Thursday, November 21, 2013

CAN-SPAM Act preempts state spam law where misrepresentation is not material

DAVISON DESIGN & DEVELOPMENT INC. v. Riley, Dist. Court, ND California 2013

ISSUE: Is a state cause of action for spam preempted by the CAN-SPAM Act?

RULE: State spam laws are preempted by the CAN-SPAM Act, except when they address fraud or misrepresentation.

HELD: State cause of action preempted by the CAN-SPAM Act where misrepresentation was not material.


"First, the parties dispute the scope of the exception to CAN-SPAM preemption. Plaintiffs argue that Riley must allege a claim for fraud in order to avoid preemption, while Riley argues that the "falsity or deception" language used in the statute creates a broader exception, encompassing more than just claims for fraud. As an example, Riley points to Cal. Civ. Code § 1710, which defines the tort of "deceit," and which does not require the elements of common-law fraud, including reliance. While the relevant Ninth Circuit authority on this issue (Gordon v. Virtumundo, 575 F.3d 1040 (9th Cir. 2009)) does use the word "fraud" when discussing the preemption exception, the court agrees with Riley that Gordon does not necessarily limit the exception to fraud claims. And while Gordon did not answer the question of whether a party must plead reliance and damages in order to avoid CAN-SPAM preemption, the court agrees with and adopts the reasoning set forth in two post-Gordon district court cases, both of which held that "reliance and damages need not be demonstrated to save a lawsuit from preemption." Asis Internet Services v. Member Source Media, LLC, 2010 WL 1610066, at *3 (N.D. Cal. Apr. 20, 2010); see also Asis Internet Services v. Subscriberbase Inc., 2010 WL 1267763 (N.D. Cal. Apr. 2, 2010). Riley need not establish reliance and damages in order to avoid preemption; instead, as long as she can establish that plaintiffs "were responsible for making knowing and material misrepresentations," her counter-claim "will sound in `falsity or deception' and will not be preempted by the CAN-SPAM Act." See Subscriberbase, 2010 WL 1267763 at *13. Specifically, if Riley can establish that the presence of her own name in the "from" line of the seven emails at issue was materially false or deceptive, her counter-claims will avoid preemption.

"Applying that standard, the court finds that while the use of Riley's name in the "from" line was indeed false, the fact that Riley would have immediately recognized the use of her own name puts her counter-claims in the same category as the "non-deceptive statements" that were rejected by the Gordon court. Upon receiving the emails, Riley would have instantly known that she did not send those emails to herself, and thus, the emails could not have been deceptive in any meaningful way. Thus, any falsity or deception was not sufficiently "material" to avoid preemption. The court recognizes that the factual circumstances of this case are unique, and that a misrepresentation as to the identity of the sender of emails will indeed be material in many cases. For instance, if Riley had received emails from plaintiffs with the name of one of Riley's personal contacts in the "from" line, those emails might well give rise to a non-preempted claim. However, as to the seven emails at issue, the court fails to see how Riley could have been deceived into believing that she sent herself these emails, and fails to see how any reasonable person could be deceived by an email bearing his or her own name in the "from" line. Accordingly, the court finds that Riley's counter-claims are preempted by CAN-SPAM, and hereby GRANTS summary judgment in favor of plaintiffs on the preemption issue. As discussed above, and for the reasons stated in the court's September 13, 2013 order (Dkt. 212), in which the court declined to exercise jurisdiction over claims relating to 108 of the emails, the court similarly declines to exercise declaratory judgment jurisdiction over plaintiffs' claims relating to these seven emails."


Tuesday, November 12, 2013

PRO-CONCEPTS, LLC v. Resh, Dist. Court, ED Virginia 2013 #ACPA #DNS

PRO-CONCEPTS, LLC v. Resh, Dist. Court, ED Virginia 2013 :: Motion for preliminary injunction for violation of AntiCybersquatting Consumer Protection Act denied.  Offer to sell domain name and website to trademark owner not bad faith where domain name owner "did so, not for financial gain, but for reimbursement. The evidence, as presented to the Court, indicates that [domain name owner] attempted to transfer the site to the markholder for an amount equal to the cost of acquiring and maintaining the domain."

Sunday, November 03, 2013

[NIST] Initiating Review of Cryptographic Standards Development Process

NIST Initiating Review of Cryptographic Standards Development Process
(This news article is also available on the Computer Security Resource Center (CSRC) website at:
Recent news reports about leaked classified documents have caused concern from the cryptographic community about the security of NIST cryptographic standards and guidelines. NIST is also deeply concerned by these reports, some of which have questioned the integrity of the NIST standards development process.

