache for preemption claims - what constitutes a "falsity or deception" for purposes of determining preemption.

The statute says 'falsity and deception,' but this court thinks it should say fraud instead, so we now hold that it does...

The Mummagraphics court was faced with a claim under an Oklahoma statute that prohibited falsity and deception in email headers. While acknowledging that 'falsity' means just that - "erroneous, wrong," or "untrue", the court proceeded to construe the CAN-SPAM exception as preempting any state law using any standard less than "fraudulent".

This shift is no angels-on-the-head-of-a-pin difference. It's more analogous to the difference between murder and simple assault. Fraud requires misrepresentation and knowledge of falsity and intent to defraud and justifiable reliance and damage. Fraud is a significant enough legal claim that it has its own pleading standards in Federal court. In contrast, falsity or deception are just individual elements of fraud.

The Mummagraphics court dresses up this statutory re-writing by pointing to instances in CAN-SPAM where a heightened standard beyond 'falsity' is used, and argues that these other instances prove Congress intended a heightened standard. Unfortunately, this argument just proves the opposite. Far from being another instance of the same standard, the other language proves Congress knew how to state the particular standard it wanted. When 'falsity' was intended, as in 15 USC 7707(b)1, 'falsity' was used. When 'fraud' was intended, as in a mere paragraph later in 15 USC 7707(b)2, 'fraud' was used. When 'falsity' wasn't enough, but 'fraud' was too much, as in 15 USC 7701(a)1, 'materially false' was used. When Congress wanted to require actual knowledge, or a specific intent, as in 7704(a)2 and 7702(12), it used the terms "actual knowledge" and "intentionally."

Eh, so Mummagraphics was probably based on an erroneous conclusion, what's the harm?

The Mummagraphics opinion represents a Circuit-level opinion on federal law, so it is wholly binding in state and federal courts in the 4th Circuit and persuasive in all others. Additionally, it construes the scope of federal law, the CAN-SPAM Act, rather than just a particular state's law, so it is, if not controlling, at least pertinent in every case that raises a CAN-SPAM preemption defense. Not surprisingly, the opinion is having an effect. Several courts, even before Reunion.com, have relied on Mummagraphics' impossible to meet preemption standard to summarily dismiss cases raising state law anti-spam claims. State enforcers and legislatures are even starting to take notice and drafting amicus briefs and legislation to circumvent the results of the holding.

More comments about the opinion: Venkat and Tom O'Toole.
______

Eric's comments: Ethan makes a persuasive case that the statutory language in CAN-SPAM distinguished fraud from falsity. Nevertheless, I still support the Mummagraphics holding because I always thought it was unnecessary and counterproductive for Congress to let any state anti-spam statute survive preemption. From my vantage point, state anti-spam laws have done nothing useful to curb abusive spam. Instead, they have just littered the court system with junk cases, often from serial entrepreneurial litigants trying to punch lottery tickets. So if Mummagraphics provides defendants with a quick way to squelch unnecessary state law claims, I'm all for it.

I think Ethan is right that this case may misread Mummagraphics to extend the preemption even further than the 4th Circuit intended. Given my predisposition towards broad preemption, this is still a good outcome, but I am more troubled. In particular, I think the Reunion.com approach does not comfortably fit in the refer-a-friend bucket, and their efforts to leverage off the implicit social network connections bring to mind the worst aspects of the Facebook Beacon program. In this sense, the line between a true refer-a-friend program and a pretend referral that's just blatant marketing by grabbing email addresses reminds me a little of the first party/third party marketing representation distinction in 47 USC 230 jurisprudence. If the friend asks the site to send the email, it's a referral and not spam. If the friend provides the email address but doesn't endorse the message, it's governable by CAN-SPAM. This distinction is cloudy in 230 jurisprudence too, and it is giving the SEC fits too. Smells like a paper topic here.

On a personal note, mazel tov to Ethan and his wife on the arrival of their daughter Lily!
____________

10/30 UPDATE: Venkat's comments include a link to the plaintiffs' amended complaint. It takes a legally correct, tactically courageous approach. Rather than taking the Court up on its invitation to amend the pleadings to meet the various elements of a fraud standard, the plaintiffs' complaint reiterates its earlier falsity standard pleadings and then attempts to distinguish Mummagraphics, or at least limit the holding. The amended complaint distinguishes and notes that the Mummagraphics holding, for all its strong dicta about fraud and broad preemption, only held that CAN-SPAM would preempt a strict liability statute. The plaintiffs then proceed to show that the California statute is more than a strict liability statute, and even helpfully point to 9th Circuit precedent that distinguishes falsity from fraud for federal law purposes, clearly holding falsity as a lesser standard. I suspect Reunion.com could make the strong counter-argument that the Mummagraphics results matter more than the holding, because the Mummagraphics result, preemption, was of an almost identical statute that wasn't strict liability either. But making such an argument only invites closer scrutiny of Mummagraphics and highlights its error. Not only was Mummagraphics' stated holding (strict liability is preempted) inconsistent with the Mummagraphics result (a 'more-than-strict-liability' statute was preempted) but the holding was legally wrong in attempting to re-write the carefully negotiated preemption standard up from falsity to something higher. Before giving the benefit of the doubt to the Mummagraphics court in its re-writing, consider that the precise wording and standards in the preemption provisions of a federal spam law were one of its most-negotiated provisions. They changed from one Congress to the next, were different between various bills in the 108th congress, and were even switched between the different versions introduced and ultimately passed in the 108th Congress.

Posted by Ethan Ackerman at 03:55 PM | Marketing , Spam | TrackBack

October 14, 2008

September 2008 Quick Links, Part 3

By Eric Goldman

eBay

* Universal Grading Service v. eBay, Inc. More fallout from the National Numismatic v. eBay case--another lawsuit alleging antitrust and defamation because eBay designated some coin rating services as preferred and impliedly devalued others.

* Windsor Auctions v. eBay has been refiled in a new jurisdiction.

* Mehmet v. Paypal, Inc., 2008 WL 3495541 (N.D. Cal. Aug. 12, 2008). Upholding the consequential damages waiver in PayPal’s user agreement.

* A company's failure in the marketplace can drive up the value of its collectibles on eBay.

Google

* Stelor Productions, Inc. v. Google, Inc., 2008 WL 4218107 (S.D. Fla. Sept. 15, 2008). In the lawsuit alleging that Google causes reverse confusion of Googles.com [warning: annoying music ahead], the plaintiff doesn't get to depose Sergey or Larry yet. Rose Hagan, Google’s long-time chief trademark counsel, is the lucky substitute.

* Lots of rhetoric in the Google/Yahoo ad syndication deal. Google’s advocacy website. Google Chief Economist Hal Varian explains why the deal won’t raise ad prices in the auction. Randall Stross weighs in.

* Google has changed course and now allows religious groups to advertise on the keyword “abortion.”

* Kubit v. Google Groups, 2:2008cv00738 (M.D. Fla. complaint filed Sept. 29, 2008):

I then would like to sue Google Groups for not removing the posts when I repeatedly asked them to for 2 years. I believe I am entitled to at least a small amount of compensation for the emotional distress and lost business income that has resulted from them allowing these posts to remain on their Google Groups, even though I offered them VERY solid proof that I do not have HIV. If they had stopped the posts when they first occurred, they would not have proliferated to hundreds of websites. I became suicidal for a period of time after the posts started. I incurred a lot of emotional pain and fear because of the posts and had to seek psychiatric and psychological help to get my life back together. I still suffer from fears of dating, living a public business life and trusting others.

Yes, this is a pro se complaint. Yes, it is preempted by 47 USC 230.

Marketing/Advertising

* NebuAd is dead (1, 2). Even so, the lure of intermediaries aggregating deep data about consumers for commercial purposes will never die.

* Is Gator/Claria dead?

* The EU passed a non-binding resolution against sexual stereotypes in advertising.

* Celebrity branded merchandise run amok.

Miscellaneous

* Valleywag: "The 5 most laughable terms of service on the Net." For more laughs, see Mark Lemley’s Terms of Use paper.

* Murakowski v. University of Delaware, 2008 WL 4104087 (D. Del. Sept. 4, 2008). This reminded me a lot of the Jake Baker case from the mid-1990s.

* The Virginia Supreme Court reversed itself on the Jaynes anti-spam prosecution, and Jaynes walks. Does Virginia routinely pass unconstitutional laws?

* Becker v. Toca, 2008 WL 4443050 (E.D. La. Sept. 26, 2008). Ex-wife's alleged delivery of "Infostealer" program to grab passwords from ex-husband could violate the ECPA, SCA and CFAA.

* Interesting article on ESPN’s exclusive distribution and bundling agreements with Internet access providers.

* Funniest law firm names.

* Silly? Horrifying? A sign of the apocalypse?

Posted by Eric at 06:17 PM | Adware/Spyware , Content Regulation , Derivative Liability , E-Commerce , Internet History , Licensing/Contracts , Marketing , Privacy/Security , Search Engines , Spam | TrackBack

October 11, 2008

September 2008 Quick Links, Part 2

By Eric Goldman

Copyrights

* In the Harry Potter fair use case, the court declared that the Lexicon encyclopedia isn't fair use.

* The judge declared a mistrial in the Jammie Thomas case.

* Designer Skin v. S&L Vitamins has reached its denouement. Previous blog coverage of the case (1, 2). In the prior ruling, the judge denied the plaintiff damages for the copyright infringement. In the final ruling, the court enjoins cutting and pasting product shots but allows the defendant to recreate the product shots. Ronald Coleman has more here and here (noting that the court says that, per MercExchange, an injunction does not automatically follow from a finding of copyright infringement).

* Wired's 5 year retrospective on the RIAA's litigation campaign against file sharing.

Social Networking Sites, Blogs and Online Publishing

* J.S. ex rel. Snyder v. Blue Mountain School Dist., 2008 WL 4279517 (M.D. Pa. Sept. 11, 2008). Upholding student discipline for creating a fake MySpace page of principal. The school initially based the discipline on the student infringing copyright (by cutting and pasting the principal's photo) but this aspect of the case wasn't mentioned at all in the court’s reasoning.

* O.Z. v. Board of Trustees of Long Beach Unified School Dist., 2008 WL 4396895 (C.D. Cal. Sept. 9, 2008). Two seventh graders make a video about killing their teacher, described as:

The slide show is essentially a dramatization of the murder of Mrs. [redacted]. The first slide photo states, "Mrs. [redacted] dies." Throughout the slide show there are photos of Plaintiff dressed up in a costume, depicting a woman meant to resemble Mrs. [redacted]. There is red text on each slide photo that describes the scene. One slide says, "Jelly Donut's knife: haha fat bastard. here i come!" In this same photo, the viewer can see a butcher knife lunging at Mrs. [redacted] character from the camera's point of view. The butcher knife is then laid on the fallen victim while the text reads, "hehehe. i'm a shank yoooooooooo!" At the end of the slide show, it reads, "your [sic] dead, BITCH! :D".

I think they thought it was funny, but no one else did. One of them posted the video to YouTube. It's unclear what happens to the poster, but the co-content creator was suspended and forced to transfer to another school for her eighth grade. In this case, her TRO request is denied, even if she didn't intend the video to be publicly distributed and even if the video was not a "true threat."

* Spanierman v. Hughes, 2008 WL 4224483 (D. Conn. Sept 16, 2008). Teacher who was fired for inappropriate MySpace communications with students can't sue the school.

* An encouraging update on the Lori Drew prosecution.

* Bill McGeveran on Facebook Beacon and legal liability.

* Good NYT article on the sociology of Facebook and Twitter.

* Sam Bayard on an interesting but confusing ruling from Montana on its shield law applied to anonymous online posters.

* Verdana Partners v. Giles. Online newspaper wins anti-SLAPP claim.

* Jardin v. Datallegro, Inc., 2008 WL 4104473 (S.D. Cal. Sept. 3, 2008). A litigant's taking down a blog post and its comments is not destruction of evidence.

* Nemet Chevrolet has appealed its 230 loss. Previous blog coverage.

* Do Facebook's anti-spam policies overregulate Facebook's power users?

Posted by Eric at 07:49 AM | Content Regulation , Copyright , Derivative Liability , Internet History , Spam | TrackBack

October 07, 2008

Email Ad Network Isn't Liable for Unsolicited Email--Ferron v. Echostar

By Eric Goldman

Ferron v. Echostar Satellite LLC, 2008 WL 4377309 (S.D. Ohio Sept. 24, 2008). The Justia page.

John Ferron is one of several "repeat" plaintiffs around the country suing over unsolicited email (perhaps not coincidentally, he's also an attorney). In this case, Ferron sued a variety of defendants associated with unsolicited email promoting dish satellite offerings for violations of Ohio's consumer protection law and the Electronic Mail Advertising Act (EMAA).

One of the defendants is Hydra, "a service that connects satellite dish service retailers with companies that advertise by email. The retailers create the advertisements. Hydra then stores the advertisements on its database. Other companies then access Hydra's database and send the advertisements to consumers by email." Hydra does not create the ad content or send the actual emails.

Ohio's consumer protection act has a defense for innocent publishers of ads. Even though the statute does not contemplate the existence of an email ad network, the court says that Hydra is only an "information disseminator" and therefore qualifies for the defense. It was also alleged that Hydra wasn't innocent because Ferron had sent it a copy of his complaint, but the court says that the complaint does not act as sufficient proof of a statutory violation.

The court declines to grant Hydra SJ on the EMAA claim, saying that while Hydra did not "transmit" the email, it could not tell if Hydra "caused" the email to be transmitted. Nevertheless, the court says that, per Mummagraphics, Ohio's EMAA is preempted by CAN-SPAM because it regulates conduct that is not sufficiently fraudulent or deceptive. As a result, Hydra gets SJ on the EMAA claim and is dismissed from the lawsuit.

From my perspective, this case is another example of the larger battle against unsolicited email using state law (such as the many state anti-spam laws). In my opinion, the heavy reliance on state law has led to enormous wasted motion, which is the direct and unfortunate consequence of (1) CAN-SPAM failing to completely preempt all state anti-spam laws, and (2) early opinions (mistakenly, IMO) holding that state anti-spam laws don't violate the dormant commerce clause even though most email senders cannot realistically "steer" their emails into or out of a state.

[This post has been amended in response to emails from John Ferron alleging that my prior post was defamatory.]

Posted by Eric at 04:32 PM | Marketing , Spam | TrackBack

September 09, 2008

August 2008 Quick Links, Part 2

By Eric Goldman

Net Neutrality

* The FCC gets on Comcast’s case for deceptively blocking BitTorrent connections without disclosure. While I don’t know anyone who has defended Comcast’s behavior here, at the same time there is an undercurrent of concern about the FCC’s authority to regulate Internet activities. Could this be the FCC camel's nose in the Internet's tent? We will learn more about the FCC's authority because Comcast has appealed the FCC's decision.

* A topic I haven't seen discussed very much: how the doctrine of trespass to chattels intersects with net neutrality principles. The only article I found in a 60 second search on the topic was a couple of paragraphs in J. Gregory Sidak, A Consumer-Welfare Approach to Network Neutrality Regulation of the Internet, 2 J. Competition L. & Econ. 349 (2006).

Contracts

* Jacobsen v. Katzer (Fed. Cir. Aug. 13, 2008). This ruling has been hailed as a validation of open source licenses, but I’m not sure what to make of this opinion. If the opinion merely says that breach of a copyright license can support copyright infringement, that’s no big deal. However, among other conspicuous omissions, the court does not discuss how the licensor formed a contract in this case. Thus, if the court’s conclusion is that copyright owners can impose conditions on licensees’ enjoyment of their copyright without properly forming a contract, then this opinion could undo the entire scheme of online contract formation. For example, it could support a conclusion that browsewrap-style “contracts”/terms of use should be enforceable as conditions on the accessing of copyrighted web pages. See, e.g., Ticketmaster v. RMG.

* Interactive Retail Management, Inc. v. Microsoft Online, L.P., 2008 WL 3851691 (Fla. App. Ct. Aug. 20, 2008). This is a click fraud case I hadn't heard about previously. Microsoft won at the trial court on jurisdiction grounds. This court revives the lawsuit for more jurisdictional investigation.

* Jeff Neuburger on a Wisconsin case saying that the UCC governs contract formation via email instead of UETA.

* Request for your guidance. Wikipedia has some photos that simultaneously say they are released under both a Creative Commons license and the GFDL. See, e.g., this photo. The license terms are irreconcilably inconsistent. If someone wants to use such a photo, now what?

Competition Restrictions

* Edwards v. Arthur Andersen (CA Sup. Ct. Aug. 6, 2008). The Ninth Circuit was wrong to create a narrow restraint exception to B&P 16600, the California statute voiding non-compete clauses.

* XPEL Technologies Corp. v. American Filter Film Distributors, 2008 WL 3540345 (W.D. Tex. Aug. 11, 2008). Rebecca on an odd case involving (once again) the DMCA anti-circumvention provisions as an anti-competition tool.

Miscellaneous

* Two interesting studies recently about people’s response to spam. Despite the animosity, a quarter of consumers have responded to cellphone spam and 30% say they have made purchases in response to spam. For more complementary statistics and my attempt to explain this seeming dichotomy, see here.

* The First Circuit issued an interesting DMCA 1201 case that I haven’t seen discussed. The BNA summary: “District court properly granted summary judgment to plaintiff cable television service provider on claim that defendants violated Digital Millennium Copyright Act by selling low-frequency signal filters, within plaintiff's service area, that were capable of bypassing plaintiff's pay-per-view billing mechanism, since plaintiff's pay-per-view delivery and billing system is technological measure that effectively controls access to copyrighted works, and digital cable filter allows subscribers to "avoid" or "bypass" that technological measure (CoxCom Inc. v. Chaffee, 1st Cir., 8/4/08)”

* AP v. Moreover settles. My initial post on the lawsuit.

* Funny YouTube video: "Here Comes Another Bubble," set to the tune of Billy Joel's "We Didn't Start the Fire"

Posted by Eric at 08:49 AM | Content Regulation , Copyright , Licensing/Contracts , Marketing , Search Engines , Spam | TrackBack

August 08, 2008

Affiliate Liability Extravaganza

By Eric Goldman

[Note: I recently published a version of this article at InformIT. Here's the pre-edited version I sent them.]

