Header graphic for print

New Media and Technology Law Blog

Website Marketing Statements: The Achilles’Heel to CDA Protection?

Posted in Online Commerce, Online Content

It’s no secret that local directory/consumer review websites are popular among consumers looking for recommendations before dining out, hiring a contractor, or even picking a dentist or day spa. Yelp reported around 138 million monthly unique visitors in the second quarter of 2014, searching among over 61 million local reviews.  The bottom line is that solid reviews and multiple stars on local search sites can drive sales; on the other hand, and to the chagrin of business owners, low ratings and a spate of one-star rants displayed prominently at the top of a listing can drive customers away.

Review sites typically have to wrestle with the problem of unreliable or fictitious reviews, which are blurbs written by friends or employees of the listed business, paid reviews, and negative reviews written by business competitors.  Some sites use filtering software to identify and remove unreliable reviews – of course, such software is not perfect, and businesses have complained that some sites have filtered out legitimate reviews, but left in other fake reviews to the detriment of the reviewed businesses.

A number of businesses have brought suit against consumer review sites claiming that they purposely remove positive reviews (but leave up defamatory complaints), arbitrarily reorder the appearance of reviews, or otherwise wrongfully tinker with the algorithms that are supposed to weed out “fake” reviews presumably to encourage or “extort” businesses to purchase advertising or pay for additional features.

Most suits that have sought to hold sites responsible for defamatory content created by third-party users have been rejected by courts based upon CDA Section 230, which immunizes “interactive computer services” – such as a consumer review websites – where liability hinges on content independently created or developed by third-party users.

To get around the broad immunity, some businesses have urged courts to interpret an intent-based exception into Section 230, whereby the same conduct that would otherwise be immune under the statute (e.g., editorial decisions such as whether to publish or de-publish a particular review) would be actionable when motivated by an improper reason, such as to pressure businesses to advertise.  However, several courts have rejected this theory.

  • Reit v. Yelp!, Inc., 29 Misc 3d 713 (N.Y. Sup. Ct.  2010) (Yelp’s selection of the posts it maintains on its site can be considered the selection of material for publication, an action “quintessentially related to a publisher’s role,” and therefore protected by CDA immunity)
  • Levitt v. Yelp! Inc., 2011 WL 5079526 (N.D. Cal. Oct. 26, 2011) (our prior post on the Levitt opinion) (CDA Section 230 contains no explicit exception for impermissible editorial motive, particularly since traditional editorial functions often include subjective judgments that would be “problematic” to uncover, thereby creating a chilling effect on online speech that Congress sought to avoid).  Note, on appeal, the Ninth Circuit affirmed the district court’s dismissal of the plaintiffs’ claims – though not on the basis of CDA Section 230 – alleging Yelp extorted advertising payments from them by purpotedly manipulating user reviews.
  • Kimzey v. Yelp Inc., 2014 WL 1805551 (W.D. Wash. May 7, 2014) (mere fact that an interactive computer service “classifies” user characteristics and displays a “star rating system” that aggregates consumer reviews does not transform it into a developer of the underlying user-generated information)

However, in recent disputes, businesses have sought an end run around CDA Section 230, specifically by bringing claims that do not treat the websites as publishers or speakers of the defamatory or fictitious user reviews, but instead relate to the website’s marketing representations about such content.  At least two courts have allowed such claims to go forward, bypassing CDA immunity.

In one such case, Moving and Storage, Inc. v. Panayotov, 2014 WL 949830 (D. Mass. Mar. 12, 2014), the plaintiffs alleged that a moving company review website (that itself was operated by a moving company) intentionally deleted positive reviews of the plaintiffs’ companies and deleted negative reviews that criticized its own company to gain market share, all the while representing that the site offered “the most accurate and up to date rating information.”  The court concluded that CDA Section 230 did not bar plaintiffs’ false advertising and unfair competition claims because they were not based on information provided by “another information content provider,” and did not arise from the content of the reviews.

Most recently, a California appellate court reversed a lower court’s dismissal of an action against Yelp over alleged false advertising regarding its automated review filter.  In Demetriades v. Yelp, Inc., 2014 WL 3661491 (Cal. App. July 24, 2014), the plaintiff brought state law claims for unfair competition and false advertising alleging that Yelp engaged in false advertising based upon marketing statements stating that user reviews passed through a filter that gave consumers “the most trusted reviews” and only “suppresse[d] a small portion of reviews.”

The plaintiff alleged that Yelp’s statements about its filtering practices were misleading because its filter suppressed a substantial portion of reviews that were trustworthy and favored posts of the “most entertaining” reviews, regardless of the source.  The lower court had previously granted Yelp’s motion to strike the plaintiff’s complaint under California’s anti-SLAPP provisions, which aim to curb “lawsuits brought primarily to chill the valid exercise of the constitutional rights of freedom of speech and petition for the redress of grievances.”  Cal. Code Civ. Pro. §425.16 (a).  The appellate court reversed, holding that false advertising-like claims involving commercial speech fell outside the reach of the anti-SLAPP statute and that Yelp’s representations about its filtering software—as opposed to the content of the reviews themselves—were “commercial speech about the quality of its product.”

