Thursday, October 24, 2013

MENZIES AVIATION (USA), INC. v. ROBERT WILCOX, SERVISAIR, LLC, Dist. Court, Minnesota Oct. 17 2013 #CFAA

This matter is before the Court on Plaintiff's Motion for a Temporary Restraining Order. [Docket No. 6] The Court heard oral argument on October 17, 2013. The Court denied the motion in an October 17 Order [Docket No. 40] with a memorandum of law to follow. Accordingly, the Court hereby enters the following Memorandum of Law.

. . . . . .

The Computer Fraud and Abuse Act "provides that one who suffers `damage or loss' because of a violation of the Act may bring a civil action for compensatory damages and injunctive relief." Mclean v. Mortgage One & Finance Corp., No. Civ.04-1158(PAM/JSM), 2004 WL 898440, at *2 (D. Minn. Apr. 9, 2004). A civil action may be brought by a person who suffers damage or loss of at least $5,000 by reason of a person's violation of the act by knowingly and with intent to defraud, accessing protected computers without authorization or in excess of his authorization and obtaining something of value of more than $5,000 in any 1-year period. 18 U.S.C. § 1030(a)(4); (c)(4)(A)(i), (g).

Menzies claims that Wilcox intentionally accessed Menzies' protected computer database and sent himself large amounts of confidential data in order to allow Servisair to unfairly compete with Menzies. The Court holds that, based on the record before it, assuming without deciding that Wilcox did engage in unauthorized access, Menzies is unlikely to be able to show that Wilcox caused any damages, let alone $5,000 in damages. The evidence in the record is that Sun Country switched from Menzies to Servisair based on reasons wholly unrelated to Wilcox and any information he may or may not have forwarded to himself.

Wednesday, October 23, 2013

Fwd: CT News Clips :: from Delicious/rcannon100 for 10/23/2013


Cybertelecom :: Federal Internet Law & Policy :: An Educational Project
Updates from Cybertelecom Delicious
Contents:

US government releases draft cybersecurity framework | Security & Privacy - CNET News

via CNET News http://news.cnet.com/

Facebook removes Mexican beheading video | Technology | theguardian.com

via Technology: Internet | theguardian.com http://www.theguardian.com/technology/internet

Warrant required for GPS tracking of vehicles, court rules - Computerworld

via Latest from Computerworld http://www.computerworld.com/

Facebook Removes Beheading Video, Says It Will Tighten Rules : The Two-Way : NPR

via Technology http://www.npr.org/templates/story/story.php?storyId=1019&ft=1&f=1019

US Government Releases Cybersecurity Framework Proposal

via CircleID http://www.circleid.com/

Michael Geist - Bell Claims Users Want to Be Monitored, Profiled and Tracked

via Michael Geist Blog http://www.michaelgeist.ca

Switchboard: Netflix subscriber base trumps HBO's - The Washington Post

via Technology News - The Washington Post http://www.washingtonpost.com/business/technology?wprss=rss_technology

Level 3 Switch Failure Caused Weekend ISP Outages | DSLReports, ISP Information

via DSLreports - front page http://www.dslreports.com

House privacy group to meet Wednesday with privacy groups, online ad rep - The Hill's Hillicon Valley

via Hillicon Valley http://thehill.com/blogs/hillicon-valley

The Boss Is Watching: Tracking Technology Shakes Up Workplace - WSJ.com

via WSJ.com: Technology http://online.wsj.com

CT News Clips is posted to the Cybertelecom-l Google Group. You can manage your subscription through Google Groups.




Thursday, October 17, 2013

In Which We Ponder Whether Sec. 230(c) is an Immunity or an Affirmative Defense; Evans v. HP

Procedure matters. It matters whether a defendant can dispose of a litigation right out of the gate, or whether the defendant must suffer the slings and arrows of discovery, motions, and trial before presenting a successful defense.


Procedurally, once a litigation has been initiated, defendant has a chance to say, "hey, wait a minute, there isn’t actually a cause of action here."  It's like someone suing me for being tall.  Well, yeah, but there is no recognized cause of action against being tall.  And a motion to dismiss for failure to state a claim would end the litigation right out of the gate.



Alternatively, defendant might have a defense, but must establish evidence supporting that defense. For example, I may have said that Zim is an Irken weenie, and Zim may sue me, but availing myself of truth-is-a-defense, I can prove in court that Zim is in fact an Irken weenie.  I may have been successful, but I will now receive a successful legal defense bill from my attorney.



47 U.S.C. § 230(c) protects interactive services from liability for third party content. But is this an immunity or an affirmative defense?  Can I use Sec. 230(c) to exterminate a litigation right out of the gate, or must I wait for the facts of the case to be developed? 



Today's case, Evans v. HEWLETT-PACKARD COMPANY, Dist. Court, ND California Oct. 10, 2013, explores this question.  It involves software called "The Chubby Checker" which was produced by a third-party and offered for sale through the HP App Catalogue. Suffice it to say that the title of the software was, as the court stated, "a vulgar pun."  Chubby Checker, the entertainer, sued.