NIST has a proud history in open cryptographic standards, beginning in the 1970s with the Data Encryption Standard. We strive for a consistently open and transparent process that enlists the worldwide cryptography community to help us develop and vet algorithms included in our cryptographic guidance. NIST endeavors to promote confidence in our cryptographic guidance through these inclusive and transparent development processes, which we believe are the best in use.

Trust is crucial to the adoption of strong cryptographic algorithms. To ensure that our guidance has been developed according to the highest standard of inclusiveness, transparency and security, NIST has initiated a formal review of our standards development efforts. We are compiling our goals and objectives, principles of operation, processes for identifying cryptographic algorithms for standardization, methods for reviewing and resolving public comments, and other important procedures necessary for a rigorous process.

Once complete, we will invite public comment on this process. We also will bring in an independent organization to conduct a formal review of our standards development approach and to suggest improvements. Based on the public comments and independent review, we will update our process as necessary to make sure it meets our goals for openness and transparency, and leads to the most secure, trustworthy guidance practicable.

Furthermore, we will be reviewing our existing body of cryptographic work, looking at both our documented process and the specific procedures used to develop each of these standards and guidelines. If any current guidance does not meet the high standards set out in this process, we will address these issues as quickly as possible.

Our mission is to protect the nation’s IT infrastructure and information through strong cryptography. We cannot carry out that mission without the trust and assistance of the world’s cryptographic experts. We’re committed to continually earning that trust.

Thursday, October 24, 2013


MENZIES AVIATION (USA), INC. v. ROBERT WILCOX, SERVISAIR, LLC, Dist. Court, Minnesota Oct 17, 2013

This matter is before the Court on Plaintiff's Motion for a Temporary Restraining Order. [Docket No. 6] The Court heard oral argument on October 17, 2013. The Court denied the motion in an October 17 Order [Docket No. 40] with a memorandum of law to follow. Accordingly, the Court hereby enters the following Memorandum of Law.

. . . . . .

The Computer Fraud and Abuse Act "provides that one who suffers `damage or loss' because of a violation of the Act may bring a civil action for compensatory damages and injunctive relief." Mclean v. Mortgage One & Finance Corp., No. Civ.04-1158(PAM/JSM), 2004 WL 898440, at *2 (D. Minn. Apr. 9, 2004). A civil action may be brought by a person who suffers damage or loss of at least $5,000 by reason of a person's violation of the act by knowingly and with intent to defraud, accessing protected computers without authorization or in excess of his authorization and obtaining something of value of more than $5,000 in any 1-year period. 18 U.S.C. § 1030(a)(4); (c)(4)(A)(i), (g).

Menzies claims that Wilcox intentionally accessed Menzies' protected computer database and sent himself large amounts of confidential data in order to allow Servisair to unfairly compete with Menzies. The Court holds that, based on the record before it, assuming without deciding that Wilcox did engage in unauthorized access, Menzies is unlikely to be able to show that Wilcox caused any damages, let alone $5,000 in damages. The evidence in the record is that Sun Country switched from Menzies to Servisair based on reasons wholly unrelated to Wilcox and any information he may or may not have forwarded to himself.

Wednesday, October 23, 2013

Fwd: CT News Clips :: from Delicious/rcannon100 for 10/23/2013

Cybertelecom :: Federal Internet Law & Policy :: An Educational Project
Updates from Cybertelecom Delicious

US government releases draft cybersecurity framework | Security & Privacy - CNET News

via CNET News

Facebook removes Mexican beheading video | Technology |

via Technology: Internet |

Warrant required for GPS tracking of vehicles, court rules - Computerworld

via Latest from Computerworld

Facebook Removes Beheading Video, Says It Will Tighten Rules : The Two-Way : NPR

via Technology

US Government Releases Cybersecurity Framework Proposal

via CircleID

Michael Geist - Bell Claims Users Want to Be Monitored, Profiled and Tracked

via Michael Geist Blog

Switchboard: Netflix subscriber base trumps HBO's - The Washington Post

via Technology News - The Washington Post

Level 3 Switch Failure Caused Weekend ISP Outages | DSLReports, ISP Information

via DSLreports - front page

House privacy group to meet Wednesday with privacy groups, online ad rep - The Hill's Hillicon Valley

via Hillicon Valley

The Boss Is Watching: Tracking Technology Shakes Up Workplace -

via Technology


Thursday, October 17, 2013

In Which We Ponder Whether Sec. 230(c) is an Immunity or an Affirmative Defense; Evans v. HP

Procedure matters. It matters whether a defendant can dispose of a litigation right out of the gate, or whether the defendant must suffer the slings and arrows of discovery, motions, and trial before presenting a successful defense.