Regarding the application of CDA Section 230, the court rejected Yelp’s argument that plaintiff’s claims should be dismissed because courts have widely held that claims based on a website’s editorial decisions (publication, or failure to publish, certain third-party conduct) are barred by Section 230.  In a brief paragraph, the appellate court stated that the CDA was inapplicable because the plaintiff was not seeking to hold Yelp liable for the statements of third-party reviewers, but rather for its own statements regarding the accuracy of its automated review filter.

Companies, frustrated with their portrayal on online review sites, have mostly struck out when seeking to hold website operators liable for managing and displaying user-generated reviews.  However, this past year, some courts have offered companies another potential avenue at obtaining relief.  While the courts merely allowed the claims related to marketing representations to survive dismissal at the early stages of litigation, it is uncertain how either court will rule on the merits.

With this in mind, sites that collect and manage user-generated content, or otherwise use automated filtering software to manage content, should examine marketing statements on their websites for any language that goes beyond mere puffery and might be construed as misleading.

Browsewrap Agreement Held Unenforceable Against Consumer Due to Insufficient Notice

Posted in Contracts, Online Commerce

Many commercial websites rely on “browsewrap” agreements to bind visitors to commercial terms. A recent decision by the Ninth Circuit suggests that a review of how those terms are presented may be in order to ensure enforceability.

A browsewrap agreement is a set of terms which is accessible via a hyperlink located on the pages of a website.  The user does not have to view those terms and does not have to click on a button to agree to the terms expressly, and instead presumably gives his or her assent simply by using the website.

Courts have generally evaluated the validity of browsewrap agreements based on whether the user had actual or constructive knowledge of a website’s terms and conditions and whether the user manifested assent to those terms.

In a significant decision, the Ninth Circuit found that the presentation of a browsewrap agreement on a popular consumer e-commerce site provided insufficient notice of that site’s terms of use, and therefore were not enforceable against a user of the site.  See Nguyen v. Barnes & Noble Inc., 2014 WL 4056549 (9th Cir. Aug. 18, 2014).

In the Nguyen case, the plaintiff attempted to purchase a discontinued tablet computer that was offered at a steep discount on the Barnes & Noble (“B&N”) website, but, after completing the transaction, B&N cancelled the order due to unexpectedly high demand.  The plaintiff, on behalf of a putative class, brought deceptive practices and false advertising claims under state law, alleging that he suffered damages because he could not obtain the tablet at the discounted price and was forced to purchase a similar product at a higher price.

B&N moved to compel arbitration, arguing that plaintiff was bound by the arbitration agreement in the website’s terms of use, which were available via a conspicuous hyperlink on every page of the B&N website and stated, in part, that: “By visiting any area on the Barnes & Noble.com Site, creating an account, making a purchase via the Barnes & Noble.com Site . . . a User is deemed to have accepted the Terms of Use.”  The retailer contended that the placement of the “Terms of Use” hyperlink on its website put the plaintiff on constructive notice of the arbitration agreement and that such notice, combined with the plaintiff’s subsequent use of the website, was enough to bind him to the browsewrap agreement.  [It should be noted that no link to the terms of use, nor reference to them, was presented to the consumer as part of the online transaction].

The lower court disagreed, finding that B&N failed to provide reasonable notice of its terms of use and that the plaintiff did not affirmatively assent to the arbitration clause contained within the terms. Nguyen v. Barnes & Noble, Inc., 2012 WL 3711081 (C.D. Cal. Aug. 28, 2012). The Ninth Circuit affirmed.

The appeals court stated that, particularly in the case of individual consumers, whether a user has inquiry notice of a browsewrap agreement depends on the design and content of the website and the agreement’s webpage, noting that where the link to a website’s terms of use is buried at the bottom of the page or tucked away in obscure corners of the website, courts have refused to enforce such an agreement.  “On the other hand”, the court noted, “where the website contains an explicit textual notice that continued use will act as a manifestation of the user’s intent to be bound, courts have been more amenable to enforcing browsewrap agreements.”

It seems that B&N made it halfway to the finish line of enforceability, but no more.  The court noted:

[I]n keeping with courts’ traditional reluctance to enforce browsewrap agreements against individual consumers, we therefore hold that where a website makes its terms of use available via a conspicuous hyperlink on every page of the website but otherwise provides no notice to users nor prompts them to take any affirmative action to demonstrate assent, even close proximity of the hyperlink to relevant buttons users must click on—without more – is insufficient to give rise to constructive notice.

While the link to its terms were placed on the bottom-left corner of every page in somewhat close proximity to the buttons a user must click on to complete an online purchase, and were positioned on the same screen so a user would not have to scroll down to click the link, it still wasn’t enough for the Ninth Circuit to find an enforceable agreement.

Many website publishers rely on the enforceability of browsewrap agreements. The Nguyen decision suggests that a review be taken to ensure that the presentation of those agreements comport with the Ninth Circuit’s view on web design.