Plaintiff alleged federal trademark infringement and dilution, and state causes of action including unfair competition, unauthorized use of his name, and unauthorized use of his likeness. Sec. 230(e) says that Sec. 230(c) has no effect on intellectual property law; thus the court did not dismiss those claims.  However, the rest of plaintiff's claims "were held barred by the preemption provision in Section 230."  Defendant's app store is an online interactive service; the app in question is content produced by a third party.



Plaintiff attempted to solve this problem by amending its complaint and adding some more causes of action.  Plaintiff argued, in the first place, that Sec. 230 is an affirmative defense and not proper for a motion to dismiss.  Before defendant can get out of this litigation, we need to get into the facts of the case, argues plaintiff.



Some courts have been uncomfortable with letting defendants cash in their "Get Out of Litigation Free" cards so easily. For these courts, Sec. 230(c) does not create an immunity. See City of Chicago v. StubHub!, Inc., 624 F.3d 363, 366 (7th Cir. 2010); Barnes v. Yahoo!, Inc., 570 F.3d 1096, 1100 (9th Cir. 2009).  On the other hand, "[o]rdinarily, courts 'aim to resolve the question of § 230 immunity at the earliest possible stage of the case because that immunity protects websites not only from `ultimate liability,' but also from `having to fight costly and protracted legal battles.''" Nemet Chevrolet v. Consumeraffairs.com, 591 F.3d 250, 255 (4th Cir. 2009). And while some courts have been hesitant to cash in those "Get Out of Litigation Free cards" (perhaps originally due to a lack of familiarity with the plumbing and business models of the Internet), the Evans court recognizes that a consensus has been developing across the courts of appeals "that § 230(c) provides broad immunity for publishing content provided primarily by third parties." Carafano v. Metrosplash.com Inc., 339 F.3d 1119, 1123 (9th Cir. 2003).  Consideration of Sec. 230 preemption is appropriate at the pleading stage in a motion to dismiss; defendant can terminate the litigation right out of the gate.



But then, maybe this "is it an immunity or an affirmative defense" thing doesn't really matter.  The Evans court leaves us with this thought:



[O]ur court of appeals has held that "the assertion of an affirmative defense may be considered properly on a motion to dismiss where the `allegations in the complaint suffice to establish' the defense." 



In other words, whatever you call it, if plaintiff's complaint doesn't have a leg to stand on, there is no reason for the litigation to proceed.  If Sec. 230(c) protects interactive services from liability, it would be nice if it also protected interactive services from futile litigation expenses.


Thursday, October 10, 2013

The Boundary Between Sec. 230 Immunity and Liability: Jones v. Dirty World Entertainment Recordings

Out in the wilderness of cyberspace is a boundary, marking the limits of Sec. 230 immunity. On the one side roam interactive services hosting third party content, immune from liability for that third party content. On the other side is the frontier, where interactive content hosts and creators meet, merge, and become one. Here host and author blend, collaborating to give rise to new creations. Hosts herd authors towards a potentially desolate land desecrated with insinuation, defamation, and slanderous allegations. Here, Sec. 230 has no power to protect. 

Photo by Ed Schipul, Flickr (cc)
We have been to the frontier before. The lead case unfolded in 2008: Fair Housing Council of San Fernando Valley v. Roommates.com, LLC, 521 F.3d 1157, 1164-65 (9th Cir. 2008) (en banc). Here, according to the court, third-party authors that wished to post to Roommates.com were required to fill out a questionnaire and were required to answer questions that were alleged to violate federal and state housing discrimination laws. Where the host requires third-parties to answer certain questions, and answer in ways that are problematic, "such acts constituted the 'creation or development of information' and thus made the site an 'information content provider' within the scope of 47 U.S.C. § 230(c) and (f)(3)." Both host and third-party are now potentially liable for the created content. 