Procedurally, once a litigation has been initiated, defendant has a chance to say, "hey, wait a minute, there isn’t actually a cause of action here."  It's like someone suing me for being tall.  Well, yeah, but there is no recognized cause of action against being tall.  And a motion to dismiss for failure to state a claim would end the litigation right out of the gate.

Alternatively, defendant might have a defense, but must establish evidence supporting that defense. For example, I may have said that Zim is an Irken weenie, and Zim may sue me, but availing myself of truth-is-a-defense, I can prove in court that Zim is in fact an Irken weenie.  I may have been successful, but I will now receive a successful legal defense bill from my attorney.

47 U.S.C. § 230(c) protects interactive services from liability for third party content. But is this an immunity or an affirmative defense?  Can I use Sec. 230(c) to exterminate a litigation right out of the gate, or must I wait for the facts of the case to be developed? 

Today's case, Evans v. HEWLETT-PACKARD COMPANY, Dist. Court, ND California Oct. 10, 2013, explores this question.  It involves software called "The Chubby Checker" which was produced by a third-party and offered for sale through the HP App Catalogue. Suffice it to say that the title of the software was, as the court stated, "a vulgar pun."  Chubby Checker, the entertainer, sued.

Plaintiff alleged federal trademark infringement and dilution, and state causes of action including unfair competition, unauthorized use of his name, and unauthorized use of his likeness. Sec. 230(e) says that Sec. 230(c) has no effect on intellectual property law; thus the court did not dismiss those claims.  However, the rest of plaintiff's claims "were held barred by the preemption provision in Section 230."  Defendant's app store is an online interactive service; the app in question is content produced by a third party.

Plaintiff attempted to solve this problem by amending its complaint and adding some more causes of action.  Plaintiff argued, in the first place, that Sec. 230 is an affirmative defense and not proper for a motion to dismiss.  Before defendant can get out of this litigation, we need to get into the facts of the case, argues plaintiff.

Some courts have been uncomfortable with letting defendants cash in their "Get Out of Litigation Free" cards so easily. For these courts, Sec. 230(c) does not create an immunity. See City of Chicago v. StubHub!, Inc., 624 F.3d 363, 366 (7th Cir. 2010); Barnes v. Yahoo!, Inc., 570 F.3d 1096, 1100 (9th Cir. 2009).  On the other hand, "[o]rdinarily, courts 'aim to resolve the question of § 230 immunity at the earliest possible stage of the case because that immunity protects websites not only from `ultimate liability,' but also from `having to fight costly and protracted legal battles.''" Nemet Chevrolet v., 591 F.3d 250, 255 (4th Cir. 2009). And while some courts have been hesitant to cash in those "Get Out of Litigation Free" cards (perhaps originally due to a lack of familiarity with the plumbing and business models of the Internet), the Evans court recognizes that a consensus has been developing across the courts of appeals "that § 230(c) provides broad immunity for publishing content provided primarily by third parties." Carafano v. Inc., 339 F.3d 1119, 1123 (9th Cir. 2003).  Consideration of Sec. 230 preemption is appropriate at the pleading stage in a motion to dismiss; defendant can terminate the litigation right out of the gate.

But then, maybe this "is it an immunity or an affirmative defense" thing doesn't really matter.  The Evans court leaves us with this thought:

[O]ur court of appeals has held that "the assertion of an affirmative defense may be considered properly on a motion to dismiss where the `allegations in the complaint suffice to establish' the defense." 

In other words, whatever you call it, if plaintiff's complaint doesn't have a leg to stand on, there is no reason for the litigation to proceed.  If Sec. 230(c) protects interactive services from liability, it would be nice if it also protected interactive services from futile litigation expenses.

Thursday, October 10, 2013

The Boundary Between Sec. 230 Immunity and Liability: Jones v. Dirty World Entertainment Recordings

Out in the wilderness of cyberspace is a boundary, marking the limits of Sec. 230 immunity. On the one side roam interactive services hosting third party content, immune from liability for that third party content. On the other side is the frontier, where interactive content hosts and creators meet, merge, and become one. Here host and author blend, collaborating to give rise to new creations. Hosts herd authors towards a potentially desolate land desecrated with insinuation, defamation, and slanderous allegations. Here, Sec. 230 has no power to protect.

We have been to the frontier before. The lead case unfolded in 2008: Fair Housing Council of San Fernando Valley v., LLC, 521 F.3d 1157, 1164-65 (9th Cir. 2008) (en banc). Here, according to the court, third-party authors that wished to post to were required to fill out a questionnaire and were required to answer questions that were alleged to violate federal and state housing discrimination laws. Where the host requires third-parties to answer certain questions, and answer in ways that are problematic, "such acts constituted the 'creation or development of information' and thus made the site an 'information content provider' within the scope of 47 U.S.C. § 230(c) and (f)(3)." Both host and third-party are now potentially liable for the created content. 

