Facebook Brings Suit against Developers of a Browser Extension That Harvested User Data

In continuing its efforts to enforce its terms and policies against developers that engage in unauthorized scraping of user data, this week Facebook brought suit against two marketing analytics firms, BrandTotal Ltd (“BrandTotal”) and Unimania, Inc. (“Unimania”) (collectively, the “Defendants”) (Facebook, Inc. v. BrandTotal Ltd., No. 20Civ04246 (Cal. Super. Ct., San Mateo Cty Filed Oct. 1, 2020)). Facebook alleges that the defendants developed and distributed malicious Chrome browser extensions that were essentially designed to scrape users’ data from various social media platforms (including Facebook and Instagram), all in contravention of Facebook and Instagram’s terms of service and commercial terms.

According to the Complaint, the defendants coaxed users to install their UpVoice and Ads Feed extensions by, among other things, offering gift cards in exchange for downloading and suggesting that users would become “panelists” impacting marketing strategies of large companies. Facebook further claims that defendant BrandTotal deceived visitors to its website into believing Facebook and other social media services were working with BrandTotal by identifying Facebook and the other companies as “participating sites,” when in fact Facebook never authorized the defendants to scrape user data. In fact, Facebook alleges that once installed, the browser extensions harvested, without Facebook’s authorization, the users’ profile information, user advertisement interest information and various public and nonpublic ad metrics when the users visited Facebook, Instagram or various other social sites (all despite users’ account privacy settings). As laid out in the Complaint, the defendants’ extensions were programmed to send commands to Facebook and Instagram servers appearing to originate from the user, not the defendants, and then scrape the data and transmit it back to the user, and then onto the defendants’ own servers. The data collected by defendants was then presumably used to provide “marketing intelligence” services about users and advertisers.

Facebook states that it undertook various technical measures against the defendants in September 2020, including disabling the defendants’ Facebook and Instagram accounts and pages, as well as asking Google to remove the extensions from the Chrome Store. And this week, Facebook filed suit against the defendants, advancing claims for breach of contract and unjust enrichment and requesting monetary damages and injunctive relief barring defendants from accessing and using Facebook’s services or developing browser extensions that access Facebook without authorization. It does not appear that the defendants have filed an answer to the state court action or otherwise responded to the suit by posting a statement on the BrandTotal website.

Beyond the issues discussed above, the instant dispute should also resonate with any entity that acquires anonymized social media analytics from third party vendors. As we’ve previously stated – and regardless of the outcome of this dispute – it is important for downstream recipients of aggregated web or user data or reports processing such data to understand how such data is collected and whether such collection comports with applicable law or contractual requirements.

Tags: breach of contract, browser extensions, data harvesting, platform terms and conditions, screen scraping, web scraping

DOJ Submits CDA Reform Proposal to Congress to Curtail Protections for Online Platforms

By Jeffrey Neuburger on October 1, 2020 Posted in Internet, Legislation, Online Commerce, Online Content, Social Media

Section 230 of the Communications Decency Act, 47 U.S.C. §230 (“Section 230” or the “CDA”), enacted in 1996, is generally viewed as the most important statute supporting the growth of Internet commerce. The key provision of the CDA, Section 230(c)(1)(a), only 26 words long, simply states: “No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.” This one sentence has been the source of bedrock service provider immunity for third party content made available through a provider’s infrastructure, thus enabling the growth of a vigorous online ecosystem. Without such immunity, providers would have to face what the Ninth Circuit once termed, “death by ten thousand duck-bites,” in having to fend off claims that they promoted or tacitly assented to objectionable third party content.

