A Green Light for Screen Scraping? Proceed With Caution…
UPDATE: As expected, LinkedIn appealed the lower court’s decision to grant a preliminary injunction compelling LinkedIn to disable any technical measures it had employed to block the defendant’s data scraping activities. LinkedIn’s brief was filed on October 3, 2017. In
No blockchain phenomenon has garnered more attention lately than Initial Coin Offerings (“ICOs”), which have exploded in value and raised more than $1.2 billion thus far this year.
In a typical ICO, a blockchain-based product or service provider offers proprietary digital assets (“tokens”) – rather than traditional forms of debt
Even though Washington passed its own biometric privacy law last month (HB 1493), and other states are currently debating their own bills, Illinois’s Biometric Information Privacy Act (BIPA) is still the crux of biometric and facial recognition privacy-related litigation. Such suits have typically involved social media services, video game makers or businesses that collect biometric data to authenticate customers. In a slight twist, on May 11, 2017, a putative class of employees filed suit against Roundy’s Supermarkets alleging violations of BIPA surrounding the collection and retention of employees’ fingerprints – as opposed to using last century’s analog time cards, Roundy’s requires employees to scan their fingers each time they clock “in” and “out” of their work shifts to verify their identities. In the suit, plaintiffs claim that Roundy’s failed to offer notice and obtain written consent prior to capturing employees’ fingerprints, or post a retention policy about how long the company stores the biometric data. (See Baron v. Roundy’s Supermarkets, Inc., No. 17-03588 (N.D. Ill. filed May 11, 2017)).
Screen scraping is a problem that has vexed website owners since the early days of e-commerce – how to make valuable content available to users and customers, but prevent competitors from accessing such content for commercial purposes. Even in the advent of social media, mobile commerce, and advanced software, the issue remains relevant to today’s companies, as evidenced by the craigslist’s victory this past week against an aggregator that had formerly scraped its user postings.
An ongoing dispute from this past winter that we have been watching has raised these long-standing issues anew.
Heritage Auctions, a major auction house that specializes in rare coins, entertainment memorabilia and natural historical items, has brought a multi-count suit against Christie’s, alleging that its competitor scraped millions of proprietary and copyrighted photos and listings from Heritage’s website and reposted them on its own subscriber-only auction site Collectrium. (Heritage Capital Corp. v. Christie’s, Inc., No. 16-03404 (N.D. Tex. filed Dec. 9, 2016)). Plaintiffs claim that Collectrium removed copyright notices from the original listings and photos and ported the data onto its own site, thereby saving significant costs from producing similar listings or paying licensing fees and allegedly causing harm to Heritage in additional IT-related costs and diverted or lost business.
The blockchain or “distributed ledger network” was originally conceived as the peer-to-peer technology platform that allows for the transfer of Bitcoin without the need for a trusted intermediary. However, the blockchain protocol is being implemented across many industries and in many applications beyond digital currencies. Of course, there are questions about the enforceability of blockchain-based transactions and related, self-executing “smart contracts.”
Late last month, Arizona Governor Doug Ducey signed HB 2417 into law. This law clarifies some of the enforceability issues associated with the use of blockchain and smart contracts under Arizona law, in particular with respect to transactions relating to the sale of goods, leases, and documents of title governed respectively under UCC Articles 2, 2A and 7.
For years, craigslist has aggressively used technological and legal methods to prevent unauthorized parties from violating its terms of use by scraping, linking to or accessing user postings for their own commercial purposes. In its latest judicial victory, on April 13, 2017, craigslist obtained a $60.5 million judgment against Radpad on various claims relating to harvesting content from craigslist’s site and sending unsolicited commercial emails to craigslist users. (Craigslist, Inc. v. RadPad, Inc., No. 16-01856 (N.D. Cal. Apr. 13, 2017)).
The blockchain protocol (a form of a ‘distributed ledger system’) was originally designed as a platform to process Bitcoin transactions. The protocol enables peer-to-peer transactions and eliminates the need for a trusted intermediary to verify and process the transactions.
The blockchain protocol as a platform is actually independent of Bitcoin, and is therefore transferable to other applications. Naturally, because blockchain was conceived of as supporting a specific digital payment system, the initial and most obvious use of the blockchain outside of Bitcoin is “fintech” – technology-based payment and financial transaction systems. The goal of recent experimentation and development in fintech is to reduce inefficiencies in the existing payments, clearance and settlement systems. Conceivably, many of these functions could be conducted through a “smart contract” – a completely automated process, executed via a software application that runs “on chain.” In pursuit of these goals, many in the financial services area have made significant investments in research, development, and pilot programs, in many cases through coalitions or in partnership with large technology companies as well as with blockchain-focused startup companies.