Jones v. Dirty World Entertainment Recordings, LLC (Eastern District Kentucky Aug. 2013) is the latest case to explore the frontier, and this litigation has been explored through two trials.  From the first trial, we are informed that:
Defendant Dirty World, LLC operates, from its principal place of business in Arizona, an Internet web site known as "the" This web site invites and publishes comments by individuals who visit the site, and defendant Hooman Karamian, a/k/a Nik Richie ("Richie"), responds to those posts and publishes his own comments on the subjects under discussion.
Plaintiff Sarah Jones is a citizen of Kentucky; a resident of Northern Kentucky; a teacher at Dixie Heights High School in Edgewood Kentucky; and a member of the Cincinnati BenGals, the cheerleading squad for the Cincinnati Bengals professional football team.
The conflict ensued over comments posted to Defendant's website about plaintiff.
[T]he evidence conclusively demonstrates that these postings and others like them were invited and encouraged by the defendants by using the name "" for the website and inciting the viewers of the site to form a loose organization dubbed "the Dirty Army," which was urged to have "a war mentality" against anyone who dared to object to having their character assassinated.
Specifically, defendant Richie added his own comments to the defamatory posts concerning plaintiff. For example, on December 7, 2009, a third-party posted, under a large photo of plaintiff:
Nik, here we have Sarah J, captain cheerleader of the playoff bound cinci bengals . . Most ppl see Sarah as a gorgeous cheerleader AND highschool teacher . . yes she's also a teacher . . but what most of you don't know is . . Her ex Nate . . cheated on her with over 50 girls in 4 yrs . . in that time he tested positive for Chlamydia Infection and Gonorrhea . . so im sure Sarah also has both . . whats worse is he brags about doing sarah in the gym . . football field . . her class room at the school she teaches at DIXIE Heights.
To this, Richie added his own tagline, in bold: "Why are all high school teachers freaks in the sack? — nik."  The tagline and original message appear on one page as a single story.
For the court, defendant's website has crossed into the frontier and is a participant in the content creation. Not only is defendant driving third-parties to make scandalous comments, defendant, by adding comments "effectively ratified and adopted the defamatory third-party post." According to the court, defendant continued to drive third parties by commenting: "I love how the DIRTY ARMY has war mentality;" "Never try to battle the DIRTY ARMY;" and "You dug your own grave here Sarah." The court concludes, defendant "played a significant role in 'developing' the offensive content such that he has no immunity under the CDA." 

There is a boundary between neutral host and content creator. When an interactive service traverses that boundary, the host potentially moves out from underneath the protection of Sec. 230 immunity. 

Sunday, October 06, 2013

In Which We Consider the Meaning of 'Authorized': GIVAUDAN FRAGRANCES CORPORATION v. Krivda

"When I use a word," Humpty Dumpty said in rather a scornful tone, "it means just what I choose it to mean — neither more nor less."
"The question is," said Alice, "whether you can make words mean so many different things."
"The question is," said Humpty Dumpty, "which is to be master— that's all."
- Lewis Carroll, Through the Looking Glass
What does authorized access mean? If an employee with authorized access to a computer system goes into that system, downloads company secrets, and hands that information over to the company's competitor, did that alleged misappropriation of company information constitute unauthorized access?

This is no small question. If the access is unauthorized, the employee potentially violated the Computer Fraud and Abuse Act (CFAA). But courts get uncomfortable here. They are uncomfortable when contractual disputes morph into criminal violations. If, for example, a site's Terms of Service says that I must use my real name, and I use a pseudonym, is my access unauthorized? We have seen over-zealous prosecutors attempt to transform a TOS into something that can get you thrown on The Rock. Courts don't like it.

But not all the courts agree; there is a split between the Circuit Courts that believe such actions by an employee constitute a criminal violation of the CFAA - and those courts that believe that the matter is best handled as a breach of contract between employer and employee.

Today's court decision comes from the District Court in New Jersey (which is in the 3rd Circuit): GIVAUDAN FRAGRANCES CORPORATION v. Krivda, Dist. Court, D. New Jersey Sept. 26, 2013. The facts of this case are as might be expected:
In early May, 2008, Krivda resigned his employment with Plaintiff, Givaudan Fragrances ("Givaudan") where he was a perfumer. Prior to his last day on the job, Krivda allegedly downloaded and copied a number of formulas for fragrances. The parties acknowledge the formulas as trade secrets. Soon thereafter, Krivda commenced employment as a perfumer with Mane USA (Mane), a Givaudan competitor. Givaudan alleges that Krivda gave the formulas to Mane — an act of misappropriation.
Plaintiff Givaudan sued. Before the court is Defendant Krivda's Motion to Dismiss the CFAA cause of action. Defendant argued that since his alleged access of Plaintiff's computers while employed was authorized, it could not constitute unauthorized access pursuant to the CFAA. 

