New Media and Technology Law Blog - Page 2 of 10 | Technology Lawyers

Ninth Circuit Ruling Trimming CFAA Claims for Misappropriation Reminds Employers that Technical Network Security is the First Defense

By Jeff Neuburger on April 13th, 2012 Posted in Computer Fraud and Abuse Act, Data Security

The Ninth Circuit, sitting en banc, has upheld a district court’s dismissal of criminal charges under the Computer Fraud and Abuse Act that were predicated on misappropriation of proprietary documents in violation of the employer’s computer use policy. United States v. Nosal, No. 10-10038, 2012 U.S. App. LEXIS 7151 (9th Cir. Apr. 10, 2012). The ruling reinstates a split in the circuit courts on the question of when an employee’s access to an employer’s proprietary documents can trigger a cause of action under the CFAA. The Ninth Circuit ruled that when an employer has given employees access to such documents, they do not exceed their authorization to access those documents (and thus violate the CFAA) when they misappropriate those documents for the benefit of a competitor.

This is a case that may have important implications for the availability of a federal cause of action for data theft cases and also unauthorized access to Web sites and other online services; it could easily end up in the Supreme Court. But it can also serve as a useful lesson to employers that while a carefully drafted computer use policy is essential to the protection of digital assets, it is only one element of a digital asset protection strategy that should be focused, in the first instance, on physical, technological, and business-rule controls over data access.

The Computer Fraud and Abuse Act was enacted in 1984, and at the age of only 28, it’s showing its age. This is the latest example of a “technology statute” being applied to issues that were not even conceived of when the statute was enacted. The Act was drafted in a time when personal computer use was just beginning even in the business environment, and the primary model for computing was a mainframe or a minicomputer with tightly controlled, password protected access. The Act was directed at classical “hacking” activities, in which and individual’s access permission, and therefore what was “unauthorized” or exceeded authorized access, was much more readily determined. Both the criminal and civil provisions were routinely applied in hacking cases that arose in that environment. But the language of the Act is susceptible to broader application, and it has been brought to bear in many contexts beyond the hacking scenario.

One example is trade secret disputes involving misappropriation of proprietary information by insiders such as employees, where plaintiffs have leveraged state law trade secret and misappropriation claims into federal court by pleading violation of the Act. Some courts have resisted the application of the CFAA in such cases, finding that the Act does not extend to misuse or misappropriation of information, only to its unauthorized procurement or alteration. Other courts approved the broad application of the Act; most significantly, the Seventh Circuit in International Airport Centers v. Citrin (7th Cir.2006), which held that a breach of an employee’s duty of loyalty to the employer could give rise to a CFAA cause of action.

Outside the employer-employee context, courts have struggled with how to apply the Act in today’s intensely internetworked computing environment in which access rights to a computer network, i.e., a Web site or online database, may be defined in a clickwrap terms of use, or even in a Web wrap agreement. Complicating the picture is the fact that liberal application of the Act in a civil case can be applied in a CFAA prosecution and result in the criminalization of a broad swath of conduct. Perhaps the most extreme example is the federal prosecution in the so-called MySpace suicide case, in which CFAA charges were brought in the Central District of California against a woman who posted messages on the social networking site under a false identity. In United States v. Drew, the jury acquitted the woman on the felony CFAA charges and the District Court ultimately dismissed the remaining misdemeanor CFAA charges because the statute as interpreted by the Government was overly broad and vague. The court pointed out that under the Government’s theory of the case, the woman’s violation of the MySpace terms of use rendered her access to the site “unauthorized” within the meaning of the CFAA, and merely accessing a page on the site violated the Act.

This last concern, potential over-application of the Act, informs the perspective brought to the Nosal case by Judge Kozinski, who wrote the majority opinion. The ruling is replete with quotable quotes; in these passages, Judge Kozinski focuses on the potential for overbroad and arbitrary application of the CFAA:

In the case of the CFAA, the broadest provision is subsection 1030(a)(2)(C), which makes it a crime to exceed authorized access of a computer connected to the Internet without any culpable intent. Were we to adopt the government’s proposed interpretation, millions of unsuspecting individuals would find that they are engaging in criminal conduct.

Minds have wandered since the beginning of time and the computer gives employees new ways to procrastinate, by chatting with friends, playing games, shopping or watching sports highlights. Such activities are routinely prohibited by many computer-use policies, although employees are seldom disciplined for occasional use of work computers for personal purposes. Nevertheless, under the broad interpretation of the CFAA, such minor dalliances would become federal crimes. While it’s unlikely that you’ll be prosecuted for watching Reason.TV on your work computer, you could be. Employers wanting to rid themselves of troublesome employees without following proper procedures could threaten to report them to the FBI unless they quit. Ubiquitous, seldom-prosecuted crimes invite arbitrary and discriminatory enforcement.

***

Employees who call family members from their work phones will become criminals if they send an email instead. Employees can sneak the sports section of the New York Times to read at work, but they’d better not visit ESPN.com. And Sudoku enthusiasts should stick to the printed puzzles, because visiting www.dailysudoku.com from their work computers might give them more than enough time to hone their Sudoku skills behind bars.

The two-judge dissent, written by Judge Silverman, countered Judge Kozinski’s concerns with the comment that the case “has nothing to do with playing Sudoku, checking email, fibbing on dating sites,” and suggested that overly broad applications of the Act could be met with as-applied challenges.

Whether or not the Nosal ruling survives possible further appellate review, the lesson that employers and Web site operators might take from this ruling, is that well-drafted computer use policies or terms of use are only one part of a well-crafted and implemented plan for the protection of proprietary data and digital assets. Technical controls on access and robust security procedures are the first line of defense. A situation necessitating legal action, whether it is brought under the CFAA or any other law, means that a good part of the battle against misappropriation may have already been lost.

