Federal agents served a search warrant on plaintiff’s doctor’s office and thereby obtained access to plaintiff’s medical records, which were shared with a number of other parties involved in the criminal investigation of plaintiff’s doctor. Plaintiff sued under the Computer Fraud and Abuse Act (CFAA). Defendants moved to dismiss that claim. The court granted the motion. The CFAA prohibits unauthorized access to a “protected computer”. In dismissing the case, the court found, among other things, that there were no specific allegations that defendants accessed plaintiff’s computer.
Micks-Harm v. Nichols, No. 18-12634, 2019 WL 4781342 (E.D. Michigan, September 30, 2019)
About the Author: Evan Brown is a Chicago technology and intellectual property attorney. Call Evan at (630) 362-7237, send email to ebrown [at] internetcases.com, or follow him on Twitter @internetcases. Read Evan’s other blog, UDRP Tracker, for information about domain name disputes.
Court held this was an “exceptional case” and that trial court judge should have awarded plaintiff its attorneys’ fees under the Lanham Act.
While it is fairly common for successful litigants in copyright cases to be awarded the attorneys’ fees they incur in bringing or defending the case, that fee-shifting is not as common in trademark cases. There is a higher standard that must be met in trademark cases – the prevailing party must show that it has won an “exceptional case”. That recently occurred in the Seventh Circuit Court of Appeals.
Plaintiff home remodeling company and defendants – a manufacturer of storm shelters and one of its owners individually – found themselves in a trademark dispute over rights to use a mark plaintiff had developed to use as a distributor of defendants’ storm shelters.
Defendants disregarded on oral license agreement it had with plaintiff and used the mark for years outside the territorial scope of the license. The evidence showed that defendants intended to just buy the mark in the event plaintiff noticed defendants’ out-of-scope use.
Plaintiff indeed noticed and sued. The trademark infringement case went to trial. The trial court – though it found in plaintiff’s favor on the liability question and awarded more than $17 million in damages to plaintiff – declined to order defendants to pay plaintiff’s attorneys fees. Plaintiff sought review of the denial of attorney’s fees with the Seventh Circuit.
On appeal, the court reversed and remanded. It found that the trial court’s findings made this an “exceptional case” and thus appropriate for an award of attorneys’ fees.
Specifically, the court found that defendants’ conduct was willful, egregious and intentional. Likewise, defendants had acted in bad faith and maliciously, and refused to cease infringing activity, causing plaintiff unnecessary trouble and expense.
About the Author: Evan Brown is a Chicago technology and intellectual property attorney. Call Evan at (630) 362-7237, send email to ebrown [at] internetcases.com, or follow him on Twitter @internetcases. Read Evan’s other blog, UDRP Tracker, for information about domain name disputes.
Plaintiff – one of the millions of people who have played Fortnite – sued Fortnite developer Epic Games based on a data vulnerability in the Fortnite platform and an apparent hacking incident that took place in 2018. After the case was moved from state court in Illinois to federal court there, and then to federal court in North Carolina, defendant moved to dismiss for failure to state a claim.
This young man is feeling anxiety and anguish. He probably would not have standing in a data breach case.
The court dismissed the case, finding that the court lacked subject matter jurisdiction, since plaintiff had not sufficiently alleged that he had suffered an “injury-in-fact”.
It held that the mere existence of a data vulnerability does not constitute injury-in-fact. Instead, a complaint must allege a sufficient factual basis from which to conclude either that plaintiff’s compromised data has been misused, or that it will be misused, such that concrete harms are actual or imminent.
In this case, plaintiff’s complaint contained no facts showing, or even suggesting, that his personal data had been used as a result of the cyber vulnerability. Plaintiff’s complaint did not even state that his data was taken, only that Fortnite had a cyber vulnerability that could have allowed hackers to access his data.
Plaintiff’s only alleged harms were “time and effort to mitigate the risk of identity theft” and “anxiety and anguish”. The court held that anxiety and anguish resulting from data breaches do not confer standing. And without a single fact alleged to show that future harms were certainly impending, the money, time, and effort spent by plaintiff were merely self-imposed harms in response to a speculative threat. In the court’s view, the threat of future injury was wholly speculative and insufficient for standing.