Proposed “Bitlicense” Regulations Published to the New York Register

Posted in Digital Currency, Regulatory, Technology

Today’s New York State Register includes a Notice of Proposed Rule Making from the New York State Department of Financial Services (the “NYSDFS”) regarding the regulation of virtual currency (“Regulation of the Conduct of Virtual Currency Businesses,” No. DFS-29-14-00015-P).  The proposed rule calls for the creation of the “bitlicense” which the NYSDFS has hinted at in the past.   New York is the first state to actually propose such a licensing requirement for virtual currency businesses.

The Notice, which refers to the full text of the proposed rule made available by NYSDFS a few days earlier, marks the beginning of a 45-day window for public comment on the proposed rule.

The proposed rule appears to be drafted to carefully exclude merchants and bitcoin miners from the scope of the licensing requirement, but includes exchanges, digital wallet services, merchant service providers and others in the virtual currency ecosystem.  It imposes many of the same types of requirements that we already have in the area of money transmission and clearing house services, including capital requirements, anti-money laundering safeguards, and “know your customer” type issues. It also includes requirements with respect to business continuity and cyber security issues.

All entities involved in or planning on being involved in virtual currency-related businesses should study this proposed rule carefully. There is still an opportunity to voice concerns and have the final rule reflect any issues that the NYSDFS views as important.  It is likely that whatever is enacted in New York will be used as a model in other states that wish to enact a similar virtual currency licensing structure.

Sixth Circuit Reinforces CDA Immunity – Reverses Lower Court in Jones v. Dirty World

Posted in Defamation, Online Content

On June 16th, 2014, the Sixth Circuit reversed the lower court’s holding that the gossip site, TheDirty.com, was responsible for its users’ defamatory posts and could not rely on immunity under CDA Section 230.   The appeals court ruled that even though the gossip site selected and edited user-generated posts for posting and added non-defamatory, albeit sophomoric, comments following each post, the site was protected by CDA immunity because it was neither the creator nor the developer of the challenged defamatory posts and did not materially contribute to the defamatory nature of the user postings.  See Jones v. Dirty World Entm’t Recordings,LLC, 2014 WL 2694184 (6th Cir. June 16, 2014).

For a detailed recap of the background of the case and the lower court ruling, see our earlier post.

The appeals court adopted the 9th Circuit’s Roommates.com “material contribution test” to determine whether a website operator is a “developer” of content under the CDA (i.e., “development” refers to not merely to augmenting the content generally, but to materially contributing to its alleged unlawfulness).  Flatly rejecting the lower court’s reasoning that websites lose CDA immunity based upon editing content for display and otherwise “encouraging” unlawful content (in this case, based upon the defendant’s suggestive domain name and selection of content), the Sixth Circuit stated:

[O]ther courts have declined to hold that websites were not entitled to the immunity furnished by the CDA because they selected and edited content for display, thereby encouraging the posting of similar content. […] More importantly, an encouragement test would inflate the meaning of “development” to the point of eclipsing the immunity from publisher-liability that Congress established.

The Sixth Circuit also rejected the lower court’s theory that the website operator “adopted” or “ratified” the defamatory content by adding his own pithy commentary after user posts and therefore lost CDA immunity, ruling that a website operator cannot be responsible for what makes another party’s statement actionable by “commenting on that statement post hoc.”

While we have long considered the lower court ruling an outlier, the Sixth Circuit confirmed this.  The opinion did not break new ground, but it did reaffirm the basic concepts of broad CDA immunity that protect online service providers for claims related to user-generated content.  The appeals court expounded on the broad immunity the CDA offers for website operators – even those who peddle in salacious content – that exercise traditional publisher functions and also stressed the “limited circumstances under which exercises of those functions are not protected.”

Mobile Alphabet Soup…What Exactly Is an ATDS under the TCPA?

Posted in Electronic Direct Marketing, Mobile, Privacy
An Important Issue for Text-Message Marketers

There has been an uptick in litigation under the federal Telephone Consumer Protection Act (TCPA), 47 U.S.C. § 227 – likely due to the increased use of mobile marketing (not to mention the availability of statutory damages between $500 and $1,500 per violation).  And with the growth of easy technologies to reach smartphone users, compliance remains a careful proposition…FCC Commissioner Michael O’Rielly, in a blog post, suggested that as the FCC and the courts have interpreted the TCPA in the face of new technologies, “the rules have become complex and unclear.”  Not surprisingly, companies have filed petitions with the FCC seeking clarification on how the latest marketing techniques and customer contact methods are covered under the TCPA.  However, except for a few situations, the FCC has yet to process the backlog of petitions for rulemaking or declaratory rulings.

Even as companies strive to offer users new services and social applications that facilitate communication and streamline e-commerce transactions, they are rightfully concerned they might misinterpret some provision of the TCPA and face a class action suit.

In the last decade, the legal debate surrounding the TCPA was over whether a text message was a “call” under the statute (it is) and whether the statute was implicated, absent certain exceptions, even if the user is not charged for receipt of a text message (it is).  In recent years, different legal issues are at the forefront: the contours of express consent and revocation of consent, the definition of non-telemarketing calls, a safe harbor for non-marketing calls and messages to discontinued mobile numbers, the status of one-time confirmatory text messages, class action certification, jurisdictional questions, as well as what constitutes an automatic telephone dialing system (an “ATDS”) under the statute.  Indeed, the latter issue – whether or not the call was made using an ATDS – is often the focus in the early stages of litigation since it is a prima facie element of a TCPA claim and companies try to knock out suits based upon the argument that the equipment used to transmit the messages in question does not implicate the TCPA.

