With the change in administrations in Washington, there has been a drive to enact or amend legislation in a variety of areas. However, most initiatives lack the zeal found with the bipartisan interest in “reining in social media” and pursuing reforms to Section 230 of the Communications Decency Act (CDA). As we have documented,, the parade of bills and approaches to curtail the scope of the immunities given to “interactive computer services” under CDA Section 230 has come from both sides of the aisle (even if the justifications for such reform differ along party lines). The latest came on February 5, 2021, when Senators Warner, Hirono and Klobuchar announced the SAFE TECH Act. The SAFE TECH Act would limit CDA immunity by enacting “targeted exceptions” to the law’s broad grant of immunity. Continue Reading
Southwest Airlines Sues to Stop Web Scraping of Fare Information
On January 14, 2021, Southwest Airlines Co. (“Southwest”) filed a complaint in a Texas district court against an online travel site, Kiwi.com, Inc. (“Kiwi”), alleging, among other things, that Kiwi’s scraping of fare information from Southwest’s website constituted a breach of contract and a violation of the Computer Fraud and Abuse Act (CFAA). (Southwest Airlines Co. v. Kiwi.com, Inc., No. 21-00098 (N.D. Tex. filed Jan. 14, 2021)). Southwest is no stranger in seeking and, in most cases, obtaining injunctive relief against businesses that have harvested its fare data without authorization – ranging as far back as the 2000s (See e.g., Southwest Airlines Co. v. BoardFirst, LLC, No. 06-0891 (N.D. Tex. Sept. 12, 2007), and as recently as two years ago, when we wrote about a 2019 settlement Southwest entered into with an online entity that scraped Southwest’s site and had offered a fare notification service, all contrary to Southwest’s terms.
According to the current complaint, Kiwi operates an online travel agency and engaged in the unauthorized scraping of Southwest flight and pricing data and the selling of Southwest tickets (along with allegedly charging unauthorized service fees), all in violation of the Southwest site terms. Upon learning of Kiwi’s scraping activities, Southwest sent multiple cease and desist letters informing Kiwi of its breach of the Southwest terms. It demanded that Kiwi cease scraping fare data, publishing fares on Kiwi’s site and using Southwest’s “Heart” logo in conjunction with the selling of tickets. Kiwi responded and sought to form a business relationship, an overture that Southwest refused. According to Southwest, when discussions failed to yield a resolution, Kiwi allegedly continued its prior activities, prompting the filing of the suit. Continue Reading
How to Respond to the SolarWinds “Orion” Supply Chain Attack
As reported last week, it appears that a state-sponsored security hack has resulted in a major security compromise in widely-used software offered by a company called SolarWinds. The compromised software, known as Orion, is enterprise network management software that helps organizations manage their networks, servers and networked devices. The software is widely-used by both public and private sector companies.
The exposure, in the form of “spyware” inserted into one or more updates to Orion, is significant. According to an alert issued by the Cybersecurity and Infrastructure Security Agency (“CISA”), it is common for network administrators to configure Orion with pervasive privileges, which would allow it to bypass firewalls and other security measures, thus making it an enviable target for hackers. CISA categorized the SolarWinds attack as presenting a “grave risk” to government agencies and private entities.
The attack had been ongoing and undetected since perhaps March 2020 (or earlier, and certainly planned out for years). SolarWinds’s SEC filings last week estimated that about 18,000 of its customers may have downloaded the malware-laden software update for Orion. However, the number of organizations impacted may be even higher. Orion may be part of a larger infrastructure implementation or managed service provided by third party service providers. And as a result, even entities that do not have a direct relationship with SolarWinds may need to investigate potential impacts.
It is important to note, however, that even though a business may have the malicious code integrated into their network, they may not yet have suffered an actual breach or intrusion. “Luckily,” this actor seems to have taken great pains to remain concealed, and as a result, it appears that the perpetrators had not yet had an opportunity to invoke their ability to invade every impacted network in all potentially impacted cases.
While we are far from learning all of the various ways in which this backdoor was exploited, early anecdotal evidence suggests that these attackers were very interested in pivoting into other systems, including cloud-based systems, such as Office 365, that may not have any direct connection to a SolarWinds installation. While the disabling of the so-called Orion “Sunburst backdoor” and the confiscation of the original domain name that was receiving communications from the attacker should stop further data loss from the initial entry point, it will not stop further incidents if the attacker has already established persistent access within the network. Thus, it is important to note merely because an affected organization may have closed the initial vulnerability, it should not declare itself as contained too quickly as the hackers may have surreptitiously achieved persistent access beyond the Orion entry point.