Will the Pinterest “Nopin” Tag Put Online Image Owners on the Defensive on Implied Copyright Licenses? Should We Look to Robots.txt as Precedent?

By Jeff Neuburger on March 12th, 2012 Posted in Copyright

Pinterest is the hot hot hot social media site that lets users create online “pinboards” of interesting or inspiring images. Although users may upload their own images to their pinboards, Pinterest emphasizes the pinning of images from third-party Web sites through the use of inline links.

This of course generates yet a new series of online copyright issues. Although Pinterest can drive traffic to the third-party sites, and some content owners are happy about that, the love of Pinterest is not universal. Many believe that traffic coming from Pinterest as a result of their images being pinned on the site is minimal. One commentator has referred to Pinterest as “the new Napster” and suggested that 99% of the “pins” on the site are in violation of the site’s Terms of Service (requiring the user to have right to “pin” an image.)

Pinterest announced in February that it had implemented a technological measure to address copyright concerns, the “nopin” tag. The code, when implemented on a content-owner’s Web site, blocks attempts to pin that site’s images via inline linking. When a Pinterest user attempts to pin an image from the target site, the code generates a message informing the Pinterest user that the target site doesn’t allowing pinning. (Note that the “nopin” code does not inhibit the ability of a Pinterest user to download an image from a target site and then upload the image to Pinterest as the user’s own image.)

The availability of the “nopin” tag raises many legal issues. Does a site have an obligation to use the “nopin” tag to prevent pinning of its images? Does the failure to use the tag constitute the grant of an implied license to pin? What role do the restrictions on use found in the target site’s terms and conditions play in all of this? Could the failure to deploy a “nopin” tag impair a copyright holder’s ability to utilize the DMCA takedown procedure to remove infringing images from Pinterest?

Although many copyright holders would quickly say “no, of course I do not have an obligation to use the nopin tag,” it is interesting to look at a similar issue that has been litigated in the context of the “robots.txt” protocol. The robots.txt protocol allows site owners to indicate whether, and to what extent, they consent to having their sites crawled and cached by Web crawlers and spiders that are utilized not only by major search engines like Google and Yahoo! but also by price comparison sites or even the competitors of the crawled sites.

In Field v. Google, Inc., 412 F. Supp 2d. 1106 (D. Nev. 2006), a claim of copyright infringement stemming from search engine crawling and caching was rejected based upon the lack of a robots.txt file on the copyright owner’s site. The court concluded that the content owner’s knowing failure to deploy a robots.txt file that said “no” to crawling and caching had given search engines an implied license to crawl and cache. It should be noted that the court believed the plaintiff had deliberately invited the crawling and caching and was acting in less than good faith. However, a similar result was reached on more balanced facts in Parker v. Yahoo!, Inc., 2008 U.S. Dist. LEXIS 74512 (E.D. Pa. Sept. 26, 2008). In neither of these cases did the courts consider the crawled sites’ terms of use, if any.

Is the failure to use robots.txt a grant of an implied license to spider and cache? Could the failure to deploy the nopin tag similarly be considered the grant of an implied license? If so, when the non-deploying copyright holder sends a DMCA takedown notice, could Pinterest or the user argue that they were acting pursuant to an implied license (and thus the notice was improper)? To the extent that the terms of use prohibit commercial use or linking, would that be viewed as superseded by the site’s failure to deploy the “nopin” tag?

There is a very significant difference between Pinterest’s “nopin” code and the robots.txt protocol, at least at the present time. The robots.txt protocol is a long-established and widely accepted standard acknowledged by Web professionals. The courts in Field v. Google and Parker v. Yahoo! both relied on the widespread acceptance of the robots.txt protocol in their rulings. The Pinterest “nopin” code, however, is being promulgated unilaterally by a single Web site operator with an obvious interest in putting the burden on content owners to take action to protect their content. But given the widespread popularity of Pinterest, and the inevitable launch of numerous copycat sites with similar nopin-type codes, this type of code has the potential to develop into a de facto standard for controlling content sharing.

The interplay between codes like “nopin,” the robots.txt precedent, the doctrine of implied licensing, the DMCA and the role of Web site terms of use, is likely to receive increased legal attention and could be the basis of some interesting litigation in the near future.

U. S. Supreme Court Unanimously Rule that GPS Installation and Tracking of a Vehicle Constitutes a Search, But The Justices Disagree on Rationale – Are Lines Being Drawn on Privacy Rights and New Technology?

By Jeff Neuburger on January 23rd, 2012 Posted in Privacy

In a narrowly-drawn majority opinion, the United States Supreme Court ruled in United States v. Antoine Jones that the Government’s attachment of a GPS-tracking device to a vehicle, and the subsequent monitoring of the movements of that vehicle on public streets, constitutes a search. Because the Government conceded in the case that it did not comply with the warrant that it had obtained, and argued on appeal only that a warrant was not required to engage in the installation and tracking, Justice Scalia’s opinion lost little time in upholding the ruling of the United States Court of Appeals for the District of Columbia Circuit (captioned below, United States v. Maynard) that the evidence gained via the tracking of a drug suspect had to be suppressed.

The GPS-tracking issue reminds us once again, that technology leads, and the law struggles to follow. Despite the unanimous result, the Justices were not in agreement on why GPS installation and tracking constitute a search under the Fourth Amendment. The respective opinions will provide plenty of fodder for discussion over the Justices’ views of the Fourth Amendment in criminal cases. And likely, it will spark discussion of the Justices’ views of privacy in the civil context, particularly where new technologies are being utilized.