Introduction

This article discusses marketers’ liability for the actions of their marketing affiliates (what I refer to as “affiliate liability”). The affiliate liability issue has become red-hot recently because numerous plaintiffs have taken aggressive legal positions seeking to expand the boundaries of affiliate liability. In three recent rulings, courts have emphatically rejected these expansive liability arguments. Even so, it seems likely that plaintiffs will continue to look for ways to expand affiliate liability, and despite the favorable rulings, defendants often settle a lawsuit alleging affiliate liability rather than establish their rights in court.

Affiliate Marketing—Good and Bad

Marketers create affiliate programs to outsource marketing decisions to domain experts. For example, independent third parties may have better or cheaper access to subcommunities of potentially interested consumers than a marketer’s employees. An affiliate marketing program compensates these local experts for work and expertise involved to take the marketer’s message to those consumer communities. When it works properly, affiliate marketing programs can play an important role in the broad “invisible hand” economic phenomenon of allocating scarce resources to consumers who value them the most.

Affiliate marketing doesn’t always have this salutary effect. Affiliate marketing programs create payoffs to motivate affiliate behavior, and inevitably some affiliates will try to obtain the payoff without doing the desired activity. Thus, even if the marketer would prefer otherwise, some affiliates might do “whatever it takes” to get paid, including using false advertising or illegitimate marketing mechanisms. Further, the fact that the marketer outsources some choices to affiliates (a necessary part of any affiliate program) can lead to “diffuse responsibility” where the marketer and affiliates point fingers at each other if something goes wrong. Sometimes, when there are multiple tiers of affiliates, it can become effectively impossible to assign responsibility for the wrongdoing.

To bypass these legal entanglements, plaintiffs have sought ways to hold marketers vicariously (automatically) liable for their affiliates’ actions. However, these efforts “break” standard tort law by trying to treat independent contractors as if they are principal-agents without the requisite supervision or authority that typically triggers agency liability. As a result, overexpansive theories of affiliate liability cause marketers to internalize too many costs, curtailing potentially socially beneficial marketing activities or leading to overinvestment in socially wasteful liability minimization schemes.

Plaintiffs Gone Wild: Two Recent Efforts to Expand Affiliate Liability

There have been countless affiliate liability enforcement actions, but I’ll focus on two recent initiatives.

New York Sales Tax Law

State and local taxing jurisdictions have long coveted a way to impose sales tax collection responsibilities on non-resident Internet vendors. In general, these efforts have been stymied by the Supreme Court’s decision in Quill Corp. v. North Dakota, 504 U.S. 298 (1992), which requires a vendor to have a physical presence in the jurisdiction before the taxing entity can impose sales tax collection obligations on it.

New York, however, developed a nifty workaround. In April, it passed a law (Chapter 57, N.Y. Laws of 2008) declaring that a vendor’s marketing affiliates in New York constituted a physical presence in New York by the vendor. If so, New York can impose sales tax collection obligations on remote vendors due to their New York affiliates. As part of its crafty plan, New York tried to induce compliance with a carrot—if remote vendors voluntarily agreed to collect and pay sales tax from New York residents going forward, then New York would grant them amnesty for any back sales tax collection obligations.

Neat trick, but…a small problem: affiliates are independent contractors of the vendor, so this effort to treat them as legally related entities surely doesn’t comply with the Constitution. I suspect a court will confirm this flaw because both Amazon and Overstock.com have sued New York over the law. At the same time, to minimize its risk, Overstock has also tossed all of its New York affiliates overboard. One might question the wisdom of the New York legislators prompting marketers to cut off opportunities for New York online entrepreneurs.

Trademark Owners Claiming Marketers Are Liable for their Affiliates’ Marketing

Another trend: trademark owners are trying to hold a marketer liable for the alleged trademark infringement committed by its affiliates, such as when affiliates purchase the third party trademark as a keyword trigger for search engine ads. Plaintiffs have alleged affiliate liability in at least three lawsuits in the past couple of months:

* DSW v. Zappos.com (S.D. Ohio complaint filed May 12, 2008). For more, see SEOmoz.

* NameSafe v. LifeLock (M.D. Tenn. complaint filed June 26, 2008). For more, see Techdirt and News.com.

* Rosetta Stone v. Rocket Languages (C.D. Cal. complaint dated July 2, 2008). For more, see the WSJ Law Blog.

Courts Weigh In—and Plaintiffs’ Expansive Theories Don’t Fare Well

The efforts to extend liability in the sales tax and trademark contexts are novel, and it’s hard to predict the final outcome because we have limited direct precedent to consult. However, looking at some recent rulings in other contexts, there is good reason to believe that both legal theories go way too far.

CAN-SPAM

Unlike many other areas of the law, CAN-SPAM (15 USC 7705 and 7706) specifically authorizes affiliate liability in the statute. The Federal Trade Commission (FTC) has routinely invoked this provision in its pursuit of marketers promoted by affiliate-initiated spam (for one of the more recent examples, see the FTC’s press release on one of its porn spam busts and settlements). Further, typically when the FTC targets a marketer on an affiliate liability theory, the marketer rolls over and settles rather than fight.

But…a small problem: the FTC’s expansive interpretation of the affiliate liability statute—the basis it has used to procure these settlements from marketers—may not actually reflect the law. In an outcome that didn’t get nearly the press it deserved, in an lawsuit against Impulse Media earlier this year, the FTC took its affiliate liability theories to a jury and lost. This is a huge verdict because (1) the FTC rarely loses in court, and (2) perhaps more importantly, when average citizens evaluate the FTC’s expansive affiliate liability theories, they may balk.

Oddly, the FTC didn’t take no for an answer. It subsequently asked the judge to enjoin Impulse Media even though Impulse Media won the jury verdict. Talk about chutzpah! Not surprisingly, the court declined the request. US v. Impulse Media, 2008 WL 1968307 (W.D. Wash. May 1, 2008).

In another lawsuit, ASIS Internet Services, v. Optin Global, Inc., 2008 WL 1902217 (N.D. Cal. March 27, 2008; unsealed April 29, 2008), a civil plaintiff, ASIS (a serial anti-spam litigant), invoked the CAN-SPAM affiliate liability provision in its anti-spam lawsuit against 20 defendants. One defendant never showed; 18 defendants settled up (as mentioned, the typical response); and only one defendant—Azoogle—persisted in court.

Azoogle is a lead generation company for upstream marketers, and it relies on downstream affiliates to help it generate leads for its clients. Some of those downstream affiliates generate leads via spam. In this ruling, the court rejects Azoogle’s liability for spam sent by its marketing affiliates:

Although ASIS has pointed to significant evidence that Azoogle, during the relevant time period, did little to investigate the third party vendors it engaged, there is no evidence in the record from which a jury could conclude that Azoogle, in contracting with Seamless Media, made a deliberate choice not to know that Seamless Media would engage third parties to send out spam on Azoogle's behalf. The evidence cited by ASIS to establish knowledge on Azoogle's part is entirely speculative. Even assuming it is true that the Emails were sent by a single individual and that the lead was typed into a web site that was copied from Azoogle's lowrateadvisors site, this is insufficient to show that Azoogle consciously avoided knowing that the Emails would be sent. Further, while ASIS relies primarily on the allegation that Azoogle failed to adequately investigate its third-party vendors, ASIS has pointed to no evidence that if Azoogle had investigated Seamless Media prior to entering into the Insertion Order, it would have learned facts sufficient to show that Seamless Media was likely to engage in CAN-SPAM violations. There is no evidence in the record that would put Azoogle on notice that Seamless Media, or Seamless Media's vendors, obtained leads from spammers. Indeed, the only evidence on this subject is that Seamless Media had a good reputation at the time, and was obliged by its contract with Azoogle to follow the law.

Adware

Another recent affiliate liability decision is the remarkable ruling in People v. Direct Revenue LLC, 2008 WL 1849855 (N.Y. Sup. Ct. March 12, 2008), another case that did not get the attention it deserved. Disclosure note: I helped file an amicus brief in this case.

In 2006, the NY Attorney General’s office (NYAG) made the apparent decision that adware vendor DirectRevenue needed to be shut down by any means necessary, and it launched a multi-front attack on DirectRevenue. It publicly posted a website with information about DirectRevenue that had no apparent purpose other than to denigrate DirectRevenue’s reputation. It bullied DirectRevenue’s advertisers, ultimately procuring, and then releasing a hyperbolic press release about, an insignificant settlement that spooked potential advertisers away from DirectRevenue. And finally, it sued DirectRevenue directly.

The NYAG’s actions had their desired effect. Perhaps due in part to the NYAG’s campaign to close DirectRevenue down, DirectRevenue did in fact go out of business. Congratulations to the NYAG for achieving its apparent goal.

But…a small problem: the NYAG’s assessment of DirectRevenue’s legitimacy may have, in fact, been itself lawless, because the court emphatically rejected all of NYAG’s legal theories. This might be amusingly ironic if the NYAG’s anti-DirectRevenue campaign wasn’t such a chilling and crushing misuse of governmental powers.

The opinion is worth reading in its entirety, especially where the court affirms the EULA formation and limits extraterritorial liability. However, apropos to this post, the court rejected DirectRevenue’s liability for allegedly illegitimate software installations made by its affiliates, saying “petitioner has not shown that respondent should be held liable for the actions of those third parties under a theory of agency or ratification, or otherwise.” The court explains:

Dismissal is required with respect to the 22 [installations by] third parties, who petitioner concedes were independent contractors rather than agents of Direct Revenue. A principal is generally not liable for the acts of an independent contractor because of the lack of control over how the contractor's work is performed (Chainani v. Bd. of Educ., 87 N.Y.2d 370, 380-81 [1995]). Neither may the principal be charged with the conduct of even more remote subcontractors (People v. Synergy6, Inc., Index No 404027/03 [Sup Ct N.Y. Co 2006][unpublished disposition][Attorney General's action for deceptive practices and false advertising under GBL dismissed as against email marketing company where fraudulent emails were sent by company retained by agent]). Although exceptions exist, such as where the contractor was negligently retained or supervised (Saini v. Tonju Assocs., 299 A.D.2d 244, 245 [1st Dept 2002]) or where the principal has ratified the wrongful acts (Kormanyos v. Champlain Valley Fed. Sav. and Loan Assoc. of Plattsburgh, 182 A.D.2d 1036, 1038 [3d Dept 1992]), the record here does not support any grounds for departure from the usual rule.

As noted, under the SDA, Direct Revenue contractually required its distributors to obtain consent of consumers consistent with the terms of the EULA. The SDA also forbade the distributors from holding themselves out as respondent's agents. Respondent was not authorized or obligated to control their work, particularly since many of them additionally acted as distributors for various other advertisers. Although in Sotelo v. Direct Revenue, 384 Supp2d 1219 (ND Ill 2005) the court upheld a cause of action against respondent for negligent supervision of distributors, the issue arose on a motion to dismiss and the court thus restricted its inquiry to the four corners of the complaint. Notably, the court stated that it was precluded at that procedural juncture from considering respondent's evidence that the distributors were independent contractors, evidence which, as here, included the SDA.

…

The theory that respondents ratified the alleged third party misconduct also fails. The allegations that respondent had general and/or constructive knowledge of some distributors' wrongful practices are insufficient to impose liability (see, Synergy6, supra; Del Signore v. Pyramid Sec. Servs., Inc., 147 A.D.2d 759, 760-61 [3d Dept 1989][mere knowledge of litigation and complaints against security company for undue force by guards insufficient to impose liability upon hiring firm]; see also Hamilton v. Beretta USA Corp., 96 N.Y.2d 222, 237 [2001]). Moreover, it is conceded that in those few instances in which respondent obtained actual knowledge of a distributor's misconduct, it took significant steps to modify its procedures. A finding of ratification cannot be found upon such facts, notwithstanding that respondent may have benefited financially from its relationship with the distributors before remedial measures were implemented (see Synergy6, supra).

It is my understanding that the NYAG has filed a notice of appeal in this case to preserve its options, but it is still deciding if it will pursue the appeal.

Unfortunately, I’m not aware of the Synergy6 opinion being available electronically, which is a shame because it’s an interesting and relatively early rejection of the NYAG’s expansive affiliate liability doctrines. Due to that ruling (which involved email marketing instead of adware), the NYAG already had good reason to suspect that its predicate theories were dubious, which makes its decision to pursue those theories against DirectRevenue even more lamentable.

Conclusion

This post highlights two seemingly inconsistent trends. Trend #1 is that plaintiffs (private actors or government agencies) are taking very expansive positions on affiliate liability. Trend #2 is that when tested, expansive affiliate liability theories are failing in the courts. These two trends seem to be in conflict with each other. My hope is that trend #2 becomes so strong that it overrides trend #1, i.e., plaintiffs and government actors get the message that they have gone too far.

Unfortunately, in the interim, many defendants will capitulate and settle an expansive affiliate liability claim—even if it’s lawless—because it’s the cheapest path to resolution or because the precedent isn’t strong enough to ensure victory. Perhaps some defendants will realize that the trend is in their favor and will fight back accordingly. More judicial clarity about the line between permissible and impermissible behavior would benefit everyone.

It is also possible that the legal ambiguities of affiliate liability will be resolved by statute. However, despite the defendants’ string of court victories, I see the chances of legislative intervention to curtail expansive affiliate liability doctrines as nil. If anything, it’s more likely that future legislation will codify liability expansion.

For a rare in-depth analysis of affiliate liability, see Jean Noonan and Michael Goodman, Third-party liability for federal law violations in direct-to-consumer marketing: telemarketing, fax, and e-mail 63 Bus. Law. 585-596 (2008) [ABA subscription required to download].

Posted by Eric at 08:04 AM | Adware/Spyware , Derivative Liability , Marketing , Spam , Trademark | TrackBack

May 02, 2008

Spam Revisited: Virginia-style

By Ethan Ackerman

The Virginia Supreme Court revisits its First Amendment holding in Jaynes.

In what is likely a second stroke of luck for criminal spammer Jeremy Jaynes, the Virginia state Supreme Court recently granted a discretionary rehearing on the earlier 4-3 opinion. The Court limited review to First Amendment standing issues. These standing issues were the focus of skepticism in the dissent and in an earlier post on this blog.

The rehearing order is here.

This blog's earlier post discussing the ruling is here.

UPDATE 9/12/08

After granting a discretionary re-hearing, the Supreme Court of the State of Virginia reversed its earlier opinion, and Jaynes' coviction, and held the Virginia anti-spam statute unconstitutionally violates the 1st Amendment. Since the statute covers non-commercial as well as commercial speech, the Court ruled it is unconstitutionally broad. In doing so, the court concluded that its initial reading of Hicks was problematically narrow, and Jaynes properly had overbreadth standing.

Posted by Ethan Ackerman at 03:26 PM | Spam | TrackBack

April 28, 2008

47 USC 230 Trifecta of Cases--Friendfinder, e360insight, iBrattleboro

By Eric Goldman

47 USC 230 cases have been coming at such a rapid clip that I've fallen behind. In this blog post, I'll catch up on three recent cases:

Friendfinder

Doe v. Friendfinder Network, Inc., 2008 WL 803947 (D.N.H. March 27, 2008)

This case involves the publication of a false user-supplied profile on adult dating/hook-up services operated by AdultFriendfinder and Various. Fake dating profiles have been the source of a fair amount of 230 litigation; see, e.g., the Anthony v Yahoo, Landry-Bell v. Various, Doe v. SexSearch, Barnes v. Yahoo, and of course the Carafano case. The Friendfinder case involves two allegations we haven't seen before: (1) when the plaintiff complained, the sites removed the profile but displayed the following message on the profile page: "Sorry, this member has removed his/her profile," which allegedly implied that the plaintiff in fact had authorized the page initially, and (2) portions of the fake profile had been displayed on third party sites as "teasers" to advertise the adult dating services.

The court quickly dismisses the defamation, intentional infliction of emotional distress and various soft tort claims per 230, even if the defendants affirmatively reposted the profiles and even with respect to pull-down menus used to help profile building. This opinion came out before the Ninth Circuit en banc ruling in Roommates.com, but taking Kozinski's disclaimers at face value, the discussion about pull-down menus should have survived Roommates.com.

The court also says that 230 protects the site-authored announcement on the removed profile because "the allegedly tortious nature of those statements proceeds solely from the association they create between the plaintiff and the content of the profile." This might be an important standard to help future courts determine when 230 governs allegations of false marketing representations predicated on bad user info.

The court takes a less defense-favorable direction regarding the right of publicity claim. In direct conflict with the Ninth Circuit's ccBill ruling, this court says that 230 does not preempt state IP claims. Personally, I think this court got the statutory construction right and the Ninth Circuit got it wrong. As this court correctly explains, a court cannot interpolate the word "federal" into 230(e)(2) if it uses intellectually rigorous statutory interpretation.

Having left open the state IP claims, the court (also correctly, IMO) says that a right of publicity claim is an IP claim while any other invasion of privacy claim (i.e., the other three prongs of Prosser's four privacy torts) is not.

The court also survives the plaintiff's allegation of a Lanham Act false designation of origin claim with respect to the use of the false profile in the advertising teasers. But why didn't the court examine the application of 230 to this Lanham Act provision, which arguably isn't an IP claim? I think the court considered the false designation of origin claim, as applied to a false endorsement, to be equivalent to a right of publicity claim, but it would have been nice for the court to unpack this assumption.

The litigation over teaser content raises a question that's been bothering me for some time--when is republication of user-supplied editorial content (in this case, the dating profile) as teaser content on third party websites legally governed as commercial advertising? Teaser editorial content is ubiquitous, but it also serves a marketing function that could (should?) be regulated by commercial advertising restrictions such as the right of publicity. Hey, if you're looking for a paper topic, I think this issue (use of user content in teaser content as a right of publicity issue) is a good one.

More discussion about this case: CMLP, Rebecca, Jeff Neuburger, John Leonard

e360Insight

e360Insight, LLC v. Comcast Corp., 2008 WL 1722142 (N.D. Ill. April 10, 2008)

e360 is an email marketer/alleged spammer. Comcast blocks their emails from getting to Comcast subscribers. e360 sues Comcast for a variety of torts. The court sweeps all of the claims away on a judgment on the pleadings per 230(c)(2), saying that spam filtering constitutes the blocking of objectionable content contemplated by the statute. Further, agreeing with the Kaspersky case, the court says that any good faith requirement in the statute is subjective, not objective, and e360 didn't plead any evidence of subjective bad faith. Case dismissed.

