Tuesday, July 23, 2013

As the Nebuad Litigation Turns.... Mortensen v. Bresnan Communications

The litigation fallout from ISPs partnership with Nebuad continues.  Today's decision is the latest chapter out a lawsuit against a Montana ISP:
In 2008, Bresnan [Defendant ISP] entered into a temporary arrangement with advertising company NebuAd, Inc. Under the arrangement, in exchange for a share of NebuAd's advertising revenue, Bresnan [Defendant ISP] allowed NebuAd to place an appliance in its Billings, Montana, network. The appliance allowed NebuAd to gather information and create profiles of subscribers in order to target them with preference-sensitive advertising. Bresnan contends that it provided specific notice to consumers about the NebuAd trial and allowed individuals to opt out. Under a heading labeled "About Advanced Advertising," the company website provided detailed information about the trial. It also gave a list of thirteen frequently asked questions with corresponding answers that assured customers that no personally identifying information, such as first and last name, physical street address, email address, telephone numbers, or social security numbers would be collected. Plaintiffs contend that this notice was misleading and that consent was never obtained.
Plaintiffs brought suit Defendant ISP for violations of the Electronic Communications Privacy Act (dismissed previously), the Computer Fraud and Abuse Act, Montana state privacy law (dismissed previously), and trespass to chattels. 

Today's decision takes a contortious turn, not on Internet law (my normal beat), but on the Supremacy Clause of the U.S. Constitution and Defendant ISP's choice of law provision in the terms of service.  Today's case involves a Montana subscriber, an ISP doing business in Montana, an action that transpired in Montana, and a claim for a violation of a Montana law.  Pop Quiz: what state's law should apply??

Hint: The ISP is headquartered in New York and incorporated in Delaware.

Hint two:  The terms of service say that the law of New York applies (thus a cause of action based on Montana law would be bupkis).

Hint Three: The terms of service says that all claims shall be submitted to arbitration pursuant to the Federal Arbitration Act.

Okay, that seems unfair.  The case involves a Montana subscriber, an ISP's operations in Montana, and a violation that purportedly transpired in Montana.  Why should New York's law apply?? 

And when its seems this unfair, and when the customer has no choice in the matter, we call this a contract of adhesion, void as a matter of public policy.  That's what the lower court concluded, stating that Montana citizens had a constitutional right to trail by jury and access to the courts. Therefore, Plaintiff's litigation should go forward.

Not so fast, said the appeals court.  You see, there is this federal law called the Federal Arbitration Act, and it strongly favors arbitration. "Any general state-law contract defense, based in unconscionability or otherwise, that has a disproportionate effect on arbitration is displaced by the FAA."  If you are going to say that a contractual provision requiring arbitration is unconscionable because of some Montana law, then that state law is preempted - you lose.

Now comes the twister:  The Federal Arbitration Act just kicked the legs out from Montana saying its citizens have a right to a trail over arbitration.  Okay, what about the choice of law?  Does Montana law or New York law apply?  "Montana uses the Restatement (Second) of Conflict of Laws § 187(2), which finds a choice-of-law provision overcome where 
(1) Montana has a materially greater interest in the transaction than the state whose law was selected by the parties and 
(2) application of the selected state's law would be contrary to Montana's public policy."
Does Montana have a greater interest in this case?  Sure, says the court.  "The contract was received by the consumers in Montana as part of their Welcome Kit, and the contract governed services provided in Montana to Montana residents. The subject matter of the contract and performance of it took place almost entirely in Montana."

But here's the problem.  With the preemption of Montana law by the Federal Arbitration Act, there is no longer a public policy conflict with Montana law.  New York law favors arbitration; Montana law does not - Montana's disfavorance of arbitration got the boot.  Lacking a public policy conflict, the test for overriding a choice-of-law provision in a contract now fails.