Justice Scalia’s majority opinion, joined by Justices Roberts, Kennedy and Thomas, focused on the language of the Fourth Amendment, that expresses the “right of the people to be secure in their persons, houses, paper, and effects, against unreasonable searches and seizures….” An automobile is an “effect,” the Court ruled, and the attachment of the device and subsequent tracking constituted a search, because “the Government physically occupied private property for the purpose of obtaining information.” Justice Scalia stressed the 18th Century roots of the Fourth Amendment in concepts of physical trespass, while at the same time appearing to question the “reasonable expectation of privacy” jurisprudence that developed in technical eavesdropping and wiretapping cases such as Katz v. United States (U.S. 1967).

Justice Scalia declined to take up the rationale that supported the ruling of the D.C. Circuit – that GPS tracking over a month-long period was constitutionally offensive, while tracking over a shorter period might not be. The D.C. Circuit opinion, relying on Katz v. United States and its “reasonable expectation of privacy” analysis, expressed what is being referred to by commentators as the “mosaic theory.” The reasoning is that tracking over a significant period of time, even though the GPS device is tracking an individual’s movements in public, rises to the level of a privacy violation because the sustained tracking can reveal information that is not apparent as a result of short-term tracking.

Justice Sotomayor concurred in the majority opinion, but wrote separately to, among other things, write supportively of the “reasonable expectation of privacy” jurisprudence that Justice Scalia seemed to reject, or at least be attempting to marginalize. On the contrary, Justice Sotomayor’s concurrence engaged the very arguments that Justice Scalia’s opinion was determined to avoid: The effect of technology on the public’s reasonable expectations of privacy, and the potential for Government abuse of information-gathering technology. Justice Sotomayor’s most telling comment-to-watch in future Internet-related privacy cases:

More fundamentally, it may be necessary to reconsider the premise that an individual has no reasonable expectation of privacy in information voluntarily disclosed to third parties. E.g., Smith, 442 U. S., at 742; United States v. Miller, 425 U. S. 435, 443 (1976). This approach is ill suited to the digital age, in which people reveal a great deal of information about themselves to third parties in the course of carrying out mundane tasks. People disclose the phone numbers that they dial or text to their cellular providers; the URLs that they visit and the e-mail addresses with which they correspond to their Internet service providers; and the books, groceries, and medications they purchase to online retailers. Perhaps, as JUSTICE ALITO notes, some people may find the “tradeoff” of privacy for convenience “worthwhile,” or come to accept this “diminution of privacy” as “inevitable,” *** and perhaps not. I for one doubt that people would accept without complaint the warrantless disclosure to the Government of a list of every Web site they had visited in the last week, or month, or year. But whatever the societal expectations, they can attain constitutionally protected status only if our Fourth Amendment jurisprudence ceases to treat secrecy as a prerequisite for privacy. I would not assume that all information voluntarily disclosed to some member of the public for a limited purpose is, for that reason alone, disentitled to Fourth Amendment protection.

Justice Alito, joined by Justices Ginsburg, Breyer and Kagan, declined to sign on to the majority opinion and concurred only in the judgment. In contrast to Justice Scalia’s 18th-Century-centric analysis, Justice Alito engaged the issues that are presented by the use of tracking technologies, not only in criminal cases but generally. His opinion was much more receptive to the “mosaic theory” expressed in the Court of Appeals ruling: that while limited tracking may not violate an individual’s privacy, sustained tracking may cross the line. This is a disagreement that was telegraphed to some extent in the oral argument in United States v. Jones.

Justice Scalia’s and Justice Alito’s respective views on how new technologies must be considered also echo their similar diametric divide in Brown v. Entertainment Merchant’s Association (U.S. 2011). In Brown, the Justices agreed that video games are entitled to First Amendment protection, with Justice Scalia writing for the majority, that a video game is no different than a book. Justice Alito agreed with the result in Brown but suggested in a concurring opinion that video games are not the same as books, and that in the future. consideration would have to be given to the impact that this new technology might have on constitutional values.

Justice Alito takes a similar approach in United States v. Jones to his view in Brown. Although a point-by-point analysis of his opinion is beyond the scope of this blog post, it should be required reading (along with all the opinions in Jones) for technology lawyers interested in the attitude of the nation’s highest court toward developments in technology. Justice Alito argues for the “reasonable expectations of privacy” test, although recognizing the challenge that test may present in a world in which smartphone GPS tracking, closed circuit video monitoring, toll-road electronic and other electronic tracking may have on such expectations.

We’ll close with this quotation from Justice Alito’s concurring opinion in Brown v. Entertainment Merchants Association, expressing sentiments that easily could find a place in his most recent opinion in Jones:

In considering the application of unchanging constitutional principles to new and rapidly evolving technology, this Court should proceed with caution. We should make every effort to understand the new technology. We should take into account the possibility that developing technology may have important societal implications that will become apparent only with time. We should not jump to the conclusion that new technology is fundamentally the same as some older thing with which we are familiar.

There’s No Sense Waiting to See What the U.S. Supreme Court Has to Say about GPS Tracking

By Jeff Neuburger on January 5th, 2012 Posted in Privacy

That appears to be the opinion of Magistrate Judge David Noce in United States v. Robinson, No. 4:11-cr-00361 (D. Mo. Dec. 27, 2011), who ruled that GPS tracking of a public official suspected of having a no-show municipal job did not require a warrant. This is, of course, the issue that is before the U.S. Supreme Court in United States v. Antoine Jones, No.10-1259 (U.S. cert. granted June 27, 2011), a fact that the magistrate judge recognized in his opinion.

