Header graphic for print

New Media and Technology Law Blog

FINRA Issues Investor Alert Concerning Bitcoin Trading and Speculation

Posted in Digital Currency, Online Commerce, Regulatory, Technology

Bitcoin remains fixed on the front pages of the business and technology news for both the salacious and the positive. Much attention has been paid to the collapse of the former top bitcoin exchange, Mt. Gox, stemming from the purported theft of nearly $500 million in bitcoins.  The temporary suspension of trading in the securities of one technology company producing a mobile bitcoin platform, the venture capital investment in bitcoin-related startups, and the rash of cyberhacking incidents against digital wallet services have all been prominently featured in the press.  In addition, the advent of alternative cryptocurrencies beyond bitcoin, the dubious discovery of mysterious bitcoin founder Satoshi Nakamoto, and the increased acceptance of bitcoin by major e-commerce sites have made the headlines as well.

Amid the news coverage, interest in bitcoin has grown, but so has the scrutiny.

On March 11, 2014, FINRA issued an Investor Alert to caution investors of the “significant risks” of buying and speculating in bitcoin and other digital currencies, as well as the risk of fraud and cybercrime related to online bitcoin exchanges and other bitcoin-related service providers.

Specifically, the alert outlines several risks surrounding the usage of and speculating in bitcoins, including:

  • Bitcoin and other digital currencies are not legal tender and if the trust built up among individual users and businesses should vanish, bitcoins would be valueless.
  • Online exchanges that allow users to buy and sell bitcoins and digital wallet services that allow users to store bitcoin are magnets for cyberthieves.  Unlike banks that offer federal protections for depositors, there are no safeguards for bitcoins stored with service providers.
  • Because bitcoin transactions are essentially anonymous, users must take extra care to avoid fraudsters posing as legitimate services.  Importantly, a completed bitcoin transaction cannot be reversed and refunds are contingent on the willingness of the parties.  The alert cautions that fraudulent schemes are not limited to the web – for instance, last year, the SEC brought suit against the operator of a bitcoin-related Ponzi scheme and even issued its own Investor Alert about Ponzi schemes involving virtual currencies.
  • Bitcoins have been used for illicit transactions and such activities could impact users and speculators if an online exchange or service is shut down by law enforcement.
  • Bitcoin speculation, like any investment, brings financial risk.  Price volatility has been bitcoin’s hallmark in recent years, and there is no uniform value of bitcoin across the various exchanges.  Moreover, outside events such as the collapse of an online exchange, a hacking incident of an e-wallet service or regulation imposed by a foreign government can dramatically affect the currency’s value.  As the alert states: “In short, bitcoin speculation is extremely risky.”

State regulators have also taken note of the risks to investors and users of bitcoin. Notably, the FINRA alert comes on the heels of the New York Department of Financial Services announcing that it is accepting formal proposals to operate digital currency exchanges in New York in conjunction with the agency establishing its oversight of the nascent industry, as well as the Texas Securities Commissioner entering an Emergency Cease and Desist Order against a Texas energy exploration company that sought bitcoins from potential investors.  The Texas State Securities Board also issued its own bitcoin Investor Alert.

Where is it all headed?  Given the variable nature of bitcoin, it’s hard to foresee the future.  Still, many questions remain: How will state or federal regulation affect the bitcoin ecosystem in the coming year?  Will volatility and data security lapses destroy confidence in bitcoin and chill speculation, or will bitcoin persevere and gain more legitimacy?  Will bitcoin emerge as a standard payment option, remain a niche product, or otherwise become less interesting, but more predictable under new regulations?

We will keep you posted as we learn more and work through these issues with our clients.

Bitcoins: Legal and Business Issues

Posted in Digital Currency, Technology

On Monday, the Senate Committee On Homeland Security and Governmental Affairs held the first of two days of hearings on Bitcoin and digital currencies — Beyond Silk Road: Potential Risks, Threats, and Promises of Virtual Currencies.  During the “surprisingly friendly” hearings, the price of bitcoin soared as regulators, officials, and academics offered cautious, but positive views on the prospect of bitcoin within the greater economy and the future challenges for law enforcement regarding digital currency.

I recently gave a presentation on bitcoins, entitled Bitcoin — Legal and Business Issues Surrounding the Digital Currency.  Among other things, I discussed:  bitcoins generally, the emerging bitcoin marketplace, the legal issues and data security concerns surrounding bitcoin, as well as practical business advice (including the risks and benefits) for merchants and e-retailers  that are considering accepting bitcoin.

Stay tuned for further developments!

No Expansion of CFAA Liability for Monetary Exploit of Software Bug

Posted in Computer Fraud and Abuse Act, Software, Videogames

In the game Monopoly, lucky players landing on Community Chest might turn over the highly desirable “Bank Error in Your Favor, Collect $200″ card.  By the next turn, the proceeds are usually invested in properties and houses, yet, some might wonder whether accepting such a windfall was proper in the first place…or could lead to criminal charges.

