November 30, 2009

Citysearch Click Fraud Class Action Certified -- but Proving Meaningful Damages May Remain a Problem for Plaintiffs

The recent certification of a national class action in the Citysearch click fraud case represents a major victory - at least for the plaintiffs' counsel. But whether adjudication of the case will produce significant recoveries for the plaintiffs is an open question.

The Citysearch click fraud class action (Menagerie Productions v. Citysearch, C.D. Cal., No. 2:08-cv-04263) was brought on behalf of some 10,000 advertisers on Citysearch.com websites. Citysearch operates dozens of websites that provide information about restaurants, shops, hotels and other services in individual cities around the U.S. For example, at dallas.citysearch.com, Citysearch provides information geared towards the DFW metroplex.

To earn revenue through these sites, Citysearch sells advertising. Much of this advertising is "pay-for-click", in which advertisers only pay when visitors click on their ads. The complaint claims that Citysearch entered into a standard form advertising agreement for these ads which claimed that: "We connect you to customers. You pay only for results." In its FAQ page for the agreement, Citysearch also stated as follows:

Q: How do I know that clicks to my website are legitimate?
A: Citysearch proactively researches and develops processes, policies, and technologies to identify invalid click activity with respect to our customers' advertising. Citysearch employs advanced security filters and blocks out clicks from spiders and robots.

The two named plaintiffs, Menagerie and Redwolf, claimed that despite paying up to $1,900 in advertising fees for pay-for-click ads over a period of several months, they received no new customers. There are many legitimate reasons that an ad campaign may not generate identifiable new revenue. However, the complaint alleged that the plaintiffs' failure to generate new customers was because of click-fraud. In click fraud, an on-line media source that is party to a click-through ad contract inflates the number of ad clicks to fraudulently increase its ad revenues.

The plaintiffs allege that Citysearch failed to track fraudulent clicks originating with its employees and "partner sites" and failed to inform advertisers that it did not employ methods to track fraudulent clicks -- but nevertheless charged customers for invalid clicks. The plaintiffs also allege that Citysearch falsely claims that customers will not be charged for invalid clicks, even though it knows or should know that these claims are false. The plaintiffs seek to recover the advertising fees they paid under breach of contract theories, as well as under California's unfair competition law.

To qualify as a class action, the named plaintiffs must meet two sets of requirements: First, they must meet four requirements in Federal Rule of Civil Procedure 23(a) that test whether the class is sufficiently numerous and whether the claims brought by the named plaintiffs adequately represent the rest of the plaintiffs in the class. The main dispute here centered on whether the claims by the named plaintiffs were typical of all of Citysearch's 10,000 pay-for-click advertisers.

November 25, 2009

Lahoti v. Vericheck: How to Lose a Cybersquatting Case against a Serial Cybersquatter

It seems unthinkable. How can a business that has registered and used a trademark for a decade lose an ACPA case against a serial cybersquatter who has been adjudicated to have used the mark at issue in bad faith? The fact is that it can and does happen. When a plaintiff sues under the Anti-Cybersquatting Consumer Protection Act, it must prove that it owns a valid trademark. 15 U.S.C. § 1125(d). This means that an ACPA suit puts the validity of the plaintiff's trademark at issue. And if the defendant chooses to put up a fight, the end result of an ACPA suit can be that the plaintiff's trade name loses protection as a trademark.

This was the result in American Blind. It also may be the result in Lahoti v. Vericheck, 9th Cir., No. 08-35001. Lahoti is the defendant in a trademark infringement and ACPA case brought by Vericheck, Inc. Vericheck is a Georgia corporation that provides electronic fund transaction processing services, including check verification and account verification. Vericheck has a website at vericheck.net and also owns the domain names vericheck.org, vericheck.cc, vericheck.us and vericheck.biz.

In 2001, Vericheck obtained a Georgia state service mark registration for its trademark, which consists of a checkmark over the word "VeriCheck." Vericheck attempted to get federal registration, but the U.S. Patent and Trademark Office denied the application because an Arizona company had already registered the name for use in check verification services. However, the Arizona company apparently never used the trademark for check verification and its mark expired in 2006.

According to the 9th Circuit, the defendant, David Lahoti, had previously registered over 400 domain names containing the trademarks of other companies, such as Nissan.org and ebays.com. In two cases, WIPO ordered him to give up control of domain names because they infringed on trademarks. In 2000, a Central District of California court found that Lahoti was a "cybersquatter" and that his registration and attempted sale of the estamps.com domain name violated the ACPA.