There are two sobering consequences from this recognition. First, if an organization determines that it installed the corrupted version of Orion, an organization’s investigation may need to be very broad in nature. Second, organizations may need to consider whether previous breaches that were resolved this year might, in fact, have had something to do with this issue that was undiscovered at the time of detection. Accordingly, it may be necessary to revisit prior incidents thought long resolved. Continue Reading
Mobile Platforms to Block Data Broker from Collecting User Location Data
On December 9, 2020, the Wall Street Journal reported that Apple and Google will block the data broker X-Mode Social Inc. (“X-Mode”) from collecting location data from iPhone and Android users. Apple and Google have reportedly informed app developers to remove the X-Mode social tracking SDK from all of their apps within a short period of time or risk removal from the platforms’ app stores. This action apparently was prompted by reports that X-Mode was selling location data to certain defense contractors and government entities.
The WSJ report suggests that Apple and Google notified Senator Ron Wyden about this action. Senator Wyden and a group of other Senators have been soliciting government inquiries over the last several months into the sale of location data to government contractors and agencies. It is Senator Wyden’s position that such sales of users’ location data by commercial data brokers to government entities are unlawful without a warrant (citing the Supreme Court case, Carpenter v. United States, 138 S.Ct. 2206 (2018), which held that the acquisition of cell-site location information was a Fourth Amendment search).
Senator Wyden’s scrutiny over such practices does not seem to be limited to sale of location data to government sources, but more so toward the wider data tracking ecosystem. He was one of the senators that earlier this year sent a letter to FTC Chairman Joseph J. Simons urging the agency to investigate whether analytics firm Yodlee’s financial data collection practices were violating the FTC Act (a request which led to at least one civil investigative demand being issued by the FTC to Yodlee and a putative class action suit over such practices). In the WSJ article, Wyden is quoted as stating: “Apple and Google deserve credit for doing the right thing and exiling X-Mode Social, the most high-profile tracking company, from their app stores. But there’s still far more work to be done to protect Americans’ privacy, including rooting out the many other data brokers that are siphoning data from Americans’ phones.” Continue Reading
New York’s Automatic Renewal Law Coming in February 2021: New Compliance Issues to Follow
New York has enacted a new law, effective February 9, 2021, regulating automatic renewal and some “free trial” type agreements. While some organizations may have already taken steps to be in compliance with industry requirements, the federal Restore Online Shoppers’ Confidence Act (ROSCA), and similar auto-renewal laws in place in California and other states, all businesses should review their practices to ensure compliance with this new law.
The New York law is, in many ways, modelled after California’s comprehensive auto-renewal law. (See Cal. Bus. & Prof. Code § 17600 et seq.). With such a legislative template in mind, on November 11, 2020, New York’s Governor Cuomo signed into law S1475, which amends the General Business Law to enact New York’s own strict auto-renewal law. S1475 includes broad consumer protection requirements and imposes notice and transparency requirements regarding offer terms and cancellation options for automatic renewal plans and arrangements.
The new law is relevant to all consumer-facing businesses that might enter into automatic renewal or continuous service agreements, such as online businesses, media companies, subscription-based companies (including software providers), and many more entities in the consumer space.
For an in-depth discussion of the new law, please see our Client Alert posted on Proskauer’s website.
Supreme Court Hears Oral Argument in Its First CFAA Case
On November 30, 2020, the Supreme Court held oral argument in its first case interpreting the “unauthorized access” provision of the Computer Fraud and Abuse Act (CFAA). The CFAA in part prohibits knowingly accessing a computer “without authorization” or “exceeding authorized access” to a computer and thereby obtaining information and causing a “loss” under the statute. The case concerns an appeal of an Eleventh Circuit decision affirming the conviction of a police officer for violating the CFAA for accessing a police license plate database he was authorized to use but used instead for non-law enforcement purposes. (See U.S. v. Van Buren, 940 F. 3d 1192 (11th Cir. 2019), pet. for cert. granted Van Buren v. U.S., No. 19-783 (Apr. 20, 2020)). The issue presented is: “Whether a person who is authorized to access information on a computer for certain purposes violates Section 1030(a)(2) of the Computer Fraud and Abuse Act if he accesses the same information for an improper purpose.”