This concept was tested when police arrested two video poker players who were exploiting a software bug that allowed them to multiply jackpots with just a sequence of pushed buttons.  See United States v. Kane, No 11-mj-00001 (D. Nev. filed Jan. 19, 2011).  The defendants were charged with violations of the Computer Fraud and Abuse Act (“CFAA”), a federal statute that prohibits computer hacking and unauthorized access into computer networks.  The question was whether the defendants “exceeded authorized access” when they took advantage of an exploit in a video poker machine to win hundreds of thousands of dollars.

The CFAA was enacted in 1984 and provides, in pertinent part, that anyone who “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains. . . information from any protected computer” commits a crime. 18 U.S.C. § 1030(a)(2)(C). It defines “exceeds authorized access” as “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” Id. § 1030(e)(6).

The Kane prosecution is a recent example of a “technology statute” being aggressively applied to issues or disputes that were not even conceived of when the statute was enacted. The CFAA was directed at classic computer “hacking” activities where it was easier to determine when an outsider lacked “authorized access” to a network.  But the language of the Act is susceptible to broader application, and it has been brought to bear in many contexts beyond the hacking scenario, including employee misappropriation of company data, unwanted copying or misuse of website data, and now, the “gaming” of video poker machines.

In Kane, the Government alleged that the defendants discovered an exploit in certain video poker machines that allowed the players, over the course of two years at different casinos, to falsely maximize the payouts for a winning hand.  Apparently, the defendant Kane uncovered the glitch in the machine after hours and hours of playing.  In short, once the “double up” feature of the poker machine was activated (i.e., an option that allowed players to make double-or-nothing bets), the defendants then legitimately played until they obtained a winning hand.  Then, after using a complex combination of game changes, bill insertions and cash outs — a sequence of pushed buttons — they would use the “double up” feature to change the stakes in the middle of the game to the highest denomination, and trigger a second jackpot. Because of a series of programming errors, the machine re-evaluated the original game at the new, higher denomination, paying a jackpot which paid out at a higher denomination than the defendants had initially wagered. [click here for Wired's excellent account of the entire caper].  The Government did not allege that the defendants physically tampered with the video poker machines.

After winning several large jackpots at a Las Vegas casino in one afternoon, the management became suspicious and summoned Nevada Gaming Control Board engineers who discovered the software anomaly in the machine.  The defendants were later arrested and charged with conspiracy to commit wire fraud and violations of the CFAA based upon allegations that they exceeded authorized access to a protected computer in furtherance of fraud.

The defendants had moved to dismiss the CFAA claims and last year the magistrate issued a report recommending that the district court dismiss those charges.  See United States v. Kane, No. 11-cr-00022 (D. Nev. Report and Recommendation Oct. 15, 2012).  The defendants asserted that the CFAA claim should be dismissed because: (1) a video poker machine is not a “protected computer” under the statute (i.e., a computer “which is used in or affecting interstate or foreign commerce or communication”); and (2) the defendants did not “exceed [their] authorized access” to the video poker machines.

In recommending dismissal, the magistrate first found that a video poker machine was not a “protected computer” under the statute because, unlike a computer network or online database connected to the internet, a video poker machine was a standalone computerized machine unconnected to interstate commerce. The magistrate also found that the defendants did not exceed authorized access to the video poker machine.  The court rejected the Government’s argument that while the defendants were authorized to play video poker, the defendants were not authorized to configure play in a manner that produced false payouts not intended by the casino.  Unlike the employer-employee situation, where the use of computer use policies, password protection, encryption and system monitoring defines the level of “access,” gamblers do not agree to any terms of use and the bounds of play are enforced by the video poker software itself.

The magistrate cited United States v. Nosal, 676 F.3d 854 (9th Cir. 2012), where an en banc Ninth Circuit upheld the lower court’s dismissal of CFAA charges stemming from an ex-employee’s misappropriation of proprietary documents in violation of his employer’s computer use policy. [For additional information about the case, see our prior post].

In recommending dismissal of the CFAA charges, the magistrate stated that the phrase “exceeds authorized access” in the CFAA does not extend to violations of use restrictions:

Here, the Government has asserted that, although the Defendants were authorized to play the video poker machines and access information for that purpose, the way that they used the information exceeded their authorization. This argument is directly analogous to the government’s argument in Nosal and it fares no better here. As Nosal makes clear, the CFAA does not regulate the way individuals use the information which they are otherwise authorized to access. Here, the Defendants’ alleged actions did not exceed their authorized access.

Following the magistrate’s report, the district court ordered supplemental briefing from the parties regarding whether the defendants exceeded authorized access under the CFAA in light of the Nosal ruling and whether the defendants’ conduct could be comparable to hacking or misuse under the statute.  This past spring, the Government voluntarily dismissed the CFAA charges, leaving the defendants to face the wire fraud claims.  After several continuances, the trial is currently set for December 3, 2013 on the remaining counts.

As evidenced in Kane, the Ninth Circuit’s Nosal ruling continues to have important implications for the availability of a federal cause of action for misappropriation of data, as well as cases involving unauthorized access to websites and other computerized services.