Generally speaking, the three elements of a TCPA claim are: (1) the defendant called a cellular telephone number; (2) using an automatic telephone dialing system — the ATDS; (3) without the recipient’s prior express consent.  The term ATDS means equipment that has “the capacity (a) to store or produce telephone numbers to be called, using a random or sequential number generator; and (b) to dial such numbers.” 47 U.S.C. § 227(a)(1).  Importantly, a system need not actually store, produce, or call randomly or sequentially generated numbers, it need only have the capacity to do it.  The current debate is over what it means for an autodialing device to have the “capacity” to generate random numbers — whether that capacity may be theoretical or whether the device must possess the present capacity at the time the messages were transmitted.

A recent Illinois district court decision arguably took an expansive view of the definition of an ATDS in a dispute involving an allegedly unsolicited promotional text message sent by the social network, Path, Inc. In Sterk v. Path, Inc., No. 13-cv-02330 (N.D. Ill. May 30, 2014), the court ruled that the equipment Path used to send the text message was an ATDS, even though such equipment did not actually make the call using a random or sequential number generator.

The Ninth Circuit and a number of other courts have held that the operative determination is whether the equipment used to place a call could possibly be used to store or produce phone numbers using a random or sequential number generator, not whether the equipment was actually used in such a way to place the call or send the text messages at issue.  However, marketers have pointed out that this definition must have some outer limit because every smartphone could conceivably be engineered to store or produce numbers using a random or sequential number generator by simply downloading an app. The TCPA, the marketers note, surely does not mean to define every telephone or device as an ATDS subjecting the sender to liability for every unsolicited call or text message to a mobile phone.  Underneath this backdrop, courts have wrestled with whether the definition of an ATDS should rely on present capacity or potential capacity.

In a narrow ruling, the District Court for the Northeren District of Alabama court ruled that a telephone system is only covered by the TCPA if, at the time the calls at issue were made, the system had the capacity, without “substantial modification or alteration,” to store or produce numbers using a random or sequential number generator, even if the sender did not use that automatic dialing capacity.  See Hunt v. 21st Mortgage Corp., 2013 WL 5230061 (N.D. Ala. Sept. 17, 2013), further proceedings at Hunt v. 21st Mortgage Corp., 2014 WL 426275 (N.D. Ala. Feb. 4, 2014).  To meet the TCPA definition of an “automatic telephone dialing system,” the Hunt court stated that a system must have a present capacity, at the time the calls were being made, to store or produce and call numbers from a number generator, otherwise the sender cannot be liable under the TCPA.  This limitation of “present capacity” was echoed by a California state court in Stockwell v. Credit Management, L.P., No. 30-2012-00596110 (Cal. Super., Orange Cty. Oct. 3, 2013).  The Stockwell court focused on the present capacity of the defendant’s equipment, granting summary judgment in favor of the defendant because its calling device did not have a number generator.

The court in Sterk v. Path, Inc. arguably took a more expansive view of what constitutes an ATDS.  The Illinois court relied on FCC decisions that stated that an ATDS may include predictive dialing equipment that automatically dial numbers from a stored list without human intervention, even when the equipment lacks the capacity to dial telephone numbers using a random or sequential number generator.  In following the FCC’s guidance, the court stressed the main requirement for an ATDS is not the capacity to generate random or sequential numbers, but rather to “dial numbers without human intervention.”  See e.g., In re Rules & Regulations Implementing the TCPA, 18 FCC Rcd. 14014 (FCC 2003).  The court found that the equipment used by Path, which sent messages from a stored list without human intervention, was comparable to the predictive dialers that have been found by the FCC to constitute an ATDS – “The uploading of call lists from Path users is essentially the same as when a call list is entered by a telemarketer in a database. It is the ultimate calling from the list by the automated equipment that is the violation of the TCPA.” Path argued “human interaction” was present when users affirmatively clicked through prompts to upload their phone contacts to Path’s list, but the court stated that such conduct merely pertained to the collection of numbers, not the act of calling.

The court also rejected Path’s argument that such an interpretation would lead to the “absurd” result that every cell phone that could make calls from a list is an ATDS.  The Path court reasoned that the TCPA only prohibits improper use of an ATDS and that if a person uses a mobile phone to send countless unsolicited text messages that produce the harm envisioned under the statute, “it would not be an absurd result to find that the cell phone user had violated the TCPA.”

Given the potential exposure of a TCPA action involving numerous messages, companies will continue to use the ATDS defense to try to obtain a dismissal during the early stages of a case following limited discovery.  While it is a technical, factually-dependent argument that may require expert declarations explaining the capabilities of the dialing equipment in question, it is often more preferable than trying to argue consent, particularly given the stricter telemarketing rules that went into effect in October 2013.  As discussed, several decisions have been defense-friendly in limiting the scope of the ATDS definition, yet without clear guidance from the FCC, each court may take its own route to an interpretation. As always, companies should stay abreast of developments and review their mobile marketing practices and procedures to ensure that they are in compliance.