November 24, 2009

Apple v. Psystar: Installation of Modified Apple Software on Cloned Computers Constituted Copyright Infringement

There has been a lot of recent press touting manufacturers of Mac clones. Clone manufacturers attempt to unlock the tie between Apple software and hardware by selling non-Apple hardware that includes copies of Apple's much-loved software. However, because Apple does not sell copies of its software for use on non-Mac hardware, the only way for this business to work economically is for the cloner to modify the Mac software and then create copies of this modified software for use on non-Mac computers. These are actions that necessarily would seem to violate Apple's copyrights over its software. And so found a court in a recent decision in favor of Apple. See Apple, Inc. v. Psystar Corp., N.D. Cal. 3:08-cv-03251, Order re Cross Motions for Summary Judgment (November 13, 2009).

The defendant in the case, Psystar, made a line of computers called Open Computers. Psystar purchased a copy of Mac OS X and modified it by removing the Mac OS X bootloader and kernel extension files and replacing them with files that would permit Mac OS X to run on non-Apple hardware. The modified copy of Mac OS X was used as a new master copy for mass reproduction and installation on Psystar computers.

As Judge William Alsup found, Psystar's actions created a target-rich environment for infringement claims. Among Apple's exclusive rights that he found Psystar had violated were: (1) its reproduction rights (by downloading copies of Apple's software onto its clones, and creating copies in the computers' RAM when the computers were turned on); (2) its distribution right (by selling copies of Apple's software to the public), and (3) its right to create derivative versions (by making the modifications noted above to permit the use of Mac OS X on non-Apple hardware).

November 23, 2009

UMG Recordings v. Augusto: First Sale Doctrine Protects Reseller of Promo CDs

Living on the west side of Los Angeles puts me smack in the middle of the entertainment industry. I have often seen promotional copies of DVDs of TV shows and feature films or music CDs being exchanged at parties, and even seen stacks of these being left out by the side of the street for trash pickup. Studios and labels don't want this content distributed to the public because early distribution can foul up marketing campaigns, and because promotional versions of content may be remixed or reedited. But can the studios and labels prevent recipients from giving away or even reselling these lightly-controlled promotional discs? A June 2008 case said "No".

The case is UMG Records, Inc. v. Augusto, C.D. Cal., No. CV-07-03106. UMG is a well-known record label and frequently produces promotional CDs. UMG's promotional CDs are labeled with language stating that "This CD is the property of the record company and is licensed to the intended recipient for personal use only. Acceptance of this CD shall constitute an agreement to comply with the terms of the license. Resale or transfer of possession is not allowed and may be punishable under federal and state laws."

The defendant Augusto was not one of the original recipients of UMG's CDs, but came into possession of many of these promotional CDs through music shops and online auctions. Augusto then resold the promotional CDs via eBay, as rare collectibles that were not available in stores. After discovering the sales, UMG attempted to get eBay to take down Augusto's auction sites. However, after initially taking them down, eBay eventually reinstated Augusto's sites.

UMG then filed suit against Augusto for copyright infringement, arguing that the language on its CDs created a license agreement precluding sale or distribution of the CDs. Augusto defended, relying primarily on the "first sale" doctrine. Under the first sale doctrine, a copyright holder's right to distribute a work is limited to the initial distribution of copies of a work, not to the resale or further transfer of possession of those copies. 17 U.S.C. § 109.

Central District Judge Otero held that the principal issue in the case was whether UMG had transferred title when it sent out the promotional CDs. If the answer was yes, then the first sale doctrine applied and Augusto did not infringe UMG's distribution rights when he resold the CDs on eBay.

November 19, 2009

How Far Must an Employer Go in Preventing Employee Internet Misconduct?

Employers often wonder how far they have to go in preventing employees from committing crimes or torts on the Internet. In a recent decision, the Wisconsin Court of Appeals found that an employer is only required to prevent on-the-job misconduct that is foreseeable. But "employers have no duty to supervise employees' private conduct or to persistently scan the world wide web to ferret out potential employee misconduct." Maypark v. Securitas Security Services USA, Inc., 2009 WI APP 145 (Sept. 1, 2009).

The Maypark case centered around a security guard named Schmidt who worked for Securitas, a security company. Schmidt was stationed at Polaris Industries, a Securitas client in Osceola, Wisconsin. Schmidt worked at a guard shack at the entrance to Polaris's parking lot, where he assisted in the control of visitor and employee access. Polaris employees wore photo identification badges, which Schmidt was responsible for producing.

Sometime during 2005, Schmidt copied photographs of some 50 female Polaris employees to a flash drive -- apparently from the guard shack computer. He took them home, performed unspeakable acts on them, and then posted pictures of the adulterated photos on adult blogs he created on Yahoo!.

When Polaris was alerted to the photos, its information systems department did a search of the guard shack computer and figured out who the perpetrator was. Polaris informed Securitas, which immediately terminated Schmidt after he admitted posting the images. Polaris then demanded that Schmidt remove the images from Yahoo!, which he did.