Staving Off Scrapers of User-Generated Content with Electronic Copyright Transfers… A Legal (But, Perhaps Not a Practical) Solution

Posted in Copyright, Internet, Licensing, Online Content

It’s a problem that has vexed website owners since the days of the dot-com boom – how to make certain user-generated content available to users or subscribers, but also prevent competitors and other unauthorized parties from scraping, linking to or otherwise accessing that content for their own commercial purposes.

The law on scraping and linking remains undeveloped, and has not provided clear remedies for this kind of access.  Given the state of the law, sites often employ the “kitchen sink” strategy against scraping competitors: throwing multiple claims at the unauthorized party in the hope that at least one viable legal theory survives.  We last wrote about this approach in a May 2009 post when Facebook brought a multi-count suit against Power Ventures, an online service that allowed social networking users to access all of their accounts through one interface.

One tool that website owners would like to have to combat unauthorized use of user-generated content is copyright — that is, the ability to allege that the unauthorized use of user-generated content constitutes an infringement of the website publisher’s copyright.  Unfortunately, there is a problem….

Website providers that collect user-generated content typically include licensing provisions in their terms of use whereby users grant the site a non-exclusive license to content while (implicitly or explicitly) providing that the ownership of any copyright in such content remains with the user.  The use of a clickwrap agreement to convey a non-exclusive license to such content is a standard practice. Under Copyright Act Section 501, however, a non-exclusive licensee may not bring an action for copyright infringement.

Accordingly, a website provider that wants legal standing to bring a copyright claim against unwanted entities scraping content needs an online agreement that grants additional rights – namely, an exclusive license or an actual transfer of ownership in the underlying copyright.  Putting aside – for a moment – the issue of how users will react if a website owner tries to do this, the question is, from a legal perspective, can one obtain an exclusive license or assignment of copyright through online terms of use assented to by users?

This issue was recently addressed by the Fourth Circuit in a dispute between a real estate multiple listing service and an online real estate information aggregator over the copying of photographs and listing information. The listing service provider asserted claims with respect to user-submitted photographs as a copyright owner, based upon an agreement presented to its users when they uploaded photographs to the provider’s database. We previously discussed this dispute in a prior post when the lower court granted a preliminary injunction against the defendant-aggregator. Metropolitan Regional Information Sys., Inc. v. American Home Realty Network, Inc., 888 F. Supp. 2d 691 (D. Md. 2012).  The defendant filed an interlocutory appeal challenging the order and the Fourth Circuit affirmed the lower court’s ruling.  Metropolitan Regional Info. Sys., Inc. v. American Home Realty Network, Inc., 2013 WL 3722365 (4th Cir. July 17, 2013).

In the case, the parties were competitors in the real estate listing business. The plaintiff (“MRIS”) operated an online fee-based “multiple listing service” for real estate brokers and agents. Brokers and agents who entered into a subscriber agreement with MRIS could upload their listing information, including photographs of properties, to the MRIS site, and then display those and other listings on their own websites.  By uploading information, brokers and agents agreed to terms containing the following provision:

All images submitted to the MRIS Service become the exclusive property of [MRIS]. By submitting an image, you hereby irrevocably assign (and agree to assign) to MRIS, free and clear of any restrictions or encumbrances, all of your rights, title and interest in and to the image submitted. This assignment includes, without limitation, all worldwide copyrights in and to the image, and the right to sue for past and future infringements. [emphasis added]

The defendant (“AHRN”) was an aggregator that took listing data from public domain sources and online databases like MRIS and made it directly available to consumers on its “real estate referral” website.  AHRN had not acquired permission from MRIS to reproduce, display, or otherwise use the MRIS Database.  MRIS brought copyright infringement claims against AHRN for the alleged unauthorized use of MRIS listings, particularly the uploaded photographs of properties. The lower court entered a preliminary injunction order prohibiting AHRN’s display of MRIS’s photographs on AHRN website, and in a subsequent decision, clarified the scope of the injunction, stating that the injunction only covered AHRN’s use of MRIS’s photographs–not the database compilation itself or any textual elements that might be considered part of the compilation.

On appeal, the court addressed, among other things, the issue of whether a MRIS subscriber who assented to online terms of use prior to uploading copyrighted photographs signed a written copyright assignment in those photographs consistent with Section 204(a) of the Copyright Act, 17 U.S.C. § 204(a). Specifically, the defendant AHRN argued that a subscriber’s electronic assent to the MRIS terms did not operate as an assignment of rights under § 204. The plaintiff MRIS responded that an electronic transfer satisfies § 204’s writing and signature requirements, particularly in light of the later-enacted E-Sign Act, 15 U.S.C. § 7001.

Under §204(a), a transfer of one or more of the exclusive rights of copyright ownership by assignment or exclusive license “is not valid unless an instrument of conveyance, or a note or memorandum of the transfer, is in writing and signed by the owner of the rights conveyed or such owner’s duly authorized agent.” Generally speaking, a qualifying writing under Section 204(a) need not contain an elaborate explanation or any particular “magic words.”

The E-Sign Act, which sought to bring uniformity to state electronic signatures law, mandates that no signature be denied legal effect simply because it is in electronic form and that, barring certain exceptions, a contract may not be denied legal effect solely because an electronic signature or electronic record was used in its formation. 15 U.S.C. §§ 7001(a)(1), (a)(2).