Judge Noce noted precedent in the Eighth Circuit, as well as other circuits, for warrantless GPS tracking in similar situations. Relying on that precedent, he concluded that the tracking did not constitute either a search or a seizure, nor did it violate the defendant’s First Amendment associational rights.

The GPS tracking of the defendant’s automobile was conducted by the public corruption squad of the FBI, whose agents tracked the defendant using physical surveillance techniques for an unspecified period of time. This personnel-intensive technique was later replaced by a GPS tracking device that was magnetically attached to the defendant’s automobile while it was parked on a public street near his residence. The result was 24-hour tracking of the defendant’s automobile over a three-month period. The tracking revealed, according to the Government, that the defendant’s employment time sheets were false.

In concluding that the installation of the device did not constitute a search requiring a warrant, the magistrate in United States v. Robinson relied on United States v. Marquez, 605 F.3d 604 (8th Cir. 2010), which involved GPS tracking of a drug suspect for six months. The court in Marquez concluded that the GPS tracking did not constitute a search because the defendant did not have a reasonable expectation of privacy in the exterior of his vehicle; the installation of the GPS tracker was “non-invasive” and the vehicle was in a public place when the device was attached.

Neither was there a seizure of the defendant’s property as a result of the GPS device installation, the magistrate concluded, referencing the Seventh Circuit ruling in United States v. Garcia, 474 F.3d 994 (7th Cir.), cert. denied, 552 U.S. 883 (2007). That ruling also focused on the non-intrusive nature of the GPS device and the fact that it was battery-powered and did not utilize the car’s power system; did not affect its driving qualities or carrying capacity or even alter the vehicle’s appearance.

The magistrate separately considered the use of the GPS device to obtain tracking information, and concluded that it did not constitute a search requiring a warrant, again relying on Garcia and Marquez, as well as the Ninth Circuit ruling in United States v. Pineda-Moreno, 591 F.3d 1212 (9th Cir. 2010).

The magistrate also discussed the District of Columbia Circuit Court of Appeals ruling that is now before the Supreme Court in United States v. Antoine Jones (captioned below, United States v. Maynard, 615 F.3d 544 (D.C. Cir. 2010). The Maynard opinion includes the notable passage that distinguishes the privacy implications of GPS tracking of a single public journey with prolonged, 24/7 GPS tracking of numerous journeys that cumulatively may reveal “information about one’s lifestyle, personal affairs, and other intimate matters.”

Judge Noce was unmoved by the so-called “mosaic theory” expressed in the Maynard opinion; in fact, he commented that the rulings in the Jones/Maynard case and the Marquez ruling were not so very far apart, and “disagreed in degree, not principle: Marquez permits warrantless use of a GPS tracker device ‘for a reasonable period of time’ while Maynard prohibits ‘prolonged’ warrantless GPS surveillance.” Although it should be noted, the Marquez ruling OK’d warrantless tracking over a six-month period, while the D.C. Circuit in the Jones/Maynard case had problems with tracking over a one-month period.

The oral argument before the Supreme Court in United States v. Antoine Jones appeared to reveal a court that was not so sure as Judge Noce of the right result with respect to GPS tracking. In fact, some commentators who heard the oral argument have judged the ultimate ruling in Jones as too close to call, including criminal law expert Orin Kerr, and Greg Nojeim, Senior Counsel for the Center for Democracy and Technology. Nojeim has even predicted that the result in Jones might cut across the Court’s traditional liberal/conservative lines. That would recall the result in another recent case in which the Court struggled with the implications of new technology: Brown v. Entertainment Merchants Association (U.S. June 27, 2011), in which the Court struck down the California violent videogames law. Justice Scalia, writing for a majority that included Justices Kennedy, Ginsburg, Sotomayor and Kagan, held that violent videogames were entitled to the same constitutional protection as violent books. The gist of his opinion is that use of new technology doesn’t justify the creation of new legal principles. Justices Thomas and Breyer each dissented, with Justice Breyer in particular expressing concern over the potential negative effects of new media such as videogames.

But of course, the Justices expressed attitudes toward new content delivery technology won’t necessarily map to their views on the use of GPS technology for surveillance.

If you have a spare hour, you can judge for yourself how the Court may rule on GPS tracking; the audio recording of the oral argument is available on C-SPAN.

Note also, that Magistrate Judge Noce’s opinion is a Report and Recommendation that may be overruled by the District Court. The parties’ objections to the Report are due on January 13, 2012.

An Old Wine – New Bottles Analogy Leads to Dismissal of Indictment for Alleged Twitter Stalking

By Jeff Neuburger on December 22nd, 2011 Posted in First Amendment

The Twitter micro-blogging service is just like the bulletin boards that Colonial Americans might have had in their front yards to communicate with one another at the time the Bill of Rights was adopted, said a federal district court judge in United States v. Cassidy, No. TWT 11-091 (D. Md. Dec. 15, 2011). The court made the bulletin board analogy in the course of analyzing the application of the First Amendment in a criminal prosecution involving thousands of tweets and blog posts, a number of which are alleged to have caused emotional distress to their subject, the leader of a Buddhist religious sect.

(Of course, Colonial Americans probably didn’t have bulletin boards in their front yards, or if they did, it has escaped the notice of history. But they had town criers, newspapers, letters and tavern gossip, with which they managed to launch a Revolution. But I digress.)