Outside of the legal holding and the status of this litigation, the Court provides background on how another Nebuad litigation was resolved:
After NebuAd's temporary arrangement with Bresnan to gather information from the subscribers ended, a class of plaintiffs, including those involved in the present action, brought suit in the United States District Court for the Northern District of California against NebuAd and several Internet service providers who hosted NebuAd appliances, including Bresnan. Bresnan and the other providers moved to dismiss the action for lack of personal jurisdiction and failure to state a claim. The district court granted this motion finding personal jurisdiction lacking. Valentine v. NebuAd, Inc., No. C08-05113 TEH, 2009 WL 8186130, at *3-10 (N.D. Cal. Oct. 6, 2009). NebuAd became the sole defendant in that action and eventually reached a court-approved settlement with the plaintiffs.
According to Wikipedia, "Due to fallout following public and Congressional concern, NebuAd's largest ISP customers have all pulled out. NebuAd closed for business in the UK in August 2008, followed by the US in May 2009. NebuAd UK Ltd was dissolved in February 2010."

Wednesday, July 17, 2013

Braverman Take Two - When Sec. 230 Meets Data Mash-Up

At first, I thought Braverman v. YELP, INC., 2013 NY Slip Op 31407 - NY: Supreme Court 2013 was another roll-your-eyes, when-are-local-attorneys-going-to-learning-about-Sec.-230 case.  After all it fits the stereotypical mold: third-party patronizes merchant; third-party writes negative review on website; merchant sues website; website boots lawsuit based on Sec. 230.  The program for this case is not new; you've seen this drama play out through and through.

But the more I pondered this court decision, the more it elucidated a hidden conundrum.  The court in Roommate.com established that there is some mystic line that websites cross, moving from hosts of third-party content to becoming creators of content.  In Roommates.com, the website asked potentially discriminatory questions and required users to answer the questions as a condition of setting up profiles. In requiring users to create inappropriate content, the website's actions, the court concluded, rose above permissible minor edits or selecting which third-party content to publish. The website had become a producer of the questionable content and therefore was not immune from liability under Sec. 230.

Braverman involves Yelp, a dentist, and a negative review.  The dentist didn't like the review and therefore sued Yelp. Yelp whipped out its copy of United States Code, Title 47, and checked to see if Sec. 230 was still in it. It was. Therefore, Yelp filed that same motion that has been filed 1000s of times before by review sites: motion to dismiss for failure to state a cause of action, Rule 12(b)(6); a review site is not liable for third-party content. Third-party reviews are the responsibility of the author of the review and not the website. The Court agreed.

"But wait a minute," argued Plaintiff's attorney.  Yelp is not just some neutral actor here.  If you frequent Yelp, you might know that Yelp has filters with which Yelp selects some reviews to show and other reviews to hide (you can see them if you solve a CAPTCHA). This has led to consternation and controversy. Yelp's selection of which reviews to show can significantly alter the appearance of the merchant in question - and because of this, Yelp, Plaintiff's attorney argued, became a publisher of the negative review in question.

Nope, says the court.  Selecting which third-party content to publish is protected by Sec. 230: 
Yelp's alleged act of filtering out positive reviews does not make Yelp the creator or developer of the alleged defamatory reviews. Yelp's choice to publish certain reviews — whether positive or negative — is an exercise of a publisher's traditional editorial function protected by the CDA. Batzel v. Smith, 333 F.3d 1018, 1030 (9th Cir. 2003) (finding that it is an editorial function to "choose among proferred material"); Barnes v. Yahoo!, Inc., 570 F.3d 1096 (9th Cir. 2009) (finding that it is an editorial function to decide "whether to publish or to withdraw from publication third-party content"). Moreover, Section 230 does not distinguish between neutral and selective publishers in its grant of immunity. Shiamili, 17 N.Y.3d at 289.
Okay, but, wait.  I mean, come on.  Hear me out on this one.