The court first found that because Section 204(a) of the Copyright Act requires transfers be “written” and “signed,” the E-Sign Act’s dictates on electronic signatures would apply to the copyright transfer provisions.  The court ultimately held that an electronic agreement may effect a valid transfer of copyright interests under Section 204 of the Copyright Act, affirming the lower court’s ruling that MRIS was likely to succeed against AHRN in establishing its ownership of copyright interests in the copied photographs.

This ruling is important for online businesses that want an alternative litigation strategy to protect their user-generated content from scraping by competitors for commercial purposes.  However, this strategy may not be feasible in every instance; the user “politics” on each site are different.  For example, while the users of the business-to-business MRIS online database were professional real estate agents who may have accepted the concept of assigning the copyright in listing photographs, other consumer-oriented social media sites or photo sharing services have experienced user backlash over similar changes to website terms of use. Indeed, last year, the online classified ad provider Craigslist encountered a flurry of controversy when it changed its terms of service for a limited time to gain exclusive rights to user content, in preparation to litigate claims against certain aggregators that were scraping content from its site and republishing it on websites and mobile apps (See generally Craigslist, Inc. v. 3Taps, Inc., 2013 WL 1819999 (N.D. Cal. Apr. 30, 2013).



Trade Dress Can Be Viable Means of Protecting Websites from Competitor’s Look-Alike Sites

Posted in Online Content, Technology

Somewhere between a well-recognized website design like Google’s home page and a fledgling e-commerce venture built with free web building software lives most other websites.  Depending on the investment in the development and the operator’s design ethic, some websites may display unique, distinctive portals that are key to attracting and retaining customers.  For those with a unique look, it might be possible that the “trade dress” of their sites – the unique look and feel – could be protectable, and therefore useful in fending off competitors who copy their online presence.

This past August, a Louisiana district court joined courts in the Western District of Pennsylvania, the Western District of Washington, the Western District of Texas, and the Northern District of California in recognizing the viability of a trade dress infringement claim based on a website’s look and feel. Express Lien (“Zlien”) alleged that a competitor, National Association of Credit Management (“NACM”), a Maryland non-profit corporation, had mimicked the “look and feel” of its website and caused consumer confusion.  Express Lien Inc. v. National Ass’n of Credit Management Inc., 2013 WL 4517944 (E.D. La. August 23, 2013).

Generally speaking, the “trade dress” of a product concerns the total image of a product and may include features such as size, shape, color or color combinations, texture or graphics and it may be eligible for protection if it is nonfunctional and distinctive (or has acquired secondary meaning in the marketplace as being identified with its producer or source). To maintain an action for trade dress infringement, a plaintiff must allege that a competitor’s product design or packaging is likely to confuse consumers as to the product source. Most trade dress infringement actions involve the packaging or labeling of goods; however, in the last decade, courts have begun to entertain trade dress claims based upon website design or “look and feel.”    

In this case, Zlien is an online business that provides information to the construction industry, such as legal forms and information on state lien statutes. Zlien alleged substantial investment in its website, including in the color, code elements and orientation. According to Zlien, the website design was widely recognized by consumers and helped drive sales. In its complaint, Zlien claimed that NACM copied Zlien’s stylistic choices of color, font, hyperlinks, and content, so much so that that the similarities were “likely to cause confusion” and caused Zlien to suffer damages to its profits, sales and business. Zlein also alleged copyright infringement, based on NACM’s use of content from the Zlien site’s pages.

 In response, NACM filed a motion to dismiss Zlien’s complaint. 

The court rejected NACM’s argument that Zlien failed to plead the necessary elements for trade dress infringement because it did not own a registered trademark in its website. The court held that trade dress protection is not dependent on registration. NACM’s argument that a comparison of the websites revealed no trade dress infringement also failed. The court found that alleging that there were some differences between the websites on corresponding pages was not significant enough to warrant dismissal at this early stage of the litigation.

The court also rejected NACM’s motion to dismiss Zlein’s copyright claims. NACM argued that the underlying information on Zlien’s website, state statutes, is not copyrightable, to which Zlien responded that the content of the website qualifies as a compilation. The court reasoned that NACM did not prove that the material at issue was not a compilation as a matter of law.

While this case is far from over, the Express Lien decision follows recent decisions that have allowed properly pleaded website related trade dress claims to survive dismissal.  See e.g., Sleep Science Partners v. Lieberman, 2010 WL 1881770 (N.D. Cal. May 10, 2010).

Meanwhile, if a company wants to preserve trade dress protection for a website it maintains or is building, the website trade dress needs to be distinctive and synonymous with the company or its products and services. Further, it is important that the trade dress elements are not functional or standard or essential to the operation of any website.

Once again, this is an example where the lawyers, designers and technologists in an organization should be in communication to ensure maximum protection for the online assets of the organization.

