New Media and Technology Law Blog

The Tor Browser Afforded CDA Immunity for Dark Web Transactions

The District of Utah ruled in late May that Section 230 of the Communications Decency Act, 47 U.S.C. §230 (“CDA”) shields The Tor Project, Inc. (“Tor”), the organization responsible for maintaining the Tor Browser, from claims for strict product liability, negligence, abnormally dangerous activity, and civil conspiracy.

The claims were asserted against Tor following an incident where a minor died after taking illegal narcotics purchased from a site on the “dark web” on the Tor Network. (Seaver v. Estate of Cazes, No. 18-00712 (D. Utah May 20, 2019)). The parents of the child sued, among others, Tor as the service provider through which the teenager was able to order the drug on the dark web. Tor argued that the claims against it should be barred by CDA immunity and the district court agreed.

The Onion Router, or “Tor” Network, was originally created by the U.S. Naval Research Laboratory for secure communications and is now freely available for anyone to download from the Tor website.  The Tor Network allows users to access the internet anonymously and allows some websites to operate only within the Tor network. Thus, the Tor Network attempts to provide anonymity protections both to operators of a hidden service and to visitors of a hidden service. The Tor browser masks a user’s true IP address by bouncing user communications around a distributed network of relay computers, called “nodes,” which are run by volunteers around the world. Many people and organizations use the Tor Network for legal purposes, such as for anonymous browsing by privacy-minded users, journalists, human rights organizations and dissidents living under repressive regimes. However, the Tor Network is also used as a forum and online bazaar for illicit activities and hidden services (known as the “dark web”). The defendant Tor Project is a Massachusetts non-profit organization responsible for maintaining the software underlying the Tor browser.

To qualify for immunity under the CDA, a defendant must show that 1) it is an “interactive computer service”; 2) its actions as a “publisher or speaker” form the basis for liability; and 3) “another information content provider” provided the information that forms the basis for liability. The first factor is generally not an issue in disputes where CDA immunity is invoked, as websites or social media platforms typically fit the definition of an “interactive computer service.” The court found that Tor qualified as an “interactive computer service” because it enables computer access by multiple users to computer servers via its Tor Browser.  The remaining factors were straightforward for the court to analyze, as the plaintiff sought to hold Tor liable as the publisher of third-party information (e.g., the listing for the illicit drug).

The outcome was not surprising, given that courts have previously dismissed tort claims against platforms or websites where illicit goods were purchased (such as the recent Armslist case decided by the Wisconsin Supreme Court where claims against a classified advertising website were deemed barred by the CDA).

The questions surrounding the court’s ability to even hear the case also posed interesting jurisdictional questions, as the details of the Tor network are shrouded in anonymity and there are no accurate figures as to how many users or nodes exist within the Utah forum.  The court determined that, under plaintiff’s rough estimation, there were around 3,000-4,000 Utah residents who used Tor daily and perhaps, became part of the service (“Plaintiff has set forth substantial evidence to support the assumption that many of these transactions and relays are occurring in Utah on a daily basis”). In a breezy analysis, the court found that plaintiff had provided sufficient evidence to set forth a prima facie showing that Tor maintains continuous and systematic contacts in the state of Utah so as to satisfy the general jurisdiction standard.

This case is a reminder of the breadth of the CDA, as well as a reminder that many of its applications result in painful and somewhat controversial outcomes.

On the Mark: Understanding the Supreme Court’s Latest Decision Regarding the Treatment of Trademark Licenses in Chapter 11

On May 20, 2019, in Mission Product Holdings, Inc. v. Tempnology, LLC, 587 U.S. ___ (2019), the Supreme Court resolved an area of ongoing concern for parties to trademark licenses. The court addressed a circuit split on whether a trademark licensee may continue to use a trademark for the term of the license, after the license has been rejected in bankruptcy.  In Mission, the debtor-licensor rejected a trademark license agreement and sought to terminate the licensee’s right to use the debtor’s trademark. This decision has important ramifications to parties to trademark licenses. Continue Reading

Get All of Your Bots in a Row: 2018 California Bot Disclosure Law Comes Online Soon

During the 2016 election, certain Russian operatives used fake social media profiles to influence voters and also created bot accounts to add likes to and share posts across the internet.  And more recently, in January 2019, the New York Attorney General and Office of the Florida Attorney General announced settlements with certain entities that sold fake social media engagement, such as followers, likes and views.  Moreover, many of the social media platforms have had recent purges of millions of fake accounts.  Thus, it’s clear that bots and automated activity on social media platforms has been on everyone’s radar…including state legislators’ too.

Indeed, California passed a chatbot disclosure law (SB-1001) last September that makes it unlawful for persons to mislead users about their artificial bot identity in certain circumstances, and it is only now coming into effect on July 1st.  In essence, the purpose of law was to inform users when they are interacting with a virtual assistant or chatbot or automated social media account so that users could change their behavior or expectations accordingly.  Entities that may interact online or via mobile applications with their customers regarding commercial transactions via a chatbot on their own website or automated account on another platform should certainly take note of the new California law’s disclosure requirements. Continue Reading

Quantum Computing in the News

Yesterday’s Wall Street Journal featured a substantial article on the growth of quantum computing, and the risks and opportunities it presents. It is a thoughtful article, and a must-read for people interested in the area.  We have been working with clients in the area, and identified it as an area of increasing importance in our blog’s 2017 and 2018 year-end reflections on what’s ahead. Much work is being done as we speak to both advance quantum computing and to deal with the challenges it presents to the existing information system infrastructure. (For more information on the race to build a quantum computer and post-quantum cryptography, see the NIST Quantum Revolution page). We will continue to keep readers apprised of significant new developments as they occur.