Krohm v. Epic Games, Inc., No. 19-173, 2019 WL 4861101 (E.D. N. Carolina, October 1, 2019)
About the Author: Evan Brown is a Chicago technology and intellectual property attorney. Call Evan at (630) 362-7237, send email to ebrown [at] internetcases.com, or follow him on Twitter @internetcases. Read Evan’s other blog, UDRP Tracker, for information about domain name disputes.
Plaintiff sued defendant for violation of the Computer Fraud and Abuse Act (“CFAA”). For almost 20 years, defendant had worked for a company that developed plaintiff’s proprietary software system. In this capacity, defendant had access to plaintiff’s customer database, accounting system and other confidential information. After leaving the work he was performing for plaintiff, defendant founded his own competing venture.
Defendant moved to dismiss the CFAA claim. The court granted the motion to dismiss. The court held that defendant did not exceed the scope of his authorized access by accessing certain of plaintiff’s documents, files or drives for the benefit of his own venture. Citing to United States v. Nosal, 676 F.3d 854, (9th Cir. 2012), the court observed that the Ninth Circuit has defined “exceeds authorized access” narrowly to include only someone who is authorized to access only certain data or files but accesses unauthorized data or files – or to put it simply: hacking.
In this case, defendant was authorized to access plaintiff’s systems by virtue of the work he was hired to do in connection with plaintiff’s proprietary software systems. Plaintiff had attempted to draw a distinction between the work he was doing for his former employer and the actions he was undertaking to benefit his new venture (even though those actions were one and the same conduct). The court rejected this reasoning: “[E]ven if defendant accessed [plaintiff’s] information for the eventual benefit of [defendant’s new venture], that does not mean he could not have also accessed it for [his former employer’s] authorized purpose of building software.”
It is worth noting that the contours of “exceeding authorized access” under the CFAA give rise to a circuit split. It is fruitful to consider whether the outcome of this case may have been different, for example, in the Seventh Circuit, under the doctrines set out in Int’l Airport Ctr., L.L.C. v. Citrin, 440 F.3d 418 (7th Cir.2006).
Regal West Corporation v. Nguyen, No. 19-5374, 2019 WL 4748393 (W.D.Washington, September 30, 2019)
Facebook’s ability to decisively police the integrity of its platforms was without question a pressing public interest.
Plaintiffs provided software-as-a-service to help their clients locate social media content, gain approval to use that content, and then re-purpose it in the clients’ own advertising and marketing activities.
Previously, plaintiffs had operated in partnership with Facebook, whereby plaintiffs had access to the Facebook Open Graph API. In late August 2019 (a few weeks after a Business Insider article identified plaintiffs as misusing the Instagram platform) Facebook terminated the marketing partnership and access to the API.
After efforts to informally resolve the situation failed, plaintiffs, perhaps emboldened by the Ninth Circuit’s recent decision in hiQ v. LinkedIn, sued Facebook and Instagram asserting a number of claims, including breach of contract and tortious interference, and also sought a declaratory judgment that plaintiffs did not violate the Computer Fraud and Abuse Act. Plaintiffs sought a temporary restraining order that would have restored access to the platforms pending the case’s determination on the merits. But the court denied the motion.
No irreparable harm likely
The court rejected plaintiffs’ argument that they would suffer irreparable harm if access was not restored. It found that plaintiffs’ allegations of imminent harms shared a common fatal flaw in that they merely alleged speculative harm – they did not sufficiently demonstrate that irreparable harm was likely to occur.
Plaintiffs did establish for purposes of this motion that much (though not all) of the work they conducted for clients before losing API access involved Facebook. But the court found that plaintiffs had not sufficiently shown that they would actually lose current customers, or fail to acquire new prospective customers, if access were not restored.
Further, the court found that plaintiffs’ CEO’s statement that “this will soon reach a tipping point where [plaintiffs] can no longer operate” was not specific enough to demonstrate there was irreparable harm. “The extraordinary relief of a pre-adjudicatory injunction demands more precision with respect to when irreparable harm will occur than ‘soon.’ Such vague statements are insufficient evidence to show a threat of extinction.”
Not in the public’s interest
The court also found that the “public’s interest caution[ed] against issuing injunctive relief at this time.”
