New Media and Technology Law Blog

Federal Omnibus Spending Bill Includes CLOUD Act – Outlines Obligations of Providers to Turn over Electronic Communications Stored Overseas and Procedures to Quash for Comity Purposes

In the flurry of deal-making that resulted in a 2,232-page funding bill released Wednesday, lawmakers negotiated the inclusion of “The Clarifying Lawful Overseas Use of Data Act” (often referred to as the “CLOUD Act”) (see page 2,201 of the bill text).  The CLOUD Act provides a procedural structure for law enforcement to pursue the preservation or production of data and other information residing on servers located overseas that is within the possession, custody or control of the provider.

In this age of cloud computing, data can rest overseas or in multiple locations. As we’ve previously discussed, it is increasingly common to see extraterritorial legal disputes arise when parties attempt to apply laws passed before the digital age to our current landscape.

In some cases, a provider that is storing the data of a foreign subject on servers overseas may be under conflicting legal obligations (e.g., the U.S. Government or a foreign law enforcement agency may request disclosure of electronic communications or emails stored in the cloud, but disclosure of such electronic data without certain due process may be prohibited by foreign law).  While international agreements, such as mutual legal assistance treaties (MLATs) may provide a mechanism for the U.S. to obtain information overseas with certain nations, law enforcement agencies have bemoaned that such procedures can be burdensome in a time-sensitive investigation.  In balancing the interests of law enforcement with those of the providers, the CLOUD Act offers a mechanism for providers to bring a motion to quash requests for disclosure of a foreign individual’s communications, requiring a court to conduct a comity analysis to determine if based on the totality of the circumstances, the request would place the technology provider in violation of foreign law and the interests of justice dictates that the legal request for data should be modified or quashed.  The language of the bill also provides a framework for negotiating reciprocal treaties to request foreign-stored digital data.

If the CLOUD Act is passed, as appears to be imminent, one immediate question will be the impact (if any) on a case currently before the Supreme Court that concerns whether a U.S. provider of email services must comply with a probable cause-based warrant issued under the Stored Communications Act by disclosing electronic communications within its control, even if the data at issue was stored abroad. During oral argument, at least one justice noted that perhaps the most ideal solution to this thorny issue is a bipartisan legislative solution.

While the CLOUD Act has its supporters and detractors, it appears Congress attempted to create a solution that tries to balance the needs of law enforcement and the legal interests of technology providers (and the privacy interests of their users).  Moreover, as U.S. cloud computing providers operate around the world, the bill also assuages their concerns that a lack of legal protections over disclosure of user data to law enforcement might alienate foreign customers.

New York Court Rebuffs Ninth Circuit’s Copyright “Server Test,” Finds Embedded Tweet Displaying Copyrighted Image to Be Infringement

UPDATE: On March 19, 2018, the district court granted the defendant’s motion for certification of the court’s February 15th partial summary judgment decision for interlocutory appeal to the Second Circuit.  In allowing immediate appeal, the court agreed that its prior order “has created tremendous uncertainty for online publishers” and “given the frequency with which embedded images are ‘retweeted,’ the resolution of this legal question has an impact beyond this case.”  We will closely follow the appeal of this important copyright issue.

A New York district court recently held that a host of online news publishers and media websites that embedded certain tweets (containing unauthorized uploads of plaintiff’s copyrighted photo) on their websites violated the plaintiff’s exclusive display right, despite the fact that the image at issue was hosted on a server owned and operated by an unrelated third party (i.e., Twitter).  (See Goldman v. Breitbart News Network, LLC, No. 17-03144 (S.D.N.Y. Feb. 15, 2018)).  In doing so, the court declined to adopt the Ninth Circuit’s so-called “server test” first espoused in the 2007 Perfect 10 decision, which held that the infringement of the public display right in a photographic image depends, in part, on where the image was hosted.

Under the “server test,” only a server that actually stored the photographs and “serves that electronic information directly to the user (`i.e., physically sending ones and zeroes over the Internet to the user’s browser’) could infringe the copyright holder’s rights.” In its ruling, the Goldman court granted the plaintiff’s motion for partial summary judgment, and determined that the reasoning of the Perfect 10 decision, which applied to a search engine’s image search function and display of full-size images hosted on third-party servers to a user, was not applicable to the embedding practices the media sites engaged in.  Continue Reading

California Court Declines to Dismiss Illinois Facial Recognition/Biometric Privacy Suit against Facebook on Standing Grounds

UPDATE: On March 2, 2018, in a related biometric privacy litigation surrounding Tag Suggestions brought by non-users of Facebook, a California district court in a brief order declined to dismiss the action for lack of standing, citing its reasoning in the Patel opinion.  (Gullen v. Facebook, Inc., No. 16-00937 (N.D. Cal. Mar. 2, 2018)). While Facebook offered evidence that it does not store faceprint data on non-users, but only analyzes it to see if there is a match, the court stated such substantive arguments are best left for summary judgment or trial.  Note: the Gullen case is related to the consolidated Facebook biometric privacy litigation and as such, is being heard before the same judge. The difference between the two actions is that Gullen involves non-Facebook users, whereas the plaintiffs in In re Facebook are registered users.