Polaris notified the Osceola police, who declined to prosecute Schmidt. Ten plaintiffs then sued Schmidt and Securitas. After a bench trial, the judge found Schmidt liable for defamation and invasion of privacy and Securitas liable for negligent training and supervision. Securitas appealed.

The Wisconsin Court of Appeals reversed based on the "foreseeability" test. To find a defendant liable on a negligence tort, a court must find that the defendant owed the plaintiff a duty of care. A common test to determine if a duty of care exists is whether it was foreseeable that the harm caused to the plaintiff would be caused by the defendant's action. A party cannot be held to be negligent if it was not reasonably foreseeable that harm might result from its act or failure to act. Sigler v. Kobinsky, 2008 WI App 183. "Failure to guard against the bare possibility of injury is not actionable negligence." Grube v. Marks, 56 Wisc.2d 424 (1972) (emphasis added).

November 18, 2009

Bosh v. Zavala: Was the Court's Order that a Cybersquatter Turn Over 700 Domain Names that Incorporated Names of Non-appearing Parties to a Plaintiff Proper?

In a recent ruling, a judge in the Central District of California ordered a defendant in a cybersquatting case to turn over hundreds of domain names that incorporated the names of professional athletes to the plaintiff, Toronto Raptors power forward Christopher Bosh. As the result of the order, Bosh is now the owner of domain names such as mikedunleavy.com, deronwilliams.com, krishumphries.com, amarestoudemire.com, shaunlivingston.com and daleearnhardtjr38.com. See Bosh v. Zavala, C.D. Cal. No. 2:08-cv-04851, Amended Order (Sept. 29, 2009). While some might laud the Court's intentions, the order violates both the Federal Rules of Civil Procedure and California law. It also creates as many problems as it solves.

This case began in July 2008 when Bosh filed a cybersquatting suit against Zavala, whom he alleged to be operating a domain name parking scheme. According to the complaint, Zavala had registered over 778 domain names that incorporated the names of famous basketball players such as Steve Nash of the Phoenix Suns, Shawn Marion of the Miami Heat, Cedric Bozeman of the Atlanta Hawks, Sam Cassell of the Boston Celtics, celebrities such as Scarlett Johansson and business names such as World Cup and Century 21. Bosh alleged that Zavala used a third party "parking service" to post websites at these domain names that included the athletes' names and advertising hyperlinks. When Internet users searched for the athletes' names, they would arrive at Zavala's Internet sites and click on the advertising, thus generating revenue for Zavala.

Bosh specifically sued Zavala for his alleged creation of a site with the name chrisbosh.com. The complaint included claims under the Anticybersquatting Consumer Protection Act (ACPA) (15 U.S.C. § 1125(b)) and the California Right of Publicity Act (Cal. Civ. Code § 3344). Bosh's complaint was brought solely on behalf of himself, and did not join as plaintiffs any of the other persons whose names Zavala had allegedly co-opted for his website. See Bosh v. Zavala, C.D. Cal., No. 2:08-cv-04851, Complaint (July 24, 2008).

Zavala did not answer the complaint and the judge eventually entered a default judgment against him. The ACPA provides a list of remedies that a judge may impose against a defendant in a cybersquatting case, including "the forfeiture or cancellation of the domain name or the transfer of the domain name to the owner of the mark." 15 U.S.C. § 1125(d)(1)(C). Accordingly, as part of the default judgment, the judge ordered that the chrisbosh.com domain name be transferred to the plaintiff, Chris Bosh. See Bosh v. Zavala, C.D. Cal., No. 2:08-cv-04851, Amended Order Granting Default (April 7, 2009). The judgment also included a statutory damages award of $100,000. So far, so good.

However, in September 2009, the Plaintiff then took matters a step further, and requested that the judge issue a different kind of turnover order. This time Bosh asked the Court to order Zavala to turn over all 778 domain names that Zavala controlled directly to Bosh. Bosh claimed that the judge had the authority to issue this order because California Code of Civil Procedure Section 699.040 states that a court may order personal property of a judgment debtor to be turned over to "the levying officer" for sale to satisfy his debts.

November 17, 2009

Lasco Foods v. Hall and Shaw: Can an Employee Be Liable Under Federal Wiretap Laws for Accessing an Email on a Company Laptop for Purposes Adverse to the Company?

Judge Jean Hamilton's recent order in Lasco Foods, Inc. v. Hall and Shaw Sales, Marketing & Consulting, LLC, E.D. Missouri (October 26, 2009) held that an ex-employee who accesses information on a company-issued laptop for a purpose adverse to the company can be liable under the federal Stored Communications Act (SCA). Judge Hamilton's ruling also suggests that even current employees can be held liable under the SCA as well, if they access information from a laptop for a purpose that violates their duty of loyalty to the company.