The brevity of this provision of the CDA is deceptive, however. The CDA – and the immunity it conveys – is controversial, and those 26 words have been the subject of hundreds, if not thousands, of litigations. Critics of the CDA point to the proliferation of hate speech, revenge porn, defamatory material, disinformation and other objectionable content – in many cases, the sites hosting such third party content (knowingly or unknowingly) are protected by the broad scope of the CDA. Other objections are merely based on unhappiness about the content of the speech, albeit in many cases true, such as comments that are critical of individuals, their businesses or their interests. Litigants upset about such content have sought various CDA workarounds over the past two decades in a mostly unsuccessful attempt to bypass the immunity and reach the underlying service providers.

The back-and-forth debate around the scope and effects of the CDA and the broad discretion afforded online providers regarding content hosting and moderation decisions is not new. However, it was brought into a new focus when the President, vexed at the way some of his more controversial posts were being treated by certain social media platforms, issued a May 20, 2020 Executive Order for the purpose of curtailing legal protections for online providers. The goal was to remedy what the White House believed was the online platforms’ “deceptive or pretextual actions stifling free and open debate by censoring certain viewpoints.”

The Executive Order – which is currently being challenged in court as unconstitutional – directed several federal agencies to undertake certain legislative and regulatory efforts toward CDA reform. Consequently, in June 2020 the DOJ stated “that the time is ripe to realign the scope of Section 230 with the realities of the modern internet” and released a 28-page document with its preliminary recommendations for reform of Section 230. A month later, the Commerce Department submitted a petition requesting that the FCC write rules to limit the scope of CDA immunity and place potentially additional compliance requirements on many providers that host third party content. Then, on September 23, 2020, the DOJ announced that it had sent its legislative proposal for amending the CDA to Congress. The DOJ, in its cover letter to Congress, summed up the need for reform: “The proposed legislation accordingly seeks to align the scope of Section 230 immunities with the realities of the modern internet while ensuring that the internet remains a place for free and vibrant discussion.” Continue Reading

Tags: CDA immunity, CDA reform, CDA Section 230, DOJ Proposal, information content provider, online platforms, regulation of online content, third party content

Thoughtful Presentations of Terms of Use Crucial for Enforceability

By Jeffrey Neuburger on September 14, 2020 Posted in Contracts, Internet, Mobile, Online Commerce

Many online services feature comprehensive terms of use intended to protect their business from various types of risks. While it is often the case that a great deal of thought goes into the creation of those terms, frequently less attention is paid to how those terms are actually presented to users of the service. As case law continues to demonstrate, certain mobile and website presentations will be held to be enforceable, others will not. Courts continue to indicate that enforceability of terms accessible by hyperlink depends on the totality of the circumstances, namely the clarity and conspicuousness of the relevant interface (both web and mobile) presenting the terms to the user. In a prior post about electronic contracting this year, we outlined, among other things, the danger of having a cluttered registration screen. In this post, we will spotlight five recent rulings from the past few months where courts blessed the mobile contracting processes of e-commerce companies, as well as one case which demonstrates the danger of using a pre-checked box to indicate assent to online terms.

The moral of these stories is clear – the presentation of online terms is essential to enhancing the likelihood that they will be enforced, if need be. Thus, the design of the registration or sign-up page is not just an issue for the marketing, design and technical teams – the legal team must focus on how a court would likely view a registration interface, including pointing out the little things that can make a big difference in enforceability. A failure to present the terms properly could result in the most carefully drafted terms of service ultimately having no impact on the business at all. Continue Reading

Tags: arbitration, conspicuous terms, consumer assent, Electronic Contracting, enforceability, online agreements, presentation of terms, terms of use

Financial Data Aggregator Faces Consumer Privacy Suit over “Surreptitious” Collection of Banking Information

By Jeffrey Neuburger on August 31, 2020 Posted in Mobile, Online Commerce, Privacy

Last week, a putative privacy-related class action was filed in California district court against financial analytics firm Envestnet, Inc. (“Envestnet”), which operates Yodlee, Inc. (“Yodlee”). (Wesch v. Yodlee Inc., No. 20-05991 (N.D. Cal. filed Aug. 25, 2020)). According to the complaint, Yodlee is one of the largest financial data aggregators in the world and through its software platforms, which are built into various fintech products offered by financial institutions, it aggregates financial data such as bank balances and credit card transaction histories from individuals in the United States. The crux of the suit is that Yodlee collects and then sells access to such anonymized financial data without meaningful notice to consumers, and stores or transmits such data without adequate security, all in violation of California and federal privacy laws.