The defendant Van Buren argued that he is innocent because he accessed only databases that he was authorized to use, even though he did so for an inappropriate reason. He contended that the CFAA was being interpreted too broadly and that such a precedent could subject individuals to criminal liability merely for violating corporate computer use policies. During oral argument, Van Buren’s counsel suggested that such a wide interpretation of the CFAA was turning the statute into a “sweeping Internet police mandate” and that the Court shouldn’t construe a statute “simply on the assumption the government will use it responsibly.” In rebuttal, the Government countered that Van Buren’s misuse of access for personal gain was the type of “serious breaches of trust by insiders” that statutory language is designed to cover. Continue Reading
CDA “Reform” on the Horizon: Investors and Operators Take Note
The appetite for acquisitions and investment in online businesses has never been stronger, with many of the most attractive online opportunities being businesses that host, manage and leverage user-generated content. These businesses often rely on the immunities offered by Section 230 of the Communications Decency Act, 47 U.S.C. §230 (“Section 230” or the “CDA”) to protect them from liability associated with receiving, editing and posting or removing such content. And investors have relied on the existence of robust immunity under the CDA in evaluating the risk associated with such investments in such businesses. This seemed reasonable, as following the legacy of the landmark 1997 Zeran decision, for more than two decades courts have fairly consistently interpreted Section 230 to provide broad immunity for online providers of all types.
However, in the last five years or so, the bipartisan critics of the CDA have gotten more full-throated in decrying the presence of hate speech, revenge porn, defamation, disinformation and other objectionable content on online platforms. This issue has been building throughout the past year, and has reached a fever pitch in the weeks leading up to the election. The government’s zeal for “reining in social media” and pursuing reforms to Section 230, again, on a bipartisan basis, has come through loud and clear (even if the justifications for such reform differ on party lines). While we cannot predict exactly what structure these reforms will take, the political winds suggest that regardless of the administration in charge, change is afoot for the CDA in late 2020 or 2021. Operating businesses must take note, and investors should keep this in mind when conducting diligence reviews concerning potential investments. Continue Reading
Facebook Brings Suit against Developers of a Browser Extension That Harvested User Data
In continuing its efforts to enforce its terms and policies against developers that engage in unauthorized scraping of user data, this week Facebook brought suit against two marketing analytics firms, BrandTotal Ltd (“BrandTotal”) and Unimania, Inc. (“Unimania”) (collectively, the “Defendants”) (Facebook, Inc. v. BrandTotal Ltd., No. 20Civ04246 (Cal. Super. Ct., San Mateo Cty Filed Oct. 1, 2020)). Facebook alleges that the defendants developed and distributed malicious Chrome browser extensions that were essentially designed to scrape users’ data from various social media platforms (including Facebook and Instagram), all in contravention of Facebook and Instagram’s terms of service and commercial terms.
According to the Complaint, the defendants coaxed users to install their UpVoice and Ads Feed extensions by, among other things, offering gift cards in exchange for downloading and suggesting that users would become “panelists” impacting marketing strategies of large companies. Facebook further claims that defendant BrandTotal deceived visitors to its website into believing Facebook and other social media services were working with BrandTotal by identifying Facebook and the other companies as “participating sites,” when in fact Facebook never authorized the defendants to scrape user data. In fact, Facebook alleges that once installed, the browser extensions harvested, without Facebook’s authorization, the users’ profile information, user advertisement interest information and various public and nonpublic ad metrics when the users visited Facebook, Instagram or various other social sites (all despite users’ account privacy settings). As laid out in the Complaint, the defendants’ extensions were programmed to send commands to Facebook and Instagram servers appearing to originate from the user, not the defendants, and then scrape the data and transmit it back to the user, and then onto the defendants’ own servers. The data collected by defendants was then presumably used to provide “marketing intelligence” services about users and advertisers.
Facebook states that it undertook various technical measures against the defendants in September 2020, including disabling the defendants’ Facebook and Instagram accounts and pages, as well as asking Google to remove the extensions from the Chrome Store. And this week, Facebook filed suit against the defendants, advancing claims for breach of contract and unjust enrichment and requesting monetary damages and injunctive relief barring defendants from accessing and using Facebook’s services or developing browser extensions that access Facebook without authorization. It does not appear that the defendants have filed an answer to the state court action or otherwise responded to the suit by posting a statement on the BrandTotal website.