This opinion adds to the burgeoning caselaw under 230(c)(2) showing that it will crunch claims by anyone upset that their communications are being filtered. As applied to an IAP like Comcast, I think this raises an interesting angle in the net neutrality debate. If you're looking for a paper topic, it seems like it would be timely to recap 230(c)(2) jurisprudence and analyze its interplay with other speech-preserving doctrines (must-carry laws, Constitutional free speech restrictions, net neutrality, consumer protection requirements of disclosure, etc.).

iBrattleboro

Mayhew v. Dunn, 580-11-07 (Vt. Superior Ct. March 18, 2008)

This is a simple and clean opinion. The defendants operate the iBrattleboro.com website. A third party posted material to the website that allegedly harmed the plaintiff. The website operators get a judgment on the pleadings. Case dismissed. This is a nice illustration of 230 working exactly as it should. Some useful color on the case from CMLP.

Posted by Eric at 10:27 AM | Derivative Liability , Publicity/Privacy Rights , Spam | TrackBack

April 21, 2008

Still Standing? Catching Up on the Jaynes Case

By Ethan Ackerman

Virginia's 1st-Amendment-deficient Spam law is still standing, but only because the Va. Supreme Court closely split over whether Jeremy Jaynes had standing to challenge it.

A cynic could dismiss the most recent ruling in this fairly well-covered and dissected criminal spamming case with the familiar legal adage - "bad facts make bad law." But cynics never read this blog...

So what happened?
Jeremy Jaynes was apparently quite the spammer, until he got caught in 2003 sending large volumes of commercial solicitations to AOL users via email messages with forged or misleading headers and From: addresses. As a result, he was charged with criminal violations of Virginia's spam laws. The initial appeal in this case was covered in an earlier post.

At the Va. Supreme Court, Jaynes brought up the same three primary challenges (lack of jurisdiction, Dormant Commerce Clause violations, and 1st Amendment overbreadth/vagueness violations) he raised at the Court of Appeals. He had the same unsatisfactory (for him) results. This previous post detailed where the Va. Court of Appeals' resulting opinion left things wanting on the First Amendment and jurisdiction front. If all was the same old-same old, however, I wouldn't be writing a separate post on the Va. Supreme Court's follow-up ruling. This opinion is a bit more rigorous, but runs into trouble (in my, and the 3 dissenters', minds) over First Amendment issues. As a result, this post is only going to focus on the First Amendment issues of the case. Spam law junkies looking for Dormant Commerce Clause, CAN-SPAM, or jurisdiction issues can read the next paragraph and then go here instead.

Hey wait? What about CAN-SPAM?
Astute readers may wonder where or if the federal anti-spam law comes into play here. The spamming in question took place in July 2003, before the passage of the effective date of the federal CAN-SPAM Act. While there's some question as to what degree this case, and other state laws on spam, could have been preempted by the federal anti-spam laws if it'd happened later, CAN-SPAM wasn't a retroactive law, and it didn't offer retroactive immunity.

On to the First Amendment (or outside it, in this case)
On appeal, Jaynes argued that the Virginia anti-spam statute swept overly broad in prohibiting some types of protected speech, in violation of the First Amendment. Virginia's particular prohibition on mislabeling or falsity in emails, commercial or otherwise, makes it particularly vulnerable to a First Amendment challenge. In fact, I'll come right out and say it: by not limiting itself to commercial emails, the law is almost certainly sweeping in emails that are protected under the First Amendment along with the unprotected fraudulent commercial speech that it can target.

There is vigorous First Amendment debate over each of the issues at play here. What degree of First Amendment protection does commercial speech have? Does commercial email get a different amount than other commercial speech? Does it matter if it's false? Misleading? Just in the headers, not in the content? Who decides? What if the emails are unsolicited, or sent in bulk? What if their headers are forged or altered? What if they're not commercial, but are still bulk? What if they're political? What if the 'altering' is just done to make the email effectively anonymous? Many spam cases at the state and federal level have turned on these distinctions. And the last issue - the scope of the First Amendment right to anonymous speech - drew a brief from the Virginia ACLU at each stage.

While the initial appellate opinion dealt unsatisfactorily with some of these issues, the Va. Supreme Court almost entirely sidestepped them. The Court found Jaynes' lacked 'standing' to even raise a First Amendment challenge to the law, and so declined to address the appeals court's findings on the merits of Jaynes' First Amendment claims. The funny thing is, in going out of its way to only decide standing and avoid a ruling on the merits, the Va. Supreme Court had to make almost all the legal and factual findings necessary to decide the merits.

A quick primer on Standing
'Standing' is a legal term of art that means it is proper for a particular person to be in court contesting something. Courts are vigilant about standing issues because most constitutions, state and federal, require that a particular person have it before they can challenge a law or bring a suit against another person. Standing decisions are also used to avoid deciding thorny issues before they're clearly at hand, or sometimes to avoid them altogether if the issue or law doesn't really apply to the person making the claim.

Take an animal lover in New York City, a wildlife watcher in Laramie, a commercial wildlife-watching guide operating in Yellowstone National Park, a wildlife biologist studying wolves at the University of Wyoming, and a wolf rancher operating a private free-range wolf farm outside of Cheyenne. Each of these people might be upset and allege harms related to a Wyoming statute that mandates the shooting of wolves. The law distinguishes between each of these categories by recognizing some and not others according to the principle of standing.

When someone is unfairly targeted by the way a law is enforced, or is actually prevented from doing something, or has been charged with committing a crime, they likely have standing to challenge the law - as it was applied to them. This is called an "as-applied" challenge to a law. It is a challenge only to the particular portion of the law applied to them in their particular facts and circumstances.

When a skateboarding youth contests her citation for loitering at the public park every time she joins up with her friends for a some skating, she's probably not alleging that the entire loitering statute is unconstitutional, or that the police can never issue a loitering ticket, but that a particular biased police officer is unfairly targeting her in a certain way that violates her First Amendment associational rights. This is an example of an "as applied" challenge.

On the other hand, in some cases a suit can be brought challenging a law outright, outside of a criminal or enforcement action. This particular head-on challenge is called a "facial" challenge to a law, and means that the law, as it is written, violates some other law or Constitutional principle. Facial challenges to a law are much less frequent precisely because many times standing is lacking. If Rosa Parks had sued Alabama over its bus segregation laws before she had ever been sent to the back of the bus, she would have had to allege that the law was unconstitutional "on its face," since it hadn't yet been "applied" to her.

Related to a facial challenge is an "overbreadth" challenge. It alleges that a partially acceptable law sweeps 'overly broad,' catching protected activities up along with those that may legitimately be restricted. A "no leafleting without a name and address on the leaflet" law might be constitutional when enforced against a commercial door-to-door vendor, but not when enforced against a political pamphleteer. These different types of challenges matter because many times whether or not a person has standing depends on what type of challenge - facial, as-applied, or overbreadth - they are bringing.

A breath-taking run through the First Amendment 'overbreadth' exception to standing rules.
As succinctly admitted by the Va. Supreme Court in Jaynes, a litigant may have standing to raise an 'overbreadth' claim against a statute even if they did not have standing to raise a facial or as applied challenge, because "the United States Supreme Court has recognized an exception to the ordinary rules of standing when Constitutional claims involve the First Amendment."

Why relax the otherwise good and useful principle of standing? If it works, it works, right? In general yes, but when it comes to speech, extra protection is a good thing, and chilling speech, even potentially, is a bad thing according to the Supreme Court. Better an occasional court case that is somewhat hypothetical than a wide-sweeping law that makes people reluctant to speak because they might step afoul of it. As the US Supreme court explained in Broadrick v. Oklahoma,

Litigants, therefore, are permitted to challenge a statute not because their own rights of free expression are violated, but because of a judicial prediction or assumption that the statute’s very existence may cause others not before the court to refrain from constitutionally protected speech or expression.

So the First Amendment "overbreadth" exception to standing serves to protect against laws that may chill speech. It's clearly a First Amendment protection device, and it's also clearly a procedural exception developed by courts. But which of those is it more like? That seemingly odd question turns out to make all the difference for Jeremy Jaynes' conviction.

A (not Constitutional?) means to a Constitutional End
If the overbreadth exception is an element of federal Constitutional law arising from the First Amendment, state (and federal) courts generally must follow it. Further, any prior Supreme Court rulings on the issue are binding on state courts as well. However, if it is just a rule of standing, albeit one that happens to protect important First Amendment interests, then state courts are generally free to apply it or reject it according to the laws of their own state. Much like setting filing fee prices, or specifying the number of days in which a motion must be filed, or whether a particular state recognizes "psychotherapist-client" privilege, standing rules can and do vary from state to state.

So is the overbreadth exception required by the First Amendment, or is it just a procedural rule that can be varied by pretty much any court or a state legislature? This kind of distinction - where a remedy or process guards a Constitutional right but (is or) isn't mandated by the Constitution - pops up in quite a few important Constitutional cases. Shockingly enough, reasonable people disagree, both in the US and in other countries with free speech laws facing similar questions.

Perhaps the most obvious US example of this distinction, and a helpful analogy, is the status of several procedural protections under the Fourth Amendment prohibition on warrantless searches. If police violate (or just plain don't get) a warrant but search a suspect or her premises anyway, does the Constitution require that any evidence seized be suppressed? Can the victim of the illegal search sue the police? The Supreme Court goes several ways depending on the question. In at least some cases, the Constitution itself provides a "Constitutional" right to sue, in other cases the suppression "remedy" or standing to sue turn on statutes or standing rules that may vary from state to state to federal law.

These types of inconsistencies seem to be creeping into overbreadth doctrine as well, with some legal scholars warning against the trend away from a Constitutional view and toward a 'mere' procedural standing view. The same challenge seems to be facing other common-law countries with free speech rights as well.

OK, OK, the answer already...
It turns out that the US Supreme Court may have already answered this particular question - or at least suggested a likely answer. In Virginia v. Hicks, even though the Court was ruling on the question of the degree to which enforcer discretion rendered a 'no loitering' statute overbroad, the Court also stated that state court standing rules, not the First Amendment or any other Constitutional considerations, determined whether the Virginia court even had to hear Hicks' overbreadth challenge. According to a brief paragraph in the unanimous majority opinion written by Justice Scalia, "Whether Virginia’s courts should have entertained this overbreadth challenge is entirely a matter of state law." The Virginia Supreme court says this answer is good enough - Virginia courts can choose whether to hear an overbreadth challenge.

But is this the full answer? Hicks is admittedly an on-point ruling on an overbreadth challenge. But is this really the best way to take Justice Scalia's preliminary (precatory?) statement? Concluding that state court protections of 1st Amendment rights are optional makes no sense. See Amendment 14, U.S. Constitution. Perhaps a better reading is that in Hicks, Scalia was saying that the Virginia court was free to choose whether to step above the federal constitutional overbreadth 'floor' and choose or decline to hear Hicks' overbreadth challenge because then-existing overbreadth doctrine didn't cover Hick's challenge. This 'overbreadth doctrine standing is a floor, not a ceiling' argument is perhaps the better reading.

To the State law, then...
In Jaynes, the Va. Supreme Court seized on the Hicks language in an effort to avoid admitting the Virginia spam statue is overbroad and infringes on the First Amendment. But how?

In a word, narrowly. 4-3, the state Supreme Court declined to hear Jaynes' First Amendment claims by holding that Virginia state law only required that overbreadth standing be granted to someone actually able to allege the statute in question was unconstitutional 'as applied' to them - effectively collapsing overbreadth challenges in state court into an 'as applied' challenge - at least in commercial speech cases. Of course the majority didn't couch its opinion like that, taking pains to state that the opinion preserved overbreadth standing in most cases but only denied it to those commercial actors whose speech was clearly outside of the protections the First Amendment grants commercial speech.

Wait, I thought they weren't going to decide the First Amendment issue?
There are several shortcomings with the Jaynes majority opinion. The most glaring inconsistency is the choice to decide that Jaynes' commercial speech, by virtue of its falsity or tendency to mislead, isn't the type of commercial speech entitled to First Amendment protection. The court says:

Jaynes’ commercial speech would fail the initial requirement for First Amendment review under Central Hudson Gas and Fox because it is “misleading” on its face. In that circumstance, it is reasonable not to accord the speaker of such misleading commercial speech, admittedly unprotected in its own right, standing to vicariously raise the First Amendment claims of others.

At first glance, this seems reasonable - it is, after all, a correct statement of First Amendment law under the so-called Central Hudson test. The Supreme Court's various First Amendment commercial speech tests all use truthfulness and non-deceptiveness as an initial threshold, one of the more certain principles in this somewhat varying field. Jaynes' commercial spamming rather clearly fell on the false/misleading/illegal side of the First Amendment line.

That non-controversial decision was a decision on the underlying First Amendment issue in the case, however. It is exactly what the Virginia Supreme Court majority was saying couldn't be made because Jaynes lacked standing. Jaynes petitioned the court to address the First Amendment issue of overbreadth. The Virginia Supreme Court declined, concluding "Because we hold the standing issue is dispositive, we do not address the [First Amendment merits] analysis." In other words, Jaynes lacked standing to raise a First Amendment issue, and so it would be inappropriate to rule on that First Amendment issue. But to come to that standing conclusion, the Court decided the First Amendment issue of whether Jaynes' speech was the type of speech entitled to First Amendment protection.

So what else is wrong?
The three member dissenting opinion of the Virginia Supreme Court (from p. 33 on) takes issue with the majority ruling. It does so not on the tangential issue of its internal inconsistency I raised, but head on. To paraphrase the dissent, 'you've got it wrong, there's a reason every other court, state and federal, does it the other way.' The dissent delves into the important First Amendment principle of avoiding laws with a chilling effect on speech. It reiterates that this vital principle is the reason for an exception to the general standing doctrines. The dissent emphasizes the inconsistency between state and federal law on this issue. The dissent notes, and wisely the majority previously conceded, that in federal court Jaynes would have had standing. That's not just inconsistent, the dissent notes, but it will push cases construing Virginia statutes out of Virginia courts (where they now can't be brought) and into federal courts. It's Virgina's courts' job to construe these laws, the dissent please, and Virginia courts' job to remedy them if needed.

Epilogue
As noted last time, Jaynes is out of any mandatory appeals. This Virginia Supreme Court case was a discretionary review. Any US Supreme Court case would also be discretionary. As other bloggers have noted, this case splits the general Supreme Court trends on First Amendment issues, furthering the Supremes' trend of narrowing standing, but also offering less First Amendment protection to commercial speech than the likely-more-protective current Supreme Court might.

UPDATE 9/12/08

Posted by Ethan Ackerman at 09:44 AM | Spam | TrackBack

March 2008 Quick Links, Part I

By Eric Goldman

It's a sign of my busy March/April that I am just now posting these...

Reputation/47 USC 230

* I have a lot to say about the JuicyCampus story (AP, MSNBC, Chronicle of Higher Education). Unfortunately, I ran out of time to write a full blog post on the subject. For now, some quick thoughts about this interesting and complex situation:
- Taken to its logical conclusion, 47 USC 230 naturally enables sites to do absolutely nothing to restrict harmful speech. (I'm not saying that accurately describes JuicyCampus--I don't have enough facts to make that claim). However, that's not an unexpected failure of the statute--it's the natural consequence of the statute's design. Any concerns about the costs of unrestricted speech fora need to compared with the costs of more regulated systems. It's not clear that one result is automatically better than the other, and certainly there are costs implicit in all solutions. Sam Bayard explores this issue more.
- Sites that lack credible information will face marketplace responses regardless of any legal rules. In JuicyCampus' case, the marketplace responses include consumers deeming the site not credible, plus intermediaries (in this case, universities) may simply block access by its core users.
- Any possible legal action by the New Jersey Attorney General over JuicyCampus' facilitation of harmful speech should be unambiguously preempted by 47 USC 230--even after Roommates.com.
- The attempted legal bypass to 47 USC 230--trying to convert a negative covenant from the users in the user agreement into an actionable affirmative marketing representation by JuicyCampus--is analytically corrupt. It's also not the law, and it's been rejected in several 230 cases (Noah v. AOL comes immediately to mind). Rebecca has more to say on this issue.
- If negative behavioral covenants by users in a user agreement are actionable affirmative marketing representations that such behavior isn't occurring, then the Internet is a target-rich ecosystem because I imagine that just about every Internet company is eligible for enforcement actions.
- Isn't it typical of an enforcement action to go after the target's vendors (in this case, JuicyCampus' ad networks) and watch them instantly fold?
- This issue reminds us that a website can't promise its users anonymity if it allows anyone else (such as an ad server) to serve up portions of its page and thereby have the ability to collect the same server log data.

* Ciolli v. Iravani: The AutoAdmit lawsuits spill over into a new battleground. As I said when I first blogged on the case, this is a "very messy situation" that has only gotten messier.

* Nemet v. ConsumerAffairs.com. Another lawsuit against an online consumer review site for publishing allegedly defamatory negative critiques.

* Steinbuch v. Cutler, 2008 WL 596747 (8th Cir. Mar. 6, 2008). Steinbuch's lawsuit against Hyperion, the publisher of the Washingtonienne book, can continue in Arkansas. His other claims must proceed in Washington DC if at all.

* Washington Post: Due to the speed at which gossip moves over the Internet, "compared with the pre-Internet era, politicians are less likely than ever to survive a sex scandal with their careers intact."

* H. Brian Holland, In Defense of Online Intermediary Immunity: Facilitating Communities of Modified Exceptionalism, 56 U. Kan. L. Rev. 369 (2008). Prof. Holland wrote a paper I had been meaning to write! He explains how 47 USC 230 enables online communities to use a variety of self-governance structures, while a different liability regime would give communities fewer choices and thereby inhibit community formation and management.

Search Engines

* A Canadian web network called Geosign received $160M of VC money but the company was rendered worthless overnight when Google changed its policies and cut off traffic. Domainers beware!

* New book worth checking out: WEB SEARCH: MULTIDISCIPLINARY PERSPECTIVES (Amanda Spink & Michael Zimmer, eds.) (Springer 2008). A nice cross-section of essays on search engine issues from multiple disciplines.

* Need some original content to improve your SEO? You can automatically generate it through splogging, or you can pay actual humans a small amount of money to write short articles. If the cost is low enough and the SEO credit for truly original content is high enough, the latter may end up being a better economic deal.

Spam

* The FTC has lost a jury trial against Impulse Media on its theory that Impulse Media is liable for the spam sent by its affiliates. This is a pretty important decision because (1) the FTC/DOJ rarely lose at trial, (2) their expansive theories about liability for affiliate behavior may be legally incorrect, and (3) the FTC has strong-armed numerous defendants into settlements based on its theory, and future defendants now be willing to fight back.

