Technology & Marketing Law Blog: Spam Archives

Technology & Marketing Law Blog

January 04, 2012

Nov.-Dec. 2011 Quick Links, Part 3

By Eric Goldman

Marketing and Advertising

* Facebook is putting Sponsored Stories in user newsfeeds. Naturally, they will make the ad label almost invisible. Yet another reason to hate Facebook, and what a desperate act of financial overreaching to goose their IPO. FWIW, I absolutely hate that Twitter does the same thing. It's terribly marked as an ad, and it takes me more time than it should to figure out why it's appearing in my stream. Boo for Twitter, and boo for Facebook.

* Then again, not all Twitter ads are objectionable. The most popular tweet of 2011? An ad from Wendy’s.

* Interesting NAD decision involving Coastal Contacts' offer of "free" glasses in exchange for Facebook likes. Compare the subsequent ruling in Fraley v. Facebook.

* Top 10 PR Blunders of 2011.

* FTC does another bust of health marketers who allegedly used affiliates to create fake news sites. Prior blog post.

* Rebecca reports on a lawsuit over marketing that chickens were “raised humanely.” Note to meat eaters: there's no such thing as mass-raising of animals "humanely" for our food consumption. Invariably, meat-eaters who actually take the effort to understand the process of manufacturing meat decide to reduce their meat consumption.

* NYT on caller ID spoofing. The FTC just announced another bust on this front.

* AdAge: FDA's Social-Media 'Guidelines' Befuddle Big Pharma.

* Yahoo Inc. v. XYZ Companies, 2011 WL 6072263 (S.D.N.Y. Dec 5, 2011). Yahoo gets a huge and uncollectable default judgment of $610M under CAN-SPAM against Nigerian spammers.

* Adware déjà vu: Facebook bitches about adware. Prior blog post.

* A table manufacturer tinkers with his AdWords account and discovers a correlation between AdWords and clicks on his organic links (1, 2). Prior blog post.

* Pom loses a jury trial against Ocean Spray over false advertising.

* Washington Post: An inside look at the world of TV news payola/“plugola.”

* Ad Naseum on reverse product placement, i.e., manufacturing virtual brands created for TVs and movies.

* NYT: In China, car brands have very different meanings to consumers than they do in the US (except for BMW, where the brand attributes are surprisingly the same).

* Cracked: 5 Black Friday Myths The Media Wants You to Believe.

Privacy

* In re Facebook Privacy Litigation, 2011 WL 6176208 (N.D. Cal. Nov. 22, 2011). Prior blog post. Judge Ware dismisses the Facebook/Zynga referrer ID case with prejudice. Wendy Davis' coverage. It appears the plaintiffs have appealed (sub nom Graf v. Zynga) to the Ninth Circuit.

* Facebook will make 45 privacy-related changes—almost none of them “important”—to appease the Irish Data Protection bureaucrats.

* Mark Zuckerberg has extensive experience apologizing to Facebook users for Facebook's privacy transgressions.

* USA Today on how Facebook tracks user activity at websites other than its own.

* Cohen v. Facebook appealed to the Ninth Circuit. I'm not sure how the Fraley v. Facebook ruling affects this. Prior blog post.

* Interesting visualization of Facebook’s creeping degradation of privacy for user-provided info.

* In the Matter of ScanScout, Inc., FTC File No. 1023185:

According to the FTC complaint, from at least April 2007 to December 2010, ScanScout’s website privacy policy discussed how it used cookies to track users’ behavior. The privacy policy stated, “You can opt out of receiving a cookie by changing your browser settings to prevent the receipt of cookies.” However, changing browser settings did not remove or block the Flash cookies used by ScanScout, the FTC charged. The claims by ScanScout were deceptive and violated the FTC Act, the complaint alleged.

* FTC bust of Skid-e-Kids for COPPA violations.

* Another cookie litigation settlement where the lawyers get almost all of the settlement value. PaidContent and MediaPost coverage.

* Weber v. Google, over Google toolbar snooping, was quietly dropped.

* Incorp Services, Inc. v. Does 1-10, 2011 WL 5444789 (N.D. Cal. Nov. 9, 2011). The court orders unmasking of alleged click fraudders:

By tracking the clicks over the course of several weeks and narrowing a substantial portion of the activity to only two IP addresses—both owned by the same ISP—Incorp has provided sufficient information to indicate that the responsible parties are “real person(s)” who may be sued in federal court. Incorp also has demonstrated that it took reasonable steps to identify Defendants. Because information pertaining to the assignee of an IP address is maintained by the third-party ISP, the only way in which Incorp is able to identify definitively the parties associated with the suspect IP addresses is by subpoena to the ISP.

* In re Application of the USA for an Order Pursuant to 2703(d), 1:11-dm-00003-TCB –LO (E.D. Va. Nov. 10, 2011). No Fourth Amendment privacy protection for IP addresses.

* NYT provides yet another update on some European regulators' efforts to kill Silicon Valley.

* Peter Fleischer: Harsher data protection sanctions are coming.

Contracts

* Stebbins v. Texas, 2011 WL 6130403 (N.D. Tex. October 24, 2011). Another court calls David Stebbins’ attempt to manufacture an arbitration award “frivolous,” saying “his factual assertions that the alleged contract was formed when Plaintiff sent an e-mail to Defendant with a blog link and a dollar bill describe fantastic or delusional scenarios that are clearly irrational and incredible.” Prior blog coverage (1, 2).

* Garon v. eBay, Inc., 2011 WL 6329089 (N.D.Cal. Nov. 30, 2011). No antitrust claims for vendors who eBay terminated for low ratings. I think eBay should have been able to use 47 USC 230(c)(2) (not discussed by the judge).

* Fadal Machining Centers, LLC v. Compumachine, Inc., 2011 WL 6254979 (9th Cir. Dec.15, 2011). In a B2B context, enforcing an arbitration clause posted to the web that was incorporated by reference in the vendor’s invoices.

* Spam Arrest v. Marketingesquire complaint: Spam Arrest sues an email marketer for violating its TOS by sending "spam."

* Wofford v. Apple Inc. (S.D. Cal. Nov. 9, 2011). Free software update to iPhone software did not constitute a "tangible good or service" for California CLRA purposes.

* How plaintiff firms are adapting to Concepcion.

* WSJ: Are We All Online Criminals?

Posted by Eric at 03:04 PM | Marketing , Privacy/Security , Spam | TrackBack

December 23, 2011

Old School Spam Plaintiff Rebuffed in the Ninth Circuit

[Post by Venkat Balasubramani]

Gordon v. BMG Columbia House, 10-35180 (9th Cir. Nov. 28, 2011)
Gordon v. Inviva, 10-35283 (9th Cir. Nov. 28, 2011)
Gordon v. Commonwealth Mktg. Group, 10-35030 (9th Cir. Nov. 28, 2011)

James Gordon has generated more than a few blog posts as a result of his quixotic quest to hold bulk emailers liable under CAN-SPAM, despite not fitting within the categories of persons or individuals who have standing under that statute to bring private causes of action. He was the plaintiff in the Virtumundo case, in which the Ninth Circuit rejected his claims and effectively put an end to the budding spam litigation cottage industry. ("An End to Spam Litigation Factories?--Gordon v. Virtumundo"; "CAN-SPAM Defendant Awarded $111k in Fees/Costs--Gordon v. Virtumundo.") Following Virtumundo, Gordon was the subject of some collections efforts, where he may have lost his home and belongings. (DirectMag: "Anti-Spammer Loses More than His Lawsuit.")

It turns out, despite his stunning string of failures in court, Gordon is still at it! But he doesn’t seem to be making much progress. The Ninth Circuit recently rejected his appeal in three pending cases. Proceeding pro se, Gordon appealed three district court grants of summary judgment against him. In all three cases, the court affirmed the district court judgments on the basis that Gordon lacked standing to sue under CAN-SPAM and his claims under Washington’s spam statute were preempted. He brought a few additional state law claims (consumer protection act, breach of contract) but the court doesn't give those more than a cursory sentence.

Virtumundo, along with Mummagraphics, the two leading appellate cases construing CAN-SPAM preemption, left a small window available to spam plaintiffs. There has been some attempts by plaintiffs to advance state law claims in California ("CA Appeals Court: Claims Under State Spam Statute Not Preempted by CAN-SPAM"; "Plaintiff Wins $7,000 Following Bench Trial on Claims Under California Anti-Spam Statute"), but for the most part, plaintiffs suing under state anti-spam laws have been shut down elsewhere.

Posted by Venkat at 04:42 AM | Spam

December 12, 2011

Text Spam Lawsuit Against Citibank Moves Forward Despite Vague Allegations of Consent -- Ryabyshchuk v. Citibank

[Post by Venkat Balasubramani]

Ryabyshchuk v. Citibank, 11-cv-1236 - IEG (S.D. Cal.; Nov. 28, 2011)

Plaintiff alleged that he contacted Citibank and inquired about a credit card. Later that day, he alleged he received the following unsolicited text from Citibank:

Free Text Msg: Citi Cards needs to talk with you regarding your recent application. Please call 866-365-8962. To Opt-Out reply STOP.

Plaintiff replied "STOP" and alleged that he received the following from Citibank:

Free Text Msg: Per your request you will no longer receive text alerts from Citi Cards Credit Dept. If you have any questions call 866-365-8962.

Plaintiff sued for violations of the Telephone Consumer Protection Act, seeking statutory damages ($500 per text) and treble damages. Citibank moved to dismiss.

The court says that text messages are "calls" within the meaning of the TCPA, and any text sent with equipment which has the capacity to store or produce telephone numbers using a random or sequential number generator falls within the TCPA. (See Satterfield v. Simon & Schuster.)

Citibank argued that plaintiff "consented" to the text and first relied on plaintiff's initial complaint where he alleged that he "provided his cell phone number" to Citibank in connection with the credit card application. Plaintiff amended his complaint to avoid any implication that he provided his number, instead alleging the second time around that he "contacted Citibank ... by telephone" in connection with a possible credit card. The court says that plaintiff should be allowed to revise his pleadings and there is nothing in the rules which prohibit plaintiffs from making inconsistent or even contradictory allegations in successive pleadings.

Citibank also relied on two FCC pronouncements to argue that plaintiff consented. The FCC stated in 1992 that people who "knowingly release their phone numbers have . . . given their invitation to . . . be called . . . absent instructions to the contrary." The FCC also stated in a 2008 ruling that calls to wireless numbers "in connection with an existing debt" fall under the 'prior express consent' exception to the TCPA. Specifically, the FCC stated:

the provision of a cell phone number to a creditor, e.g., as part of a credit application, reasonably evidences prior express consent by the cell phone subscriber to be contacted that that number regarding the debt.

The court says that it's unclear at the pleading stage whether plaintiff released his number "knowingly," and what limitations he attached to the release of his number. The court also says that the FCC has recognized the burden consumers may face in proving that they did not provide consent, and thus senders should bear the evidentiary burden of showing that consent was provided. Given the state of the pleadings, the court says the consent issue is better suited for adjudication at the summary judgment stage, rather than the pleadings stage.
__

Ouch. Not only does the initial text violate the TCPA (in the absence of consent), even the text which confirms Ryabyshchuk would not receive any further text messages can violate the statute.

The rules governing unsolicited text messaging leave little room for those who send unsolicited texts. Despite the texts relating to a proposed transaction which plaintiff admitted he contacted Citibank about, and despite Citibank apparently honoring plaintiff's opt-out request, Citibank may still be on the hook! Relying on a check-the-box opt-in that says "please send me text messages regarding various topics to XXX-XXX-XXXX" would seem to be the prudent choice. The defense that the recipient provided a phone number in the course of a proposed transaction does not insulate Citibank here. Although Citibank may ultimately prove consent, the fact that it was unable to get rid of the lawsuit at the pleading stage means that it has to deal with the expense of discovery and summary judgment.

The odd thing about this case is that Ryabyschuck obviously anticipated or implicitly requested additional contact with Citibank. He filled out a credit card application and included his phone number. Citibank would have to comply with certain restrictions, but it could have avoided the prospect of liability by calling Ryabyshuck on the phone. Because it chose to text him--which some would say is less intrusive--Citibank got tagged with a lawsuit.

Posted by Venkat at 12:58 PM | Spam

October 13, 2011

Court Dismisses Lawsuit Under Michigan Spam Statute Based on Preemption and Lack of Standing -- Hafke v. Rossdale Group, LLC

[Post by Venkat Balasubramani]

Hafke v. Rossdale Group, LLC, 11-cv-220 (W.D. Mich.; Oct. 7, 2011)

Hafke described himself as someone who is "attempting to stop Spam in Michigan." He sued Rossdale, a continuing legal education provider, complaining about six unsolicited email messages he received from Rossdale, and alleging that these emails violated Michigan's spam statute.

Rossdale removed the lawsuit to federal court, arguing that the claims are preempted by CAN-SPAM. On a motion to remand, the court agrees with Rossdale, and finds that the lawsuit belongs in federal court. For good measure, the court dismisses the case.

Michigan's anti-spam statutes (sections 445.2503 and 445.2504) contains a mix of elements from other state statutes. Although the statute prohibits misrepresentation of the point of origin or the transmission path of an email, the court notes that the statute does not "set a materiality standard for misrepresentation." Spam preemption cases have found that in order for a state spam claim based on misrepresentation to escape CAN-SPAM's preemption, the misrepresentation must be material. (See Eric's post on Omega World Travel v. Mummagraphics, "Fourth Circuit Rejects Anti-Spam Lawsuit," for background on this.) Because plaintiff did not allege any misrepresentations in the email that were material, the court finds the claims preempted:

The technical violations regarding header, sender, and opt-out information that Plaintiff alleges as violations of the Michigan statute are not allegations of materially deceptive actions. His allegations are thus subject to preemption under CAN-SPAM.

After finding that the claim are preempted, the court dismisses the lawsuit for lack of standing. CAN-SPAM creates standing for a discrete group (other than agencies): providers of "Internet access services" who have suffered "adverse effects" as a result of the spam. Citing to Virtumundo, the court concludes that plaintiff does not have standing under CAN-SPAM.
__

Ouch. A dismissal that is more or less sua sponte is rough, but it's an understandable reaction from the court given the circumstances. Case law established CAN-SPAM preemption standards years ago. While interesting preemption questions linger around the edges, the plaintiff in this case did not come close to alleging claims that escaped CAN-SPAM's broad preemption clause. Unsophisticated spam plaintiffs should take note that CAN-SPAM allows for an award of attorney's fees.

Eric mentioned that Virtumundo marked an end to spam litigation factories, and it mostly did. There have been a few cases in California where litigants continue to hash out causes of action under state spam statutes (see Hypertouch v. Valueclick and Balsam v. Trancos) but in most other jurisdictions, plaintiffs have had no luck.

Related posts:

Claims that Emails were not Labeled as Ads and did not Disclose Tracking Preempted by CAN-SPAM -- Martin v. CCH
Jury Rejects Lawyer's Claims Under DC's Anti-Spam Law -- CyberLaw v. Thelaw.net

Posted by Venkat at 03:43 PM | Spam

October 12, 2011

Spam Claims Covered by Contract's Indemnity Clause--Commonwealth Marketing Group v. IMG Assocs.

[Post by Venkat Balasubramani]

Commonwealth Mktg. Group v. IMG Assocs., 08-5074 (W.D. Wash. Sept. 28, 2011)

Commonwealth Marketing asserted claims for indemnification against IMG Associates, for underlying claims brought by prolific spam plaintiff James Gordon. Among other cases, Gordon is famous for litigating the Virtumundo case, which ended with the dismissal of his claims on standing and preemption grounds. See Eric's post titled "An End to Spam Litigation Factories?" for more background.

IMG provided marketing services to Commonwealth. The agreement between the parties contained an indemnification clause, which in relevant part read as follows:

IMG shall indemnify, defend (with legal counsel reasonably acceptable to [IMG]) and hold CMG . . . harmless at all times after the Effective Date of this Agreement, from and against and in respect of, any liability, claim, deficiency, loss, damage, penalty, or injury . . . suffered or incurred by CMG . . . arising from (i) any breach or default on the part of IMG . . . , (ii) any act outside the scope of IMG's duties . . ., (iii) any breach by IMG . . . of the CAN-SPAM Act of 2003 . . ., (iv) any misrepresentation by, or breach of any covenant or warranty of IMG contained in this Agreement . . .

IMG argued that since Gordon's claims turned out to be meritless, they were not covered by the indemnification clause. The court disagrees, and says:

the duty to defend arose when Mr. Gordon alleged statutory violations of the CAN-SPAM Act; the merit of those claims is irrelevant.

It was undisputed that Gordon's claims were premised on emails sent by IMG--the emails produced by Gordon in discovery indicated they were sent by IMG. End result: judgment in favor of Commonwealth in the amount of $131,938.93, the fees incurred by Commonwealth in defending against Gordon's claims (which were ultimately dismissed for lack of standing).
__

The indemnification clause did not obviously cover Commonwealth's claims for indemnification, and it's not surprising that IMG refused the initial tender. Indemnitors often refuse to accept a tender regardless of what the contract actually says. The indemnification clause in this case was tied to IMG's breach of IMG's contractual obligations, a representation or warranty, or "a breach . . . of . . . the CAN-SPAM of 2003." A catch-all clause which offered Commonwealth protection from "any third party claims alleging that IMG's marketing efforts violated applicable laws or third party rights" would have more clearly protected Commonwealth, but the court did not put the indemnification clause at issue under a microscope.

Gordon and other spam plaintiffs must have left a sea of similar indemnification claims in their wake. Fees are available in CAN-SPAM cases, but collecting against the likes of Gordon is no easy task. (See Serial Anti-Spam Lawsuit Filer Loses Appeal... And His Possessions.) A contract's indemnity clause does not often trigger an indemnity obligation, so Commonwealth has to feel good about this result.

Posted by Venkat at 03:45 PM | Spam

September 28, 2011

In Facebook's Lawsuit Against Alleged Spammer, Court Denies MaxBounty's Motion to Dismiss

[Post by Venkat Balasubramani]

Facebook v. MaxBounty, 10-Cv-04712 (N.D. Cal. Sept 14, 2011)

Facebook is suing MaxBounty for allegedly running an affiliate network which dupes people into fanning Facebook pages, promoting the page to their friends, and signing up for third party offers, all based on the promise of free items. Facebook brought a variety of claims, including common law fraud, CAN-SPAM, and the Computer Fraud and Abuse Act. The court previously found that Facebook wall posts can be considered "electronic mail messages" and thus are subject to CAN-SPAM. (Here's my post on this ruling: "N.D. Cal.: Facebook Posts are Electronic Mail Messages, Subject to CAN-SPAM.") However, the court said that Facebook had to be more specific regarding some of its allegations. This time around, the court finds that Facebook's allegations are sufficiently specific, and denies MaxBounty's motion to dismiss.

Fraud claims: Facebook alleged that MaxBounty's affiliate manager knew of and encouraged an affiliate that offered a free IKEA gift card. The affiliate manager allegedly provided technical assistance, assured the affiliate that the affiliate's actions were kosher and, when the affiliate expressed hesitation, offered the affiliate $30,000 to continue. Interestingly, the court doesn't quite specify what the fraudulent statements were and who was deceived by them. In some ways, this case is somewhat reminiscent of the Reunion.com case involving an alleged "spam a friend" scheme, while that case addressed the issue of whether claims under California's spam statute were preempted by CAN-SPAM. One other difference is that in this case, Facebook is the one bringing the fraud claims and it's unclear how Facebook has been duped. The court allows the fraud claim to go forward and also allows claims for aiding and abetting the fraud and for conspiracy.

CAN-SPAM claims: MaxBounty argued that Facebook's allegations fail to make out a claim that MaxBounty "procured or induced" the transmission of messages at issue. MaxBounty also argued that Facebook failed to specify how the messages at issue contained materially false header information. The court rejects these arguments, noting that the messages sent as part of the campaign do not identify MaxBounty as "the initiator" despite the fact that MaxBounty "initiated the messages by inducing Facebook users to execute malicious computer code that cause[d] messages to be sent automatically to all of their Facebook 'friends'."

Computer Fraud and Abuse Act claims: The court refuses to dismiss the CFAA claim, finding that access in violation of the stated restrictions (with a predicate act) can violate the Computer Fraud and Abuse Act. MaxBounty argued that because Facebook granted MaxBounty permission to access the site, MaxBounty did not engage in any "unauthorized access," but the court says no (citing to U.S. v. Nosal).
__

There are some interesting issues raised in the three claims discussed in the court's order, but since this lawsuit involves a large network trying to police against alleged spam, the court doesn't give MaxBounty's arguments a detailed treatment they may have otherwise deserved. As in many other cases where networks try to shut down interlopers, the causes of action end up being stretched pretty thin.

In the prior post, I mentioned that treating Facebook messages as email messages that are subject to CAN-SPAM does not necessarily jibe with the statute or its requirements. The court says that "none of the messages in question [identified] MaxBounty as the initiator." The court is not specific about what types of Facebook messages were involved, but it's possible to see the practical limitations of including this type of a notification on a Facebook message. This is one of the potential problems with calling messages on social networks "electronic mail messages" that are subject to CAN-SPAM.

The CFAA claims similarly push the envelope. Terms of use-based CFAA claims are widely recognized as being overly broad and encapsulating innocent conduct. (Facebook users better watch out!) Senators Franklin and Grassley recently proposed an amendment that would, among other things, remove access in excess of terms of use from the definition of "exceeding authorization." The court also does not get into the issue of whether MaxBounty can be held liable for the CFAA violations of third parties, a proposition that does not have clear support in the text of the statute or the case law.

Another thing to consider is that Facebook is a platform, and will be subject to attacks from third parties that seek to hold Facebook liable for the actions of third parties in its ecosystem. Could Facebook's overly broad legal arguments come back to haunt it? Mike Masnick makes a similar point about Craiglist's enforcement efforts here: "Craigslist Trying To Destroy The Life Of Someone Who Made Posting To Craigslist Easier." Facebook has ample legal hooks to go after rogues on its network, and it may want to think twice about going in with guns blazing and creating bad precedent in the process.

Posted by Venkat at 07:59 AM | Marketing , Spam , Trespass to Chattels

September 08, 2011

Lawyer Hit With $4.2 Million Judgment in Junk Fax Class Action -- Holtzman v. Turza

[Post by Venkat Balasubramani]

Holtzman v. Turza, 08 C 2014 (N.D. Ill. Aug. 29, 2011)

Apparently reports of the fax machine's death are greatly exaggerated. People still use fax machines.

Holtzman sued Turza for receiving unsolicited faxes. The court certified the lawsuit as a class action, and granted Holtzman's motion for summary judgment as to two issues: (1) the faxes in question were "advertisements" under the TCPA, and (2) the defendant would be liable for all faxes received on a "target list."

After conducting some discovery, Holtzman files a motion for summary judgment, largely directed at damages. Holtzman takes the deposition of Michael Richard, the CFO of VillageEDocs, which is a parent company to MessageVision, the service used by Turza to send out the faxes. Richard testifies as to the approximate number of faxes he sent out on behalf of Turza, what portion of faxes sent to the "target list" were reliably transmitted, and how much he billed Turza. It turns out MessageVision sent out 8,430 faxes. At $500 in statutory damages per fax, this amounts to a damage award of $4,215,000.

Turza raised a few arguments in opposition to Holtzman's motion, but the court isn't very impressed by any of them. Turza argued that because Richard is a CFO and not a technical expert, his testimony as to fax transmission rates was not reliable. The court finds this objection curious, since Turza himself relied on the "until-now unquestioned integrity of MessageVision's system to compute the number of successful fax receipts that resulted in the charges paid by [Turza]." Turza relied on new testimony from his expert but the court finds this evidence untimely and insufficient to create a factual dispute as to Richard's testimony. Turza also argued that there was no evidence that the class members did not consent to the faxes, but this was contradicted by Turza's own testimony that he did not procure consent from any of the recipients. Turza also raises the issue of whether class members owned the fax machines to which the faxes were sent. The court says that this does not preclude summary judgment, although it's something that may bear on the individual damage award to class members.

Finally, Turza also sought to decertify the class and argued that the imposition of a $4 million award violates Due Process. As to the certification issue, Turza argues that there are other methods to adjudicate the dispute, namely that the individual class members could pursue their own claims in small claims. The court says that even if a chunk of class members have sizeable claims (e.g., those amounting to $10,000 or more) this would not mean that a class action "would be less fair or efficient than individual litigation." Since statutory damages are at issue, TCPA claims are "arguably best suited" to class resolution.

With respect to Turza's due process argument, the court notes that the class award is not excessive because of the risk of Turza having to declare bankruptcy. Turza had insurance policies in place, and these policies should cover the awards at issue. The bulk of the bill will be borne by the insurance company and not by Turza at all!

This would be a pretty unremarkable case, except for the fact that the faxes were actually newsletters that were written on behalf of a lawyer. Here is Eric's previous post on the case: "Ghostwritten Attorney Newsletter is an "Ad" for TCPA Junk Fax Law Purposes." Professional courtesy aside, it's pretty scary that sending out a bunch of faxes which contained editorial but ghostwritten content can put you at risk of an award for four million dollars. Fortunately for Turza, his insurance company may end up footing the bill.

A big takeaway from this case is that it's risky behavior to send out marketing communications to lists that you have bought. I guess it also illustrates one of the many perils of using ghostwritten content.

Posted by Venkat at 02:51 PM | Marketing , Spam

September 02, 2011

Seventh Circuit Awards e360 a Whopping $3 in Damages Against Spamhaus -- e360 v. Spamhaus

[Post by Venkat Balasubramani]

e360 Insight, Inc. v. The Spamhaus Project, 10-3538 & 10-3539 (7th Cir. Sept. 2, 2011)

The lawsuit between e360 and Spamhaus was a long-running, tortured affair, and it looks like it finally came to a close. With e360 being awarded a whopping $3 in damages against Spamhaus. (Here's a link to Ars Technica's recap of the oral argument, where Judge Posner blasted e360's counsel: "This is just totally irresponsible litigation . . . .You can't just come into a court with a fly-by-night, nothing company and say 'I've lost $130 million.'")

Background: e360 sued Spamhaus, a UK entity, for damages allegedly resulting from being identified as a "known spammer." It sued Spamhaus for tortious interference and defamation. Spamhaus removed to federal court and asserted lack of personal jurisdiction. It then withdrew its answer and decided that it did not wish to defend against e360's claims. e360 sought and obtained a default judgment, and the district court granted e360's request for damages and awarded e360 $11,715,000 in damages. Spamhaus moved to set aside the judgment, and when this request was refused, appealed to the Seventh Circuit. The Seventh Circuit affirmed the default judgment but remanded for a proper determination of damages.

Back at the district court, e360 was left with the task of proving up its damages, but it suffered a slew of discovery foibles. e360's principal failed to appear for his deposition as scheduled and failed to respond to Spamhaus's interrogatory requests. Spamhaus moved to dismiss on the basis of e360's discovery failures, and the trial court gave e360 another opportunity to address the discovery issues. e360 supplemented its previous responses but added a slew of new witnesses. It also increased its damages estimate from $11.7 million to a "whopping $135 million." It also sought to reopen discovery. The trial court said no dice and struck the new witnesses listed by e360 and struck e360's requested damage award to the extent it exceeded the initial $11.7 million request. After a bench trial on damages, the trial court awarded e360 "a mere $27,002, a far cry from the millions of dollars that e360 sought." Both parties appealed.

Discussion: The Seventh Circuit affirmed the district court's sanction (of striking the new request for damages and the newly listed witnesses), finding that the district court exercised its discretion "with considerable restraint." It also affirmed the district court's exclusion of a spreadsheet prepared by e360's principal which listed e360's damages at $135,173,577. (The week before trial e360 revised this number to $122,271,346.) The Seventh Circuit also affirmed the district court's exclusion of the bulk of the testimony on e360's behalf:

The district court gave Linhardt's testimony no weight because he was not credible.

Finally, the court gets to the actual damage award of $27,000. The district court cited to Linhardt's testimony regarding contracts with three customers who collectively paid e360 $27,000 per month for services performed. As a result of Spamhaus's actions, the district court found that e360 lost these contracts. Spamhaus argued on appeal that it was not appropriate for the district court to award the entire contract amounts as this amount represented revenue rather than profit. The Seventh Circuit agreed, saying that although Linhardt may have adduced credible testimony as to these three contracts, e360's failure to put forth any evidence on what portion constituted profits versus overhead was fatal to the damage award.

Ultimately the court ends up awarding nominal damages as to the three claims raised by e360, for a whopping award of three dollars:

By failing to comply with its basic discovery obligations, a party can snatch defeat from the jaws of certain victory. After our earlier remand, all e360 needed to do was provide a reasonable estimate of the harm it suffered from Spamhaus's conduct. Rather than do so, however, e360 engaged in a pattern of delay that ultimately cost it the testimony of all but one witness with any personal knowledge of its damages. That lone witness lost all credibility when he painted a wildly unrealistic picture of e360's losses. Having squandered its opportunity to present its case, e360 must content itself with nominal damages on each of its claims, and nothing more.

Ouch.
____

Spamhaus ended up traveling the long road and ultimately defeating e360, but it's nice to see it prevail. As the Holomaxx v. Yahoo and Microsoft cases indicate, lawsuits brought by emailers against ISPs or filtering services face a long and uphill road, which should lead to a dead end. ("Bulk Emailers (Mostly) Lose Three 47 USC 230(c)(2) Rulings--Holomaxx v. Microsoft/Yahoo & Smith v. TRUSTe;" "Court Affirms Robust ISP Protection For Blocking Bulk Emails -- Holomaxx v. Microsoft/Yahoo.")

Previous posts:

Judge Kocoras Cuts Down $11MM Award Against Spamhaus to $27,000 -- e360 v. Spamhaus

[h/t Mickey Chandler]

Posted by Venkat at 12:10 PM | Spam

August 24, 2011

Court Affirms Robust ISP Protection For Blocking Bulk Emails -- Holomaxx v. Microsoft/Yahoo

[Post by Venkat Balasubramani]

Holomaxx v. Microsoft, 2011 WL 3740813 (N.D. Cal. Aug, 23, 2011) [pdf]
Holomaxx v. Yahoo, 2011 WL 3740827 (N.D. Cal. Aug, 23, 2011) [pdf]

Eric and I both previously posted on the Holomaxx cases, where Holomaxx sued Yahoo and Microsoft for blocking or filtering bulk emails transmitted by Holomaxx. The court granted motions to dismiss filed against Holomaxx with leave to amend. ("Bulk Emailers (Mostly) Lose Three 47 USC 230(c)(2) Rulings--Holomaxx v. Microsoft/Yahoo & Smith v. TRUSTe.") Holomaxx filed an amended complaint, but it produced no better results. The second time around, the court permanently shuts the door on Holomaxx's claims, finding again that Section 230(c)(2)(A) insulates the ISP's filtering decisions and dismissing without leave to amend.

The result was not terribly surprising, given that the court was initially skeptical of Holomaxx's vague allegations that the ISPs harbored some sort of bad faith when they blocked Holomaxx's bulk emails. As Laura Wise notes in her recap of the oral argument, Judge Fogel asked Holomaxx for its "absolute best argument" that Microsoft and Yahoo harbored some sort of bad faith intent, and he was not swayed by what Holomaxx had to offer. Judge Fogel concludes that the Messaging Anti-Abuse Working Group guidelines which Microsoft and Yahoo allegedly deviated from are not an "industry standard," so Microsoft or Yahoo could be faulted for not following them. He also concludes that the fact that the filtering efforts stopped and re-started is not in any way indicative of bad faith. While he acknowledged some tension between Section 230's robust grant of immunity and Judge Fisher's concern (in Zango v. Kaspersky) that a service provider may abuse filtering immunity by blocking content for "anticompetitive purposes or merely at its malicious whim," the court says that allowing Holomaxx to proceed with only its vague allegation of bad faith would undermine Section 230:

To permit Holomaxx to proceed solely on the basis of a conclusory allegation that [the ISP] acted in bad faith would essentially rewrite the CDA.

The court also dismisses Holomaxx's claims under the Wiretap Act and the Stored Communications Act based in part on Holomaxx's failure to articulate how exactly Microsoft and Yahoo violated these statutes in the course of their filtering efforts. (These statutes are excluded from Section 230 so the court deals with them separately.)

As with blocking or filtering decisions targeted at malware or spyware, complaining that the ISP was improperly filtering bulk email (spam) is likely to fall on unsympathetic ears. It would take a lot for a court to allow a bulk emailer to conduct discovery on the filtering processes and metrics employed by an ISP. (Hence the rulings on a 12b motion, rather than on summary judgment.) Here the court reiterates the "good faith" standard for 230(c)(2) is measured subjectively, not objectively. That puts a heavy burden on plaintiffs to show subjective bad faith. Eric's reaction to the Zango case--where the Ninth Circuit held that anti-spyware company Kaspersky's decision to classify Zango as adware was protected--largely alludes to this result:

this opinion is terrific news for vendors of anti-spam/anti-spyware/anti-virus services. Although we have long suspected that they would be protected under 230(c)(2), this opinion codifies their immunization as Ninth Circuit law. As a result, these vendors should continue to have a high degree of freedom to make judgments about how to best serve their customers. On the flip side, this opinion confirms that anyone blacklisted by these software vendors can’t use judicial proceedings to change the classification. Fortunately, most reputable vendors offer an extra-judicial mechanism to correct their misclassification errors.

The only difference is that Microsoft and Yahoo are ISPs, and they could use unfettered filtering discretion to block competitive content, links, or maybe even throttle users (or skew search results). Holomaxx's complaint did not credibly raise any such concerns, so the judge dismisses them.

Previous posts and other coverage:

* Bulk Emailers (Mostly) Lose Three 47 USC 230(c)(2) Rulings--Holomaxx v. Microsoft/Yahoo & Smith v. TRUSTe
* Amendment was futile (Laura Wise)

Posted by Venkat at 11:13 AM | Content Regulation , Derivative Liability , Spam

July 26, 2011

Court Rejects First Amendment Challenge to CAN-SPAM Indictment -- US v. Smallwood

[Post by Venkat Balasubramani, with comments from Ethan Ackerman]

US v. Smallwood, 09-CR-00249 (N.D. Tex.; July 15, 2011)

First Amendment challenges to spam statutes are long shots at best, with Jaynes v. Virginia being the big exception. In this case, Smallwood was charged with a variety of criminal acts, including violations of CAN-SPAM's criminal provisions (18 U.S.C. 1037(a)(2) and (b)(2)(C)). The statute is aimed at anyone who:

uses a protected computer to relay or retransmit multiple commercial electronic mail messages, with the intent to deceive or mislead recipients, or any Internet access service, as to the origin of such messages.

Subsection (C) kicks in where there is a significant volume of messages (2,500 during any 24 hour period, 25,000 during any 30-day period, or 250,000 during any 1-year period). Smallwood argued that the statutory provisions were vague and overbroad, because it chilled "protected anonymous speech."

The court rejects Smallwood's arguments that the statute is overly broad. Smallwood cited Jaynes v. Virginia, a case where the Virginia Supreme Court struck down a portion of Virginia's spam statute, but the court here distinguishes Jaynes from this case: CAN-SPAM only applies to commercial email messages. In contrast, the statute in Jaynes applies to all communications, including religious or political speech.

Smallwood's vagueness arguments fared no better. She argued that:

she could not have known from the statute the circumstances that would cause sending multiple emails to be unlawful, because the Internet is diverse in terms of origin identification, and because multiple emailings may have multiple sources, or origins; "origin" is a broad term, defying easy definition; and there is no clear notice as to the type of conduct that might mislead or deceive someone about the origin of the emailings.

The court agrees with the government that since Smallwood is charged with something which requires a showing of intent to deceive, common sense definitions of the term "deceive" or "mislead" provides sufficient notice as to the scope of the statute.
__

There were two aspects of the statute that caught my attention.

First, the statute covers emails that are misleading not only to recipients, but also to any "internet access service" as to the origin. This reminds me of Kleffman v. Vonage where the California Supreme Court construed the scope of the California spam statute. ("Use of Multiple (Even Random or Garbled) Domain Names to Bypass Spam Filter Does not Violate Cal. Spam Statute.") In that case the plaintiff argued that using multiple domain names to bypass a spam filter violated California's spam statute. While the California Supreme Court rejected this argument, I wonder if the language in the statute (about deceiving an ISP) is aimed at something similar? Is there a legitimate vagueness argument on this point?

Second, it's interesting that the defendant is charged with providing "SPAMmers with equipment, bandwidth, corporate infrastructure, and IP addresses, and domain names from which their customers could send SPAM with the intent to mislead recipients and Internet access services as to the messages' origin." Once you start penalizing people who provide bandwidth, domain names, and infrastructure, you're pretty far afield from the people who are actually sending the emails. It looks like there's some sort of "knowingly" limitation on this (i.e., that she supplied the assistance knowing that the customers were spammers) but it still surprised me.

Not necessarily an earthshattering ruling, but given the dearth of cases dealing with First Amendment challenges to spam statutes, an interesting data point.

Ethan's comments:
It's worth noting that the Court's cursory dismissal of Smallwood's overbreadth argument isn't as uncontroversial as the Court suggests. The opinion dismisses Smallwood's overbreadth argument with a quote from Village of Hoffman Estates v. Flipside, Hoffman Estates, Inc., "the overbreadth doctrine does not apply to commercial speech." That quote was itself a footnoted description of Central Hudson's holding. Interestingly enough, Central Hudson doesn't actually say anything of the sort, noting only that commercial speech is less at risk of being chilled due to overbroad laws. Supreme Court caselaw on the overbreadth doctrine as applied to commercial speech is not as simple as "not applicable." Several Court cases describe it, like Central Hudson did, as being "seldom," or "unlikely to be," applicable. Bigelow v. Virginia says using the overbreadth doctrine to facially invalidate a statute restricting commercial speech is a remedy that should be used "sparingly," but then finds the statute in question overbroad. Only Hoffman describes the overbreadth doctrine as inapplicable to commercial speech.

The Court rejects Smallwood's vagueness challenge by adopting the Government's argument that the intent element of the crime remedies any arguable vagueness concerns for terms like "origin." If it explored deeper, the Court could have also pointed out that the challenged statutory terms are made rather clear by the other definitions in the Act--the defined terms "initiate," "procure," "sender," "header information," and "routine conveyance" use the contested terms, inform those terms, or provide categories that function to exclude some of those terms. It is an uphill battle to argue vagueness on a statute that has around twenty fairly specific definitions.

Previous related posts:

Internet Obscenity Conviction Requires Assessment of National Community Standards--US v. Kilbride
Still Standing? Catching Up on the Jaynes Case

Posted by Venkat at 01:57 PM | Spam

July 04, 2011

June 2011 Quick Links, Part 2

By Eric Goldman

Social Media

* The Third Circuit issued its en banc rulings in Layshock v. Hermitage School District and J.S. v. Blue Mountain School District, both involving school discipline against kids who created fake MySpace profiles of school administrators. Prior blog post on both cases. The good news is that the kids won in both cases; the courts held that the administrators overreacted. However, the decisions don't resolve any of the fundamental issues about the legitimacy of school discipline for kids discussing school-related issues online.

* Too Much Media, LLC v. Hale, 2011 WL 2305620 (N.J. June 7, 2011). A blog commenter doesn’t qualify for the NJ reporter shield law.

* Dr. T.S. v. Plain Dealer, No. 96201 (Ohio App. Ct. June 16, 2011). Uploading a 20 year old version of a newspaper doesn’t reset the single publication rule, even if the article becomes newly indexable in Google.

*Back in September 2010, Xcentric v. Bird settled in a no money deal. The settlement agreement. Ripoff Report's appended response to the original blog post. Prior blog post.

* Scott P. v. Craigslist dismissed. It appears Scott P. gave up against Craigslist. Prior blog post.

* News.com: Is the FTC going after Twitter...again?

* Another PR agency loses a client account over an ill-advised tweet.

* NY Times tries to deconstruct the Twitter hashtag convention.

* Art of Living Foundation v. Does, 2011 WL 2441898 (N.D. Cal. June 15, 2011). Griping bloggers about Ravi Shankar and his organization avoid defamation and trade secret liability for now.

* Jakobot v. American Airlines, 2011 U.S. Dist. LEXIS 64824 (S.D. Fla. June 20, 2011). In a battle over whether the plaintiff lives in Florida or Texas, the court says: “The internet is often filled with old, out-of-date, unsubstantiated, self-aggrandizing and misleading information. It is not enough to submit a selective chunk of Plaintiff's 'Google footprint' and note every time that a tie to Florida appears -- Defendant must do more to connect the dots.”

* State v. Hanson, 2011 WL 2301801(Minn. App. June 13, 2011). Statutory rape conviction reversed based on a mistake of age defense when the victim misreported her age to MySpace. Prior blog post.

* The Duluth doctor is appealing his defamation lawsuit loss against a patient's family member who criticized him online.

* Marin IJ: "A Greenbrae cosmetic surgeon who filed a defamation suit against an online reviewer was ordered to pay nearly $20,000 in attorney's fees after a judge dismissed the case."

* IT World: Is Facebook really 'hated' more than Bank of America?

* Job opening: Executive Director, Public Participation Project, to work towards a federal anti-SLAPP law. Spread the word!

Google

* Reuters on how the FTC's investigation of Google could chill innovation regardless of its outcome. Google's blog post about the investigation.

* In June, I participated in a TechFreedom panel on search engine bias on Capitol Hill. Declan McCullagh moderated. His writeup: "On Capitol Hill, it's all about beating down Google". The video.

* News.com: Google's Enemies: a Primer.

* Google hires TWELVE lobbying firms to fight the FTC (on top of the 6 they already had).

* Neeley is appealing his loss to Google. Prior blog coverage.