The indictment charged violations of the federal interstate stalking statute, 18 U.S.C. §§ 2261A, which criminalizes the use of interstate communications to engage in a course of conduct with the intent to place a person in reasonable fear of death or serious bodily injury. As amended in 2006, the statute additionally criminalizes the use of interstate communications, including an interactive computer service, with the intent to harass or intimidate or cause “substantial emotional distress.” As the court in United States v. Cassidy noted, the 2006 amendments to the statute significantly broaded its scope.

Cassidy moved to dismiss the indictment, alleging that the statute was unconstitutionally overbroad and vague, and was unconstitutional as applied to him.

The court assumed for purposes of analysis that the tweets and blog posts that Cassidy was alleged to have published anonymously in fact inflicted substantial emotional distress on their target; the court described them as “anonymous, uncomfortable Internet speech addressing religious matters.” (The messages are catalogued in an appendix to the court’s opinion.) Nevertheless, the court concluded that Cassidy’s publications are not within one of the categories of speech that fall outside of First Amendment protection: “obscenity, fraud, defamation, true threats, incitement or speech integral to criminal conduct.” Citing both Reno v. American Civil Liberties Union (U.S. 1997) and the Supreme Court’s recent ruling in Brown v. Entertainment Merchants Association (U.S. 2011), the court commented: “Even though the Internet is the newest medium for anonymous, uncomfortable expression touching on political or religious matters, online speech is equally protected under the First Amendment….” Slip. Op. at 12.

The court rejected the Government’s argument that the Government has a compelling interest in protecting victims from emotional distress sustained through an interactive computer service, and further rejected the argument that the statute regulated conduct rather than speech. It is on this point that the court’s analogy between Colonial bulletin boards and blogs was brought to bear.

While prosecutions for making harassing telephone calls have been upheld, the court acknowledged, phone calls and e-mails are communications that are directed at a particular victim and received outside a public forum. In contrast, the court concluded, “Twitter and and Blogs are today’s equivalent of a bulletin board that one is free to disregard ….”

Having found that the statute was unconstitutional as applied to Cassidy, the court declined to reach his facial overbreadth and vagueness challenges to the statute.

It will be interesting to see if the court’s analysis holds up in other cases, either under the federal statute or under a similar state law. The Amicus Brief submitted by the National Center for Victims of Crime and Maryland Crime Victims’ Resource Center in support of the Government’s position pointed out that anti-stalking laws have been enacted in all 50 states, and some of those statutes encompass so-called “cyberstalking,” “cyberharassment” or “cyberbullying,” variously defined.

Who Owns an Employee’s Twitter and Other Online Accounts?

By Jeff Neuburger on December 8th, 2011 Posted in Contracts

In this era of multiple online communication channels, and in an environment of increased employee mobility, employers need to focus on the legal and practical ways of securing their ownership of online company accounts that are registered or otherwise created by employees or contractors. In the three cases discussed below, organizations learned that lesson the hard way.

Whose Tweet Is It Anyway?

PhoneDog LLC v. Kravitz, No. 113474 (N.D. Cal. Nov. 8, 2011), involves a Twitter account that was used by an employee to publish product reviews and other messages on behalf of his employer. The handle on the account, “@PhoneDog_Noah,” incorporated both the employer’s name and the employee’s name. According to the employer’s complaint, the employee was quite successful in his marketing efforts using the account, generating approximately 17,000 Twitter followers.

When the employee quit, he retained the account and began using it on behalf of a competitor of the employer, having changed the handle on the account to his own name, “@noahkravitz.” The employer brought an action in federal court alleging claims of trade secret misappropriation, intentional and negligent interference with prospective advantage and conversion, and asserting damages in excess of the jurisdictional amount of $75,000. Specifically, the employer alleged that the value of each individual Twitter follower, according to “industry standards,” is $2.50 per month; multiplied by 17,000 followers, multiplied by eight months (the period of time over which the employee refused to turn over the account) yields damages of $340,000. In the context of determining whether the federal jurisdictional minimum was met, the court concluded that the employer’s calculation of the value of the account was sufficient, but only as a preliminary matter.

The court refused to dismiss the employer’s trade secret claims, finding that the complaint had sufficiently alleged that both the password and the names of the followers were protected trade secrets. The court also refused to dismiss the employer’s conversion claim finding that it had sufficiently alleged that it owns or has the right to possess the account, and that the employee knowingly or intentionally refused to relinquish the account.

But the court dismissed the employer’s intentional and negligent interference with prospective economic advantage claims, finding that actual disruption of the employer’s relationship with the Twitter followers and economic harm had not been sufficiently alleged.

Although the employer has been at least partially successful on some preliminary motions in this dispute, as a practical matter, nothing has changed and the employee still maintains control of the Twitter account. What could the employer have done differently to avoid this problem?

Whose Blog Is It Anyway?

Ardis Health, LLC v. Nankivell, 2011 U.S. Dist. LEXIS 120738 (S.D.N.Y. Oct. 19, 2011), involves a situation similar to that in PhoneDog v. Kravitz, and is instructive on legal measures that an employer can take to improve its position with respect to a dispute over an online account. In Ardis, the employee had control over a number of social network and Web site accounts that the employer used to advertise its business, and was able to obtain a preliminary order requiring the turnover of the accounts.

The court concluded that the employer’s reliance on its online presence to advertise its business supported a finding of irreparable harm and the issuance of the preliminary injunction requiring the turnover of usernames and passwords enabling access to the Web sites and online service accounts controlled by the former employee. The court noted that the employer required access to the sites to continuously update profile information and pages and react to online trends, and that its inability to do so would have an unquestionably negative effect on its reputation and ability to remain competitive.