The New Jersey District Court looks to the 9th Circuit (the West Coast) as one of the lead Circuits that has considered this issue.
Generally, the Computer Fraud and Abuse Act § 1030(a)(4), prohibits the unauthorized access to information rather than unauthorized use of such information. The Ninth Circuit has explained that "a person who `intentionally accesses a computer without authorization' . . . accesses a computer without any permission at all, while a person who `exceeds authorized access' . . . has permission to access the computer, but accesses information on the computer that the person is not entitled to access." The inquiry depends not on the employee's motivation for accessing the information, but rather whether the access to that information was authorized. While disloyal employee conduct might have a remedy in state law, the reach of the CFAA does not extend to instances where the employee was authorized to access the information he later utilized to the possible detriment of his former employer.
(Citations and other stuff omitted). 

In the case at hand, the defendant employee had, at the time, authorization to access plaintiff's computers and the specific information at issue. The phrase in the CFAA about someone exceeding their authorization doesn't help plaintiff either; this refers to the situation where someone has authority to access one system, and then accesses another system beyond the one they are authorized to access. That ain't here. Plaintiff argues, "Well, defendant didn't have our authority to review and print the information." To which the court responds, "oh come on!"

Defendant's Motion to Dismiss Plaintiff's CFAA claim was granted. Defendant may have other trouble with Plaintiff, but violating the federal Computer Fraud and Abuse Act ain't one of them.

Monday, September 30, 2013

NJ Content Liability Law Ruled Inconsistent with Sec. 230 (just like a Washington Law and a Tennessee Law)

Unfortunate problems give rise to unfortunate solutions.

Back in a time before most members of Congress or prosecutors knew that there was an Internet, there was Prodigy. Prodigy, as part of its service, ran family-friendly chat rooms that it moderated in an effort to keep kids protected from unfortunate content. In a different Prodigy chat room, some unknown third party said something apparently bad about an investment firm Stratton-Oakmont. Stratton-Oakmont didn't like that very much, and sued. But not able to reach out and touch the third party, Stratton-Oakmont sued the intermediary Prodigy. The court observed Prodigy taking discretion with what could and could not be posted in the family-friendly chat room, and determined that Prodigy was acting in an editorial capacity, was a publisher, and was therefore responsible for all content published on its service - including the negative third-party comment about Stratton-Oakmont.

Parable of the Good Samaritan
Congress didn't like that very much. Congress had been warned that there was unfortunate content on the Internet. And Congress had been told that Prodigy, as a result of its efforts to make the Internet safer, was punished with liability. Congress was also told that it was next to impossible for online services to monitor the massive amounts of content that flowed through its pipes or is hosted on its servers. Therefore, Congress passed the Good Samaritan Provision, 47 U.S.C. § 230 (an amendment to the Communications Decency Act, which was in turn an amendment to the Telecommunications Act of 1996).

The Good Samaritan Provision established two principles: First, interactive online services (broadly defined) are not liable for third party content. Second, interactive services are not liable for actions taken to make the Internet safer. Sec. 230 has been wildly successful, has been described as the greatest Internet law, and as the necessary legal condition to make the interactive Internet possible (of course, back in the real good old days, when the communications network was not liable for the content it carried, this was a tenet of 'common carriage.').

Unfortunately, as Miss Texas Teen USA observed in 1998*, "There's a lot of weirdos on the Internet." The Attorneys' General job is to fight those weirdos and the unfortunate things they do. In order to promote their unfortunate behavior, weirdos place ads on services like Craigslist, Backpage, and other online advertisement services. The Attorneys General want this unfortunate activity stopped, and since they have trouble sometimes reaching out and touching those weirdos, the Attorneys General reach out and touch the intermediary online services. The Attorneys General have tried very hard to change the rules, to change Sec. 230, and to make online services liable for the unfortunate content of third-party weirdos, out of the belief that this will somehow make things better.

The Attorneys General reached out to state legislatures and convinced them that something needed to be done. And therefore several states passed laws that would make online services liable for third-party weirdo advertisements of unfortunate things. These states include Washington, Tennessee, and New Jersey. Online Services didn't like that very much - and sued.