Spam

* Spam filters have taken a huge bite out of spam. See my 2003 article expressing confidence that technology would do a much better job fighting spam than legislation.

* Amazon's Kindle hit by spammed e-books. Another example that service providers have to exercise editorial control to curb spam.

Miscellaneous

* The FTC approved the final order in the Chitika case.

* CA enacts an Amazon tax and Amazon instantly tosses its affiliates overboard--including me! More evidence that the taxman will effectively kill the affiliate industry.

* Weinstein v. eBay Inc., 2011 WL 2555861 (S.D.N.Y. June 27, 2011). As a secondary market, StubHub does not need to comply with NY state law requiring printing the face value on tickets.

* Ni v. Slocum, A128721 (Cal. App. Ct. June 30, 2011). Rejecting electronic signatures in support of a ballot petition. Contrast Anderson v Bell in Utah about the application of UETA to election petition signatures.

* Zamora Radio, LLC v. Last.fm LTD., 2011 WL 2580401 (S.D. Fla. June 28, 2011). A defense-favorable Internet personal jurisdiction ruling: "the AccuRadio website reflects a low quality of commercial activity; visitors cannot purchase products or download music and are primarily limited to live streaming audio. Moreover, Plaintiff has not established that (1) Florida constitutes a principal consumer base for AccuRadio's service; (2) AccuRadio.com makes any reference to Florida, or directs visitors to any Florida establishments; (3) AccuRadio has engaged in any print, radio, television, or Internet advertising targeting Florida residents; or (4) AccuRadio has in any way specifically encouraged Florida residents to visit AccuRadio.com." The court distinguishes co-defendant Last.fm: "AccuRadio users do not have to download a program to access and listen to AccuRadio's programming and AccuRadio users do not download music from AccuRadio's website....Further, AccuRadio's website is not specifically directed at Florida consumers and local information about concert events is not provided on AccuRadio's website."

* Take James Grimmelmann's Internet Law exam.

Posted by Eric at 08:43 AM | Content Regulation , E-Commerce , Search Engines , Spam | TrackBack

April 28, 2011

Jury Rejects Lawyer's Claims Under DC's Anti-Spam Law -- CyberLaw v. Thelaw.net

[Post by Venkat Balasubramani]

Cyberlaw P.C. v. Thelaw.net, No 2009 CA 003615 (D.C. Sup. Ct. March 16, 2011) (complaint) (verdict form)

Lawyers receive a fair amount of spam from service providers and companies who offer CLEs and other services. Most lawyers simply hit the delete button, but not Eric Menhart. Menhart sued Thelaw.net alleging violations of the District of Columbia spam statute. Menhart is not just any lawyer. He is the one who tried to assert trademark rights over the term CyberLaw(TM). (See "Who Owns "CyberLaw"(TM)? Eric Menhart, a DC IP Attorney, Thinks He Does." After much (well deserved) public ridicule, including on this blog, he finally backed off: "Eric Menhart Backs Off CyberLaw Trademark Claim".))

Menhart alleged that he received 49 pieces of spam, and that the emails: (1) "contain[ed] false or misleading information in the subject line" and (2) had incorrect routing or transmission information.

The subject line claims: The subject line claims were a serious stretch to begin with. They included phrases such as "what you're missing with Westlaw," "Search Nationally in 2009!," and "make the transition." Most of them screamed "advertisement" and none of them suggested that they were from an acquaintance or contained a free offer. You can access a full list of the email subject lines on the verdict form here.

The routing information claim: Menhart did not detail his routing or transmission information claims, but the complaint cites to a listserv post which says that Thelaw.net "are constantly changing their email addresses" so their emails cannot be blocked.

___

Thelaw.net had solid preemption arguments with respect to both of these claims. CAN-SPAM cases have interpreted CAN-SPAM to only cover "material" errors or misstatements and to preempt any state causes of action which impose liability based on immaterial errors or misstatements. The claims in this case are precisely the type of claims based on non-material discrepancies or minor misstatements that CAN-SPAM preempts. The flagship cases for these principles are Omega World Travel v. Mummagraphics and Gordon v. Virtumundo; more recent examples of cases which have rejected precisely these types of claims are: Kleffman v. Vonage (use of multiple random domain names to bypass spam filter does not violate California's spam statute) and Martin v. CCH (claims for failure to label email using "AD:," and disclose alleged tracking preempted by CAN-SPAM).

It is unclear from the online record whether Thelaw.net argued preemption. Lawyers for Thelaw.net issued a press release following their victory, but expressing concern that the judge "ruled that whether an email subject line is false or misleading is a question of fact not law, which would mean future lawsuits under the DC statute, no matter how frivolous, could not be dismissed before trial." So maybe no one brought up the preemption issue?

The court should have dismissed this case and never have let it get this far. Menhart, who runs a law firm called CyberLaw(TM), should have known better. The CyberLaw trademark debacle may prompt lawyers to question Menhart's legal assessments from the standpoint of trademark law. It looks like the jury questioned his assessments (that the subject lines were misleading) as well.

Other coverage: "Jury Dismisses Spam Lawsuit Against Legal Research Company" (Wendy Davis)

Posted by Venkat at 12:14 PM | Spam

April 27, 2011

Court Says CAN-SPAM Plaintiff Can't Take Second Bite at the Apple -- Melaleuca v. Hansen

[Post by Venkat Balasubramani]

Melaleuca v Hansen, 10-cv-00553 (D. Idaho; Apr. 15, 2011)

This is a case where Melaleuca - a large multi-level marketing company - asserted spam claims against Daryl Hansen. That's probably a charitable way of putting it. Melaleuca looks like it had motives other than its injuries from allegedly receiving spam, and went after Melaleuca with legally unsustainable claims under CAN-SPAM.

Hansen, proceeding pro se, defeated Melaleuca's claims against him the first time around. The court concluded that Melaleuca was not a bona fide ISP and did not adequately allege damages (i.e., that it had suffered "adverse effects") as a result of the alleged spam. Melaleuca also argued in the first lawsuit that, even though it was not an ISP, it had obtained an assignment of claims from the ISP who received and processed the spam. The court was skeptical of this assignment, since it was procured after Melaleuca filed its complaint. (Here's the earlier blog post on the case and the court's rulings: "Another Federal Court Dismisses CAN-SPAM Claims Due to Lack of Standing - Melaleuca, Inc. v. Hansen." My instinct was the the district court's dismissal should have been with prejudice, but it turned out to not matter.)

Undaunted, Melaleuca filed a second lawsuit against Hansen. Hansen (again proceeding pro se) moved to dismiss, this time on the basis that the second suit was barred by preclusion principles. The court agrees with Hansen and dismisses the case. Melaleuca argued that the first decision was not a final decision on the merits, but the court rejects this argument. Both parties had the opportunity to brief the standing issue and the court issued a definitive order the first time around that was appealable (indeed, as the court notes, it was on appeal at the time of the second lawsuit). Melaleuca also argued that the deficiencies in its complaint were "curable," and it should be allowed to proceed. The court finds that while Melaleuca could have cleaned up the assignment (and obtained the assignment of claims prior to filing the complaint) it "alleges the same damages/types of harms as were raised in Melaleuca I that the court deemed insufficient to meet . . . CAN-SPAM . . . standing requirements." Regardless of whether Melaleuca should have been able to "cure" this deficiency, the court says Melaleuca did not bother to adequately allege injury the second time around!

The court was way too lenient with Melaleuca here. Maleleuca deserved a smackdown. I'm surprised the court did not consider sanctions, or at least a strong statement that sent a message to Melaleuca. Courts should do their best to strongly discourage this type of litigation. (CAN-SPAM has a fee-shifting provision (see "CAN-SPAM Defendant Awarded $111k in Fees/Costs"), but I'm not sure if Hansen can take advantage of it as a pro se defendant.)

Related: Professor Goldman previously posted on another dispute involving Melaleuca, this one involving an expedited DMCA subpoena which also touched on the copyrightability of a take-down letter: "Co-Blogger Identity Isn't Disclosed via 512(h), but Takedown Letters Are Copyrightable."

Posted by Venkat at 10:51 PM | Spam

April 19, 2011

Bulk Emailers (Mostly) Lose Three 47 USC 230(c)(2) Rulings--Holomaxx v. Microsoft/Yahoo & Smith v. TRUSTe

By Eric Goldman

I've been so behind that it's taken me until now to blog these cases from last month. All three opinions involve the same basic fact pattern: a bulk emailer gets blocked by an email service provider (relying in part on third party filtering/blocking services) and sues to undo the block. These claims are largely preempted by 47 USC 230(c)(2), and the courts mostly get to the right place with the immunity (although not without small points of drama). The aggressive plaintiffs also assert claims not covered by 47 USC 230(c)(2), but these mostly don't go anywhere either. The lesson is pretty clear: if an email service provider blocks your email, the courts aren't going to help you out.

Holomaxx Technologies v. Microsoft Corp., 2011 WL 865278 (N.D. Cal. March 11, 2011), and
Holomaxx Technologies v. Yahoo, Inc., CV-10-4926-JF (N.D. Cal. March 11, 2011). Venkat's excellent prior blog post on the complaints. These rulings are substantially identical, so I'll discuss them together except where they diverge.

Holomaxx is a bulk email sender upset because Yahoo and Microsoft are blocking its emails based both on IP address blocks and reputation scores (including those provided by third parties). We've heard this refrain before in many cases over the years, and the law is pretty clear about this. Email service providers can't be obligated to carry emails they don't want to carry. There are a number of legal doctrines that help reach this conclusion, but the most salient one is 47 USC 230(c)(2), the immunity for filtering decisions.

In response to Holomaxx's lawsuit over the block, Microsoft and Yahoo interposed the 230(c)(2) defense on a 12(b)(6) motion to dismiss. Holomaxx objected that 230(c)(2) is an affirmative defense and not appropriate response for a 12(b)(6) dismissal motion. This is the issue that vexed the Ninth Circuit in the Barnes v. Yahoo case until they fixed the opinion. In this case, Judge Fogel properly concludes that 230(c)(2) can support a 12(b)(6) motion to dismiss. (He reached the same conclusion in Goddard v. Google).

Holomaxx then argued that 230(c)(2) does not prevent blocking of legitimate email because such a block doesn't fit within 230(c)(2)'s "otherwise objectionable" language. The judge says:

No court has articulated specific, objective criteria to be used in assessing whether a provider’s subjective determination of what is “objectionable” is protected by § 230(c)(2).

And Judge Fogel isn't going to be the first. Instead, he sidesteps the issue, holding that the service providers could deem the emails "harassing" because, even if Holomaxx had a 0.1% error rate, as it claimed in the Yahoo case, that still netted 2M bad emails/year. Therefore, the filtering decisions fit within the other statutory language in 230(c)(2). This is a cute intellectual move which potentially expands the scope of 230(c)(2) by reading "harassing" broadly.

Holomaxx also attacks the "good faith" requirement of 230(c)(2), but does so in a generalized way. The judge rejects the argument, saying (in the Yahoo case):

Holomaxx alleges no facts in support of its conclusory claim that Yahoo!’s filtering program is faulty, nor does it identify an objective industry standard that Yahoo! fails to meet. While it suggests that Yahoo! is “using cheap and ineffective technologies to avoid the expense of appropriately tracking and eliminating only spam email,” it offers no factual support for these allegations. Nor does Holomaxx cite any legal authority for its claim that Yahoo! has a duty to discuss in detail the particular reasons for blocking Holomaxx’s communications or to provide a remedy for such blocking. Indeed, imposing such a duty would be inconsistent with the intent of Congress to “remove disincentives for the development and utilization of blocking and filtering technologies.”

The Microsoft opinion's text is similar. Holomaxx gets another chance to marshal better allegations, but I'm guessing they won't be able to do so.

The court rejects the ECPA claim (which 230(c)(2) doesn’t immunize) because Holomaxx didn't explain clearly enough how the email service provider "intercepted," "used" or "disclosed" Holomaxx's email or how the ESP improperly accessed stored communications. The 17200 claim (which I think should be preempted by 230(c)(2), although that issue isn't discussed) also fails for lack of Holomaxx's specificity. A Microsoft-only defamation claim doesn't survive either:

Holomaxx alleges, on information and belief, that Microsoft "informed Dragon Networks in writing" that it had blocked all IP addresses originating from Dragon Networks because "certain of Holomaxx's .78 addresses had been rejected 'for policy reasons,' and were blocked manually 'or for spamming.'" Holomaxx does not explain how the alleged statement was defamatory or produce a copy of the alleged defamatory correspondence between Microsoft and Dragon Networks. Nor does it explain how the alleged communication amounts to "a statement of fact that is false."

As a result, the judge dismisses the lawsuit but with leave to amend.

Smith v. Trusted Universal Standards in Electronic Transactions, Inc. (d/b/a TRUSTe, Inc.), 2011 U.S. Dist. LEXIS 26757 (D. N.J. March 15, 2011).

Like Holomaxx, Smith sends a lot of email through Comcast. Comcast blocked his outgoing email twice. The first time, Comcast pointed to Microsoft's Frontbridge/Exchange Hosted Services (EHS) quarantine system. The second time, Comcast pointed to Cisco's IronPort/Senderbase blocklist. Smith sued all three entities (and others). Last year, the court rejected a 12(b)(6) motion to dismiss based on 47 USC 230(c)(2).

Ten months later, after presumably lots of wasted effort, the court converts Cisco's and Microsoft's 12(b)(6) motions into a summary judgment motion and grants the dismissal on 230(c)(2) grounds. I'm sure the defendants appreciate the dismissal, but I'm sure they would have been even more appreciative if the court had reached the result on the last go-around. The court still can't let the case go with respect to Comcast, however.

Cisco/SenderBase gets the 230(c)(2) defense as a blocklist provider. This may sound easy, but the statutory drafting makes the court’s analysis more arduous than it ought to be.

Cisco's senderbase.com website constitutes an ICS. This makes Cisco a "user" of an ICS because it uses its website to publish the blocklist. It is also a provider of an ICS because it runs the website. This is the issue that tripped up the court in the last ruling, and although it got to the right result, I don't think the court has fully wrapped its head around the statutory language. I read the court's discussion at least 6 times, and I couldn't make it make sense. Just know that a blocklist provider probably is both a provider and user of an ICS, so this element is met.

The blocklist easily satisfies the requirements of 230(c)(2)(B). As the court notes (citing Zango v. Kaspersky), whether material is "objectionable" is measured subjectively. Thus, the court dismisses Cisco, noting:

The Court notes that Plaintiff's breach of contract and defamation claims are dismissed because they specifically relate to Cisco's SenderBase service. Plaintiff defamation claim is based upon the fact that Cisco publishes IP scores. Plaintiff's breach of contract claim is based on the fact that Cisco refused to provide Plaintiff with the information that it used to calculate the reputation score for the IP address assigned to Plaintiff by Comcast.

Microsoft's EHS quarantine operates in the cloud by routing all email through its servers, which screen out emails based on its blocklist (as modified by customers' parameters). This should be even easier to qualify as a provider/user of an ICS. The court's discussion on this point doesn't make any sense either, but it reached the right result. As with Cisco, the court says the blocklist qualifies for 230(c)(2)(B) and the contract breach claim fails for the same reason.

Comcast doesn't get so lucky. The court once again finds that Comcast could have acted in "bad faith" which could disqualify it from 230(c)(2) coverage:

the Court finds that a reasonable jury could conclude that Comcast acted in bad faith when it failed to respond to Plaintiff's repeated requests for an explanation why it continually blocked Plaintiff's outgoing email...the Court is not convinced that an internet service provider acts in good faith when it simply ignores a subscriber's request for information concerning an allegedly improper email blockage...there is no reason why Comcast could not articulate its immunity (or provide another rationale for the blockage) when asked to do so by a paying customer.

Whoa. Hold on a sec. The court is saying that online providers have to provide explanations to their customers for their back-end choices. First, that's not in the statute. Second, Judge Fogel expressly rejected this argument in his Holomaxx rulings. Third, the court’s position is ridiculous. Being legally obligated to explain business decisions to affected customers would add an extra layer of expense/hassle to everyday business decisions, and the explanations will just become additional grist for the plaintiff's mill (see, e.g., Barnes v. Yahoo and the resulting incentives to tell customers less, not more). I'm 99%+ confident that an appellate court would reverse this judge on this point. I think he went off the rails. As a result, I don't plan to advise clients that they have to provide explanations for their blocking decisions, and I don't recommend you advise otherwise.

Although Comcast doesn't get the 230(c)(2) immunity, the court still ends up granting it summary judgment on all of the claims. There's some interesting discussion there too.

The court rejects Smith's ECPA claims and the substantively identical state claims. Cisco doesn't actually intercept emails, and Microsoft quarantines emails with its customers' consent.

Smith's contract breach and promissory estoppel claims against Comcast fail because Comcast didn't make any promises it failed to keep and because Smith was using a personal account for unpermitted commercial activities. (To me, this is facially inconsistent with any argument that Comcast had bad faith for 230(c)(2) purposes, but the court ignores that implicit contradiction).

Smith's NJ Consumer Fraud Act claim against Comcast also fails because he can't show fraud or ascertainable loss (because he only alleged that he lost time). The court dismisses a couple other claims, too.

Posted by Eric at 11:04 AM | Derivative Liability , Licensing/Contracts , Marketing , Privacy/Security , Spam | TrackBack

April 07, 2011

Claims that Emails were not Labeled as Ads and did not Disclose Tracking Preempted by CAN-SPAM -- Martin v. CCH

[Post by Venkat Balasubramani]

Martin v. CCH, 10-cv-3494 (N.D. Ill.; Mar. 24, 2011)

Plaintiff received two emails from CCH, with the following subject lines:

"Buy now pay Feb. 15"

[and]

"Offer extended - Buy now pay Feb. 15"

Based on these emails, plaintiffs files a putative class action against CCH alleging that CCH violated the Illinois spam statute. The court grants CCH's motion to dismiss, finding the claims preempted by CAN-SPAM.

The Illinois spam statute contains the standard prohibitions on misleading subject lines and falsifying the point of origin or transmission path of an email. The statute also requires email ads to contain "ADV: as its first 4 characters." Plaintiff alleged in the complaint that the emails were deceptive because

the subject lines do not state that the e-mails are advertisements, and the language used is misleading because it has the purpose and effect of making the recipient think the e-mail is from someone with whom he has a preexisting relationship.

The court finds that plaintiff "wisely" abandoned these arguments at the briefing stage. The emails both contained the word "buy" (and "pay") and it's hard to think of words that more clearly denote an invitation to engage in a commercial transaction. To the extent plaintiff argued that the emails were actionable because they were not labeled with "ADV:" this claim was "clearly" preempted by CAN-SPAM. With respect to plaintiff's claim that the emails improperly implied that the parties had some sort of pre-existing relationship, this did not rise to the level of fraud, or at worst, was a claim for "less than comprehensive information regarding the sender."

Plaintiff also argued that the emails were deceptive because they did not disclose the "'secret' 'information-harvesting' purpose of the e-mails." The court treats this as a misleading subject line claim. Citing to Virtumundo and Mummagraphics, the court finds that this claim is also preempted:

[t]hat claim also appears to be for 'incomplete' or 'less than comprehensive information' in the subject lines regarding the content of the e-mails. Plaintiff essentially argues that if Defendant had provided more information or 'complete' information, in the subject line, Plaintiff would not have opened the e-mail . . . . [T]wo circuits have held that less than comprehensive information outside the body of an e-mail is at best a technical allegation that finds no basis in traditional tort theories and thus falls within CAN-SPAM's express preemption clause (and outside the exception). And even if the omitted information could be deemed not only incomplete but also 'misleading,' Plaintiff's claim would still be preempted by the express language of the CAN-SPAM Act, which prohibits subject headings likely to 'mislead a recipient about a material fact regarding the contents of the message.'

In a footnote, the court also notes that the Illinois General Assembly is unlikely to have required - in the subject line of a commercial email - "a potentially lengthy and somewhat technical description of the process through which information is transmitted from recipient to sender when the recipient opens an e-mail." Indeed, in some instances, "it may not be possible to include on the subject line" the kind of disclosure plaintiff argued for.
__

Spam plaintiffs continue to come up with wacky theories of liability, and courts continue to reject these theories.

Posted by Venkat at 08:59 AM | Privacy/Security , Spam | TrackBack

April 01, 2011

N.D. Cal.: Facebook Posts are Electronic Mail Messages, Subject to CAN-SPAM -- Facebook v. Maxbounty

[Post by Venkat Balasubramani]

Facebook, Inc. v. Maxbounty, Inc., CV-10-4712-JF (N.D. Cal.; Mar. 28, 2011)

The Northern District of California ruled that commercial posts to a Facebook user's wall, news feed, and home page constitute "electronic mail messages" that are subject to CAN-SPAM. Two other courts in California had taken a similar approach with respect to MySpace messages (MySpace v. Wallace and MySpace v. TheGlobe.com).

Facebook brought claims against Maxbounty, which it alleged set up an affiliate scheme in violation of Facebook's policies and procedures. As described in the complaint:

MaxBounty, through its network of affiliates, creates fake Facebook pages that are intended to re-direct unsuspecting Facebook users away from Facebook.com to third-party commercial sites . . . In the first step, MaxBounty establishes a network of affiliates; in the second step, MaxBounty's affiliates create numerous Facebook pages that function like (and in effect are) advertisements; in the third step, the page displays a message indicating that upon registration a user will be able to take advantage of a "limited time offer," such as receiving a gift card or becoming a product tester for a high-end product (e.g. an Apple iPad); in the fourth step, the Facebook user is induced by the page and begins the registration process. The registration process requires three discrete user actions: (1) to become a "fan" of the page, (2) to invite all of his or her Facebook friends to join to the page, and (3) to complete additional administrative registration requirements. Upon completion of these requirements, Facebook users are not sent the promised item but instead are directed "to a domain registered to and managed by Maxbounty that then redirects the user to a third-party commercial website . . . ." The third-party commercial site informs the user that he or she must complete still more steps in order to obtain the promised item. Such additional steps include signing up for numerous "sponsor offers," which typically are offers for memberships in subscription services.

CAN-SPAM has three broad requirements: (1) no misleading subject lines; (2) no false or misleading header information; and (3) inclusion of a means to opt-out. I'm not sure how these requirements track to Facebook posts. Maxbounty argued (among other things) that the Facebook posts by its affiliates were not "electronic mail messages" that are subject to CAN-SPAM. CAN-SPAM defines an electronic mail message as":

a message that is sent to a unique electronic mail address . . . [i.e.] a destination, commonly expressed as a string of characters, consisting of a unique user name of mailbox and a reference to an internet domain . . . whether or not displayed, to which an electronic mail message can be sent or delivered.

The court declines Maxbounty's invitation to construe CAN-SPAM's definition of electronic mail message narrowly, pointing to congressional intent in curtailing the scourge of spam and to the two prior cases that held that MySpace posts could constitute email messages that are subject to CAN-SPAM.

From a practical standpoint, the court's order omits one question - whether the Facebook users actually received the messages in question via email. Some Facebook users would not set their Facebook accounts to forward posts or messages via email, so although the messages may be "routed" by Facebook, they may never be received (or even viewed) by the user. There's also the issue that the users in question "liked" the pages in question. My understanding is that people (or companies) that you are not "friends" with cannot post messages to your wall or message you, so the people who received unwanted wall posts or messages in question had to take an affirmative step before they were sent the messages in question. Are these messages truly unsolicited?

This is a pretty expansive reading of CAN-SPAM. When you get to the point that social networking messages can constitute messages that are regulated by CAN-SPAM, there's really no stopping point. How about blog comments? Tweets? Are the Facebook posts in question subject to the Telephone Consumer Protection Act as well, if the user had set his or her Facebook account to forward messages via SMS?

A case from Utah deciding whether pop-up ads were emails illustrates some of the practical difficulties with treating Facebook wall posts as email messages. (Riddle v. Celebrity Cruises, Inc.) The Utah statute required commercial emails to be labeled as advertisements (with "ADV") and the court (which found that pop-up ads do not constitute email messages) noted:

[a]ny requirement to include the "ADV:" designation on the subject line of a pop-up ad would be meaningless because there is no subject line per se.

The same difficulties can arise when you treat Facebook messages as emails which are subject to CAN-SPAM.

Maxbounty also argued that Facebook failed to plead its Computer Fraud and Abuse Act claims with particularity. The court finds that CFAA claims are not subject to the heightened pleading standards of Rule 9(b), and that Facebook satisfied the lower pleading standard.

Posted by Venkat at 07:30 AM | Spam

March 03, 2011

Jan.-Feb. 2011 Quick Links, Part 4

By Eric Goldman

Internet Freedom

* The EFF points out the inconsistency between Hillary Clinton's speech championing Internet freedom abroad when our own US government has gone rogue on its own citizens, including unlawful domain name seizures and an obsessive vendetta against Wikileaks.

* Fast Company: Why Twitter stood up for its users against the "secret" Wikileaks subpoena when other sites didn't.

47 USC 230

* Fleming v. Duncan: Yahoo wins 47 USC 230 motion to dismiss in Georgia state court.

* Neeley v. NameMedia, Inc., 2010 WL 5677069 (W.D. Ark. Dec. 16, 2010). 47 USC 230 preempts "outrage" claim over displaying nude photos in search results. A complementary follow-up ruling: Neeley v. NameMedia, Inc., 2011 WL 336174 (W.D. Ark. Jan 31, 2011).

* Several professors contributed essays to a book critical of 47 USC 230. Paul Levy takes them on.

* Jonathan I. Ezor, Busting Blocks: Revisiting 47 U.S.C. § 230 To Address The Lack Of Effective Legal Recourse For Wrongful Inclusion In Spam Filters, Richmond Journal of Law and Technology (Fall, 2010).

Spam

* Facebook, Inc. v. Fisher, 2011 WL 250395 (N.D. Cal. Jan. 26, 2011). Facebook gets $360M default judgment against spammers.

* Goodmail shutting down.

History

* Antone Johnson on the dot-com hangover of 2000-2002.

* 25 Best Startup Failure Post-Mortems of All Time.

Miscellaneous

* You can watch video from Next Digital Decade event. More on that event: 1, 2, 3. If you haven’t looked yet, you should check out the book.

* Unique Products Solutions v. Hy-Grade Valve (N.D. Ohio Feb. 24, 2011). Patent false marking qui tam process is unconstitutional.

* Shrader v. Biddinger, 2011 WL 678386 (10th Cir.(Okla.) Feb 28, 2011). In this Internet jurisdiction case, the Tenth Circuit adopts ALS Scan v. DSC as its test rather than Zippo.

* FairSearch.org has a new partial rival, Faretransparency.org, the web front for the Open Allies for Airfare Transparency, "a coalition representing all of the stakeholders in the travel booking industry, works to promote price transparency and full access to airline pricing and fee information." It's chaos in the online travel booking industry right now!

* Very useful table: State Cyberstalking, Cyberharassment and Cyberbullying Laws

* Evony sues its user for automated mapping of its site.

* ABA Journal: "For Federal Plaintiffs, Twombly and Iqbal Still Present a Catch-22"

* Direct Marketing Association v. Huber, No. 10-cv-01546-REB-CBS (D. Colo. Jan. 26, 2011). Judge strikes down Colorado's attempt to impose an "Amazon" tax as unconstitutional. My previous reference to the law.

* In the Silicon Valley, being the "Craigslist Congressman" might be considered a compliment. Unfortunately, that term will now be pejorative.

* Segal v. Amazon, 2:11-cv-00227 (S.D. Fla. Feb. 4, 2011). Amazon's participation agreement's venue selection clause upheld.

* Rep. Matheson wants to require age authentication to access online porn. Been there/done that 13 years ago with COPA. Lest you forget, it was unconstitutional.

Funny Stuff

* French second-graders are shown items like an old Fisher Price record player and 3.5 and 5 inch floppies and are totally baffled by them. Funny video.

* Great Dilbert strip riffing on the old joke of how you know if a lawyer is lying.

Posted by Eric at 11:53 AM | Content Regulation , Derivative Liability , Internet History , Patents , Spam | TrackBack

February 12, 2011

Debt Collection Text May Result in Liability under the Telephone Consumer Protection Act -- Gutierrez v. Barclays Group

[Post by Venkat Balasubramani]

Gutierrez v. Barclays Group, Case No. 10cv1012 DMS (BGS) (S.D. Cal.; Feb. 9, 2011)

The Telephone Consumer Protection Act is a big stick. And it's being wielded against debt collectors.

Plaintiffs (a husband and wife) applied for a credit card. On the application, the husband listed his work number and his wife's cell phone number. Credit cards were issued to both the husband and the wife. At some point, when the couple were delinquent on their payments, Barclays began making collection calls to both numbers. It also sent text messages to the numbers. In response to one of the text messages, the husband asked (via text message) to cease further text messages. Although the court doesn't explicitly say this, presumably, the messages from Barclays continued. Plaintiffs filed claims under the TCPA.

Defendants argued that plaintiffs consented to the text message by listing their number on the credit application, and sought to dismiss the claims against the wife on the grounds that she was not the "called party." The court denies defendants' request for summary judgment.

Consent: The first question was whether the wife consented to listing her telephone number and provided the "prior express consent" that would allow defendants to argue that the communications fell under this exception to the TCPA. Defendants pointed to an FCC Report and Order which stated that calls made by a creditor to a debtor to the number which the debtor provided in the credit application fall under the "prior express consent" exception. However, the wife argued that since she did not fill out the application in question, she could not have consented. The court found that there was little case law on the issue of how this type of consent must be expressed. The court looked to the criminal context and found that courts find consent to a search by the defendant, but also by a third party who possessed "common authority over or other sufficient relationship to the premises or effects" in question. Defendants put forth evidence that the husband possessed "common authority" over the phone because he freely used it. On this basis, the court finds that the wife effectively gave prior express consent to receiving the calls.

Revocation of consent: Unfortunately for defendants, that was not the end of the story. Plaintiffs argued that they revoked the consent via text message. Defendants argued that the revocation had to be in writing, but the court disagrees, noting that if consent could be provided by telephone or other means, it would be odd to require a revocation to be in writing. Ouch!

Whether the wife was the proper plaintiff: Defendants finally tried to get the wife's claims dismissed on the basis that since she did not receive the texts in question, she was not the "called party" for purposes of the TCPA. The court looked to mixed rulings on the issue of who could sue for a TCPA violation. One case held that unintended and incidental recipients could not sue. At least one case held to the contrary that any recipient could sue. The court takes a different approach and rules that only the subscriber has a cause of action to sue under the TCPA.

The TCPA is a tough statute for people who send unsolicited text messages. Third party consent is unreliable in the marketing context (see "Ninth Circuit Revives TCPA Claim--Satterfield v. Simon & Schuster"), but it looks unreliable in general. When you add the fact that consent can be revoked by text message or orally, people who send unsolicited text messages are not left with much comfort. I think that's worth remembering is that unlike spam, it does not matter whether an unsolicited text message as sent for advertising purposes. It is also no defense that the recipient was not "separately charged" for the call. Debt collection text messages can violate the statute, absent consent (which can be easily revoked).

Unsolicited text message litigation has followed almost the opposite trajectory to spam litigation. Defendants just can't seem to get a break. Some of this is a result of the overzealous plaintiffs involved in spam litigation. Some of it is also the structure of the respective statutes. The TCPA is just much more of a plaintiff friendly animal.

Posted by Venkat at 11:16 AM | Publicity/Privacy Rights , Spam

January 29, 2011

Class Action Brought by "Lonely and Vulnerable" Men Against Online Cupid Site Moves Forward -- Badella v. Deniro Mktg.

[Post by Venkat Balasubramani with some comments by Eric]

Badella v. Deniro Marketing LLC, 10-03908 CRB (N.D. Cal.; Jan 24, 2011)

This is a good one.

A group of plaintiffs brought a putative class action against an online dating website that they alleged contained predominately fake profiles. As Judge Breyer describes it in more colorful language:

This is a putative class action purportedly a vast, fraudulent scheme centered around an internet dating website that lures 'often lonely and vulnerable men' into joining . . . with the false promise that they are communicating with real women in their area who are interested in dating and/or intimate relationships.

Plaintiffs brought claims for fraud, RICO and California's anti-spam statute against multiple defendants. They alleged that they were "drawn" to the website fraudulently (e.g., via "spam, internet pop-up ads, or social networking scams"), induced to sign up for free, and then induced to upgrade to paid memberships.

Fraud: With respect to the fraud claim, defendants argued that the website terms of use undermined plaintiffs' reliance on any purported misstatements. The website terms stated:

This Service is for Amusement Purposes only.
You understand and accept that our site, while built in the form of a personals service, is an entertainment service. . . You are not guaranteed that you will find a date, a companion, or an activity partner, or that you will meet any of our members in person.
Online CupidTM Communications: You understand, acknowledge and agree that some of the user profiles posted on this site may be fictitious, and are associated with . . . our "Online CupidsTM", ("OC"). Our OC's work for the Site in an effort to stimulate conversation with users, in order to encourage further and broader participation in all of our Site's services, including the posting of additional information a.or pictures to the users' profiles.

Judge Breyer found that the terms did not undercut reliance for three reasons: (1) plaintiffs alleged that nearly all (as opposed to some) of the profiles are fictitious; (2) the fake profiles were not always labeled "OC," as promised; and (3) the plaintiffs alleged a "widespread and pervasive effort on Defendants' part to make the website appear to be a legitimate dating service." The disclaimer did not defeat reliance because defendants allegedly used a "wealth of information" to create a false impression, and the disclaimer was not as prominent as the information which created the false impression. In rejecting the claims, the court suggested what an appropriate disclaimer would look like, and contrasted this with the one from the website terms:

THIS WEBSITE USES FICTITIOUS PROFILES - READ THIS DISCLAIMER [or] THE MAJORITY OF PROFILES YOU SEE WILL NOT CORRESPOND TO ACTUAL WOMEN - READ THIS DISCLAIMER.

Disclaimers have achieved mixed results against claims of misleading website practices. (See, e.g., Vistaprint; Easysaver Rewards; Duffy v. The Ticketreserve, Inc.) I found the court's conclusion plausible, although a part of me said that an average person reading this disclaimer would conclude that they weren't visiting a typical dating website. Maybe the court figured - as many people do - that people rarely read or digest website terms?

Defendants also argued that the fraud claims were not pled with particularity. The court held that with respect to initially being drawn to the site, the plaintiffs failed to allege the particulars of how they were fraudulently drawn to the site. With respect to being persuaded to register and upgrade to paid memberships, the court held that these allegations were pled with particularity, since plaintiffs' allegations referenced specific messages sent by fake profiles which were not so labeled. Interestingly, plaintiffs alleged that in order to make the fake profile messages more compelling, defendants did not rely on "canned or automatic messages . . . [they employed] actual individuals who control hundreds of fictitious profiles." [Reasonable minds can disagree about the quality of the copy, but my feeling was that anyone who has ever moderated blog comments or been exposed to blog spam would be able to spot this as the same type of copy from a mile away.]

RICO: For the RICO claim, plaintiffs argued that defendants engaged in a conspiracy to commit wire fraud and access device fraud. The underlying fraud plaintiffs alleged was that defendants set up numerous entities to fraudulently obtain merchant accounts and then used these merchant accounts to process credit card payment for the websites in question.

The court does not give defendants' argument much credit here and declines to dismiss the RICO claims. I didn't check to see whether RICO claims have been successfully brought in the online context, but this seems like a way to attack a bunch of people in the chain of a transaction and drastically expand the scope of liability. A charge of conspiracy was successfully brought by the government in Kilbride, a criminal CAN-SPAM case. "Defendants Convicted in 1st Criminal CAN-SPAM Trial." There, among other things the government alleged that defendants used fictitious entities to register domain names. The court in Kilbride also relied on the use of privacy protection services to register the domain names. The RICO claims will have to be fleshed out and no one knows how they will fare, but plaintiffs' theory sounds pretty expansive.

Spam claims: Plaintiffs brought claims under California's spam statute. The court concludes that these claims are barred by the one year statute of limitations, thus avoiding the preemption question that has been plaguing California courts for some time, including in Reunion.com, another case where plaintiffs alleged they were induced to sign up (and upgrade) using unsolicited messages and allegedly bogus "friend messages." ("Reunion.com Revisited Again: Claims Under CA Spam Law Not Preempted by CAN-SPAM -- Hoang v. Reunion.com.") Interestingly, an appeals court in California recently held that under the California statute claims for actual damages must be brought within three years of the receipt of the emails, while claims for statutory damages can only be brought one year within the receipt of the emails. The court's opinion here does not contain a discussion of whether plaintiffs sought actual or statutory damages, but if they sought actual damages, the dismissal does not jibe with the recent appeals court ruling in Hypertouch. ("CA Appeals Court: Claims Under State Spam Statute Not Preempted by CAN-SPAM - Hypertouch v. Valueclick.")
___

It's hard to not be judgmental about this suit. People - specifically "lonely and vulnerable men" - sign up for these random "dating" websites and then complain because a greater than anticipated number of the profiles are fake (??). I can just picture one of the plaintiffs saying: "I'm playing the odds by going on this site. I don't know what the odds are (no one does), but they were different from what you promised!" It's also hard to fault the court for deferring the underlying issue of whether the users were misled to the factfinder, but unless the plaintiffs are chosen carefully, they are not going to have an easy time credibly explaining how they were misled. In the meantime, we can take comfort that the interests of lonely and vulnerable men trolling internet dating sites for dates can be protected.
___

Comments by Eric: It's interesting how Venkat concludes his post, because in fact I have zero sympathy for the website (treating the allegations as true, as the court was required to do on this motion to dismiss). I'm trying to imagine a world where customers would pay substantial fees to a "dating" site where much/most of the interaction was with automated scripts. (I also couldn't get Austin Power's "fembots" out of my mind reading this case). The silly disclaimers--that the site was for "amusement" and that paying customers should expect automated interactions--clearly weren't likely to be read by anyone who actually paid money to the site. So it seems axiomatic to me that the only people who paid should have been the people who didn't get the message.

Thus, this seems like one of those cases where the fine print ("we're just going to send you canned messages if you pay us a lot of money") is designed to completely contradict the big print ("we're a dating site"). You can't do that.

This case brought to mind the old Anthony v. Yahoo case, where Yahoo allegedly retained profiles of expired/terminated members so that it looked like it had a bigger dating pool. (Yahoo ultimately settled for up to $4M). We talk about how it can be a jungle out there for single people, but oh man, at least their dating services shouldn't be lying to them. Clearly, before you starting "dating" your dating site, you need to diligence it too.
___

Related (coverage of a recently filed class action against Match.com over an alleged excessive number of inactive or fake profiles):

"Lawsuit Claims More Than Half Of Match.com Profiles Are Inactive Or Fake" (Joe Mullin)
"Love’s Labour’s Lost in Cyberspace" (Danielle Citron/Concurring Opinions)

Posted by Venkat at 08:30 AM | Content Regulation , E-Commerce , Marketing , Spam

January 20, 2011

CA Appeals Court: Claims Under State Spam Statute Not Preempted by CAN-SPAM - Hypertouch v. Valueclick

[Post by Venkat Balasubramani with some comments from Eric]

Hypertouch, Inc. v. Valueclick, Inc., et al., B218603 (Cal. Ct. App.; Jan. 18, 2011)

A California appeals court weighed in on a long-running debate: whether CAN-SPAM preempts California's spam statute. This is a significant decision that covers a lot of ground (I think it mentions just about every major spam case), and it is sure to be appealed.

Background: Two of the seminal anti-anti-spam cases were Mummagraphics and Virtumundo. Mummagraphics said that CAN-SPAM is intended to cover material misstatements in emails and preempted contrary state laws (to the extent they imposed liability for immaterial misstatements). Virtumundo said that only legitimate ISPs that have suffered actual harm can sue under CAN-SPAM. In Virtumundo, the Ninth Circuit also rejected the plaintiff's claims under Washington's email statute. The plaintiff in Virtumundo was pushing the envelope, and it was unclear as to whether the Ninth Circuit's rejection of his state law claims was restricted to the plaintiff's fanciful claims which clearly stretched the scope of Washington's spam statute to the breaking point. Mummagraphics and Virtumundo were from the Fourth and Ninth Circuit respectively, and they left open the question of how other state spam statutes would fare, including California's, which is one of the most expansive (and important). Lower federal courts courts struggled with applying Virtumundo and Mummagraphics to the preemption question in California, and decisions were all over the place. Some courts held that CAN-SPAM's savings clause only saves state statutes that sound in traditional fraud, and since California's spam statute didn't require proof of reliance and damages, it did not fall into this category and was preempted. (Here's my April 2010 post on Hoang v. Reunion.com, a case that struggled with the preemption question: "Reunion.com Revisited Again: Claims Under CA Spam Law Not Preempted by CAN-SPAM -- Hoang v. Reunion.com.")

Factual Background: Hypertouch brought claims against Valueclick, various Valueclick subsidiaries, and PrimaryAds for violating section 17529.5 (California's spam statute). As the court describes it, Hypertouch is a small provider of email service to about 100 customers. Valueclick provides online marketing services to:

third-party advertisers who promote retail products. . . . Valueclick contracts with these third-party advertisers to place promotional offers on websites that are owned and operated by various Valueclick entities. Consumers, in turn, can visit Valueclick's websites and earn rewards in exchange for participating in the advertised promotional offers.

Valueclick contracts affiliates who "drive traffic" through methods chosen by the affiliates in their discretion. Valueclick provides the affiliates the creatives for a promotion, and the affiliates promote as they see fit (in many cases hiring sub-affiliates to effect the promotions). Valueclick alleged that it had no "knowledge of, or control over, the email delivery methods or header information used by [affiliates] or their sub-affiliates." [This is a risky admission!] PrimaryAds looks like it's similar to Valueclick - PrimaryAds operates a website which contains third party offers. PrimaryAds contracts with affiliates who download materials from PrimaryAds' website, engage in promotions (which are tracked by PrimaryAds). PrimaryAds requires its affiliates to sign agreements stating that the affiliates will comply with all laws, including anti-spam laws, in carrying out their promotion activities. PrimaryAds also alleged that it had "no control over the email delivery methods used by affiliates."