The court also suggested that the unauthorized retention of the account access information could form the basis for a claim of conversion, citing Thyroff v. Nationwide Mutual Insurance Co. (2d Cir. 2006). Unlike the situation in PhoneDog, where the employee claimed the right to control the Twitter account, the court in Ardis found that there was no dispute that the employer owned the rights to the accounts in question. The court noted that the employee had executed a Work Product Agreement that required, among other things, the return of the employer’s confidential information upon request, and providing that any breach of the agreement would cause the employer irreparable damage and injury.

Whose Tea Party Is It Anyway?

The Tea Party Patriots, a nonprofit organization that grew from a small group of like-minded activists to a force in U.S. politics, learned that disputes over ownership and control of online accounts can impair the ability of an nonprofit organization to pursue its business and require costly litigation to resolve.

One of the founders of the organization, Amy Kremer, registered domain names and set up a Web site and social network accounts on behalf of the organization in 2009. But Kremer was ousted from the group’s board of directors following a dispute over the group’s policies. Kremer retained control over some of the accounts, as well as an online e-mail list, allegedly after having changed the account password.

The group’s remaining board members filed suit against Kremer in Georgia state court. The board ultimately prevailed, but only after a week-long jury trial over the ownership of the accounts. No reported opinion was issued in this case.

Practical Lessons

One important difference between these three cases is that the Work Product agreement in Ardis v. Nankivell appeared to foreclose any argument over ownership rights in the accounts. In the employment context, employers should consider explicitly nailing down that issue even further in their proprietary rights agreements with employees, as well as their Internet use and similar policies that cover the use of company online accounts on behalf of the employer, with an express provision covering the ownership of such accounts.

Employers should also consider a practical protocol covering online accounts that requires registration in the name of the employer where possible, or inclusion of the employer’s identifying information in the account registration. Duplicate recordation of account registration and access information in a place within the company’s control should also be required. Quick action by the employer to change account access information when an employee leaves may avoid the cost and delay involved in litigation to recover account control.

It is also important to note that this issue arises not only in the case of employees, but also in the context of agents and contractors as well. For example, often an advertising agency will register a Twitter account for a client, or a developer or designer will register a domain name, create a blog or other online presence. It is essential that the agreements with such agents expressly address ownership of the credentials to such accounts, and that the agent is expressly required to provide those credentials to its principal.

Service Provider’s Intent in Removing Positive Reviews Irrelevant in Assessing Availability of CDA Section 230 Protection

By Jeff Neuburger on November 10th, 2011 Posted in Online Content

A lawsuit against consumer review site Yelp! has yielded an opinion that demonstrates the breadth of the protection afforded interactive service providers under Section 230 of the Communications Decency Act. In Levitt v. Yelp! Inc., 2011 U.S. Dist. LEXIS 124082 (N.D. Cal. Oct. 26, 2011), a group of putative class action plaintiffs filed an action against the site under Section 17200 of the California Business and Professions Code, claiming that the site manipulated its consumer review functionality to extort advertising revenues from the plaintiff businesses.

A key element of the business owners’ claims against Yelp! was the attempt to construct a theory of liability that would avoid the protection from liability for user content that is afforded interactive service providers under CDA Section 230. The business owners’ complaint based its claims on alleged conduct on the part of Yelp! and its employees. This approach has succeeded in a very small group of cases, e.g., Barnes v. Yahoo!, Inc., No. 05-36189 (9th Cir. May 7, 2009) (as amended June 22, 2009) (see our prior blog post here) and Anthony v. Yahoo! Inc., 2006 WL 708572 (N.D. Cal. March 17, 2006) (see Prof. Eric Goldman’s blog post here).

In an opinion rendered last spring, Judge Marilyn Patel rejected most of the business owners’ claims of “implied extortion” that were based upon allegations that Yelp! manipulated reviews in order to coerce businesses into purchasing advertising on the site, but granted leave to amend the complaint. Levitt v. Yelp! Inc, 2011 U.S. Dist. LEXIS 99372 (N.D. Cal. Mar. 22, 2011). A Third Amended Complaint was filed and Yelp! renewed its motion to dismiss. Judge Edward Chen, now assigned to the case, concluded that the Third Amended Complaint failed to cure the pleading and substantive defects identified by Judge Patel and finally dismissed the complaint without leave to amend.

The plaintiffs’ Third Amended Complaint allege!d several different categories of conduct by Yelp!: that the service removed positive reviews, resulting in a lowered overall “star” rating for a business; that the service retained negative reviews, even if those reviews violated the service’s terms of use; that the service’s own employees wrote negative reviews; and that the service said it would manipulate reviews in a positive direction for businesses that paid for advertising on the service.

Judge Chen found that the allegations that Yelp!’s own employees wrote negative reviews or paid users to do so were speculative. They relied, he said, on factually unsupported allegations that one of the plaintiffs was told by an unnamed source that Yelp! employees had been discharged for unspecified “scamming relating to advertising.”

Judge Chen then concluded that allegations that Yelp! either removed user reviews, or changed their order on the site in order to extort businesses, fall within CDA Section 230(c)(1), which prohibits treatment of a provider as the publisher or speaker of information provided by a third party. Decisions to remove or reorder user content fall within the publisher’s “traditional editorial functions,” he concluded, citing, e.g., Fair Housing Council of San Fernando Valley v. Roommates.com, LLC, 521 F.3d 1157 (9th Cir. 2008) (en banc).