Jones v. Dirty World Entertainment Recordings, LLC (Eastern District Kentucky Aug. 2013) is the latest case to explore the frontier, and this litigation has been explored through two trials.  From the first trial, we are informed that:
Defendant Dirty World, LLC operates, from its principal place of business in Arizona, an Internet web site known as "the dirty.com." This web site invites and publishes comments by individuals who visit the site, and defendant Hooman Karamian, a/k/a Nik Richie ("Richie"), responds to those posts and publishes his own comments on the subjects under discussion.
Plaintiff Sarah Jones is a citizen of Kentucky; a resident of Northern Kentucky; a teacher at Dixie Heights High School in Edgewood Kentucky; and a member of the Cincinnati BenGals, the cheerleading squad for the Cincinnati Bengals professional football team.
The conflict ensued over comments posted to Defendant's website about plaintiff. 
[T]he evidence conclusively demonstrates that these postings and others like them were invited and encouraged by the defendants by using the name "Dirty.com" for the website and inciting the viewers of the site to form a loose organization dubbed "the Dirty Army," which was urged to have "a war mentality" against anyone who dared to object to having their character assassinated.
Specifically, defendant Richie added his own comments to the defamatory posts concerning plaintiff. For example, on December 7, 2009, a third-party posted, under a large photo of plaintiff:
Nik, here we have Sarah J, captain cheerleader of the playoff bound cinci bengals . . Most ppl see Sarah as a gorgeous cheerleader AND highschool teacher . . yes she's also a teacher . . but what most of you don't know is . . Her ex Nate . . cheated on her with over 50 girls in 4 yrs . . in that time he tested positive for Chlamydia Infection and Gonorrhea . . so im sure Sarah also has both . . whats worse is he brags about doing sarah in the gym . . football field . . her class room at the school she teaches at DIXIE Heights.
To this, Richie added his own tagline, in bold: "Why are all high school teachers freaks in the sack? — nik."  The tagline and original message appear on one page as a single story.
For the court, defendant's website has crossed into the frontier and is a participant in the content creation. Not only is defendant driving third-parties to make scandalous comments, defendant, by adding comments "effectively ratified and adopted the defamatory third-party post." According to the court, defendant continued to drive third parties by commenting: "I love how the DIRTY ARMY has war mentality;" "Never try to battle the DIRTY ARMY;" and "You dug your own grave here Sarah." The court concludes, defendant "played a significant role in 'developing' the offensive content such that he has no immunity under the CDA." 

There is a boundary between neutral host and content creator. When an interactive service traverses that boundary, the host potentially moves out from underneath the protection of Sec. 230 immunity. 

Sunday, October 06, 2013

In Which We Consider the Meaning of 'Authorized': GIVAUDAN FRAGRANCES CORPORATION v. Krivda

"When I use a word," Humpty Dumpty said in rather a scornful tone, "it means just what I choose it to mean — neither more nor less."
"The question is," said Alice, "whether you can make words mean so many different things."
"The question is," said Humpty Dumpty, "which is to be master— that's all."
- Lewis Carroll, Through the Looking Glass
What does authorized access mean? If an employee with authorized access to a computer system goes into that system, downloads company secrets, and hands that information over to the company's competitor, did that alleged misappropriation of company information constitute unauthorized access?

This is no small question. If the access is unauthorized, the employee potentially violated the Computer Fraud and Abuse Act (CFAA). But courts get uncomfortable here. They are uncomfortable when contractual disputes morph into criminal violations. If, for example, a site's Terms of Service says that I must use my real name, and I use a pseudonym, is my access unauthorized? We have seen over-zealous prosecutors attempt to transform a TOS into something that can get you thrown on The Rock. Courts don't like it.

But not all the courts agree; there is a split between the Circuit Courts that believe such actions by an employee constitute a criminal violation of the CFAA - and those courts that believe that the matter is best handled as a breach of contract between employer and employee. 

Today's court decision comes from the District Court in New Jersey (which is in the 3rd Circuit): GIVAUDAN FRAGRANCES CORPORATION v. Krivda, Dist. Court, D. New Jersey Sept. 26, 2013. The facts of this case are as might be expected:
In early May, 2008, Krivda resigned his employment with Plaintiff, Givaudan Fragrances ("Givaudan") where he was a perfumer. Prior to his last day on the job, Krivda allegedly downloaded and copied a number of formulas for fragrances. The parties acknowledge the formulas as trade secrets. Soon thereafter, Krivda commenced employment as a perfumer with Mane USA (Mane), a Givaudan competitor. Givaudan alleges that Krivda gave the formulas to Mane — an act of misappropriation.
Plaintiff Givaudan sued. Before the court is Defendant Krivda's Motion to Dismiss the CFAA cause of action. Defendant argued that since his alleged access of Plaintiff's computers while employed was authorized, it could not constitute unauthorized access pursuant to the CFAA. 

The New Jersey District Court looks to the 9th Circuit (the West Coast) as one of the lead Circuits that has considered this issue.
Generally, the Computer Fraud and Abuse Act § 1030(a)(4), prohibits the unauthorized access to information rather than unauthorized use of such information. The Ninth Circuit has explained that "a person who `intentionally accesses a computer without authorization' . . . accesses a computer without any permission at all, while a person who `exceeds authorized access' . . . has permission to access the computer, but accesses information on the computer that the person is not entitled to access." The inquiry depends not on the employee's motivation for accessing the information, but rather whether the access to that information was authorized. While disloyal employee conduct might have a remedy in state law, the reach of the CFAA does not extend to instances where the employee was authorized to access the information he later utilized to the possible detriment of his former employer.
(Citations and other stuff omitted). 

In the case at hand, the defendant employee had, at the time, authorization to access plaintiff's computers and the specific information at issue. The phrase in the CFAA about someone exceeding their authorization doesn't help plaintiff either; this refers to the situation where someone has authority to access one system, and then accesses another system beyond the one they are authorized to access. That ain't here. Plaintiff argues, "Well, defendant didn't have our authority to review and print the information." To which the court responds, "oh come on!" 

Defendant's Motion to Dismiss Plaintiff's CFAA claim was granted. Defendant may have other trouble with Plaintiff, but violating the federal Computer Fraud and Abuse Act ain't one of them.