Hypertouch argued that Valueclick and PrimaryAds were advertised via emails that violated California spam statute in three ways: (1) the emails contained deceptive header information (because the from and to fields did not accurately reflect the sender or recipient); (2) the subject lines were likely to mislead recipients into thinking they would receive free stuff; and (3) the emails used third party domain names without the third party's permission. The trial court granted defendants' motion for summary judgment. The trial court held that defendants could only be held liable for emails they sent or caused to be sent (which cut out a chunk of the emails in question). The trial court also found that CAN-SPAM preempted state spam statutes which regulated misleading emails, unless the statutes covered "common law fraud or deceit." Since the claims did not cover the elements of common law fraud, they were preempted. Significantly, the court awarded defendants $100,000 in costs.

The appeals court's decision: The court reversed and ruled for Hypertouch, with an order that dramatically expands the reach of potential liability for products or companies that are advertised via email (regardless of whether they send the email). It's a blockbuster ruling for the anti-spam community.

Preemption: CAN-SPAM's preemption provision states that it preempts state statutes that regulate the use of commercial email "except to the extent that any such statute prohibits falsity or deception in any portion of a commercial email." The court acknowledges that CAN-SPAM's preemption was intended to accomplish a uniform standard for email regulation (to avoid requiring compliance with a "patchwork" of laws). The court also cites to a Senate Report that says that states laws prohibiting things like "fraudulent or deceptive headers, subject lines, or content" should not be preempted "because they target behavior that a legitimate business trying to comply with relevant laws would not be engaging in anyway."

The court disagrees with the trial court's conclusion on preemption and provides two main reasons, along with a lengthy discussion (and canvassing of the case law): (1) the language of the preemption clause does not support a finding of preemption; (2) allowing state law claims that reach misleading but not fraudulent emails would not undermine a national standard.

Hypertouch's claims survive summary judgment: Defendants argued that Hypertouch failed to put forth evidence that defendants either sent the emails or "knew" they were being sent by an affiliate in a misleading manner. The court responds that:

the plain text of 17529.5 indicates that its application is not limited to entities that 'send' the offending emails nor does it require plaintiff to establish that defendant had knowledge of such emails. Rather, the statute imposes liability on any 'person or entity' that 'advertises' in an email containing any of the forms of deceptive content described in section 17529.5 [(a)(1)-(3)].

Do the emails Violate the Statute?: Although plaintiffs asserted that the emails at issue violated three different prongs of section 17529.5, the court doesn't discuss the other two prongs, and merely focuses on the subject line prong. Section (a)(3) is the no misleading subject line prong, and the court finds that the following representative subject lines potentially violate the statute:

Get a FREE Golf Retreat to 1 of 10 destinations;

Let us know your opinion and win a free gift card;

Do you think Hillary will win? Participate now for a Visa card

In support of its summary judgment burden, Hypertouch put forth the testimony of its president (?) who says that he clicked on links in these emails and found out that in order to receive anything for free, you had to purchase something. As the court phrases it, the statute requires the subject line to mislead a recipient about a "material fact," and

if a subject line "creates the impression that the content of the email will allow the recipient to obtain a free gift by doing one act (such as opening the email or participating in a simple survey) and the content of the email reveal [sic] that the 'gift' can only be obtained by undertaking more onerous tasks . . . the subject line is misleading about the contents of the email.

1 year statute of limitations on liquidated damages claims: The California statute allows for statutory damages or actual damages. If the statutory damages are considered a penalty, then they are subject to a one year statute of limitations under California law. Hypertouch argued that statutory damages should not be subject to the one year time-bar because they are discretionary, but the court disagrees, holding that although the court has discretion with respect to the amount of damages it awards, it must award some amount of damages. Therefore, the court concludes that Hypertouch may seek actual damages for emails within three years of their receipt, but may only seek statutory damages for emails within one year of their receipt.

___

This is a big ruling on several levels.

The big practical effect is that it provides an avenue for California spam plaintiffs to seek relief under the California statute. Previous spam cases have backfired on spam plaintiffs due to over-reaching, but I wonder if the preemption argument backfired on defendants due to their over-reaching. Arguing that the preemption clause only saved claims which sounded in actual fraud was a stretch, and both Ethan and I expressed discomfort with rulings that embraced this standard. The court almost has an easy argument to knock down, and it happened to be an aggressive interpretation of the preemption clause that defendants were responsible for pushing.

The even bigger effect of this ruling is the fact that persons or entities who do not themselves send email but who are advertised in non-compliant email can now be held liable, without a showing that they knew or should have known that they were being promoted via non-compliant spam. This is going to throw a big monkey wrench in affiliate programs. Previous cases dealing with affiliate liability in the CAN-SPAM context required plaintiffs to show some sort of knowledge or facts sufficient to impute knowledge. ("Affiliate Spam Liability is Fact Question--US v. Cyberheat"; "Affiliate Liability Extravaganza".) .

In fact, the court expressly embraces a strict liability standard for affiliate liability. This is going to lead to some wacky results - for example, think of the case where a company located outside California is being promoted via email but does not know that its affiliates are emailing to California residents (the affiliates themselves may not know). All of a sudden, they find themselves subject to liability in California for violations of the California spam statute? (Does this present a section 230 issue, since neither of the defendants created the copy which allegedly violated the statute?)

The court's assessment of the substantive violations of the statute is cursory. The court tackles the subject line violations but where's the court's assessment of the violations of subsections (a)(1) (the domain name prong) and (a)(2) (misleading or forged header information prong). Setting aside the fact that the court's interpretation of the subject line prong is charitable (and aimed at protecting people who take on face value a claim via email that the recipient is getting something for free), there's no discussion from the court on how the emails violate the prong which prohibits the use of third party domain names without permission. The court similarly doesn't deal with the misleading header information prong, but Hypertouch's claims sound similar to the claims the Ninth Circuit rejected in virtumundo ("there is . . . nothing inherently deceptive in Virtumundo's use of fanciful domain names").

Interestingly, the California Supreme Court weighed on its spam statute just once. In a ruling last year in (Kleffman v. Vonage) the court held that use of random and multiple domain names even if they were intended to bypass spam filters does not violate California spam statute. ("Use of Multiple (Even Random or Garbled) Domain Names to Bypass Spam Filter Does not Violate Cal. Spam Statute -- Kleffman v. Vonage.")

Additional coverage: "C.A. Revives Action Charging Advertiser Under Anti-Spam Law" (Metropolitan News-Enterprise)
______

Comments by Eric:

This is an incredibly noteworthy opinion for several reasons.

First, published opinions on Internet law from California appeals courts are becoming rarer than a hen's tooth, so this is likely to be one of the few citable opinions by a California state court on spam issues for the foreseeable future (unless the Supreme Court takes it on appeal). As a practical matter, then, this opinion not only sets California law, but all federal courts interpreting federal law will also have to acknowledge this opinion. I anticipate this will be a heavily cited opinion in the future.

Second, the court's imposition of strict liability for advertisers promoted by spam is breathtaking. The court says "imposing strict liability on the advertisers who benefit from (and are the ultimate cause of) deceptive e-mails, forces those entities to take a more active role in supervising the complex web of affiliates who are promoting their products." Well, that's true in theory, but it's completely divorced from reality. Because of strict liability, even advertisers who undertake substantial efforts to police their affiliate network ARE STILL LIABLE FOR ANY PROBLEMS CREATED BY AFFILIATES. Maybe the court got confused about what it meant to impose STRICT LIABILITY. In reality, many advertisers won't rely on affiliates at all if they are strictly liable for what they do. I bet this court would view that as a perfectly fine outcome, but the it's disingenuous to say that strict liability will ratchet up the policing effort. A negligence standard might have done that; strict liability squashes the endeavor altogether.

For that reason, the strict liability standard for advertisers is the #1 thing (of a pretty long list) that needs to get fixed on appeal.

Venkat raised the issue of 47 USC 230's role here. I haven't had a chance to see if the issue was raised by the litigants, but my initial instinct is that an advertiser's 230 defense for ad copy written by a third party sounds pretty meritorious.

Overall, rulings like this reinforce to me how desperately we need to get states out of the business of trying to regulate the Internet. First, Congress built a structure to hold advertisers should be liable for spam violations in CAN-SPAM (a narrow liability scope, although I question the wisdom of even that). If California can impose a supplemental and much more expansive advertiser liability doctrine, Congress clearly did a crummy job with its preemption clause (so what else is new?). Second, this liability rule, if it sticks, is terrible policy destined to generate lots more of wasteful profit-seeking litigation. Third, it's unclear how California's policy would affect interstate advertising campaigns--a question we shouldn't even have to ask when dealing with Internet activities. We really, desperately, need to rethink our governance scheme that puts states in the business of regulating the Internet. IT DOESN'T WORK, and we lose a lot in the process.

Finally, a gossipy note. This is an unusual spam opinion in that it had big firm lawyers on both sides (Steptoe on the plaintiff side; Gibson Dunn on Valueclick's defense). I wonder if the court's decision to write a lengthy, detailed, footnoted and published opinion is the result of that.

Posted by Venkat at 05:22 PM | Derivative Liability , E-Commerce , Marketing , Spam

January 05, 2011

Lawyer-Spam Plaintiff Loses in the Sixth Circuit Over Allegedly Misleading DISH Network Emails -- Ferron v. Echostar

[Post by Venkat Balasubramani]

Ferron v. Echostar Satellite LLC, 09-4407 (6th Cir.; Dec. 28, 2010)

Ferron brought claims against Dish Network and its retail and marketing partners alleging that he had been deceived by the terms of email offers sent by defendants. According to defendants, Ferron's strategy was to actually sign up to receive emails which he claimed were deceptive. However, prior to receiving any emails, he allegedly called to verify the terms of Dish Network's service:

according to defendants, Ferron purposefully provided his email address to the approximately twelve satelitte dish websites from which he later received advertisements. Before he provided his email address to the websites, Ferron contacted Dish network call centers to obtain information about the terms and conditions of various Dish Network products and services. Accordingly, Ferron was aware of the terms allegedly excluded from the deceptive emails before he received them.

The trial court granted summary judgment, and the Sixth Circuit affirms in an unpublished opinion.

Ohio Consumer Protection Statute: Ferron claimed that he did not need to have been deceived personally to bring a claim under the OCSPA - it was sufficient that the emails contained objectively misleading information. The court disagrees. Citing overwhelming precedent in defendants' favor, the court concludes that a plaintiff must have been actually deceived in order to bring a claim under the OCSPA (i.e., individual plaintiffs cannot take the private attorney general route). Although Ferron argued that a ruling to this effect would foreclose legitimate claims, this argument didn't get much traction with the court:

Simply put, the only persons foreclosed by today's ruling are individuals who solicit emails from an advertiser after having researched and discovered the additional terms the advertisement allegedly excludes.

Ouch!

The Publisher Exception to the OCSPA: The Sixth Circuit also affirmed the trial court's ruling that one of the defendants (Hydra) who was a mere intermediary was entitled to the "publisher exception" to the OCSPA. As an initial matter, the court concludes that Hydra "was not involved in the creation of the . . . advertisements," and thus was precisely the type of entity who could take advantage of the publisher exception. Ferron argued that Hydra was not the type of publisher the legislature intended to fit within the exception, because Hydra received a referral fee each time a customer signed up (instead of a flat fee per ad, or a monthly fee). The court rejects this argument, reasoning that regardless of the fee structure, the publisher always has an interest in ensuring that customers respond to advertisements. Ferron also argued Hydra should not be entitled to take advantage of the publisher exception with respect to any ads transmitted by Hydra after the filing of the lawsuit. The court rejects this argument as well, since the mere filing of Ferron's complaint is not indicative of a violation of the statute (just that Ferron alleged that defendants violated the statute).

Request for Sanctions: Ferron requested sanctions on the basis that defendants did not maintain the ads in their native form (i.e., he could not click through and access the underlying links and graphics). The Sixth Circuit affirms the district court's rejection of Ferron's request for sanctions, noting that Ferron himself had the emails in question and should have saved them.
__

The court's description of the facts makes me think a section 230 defense may have been available to Hydra, not that it ended up needing it anyway.

The bigger takeaway? When it comes to spam litigation at least, courts seem more than able to ferret out what they see as unworthy claims. This is one of a long line of losses by plaintiffs who seem to have made it a part of their business to seek out and sue people to send them unsolicited email (see Gordon v Virtumundo, Mummagraphics, etc.).

A couple of days after the Sixth Circuit issued its opinion in this case, it issued its ruling in Charvat v. Echostar, a case where Ferron was counsel for the plaintiff. This case involved alleged do-not-call violations against Echostar and third parties brought by Philip Charvat, whom the court describes as not being "shy in taking on the role of private attorney general under the Telephone Consumer Protection Act" and listed him as a plaintiff in 13 TCPA lawsuits. The Sixth Circuit delves into the thorny jurisdictional issues, but ultimately ends up punting to the FCC on the interesting issue of whether Echostar could be liable for TCPA-violating calls made by third party independent contractors/affiliates. The FCC's amicus brief in this case suggests that it has an expansive (and perhaps troubling) view of such imputed liability.

Previous post: "Email Ad Network Isn't Liable for Unsolicited Email--Ferron v. Echostar"

Coverage of an earlier Ferron lawsuit: "Q1 2009 CAN-SPAM Quick Recaps"

Posted by Venkat at 02:14 PM | Content Regulation , Derivative Liability , E-Commerce , Spam

January 01, 2011

Court Rejects Constitutional Challenge to TCPA Based on Vagueness in "Prior Express Consent" Exception -- Kramer v. Autobytel, Inc.

[Post by Venkat Balasubramani]

Kramer v. Autobytel, Inc., et al., 10-cv-02722 CW (N.D. Cal.; Dec. 29, 2010)

We've blogged a bunch about cases involving defendants accused of sending text messages - none of them have resolved favorably in favor of the defendants:

"Another Court Finds that TCPA Applies to Text Messages -- Lozano v. Twentieth Century Fox Film Corp."

"Court Finds that SMS Spam Messages are Subject to the TCPA and Rejects First Amendment Defense -- Abbas v. Selling Source, LLC"

"Ninth Circuit Revives TCPA Claim--Satterfield v. Simon & Schuster"

"Cellphone Spam Violates TCPA--Joffe v. Acacia Mortgage"

This case is no exception. Plaintiff brought a putative class action on behalf of recipients of "thousands of" unwanted text messages, some of which were allegedly received after plaintiff opted out. Plaintiff settled against the named defendant (Autobytel), and the court dismissed the individual claims against Autobytel. The putative class claims against Autobytel were dismissed without prejudice, and proceeded against the remaining defendants. Defendants advanced two arguments in their motion to dismiss: (1) the Telephone Consumer Protection Act was vague in its requirement that the messages be sent without the recipients' "prior express consent"; and (2) the allegations in the complaint failed to state a claim.

The plaintiff's complaint alleged the classic transmission of messages through a list procured by or on behalf of the sender (a list which was allegedly passed on multiple times down the chain). Plaintiff alleged:

an effort to promote its automotive products to consumers, Autobytel, the proprietor of one of the nation's largest automotive referral services, through marketing partners such as LeadClick, engaged B2Mobile to conduct an especially pernicious form of marketing: the transmission of unauthorized advertisements in the form of 'text message' calls to the cellular phones of consumers throughout the nation. . . . In order to make their en masse transmission of text message advertisements economical, Defendants used lists of thousands of cellular telephone numbers of consumers acquired from third-parties. . . . Defendant B2Mobile contracted with third parties to acquire lists of phone numbers for the sole purpose of sending spam text messages on behalf of advertisers for its own monetary gain.Defendant Autobytel contracted with LeadClick, who there after contracted with B2Mobile, for the purpose of advertising Autobytel's products and services through spam text messages.

As Professor Goldman mentions in his post about Satterfield, this is exactly the sort of thing that is likely to land those who transmit mass text messages in trouble (i.e., relying on consent allegedly procured by third parties).

First Amendment Challenge: Citing the standard articulated by the Ninth Circuit in Satterfield which requires a "common sense interpretation" of "express consent," and FCC pronouncements that the TCPA applies to SMS spam, the court rejects defendants' constitutional challenge to the statute. I'm always pretty skeptical of First Amendment challenges to statutes regulating the unsolicited transmission of one-to-one communications. It wasn't a shocker that the court rejected defendants' constitutional arguments in this case.

Sufficiency of the Complaint: Defendants' challenge to the sufficiency of the complaint fared no better. Plaintiff alleged that the messages were transmitted "using equipment that . . . had the capacity to store or produce telephone numbers to be called, using a random or sequential number generator" (this was the standard articulated by the Ninth Circuit in Satterfield). Some of the defendants also contested the sufficiency of plaintiff's allegations regarding defendants' role in the transmission of the messages, but the court held that plaintiff's allegations were sufficient:

[plaintiff] stated plainly that he never consented to the receipt of such messages, and described his attempt to opt out of receiving messages from SMS code 77893, which was allegedly registered toB2Mobile. Kramer described the relationship between B2Mobile, Autobytel, and LeadClick, and the roles involved in text message advertising.

There's not a whole lot more to say about this case. It's a good reminder that relying on third party consent when you transmit unsolicited messages is risky behavior.

Posted by Venkat at 06:15 AM | Content Regulation , Spam

December 24, 2010

Deep Packet Inspection (NebuAd) Litigation: Court Dismisses ECPA Claim but CFAA Claim Continues

[Post by Venkat with comments by Eric]

Mortensen v. Bresnan Comm., CV 10-13-BLG-RFC (D. Mont. Dec. 13, 2010)

A district court in Montana hearing one of the many NebuAd "deep packet inspection" lawsuits partially granted a defendant's motion to dismiss. This lawsuit arises out of NebuAd's alleged attempt to monitor and use an end user's internet activity for advertisement targeting purposes - i.e., not using cookies or other tracking, but actually routing the communications themselves through NebuAd's "appliance." There have been a slew of lawsuits out of this practice; this lawsuit involved claims against Bresnan Communications, an Internet access provider, who is accused of letting NebuAd install the appliance for its profit.

Electronic Communication Privacy Act Claims: Bresnan first argued that it did not engage in any interception itself, so it could not be held liable under the ECPA. The court rejects this argument on the basis of plaintiff's allegation that Bresnan "allowed" NebuAd to install its device on Bresnan's network, and but for the appliance, the monitoring would not have occurred.

However, the court accepts Bresnan's argument that the plaintiffs agreed to the interception based on disclosures in the terms of service and elsewhere. The court quotes from Bresnan's "Online Privacy Notice," which says:

the equipment used to provide the service collects information . . . [including] information about . . . 'electronic browsing,' and the text of email or other electronic communications the [users] send or receive using [the] services.

The notice also references that the information that is collected will be disclosed to third parties. Bresnan's "Online Subscriber Agreement" contained similar disclosures. Finally, the court notes that Bresnan alleges that it provided customers "specific notice" and a link to opt-out from information collections.

Shockingly, plaintiffs did not contest that "they agreed, by way of Bresnan's Privacy Notice and Subscriber Agreement to the interception." (??) Instead, plaintiffs quibble with the scope of the documents in question and argued that Bresnan construes plaintiffs' consent "cavalierly." The court rejects plaintiffs' argument, and grants Bresnan's motion to dismiss the ECPA claim on the basis of consent.

Invasion of Privacy Claims: Plaintiffs brought a common law invasion of privacy claim. The court finds that the notice and disclosure (discussed above) undermines any expectation of privacy plaintiffs had in their use of the service. This ends the court's discussion.

Computer Fraud and Abuse Act Claims: Although the court rejects plaintiffs ECPA claim, the court allows plaintiffs' Computer Fraud and Abuse Claim to go forward. The court concludes (based on Bresnan's disclosures to its customers) that Bresnan's access of plaintiffs' computers had some authorization. Nevertheless, the court finds that Bresnan may have exceeded the authorization that was initially granted. The court bases this conclusion on the fact that the notices provided by Bresnan did not clearly apprise plaintiffs that "their computer settings were to be actively altered or tampered with by Bresnan." The court concludes that for purposes of surviving a motion to dismiss, plaintiffs have sufficiently alleged that:

Bresnan's act of tampering with the security and privacy protocols exceeded any authorization that Plaintiffs may have given.

The court also addresses the jurisdictional damage requirement, under which a CFAA plaintiff must show that the unauthorized access caused $5,000+ in damages. The court notes that plaintiffs' allegations of emotional distress are not compensable, since only economic losses are recoverable under the CFAA. However, the court finds that plaintiffs satisfy the jurisdictional damage threshold since they allege they were "forced to mitigate Bresnan's invasive actions by expending time, money and resources to investigate and repair their personal computer's diminished performance."

Trespass to Chattels: Finally, the court allows plaintiffs' trespass to chattel claims to go forward. With respect to the trespass claim, the court says that the plaintiffs sufficiently alleged an interference with their chattel (their computers).
__

Venkat's Comments:

This is one of many privacy lawsuits that are percolating through the courts right now. I think this one differs qualitatively from many of the others in that here, there is an allegation of improper monitoring of the contents of the plaintiffs' communications. It's one thing to surreptitiously find out what websites someone has been visiting or leak someone's unique user ID. It's another thing entirely to read their email and the contents of what they access while browsing. This is an important distinction to keep in mind. I don't think you can necessarily extrapolate a tentative result in the other cases based on this result. Apart from the damages issue (discussed below) a key unknown in the pending cases is to what extent the information that is captured or disclosed are covered by the statutes in question.

I was somewhat surprised to see little or no discussion from the court on whether the policies were presented in a "leak proof" manner, or whether the disclosure satisfied FTC standards. Was there evidence that plaintiffs could not access the service without encountering the policy? (See Prof. Goldman's post on that topic: "Clickthrough Agreement With Acknowledgement Checkbox Enforced.")

The court's conclusion on the consent issue is also somewhat perplexing, in light of the exact same judge's earlier order denying Bresnan's request to compel arbitration, which you can access here. BNA recaps the decision denying Bresnan's request to subject the claims to arbitration as follows: "A mandatory arbitration clause in an internet service provider's terms of service—which was presented in capitalized text in the ninth paragraph of the unsigned document—was an inconspicuous part of a contract of adhesion and unenforceable under Montana law."

On the other hand, if plaintiffs conceded the consent/disclosure issue, then the court did not need to get into it. [What were the plaintiffs thinking, conceding this? If you are bringing this type of a lawsuit, you have to be able to put together enough allegations of no-consent to get past the motion to dismiss stage.]

At the end of the day, if consent is going to be the basis to defend against these types of privacy claims, defendants would be well advised to really be thorough in procuring this consent. In fact, I'm surprised that Bresnan - given that it is an IAP allegedly engaging in gray area practices - didn't just secure written consent at the time it first provided the service.

I'm also surprised at the court's conclusion on the Computer Fraud and Abuse Act damage issue, given its conclusion on the ECPA issue. If it was going to split hairs on the notice and consent (as it did with respect to the CFAA claims), it could have probably done so on the ECPA claims as well. Courts often keep in claims they may otherwise dismiss if they decided that some claims are going to survive. Also, some cases construe the CFAA narrowly as requiring damage to the protected computer (or an interruption in data). It's conceivable that plaintiffs could have suffered the requisite loss (which can be aggregated in the class action context), but the court's discussion of plaintiffs' allegations made the damage allegations seem awfully light. (Two posts from Nick Akerman look at some recent CFAA dismissals and discuss the restrictive approach taken by some courts with respect to the CFAA's jurisdictional damage requirement: "Dismissal of CFAA Claim for Lack of Jurisdiction" and "Why Two District Courts Dismissed Valid Computer Fraud and Abuse Claims for Lack of Jurisdiction.")

The dismissal of the ECPA claim as opposed to the CFAA claim could have some ramifications on the damages front. Statutory damages are available under the ECPA, but not under the CFAA. For what it's worth, there's conflicting authority on the issue of whether non-economic damages are recoverable under the CFAA. (See Garland-Sash v. Lewis, 348 Fed. Appx. 639 (2d Cir. 2009) (construing the phrase "compensatory damages" - which was added to a provision of the CFAA after the DoubleClick case came down - to include damages for pain, suffering, and other emotional harms").) Even if for some reason the court decides that plaintiffs are entitled to non-economic damages, it will be interesting to see how plaintiffs prove up these damages.

The trespass claim is a bonus claim, but again, the court doesn't dig in to the damage issue with respect to common law trespass. Although the court cites to California law, the court does not discuss damage or slowdown to the machine in question as articulated by the California Supreme Court in Intel v. Hamidi (an email bombardment case) or as interpreted by the Fourth Circuit in the Omega v. Mummagraphics case.

I'm not sure how much light this ruling will shed on the many pending privacy lawsuits that involve things like surreptitious tracking, sniffing, and leakage of personal information. Damages issues aside, the ruling may highlight the importance of choice, consent, and the requirement that any disclosures or disclaimers be conspicuous, all issues the FTC seems to frequently opine on and issue reports about.

(h/t Wendy Davis)
__

Eric's Comments:

As Venkat notes, this ruling is an inconsistent mix of formalism and realism. In light of the judge's ruling last month that Bresnan made inadequate disclosures to uphold an arbitration clause, it's odd for the judge to now find that Bresnan made adequate disclosures to wipe away the ECPA and privacy invasion claims via dense/buried EULA language plus an opt-out notice; while that same consent wasn't good enough to wipe away the CFAA and Trespass to Chattels claim. The CFAA ruling on damages was also oddly formalist given the consent ruling. I respect formalist judges for being careful and methodical, but it would have been nice if this judge had been a little more aggressive about calling a spade a spade.

I am not a fan of deep packet inspection (DPI) by IAPs done on anything but an opt-in basis. We're basically back to the old battles about unwanted adware/spyware getting onto users' hard drives as part of some bundle. Sure, the adware vendors could claim user consent through a formalist reading of the contracts, but there wasn't true consumer consent, and we all knew it. I'm reminded a little of the FTC's bust of Sears for its trackware installations--Sears paid people for the installation, but the software did things far beyond anything users might have expected, even though these attributes were putatively explained deep in the EULA. If you're an IAP trying to implement DPI on an opt-out basis, bonne chance, and don't expect a lot of friends to rally around your cause.

At the same time, I'll be interested to see if the plaintiffs can marshal any true evidence of harm. If the plaintiffs are advancing a recycled version of the old, tired and completely laughable arguments that installing cookies on a user's computer creates cognizable harm, I hope this judge will quickly give them the boot they deserve. In that respect, I'm disappointed the judge didn't more aggressively police the trespass to chattels claim on the harm requirement per Hamidi. Personally, I think these plaintiffs should have been forced to put-up-or-shut-up on the harm issue early. Then again, this case came out the day before the Ninth Circuit's recent Starbucks case, but perhaps it's consistent with it.

Overall, this ruling is just another small data point in a much larger struggle over targetable consumer data. My Coasean Analysis of Marketing article doesn't directly address DPI by IAPs, but the article tells the story of how different intermediaries are fighting with each other to capture better datasets of targetable consumer behavior. After the flameout of the early 2000s model of adware, IAPs are trying to squeeze into the middle by using their more favorable position (compared to websites) to see more complete consumer data. Similarly, Facebook is trying to use tools like Beacon nee Instant Personalization to sweep up targetable consumer data from throughout the web, not just the smaller dataset it can capture at facebook.com. Meanwhile, Google is trying to move onto the desktop (the toolbar, Desktop, Chrome and its various OSes) to let it get closer to the honeypot of consumer data residing there, rather than just rely on the data it can get at google.com properties. Adware circa 2005 may be dead, but battles between different intermediaries fighting to get the good stuff is a perennial. For more, see my posts Adware is Dead and Relevancy Trumps Creepiness.

Posted by Venkat at 09:00 AM | Derivative Liability , Licensing/Contracts , Privacy/Security , Publicity/Privacy Rights , Spam , Trespass to Chattels

December 17, 2010

Domain Name Privacy Protection Services Not Liable for Failure to Disclose Identity of Alleged Spammer -- Balsam v. Tucows

[Post by Venkat]

Balsam v. Tucows, No. 09-17625 (9th Cir.; Dec. 16, 2010)

Prolific spam litigant Dan Balsam sued the registrant of [adultactioncam.com] under California's spam statute for allegedly sending Balsam thousands of pieces of spam. Balsam obtained a default judgment in the amount of $1,125,000 (!) against Angeles Technology, Inc., who was listed as the registrant of [adultactioncam.com]. Balsam was ultimately unable to recover against Angeles and then sued Tucows. His beef with Tucows was that Tucows refused to turn over the identity of the registrant of [adultactioncam.com] (when he conducted his initial search, apparently, Angeles was the registrant, but at some point later, Angeles opted into Tucows' privacy protection services). He demanded that Tucows disclose the identity of the registrant "or pay the default judgment." Tucows predictably refused, and Balsam sued, trying to hold Tucows liable. I should note that the court's description of the facts is much better than mine, although it's somewhat charitable to Balsam. The court concludes its recitation of facts by saying that "[a]lthough [Balsam's] approach is novel and creative, it cannot survive a motion to dismiss."

Balsam's main argument is that Tucows as the registrar is bound by the ICANN registrar accreditation agreement, which contains the following provision (Sec. 3.7.7.3):

A Registered Name Holder licensing use of a Registered [domain] Name . . . shall accept liability for harm caused by wrongful use of the Registered Name, unless it promptly disclosed the identity of the licensee to a party providing the Registered Name Holder reasonable evidence of actionable harm.

As the court notes, Balsam's claim against Tucows depends on his status as a third party beneficiary to the RAA agreement between ICANN and Tucows. The court concludes that Balsam is not a third party beneficiary because among other things, the agreement contains an explicit "no third party beneficiary clause," and because the agreement itself does not contain terms applicable to ICANN or any registrar - it merely provides that a a registrar must include certain terms (including this one) in its domain name registration agreements. Balsam responded that the "no third party beneficiary" clause does not relieve Tucows of its obligation as a registrant (which it or one of its affiliated entities is in name when it provides privacy protection services) but the court rejects this argument as well. Tucows entered into the agreement as a registrar, and didn't agree to bind itself as a registrant.
__

Balsam has an uphill battle arguing that the RAA creates third party rights. See Register.com v. Verio, 356 F.3d 393 (2d Cir. 2004.) (Interestingly, Register v. Verio dealt with the use of WHOIS information where Verio sent unsolicited emails to Register registered domain names advertising Verio's services.) However, more relevant to the court's discussion is a recent case involving proxy registration services - Solid Host v. NameCheap - where the court found that NameCheap could be held liable for contributory cybersquatting based on the actions of the registrant-in-fact. Here's Prof. Goldman's post on the muddled ruling in that case: "Contributory Cybersquatting and the Impending Demise of Domain Name Proxy Services?--Solid Host v. NameCheap." As he mentions in that post, it's important to be clear about who is the registrar and registrant (and in what capacity a particular entity is acting when it's providing services). He raises the issue of whether registrars will shy away from providing privacy protection services. I don't know the answer to that, and although it may be early to assess the fallout (if any) of the NameCheap case, this case seems to indicate that proxy registrars don't roll over and readily disclose registrant information absent a court order.

In any event, I don't think Balsam had a strong argument here since Angeles's utilization of the privacy protection services did not contribute in any way to the alleged harm. Although the facts aren't crystal clear, it seemed like Balsam obtained a judgment (after having determined that Angeles was the registrant) and only then did Angeles opt in to the privacy protection feature. The damage (if any) was done by the time the privacy protection feature entered into the picture. Additionally, as the district court's order notes, the Angeles lawsuit was pending at the time Tucows declined to reveal the underlying registration info - Balsam had an obvious solution (which he failed to take advantage of). He could have issued a subpoena seeking the registrant information and could have easily obtained it. There may be some set of facts under which a refusal to reveal the registrant information could support a claim, but those facts were not present here.

This also raises the issue of the appropriate response from a company who provides private registration services. The registrars have an interest in not freely disclosing registrant information absent a court order, but NameCheap suggests that in some cases, a failure to disclose may result in liability to the provider of privacy protection services. (NameCheap raised the issue of whether the registrar was acting in its capacity as registrar or in another capacity - in its capacity as registrar, it may be able to take advantage of an ACPA safe harbor. As I mentioned in my previous post about this case, Tucows may have been able to take advantage of a Section 230 defense, although ultimately it didn't end up needing to invoke the protections of Section 230, given the court's ruling.) This case indicates that courts are reluctant to freely impose liability on a registrar who provides proxy registration services, which isn't necessarily a bad thing from the standpoint of protecting registrant anonymity and privacy. A finding of possible liability in this case could have resulted in registrars getting more nervous when they receive requests for the identity of the underlying registrant.

"Contributory Cybersquatting and the Impending Demise of Domain Name Proxy Services?--Solid Host v. NameCheap"

"Plaintiff Wins $7,000 Following Bench Trial on Claims Under California Anti-Spam Statute -- Balsam v. Trancos"

Posted by Venkat at 09:29 AM | Derivative Liability , Domain Names , Privacy/Security , Spam

November 27, 2010

Junk Fax Claim Fails Due to "Established Business Relationship" Exception -- Cardinal Partners v. Fernandez Discipline

[Post by Venkat]

Cardinal Partners, Ltd. v. Fernandez Discipline, LLC, Case No. L-10-1180 (Ohio Ct. App.; Nov. 19, 2010)

Background: Toledo chiropractor Dr. William J. Houttekier II shared a fax number with Cardinal Partners (they both apparently had the same fax number). Houttekier received a fax (advertising an upcoming two day marketing seminar) sent by Fernandez Discipline, a marketing consulting firm. [It's interesting to see marketing consultants advertise their services via communications that turn out to be unwelcome. I would think this does not engender much trust in the consulting services, but that's neither here nor there.] Houttekier threatened suit but offered to settle for $3,000. The parties did not settle, and ultimately Cardinal Partners (not Houttekier) filed a class action lawsuit alleging junk fax violations.

The procedural details are murky, but it appears the trial court dismissed (or denied certification of) the class action, and Cardinal Partners appealed. While the appeal was pending, the parties both moved for summary judgment. Cardinal Partners voluntarily dismissed its appeal, and the case moved forward on an individual basis in the trial court. The trial court granted summary judgment in favor of Fernandez Discipline, on the basis that Fernandez Discipline had an established business relationship with Houttekier, who "co-used the telephone number at which [the fax to Cardinal Partners] was received."

Discussion:

Was the "established business relationship exception" defense available?: The first question was whether the "established business relationship" was available as a defense to the fax at issue. The court looks at the TCPA (enacted in 1991), as amended by the Junk Fax Prevention Act (enacted in 2005), and concludes that although it was unclear as to whether the TCPA (as implemented by the FCC regulations) provided for an "established business relationship" exception to faxes, the enactment of the Junk Fax Prevention Act cleared this up, and since the fax at issue was sent after enactment of the Junk Fax Prevention Act, the exception was available.

Did Fernandez Discipline put forth sufficient evidence to demonstrate that it was entitled to the "established business relationship" exception?: In support of its motion for summary judgment, Fernandez Disciple submitted pages from an online directory which showed that Houttekier and Cardinal Partners shared the same telephone number. This evidence was uncontested. Although there were hearsay problems with the remainder of the evidence submitted by Fernandez Discipline, the court concluded that there was enough competent evidence to show that Fernandez Discipline had an "established business relationship" with Houttekier (who had attended several Fernandez Discipline seminars). Based on this, the court affirms the trial court's dismissal of the claims.
__

The case raises two questions, which the court does not really dig into. First, who has the cause of action when people share a telephone number? Presumably, the person or entity who the number was assigned to (in this case Cardinal Partners) does. Second, if two people share a number, does consent from (or a business relationship with) one undermine a cause of action for the other?

Posted by Venkat at 09:52 AM | Marketing , Spam

November 15, 2010

Melaleuca Files Second Lawsuit Following Dismissal of its CAN-SPAM Claims

[Post by Venkat]

Melaleuca v. Hansen, Case 1:10-cv-00553 EJL (D.Idaho) (Nov. 10, 2010)

I recently blogged about the dismissal of a CAN-SPAM case by a federal district court in Idaho. The district judge adopted the magistrate judge's recommendation, and dismissed the CAN-SPAM claims for lack of standing, a belated assignment of claims, and a finding of no "adverse effect." The dismissal was without prejudice and the plaintiff appealed the order dismissing the case. ("Another Federal Court Dismisses CAN-SPAM Claims Due to Lack of Standing - Melaleuca, Inc. v. Hansen.") I expressed surprise that Melaleuca decided to appeal the order dismissing its case.

Not only is Melaleuca appealing the case, it filed a second complaint which appears to be based on the same underlying conduct. You have to just shake your head when companies do stuff like this. One the one hand, it's trying to remedy the deficiency that got it kicked out in the first place, but on the other hand, you have to wonder if the company is throwing resources at a dispute where the recovery may well eclipse any potential recovery.

In any event, Melaleuca is definitely in a disadvantageous position, procedurally speaking. The Ninth Circuit may decide that the dismissal should have been with prejudice, or that Melaleuca is estopped from arguing certain facts. The district court may stay the case, pending resolution of the Ninth Circuit appeal. The district court may impose a bond requirement. Melaleuca may be bringing claims that are now barred by the statute of limitations. Finally, in the unlikely event that the merits of the case ever see the light of day, IP Applications' claims may not turn out to be viable either. Of course, all of this presupposes that CAN-SPAM claims are assignable, which is an open question.

Aggressive litigation tactics are one thing, but this has potential to backfire.

Previous posts:

"Idaho District Court Dismisses CAN-SPAM Claims Due to Non-ISP Status -- Melaleuca, Inc. v. Hansen"
"Another Federal Court Dismisses CAN-SPAM Claims Due to Lack of Standing - Melaleuca, Inc. v. Hansen"

Posted by Venkat at 09:15 PM | Spam

Holomaxx Sues Yahoo, Microsoft, and Others for Non-Delivery of Bulk Emails

[Post by Venkat]

Holomaxx Technologies v. Yahoo!, Inc. and IronPort Systems, LLC, Case No. CV10-4926 (N.D. Cal.) [Scribd]

Holomaxx Technologies v. Microsoft Corp. and Return Path, Inc., Case No. CV10-4924 (N.D. Cal.) [Justia Page]

In what may fit under the dictionary definition of chutzpah, Holomaxx, a (CAN-SPAM-compliant) bulk emailer, sued Yahoo, Cisco (IronPort), Microsoft, and Return Path (in two different lawsuits) for failing to deliver emails sent by Holomaxx. Microsoft and Yahoo are sued for refusing to transmit the emails, and IronPort and Return Path are sued for improperly flagging Holomaxx as a spammer. Holomaxx also alleges that the defendants improperly intercepted and disclosed the emails in the course of their filtering activities.

Holomaxx alleges that it has been sending emails (in bulk) for about ten years, and it sends approximately ten million emails a day on behalf of its clients. It "requires that its clients acquire their list subscribers in accordance with the CAN-SPAM Act . . . which provides federal standards for commercial email." The complaints state that the emails sent out by Holomaxx are all compliant with CAN-SPAM and don't have the characteristics of spam: (1) the emails contain accurate transmission and header information, (2) the emails are sent through a relatively small block of IP addresses, (3) the emails contain opt-out links and allow for unsubscribing through one click, and (4) the emails contain accurate subject lines and include the physical postal address for Holomaxx or its clients.

Holomaxx alleges that the ISPs (Yahoo and Microsoft) are interested in "lowering costs at the expense of commercial . . . speech and internet communications." Holomaxx alleges that the ISPs rely on faulty spam filters which flag emails as spam "without reference to whether the email in question actually violates the CAN-SPAM Act." Holomaxx further alleges that Ironport and Return Path improperly intercepted emails transmitted through the ISPs and also improperly assigned Holomaxx low "sender reputation scores" - i.e., labeled Holomaxx as a likely spammer. Finally, the complaint alleges that the ISPs have improperly forwarded emails sent through the ISPs to IronPort and Return Path.

As a result of defendants' conduct, Holomaxx claims that its reputation has suffered, its business relationships have been disrupted, and it has lost revenues. Holomaxx asserts claims under the Wiretap Act, the Stored Communications Act, the Computer Fraud and Abuse Act, the California Wiretapping statute, and California's unfair competition law. It also asserts claims for defamation, and interference with contractual relationships. Holomaxx seeks a broad array of relief against defendants, including injunctive relief, and interestingly, disclosure of "the grounds for blocking Holomaxx's emails."

It's always tough to evaluate claims based on the complaint, but at least a chunk of Holomaxx's claims will likely face an uphill battle.

The Filtering Decision: As some who have been watching this case note, being compliant with CAN-SPAM does not mean that you have some right to force an ISP to transmit your emails. The CAN-SPAM Act states:

Nothing in this chapter shall be construed to have any effect on the lawfulness or unlawfulness, under any other provision of law, of the adoption, implementation, or enforcement by a provider of Internet access service of a policy of declining to transmit, route, relay, handle, or store certain types of electronic mail messages.

Additionally, section Section 230(c)(2) immunizes intermediaries for their good faith decisions to filter unwanted content:

No provider ... of an interactive computer service shall be held liable on account of -- (A) any action voluntarily taken in good faith to restrict access to or availability of material that the provider or user considers to be . . . objectionable, whether or not such material is constitutionally protected . . . [emphasis added]

In e360Insight v. Comcast, where e360 sued Comcast for filtering emails, the court held that section 230(c)(2) insulated Comcast, as long as Comcast's decisions were undertaken in good faith:

a mistaken choice to block, if made in good faith, cannot be the basis for liability under federal or state law. To force a provider like Comcast to litigate the question of whether what it blocked was or was not spam would render § 230(c)(2) nearly meaningless.

