New Media and Technology Law Blog

Supreme Court Denies Appeals of Notable Data Scraping, Computer Fraud Decisions from Ninth Circuit

This past week, the Supreme Court denied the petitions for certiorari in two noteworthy Ninth Circuit decisions that had interpreted the scope of liability under the federal Computer Fraud and Abuse Act (CFAA) in the context of wrongful access of company networks by employees and in instances involving unwanted data scraping from publicly available websites. (See Power Ventures, Inc. v. Facebook, Inc., 844 F.3d 1058 (9th Cir. 2016), cert. denied (Oct. 10, 2017); Nosal v. U.S., 828 F.3d 865 (9th Cir. 2016) (Nosal II), cert. denied (Oct. 10, 2017)).   Power Ventures involved a social media aggregation service that scraped Facebook user data with the permission of the user. There, the appeals court had held that while a violation of the terms of use of a website—without more—cannot be the basis for liability under the CFAA, a commercial entity that accesses a public website after permission has been explicitly revoked can be civilly liable under the CFAA.  In Nosal II, the Ninth Circuit had ruled that a former employee, whose access has been revoked, and who uses a current employee’s login credentials to gain network access to his former company’s network, violated the CFAA.

With the Court declining to review, this important pair of rulings about the breadth of CFAA liability will stand.  What will be interesting – especially with respect to the nuanced issues surrounding CFAA liability for data scraping – is how the Ninth Circuit will clarify or refine its Power Ventures holding when it considers the appeal of the recent landmark decision from the Northern District of California in hiQ Labs, Inc. v. LinkedIn, Corp., 2017 WL 3473663 (N.D. Cal. Aug. 14, 2017), a ruling that distinguished Power Ventures and appeared to limit the applicability of the CFAA as a tool against scraping.

 

Ninth Circuit Rejects Claim That Amazon’s Terms and Conditions Are an Unconscionable Contract

In an unpublished opinion, the Ninth Circuit affirmed a lower court’s ruling that had sent a putative class action against Amazon over its pricing practices to arbitration, as per Amazon’s terms of service. (Wiseley v. Amazon.com, Inc., No. 15-56799 (9th Cir. Sept. 19, 2017) (unpublished)).  In finding that Amazon’s “Conditions of Use” were not unconscionable and presented in a reasonable manner, this holding differs from a Second Circuit decision from last year that declined to compel arbitration because reasonable minds could disagree regarding the sufficiency of notice provided to Amazon.com customers when placing an order through the website. (On remand, a New York magistrate judge ruled that the court should grant Amazon’s motion to compel arbitration on other grounds based upon the plaintiff’s constructive knowledge of the terms.) Continue Reading

LinkedIn Files Opening Brief with Ninth Circuit in Closely-Watched Data Scraping Dispute with hiQ

In a new development in an important scraping dispute, LinkedIn appealed the lower court’s decision to grant a preliminary injunction compelling LinkedIn to disable any technical measures it had employed to block the defendant’s data scraping activities.  LinkedIn’s brief was filed on October 3, 2017.  In it, LinkedIn asserts that the relevant issue is whether the lower court “erred as matter of law by holding—contrary to the CFAA’s unambiguous text and Circuit precedent—that LinkedIn could not invoke the CFAA after LinkedIn revoked hiQ’s access to its servers by sending a particularized cease-and-desist letter and imposing technical measures to block hiQ’s data-scraping bots.”

We will be watching the developments in this case closely.

For an analysis of the lower court’s August 14th decision, please read the Client Alert on our website.

Wow! Illinois Biometric Privacy Suits Proliferate

This month, in one of the many recently-filed Illinois biometric privacy suits, a class action complaint alleging violations of Illinois’s Biometric Information Privacy Act (BIPA) was lodged against Wow Bao, a restaurant chain, over its use of self-order kiosks that allow customers to use faceprints as a method to authenticate purchases. (Morris v. Wow Bao LLC, No. 2017-CH-12029 (Ill. Cir. Ct. filed Sept. 5, 2017)).  The suit against Wow Bao was not the only BIPA-related suit filed in September, as several businesses with an Illinois presence, including Crunch Fitness and Speedway, Inc., were served with complaints. And more than a week ago, an Illinois federal court refused to dismiss BIPA claims against photo storage service Shutterfly over claims that its photo tagging feature created a faceprint of the non-user plaintiff after a friend uploaded a group photo, and upon the service’s suggestion, then tagged the plaintiff, thereby storing plaintiff’s faceprint and name in Shutterfly’s database without his notice or consent. (Monroy v. Shutterfly, Inc., No. 16-10984 (N.D. Ill. Sept. 15, 2017)). Continue Reading

Apple X’s Face ID Feature Places Spotlight on Facial Recognition Technology, Raising Numerous Mobile Privacy and Data Usage Issues

This week’s Apple X announcement was not more than a few hours old, and the questions began to come in. Apple’s introduction of Face ID facial recognition on its new phone – although already available in some form on several Android phones – generated curiosity, concerns and creativity.  Unfortunately, the details about specifically how the recognition feature will really work are yet unknown.  All the public knows right now is that the phone’s facial “capture” function, powered by an updated camera and sensor array, will direct 30,000 infrared dots around a user’s face and create a hashed value that will presumably be matched against a user’s face during the unlocking procedure.