 

FINRA Issues Investor Alert Concerning Bitcoin Trading and Speculation

Posted in Digital Currency, Online Commerce, Regulatory, Technology

Bitcoin remains fixed on the front pages of the business and technology news for both the salacious and the positive. Much attention has been paid to the collapse of the former top bitcoin exchange, Mt. Gox, stemming from the purported theft of nearly $500 million in bitcoins.  The temporary suspension of trading in the securities of one technology company producing a mobile bitcoin platform, the venture capital investment in bitcoin-related startups, and the rash of cyberhacking incidents against digital wallet services have all been prominently featured in the press.  In addition, the advent of alternative cryptocurrencies beyond bitcoin, the dubious discovery of mysterious bitcoin founder Satoshi Nakamoto, and the increased acceptance of bitcoin by major e-commerce sites have made the headlines as well.

Amid the news coverage, interest in bitcoin has grown, but so has the scrutiny.

On March 11, 2014, FINRA issued an Investor Alert to caution investors of the “significant risks” of buying and speculating in bitcoin and other digital currencies, as well as the risk of fraud and cybercrime related to online bitcoin exchanges and other bitcoin-related service providers.

Specifically, the alert outlines several risks surrounding the usage of and speculating in bitcoins, including:

  • Bitcoin and other digital currencies are not legal tender and if the trust built up among individual users and businesses should vanish, bitcoins would be valueless.
  • Online exchanges that allow users to buy and sell bitcoins and digital wallet services that allow users to store bitcoin are magnets for cyberthieves.  Unlike banks that offer federal protections for depositors, there are no safeguards for bitcoins stored with service providers.
  • Because bitcoin transactions are essentially anonymous, users must take extra care to avoid fraudsters posing as legitimate services.  Importantly, a completed bitcoin transaction cannot be reversed and refunds are contingent on the willingness of the parties.  The alert cautions that fraudulent schemes are not limited to the web – for instance, last year, the SEC brought suit against the operator of a bitcoin-related Ponzi scheme and even issued its own Investor Alert about Ponzi schemes involving virtual currencies.
  • Bitcoins have been used for illicit transactions and such activities could impact users and speculators if an online exchange or service is shut down by law enforcement.
  • Bitcoin speculation, like any investment, brings financial risk.  Price volatility has been bitcoin’s hallmark in recent years, and there is no uniform value of bitcoin across the various exchanges.  Moreover, outside events such as the collapse of an online exchange, a hacking incident of an e-wallet service or regulation imposed by a foreign government can dramatically affect the currency’s value.  As the alert states: “In short, bitcoin speculation is extremely risky.”

State regulators have also taken note of the risks to investors and users of bitcoin. Notably, the FINRA alert comes on the heels of the New York Department of Financial Services announcing that it is accepting formal proposals to operate digital currency exchanges in New York in conjunction with the agency establishing its oversight of the nascent industry, as well as the Texas Securities Commissioner entering an Emergency Cease and Desist Order against a Texas energy exploration company that sought bitcoins from potential investors.  The Texas State Securities Board also issued its own bitcoin Investor Alert.

Where is it all headed?  Given the variable nature of bitcoin, it’s hard to foresee the future.  Still, many questions remain: How will state or federal regulation affect the bitcoin ecosystem in the coming year?  Will volatility and data security lapses destroy confidence in bitcoin and chill speculation, or will bitcoin persevere and gain more legitimacy?  Will bitcoin emerge as a standard payment option, remain a niche product, or otherwise become less interesting, but more predictable under new regulations?

We will keep you posted as we learn more and work through these issues with our clients.

Bitcoins: Legal and Business Issues

Posted in Digital Currency, Technology

On Monday, the Senate Committee On Homeland Security and Governmental Affairs held the first of two days of hearings on Bitcoin and digital currencies — Beyond Silk Road: Potential Risks, Threats, and Promises of Virtual Currencies.  During the “surprisingly friendly” hearings, the price of bitcoin soared as regulators, officials, and academics offered cautious, but positive views on the prospect of bitcoin within the greater economy and the future challenges for law enforcement regarding digital currency.

I recently gave a presentation on bitcoins, entitled Bitcoin — Legal and Business Issues Surrounding the Digital Currency.  Among other things, I discussed:  bitcoins generally, the emerging bitcoin marketplace, the legal issues and data security concerns surrounding bitcoin, as well as practical business advice (including the risks and benefits) for merchants and e-retailers  that are considering accepting bitcoin.

Stay tuned for further developments!

No Expansion of CFAA Liability for Monetary Exploit of Software Bug

Posted in Computer Fraud and Abuse Act, Software, Videogames

In the game Monopoly, lucky players landing on Community Chest might turn over the highly desirable “Bank Error in Your Favor, Collect $200″ card.  By the next turn, the proceeds are usually invested in properties and houses, yet, some might wonder whether accepting such a windfall was proper in the first place…or could lead to criminal charges.