The Assignment of Low "Sender Reputation Scores": The claim that the assignment of low "sender reputation" scores to Holomaxx defamed Holomaxx is similarly tough. This activity may also fall under section 230(c)(2), and one case (Pallorium v. Jared) held that publishing a database of IP addresses that others may use for purposes of creating a blocklist falls under Section 230(c)(2). (Here's Professor Goldman's post on Pallorium: "Anti-Spammer Wins 230 Defense--Pallorium v. Jared.") Even in the absence of Section 230, attacking an entity who assigns a "reputation score," could present a First Amendment problem. A suit against lawyer-rating service Avvo was dismissed on the basis that "Avvo's ratings, even if generated through automated algorithms, are opinions, not facts, and thus fully qualify for First Amendment protection." ("Avvo Wins Big in Ratings Lawsuit--Browne v. Avvo.") The sender reputation scores assigned by Return Path and IronPort could very well fall into same category as Avvo's ratings.

Improperly Intercepting, Forwarding, and Disclosing Contents of Emails: The set of claims around alleged forwarding, interception, and disclosure of the emails by the ISPs are somewhat tougher to evaluate. The federal statutes governing the interception and disclosure of emails contain exceptions for these activities when they are "a necessary incident to the rendition of [the ISP's] service or to the protection of the rights or property of the provider of that service" I didn't come across any cases that discuss whether spam-filtering falls under this exception. A policy paper from the Center for Democracy & Technology [pdf] seems to indicate that "the latter prong [referencing the rights or property of the ISP] covers anti-spam and anti-virus monitoring and filtering and various anti-fraud activities . . . " Instinctively, I would think that some basic filtering would not run afoul of these federal statutes. Still, a quick search did not reveal much case law on this point. The Computer Fraud and Abuse Act claims look like losers. Accessing emails sent by Holomaxx does not equate with accessing Holomaxx's "protected computers" (unless I'm missing something).

At any rate, Holomaxx's core claims face an uphill battle. Courts don't like to interfere with filtering decisions, and here Section 230(c)(2) should apply to the basic filtering decisions of the ISPs. As to whether a part of the complaint survives, we'll see.

Other coverage:

John Levine: "How Now to Get Your Email Delivered"
The Magill Report: "Email Marketer Sues Microsoft, Yahoo, Return Path, Cisco Ironport"
Al Iverson: "Holomaxx suing Microsoft, others" & "Holomaxx Link Roundup"
TechEye: "Holomaxx sues Microsoft over mass emailing ban"

Topically related posts:

"Internet Access Provider & Blocklist Publishers Denied 230(c)(2) Immunity for Anti-Spam Efforts"
"Anti-Spyware Company Protected by 47 USC 230(c)(2)--Zango v. Kaspersky"
"7Search Sues McAfee For Red Flagging It"

Posted by Venkat at 09:58 AM | Spam

November 07, 2010

Another Federal Court Dismisses CAN-SPAM Claims Due to Lack of Standing - Melaleuca, Inc. v. Hansen

[Post by Venkat]

Melaleuca, Inc. v. Hansen, No. CV 07-212-E-EJL-MHW (D. Idaho; Sept. 30, 2010)

I blogged in June about a CAN-SPAM case in the District of Idaho involving CAN-SPAM and state law claims asserted by Melaleuca, a "multi-level marketing company," against Daryl Hansen. Melaleuca is the registrant of "iglide.net" domain name. Melaleuca provided its "marketing executives" internet access and email services "through a third-party Internet service provider." Hansen allegedly sent emails to individuals at their "iglide.net" email addresses, and Melaleuca asserted CAN-SPAM and state law claims based on Hansen's conduct. The magistrate judge (citing Gordon v. Virtumundo) found that Melaleuca was not a bona fide ISP, and as a result, recommended dismissal of the CAN-SPAM claims, and recommended that the court decline to take jurisdiction over the state law claims.

Melaleuca objected to the magistrate judge's recommendation. The district judge overrules Melaleuca's objections, and finds that Melaleuca is not entitled to bring claims under CAN-SPAM because it is not a bona fide ISP. As the court finds:

Melaleuca provides email and internet access through a third party internet service provider, IP Applications. Melaleuca does not own or operate IP Applications. Melaleuca does not have access or control over the hardware that enables internet access to iglide.net customers. Melaleuca does not control the spam filters applied to emails by IP Applications.

As such, the court finds that Melaleuca does not fall within the limited class of plaintiffs who can bring claims under CAN-SPAM. Melaleuca argued that it had obtained an assignment of claims from IP Applications, but the court notes that this occurred "after [Melaleuca filed] its complaint and before [Melaleuca filed] its response." Since standing is determined at the time of filing, Melaleuca's attempt to create standing through the assignment fails. The court also finds that Melaleuca was not "adversely affected" by the emails at issue. While the court agrees with Melaleuca that "spam 'in general' increases the cost [Melaleuca] has to pay to its ISP," the court finds that "Melaleuca has not established any direct adverse affect or additional costs" due to the emails at issue. The court also rejects Melaleuca's speculation that it somehow lost "goodwill" based on the six complaints it received due to the emails at issue.

Surprisingly, the court dismisses the CAN-SPAM claims without prejudice. I may be missing something, but as the court notes, although Hansen filed a motion to dismiss, the magistrate judge converted the motion into a motion for summary judgment and properly considered the motion under summary judgment standards. The court's determination on the no "adverse effect" issue should be conclusive, and Melaleuca should not get another shot at asserting these claims (and neither should IP Applications, since it assigned the claims to Melaleuca).

Even more surprisingly, Melaleuca is appealing this decision. I can't see the Ninth Circuit viewing this appeal with much favor. Additionally, as I mentioned in my previous post on this case, Melaleuca may have to deal with an adverse fee award, since Hansen (as the prevailing party) may be entitled to fees under CAN-SPAM.

Added: John Levine comments on this ruling at CircleID ("Yet Another Unfortunate CAN SPAM Case"). John notes an interesting quote from the court's order:

[T]he harm must be both real and of the type experienced by ISPs. While the harm need not be significant in the sense that it is grave or serious, the harm must be of significant to a bona fide IAS provider, something beyond the mere annoyance of spam and greater than the negligible burdens typically borne by an IAS provider in the ordinary course of business.

While John concludes that the judge here correctly followed the law, he finds that Ninth Circuit precedent is really the problem: "[the] unfortunate fact is that if you want to have any hope of winning a CAN SPAM case, don't file it on the west coast." I'm not so sure about this. This case is one of many (many) examples of CAN-SPAM plaintiffs going to court with flimsy damage arguments. While the line quoted by John hints at an evidentiary problem that a real CAN-SPAM plaintiff could face, the evidence in this case was clear that Melaleuca did not offer any internet access services. It contracted with a third party to do so, and then tried to assert the third party's claims relying on a belated assignment of claims. Courts have sniffed out these attempts to "create damages" time and time again. Also, it's worth noting that the seminal appeals court precedent that was unfavorable to CAN-SPAM plaintiffs came from the Fourth Circuit (in Mummagraphics), and not the Ninth Circuit. (See "Fourth Circuit Rejects Anti-Spam Lawsuit--Omega World Travel v. Mummagraphics.")

Previous post: "Idaho District Court Dismisses CAN-SPAM Claims Due to Non-ISP Status -- Melaleuca, Inc. v. Hansen."

Posted by Venkat at 09:01 PM | Spam

November 04, 2010

Spam Filter Excuse for Missing a Deadline Flies in the Northern District of Illinois -- Pace et al. vs. AIG

[Post by Venkat]

Pace et al. vs. AIG, 8 C 945 (N.D. Ill.; Nov. 1, 2010)

As the court notes in this case, 'I missed a deadline because I did not receive electronic notice of a filing' is becoming the "modern [lawyer's] version of the classic 'my dog ate my homework' line."

The court granted AIG's motion for summary judgment on March 30, 2010. The notice of appeal would have been due on April 29, 2010. After the due date, on May 27, 2010, Appellants moved for an extension of the deadline to file a notice of appeal. Initially, they argued that they never received a copy of the court's March 30, 2010 order, but they wisely changed course and blamed it on their overzealous spam filter.

Ultimately, the court grants the motion and extends the deadline, even though six lawyers were listed as counsel on the case, and a local rule requires local counsel to be responsible for receiving notices and notifying "the designating attorney of their receipt and contents." In the process of granting the extension, the court beats up on counsel for appellants, noting that "[t]here can be no doubt that Appellants are guilty of neglect in this case . . . " The court runs through the numerous other cases where courts have rejected the spam filter excuse, but finds that in many of those cases, the failure to act on an e-filed document was part of an overall pattern of lack of diligence or lack of credibility on the part of the lawyer who offered this excuse:

in the cases where courts have held attorneys accountable for failing to monitor the docket, the attorneys' neglect far surpasses the neglect conceded in this case. Unlike here, the cases cited by AIG involve situations where an attorney's malfunctioning e-mail is just one example of the attorney's overall lack of diligence. See Fox v. American Airlines, Inc., 389 F.3d 1291, 1295, 363 U.S. App. D.C. 459 (D.C. Cir. 2004) (affirming denial of plaintiffs' Rule 59(e) motion to vacate dismissal of amended complaint where counsel claimed that he never received electronic notice of defendant's second motion to dismiss even though his later filing repeatedly referred to a pending motion to dismiss and his failure to receive a timely answer to the amended complaint should have aroused his suspicion and prompted him to check the docket); Tobin v. Granite Gaming Group II, LLC, No. 2:07-CV-577-BES-PAL, 2008 U.S. Dist. LEXIS 20906, 2008 WL 723337 (D. Nev. Mar. 17, 2008) (discounting counsel's spam filter excuse where she repeatedly failed to comply with court orders, discovery obligations, and federal and local rules and routinely failed to appear in court); In re Philbert, 340 Br. 886, 891 (Bkrtcy. N.D. Ind. 2006) (rejecting spam filter excuse where counsel failed to show up for hearing on his motion to stay because "counsel knew he was initiating proceedings that had to be dealt with expeditiously," selected the deadlines for objections to his motion, and should have expected imminent activity in the case). Additionally, in some of the cases cited by AIG, courts rejected excuses like Appellants out of disbelief. See Moore v. U.S., No. S 04-0423 FCD JFM, 2005 WL 1984745, at *3 (E.D. Cal. Aug. 17, 2005), rev'd, 262 Fed.Appx. 828 (7th Cir. 2008) (rejecting counsel's spam filter excuse where "serious questions cast doubt on his explanation" and the court of appeals later found that counsel's overall non-responsiveness amounted to gross negligence); Tobin, 2008 U.S. Dist. LEXIS 20906, 2008 WL 723337, at *10 ("Even if the Court were to accept this explanation regarding the spam filter, which it does not, Plaintiff's counsel was clearly on notice that motions were pending before this Court . . ."). Unlike these cases, the Court has no reason to doubt the veracity of counsel's explanation here, which is supported by an affidavit and evidence from his firm's information technology manager.

Posted by Venkat at 12:43 PM | Spam

October 22, 2010

Former Employee's 'Email Barrage' Does Not Support CAN-SPAM or Computer Fraud and Abuse Act Claims -- Nyack Hosp. v. Moran

[Post by Venkat]

Nyack Hosp. v. Moran, 08 Civ. 11112 (SCR)(PED) (S.D.N.Y.; Oct. 20, 2010)

Moran was employed by Nyack Hospital. When the employment relationship ended he:

sent [an unspecified number of] e-mails, including a 17-page attachment, to over "100 . . . senior managers and employees [at the Hospital]" and others and misrepresented the source of the e-mails as David Freed, the president of the Hospital. The e-mails, as characterized by [the Hospital] "leaked certain aspects of an internal confidential employee survey, defamed the Hospital's reputation and the reputations of several Hospital employees . . . and urged the . . . recipients to report the alleged wrongdoings to the Hospital's Board of Trustees and the Rockland Journal News."

The Hospital sued Moran under CAN-SPAM and the Computer Fraud and Abuse Act. Moran, acting pro se, defeated the claims.

CAN-SPAM claims: The Hospital alleged that Moran violated the subject line and header information prongs of CAN-SPAM. The court concludes that because the emails were not "commercial electronic mail messages," there could be no subject line violation. With respect to the header information prong, there could be no violation unless the messages are found to be "commercial email messages" or "transactional or relationship messages." Having already concluded that the messages were not commercial in nature, the court analyzes whether the messages were "transactional or relationship messages." The Hospital made the flimsy argument that the messages were transactional or relationship messages because the messages "provide[d] information directly related to an employment relationship." The court rejects this argument, noting that the "transactional or relationship messages" were intended by the statute to be a sub-category of commercial email messages (with respect to which CAN-SPAM relaxes certain requirements). Of course, even assuming that the messages were commercial in nature, the Hospital would have had a tough time showing that it suffered any "adverse effects," a point which the court alludes to in a footnote (citing Virtumundo).

Computer Fraud and Abuse Act Claim: The Hospital alleged that Moran violated the CFAA by "transmitting information" to a protected computer and as a result of such transmission intentionally causing damage. While pre-CAN SPAM cases (e.g., AOL v. National Health Care Discount, Inc.) grappled with the issue of whether the CFAA was ever intended to cover spam, the court easily rejects the Hospital's claim on the basis that the Hospital did not allege Moran's emails caused any damage to the Hospital's computer system. In the process, the court cites to Czech v. Wall Street on Demand, a case which rejected CFAA claims based on unsolicited text messages.

The Hospital here took Moran's acts and tried to shoehorn them into CAN-SPAM and the Computer Fraud and Abuse Act. In the process, it made some arguments that were pretty far out in left field.

Claims around advocacy through email bombardment haven't fared well, absent some showing that the emails caused damage on the receiving end. Intel v. Hamidi was an email bombardment case involving a former employee where the court rejected trespass claims for failure to show damage. Intel brought common law claims, and this case is a good indicator of how CAN-SPAM and CFAA claims would have fared had Intel brought them. I recently blogged about Pulte Homes, Inc. v. LiUNA, where the court held that a union's email campaign on behalf of former employees did not violate the Computer Fraud and Abuse Act. ("Web-based Email Bombardment Campaign Does Not Amount to a Violation of the Computer Fraud and Abuse Act.") Also, as mentioned in the post about Pulte Homes, the Seventh Circuit recently vacated the district court's contempt order based on emails sent by supporters of Kevin Trudeau. ("Seventh Circuit Vacates Contempt for E-Mail Barrage.")

I didn't think the issue of whether the emails were commercial in nature was a close question. The emails were not reproduced by the court in its order, but the emails were cloaked in whistleblower language (I wondered whether an anti-SLAPP motion was a possibility). For a loosely related case on this issue (that looks at whether a [ghostwritten] attorney newsletter is an ad) see Holtzman v. Turza ("Ghostwritten Attorney Newsletter is an "Ad" for TCPA Junk Fax Law Purposes").

At the end of the day, this seemed like a garden variety employment dispute that didn't really implicate laws which cover spam or hacking. Maybe the Hospital brought the CAN-SPAM and CFAA claims in an attempt to preempt any claims which Moran had threatened to raise? It's possible that the Hospital succeeded in achieving its ultimate purpose, although it suffered a smackdown in the process.

Posted by Venkat at 12:05 AM | Spam , Trespass to Chattels

October 12, 2010

Sending Politically Charged Emails Does Not Support Disturbing the Peace Conviction -- State v. Drahota

[Post by Venkat]

State v. Drahota, 280 Neb. 627 (Sept. 24, 2010) [pdf]

Background: Drahota was a student at the University of Nebraska who corresponded via email with his political science professor Avery. According to the opinion, they "shared a passion for politics," although they apparently resided on different ends of the political spectrum.

Drahota traded 18 emails with Avery on topics ranging from "terrorism, the Bush presidency, and the Clinton impeachment." Predictably, at some point, their email exchange went south:

In early February 2006, the exchange came to a head. Drahota sent Avery a lengthy e-mail suggesting that indiscriminately massacring those living in the Middle East would save American lives after first suggesting that Democrats, including Avery, were full of hate.

Avery responded:

I am tired of this shit. You have accused me of being anti-American, unpatriotic, and having a mental disorder, among other things. I find this offensive and I will not engage in anymore of this with you. I served my country in uniform honorably for four years. How many have you served? Since you are so pure, so pro-American, so absolutely correct, and wonderfully patriotic, I suggest you sign-up for duty in Iraq right away and put all your claims to the test. But, of course, you will not do that. You, Michael Savage, and the “Chicken Hawks” in the Bush Administration don’t have the guts!!

Of course, Drahota felt compelled to retort:

Fuck you! You don’t know me one bit. You are a liberal American coward. If it were up to you, you would imprison Bush before bin Laden because you have such a fascination with it. I am tired of your brainwashing students who are in the process of molding their minds. I spent 18 months in Pensacola Florida before I was honorably discharged for a neck injury. You can go fuck yourself if you are going to get that way. I’d kick your ass had you said that right in front of me, but YOU don’t have the guts to say that. If you think you do, just try me. You have done nothing for this country, but bad things in recent years. Once again, if you have the courage to say that to my face, I’ll let you do it, but don’t you EVER talk anything about the military with me. We call you people turncoats and I’ll be dammed if I’m going to take that kind of disrespect from someone who is so clueless as to my military background. As long as we’re on the topic, how many years did your hero Clinton serve? You contradict yourself so much that I want to puke. Your website is also a farce. You lie so much and don’t show the true you. I guess, you’re a politician. You’ve really pissed me off.

Drahota later apologized. Apparently, he didn't get back into good graces with Avery, who asked Drahota to not contact him again. In June, Drahota sent Avery two other emails. He sent the emails from averylovesalqueda@yahoo.com. The first email asked whether Avery was sad that Al-Zarqawi was killed in Iraq, and the second email (with the subject line that said "traitor") informed Avery that a friend of Drahota thought Avery was a "Benedict Arnold," in light of Avery's support for Michael Moore, the ACLU, and John Murtha. The closing sentence of this email said that "Libs like [Avery] are the lowest form of life on this planet."

Upon receiving these emails, Avery contacted the police department, who traced the emails to the house of a woman with whom Drahota was living. When confronted with this fact, Drahota admitted to sending the emails. He was charged with disturbing the peace, and fined $250.

The Court's Decision: The Nebraska Supreme Court held that Drahota could not be convicted of breach of the peace for sending the emails, on the basis that regardless of whether the words inflicted emotional injury, the proper test was whether the words would tend to provoke an immediate violent reaction. Here, the court held that the emails would not tend to provoke such a reaction, because the parties were engaged in an "ongoing political debate," in the context of which, both parties had made "provocative statements." The court also noted that at the time of the emails, in addition to being a teacher, Avery was also running for office, which brought Drahota's emails into the realm of political speech. At the end of the day, the circumstances did not support a conclusion that the emails would have provoked an immediate violent reaction in Avery, because among other things, he did not even know who sent the emails or where to find the author.

The State belatedly raised another argument at oral argument (which it left out in its brief). It argued that Avery had the "right to be let alone" after he asked Drahota to stop emailing him, and since Drahota sent emails after Avery's request, regardless of the content, the emails constituted a breach of the peace. The court disagreed, and rejected the State's argument that Rowan v. Post Office Dept. supported its position. Rowan is a case from the 1970s which involved a federal statute that allowed a homeowner to request a vendor to remove his or her name from a mailing list if the homeowner found the material sent by the vendor to be sexually provocative. [Is there anyone out there would not support a statute like this that would let you ban mail order catalogs from your mail box?] The Supreme Court upheld this statute against a challenge brought by bulk mailers. The court in Drahota distinguished Rowan primarily on the basis that there was no Nebraska statute in place like the one at issue in Rowan. Further, the statute in Rowan merely allowed the government to enforce the homeowner's preference "and had no part in deciding what was objectionable." According to the court, in contrast to Rowan, in the present case, the decision of whether the communications were objectionable where left in the prosecutor's hands, who enjoyed the discretion to bring a prosecution for a breach of the peace. [Rowan also mentions the quasi-physical intrusion associated with receiving unwanted mail.]
__

As Professor Volokh - who represented Drahota - notes, the decision is not remarkable as a matter of First Amendment law ("Nebraska Supreme Court Decision on Offensive E-Mails"). One point that was interesting was the court's conclusion that the emails could not rise to the level of fighting words because the recipient in this case was far removed physically from the sender. The court says this is because Avery did not even know who sent the emails, but I'm guessing he figured this out pretty quickly. Some of the commenters at the Volokh Conspiracy raised the question of whether emails can ever constitute fighting words. I don't know the answer to this question, although some decisions hold (right or wrong) that repeated unwanted emails can result in liability for harassment. In answering the question, I think it's worth distinguishing harassment or stalking from a "breach of the peace," which is what Drahota was charged with here.

[Physical proximity seems to be a big factor in our views on whether electronic communications can constitute fighting words. However, we may want to keep in mind the story of the woman who supposedly traveled 200 miles to try to kill an internet commenter: "Woman Travels 200 Miles, With Gun in Hand, to Kill Mean Internet Commenter." No comment as to whether this is reasonable or typical.]

On a related note, I happened to listen to the oral argument in Snyder v. Phelps, the funeral picketing case. Some of the discussion focused on the posting of videos online. As Dahlia Lithwick notes in Slate:

Justice Stephen Breyer—who has had a good deal to say about the Internet and incitement and free speech and balancing tests in recent weeks—also wonders whether the interesting part of this case is the handful of signs at Matthew Snyder's funeral, which Albert Snyder never saw, or the television broadcasts and Internet postings that followed. And so he's off: "Do you think that a person can put anything on the Internet? Do you think they can put anything on television, even if it attacks, say, the most private things of a private individual?"

I haven't followed the case closely (other than in the news), so I can't say whether the Supreme Court will squarely address the issue of how the internet postings will figure into whether the funeral protesters can be held liable for their speech, but I thought it was worth noting that it came up during the argument.

Congrats to Professor Volokh, whose involvement in the case was, coincidentally, the result of an email.

Added: I forgot to mention the "Twitter joke trial" case from the UK, where Paul Chambers was convicted for "sending a menacing message over a public telecommunications system" based on the following tweet:

Crap! Robin Hood Airport is closed. You've got a week... otherwise I'm blowing the airport sky high!

He is appealing is conviction. You can check out details about the case at the "Jack of Kent" blog ("Why the Paul Chambers Case Matters") and at the New Statesman ("A brief guide to the Twitter Joke Trial").

Posted by Venkat at 10:36 AM | Content Regulation , Spam

September 26, 2010

New York Court Dismisses Putative Class Action Brought Under California Spam Statute -- Bank v. Hydra Group, LLC

[Post by Venkat]

Bank v.Hydra Group LLC, 10-CV-1770 (JG) (E.D.N.Y. Sept. 24, 2010)

Todd Bank brought a putative spam class action against Hydra Group. The court dismissed the lawsuit for lack of subject matter jurisdiction.

Bank alleged that he received three pieces of spam:

[the] subject lines all contained the phrase “ATTN: Your Auto Insurance Renewal Reminder,” but the bodies contained only advertisements for an auto insurance broker.

Claiming that his was one of a million pieces of spam sent out by defendant Hydra Group, Bank styles his lawsuit as a class action. (But see footnote 1 of the order, where Bank admits this number is based on his "'general knowledge' of the industry.") Hydra Group, which is headquartered in California, brought a motion to dismiss for lack of personal jurisdiction and for failure to state a claim. The court on its own motion raises the issue of subject matter jurisdiction, and dismisses the lawsuit for lack of subject matter jurisdiction.

Bank asserted the Class Action Fairness Act of 2005 (which requires the amount in controversy to exceed five million dollars) as the basis of subject matter jurisdiction. However, the statute he sued under had a cap of $1 million per “incident.” (Cal. Bus. & Prof. Code § 17529.5(b)(1)(B)(ii) (“A person or entity bringing an action . . . may recover . . . [l]iquidated damages of . . . up to one million dollars ($1,000,000) per incident.”).) The statute defines incident as “a single transmission or delivery to a single recipient or to multiple recipients of an unsolicited commercial e-mail advertisement containing substantially similar content.” Bank argued that the cap was a limit on the recovery per plaintiff and not an aggregate cap on a defendant's liability. The court disagreed:

First, if the liability-limiting provision is interpreted as Banks suggests it should be, it would rarely, if ever, limit a plaintiff’s recovery. A plaintiff would have to receive more than 1000 unsolicited messages of substantially similar content from the same defendant in a single transmission to trigger the provision. On the other hand, if the provision is read as a cap on a defendant’s per-incident liability, it would be triggered more frequently -- whenever a defendant sent more than a thousand messages of substantially similar content in a single transmission, whether the messages went to one recipient or many more.

Furthermore, the statute evinces an intent to limit a defendant’s liability even further if the defendant has made efforts to comply with it. In the case of a defendant that has “established and implemented, with due care, practices and procedures reasonably designed to effectively prevent unsolicited commercial e-mail advertisements that are in violation of this section,” the statute limits liquidated damages to $100,000 per incident. Id. § 17529.5(b)(2). This reduced cap would provide far less of a reward, and therefore far less of an incentive, for defendants to avoid sending spam if, instead of limiting a defendant’s total liability for each transmission, it merely limited the amount a defendant had to pay to each plaintiff. For this reason as well, the damages provision is best interpreted as a limit on total liability rather than individual recovery.

At first glance, this may seem like a harsh turn of events for a pro se plaintiff. However, Bank is far from the typical pro se plaintiff who is typically accorded some leeway by courts -- he is a lawyer. In a previous case, Bank (or someone who shares his name, including his middle initial) tried to assert a section 1983 claim in federal court based on a state court judge's denial of his request to wear jeans and a hat in court: "Lawyer Has No First Amendment Right to Wear Hat in Court, Federal Judge Decides."

Throwing out the dispute on subject matter (rather than personal jurisdiction) grounds, kicks the lawsuit out of the federal system. In the process, the court expresses some skepticism at Bank's claims for damages:

I have difficulty conceiving of a statutory provision, concededly intended to limit liability in at least some cases, that nevertheless fails to operate in this case -- thus permitting the recovery of $3 billion in damages for the receipt of misleadingly labeled insurance advertisements. The inartful drafting of the provision is no justification for such a bizarre result.

Added: In 2008, Bank suffered a loss in the Second Circuit, which affirmed the dismissal of his claims under the Telephone Consumer Protection Act: "2nd Circuit Rejects Lawsuit Over Unsolicited Fax Ads." (h/t @LearnedElbow)

Other cases involving subject line claims under California's spam statute:

Email Header Information Claim Preempted by CAN-SPAM, But Subject Line Claim Not Preempted -- Asis Internet Servs. v. Member Source Media, LLC

Reunion.com Revisited Again: Claims Under CA Spam Law Not Preempted by CAN-SPAM -- Hoang v. Reunion.com

Posted by Venkat at 10:21 AM | Spam

September 22, 2010

Reunion.com Back to District Court -- Hoang et al v. Reunion.com Inc

[Post by Venkat]

Hoang et al v. Reunion.com Inc., Case No. 08-cv-03518-MMC (N.D. Cal.)

Reunion.com is a spam case that's generated some blog fodder, to say the least: "CAN-Spam-a-Friend?--Hoang v. Reunion.com," "Reunion.com Revisited," and "Reunion.com Revisited Again: Claims Under CA Spam Law Not Preempted by CAN-SPAM." In the last round, the trial court reconsidered its prior orders and decided that the claims asserted by plaintiffs under California law were not preempted by CAN-SPAM.

Reunion sought to appeal this order. Denials of motions to dismiss are not typically appealable, but here Reunion sought and obtained an order from the district court certifying the court's most recent order (denying Reunion's motion to dismiss) for immediate appeal. Reunion then sought permission in the Ninth Circuit to have the appeal heard. The Ninth Circuit recently issued an order declining to hear the interlocutory appeal. This means that the case is now back in Judge Chesney's court. Judge Chesney also granted Reunion's request to stay discovery pending the appeal to the Ninth Circuit. As a result, the case is now just getting under way, a full two years after it was first filed! It's also worth mentioning that one of the two lawyers representing plaintiffs withdrew. I wouldn't read anything into this, but I only mention it because I mentioned this firm in a previous post, as having represented defendants in spam lawsuits (who happened to be on the plaintiffs' side in this case). [Correction: one of the lawyers working for one of the firms on the plaintiffs' side is no longer working on the case. I misread this and thought one of the firms withdrew. My mistake, and thanks for the heads up!]

Posted by Venkat at 12:01 PM | Spam

September 10, 2010

Veteran Spam Plaintiff Abandons Spam Lawsuit -- Asis Internet v. Subscriberbase

[Post by Venkat]

Asis Internet Servs. v. Subscriberbase, 2010 U.S. Dist. LEXIS 93518 (N.D. Cal. Sept. 8, 2010).

Asis is a veteran spam plaintiff, whose lawsuits have generated a fair amount of blog fodder. (See, for example, posts here, here, and here, discussing Asis lawsuits.) In May of this year, it suffered a bit of a setback when a federal court awarded approximately $800,000 in attorneys' fees against it: "CAN-SPAM Plaintiff Slammed With $800K Attorney Fee Award."

It had at least one spam lawsuit ongoing at the time, and it recently moved to dismiss its lawsuit against Subscriberbase with prejudice. The court granted the motion, but retained jurisdiction over the lawsuit, in case Subscriberbase (the defendant in this lawsuit) wanted to argue that Asis's litigation was "abusive." We'll see what happens in this case, but this certainly seems like the end of the road for Asis's litigation efforts. It acknowledged the $800,000 attorneys' fees award against it and argued that it "can no longer afford to prosecute the [lawsuit against Subscriberbase]," because the attorneys' fees award previously assessed against Asis "threatens to place Asis in either bankruptcy or corporate dissolution."

Another plaintiff (represented by the same lawyers) did not move to dismiss and presumably will continue to prosecute the case.

Posted by Venkat at 01:35 AM | Spam

August 24, 2010

Ghostwritten Attorney Newsletter is an "Ad" for TCPA Junk Fax Law Purposes--Holtzman v. Turza

By Eric Goldman

Holtzman v. Turza, 08 C 2014 (N.D. Ill. Aug. 3, 2010)

This case is a unremarkable straight-down-the-middle analysis of when editorial content becomes a regulated ad, which in turn makes it a remarkable case. Most editorial-content-as-ad cases have quirky hooks that undercut their broader applicability.

The defendant is an Illinois lawyer. The court says:

In August 2006, he hired Top of Mind Solutions, LLC ("Top of Mind") to create and distribute by fax and email one-page documents titled the "Daily Plan-It" to a list of persons supplied by defendant. Defendant's target list included a combination of contact information he purchased from the Illinois CPA Society and numbers he obtained from business contacts and students.

Top of Mind issued 41 versions of the Daily Plan-It on defendant's behalf, every two weeks, from August 2006 to March 2008. All 41 versions include a masthead with the words "The `Daily Plan-It'" in italicized, bolded, and underlined text. "Gregory P. Turza, JD" appears just below the masthead along with the date, volume and issue number of the document. Beneath this title, the page is divided into two columns that contain an editorial article offering advice about various topics. Each article runs the length of the left column of the page and concludes in the middle of the right column....

The content of each Daily Plan-It was created entirely by Steven Patrick Riley ("Riley"), Top of Mind's owner. Defendant did not contribute to the editorial content. At the end of each article, in the lower right corner, defendant's name is listed (in a font larger than any other type on the page, with the exception of "The `Daily Plan-It'"). He is identified as an attorney and counselor at law, and the words "estate planning," "post mortem administration," and "business succession planning" appear before his name. Each fax also includes two or three graphic images: defendant's business logo, a photo of the building in which defendant has his office, or a head shot of defendant. Also included are his business address, telephone and fax numbers, e-mail address, and website address. At the bottom of the fax the document repeats defendant's name and phone number. This "identifying information" occupies approximately 20 to 25 percent of total area of the fax.

Three things stand out from this recitation of facts:

* it was bad form to buy a list of fax numbers and start blasting fax messages every 2 weeks. I've repeatedly noted that I think the days of buying email lists are long dead. Buying fax lists strikes me as an even worse idea.

* it's interesting to think that a lawyer would rely upon a vendor to generate editorial copy that goes out under the lawyer's name. The facts don't indicate if Turza reviewed and approved the content before it went out. I don't use ghostwritten material; I usually even extensively rewrite co-authored material.

* while the content's marketing intent is clear and unmistakable, the newsletter's substance is also unambiguously editorial content however broadly or narrowly we conceive of it. The law doesn't handle editorial-content-as-marketing overlaps very well, unfortunately.

The court applies the FCC's interpretation that faxed editorial newsletters aren't regulated advertising so long as any advertising content in the newsletter is "incidental," which in turn depends on whether the ad is a "bona fide informational communication." As you can see, the quest for synonyms doesn't really advance the analysis; it just shows that if you don't know how to parse between ads and editorial content, synonym proliferation tries to mask that fact (unsuccessfully, I might add).

The court concludes that the newsletter is regulated advertising. The court appears to focus on the sender's intent: "the record is replete with evidence demonstrating that the primary purpose of defendant's agreement with Top of Mind was to generate awareness of defendant's services and build his client base." The court continues: "defendant has provided no facts to show that his genuine, primary motivation in paying Top of Mind to distribute the Daily Plan-It was to educate CPAs and his business contacts on various industry-related topics rather than to build brand recognition and solicit business referrals for his law practice."

To me, this suggests the case would have been much harder if the editorial content hadn't been ghostwritten because the newsletter's educative intent would be clearer. Nevertheless, the court's sender-payoff-oriented standard--"to generate awareness of defendant's services and build his client base"--is unworkable because those payoffs are exactly what most professional service providers seek every time they publish editorial content.

UPDATE: Carolyn Elefant has more to say about this case.

Posted by Eric at 03:30 PM | Marketing , Spam | TrackBack

July 26, 2010

Facebook's Anti-Spam Filter Blocks Legitimate Conversations about Power.com

By Eric Goldman

On Friday, Venkat and I posted about the latest ruling in Facebook v. Power.com. After Venkat or I make a blog post, I typically post the blog headline and URL to Twitter. I have enabled the app that makes my Twitter posts into my Facebook status reports as well, so the headline and URL on Twitter should automatically propagate to Facebook. On Friday, I tweeted the following:

"Blog Post: Important ruling on California's anti-computer trespass statute--Facebook v. Power.com http://bit.ly/bM7hQT"

However, I noticed that the Twitter-to-Facebook app didn't work properly and the headline didn't appear. So I tried to manually enter the headline and URL and got this message from Facebook:

"This message contains blocked content that has previously been flagged as abusive or spammy. Let us know if you think this is an error."

I do think that's an error, and I reported the problem through Facebook's automated reporting tool on Friday. Not surprisingly, I still haven't gotten a response to that. But I was baffled how my headline and URL could have been "flagged as abusive or spammy." Who flagged it? Why?

After a little more experimentation, I discovered that every instance of the character string "power.com" is blocked in Facebook. Therefore, every time I put "power.com" into my status reports or in comments to those status reports--even if it's the only content in the post/comment--I get the "blocked content" message. However, it's easily avoided; I can post "power . com" (notice the spaces before and after the period) just fine. Basically, Facebook is using a very dumb word filter.

I emailed my PR contacts at Facebook about this. They pointed to their anti-spam filter and this blog post from June. The blog post explains that "we've been working to improve our warnings and make them more clear" and that "people misunderstand one of these systems. They incorrectly believe that Facebook is restricting speech because we've blocked them from posting a specific link."

So this is where things have gone wrong. Facebook told me it has blocked Power.com because "we found that Power was spreading links to its pages in a way that violated our Statement of Rights and Responsibilities. For example, when a Power user accessed Facebook, Power would automatically create an event on Facebook (typically called 'Power.com Party' or something similar) without the person's knowledge or permission. It would then send invitations to all of the user's friends." Fair enough, and I'm glad Facebook is trying to keep its system safe for users.

However, Facebook's dumb word filter block means that every reference to "power.com," even if it's in plaintext and not linkable, is still treated as a link and therefore is blocked as well. The messaging then disparages the plaintext reference as "blocked content that has previously been flagged as abusive or spammy" when, in fact, a link to the URL, not the plaintext reference I made, has been flagged. So much for clearer error messages.

I pointed out to Facebook's spokespeople the difference between a plaintext reference to a company's name ("Power.com") and a spammy URL/link. Their response? "Spammers turning their malicious urls into plain text is the oldest trick in the book. Not blocking all of the variations of a bad URL leaves a gaping hole."

There is a kernel of truth to this, of course. A plaintext URL is not materially different from an active hypertext link--if the user chooses to cut-and-paste the link into the browser (or right-clicks on it, or whatever). However, Facebook's method of blocking spammy links by blacklisting every instance of the character string actually has the effect of blocking *every* discussion of a blacklisted company with the name [noun].[tld]. Because the main word in the name is a noun (e.g., "Power"), referencing the name without the TLD can lead to semantic ambiguity. However, the system prevents me from using the complete name (Power.com) because it can't distinguish between a link and a plaintext reference to a company's name that acts as a URL. I received a private email that another Facebook user encountered a similar block with the string seppukoo.com, the Facebook suicide tool.

In my case, the net consequence is that Facebook automatically blocks any conversations involving the string "power.com"--including my headline to my blog post--and provides an error message telling me that I am posting spammy/abusive content when I try to make the posting, which makes me feel like I did something wrong. With all of the bright engineers at Facebook, I bet they could figure out a way to more precisely tune the filter so that a plaintext reference to [noun].[tld] gets through while active links to that URL, or more fulsome plaintext URLs, remain blocked.

That is, assuming Facebook actually wants to enable Facebook users to talk about Power.com or Seppukoo.com or other enterprises that threaten the Facebook franchise. Frankly, I haven't seen much evidence of Facebook's interest in those conversations. In light of Power.com's antitrust challenges against Facebook, the fact that Facebook's system suppresses legitimate conversations about Power.com (whether it had a censorious intent or not) struck me as particularly noteworthy.

Posted by Eric at 10:33 AM | Content Regulation , Domain Names , Privacy/Security , Spam | TrackBack

July 02, 2010

Idaho District Court Dismisses CAN-SPAM Claims Due to Non-ISP Status -- Melaleuca, Inc. v. Hansen

[Post by Venkat]

Melaleuca, Inc. v. Hansen, Case No. CV 07-212-E-EJL-MHW (D.Id; June 29, 2010)

A federal magistrate judge in the District of Idaho dismissed spam claims brought by Melaleuca, Inc., in a (recommended) decision that's not particularly noteworthy, except for the fact that it's a carbon copy of Gordon v. Virtumundo.

Background: Hansen was an "independent marketing executive for a multi-level marketing company called ITV." Melaleuca was and is engaged in a similar business. Melaleuca "encourages its customers to become marketing executives by referring family and friends to Melaleuca to purchase its products and allowing them to earn commission on any orders made by the referred individuals." (Sounds Amway-like, from what little I know of Amway, but that's neither here nor there.) Hansen sent out emails while working for ITV inquiring as to whether the recipients "would be interested in hearing about a new business opportunity." Some of his emails were sent to Melaleuca marketing executives.

Melaleuca used an email service called "iglide.net," through which it provided email services to its customers. Melaleuca also used an ISP called "IP Applications," through which it provided internet access to its customers. It did not have control over (or even access to) the hardware that enabled the internet access. According to the court, Melaleuca was a customer of IP Applications and iglide.net, and simply made the services provided by these companies available to its customers.

Discussion: The court holds that Melaleuca did not fall under the definition of an "internet access provider," citing to the fact that Melaleuca did not play more than a "nominal role" in providing internet-related services. The court also finds that even if Melaleuca falls under this definition, it could not maintain claims under CAN-SPAM because it was not "adversely affected." In Virtumundo, the court noted that Congress intended private CAN-SPAM plaintiffs to be able to sue only when they suffer the type of harm that is "uniquely encountered by IAS providers." Typical consumer harm - such as calling technical support and having to undergo the inconvenience of deleting unsolicited emails - did not suffice. Melaleuca did not put forth evidence that it required hardware upgrades or even more bandwidth due to the emails at issue (or as a result of increased spam in general). No luck for Melaleuca.

Melaleuca argued that it obtained an assignment of claims from its ISP, but the court found that the assignment could not rescue Melaleuca's claims. The assignment occurred more than a year after the case was filed. (The precise nature of the relationship between Melaleuca and the ISP is unclear, but if nothing more, the assignment shows that they are friendly parties.)

The court declines to address Hansen's preemption arguments as to the state law claims, leaving those to be addressed in state court. While Melaleuca has another shot at its state law spam claims, it may have to contend with some sort of adverse fee award, which the court may well award to Hansen.

Posted by Venkat at 11:30 AM | Spam

June 21, 2010

Use of Multiple (Even Random or Garbled) Domain Names to Bypass Spam Filter Does not Violate Cal. Spam Statute -- Kleffman v. Vonage

[Post by Venkat]

Kleffman v. Vonage Holdings Corp., Case No. S169195 (Calif. Supreme Ct.; June 21, 2010)

The California Supreme Court issued its opinion in Kleffman v. Vonage, a case certified from the Ninth Circuit. The California Supreme Court held that the transmission of "commercial e-mail advertisements from multiple domain names for the purpose of bypassing spam filters" does not violate California's spam statute. Kleffman was a putative class action, and in bringing claims based on the transmission of accurate emails from multiple domain names, plaintiffs tried to stretch the bounds of California's spam statute to the limit. The California Supreme Court - citing preemption, among other considerations - rightly rejected the arguments brought by Kleffman.