Roommate.com established that Sec. 230 is not absolute - that there is a point where the line between the third-party and the website becomes blurred, and the website can no longer claim to have never met the third-party on the street. Yelp is playing a numbers game. By manipulating the numbers, Yelp changes review outcomes - controlling the flow of consumer business as consumers follow the top reviews. Given most sets of third-party reviews, Yelp can select certain reviews and make a merchant look marvelous or miserable. It isn’t the third parties creating that aggregated data representation of the merchant - it's Yelp through Yelp's manipulation of the data.

Let's go to the videotape.  At the time of this blog post (not at the time of the court case), the dentist in question had 30 reviews.  Three were visible; 27 were hidden.  The reviewers could give one to five stars. The visible average rating was "1." The average rating of all the reviews (hidden and unhidden) was "4.3;" the median rating of all reviews was "5." That's a rather significantly different average rating than the visible "1."  There were five ratings of "1;" one rating of "4;" and twenty-four ratings of "5."  Charted out, we get something that looks like this:

Does this dentist look like a "1"? Again, if we display the data as a donut chart, we get the following:

Why plot it out as a donut chart?  I like donuts!

Eighty percent of the reviews were "5;" 83% were "4" or above.  Only 17% of the reviews were a "1." And yet somehow, through Yelp's selection of certain reviews and hiding of others - Yelp manipulates the result.

Yelp isn’t presenting third-party content here; the third-party content - the data - says this dentist is pretty good. Yelp is manipulating data to produce new content. This isn’t content that the third-parties provided; this is content that Yelp created by its interaction with data.  And through this interaction, Yelp can turn any highly-rated merchant into a stink-pot, and any stinky merchant into king-of-the-hill. 

And it can do so with impunity according to this court.  This begs the question of whether we have here crossed that Roommates line between content host and content creator.

Convinced?  Okay, what if I were to tell you that the data itself was garbage.  As you may know, there are companies out there that now are in the business of "reputation management."  For a price, they will go out and ensure that the third-party reviews of the merchant are the reviews that the merchant paid for. They will take necessary steps to ensure that a stink-pot merchant looks like king-of-the-hill for a price.

Companies like Yelp struggle to keep the value of their review sites by weeding out bogus reviews. They weed out duplicates; sandbaggers; and content that lacks credibility.  They are constantly battling with "reputation management" services that have opposing agendas.

In the case in question, it appears, for whatever reason (and it may be entirely legitimate), that eight of the reviews are duplicates.  You can see at one point one of the reviewers states "I don't know why my reviews never show up…" and proceeds to write a duplicate five-star review. 

Was this a frustrated reviewer who kept getting his reviews hidden by Yelp's tactics, or was this Yelp struggling to purge the reviews of ratings that were less than reliable?  Who knows.  But what is true is that review sites that want their reviews to be valuable struggle with invalid reviews and merchants attempting to manipulate the system. And in fact, Sec. 230 was designed exactly for this purpose.  It was designed to protect those online hosts of third party content - who take some "editorial" like actions - in order to protect the quality of the content on their service and protect users from fraud and other malicious garbally gook. Congress did not want services that attempted to do good by policing their content to be transformed into publishers, liable for third party content.

So, um, where do we come out on this?

Simple answer: case dismissed; Yelp is not liable for third party reviews.

Complex answer: To understand data and big data, there is a difference between third party content and how that data is handled in the aggregate. Manipulation of data produces results that may not be true to or consistent with that third party data. Manipulation of data produces new content created by the manipulator, not by the third-parties. Who is responsible for the new content created through the manipulation of data?

"If this sentence is quoted from a third party, is the sentence mine or the third party's?" 

"If" "every" "word" "in" "this" "sentence" "is" "quoted" "from" "a" "third" "party," "is" "the" "sentence" "mine" "or" "the" "third" "party's?"

"I""f" "e""v""e""r""y"" "l""e""t""t""e""r""… oh you get the idea.

There is a point where we cross the magical Roommates.com line, where third-party content, aggregated, manipulated, and machinated by me, becomes new content.