This ruling is important, because the SCA provides for criminal penalties, as well as civil actions, against offenders. 18 U.S.C. §§ 2701(b), 2707. Tens of millions of U.S. employees are issued company-owned laptops, and countless employees download information from these computers for purposes adverse to their former employer's interests, both during and after leaving the company. Under Judge Hamilton's ruling, many thousands of these employees theoretically stand in jeopardy of federal prison time.

But is Judge Hamilton's ruling right? At least one other recent ruling suggests that the SCA cannot be used in this situation at all. See Thule Towing Systems, LLC v. McNallie, E.D.Mich., No. 2:09-cv-10905, Order (July 15, 2009). Other case law suggests that the SCA only reaches employees whose access to emails and other communications stored on company-owned computers has been expressly revoked.

Judge Hamilton's decision was based on SCA Section 2701, which provides that "whoever (1) intentionally accesses without authorization a facility through which an electronic communication service is provided; or (2) intentionally exceeds an authorization to access that facility; and thereby obtains, alters, or prevents authorized access to a wire or electronic communication while it is in electronic storage in such a system shall be punished as provided in subsection (b) of this section." 18 U.S.C. § 2701(a).

Here, Lasco had alleged that the defendants, Shaw and Hall, were long-time Lasco sales executives and had been provided with company laptops for use in company business. In 2008, Shaw and Hall decided to start a competing restaurant food supply. Both before and after Lasco became aware of this new business, but while they were still Lasco employees, the defendants allegedly "accessed, printed, copied and/or downloaded" a substantial amount of data from their laptops, as well as from Lasco's network, for use in their competing business. See Lasco Foods, Inc. v. Hall and Shaw Sales, Marketing & Consulting LLC, E.D.Missouri, No. 4:08-cv-01683, Third Amended Complaint (May 15, 2009).

Using principles of agency law, Judge Hamilton reasoned as follows:

"While Lasco afforded Defendants access to its computers, networks and information for purposes of their employment, Lasco alleged that Hall and Shaw accessed Lasco's Information to benefit the interests of Defendants, not Lasco. Defendant Hall and Shaw's authorization to access this information ceased when they breached their duty of loyalty to Lasco and their employment terminated" (emphasis added).

November 16, 2009

Update on CFAA Circuit Split: District Courts in 8th Circuit Adopt Minority View, Permitting Claims Where Defendant Exceeds His Authority to Access Computer

We have been watching closely the development of a Circuit split over whether Computer Fraud and Abuse Act (CFAA) -- 18 U.S.C. § 1030 -- claims can be brought against persons who have been given authority to access a computer, but then exceed the scope of this authority. The 7th Circuit holds that an employee has accessed his employer's computer "without authorization" and can be sued under CFAA, if he uses legitimately-acquired access rights to advance an interest that is adverse to his employer. A recent ruling by a District Court in the Eastern District of Missouri, in Lasco Foods, Inc. v. Hall and Shaw Sales, Marketing & Consulting LLC, confirms that courts in the 8th Circuit are lining up behind this minority viewpoint.

The Lasco Foods case involves a common litigation scenario in which an executive has left a company to start a competing business. The defendants, Shaw and Hall, were long-time Lasco sales executives. Both were allegedly provided Lasco-owned laptops for use in company business. According to the complaint, in 2008, Shaw and Hall decided to start a competing business. Both before and after Lasco became aware of this new business, but while they were still Lasco employees, the defendants allegedly "accessed, printed, copied and/or downloaded" a substantial amount of data from their laptops, as well as Lasco's network. Among this data allegedly was customer contact information stored in Shaw's Outlook "Contacts" file. Shaw allegedly deleted the Contacts file from his laptop before returning it to Lasco -- thus depriving the company of customer information that it had paid to develop. See Lasco Foods, Inc. v. Hall and Shaw Sales, Marketing & Consulting LLC, E.D.Missouri, No. 4:08-cv-01683, Third Amended Complaint (May 15, 2009).

Several state law remedies address what we will call the "absconding executive" situation, including interference with business relations, conversion, and trespass to chattels causes of action. However, companies have often attempted to sue absconding executives under CFAA, as well.

CFAA Section (a)(5) contains three provisions that permit suits against persons who knowingly access a "protected computer" and intentionally or recklessly cause damage. (A protected computer includes any computer which is used in interstate or foreign communication. 18 U.S.C. § 1030(e)(2). In today's internet age, it includes just about every computer in the country.) However, each of these three provisions requires that the defendant have accessed the computer "without authorization." Therein lies the rub. As discussed in our September 24 and October 1 posts, the federal courts are divided on when an employee's access to a computer is "without authorization." The majority position, which was recently adopted by the 9th Circuit, is that "without authorization" only refers to persons who do not have permission to access the company's computer in the first place. LVRC Holdings, Inc. v. Brekka, 9th Circuit, Case No. 07-17116 (Sept. 15, 2009). Under this interpretation, Shaw and Hall could not be sued under CFAA, because they had originally received permission from Lasco to access its computers.