The First Amendment Goes Digital – Clicking “Like” on Facebook is Speech

Posted in First Amendment, Online Content, Technology

With around 1.15 billion members, Facebook is a massive, global forum for communicating with friends and the world.  For many users, it often feels as if their news feeds are clogged with vapid comments about the weather, meal choices or the ever-present need for coffee.  But under other circumstances, such as the Arab Spring or in the wake of a controversial Supreme Court opinion, Facebook can become a powerful tool for political speech.  Beyond postings, photos and videos, drilling down to the most basic level, one click of a “Like” button can speak volumes.

In a decision that expands the First Amendment’s definition of protectable speech, the United States Court of Appeals for the Fourth Circuit held in Bland v. Roberts, 2013 WL 5228033 (4th Cir. Sept. 18, 2013)  that clicking the “like” button on a Facebook page qualifies as speech.

In Bland, former sheriff’s deputies of the Sherriff’s Office in Hampton, Virginia alleged that the Sheriff violated their First Amendment rights by choosing not to reappoint them based upon their lack of political affiliation with him during the election campaign.  One plaintiff, Daniel Ray Carter, Jr., expressed his political views via Facebook by, among other things, clicking “like” on the Facebook page of the Sheriff’s opponent and posting comments indicating support for the Sheriff’s opponent on the same Facebook page.  The Sheriff, upon learning about the actions of Carter, warned them that such actions “would cost him his job.”  Upon being re-elected, the Sheriff did not reappoint any of the plaintiffs to their previous positions in the Sheriff’s Office.  Carter alleged that the Sheriff violated his First Amendment rights when he refused to reappoint him based upon his apparent lack of political allegiance to the Sheriff evidenced by Carter’s Facebook “like” of the Sheriff’s opponent.

The lower court ruled that Carter’s Facebook “like” was not expressive speech and that he failed to prove a causal link between his support of the Sheriff’s opponent and his non-reappointment. However, the Fourth Circuit reversed as to Carter’s claims and held that “liking” a Facebook page fell within the bounds of constitutionally protected speech (to be sure, although the appeals court reinstated Carter’s claim, it held that Carter could only seek reinstatement as a remedy, as the Sheriff was protected against a claim of monetary damages due to qualified immunity). 

The court’s reasoning was buttressed by its understanding of the expressive effect of a Facebook “like” in the online realm. According to the court, clicking “like” on the Sheriff’s opponent’s Facebook page caused the page’s name and a photo of the candidate to show up on the user’s own Facebook page, as well as triggering an item to appear on the news feed of the user’s Facebook friends. Clicking on the “like” button, as the Court noted, “literally causes to be published the statement that the User ‘likes’ something, which is itself a substantive statement.”  In fact, the court stressed that social media offers individuals a powerful message board to communicate political and other views to the larger public through the mere use of a tiny button: “That a user may use a single mouse click to produce that message that he likes the page instead of typing the same message with several individual key strokes is of no constitutional significance.”   By pressing the “like” button, represented by a thumbs-up icon, Carter symbolically conveyed his support for the Sheriff’s opponent — the “Internet equivalent of displaying a political sign in one’s front yard, which the Supreme Court has held is substantive speech.”   

While James Madison likely did not have Facebook in mind when he drafted the First Amendment, the Court’s decision modernizes the First Amendment a bit. With the ubiquity of social media, it’s a welcome treat that the court took time to understand the technology and adapt the law to the evolving digital age.”

New California Law Impacts Use of Information from Minors, Offers Right to Delete

Posted in Legislation, Online Content, Privacy

Law Targets Sites and Mobile Apps Directed to Minors, Offers “Online Eraser”     

Likely to Have Nationwide Effect

On July 1st of this year, new amendments to the Children’s Online Privacy Protection Act Rule (COPPA Rule) came into effect, with perhaps the most pronounced changes being the expansion of COPPA to apply to geolocation information and persistent identifiers used in behavioral advertising.  Critics called the amendments jumbled and a compliance headache, while privacy advocates were buoyed, but thought the changes did not go far enough to protect the online privacy of children.  Still others contended that federal law contains a gap that fails to offer privacy protections for teenage users.

Once again, the California state government has stepped up to fill what it perceives to be a void in federal online privacy protection, this time to address certain restrictions on the use of information collected from minors and to give minors an online “eraser” of sorts. In late September, Gov. Brown signed S.B.568, which expanded the privacy rights for California minors in the digital world.

“Minors”, by the way, are defined under the law as residents of California under age 18 – this definition in itself is an expansion of the protections afforded to children under COPPA, which addresses the collection and use of information from children under 13.  That is not the only expansion of COPPA presented by this new law.  The federal COPPA Rule is primarily concerned with mandating notice and parental consent mechanisms before qualifying sites or mobile apps can engage in certain data collection and data tracking activities with respect to children under 13.  The California statute’s marketing restrictions for minors contain no parental consent procedures  – rather, restrictions for covered web services directed to minors that relate to certain specified categories of activities that are illegal for individuals under 18 years of age.

As a practical matter, compliance with this law will require certain changes in the way website publishers collect and process user information.  For example, it is much easier for online operators to determine whether their websites are directed to children under 13 as opposed to “directed to minors” under 18.  Going forward, sites and apps will have to reevaluate their intended audience, as well as establish procedures for when a minor user self-reports his or her age, triggering the site having actual knowledge of a minor using its service.

