Web 3.0 and the promise of the metaverse has generated excitement about new markets for businesses large and small. But as with any technological frontier, legal uncertainties cause new risks to emerge alongside the opportunities. One area currently full of legal questions is trademark law. We will examine what we
Social Media
Taking Cue from the Supreme Court’s Van Buren Decision, Ninth Circuit Releases New Opinion Holding Scraping of Publicly Available Website Data Falls Outside of CFAA
On remand from the U.S. Supreme Court, the Ninth Circuit earlier this week again affirmed the lower court’s order preliminarily enjoining LinkedIn Corp. (“LinkedIn”) from blocking data analytics company hiQ Labs, Inc.’s (“hiQ”) access to publicly available LinkedIn member profiles. (hiQ Labs, Inc. v. LinkedIn Corp., No. 17-16783 (9th Cir. Apr. 18, 2022)) (“hiQ II”). In what might be considered an emphatic, pro-scraping decision (even more so than its first, now-vacated 2019 decision), the appeals court found that hiQ “raised at least serious questions” that its scraping of public LinkedIn member profile data, even after having had its access revoked and blocked by LinkedIn, is lawful under the federal Computer Fraud and Abuse Act (CFAA).
The panel concluded that the reasoning of last year’s Supreme Court decision in Van Buren v. U.S., which interpreted the “exceeds authorized access” provision of the CFAA, reinforced the Ninth Circuit’s interpretation that the concept of “without authorization” under the CFAA does not apply to public websites. Thus, while the law relating to screen scraping remains unclear in many respects – particularly as scraping technology and the applied uses of public website data continue to evolve – this important new decision by the Ninth Circuit carries the reasoning forward from Van Buren and limits the applicability of the CFAA as a tool against the scraping of publicly available website data.
Last June, following Van Buren and the Supreme Court’s separate ruling vacating and remanding the Ninth Circuit’s prior decision in the hiQ case, we had a few questions about how the appeals court would interpret the CFAA’s “without authorization” provision on remand in light of the so-called “gates up or down” approach to the CFAA espoused by the Supreme Court in Van Buren. In particular, we were waiting to see whether the appeals court would consider a website owner’s technical measures to selectively block a specific entity’s access to public website data as effectively bringing crashing down the “gates” of authorized access (and, with it, potential CFAA liability). The long wait is over and the Ninth Circuit has answered these questions with its pro-scraping, open web interpretation of the CFAA (with respect to public websites). While some additional legal questions remain unanswered in this case, it appears the CFAA “without authorization” issue has been firmly resolved, at least as far as the Ninth Circuit is concerned.
However, though one issue may has been resolved, others remain. As stated in our 2017 Client Alert about the lower court’s hiQ decision, entities engaged in scraping should still tread carefully. As the Ninth Circuit itself says in hiQ II: “Entities that view themselves as victims of data scraping are not without resort, even if the CFAA does not apply.”
Also, of course, this litigation does not involve the also-controversial practice of scraping mobile applications. Because the methodology involved in that type of scraping is significantly different, it is possible that a court could come to a different conclusion with respect to the CFAA in that circumstance.
In the Coming ‘Metaverse’, There May Be Excitement but There Certainly Will Be Legal Issues
The concept of the “metaverse” has garnered much press coverage of late, addressing such topics as the new appetite for metaverse investment opportunities, a recent virtual land boom, or just the promise of it all, where “crypto, gaming and capitalism collide.” The term “metaverse,” which comes from Neal Stephenson’s 1992 science fiction novel “Snow Crash,” is generally used to refer to the development of virtual reality (VR) and augmented reality (AR) technologies, featuring a mashup of massive multiplayer gaming, virtual worlds, virtual workspaces, and remote education to create a decentralized wonderland and collaborative space. The grand concept is that the metaverse will be the next iteration of the mobile internet and a major part of both digital and real life.
Don’t feel like going out tonight in the real world? Why not stay “in” and catch a show or meet people/avatars/smart bots in the metaverse?
As currently conceived, the metaverse, “Web 3.0,” would feature a synchronous environment giving users a seamless experience across different realms, even if such discrete areas of the virtual world are operated by different developers. It would boast its own economy where users and their avatars interact socially and use digital assets based in both virtual and actual reality, a place where commerce would presumably be heavily based in decentralized finance, DeFi. No single company or platform would operate the metaverse, but rather, it would be administered by many entities in a decentralized manner (presumably on some open source metaverse OS) and work across multiple computing platforms. At the outset, the metaverse would look like a virtual world featuring enhanced experiences interfaced via VR headsets, mobile devices, gaming consoles and haptic gear that makes you “feel” virtual things. Later, the contours of the metaverse would be shaped by user preferences, monetary opportunities and incremental innovations by developers building on what came before.
In short, the vision is that multiple companies, developers and creators will come together to create one metaverse (as opposed to proprietary, closed platforms) and have it evolve into an embodied mobile internet, one that is open and interoperable and would include many facets of life (i.e., work, social interactions, entertainment) in one hybrid space.
