Lawsuit Against Adware Vendor Fails–Halperin v. Text Enhance
Text Enhance, a program developed by Affluent Ads, scans web page text for certain keywords. When the user mouses over any of those keywords, the adware serves up a pop-up ad on the user’s computer. Halperin ended up with Text Enhance on his computer and sued Affluent Ads, alleging CFAA and ECPA claims as well as state law claims.
CFAA: The court does not delve into whether Text Enhance engaged in unauthorized access or some other CFAA violation. Instead, the court says Halperin did’t satisfy the CFAA’s $5,000 damage threshold requirement. Halperin’s damage was not alleged to have been $5,000 individually, and the court says that it can’t aggregate the harm to other putative class members to satisfy the damage threshold unless the damage arises out of a “single act.” And that poses a problem as the complaint is currently pled. The surreptitious install of the program by thousands of consumers (and putative class members) is not a “single act,” so Halperin can’t rely on this “act” when aggregating. Halperin argued that he shouldn’t be subject to the no-aggregation rule. However, the court says CFAA does not contain any provisions regarding aggregating, and in any event the dollar amount is a jurisdictional threshold (or a part of the claim).
ECPA: The ECPA claim focused on whether there was an interception of a wire or electronic communication. The problem for Halperin is that any scanning is done locally on Halperin’s computer, and the court says this is fatal to his claim. The court cites to keylogger cases to conclude that no interception of a communication occurred. However, the court allows Halperin leave to amend:
Halperin has not stated a viable claim under the Wiretap Act, which seems to be a poor fit to address the kind of invasive and annoying tactics that Text Enhance is alleged to employ. (By contrast, the CFAA might have been a good fit where it not for the $5,000 economic damages threshold.) It is, of course, possible that Text Enhance does record or retransmit to Defendants the contents of the webpages that Halperin visits, in which case Defendants would have “acquired” those contents; and if so, Halperin might well have a valid Wiretap Act claim.
That the CFAA no-aggregation rule ends up booting Halperin’s claims is a bummer for him, given that a CFAA claim may be a better fit for the facts. That said, the trend of the cases is in defendants’ favor. It’s possible that Halperin may come back and creatively allege some “single act” that allows him to take advantage of this exception, but it won’t be easy.
The ECPA claims are interesting, although the facts (and the court’s framing of plaintiff’s complaint) are somewhat unclear. What particular communications is plaintiff complaining Text Ads intercepted? The way I understood it, the software had some keyword-like triggers, and searched webpages the user accessed to see if any keywords matched. When one did, if he moused over the word, it would pull up an ad (an image from Affluent Ads’ or the advertisers’ server?) and then modify the display of the web page to contain the ad, or included the pop-up over it. (This sounds vaguely similar to the scanning practices of a certain big search entity.) The court seems to say that everything could occur locally so this means there’s no interception of the contents any communication between Halperin’s computer and a third party, but this would depend on some careful technical architecting on their part.
The court also cites favorably to Text Enhance’s argument that “did not actually acquire the contents of a communication”. Setting aside whether this is an accurate description of what occurs, it’s still unclear whether the court is making a distinction between the acquisition of a communication and the acquisition of the contents of a communication. The court doesn’t get into the weeds, but this brought to mind the question of whether search queries (and browser requests) are communications. (See “Disclosing Unique User IDs In URLs Doesn’t Violate ECPA–In re Zynga/Facebook“.) The court also notes that even if such acquisition (of the contents of any webpage) had occurred, it would not be clear that would have been “intercepted”, given that by the time Text Enhance sees anything, it has already reached its destination (Halperin’s computer). The auto-forwarding cases, where people are held for intercepting messages by auto-forwarding them may support Halperin’s arguments, but the court does not need to get there.
There’s also an argument, such as the one alluded to in the Gmail scanning cases, that no human ever read the contents of any communication; they were merely used by a computer for matching purposes. To my knowledge, no decision has taken that argument credibly, and it does not come up here.
Finally, there’s the question of Text Ads being notified when Halperin clicks on the rogue ads. That is also a communication between Halperin and the advertiser, but that falls under the one-party consent rule.
Overall, an interesting application of facts to these statutes. It does make you wonder about spyware statutes, and the fact that they appear to have seen little (if any) mileage in litigation. There was a wave of state legislation around spyware, but there is little case law under these statutes. It’s somewhat surprising that Halperin could not find a favorable statute to cast his claims under. California’s statute looks like a good contender.
Eric’s Comments: It’s jarring to see a 2005-style adware litigation battle in 2014. Didn’t we fight–and resolve–these issues a decade ago? At the height of the adware paranoia, I wrote a lengthy impassioned defense of adware, which got a little orphaned by the demise of adware. Even at the time, the battle was really about behavioral advertising but we didn’t have that vernacular then. We’ve now realized that adware isn’t the only way to gather highly reliable data for behavioral advertising (see, e.g., Facebook’s massive data-gathering tentacles), so the business case for adware has largely faded away.
Also jarring was that the court didn’t discuss Text Enhance’s EULA/contract at all. Text Enhance brought a motion to dismiss, so the court necessarily accepted Halperin’s assertion that Text Enhance was installed without consent. I assume consent will become relevant if this case makes it further. But the possible lack of consent makes this ruling even more remarkable–if Text Enhance installed adware without user consent and still can avoid liability, that would be quite remarkable.
As to Venkat’s point about the existence of anti-adware laws, Utah repealed its anti-adware law in 2010. As far as I know, Alaska’s anti-adware law is still on the books but I don’t believe it’s ever been used. Otherwise, a number of states adopted anti-“spyware” laws that turn on the existence of “intentionally deceptive” conduct. The court sidesteps Halperin’s state anti-spyware law claim by declining to exercise supplemental jurisdiction. Perhaps it will be reinvigorated in state court if the federal case doesn’t revive.
Finally, the ECPA discussion seems to have some significant implications for the Gmail/Yahoo email scanning cases. This ruling provides another data point suggesting that the ECPA shouldn’t regulate machine scanning of incoming electronic messages.
case citation: Halperin v. International Web Services, LLC, 13 C 8572 (N.D. Ill. Sept. 30, 2014).
Employer Isn’t Liable When Former Employee Linked His Apple Accounts To Its Devices–Sunbelt v. Victor
“Disclosing Unique User IDs In URLs Doesn’t Violate ECPA–In re Zynga/Facebook”
When Is It Appropriate To Monitor An Ex-Spouse’s Email Account? Never
Judge Koh Dismisses the Bulk of the Yahoo Email Scanning Class Action
Minors’ Privacy Claims Against Viacom and Google Over Disclosure of Video Viewing Habits Dismissed
Apple May Be Liable For Privacy Violations by Third Party Developed Apps
Google Wins Cookie Privacy Lawsuit
Wiretap Claims Against Gmail Scanning Survive Motion to Dismiss — In re: Google Inc. Gmail Litigation
Supervisor’s Post-Termination Access of Employee’s Gmail Account May Violate ECPA – Lazette v. Kulmatycki