Background: Kleffman sued in state court, alleging that the transmission of emails on behalf of Vonage through domain names such as 'superhugeterm.com,' 'formmycompanysite.com,' 'ursunrchcntr.com,' and 'urgrtquirks.com' violated section 17519.5(a)(2), a provision of California's spam statute which prohibits the use of "falsified, misrepresented, or forged header information." Vonage removed to federal court (in the Central District of California). The Central District dismissed the lawsuit without leave to amend, finding that Kleffman's failure to allege anything misleading about the emails doomed the claims, and the claims were preempted anyway. Kleffman appealed to the Ninth Circuit, which certified the following question to the California Supreme Court:

Does sending unsolicited commercial e-mail advertisements from multiple domain names for the purpose of bypassing spam filters constitute falsified, misrepresented, or forged header information under Cal. Bus. & Prof. Code § 17529.5(a)(2)?

Discussion: The court starts out the discussion by noting a fact that to me starts and ends the discussion:

There is . . . no dispute . . . that the domain names used to send Vonage's e-mail advertisements . . . actually exist and are technically accurate, literally correct, and fully traceable to Vonage's marketing agents.

There's another case that turned a similar issue - Mummagraphics, covered by Professor Goldman here: "Fourth Circuit Rejects Anti-Spam Lawsuit." In that case, "the . . . header information [for the emails] incorrectly indicated that the e-mails originated from the server 'FL-Broadcast.net,' and [] the messages' 'from' address read cruisedeals@cruise.com, although that e-mail address was apparently non-functional' but the court says that these mistakes are immaterial because the 'e-mails at issue were chock full of methods to 'identify, locate, or respond to' the sender or to "investigate [an] alleged violation' of the CAN-SPAM Act." The court held that these immaterial errors do not state a claim under CAN-SPAM, and to the extent state law allows claims under these facts, it would be preempted. It's hard to see if the claims in Mummagraphics failed, how Kleffman's claims would be viable.

Kleffman tried to argue that the term "misrepresented" in section 17529.5(a)(2) should be construed with reference to other unfair business practices-type statutes, namely, the notoriously amorphous section 17200. According the Kleffman, the spam statute should cover not only header information that is deceptive, but also header information that's "likely to deceive." The court finds that Kleffman's argument is untenable as a matter of statutory construction (the specific provision of the spam statute uses the term "misrepresented," and does not use the term "misleading"). Second, the header information prong, which uses the term "misrepresented," can be contrasted with the subject line prong, which actually uses the term "misleading," and which the court implies has a much broader reach. The court also notes that there's a specific section in California's spam statute which speaks to the use of multiple domain names (17529.4), but section 17529.5(a)(2) says nothing about the use of multiple domain names. Finally, the court notes that the construction urged by Kleffman presents a huge preemption problem (citing Virtumundo).

___

It's nice to see the California Supreme Court come out on the right side on this one. That said, it's painful to see that the dispute had to be litigated through three different courts to achieve a clear answer. This is one of those arguments that anti-spam plaintiffs often make that is out in left field. At least there's some case law to point to in answer to these arguments.

Where does this leave us? In California at least, subject line claims continue to be viable under the broad "likely to mislead" standard. Header information claims, on the other hand, will be much harder to bring. As long as you don't violate any other rules in registering the domain names or acquiring the recipient's email addresses, sending emails from multiple (albeit accurate) sources is not a violation of either federal or state spam laws.

[corrected to note that the decision came to the Ninth Circuit from the Central District of California and to make a few edits (reversed "misrepresented" and "misleading")]

Posted by Venkat at 10:13 AM | Spam

June 15, 2010

Judge Kocoras Cuts Down $11MM Award Against Spamhaus to $27,000 -- e360 v. Spamhaus

[Post by Venkat]

e360 Insight, LLC v. The Spamhaus Project, (N.D. Ill June 11, 2010)

e360 v. Spamhaus is one of these cases that's been around so long it feels like an old friend. A few years ago, e360 got some press for winning an eleven million dollar damage award against Spamhaus. In a less heralded development, following a bench trial on damages, last week a district judge modified e360's damage award down to only $27,000 on its tortious interference and defamation claims. I'm not sure what it is about spam that spawns wasteful litigation, but this is yet another example of a lengthy spam dispute which consumed a lot of resources but which ultimately ended with a whimper.

Background: e360 is (was) a company that provided marketing services (including email marketing) to its customers. Spamhaus is a company which maintains a list of alleged spammers and provides "blacklisting" services. In 2006 Spamhaus "listed e360 and [its principal] Linhardt as being involved in transmitting unsolicited email, colloquially referred to as 'spam.'"

e360 sued Spamhaus alleging claims for tortious interference and defamation. Spamhaus, which is located in the UK, initially appeared, but then "withdrew both its counsel and its answer." The court entered default in late 2006. e360 then moved for default judgment, relying on the declaration of its executive, David Linhardt. The declaration stated that Spamhaus's actions resulted in the cancellation of three contracts e360 had with customers, and the loss of the opportunity to work with prospective customers. e360 claimed a total in damages of $11,715,000, and the district judge awarded this amount.

Spamhaus then appealed, challenging jurisdiction, service, and pretty much everything else. The Seventh Circuit rejected most of Spamhaus's challenges, but found that "a more extensive inquiry" was required on the damages issue. So the case came back to Judge Kocoras for a determination of damages.

Damages: Despite litigating the case vigorously up to this point, when it came to damages, e360 seemed to muster a lot less energy. According to the court, e360 was "slow to provide information requested by Spamhaus . . . [and] missed several [d]eadlines." I'll spare readers a detailed discussion on damages, but the court's take can be summed up as follows:

The unreliability of [e360's] approaches is unmistakably demonstrated by the profound differences in claimed damages profferred at various points during these proceedings. Finally, it strains credulity that a company that made only a fraction of the profits [e360] asks for over the course of its five-year lifespan would have garnered profits in the amounts [e360] set out in [its] testimony or documentary evidence. The profit and loss statement [e360 provided] sets out the company's overall profits at $332,000. . . . .

At the time of default judgment, the damages claimed were $11,715,000. During discovery, Exhibit 5 was proffered reflecting damages of $135,173,577. At trial, proffered Exhibit 5(a) showed damages of $122,271,346. During final argument, the claimed amount was $30,000,000.

Note to plaintiffs: if your damages estimates vary by more than $100M from one iteration to the next, chances are you're not going to get any.

Everyone has their own calculus for when and how far to litigate a dispute, but a case that spanned almost four years and a Seventh Circuit appeal and which resulted in a final judgment of $27,002 doesn't sound like a particularly good outcome for the plaintiff. If you're wondering where the odd two dollars came from, the court awarded nominal damages on the tortious interference with prospective economic advantage and defamation claims. The court declined to award injunctive relief.

Spamhaus had a viable Section 230 argument here, but this argument got lost in the procedural quagmire. Section 230(c)(2) protects filtering judgments and insulates "action taken to enable or make available to information content providers or others the technical means to restrict access to material [that the provider or user considers to be obscene, lewd, lascivious, filthy, excessively violent, harassing, or otherwise objectionable]." (See Professor Goldman's post discussing Pallorium v. Jared, a California state appeals court case where the court held that a publisher of list of IP addresses for open relays could not be held liable. See also Zango v. Kaspersky.)

The decision contains a detailed discussion of the volume of emails transmitted by e360, and which customers many emails were sent on behalf of. Ironically, through litigating this dispute, e360 caused to be memorialized in a court order, facts about its email practices (and the email marketing industry in general) that I'm guessing it would prefer not be in the public eye. Two facts jumped out at me from the order. First, e360 sent out 6.6 billion (!) emails through the course of its five year existence. Second, there were some familiar faces among the list of its customers: SmartBargains and Optinbig.

Posted by Venkat at 02:09 PM | Spam

May 20, 2010

CAN-SPAM Plaintiff Slammed With $800K Attorney Fee Award -- Asis Internet v. Optin Global

[Post by Venkat]

Asis Internet Servs. v. Optin Global, Inc., et al., Case No. C-05-05124JCS (N.D. Cal. May 19, 2010)

A federal court granted a request for attorney's fees (in the amount of $806,978.84) against prolific CAN-SPAM plaintiff Asis Internet. I thought things were looking good for Asis - whose lawsuits have generated substantial blog fodder - when it recently obtained a 2.5 million dollar default judgment in a spam case. I don't know the details of Asis's financial situation, other than the fact that it's a small ISP that once argued a bond should not be imposed against it due to its financial situation. At the least, this fee award will take some spring out of its step. More importantly, it stands as a warning to CAN-SPAM plaintiffs everywhere.

The court's order contains a good summary of the procedural history of the case. In 2008, the court granted summary judgment in favor of Azoogle, finding that Asis lacked standing and there was insufficient evidence for a reasonable jury to conclude that Azoogle "procured" the emails in question. Asis then moved for fees. The court denied the fee request without prejudice, but awarded costs ($34,825.24). Asis appealed both the summary judgment order and the cost order to the Ninth Circuit. The Ninth Circuit summarily affirmed. (Here's my blog post on that Ninth Circuit ruling.) Although the Ninth Circuit affirmed both the summary judgment order and the cost order, it didn't comment on the proper standard to be used for awarding costs in CAN-SPAM cases. Asis urged a plaintiff-friendly approach that is used in civil rights cases. Azoogle argued that the more neutral Fogerty standard (which is used in copyright cases) was appropriate.

The court finds the Fogerty standard to be appropriate and grants Azoogle's request for attorney's fees and costs. Azoogle also filed a Rule 11 request for sanctions along with its request for fees. The court awards the fees and costs under CAN-SPAM and doesn't make a finding as to whether Rule 11 sanctions are appropriate:

the Court concludes that while Asis may not have acted out of bad faith in initiating litigation against Azoogle, it at least acted unreasonably. Even assuming Asis might have reasonably believed when it initially named Azoogle as a defendant that it would establish standing - a question that turned on an as-yet unresolved issue of law - there was never any evidence that Azoogle sent or procured the emails on which Asis based its claims. Rather it is apparent that Asis sued Azoogle based on little more than speculation that there might be a connection between those emails and Azoogle. Asis then continued to litigate even as its discovery efforts turned up no evidence in support of its claims against Azoogle. Having initiated over 20 similar actions, and sued over 20 defendants in this action alone, an award of attorneys' fees here is necessary to deter Asis and other plaintiffs hoping to profit under the CAN-SPAM Act from casting such a wide net. [emphasis mine]

Ouch! The court also cites to Gordon v. Virtumundo, where Judge Coughenour awarded Virtumundo $110K in fees and costs. Finally, the court finds that expert fees are unavailable under CAN-SPAM, and declines to award the $105,435 in expert fees which Azoogle requested.

Asis's filings in response to Azoogle's fee request provide a window into the approach frequently taken by Asis and other spam-plaintiffs. Despite being unable to marshal sufficient evidence to withstand summary judgment on the core issues, Asis maintained that it shouldn't be hit with a fee award because the emails at issue "were 'clear violations' of the CAN-SPAM Act." (??)

As reported by Ken Magill in 2009, Gordon (the plaintiff in Virtumundo) lost more than his spam case - he lost his house ("Anti-Spammer Loses More than His Lawsuit"). I expect Azoogle will be fairly aggressive in its collections efforts here. Only time will tell as to whether Asis will suffer the same fate as Gordon. Regardless, this is definitely a wake-up ruling for CAN-SPAM plaintiffs everywhere.

Posted by Venkat at 10:52 AM | Spam

May 19, 2010

Web-based Email Bombardment Campaign Does Not Amount to a Violation of the Computer Fraud and Abuse Act -- Pulte Homes, Inc. v. LiUNA

[Post by Venkat]

Pulte Homes, Inc. v. Laborers' International Union of North America, et al. (E.D. Mich.) (May 12, 2010)

Background: Pulte Homes, "the largest new home builder in the United States" terminated eight employees. Defendant Laborers' International Union of North America (LiUNA) is a labor organization that represents workers in the construction industry. LiUNA claimed that seven of the eight employees were fired for expressing support for LiUNA. Plaintiff alleged that in response to the terminations LiUNA began a "targeted effort to sabotage and interrupt" plaintiff's business operations. Plaintiff argued that LiUNA's email campaign was a violation of the Computer Fraud and Abuse Act (sections 1030(a)(5)(A), 1030(a)(B), and 1030(a)(C)):

Defendants have encouraged LiUNA supporters to inundate Plaintiff with mass quantities of phone calls and e-mails . . . . LiUNA's website featured a 'call to action,' which provided a pre-typed e-mail voicing opposition to Plaintiff's alleged termination of employees for supporting the union. This e-mail was pre-addressed to Plaintiff and allowed users to send it to Plaintiff with the click of a few buttons.

The Court's Ruling:

Unlawful transmissions: The unlawful transmission prong of the CFAA requires the transmission of information as a result of which the defendant "intentionally causes" damage to a protected computer. The court dismissed this claim because plaintiff failed to allege that LiUNA's email campaign caused any appreciable damage to plaintiff's computer system.

Unauthorized access: The unauthorized transmission prong of the statute requires intentional access "without authorization," along with resulting loss. The court concludes that LiUNA did not "access [plaintiff's] computer under the CFAA merely by leaving a voice-mail or sending an e-mail." The court rejects plaintiff's attempt to rely on an older AOL spam case (AOL v. National Health Care Discount, Inc.) where the Northern District of Iowa held that the transmission of bulk email through AOL's servers could constitute a violation of the CFAA. (The court there expressed serious reservations as to whether the Computer Fraud and Abuse Act even covered unsolicited bulk emails: "it is not clear that a violation of AOL's membership agreements results in 'unauthorized access.'") The AOL case was decided pre-CAN-SPAM, and as the court recognized, stretched the bounds of the Computer Fraud and Abuse Act. It's tough to conclude that sending an email to an email address that's designed to receive emails from the general public constitutes "unauthorized access" under the Computer Fraud and Abuse Act. AOL argued that mass emails were "unauthorized," because they were a violation of AOL's terms of service, but this argument suffers from the same problems that any terms of service-based Computer Fraud and Abuse Act claim suffers from.

[Anyone engaging in this sort of a mass email campaign may want to stagger the emails or otherwise take steps to minimize potential damage or slowdowns to the recipient's servers. Where there's no damage or slowdown, courts are reluctant to find liability.]
__

This case is reminiscent of Intel v. Hamidi, another case involving a departing employee who was sued for sending mass emails. In Hamidi, the California Supreme Court held that the departing employee could not be held liable under a trespass to chattels theory because the emails he sent did not damage Intel's servers. As in this case, in Hamidi, the plaintiff seemed more concerned about the content or peripheral effects of the emails, rather than any effect the emails had on plaintiff's servers.

Related:

The case also brings to mind the contempt order slapped on "television-pitchman" Kevin Trudeau. Trudeau was a defendant in a case brought by the FTC who exhorted "his radio and web followers to deluge U.S. District Judge Robert Gettleman with e-mail" in an attempt to persuade the judge to side with Trudeau in the FTC proceeding. Judge Gettleman found that this interfered with his administration of justice, and sentenced Trudeau to 30 days. That decision is on appeal to the Seventh Circuit. (See coverage from Wired's Threat Level blog here.)

Another union activity case which Prof. Goldman blogged about recently (in that case, involving trademarks) is Cintas v. Unite Here ("Union Organizers' Activist/Gripe Sites Don't Support Trademark Claims").

UPDATE FROM ERIC: This case also vaguely reminds me of the Utube v. YouTube lawsuit, where Utube claimed that YouTube was trespassing its domain name because people were lousy spellers.

Posted by Venkat at 11:28 PM | Privacy/Security , Spam , Trespass to Chattels

May 11, 2010

Internet Access Provider & Blocklist Publishers Denied 230(c)(2) Immunity for Anti-Spam Efforts

By Eric Goldman

Smith v. Trusted Universal Standards in Electronic Transactions, Inc., 2010 WL 1799456 (D.N.J. May 4, 2010)

It's usually a drag to read opinions in pro se lawsuits. Most of the time, the litigant gets flattened mercilessly. Occasionally, however, the judge bends over backwards to give the litigant the benefit of the doubt. Either way, the opinions are messy and untrustworthy.

This case fits that description. The judge says he can't figure out the facts from the complaint. but here's his best guess. It appears that Smith is a Comcast Internet subscriber. Comcast blocked his outgoing mail twice because he was allegedly sending spam. When pressed why it thought Smith's emails were spam, Comcast pointed the finger at IronPort (owned by Cisco), who in turn pointed the finger at Spamhaus. Smith then filed a "Consumer Watchdog" complaint against Comcast with TRUSTe (misnamed as the lead defendant).

Independently, Microsoft put Smith's email server on its Frontbridge blocklist. Smith separately filed a TRUSTe complaint against Microsoft for that. Smith ultimately decided to sue TRUSTe, Comcast, Cisco and Microsoft for 8 different legal violations in one big litigation fiesta.

Smith's claims go nowhere. The court dismisses all of them with leave to amend the complaint, so the story turns out largely happily for the defendants. Unfortunately, the plaintiff does get one more chance, and he even attached a massive 404 page (!) draft amended complaint. (Note: this is 404 pages, not a 404 error, although it certainly is an error). The court reminds the plaintiff that the rules require a short and plain statement of the claims.

Along the way, the court reaches a decidedly defendant-unfriendly conclusion by rejecting Comcast's, Cisco's and Microsoft's 230(c)(2) defense, the statutory immunity for online filtering decisions--and the often overlooked cousin of 230(c)(1) which I have blogged about many times. Worse, the court reaches its conclusion in the face of several clearly applicable precedent cases. In my opinion, this is an example of how Smith's pro se status causes the court to be overly cautious…to the point of reaching the wrong result.

The court starts off right by concluding that spam could qualify as "otherwise objectionable" content under 230(c)(2) (cite to e360insight v. Comcast). Doing a light ejusdem generis analysis, the court says "nothing about the context before or after that phrase limits it to just patently offensive items."

However, Comcast is denied 230(c)(2) on a motion to dismiss because Smith alleged that Comcast acted in bad faith. In support of this, Smith alleged that Comcast told him that they didn't mind his emails, but he just needed to upgrade to a more expensive subscription. The court says if this is true, "Comcast was not concerned that people were receiving large quantities of emails, or concerned about the content of the emails, but rather was concerned that Plaintiff had not purchased a sufficient level of service. This is not a good faith belief that the emails were objectionable, but rather a belief that they violated a service agreement."

This is a garbled statement at best. What I think the court was trying to say is that Comcast had a pink contract that allowed spam if the user paid enough money, and Smith hadn't gotten a pink contract. If so, then I can see the court's point that Comcast is being duplicitous arguing that spam is objectionable content because Comcast's assessments could be bought.

I was uncomfortable with the court's almost off-hand reference that "One would expect that if an interactive computer service had acted in good faith, it could and would come forward with the legitimate basis for its actions when questioned (though the Court is not suggesting they must do so)." First, as the court notes, this is a motion to dismiss, so Comcast can't proffer new evidence. Second, this is a burden-shift. As regular readers know, I believe 230 is an immunity against suit, not an affirmative defense, so the plaintiff has the burden to show why the service provider did not possess the requisite subjective good faith when making its filtering decision. It's not Comcast's responsibility to prove its own subjective good faith beliefs. (How does one prove those in any case?)

Cisco and Microsoft both published blocklist-type information. They try to fit into 230(c)(2)’s statutory definition of "access software providers," which requires them to show that they "provide or enable computer access by multiple users to a computer server." This issue was litigated in the Zango v. Kaspersky case, where Kaspersky distributed anti-spyware software that phoned home for new definitions. The Ninth Circuit said that the phone home feature satisfied the statutory requirement. In contrast, the court appears to say that pure blocklist publishers (i.e. those who do not distribute accompanying software with a phone home capacity) do not; this reading effectively kicks blocklist publishers out of the statute.

As the court acknowledges, this conclusion seemingly conflicts with the 2004 OptInRealBig decision, where the court held that IronPort as a blocklist publisher qualified for the statute because it was a user of an interactive computer service. The court doesn't explain why IronPort doesn't still qualify as an ICS user except to say that IronPort didn't make the requisite showing. The court also does not note that the OptInRealBig case was a 230(c)(1) decision (not a 230(c)(2)) because IronPort republished third party reports, and that should have applied here as well. The court also does not address the extensive 230(c)(1) precedent effectively treating online content publishers (which would include blocklist publishers) as "users" of ICSs, ranging from Barrett v. Rosenthal to the implicit conclusion in Novins v. Cannon.

More specific to 230(c)(2), the court doesn't explore either Pallorium v. Jared or MAPS v. Black Ice (an old 2000 case), both of which arguably contradict this particular conclusion in the 230(c)(2) context. Thus, because the court did not engage the applicable precedent, was overly solicitous to a pro se litigant, and knew that its discussion was dicta because it was ruling for the defendants anyways, the court chunks the analysis.

For more on 230(c)(2), see my 230(c)(2) talk notes from last summer.

One other noteworthy aspect of the ruling. Smith alleges that Comcast breached its privacy policy, but the court dismisses the contract claim because he doesn't show any loss from the alleged breach. This is yet another case holding that merely breaching a privacy policy isn't an actionable contract breach without more. See, e.g., the cited JetBlue case.

UPDATE: John Levine provides some perspectives about what might have happened.

Posted by Eric at 10:37 AM | Content Regulation , Derivative Liability , Privacy/Security , Spam | TrackBack

May 05, 2010

Asis Internet Awarded $2.5mm on CAN-SPAM Claims -- Asis Internet v. Rausch

[Post by Venkat]

Asis Internet Servs. v. Rausch, Case No. 08-03186 EDL (N.D. Cal.) (May 03, 2010)

Asis Internet was recently awarded summary judgment on its CAN-SPAM claims which it brought against a business known as "Find a Quote." Although not technically a default judgment, the defendant against whom summary judgment was entered did not respond to Requests for Admission (or otherwise participate). This may blunt the value of the ruling. Regardless, Asis certainly hit the jackpot, at least on paper.

Facts: Some facts about Asis and the case:

- it has "just under 1,000 internet access and email customers"
- four employees
- it receives 200,000 spam emails a day
- it costs Asis approximately $3,000 per month to "process" spam emails
- it maintains agreements with Postini, Falcon Knight and other vendors
- it brought claims based on 24,724 emails
- the emails were received "first on its filtering services . . . then transferred, processed and stored . . . "

Asis issues RFAs to defendant Heckerson, who failed to respond. Asis sent a follow up letter which also prompted no response. The court deems the facts that are the subject of the RFAs admitted and grants summary judgment.

The Court's Ruling:

Standing: The court concludes that Asis has standing. Unlike Gordon from Virtumundo, Asis actually has assets and provides a service, even if it's to a small group of people. (Gordon's "service appeared to be limited to using a control panel via an ordinary Internet connection through an ISP to set up email accounts . . . he had a nominal role in providing internet services.")

Adversely Affected: On the question of whether Asis was adversely affected, the court acknowledged that while Virtumundo did not decide whether there needed to be a "direct causal link" between the emails and harms, the court stated that there must be some sort of showing of relationship between the email and the harm (or that the emails contribute in the larger sense to ISP-type harms). Asis satisfied this element by showing that it paid $3,000 per month to "process" spam, it experienced network slow downs, its employees spent time assisting customers with the spam issue (22 hours), and Asis lost customers and revenue.

The CAN-SPAM Claims: Asis had included questions in its RFAs which pretty much went to the core question of whether defendants violated CAN-SPAM. The court relied on these facts. By failing to respond to the RFAs, Heckerson admitted that he "knew his affiliates were sending or hiring others to send commercial electronic mail advertisements with misleading information." He also admitted that he engaged in "a pattern and practice of using spammers to acquire sales leads." (Asis has litigated the affiliate liability issue before, and lost, against Epic Advertising (formerly Azoogle). See this article from MediaPost discussing the summary judgment ruling against Asis, where the court also found that Asis lacked standing.)

Damages: The damages were the most interesting part of the ruling. Asis sought $3,090,500.00 in damages (!) The court looked to the ruling in Facebook's case against Sanford Wallace where Facebook was awarded $711,237,650.00 for 14 million emails (or violations). The court also looked to the recent Tagged case where the court awarded Tagged $25 per violation for a total of $151,975. (The Tagged lawsuit drew this humorous response: "The Supreme Court of Irony Investigating Tagged.com Lawsuit.") The court found the Tagged scenario more analogous and awarded Asis $25 per violation of section 7704(a)(1) and $10 per violation of section 7704(a)(2), for statutory damages of $865,340.00. [The court briefly notes that it's not considering the issue of whether the statutory damage award would violate due process.]

The court also found that Asis put forth persuasive evidence that it is entitled to treble damages. First, it put forth evidence that defendant had to have engaged in harvesting emails because defendant obtained the names of email account holders, and the names or customer information attached to the emails did not exist anywhere else. This satisfies one of the aggravating factors under section 7704(b)(1)(A), entitling Asis to treble damages under 7706(g)(C). Asis also puts forth evidence that defendant used automated scripts to create email accounts from which it sent spam messages. This is an aggravating factor under section 7704(b)(2).

When all is said and done the court awards Asis a whopping $2,596,020.00.
___

This is more or less a default judgment so it's tough to know what to make of it. There are probably collectability issues lurking in the background that could turn this into a pyrrhic victory.

The fact that Asis "received the emails first on its filtering service operated by Postini, then transferred, processed and stored the emails on its server . . . " is interesting. So Postini does a fine job filtering out the spam received by Asis (maybe spam is not the grave $2.5 million problem Asis claims?). And Asis actually moves the messages from the spam filter to its own folder where the messages are "processed"? This brought to mind Judge Gould's concurrence in Virtumundo, which talked about how the common law "did not develop remedies for people who gratuitously create . . . circumstances that would support a legal claim and act . . . with the chief aim of collecting a damage award."

Either way, Asis deserves credit for soldiering on.

Posted by Venkat at 03:40 PM | Spam

May 02, 2010

Email Header Information Claim Preempted by CAN-SPAM, But Subject Line Claim Not Preempted -- Asis Internet Servs. v. Member Source Media, LLC

[Post by Venkat]

Asis Internet Services v. Member Source Media, LLC, No. C-08-1321 EMC (N.D. Cal.) (April 20, 2010)

Yet another CAN-SPAM preemption ruling, this one is also from the Northern District of California and it also involves veteran spam plaintiff Asis Internet! Of the recent decisions that have grappled with whether CAN-SPAM preempts the California spam statute I think this one gets it most right.

Background: Asis brought claims under CAN-SPAM and section 17529.5 (one provision of California's spam statute) alleging that it received email sent by Member Source Media which had misleading header information and subject lines. The court dismissed the CAN-SPAM claims based on standing and now looks at whether the state law claims are preempted by CAN-SPAM.

The Court's Ruling: The court acknowledges that Virtumundo did not address the precise issue before the court "i.e., whether a plaintiff must plead reliance and damages in order for its state law claim to be saved from preemption." To resolve this question, the court looks to Judge Conti's ruling in the Subscriberbase (which also involved Asis Internet) where Judge Conti found that a plaintiff was not required to plead the fraud elements of reliance and damages in order to escape CAN-SPAM preemption. (Here's my previous post covering the Subscriber base ruling.) The court in this case is persuaded by Judge Conti's reasoning, and similarly concludes that "Asis need not plead reliance and damages in order for its claim to be excepted from preemption." However, the court notes Congress's concerns about "frivolous lawsuits and the scope of plaintiffs allowed to bring suit against email advertisers." The court also gives a nod to Judge Gould's concurring opinion in Virtumundo which expresses concern that allowing anyone to sue could result in the creation of "litigation factories," which Congress obviously did not intend. With this background in mind, the court turns to the specific header and subject line-based claims brought by Asis.

Header Claims: Asis argued that Member Source violated the header information prong of the California statute by sending emails from domain names such as "greenthe.com," "consumerbargrewards.com," and innocenttruthrevealed.com" Asis argued that it had to undertake a WHOIS search to find out where the emails came from, and many of the domains were registered through privacy protection services so these searches came up empty. Finally, Asis argued that certain internet protocol addresses used by the emailers were obtained through false representations because "the purported sub-lessee of the IP addresses, Frank Peters, provided a mailing address and Asis' investigation indicated that no Frank Peters resided at the address."

The court finds that these claims were similar to the claims brought by Gordon -- i.e., they were premised on "technical and immaterial . . . header deficiencies". To the extent Asis argues that domain names must somehow clearly identify Member Source, these claims are preempted under CAN-SPAM. The court contrasted Asis's claims with the claims brought against Reunion.com, which another Northern District judge found were not preempted. In the Reunion.com case, the plaintiff argued that the emails purported to come from a friend or acquaintance but they actually came from Reunion. In contrast, in this case, there was nothing inherently misleading about the header information so the court rejects these claims.

Two quick notes here. First, Professor Goldman previously blogged about US v. Kilbride, a criminal case where the court cited to the use of privacy protection services as supporting the government's case that the defendants violated the header information prong of CAN-SPAM. It's nice to see the court reject (or give nothing more than a passing reference to) Asis's argument that the email headers were somehow misleading under California law because proxy registration was used. Second, I'm not sure what's up with plaintiffs repeatedly making arguments that "fanciful" or "random" domain names can't be used to send emails. There's nothing in CAN-SPAM (or any other spam statute) that says you can't register a bunch of domain names that don't incorporate the name of your company to send out emails. Companies do this (legitimately) all the time. To me, this whole line of argument shows how much plaintiff's are trying to stretch spam laws when bringing claims. Kleffman v. Vonage is another case (certified from the 9th Circuit to the California Supreme Court) where plaintiffs make this argument, and Value Click filed a nice amicus brief [scribd link] that persuasively lays out why this argument is untenable.

Subject Line Claims: The subject line claims were based on subject lines such as "Wal-Mart 500 Dollar Gift Card Inside," and "Second Attempt: $500 Target Gift Card Inside." The court found these claims fall under the garden variety deception category (in contrast to the header information claims) and were not preempted.

End Result: The court finds the header information claim preempted and dismisses this claim with prejudice. The subject line claim is not preempted, and the court declines to exercise supplemental jurisdiction over this claim (Asis can pursue it in state court if it chooses to refile).

The court notes that this case has been going on for over two years. I wonder if Member Source will seek fees, which are available under CAN-SPAM. Fees were awarded against Gordon, the Virtumundo plaintiff. Asis in one of its own filings expressed concerns about its financial situation. It has lost a bunch of rulings over the years, but surprisingly, I haven't seen much about people trying to seek fees against it.

N.D. Cal Rejects Preemption and Standing Defenses Against Claims Under CA Spam Statute -- Asis Internet Servs. v. Subscriberbase Inc. (April 1, 2010)

Posted by Venkat at 08:12 AM | Spam

April 23, 2010

Beverly Stayart Strikes Again! This Time, Stayart Sues Google

By Eric Goldman

Stayart v. Google, Inc., 2:10-cv-00336-LA (E.D. Wis. complaint filed April 20, 2010)

I've previously blogged about Beverly Stayart (a/k/a Bev Stayart) and her mockable lawsuit against Yahoo. She has repeatedly declared that she is the only Beverly Stayart / Bev Stayart in the world and that her name--due to the cachet she has built up from being a quality human being--is being used to peddle sex-related pharmaceuticals. She lost her first foray against Yahoo on 47 USC 230 grounds but nevertheless is trying again.

Now, she has launched another effort to defend her name—this time she is suing Google for similar concerns. (Like we couldn't see that coming!). She objects to the fact that Google Suggest prompts searchers on "bev stayart" to search for "bev stayart levitra." (para. 13). Anticipating a 47 USC 230 defense, she argues (para. 15) that Google Suggest represents first party editorial content that drops out of 230 coverage. The complaint also seems to raise the question of whether selling a personal name as a keyword trigger constitutes a publicity rights violation; but the complaint does not appear to evidence any understanding of broad matching, i.e., that a search for "bev stayart levitra" will deliver Levitra-related broad-matched ads for reasons having nothing to do with Bev Stayart. (See this recurring defect in paras. 90-109).

(Note: this prompted me to check out a search for "eric goldman levitra." My first result, from www.hosmersoda.com, looks pretty sploggy to me, but there's no way I'm going to click on these links!!!)

Some unsolicited advice for Bev Stayart: stop suing search engines, and stop running vanity searches on the search engines. Life is too short to fret about sploggers!

Two final notes: Bev's attorney is, once again, Gregory A. Stayart, her employer and presumably a family relation. Also, searches for "Bev Stayart" and "Beverly Stayart" are worth a look—I can’t recall other search results quite like that.

Posted by Eric at 09:29 AM | Derivative Liability , Publicity/Privacy Rights , Search Engines , Spam | TrackBack

April 20, 2010

Spammer Convicted on Wire Fraud Charges -- United States v. Diamreyan

[Post by Venkat]

United States v. Diamreyan, 09-cr-0260 (JCH) (D. Conn.) (April 16, 2010)

Earlier this year Okpako Mike Diamreyan was found guilty of wire fraud. The district court recently denied his motion for judgment of acquittal.

Diamreyan "was charged with devising a scheme to defraud known as an 'advance fee.'" As the court describes it, this is a "scam . . . where a person asks an individual to pay an advance fee in order to obtain a larger sum of money, which the individual [victim] never receives."

The government presented evidence that defendant used a Yahoo email account (miklymyx@yahoo.com) for over ten years, and presented evidence of emails sent to victims, telephone calls made, and wire transfers which were initiated by the victims.

The stories about Diamreyan's purported identity, the amount of money available, the reason it was tied up, the money needed to free it, and the name of the contact person changed from email to email, but the overall scam was the same. Frequently, Diamreyan would include his phone number (one of those listed on his visa application) in the email and ask people to contact someone by a different name at that number. For example, in one email, Diamreyan told the email recipient that he was in Sierra Leone, and his family's $23.4 million was on consignment at the airport. He then asked the recipient to contact the airport director, Rev. Dr. Richard Camaro, to release the money from this consignment.

Defendant's arguments in favor of a judgment of acquittal did not end up carrying the day.

Two things about the case struck me. First, people who respond to these emails (from miklymyx@yahoo.com, no less) and transfer money to complete strangers in the hopes of receiving more money do in fact exist. Second, the amounts transferred were nominal. In this case, the amounts were between $50 and $250. (I'm curious as to what the government will end up arguing as a loss amount for sentencing purposes. I'm sure it will present some sort of projection of how much money defendant must have gained.) [Update: one of the filings contained a spreadsheet [link] which listed amounts transferred to defendant and to third parties. The amounts were more than "nominal".]

Here's the press release from the US Attorney's Office: "Federal Jury Finds Nigerian Citizen Guilty of Charges Related to Internet 'Advance Fee' Fraud Scheme." According to the press release he faces up to 20 years and a fine of up to $250,000. [I don't have a good frame of reference, but this seems absurdly high.] Also, not to make light of the plight of the victims, but you would think the government has bigger fish to fry?

Related: Two interesting radio programs on those who take matters in their own hands when dealing with internet scammers: (1) Xeni Jardin on NPR's Day to Day: "Scam-Baiters' Turn Tables on Would-Be Cons"; and (2) This American Life -- Act two of Episode 363 ("Enforcers"): "Hanging in Chad." Both programs reference "419 Eater", a website that documents "scambaiting" (scamming the scammers).

Posted by Venkat at 10:34 AM | Spam

April 16, 2010

Reunion.com Revisited Again: Claims Under CA Spam Law Not Preempted by CAN-SPAM -- Hoang v. Reunion.com

[Post by Venkat]

Hoang v. Reunion.com, No. C-08-3518 MMC (March 31, 2010)

Reunion.com is a long-running case that's been blogged extensively by Ethan and others. A group of plaintiffs who received emails through Reunion's alleged "invite your friends whether you like it or not" program sued under California spam laws. They alleged three claims: (1) a subject line claim that the emails misleadingly said "[Your friend] is looking for you"; (2) a from line claim that the from lines of the emails contained an email address (e.g., edmorphic@yahoo.com) through a domain that the sender did not have permission to use; and (3) a from line claim that the emails misrepresented that they were from specific individuals (i.e., friends), rather than from Reunion.

The Court Dismisses the Amended Complaint: The court (in December 2008) dismissed the amended complaint on the basis that CAN-SPAM preempts all but "torts" involving misrepresentations. Plaintiffs failed to allege that they relied on any of the misleading statements in the emails to their detriment so they failed to state a claim under state law. The court cites to CAN-SPAM's legislative history, noting that CAN-SPAM's preemption clause was designed to ensure a "national standard," and thus only laws that touch "fraud or deception" would be left surviving under the preemption clause. As an alternative argument, the court found that plaintiffs lacked standing to sue in federal court.

[The complaint asserted state law causes only but is in federal court under the Class Action Fairness Act of 2005.]

The Court Reconsiders Its December 2008 Order: The latest order (issued on March 31, 2010) focuses on Gordon v. Virtumundo, a 9th Circuit case many thought would sharply curtail spam litigation. (Prof. Goldman's post: "An End to Spam Litigation Factories?--Gordon v. Virtumundo".) The court "reads [Virtumundo] as implicitly finding [that the Washington email] statute was intended to confer standing based solely" on receipt of emails. [The discussion about Virtumundo and standing is somewhat confusing to me.] Ultimately, the court concludes that in light of Virtumundo, in order to have standing under state law, a spam plaintiff need not allege reliance and actual damage.

The court tackles preemption next. The court relies on the presumption against preemption (citing Virtumundo) and relies on CAN-SPAM's legislative history to find that the plaintiffs' claims against Reunion are not preempted. The court's order almost reads like an opposition brief to its earlier order. The court concludes that "plaintiffs' failure to allege they relied to their detriment on the alleged false statements in defendant's emails does not constitute a ground for dismissal of their claims."

Finally, the court addresses defendant's materiality argument. The court compares the misstatements in Virtumundo to the misstatements here. In Virtumundo, the plaintiff complained that he received emails from addresses such as "Criminal Justice@vm-mail.com," while in this case, plaintiffs allege they received emails which appeared to be sent from people they knew. Given these differences, at least at the pleading stage, the court could not conclude that the misstatements were not material.
__

What to Make of the Latest Reunion.com Order?

1. Ethan's posts are good reading for background: "CAN-Spam-a-Friend?--Hoang v. Reunion.com" and "Reunion.com Revisited". Judge Chesney's most recent order vindicates his view.

2. It's tough to figure out the current state of CAN-SPAM preemption. One way of looking at it is that Mummagraphics and Virtumundo involved claims based on state email statutes for emails that were not misleading. Reunion.com emails, on the other hand, are arguably misleading. (Are reasonable people really misled by "your friend is looking for you" emails?) The big question is: where is the line? Of course, email marketers would benefit from having a bright line which they can adhere to without fear of getting sued in any one of the fifty states.

3. There's a discrepancy between how California plaintiffs are faring versus how plaintiffs in other states such as Washington are faring. John Levine notes at Circle ID that another Washington spam case - this one brought by Bennett Haselton and Peacefire - was recently dismissed: "Another Spam Case Lost in Washington, or Gordon Strikes Again." The plaintiff in Virtumundo (James Gordon) has also had a slew of Washington spam cases recently dismissed. Although the most recent court order in the Peacefire case focused on the CAN-SPAM claims and not on state law claims (the court in footnote 1 notes that "it [appeared] plaintiffs . . . abandoned" their state law claim), the fact that similar lawsuits are moving ahead in California but failing in Washington is problematic. [Correction: it looks like Peacefire is pursuing a claim under the Washington spam statute as well as a claim under Washington's consumer protection statute. The court indicates that he abandoned the CPA claim but not the claim under the Washington spam statute.] This is one of the things preemption is designed to avoid.

4. There are two ways at looking at possible "from line" claims: (1) they could cover spoofing (where an email is sent to look like it's coming from an email address when it's not) or (2) they could more broadly cover "unauthorized" use of a domain name to transmit an email. There's a third view that's pressed by plaintiffs such as Gordon, which is that the address in the from line has to refer to an actual person, but this argument has never gotten much mileage. With respect to the second view, accepting the proposition that you can state a claim where an email is transmitted through a Yahoo email address in violation of Yahoo's terms of use (which would make it technically "unauthorized") has never sat well with me. It would be great if courts construe the from line prong of state email statutes to only cover spoofing.

5. On the bright side, we should hopefully get some clarity soon. Kleffman v. Vonage, another California spam case which raises similar issues (which the 9th Circuit certified to the California Supreme Court), is scheduled for argument in front of the California Supreme Court on May 6. Also, Reunion.com moved for a stay and permission to file an interlocutory appeal. It's a long shot, but who knows, maybe this case will end up sooner rather than later in front of the 9th Circuit? I was unpersuaded that the standards for reconsideration were satisfied here. The court pretty much did a 360 on its earlier ruling, and the court should recognize this when it considers defendant's request for leave to file an interlocutory appeal.

6. Finally, it's worth noting that counsel for the plaintiffs here are on the defense side in Asis Internet v. Subscriberbase, a case which raises similar preemption issues which I blogged about last week ("N.D. Cal Rejects Preemption and Standing Defenses Against Claims Under CA Spam Statute"). The defendant in Reunion devoted some energy to raising this issue to the court and trying to argue a conflict, but Judge Chesney wasn't swayed by this. (see page 3, footnote 3)

Related: See additional coverage from Wendy Davis here: "Judge Brings Reunion.com And Spam Suit Together Again".

Also, Tagged.com, a company that allegedly scrapes the contact lists of people who join to invite other potential members to join, recently settled up with the San Francisco DA's office by paying $650,000. This comes on the heels of other similar settlements between Tagged.com and regulators.

Posted by Venkat at 09:30 AM | Spam

April 06, 2010

Fourth Circuit: Email, ECF, and Domain Name Woes do not Excuse Failure to Respond to Summary Judgment Motion -- Robinson v. Wix Filtration

[Post by Venkat]

Robinson v. Wix Filtration Corp. LLC, 4th Cir. (Mar. 26, 2010) [scribd]

The Fourth Circuit recently held that the district court properly granted summary judgment in favor of a defendant, and rejected plaintiff's argument that counsel's failure to respond to a defense motion for summary judgment was excusable due to email, malware, and domain name issues.