Beyond the issues discussed above, the instant dispute should also resonate with any entity that acquires anonymized social media analytics from third party vendors. As we’ve previously stated – and regardless of the outcome of this dispute – it is important for downstream recipients of aggregated web or user data or reports processing such data to understand how such data is collected and whether such collection comports with applicable law or contractual requirements.
DOJ Submits CDA Reform Proposal to Congress to Curtail Protections for Online Platforms
Section 230 of the Communications Decency Act, 47 U.S.C. §230 (“Section 230” or the “CDA”), enacted in 1996, is generally viewed as the most important statute supporting the growth of Internet commerce. The key provision of the CDA, Section 230(c)(1)(a), only 26 words long, simply states: “No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.” This one sentence has been the source of bedrock service provider immunity for third party content made available through a provider’s infrastructure, thus enabling the growth of a vigorous online ecosystem. Without such immunity, providers would have to face what the Ninth Circuit once termed, “death by ten thousand duck-bites,” in having to fend off claims that they promoted or tacitly assented to objectionable third party content.
The brevity of this provision of the CDA is deceptive, however. The CDA – and the immunity it conveys – is controversial, and those 26 words have been the subject of hundreds, if not thousands, of litigations. Critics of the CDA point to the proliferation of hate speech, revenge porn, defamatory material, disinformation and other objectionable content – in many cases, the sites hosting such third party content (knowingly or unknowingly) are protected by the broad scope of the CDA. Other objections are merely based on unhappiness about the content of the speech, albeit in many cases true, such as comments that are critical of individuals, their businesses or their interests. Litigants upset about such content have sought various CDA workarounds over the past two decades in a mostly unsuccessful attempt to bypass the immunity and reach the underlying service providers.
The back-and-forth debate around the scope and effects of the CDA and the broad discretion afforded online providers regarding content hosting and moderation decisions is not new. However, it was brought into a new focus when the President, vexed at the way some of his more controversial posts were being treated by certain social media platforms, issued a May 20, 2020 Executive Order for the purpose of curtailing legal protections for online providers. The goal was to remedy what the White House believed was the online platforms’ “deceptive or pretextual actions stifling free and open debate by censoring certain viewpoints.”
The Executive Order – which is currently being challenged in court as unconstitutional – directed several federal agencies to undertake certain legislative and regulatory efforts toward CDA reform. Consequently, in June 2020 the DOJ stated “that the time is ripe to realign the scope of Section 230 with the realities of the modern internet” and released a 28-page document with its preliminary recommendations for reform of Section 230. A month later, the Commerce Department submitted a petition requesting that the FCC write rules to limit the scope of CDA immunity and place potentially additional compliance requirements on many providers that host third party content. Then, on September 23, 2020, the DOJ announced that it had sent its legislative proposal for amending the CDA to Congress. The DOJ, in its cover letter to Congress, summed up the need for reform: “The proposed legislation accordingly seeks to align the scope of Section 230 immunities with the realities of the modern internet while ensuring that the internet remains a place for free and vibrant discussion.” Continue Reading
Thoughtful Presentations of Terms of Use Crucial for Enforceability
Many online services feature comprehensive terms of use intended to protect their business from various types of risks. While it is often the case that a great deal of thought goes into the creation of those terms, frequently less attention is paid to how those terms are actually presented to users of the service. As case law continues to demonstrate, certain mobile and website presentations will be held to be enforceable, others will not. Courts continue to indicate that enforceability of terms accessible by hyperlink depends on the totality of the circumstances, namely the clarity and conspicuousness of the relevant interface (both web and mobile) presenting the terms to the user. In a prior post about electronic contracting this year, we outlined, among other things, the danger of having a cluttered registration screen. In this post, we will spotlight five recent rulings from the past few months where courts blessed the mobile contracting processes of e-commerce companies, as well as one case which demonstrates the danger of using a pre-checked box to indicate assent to online terms.
The moral of these stories is clear – the presentation of online terms is essential to enhancing the likelihood that they will be enforced, if need be. Thus, the design of the registration or sign-up page is not just an issue for the marketing, design and technical teams – the legal team must focus on how a court would likely view a registration interface, including pointing out the little things that can make a big difference in enforceability. A failure to present the terms properly could result in the most carefully drafted terms of service ultimately having no impact on the business at all. Continue Reading