The timing of this case is interesting, as it comes on the heels of the recent settlement of the litigation the between the City Attorney of Los Angeles and the operator of a weather app over claims that locational information collected through the weather app was being sold to third parties without adequate permission from the user of the app. Continue Reading

Tags: anonymized data, big data, consumer consent, consumer financial data, data collection, financial data analytics, fintech apps

Eclipsed by Evolving Law, Policy and Technology, Seminal Mobile Location Data Case Settled

By Jeffrey Neuburger on August 18, 2020 Posted in Contracts, Mobile, Privacy

This past week, the operator of the popular Weather Channel (“TWC”) mobile phone app entered into a Stipulation of Settlement with the Los Angeles City Attorney, Mike Feuer (“City Attorney”), closing the books on one of the first litigations to focus on the collection of locational data through mobile phones. (People v. TWC Product and Technology, LLC, No. 19STCV00605 (Cal. Super., L.A. Cty, Stipulation Aug. 14, 2020)). While the settlement appears to allow TWC to continue to use locational information for app-related services and to serve advertising (as long the app includes some agreed-upon notices and screen prompts to consumers), what is glaringly absent from the settlement is a discussion of sharing locational information with third parties for purposes other than serving advertising or performing services in the app. Because applicable law, industry practice and the policies of Apple and Google themselves have narrowed the ability to share locational information for such purposes, the allegations of the case were, in a sense, subsumed in the tsunami of attention that locational information sharing has attracted. While some are viewing this settlement as a roadmap for locational information collection and sharing, in fact the settlement is quite narrow. Continue Reading

Tags: anonymized data, CCPA, location data, location privacy, mobile geolocation data, mobile permission prompts, mobile privacy, settlement

Commerce Dept. Petitions FCC to Issue Rules Clarifying CDA Section 230

By Jeffrey Neuburger on July 30, 2020 Posted in Internet, Online Commerce, Online Content, Regulatory, Social Media

The currents around the Communications Decency Act just got a little more turbulent as the White House and executive branch try to reel in the big fish of CDA reform.

On July 27, 2020, the Commerce Department submitted a petition requesting the FCC initiate a rulemaking to clarify the provisions of Section 230 of the Communications Decency Act (CDA). Unrelated, but part of the same fervor in Washington to “rein in social media,” the leaders of the major technology companies appeared before the House Judiciary Antitrust Subcommittee at a hearing yesterday, July 29, 2020, to discuss the Committee’s ongoing investigation of competition in the digital marketplace, where some members inquired about content moderation practices. Moreover, last month, a pair of Senators introduced the PACT Act, a targeted (but still substantial) update to the CDA (and other CDA reform bills are also being debated, including a bill to carve out sexually exploitative material involving children from the CDA`s reach). Continue Reading

Tags: CDA immunity, CDA reform, Commerce Department, executive order, FCC rulemaking, free speech, Good Samaritan immunity, online platforms, petition, terms of service

hiQ Files Opposition Brief with Supreme Court in LinkedIn CFAA Data Scraping Dispute

By Jeffrey Neuburger on June 29, 2020 Posted in Computer Fraud and Abuse Act, Online Content, Screen Scraping, Social Media