The court also rejected the theory that Yelp! created the overall “star” reviews of businesses, which were derived from aggregating the ratings of individual reviews, finding that the aggregation of user content to generate the reviews did not make Yelp! a content provider. On this point, the court cited Gentry v. eBay, Inc., 99 Cal. App. 4th 816, 834, 121 Cal. Rptr. 2d 703 (2002), which absolved eBay of liability for its star ratings of users based upon user-generated data.

The court recognized that there was a distinction in Yelp! based on the business owners’ allegations that the provider included and excluded certain user reviews upon which Yelp! star ratings are based. But Judge Chen noted that the plaintiffs’ did not argue that the inclusion and exclusion of certain reviews per se fell outside of CDA Section 230(c)(1). Rather, they argued that the inclusion and exclusion of certain reviews was done in bad faith. The court framed the issue as whether the exercise of a traditional editorial function, otherwise protected by CDA Section 230, falls outside of that protection when the provider has a bad faith motive.

Judge Chen concluded that, despite the “ethical underpinnings” of the business owners’ position, a provider’s motive in exercising its editorial function is irrelevant under the language of Section 230 as well as prior court interpretations, which have not recognized an intent test for the application of Section 230(c)(1). The court pointed out that while Section 230(c)(2), which protects a provider’s actions taken to restrict obscene and otherwise objectionable material, includes a good faith requirement, Section 230(c)(1) contains no good faith language. As to the policy of protecting possible bad-faith exercises of editorial functions, Judge Chen referred to the strong policy of Section 230 to protect providers from lawsuits over third-party content:

Furthermore, it should be noted that traditional editorial functions often include subjective judgments informed by political and financial considerations. *** Determining what motives are permissible and what are not could prove problematic. Indeed, from a policy perspective, permitting litigation and scrutiny motive could result in the "death by ten thousand duck-bites" against which the Ninth Circuit cautioned in interpreting § 230(c)(1) [citing Fair Housing Council v. Roommates]. *** As illustrated by the case at bar, finding a bad faith exception to immunity under § 230(c)(1) could force Yelp to defend its editorial decisions in the future on a case by case basis and reveal how it decides what to publish and what not to publish. Such exposure could lead Yelp to resist filtering out false/unreliable reviews (as someone could claim an improper motive for its decision), or to immediately remove all negative reviews about which businesses complained (as failure to do so could expose Yelp to a business’s claim that Yelp was strong-arming the business for advertising money). The Ninth Circuit has made it clear that the need to defend against a proliferation of lawsuits, regardless of whether the provider ultimately prevails, undermines the purpose of section 230.

In accordance with this conclusion, the court dismissed the business owners’ claims under California Business and Professions Code § 17200, as well as civil extortion and attempted extortion claims.

Plaintiffs Boris Levitt, et al, filed a notice of appeal to the Ninth Circuit on November 7, 2011.

Ninth Circuit Will Rehear Important Employee Data Theft Case under the Computer Fraud and Abuse Act

By Jeff Neuburger on November 1st, 2011 Posted in Computer Fraud and Abuse Act

On October 27, 2011, the United States Court of Appeals for the Ninth Circuit agreed to rehear the appeal in United States v. Nosal, 642 F.3d 781 (9th Cir. Apr. 28, 2011). Nosal involves a prosecution under the Computer Fraud and Abuse Act for alleged employee theft of confidential data from an employer’s network for the benefit of a competitor. The circumstances under which an insider with a disloyal purpose, such as an employee who has permission to use the employer’s network resources, can be charged either civilly or criminally under the CFAA with unauthorized access to a network, or access exceeding authorization, has been the subject of disagreement in the federal courts.

As we wrote last April, the panel in Nosal ruled that an employee exceeds authorized access within the meaning of the CFAA “when he or she obtains information from the computer and uses it for a purpose that violates the employer’s restrictions on the use of the information.” The Nosal ruling narrowly interpreted a prior Ninth Circuit panel opinion in a civil action under the CFAA, LVRC Holdings, LLC v. Brekka, 581 F.3d 1127 (9th Cir. 2009). (See prior blog post here.) There, a different panel ruled that under the plain language of the CFAA, an act of disloyalty to an employer, e.g., access to a employer’s network for purposes of providing data to a competitor, does not render the employee’s access unauthorized within the meaning of the CFAA.

The key distinction that the panel in Nosal made from the facts of LVRC v. Brekka, was the existence in Nosal of “a computer use policy that placed clear and conspicuous restrictions on the employees’ access” both to employer’s computer system in general and to specific data in question. No such agreement was in place in LVRC v. Brekka.

The implications of the issues in LVRC v. Brekka and Nosal go beyond the employer-employee context. In its Amicus Brief filed urging the Ninth Circuit to rehear the Nosal case en banc, the Electronic Frontier Foundation argued that the panel opinion in Nosal would criminalize routine, mundane acts committed by Internet users that were deemed to violate provisions in broadly written Internet Terms of Service.

It is important to note that other federal courts of appeal have upheld broad readings of the CFAA in the employee-employer context. In the civil context, see, e.g., International Airport Centers, LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006); and in the criminal context, see, e.g., United States v. John, 597 F.3d 263 (5th Cir. 2010), United States v. Rodriguez, 628 F.3d 1258 (11th Cir. 2010).

Oral argument in the rehearing en banc is scheduled for some time in the week of December 12, 2011.

Novell Prevails in Long-Running Dispute over Ownership of UNIX Copyrights – And Open Source Software Moves On

By Jeff Neuburger on August 31st, 2011 Posted in Contracts, Copyright, Open Source

The dispute between The SCO Group and Novell, Inc. over the ownership of copyrights in the code to certain versions of the UNIX operating system, which started eight years ago, appears to have been handed its retirement papers by the Tenth Circuit. Yesterday, on the case’s second visit to the circuit, the court upheld the jury verdict in Novell’s favor on the issue of copyright ownership. The SCO Group v. Novell, Inc., No. 10-4122 (10th Cir. Aug. 30, 2011).