Plaintiffs argued that the public interest favored an injunction because one would prevent the imminent destruction of plaintiffs’ business, preserve employee jobs, and generally allow plaintiffs to continue operating. Additionally, they argued that the public interest would be served by enjoining defendants’ wrongful conduct.
Defendants argued that the public had an interest in allowing Facebook to exclude those who act impermissibly on its platform and jeopardize user privacy by, in this instance, automating data collection and scraping content en masse. Defendants argued that the public has an interest in allowing them latitude to enforce rules preventing abuse of their platforms.
The court decided that awarding injunctive relief at this stage would compel Facebook to permit a suspected abuser of its platform and its users’ privacy to continue to access its platform and users’ data for weeks longer, until a preliminary injunction motion could be resolved. Moreover, as precedent within Facebook’s policy-setting organization and potentially with other courts, issuing an injunction at this stage could handicap Facebook’s ability to decisively police its social-media platforms in the first instance. Facebook’s enforcement activities would be compromised if judicial review were expected to precede rather than follow its enforcement actions.
And although the public certainly has some interest in avoiding the dissolution of companies and the accompanying loss of employment, the court found that Facebook’s ability to decisively police the integrity of its platforms was without question a pressing public interest. In particular, the court noted, the public has a strong interest in the integrity of Facebook’s platforms, policing of those platforms for abuses, and protection of users’ privacy.
Stackla, Inc. v. Facebook Inc., No. 19-5849, 2019 WL 4738288 (N.D. Cal., September 27, 2019)
Plaintiff sued some unknown defendants for breach of contract and violations of the Computer Fraud and Abuse Act, based on the defendants’ deceptive conduct that tricked some internet users into signing up for plaintiff’s paid services. The unknown defendants would receive affiliate commissions from operating this scheme. This caused reputation problems for plaintiff.
Plaintiff sought early discovery to ascertain the identities of the unknown defendants. The court denied the motion.
The Federal Rules of Civil Procedure do not permit a party to seek discovery from the adverse parties in the case until all parties have conducted an initial conference under Rule 26(f). But when the defendants are unknown, that conference cannot take place. So the plaintiff needs to conduct discovery to find out who they are. In situations like these, for the required early discovery to occur and the unknown defendants to be identified (so that the conference can take place), the court must enter an order permitting early discovery.
A court can authorize early discovery to identify unknown defendants if there is good cause. In determining whether there is good cause, courts consider whether the plaintiff:
can identify the missing party with sufficient specificity such that the court can determine that defendant is a real person or entity who could be sued in federal court;
has identified all previous steps taken to locate the elusive defendant;
has articulated claims against defendant that would withstand a motion to dismiss; and
has demonstrated that there is a reasonable likelihood of being able to identify the defendant through discovery such that service of process would be possible.
In this case, the court found that plaintiff failed to identify the defendants with sufficient specificity, and did not demonstrate that each defendant was a real person or entity who would be subject to jurisdiction in the Northern District of California. Plaintiff had not explained why defendants would be subject to the jurisdiction of the court, as defendants’ activities seemed directed at Argentina, and plaintiff’s harm was felt in Argentina and other parts of Latin America. The only apparent connection defendants had with the Northern District of California was that they used domain name services from California companies. Plaintiff provided no authority to suggest this was sufficient to create jurisdiction.
Plaintiff also failed to explain what steps it had taken to locate defendants. Citing to Columbia Ins. Co. v. seescandy.com, 185 F.R.D. 573 (N.D. Cal. 1999), the court noted that “[t]his element is aimed at ensuring that plaintiffs make a good faith effort to comply with the requirements of service of process and specifically identifying defendants.”
In its motion, plaintiff only stated that there were no more practical measures that would permit it to identify the unknown defendants, but did not identify what measures – if any – were taken. For example, plaintiff was apparently able to identify defendants as affiliates, and that a contract existed, giving rise to legal liability. It was therefore not clear why plaintiff was unable to identify defendants based on the contract.
Binbit Argentina, S.A. v. Does 1-25, No. 19-5384, 2019 WL 4645159 (N.D. Cal., September 24, 2019)
Plaintiff sued defendant for copyright infringement over unlicensed use of plaintiff’s musical works in advertisements that defendant created and uploaded to YouTube. Defendant argued that the language and structure of plaintiff’s website – from which the works were downloaded – resulted in an express license or at least an implied license to use the musical works for commercial purposes. The court rejected these arguments and awarded summary judgment to plaintiff.