In order for the metaverse to become a reality – that is, successfully link current gaming and communications platforms with other new technologies into a massive new online destination – many obstacles will have to be overcome, even beyond the hardware, software and integration issues. The legal issues stand out, front and center. Indeed, the concept of the metaverse presents a law school final exam’s worth of legal questions to sort out. Meanwhile, we are still trying to resolve the myriad of legal issues presented by “Web 2.0,” the Internet we know it today. Adding the metaverse to the picture will certainly make things even more complicated.
Another NY Court Repudiates Ninth Circuit “Server Test” in Case over Embedded Video
On July 30, 2021, a New York district court declined to dismiss copyright infringement claims with respect to an online article that included an “embedded” video (i.e., shown via a link to a video hosted on another site). The case involved a video hosted on a social media platform that made embedding available as a function of the platform. The court ruled that the plaintiff-photographer plausibly alleged that the defendants’ “embed” may constitute copyright infringement and violate his display right in the copyrighted video, rejecting the defendants’ argument that embedding is not a “display” when the image at issue remains on a third-party’s server (Nicklen v. Sinclair Broadcast Group, Inc., No. 20-10300 (S.D.N.Y. July 30, 2021)). Notably, this is the second New York court to decline to adopt the Ninth Circuit’s “server test” first adopted in the 2007 Perfect 10 decision, which held that the infringement of the public display right in a photographic image depends, in part, on where the image was hosted. With this being the latest New York court finding the server test inapt for an online infringement case outside of the search engine context (even if other meritorious defenses may exist), website publishers have received another stark reminder to reexamine inline linking practices.
Second Circuit Vacates CDA Decision and Reissues a Narrower Opinion Reaching Same Conclusion, Providing Some Practical CDA Lessons for the Future
Less than one week after issuing an order vacating its own March 2021 opinion in an important Communications Decency Act (“CDA”) case and granting a petition for rehearing, the Second Circuit issued a new opinion reaffirming “protection” under Section 230 of the CDA for video-sharing site Vimeo, Inc. (“Vimeo”) (Domen v. Vimeo, Inc., No. 20-616 (2d Cir. July 21, 2021) (amended opinion)).
It’s not completely clear why the Second Circuit decided to grant a rehearing and amend its original opinion to only reach essentially the same holding. It is possible that given the attention surrounding the CDA, the court thought it best to narrow the language of its original holding so it could insulate its ruling from possible Supreme Court review (recall, Justice Thomas previously issued a statement following denial of certiorari in a prior CDA case, that “in an appropriate case,” the Court should consider whether the text of the CDA “aligns with the current state of immunity enjoyed by Internet platforms”). The Second Circuit’s second decision arguably watered down some of its stronger statements in its earlier opinion enunciating broad CDA immunity (e.g., even swapping out the word “immunity” for “protection” when discussing the CDA). The court even mused in dicta near the end of the opinion about the types of claims that might fall outside of CDA protection, as if to intimate that CDA Section 230 immunity is broad, but not as broad as its detractors suggest.
Yet, despite the narrowing of its original opinion, the court reached the same result under the same reasoning. As in the original (now vacated) opinion from March 2021, the Second Circuit’s amended decision relied on Section 230(c)(2), the Good Samaritan provision, which allows online providers to self-regulate the moderation of third party content in good faith without fear of liability. Unlike the original opinion, in the second go-round the appeals court also knocked out the plaintiff’s claims on the merits, finding allegations of discrimination based on the presence of similar videos uploaded by other users that were left up on the site as “vanishingly thin” (thereby further reducing the chance of Supreme Court review).
Supreme Court Vacates LinkedIn-HiQ Scraping Decision, Remands to Ninth Circuit for Another Look
On June 14, 2021, in a closely-watched dispute involving the Computer Fraud and Abuse Act (CFAA), the Supreme Court granted LinkedIn Corp.’s (“LinkedIn”) petition for certiorari filed in the hiQ web scraping case. It subsequently vacated the Ninth Circuit 2019 opinion and remanded the case to the Ninth Circuit for further consideration in light of the Supreme Court’s decision from earlier this month in Van Buren v. United States, 593 U. S. ___ (June 3, 2021). (LinkedIn Corp. v. hiQ Labs, Inc., No. 19-1116, 593 U.S. ___ (GVR Order June 14, 2021)).
In Van Buren, the Supreme Court reversed an Eleventh Circuit decision and adopted a narrow interpretation of “exceeds unauthorized access” under the CFAA, ruling that an individual “exceeds authorized access” when he or she accesses a computer with authorization but then obtains information located in particular areas of the computer – such as files, folders, or databases – that are off limits to him or her.