The case is important because the issue of UNIX copyright ownership underlies the copyright litigation campaign that SCO commented in 2003, targeting the LINUX open source operating system. When SCO filed multiple lawsuits claiming that the LINUX OS infringed its UNIX copyrights, it raised concerns that users of LINUX could be held liable for infringement, and subject to the payment of royalties to SCO. The ruling that SCO does not own the copyrights that it asserted in those litigations puts an end to that threat.

Despite the concerns raised in 2003 that the threat of copyright litigation and royalty payments would stall not only the adoption of the LINUX OS but also other open source software, users appeared to factor in the threat of future liability. Both LINUX and other open source software projects marched on as the SCO litigations ground on.

Last week, the LINUX OS turned 20. As this CNN article observes, LINUX is now invisible and ubiquitous. While its share of the desktop operating system remains miniscule, LINUX code is present in 30% and 43% of tablets and smartphones, respectively, as part of the Android operating system. And LINUX code is present in the firmware of countless other devices, and is pervasive in enterprise data systems.

As for open source generally, as long as we’re keeping score, it’s a good time to note that the Apple operating system is based on open source code as well. In fact, it has the same roots as the code at issue in SCO v. Novell – the earliest versions of the UNIX operating system.

Notwithstanding that SCO may seek en banc review and even file a petition for certiorari to the U.S. Supreme Court (it’s done that before), the SCO v. Novell case appears to be, finally, over. Ultimately, the related SCO litigations, including its copyright infringement case against IBM, will fold up as well.

There are a few lessons for technology lawyers in the SCO v. Novell litigation, which you can read about in our prior blog post.

The SCO v. Novell endgame doesn’t seem to have gotten a lot of press, at least so far. Perhaps this is because attention has already turned to the next big “open source” battle – the complex web of litigations involving Google’s Android operating system. This time, the battle isn’t for the desktop, it’s for mobile market share.

Hurricane Irene Storms Through Force Majeure Provisions

By Jeff Neuburger on August 29th, 2011 Posted in Contracts

Update: A little over a year after Hurricane Irene blew through, Hurricane Sandy dealt a devastating blow to the Eastern Seaboard. And our advice remains the same: review of force majeure clauses is in order, first to assess their implications for the current crisis, and for the long term, to prepare for the next time.

***

The gusts of hurricane Irene were still blowing outside as the winds of “force majeure” gathered force in the minds of lawyers around the country. Long before the storm subsided, storm-related interruptions in contract-procured services caused clients and their lawyers to wonder, “what does the force majeure clause say?”

The service interruptions caused by the hurricane are sure to lead to claims and disputes centered on that often-overlooked clause found in many service contracts. While not typically one of the most heavily negotiated clauses of a typical contract, when a hurricane like Irene causes a significant disruption in service, force majeure clauses take center stage in determining each party’s rights, responsibilities and remedies.

Is the question as simple as whether or not a hurricane is a “force majeure” event? No, in fact, this may the simplest of the questions to answer. There are, however, many other issues involved.

First, and most basic, is the question of whether a party’s performance is actually excused. Often, specific obligations are carved out of force majeure clauses. For example, the payment of money is often an exception to the clause.

Second, what are the conditions to the invocation of the force majeure clause? A service provider’s ability to be relieved for a force majeure event is often conditioned on their taking certain steps immediately upon the occurrence of the event – even if, like Hurricane Irene, it occurs on a weekend. For example, often a service provider agrees to have a disaster recovery or similar plan in place to avoid disruption in service in the event of a disaster. Sometimes, relief is only available under a force majeure clause if the service provider activates that plan in a timely manner. In addition, failure to spring the plan into action could be a breach in its own right, which may not be subject to relief under the force majeure clause. Other time-sensitive requirements and conditions could include providing notice to the recipient of the services, taking certain steps to transfer data files or processing, or taking other steps to mitigate the effect of the event.

Third, exactly what performances are to be excused by the clause? Is the clause written specifically to say that only the obligations directly impeded by the force majeure event are excused, or does the clause give the party a broader waiver? For example, if the storm interferes with the service provider’s ability to provide customer support, does the force majeure clause relieve the service provider from data security requirements?

Fourth, what level of diligence and effort does a party have to exercise to minimize the effect of the force majeure event on its ability to perform? Once a party invokes the force majeure clause, what do they have to do to overcome the problem?

Fifth, if one party’s obligations are excused because of a force majeure event, what about the obligations of the other party? Are they excused as well or must they continue to perform?

Finally, other than excusing non-performance, what are the other implications of a force majeure clause? Sometimes, force majeure provisions have termination rights associated with them, whereby the party not affected by the event can terminate the contract if the inability to perform extends beyond a certain amount of time. To the extent Hurricane Irene leaves service providers out of commission for any extended period of time, this may become relevant. Also, an inability to perform due to a force majeure event sometimes allows the client to procure the services from an alternate supplier – and sometimes converts an exclusive relationship to a non-exclusive one.

Companies affected by Irene – either themselves or through the impact of the storm on business partners – should be thinking about their force majeure clauses. Service providers should consider whether the force majeure clauses in their contracts offer any relief to hurricane-related problems. Customers should be asking what are their service provider’s rights and responsibilities regarding hurricane-related problems.

In any case, attorneys are well-advised to keep Irene in mind the next time they are tempted to skim over the force majeure provision in a difficult contract negotiation.