* On that topic, Cyberheat won an early round in litigation with the FTC over its affiliate practices but has now settled up with the FTC. The settlement gives some guidance about the FTC's thoughts of how marketers should police affiliates, but the Impulse Media jury loss may undermine the teaching of this settlement.

Posted by Eric at 08:32 AM | Derivative Liability , Licensing/Contracts , Marketing , Search Engines , Spam | TrackBack

March 02, 2008

Feb. 2008 Quick Links

By Eric Goldman

Advertising

* BusinessWeek: Monetizing social networking sites isn't as easy as everyone had hoped, clickthrough rates are through the floor (0.04%!), and ad proliferation on the sites is driving users away.

* Wilbur, Kenneth C. and Zhu, Yi, "Click Fraud" (January 2, 2008). This paper appears to argue that search engines can increase their profits by failing to disclose the true rate of click fraud on their network.

* In re Miva, Inc. Securities Litigation, 2008 WL 450037 (M.D. Fla. Feb. 15, 2008). This lawsuit alleges that Miva and some associated individuals understated or misreported Miva’s reliance on click fraud, spyware and third party distributors in its public statements and thus inflated the company's stock price. Last year, the court dismissed many of the allegations but let a couple survive. In this ruling, the court dismisses a few more defendants from some statements and lets the rest of the case proceed.

* Going-out-of-business sales are often just another scam. (HT ContractsProf). Note this is completely consistent with economists’ theoretical predictions of final-period behavior of trademark owners.

Google

* Google's stock has lost $70B in market cap in 7 weeks. Oh darn. Clickz offers some theories about why Google's clicks are declining. Could lower rates of click fraud be part of it?

* Hal Varian, Google's Chief Economist, argues that Google's marketplace success is solely due to its "secret sauce" (i.e., the advantage of learning by doing) rather than any defects in the marketplace.

Spam

* Jaynes v. Virginia (Va. Sup. Ct. Feb. 29, 2008). By a 4-3 vote, the Virginia Supreme Court upheld Jeremy Jaynes' 9 year sentence for violating Virginia’s spam law.

* Silverstein v. Experienced Internet.com, 2008 U.S. App. LEXIS 3364 (9th Cir. 2008). Ninth Circuit dismissed a CAN-SPAM lawsuit for lack of jurisdiction when the defendants attest that they didn't send the message and aren't local.

Domain Names

* NSI has been sued for its practice of grabbing pre-registration domain names based on WHOIS searches. The complaint. Good luck defending those practices, NSI!

* Two more breathy articles about the economics of domaining from the New York Times and Network World.

47 USC 230

* Johnson v. Barras, 2007 CA 001600 B (DC Superior Ct Feb. 1, 2008). Court dismisses a lawsuit against a website for republishing a defamatory story per 47 USC 230.

* Yet another doomed lawsuit against MySpace for facilitating communications between an adult male and an underage female that led to sex. Sam Bayard's comments.

Pornography

* NY Lawyer (login required): "Defense Bar Sees Growing Practice in Internet Sex Crimes"

* A federal obscenity prosecution for publishing graphic short stories (without pictures) on the Internet? As Tim Wu says, "astonishing."

* The Utah legislature is considering entering the marketplace again, this time through a certification mark program for Internet access providers who are willing to combat porn. See HB407. Of course, the Utah legislature has had terrific success in the past creating successful new business opportunities that the marketplace has overlooked.

User-Generated Content

* Nick Carr: "What we've seen happen with self-regulating communities, both real and virtual, is that they go through a brief initial period during which their performance improves - a kind of honeymoon period, when people are on their best behavior and rascals are quickly exposed and put to rout - but then, at some point, their performance turns downward. They begin, naturally, to decay." Like, I think, Wikipedia.

* Slate on the top-heavy nature of contributions to Wikipedia and Digg.

* Christian Science Monitor: Teachers Strike Back at Students' Online Pranks.

* Sam Bayard on a motion to quash in the AutoAdmit case.

Reputation

* eBay no longer lets sellers leave negative/neutral feedback for buyers. This putatively stops sellers from retaliating against buyers who leave legitimate complaints, but it also skews the database towards only positive reviews, which ultimately undercuts its credibility.

* In India, where courtships remain very brief by US standards and grooms can be paid dowries by the bride's families, there is an emerging trend for brides to hire "wedding detectives" to ferret out the scoop on grooms and whether their representations are correct.

* Funny article on being a secret shopper for Consumer Reports.

* Dan Solove's book, The Future of Reputation, is now available online for free. Ethan's review of the book.

Patents

* Six years later, eBay finally buys it now: eBay v. MercExchange settles with eBay buying out some of MercExchange's patents and licensing others.

* Mike Masnick: "Psst! Patent Examiners Do Not Scale"

Copyright

* Mike Masnick: “Why We Should All Want Politicians Who Plagiarize.”

* Do Not Resuscitate...My Copyrights (funny).

Miscellaneous

* Citizen Media Law Project has a useful discussion on getting insurance for cyberlaw risks.

* People v. Fernino, 2008 WL 382348 (N.Y. City Crim. Ct. Feb. 13, 2008) (woman violated a no-contact order when sending a MySpace message to the person).

* Mike Masnick: "We Need A Broadband Competition Act, Not A Net Neutrality Act"

* A retrospective on some of the leading dot-coms from the 1990s.

Posted by Eric at 05:32 PM | Content Regulation , Copyright , Derivative Liability , Domain Names , E-Commerce , Internet History , Marketing , Patents , Privacy/Security , Search Engines , Spam , Trademark | TrackBack

February 12, 2008

Jan. 2008 Quick Links (Non-IP Edition)

By Eric Goldman

47 USC 230

* Doe v. SexSearch, the case absolving a website for age verification of its users, has been appealed.

* The Supreme Court denied cert in Parker v. Google. See 2008 WL 114262.

* NYT update on the Subway v. Quiznos lawsuit. I'm still waiting to see how the CCBill case affects the legal analysis.

Ripoff Report

* CMLP reported that Energy Automation Systems v. Xcentric Ventures has settled.

* A lot of people would love to take down the Ripoff Report. The latest (perhaps unexpected) opponents--the SEO crowd. See here, here and here. Definitely not a group I'd want to have gunning for me...

* Sarah Bird wrote the blog post I wanted to write: a recap of all of the litigation involving the Ripoff Report and its related entities. She updates a number of cases I've blogged about here.

Privacy

* The quest to find defendants in the AutoAdmit lawsuit has spilled over to unrelated websites whose URLs were posted to AutoAdmit, on the theory that AutoAdmit users were likely to have visited there prior to or after the links were posted. See the plaintiff's motion. This has proven to be a controversial move; see critiques from Mike Masnick and Sam Bayard.

* World Privacy Forum's Top Ten Opt Outs.

* The Privacy Rights Clearinghouse has compiled a master list of all the data breaches that have been announced.

Spam

* Venkat on 4 years of CAN-SPAM. I think the best we can say is that CAN-SPAM hasn't destroyed email as a communication tool, but I am skeptical that its significant transaction costs are outweighed by its benefits.

* Search Engine Land shows Wired that its wiki isn't spam-proof and then apologizes for it.

Marketing/Advertising

* Greg Linden predicts a dot-com crash in 2008 where a dry-up of investment capital will lead to marketing desperation: "Much like we saw after the 2000 crash, it is likely that those with little to lose will attempt scary new forms of advertising. The Web will become polluted with spyware, intrusiveness, and horrible annoyances. None of this will work, of course, and there will be lawsuits and new privacy legislation, but we will have to endure it while it lasts."

* Oddee has some vintage ads that couldn't be made today.

Blogging

* Examples of how blogging is actually increasing some companies' sales.

* Giving in to cyberspace exceptionalism, a divorce court judge ordered a husband to stop blogging about the wife. Fortunately, the judge soon realized his error and reversed course, basically throwing up his hands saying "I don't know what to do here." Garrido v. Krasnansky, No. F 466-12-06 (Vt. Fam. Ct. Jan. 14, 2008).

Miscellaneous

* Once again, Mike Masnick says what I was thinking better than I could: "Both Microsoft And Google Are Probably Best Off Shutting Up About Monopolies."

* Wired has a great article on scraping data from major Internet players, many of whom themselves use scraping-like methodologies to gather data: "But beneath all the kumbayas, there's an awkward dance going on, an unregulated give-and-take of information for which the rules are still being worked out. And in many cases, some of the big guys that have been the source of that data are finding they can't — or simply don't want to — allow everyone to access their information, Web2.0 dogma be damned."

* The FTC has cracked down (again) on a website for inadequate security. This time, the e-tailer "Life is good" promised that "all information is kept in a secure file" but a hacker got good stuff (credit card #s, etc.) anyway. The FTC pointed to several deficiencies, including (1) the retailer's failure to store the sensitive data in encrypted format, (2) inadequate efforts to identify and patch security holes, and (3) inadequate monitoring of intrusions.

* Krause v. Chippas, 2007 WL 4563471 (N.D. Tex. Dec. 28, 2007). Court says a website user was bound to the contract when "lead page" of website said "USE OF THIS SITE AND OR SERVICES OFFERED WITHIN THIS FUTURESCOM.COM SITE SIGNIFIES YOUR AGREEMENT TO THIS SERVICE AND USAGE AGREEMENT."

* An interesting British study explains the downsides of government-mandated disclosures to consumers. HT Rebecca.

* I participated in a 30 minute podcasted conversation on the Lawyer 2 Lawyer show on the topic of social networking sites.

* I have 2 copies left of my 2007 Cyberspace Law course reader. First 2 people to email me with a request and their mailing address get them. [UPDATE: Gone!]

Posted by Eric at 05:50 PM | Derivative Liability , Licensing/Contracts , Marketing , Privacy/Security , Spam | TrackBack

December 14, 2007

Oct.-Nov. 2007 Quick Links, Part 2

By Eric Goldman

Marketing/Branding

* To stimulate demand for its services, the British postal service is pointing out that snail mail is a good way to use olfactory marketing. Try to keep up with THAT, spammers! But doesn't this give new meaning to the observation that “junk mail stinks”...?

* Dunlop Tires offered a free set of tires to people who would get a tattoo of the company's logo. This tops a past promotion where they gave free tires to anyone who got tire tracks shaved into their hair. As a promotion, tattoos have an obvious advantage over hair-shaving because hair grows back. See my comprehensive post on tattoo advertising.

* As the Internet increases price competition and reduces margins in the jewelry market, diamond manufacturers are trying to prop up prices by branding their diamonds.

* Another lawsuit over the scorching-hot Hannah Montana concert tour—this time, alleging that the Hannah Montana fansite overpromised priority access to tickets.

* Anthony v. Yahoo, which involved a claim that Yahoo misled consumers of its dating service, has settled for $4M.

* I enjoyed this YouTube Video, Mr. Spam Man. Brought to mind the Spam-Free-or-Die video, which is still funny today.

Copyright

* William Patry on crazy copyright rulings against the “segOne,” a device that allows retailers showing broadcast TV to their patrons to substitute in ads sold by them instead of the ads sold by the broadcasters.

* Textile Secrets International, Inc. v. Ya-Ya Brand, Inc. (C.D. Cal. Oct. 31, 2007). 17 USC 1202 (the restriction on modification/removal of “copyright management information”) has been rarely interpreted, so this is a noteworthy case on that basis alone. This case involved the removal of CMI in offline activities. The court concludes "Court nevertheless cannot find that [1202] was intended to apply to circumstances that have no relation to the Internet, electronic commerce, automated copyright protections or management systems, public registers, or other technological measures or processes as contemplated in the DMCA as a whole."

* The Copyright Office has (finally) updated its electronic copy of Title 17.

Blogging

* David Hoffman discusses some considerations when structuring a group blogging LLC's operating agreement.

* U.S. v. Citgo Petroleum Corp., 2007 WL 4116066 (S.D. Tex. Nov. 19, 2007). An attendee at a trial blogs some of her observations about the jury. Her reward? One of the litigants can depose her as having potentially relevant information about jury impartiality. See my first-hand experience with potentially being deposed due to a blog post.

E-Commerce

* College students are ordering tires, pool tables and Winchester rifles online.

* The Canadian taxing authorities have won a victory allowing them to order eBay’s US company to disclose vast amounts of transactional data that presumably will be cross-checked against Canadian PowerSeller tax returns.

Miscellaneous

* Express Media Group, LLC, v. Express Corp., No. C 06-03504 WHA (N.D. Cal., May 10, 2007). Martin Samson's summary: "Court finds defendant, who claimed to have purchased plaintiffs' Express.com domain for $150,000 from someone who purported to be, but was not, the domain's Administrative Contact, guilty of conversion and directs defendant to return the domain to plaintiffs."

* Fallout from the Oracle v. SAP case: SAP may sell TomorrowNow, and several TN executives have been axed.

* A good use for a geolocated cellphone-mediated information service: the location of the nearest public toilet.

* Declan rallies against a federal "Do Not Track" list.

* NYT: US News & World Reports is getting into the consumer review business by aggregating third party opinions. According to the NYT, "The magazine has searched the work of dozens of automotive reviewers at newspapers and magazines, assigned a numerical value to each review (a process U.S. News describes as complex, rigorous and top secret), and then aggregated those into final scores. The Web site offers a description of each vehicle, sprinkled with snippets of quotes from those reviewers, so that it reads as much like a Zagat's restaurant blurb as something you might find in Consumer Reports."

* Don'tcensorme.com: a website for commenters who believe that their comments have been deleted by moderators on hubris overload.

* BusinessWeek: 101 Best Web Freebies.

Posted by Eric at 08:20 AM | Copyright , Domain Names , E-Commerce , Marketing , Privacy/Security , Spam | TrackBack

December 11, 2007

Facebook v. ConnectU Update

By Eric Goldman

Facebook, Inc. v. ConnectU LLC, 2007 WL 4249924 (N.D.Cal. Nov. 30, 2007) (denying sanctions); Facebook, Inc. v. ConnectU LLC, 2007 WL 4249926 (N.D.Cal. Nov. 30, 2007) (dismissing individual defendants)

You may recall the intertwined relationship between ConnectU and Facebook. ConnectU was a dorm-room project at Harvard. The students hired Mark Zuckerberg to help with the programming. Shortly thereafter, Zuckerberg started a competitive site called Facebook, instantly spawning acrimony between the parties that persists until today. Facebook is now allegedly worth $15B, ConnectU is worth a trivial fraction of that, and both parties seemed destined to pour their entire net worth into suing each other into oblivion. At the rate they are going/spending, all of the lawyers' kids will be able to afford Harvard where they can make their own "friends" in the dorms.

There are 2 main battlefronts. ConnectU and its owners are suing Facebook and Zuckerberg in Massachusetts alleging that Zuckerberg ripped off their IP. Facebook is suing ConnectU in California for allegedly harvesting user email addresses from Facebook and spamming the users with competitive exhortations. In my previous post on the Facebook v. ConnectU lawsuit, I explained how ConnectU cleaned out some of the harvesting/spam related claims.

These two latest rulings relate to the Facebook v. ConnectU lawsuit as well. In one ruling, the court dismisses three of the individual defendants (Cameron and Tyler Winklevoss and Divya Narendra) because they are not subject to jurisdiction in California. Facebook initially sued in California state court, which concluded that it lacked jurisdiction over these three individuals, a result that Facebook tried to relitigate in federal court. This court responds: "Even if the Superior Court reached an incorrect legal determination, the outcome is conclusive. Facebook 'does not now get a do-over.'"

In the other ruling, the judge rejects Facebook's claim for sanctions against ConnectU and some of the individual defendants. Facebook's argument is based on an apparent inconsistency in claims made by the defendants in the California state court and the Massachusetts court (in CA, defendants claimed that Narendra was a member of ConnectU's LLC; in Massachusetts, the defendants claimed he wasn't). The court determines that the facial inconsistency is actually reconcilable (due to a Delaware law that allows retroactive membership in an LLC combined with the different times the fact was asserted) and rejects sanctions accordingly, although the judge suggests that the Massachusetts court might feel differently about sanctions.

Collectively, these two rulings represent yet another preliminary skirmish between the parties before they reach any substantive evaluations of any of their respective claims. Given that the ConnectU v. Facebook lawsuit has been going on for 4 years, that's a lot of wheel-spinning. C'mon Facebook, throw the ConnectU folks a billion or two so that you can free up your time to focus on more pressing matters, like how to generate revenues without abusing your users' privacy.

Posted by Eric at 09:15 PM | Spam | TrackBack

December 10, 2007

Yale Reputation Economies Symposium Recap

By Eric Goldman

Reputation is a hot topic in Cyberlaw circles, so the Yale ISP conference on Reputation Economies in Cyberspace came at a propitious time. Some of my meta-observations from the talks.

1) We lack a uniformly accepted definition of reputation. During the conference, it was clear that most speakers were working with their own idiosyncratic definitions. Without a standardized definition, people can easily talk past each other.

2) Reputational systems are everywhere--FICO scores, letters of recommendation, Google PageRank, product review sites like Epinions, spam filters, employee evaluations, etc. I plan to catalog them in my next big paper. For now, Jonathan Zittrain gave two interesting examples: (1) British pubs are now taking patrons’ fingerprints and publishing a blacklist of rowdy pubgoers to other pubs, and (2) websites allow angry drivers to criticize bad drivers by license plate number.

3) We often treat reputation as a monolithic assessment (good or bad), but it is granular and contextual. Reputation systems need to reflect these nuances, and we’re seeing movement in that direction. For example, eBay is considering more granular feedback scores, which might entail different scores for product description accuracy and shipping speediness. However, increased granularity is subject to the accuracy/simplicity tradeoff—increased complexity improves accuracy but makes it more costly to participate in the system.

To overcome the accuracy/simplicity tradeoff and reduce collection costs, reputational data can be collected automatically. Bill McGeveran compared Facebook’s automatic collection of recommendations through Beacon with ratemyprofessor.com (a site I’ve critiqued before--1, 2, 3), where the communication costs discourage students from providing feedback unless they hold extreme views (i.e., love it/hate it).

Jonathan Zittrain suggested that people should be able to request that some information should not become part of their reputation. He gave robots.txt as an analogy; it is a voluntary standard that web publishers can use to keep content (that might have reputational implications) out of the search engines, which in turn significantly reduces its visibility. Although robots.txt is voluntary, it is widely followed. Jonathan thinks a similar voluntary system might be helpful for reputational data.