The LinkedIn-hiQ dispute involves a different part of the CFAA’s “unauthorized access” section than the Van Buren case. The question in the hiQ dispute concerns the scope of CFAA liability to unwanted web scraping of publicly available social media profile data and whether once data analytics firm hiQ received a cease-and-desist letter from LinkedIn demanding it stop scraping public profiles, any further scraping of such data was “without authorization” within the meaning of the CFAA. In 2017 the lower court issued a preliminary injunction, expressing “serious doubt” as to whether LinkedIn’s revocation of permission to access the public portions of its site rendered hiQ’s access “without authorization” within the meaning of the CFAA. On appeal, in 2019 the Ninth Circuit affirmed, notably ruling that: “It is likely that when a computer network generally permits public access to its data, a user’s accessing that publicly available data will not constitute access without authorization under the CFAA.” In 2020 LinkedIn filed a petition for a writ of certiorari asking the Supreme Court to overturn the Ninth Circuit’s ruling. And now, in the wake of Van Buren, the Supreme Court has vacated the appeals court ruling and sent the case back to the Ninth Circuit for further consideration.
So what’s next? Some thoughts:
Some Interesting CDA Section 230 Developments: A Novel FCRA Victory, a Negligent Design Exception and a Startling New State Law
In the past month, there have been some notable developments surrounding Section 230 of the Communications Decency Act (“CDA” or “Section 230”) beyond the ongoing debate in Congress over the potential for legislative reform. These include a novel application of CDA in a FCRA online privacy case (Henderson v. The Source for Public Data, No. 20-294 (E.D. Va. May 19, 2021)) and the denial of CDA immunity in another case involving an alleged design defect in a social media app (Lemmon v. Snap Inc., No. 20-55295 (9th Cir. May 4, 2021), as well as the uncertainties surrounding a new Florida law that attempts to regulate content moderation decisions and user policies of large online platforms.
The President Revokes Prior Administration’s Executive Order on CDA Section 230
On May 14, 2021, President Biden issued an executive order revoking, among other things, his predecessor’s action (Executive Order 13295 of May 28, 2020) that directed the executive branch to clarify certain provisions under Section 230 of the Communications Decency Act (“Section 230” or the “CDA”) and remedy what former President Trump had claimed was the social media platforms’ “selective censorship” of user content and the “flagging” of content that does not violate a provider’s terms of service. The now-revoked executive order had, among other things, directed the Commerce Department to petition for rulemaking with the FCC to clarify certain aspect of CDA immunity for online providers (the FCC invited public input on the topic, but did not ultimately move forward with a proposed rulemaking) and requested the DOJ to draft proposed legislation curtailing the protections under the CDA (the DOJ submitted a reform proposal to Congress last October).
Trove of Online LinkedIn User Data Fuels LinkedIn’s Anti-Scraping Position
Last week, the Italian data protection authority (the “GPDP”) opened an investigation after reports that a dataset allegedly containing data compiled from 500 million LinkedIn profiles and other websites was available for sale on a hacker forum. Apparently, this data represents more than two-thirds of LinkedIn’s estimated 740 million users. The hacker reportedly posted approximately two million records visibly online as evidence of the dataset, and offered to sell the rest for an undisclosed bitcoin payment.
According to a statement by LinkedIn, the company investigated the posting and determined that it is “an aggregation of data from a number of websites and companies,” including publicly viewable LinkedIn member profile data that apparently was scraped from LinkedIn’s site. LinkedIn stated that it was not a data breach because no private member profile data was included in the dataset it was able to review. LinkedIn stated that such scraping of data violated its terms.
The posting of this scraped data immediately reminds us of the ongoing scraping dispute between LinkedIn and data analytics start-up hiQ, Inc. (“hiQ”). The principal issue in the case concerns the scope of Computer Fraud and Abuse Act (CFAA) liability associated with web scraping of publicly available social media profile data. In a prior ruling, the Ninth Circuit affirmed the lower court’s order granting a preliminary injunction barring LinkedIn from blocking hiQ from accessing and scraping publicly available LinkedIn member profiles.
Mobile App Platform Entitled to CDA Immunity over State Law Claims Related to In-App Purchases of Loot Boxes
Happy Silver Anniversary to Section 230 of Communications Decency Act (“CDA” or “Section 230”), which was signed into law by President Bill Clinton in February 1996. At that time, Congress enacted CDA Section 230 in response to case law that raised the specter of liability for any online service provider that attempted to moderate its platform, thus discouraging the screening out and blocking of offensive material. As has been extensively reported on this blog, the world of social media and user-generated content is supported by protections afforded by Section 230. Now, 25 years later, the CDA is at a crossroads of sorts and its protections have stoked some controversy. Yet, as it stands, Section 230 continues to provide robust immunity for online providers.
In a recent case, Google LLC (“Google”) successfully argued for the application of Section 230, resulting in a California district court dismissing, with leave to amend, a putative class action alleging consumer protection law claims against the Google Play App Store. The claims concerned the offering for download of third party mobile video games that allow users to buy Loot Boxes, which are in-app purchases that contain a randomized assortment of items that can improve a player’s chances at advancing in a videogame. The plaintiffs claimed these offerings constituted illegal “slot machines or devices” under California law. (Coffee v. Google LLC, No. 20-03901 (N.D. Cal. Feb. 10, 2021)).