The Attorneys General lost in Washington and they lost in Tennessee. And now the Attorneys General have lost in New Jersey. And they lost big. In Washington, sued and a temporary injunction was immediately granted. Its request for a permanent injunction was granted after a hearing. The state of Washington agreed not to pursue the matter further and agreed to pay's attorneys fees.

Tennessee passed similar legislation. again sued and again received an injunction. The trial court wrote
The Constitution tells us that when freedom of speech hangs in the balance—the state may not use a butcher knife on a problem that requires a scalpel to fix. Nor may a state enforce a law that flatly conflicts with federal law. Yet, this appears to be what the Tennessee legislature has done in passing the law at issue.
Tennessee agreed not to pursue the matter further and the entered into a final judgment invalidating the law.

But we're not done. In early 2013, New Jersey enacted legislation making it a crime if
the person knowingly publishes, disseminates, or displays, or causes directly or indirectly, to be published, disseminated, or displayed, any advertisement for a commercial sex act, which is to take place in this State and which includes the depiction of a minor;
This NJ law was modeled after the Washington law. And while the unfortunate content in question makes the heart cry of anyone who reads it, it does not mean that making interactive online services liable for the unfortunate content of third parties is coherent, feasible, effective, or consistent with the First Amendment.

Once again a federal court in v. John Jay Hoffman, Acting Attorney General of the State of New Jersey (D.N.J. Aug. 20, 2013) struck down the law. There are multiple problems with the NJ law.

First, when a state law and a federal law conflict, the federal law preempts the state law pursuant to the Constitution's Supremacy Clause. The state law would make interactive services liable for the content of third parties; the federal law 47 U.S.C. § 230 states that interactive services are not liable for third party content. The Federal law preempts the state law.

But there is a further Sec. 230 problem that the court highlights. Sec. 230 was designed to protect interactive services that seek to make their services safer. The NJ law would have made it a crime to knowingly publish unfortunate content. This creates an unintended and unwanted incentive on the part of interactive services to not know what they are publishing - or in other words, to take no steps toward making their services safe. Again, this is a conflict between the state law and the federal law, and the federal law trumps.

The NJ statute also runs afoul of the First Amendment. According to the First Amendment, to the extent that you actually can be liable for publishing content, you must knowingly publish that content. The statute as written, in addition to knowing publications, would make an online service liable if it, without knowledge, directly or indirectly, causes the content to be published, disseminated, or displayed. As Congress concluded with the passage of Sec. 230, interactive services have little ability to monitor, review, or know all the content that flows over, is hosted on, or is posted to their services. The NJ statute is unconstitutional to the extent that it would make interactive services liable for the posting of content of which they have no knowledge.

Second, the law is not the least restrictive means of achieving a compelling government interest (going after individuals engaged in abuse of children would be more effective and less restrictive than indirectly going after intermediary communications services). Third, the NJ statute is filled with vague terms and overbroad requirements. Finally, the Court finds that the NJ statute would violate the Commerce Clause.

Unfortunate problems give rise to unfortunate solutions. Too often when confronted with unfortunate problems, those in authority feel that they must do "something," regardless of whether that "something" is such a good idea. Frequently the "something" is a thing that is immediate and visible, and gives a false sense of security. It gives the feeling that the government has acted, where in fact it has not - and it may have even made things worse.

There is no denying that there is darkness out there that needs to be confronted. But as Congress rightly determined almost 20 years ago, attacking communications intermediaries for third party content is not the solution.

Tuesday, August 06, 2013

IP Address =/= Individual Culpability. Breaking Glass Pictures v Does, DAZ 2013 #230 #CDA #copyright

Oh, I really like this decision. Here is a court that understands the vagaries of the Internet.

Pop Quiz:  Something bad happens online.  I can tie that something-bad back to an IP address.  Do I know who did the bad thing??

Answer: N'ah!  According to the court, an IP address may identify an account owner; it does not identify who was using the Internet at that particular time and who may be responsible for the actions in question.

Ouch! But it's right. Imagine.... (oh I hate analogies).... imagine a TV set is on in a house... and for some reason that is bad. Do I know who was watching the TV? Of course not. And in certain houses (group houses, duplexes, apartment buildings, dormitories, office buildings) that could be a lot of people. And even if only one person lives at that house, it could be a guest or it could be the guy outside walking his dog who happens to look in the window. There is a plethora of people who could be watching that TV at any given moment in any given living arrangement.

In Breaking Glass Pictures v Does, DAZ 2013, Plaintiff brought a claim for copyright infringement and wants early discovery, but the court is refusing. Plaintiff wants an ISP to identify the subscribers that are matched to certain IP addresses so that Plaintiff can then sue those defendants in place of the "Does."