This concept was tested when police arrested two video poker players who were exploiting a software bug that allowed them to multiply jackpots with just a sequence of pushed buttons.  See United States v. Kane, No 11-mj-00001 (D. Nev. filed Jan. 19, 2011).  The defendants were charged with violations of the Computer Fraud and Abuse Act (“CFAA”), a federal statute that prohibits computer hacking and unauthorized access into computer networks.  The question was whether the defendants “exceeded authorized access” when they took advantage of an exploit in a video poker machine to win hundreds of thousands of dollars.

The CFAA was enacted in 1984 and provides, in pertinent part, that anyone who “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains. . . information from any protected computer” commits a crime. 18 U.S.C. § 1030(a)(2)(C). It defines “exceeds authorized access” as “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” Id. § 1030(e)(6).

The Kane prosecution is a recent example of a “technology statute” being aggressively applied to issues or disputes that were not even conceived of when the statute was enacted. The CFAA was directed at classic computer “hacking” activities where it was easier to determine when an outsider lacked “authorized access” to a network.  But the language of the Act is susceptible to broader application, and it has been brought to bear in many contexts beyond the hacking scenario, including employee misappropriation of company data, unwanted copying or misuse of website data, and now, the “gaming” of video poker machines.

In Kane, the Government alleged that the defendants discovered an exploit in certain video poker machines that allowed the players, over the course of two years at different casinos, to falsely maximize the payouts for a winning hand.  Apparently, the defendant Kane uncovered the glitch in the machine after hours and hours of playing.  In short, once the “double up” feature of the poker machine was activated (i.e., an option that allowed players to make double-or-nothing bets), the defendants then legitimately played until they obtained a winning hand.  Then, after using a complex combination of game changes, bill insertions and cash outs — a sequence of pushed buttons — they would use the “double up” feature to change the stakes in the middle of the game to the highest denomination, and trigger a second jackpot. Because of a series of programming errors, the machine re-evaluated the original game at the new, higher denomination, paying a jackpot which paid out at a higher denomination than the defendants had initially wagered. [click here for Wired's excellent account of the entire caper].  The Government did not allege that the defendants physically tampered with the video poker machines.

After winning several large jackpots at a Las Vegas casino in one afternoon, the management became suspicious and summoned Nevada Gaming Control Board engineers who discovered the software anomaly in the machine.  The defendants were later arrested and charged with conspiracy to commit wire fraud and violations of the CFAA based upon allegations that they exceeded authorized access to a protected computer in furtherance of fraud.

The defendants had moved to dismiss the CFAA claims and last year the magistrate issued a report recommending that the district court dismiss those charges.  See United States v. Kane, No. 11-cr-00022 (D. Nev. Report and Recommendation Oct. 15, 2012).  The defendants asserted that the CFAA claim should be dismissed because: (1) a video poker machine is not a “protected computer” under the statute (i.e., a computer “which is used in or affecting interstate or foreign commerce or communication”); and (2) the defendants did not “exceed [their] authorized access” to the video poker machines.

In recommending dismissal, the magistrate first found that a video poker machine was not a “protected computer” under the statute because, unlike a computer network or online database connected to the internet, a video poker machine was a standalone computerized machine unconnected to interstate commerce. The magistrate also found that the defendants did not exceed authorized access to the video poker machine.  The court rejected the Government’s argument that while the defendants were authorized to play video poker, the defendants were not authorized to configure play in a manner that produced false payouts not intended by the casino.  Unlike the employer-employee situation, where the use of computer use policies, password protection, encryption and system monitoring defines the level of “access,” gamblers do not agree to any terms of use and the bounds of play are enforced by the video poker software itself.

The magistrate cited United States v. Nosal, 676 F.3d 854 (9th Cir. 2012), where an en banc Ninth Circuit upheld the lower court’s dismissal of CFAA charges stemming from an ex-employee’s misappropriation of proprietary documents in violation of his employer’s computer use policy. [For additional information about the case, see our prior post].

In recommending dismissal of the CFAA charges, the magistrate stated that the phrase “exceeds authorized access” in the CFAA does not extend to violations of use restrictions:

Here, the Government has asserted that, although the Defendants were authorized to play the video poker machines and access information for that purpose, the way that they used the information exceeded their authorization. This argument is directly analogous to the government’s argument in Nosal and it fares no better here. As Nosal makes clear, the CFAA does not regulate the way individuals use the information which they are otherwise authorized to access. Here, the Defendants’ alleged actions did not exceed their authorized access.

Following the magistrate’s report, the district court ordered supplemental briefing from the parties regarding whether the defendants exceeded authorized access under the CFAA in light of the Nosal ruling and whether the defendants’ conduct could be comparable to hacking or misuse under the statute.  This past spring, the Government voluntarily dismissed the CFAA charges, leaving the defendants to face the wire fraud claims.  After several continuances, the trial is currently set for December 3, 2013 on the remaining counts.

As evidenced in Kane, the Ninth Circuit’s Nosal ruling continues to have important implications for the availability of a federal cause of action for misappropriation of data, as well as cases involving unauthorized access to websites and other computerized services.