S.B.568 has two principal parts:  minor marketing restrictions and the data “eraser.”

Marketing Restrictions: The new California law prohibits an operator of a website, online service or mobile app directed to minors or one with actual knowledge that a minor is using its online site or mobile app from marketing or advertising specified types of products or services to minors. The law also prohibits an operator from knowingly using, disclosing, compiling, or allowing a third party to use, disclose, or compile the personal information of a minor for the purpose of marketing or advertising specified types of products or services. Moreover, the law makes this prohibition applicable to an advertising service that is notified by a covered operator that the site, service, or application is directed to a minor.  The statute lists 19 categories of prohibited content covered by the law’s marketing restrictions, including, firearms, alcohol, tobacco, drug paraphernalia, vandalism tools and fireworks.  Notably, the law does not require an operator to collect or retain the ages of users, and provides operators with a safe harbor for “reasonable actions in good faith” designed to avoid violations of the marketing restrictions.

Online Eraser: The second part of S.B. 568 requires operators of websites and applications that are directed to minors, or that know that a minor is using its site or application, to allow minors that are registered users, to remove (or to request and obtain removal of) their own posted content. The operators must also provide notice and clear instructions to minors explaining their rights regarding removal of their own content. Notably, SB 568 does not require operators to completely delete the content from its servers; it only requires that the content be no longer visible to other users of the service and the public.  There are certain exceptions to this “online eraser” right, such as circumstances where any other provision of federal or state law requires the operator or third party to maintain the content, the content is stored on or posted to the operator’s site or application by a third party, the operator anonymizes the content, the minor fails to follow the instructions regarding removal, or the minor has received “compensation or other consideration for providing the content.”

Both prongs of the law raise many questions:

  • How does a site or application owner determine whether it is covered by S.B.568? Under the statute, a website, online service, or mobile app “directed to minors” means an “Internet Web site, online service, online application, or mobile application, or a portion thereof, that is created for the purpose of reaching an audience that is predominately comprised of minors, and is not intended for a more general audience comprised of adults.”
  • What will qualify for “reasonable actions in good faith” under the safe harbor?  What are the legal ramifications of an independent online ad network serving unlawful ads to minors without the knowledge of an otherwise compliant site operator?
  • How does a site implement the “eraser” function? With user tools to eliminate UGC, or will the site control the removal process via an online request form?  Will a removal request necessarily cause the removal of other users’ content (e.g. social media postings of other users that comment on a removed comment or submitted photo)?
  • The online eraser right seemingly applies only to minors.  How should a site or app handle requests from adults wishing to remove content they posted when they were minors?  Should sites simply offer the tool to all users to avoid compliance issues?
  • What qualifies as “compensation or other consideration for providing the content” under the exceptions to the online eraser right? Would this include free products, coupon codes, or the right to receive exclusive ‘limited time’ offers?
  • What changes are required in the site’s privacy policies?

The law will come into effect on January 1, 2015. Any company with a website that can be accessed by California residents should assess the impact of these new requirements in the coming year. Considering that most, if not all, major websites and apps necessarily have or will have California-based users, this state law may become a de facto national standard, particularly since technical controls to screen or segregate California users may be unworkable.

[Incidentally, California also recently enacted a new law addressing online tracking, so it appears that the California legislature continues its focus on web privacy].

Sixth Circuit Affirms ‘Dirtiest Hotel’ Defamation Ruling

Posted in Defamation, Online Content

We previously wrote about a Tennessee district court’s decision holding that a hotel’s inclusion at the top of the 2011 TripAdvisor “Dirtiest Hotels” list constituted hyperbolic opinion and rhetorical exaggeration, and thus was not actionable under Tennessee defamation law.  This past month, a circuit court upheld the ruling.

On appeal, the Sixth Circuit affirmed the lower court’s grant of TripAdvisor’s motion to dismiss, ruling that the plaintiff could not prove falsity on its defamation claim because the placement of hotels on TripAdvisor’s list constituted protected opinion.  Seaton v. TripAdvisor LLC, 2013 WL 4525870 (6th Cir. Aug. 28, 2013).  In brief, the appeals court found that TripAdvisor’s “dirtiest” top ten list amounted to rhetorical hyperbole and that the general tenor of the “2011 Dirtiest Hotels” list undermined any impression that TripAdvisor was seriously maintaining that the plaintiff’s hotel was, in fact, the dirtiest hotel in the country.  The court also noted that the list’s explanatory caption — “Dirtiest Hotels – United States as reported by travelers on TripAdvisor” – clearly indicated that TripAdvisor’s rankings were based on the subjective views of its users, not on objectively verifiable facts or the results of a scientific survey.

Lists and rankings are rampant on the web, and the court found that reasonable people likely understand the vast majority of them to be mere opinion.  What we might call the ‘Top Ten List/Just a Bit of Hyperbole’ defense is not novel, and was also successfully used at least once before in a California case to defeat defamation claims – See Vogel v. Felice, 26 Cal. Rptr. 3d 350, 361 (Cal. App. 2005) (while the defendant’s website was decidedly “puerile,” “it is inconceivable that placement on the ‘Top Ten Dumb Asses’ list could be understood to convey any imputation of provable defamatory fact.”).