Last week, hiQ Labs, Inc. (“hiQ”) filed its brief urging the Supreme Court to deny LinkedIn Corp.’s (“LinkedIn”) petition for a writ of certiorari in the Ninth Circuit’s blockbuster ruling in hiQ Labs, Inc. v. LinkedIn Corp., 938 F.3d 985 (9th Cir. 2019). The principal issue in the case concerns the scope of Computer Fraud and Abuse Act (CFAA) liability associated with web scraping of publicly available social media profile data. In the prior ruling, the appeals court affirmed the lower court’s order granting a preliminary injunction barring LinkedIn from blocking hiQ from accessing and scraping publicly available LinkedIn member profiles. Most notably, the Ninth Circuit held that hiQ had shown a likelihood of success on the merits in its claim that when a computer network generally permits public access to its data, a user’s accessing of that publicly available data will not constitute access “without authorization” under the CFAA. Considering the decision wrongly decided, LinkedIn filed its petition requesting Supreme Court review in March 2020. In it, LinkedIn declared that the hiQ decision was “unprecedented” and “denied operators of public-facing websites a critical means of protecting user data from unauthorized third-party scrapers.”

hiQ initially signaled its intent not to file any opposition, but the Court requested a response in April 2020.

In its opposition, hiQ framed the issue as:

“Whether a professional networking website may rely on the Computer Fraud and Abuse Act’s prohibition on ‘intentionally access[ing] a computer without authorization’ to prevent a competitor from accessing information that the website’s users have shared on their public profiles and that is available for viewing by anyone with a web browser.”

Tags: CFAA, data scraping, hiQ case, opposition brief, PUBLIC SOCIAL MEDIA DATA, publicly available website data, Supreme Court petition, unauthrorized access

The Communication Decency Act and the DOJ’s Proposed Solution: No Easy Answers

By Jeffrey Neuburger on June 19, 2020 Posted in Internet, Online Content, Social Media

Section 230 of the Communications Decency Act (“CDA”), 47 U.S.C. §230, enacted in 1996, is often cited as the most important law supporting the Internet, e-commerce and the online economy. Yet, it continues to be subject to intense criticism, including from politicians from both sides of the aisle. Many argue that the CDA has been applied in situations far beyond the original intent of Congress when the statue was enacted. Critics point to the role the CDA has played in protecting purveyors of hate speech, revenge porn, defamation, disinformation and other objectionable content.

Critics of the CDA raise valid concerns. But what is the right way to address them? One must remember that for organizations that operate websites, mobile apps, social media networks, corporate networks and other online services, the CDA’s protections are extremely important. Many of those businesses could be impaired if they were subject to liability (or the threat of liability) for objectionable third party content residing on their systems.

The criticism surrounding the CDA hit a fever pitch on May 28, 2020 when the President weighed in on the issue by signing an Executive Order attempting to curtail legal protections under Section 230. While the Executive Order was roundly labelled as political theater – and is currently being challenged in court as unconstitutional – it notably directed the Justice Department to submit draft proposed legislation (i.e., a CDA reform bill) to accomplish the policy objectives of the Order. This week, on June 17, 2020, the DOJ announced “that the time is ripe to realign the scope of Section 230 with the realities of the modern internet” and released a document with its recommendations for legislative reform of Section 230. This is on the heels of a recent initiative by several GOP lawmakers to introduce their own version of a reform bill. Continue Reading

Tags: CDA immunity, CDA reform, CDA Section 230, DOJ recommendations, online platforms, regulation of online content, third party content

Wholesale Scraping of “Public” Data May Be Trade Secret Misappropriation

By Jeffrey Neuburger on June 17, 2020 Posted in Licensing, Online Content, Screen Scraping, Software, Trade Secrets

In what could be prove to be an important decision within the context of scraping of “public” data, in a recent case the Eleventh Circuit reversed a lower court’s dismissal of trade secret claims relating to the scraping of insurance quotes. (Compulife Software, Inc. v. Newman, No. 18-12004 (11th Cir. May 20, 2020)). The appellate court agreed with the lower court that while Compulife’s insurance quote database was a trade secret, manually accessing life insurance quote information from the plaintiff’s publicly web-accessible database would generally not constitute the improper acquisition of trade secret information. However, the court disagreed with the lower court in finding that the use of automated techniques to scrape large portions of the database could constitute “improper means” under state trade secret law. In reversing the lower court’s dismissal of the trade secret claims, the appeals court stressed that “the simple fact that the quotes taken were publicly available does not automatically resolve the question in the defendants’ favor.” Even though there was no definitive ruling in the case – as the appeals court remanded the case for further proceedings – it is certainly one to watch, as there are very few cases where trade secrets claims are plead following instances of data scraping.