November 13, 2009

Brodsky v. Match.com: Court Upholds Forum Selection Clause Contained in Click-Wrap Agreement

Digital media law update: A judge in the Southern District of New York has upheld a clause contained in a click-wrap user agreement that required any suit regarding use of the Match.com site to be brought in north Texas. The opinion actually commended Match.com for including this forum selection clause in its User Agreement. It noted that Match.com's headquarters are in Dallas, Texas and that failure to include such a clause in its User Agreements would have subjected Match to suit in all 50 states.

The case is Brodsky v. Match.com LLC, S.D.N.Y., No. 1:09-cv-05328, a class action alleging that subscribers to Match.com suffered harm from a misleading distinction between users and subscribers and from problems with email communications between these two groups. The complaint alleged causes of action under RICO, New York's deceptive trade practices and false advertising laws, and common law, for breach of contract and fraud. The plaintiffs included people from around the country, including persons from New York, California, Connecticut, Michigan and Florida.

Prior to completing the registration process, each of the class members was required to check a box on the website which stated "I agree to the Match.com terms of use." This statement was hyperlinked to an 11-page User Agreement. The first paragraph of the User Agreement stated, "If you object to anything in this Agreement or the Match.com Privacy Policy, do not use the Website or the Service." The User Agreement also contained a choice of law clause in favor of Texas law and a forum selection clause in favor of jurisdiction in Dallas or Collin County -- adjacent counties in north Texas.

On Match.com's motion, Judge Naomi Buchwald ordered that the case be transferred to the Northern District of Texas.

November 12, 2009

Doe v. Young: Can a Physician Be Liable for Invasion of Privacy for Disclosing Anonymized Photos of a Plaintiff's Torso to a Reporter?

Digital media law update: Can a physician be held liable for disclosing "before and after" photographs of one of his patients to a third party, if the photos don't show her face or state her identity? According to a judge in the Eastern District of Missouri, the answer is "yes" -- but only if the photos provide sufficient detail for someone to figure out who she is.

The case, Doe v. Young, E.D. Missouri, No. 4:08-cv-00197, involves a woman who received plastic surgery in St. Louis, Missouri to remove excess loose skin after she lost substantial weight through water aerobics. The defendants, who were her plastic surgeons, took 65 photos of the woman before and after her surgery. These depicted her face, head, hairstyle, hair and chin, as well as her body in full frontal and posterior naked poses.

Prior to her surgery, the woman filled out a "Photo Consent Form" in which she agreed to the use of her photos for "insurance predeterminations, medical presentations and/or articles." However, she expressly refused to consent to the disclosure of the photos for a list of other purposes, including seminars for prospective patients, websites, advertisements or television.

Nevertheless, the surgeons provided a disk to a reporter for a St. Louis newspaper, the Riverfront Times, which contained photos of the patient's torso, head, hair, and chin, and also provided her initials and written information about her medical history. The Times then published an article about the surgeons that included two photographs of the patient, one before and one after surgery, that depicted her from the neck down to the mid-calf, without showing her head or face. The article appeared in both the Times' print and on-line editions.

The patient, who was living in Georgia at the time the article appeared, learned about it a year later, and filed suit against the surgeons for invasion of privacy under intrusion on seclusion, public disclosure of private facts and misappropriation of name and likeness theories.

The surgeons filed a motion for summary judgment claiming that they could not be held liable for invasion of privacy because the plaintiff could not be identified from the photographs. They argued that the photos did not identify the plaintiff by name and did not contain any identifiable features about her, and that no individual had recognized her from the photos.

While the judge denied the surgeons' motion, he agreed with the notion that to recover for any invasion of privacy claim, the plaintiff's identity must have been disclosed. For example, in Rawls v. Conde Nast Publications, 446 F.2d 313, 318 (5th Cir. 1971), the 5th Circuit denied a claim for invasion of privacy where a photograph of the plaintiffs' home was published, but all possibility of identification was carefully obliterated before publication. The 5th Circuit reasoned that "the plaintiff may not recover for invasion of privacy when, as here, her privacy remains inviolate."

November 11, 2009

The Tagged.com Spam Cases: New York and Texas Attorney General Actions Show the Effectiveness of States' Retained Powers to Regulate Spam

The enactment of the Federal CAN-SPAM Act preempted many State laws that attempted to prohibit marketers from sending mass commercial emails. However, CAN-SPAM did leave one key area of enforcement open to the states. The State may still enforce laws restricting commercial emails to the extent that such laws prohibit "falsity or deception." 15 U.S.C. § 7707(b)(1). However, this exception is proving about as narrow as the Grand Canyon.