This past week, a California district court again declined Facebook’s motion to dismiss an ongoing litigation involving claims under the Illinois Biometric Information Privacy Act, 740 Ill. Comp Stat. 14/1 (“BIPA”), surrounding Tag Suggestions, its facial recognition-based system of photo tagging.  In 2016, the court declined to dismiss the action based upon, among other things, Facebook’s contention that BIPA categorically excludes digital photographs from its scope.  This time around, the court declined to dismiss the plaintiffs’ complaint for lack of standing under the Supreme Court’s 2016 Spokeo decision on the ground that plaintiffs have failed to allege a concrete injury in fact.  (Patel v. Facebook, Inc., No. 15-03747 (N.D. Cal. Feb. 26, 2018) (cases consolidated at In re Facebook Biometric Information Privacy Litig., No. 15-03747 (N.D. Cal.)).  As a result, Facebook will be forced to continue to litigate this action.

This dispute is being closely watched as there are a number of similar pending BIPA suits relating to biometrics and facial recognition  and other defendants are looking at which of Facebook’s defenses might hold sway with a court.  Continue Reading

Data Aggregator Seeks Ruling Allowing It to Scrape Public LinkedIn Data

UPDATE:  On February 22, 2018, the district court granted 3taps’s motion to relate its action to the ongoing hiQ v. LinkedIn litigation. This motion was based upon a local Northern District of California rule that holds that cases should be related when the actions concern substantially the same parties, transaction or event, and there would be an “unduly burdensome duplication of labor…or conflicting results” if the cases were heard before different judges.  As a result, the 3taps case, over the opposition of LinkedIn, was reassigned to Judge Edward Chen, who also presided over the lower court proceedings in the hiQ v. LinkedIn litigation.

In the latest development in the legal controversy over scraping, 3taps, Inc. (“3taps”), a data aggregator and “exchange platform” for developers, filed suit against LinkedIn seeking a declaratory judgment that 3taps would not be in violation of the Computer Fraud and Abuse Act (CFAA) if it accesses and collects publicly-available data from LinkedIn’s website. (3Taps Inc. v. LinkedIn Corp., No. 18-00855 (C.D. Cal. filed Feb. 8, 2018)).  The basis of 3Taps’s complaint is last year’s hotly-debated California district court ruling (hiQ Labs, Inc. v. LinkedIn, Corp., 2017 WL 3473663 (N.D. Cal. Aug. 14, 2017)), where the court granted a preliminary injunction compelling LinkedIn to disable any technical measures it had employed to block a data analytics company from scraping the publicly available data on LinkedIn’s website. The hiQ ruling essentially limited the applicability of the CFAA as a tool against the scraping of publicly-available website data.  [For an analysis of the hiQ lower court decision, please read the Client Alert on our website]. Continue Reading

CFAA “Unauthorized Access” Web Scraping Claim against Ticket Broker Dismissed Because Revocation of Access Not Expressed in Cease and Desist Letter

A California district court issued an important opinion in a dispute between a ticket sales platform and a ticket broker that employed automated bots to purchase tickets in bulk. (Ticketmaster L.L.C. v. Prestige Entertainment, Inc., No. 17-07232 (C.D. Cal. Jan. 31, 2018)). For those of us who have been following the evolution of the law around the use of automation to scrape websites, this case is interesting. The decision interprets some of the major Ninth Circuit decisions of recent memory on liability for web scraping.  Indeed, two weeks ago, we wrote about a case in which the Ninth Circuit interpreted certain automated downloading practices under the CFAA and CDAFA. Also, we wrote about and are awaiting the decision in the hiQ v. LinkedIn appeal before the Ninth Circuit. Also prior posts on the topic include a discussion of a noteworthy appeals court opinion that examined scraping activity under copyright law and the scope of liability under the DMCA anticircumvention provisions.  These seminal decisions and the issues they raise were expressly or implicitly addressed in the instant case. While we will briefly review some of the highlights of this decision below, the case is a must-read for website operators and entities that engage in web scraping activities. Continue Reading

Will Facebook’s Recent Announcement of Changes to News Feed Affect Legal Immunities for User Content?

Facebook recently announced that it would make changes to its news feed to prioritize content that users share and discuss and material from “reputable publishers.”  These changes are part of what Mark Zuckerberg says is a refocusing of Facebook from “helping [users] find relevant content to helping [users] have more meaningful social interactions.”  This refocus highlights the tensions between Facebook’s conflicting roles as a social media platform on one hand, and, in effect, a distributor of third party content on the other.  We have discussed this issue in previous posts.