Staving Off Scrapers of User-Generated Content with Electronic Copyright Transfers… A Legal (But, Perhaps Not a Practical) Solution

Posted in Copyright, Internet, Licensing, Online Content

It’s a problem that has vexed website owners since the days of the dot-com boom – how to make certain user-generated content available to users or subscribers, but also prevent competitors and other unauthorized parties from scraping, linking to or otherwise accessing that content for their own commercial purposes.

The law on scraping and linking remains undeveloped, and has not provided clear remedies for this kind of access.  Given the state of the law, sites often employ the “kitchen sink” strategy against scraping competitors: throwing multiple claims at the unauthorized party in the hope that at least one viable legal theory survives.  We last wrote about this approach in a May 2009 post when Facebook brought a multi-count suit against Power Ventures, an online service that allowed social networking users to access all of their accounts through one interface.

One tool that website owners would like to have to combat unauthorized use of user-generated content is copyright — that is, the ability to allege that the unauthorized use of user-generated content constitutes an infringement of the website publisher’s copyright.  Unfortunately, there is a problem….

Website providers that collect user-generated content typically include licensing provisions in their terms of use whereby users grant the site a non-exclusive license to content while (implicitly or explicitly) providing that the ownership of any copyright in such content remains with the user.  The use of a clickwrap agreement to convey a non-exclusive license to such content is a standard practice. Under Copyright Act Section 501, however, a non-exclusive licensee may not bring an action for copyright infringement.

Accordingly, a website provider that wants legal standing to bring a copyright claim against unwanted entities scraping content needs an online agreement that grants additional rights – namely, an exclusive license or an actual transfer of ownership in the underlying copyright.  Putting aside – for a moment – the issue of how users will react if a website owner tries to do this, the question is, from a legal perspective, can one obtain an exclusive license or assignment of copyright through online terms of use assented to by users?

This issue was recently addressed by the Fourth Circuit in a dispute between a real estate multiple listing service and an online real estate information aggregator over the copying of photographs and listing information. The listing service provider asserted claims with respect to user-submitted photographs as a copyright owner, based upon an agreement presented to its users when they uploaded photographs to the provider’s database. We previously discussed this dispute in a prior post when the lower court granted a preliminary injunction against the defendant-aggregator. Metropolitan Regional Information Sys., Inc. v. American Home Realty Network, Inc., 888 F. Supp. 2d 691 (D. Md. 2012).  The defendant filed an interlocutory appeal challenging the order and the Fourth Circuit affirmed the lower court’s ruling.  Metropolitan Regional Info. Sys., Inc. v. American Home Realty Network, Inc., 2013 WL 3722365 (4th Cir. July 17, 2013).

In the case, the parties were competitors in the real estate listing business. The plaintiff (“MRIS”) operated an online fee-based “multiple listing service” for real estate brokers and agents. Brokers and agents who entered into a subscriber agreement with MRIS could upload their listing information, including photographs of properties, to the MRIS site, and then display those and other listings on their own websites.  By uploading information, brokers and agents agreed to terms containing the following provision:

All images submitted to the MRIS Service become the exclusive property of [MRIS]. By submitting an image, you hereby irrevocably assign (and agree to assign) to MRIS, free and clear of any restrictions or encumbrances, all of your rights, title and interest in and to the image submitted. This assignment includes, without limitation, all worldwide copyrights in and to the image, and the right to sue for past and future infringements. [emphasis added]

The defendant (“AHRN”) was an aggregator that took listing data from public domain sources and online databases like MRIS and made it directly available to consumers on its “real estate referral” website.  AHRN had not acquired permission from MRIS to reproduce, display, or otherwise use the MRIS Database.  MRIS brought copyright infringement claims against AHRN for the alleged unauthorized use of MRIS listings, particularly the uploaded photographs of properties. The lower court entered a preliminary injunction order prohibiting AHRN’s display of MRIS’s photographs on AHRN website, and in a subsequent decision, clarified the scope of the injunction, stating that the injunction only covered AHRN’s use of MRIS’s photographs–not the database compilation itself or any textual elements that might be considered part of the compilation.

On appeal, the court addressed, among other things, the issue of whether a MRIS subscriber who assented to online terms of use prior to uploading copyrighted photographs signed a written copyright assignment in those photographs consistent with Section 204(a) of the Copyright Act, 17 U.S.C. § 204(a). Specifically, the defendant AHRN argued that a subscriber’s electronic assent to the MRIS terms did not operate as an assignment of rights under § 204. The plaintiff MRIS responded that an electronic transfer satisfies § 204’s writing and signature requirements, particularly in light of the later-enacted E-Sign Act, 15 U.S.C. § 7001.

Under §204(a), a transfer of one or more of the exclusive rights of copyright ownership by assignment or exclusive license “is not valid unless an instrument of conveyance, or a note or memorandum of the transfer, is in writing and signed by the owner of the rights conveyed or such owner’s duly authorized agent.” Generally speaking, a qualifying writing under Section 204(a) need not contain an elaborate explanation or any particular “magic words.”