Tags: improper means, misappropriation, online database, public data, publicly available website data, trade secret claim, web scraping

President Signs Executive Order Directing Agencies to Probe the Contours of CDA Immunity

By Jeffrey Neuburger on May 28, 2020 Posted in Online Content, Regulatory, Social Media

President Trump signed an Executive Order today attempting to curtail legal protections under Section 230 of the Communications Decency Act (“Section 230” or the “CDA”). The Executive Order strives to clarify that Section 230 immunity “should not extend beyond its text and purpose to provide protection for those who purport to provide users a forum for free and open speech, but in reality use their power over a vital means of communication to engage in deceptive or pretextual actions stifling free and open debate by censoring certain viewpoints.”

Section 230 protects online providers in many respects concerning the hosting of user-generated content and bars the imposition of distributor or publisher liability against a provider for the exercise of its editorial and self-regulatory functions with respect to such user content. In response to certain moderation efforts toward the President’s own social media posts this week, the Executive Order seeks to remedy what the President claims is the social media platforms’ “selective censorship” of user content and the “flagging” of content that does not violate a provider’s terms of service.

The Executive Order does a number of things. It first directs:

The Commerce Department to file a petition for rulemaking with the FCC to clarify certain aspect of CDA immunity for online providers, namely Good Samaritan immunity under 47 U.S.C. §230(c)(2). Good Samaritan immunity provides that an interactive computer service provider may not be made liable “on account of” its decision in “good faith” to restrict access to content that it considers to be “obscene, lewd, lascivious, filthy, excessively violent, harassing or otherwise objectionable.”
- The provision essentially gives providers leeway to screen out or remove objectionable content in good faith from their platforms without fear of liability. Courts have generally held that the section does not require that the material actually be objectionable; rather, the CDA affords protection for blocking material that the provider or user considers to be “objectionable.” However, Section 230(c)(2)(A) requires that providers act in “good faith” in screening objectionable content.
- The Executive Order states that this provision should not be “distorted” to protect providers that engage in “deceptive or pretextual actions (often contrary to their stated terms of service) to stifle viewpoints with which they disagree.” The order asks the FCC to clarify “the conditions under which an action restricting access to or availability of material is not ‘taken in good faith’” within the meaning of the CDA, specifically when such decisions are inconsistent with a provider’s terms of service or taken without adequate notice to the user.
- Interestingly, the Order also directs the FCC to clarify if there are any circumstances where a provider that screens out content under the CDA’s Good Samaritan protection but fails to meet the statutory requirements should still be able to claim protection under CDA Section 230(c)(1) for “publisher” immunity (as, according to the Order, such decisions would be the provider’s own “editorial” decisions).
- To be sure, courts in recent years have dismissed claims against services for terminating user accounts or screening out content that violates content policies using the more familiar Section 230(c)(1) publisher immunity, stating repeatedly that decisions to terminate an account (or not publish user content) are publisher decisions, and are protected under the CDA. It appears that the Executive Order is suggesting that years of federal court precedent – from the landmark 1997 Zeran case until today – that have espoused broad immunity under the CDA for providers’ “traditional editorial functions” regarding third party content (which include the decision whether to publish, withdraw, postpone or alter content provided by another) were perhaps decided in error.

Tags: CDA immunity, CDA reform, executive order, free speech, FTC enforcement, Good Samaritan immunity, online platforms, terms of service