The latest examples of State enforcement of spam are the actions by the New York and Texas Attorneys General against Tagged, Inc., which were both resolved in the past week. See Attorney General of New York, Internet Bureau, In the matter of: Tagged, Inc., Assurance of Discontinuance (Nov. 6, 2009), Texas v. Tagged, Inc., Travis County District Court, No. D-1-GV-09-002032, Agreed Final Judgment and Permanent Injunction (Nov 9, 2009).

Tagged, which was founded by serial Internet entrepreneur Greg Tseng, has been reported to be the third-largest social networking site in the world by Hitwise. While its market share traffic is still a fraction of that enjoyed by Facebook and MySpace, according to Hitwise, it is in a major growth phase, and has increased its share by 47% from September 2008 to September 2009. Id.

However, according to the statements made by the New York and Texas AGs, much of this growth was due to Tagged's deceptive marketing and spamming practices. These practices allegedly included the following:

• Tagged allegedly accessed the email address books of visitors, without clear and conspicuous disclosure that this was occurring, or obtaining permission. Tagged then used these contacts to initiate a campaign to sign up additional members.

• It sent invitation email messages to visitor contacts that falsely stated that a person who had signed up on Tagged had sent photos to the recipient that could be viewed on Tagged. According to the New York AG, "In reality . . . Tagged generated the email invitation automatically without regard to whether the person had ever uploaded photographs to Tagged.com or intended to share them with her contacts."

• Even though the invitation emails were generated by Tagged, Tagged inputted the name and email address of the person who had registered at Tagged in the "from" field of each email. If the registrant had uploaded a photo, the invitation emails also included this photo.

• The invitation message body included a box for the recipient to click "yes" or "no" in response to whether she wanted to view the photos. The message also said "Please respond or [name] may think you said no :(" -- despite the fact that the registrant had nothing to do with the sending of the invitation email. The purpose of this was to play on the emotions of the recipient, falsely suggesting that their friend's feelings might be hurt if they did not visit the Tagged site and view the photos.


November 10, 2009

In re. Ameritrade Accountholder Litigation: Court Rejects Class Settlement He Viewed as Providing Members of Plaintiff Class with No Real Benefits

On October 23, 2009, Judge Vaughn Walker did something that doesn't happen very often. He rejected final approval of a class action settlement that was opposed by less than .001% of the members of the plaintiffs' class. The reason: he had come to believe that while the settlement would cost Ameritrade millions, and pay $1.87 million to the plaintiffs' counsel, it ultimately provided the plaintiffs themselves with no real benefits.

The case is In re TD Ameritrade Accountholder Litigation, N.D. Cal. C-07-2852, a class action that was originally filed in 2007 regarding an allegedly long-term data security breach at Ameritrade. Ameritrade is a well-known brick and mortar and on-line stock broker, whose commercials star Sam Waterston of Law and Order fame.

In October 2006, Ameritrade customer Matthew Elvey, who graduated from Yale with a B.S. in computer science and mechanical engineering, and works as a website infrastructure consultant (as he describes his business; see his bio at http://www.elvey.com/), decided to test Ameritrade's data security system. So he provided Ameritrade with a unique email address that he had never provided to any other person. In November 2007, Elvey allegedly began to receive stock spam directed to this secret address. The spam allegedly touted low-priced, speculative stock of smaller companies that are traded over-the-counter, and was part of stock "pump and dump" schemes.

Elvey filed a class action against Ameritrade in 2007. The complaint focused on Ameritrade's Privacy Statement which allegedly told customers that "Ameritrade does not sell, license, lease or otherwise disclose your personal information to any third party for any reason . . . " According to Elvey's complaint, the "spam received by Plaintiffs was not consistent" with these representations.

The Elvey suit was later consolidated with a class suit filed by lead plaintiff Brad Zigler. The combined class action sued Ameritrade on breach of fiduciary duty, CFAA, and Nebraska and California unfair trade practices grounds. The plaintiffs claimed that Ameritrade had breached its duties to them by knowingly failing to correct defects in its security system and by failing to disclose the security breach that had led to the spam attacks on its customers. The plaintiffs claimed that they were damaged by "losing the benefit of the bargain on Ameritrade's brokerage fees, which were premised, in part, on Ameritrade's compliance with the privacy statement . . . ."

While TD Ameritrade filed a motion to dismiss the original Elvey complaint -- a motion that was never heard -- it did not file a similar motion for the consolidated complaint. Instead, it began settlement negotiations with the Plaintiffs. This resulted, in October 2008, in a proposed settlement which released Ameritrade for any damage claim, "of any kind," based on "any legal theory whatsoever," that "is, has been, or could have been asserted by" a member of the settlement class for: (i) an unauthorized disclosure of their information by Ameritrade, (ii) their receipt of SPAM e-mail and (iii) misrepresentations in Ameritrade's privacy statement. The settlement applied to any person who had provided Ameritrade with a physical or email address on or before September 14, 2007. It did carve out a right for individuals to file identity theft claims on their own behalf -- but not as part of a class action.