Filtering Actions by Anti-Malware Software Provider Protected by CDA “Good Samaritan” Immunity

Three recent court decisions affirmed the robust immunity under the Communications Decency Act (CDA), 47 U.S.C. §230(c), for online providers that host third-party content: the Second Circuit’s decision in Herrick v. Grindr LLC, No. 18-396 (2d Cir. Mar. 27, 2019) (summary order), the Wisconsin Supreme Court’s opinion in Daniel v. Armslist, LLC, No. 2017AP344, 2019 WI 47 (Wis. Apr. 30, 2019),  and the Northern District of California’s decision in P.C. Drivers Headquarters, LP v. Malwarebytes Inc., No. 18-05409 (N.D. Cal. Mar. 6, 2019). Continue Reading

CFAA Claim Dismissed in Scraping Suit, While Contract Claim Survives

This month, an Illinois district court considered another in the series of web scraping disputes that have been working their way through our courts.  In this dispute, CouponCabin, Inc. v. PriceTrace, LLC, No. 18-7525 (N.D. Ill. Apr. 11, 2019), CouponCabin alleged that a competitor, PriceTrace, scraped coupon codes from CouponCabin’s website without authorization and displayed them on its own website.

After discovering PriceTrace’s scraping activities, CouponCabin sent PriceTrace a cease and desist letter demanding that PriceTrace stop scraping data from CouponCabin’s website.  CouponCabin alleged that PriceTrace continued to access and scrape data from CouponCabin’s website even after the C&D letter was sent. As a result, CouponCabin brought several causes of action against PriceTrace, including claims under the Computer Fraud and Abuse Act (CFAA), tortious interference and breach of contract.

The court found that CouponCabin’s C&D letter had revoked PriceTrace’s access to its site and that PriceTrace’s alleged continued access to the website plausibly stated a violation of the CFAA’s “unauthorized access” provision (18 U.S.C. §1030(a)(2)(C)).  Ultimately, however, the court dismissed the CFAA claims with leave to amend, due to plaintiff’s failure to plead the requisite amount of damage or loss as required to maintain a civil action under the CFAA.

“CouponCabin is simply alleging that PriceTrace was able to circumvent CouponCabin’s website security, with no allegation that such evasion impairs or harm the website. Absent allegation of impairment, CouponCabin has merely alleged that PriceTrace accessed CouponCabin’s website without authorization.”

Continue Reading

Recent Bill Introduced in Illinois Legislature Would Curtail BIPA Litigation

UPDATE:  Both bills failed to be reported out of committee by March 28, 2019 and were not debated during this year’s legislative session.

In the wake of the Illinois Supreme Court decision that held that claimants need only allege a procedural violation to have standing to bring an action under the Illinois Biometric Information Privacy Act (BIPA) and the continued wave of BIPA-related litigation, the Illinois legislature is considering an amendment to BIPA that would strip the statute of its private right of action. SB2134, as currently written, would amend BIPA by deleting the private right of action and instead provide for enforcement under the Department of Labor (for violations concerning employment-related biometric data collection) or generally by the state attorney general under the state’s consumer protection statute. The end result would be a statute similar to Texas and Washington’s biometric privacy bills which may only be enforced by the respective state attorney general. [Note: There is also another BIPA amendment pending, HB3024, which would expand the definition of “biometric identifier” to include “an electrocardiography result from a wearable device” in an effort to keep up with the latest technologies]. Continue Reading

Bipartisan Facial Recognition Privacy Bill Introduced in Congress

Senators Brian Schatz (D) and Roy Blunt (R) recently introduced S.847, the “Commercial Facial Recognition Privacy Act of 2019,” a bill that would, subject to certain important exceptions,  generally prohibit the commercial use of facial recognition technology to identify and track consumers without consent. The bill, as drafted would place limitations on the third-party sharing of collected faceprint data, as well as require covered entities to meet certain minimum data security standards. As this bill wends its way through Congress (it has been referred to the Committee of Commerce, Science and Transportation), it is worth watching because it is a bipartisan bill with a narrow scope that has garnered the early conceptual support of Microsoft and other technology companies. Continue Reading

Registrations, not Applications: Supreme Court Says Copyright Owners Must Wait to Sue

This Monday, the Supreme Court unanimously ruled in Fourth Estate Public Benefit Corp. v. Wall-Street.com, LLC, 586 U.S. ____ (Mar. 4, 2019), that a copyright owner may commence an infringement suit only when the Copyright Office determines whether or not to register a copyright, as opposed to when the owner submits an application and fee for registration. The widely-followed case resolves a simple question, but has far-reaching practical implications for U.S. copyright litigation. Continue Reading

Digital Currency App’s Electronic User Agreement Held Enforceable

In a recent blog post, we wrote about how the Second Circuit found the arbitration clause in a web service’s terms and conditions unenforceable because the user did not have reasonable notice of the terms that were communicated via a hyperlink in a post-sale email. In contrast, a New York district court recently upheld an arbitration clause in Coinbase’s account registration process and granted its motion to compel arbitration concerning claims brought by a user (Sultan v. Coinbase, Inc., No. 18-934 (E.D.N.Y. Jan. 24, 2019)).

This case sheds further light on the do’s and don’ts of online electronic contracting and the enforceability of app-based terms and conditions. The decision reinforces the point that for purposes of establishing a binding agreement with a user – particularly in the context of a mobile app – simplicity and clarity of the user interface is desired. And, in particular, this case reinforces the point that has been illustrated in many cases before that the design of user registration pages should be done with the input of legal analysis as to likely enforceability. Continue Reading

LexBlog