4) As noted by several speakers, reputation has economic value that can be converted into cash. For example, spammers have better delivery success—and thus make more money—if they can work with a high-reputation email address that is less likely to be blocked/filtered, and an seller with high feedback commands premium prices for his/her auctions. These payoffs create incentives for “bad guys” to capitalize on undeserved reputation, leading to the hijacking of high-feedback accounts and feedback-inflating activity (such the serial consummation of penny auctions) that can be used for a short but intense burst of fraud.

Bill McGeveran gave Facebook’s Beacon as another example of reputation’s selling power. In that case, Facebook and marketes are engaged in “reputational piggybacking” to get extra credit from the “recommending” user’s validation.

Because reputation has economic payoffs, we are tempted to provide property-like protections for reputation. Trademark law is an example of this in the commercial context. In contrast, with respect to individuals, damaged reputations can have significant non-economic harms that are not well-handled through property systems. Discussions about legal protection for reputations can get confusing when economic protectionism are conflated with these non-economic harms.

5) No reputational system will be perfectly accurate. Any system will have Type I and Type II errors. So how accurate must a reputational system be for it to be credible? We should assess this question by comparing a reputational system’s errors against the errors from alternative systems (or the absence of the system altogether).

A reputational system might be improved through more robust error correction mechanisms. Jonathan Zittrain gave the example of the Google News feature that allows a quoted individual to add comments right below the article. This reminded me a lot of Frank Pasquale’s asterisk proposal.

6) Reputational information is time-sensitive in that more recent reputational information is more useful to assessing reputation. Jonathan Zittrain proposed a concept of “reputational bankruptcy” where "old" information could be permanently suppressed because it is not useful to make future assessments. He analogized this to the time-based degrading of eBay’s feedback score, which segregates transactional information by date (i.e., 1 month, 6 month, all time).

More resources on this topic:
* notes from my talk
* my article on the intersection between online word of mouth and trademark law
* the collection of position papers from the event
* other recaps: the conference wiki, Jenny Ambrozek, James Grimmelmann, Aldon Hynes, Greg Lastowka, Andy Oram, Frank Pasquale (1, 2), Rebecca Tushnet (1, 2, 3, 4), Michael Zimmer

Posted by Eric at 10:27 PM | E-Commerce , Publicity/Privacy Rights , Spam , Trademark | TrackBack

November 21, 2007

Search Redirection Tool Could Be Trespass to Chattels--Burgess v. EForce

By Eric Goldman

Burgess v. EForce Media, Inc., 2007 WL 3355369 (W.D.N.C. Nov. 9, 2007)

Every now and then a consumer goes on a me-vs.-the-world bender and decides to unilaterally save society by suing everyone in sight. Burgess' anger over unwanted advertising may have sparked such a campaign. His previous appearance on the blog involved his pro se lawsuit against American Express and many other major brand names for unwanted pop-up ads. In that ruling, the court intimated that advertisers could be liable for contributory trespass to chattels.

In this companion action, Burgess sued a number of defendants for spam. The court rejects his CAN-SPAM claim for lack of standing (he doesn't qualify for the limited private causes of action).

Burgess also sued for the installation of search redirection client software, claiming it was a privacy invasion, trespass to chattels, and "illegal conduct." The defendants first tries to dismiss the claims as preempted by CAN-SPAM, but CAN-SPAM's preemption clause does not apply to generally applicable laws like privacy invasions and trespass to chattels. Nevertheless, the magistrate report (approved by the judge) dismisses the privacy invasion claim for failure to state a claim, saying:

While the undersigned shares in plaintiff's frustration with the internet and the unconscionable applications that interfere with one's use and enjoyment of technology--and at times display offensive websites--frustration of purpose is not an invasion of privacy. Further, the undersigned cannot find any North Carolina case recognizing a cause of action for invasion of privacy based on computer viruses that redirect internet searches or inquiries, or any cases that would suggest that similar such conduct in other fields would support such a claim.

The "illegal conduct" claim was also dismissed.

On the other hand, building on Burgess prior ruling in state court, this court refuses to dismiss the trespass to chattels claim. Citing to Sotelo and others, the court says that Burgess' "pro se pleadings are not a model of clarity but nevertheless suffice to state a claim for trespass to chattels. He sufficiently alleges actual possession of his computer and 'unauthorized, unlawful interference' with his use of this personal property." So the Sotelo precedent marches on, even though this court (as with the prior Burgess court) doesn't acknowledge Hamidi, Mummagraphics or the other cases that would put these expansive trespass to chattels rulings in serious doubt.

As a result, Burgess' case lives to see another day. I'm sure we haven't heard the last from him!

Posted by Eric at 02:32 PM | Adware/Spyware , Publicity/Privacy Rights , Search Engines , Spam , Trespass to Chattels | TrackBack

October 09, 2007

Spam Crime Loss Not Measured by Defendant's Gain--US v. Kilbride

By Eric Goldman

US v. Kilbride, 2007 WL 2774487 (D. Ariz. Sept. 21, 2007)

Kilbride and his co-defendants are porn spammers who have been convicted of obscenity charges and criminal violations of CAN-SPAM. They face very long jail sentences. Their prosecution has produced a number of interesting/groundbreaking rulings, but this post focuses on the court's discussion about sentencing for CAN-SPAM crimes.

Spam crime sentences are governed by Sec. 2B1.1, the sentencing guideline applicable to theft. In 2004 comments to the Sentencing Commission, my former Marquette colleague Michael O'Hear and I expressed some concern about this model for measuring spam losses, particularly that it would significantly overcount the harms caused by spam.

As far as I know, this is the first case discussing the measurement of harm/loss in a CAN-SPAM crime sentencing. The court does a good job evaluating the evidence. First, contrary to the fears Michael and I expressed, the judge correctly ignores any alleged harm to end user-recipients because there was no evidence these individuals suffered a pecuniary loss. Second, the court largely rejects the government's argument that the loss should be measured by the defendants' gain (over $1.1M in profits). Instead, the judge only gives credit to the evidence showing that AOL suffered less than $10,000 of "loss" from the porn spam, computed by AOL's cost to investigate complaints over the spam (the government did not present evidence for other email service providers). As Michael and I explained in our comment, I'm not even sure AOL's investigation costs should count as a loss attributable to the defendants, but at least the dollar amount is comparatively low.

So while I'm still not sure 2B1.1's loss table is the right way to measure spam harms, it's heartening to see the judge resist overcounting. At the same time, it's impossible to ignore the significant litigation costs over this issue. Porn spammers have lots of money and face long jail sentences, so it isn't surprising that they will fight vociferously over loss calculations. Perhaps there are better ways of measuring loss that would reach fair results without these heavy litigation costs.

UPDATE: The defendants were sentenced to 5 years each.

Posted by Eric at 01:19 PM | Spam | TrackBack

August 13, 2007

2007 Cyberspace Law Syllabus

By Eric Goldman

I've posted my 2007 Cyberlaw syllabus. Unlike the past few years, which were a little slow cyberlaw-wise, the past 12 months saw a lot of important developments. Let me recap some of changes I made to my reader reflecting these developments:

Additions

Copyright: I added the Cablevision case (after editing out some of the mind-numbing description of cable technology), which provides an interesting exposition on how the source of bits matters in copyright law (we'll reinforce that message with the Amazon.com "server test"). I companioned the Cablevision with the Field case to show a very different philosophy about "volitional" server activity, so I'll ask the students to see if they can reconcile the two cases.

I struggled with how to handle the Ninth Circuit's troika of Perfect 10 opinions. The opinions are long, complicated and irresolute, but it's hard to discuss one without discussing the other two. I decided to include all three but I don't feel great about that decision, given that it takes 115 pages (about 1/6 of my total reader) to work through the three cases, and I'm not sure students will come away any smarter about Ninth Circuit online copyright law after reading all three.

Trademark. I substituted the FragranceNet case for the 1-800 Contacts v. WhenU case. The 1-800 Contacts case remains a very important keyword law precedent, but as a teaching case it was just so-so. The adware subject matter increased the complexity, and it punted on the most interesting question of search engine liability. However, most of the other recent keyword law cases have been even less teachable. Fortunately, the FragranceNet case does a pretty job of recapping the 1-800 Contacts case as well as other recent decisions, and it frames the policy issues nicely. I've paired it with the Playboy v. Netscape case, which will make a good compare/contrast. However, if the Second Circuit gets off its duff, I'd be thrilled to substitute in the court's opinion in the Rescuecom appeal. (I'd be even more thrilled if the court reaches the "right" result!).

I also updated my materials to reflect the Trademark Dilution Revision Act.

230. I continue to stick by the seminal Zeran case, which remains both powerful precedent and a colorful teaching case. However, this year I added the Ninth Circuit hairball Roommates.com opinion. I really didn't want to--it's such a messy opinion--but I think for now the case represents a vitally important incursion into 230 law that any good Cyberlawyer needs to know about it (even if they don't know what to do about it). If we're lucky, perhaps the Ninth Circuit will rehear the case en banc and issue a new and more lucid opinion before I have to teach the existing opinion.

In addition, I created a new module on "blogs and social networking sites" and added the Doe v. MySpace case, a great opinion for exploring the differences between online and offline "premises."

Spam. I teach spam at the semester's end, when time is running out, so we'll see what I'm actually able to cover this year. I've added two recent cases: the Mummagraphics case, which wiped out a lot of state anti-spam laws and has a nice interplay with trespass to chattels, and the MySpace v. theglobe.com case, which has an odd contrast with Mummagraphics on the state anti-spam statutory analysis; plus it shows how online contracts can substitute for legislative rights.

Other. I added some explanatory material, including my standard dog-and-pony CLE presentations on keyword law and blog law and my brief distillation of social networking site law. I also updated the CRS on Spyware.

Other Changes

* I eliminated my standalone section on "search engines" and folded the material into the rest of the reader. I think there's pedagogical value to isolating and deeply exploring search engine issues, which is why I initially segregated the material. However, search engine issues crop up throughout the foundational material, so I'm not sure that segregation worked.

* I deleted the following material:
- Corbis v. Amazon. This was an excellent case to teach 512, but I think the ccBill case superseded it in a number of respects.
- the district court opinion in Perfect 10 v. Google, which was superseded by the Perfect 10 v. Amazon Ninth Circuit opinion.
- 1-800 Contacts v. WhenU (as discussed above)
- Alaska SB 140, which I ran out of time to discuss last year.

Deliberately Excluded

* The Utah anti-keyword advertising law represents one of the most important statutory changes of the year, but I omitted it because I anticipate Utah will modify it, and there's no point teaching a moot law.

* I skipped the Unlawful Internet Gambling Enforcement Act. I've generally shied away from teaching online gambling in Cyberlaw; the topic requires a lot of time to teach, making it hard to squeeze into a semester-long survey course. Plus, the new law is an analytical mess, so I'm not sure what the students would get out of the discussion.

* We were so excited to get the California Supreme Court's Barrett v. Rosenthal ruling, but the actual opinion doesn't add much to Zeran, so I thought it wasn't worth the time.

Posted by Eric at 07:57 AM | Adware/Spyware , Copyright , Derivative Liability , Internet History , Search Engines , Spam , Trademark | TrackBack

August 06, 2007

CAN-SPAM Defendant Awarded $111k in Fees/Costs--Gordon v. Virtumundo

By Eric Goldman

Gordon v. Virtumundo, 06-0204-JCC (W.D. Wash. Aug. 1, 2007)

I believe this ruling represents the first time that a CAN-SPAM plaintiff has been ordered to pay attorneys' fees and costs to a defendant. As a result, it's a leading example that courts can and do grow tired of bogus anti-marketing lawsuits, and perhaps it will serve as an expensive warning to CAN-SPAM plaintiffs to ensure the merits of their lawsuit.

Gordon is an uber anti-spam plaintiff, leading countless CAN-SPAM lawsuits. (Ethan blogged a little on Gordon's litigation here). As the court describes, Gordon runs a "spam business"--basically, a for-profit plaintiff litigation shop to go after spammers (the court also calls it a "litigation factory"). The court doesn't seem very impressed with this business model. Having already dismissed the lawsuit's substance, the court repeatedly rips on Gordon for bringing a junk lawsuit, saying that "The Court finds that Plaintiffs’ instant lawsuit is an excellent example of the ill-motivated, unreasonable, and frivolous type of lawsuit that justifies an award of attorneys’ fees to Defendants" and "the Court finds that the goal of deterrence is particularly relevant here. Plaintiffs should be deterred from further litigating their numerous other CAN-SPAM lawsuits now that they are aware their lack of CAN-SPAM standing."

Along the way, the court interprets the appropriate standard for awarding fees under the CAN-SPAM fee shifting provision. Informed by Gordon's litigation abuses, the court decides that the fee-shifting provision should use the more defendant-favorable "even-handed" standard when evaluating a defendant's fee requests (like it is in the copyright context) instead of the "dual standard" where the plaintiff gets a favorable review on both its fee requests and defendant's fee requests (the latter standard thus encourages plaintiffs to bring lawsuits without the fear of a loser-pays ruling). The court correctly notes that Congress really wasn't trying to enable lots of private lawsuits from CAN-SPAM, so the risk of chilled plaintiffs is appropriate in this context. As the court says, "Promotion of prolific private CAN-SPAM litigation is not what Congress intended." Thus, this ruling paves the way for CAN-SPAM defendants to request and get attorneys' fees when faced with bogus CAN-SPAM claims.

More generally, I remain frustrated that so much regulatory attention is focused on curbing marketers' abuse while comparatively little attention is given to curbing marketing plaintiffs' abuse. But make no mistake--every new anti-marketing law with a private right of action will stir up more action than some chum thrown into shark-infested waters. As I think I've mentioned before, I have a Westlaw alert set up on TCPA cases, usually triggering several alerts each week, and the amount of wasted judicial resources is stunning--there is a steady and mind-numbing stream of rulings over whether TCPA lawsuits are covered by advertising injury insurance; whether (in light of the business relationship exception) TCPA plaintiffs have enough in common to form a class; whether the TCPA preempts state law; and lawsuits where plaintiffs try to get standing to sue under TCPA provisions that are clearly specified as enforced only by the FTC or FCC. In other words, most of the rulings relate to largely procedural squabbling before the parties even get to the substance of the marketer's allegedly impermissible behavior. What a colossal waste of society's resources.

Fortunately, rulings like this one (and others I've blogged about based on anti-SLAPP and Rule 11 sanctions) suggest that plaintiffs can and do go too far and that courts won't ignore this either. But it remains to be seen how well these sanctions work at curbing litigation abuse. At minimum, I hope this award convinces Gordon that his "spam business" may not be as profitable as he initially thought.

HT: Venkat

Posted by Eric at 01:45 PM | Spam | TrackBack

August 01, 2007

July 2007 Quick Links, Part II

By Eric Goldman

Virtual Worlds

* After a remarkable run as media darlings, Second Life is now experiencing some of the inevitable backlash. Case in point: Wired's "How Madison Avenue Is Wasting Millions on a Deserted Second Life." In this respect, Second Life reminds me a little of Keen.com--both provide fantastic platforms for monetizing user-generated content, but that powerful economic platform is likely to take root primarily in the sin businesses (porn, gambling, etc.). (FWIW, Keen.com appears to have cleaned up the dial-a-porn and is now focused exclusively on dial-a-horoscopes). As a result, it will be interesting to see what happens to Second Life's numbers in response to their anti-gambling crackdown. Meanwhile, lawyers--the classic late adopters--are gushing about Second Life's potential as a business generator--an interesting counter-perspective to the Wired article.

* World Copyright Law Report: "Some residents have been using a rogue version of a program called CopyBot to make a copy of anything in the Second Life world, thus threatening to undermine the whole basis of the Second Life economy."

Wikipedia

* More marketers wake up to the value of inserting links into Wikipedia despite Wikipedia's nofollow tag. See my earlier explanation of this. Meanwhile, a Wikipedia administrator talks about what Wikipedians consider white hat practices for marketers.

* Willing to cite to Wikipedia in your legal briefs? Need some custom-tailored authority to support your argument? Edit Wikipedia to say what you want!

* Mike Godwin has become Wikimedia’s GC. You may recall that Mike and I bet about Wikipedia’s future; it appears he has raised the stakes on that bet substantially!

User Generated Content

* "GC's Client from Hell": Whole Food's CEO John Mackey pseudonymously posted about his company's stock and his competitor's stock on Yahoo Finance. The WSJ article has some of the juiciest postings. The NYT on CEO "sock puppetry."

* A restaurant owner used consumer reviews from Yelp as part of deciding to fire employees.

* Interesting interview with the pseudonymous founder of a pay-for-Diggs business.

Blogs

* The ABA Journal has entered the crowded field of blawg directories with one of their own.

* Blawgworld 2007: 77 blawgers chose their favorite posts, which were compiled into an e-book. The compilation turns out to be a great way to get noisy blawgers to promote their brilliant contributions to the e-book, which generates traffic and link love for the publisher, which in turn creates a nice delivery vehicle for sponsored content/advertising.

Miscellaneous

* Asch Webhosting, Inc. v. Adelphia Business Solutions Investment, LLC, 2007 U.S. Dist. LEXIS 52932 (D. N.J. July 23, 2007). IAP terminates customer based on complaints that customer was a spammer. Court holds that the consequential damages waiver applies, effectively negating customer's alleged damages. Rejecting the customer's argument that the termination was in bad faith, the court says: "Plaintiff’s arguments about the accuracy of the spamming complaints do not change the Court’s determination because regardless of the ultimate accuracy or veracity of the spamming complaints, defendant was entitled to rely on those complaints so long as it did so in good faith, and plaintiff has not demonstrated any bad faith by defendant." HT: Technology Law Update.

* Consumer Law & Policy Blog: "companies in two recently filed federal cases explicitly invoke [the recent Supreme Court decision in] Leegin as a justification for terminating the eBay auctions of competitors that charge lower prices online."

* Declan on whether anti-spyware vendors are screening for "fedware" (government keystroke loggers designed to capture data before it's encrypted).

Fun

* More proof that technology can save lives: During a power outage at a hospital, doctors were able to complete a surgery using the light of open cellphones.

* I’m a new fan of Oddee. Some recent posts (it helps to think about sexual connotations when interpreting the photos):
- "15 Unfortunately Placed Ads."
- "Most Unfortunate Logos Ever"
- "Unfortunate Business Names.”