In a previous order, the court concluded that this effort 'was not "very likely" to uncover the identities of individuals who could legitimately be named as Defendants.'  Connecting an IP address to a subscriber gets you only the name of the subscriber, not the name of the person who was engaged in the conduct at issue.  To put it simply, Plaintiff cannot merely guess at who engaged in the conduct - Plaintiff must allege some basis that the defendant in question is the person engaged in the conduct.  Lacking that, Plaintiff does not get to just keep suing until he gets it right.
But the complication that Plaintiff fails to discuss is that it is not enough to simply identify the subscribers behind particular IP addresses to state a plausible claim for copyright infringement against those individuals. Instead, a plausible claim must be supported by factual allegations establishing that the particular person identified as a defendant was, in fact, the individual who engaged in wrongful conduct. In other words, discovery to identify the ISP subscribers is only the starting point. Plaintiff will also need to conduct discovery to determine who was using the Internet connection at the time the alleged infringement occurred. Plaintiff will then have to amend its complaint to allege the facts supporting its claim against each individual. The fact that Plaintiff needs discovery to unearth the factual basis for its claims is precisely the conundrum referenced in the Court's prior order regarding recent Supreme Court authority.
According to the Supreme Court, "a complaint must contain sufficient factual matter, accepted as true, to state a claim to relief that is plausible on its face." Ashcroft v. Iqbal, 556 U.S. 662, 679 (2009) (quotations omitted). It is not enough for a complaint to plead facts "that are merely consistent with a defendant's liability." Id. at 678 (quotation omitted). Instead, the complaint must go further and "nudge[] [the] claims . . . across the line from conceivable to plausible." Id. at 680 (quotation omitted). And "where the well-pleaded facts do not permit the court to infer more than the mere possibility of misconduct, the complaint has alleged — but it has not shown — that the pleader is entitled to relief." Id. at 679.
Plaintiff's current complaint alleges the subscribers, identified as John and Jane Does, engaged in direct copyright infringement. (Doc. 1 at 14). But the complaint contains no factual allegations setting forth that the subscribers were, in fact, the individuals using the Internet connections at the relevant time. Thus, it is conceivable that the subscribers were using the connection but it is equally plausible that someone other than the subscribers were using the connection. In fact, the motion for reconsideration concedes this point. (Doc. 10 at 7). Thus, the complaint does nothing more than make vague allegations that are consistent with the subscribers' liability for copyright infringement. Because those allegations are also consistent with the subscribers not being liable, Plaintiff has not stated plausible claims against the subscribers.
It is not enough that the subscriber associated with an IP address might have been the person engaged in the questionable conduct - the Plaintiff must have sufficient evidence that the person named as defendant actually was the person that engaged in the questionable conduct. Suing until you get it right don't work.

Defendant then trots out an old argument that the subscriber of an Internet access service is responsible for everything that happens on that service.  In other words, the subscriber would be negligent for letting bad things happen; the subscriber would be negligent for improperly securing their Internet access.
The courts that have addressed this issue, however, have concluded there is no duty to secure your Internet connection. See, e.g., New Sensations, Inc. v. Does 1-426, 2012 WL 4675281 at *6 (N.D. Cal. Oct. 1, 2012) (rejecting negligence claim based on failure to secure Internet connection by stating "common sense dictates most people in the United States would be astounded to learn that they had such a legal duty"). And absent a recognized duty, the negligence claim is fatally flawed.
Even if the Court were to assume the subscribers had a duty to secure their Internet connections, Plaintiff's negligence claim likely would be preempted by the Copyright Act or barred by the Communications Decency Act. See, e.g., AF Holdings, LLC v. Doe, 2012 WL 4747170 at * (N.D. Cal. Oct. 3, 2012).
Okay, let's see how the umpires score this:  
Early discovery is denied because
  • IP addresses reveal account subscribers; not the individual using the Internet and engaged in the conduct at issue;
  • Subscribers have no duty to secure their Internet connection; and 
  • Subscribers are not liable for what other people do over their Internet connections.
The subscriber to an Internet account is an intermediary.  It is the person who negotiates with the ISP and pays the bill.  But who uses that account can range in the multitude.  And as we have seen time and again over history, it can be extremely difficult if not impossible for that intermediary to monitor and control everything that transpires over that connection.  That is why Congress prudently passed 47 USC 230 which makes clear that online services (including subscribers) are not responsible for what other people do and say online. To hold otherwise would be to so encumber Internet access that there could be no public WiFi points, no sharing your Internet with your guests, and ridiculous indemnity forms for checking your email. It's just a bad idea.