Beyond fintech, however, blockchain offers many other opportunities. The digital values that are tracked and processed through a blockchain implementation can represent any other type of information or assets. This capability has evoked the early development of new applications and technological developments involving many industries beyond financial services.
Update: On March 9, 2017, Google filed a motion requesting the court certify an interlocutory appeal. In particular, Google contends that the following question satisfies the statutory criteria: whether the term “biometric identifier,” as defined in Illinois Biometric Privacy Act, includes information derived from photographs.
We’ve closely followed the numerous biometric privacy disputes and legislative developments surrounding the Illinois Biometric Information Privacy Act (BIPA), which precludes the unauthorized collection and storing of some types of biometric data. In the latest ruling, an Illinois district court refused to dismiss a putative class action alleging that the cloud-based Google Photos service violated BIPA by automatically uploading plaintiffs’ mobile photos and allegedly scanning them to create unique face templates (or “faceprints”) for subsequent photo-tagging without consent. (Rivera v. Google, Inc., No. 16-02714 (N.D. Ill. Feb. 27, 2017)).
This is the third instance where a district court refused, at an early stage of a litigation, to dismiss BIPA claims relating to the online collection of facial templates for photo-tagging purposes. Unlike those prior courts’ relatively cursory interpretations, however, the Rivera court’s expansive 30-page opinion is the deepest dive yet into the statutory scheme (and purported vagaries) of the Illinois statute. The decision is the latest must-read for mobile or online services that collect and store biometric data from users as to what extent their activities might fall under the Illinois biometric privacy statute. It may well turn out that the plaintiffs’ claims in Rivera (as well as the ongoing biometric privacy litigation going on in California) may prove unsuccessful on procedural or statutory grounds, yet, these initial takes on the scope of BIPA stress the importance of examining current practices and rollouts of new services that feature biometrics.
We’ve written extensively about the numerous lawsuits, dismissals and settlements surrounding the Illinois Biometric Information Privacy Act (BIPA). The statute, generally speaking, prohibits an entity from collecting, capturing, purchasing, or otherwise obtaining a person’s “biometric identifier” or “biometric information,” unless it satisfies certain notice and consent and data retention requirements. The statute contains defined terms and limitations, and parties in ongoing suits are currently litigating what “biometric identifiers” and “biometric information” mean under the statute and whether the collection of facial templates from uploaded photographs using sophisticated facial recognition technology fits within the ambit of the statute. Moreover, in two instances in the past six months, a district court has dismissed a lawsuit alleging procedural and technical violations of the Illinois biometric privacy statute for lack of Article III standing.
Thus, the epicenter of biometric privacy compliance and litigation has been the Illinois statute. A Texas biometric statute offers similar protections, but does not contain a private right of action.
The biometrics landscape may be about to get more complicated. An amendment has been proposed to the Illinois biometric privacy, and a number of biometric privacy bills mostly resembling BIPA have been introduced in other state legislatures. While most of the new proposed statutes are roughly consistent with the Illinois statute, as noted below, the Washington state proposal is, in many ways, very different. If any or all of these bills are enacted, they will further shape and define the legal landscape for biometrics.
For the second time in the past six months, a district court has dismissed a lawsuit alleging procedural and technical violations of the Illinois biometric privacy statute for lack of Article III standing. In Vigil v. Take-Two Interactive Software, Inc., No. 15-8211 (S.D.N.Y. Jan. 27, 2017), the court dismissed Illinois biometric privacy claims against a videogame maker related to a feature in the NBA 2K videogame series that allows users to scan their faces and create a personalized virtual avatar for in-game play. In a lengthy opinion, the New York court provided Take-Two with a resounding victory when it ruled that procedural violations of the notice and consent provisions of the Illinois biometric privacy statute are not in-of-themselves sufficient to confer standing.
Biometric technology such as facial recognition, iris scans, or fingerprint authentication is being used and further developed to improve the security of financial and other sensitive transactions. At the same time, social media sites, mobile apps, videogame developers and others are employing biometrics for other cutting edge uses to improve services. The current Vigil ruling is particularly important, however, as it may buoy companies that collect biometric data under reasonable notice and usage policies, as they hope that the approval applied in Vigil is affirmed, if appealed, and followed in other jurisdictions.