Posted by Eric at 11:06 AM | Adware/Spyware , E-Commerce , General , Internet History , Marketing , Spam , Virtual Worlds | TrackBack

July 02, 2007

June 2007 Quick Links

By Eric Goldman

Email

* Spam cases are coming at a regular clip, and it's tricky divining the latest state of the law. Two recent cases that caught my attention:
- US v. Impulse Media Group, 2007 WL 1725560 (W.D. Wash. June 8, 2007). This case involved a porn site that used affiliate marketers who didn't comply with the porn spam labeling requirements. The government argued that the advertiser should be strictly liable for this breach, but the court fairly emphatically rejected that (same as Cyberheat). But the news isn't all good for the defense, as the court also rejected its SJ motion, showing that the question of scienter about affiliate behavior remains a tough one for courts. Venkat's writeup.
- Kleffman v. Vonage Holdings Corp., No. 07-2406 (C.D. Cal. May 22, 2007). A nice complement to the Facebook v. ConnectU case, each holding that aspects of California's anti-spam laws are preempted by CAN-SPAM. In this case, the targeted behavior was the fact that the emailer may have used multiple email addresses to bypass electronic spam filters, but there wasn't anything false/deceptive about each email itself. See the BNA write-up and Venkat's writeup. I've lost track of the preemption cases, but it seems like state anti-spam laws are really getting munched after the Mummagraphics case.

* NYT on the pros/cons of captchas.

* Goodmail has expanded its pay-to-email system to Comcast, Cox, Roadrunner and Verizon.

Intellectual Property

* In Explorologist v. Sapient, involving the posting of a video deconstructing Uri Geller's act, the defendant is arguing (per CCBill) that 47 USC 230 preempts British copyright law.

* A rushed high school yearbook editor downloads lots of Facebook photos and adds them to the yearbook to fill space. Not a good idea!

* Techdirt: Who owns the right to license the design of military weapons to toy manufacturers?

* Marty on intellectual property protection for sexual activity.

Contracts

* A California man claims he bought a Gateway computer that never displayed text properly. Is he bound to the clickthrough agreement displayed on bootup? If this is the only way Gateway presented its contract, the answer should be no.

* At a conference at Southwestern Law School, I heard Prof. Lon Sobel talk about "idea submission" law. He illustrated the phenomenon that "where there's a hit, there's a writ": he suggested that hit TV shows produce an average of 6 "you stole my idea” demand letters. The great 1980s movie Coming to America produced 12 such letters, which resulted in 7 actual lawsuits. Interestingly, Prof. Sobel made the case (implicitly, not explicitly) that there is no separate law of "idea submissions," but rather any such doctrines are subsumed within standard contract law.

eBay

* eBay has changed its stance towards fighting counterfeiters, and it now does more policing itself.

* eBay shill bidder pays $400k to settle with NY AG.

Social Networking/Blogs

* The NCAA kicked a reporter out of the stadium for live-blogging the event. Tip to NCAA: It’s neither possible nor wise to control the flow of real-time information. Get over it. HT: Techdirt.

* Just came across this article: Stacey Schesser, MySpace on the record: The admissibility of social website content under the Federal Rules of Evidence, First Monday, volume 11, number 12 (December 2006).

* Wired: 7 MySpace sex offenders busted.

Marketing/Advertising

* AMCO Ins. Co. v. Lauren-Spencer, Inc., 2007 WL 1795970 (S.D. Ohio June 20, 2007). Insured offers jewelry from a website. Third party claims that the insured's jewelry constituted copyright infringement. Insured tenders the lawsuit to her insurance company under the advertising injury policy. Insurance company seeks a DJ of no coverage. The court says that the website constitutes advertising for the products, and so the policy applies to photos of the allegedly infringing jewelry items, even if the photos themselves were created by the insured. Observation #1: The advertising injury policy is very helpful to web businesses. Observation #2: Due to cases like this, I suspect insurance companies are reducing their willingness to offer advertising injury coverage to web businesses.

* Taylor v. XRG, Inc., 2007 WL 1816142 (Ohio App. Ct. June 21, 2007). The defendant was a vendor retained by bulk fax senders that handled consumer responses, including opt-outs from future faxes. Court held that the vendor wasn't liable for any TCPA/state anti-junk fax laws allegedly broken by the fax sender.

* Newish ad format: ads running 2 seconds in duration.

Search

* It's taken me a while to digest some of Google's new efforts. First, Google released two tools (a new toolbar button and a new personalized tab) to anticipate searchers' needs based on their past searches. Second, Google expanded its search history to incorporate all aspects of a user's searching through its services (what it calls "web history"). Meanwhile, Google has reduced its storage of personalized search data from 18-24 months to 18 months before that data gets anonymized. FWIW, I've been using Google personalized search since November 2005 (presumably, some of my data will be flushed any time now). Google has now captured almost 12,000 searches (with a high so far of 255 searches in a single day). Despite this, Google still doesn’t do a good job making predictions for me.

* Another great study from Jim Jansen (see the last one I blogged about). This one presented identical search results branded from different search engines and found that consumer ratings of relevancy varied based on the brand (Yahoo and Google came out on top). The logical inference--branding does matter to perceptions of relevancy. HT: SEL.

* Matt Cutts on the various ways humans affect Google search.

Domain Names

* Denmark's .dk TLD registry has enacted rules targeted at wiping out domainers. See here (Sec. 8.3.6).

* What's hotter than iPhones? iPhone-related domain names.

Adware/Spyware

* Declan on the latest legislative rally against spyware, the Senate's Counter SPY Act.

* The FTC issued final approval for the DirectRevenue settlement of $1.5M. Commissioner Leibowitz dissented, saying the cash payment was too light.

Online Reputations

* Avvo has filed a motion to dismiss the lawsuit over its ratings of attorneys. The motion is very heavy on the 1st amendment and very light on 230. HT: WSJ Law Blog.

* The Washington Post gushes about Reputation Defender and its competitors, without really acknowledging the value of reputational accountability or the potential for takedown/pushdown abuse.

* Entrepreneurs figured out a way to game FICO scores. Fair Isaac will try to close the loophole.

* Ed Magedson of Rip-Off Report was the victim of a vicious harassment campaign demanding that he remove complaints from the site.

* Lengthy NYT article on Wikpedia. Not much new there, but it does hint at the young age of Wikipedians, and it talks about how "pride of ownership" motivates Wikipedians.

Other

* June 26 was the 10 year anniversary of the classic Reno v. ACLU Supreme Court opinion.

* The NYT has launched a new technology blog called BITS.

Posted by Eric at 02:37 PM | Adware/Spyware , Content Regulation , Copyright , Derivative Liability , Domain Names , Internet History , Licensing/Contracts , Marketing , Search Engines , Spam , Trademark | TrackBack

June 03, 2007

May 2007 Quick Links

By Eric Goldman

Spam

* MySpace Inc. v. The Globe.com Inc., No. CV 06-3391 RGK (C.D. Cal. Feb. 27, 2007). This case has some personal interest because theglobe.com was one of my flagship clients before I left the law firm in 2000. This ruling held theglobe.com liable under CAN-SPAM, California's anti-spam law and the user agreement for spamming within the MySpace network. See the BNA writeup. Among other remarkable angles of this ruling, the court upholds the liquidated damages clause based on the anti-spam restrictions in the contract. Based on this adverse judgment, in April the parties settled for over $2.5M —basically, all of theglobe.com’s remaining cash, leaving its survival in serious jeopardy.

Domain Names

* Domainers are hot. Business 2.0 article on Kevin Ham, a major domainer who has wildcarded Cameroon's .cm TLD. NYT article on NameMedia, which owns 725,000 domains.

* From the AP: Entrepreneurs loaded up on Virginia Tech- and victim-related domain names following the massacre.

Marketing

* Broadway producer Scott Rudin was annoyed that the New York Times' website published user-submitted reviews of his play. To tweak them for doing so, the play cherry-picked some comments from the users' submissions and ran them in ads for the play with the attribution "The New York Times Online." An NYT editor objected to that attribution because it connoted an editorial judgment of the paper, rather than the paper's readers. Read the fun back-and-forth between Rudin and the editor.

* From the Washington Post: Billboards are the second-fastest growing ad category (after the Internet) due to increased traffic congestion and new digital billboard technology. And a technologist has developed eye-tracking technology that may let billboard advertisers accurately count eyeballs.

* Optima Funding, Inc. v. Strang, 2007 WL 1430699 (Cal. Ct. App. May 16, 2007). A mortgage company said it never sent unsolicited faxes or authorized anyone to do so on its behalf, but it did use lead generation companies. Strang sued Optima repeatedly in small claims court for TCPA violations. Optima struck back with a 17200 claim, basically saying that Strang was falsifying evidence to connect Optima to the faxes. In this ruling, the California Appellate Court upholds Strang's anti-SLAPP motion to strike.

* NYT: Custom postage stamps haven't really caught on. (Note: I just tested on them in my IP course exam).

* NYT: "The High Price of Creating Free Ads." Advertisers may not save any money by relying on user-generated ads. See my previous blog post about the legal costs of UGC ads.

* Rebecca discusses false advertising developments in one of our least favorite 1201 cases, Static Control v. Lexmark.

* AP: Wisconsin bar owner gets a ticket for serving Coors Light beer using a Miller Lite-branded tap. He should have known better than to cross the only major brewery still in Brewtown by serving Colorado beer.

Search Engines

* Brodsky v. Yahoo (C.D. Cal. complaint filed May 11, 2007). A stockholder derivative lawsuit against Yahoo alleging that Yahoo inflated its stock price by hyping its ad businesses. I read through the lengthy complaint and found it mostly nonsensical. For example, consider this allegation of wrongdoing: "whereas Yahoo!’s rivals were paying high-traffic vendors to route traffic through their Web sites, Yahoo! was charging large vendors for access and was dependent on that revenue to make its revenue targets, making Yahoo!’s Web site a less desirable location for vendors to drive traffic to." Huh? Search Engine Land has more.

* Google has blacklisted all term paper websites from its AdWords program. Reminds me a little of Macellari v. Carroll

Intellectual Property

* Grisman v. YouTube, Inc., C-07-2518 (N.D. Cal. May 10, 2007). Second class action lawsuit against YouTube (and third major broadside, including the Viacom lawsuit). Appears to be highly derivative of the Football Association Premier League lawsuit (see the WSJ Law Blog for more on this).

* Clark v. Amazon.com, CIV S-05-2187 (E.D. Cal. May 10, 2007). Clark published a book, sold 187 copies and gave away 234. He sued Amazon (and other online booksellers) claiming that he alone had the exclusive right to distribute the book, so their resales were infringing. Amazon responded that the resales were covered by the First Sale doctrine. Clark responded by saying that Amazon sold more copies than he sold/gave away, but that's because Clark mistakenly believed that a seller's lifetime transactions rating were all based on sales of his book. Summary judgment for Amazon.

* Like other content producers, pornographers are feeling the sting of online competition--especially due to the low barriers to entry of amateur-produced content.

* From Washingon Post: Appraisers are going to war over recycling of data they generate during appraisals, which they claim violates promises made to them. When I was guest-blogging at Concurring Opinions, I blogged on the possible IP angles of this dispute.

* BusinessWeek: "Faking out the Fakers: Faced with a tidal wave of counterfeit goods, companies are turning to secretive sci-fi technology. But crooks catch on fast." It's like the analog version of DRM.

* The USPTO's collection of aural TMs.

Miscellaneous

* Bray v. QFA Royalties LLC, 2007 WL 1306517 (D. Colo. May 3, 2007). Posting a suicide note on a private franchisee-group's website isn't grounds for termination of franchises. See Wiggin and Dana's writeup.

* Nazaruk v. eBay, Inc., 2007 WL 1417287 (10th Cir. May 15, 2007). In a non-substantive opinion, the 10th Circuit upheld the venue clause in eBay's user agreement. My post on the district court opinion.

* Washington Post article on individuals declaring "email bankruptcy," i.e., deleting everything in their in-box and starting afresh.

* To mitigate risk, the Concurring Opinions multi-contributor blog has been converted into an LLC.

* University of San Francisco has created a single page aggregating blogs from the entire USF community.

Posted by Eric at 12:59 PM | Content Regulation , Copyright , Derivative Liability , Domain Names , Internet History , Licensing/Contracts , Marketing , Search Engines , Spam , Trademark | TrackBack

May 31, 2007

Pew 2007 Spam Survey

Pew has updated its periodic survey on user attitudes towards spam. Its conclusion:

Spam continues to plague the internet as more Americans than ever say they are getting more spam than in the past. But while American internet users report increasing volumes of spam, they also indicate that they are less bothered by it than before. Users have become more sophisticated about dealing with spam; fully 71% of email users use filters offered by their email provider or employer to block spam. Users also report less exposure to pornographic spam, which to many people is the most offensive type of unsolicited email. Spam has not become a significant deterrent to the use of email, as some observers speculated it might when unsolicited email first began flooding users’ inboxes several years ago. But it continues to degrade the integrity of email. Some 55% of email users say they have lost trust in email because of spam.

Deborah Fallows, the report writer, speculates on why users are less bothered by spam, She hypothesizes:

* users are receiving less porn spam
* users are savvier about identifying spam
* more users are using filters, hiding their email addresses and engaging in other smart practices

Interestingly, these explanations appear to be largely independent of legislative efforts to curb spam. Obviously CAN-SPAM targeted porn spam, and the FTC has brought some enforcement actions, but my gut tells me that any reduction in porn spam is due to improved technological filtering, not the law. Otherwise, it seems like technology and evolving social practices are helping users cope with spam.

Previous material on this topic:

* Spyware, the Pew Report, Anti-Terrorism Efforts and Coping with Spam

* Where's the Beef? Dissecting Spam's Purported Harms. Lamenting the passage of CAN-SPAM, I wrote:

Even if CAN-SPAM beneficially affects the flow of unwanted e-mails, any legislative solution seems inherently empty. Without legislative intervention, society will find ways to cope with spam, just as we have with other media. Meanwhile, entrepreneurs will continue to develop better tools to sort wanted and unwanted communications. Thus, more patience with the spam “problem” might have facilitated the development of superior results organically.

Posted by Eric at 11:17 AM | Spam | TrackBack

May 28, 2007

Facebook's Lawsuit Against Competitive Email Harvesting Continues--Facebook v. ConnectU

By Eric Goldman

Facebook, Inc. v. ConnectU LLC, 2007 WL 1514783 (N.D. Cal. May 21, 2007)

A universal truth of the digital era: a website displaying user email addresses will be targeted by email harvesters sweeping up those email addresses to spam the users--either to poach a competitor or to send bona fide spam. This is hardly a new phenomenon; I can't believe it's been almost a decade since eBay's competitor Onsale harvested eBay users' addresses and sent competitive spam (an action which prompted eBay to encourage users to adopt handles that weren't the users' email addresses).

Social networking sites have lots of user contact info that makes them juicy targets for the harvesters, so they have had to be particularly vigilant against spammers. In this case, Facebook sued a competitive social networking site, ConnectU, for a harvesting/spam attack. (This isn't the only battlefront between the parties; in separate litigation, ConnectU claims that Facebook stole ConnectU IP). In this ruling, ConnectU moves to dismiss Facebook's claims, with limited success.

The most interesting ruling relates to California Penal Code 502. If you haven't looked at this statute recently, you'll be amazed at its breadth and the fact that it provides for civil remedies in the penal code. The operative provision here restricts "Knowingly accesses and without permission takes, copies, or makes use of any data from a computer, computer system, or computer network." Apparently, ConnectU provided a tool that enabled Facebook users to provide ConnectU with their login credentials, which ConnectU then used to grab data from Facebook's servers. (I tested on very similar facts in my 2006 Cyberlaw exam--see Q2). The court has no problem saying that, as alleged, ConnectU knew it was accessing Facebook's servers and took data without Facebook's permission. There have been other 502 rulings in California, but this ruling reminds us of the statute's scope and its utility as an anti-trespass doctrine.

The court also dismisses (with a grudging leave to amend) Facebook's various anti-spam statutory claims. First, the court holds that Cal. B&P 17529.4 and 17538.45 are both preempted by CAN-SPAM. I've lost track of all of the state anti-spam preemption cases, but I think it's significant that the court casually wiped these two California statutes off the books. Second, the court dismisses Facebook's federal CAN-SPAM claim because Facebook didn't allege that ConnectU's emails contained false/misleading header info. (Even if there was falsity, the Mummagraphics court suggests it would have to be material to be actionable).

Posted by Eric at 09:35 AM | Internet History , Spam , Trespass to Chattels | TrackBack

May 02, 2007

Utah's "Don't Email the Kids" Registry a "Financial Failure"

By Eric Goldman

A couple of years ago, Utah and Michigan adopted laws creating "don't email the kids" registries (called the "Child Protection Registry"--see Utah's and Michigan's). These laws allow parents to register email addresses held by kids and requires marketers sending email/spam that's inappropriate for kids to check the registry and screen out the kids' addresses.

Policy-wise, these laws are broadly appealing. First, everyone hates spam, so anything that might reduce spam is ipso facto a good thing. Second, this law is designed to protect kids from Internet evils—a politician’s nirvana!

However, I don’t think either of these rationales (reduce spam or protect kids) capture the real reason why these laws were enacted. Instead, I suspect pure-and-simple economic opportunism. In practice, the law is just an email tax. Legitimate companies concerned about legal compliance will pay to check the registry, creating a stream of new tax revenues mostly generated from out-of-staters. (Naturally, illegitimate spammers won’t comply with the law under any circumstance). You can imagine how politicians would eagerly leap at the opportunity to get a couple farthings' tax on email traffic. CA-CHING!

Meanwhile, only one company--Unspam, a for-profit company--operates a "don't email the kids" registry. I can imagine how this could be a great sales pitch to generate demand for Unspam’s services: Hey legislators, enact the law, generate new tax revenues on email traffic, you get an economic windfall, we get a cut, and EVERYONE WINS!

Despite this seductive pitch, we’ve learned that the "don't email the kids" laws are riddled with problems. For example, mechanically Unspam's registry doesn’t try to authenticate that registered emails are associated with kids, turning the registry into an across-the-board do-not-spam registry (something I think isn’t good policy). The law also suffers from the sheer illogic of trying to erect geographic borders on email traffic; a federal district court didn't agree with this concern, but we may not have heard the final word on this point.

Plus, there's the challenge of protecting the privacy of kids' email addresses in the database. As Wendy Davis of MediaPost reported last Fall:

It's now come to light that several weeks ago, a state employee in Utah released the e-mail addresses of four minors to the Email Sender and Provider Coalition. That gaffe occurred even though Unspam--the private agency managing the list--said it was inconceivable that the list would ever be divulged. "Even if ordered by a court or held at gunpoint, there is no feasible way that I, any Unspam employee, or any state official could provide you even a single address that has been submitted for compliance by any sender," Prince reportedly said in an affidavit.