Tuesday, July 23, 2013

As the NebuAd Litigation Turns.... Mortensen v. Bresnan Communications

The litigation fallout from ISPs' partnerships with NebuAd continues. Today's decision is the latest chapter out of a lawsuit against a Montana ISP:
In 2008, Bresnan [Defendant ISP] entered into a temporary arrangement with advertising company NebuAd, Inc. Under the arrangement, in exchange for a share of NebuAd's advertising revenue, Bresnan [Defendant ISP] allowed NebuAd to place an appliance in its Billings, Montana, network. The appliance allowed NebuAd to gather information and create profiles of subscribers in order to target them with preference-sensitive advertising. Bresnan contends that it provided specific notice to consumers about the NebuAd trial and allowed individuals to opt out. Under a heading labeled "About Advanced Advertising," the company website provided detailed information about the trial. It also gave a list of thirteen frequently asked questions with corresponding answers that assured customers that no personally identifying information, such as first and last name, physical street address, email address, telephone numbers, or social security numbers would be collected. Plaintiffs contend that this notice was misleading and that consent was never obtained.
Plaintiffs brought suit against Defendant ISP for violations of the Electronic Communications Privacy Act (dismissed previously), the Computer Fraud and Abuse Act, Montana state privacy law (dismissed previously), and trespass to chattels.

Today's decision takes a contortious turn, not on Internet law (my normal beat), but on the Supremacy Clause of the U.S. Constitution and Defendant ISP's choice of law provision in the terms of service.  Today's case involves a Montana subscriber, an ISP doing business in Montana, an action that transpired in Montana, and a claim for a violation of a Montana law.  Pop Quiz: what state's law should apply??

Hint: The ISP is headquartered in New York and incorporated in Delaware.

Hint two:  The terms of service say that the law of New York applies (thus a cause of action based on Montana law would be bupkis).

Hint Three: The terms of service say that all claims shall be submitted to arbitration pursuant to the Federal Arbitration Act.

Okay, that seems unfair.  The case involves a Montana subscriber, an ISP's operations in Montana, and a violation that purportedly transpired in Montana.  Why should New York's law apply?? 

And when it seems this unfair, and when the customer has no choice in the matter, we call this a contract of adhesion, void as a matter of public policy. That's what the lower court concluded, stating that Montana citizens had a constitutional right to trial by jury and access to the courts. Therefore, Plaintiff's litigation should go forward.

Not so fast, said the appeals court.  You see, there is this federal law called the Federal Arbitration Act, and it strongly favors arbitration. "Any general state-law contract defense, based in unconscionability or otherwise, that has a disproportionate effect on arbitration is displaced by the FAA."  If you are going to say that a contractual provision requiring arbitration is unconscionable because of some Montana law, then that state law is preempted - you lose.

Now comes the twister: The Federal Arbitration Act just kicked the legs out from under Montana saying its citizens have a right to a trial over arbitration. Okay, what about the choice of law? Does Montana law or New York law apply? "Montana uses the Restatement (Second) of Conflict of Laws § 187(2), which finds a choice-of-law provision overcome where
(1) Montana has a materially greater interest in the transaction than the state whose law was selected by the parties and 
(2) application of the selected state's law would be contrary to Montana's public policy."
Does Montana have a greater interest in this case?  Sure, says the court.  "The contract was received by the consumers in Montana as part of their Welcome Kit, and the contract governed services provided in Montana to Montana residents. The subject matter of the contract and performance of it took place almost entirely in Montana."

But here's the problem.  With the preemption of Montana law by the Federal Arbitration Act, there is no longer a public policy conflict with Montana law.  New York law favors arbitration; Montana law does not - Montana's disfavorance of arbitration got the boot.  Lacking a public policy conflict, the test for overriding a choice-of-law provision in a contract now fails.

Outside of the legal holding and the status of this litigation, the Court provides background on how another NebuAd litigation was resolved:
After NebuAd's temporary arrangement with Bresnan to gather information from the subscribers ended, a class of plaintiffs, including those involved in the present action, brought suit in the United States District Court for the Northern District of California against NebuAd and several Internet service providers who hosted NebuAd appliances, including Bresnan. Bresnan and the other providers moved to dismiss the action for lack of personal jurisdiction and failure to state a claim. The district court granted this motion finding personal jurisdiction lacking. Valentine v. NebuAd, Inc., No. C08-05113 TEH, 2009 WL 8186130, at *3-10 (N.D. Cal. Oct. 6, 2009). NebuAd became the sole defendant in that action and eventually reached a court-approved settlement with the plaintiffs.
According to Wikipedia, "Due to fallout following public and Congressional concern, NebuAd's largest ISP customers have all pulled out. NebuAd closed for business in the UK in August 2008, followed by the US in May 2009. NebuAd UK Ltd was dissolved in February 2010."