Interestingly, the court also rejected the plaintiff’s argument that the defendant used a faulty methodology or arbitrary method in compiling the rankings. The court stated that such an allegation would not undermine the conclusion that placement on the top ten list could not be interpreted as stating actual facts and therefore the subjective weighing of factors could not be proven false and could not form the basis of a defamation claim.

“[E]ven if Seaton is correct that TripAdvisor employed a ‘flawed methodology’ in creating the list, his claim for defamation still fails because TripAdvisor’s method of compiling its user reviews and surveys, as alleged by Seaton, is ‘inherently subjective [in] nature’…”

The court’s only reference to Section 230 of the Communications Decency Act (the “CDA”) was in a footnote to the opinion, which asserted that TripAdvisor would not have been liable for any defamatory statements of its users. See Seaton v. TripAdvisor LLC, 2013 WL 4525870 at FN 8. Thus, the issue of how the CDA applies to a “Top Ten List” scenario was not addressed in this case, although it seems like it could have been.  No worries, however…it seems like there is no shortage of interesting CDA cases coming down the pike.

Sixth Circuit to Construe Scope of CDA Section 230 Immunity on Appeal of Unusual Jones v. Dirty World Decision

Posted in Internet, Online Content

How can a website operator lose the broad immunity for liability associated with user-generated content conferred by Section 230 of the Communications Decency Act (CDA)? 

Section 230 has been consistently interpreted by most courts to protect website operators against claims arising out of third-party content, despite some less than honorable conduct by operators.  See, for example, our previous post here.  Courts have applied Section 230 even when they have found it problematic to do so, such as in Directory Assistants, Inc. v. Supermedia, LLC, 2012 WL 3329615 (E.D. Va. May 30, 2012), in which the court wrote, “The prospect of blanket immunity for those who intentionally redistribute defamatory statements could have widespread and potentially catastrophic consequences for individuals and entities alike.  Nevertheless, under the CDA the Court’s hands are tied.”

Thus, it is with great interest that we watch the appeal to the Sixth Circuit, filed on July 15, 2013, of the U.S. District Court for the Eastern District of Kentucky’s unusual decision in Jones v. Dirty World, 840 F.Supp.2d 1008 (E.D. Ky. 2012).  In Jones, the court dismissed the defendant website operators’ motion for summary judgment based on Section 230, leading to a jury award this past July of $380,000 in compensatory and punitive damages against the defendants for defamation and invasion of privacy.  In the court’s opinion, and in its supplemental memorandum opinion issued after the jury verdict to “explain further” its rationale, Judge William O. Bertelsman drew a line less favorable to website operators with respect to third-party content than other courts have generally adopted.

We will be monitoring the appeal to see whether the District Court’s decision was merely an anomalous example of how “bad facts make bad law” or a warning shot that actually leaves a dent in the armor of Section 230.

CDA Section 230

Section 230 immunizes providers of “interactive computer services,” such as websites to which users can post content, against certain types of liability arising from third-party-created material: “No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.”  47 U.S.C. § 230(c)(1).  The CDA defines “information content provider” as “any person or entity that is responsible, in whole or in part, for the creation or development of” the content.  47 U.S.C. § 230(f)(3).

Although Section 230 does not confer immunity with respect to all types of claims (for example, it explicitly excludes intellectual property law and certain criminal laws from its purview), it does immunize website operators against defamation claims arising out of third-party content.  Without this immunity, website operators might be vulnerable for defamatory statements made by others on their websites.

Jones v. Dirty World

In Jones, plaintiff Sarah Jones alleged that the operator of gossip website TheDirty.com, Hooman Karamian (alias, “Nik Richie”), and the companies through which he operates it, were liable for defamation and invasion of privacy due to two user-submitted posts published on TheDirty.com.

TheDirty.com invites users to submit, through an online form, posts that describe “what’s happening,” specify the relevant “City,” “College,” and “Category,” and include photos.  The submission form does not require that a post be about any particular topic or individual, and the “Category” field allows the user to make a selection from a wide range of options, including “Business,” “News,” and “Spring Break.”  Karamian screens the user submissions and selects some for publication, often adding his own jeering quip at the end of a post.  Users can also freely post comments on published stories.

The first post at issue in Jones consisted of a photo of Jones, a schoolteacher and cheerleader for the Cincinnati Bengals pro football team at the time, standing next to a Bengals team-member, with a message proclaiming Jones’s supposed promiscuity among the players.  The second post contained a picture of Jones in a bikini and a salacious message about her former marriage and allegations that her ex-husband was a serial adulterer that had tested positive for chlamydia and gonorrhea, and that the poster was “sure Sarah also has both.”  At the end of the second post, Karamian wrote, “Why are all high school teachers freaks in the sack? – nik.”

In evaluating the defendants’ claim of immunity under Section 230, the court stated in its supplemental memorandum opinion that “a website owner who intentionally encourages illegal or actionable third-party postings to which he adds his own comments ratifying or adopting the posts becomes a ‘creator’ or ‘developer’ of that content and is not entitled to immunity.”