As described by the court, plaintiff's counsel "was afflicted by a malware virus and . . . his counsel's firm's domain name had temporarily expired when the motion for summary judgment was filed." Counsel re-registered the domain name but the "e-mail accounts associated with the domain name were 'blacklisted' causing further e-mail problems."

The court found that plaintiff's failure to receive notice of the motion "resulted from counsel's conscious choice not to take any action with respect to his computer troubles." In the words of the court: "counsel made the affirmative decision to remain in the dark." Finding that a client must bear the consequences of his or her attorney's conduct, the court found that it was not an abuse of discretion for the trial court to refuse to set aside the judgment. The court found that plaintiff was not entitled to relief under either Rule 59(e) or 60(b).

One judge concurred, finding that the dismissal was a result of "counsel's unwise and misplaced strategic choice to litigate, ostrich-like, with his head in the sand." The concurring judge noted critically (in a footnote) that periodically checking the CM/ECF docketing system "simply was not a part of [counsel's] practice."

Judge King filed a spirited dissent, among other things, arguing that the Fourth Circuit's decision creates a "duty to monitor," and that the party should not in this case made to bear the consequences of counsel's actions. Interestingly, Judge King also argues that the exception to the rule (taken for granted as a matter of practice in many ECF jurisdictions) that ECF filing constitutes service should come into play. The dissenting opinion argues that once defense counsel became aware that plaintiff's counsel had email issues, defense counsel should have sent a paper copy of the motion in order to complete service. (The rules provide that ECF filing "is not effective if the serving party learns that [the Notice of Electronic Filing ] . . . did not reach the intended recipient," but by the time the defendant had notice of the other side's email problems, it was pretty much too late. And plaintiff's counsel should have probably checked the docket anyway, to see if a dispositive motion was filed when the deadline came and went.) Judge King also notes that imposing a "duty to monitor" will result in additional costs (in the form of PACER fees) which will fall on the shoulders of clients.

___

It's tough to not be sympathetic to plaintiff and to counsel for plaintiff. Everyone will have an email gaffe at some point in their career. (I'm not sure the failure to check the docket is as excusable.) That said, courts are not very tolerant of arguments that counsel did not respond to a motion or a deadline due to a failure to receive electronic notice. The "spam filter ate my CM/ECF notice" is often offered as an argument in these situations, but this argument typically does not get a lot of mileage. (See Shuey v. Schwab discussed in this post (court remands for consideration of the merits) and the other cases mentioned there.)

(h/t ABA Journal: "Lawyer’s Computer Virus Doesn’t Excuse Missed Dismissal Motion, 4th Circuit Says")

Posted by Venkat at 12:20 PM | Adware/Spyware , Spam

April 05, 2010

N.D. Cal Rejects Preemption and Standing Defenses Against Claims Under CA Spam Statute -- Asis Internet Servs. v. Subscriberbase Inc.

[Post by Venkat]

Asis Internet Services v. Subscriberbase Inc., (N.D. Cal.) Case No. 09-3505 SC; April 1, 2010 [scribd]

Judge Conti (in the Northern District of California) issued a potentially significant decision last week that keeps the door open for plaintiffs alleging claims under California's spam statute. This is good news for anti-spam plaintiffs, and comes on the heels of last month's state court trial win for another spam plaintiff which resulted in an award of $7000. (Balsam v. Trancos)

Background: The Ninth Circuit in Gordon v. Virtumundo held that veteran spam plaintiff James Gordon could not sue under CAN-SPAM because he was not a bona-fide ISP (or provider of an "internet access service") and because he did not suffer any "adverse effects" from the spam he received. He was harmed as any email recipient would be and thus was not among the class of plaintiffs entitled to sue under CAN-SPAM. The court also held that CAN-SPAM preempted Gordon's claims under Washington's spam statute. Here is Prof. Goldman's post discussing that ruling. The post asked whether Virtumundo would spell an end to "spam litigation factories". Following Virtumundo, courts knocked out Gordon's many pending cases. Plaintiffs who appear similarly situated to Gordon have persevered in California, trying to assert claims under California's spam statute.

One issue that was left unresolved was whether CAN-SPAM preempted California's anti-spam statute (and how much of it was preempted). A few courts have dealt with this issue. One court held that a plaintiff must satisfy the "actual fraud" standard in order to assert a claim under a state spam statute. (Hoang v. Reunion.com, discussed by Ethan here and here.) Other courts (Asis Internet v. Vistaprint and Asis Internet v. Consumerbargaingiveaways, discussed by Ethan here) have taken a less restrictive view, rejecting Reunion.com's premise that only claims satisfying the traditional "actual fraud" standard survive CAN-SPAM's broad preemption clause.

This case takes a fresh look at the issue and rejects the Reunion.com view. Regardless of the outcome of this dispute, portions of California's spam statute, such as the provisions imposing a blanket ban and those requiring labeling are preempted. The issue is whether there's room to allege that emails are misleading based on information in the subject lines, from lines, or headers, and make a claim under California's spam statute.

The Court's Ruling:

1. Were the Subject Lines Were Likely to Deceive Recipients: Defendants argued that the subject lines were not likely to deceive recipients. Section 17529.5(a)(3) prohibits subject lines that are likely to mislead "about a material fact regarding the contents or subject matters of the message." The court predictably refuses to conclude as a matter of law that the email subject lines are not deceptive. I don't know if anyone reasonably believes that email subject lines which offer free products (for example: "Review & Keep Designer Handbags worth $1500 Dollars-guys invited too") actually offer free products. But given the statutory language, it would have been tough for the court to conclude as a matter of law that the subject lines were not "likely to mislead." Once you use the word "free," if something is not actually free, you will have an uphill battle getting a court to conclude that the marketing copy is not misleading as a matter of law.

[Tip to marketers: avoid using "free" unless something truly is free, particularly when this claim is made in an email or online!]

2. Did Defendants Have Knowledge That the Subject Lines Were Likely to Deceive: Defendants also argued that the complaint did not sufficiently allege that defendants knew the subject lines were likely to deceive, in light of the fact that defendants did not transmit the messages. Plaintiffs earlier lost a case on this precise issue, where a district court held that the defendants could not be held liable for spam received by plaintiffs because the defendants in that case neither sent nor "knowingly procured" the messages. (Here's Professor Goldman's post discussing that ruling, along with other affiliate liability issues. As mentioned below, this ruling was affirmed by the Ninth Circuit.) In light of the fact that plaintiffs previously lost on this issue, it's irritating for plaintiffs to get another chance here. Defendants will likely have to fight this one out on summary judgment, rather than at the motion to dismiss stage. It would have been nice for the court to require some specific allegations regarding defendants' supposed knowledge.

3. Do Plaintiffs have Standing Under California Law: Defendants' first standing argument was that Proposition 64, which amended California's false advertising and unfair competition laws to provide that only plaintiffs who "suffered injury in fact and has lost money or property" could bring claims, applied to section 17529.5 and barred the claims asserted by plaintiffs. The court rejected this argument, noting that section 17529.5 included "independent, non-exclusive standing and remedy provisions" which authorize ISPs (defined as "electronic mail service providers") to bring suit. The court acknowledged the effect of Prop 64 was unclear, and reasoned that Prop 64 was designed to curb the practice of members of the general public bringing lawsuits to enforce advertising and unfair competition rules, rather than change the standing requirements of statutes which only applied to a narrower (more specific) class of plaintiffs. According to the court, since California's spam statute only authorized a narrow class of plaintiffs to bring claims to begin with, the statute was left unaffected by Prop 64.

4. Are Plaintiffs' Claims Preempted by CAN-SPAM: Defendants relied on Gordon v. Virtumundo and argued that plaintiffs' claims were preempted by CAN-SPAM. The court acknowledged that other courts in California had reached differing results on the preemption issue. Hoang v, Reunion.com held that CAN-SPAM's preemption clause only leaves room for state law causes of action based on "common law fraud," which requires allegations of reliance and actual harm. On the other hand, two judges in the Northern District of California (Asis Internet v. Vistaprint and Asis Internet v. Consumerbargaingiveaways) came to a different conclusion, finding that section 17529.5 was not preempted, even though this statute does not require a showing of reliance or damages. (Odd sidenote: the Reunion plaintiffs are represented by the same lawyers who are representing defendants in this case.)

Judge Conti found that Virtumundo "did not clearly resolve this split." In his view, the Ninth Circuit in Virtumundo found the plaintiff's claims under Washington's spam statute preempted because those claims reached "non-deceptive statements." The court focused on the fact that in Virtumundo, plaintiffs were complaining about immaterial errors in emails (the fact that an advertiser's name did not "expressly appear in the 'from lines,'" and Virtumundo's use of "fanciful domain names"). Judge Conti viewed Virtumundo (and Mummagraphics) as standing for the proposition that only state law claims that reach immaterial errors and omissions were preempted. The court's discussion on preemption is in depth, and worth reading. Ultimately, the court concludes that requiring the elements of reliance and damages would have one practical consequence:

[i]t would limit the scope of entities that are entitled to bring suit under section 17529.5. It would restrict enforcement suits to the (presumably more rare) case where a plaintiff actually been duped by a misleading subject line. The bulk of deceptive email would go unpunished, until such an email happened to mislead someone with the resources and wherewithal to pursue a private claim.

The court found that Congress could not have intended this result under CAN-SPAM.

5. Whether the Enforcement Mechanism of Section 17529.5 Conflicts With CAN-SPAM: The final issue (which it sounds like defendants didn't press, but which to me was the most interesting) was whether the enforcement mechanism of the California spam statute conflicts with CAN-SPAM. CAN-SPAM only allows for enforcement by two classes of entities: (1) certain government actors and agencies and (2) bona-fide ISPs who have been been "adversely affected". The California spam statute on the other hand allows the Attorney General, ISPs, and recipients of emails to bring suit. As the court notes, allowing a broader class of plaintiffs to sue under state law may "disturb . . . the fine balance struck by Congress . . . ." However, the court concludes that it would not upset the balance intended by Congress because CAN-SPAM's preemption savings clause only speaks to the subject of state law (rather than the class of plaintiffs authorized to sue). The court also noted that there was no evidence of Congressional intent to "occupy the field."

____

My Reaction: The court is right that Virtumundo and Mummagraphics found the state law claims in those cases to be preempted by CAN-SPAM because those claims relied on immaterial errors. However, California plaintiffs typically raise similar claims, and courts have not been the most vigilant about scrutinizing them. Plaintiffs seem to construe California's spam statute pretty broadly. For example, in Trancos, the recent decision following trial, and Kleffman v. Vonage, a case pending in front of the California Supreme Court, some of the arguments raised by plaintiffs were similar to the arguments raised by Gordon in Virtumundo. The preemption structure only works if courts dealing with the state law claims use the same standard for what is false or deceptive.

The practical consequence of the court's ruling is to open a gaping exception to the enforcement structure that Congress may have intended. Congress intended only two classes of actors to enforce CAN-SPAM: (1) the authorities and government agencies and (2) bona-fide ISPs who were adversely effected. CAN-SPAM does not allow for enforcement by mere recipients of email, and doesn't allow for enforcement where the recipient does not suffer any injury, and the court's ruling opens the doors to this enforcement. This is particularly troubling, given that many plaintiffs do not take steps to avoid email and may even invite the harm in question. To the extent they are trolling for spam emails in order to bring lawsuits, they are really no different from a member of the general public.

Another issue to consider is the scope of affiliate liability. It wouldn't make sense for state laws to hold a broader category of actors liable (under a lower standard) than CAN-SPAM, but this could be a practical result of allowing these types of claims to proceed under California's spam statute.

Finally, I'm not sure there's anything wrong with allowing ISPs and those with sufficient resources to sue, when they actually have been harmed. I doubt we've derived much benefit from the proliferation of the anti-spam litigation "cottage industry."

What Does the Ruling Mean For Spam Litigation: The ruling gives spam plaintiffs in California some breathing room. With respect to subject line violations at least, plaintiffs can continue to bring claims under California's spam statute, and unfortunately, can continue to try to sue affiliates as well. They can bring claims in state court (as in Trancos) or in federal court, to the extent they are able to independently satisfy jurisdictional requirements. There is a case pending in front of the California Supreme Court (Kleffman v. Vonage - oral argument is set for May) which should clarify the scope of California's anti-spam statute and whether it's preempted, and Reunion.com is likely to be appealed as well, once it makes its way out of the trial court. But until then, plaintiffs will probably cite to this case for the proposition that subject line claims and other claims based on allegedly misleading aspects of emails that don't necessarily violate CAN-SPAM are not knocked out by CAN-SPAM's preemption clause.

Other Asis Cases: Asis has filed many many different spam lawsuits. 13 alone according to a Justia search. There's been ongoing activity on several of those cases recently:

Asis Internet . Azoogle.com, Case Nos. 08-15979 and 08-17779 (9th Cir.) (Dec. 2, 2009): 9th Cir. affirms dismissal of claims brought against various entities for lack of standing and because Asis failed to prove affiliate liability.

Asis Internet v. Member Source Media, Case No. C-08-1321 EMC (Jan. 28, 2010): CAN-SPAM claims dismissed.

Asis Internet v. Active Response Group, Case No. C07-06211 TEH (Feb. 9, 2010): dismissed for lack of standing under CAN-SPAM; state law claims dismissed without prejudice.

Posted by Venkat at 08:00 AM | Spam

March 27, 2010

Another Court Finds that TCPA Applies to Text Messages -- Lozano v. Twentieth Century Fox Film Corp.

[Post by Venkat]

Lozano v. Twentieth Century Fox Film Corp., Case No. Civ. 09-cv-6344 (N.D. Ill) [scribd]

A court in Illinois rejected a motion to dismiss filed by defendants in a class action brought on behalf of plaintiffs who received SMS spam marketing an animated film called "Robots". The court's ruling is not surprising, given the other cases which have come to a similar conclusion. (Abbas v. Selling Source, LLC; Satterfield v. Simon & Schuster)

Are Text Messages "Calls" Under the TCPA: The court grants the FCC's interpretation some deference and finds that text messages are "calls" for purposes of the Telephone Consumer Protection Act.

Do SMS Spam Plaintiffs Have to Allege They Were Charged for the Text Messages: The court concludes that "the plain language of the TCPA does not require Plaintiff to allege that he was charged for the relevant call at issue in order to state a claim" under the TCPA. The defendants in Selling Source raised a similar argument which the court in that case rejected.

Does Section 227 of the TCPA Violate the First Amendment: First Amendment challenges in the context of laws regulating unsolicited communications rarely get any traction. Predictably, the court in this case rejects the First Amendment challenge raised by defendants.
___

Taken together, several recent cases have concluded that: (1) text messages are "calls" under the TCPA, (2) a message can violate the TCPA if it is sent with equipment that has the capacity to send or store messages using a "random or sequential number generator," and (3) a plaintiff need not allege that he or she was separately charged for the message in order to bring a claim under the TCPA. This does not leave much room for a company trying to market through text messages. Marketers are forced to rely on a recipient's consent/opt-in, and as the Satterfield case illustrates, this is a risky road to go down.

The cases all acknowledge that the TCPA was not enacted with text messages in mind, since text messaging was not around when the TCPA was enacted. The laws have some catching up to do, and it will be near impossible for the law in this context to keep pace with rapidly changing technologies. Either way, this case serves as a good reminder as to the perils of marketing through text messages.

Posted by Venkat at 01:42 PM | Spam

March 25, 2010

Craigslist Wins $1.3M Default Judgment Against Autoposting Facilitator -- craigslist v. Naturemarket

[Post by Venkat]

craigslist, Inc. v. Naturemarket, Inc., Case No. C 08-05065 PJH (MEJ) (N.D. Cal. March 5, 2010) [scribd] (report and recommendation adopted on February 5, 2010)

Craigslist obtained a 1.3 million dollar default judgment against defendants Naturemarket, Inc. and Igor Gasov.

Naturemarket (doing business as powerpostings.com [typical bad choice of name]) sold software which allowed its customers to automatically post listings to craigslist. As advertised by defendants, the software made "the difficult craigslist posting process child's play and [helped users] manage and multi-post . . . ads." Defendants also advertised "posting agent" services where defendants would post ads on behalf of customers. Finally, defendants sold software that scraped email addresses from the craigslist site.

Craigslist sued alleging claims under (1) copyright; (2) DMCA; (3) the Computer Fraud and Abuse Act; (4) trademark; (5) breach of contract/terms of use. Defendants failed to contest the suit. The court granted default judgment against defendants:

Copyright Infringement: Craigslist alleged it registered protectable elements of its site (the "post to classified, account registration and log-in features") and that defendants copied these elements of the craigslist site when developing, testing, and using their auto-posting software. The court accepted these allegations at face value, notwithstanding questions as to what parts of the craigslist site were copyrightable (minus the listings themselves, obviously), how the copying here was different from search engine copying under an implied license, and the fact that it's awkward to conclude that browsing in excess of the terms of use constitutes copyright infringement.

DMCA Violations: The court agreed with craigslist that defendants violated two provisions of the DMCA through making available, among other things, "pre-verified craigslist accounts and CAPTCHA credits." There's precedent that supports the proposition that at least some of these types of acts do not violate the DMCA. (See, for example Egilman v. Keller & Heckman, LLP, 401 F. Supp. 2d 105, 113-14 (D.D.C. 2005) ("using a username/password combination as intended--by entering a valid username and password, albeit without authorization--does not constitute circumvention under the DMCA.").) Real made a similar argument to the one defendants would have made here, but this argument was rejected. Either way, the trouble with the court's conclusion is that it's not clear that a violation should be based on use of an anti-circumvention mechanism in a way that's not authorized. This isn't the type of conduct that the DMCA is necessarily meant to address. Mike Masnick flags this aspect of the ruling here.

Computer Fraud and Abuse Act: The Computer Fraud and Abuse Act claims were premised on access of craigslist computers in violation of the craigslist terms of service. This argument is often used in civil cases, but most recently received attention in the Lori Drew case, a criminal case. The Lori Drew case illustrated many of the problems with imposing Computer Fraud and Abuse Act liability based on violations of a terms of use. Professor Goldman's post when the case first started is a good read.

Trademark Infringement: Craigslist alleged that defendants used the craigslist mark "in the text and . . . the headings of sponsored links on internet search engines to advertise their auto-posting products and services." The court cites to American Blinds for the proposition that this will cause "initial customer confusion". (Here's one of Prof. Goldman's posts on American Blinds.) It's odd to see craigslist arguing initial interest confusion. These are the types of arguments one would expect to see against craigslist (for example by someone suing it for trademark infringement, not made by craigslist.

Breach of Contract/Terms of Service: Craigslist pointed to provisions in its terms of use which prohibited the use of automated means and posting agents to post listings. Craigslist argued that defendants violated these provisions and induced craigslist users (who were customers of defendants) to violate these provisions. The court awards $840,000 in liquidated damages based on the terms of use claims asserted by craigslist. Craigslist argued that defendants posted at least 18,200 ads or alternatively defendants posted 4,200 ads as a posting agent. The court assumes for purposes of calculating damages, that the lower number is correct and awards $840,000 based on this number. For each listing posted in violation of the terms of service, the court awarded $100 in liquidated damages (and an extra $100 for each item posted as a "posting agent"). [Note to self: be careful about posting items in violation of the craigslist terms of service!]

Attorney's fees: Craigslist sought $83,614.45 in fees, for the work performed by 5 lawyers and one paralegal. The court found the hours expended reasonable, but reduced the hourly rate slightly, ultimately awarding $65,038.20 in fees. (As a side note, what's up with the reduction in billing rates by one dollar in the April-June 2009 time period. The hourly rates for one partner went from $525 in 2009 to $550 in January-March 2009, to $549 in April-June 2009. Does the one dollar change in someone's hourly rate really matter?)

____

This case is similar in many ways to Ticketmaster v. RMG, where Ticketmaster sued RMG, a company that automated the ticket buying process on behalf of its customers. Following the issuance of an injunction, Professor Goldman noted that this case was "a troubling Cyberlaw development." The claims asserted by craigslist here suffered from some of the same weaknesses as those in Ticketmaster. On the other hand, this was in the context of a default judgment, where the good faith allegations in the complaint are taken as true, and craigslist knew it had to only make colorable arguments. It wants to keep out certain perceived bad actors. In the default judgment context, I'm not sure how much it can be faulted for not fine-tuning its legal arguments. That said, it's always tough to read through these types of rulings without cringing.

One of the more troubling things about the ruling is how the terms of use supports three separate claims: the copyright claims, the Computer Fraud and Abuse Act claim and, of course, the breach of contract claim. It's unsettling to see the website terms of service (which are typically tough to read and digest, rarely read by end users, and incredibly one sided) be given enough clout to support serious statutory violations. But this is nothing new, and courts always seem to be willing to accept these types of arguments.

Another issue for craigslist to consider is whether any of the arguments could come back to bite craigslist. I haven't thought through whether there was a good section 230 argument to be made here, I'm guessing not. Assuming there was, it doesn't seem like such a good idea for craigslist to knock down that argument. It's the classic section 230 beneficiary. At any rate, at a basic level, craigslist is ultimately suing Naturemarket based on harm caused by end users. This is exactly what state regulators did to craigslist. The initial interest confusion argument is also one that does not seem like it's in craigslist's interest to push.

Finally, I'm always curious as to what these damage awards accomplish. How often does the company chase down the defendant's assets? More likely, this is something that can be waved around to other potential defendants to get them to comply and/or settle.

Related: Mike Masnick discusses some of these issues in a post flagging an early round of lawsuits filed by craigslist against spammers: "Craigslist's Dumb Lawsuit Against Spam Tool Provider"

Posted by Venkat at 09:25 AM | Content Regulation , Copyright , Licensing/Contracts , Spam , Trademark

March 22, 2010

Plaintiff Wins $7,000 Following Bench Trial on Claims Under California Anti-Spam Statute -- Balsam v. Trancos

[Post by Venkat]

Balsam v. Trancos, Inc., Cal Sup. Ct. Case No. (Civ.) 471791; March 10, 2010 [scribd]

Although spam lawsuits have not gone particularly well for individual (non-ISP) plaintiffs, Dan Balsam recently took a case to trial in San Mateo Superior Court and was awarded $7,000 in damages.

Balsam sued under the California Legal Remedies Act (1750) and California's anti-spam statute (section 17529). The court held that Balsam could not maintain an action under section 1750 because he was not a "consumer" and did not sustain any damages, and dismissed the 1750 claim. His claim under section 17529 was tried to the bench and he was awarded $1,000 in statutory damages per email.

Background: Defendant Trancos registered numerous domain names through DomainsByProxy. Through Defendant's "Meridian" division, Defendant entered into a deal with Hi-Speed Media/ValueClick under which Defendant "managed" several email lists and sent out emails. Trancos and Hi-Speed Media shared revenues generated from transmission of the emails. Trancos discontinued this conduct in 2007 and according to the court had "stopped the allegedly wrongful conduct of which [Balsam complained]."

The Emails: The trial was over eight email messages. The emails were sent through various domain names (privately) registered to Trancos: misstepoutcome.com, modalworship.com, moussetogether.com, mucousmarquise.com, minuteprovenance.com, minecyclic.com, mythicaldumbwaiter.com, and nationalukulele.com. (How on earth did Trancos come up with these domain names!) The subject lines of the emails were typical unsolicited email fare, and ranged from inviting people to take surveys and get paid ("Get paid 5 dollars for 1 survey") to dating-related invitations ("It's a Great Time to Say Hello to Someone New!"; "Date Single Christians"). The emails did not purport to be from anyone particular. The "from" email addresses were from accounts such as "franchisegater@modalworship.com," and "dating@mythicaldumbwaiter.com". The emails contained varying opt-out text and (in some cases) links.

The Court's Ruling: The court held that Balsam's claim under section 17529 was not preempted under federal law. Defendant pointed to Virtumundo and argued that CAN-SPAM preempts state email statutes which reach immaterial errors in emails. The court rejected this argument noting that in Virtumundo, the plaintiff did not put forth any evidence that the emails at issue rose to the level of "falsity and deception" excluded from CAN-SPAM's preemption clause, and on the basis that the Washington statute was different from the California statute (nothing in the Washington statute required any misrepresentations to be "material").

The court looked to the "from" addresses in the emails and held that the "'senders' identified in the headers of the . . . emails do not exist or are otherwise misrepresented . . . [i]n those same headers reflecting the 'from' line of the email, the referenced sender email is a non-existence [sic] entity using a nonsensical domain name reflecting no actual company . . . ." The court also relied on the fact that the address at the end of the email messages (a PO Box in Santa Monica) was registered in the name of a non-existent entity.

Although the plaintiff "was not tricked into believing that [the] emails were anything other than commercial advertisements . . . and was not tricked into seeking to purchase any goods or services," the court held that seven of the emails violated 17529.5(a)(2) because the emails had "falsified, misrepresented, or forged header information." The emails came from Trancos, "but none of the emails disclose[d] this in the header."

Observations: The two significant preemption CAN-SPAM cases (Mummagraphics and Virtumundo) both held that state laws which prohibit immaterial misstatements in emails are preempted. There's another district court case which went beyond this and held that a plaintiff had to satisfy the "actual fraud" standard in order to successfully assert a spam claim under state law (Reunion). The cases in this context often look to whether the plaintiff could have easily ascertained where the email came from. In Mummagraphics the court relied on the fact that the plaintiff could have easily determined where the email originated from in finding the error immaterial (and the claim preempted). In Kilbride, a criminal case, the court imposed liability, finding that the sender's use of GoDaddy's privacy protection services was evidence of the sender's intent to mislead the recipient. In this case, there were similar facts. None of the emails at issue in this case stated where they originated from (or on whose behalf they were sent). Defendant used a lot of names of companies that did not exist, and got a PO Box for the company in the name of another non-existent company. That said, the violations didn't fit nicely within the statute.

17529.2: The court quoted section 17529.2, which is a blanket prohibition on the transmission of unsolicited email to or from a California email address. This section of the statute is obviously dead on preemption grounds and can't support liability.

17529.5: The court also looked to section 17529.5 which is similar to the anti-spam statutes of many states, including Washington. This section prohibits the transmission of email that (1) "contains or is accompanied by" a third party's domain name without permission; (2) "contains or is accompanied by falsified, misrepresented, or forged header information;" or (3) has a misleading subject line. The court found that the subject lines were not likely to mislead and in fact Balsam was not misled by the subject lines. The court didn't expressly find that the emails contained or were accompanied by a third party's domain name without permission. There was no violation of this provision since there was no dispute that Trancos owned the domain names at issue.

The court found that Trancos violated the header information prong, because there was no such person or entity referenced in the "from" line. It's tough to see how this is the case, since the header information was not forged. If you own or control a domain name, you are free to create any number of email addresses that can send emails through the domain name, and no one sees anti-spam statutes as requiring the reference in the from line to refer to an actual living person. I have received numerous emails from "customer support" or "orders" at Amazon.com and I'm fairly confident that there's no such person at Amazon.

What this section of the statute actually gets at is the transmission of emails that appear to come from someone when they actually don't, or the obfuscation of header information. There was no evidence of either in this case. The plaintiff in Virtumundo raised somewhat similar arguments, which were rejected by the trial court. On appeal, the court found that the claims were similar to the ones raised by the plaintiff in Mummagraphics (arguably because accurate WHOIS information could have readily identified the sender of the emails) and held that the claims were preempted under Washington's email statute. There's a colorable argument to be made that nothing in Virtumundo precludes a claim under 17529.5(2), but the differences in the statutory language cut against Balsam's claims. The California statute prohibits "falsified, misrepresented, or forged header information," while the Washington statute prohibits emails where the sender "misrepresents or obscures any information in identifying the point of origin or the transmission path." The Washington statute incorporates a "point of origin" concept that makes it easier to argue that a violation occurs if you include an email address in the from line that's related to a non-existent company.

The final point to consider is that Balsam admitted that he didn't suffer any "adverse effects" of the sort that the court held were required to support a claim under CAN-SPAM. Balsam didn't expend any funds on bandwidth, filtering, infrastructure, etc. His sole injury was the fact that he mistakenly opened the message, and presumably, expended sums litigating his claims.
___

As the court notes, the California Supreme Court is currently considering Kleffman v. Vonage, a case that deals with the scope of California's anti-spam statute. Also, the Reunion case, dealing with the scope of CAN-SPAM preemption, is still stuck in the district court (in the Northern District of California). It's likely to be appealed to the Ninth Circuit.

It will be interesting to see how this plays out. In the meantime, kudos are due to Balsam and his counsel, who unlike James Gordon, Asis Internet, and other spam plaintiffs, are at least generating positive cash flow (if Trancos ever pays up).

Added: "Save the Mail Blog" asks whether it was worth it ("Lawyer Awarded $7k in Spam Suit: We do the Math"). SFGate also covers the ruling ("S.F. lawyer awarded $7,000 from e-mail spammer").

Posted by Venkat at 12:08 PM | Marketing , Spam

March 05, 2010

Eighth Circuit: No Derivative Liability Under Iowa Spam Statute -- Kramer v. Bartok

[Post by Venkat]

Kramer v. Bartok, Case No. 08-3841 (8th Cir. Feb. 19, 2010) (scribd link).

The Eighth Circuit recently reversed an award of $236 million in damages against a spam defendant based on a theory of secondary liability. The court found that the clear language of the Iowa statute only allowed for the imposition of liability against the sender.

Background: Kramer sued defendants Bartok, Perez, and Brown after allegedly receiving millions of spam emails advertising mortgage refinancing services. Kramer asserted claims, including claims under the Iowa's spam statute (then Iowa Chapter Code 714E, which while the suit was pending was replaced with Iowa Chapter Code 716A (which looks fairly different, and does not contain the term "initiate")), the Computer Fraud and Abuse Act, and trespass. According the Eighth Circuit, Kramer (who ran an ISP) actually only received twenty three offending emails, as the remaining millions of emails were blocked by Kramer's spam filter. Defendants produced no evidence at trial, and the lower court found that one of the defendants "dissembled" and sold the computers used by the enterprise. Kramer did not produce evidence that defendant Bartok actually sent the messages in question. The only evidence of Bartok's involvement was that she was "half owner of a business whose sole source of income was predicated on spamming," she signed an agreement for the procurement of mortgage leads, and she assisted Perez in destroying some of the relevant records in question.

The lower court found that Kramer produced no evidence of "actual damages," and rejected all of the claims except for the claims under Iowa's spam statute. With respect to this claim the court awarded $236 million in statutory damages ($10 per spam email).

The Eighth Circuit's ruling: The Eighth Circuit looked to the plain language of the statute and found that the statute only imposed liability on those who "use an interactive computer service to initiate the sending of bulk electronic mail." In other words, the statute was clear that it only imposed liability on someone who actually hit the send button.

Kramer argued that he had produced sufficient evidence of a civil conspiracy between Bartok and the other defendants to sustain a finding of derivative liability, but the court rejected this theory. In the court's view, if the statute didn't authorize the imposition of liability on those who conspired with the person(s) who initiated transmission of the messages (through the use of an interactive computer service), the court was not free to imply a cause of action based on this theory. While Kramer argued a common law conspiracy claim, the court found that Kramer's failure to produce evidence of actual damages precluded the imposition of derivative liability on Bartok. To allow Kramer to assert liability against Bartok based on a conspiracy theory absent evidence of actual damages would be an end-run around the statute's limited focus on those who actually sent the offending messages.

My thoughts: Derivative liability regarding spam and other types of advertising is a favorite topic of Professor Goldman's. I agree that absent clear standards, liability can move up the chain to advertisers and service providers, and this can cause obvious problems.

Here, the court interpreted a statute which by its terms only imposed liability on the person who initiated the transmission of the messages, so the court's conclusion isn't particularly surprising. The fact that the plaintiff in this case only produced 23 emails and was awarded a whopping $236 million in damages (despite having failed to put forth evidence of actual damages) was probably not lost on the court either.

How does this relate to CAN-SPAM: In the context of CAN-SPAM, the standards are slightly different. CAN-SPAM imposes liability on those who "initiate" or "procure" the initiation of noncompliant messages. "Initiate" is defined as "to originate or transmit [messages] or to procure the origination or transmission of [messages] . . . ." "Procure" is defined as "intentionally, to pay or provide other consideration to, or induce, another person to initiate [messages] on one's behalf." Where a civil claim is brought by an ISP, the term procure contains an actual knowledge or a conscious avoidance limitation. (section 7706(g)(2)) CAN-SPAM thus allows for the imposition of derivative liability, but makes it more difficult when the ISP is the one enforcing.

How have CAN-SPAM plaintiffs fared when they sought to impose this type of liability? Not very well. I haven’t done an exhaustive tally, but on the civil side there have been several defense wins (Hypertouch v. Kennedy Western, Asis Internet v. Optin Global, Fenn v. Redmond Venture). On the affiliate liability issue, these cases are typically resolved in favor of defendants on the basis that defendants were not (and had no reason to be) aware of the underlying violations. With respect to enforcement efforts by the FTC, the FTC lost a jury trial (Impulse Media), settled one case after the court found that affiliate liability is a question of fact (Cyberheat), and obtained a conviction (US v. Kilbride). (Oddly, after losing the jury trial in the Impulse Media case, the FTC sought to obtain injunctive relief against Impulse Media. The court denied this request.) Overall, the case law is largely defense favorable. Although CAN-SPAM allows for derivative liability, courts and juries have not been quick to impose it.

Related posts: "Affiliate Liability Talk Notes From SMX West"

Posted by Venkat at 09:15 AM | Derivative Liability , Marketing , Spam

January 31, 2010

January 2010 Quick Links

By Eric Goldman

Copyright

* An English translation of Google's December loss in France on a Google Book Search lawsuit.

* Ed Felten reports on a survey of files available via BitTorrent. Acknowledging some methodological limits, he estimates ~99% were likely copyright infringing.

* Elsevier B.V. v. UnitedHealth Group, Inc., 2010 WL 150167 (S.D.N.Y. Jan 14, 2010). Denying copyright statutory damages and attorneys' fees to unregistered foreign works is constitutional because the Berne Convention (which Elsevier argued prohibits the statutory formalities) is not self-executing.

* Techdirt: Singapore Court Rules That Online DVR Is Infringing...While Noting How Copyright Law Isn't Really Set Up For This

* Techdirt: If Banning The Internet For Sex Offenders Is Unfair, Is Banning The Internet For Copyright Infringers Fair?

* The Copyright Office issued new regulations on the deposit of online-only works: “The regulation establishes that online–only works are exempt from mandatory deposit until a demand for deposit of copies or phonorecords of such works is issued by the Copyright Office.”

Trademark/Publicity Rights

* American Airlines v. Yahoo settled. Previous coverage:
- Yahoo Subpoenas Expedia in American Airlines Lawsuit
- Fifth Circuit Denies Yahoo's Jurisdictional Appeal in American Airlines Case
- American Airlines v. Yahoo Venue Transfer Denied
- Yahoo Countersues American Airlines for Declaratory Judgment
- American Airlines Sues Yahoo for Selling Keyword Advertising

* Duplicity alert! Rescuecom is in court defending its keyword ads triggered by competitor Best Buy's TMs.

* Bev Stayart sues Yahoo again over publicity rights. My September 2009 blog post on her prior loss against Yahoo.

Pornography

* Clark v. Commonwealth, 2009 WL 5125009 (Ky. App. Ct. Dec. 30, 2009). Upholding a conviction when "Clark knowingly used a computer for the purpose of getting a minor, or a peace officer whom Clark believed was a minor, to take a sexually explicit photograph of herself."

* Am. Booksellers Found. for Free Expression v. Cordray, Slip Opinion No. 2010-Ohio-149 (Jan. 27, 2010). Ohio's Supreme Court partially upholds its state law restricting Internet distribution of harmful to juveniles material to juveniles when the communications are to recipients known or believed to be juveniles.

Spam

* United States v. Zein (E.D. Mich. 2009). Posting an ad on Craigslist constituted a "mass marketing" activity sufficient to trigger a 2 level sentencing enhancement.

* Comcast and e360 settled their lawsuit. Previous blog coverage.

Blogs/Social Networking Sites

* Sieber v. Brownstone Publishing Company, 2007 CA 002549 B (D.C. Superior Ct. Dec. 23, 2009). A building contractor sued Angie's List and other people over consumer reviews. My prior mention of the case. After 2 years of litigation, a DC trial judge dismissed all defendants on summary judgment and awarded one defendant-counterclaimant $18k+. The entire text of the memo opinion:

MEMORANDUM OPINION AND ORDER GRANTING MOTIONS FOR SUMMARY JUDGMENT OF ALL DEFENDANTS, DENYING PLAINTIFFS' MOTIONS FOR SUMMARY JUDGMENT, and GRANTING POOLE'S MOTION FOR SUMMARY JUDGMENT ON HIS COUNTERCLAIM signed by Judge Long, efiled, eserved, and docketed in chambers on December 23, 2009. It is ORDERED that the Motions for Summary Judgment of Brownstone Publishing Co., the Washington Post Company, John Kelly, and John W. Poole are granted; and it is FURTHER ORDERED that the Motions for Summary Judgment filed on behalf of the plaintiffs are denied; and it is FURTHER ORDERED that judgment shall be entered in favor of all defendants against the plaintiffs as to all claims in the Second Amended Complaint; and it is FURTHER ORDERED that judgment shall be entered in favor of defendant Poole and against plaintiff SCS Contracting Group LP as to Poole's Counterclaim against plaintiff SCS Contracting Group for $18,300 plus 6% (six percent) per annum interest, and a separate money judgment for this sum shall be docketed. Court Jacket not in chambers.

* FINRA Regulatory Notice 10-06: Guidance on Blogs and Social Networking Web Sites.

* Duer v. Henderson, 2009-Ohio-6815 (Ohio App. Ct. Dec. 23, 2009). A web publication telling a ghost story and describing the location of purportedly paranormal phenomenon on private property is not liable for any resulting trespass to real property.

* The “moldy tweet” lawsuit was dismissed.

* Two lawsuits holding that bloggers aren't subject to jurisdiction in the plaintiff's home court:
- Silver v. Brown, 2009 WL 5220297 (D. N.M. Nov. 30, 2009).
- Workman Sec. Corp. v. Phillip Roy Financial Services, LLC, 2010 WL 155525 (D. Minn. Jan 11, 2010)

* BBC: France ponders a right-to-forget law.

E-commerce

* Appliance Zone, LLC v. NexTag Inc., No:4-09-cv-0089-SEB-WGH (S.D. Indiana Dec. 22, 2009). Upholding NextTag's clickthrough-formed advertiser agreement. Mehmet Munur’s comments.

* Edward A. Zelinsky, “New York’s 'Amazon Law': Constitutional But Unwise.”

* Largo Cargo v. Google, a new complaint over allegedly mismanaged AdWord bids. This is the latest incarnation of the Almeida case. I think Largo Cargo’s complaint is still a no go.

* The NYT catalogs an impressive roster of futility for US dot coms trying to compete in China.

Miscellaneous

* Gmail will consult the user's prior emails to pick an ad if a particular email doesn't lend itself to a good ad.

* Illustrating the divergence between the open source community and the Wikipedia community, APC reports that 75% of Linux code is now written by paid developers.

* Oddee: 15 Funny Facebook Fails.

* I expect to be in the Netherlands May 23-30. Let me know if you would like to meet up there.

Posted by Eric at 01:19 PM | Content Regulation , Copyright , Derivative Liability , E-Commerce , Licensing/Contracts , Marketing , Publicity/Privacy Rights , Search Engines , Spam , Trademark | TrackBack

January 27, 2010

Utah May Repeal Its Spyware Control Act--SB 26

By Eric Goldman

It's that time of year again. The Utah legislature is back in session and cooking up new schemes to regulate the Internet. So far I only see one Internet-specific bill in queue, SB 26. Surprisingly, it does not directly attempt to regulate keyword advertising.

SB 26 is sponsored by Sen. Stephen H. Urquhart, who rocketed to national cyberlaw fame (infamy?) in 2004 when he sponsored Utah's Spyware Control Act. It was such a misguided law that it motivated me (in part) to write a 71 page magnum opus explaining its policy deficiencies. It was also hampered by its fairly obvious unconstitutionality, which was confirmed by a Utah court a few months after passage. (Note: I helped write an amicus brief in that court challenge, so you might interpret my assessment as an advocacy statement). Following the judicial thumping, then-Rep. Urquhart shepherded an amendment to the Spyware Control Act in 2005 that effectively neutered the law. Since then, I believe the law has sat largely dormant. The only court citation I know of was in the 2008 Overstock v. SmartBargains case, easily rejecting Overstock's mystifying attempt to make a claim under the superseded 2004 version of the law.

Among other items I'll discuss in a moment, SB 26 proposes to repeal the Spyware Control Act entirely. If passed, that would be a remarkable development because most legislators let their failed laws sit on the books unused. It takes some work to repeal a law, plus it can be a little embarrassing to repeal a law--especially after hyping up the law to get it passed initially (Urquhart had a lot of tough talk about spyware/adware in 2004-05, see, e.g., here). Kudos to Sen. Urquhart for having the fortitude to admit and fix his errors publicly.

While repealing the law would be a remarkable step on its own, it's even more remarkable in the context of the Utah legislature's track record of Internet regulation. By my count, repealing the Spyware Control Act would be at least the THIRD Utah Internet law that its legislature repealed in the past few years--the other two being Utah's 1995 digital signature act and its infamous Trademark Protection Act. For a legislature that meets only a couple of months a year, a trifecta of repealed Internet laws in the past couple of years is a stunning waste of scarce legislative resources. Wow.