WHOOPS!

Even more problematically, according to the Salt Lake Tribune, the law has been a "financial failure": the law was projected to bring $3-6M in revenues to the state, but gross revenues have been $187,224, split 80% to Unspam and 20% to Utah—netting Utah a grand total of $37,445. Worse, the law has cost Utah a lot of money, including the following directly attributable expenses:

* $58,000-a-year in prosecutorial fees (estimated cost in original law--not sure if this money has been spent)
* $75,000-a-year for a full-time Department of Commerce investigator (estimated cost in original law--not sure if this money has been spent)
* $100,000 for a private lawyer to defend the law in court (under a contract that could cost up to $200,000). Utah undertook this expense only after Unspam incurred $70,000 of defense costs itself and then cried “no mas,” although the Salt Lake Tribune article indicates that during pre-passage discussions, Unspam may have suggested that it would solely bear the defense costs.

I'm sure this law imposes other "soft" costs throughout the Utah governmental system, plus there are the transaction costs and deadweight losses inherent in any tax. But ignoring these indirect costs and evaluating the law strictly on a cash basis, this law still looks like a bad economic decision for Utah.

There is a meta-lesson here: legislatures rarely can add to state coffers via Internet regulation. Unfortunately, Utah hasn’t yet internalized this lesson despite two highly visible failures. First, in 1995, Utah enacted a digital signature law designed to capture a little piece of the e-commerce pie by becoming the safe haven for digital signature vendors--but there were no takers, so the law sat on the books unused for a decade before Utah repealed the law last year. Second, Utah tried again with this "don't email the kids" law and appears to have struck out financially as well.

Amazingly, despite these precedents, Utah keeps trying! Its latest attempt to get a little Internet gravy is the Utah Trademark Protection Act, where Utah plans to tax (mostly out-of-state) keyword advertisers. As Sen. Eastman told BNA, “Utah can be the trademark registration capital of the country, just as Delaware is the incorporation capital.” Not only would the registration fees flow back to Utah and perhaps to a Utah-based registry vendor such as Unspam (which expressed some interest in bidding on the registry contract), but Sen. Eastman thinks the law may stimulate demand for Utah’s trademark lawyers. However, there are good historical reasons to believe that the Utah Trademark Protection Act isn’t likely to fulfill these dreams of prosperity. This is yet another good reason for the Utah legislature to reconsider the law.

Posted by Eric at 03:23 PM | Content Regulation , Internet History , Spam , Trademark | TrackBack

May 01, 2007

April 2007 Quick Links

By Eric Goldman

* Rebecca blogs on CollegeNET, Inc. v. XAP Corp., 2007 WL 927946 (D. Or. March 26, 2007), where a jury awarded $4.5M in damages under 43(a) because the defendant had a privacy policy saying it wouldn't disclose personal information to third parties "without the user's express consent and direction," but when users affirmatively said “yes” to "Are you interested in receiving information about students loans and financial aid?," the defendant sold the name to a third party. This is the right result because the combination of the two statements--we won't disclose to third parties, and a lack of pronouns about who would send the information about loans/financial aid—clearly imply that the information would come only from the defendant. However, it would have been easy to avoid this result! As the court points out, the defendant could have added one more line to the privacy policy ("If you ask for more info on loans/financial aid, we may provide your name to third parties") or pronouns to the call-to-action ("Are you interested in receiving information about students loans and financial aid from us or selected third party vendors?"). While the result is right, the damages sure seem high.

* Claria has taken its PersonalWeb tool out of beta. This tool creates a personalized navigation page for consumers by inferring their preferences rather than requiring them to proactively customize the personalization, which only 10% of users did.

* From BusinessWeek: To capture interest in a hot story, media entities buy keywords like "Virginia Tech massacre" immediately following tragedies.

* MailChannels' technology deliberately introduces latency into its server's handshakes, effectively creating a slow lane for spammers.

* Internet Archive v. Shell has settled. John O. may have more thoughts on this.

* Latest evidence that consumers don't always want to have their say: less than 0.2% of visits to YouTube and Flickr are for the purpose of uploading content.

* Todd J. Hollis' lawsuit against dontdatehimgirl.com has been dismissed for lack of jurisdiction. Unfortunately, the court deliberately sidestepped the 47 USC 230 issue, which would have been a simple way to clear the docket permanently.

* BusinessWeek article on how dictionary-makers are struggling to sort through the proliferation of new well-known words via the web.

* A historian raises some quality concerns about Google's book scanning efforts. I think the metadata issue is particularly serious, as many people will expect Google's metadata to be accurate and will cite it accordingly. HT Rebecca.

* Lawsuit over a botched tattoo. Whoops! Speaking of bad-idea tattoos, check out my archive post on tattoo advertising.

* New York councilman wants to ban "menu spam."

* Thyroff v. Nationwide Mutual Insurance Co., No. 41, 2007 N.Y. LEXIS 264 (N.Y. Mar. 22, 2007), holding that electronic records are protected by a state law against "conversion." This is certainly consistent with some precedent, such as Kremen v. Cohen, 325 F.3d 1035 (9th Cir. 2003) saying that domain names can be converted, but this broad holding seems plainly wrong. With respect to copyrightable electronic records, federal copyright law should preempt state anti-conversion laws. What am I missing?

* Some items that made me laugh this month:

- Dilbert on crowded trademark namespaces

- Comedy Central has the amazing story of My-T-Boy, the cute branded character who lapsed into the public domain

- Marge Simpson googles herself and doesn't like what she sees from the satellite image of her home. Very funny!

Posted by Eric at 06:20 PM | Derivative Liability , Licensing/Contracts , Marketing , Privacy/Security , Spam , Trademark | TrackBack

April 07, 2007

When Congress Giveth, is the Dormant Commerce Clause Taken Away?--Free Speech Coalition v. Shurtleff

by Ethan Ackerman

Free Speech Coalition, Inc. v. Shurtleff, 2:05CV949DAK (D. Utah March 23, 2007)

Why do courts seem eager to use CAN-SPAM's preemption language to give state email laws a free pass from the Dormant Commerce Clause?

Utah's courts and legislatures are earning some scrutiny lately. Seems like the general meme in Salt Lake City is to write laws that pretty clearly reach outside the Wasatch and Cottonwood valleys and touch stuff all over the internets. While some lawyers (like the state legislature's drafting counsel) are trying to reign things in, a recent Utah federal District Court ruling seems to be whipping the horses on.

The Free Speech Coalition, a trade association of "adult" publishers and marketers, has been tackling Utah's Child Protection Registry on several legal fronts for some time, and the challenges have received some coverage (see, e.g., here and here). A recent ruling in the case upholding the Utah act on several fronts has enough interesting tidbits to merit several entries, so this entry will focus on just one - the rather unique results from the intersection of preemption doctrines and the CAN-SPAM Act's preemption safe harbors.

The Harbor that Swallowed the Doctrine?

The District Court denied the Free Speech Coalition's request for a preliminary injunction of the Utah act. Contrary to the Coalition's assertions, the judge said the Utah act did not violate the Dormant Commerce Clause because it was authorized by Congress in the CAN-SPAM act. Several amici supported this argument, including the US Department of Justice and (perhaps somewhat self-interestedly) unspam, the for-profit operator of the Utah registry.

We’ve covered the Dormant Commerce Clause here before. Briefly, the Dormant Commerce Clause (DCC) constitutionally constrains some state laws, but it does not apply when federal law affirmatively authorizes those state laws. The rationale? Congress, not the states, can regulate interstate commerce - but Congress can, if it wants to, delegate its power to the states to do what they couldn't otherwise do.

Judge Kimball says that’s what happened here. Due to CAN-SPAM, he said that "Congress has expressly allowed states to regulate commercial email" by choosing not to preempt some types of state laws related to email. By creating safe harbors for some state laws, Congress effectively immunized them from DCC challenges. Judge Kimball bolstered this conclusion by citing to the similar holding in Beyond Systems v. Keynetics, which also rejected a DCC challenge against a Maryland anti-spam law on the grounds that it was covered by CAN-SPAM's safe harbor.

So why the trend away from applying the DCC? Prior to CAN-SPAM, a court had to evaluate whether a state law impermissibly burdened out-of-state commerce, and no medium is more interstate—and even international—than the Internet. Certainly the judge wasn't declining to apply a rigorous DCC analysis because it was too much work - Judge Kimball did the analysis in a belt-and-suspenders alternate holding. What magical flick of Congress' pen all of the sudden relieves a judge from evaluating the Constitutionality of a state law?

The judges in both Beyond Systems and Free Speech Coalition may be correct that state regulation explicitly authorized by federal law isn't susceptible to a DCC challenge, but it's a big jump to say that this Utah law was explicitly authorized by CAN-SPAM. To reach this conclusion, a court must pile several suspect conclusions on top of each other.

Strictly speaking, Congress didn't explicitly authorize either the Utah or Maryland acts. Instead, it referred to a class of anti-spam laws generally in the CAN-SPAM act. That's not a big deal. Congress can’t easily enumerate every unpreempted state law, and it’s impractical to have Congress update the safe harbor every time a new state law is passed or an existing one is amended. But that's also the Achilles heel of preempting state laws by general reference - we can't really tell if Congress intended to preserve a state law that wasn't even written, or was subsequently amended, when Congress drafted the safe harbor. Thus, in my opinion, the prudent approach is to construe the authorization very narrowly.

In this case, the Utah law only arguably fits into a CAN-SPAM safe harbor. CAN-SPAM has two relevant safe harbors for (1) anti-deception email-only laws, and (2) non-email-specific computer crime laws. He said the Utah act may not fit in the first category but fit into the second category of computer crime laws.

However, to reach this conclusion, the Judge had to wrestle with an internal contradiction: the Utah Act had to relate to spam to qualify for CAN-SPAM’s preemption from DCC analysis, yet the court had to simultaneously say that the law was not email-specific enough that it qualified for the non-email-specific safe harbor.

The likely analytical error here is that CAN-SPAM's preemption safe harbor intentionally sweeps wide beyond email - it's trying not to preempt any laws that don't relate to email. But that same breadth shouldn't act as a DCC shield too. Congress wasn't actually affirmatively blessing certain state email laws. It was merely acknowledging that some state laws might apply to lots of behavior (including email) that Congress would have no problem with. By rough analogy, a federal insurance law might preempt some, but not all, state insurance laws. Unrelated state insurance fraud laws would almost certainly NOT be preempted by the federal law, but that shouldn't excuse those state fraud laws from a DCC analysis.

___

Eric's Comment: I just want to reinforce one point in Ethan's analysis. Based on a straight reading of the CAN-SPAM statute, it is fairly clear to me that CAN-SPAM's exclusion for state computer crime laws meant only medium-neutral laws. Thus, a state email-only crime--like Utah's law here--should be preempted by CAN-SPAM. Otherwise, as Ethan points out, the exception effectively eliminates all preemptive effect of CAN-SPAM because states can freely enact any anti-spam laws--even those that conflict with CAN-SPAM or with other states' laws-- so long as the states attach criminal sanctions to the restrictions. It's possible Congress just screwed this up massively, but for now, my hypothesis is that Congress drafted the preemption language properly and it's this judge who screwed up.

Posted by Ethan Ackerman at 11:12 AM | Spam | TrackBack

March 12, 2007

Affiliate Spam Liability is Fact Question--US v. Cyberheat

By Eric Goldman

U.S. v. Cyberheat, Inc., 2007 WL 686678 (D. Ariz. March 2, 2007)

This case deals with one of the great unresolved Cyberlaw questions: when is an online advertiser liable for the downstream behavior of its media outlets? This question is so important because advertising fuels the Internet economy, both the good--such as the great social benefits produced by ad-supported search engines--and the bad--such as unwanted spam and pernicious spyware. Accordingly, it is critical that advertiser liability policy be set very carefully. Set correctly, bad spam/spyware could dry up. Set incorrectly, the Internet ecology could be destroyed.

Typically, consumer protection advocates favor strict liability for online advertisers. Thus, regardless of advertiser scienter, advertisers should have absolute liability for running ads via unwanted adware or spam. On the plus side, such a theory would probably have the desired benefit of cutting off the flow of advertising to spam and adware.

On the minus side, strict liability for online advertisers also would reduce online advertising across-the-board. Advertisers don’t want the additional liability, nor would they want to spend the time/money to monitor downstream behavior. Perhaps more importantly, I am not aware of any equivalent liability on the part of offline advertisers, so strict liability for online advertisers would represent a type of cyberspace exceptionalism that would likely direct dollars away from online advertisement back to offline advertising.

Interestingly, we have surprisingly little law involving online advertiser liability for media outlets. Statutorily, advertiser liability was enacted in CAN-SPAM and the Utah/Alaska anti-adware laws, but I'm not aware of other statutes. From a case law standpoint, there is surprisingly little precedent. Two relatively recent spam cases, Fenn and Hypertouch, have implicitly rejected strict liability for advertisers (the Fenn case dealt with Utah's anti-spam statute, not CAN-SPAM); in both cases, the advertiser’s use of a contract prohibiting advertising by spam was sufficient to cut off liability for downstream behavior. The Cyberheat case pointed to another case I hadn’t caught before, the Fare Deals v. World Choice Travel.com case, 180 F. Supp. 2d 678 (D. Md. 2001), which also rejected advertiser liability (in that case, for ads running on a website that allegedly infringed trademarks). Finally, there was the recently hyped settlement between the NY Attorney Generals' office and three adware advertisers. However, it's hard to divine much precedent from a settlement, and the chicken-scratch settlement terms imply that the defendants didn't settle because they were quaking in their boots over their legal liability.

(There are other cases, and I haven't done a complete regression to validate this point--but I trust the point is clear that the case law is scrappy and defense-favorable).

The dearth of relevant case law makes the newest case on the topic, US v. Cyberheat, so interesting. The FTC went guns ablazin’ after a porn website for spam sent by its affiliates that allegedly violated CAN-SPAM, arguing under the terms of the statutory advertising liability provision that the advertiser is strictly liable for these spam or should be liable under an implied negligence theory (the case doesn’t use the term “implied negligence,” but the term is designed to characterize the FTC's theory that the facts so clearly establish negligence that the defendant should be liable without any further showing about its mental state).

This tussle over the appropriate scienter requirement appeared to overwhelm the judge, and we get a pretty garbled opinion in response. However, we get one clear statement here: the judge unambiguously rejects strict liability for the affiliate's behavior. Instead, after chasing his tail articulating various vicarious liability/respondeat superior/agency theories, the judge concludes that the advertiser is liable for the affiliate spam only if the advertiser had sufficient knowledge of and control over the affiliates' behavior.

But...how much knowledge and control is sufficient? I have no idea, and frankly, I don't think the judge does either. However, let's look at the facts alleged by the FTC that weren't sufficient to win summary judgment:

* the advertiser didn't have a significant screening process for retaining affiliates
* the advertiser didn't ask affiliates if they planned to do email marketing
* the advertiser had an agreement prohibiting spam but terminated affiliates slowly/inconsistently even when the advertiser received consumer complaints about an affiliate's behavior
* when the advertiser terminated affiliates, it didn't always terminate multiple accounts held by the same affiliate
* the advertiser provided web hosting, marketing and promotional tools to affiliates, including (I believe) serving up the porn images displayed in the emails when opened

The advertiser's principal counterarguments were that it had its contract restriction against spam and that the affiliates were independent contractors. (It was unclear to what extent the advertiser disputed the other facts alleged by the FTC).

So this case will go to trial to determine the advertiser's knowledge/control and whether it acted reasonably under these circumstances. While the FTC might still win this case, this ruling nevertheless must be a sobering wake-up call that the government can't simply allege that liability follows ad dollars and expect to win.

More commentary on this case: Venkat and Reasonable Basis.

Posted by Eric at 03:42 PM | Adware/Spyware , Derivative Liability , Marketing , Spam | TrackBack

March 01, 2007

February 2007 Quick Links

By Eric Goldman

* The California Highway Patrol (which, for reasons unclear to me, has investigatory power here) has concluded that the Angelides campaign did not break any laws when they reverse-guessed URLs on Schwarzenegger's website and found an unrestricted page with a video of the Gov wondering about Assemblywoman Bonnie Garcia's "hot'' temperament because of her mixture of "black blood'' and "Latino blood'' and referring to Assembly Republicans as a "wild bunch." The CHP did recommend that Schwarzenegger's team tighten up their website security. Silly reminder: if you really want keep information a secret, don't put it on a website without password protection.

UPDATE: Greg Haverkamp points me to this document, which explains that the CHP has enforcement power over Penal Code 502 violations involving state computers. Interesting. In my mind, I see Erik Estrada revving up his PowerBook to bust some baddies...

* Voda v. Cordis Corp., 2007 WL 269431 (Fed. Cir. Feb. 1, 2007). Patent owner can't litigate infringement of foreign patent rights in US court as part of supplemental jurisdiction over a US patent infringement claim. Patry's writeup.

* NYT on how YouTube indirectly motivates teens to deliberately do stupid things just for the opportunity to post them and perhaps get notoriety. I had a first-hand observation of this when I trolled through YouTube looking for a Listerine commercial that I might show in class while teaching a case involving Listerine. A search for the word "Listerine" in YouTube produces video after video of people doing stupid things with Listerine, like eating big stacks of their breath film or snorting the breath spray and then writhing in pain. Watching video after video of people repetitively doing stupid stunts, I felt like shouting to these people: "IF YOU'RE GOING TO DO SOMETHING STUPID ON YOUTUBE, AT LEAST BE ORIGINAL!"

* From Steve Bryant at eWeek: Shannon Stovall sues Yahoo for including her photo in Yahoo's welcome email, claiming Yahoo violated her rights of publicity/privacy to the tune of $10M compensatory damages and $10M punitive damages.

* Digg users may mark content they don't agree with as "spam." The most recent example is Danny Sullivan's post on SEO, which got Dugg and then was eliminated when anti-SEO Digg users flagged it as spam. If a website defers content grading to its users, it has to trust that they are reporting their feedback accurately. If they aren't, the whole user grading process breaks down. And speaking of breakdowns, there is an active secondary market for Digg votes--check out how Annalee Newitz bought front page placement on Digg for about $100.

* The always-colorful Chris Hoofnagle has released a new paper, "The Denialists' Deck of Cards: An Illustrated Taxonomy of Rhetoric Used to Frustrate Consumer Protection Efforts." By his standards, I suspect I've dealt a full house with some of my rhetoric! Now, I wonder if he's going to create a complementary deck for bogus rhetorical tactics used by consumer protection "advocates"?