November 5, 2009

U.S. v. Kilbride: 9th Circuit's Holding that Internet Obscenity Laws Should Be Governed by a National Standard Rests on Shaky Grounds

Digital media law: The 9th Circuit has done it again. In its ruling last week in U.S. v. Kilbride, the 9th Circuit announced that "a national community standard must be applied in regulating obscene speech on the Internet, including obscenity disseminated by email." (Case Nos. 07-10528, 07-10534, October 28, 2009). The 9th Circuit stated that its holding followed the view expressed by a majority of U.S. Supreme Court Justices in Ashcroft v. ACLU, 535 U.S. 564 (2002) that application of a national community standard in Internet obscenity cases would not "generate serious constitutional concerns."

The Justices said no such thing. To the contrary, Justice Kennedy, whom the 9th Circuit includes in the majority supposedly agreeing with its holding, wrote that "it is neither realistic nor beyond constitutional doubt for Congress, in effect, to impose the community standards of Maine or Mississippi on Las Vegas and New York" through a national obscenity law. Ashcroft v. ACLU, 535 U.S. at 597. If the U.S. Supreme Court takes the appeal of Kilbride, the 9th Circuit's ruling here could well be reversed.

The Kilbride case involves the appeal of the criminal convictions of two spammers, Jeffrey Kilbride and James Schaffer, who distributed two sexually explicit images via email throughout the U.S. The Defendants' spam operation was enormous and generated some 662,000 complaints to the FTC from persons around the country.

The Defendants were ultimately charged with violations of two Federal obscenity laws -- 18 U.S.C. §§ 1462 and 1465, which prohibit the importation into the U.S., and the transportation in interstate commerce, of "obscene, lewd, lascivious, or filthy" books, pictures and other media. Both statutes apply to distribution of materials via the Internet, and specifically include distribution via an "interactive computer service," as defined by the Communications Decency Act. A conviction under Section 1465 has been upheld for images sent from a computer bulletin board in one state to a personal computer in another state. U.S. v. Thomas, 74 F.3d 701 (6th Cir. 1996).

Prior U.S. Supreme Court decisions have held that obscenity is to be determined by the standards of the local community in which the publication was made. However, in Kilbride, the Defendants were prosecuted for their national distribution of obscene materials. As part of its case, the government called eight witnesses from various parts of the country who had filed complaints with the FTC about the Defendants' emails. These witnesses testified about the circumstances under which they had received the Defendants' emails, their reaction and attitudes towards these images and their views on pornography generally. The government also introduced evidence regarding the 662,000 other complaints it had received about the images. For its part, the defense introduced evidence regarding community attitudes towards pornography drawn solely from Arizona -- the judicial district where the case was prosecuted.

At the close of evidence, the jury was instructed that it should use the standards of the "community as a whole, that is to say by society at large, or people in general" in determining whether the images distributed by the Defendants were obscene. This community was "not defined by a precise geographic area", so the jury could consider evidence of standards existing outside Arizona. They were also told that they could consider their "own experience and judgment" as well as the evidence presented in making this determination. The jury ultimately returned a verdict finding the Defendants guilty under the two statutes.

On appeal to the 9th Circuit, the Defendants argued that these instructions were improper, because they asked the jury to apply a global or societal standard for obscenity. The Defendants claimed that because the distribution of the emails was made nationally, the District Court should have instructed the jury to apply a "national" obscenity standard.

The 9th Circuit agreed that the Defendants had a point. It cited a 2002 plurality U.S. Supreme Court decision regarding the Child Online Protection Act (COPA), in which two Justices, O'Connor and Breyer, had stated that a "national standard" should be used for laws involving distribution of obscene material over the Internet. Ashcroft v. ACLU, 535 U.S. 564, 122 S.Ct. 1700 (2002). Justice O'Connor stated that community standards for obscenity vary greatly throughout the country. However, persons using the Internet to publish materials are unable to control the geographic location of their audience. As a result, requiring Internet publishers to hold to a "local community" standard for obscenity would require them to adopt the most restrictive view of obscenity taken by any community in the country. In Justice O'Connor's view, this would "potentially suppress an inordinate amount of expression." Id. at 587.