Sunday, July 14, 2013

VID :: Douglas Engelbart 2002 Interview by John Markoff (Computer History Museum)

An absolutely marvelous interview by technology reporter John Markoff of Douglas Engelbart about his life and his path to becoming a computer pioneer. Produced by the Computer History Museum and posted to Youtube July 10, 2013.

Monday, July 08, 2013

ART :: Sunberg, Danielle E., Reining in the Rogue Employee: The Fourth Circuit Limits Employee Liability Under the CFAA (June 27, 2013). American University Law Review

Sunberg, Danielle E., Reining in the Rogue Employee: The Fourth Circuit Limits Employee Liability Under the CFAA (June 27, 2013). American University Law Review, Vol. 62, No. 5, 2013. Available at SSRN: http://ssrn.com/abstract=2286316

Abstract: The Fourth Circuit’s opinion in WEC Carolina Energy LLC v. Miller reflects a growing trend among the courts to adopt a narrow code approach to employee liability under the Computer Fraud and Abuse Act. The case exacerbates the existing circuit split and reinforces the need for reconciling when an employee accesses a computer “without authorization.” While resolution from the judiciary remains remote, Congress is engaged in a lively debate over the proper interpretation of the term “without authorization.” Recent legislative proposals suggest that Congress has united in support of limiting liability for unauthorized access under the CFAA to the circumvention of technological barriers. Support for this restrictive interpretation signifies that until the ambiguity in the law is clarified, future undecided courts should follow in the Fourth Circuit’s footsteps and adopt the code approach to determine employee liability under the CFAA.

ART :: Schwartz, Paul M., Information Privacy in the Cloud (May 1, 2013). University of Pennsylvania Law Review

Schwartz, Paul M., Information Privacy in the Cloud (May 1, 2013). University of Pennsylvania Law Review, Vol. 161, No. 1623 (2013). Available at SSRN: http://ssrn.com/abstract=2290303

Abstract:  Cloud computing is the locating of computing resources on the Internet in a fashion that makes them highly dynamic and scalable. This kind of distributed computing environment can quickly expand to handle a greater system load or take on new tasks. Cloud computing thereby permits dramatic flexibility in processing decisions – and on a global basis. The rise of the cloud has also significantly challenged established legal paradigms. This Article analyzes current shortcomings of information privacy law in the context of the cloud. It also develops normative proposals to allow the cloud to become a central part of the evolving Internet. These proposals rest on strong and effective protections for information privacy that are sensitive to technological changes.

This Article examines three areas of change in personal data processing due to the cloud. The first area of change concerns the nature of information processing at companies. For many organizations, data transmissions are no longer point-to-point transactions within one country; they are now increasingly international in nature. As a result of this development, the legal distinction between national and international data processing is less meaningful than in the past. Computing activities now shift from country to country depending on load capacity, time of day, and a variety of other concerns. The jurisdictional concepts of EU law do not fit well with these changes in the scale and nature of international data processing.

A second legal issue concerns the multi-directional nature of modern data flows, which occur today as a networked series of processes made to deliver a business result. Due to this development, established concepts of privacy law, such as the definition of “personal information” and the meaning of “automated processing” have become problematic. There is also no international harmonization of these concepts. As a result, European Union and U.S. officials may differ on whether certain activities in the cloud implicate privacy law.

A final change relates to a shift to a process-oriented management approach. Users no longer need to own technology, whether software or hardware, that is placed in the cloud. Rather, different parties in the cloud can contribute inputs and outputs and execute other kinds of actions. In short, technology has provided new answers to a question that Ronald Coase first posed in “The Nature of the Firm.” New technologies and accompanying business models now allow firms to approach “make or buy” decisions in innovative ways. Yet, privacy law’s approach to liability for privacy violations and data losses in the new “make or buy” world of the cloud may not create adequate incentives for the multiple parties who handle personal data. 