As bad as that is, the three repealed laws don't even tell the full story of the Utah legislature's incompetence when it comes to Internet regulation. Recall Utah's failed attempt to line its coffers by taxing email (which turned into a big money-loser), and don't forget its repeated attempts to regulate Internet content that have spawned years of costly litigation (see, e.g., Free Speech Coalition v. Shurtleff). From my perspective, anyone looking objectively at the Utah legislature's track record of regulating the Internet would logically conclude that they should cut their losses and focus on other legislative priorities.

Unfortunately, SB 26 indicates that either hope springs eternal in the Utah legislature or they are doomed to forget the lessons of history. Despite doing some good by putting down the Spyware Control Act, the bill amazingly proposes more regulations of the Internet! To Sen. Urquhart's credit, the bill is largely clone-and-revise proposals from other places and not drafted from scratch, which may contribute less from a regulatory standpoint but at least they aren't quite as error prone. The proposed law has three main components:

1) anti-phishing/anti-pharming restrictions. I'm not sure where the original text came from. California has an anti-phishing law but I don't think this is a clone-and-revise of that law. Maybe it's cloned from another state's anti-phishing law. In any case, the anti-"phishing" proposal is noteworthy because the regulation doesn't restrict itself to email (presumably to avoid any risk of CAN-SPAM preemption). As a result, as currently drafted, it's an unlimited anti-pretexting law applicable to both online and offline conduct.

2) anti-spyware restrictions. After wiping out the Spyware Control Act, the new anti-spyware proposals are based on the California model of state anti-spyware laws, which have been followed by a couple dozen other states. The California model regulates various types of "intentionally deceptive" conduct regarding software activity. This is what Utah should have done in 2004-05 rather than trying to develop its own sui generis law. I generally don't have a problem with regulating intentionally deceptive software behavior, but it seems a little late to be enacting the laws now. Most of the regulations contemplate practices more common in 2003-06 and largely defunct now, so Utah is showing up late to a party that ended years ago.

3) a state version of the federal Anti-Cybersquatting Consumer Protection Act. I know some other states have enacted domain name protection laws (California comes to mind), but it's not clear what benefits these state laws have. As far as I know, California's law is almost never used. Tom O'Toole speculates that this bill will make it easier for Utah trademark owners to bring in rem lawsuits, but it's not clear to me how much this law will help given the rarity of ACPA in rem lawsuits (UDRPs are usually cheaper and faster for the same results) and already expansive jurisdictional principles under ACPA. Further, I wonder if this law is preempted either by the dormant commerce clause or via field preemption of the federal ACPA.

I should add that I’ve observed that Utah bills can change radically from draft to draft with little warning, even if the law is on the legislative floor for a final vote, so we'll have to see if this law transmogrifies through the process. And I am keeping a vigilant watch for any resurrected attempts to regulate keyword advertising.

Posted by Eric at 09:58 AM | Adware/Spyware , Domain Names , Internet History , Spam , Trademark | TrackBack

January 11, 2010

Top Cyberlaw Developments of 2009 (Eric's List)

By Eric Goldman

Guest blogger John Ottaviani recently dropped by to offer his perspectives on 2009’s top Cyberlaw developments. While I like his list a lot, I independently developed my own top 10 list that has a different emphasis. You might enjoy the contrasts. My list:

#10: Louis Vuitton v. Akanoc. After the judge ordered a web host to stand trial, a jury awarded the trademark owner $32 million due to the web host’s contributions to trademark infringement by its customers. This case stands out for the big damages award and as a rare example where an online provider was held liable under a contributory trademark liability theory. Many trademark practitioners are scratching their heads trying to figure out the import of this case, however. Does this case represent a dangerous new frontier of online liability? Was this a bad jury verdict fueled by poor defense lawyering? Or was this an appropriate outcome because the web host actually engaged in bad behavior that distinguishes it from most “legitimate” web hosts? 2010 may help us understand if this case is part of a new trend or an aberration.

#9: Gordon v. Virtumundo. We’ve seen a lot of silly anti-spam litigation, including the emergence of an entirely new group of entrepreneurs called “spam litigation entrepreneurs” who try to make a living on anti-spam lawsuits. These folks have a true love-hate relationship with spam; they hate it so much that they devote their lives to fighting it, but they love getting spam because each one is a potential revenue source. In general, judges hate spam a lot too, so over the years we have seen a number of doctrinally unsupportable results where judges bent the law to make sure spammers lost.

However, the judicial pendulum has swung in the opposite direction, and in Gordon v. Virtumundo, the Ninth Circuit destroyed a serial anti-spam plaintiff’s entrepreneurial business in a doctrinally questionable but strongly worded opinion. In short order, a number of other spam litigation entrepreneurs have seen their lawsuits shut down with emphasis. Due to this ruling, the era of anti-spammers partying in courts may be on the wane.

#8: Zango v. Kaspersky. The question raised in this issue is simple to state but hard to answer: who should decide what constitutes spam, spyware or a virus? Vendors of software designed to curb these threats would like unfettered discretion to make their classifications; businesses who are classified as a threat would like judges to overturn adverse decisions. As it turns out, in a relatively obscure provision (47 USC 230(c)(2)), in 1996 Congress said that software vendors get to make classifications decisions and unhappy businesses can’t complain about them. In June, the Ninth Circuit upheld Kaspersky’s decision to classify Zango’s software as a threat and rejected Zango’s efforts to take the classification decision out of Kaspersky’s hands. This ruling gives enormous freedom to vendors of anti-spam/anti-spyware/anti-virus software to do their best to keep us safe.

#7: Columbia Pictures v. Fung. This case came out just before the Christmas holiday, so it got lost in the holiday hoopla a bit, but it’s a case of potentially significant import. First, it held that the specific torrent sites at issue induced copyright infringement. Second, the court denied the torrent sites’ eligibility for the DMCA online safe harbors. In part, the court said that an inducing website was categorically disqualified from the DMCA online safe harbors. Like the Akanoc case, it’s not entirely clear if this result was a legal aberration or an appropriate reaction to the defendants’ poor choices. Either way, it is possible that more “legitimate” websites may change their behavior to minimize their exposure based on the legal precedents in this case. If they do, this case could have a major impact on UGC websites.

#6: Lori Drew’s acquittal. Megan Maier’s suicide remains a heartbreaking tragedy, but unfortunately, overzealous prosecutors compounded the tragedy by prosecuting Lori Drew using bogus legal doctrines. The tragic facts got a jury to convict Drew of some misdemeanor crimes. Fortunately, the judge recognized the legal errors of the prosecution’s theory and the jury’s conclusions and granted Drew an acquittal despite the jury findings. The judge finally got to the right result as a matter of Cyberlaw, but the case remains a chilling testament to prosecutorial power.

#5: Harris v. Blockbuster. The rule is really clear. Service providers can't amend online user agreements in the provider’s sole discretion without notice. As the Ninth Circuit informed us in 2007, those contracts don’t fare well in court. So although these provisions are in just about every online user agreement, they don’t work--as Blockbuster found out the hard way.

As part of the litigation detritus from the Facebook Beacon experiment, users sued Blockbuster for sharing their rental transactions with Facebook and all of their friends, allegedly in violation of the Video Privacy Protection Act. Blockbuster tried to bust the class action by invoking the contract’s arbitration clause. Instead, because Blockbuster had the impermissible amendment provision in its user agreement, the court said the contract was illusory and refused to send the case to arbitration.

This case should signal the end of the ridiculous amendment clauses. We’ll see how long it takes the lawyers to give the provisions up.

#4: Battles Over the First Sale Doctrine. We have seen numerous legal battles this year over the First Sale defenses in both copyright and trademark law.

Copyright owners try to engage in price discrimination by carving up the world into geographic territories with different prices for the same product. If they can use copyright law to keep the cheap products from entering the other geographic market, this keeps the product from effectively price-competing with itself.

This year, two cases involved European textbooks which were functionally equivalent to the textbooks being sold in the United States at higher prices. Entrepreneurs were buying the cheap European texts, shipping them to the US and then selling them online. The entrepreneurs invoked the First Sale doctrine, which says that copyright law can’t prohibit the legitimate purchaser of a tangible copyrighted item from reselling the item to whomever they want at whatever price they want.

However, copyright law has another provision that allows copyright owners to block the importation of copyrighted works into the United States. In the 1998 Quality King case, the US Supreme Court said that the First Sale doctrine trumped the importation right when the goods were manufactured in the US, sold overseas, and then imported back to the US. However, in Pearson v. Liu and John Wiley & Sons v. Kirtsaeng, the judges said that the importation right trumps the First Sale doctrine when the goods were initially manufactured overseas. This issue is ripe for further adjudication, though. A similar importation case, Costco v. Omega, is pending before the US Supreme Court, which is deciding whether or not it wants to hear the case. If it does, we may get clearer instructions about the interplay between the First Sale doctrine and the copyright importation right.

Copyright’s First Sale doctrine was also at issue in Vernor v. Autodesk, where the purchaser of a software disk wanted to resell the disk on eBay despite restrictions in the software licensing agreement barring such resales. The court held that the First Sale doctrine applied and allowed the resale. There are other cases percolating through the court system involving the resale of tangible media contained copyrighted material despite contractual restrictions on resale, so this issue remains a hot one.

Trademark owners also try to prevent competition with their products that leak out of their official channels of distribution. eBay has been the site of a couple battles over the First Sale doctrine in trademark law. In Mary Kay v. Weber, the court held that the trademark First Sale doctrine may not permit the eBay resale of expired cosmetics by a Mary Kay independent beauty consultant. In Beltronics v. Midwest, a trademark owner shut down the eBay resale of radar detectors that had leaked out of the manufacturer’s channel and were being sold (at a cheaper price) without the manufacturer’s warranty.

Clearly, the First Sale doctrine matters a lot to eBay and other consumer-to-consumer e-commerce websites. With a possible pending Supreme Court case and lots of IP owners looking to stifle competition from goods they have already profited from, expect the First Sale doctrines to get lots of attention in 2010.

#3: 47 USC 230. In my opinion, 47 USC 230 is the most important Cyberlaw statute, so new 230 developments will make my top 10 list for the foreseeable future. This year, there were three federal appellate court rulings interpreting 47 USC 230(c)(1):

* in Barnes v. Yahoo, the Ninth Circuit held that 230 protected a website’s negligent delay in removing user content. However, if the website had promised removal to the user, the user could have a viable claim for promissory estoppel that would not be preempted by 230.
* in FTC v. Accusearch, the Tenth Circuit held that a website’s resale of pretexted phone records—even if those records were supplied by third party suppliers—did not qualify for 47 USC 230 protection because of their illegality.
* in Nemet Chevrolet v. ConsumerAffairs.com, the Fourth Circuit held that a consumer review website was not liable for user-supplied reviews, even when the website worked with the user to submit the review, and despite the plaintiff’s unsubstantiated claims that the website had fabricated the reviews itself.

Really, the big 47 USC 230 news in 2009 is the absence of big news. Specifically, 2009 reinforced that the Ninth Circuit’s 2008 Roommates.com decision—one of the most significant defense losses under 47 USC 230—did not rip open a major hole in the statutory protection of websites. Of the 13 cases that I have seen that have cited the Roommates.com en banc opinion, eleven have cited the case in favor of the defense. (See the list here). The two exceptions are the Accusearch case, mentioned above, and the New England Patriots’ lawsuit against StubHub over season ticket resales, an odd opinion that may not have much influence. Therefore, despite our fears about Roommates.com, the 47 USC 230 immunity remained healthy and vibrant in 2009. For more on this topic, see my special recap of 47 USC 230's year-in-review for 2009.

#2: Keyword Advertising Battles. Keyword advertising battles are another perennial topic on these year-in-review lists. A multi-billion dollar a year industry has sprung up around the sale of keyword-triggered advertising, including some keywords that may be third party trademarks, and trademark owners don’t like it at all. This has led to a multi-front battle between trademark owners, keyword advertising sellers (such as Google), and keyword advertising buyers.

One of the biggest Cyberlaw cases of the year was the Second Circuit’s ruling in Rescuecom v. Google. In the district court in 2006, Google won an easy victory against a trademark owner because the court said that Google did not make the requisite “use in commerce” of the trademark. The Second Circuit reversed the district court, sending the case back for further proceedings. The reversal does not ensure Google’s defeat; Google will now litigate other legal doctrines and might very well win on one of those. However, the Second Circuit’s opinion largely spells the end of any “use in commerce” defense by either keyword advertising sellers or buyers.

Because of the “use in commerce” defense’s demise, keyword advertising cases will now likely turn on whether the advertisements create a likelihood of consumer confusion. One case, Hearts on Fire v. Blue Nile, offered up a new and complicated test for gauging consumer confusion. If other courts adopt this test, keyword advertising cases will get even more expensive and complicated—highlighting how important it was that the Rescuecom case eliminated an easy way to end these lawsuits early.

Meanwhile, despite the fact that keyword advertising battles have been taking place for at least a decade, we have not heard what a jury thinks about the practice—until the November jury ruling in Fair Isaac v. Experian. In that case, the jury found for the defense that the keyword-triggered ads did not create the requisite likelihood of consumer confusion. It remains to be seen if other juries reach the same conclusion. If they do, keyword advertising lawsuits should slowly fade away over time because the trademark owners can’t win in the end.

As for now, keyword litigation is going strong and hardly fading away. In Spring, Google made two changes to its trademark policies where it voluntarily agrees to take down certain types of ads at the trademark owner’s request. In May, Google extended its more liberal US-based policy to nearly 200 other countries, replacing the more restrictive policies it had in place there. Shortly thereafter, Google modified its US policy to do less for trademark owners in situations involving product resales, review websites and sales of complementary/replacement parts. Trademark owners were none too pleased with these changes. In response to these changes and the door opened by the Second Circuit Rescuecom decision, Google got hit with about a dozen new lawsuits, including some class action lawsuits, of which I believe 10 are currently still active.

Finally, all of the wrangling in court and over voluntary trademark policies could be mooted by legislative action, and for the third time, the Utah state legislature considered resolving the keyword advertising issue itself. A law regulating keyword advertising passed the Utah house but died in the Utah senate. Expect the pro-regulatory forces to round up the troops for a fourth try in 2010.

#1: FTC Endorsement Guidelines for Bloggers. The Obama administration has breathed new life into a pro-regulatory FTC, and the FTC sure is interested in all things Internet. The FTC has been nosing around Internet privacy and Internet marketing practices pretty carefully, and I expect 2010 to bring more FTC pronouncements designed to tackle the Internet.

But nothing stirred up a hornet’s nest of confusion and anger in 2009 like the FTC’s Endorsement and Testimonials Guidelines. I think it’s fair to say that the FTC’s guidelines rollout was a complete failure. As usual, the FTC’s guidelines were mealy-mouthed and filled with conditional statements (the FTC hates to lay out bright line rules that might constrain their future discretion). However, the FTC’s general gist was clear: bloggers should disclose when they receive financial or other consideration for their blog posts.

Unfortunately, this general principle leaves open some fairly fundamental questions, like when is disclosure required in situations less clear than straight cash-for-posting, and where should disclosure be made, especially in space-constrained media like Twitter. Needless to say, unhappy bloggers can be very noisy, so blogger response to the FTC’s announcement was loud and vituperative. The FTC tried to backpedal a little by saying that it did not intend to pursue individual bloggers, but this announcement only reinforced that bloggers do not understand what the FTC wants from them.

Meanwhile, the FTC’s proposed guidelines also took an interesting position about an advertiser’s liability for rogue blogger’s posts. This position is generally consistent with government enforcement agencies’ views that commercial players can be legally responsible for content they endorse or link to (see, e.g., my comments on the SEC’s liability-for-linking policy), but this position runs directly contrary to 47 USC 230’s provisions that say A isn’t liable for B’s online content. As a result, I believe that part of the FTC’s proposed guidelines violate 47 USC 230 and would not survive a court challenge.

Overall, the firestorm over the FTC’s Endorsement and Testimonials guidelines is a small part of a larger effort to regulatorily separate advertising from content. The Internet has collapsed those distinctions, perhaps irreparably, so regulators may be trying to accomplish the impossible. Nevertheless, the FTC seems determined to prop up the distinction, and I expect 2010 will bring more FTC efforts on this front.

* * * * *

While that concludes my top 10 list, there were a number of other interesting developments in 2009 that are worth a brief note:

* Moreno v. Hanford Sentinel. A woman trashed her hometown in an obscure but public MySpace posting and learned there is no “do-over” for Internet content publication. My vote for the most factually interesting Cyberlaw case of 2009.

* Google’s keyword metatag announcement. Courts generally treat the inclusion of third party trademarks in keyword metatags as per se trademark infringement. But Google has confirmed that it ignores keyword metatags. Will courts get the message?

* Google Book Search settlement. If the Google Book Search settlement ever gets approved, it may reshape the book industry, redefine libraries, and make all kinds of other socially significant changes. But the list of opponents to the settlement is long and growing. Professor James Grimmelmann of New York Law School is our community’s maven for all things “GBS.”

* Kindle book deletion. The Kindle store sold e-books it didn’t have the right to sell, so it took them back. Users learned of a key factual difference between physical books and e-books—the vendor can remotely make e-books go poof.

* States’ efforts to impose sales tax efforts based on marketing affiliates. For years, states have been looking for ways to make online retailers collect sales tax for them. They are generally stopped by Supreme Court precedent, but in 2008 New York finally figured out a workaround. The New York statute said that marketing affiliates were like traveling salespeople and thus created the physical nexus required for a state to impose sales tax collection obligations. The New York statute survived its first legal challenge, which opened the floodgates of other states passing similar laws hoping to get their piece of the action. Meanwhile, online retailers aren’t just rolling over; instead, they are threatening to cut off (or actually cutting off) marketing affiliates in states that enact these laws—thus potentially costing the states income tax from the marketing affiliates’ revenue, and creating the potential for the entire affiliate industry to be torn apart.

* Maine kids privacy law. Maine thought it could pass a law banning marketing to kids. It was wrong. The state had to withdraw the law and go back to the drawing board.

* UMG v. Veoh. Veoh won another nice DMCA online safe harbor victory.

* US v. Kilbride. The Ninth Circuit says that online obscenity prosecutions need to evaluate national attitudes towards obscene content, not local community standards.

* Kentucky domain name seizure. Kentucky tried to grab 141 domain names that enabled Kentucky residents to engage in illegal gambling. But those domain names also serviced customers for whom the gambling was completely legal, so the Kentucky courts are rethinking the grab.

* FTC v. Sears. As another example of the new pro-regulatory winds blowing through the FTC, the FTC cracked down on Sears for installing spyware on users’ computers that looked at the users’ hard drives, even though Sears paid the users for the installation and disclosed the spyware’s snooping in the user agreement (though in an inconspicuous manner). This case has made a lot of lawyers concerned that adverse disclosures in user agreements won’t satisfy the FTC.

* Facebook the Drama Queen. Ah, Facebook. Love it. Hate it. Facebook is a pretty nifty site and part of my daily routine, but boy, they sure do have a knack for stirring up trouble.

- In February, they made a relatively modest change to their user agreement that caused people to freak out.
- In response to this, Facebook took the provocative step towards user self-governance. Facebook let users vote on some choices and promised to be bound by the results, but with an asterisk: Facebook decided what options users could vote on, and Facebook would honor those choices only if a prohibitively large number of users exercised their franchise. Still, it was a nice gesture towards cyberspace community self-governance.
- In summer, they tried to settle their Beacon litigation, but that also reminded folks of how much Beacon irritated them in the first place.
- Summer also brought allegations of click fraud on Facebook, and lawsuits followed.
- Finally, in Thanksgiving, Facebook rolled out some changes to its privacy options that it pitched as giving users more choices, but it also took away some choices and defaulted users into some options that surprised them.

Given this track record, is it unrealistic to expect more Facebook drama in 2010?

* Estavillo v. Sony. Speaking of self-governance, virtual world enthusiasts would love to establish the legal proposition that virtual worlds are legally equivalent to governments and therefore obligated to restrain their actions just like governments are. One virtual world enthusiast sued Sony for kicking him off the network, claiming that Sony was legally governed as a “company town” and therefore lacked the discretion to kick him off. WRONG (and it wasn’t even close).

* Wikipedia's policy change. In August, the English-language Wikipedia announced that it was going to tighten up its editorial policies, and people Freaked Out. (In fact, I have predicted that Wikipedia cannot avoid increased editorial restrictions over time, so this change should not have been surprising). However, it turns out that everyone got it wrong, and Wikipedia’s editorial changes are far less dramatic (and consequential) than initially reported. I will post a separate recap on Wikipedia shortly.

If you would like a stroll down memory lane, you can see my previous top 10 lists from 2008, 2007 and 2006. Before that, John Ottaviani and I put together a list of top Internet IP cases for 2005, 2004 and 2003.

Posted by Eric at 10:46 AM | Content Regulation , Copyright , Derivative Liability , Domain Names , E-Commerce , Internet History , Licensing/Contracts , Marketing , Publicity/Privacy Rights , Search Engines , Spam , Trademark , Virtual Worlds | TrackBack

December 17, 2009

Court Finds that SMS Spam Messages are Subject to the TCPA and Rejects First Amendment Defense -- Abbas v. Selling Source, LLC

[Post by Venkat]

Abbas v. Selling Source, LLC, Case no. 09 CV 3413 (N.D. Ill.; Dec. 14, 2009).

I didn't think there was much dispute as to whether SMS spam falls under the Telephone Consumer Protection Act, but Judge Gottschall's order in Abbas v. Selling Source, LLC, tackles this issue and concludes that SMS spam messages are "calls," under the Telephone Consumer Protection Act. Along the way, the court addresses a few other interesting arguments, including defendant Selling Source's First Amendment defenses.

Abbas allegedly received SMS spam from Selling Source. Abbas sued Selling Source in state court under the TCPA. Selling Source removed and filed a motion to dismiss. The court rejected the crux of Selling Source's arguments.

Was Abbas Charged for the Text Messages? Selling Source's first argument was that Abbas did not allege he was charged for the text messages, and that the TCPA only applies to messages for which the recipient is charged. Due to lazy drafting, the statute is not totally clear on this issue. It contains a list of services to which the TCPA applies, but adds a catch-all: "or any service for which the called party is charged for the call." The question for the court is whether this modifier applies to numbers assigned to all types of services, or whether it's just a separate catch-all category. Following passage of the TCPA, the FCC concluded that the TCPA did not apply to calls to cellular customers for which the called party is not charged. Shortly after this FCC pronouncement, Congress passed a law that allowed the FCC to exempt from the scope of the TCPA any calls for which the called party is not charged. The court looked to this Congressional amendment and concluded that the TCPA applies to both "charged and uncharged calls." [Sidenote: should the applicability of the TCPA to "uncharged calls" affect the First Amendment analysis?]

Did Selling Source Use an Automatic Telephone Dialing System? Selling Source argued that Abbas failed to adequately allege that Selling Source used an auto-dialing system to send the messages. The Ninth Circuit dealt with this issue in Satterfield (discussed by Prof. Goldman here and Jeff Neuburger here), where it held that the TCPA only required that the calling mechanism have the capacity to store or produce numbers using a "random or sequential number generator," not that this mechanism was used to initiate the calls (messages). I'm not really sure what to make of this argument in the context of this case, since it's unclear exactly what equipment Selling Source used. Plaintiff certainly has no way of knowing this information at this stage in the litigation. Whatever it means for a piece of equipment to have the "capacity" to store or produce random or sequential numbers, I would guess - given the analysis in Satterfield and in this case - that any reasonably sophisticated piece of equipment fits the bill.

Does the TCPA Apply to SMS messages? Selling Source argued that the TCPA only applies to
"calls," and not to text messages (or that text messages were not "calls" under the TCPA). The court engages in a fairly lengthy analysis (which is worth reading) before concluding that "an SMS message is a 'call' within the meaning of the TCPA." Most people treat this as a foregone conclusion (or at least assume this is likely the case), given that the FCC has long held (starting from a 2003 FCC order) that text messages are "calls" within the TCPA. But Selling Source made some creative arguments that the court seemed to grapple with. Interestingly, the court declined to give the 2003 FCC order concluding that text messages were calls under the TCPA Chevron deference. (The court undertakes an independent look at the issue and concludes that SMS messages are "calls" within the meaning of the TCPA.)

Selling Source's First Amendment Challenge: Finally, the court rejects Selling Source's First Amendment challenge. Jaynes (and the Virginia spam statute) notwithstanding, First Amendment challenges to unsolicited marketing laws are a losing proposition. It wasn't a big surprise that the court didn't buy Selling Source's First Amendment arguments, but cost-shifting is typically advanced as one of the big evils sought to be addressed by unsolicited marketing laws. The court's interpretation of the TCPA potentially takes this out of the equation, at least in some cases. This leaves the privacy rationale, but accepting that rationale as a justification for laws governing unsolicited marketing may make way for lot broader regulation than most people think is appropriate from a First Amendment standpoint. I'm not quarreling with the court's conclusion, and I haven't taken a close look at the issue, but I thought this was worth noting.

***

It's worth mentioning that the court grants Selling Source's motion to dismiss on the basis of specificity. Although it finds plaintiff's claims viable as a matter of law, plaintiff is required to re-file and allege specifics regarding the receipt of the text messages in question.

It's also worth noting that last week a district court dismissed Computer Fraud and Abuse Act claims based on the receipt of SMS spam messages. See, my post here for a discussion of Czech v. Wall Street on Demand, Inc. As I mentioned in that post, the TCPA is a possible avenue for plaintiffs who receive SMS spam messages.

Posted by Venkat at 09:09 PM | Spam

December 11, 2009

Court Rejects Computer Fraud & Abuse Act Claim Based on Unsolicited Text Messages--Czech v. Wall Street on Demand

[Post by Venkat]

Czech v. Wall Street on Demand, Inc., No. 09-180 (DWF/RLE) (Dec. 8, 2009).

A Minnesota district judge rejected claims brought under the Computer Fraud and Abuse Act based on the receipt of unsolicited text messages. There's not much to the facts, except that plaintiff received unwanted text messages from Wall Street on Demand, Inc. She did not have a prior business relationship with WSOD. She (vaguely) alleged that she incurred fees and charges related to her receipt of these messages. Based on her receipt of unwanted text messages, she filed a claim against WSOD alleging violations of the Computer Fraud and Abuse Act and state statutes.

The Court's Ruling: The court dismisses plaintiff's amended complaint in an order that helpfully provides a summary of the Computer Fraud and Abuse Act (and recent 2008 tweaks) as it's used in the civil context. Plaintiff brings three possible claims: (1) a claim for obtaining information from her phone; (2) a claim for transmitting information or code through her phone; and (3) a claim for "accessing" her phone.

Information Claim: The court rejects the information-based claim because there's no information that WSOD allegedly obtained through accessing the plaintiff's phone. Plaintiff analogizes to websites and argues that any time someone sends a message to a mobile phone, information is "obtained" in the same way that information is obtained any time someone accesses a website. The court rejects this analogy, finding that "there is a fundamental difference between viewing websites and communicating with wireless devices such as cell phones by sending text messages." Even if the transmission of an unwanted text message somehow resulted in the "obtaining of information," the court concludes that there's no loss as a result of defendant having obtained the information.

Transmission Claim: The transmission claim requires plaintiff to allege that WSOD caused the transmission of code or information and as a result "intentionally caused damage without authorization" to plaintiff's device. The complaint fails on both counts. There wasn't a credible allegation of damage (there was no allegation of impairment to the machine) or of WSOD's intent to cause the damage.

Access Claim: The court rejects the access claim since plaintiff does not adequately allege that the unauthorized access was intentional.

My Take: The Computer Fraud and Abuse Act is an often abused statute, and this seemed like another example of a situation where the statute is being stretched to fit the conduct/harm that was not intended to be covered by the statute. I was surprised that plaintiffs cited to the Lori Drew case [link], which many people view as a classic example of stretching the statute to its breaking point. In some ways this case is reminiscent of ISPs using the Computer Fraud and Abuse Act to attack spam. Some courts were open to this; other courts expressed reservations to the applicability of the Computer Fraud and Abuse Act to spam. See, e.g., America Online, Inc. v. National Health Care Discount, Inc., 121 F. Supp. 2d 1255, 1275 (N.D. Iowa 2000) ("A disturbing issue is whether subsection (a)(5)(c) is intended to address UBE at all.").

The case is also somewhat reminiscent of Abrams v. Facebook, a lawsuit based on the fact that Facebook sent SMS messages to cellphone numbers provided by its users and would keep sending those messages even if the cellphone number changed owners. In a lengthy article, Prof. Goldman discussed the weaknesses of using phone numbers as identity authenticators.

Advice to plaintiffs. If the court dismisses your complaint, come back with additional facts. Do not merely add what the court here calls "background discussion" about the issue you are complaining about. In five or six separate instances, the court mentions the fact that the amended complaint is just a bulkier, more "dressed up version" of the old complaint . . . with no new facts. At a broader level, the court's understandable skepticism towards the damage claims in this case illustrates how difficult it is to bring claims based on unsolicited marketing communications (whether received via your phone or your computer).

Advice to defendants. Transmitting unsolicited text messages is not free of risk. The Telephone Consumer Protection Act is one possible avenue for plaintiffs, and courts are not always deferential to broadly (and poorly) worded opt-ins. (See Eric's post on Satterfield v. Simon & Schuster here.)

Posted by Venkat at 12:27 PM | Marketing , Privacy/Security , Spam

December 04, 2009

Ninth Circuit Rebuffs Another CAN-SPAM Plaintiff -- Asis Internet Services v. Azoogle.com, Inc.

[Post by Venkat]

The Ninth Circuit recently rejected [pdf] two appeals brought by CAN-SPAM plaintiff Asis Internet Services. The trial court granted summary judgment in favor of Azoogle and awarded costs. See Eric's earlier blog post on that ruling. Asis has brought numerous lawsuits against different defendants. While this ruling won't necessarily be used preclusively against Asis it will definitely be cited by the defendants in those cases.

Citing Gordon v. Virtumundo, the court finds that:

the mere costs of carrying SPAM emails over Plaintiff's facilities does not constitute a harm as required by the statute. While Plaintiff argues that employee time was spent on spam-related issues, Plaintiff concedes that it has no records detailing employee time. Plaintiff also spent money on email filtering, though the cost of email filtering did not increase due to the emails at issue. Such ordinary filtering costs do not constitute a harm. [cite omitted] Thus, Plaintiff has not suffered a harm within the meaning of the statute and lacks standing.

The entire memo opinion is about two pages, and the court spends a sentence noting that Asis is not entitled to relief under the California statute (17529.5) because Azoogle "neither sent nor procured the emails at issue, and therefore did not 'advertise' within the meaning of the statute."

The big take away is that courts seem to be able to sniff out people who they view as pursuing litigation for the wrong reasons. It's unlikely that Asis was truly damaged to the extent of even a fraction of fees and resources it spent on this case.

Plaintiffs who aren't large ISPs or social networking websites haven't found a very sympathetic audience, particularly at the appellate level. We're probably left with a regime where only larger ISPs, social networking websites, and state actors are able to effectively bring anti-spam lawsuits. The scope of preemption of California's anti-spam statute is still unclear (Kleffman v. Vonage was certified to the California Supreme Court) so this is one possible option for plaintiffs, but I can't imagine they'll be spending much energy on this.

Posted by Venkat at 07:31 AM | Derivative Liability , Marketing , Spam

December 01, 2009

"Spam Filter Ate My Electronic Filing Notice" Plaintiffs Get Another Chance -- Shuey v. Schwab

[Post by Venkat]

The "spam filter ate my electronic filing notice" excuse was an inevitable byproduct of the CM/ECF electronic filing system now in place in federal courts. As expected, courts have not been very sympathetic to this excuse. In an unpublished decision, the Third Circuit gave a party who advanced this excuse another chance. (The case caption is Shuey v. Schwab, Case No. 08-4727 (3rd Cir.; November 3, 2009). Here's a link to the Justia page.)

Plaintiffs brought civil rights claims against a township and certain police officers alleging excessive force. Defendants moved to dismiss. Plaintiffs failed to respond. The court issued an order directing plaintiffs to respond or "otherwise communicate with the court." Plaintiffs did not respond to this order either, and the court dismissed the action with prejudice. After the dismissal was entered, plaintiffs sought reconsideration, alleging among other things that their failure to respond was caused by "technological error." Specifically, counsel "explained that the court's electronically filed order was errantly tagged as 'spam' in counsel's email system and therefore was never delivered." The district court denied plaintiffs' request for reconsideration.

On appeal, the Third Circuit reversed, holding that before dismissing a case as a sanction the trial court must engage in some sort of merits analysis. The court's ruling doesn't directly address the "spam filter ate my CM/ECF notice" excuse, but gives the lawsuit a small dose of oxygen.

Although I'm sure we'll see parties continue to assert this excuse, I don't think courts will be very sympathetic. I guess common sense is the best advice here. Get a good spam filter and whitelist all domain names through which you are likely to receive electronic notices. When all else fails, keep track of your cases by checking PACER (or RECAP) once in a while!

Related: You can see my take on the ruling below here: "The Spam Filter Ate My CM/ECF Notice?," and posts on other cases where parties have asserted this excuse here (Russo v. Network Solutions, Inc.), here (American Boat Company, Inc. v. United States), and here (Stewart v. Avaya, Inc.).

Posted by Venkat at 10:15 AM | Spam

November 12, 2009

Tagged Settles Spam and Address Book Harvesting Claims Brought by NY and TX Authorities

[Post by Venkat]

Tagged, which is supposedly the "third-largest social networking site in the world" (whatever this means) recently settled enforcement actions brought by New York and Texas Attorneys General. (See coverage at Bits and Media Post.)

The basic allegations were that Tagged sent emails to people which falsely implied that the people were depicted (or "tagged") in photos in order to get people to sign up for the service. At sign up Tagged also allegedly failed to disclose that Tagged would access the address books of users and send emails trying to get friends of these users to sign up.

The Tagged settlements - details of which are recapped by David Johnson here - required Tagged to pay 250,000 and 500,000 to Texas and New York, respectively. The settlements also require Tagged to provide users with greater disclosure and require Tagged to jump through certain hoops before accessing the address book of a user. David notes that the enforcement actions were brought under a variety of New York statutes including New York's deceptive trade practices law and false advertising statutes. He notes that those statutes "would not be preempted by CAN-SPAM . . . [but] we will never know" for sure, since Tagged settled.

Although Tagged chose not to fight the battle, there's another case pending in California that is roughly analogous, where the court ruled that claims arising out of similar conduct were preempted by CAN-SPAM. (Hoang v. Reunion.com, discussed by Ethan here and here.) As Ethan notes, in the Reunion case, Judge Chesney ruled that CAN-SPAM preempted pretty much every type of email-based claim except for those sounding in common law fraud. Common law fraud has a high damage threshold and because none of the plaintiffs were able to show that they actually relied on, or suffered out of pocket loss due to, misstatements in any Reunion emails, Judge Chesney dismissed the claims against Reunion. (Incidentally, that case is mired at the district court level. Plaintiffs have indicated they plan to appeal, but defendants moved for sanctions based on the fact that plaintiffs represented to the court that they could file a third amended complaint containing adequate damage allegations but ultimately changed their minds and decided they wanted to appeal. The court deferred ruling on the pending motions and requested additional briefing from the parties.)

Tagged is also defending against a class action filed in California. The plaintiffs in this case allege claims under the Computer Fraud and Abuse Act and the Stored Communications Act, among other statutes. (You can access a copy of the complaint here (scroll down).)

So, what to make of these lawsuits against Tagged and Reunion?

1. I'm inclined to agree with Ethan that Reunion went too far in concluding that only claims for common law fraud are carved out of CAN-SPAM's preemption clause. Mummagraphics - the early appellate preemption case - concluded that immaterial errors are not actionable, but that's a far cry from the high bar set by the court in the Reunion case.

2. CAN-SPAM's preemption clause has a second exception for laws that "are not specific to electronic mail," I don't understand why plaintiffs don't try to rely on non-email specific laws. The Reunion plaintiffs brought claims under California spam statutes. Maybe there were structural (standing or damages-related) reasons for why they did so, but I was surprised they didn't just bring claims under California's unfair business practices statute. On a related note, with respect to the Tagged class action, the Computer Fraud and Abuse Act and Stored Communications Act don't seem like a good fit for these types of claims. The Computer Fraud and Abuse Act has a damage threshold that is probably tough to satisfy, and the Stored Communications Act regulates access to the contents of communications.

3. There isn't a ton of law on the scope of California's anti-spam statute, but the Ninth Circuit certified an issue to the California Supreme Court in Kleffman v. Vonage. I'm not sure if this ruling will add to the mix, but it should be interesting to see what the court does here.

4. It's tough to say whether these lawsuits illustrate that enforcement is better left in the hands of government regulators or whether private parties should play a role in enforcement. Excluding large ISPs, private plaintiffs don't seem to have accomplished very much by way of stopping spam. If anything, they have pushed the envelope, and ended up with a framework that makes private enforcement much harder. That said, here the Texas and New York enforcement actions followed the California class action against Tagged, so it's tough to say.

5. Where is the FTC in all of this? Busy regulating paid endorsements by bloggers I guess.

Posted by Venkat at 08:54 AM | Spam

November 02, 2009

October 2009 Quick Links

By Eric Goldman

Just a reminder that I am posting most of these types of links exclusively to my Twitter feed.

* Tricome v. eBay, Inc., 2009 WL 3365873 (E.D.Pa. Oct 19, 2009). Court upholds eBay user agreement's venue selection clause. Evan Brown covers the case.

* The AutoAdmit case is over. Above the Law and the Yale newspaper.

* Google doesn't want to hear your complaints about your reputation management.

* Moneygram settles with the FTC (to the tune of $18M) that its money wiring service was used to perpetrate fraud.

* The FTC scores a rare COPPA settlement, this time with Iconix for $250,000.

* John Wiley & Sons, Inc. v. Kirtsaeng, 2009 U.S. Dist. LEXIS 96520 (SDNY Oct. 19, 2009). Another federal court holds that the purchase of foreign-manufactured textbooks and resale in the US via the Internet is blocked by the importation right and not excused by the First Sale doctrine. My coverage of the analogous Pearson v. Liu ruling.

* Utah's "Don't Spam the Kids" registry survived a constitutional challenge. That doesn't make it good policy!

* Saadi v. Maroun. Blogger hit with $90k judgment for defamation. MLRC coverage. My initial blog post on the case.

* Erik Estavillo, the gamer who sued for being kicked off the PlayStation Network, is appealing his district court loss to the Ninth Circuit. I guess he wants to lock in the adverse ruling as the binding law of the Western United States. My blog post on the district court ruling.

* Susan Gindin, When are a Posted Privacy Policy and 'Enforceable' Terms of Use Not Enough? The Many Lessons Learned and Questions Raised by the FTC’s Action Against Sears.

* Rep. Paul Kanjorski wants to end 47 USC 230 with respect to bogus stock investing info? This legislation needs careful monitoring due to its potential perniciousness.

* Venkat has his own version of Quick Links on his site.

Posted by Eric at 05:08 PM | Content Regulation , Copyright , Derivative Liability , E-Commerce , Licensing/Contracts , Privacy/Security , Spam | TrackBack

October 30, 2009

Internet Obscenity Conviction Requires Assessment of National Community Standards--US v. Kilbride

By Eric Goldman

U.S. v. Kilbride, 2009 WL 3448360 (9th Cir. Oct. 28, 2009)

Jeffrey Kilbride and James Schaffer were porn spammers, operating through Ganymede Marketing, a Mauritian company. I previously blogged on their case in 2007. Their spam failed to comply with CAN-SPAM in several respects, including forged headers, fake email addresses and bogus contact info. The FTC claimed that it had received over 662,000 complaints about their spam. After a 3 week trial, a jury convicted them of criminal CAN-SPAM violations, criminal obscenity for 2 spammed images and other charges. Kilbride was sentenced to 6 1/2 years and Schaffer got over 5 years. Both appealed their convictions.

In the resulting Ninth Circuit opinion, the most important discussion relates to their obscenity convictions. The Supreme Court defined obscene material in the Miller case as:

(a) whether the average person, applying contemporary community standards would find that the work, taken as a whole, appeals to the prurient interest; (b) whether the work depicts or describes, in a patently offensive way, sexual conduct specifically defined by the applicable ... law; and (c) whether the work, taken as a whole, lacks serious literary, artistic, political, or scientific value [emphasis added]

On the Internet, the question arises: whose community standards? The Miller test anticipates that geographically dispersed communities could have different norms, and in theory an Internet content publisher needs to conform to all of them or at least the most restrictive ones. For an early example of this, see United States v. Thomas, 74 F.3d 701 (6th Cir. 1996) (involving a dial-in BBS). However, the cost and limitations of geographic authentication technology means that many Internet content publishers can't steer their content into or away from a particular geography. Personally, I think this is especially true for publishing content by email because I know of no effective way to accurately authenticate the geography of most email recipients.

The US Supreme Court squarely wrestled with the issue of disparate geographic communities being collapsed on the Internet in 2002 in its first Ashcroft v. ACLU ruling (this should be distinguished with the more influential second Ashcroft v. ACLU opinion from 2004, which I still teach today in Cyberlaw). That case involved a challenge to the 1998 Child Online Protection Act (COPA), and the Third Circuit had affirmed a preliminary injunction against COPA on the grounds that the application of a "contemporary community standards" clause to Internet publication was constitutionally infirm due to disparate community standards. In 2002, the US Supreme Court reversed the Third Circuit in a massively fractured way, with 5 different opinions and no clear consensus on anything.

To resolve this appeal, the Ninth Circuit had to divine a single rule of law from this mess-o-opinions. After parsing the inscrutable Supreme Court opinions, the Ninth Circuit concluded that "a national community standard must be applied in regulating obscene speech on the Internet, including obscenity disseminated via email." Whether or not the Ninth Circuit read the Ashcroft v. ACLU precedent correctly, it reached the only logical outcome for a communication medium without clear geographic authentication. Nevertheless, this is hardly an unquestionable conclusion; the Miller case expressly rejected a national standard (whatever that means): "obscenity is to be determined by applying 'contemporary community standards'...not 'national standards.'" Presumably, the 2002 Ashcroft v. ACLU opinion overwrote this statement from Miller (and similar statements in earlier obscenity cases), but no one really understands what the Supreme Court said in 2002.