November 4, 2009

Do I Need a Privacy Policy?: When Websites Are Required to Post Privacy Policies

Digital media law update: I recently attended a panel discussion on digital media law, and was surprised when the panel members were unable to cite to statutes or other authority requiring the posting of privacy policies for websites. In fact, a number of international, federal and state regulations require the creation and posting of privacy policies. Here is a list of some of the more important rules:

State privacy policy laws:

• California

The most broad-reaching privacy policy law is California's Online Privacy Protection Act (OPPA). See California Business & Professions Code §§ 22575-79. OPPA requires all operators of websites or online services that collect "personally identifiable information" about California consumers to post a privacy policy on their websites. While the Act ostensibly only applies to websites that collect information about California residents, it effectively reaches any website that collects information on a national scale -- because it is impractical (and undesirable) to screen out California residents.

OPPA's definition of personally identifiable information (termed "PII") is very broad and includes such things as the person's first and last name, address, email address, telephone number, social security number, any other identifier that permits the person to be contacted, and any other information about the person that is collected along with such PII. So if your website asks users to do something as simple as provide their name and email address, you are required to create and post a privacy policy. Cal. Bus. & Prof. Code § 22577.

The statute requires three "policy" elements to be included in a privacy policy: (i) identification of the categories of PII collected and the third parties with whom this PII may be shared, (ii) a description of the website's process, if any, by which a person may review and make changes to his PII, and (iii) a description of the process by which the website notifies consumers of material changes to its privacy policy. Cal. Bus. & Prof. Code § 22575.

The privacy policy must be conspicuously posted on the home page, on the first significant page after the home page, or via a hyperlink that boldly includes the word "privacy." Cal. Bus. & Prof. Code § 22577.

• Texas

Texas Business & Commerce Code § 501.052 provides that if a business requires an individual to disclose his social security number to obtain goods or services, then it must adopt a privacy policy and make it available to the public.

The privacy policy must provide that the individual's social security number will be maintained privately and securely. In addition to this, the policy must disclose how personal information is collected and used, who has access to the personal information, and the method of disposal of the personal information. By its nature, this statute applies to website operators, as well as non-web-based businesses.


November 2, 2009

Swartz v. Doe: Tennessee Ruling Provides Clarity on Showing Needed to Uncover Identity of Anonymous Blogger in Defamation/Privacy Case

A Tennessee trial court adopted a version of the "heavy" Dendrite standard for permitting discovery of the identity of the anonymous poster of an allegedly defamatory blog. However, as interpreted by the trial court, this standard was not insuperable, and resulted in an order that the plaintiffs were entitled to discovery of the identity and personal information of the blogger.

The plaintiffs in the case (Swartz v. Doe, Sixth Circuit Court for Davidson County, Tenn., No. 08C-431), Donald and Terry Swartz, are residents of Old Hickory, Tennessee, and are involved in widely varied businesses, including rehabilitation and sale of real estate and operation of recovery facilities for substance abusers. (It seems likely that the businesses are related. Perhaps the Swartzes convert the buildings they rehabilitate into recovery centers.)

The main defendant in the case, John Doe #1, is the author of a blog entitled "Stop Schwartz", located at http://stopschwartz.blogspot.com. The blog allegedly accused the Swartzes of arson, improper management of rehabilitation facilities, exploitation of recovering substance abusers, inferior construction work, etc. Perhaps Doe #1 is a neighbor of some of the Swartz properties and doesn't like addicts being moved into buildings on his block. (Note: the blog was still up as of October 30, 2009, but the allegedly offensive posts had long been removed and no entries had been posted for several months.)

The Swartzes filed suit in 2008 against Doe #1. They then issued subpoenas to Google seeking to discover his name and address. Google sent a notice to the blogger stating that it would comply with the subpoena unless he filed a motion to quash the subpoena within 3 weeks. Doe #1 then hired a lawyer who filed the motion to quash. A year later, Judge Thomas Brothers of Davidson County issued his final ruling on this motion to quash, as well as on a related motion to dismiss.

Judge Brothers began by noting the important role that anonymous speech has had throughout history. However, he stated that "internet anonymous speech is not entitled to absolute protection." Rather, "the free speech interest of the Defendant must be balanced with the reputation and privacy interests of the Plaintiffs."

He then reviewed the variety of standards applied by courts today for revealing the identity of anonymous bloggers. Finding that "a growing number of courts have begun to follow the standard" in Dendrite International, Inc. v. John Doe, 775 A.2d 456, 760-61 (N.J. Super. Ct. App. Div. 2001), Judge Brothers stated his intention to follow this test. Under the Dendrite test, a plaintiff must: (i) attempt to notify the anonymous blogger that he is the subject of a discovery procedure, (ii) give the blogger a reasonable time to oppose this discovery, (iii) identify the exact statements by the blogger that give rise to his claim, (iv) make a prima facie or substantial showing for each element of each cause of action, and (v) if the plaintiff establishes these elements, the court must then balance the First Amendment interests of the defendant against the strength of the plaintiff's case and the plaintiff's need for the disclosure to proceed on his claims.