VIDEO :: NAF :: The New Digital Age

From the New America Foundation 2013 Annual Conference

Friday, July 05, 2013

RFC :: NIST :: Draft Outline of Cybersecurity Framework for Critical Infrastructure :: Commets Due July 10th

NIST has released a draft outline of the Cybersecurity Framework in preparation for the upcoming July 10th Cybersecurity Framework Workshop in San Diego.  Comments are requested on or before the workshop.
NIST Tech Beat July 2, 2013: As part of its efforts to develop a voluntary framework to improve cybersecurity in the nation's critical infrastructure, the National Institute of Standards and Technology (NIST) has posted a draft outline of the document to invite public review and gather comments.
The Executive Order calling for NIST to develop the framework directs the agency to collaborate with the public and private sectors. The draft outline reflects input received in response to a February 2013 Request for Information, discussions at two workshops and other forms of stakeholder engagement.
The outline proposes a core structure for the framework and includes a user's guide and an executive overview that describes the purpose, need and application of the framework in business. Reflecting received comments that emphasized the importance of executive involvement in managing cyber risks, the framework is designed to help business leaders evaluate how prepared their organizations are to deal with cyber threats and their impacts.
"We are pleased that many private-sector organizations have put significant time and resources into the framework development process," said Adam Sedgewick, senior information technology policy advisor at NIST. "We believe that both large and small organizations will be able use the final framework to reduce cyber risks to critical infrastructure by aligning and integrating cybersecurity-related policies and plans, functions and investments into their overall risk management."
NIST also released a draft compendium of informative references composed of existing standards, practices and guidelines to reduce cyber risks to critical infrastructure industries. This material was released to foster discussion at upcoming workshops and to further encourage private-sector input before NIST publishes the official draft Cybersecurity Framework for public comment in October 2013.
Interested parties are invited to review the draft framework outline and offer comments before and during the next workshop, July 10-12, 2013, in San Diego. Direct comments should be forwarded to cyberframework@nist.gov. The draft outline and other documents related to the Cybersecurity Framework are available at http://www.nist.gov/itl/cyberframework.cfm.

Monday, July 01, 2013

RFC :: FNPRM :: Data Practices, Computer III Further Remand: Bell Operating Companies Provision of Enhanced Services

Fed Reg Notice July 1


In this Further Notice of Proposed Rulemaking (Further Notice), the Federal Communications Commission (Commission) seeks comment on how to streamline or eliminate legacy regulations contained in the Computer Inquiry proceedings and that are applicable to the Bell Operating Companies (BOCs). The FNPRM: Seeks data on the changing market for narrowband enhanced services, in particular, the extent to which enhanced service providers (ESPs) continue to need access to the BOCs' basic network transmission services offered through comparably efficient interconnection (CEI) and open network architecture (ONA) services; proposes eliminating CEI requirements and seeks comment on whether to retain only limited ONA inputs that ESPs require in areas where there are no competitive alternatives; and seeks comment on the need for the continuing application of the All-Carrier Rule that requires non-BOC incumbent local exchange carriers (LECs) to offer non-discriminatory access to basic network services for unaffiliated ESPs.


Comments are due July 31, 2013, and reply comments are due August 30, 2013. Written comments on the paperwork Reduction Act proposed or modified information collection requirements must be submitted by the public, Office of Management and Budget (OMB), and other interested parties on or before [date].


Interested parties may submit comments, identified by CC Docket No. 00-175, by any of the following methods:
  • Federal eRulemaking Portal: http://www.regulations.gov. Follow the instructions for submitting comments.
  • Federal Communications Commission's Web site: http://fjallfoss.fcc.gov/ecfs2/. Follow the instructions for submitting comments.
  • People with Disabilities: Contact the FCC to request reasonable accommodations (accessible format documents, sign language interpreters, CART, etc.) by email: FCC504@fcc.gov or phone: (202) 418-0530 or TTY: (202) 418-0432.
For detailed instructions for submitting comments and additional information on the rulemaking process, see theSUPPLEMENTARY INFORMATIONsection of this document.

. . . . .