The Jones court distinguished certain other cases that found CDA immunity because, the court asserted, the defendant website operators in those cases did not induce anyone to post unlawful content or add their own comments implicitly adopting an offensive posting and encouraging similar posts.  In finding that TheDirty.com “specifically encourage[d] development of what is offensive about the content,” Judge Bertelsman focused on the negative connotation of the name, “The Dirty,” and the facts that Karamian hand-selected user-submissions for publication, added his own comments to published posts, and incited users to form a loose organization dubbed “the Dirty Army” and take “a war mentality.” For those reasons, the court held that the operators of the TheDirty.com were “information content providers” of the posts and therefore ineligible for Section 230 immunity. 

It is interesting to note that some of the factors identified by the Jones court have, in fact, been present in other cases interpreting the CDA, and, notwithstanding the existence of those factors, in those cases the CDA was still held to immunize the web site operators.  We have discussed some of those cases here and here.

Subsequent Developments

After the Jones court issued its original opinion, TheDirty.com successfully asserted Section 230 protection in S.C. v. Dirty World, 2012 WL 3335284 (W.D. Mo. Mar. 12, 2012), a case brought against the operators of TheDirty.com based on a post similar to those at issue in Jones.  In S.C., the court found that the operators of TheDirty.com did not “develop” the post at issue, because they did not do anything to induce a post specifically directed at the plaintiff, did not add to or otherwise alter the substance of the post, and did not require users to post actionable material.  The court also refused to find that Karamian’s selection of posts disqualified him from Section 230 protection, stating that Section 230 protects such editorial choices and that “merely encouraging defamatory posts is not sufficient to defeat CDA immunity.”  Finally, the S.C. court distanced itself from the Jones ruling by stating it “appears to adopt a relatively narrow interpretation of CDA immunity” that conflicts with the broad immunity interpretations in the Eighth Circuit.

Was the Jones decision an outlier that will be reversed on appeal, or will the Sixth Circuit follow the lower court’s lead in reining in the breadth of Section 230 protection?  We look forward to the Sixth Circuit’s contribution to this evolving area of law.

Infringing Copyright? Think Twice Before Removing the Copyright Notice–It Could be Deemed “Copyright Management Information” Under the DMCA

Posted in Copyright, Internet

A simple copyright notice (e.g., “© [Year of First Publication] [Owner]”) on a website can imply an assertion of ownership in individual elements of the website and constitute “copyright management information” under the Digital Millennium Copyright Act (DMCA), a Texas district court held.  A Texas investment company learned this lesson the hard way when it removed the copyright notice from an image, used the modified image on its website without authorization, and was subsequently ordered by the court to pay enhanced damages for willful copyright infringement and statutory damages for violating the DMCA.

The original image at issue, a graphic juxtaposing two road signs, was created by a graphics company in Texas and federally registered with the U.S. Copyright Office.  In 2012, the graphics company discovered an unauthorized copy of the image on the investment company’s website.  The image had been stripped of the copyright notice that was part of the original image such that the investment company’s notice of copyright ownership at the bottom of the webpage was the only copyright information associated with it.

The graphics company filed a complaint alleging willful copyright infringement under the Copyright Act and a violation of Section 1202 of the DMCA, which prohibits the intentional removal or false provision of “copyright management information.”  The investment company failed to respond, earning a default judgment against it in John Perez Graphics & Design, LLC v. Green Tree Investment Group, Inc., 2013 U.S. Dist. LEXIS 61928 (N.D. Tex. May 1, 2013). 

The court awarded the graphics company enhanced damages for willful copyright infringement totaling $7,500, finding evidence of willfulness in the investment company’s removal of the copyright notice and use of the modified image on a webpage containing the investment company’s own copyright notice, which the court determined constituted an assertion of ownership of the image.  While the amounts at stake were relatively small for copyright infringement, under different facts the exposure could have been much greater.

Further, the court held that the investment company’s removal of the original copyright notice and substitution of its own constituted the provision of false copyright management information in violation of the copyright management provision of the DMCA.  17 U.S.C. § 1202.  This determination supported an additional award of $10,000 in statutory damages under the DMCA civil remedies provision, 17 U.S.C. § 1203, which allows for an award of up to $25,000 for each violation.

This double whammy might have been subject to challenge had the investment company litigated the issue, as there is disagreement in the federal courts as to whether a simple copyright notice constitutes “copyright management information” within the meaning of the DMCA. For an in-depth discussion of the issue, see Susuk Lim, A Survey of the DMCA’s Copyright Management Information Protections: The DMCA’s CMI Landscape after All Headline News and McClatchey, 6 Wash J.L. Tech. & Arts 297 (2011). As discussed in that article, some courts have limited the application of the DMCA copyright management provision to information that is part of a digital rights management technology.

The potential for simple copyright notices to constitute copyright management information raises a question for further thought:  As Section 1202 of the DMCA does not explicitly make an exception for fair use, would the removal or alteration of copyright management information in a context that constitutes “fair use” under Section 107 of the Copyright Act still run afoul of the DMCA and trigger statutory penalties?