While the Ninth Circuit reached a sound result, its ruling doesn't help these appellants. Even though the district court provided different jury instructions, the Ninth Circuit concluded that the district court's instructions were not "plain error" (the applicable review standard), so the convictions stand. Harsh.

Even if appellants wrested a reversal, I'm not sure it would matter because I have never fully understood the import of regionally disparate "contemporary community standards." The phrase only explicitly modifies the Miller test’s determination of whether a work "appeals to the prurient interests"--basically, whether the work appeals to content consumers' interest in sex. Community standards can also implicitly come into play with the determination of what is "patently offensive" or the perceived value of the work, but these are not explicitly referenced in the Miller test.

With respect to the prurient interest reference, I could imagine regional differences about some borderline cases (say, a sex education tutorial) or with respect to niche sexual interests, where the niche audience would find that the work appeals to their esoteric interests and the remainder of a region's population might find the work so unappealing that it’s not viewed as sexually interesting at all. But for a lot of "mainstream" pornography, my guess is that there are not meaningful regional differences about the work's sexual appeal. I haven't seen the 2 images at issue in this case, so maybe they fall into the borderline cases. Otherwise, I wonder if a new trial using national community standards would actually change the result. (Another reason for skepticism: our rage towards spam frequently causes us to ignore the rule of law when we have a chance to punish spammers).

In the ruling, the Ninth Circuit also rejected the defendants' facial and as-applied challenges to the criminal CAN-SPAM provisions. The defendants focused their attack on CAN-SPAM restrictions on falsifying information in a way that would "impair" spam blocking. The court concludes that none of the provisions are constitutionally too vague. This wasn't really a close case for the as-applied challenge because of the defendants' egregious handling of their email campaigns. In contrast, I would like to think the facial challenge has not been resolved permanently; these were clearly not the right defendants to raise or litigate the facial issues.

Along the way, the Ninth Circuit takes a swipe at domain name proxy registrations. Pulling a quote only slightly out of context, the court says "Based on the plain meaning of the relevant terms discussed above, private registration for the purpose of concealing the actual registrant's identity would constitute 'material falsification'" (one of the elements of a CAN-SPAM crime). You may also recall the recent Solid Host v. NameCheap case suggesting that proxy service providers could face contributory ACPA liability. Collectively, these two opinions indicate legally disadvantageous treatment for proxy service usage. Given this disconcerting trend, I don't see the domain name proxy business as a growth industry.

Thomas O'Toole also discusses the ruling.

Posted by Eric at 03:00 PM | Content Regulation , Domain Names , Spam | TrackBack

October 25, 2009

Tucows Not Liable for Spam Judgment Against 3rd Party Based on Private Registration Services -- Balsam v. Tucows

[Post by Venkat]

Judge Breyer (N.D. Cal.) rejected an attempt by a spam plaintiff to hold a registrar liable for a judgment against a third party based on private registration services provided by the registrar. (Balsam v. Tucows Inc., et al., CV 09-03585 CRB (N.D. Cal. Oct. 23, 2009). Access a copy of the order at Scribd here.) Incidentally, the plaintiff - Dan Balsam - is a recent law school grad who catalogues his extensive anti-spam efforts at his website: "danhatesspam.com."

Facts: As recounted by the court, Balsam received 1,125 pieces of spam advertising an adult-oriented website over a seven month period. Balsam performed a WHOIS lookup and found that the website was registered to Angeles Technology Inc. Some time later, Angeles started utilizing private registration services provided by Tucows. Balsam sued Angeles, and obtained a default judgment for $1,125,000. After Balsam brought suit but before he obtained judgment, Balsam requested the registrant’s identity from Tucows. Tucows refused to provide the name without a court order.

Balsam tried unsuccessfully to collect against Angeles and have garnished revenues from the website's payment processor. He even tried to have the underlying domain name seized. Understandably miffed, he brought suit against Tucows, arguing that Tucows was liable for the judgment due to its failure to disclose the identity of the person who held the beneficial interest in the domain name.

The Court's Ruling: Balsam sought to hold Tucows liable based on a variety of claims, but they were all premised on Balsam being a third party beneficiary to the "Registrar Accreditation Agreement" which registrars are required to sign with ICANN. Specifically, the RAA contains a clause which requires all registrars to enter into agreements which obligates registrants to provide accurate information and also for each registrar (referred to as a "Registered Name Holder") who provides private (or nominee) registration services to "accept liability for harm caused by wrongful use of the [domain name], unless [the registrar] promptly discloses the identity of the licensee to a party providing [the nominee registrar] reasonable evidence of actionable harm." I've reproduced the actual clause below at the end of this post. (Arguably, the reference in section 3.7.7.3 to the "registered name holder" should not necessarily be seen as a reference to the registrar. Registrars often wear multiple hats, and this results in some confusion. But to me it doesn't seem like the fact that registrars often provide private registration services through subsidiaries or related entities should be a determining factor. At the end of the day, the clause speaks to the person or entity in whose name the domain name is registered, which in the case of private registration services is the registrar or its subsidiary.)

Judge Breyer held that Balsam was not a third party beneficiary under the RAA and thus all of Balsam's claims failed.

Thoughts: To begin with, Balsam was fighting against the weight of precedent in arguing third party beneficiary claims under the RAA. Courts have refused to find that the RAA creates obligations enforceable by third parties. (See, e.g., Register.com v. Verio, 356 F.3d 393 (2d Cir. 2004).) Also, this isn't the first time a court has looked specifically at whether section 3.7.7.3 of the RAA creates a class of third party beneficiaries. As Professor Goldman previously noted, in Solid Host NL v. NameCheap, Inc. (No. 08-5414) (C.D. Cal. May 19, 2009), a judge in the Central District of California denied a registrar's motion to dismiss where a plaintiff sought to hold a registrar liable for cybersquatting under theories of direct and contributory liability (among other theories). That case also involved a registrar's failure to disclose the identity of the person or entity using the private registration services. Oddly, the court in Balsam cites NameCheap for the proposition that section 3.7.7.3 does not create an intended class of third party beneficiaries. I actually read NameCheap to say that third party beneficiary status was possible, depended on the facts as to intent and construction of the agreement, and thus could not be resolved on a motion to dismiss. (See pp. 39-49 of the NameCheap order.)

Balsam's case is somewhat tougher to make than Solid Host's, in that Balsam obtained a default judgment of over a million dollars. No judge is going to put the registrar on the hook for this type of a damage award absent some serious facts showing misconduct (i.e., the type of evidence the jury found persuasive in the Louis Vuitton case mentioned below). And that's where Balsam falls short in my opinion. It's tough to see where the real harm is to Balsam from the use by Angeles of private registration services. Balsam already knew the identity of the registrant, since the registrant he proceeded against started using the privacy protection services after Balsam after discovered its identity. (Stepping back, it's tough to see how a thousand emails should result in a million dollar damage award, but that's a separate issue.) Balsam only alleges that the failure by Tucows to reveal the identity of the beneficial registrant 'complicated' Balsam's ability to collect against Angeles Technology Inc. Regardless of how the third party beneficiary status discussion plays out, to me this casts a shadow over Balsam's claim.

As a side note, I agree with Professor Goldman that the court's reasoning in NameCheap isn't crystal clear, but I think it's a closer question as to whether - based on section 3.7.7.3 - a registrar should be held liable for harm flowing from a delay in disclosure. Regardless of whether the parties intended to create a class of third party beneficiaries, the thrust of section 3.7.7.3 is that if a registrant offers privacy protection services (i.e., register the domain name in your own legal name and allow someone else to be the beneficial owner), it seems to have a contractual obligation to disclose the identity of the beneficial owner upon request by an injured party. The fact that the RAA is an agreement registrars enter into with ICANN (which is a quasi-public entity) as a condition of being accredited and being allowed to offer domain name registration services also weighs in favor of the third party beneficiary argument. On the other hand, accepting that the RAA creates third party beneficiaries would result in a variety of problems and create unintended classes of plaintiffs and causes of action. Ultimately I don't think it's a very good idea, and courts have not been very receptive in general to third party beneficiary claims under the RAA.

To the extent the third party beneficiary argument flies, Solid Host had a stronger argument for why it should be treated as a third party beneficiary. Solid Host involved wrangling over a domain name that was originally registered in the name of Solid Host. Solid Host arguably relied on the provisions in the RAA in registering its domain name in the first place. (Note: to the extent a court accepts the third party beneficiary argument this leaves registrars in an arguably tricky spot. Section 3.7.7.3 does not limit itself to harm caused by the failure to disclose. It seems to cover harm "caused by wrongful use of [the domain name] . . .")

In any event, trying to hold a registrar (or someone else in the chain) liable for ACPA or trademark claims raises a host of thorny issues that courts struggle with. To the extent they can be unpacked, I'll admit I'm incapable of unpacking these issues in a blog post, or even a series of blog posts. I'll leave that to Professor Goldman. (See posts from Professor Goldman on the Solid Host case here and on the recent jury verdict for contributory liability for trademark infringement ($32MM!) obtained by Louis Vuitton here.) Suffice it to say that facts often dictate the result, and here, it just didn't pass the gut test to hold Tucows liable for a significant default judgment based on failure to disclose by Tucows. Particularly when in the court's view Balsam's evidence connecting the failure to disclose by Tucows with the underlying harm wasn't particularly strong.

As I read Balsam v. Tucows, I wondered whether Tucows had a Section 230 argument lurking in the background. My tentative thought is that it could have a viable 230 argument, since Balsam is seeking to hold Tucows liable based on third party content. Although Balsam could argue that under Barnes v. Yahoo Tucows could be viewed as having a contractual obligation which it didn't fulfill, this could be a tough argument to make, given that Tucows did not make any promises to Balsam directly. (See the two rulings in Goddard v. Google, Inc. (rejecting attempts to bring claims against Google based on third party beneficiary status under Google's advertising terms); see also Morrison v. America Online, Inc., 153 F. Supp. 2d 930, 934 (N.D. Ind. 2001) (rejecting attempt to evade § 230 immunity by claiming to be third-party beneficiary of AOL’s member agreement with chat-room users).) Given his interest in Section 230, I'll leave this issue to Professor Goldman as well.
__

ICANN Registrar Accreditation Agreement (pre-May 21, 2009):

3.7.7 Registrar shall require all Registered Name Holders to enter into an electronic or paper registration agreement with Registrar including at least the following provisions:
3.7.7.3 Any Registered Name Holder that intends to license use of a domain name to a third party is nonetheless the Registered Name Holder of record and is responsible for providing its own full contact information and for providing and updating accurate technical and administrative contact information adequate to facilitate timely resolution of any problems that arise in connection with the Registered Name. A Registered Name Holder licensing use of a Registered Name according to this provision shall accept liability for harm caused by wrongful use of the Registered Name, unless it promptly discloses the identity of the licensee to a party providing the Registered Name Holder reasonable evidence of actionable harm.

Posted by Venkat at 10:45 PM | Domain Names , Spam

October 22, 2009

Power.com Counterclaims Dismissed -- Facebook v. Power Ventures

[Post by Venkat]

Facebook and Power Ventures have been involved in a lawsuit over whether Power.com can allow its users to access user data on Facebook's network. Facebook brought suit against Power.com asserting a slew of claims ranging from copyright infringement to violations of the Computer Fraud and Abuse Act. Power.com brought a motion to dismiss, which the court denied. This ruling was noteworthy, among other reasons because it recognized Facebook's potentially tenuous copyright claims and gave credence to Facebook's argument that access of user data by Power.com (or Power.com users) in violation of Facebook's terms of use was potentially actionable by Facebook. (For comments on this ruling, see Cyberlaw Cases; BNA's TechLaw blog; Jeff Neuberger; and an earlier post from me.) After the court denied Power.com's motion to dismiss, Power.com answered the complaint and asserted counterclaims against Facebook. Power.com's counterclaims garnered some attention, likely due to the fact Power.com alleged that Facebook engaged in anti-competitive conduct by restricting consumers' access to their data. (See, e.g., NYT/Bits Blog ("Power.com Fights Back Against Facebook").)

In a recent order, Judge Fogel granted Facebook's motion to dismiss, finding that Power.com failed to sufficiently articulate the bases for its counterclaims. (Access a copy of the order here: [pdf].) There's not much to say about Judge Fogel's order, except that it was brief (four pages!), and the court was not moved by Power.com's vague allegations of misconduct by Facebook. As noted by the court:

Power's Answer and Counter-Complaint contains a seven and a half page 'Introduction and Background' narrative untethered to any specific claim. The claims themselves each consist of a conclusory recitation of the applicable legal standard and a general 'reference [to] all allegations of all prior paragraphs' . . . .[T]his form of pleading does not enable the Court to surmise which facts in the introductory narrative support which claims, if in fact they do.

The court observes that antitrust claims require a heightened standard of pleading, and throws in a reference to Twombly for good measure. The court also strikes Power.com's affirmative defenses (of misuse and estoppel) as unsupported by "any factual allegations." Although the court grants Power.com leave to amend its counterclaims and affirmative defenses, I would guess Power.com will think twice about filing amended counterclaims unless these claims have solid factual backup.

Rumors of an impending settlement between the parties swirled around, even after Facebook filed its complaint. Then it looked like Power.com was looking to fight back. It's always tough to tell from the win or loss of a particular motion which way the lawsuit will go, but Judge Fogel's order certainly lets the air out of Power.com's counterclaims. To the extent Power.com was looking to gain leverage by asserting counterclaims, it may be out of luck.

Posted by Venkat at 08:39 PM | Copyright , Spam

October 18, 2009

Q3 2009 Quick Links, Part 4

By Eric Goldman

Spam

* Ars Technica: "a disturbing number of e-mail users respond to spam, and not just because they're dumb—some of them did so because they were actually interested in the product or service." I collected some empirical research establishing this point in 2004.

* SpamFighter: Software Creator Admits to Aiding & Abetting Spam

Fraud

* Reuters: A virtual bank rips off depositors in EVE Online.

* Click fraud concerns at Facebook: TechCrunch; Unified ECM v. Facebook complaint (one of at least three pending).

* There can be legitimate circumstances where it makes sense for a vendor to automatically pass a user's credit card number to another vendor, but the practice seems ripe for regulation.

Contracts

* BNA: End of the Notice Paradigm?: FTC's Proposed Sears Settlement Casts Doubt On the Sufficiency of Disclosures in Privacy Policies and User Agreements (BNA Subscription required)

* In August, the NYT interviewed David Vladeck, who suggests that the FTC v. Sears settlement could signal a changing of the guard at the FTC.

* Jonathan Ezor on common drafting mistakes in privacy policies.

* Hines v. Overstock.com, Inc., 2009 U.S. Dist. LEXIS 81204 (E.D.N.Y. Sept. 4, 2009). Browsewrap terms aren’t enforceable “because the website did not prompt her to review the Terms and Conditions and because the link to the Terms and Conditions was not prominently displayed so as to provide reasonable notice of the Terms and conditions.”

* Timothy D. Cedrone, Morals? Who Cares About Morals? An Examination of Morals Clauses in Talent Contracts and What Talent Needs to Know, Seton Hall Journal of Sports & Entertainment Law. I have given my first year contracts students an exercise involving morals clauses that I think worked pretty well (see the links on this page under the "endorsement contract" bullet).

Miscellaneous

* The USPTO has not renewed the peer-to-patent program.

* ABA Journal: E-Discovery is $4B/yr industry but is experiencing consolidation.

* Paul Ohm's paper on re-identification of putatively anonymous databases. This may be one of the more important privacy law papers in some time, as it indicates that we cannot meaningfully distinguish between personally identifiable and non-personally identifiable information.

Posted by Eric at 02:43 PM | E-Commerce , Licensing/Contracts , Patents , Privacy/Security , Spam , Virtual Worlds | TrackBack

October 08, 2009

CAN-SPAM Doesn't Preempt CA Privacy Law--Powers v. Pottery Barn

by Ethan Ackerman

On Sept. 19th, a California state appellate court held that CAN-SPAM doesn't categorically trump state laws that may address email. Defendant retail store Pottery Barn was hoping it would agree with the initial ruling of the California trial court and hold that the federal CAN-SPAM law preempted the state law at issue, the Song-Beverly Credit Card Act.

The Song-Beverly Credit Card Act (apparently the enemy of corporate defense attorneys everywhere judging from google search results) generally prohibits the collection of certain personal information as a condition of processing a credit card transaction. Powers sued Pottery Barn under this law over its practice of collecting email addresses at the time of payment. Faced with these fairly uncontested facts, Pottery Barn argued at the trial court that the federal CAN-SPAM Act, regulating the sending and content of email, should preempt the state law.

Putting aside the obvious difference between a law that governs the collecting of personal information and a law that governs the sending and content of commercial email, the California Court of Appeals took the arguably easier route in addressing the issue - it read the preemption exceptions contained in the federal statute.

Readers interested in the details and holding logic can read the actual opinion. My short summary:

The California court read the preemption exceptions in CAN-SPAM and rightfully held that since the federal statute itself said it didn't preempt general state laws not specific to email, Song-Beverly wasn't preempted by CAN-SPAM.

"By its terms CAN-SPAM does not pre-empt state statutes which are not specific to e-mail and have only such incidental impact on e-mail use. (Tit.15, U.S.C. § 7707(b)(2).)"

In thinking of just how weak the preemption argument is, it's not hard to come up with other instances of state law addressing the collection or use of email addresses that aren't specific to "the use of electronic mail to send commercial messages." Indeed, the court rules of all state courts in California address the redaction of certain types of personal information (although not ultimately email addresses in the rules' present version.) I suspect the state's freedom of information laws have similar provisions addressing personal identifiers. I don't imagine that defendant's counsel would have relished acknowledging that the logical extension of defendant's argument was that the courts own filing rules were preempted.

Tom O'Toole at BNA has more.

[Eric's comment: while I agree with Ethan that the court correctly concluded that the Song-Beverly law isn't preempted by CAN-SPAM, I remain a little confused and troubled by the implications of the plaintiffs' arguments. It seems to me like the logical extension of their arguments is that it is illegal to collect email addresses when accepting credit card payments online. If this is the direction the case heads, then this case could have disconcerting implications for virtually the entire e-commerce industry. UPDATE: Ethan has pointed out that Saulic v. Symantec and some other cases have constrained the application of the Song-Beverly law to online commerce, a point I had forgotten. I hope that precedent will help put this lawsuit to rest, but it does make me wonder why the defendant accelerated CAN-SPAM preemption argument, a weaker one, to the front of the line,]

Posted by Ethan Ackerman at 04:34 PM | E-Commerce , Spam | TrackBack

August 25, 2009

Why More Wikipedia Editing Restrictions Are Inevitable, and Some Comments on Flagged Revisions for Living People's Biographies

By Eric Goldman

I have posted my latest article, "Wikipedia’s Labor Squeeze and its Consequences," to SSRN. The article will be published in the Journal of Telecommunications and High Technology Law in the relatively near future. The article is still in draft form, and I gratefully welcome your comments. Please take a look.

The article traces its roots to my Dec. 2005 prediction that Wikipedia will fail in 5 years. I have continued to blog informally about Wikipedia since then, but I only decided to write a more formal academic defense of my prediction late last year. This article is that defense, but you'll notice that I don't refer to "failure" in the article. In my presentations and earlier drafts of this article, I found that predicting Wikipedia's "failure" produced very emotional responses that overwhelmed consideration of my argument's merits. I still think my 2005 predictions look pretty good (using my self-selected definition of "failure"), but I deliberately directed the article towards the "why" rather than the "when."

As a result, the article explains why evolutionary changes in Wikipedia's labor supply is forcing Wikipedia to change its basic architectural design of permissive user editability. Flagged revisions is a prime example of the ongoing architectural shift. With flagged revisions, every user has the technical capacity to edit a Wikipedia entry, but submitted revisions remain hidden from public view until a trusted editor approves them for publication. Accordingly, flagged revisions significantly changes the Wikipedia experience. It delays publication of most contributions, it buries some contributions without ever being published at all, and it creates a significant workload for editors. For example, the German Wikipedia deploys flagged revisions site-wide and publication delays are up to three weeks.

Yesterday, Wikipedia announced that it is deploying Flagged Revisions for biographies of living people. Wikipedia has been on red alert with biographies since the John Seigenthaler incident in September 2005, so it's not surprising that Wikipedia will tighten the reins there first.

However, I think this change is just one more intermediate step in Wikipedia's ongoing process of restricting user editability, and it is not the final restrictive step Wikipedia will take. For reasons I outline in the article, I expect Wikipedia eventually will deploy Flagged Revisions, or some other stringent form of editorial lock-down, across the entire site, not just for living people's biographies. I explore some other possible alternatives in the paper, but I conclude that substantial restrictions to user editability are Wikipedia's only viable long-term solution to preserve site credibility.

People who have reviewed the article have asked about the article's relationship to Benkler's Wealth of Networks and its related commentary. Those works have explored the phenomenon and implications of large-scale online volunteerism, including a convincing proof that people will contribute their labor to online collaborative enterprises without any direct financial compensation. However, I've seen less attention paid to the exact reasons why people volunteer for these projects. My article focuses on the "why" in some detail, but even then, I make some assumptions and guesses. Despite extensive academic research into the Wikipedia community, we still lack a complete and clear empirical picture of why people join the community and, perhaps just as important, why people leave. I offer up my theoretical considerations, but more empirical work remains to be done.

If you want more discussion on this topic, during the paper's development, I gave a talk at University of Colorado Boulder that sparked some online responses:

* the talk itself (in the middle of the video)
* Ars Technica coverage
* ZDNet's paraphrase of the Ars Technica post
* p2pnet
* Blorge
* Thinking Spaces
* Futureismic

The presentation led to an NPR Interview with more comments and a response from What Jeff Learned Today.

Posted by Eric at 09:09 AM | Internet History , Marketing , Spam | TrackBack

August 07, 2009

An End to Spam Litigation Factories?--Gordon v. Virtumundo

By Eric Goldman

Gordon v. Virtumundo, Inc., No. 07-35487 (9th Cir. Aug. 6, 2009)

When CAN-SPAM was passed in 2003, it was fairly clear that Congress wasn’t trying to enable broad private enforcement. Everyone knew that rabid anti-spammers would seize any new statutory right for a litigation frenzy. As this court says, "lawmakers were wary of the possibility, if not the likelihood, that the siren song of substantial statutory damages would entice opportunistic plaintiffs to join the fray, which would lead to undesirable results." Although I personally think Congress would better served all of us by omitting all private enforcement rights in CAN-SPAM, unquestionably the private rights in CAN-SPAM are drafted narrowly to prevent their abuses.

That hasn't stopped some zealous anti-spammers from testing the limits of CAN-SPAM's private enforcement remedies anyway. James Gordon has been one of the most active. He is a "professional plaintiff" who has operated a spam "litigation factory" by configuring his technology to try to trap spammers. In effect, he goes out of his way to look for spam. As the court says, “the burdens Gordon complains of are almost exclusively self-imposed and purposefully undertaken."

As it turns out, this business model does not fare well in court. He lost this case in the district court and subsequently was ordered to pay over $100k in legal fees to the defendant under CAN-SPAM's fee-switching provision. On appeal, the Ninth Circuit has even less kind words for him, saying that CAN-SPAM “was enacted to protect individuals and legitimate businesses—not to support a litigation mill for entrepreneurs like Gordon." As a result, the court issues a broad but muddy opinion that shuts down Gordon’s litigation factory and presumably others like his, but has a less clear effect on other CAN-SPAM defendants.

"Internet Access Service"

CAN-SPAM's private enforcement rights only accrue to "Internet access services." This phrase is troublesome in part because it differs from other possible statutory synonyms for online actors like "interactive computer service" (47 USC 230), "online service provider" (DMCA), "electronic communication service" and "remote computer service" (ECPA), etc. This verbiage proliferation raises questions about the scope of governed entities (who’s covered and who isn’t) and why different online actors are being treated differently (if they are). I hope future legislative drafters will recognize the costs of using different terms for online actors.

In CAN-SPAM, Congress defined an “Internet access service” as "a service that enables users to access content, information, electronic mail, or other services offered over the Internet, and may also include access to proprietary content, information, and other services as part of a package of services offered to consumers. Such term does not include telecommunications services." Check out Ethan’s lengthy but irresolute deconstruction of this definition from last year.

Read literally, this definition seemingly covers all Internet services because they allow users to access their "other" services. However, the Ninth Circuit doesn’t think that's what Congress meant, although it’s not sure about the boundaries either. Instead, the Ninth Circuit "decline[s] this opportunity to set forth a general test or define the outer bounds of what it means to be a provider of ‘Internet access service.’" Gee, thanks.

Nevertheless, the Ninth Circuit had no problem saying that Gordon wasn't an Internet access service. I can’t pin down a specific reason why Gordon wasn’t covered while, according to the court, his service providers (Verizon and GoDaddy) might be. Ultimately, I think the court rejects Gordon's transparent efforts to manufacture a claim.

"Adversely Affected"

A CAN-SPAM private litigant also needs to show that it was “adversely affected” by the spam. The court doesn’t offer a single definition of adverse effect, but it does try to draw some boundaries that leave Gordon out.

In general, the court tries to narrow the scope of cognizable harms in two ways. First, the court segregates consumer-related harms from service provider-related harms. I was heartened to see this because better harm delineation was a central point of my (uncited) 2004 article "Where's the Beef? Dissecting Spam's Purported Harms." Back in the earlier part of this decade, anti-spam advocates would routinely lump together a laundry list of gripes about spam in ways that would degrade policy-makers’ ability to target policy responses to the harm. For example, CAN-SPAM suffers heavily from this schizophrenia about the targeted harm. This court makes it clear that consumer-related harms aren’t part of the CAN-SPAM private litigation calculus.

Second, the court tries to distinguish between the fixed and variable costs of spam fighting and implies that the fixed costs should be ignored when calculating adverse effect. The court’s handling of this distinction is hardly deft. It says repeatedly that we have to assume that IAS providers are absorbing some spam costs as part of their normal costs of operation. For example, the court says:

the harm must be of significance to a bona fide IAS provider—something beyond the mere annoyance of spam and greater than the negligible burdens typically borne by an IAS provider in the ordinary course of business. In most cases, evidence of some combination of operational or technical impairments and related financial costs attributable to unwanted commercial e-mail would suffice

And the court says:

We expect a legitimate service provider to secure adequate bandwidth and storage capacity and take reasonable precautions, such as implementing spam filters, as part of its normal operations….network slowdowns, server crashes, increased bandwidth usage, and hardware and software upgrades bear no inherent relationship to spam or spamming practices. On the contrary, we expect these issues to arise as a matter of course and for legitimate reasons as technology, online media, and Internet services continue to advance and develop. Therefore, evidence of what could be routine business concerns and operating costs is not alone sufficient to unlock the treasure trove of the CAN-SPAM Act’s statutory damages.

Reading these quotes, it seems like the court is trying to zero out the fixed costs borne by anyone connected to the Internet, which would then focus the analysis on only those marginal/variable consequences attributable to a specific spam campaign. However, the court does not want to raise the bar that high, at least not for “legitimate” service providers (which the court thinks clearly excludes Gordon). As the court says:

the threshold of standing should not pose a high bar for the legitimate service operations contemplated by Congress. In some civil actions—where, for example, well-recognized ISPs or plainly legitimate Internet access service providers file suit—adequate harm might be presumed because any reasonable person would agree that such entities dedicate considerable resources to and incur significant financial costs in dealing with spam.

So I’m not quite sure what to make of this language. On the one hand, the court’s acknowledgement that complex societies impose some unwanted but unavoidable costs seems to raise the harm bar pretty high for CAN-SPAM plaintiffs. On the other hand, the court is willing to presume harm for “good” plaintiffs. So why won’t the court make such presumptions for Gordon? Mostly because he “came to the nuisance” (my words, not the court). As the court says:

Gordon purposefully refuses to implement spam filters in a typical manner or otherwise make any attempt to block allegedly unwanted spam or exclude such messages from users’ email inboxes...Gordon made no real effort to avoid, block, or delete commercial e-mail, but instead has voluntarily assumed the role of a spam sleuth. He expends time and resources seeking out and capturing massive volumes of spam, which he collects and then organizes for use in his prolific lawsuits. He admits setting up domains as “spam traps” with the sole purpose of snagging as many e-mail marketing messages as possible.

So my reading of this discussion is that the court sets up a bifurcated “adverse effect” analysis. If you’re a commercial email service provider, you presumptively get access to CAN-SPAM’s “treasure trove.” If you’re a spam troll, nuts to you.

Preemption of State Laws

One of CAN-SPAM's main raisons d'etre was to preempt the rapid proliferation of state anti-spam laws in the early part of this decade (especially California's opt-in anti-spam law). I naively assumed that CAN-SPAM's preemption clause would drive states out of the anti-spam regulation business altogether (a separate rant, but I'm not a fan of any state attempts to regulate Internet activity). No such luck. Following CAN-SPAM’s enactment, nearly every state enacted NEW anti-spam laws designed to fit within the preemption exceptions. This renewed activity at the state level has contributed to the anti-spam litigation frenzy, because the plaintiffs can use both state and federal claims to extract settlements and concessions from defendants.

In 2006, in Omega Travel v. Mummagraphics, the Fourth Circuit took a lot of the wind out of plaintiffs' sails by holding that state anti-spam laws survived CAN-SPAM preemption only as applied to fraud or material misrepresentations, not garden-variety errors or immaterial deception. Here, the Ninth Circuit adopts the Mummagraphics standard, which presumably eviscerates several state laws in Ninth Circuit-governed jurisdictions.

Applying the Mummagraphics’ standard to Gordon’s case wipes out his Washington state anti-spam claim. Gordon argued that, although he was not misled or deceived, Virtumundo’s “from line” violated Washington law because it does not clearly identify Virtumundo as the sender. He also argued that to avoid being deceptive, Virtumundo’s email subject lines must have either Virtumundo’s or its client’s name. The court rejects these arguments because "Gordon offers no proof that any headers have been altered to impair a recipient’s ability to identify, locate, or respond to the person who initiated the email. Nor does he present evidence that Virtumundo’s practice is aimed at misleading recipients as to the identity of the sender."

Expect to see more state laws bite the dust in the face of this preemption analysis.

Implications

This case is exceedingly interesting and important because it destroys the arguments of anti-spam plaintiffs trying to manufacture technical violations of CAN-SPAM for their profit. Not only does the opinion send an unmistakable message to the lower courts to toss these plaintiffs out on their keister, but it sends the harsh message that these plaintiffs ought to rethink their legal hubris. As the court says, “As should be apparent here, ‘the law’ that Gordon purportedly enforces relates more to his subjective view of what the law ought to be, and differs substantially from the law itself.” Ouch. The court has apparently just invalidated the fantastic laws that some anti-spam plaintiffs dream up in their heads.

This case is also important because it puts state anti-spam laws even more clearly on the ropes. It has been an impressive but pathetic display of futility watching the states trip over themselves trying to show that they are tough on spam when their efforts are all irrelevant in light of the Fourth Circuit's and now Ninth Circuit's interpretations of CAN-SPAM. Fortunately (?), most of the states have moved on to being tough on cyberbullying instead of beating up on spammers.

It is less clear to me if the court’s discussion about “Internet access services” and “adverse effect” will have broader import on private CAN-SPAM litigation. The court deliberately sidestepped definitive interpretations of both terms, so I expect the interpretive slate is mostly clean outside of the spam litigation factories.

One final point. Spam remains actively litigated in the courts and the subject of some policy discussion, but do you still fret about the spam you receive personally? I get the sense that this panel was not that impressed with Gordon’s efforts in part because spam isn’t as big a deal for the judges as it used to be. Certainly that’s true in my case. I get about 100 spams a day, 90+% of which Gmail appropriately filters into my spam folder (with very few misclassifications of legit email as spam). As a result, it takes me just a minute or two a day to burn through the spam accruals. Not surprisingly, at least for me, good spam filters have solved the problem much better than any legislative intervention.

I understand that spam is a bigger issue for email service providers, especially now that more than 100% of all emails are spam (according to the ridiculously overhyped stats put out by vendors of anti-spam solutions). CAN-SPAM partially offers a solution to these individuals, along with other doctrines like the Computer Fraud & Abuse Act and possibly the common law trespass to chattels doctrine. However, at this point, so much of the anti-spam battle has to be fought technologically, not in the courts, due to the sheer volume and dispersed nature of the putative defendants. As a result, it doesn’t really seem to matter to the overall quantum of spam in our society if courts read CAN-SPAM broadly or narrowly.

Other comments on this case:
* Venkat
* Jeff Neuburger

UPDATE: Ken Magill reports on how Gordon has lost his house belongings due to his persistence.

Posted by Eric at 12:40 PM | Internet History , Marketing , Spam | TrackBack

July 03, 2009

Ninth Circuit Revives TCPA Claim--Satterfield v. Simon & Schuster

By Eric Goldman

Satterfield v. Simon & Schuster, Inc., No. 07-16356 (9th Circuit June 19, 2009)

Satterfield sued Simon & Schuster (and its mobile ad agency) for sending text messages to her cellphone without the requisite permission. The district court dismissed her lawsuit; but in this ruling, the Ninth Circuit revives it. Three aspects of this ruling make it noteworthy.

When is a Text Message a Telephone Call?

The court holds that a text message to a cellphone is a "call" for purposes of the Telephone Consumer Protection Act (TCPA). This isn't unprecedented. The FCC took this position in 2003, and in 2005, I blogged on the Joffe v. Acacia Mortgage case reaching the same conclusion. Nevertheless, as I pointed out in response to the Joffe case, it reminds us of the silliness of medium-specific anti-marketing restrictions when the media collapse into each other. See my Coasean Analysis of Marketing paper for more.

Poor Consent Language

Satterfield signed up for a free ringtone from Nextones. As part of the registration process, Satterfield affirmatively checked off a box next to the following language:

Yes! I would like to receive promotions from Nextones affiliates and brands. Please note, that by declining you may not be eligible for our FREE content.

This language is hardly a model of clarity. What are "Nextones brands"? What are "Nextones affiliates"? The court adopts a trademark-style definition for "brands" and a corporate governance-rooted definition for "affiliates." Interestingly, Nextones posted its own definition of affiliates elsewhere on its site to mean other companies who “sell mobile content such as ringtones and graphics.” As the court points out, "Simon & Schuster does not fall within Nextones’ own definition." Whoops.

Obviously, better drafting could have easily avoided this problem and probably would have had little effect on conversion rates. Say what you mean, and mean what you say!

For what it's worth, one of my past Cyberlaw exams involved an ambiguously drafted online checkbox consent, a problem partially based on a real-life situation encountered by Yahoo. See the exam and sample answer.

Complex Chain of Distribution

Satterfield's cellphone number/text message address fell into Simon & Schuster's hands through a complex chain of distribution as follows:

Satterfield gives # to Nextones =>
Nextones gives # to MIA, its "exclusive agent for licensing the numbers of Nextones subscribers" (huh?) =>
MIA gives # to ipsh!, which describes itself as "the world's award-winning, full-service mobile marketing and advertising agency" =>
ipsh! gives # to mBlox, an aggregator who "handled the actual transmission of the text messages to the wireless carriers" =>
Simon & Schuster contracts with ipsh! to run a text message campaign for Simon & Schuster's new Steven King novel Cell. (Ironic name? Maybe this lawsuit will spur Stephen King to write a sequel, Cellphone).

As you know, lawyers aren't very good at math, but according to my count, it looks like four different intermediaries "touched" Satterfield's number (Nextones, MIA, ipsh! and mBlox) before it was used by Simon & Schuster, the ultimate advertiser. With that many intermediaries, there are significant additional transaction costs to reach cellphone subscribers.

More importantly, this complex chain creates a sizable risk that one or more of the entities along the way would misinterpret or forget any restrictions on the customer's grant of permissions. Certainly, I can't figure out how Nextones/MIA thought this distribution chain fit within the checkbox consent it asked for and received. (Interestingly, neither Nextones nor MIA are defendants in the case).

I also cannot figure out how ipsh!/Simon & Schuster failed to detect this permissions problem in their diligence. They did diligence the source of the cellphone numbers...didn't they? They didn't just blindly assume that they could purchase a package of random cellphone numbers and party on...did they?

Posted by Eric at 09:51 AM | Marketing , Spam | TrackBack

Search

Archives

Recent Entries

January 04, 2012

Nov.-Dec. 2011 Quick Links, Part 3

December 23, 2011

Old School Spam Plaintiff Rebuffed in the Ninth Circuit

December 12, 2011

Text Spam Lawsuit Against Citibank Moves Forward Despite Vague Allegations of Consent -- Ryabyshchuk v. Citibank

October 13, 2011

Court Dismisses Lawsuit Under Michigan Spam Statute Based on Preemption and Lack of Standing -- Hafke v. Rossdale Group, LLC

October 12, 2011

Spam Claims Covered by Contract's Indemnity Clause--Commonwealth Marketing Group v. IMG Assocs.

September 28, 2011

In Facebook's Lawsuit Against Alleged Spammer, Court Denies MaxBounty's Motion to Dismiss

September 08, 2011

Lawyer Hit With $4.2 Million Judgment in Junk Fax Class Action -- Holtzman v. Turza

September 02, 2011

Seventh Circuit Awards e360 a Whopping $3 in Damages Against Spamhaus -- e360 v. Spamhaus

August 24, 2011

Court Affirms Robust ISP Protection For Blocking Bulk Emails -- Holomaxx v. Microsoft/Yahoo

July 26, 2011

Court Rejects First Amendment Challenge to CAN-SPAM Indictment -- US v. Smallwood

July 04, 2011

June 2011 Quick Links, Part 2

April 28, 2011

Jury Rejects Lawyer's Claims Under DC's Anti-Spam Law -- CyberLaw v. Thelaw.net

April 27, 2011

Court Says CAN-SPAM Plaintiff Can't Take Second Bite at the Apple -- Melaleuca v. Hansen

April 19, 2011

Bulk Emailers (Mostly) Lose Three 47 USC 230(c)(2) Rulings--Holomaxx v. Microsoft/Yahoo & Smith v. TRUSTe

April 07, 2011

Claims that Emails were not Labeled as Ads and did not Disclose Tracking Preempted by CAN-SPAM -- Martin v. CCH

April 01, 2011

N.D. Cal.: Facebook Posts are Electronic Mail Messages, Subject to CAN-SPAM -- Facebook v. Maxbounty

March 03, 2011

Jan.-Feb. 2011 Quick Links, Part 4

February 12, 2011

Debt Collection Text May Result in Liability under the Telephone Consumer Protection Act -- Gutierrez v. Barclays Group

January 29, 2011

Class Action Brought by "Lonely and Vulnerable" Men Against Online Cupid Site Moves Forward -- Badella v. Deniro Mktg.

January 20, 2011

CA Appeals Court: Claims Under State Spam Statute Not Preempted by CAN-SPAM - Hypertouch v. Valueclick

January 05, 2011

Lawyer-Spam Plaintiff Loses in the Sixth Circuit Over Allegedly Misleading DISH Network Emails -- Ferron v. Echostar

January 01, 2011

Court Rejects Constitutional Challenge to TCPA Based on Vagueness in "Prior Express Consent" Exception -- Kramer v. Autobytel, Inc.

December 24, 2010

Deep Packet Inspection (NebuAd) Litigation: Court Dismisses ECPA Claim but CFAA Claim Continues

December 17, 2010

Domain Name Privacy Protection Services Not Liable for Failure to Disclose Identity of Alleged Spammer -- Balsam v. Tucows

November 27, 2010

Junk Fax Claim Fails Due to "Established Business Relationship" Exception -- Cardinal Partners v. Fernandez Discipline

November 15, 2010

Melaleuca Files Second Lawsuit Following Dismissal of its CAN-SPAM Claims

Holomaxx Sues Yahoo, Microsoft, and Others for Non-Delivery of Bulk Emails

November 07, 2010

Another Federal Court Dismisses CAN-SPAM Claims Due to Lack of Standing - Melaleuca, Inc. v. Hansen

November 04, 2010

Spam Filter Excuse for Missing a Deadline Flies in the Northern District of Illinois -- Pace et al. vs. AIG

October 22, 2010

Former Employee's 'Email Barrage' Does Not Support CAN-SPAM or Computer Fraud and Abuse Act Claims -- Nyack Hosp. v. Moran

October 12, 2010

Sending Politically Charged Emails Does Not Support Disturbing the Peace Conviction -- State v. Drahota

September 26, 2010

New York Court Dismisses Putative Class Action Brought Under California Spam Statute -- Bank v. Hydra Group, LLC

September 22, 2010

Reunion.com Back to District Court -- Hoang et al v. Reunion.com Inc

September 10, 2010

Veteran Spam Plaintiff Abandons Spam Lawsuit -- Asis Internet v. Subscriberbase

August 24, 2010

Ghostwritten Attorney Newsletter is an "Ad" for TCPA Junk Fax Law Purposes--Holtzman v. Turza

July 26, 2010

Facebook's Anti-Spam Filter Blocks Legitimate Conversations about Power.com

July 02, 2010

Idaho District Court Dismisses CAN-SPAM Claims Due to Non-ISP Status -- Melaleuca, Inc. v. Hansen

June 21, 2010

Use of Multiple (Even Random or Garbled) Domain Names to Bypass Spam Filter Does not Violate Cal. Spam Statute -- Kleffman v. Vonage

June 15, 2010

Judge Kocoras Cuts Down $11MM Award Against Spamhaus to $27,000 -- e360 v. Spamhaus