* From the EFF: "Debbie Foster, a single mom who was improperly sued by the RIAA back in 2004 for file sharing, has won back her attorneys' fees." Capitol Records v. Foster, No. 04-1569-W (W.D. Okla. Feb. 6, 2007). Unfortunately, that hasn't stopped the plaintiff from advancing nonsense arguments in the case, including the specious argument that a computer owner is automatically responsible if third parties use the computer to infringe copyrights. Fred at the EFF rightly debunks this argument.

* Wikipedia article: "Wikipedia is Failing." Your perspective about success or failure may be influenced by the impressive traffic gains that Wikipedia is experiencing--Wikipedia is now one of the top 10 most trafficked websites. Most of that traffic is coming from Google.

* Doe v. Josef Silney & Assoc., No 07-04167CA15 (Fla. Cir. Ct. complaint dated Feb., 13, 2007). Golfer Fuzzy Zoeller sues an alleged vandal of his Wikipedia page for defamation and related torts. Fortunately, he left Wikipedia out of the suit. However, he only knows the IP address of the person who modified the page, and that IP address is registered to the defendant. Is owning the IP address enough to establish liability? Or is this like an RIAA blunderbuss sue-first, ask-questions-later approach? It seems like the lawsuit should have been against a Doe, with a subpoena to find out who actually edited the page using that IP address.

* US v. Twombly, 2007 U.S. Dist. Lexis 12664 (S.D. Cal. Feb. 22, 2007). A spammer challenges some criminal provisions of CAN-SPAM as vague and overbroad, but the judge has no problems reading the statute to facilitate sending spammers to the slammer. Venkat's writeup.

* CDT groks (and mostly bashes) a variety of online kid-protection bills proposed in Congress.

* From the NYT: Nancy Pelosi posted some videos from C-SPAN to her blog. The Republicans immediately attack her for "pirating" the videos. Turns out that those videos were actually recorded by the government, so they are in the public domain. Whoops! The Republicans had to issue a mea culpa retraction. However, Nancy did grab a C-SPAN-owned video elsewhere which she had to take down. If our legislative leaders can't figure out what video they can recycle, how in the world can less-trained lay people do so? Patry has more.

* A bearish view on domain name speculation from CircleID. I share the sentiment that domain names don't matter, so domaining and typosquatting strike me as a short-term arbitrage opportunity that inevitably will be mooted by a variety of forces. Thus, the idea of paying 40 or 60 years worth of revenue for a domain name is laugh-out-loud funny to me.

* The Long Tail notes that some brands, trying to build a more esoteric image, try to hide their ownership by mainstream mass-market brands, a phenomenon he calls "brand dis-synergy." Examples: Dagoba Organic Chocolate, Joseph Schmidt, Cacao Reserve and Scharffen Berger chocolates (all owned by Hershey) and Converse (owned by Nike).

* Veritas busted for manufacturing revenues via round-tripping with AOL (Veritas bought AOL ads and AOL bought Veritas software; each at inflated prices).

* What does "or" mean? According to the 8th Circuit, it can mean "and." Ken Adams is on the case.

* Ricky Hoggard Holman, a 18 year old high schooler in Sudbury, Canada, correctly blogged all 24 of the American Idol finalists. How? Online research, such as researching the MySpace pages of contestants and emailing their MySpace friends. He also talked to some of the booted final 40 contestants, a few of whom broke their punitive-laden confidentiality agreement to dish some dirt. Maybe he wasn't studying, but clearly he's learned a few things about the power of good old-fashioned research. (The article says he's a straight A student, so he clearly can balance many things). Nice job, Ricky!

Posted by Eric at 12:03 PM | Content Regulation , Copyright , Derivative Liability , Domain Names , Licensing/Contracts , Marketing , Patents , Privacy/Security , Publicity/Privacy Rights , Search Engines , Spam , Trademark | TrackBack

February 06, 2007

Ezor on Email Blocklists

By Eric Goldman

Jonthan Ezor has posted a short paper (10 pages + endnotes), Busting Blocks: Appropriate Legal Remedies For Wrongful Inclusion In Spam Filters Under U.S. Law, to SSRN. This article deals with thorny issues created by email blocklist services, although he focuses specifically on volunteer organizations. The article discusses an email marketer's recourse for incorrectly being listed as a spammer on a spam blocklist, including defamation and intentional interference with prospective business relationship claims, as well as the limits of those claims under 230(c)(1) and 230(c)(2). He concludes that blocklist vendors should use objective criteria, should have an appeals process to correct mistaken listings, and should be surgical in blocklisting IP addresses. He also concludes that vendors should be:

held to professional standards of conduct, including objectivity, reasonable care, and (to the extent their activities cause harm) accountability. The alternative, relying on their good faith and internal procedures, is no longer acceptable, given how critical e-mail has become.

The issues raised by blocklist services are complex, and they span a variety of rating services online, including spyware filters, Google's PageRank and eBay's feedback forum. On the one hand, filters are simply in the opinion "industry," and they add significant value by centralizing behavior monitoring because it's too expensive for each of us to independently form our own opinions.

On the other hand, by ceding control to filter vendors, we have to trust that these vendors will make good choices. There have been plenty of examples where filter vendors have made questionable choices--the RBL was notorious for being arbitrary and unresponsive, but I've heard plenty of complaints from software vendors upset by their characterizations as adware/spyware and even more complaints from websites unhappy about the operation of Google's PageRank filter. So the centralization of opinion formation can have significant private (and perhaps social) costs if done poorly, and I'm not entirely clear that the market for centralized opinions is particularly efficient.

Thus, opinion vendors can have a lot of power but may not be fully accountable for wielding that power unwisely. Despite this, I favor the production of such opinions, so from a legal standpoint, I think filters should be broadly protected for their choices. On the other hand, we as consumers of filters need to be vigilant about the filters we trust.

Posted by Eric at 10:43 AM | Adware/Spyware , Derivative Liability , Spam | TrackBack

February 02, 2007

January 2007 Quick Links

By Eric Goldman

* Marketers (including Microsoft) are paying authors to write Wikipedia entries. Surprised?!

* Also on the topic of Wikipedia and marketers, Wikipedia has tagged all of their pages NOFOLLOW so that there's no way a marketer or website can get PageRank credit from inserting a link in Wikipedia. A reporter emailed me to ask "Do you think this move staves off the potential demise you have predicted?" My response: "No. This was actually raised in the comments to my initial post on the topic in Dec. 2005. Two points: (1) People who recycle Wikipedia content on their own site (such as Answers.com) may not use the nofollow attribute, so there still may be a PageRank payoff by inserting links on Wikipedia pages. (2) More importantly, marketers may want Wikipedia traffic directly (rather than the indirect boost in search engines). Wikipedia is already highly placed in the search engines, so it is a big traffic source in its own right."

* Speaking of my prediction of Wikipedia’s future, NPR picked up on it.

* Now that MyBlogLog is owned by Yahoo and thus increasing its traffic, Greg Linden reports that it's getting spammed.

* I previously reported that ICANN was thinking about retiring some TLDs. The first casualty? .um (for US Minor Outlying Islands, such as the Midway and Johnston Atolls), which got chucked because the registry operator didn't want to continue operating it and there were no registrations in the TLD.

* "The Search Tax: Are Search Engines Leeches?" This article discusses the role of search engines as intermediaries between consumers and marketers, able to charge marketers for access to consumers (hence, the "tax" reference). The article also discusses the value of buying trademarked keywords:

What's difficult for marketers to swallow, however, is the clear evidence the search engines (and affiliate marketers with good organic rank on brand terms) have the power to insert themselves between the consumer and the brand, even when consumers clearly have an interest in the brand (as indicated by their search query containing the brand or trademark).

Marketers' temptation may be to refuse to pay for brand keywords, sticking instead to the generic keywords that are also clearly aimed at any given target audience. In every case we've tested (and I have tested many and will likely test many more), that would be a mistake, even when the marketer has high organic rank on his brand. The results of every test we've executed indicate the incremental gain received when paying for traffic on a brand term has a very high net ROI (define) because: [1] Significant additional screen real estate on the SERP is gained. [2] The total control over title and description allows for greater offer control. [3] Top positions on one's brand usually aren't very expensive due to the engines' relevance algorithms. [4] The ability to control and tune the landing page results in a conversion rate percentage in many cases is higher for the combined pages than for one alone.

* We might consider the contrast between the prior post and this one: "Should Google Pay Off Brand Owners With Cut Of Keyword Sales?"

* Brand advertisers resist using Google because Google doesn't allow third party ad serving technology. But compare a BusinessWeek article reporting that big brands are buying up CPC inventory and pricing out small- and medium-sized advertisers.

* Google revised its algorithm to eliminate most of the famous Googlebombs (like "miserable failure"). Danny's recap. Google hasn't specified details, but I'm assuming that Google has somehow reduced the weight given to anchor text.

* A search engine marketer predicts the death of SEO with the emergence of personalized search. I agree! (HT: Greg Linden).

* eBay is blocking the auction of virtual assets due to the "legal complexities" of such sales. Because of its differentiated EULA, Second Life virtual assets can still be auctioned. The News.com article suggests that these transactions will move from eBay to other trading fora. Even so, this might inhibit the liquidity of these secondary market transactions, which could reduce the return of virtual asset speculators.

* According to Jakob Nielsen, about 1/2 of online giftcard recipients either junked their email notification or didn't trust it (i.e., thought it was phishing).

* HER, Inc. v. Re/Max First Choice, LLC, 2007 WL 43747 (SD Ohio Jan. 5, 2007). Competitor 1 registers domain names containing Competitor 2's trademarks, Competitor 2's principals' names and the principals' home address and phone number. The domains roll over to Competitor 1's website. Competitor 1 then sends a couple of gripe spam to Competitor 2's employees from some of the registered domain names bashing Competitor 2's business practices. The court isn't sympathetic, granting a PI based on ACPA and trademark infringement. While this type of competitor-bashing isn't permissible (and, frankly, registering domain names with the target people's home address and phone number is bizarre), Competitor 1 should have been able to find ways to deliver the same content without running afoul of the law.

* Google has lost an appeal at the OHIM in Europe over the rights to use the trademark "Gmail" for its email services.

* Does a "lactivist's" t-shirt saying "the other white milk" infringe the Pork Board's trademark in "the other white meat"? No, and what a dumb question!

* The RipOffReport.com has appeared on this blog several times (see here and here, among others). The Phoenix New Times (the local Phoenix alternative weekly) runs a lengthy and interesting story about the Ripoff Report and its principal, Ed Magedson. Worth reading.

Posted by Eric at 02:08 PM | Domain Names , E-Commerce , Licensing/Contracts , Marketing , Search Engines , Spam , Trademark , Virtual Worlds | TrackBack

January 24, 2007

Anti-Spammer Wins 230 Defense--Pallorium v. Jared

By Eric Goldman

Pallorium v. Jared, G036124 (Cal. Ct. App. Jan. 11, 2007)

This case is another 230 defense win (using the rarely used 230(c)(2) provision) protecting anti-spammers for their efforts to combat spam.

Jared published a list of IP addresses for open relays so that others could use this as a blocklist. Pallorium's IP addresses got added to the list, and Jared allegedly refused a request to remove the IP addresses. So Pallorium sued Jared.

Jared defended on 47 USC 230(c)(2)(B), which says "No provider or user of an interactive computer service shall be held liable on account of...any action taken to enable or make available to information content providers or others the technical means to restrict access to material [that the provider or user considers to be obscene, lewd, lascivious, filthy, excessively violent, harassing, or otherwise objectionable]." This rarely used provision suggests that filtering software vendors should not be liable for their filtering judgments, so on its face it looks like a useful defense here.

Pallorium attacked the 230 defense on 3 grounds:

1) Jared wasn't an ICS provider/user. Following the rationale of a long string of courts, the court rejects this by saying that publishing content via a web server accessible to multiple users makes him an ICS provider.
2) The statute does not protect blocking decisions based on a server's status as an open relay. The court rejects this by saying that so long as Jared deemed the content subjectively objectionable, his judgments were protected even if they were overinclusive.
3) Jared didn't provide "technical means to restrict access." The court says that Jared's system of automatically checking if a server was an open relay qualified as a technical means.

I wouldn't say that I was persuaded by the judge's explication on these three points, but the judges reached the right result. I think it's pretty clear that 230(c)(2) protects filtering judgments, and Jared was squarely in that sweet spot as a filtering database provider.

HT: Declan at News.com.

Posted by Eric at 09:58 PM | Derivative Liability , Spam | TrackBack

December 15, 2006

Top Cyberlaw Developments of 2006

By Eric Goldman and John Ottaviani

[Eric’s Note: I will be in Israel for the rest of the year. So while it’s a little premature to publish an end-of-the-year recap, this may be my last post for the year. John O. has the keys to the blog in my absence, so please keep coming back to see what he has to say. I’ll see you in 2007!]

For several years, we have developed a list of the top 10 Internet IP cases in the previous year (see the 2005 list). While we hope to continue that tradition, this year had a number of noteworthy Cyberlaw developments that seemed worth cataloging...and besides, who doesn’t like top 10 lists?

Before we get into the list, some developments we deliberately left off the list:

* National Federation for the Blind v. Target. Some have claimed that this case requires websites to comply with the ADA. At best, this overreads the case. The case reasoning only applies to entities that tightly integrate their websites

Search

Archives

Recent Entries

May 07, 2013

Crazy SOPA-Like Attempt to Hold International Banks Liable for Pharmacy Spam Fails on Jurisdiction Grounds--Unspam v. Chernuk

February 20, 2013

Telephone Consumer Protection Act Case Update – February 2013 Edition

November 15, 2012

Court: Customer Consents to Receive Texts by Providing Phone Number to Pharmacy – Pinkard v. Wal-Mart Stores, Inc.

November 05, 2012

Confirmatory Opt-out Text Message Not Actionable Under the TCPA -- Ryabyshchuck v. Citibank

October 20, 2012

9th Circuit Zings Best Buy Over Robocalls – Chesbro v. Best Buy

September 10, 2012

Courts Allows Text Spam Class Action Against Voxer, a Cell Phone Walkie-Talkie App -- Hickey v. Voxernet

July 25, 2012

Franchisor Isn't Liable Under the TCPA for Franchisees' Text Message Campaign – Thomas v. Taco Bell

July 06, 2012

Confirmatory Opt-Out Text Message Doesn't Violate TCPA – Ibey v. Taco Bell

July 05, 2012

Men's Journal Beats Lawsuit Alleging Violation of California’s “Shine the Light” Privacy Statute -- Boorstein v. Men’s Journal

June 27, 2012

Court Refuses to Dismiss Claims Against Alleged Twitter-Bot Spammer--Twitter v. Skootle

May 30, 2012

Is SOPA's "Follow the Money" Meme Infecting Anti-Spam Litigation? – Project Honey Pot v. Does

March 17, 2012

Text Spam Class Action Against Jiffy Lube Moves Forward – In re Jiffy Lube Int’l, Inc., Text Spam Litigation

March 09, 2012

Group Text Services Grapple with TCPA Class Actions

February 29, 2012

California Appeals Court Says Emails That Don't Identify Sender Violate State Spam Statute – Balsam v. Trancos

February 21, 2012

Facebook Gets Decisive Win Against Pseudo-Competitor Power Ventures -- Facebook v. Power Ventures

January 04, 2012

Nov.-Dec. 2011 Quick Links, Part 3

December 23, 2011

Old School Spam Plaintiff Rebuffed in the Ninth Circuit

December 12, 2011

Text Spam Lawsuit Against Citibank Moves Forward Despite Vague Allegations of Consent -- Ryabyshchuk v. Citibank

October 13, 2011

Court Dismisses Lawsuit Under Michigan Spam Statute Based on Preemption and Lack of Standing -- Hafke v. Rossdale Group, LLC

October 12, 2011

Spam Claims Covered by Contract's Indemnity Clause--Commonwealth Marketing Group v. IMG Assocs.

September 28, 2011

In Facebook's Lawsuit Against Alleged Spammer, Court Denies MaxBounty's Motion to Dismiss

September 08, 2011

Lawyer Hit With $4.2 Million Judgment in Junk Fax Class Action -- Holtzman v. Turza

September 02, 2011

Seventh Circuit Awards e360 a Whopping $3 in Damages Against Spamhaus -- e360 v. Spamhaus

August 24, 2011

Court Affirms Robust ISP Protection For Blocking Bulk Emails -- Holomaxx v. Microsoft/Yahoo

July 26, 2011

Court Rejects First Amendment Challenge to CAN-SPAM Indictment -- US v. Smallwood

July 04, 2011

June 2011 Quick Links, Part 2

April 28, 2011

Jury Rejects Lawyer's Claims Under DC's Anti-Spam Law -- CyberLaw v. Thelaw.net

April 27, 2011

Court Says CAN-SPAM Plaintiff Can't Take Second Bite at the Apple -- Melaleuca v. Hansen

April 19, 2011

Bulk Emailers (Mostly) Lose Three 47 USC 230(c)(2) Rulings--Holomaxx v. Microsoft/Yahoo & Smith v. TRUSTe

April 07, 2011

Claims that Emails were not Labeled as Ads and did not Disclose Tracking Preempted by CAN-SPAM -- Martin v. CCH

April 01, 2011

N.D. Cal.: Facebook Posts are Electronic Mail Messages, Subject to CAN-SPAM -- Facebook v. Maxbounty

March 03, 2011

Jan.-Feb. 2011 Quick Links, Part 4

February 12, 2011

Debt Collection Text May Result in Liability under the Telephone Consumer Protection Act -- Gutierrez v. Barclays Group

January 29, 2011

Class Action Brought by "Lonely and Vulnerable" Men Against Online Cupid Site Moves Forward -- Badella v. Deniro Mktg.

January 20, 2011

CA Appeals Court: Claims Under State Spam Statute Not Preempted by CAN-SPAM - Hypertouch v. Valueclick

January 05, 2011

Lawyer-Spam Plaintiff Loses in the Sixth Circuit Over Allegedly Misleading DISH Network Emails -- Ferron v. Echostar

January 01, 2011

Court Rejects Constitutional Challenge to TCPA Based on Vagueness in "Prior Express Consent" Exception -- Kramer v. Autobytel, Inc.

December 24, 2010

Deep Packet Inspection (NebuAd) Litigation: Court Dismisses ECPA Claim but CFAA Claim Continues

December 17, 2010