The questions and issues this raises are too numerous and varied to address in a single blog post. I will simply point out that the concerns over Face ID range from spoofing (e.g., Can the phone be unlocked by a picture? [Apple says no, explaining that the system will map the depth of faces]) to security (e.g., Is the “face map” or hashed value stored in a database which can be breached? [Apple, says no, like fingerprints in Apple’s current Touch ID feature, the face map will be securely stored locally on the device]).

One issue that I thought was particularly interesting, however, relates to the ability of apps residing on a phone to interact with facial captures. Unless disabled, Face ID could potentially be “always on,” ready to capture facial images to authenticate the unlocking of the phone, and possibly capturing facial images as the user interacts with the unlocked phone.  So, clients have asked: Will the apps on the phone be able to access and use those facial captures? Continue Reading

Online Vacation Rental Marketplace Sends Claims Packing with Carefully Drafted Terms

In a resounding victory for well-drafted terms and conditions and robust immunity under Section 230 of the Communications Decency Act, 47 U.S.C. § 230 (“CDA Section 230”), a Massachusetts district court granted summary judgment in favor of HomeAway, the online vacation rental marketplace, on two users’ claims stemming from a dispute over a property listing on the VRBO.com site. (Hiam v. HomeAway.com, Inc., No. 16-10360 (D. Mass. July 27, 2017)).   In its opinion, the court not only held that CDA Section 230 bars HomeAway from being treated as a “seller of travel services” under state consumer protection regulations, but also that HomeAway’s terms and conditions and privacy policy expressly disavowed any promises to pre-screen or monitor rental listings or release member information upon a user’s request. Continue Reading

Second Circuit Upholds Uber’s Mobile Contracting Process, Establishing Template for Mobile Online Contracting

In recent years, courts have issued varying rulings as to whether online or mobile users adequately consented to user agreements or terms of service when completing an online purchase or registering for a service.  In each case, judges have examined the facts closely, particularly the user interface that presents the terms to the user before he or she completes a transaction.  In an important ruling vindicating Uber’s user registration and electronic contracting process, the Second Circuit reversed the lower court and held that the notice of Uber’s terms of service was reasonably conspicuous and that the plaintiff unambiguously manifested assent to the terms, and therefore agreed to arbitrate his claims with Uber. (Meyer v. Uber Technologies, Inc., 2017 WL 3526682 (2d Cir. Aug. 17, 2017)).  While clearly good news for Uber in this litigation, in blessing Uber’s mobile contracting process, the court also established something of a template for other mobile apps to follow to ensure that their terms and conditions will be enforceable against their members or users.  Continue Reading

Ending Data Scraping Dispute, Craigslist Reaches $31M Settlement with Instamotor

Craigslist has used a variety of technological and legal methods to prevent unauthorized parties from violating its terms of use by scraping, linking to, or accessing user postings for their own commercial purposes. For example, in April, craigslist obtained a $60.5 million judgment against a real estate listings site that had allegedly received scraped craigslist data from another entity. And craigslist recently reached a $31 million settlement and stipulated judgment with Instamotor, an online and app-based used car listing service, over claims that Instamotor scraped craigslist content to create listings on its own service and sent unsolicited emails to craigslist users for promotional purposes.  (Craigslist, Inc. v. Instamotor, Inc., No. 17-02449 (Stipulated Judgment and Permanent Injunction Aug. 3, 2017)).   Continue Reading

Court Issues Injunction Barring Blocking of Scraping and Holds CFAA Likely Doesn’t Apply

A Green Light for Screen Scraping? Proceed With Caution…

UPDATE:  As expected, LinkedIn appealed the lower court’s decision to grant a preliminary injunction compelling LinkedIn to disable any technical measures it had employed to block the defendant’s data scraping activities.  LinkedIn’s brief was filed on October 3, 2017.  In it, LinkedIn asserts that the relevant issue is whether the lower court “erred as matter of law by holding—contrary to the CFAA’s unambiguous text and Circuit precedent—that LinkedIn could not invoke the CFAA after LinkedIn revoked hiQ’s access to its servers by sending a particularized cease-and-desist letter and imposing technical measures to block hiQ’s data-scraping bots.”  We will be watching the developments in this case closely.

While the law relating to screen scraping  is unclear, a recent landmark decision from the Northern District of California, hiQ Labs, Inc. v. LinkedIn, Corp., 2017 WL 3473663 (N.D. Cal. Aug. 14, 2017), appears to limit the applicability of the CFAA as a tool against scraping. Indeed, in granting injunctive relief against LinkedIn’s blocking of hiQ’s scraping activities, the hiQ court noted that, by invoking the CFAA, “[c]ompanies could prevent competitors or consumer groups from visiting their websites to learn about their products or analyze pricing.” While the hiQ decision suggests that, at least in some circumstances, scraping of publicly available websites does not give rise to a cause of action under the CFAA, scrapers beware – the road may still have some rough patches ahead.

Read the full Client Alert on our website.

Delaware Authorizes Stocks on Blockchain

On July 21st, Delaware Governor John Carney Jr. signed SB 69 into law. SB 69 amends the Delaware General Corporation Law (“DGCL”) to explicitly authorize the use of distributed ledger technology in the administration of Delaware corporate records, including stock ledgers.

Distributed ledger (or “blockchain”) technology-based platforms enable peer-to-peer transactions and eliminate the need for a trusted intermediary to verify and process the transactions. The potential applications of such technology in the administration of corporate records, and stock ledgers in particular, are tremendous. Continue Reading

LexBlog