As Facebook implements these newly-announced changes in the way third party content will be presented — focusing on “trusted content” — the operational  models powering Facebook’s use of third party content (user generated and otherwise) will also evolve.  Lawyers should keep an eye on what the changes might mean for Facebook from a liability perspective.   For example, will Facebook’s direct or indirect control of third party content impact its immunity from publisher and distributor liability under Section 230 of the Communication Decency Act? Or, rather will changes to its algorithm to prioritize trusted content still be deemed to be quintessential publisher conduct, and therefore within the scope of Section 230?  Also, to the extent that Facebook directly or indirectly curates third party content, could it possibly lose the benefits afforded by the safe harbors of the Digital Millennium Copyright Act?

Given the fact that the immunities and safe harbors for online service providers are so crucial for the business model of social media platforms such as Facebook, one can be sure that counsel to Facebook will highlight any changes that may call into question the availability of those immunities and safe harbors.  All the same, you can be sure that a creative plaintiff’s lawyer may attempt to use any change where Facebook is somehow more engaged in the curation, display or distribution of third party content to pierce through the CDA/DMCA armor to hold Facebook responsible for allegedly problematic third party content.

Ninth Circuit Issues Important Decision on Software Licensing Practices and Web Scraping

Earlier this month, the Ninth Circuit issued a noteworthy ruling in a dispute between an enterprise software licensor and a third-party support provider.  The case is particularly important as it addresses the common practice of using automated means to download information (in this case, software) from websites in contravention of website terms and conditions.  Also, the case examines and interprets fairly “standard” software licensing language in light of evolving business practices in the software industry. (Oracle USA, Inc. v. Rimini Street, Inc., No. 16-16832 (9th Cir. Jan. 8, 2018)). Continue Reading

Canadian Court Asserts Jurisdiction over Craigslist Based on Cloud-Based Virtual Presence in Canada

A Canadian appellate court ruled that a lower court had jurisdictional authority to issue a production order to craigslist based upon its virtual (but not physical) presence in British Columbia. The production order requested that Craigslist produce to Canadian officials documents relating to a user post in connection with a criminal investigation. (British Columbia (Attorney General) v. Brecknell, 2018 BCCA 5 (Jan. 9, 2018)).

This decision highlights another situation where a court blurred the distinction between a physical and virtual presence of a corporation that engages in global e-commerce.  Indeed, we had written about an important Canadian decision last year that involved an American company objecting to an order to delist certain search results globally.  With U.S. companies already concerned about the territorial scope of the EU’s GDPR, they also have to address legal risks associated with jurisdiction by a virtual presence north of the border (and possibly other jurisdictions).  Continue Reading

Google Extends Commitments with the FTC over Crawling of Third-Party Content for Use in Own “Vertical” Sites

In a blog post last month, Google announced that it would extend certain commitments it made to the FTC in 2012 that were set to expire relating to, among other things,  the scraping of third-party content for use on certain Google “vertical search” properties such as Google Shopping.  The announcement came days before the commitments were set to expire on December 27th and months after Yelp had claimed that Google was not living up to its promises by allegedly scraping Yelp local business photos for use in certain Google results (e.g., local business listings). Continue Reading

Google App Disables Art-Selfie Biometric Comparison Tool in Illinois and Texas

We have been closely following the legal and legislative developments relating to biometric privacy, and in particular, the flow of litigation under the Illinois biometrics privacy law.   It was interesting to see how the Illinois law (as well as a similar Texas law) influenced Google’s  offering of a new facial recognition feature on the Google Arts & Culture app. (It is also interesting to note that the media coverage of the app has made the Illinois and Texas laws subjects of mainstream discourse.)

The Google Arts & Culture app, which was originally released a couple years ago, offers users virtual tours of museums and a searchable database of other art-related content.  What recently made it one of the hottest free apps is a new entertaining tool that compares a selfie to a database of great works of art and presents the results that most closely match the user’s face.  [Note: My classical art doppelgänger is “Portrait of a Gentleman in Red” by Rosalba Carriera. What’s yours?].  However, out of an apparent abundance of caution, Google has disabled this art-twinning function in Illinois and Texas, presumably because those states have biometric privacy laws that regulate the collection and use of biometric identifiers like facial templates; while the Texas statute can only be enforced by the state attorney general, Illinois’s Biometric Information Privacy Act (BIPA) contains a private right of action and remedies that include statutory damages. Interestingly, Washington users are able to access this tool, despite Washington having enacted its own biometric privacy law last year.  Perhaps that is because, as described in the referenced blog post, compliance under the Washington statute is less demanding than under the Illinois or Texas statutes. Continue Reading