The E-Sign Act, which sought to bring uniformity to state electronic signatures law, mandates that no signature be denied legal effect simply because it is in electronic form and that, barring certain exceptions, a contract may not be denied legal effect solely because an electronic signature or electronic record was used in its formation. 15 U.S.C. §§ 7001(a)(1), (a)(2).

The court first found that because Section 204(a) of the Copyright Act requires transfers be “written” and “signed,” the E-Sign Act’s dictates on electronic signatures would apply to the copyright transfer provisions.  The court ultimately held that an electronic agreement may effect a valid transfer of copyright interests under Section 204 of the Copyright Act, affirming the lower court’s ruling that MRIS was likely to succeed against AHRN in establishing its ownership of copyright interests in the copied photographs.

This ruling is important for online businesses that want an alternative litigation strategy to protect their user-generated content from scraping by competitors for commercial purposes.  However, this strategy may not be feasible in every instance; the user “politics” on each site are different.  For example, while the users of the business-to-business MRIS online database were professional real estate agents who may have accepted the concept of assigning the copyright in listing photographs, other consumer-oriented social media sites or photo sharing services have experienced user backlash over similar changes to website terms of use. Indeed, last year, the online classified ad provider Craigslist encountered a flurry of controversy when it changed its terms of service for a limited time to gain exclusive rights to user content, in preparation to litigate claims against certain aggregators that were scraping content from its site and republishing it on websites and mobile apps (See generally Craigslist, Inc. v. 3Taps, Inc., 2013 WL 1819999 (N.D. Cal. Apr. 30, 2013).

 

 

Trade Dress Can Be Viable Means of Protecting Websites from Competitor’s Look-Alike Sites

Posted in Online Content, Technology

Somewhere between a well-recognized website design like Google’s home page and a fledgling e-commerce venture built with free web building software lives most other websites.  Depending on the investment in the development and the operator’s design ethic, some websites may display unique, distinctive portals that are key to attracting and retaining customers.  For those with a unique look, it might be possible that the “trade dress” of their sites – the unique look and feel – could be protectable, and therefore useful in fending off competitors who copy their online presence.

This past August, a Louisiana district court joined courts in the Western District of Pennsylvania, the Western District of Washington, the Western District of Texas, and the Northern District of California in recognizing the viability of a trade dress infringement claim based on a website’s look and feel. Express Lien (“Zlien”) alleged that a competitor, National Association of Credit Management (“NACM”), a Maryland non-profit corporation, had mimicked the “look and feel” of its website and caused consumer confusion.  Express Lien Inc. v. National Ass’n of Credit Management Inc., 2013 WL 4517944 (E.D. La. August 23, 2013).

Generally speaking, the “trade dress” of a product concerns the total image of a product and may include features such as size, shape, color or color combinations, texture or graphics and it may be eligible for protection if it is nonfunctional and distinctive (or has acquired secondary meaning in the marketplace as being identified with its producer or source). To maintain an action for trade dress infringement, a plaintiff must allege that a competitor’s product design or packaging is likely to confuse consumers as to the product source. Most trade dress infringement actions involve the packaging or labeling of goods; however, in the last decade, courts have begun to entertain trade dress claims based upon website design or “look and feel.”    

In this case, Zlien is an online business that provides information to the construction industry, such as legal forms and information on state lien statutes. Zlien alleged substantial investment in its website, including in the color, code elements and orientation. According to Zlien, the website design was widely recognized by consumers and helped drive sales. In its complaint, Zlien claimed that NACM copied Zlien’s stylistic choices of color, font, hyperlinks, and content, so much so that that the similarities were “likely to cause confusion” and caused Zlien to suffer damages to its profits, sales and business. Zlein also alleged copyright infringement, based on NACM’s use of content from the Zlien site’s pages.

 In response, NACM filed a motion to dismiss Zlien’s complaint. 

The court rejected NACM’s argument that Zlien failed to plead the necessary elements for trade dress infringement because it did not own a registered trademark in its website. The court held that trade dress protection is not dependent on registration. NACM’s argument that a comparison of the websites revealed no trade dress infringement also failed. The court found that alleging that there were some differences between the websites on corresponding pages was not significant enough to warrant dismissal at this early stage of the litigation.

The court also rejected NACM’s motion to dismiss Zlein’s copyright claims. NACM argued that the underlying information on Zlien’s website, state statutes, is not copyrightable, to which Zlien responded that the content of the website qualifies as a compilation. The court reasoned that NACM did not prove that the material at issue was not a compilation as a matter of law.

While this case is far from over, the Express Lien decision follows recent decisions that have allowed properly pleaded website related trade dress claims to survive dismissal.  See e.g., Sleep Science Partners v. Lieberman, 2010 WL 1881770 (N.D. Cal. May 10, 2010).

Meanwhile, if a company wants to preserve trade dress protection for a website it maintains or is building, the website trade dress needs to be distinctive and synonymous with the company or its products and services. Further, it is important that the trade dress elements are not functional or standard or essential to the operation of any website.

Once again, this is an example where the lawyers, designers and technologists in an organization should be in communication to ensure maximum protection for the online assets of the organization.