No express license
The basis for defendant’s argument that plaintiff’s website gave rise to an express license is not clear. In any event, plaintiff argued that a browsewrap agreement in place on the website established that the works could not be used for commercial purposes without the payment of a license fee. Citing to the well-known browsewrap case of Specht v. Netscape, 306 F.3d 17 (2d Cir. 2002), defendant argued that it did not have notice of the terms and conditions of the browsewrap agreement.
The court distinguished this case from Specht. In this case, plaintiff’s home page contained – similar to the case of Major v. McCallister, 302 S.W.3d 227 (Mo. Ct. App. 2009) – “immediately visible” hyperlinks that referenced terms of use and licensing information. A user did not have to scroll to find these links. So the terms and conditions of the browsewrap agreement were enforceable. Since the browsewrap agreement contained provisions requiring a license for commercial use, no reasonable jury could find that plaintiff had granted defendant an express license to use the musical works for commercial purposes free of charge.
No implied license
Defendant argued in the alternative that plaintiff had granted defendant an implied license to use the musical works, based on (1) plaintiff’s company name “Freeplay,” and (2) the absence of any conspicuous warning that the works were not available for commercial use.
The court found these arguments to be “easily disposed of.” Citing to I.A.E., Inc. v. Shaver, 74 F.3d 768 (7th Cir. 1996), the court noted that an implied license exists only when:
a person (the licensee) requests the creation of a work,
the creator (the licensor) makes that particular work and delivers it to the licensee who requested it, and
the licensor intends that the licensee-requestor copy and distribute his work.
The court found that defendant failed to prove any of these elements. Defendant never asked plaintiff to create any works. Nor did plaintiff make any works at defendant’s request to be used in defendant’s YouTube videos. Moreover, given plaintiff’s paid license requirements for business use of the copyrighted works available on its website, it could not be said that plaintiff intended that defendant download and distribute those works free of charge. Accordingly, the court found that no implied license existed.
Freeplay Music, LLC v. Dave Arbogast Buick-GMC, Inc., No. 17-42, 2019 WL 4647305 (S.D. Ohio, September 24, 2019)
About the Author: Evan Brown is a Chicago technology and intellectual property attorney. Call Evan at (630) 362-7237, send email to ebrown [at] internetcases.com, or follow him on Twitter @internetcases. Read Evan’s other blog, UDRP Tracker, for information about domain name disputes.
Plaintiff freelance photojournalist sued defendant website publisher for copyright infringement over photos plaintiff took of a luxury maximum security prison in Norway in 2010. Defendants posted the photos on its website in 2011 without permission, in connection with a widely-publicized story of a notorious mass shooter being relocated there. Plaintiff registered the copyright in his photos in 2015 and filed suit in 2018, claiming that he did not learn of the alleged infringement until 2016.
Each party filed motions for summary judgment. Plaintiff claimed that the court should enter summary judgment in his favor because he had a valid copyright to the photographs, and there was no dispute that defendant published several of them without authorization. Defendant asserted that plaintiff’s claims were time-barred by the Copyright Act’s three-year statute of limitations, because he knew, or should have known, of the infringement when interest in the photos spiked following the remand of the alleged mass murderer to the prison where the photos were taken.
Photos included in copyright registration
The court found there was no genuine issue as to any material fact concerning plaintiff’s ownership of the copyright in the photos. And defendant conceded it published the photos without authorization. Defendant had challenged whether plaintiff’s copyright registration covered the photos at issue. Plaintiff had not introduced the deposit materials, but had submitted a sworn statement saying the photos had been included in the registration. The court found the sworn statement to carry the issue – had the defendant filed a motion to compel or sought the deposit materials from the copyright office, it may have been able to show the photos were not included. But on these facts, it was clear to the court that the copyright registration covered the photos.
Statute of limitations – no duty to scour
The court denied defendant’s motion for summary judgment, finding that the copyright infringement claims were not barred by the statute of limitations. Civil actions for copyright infringement must be “commenced within three years after the claim accrued.” 17 U.S.C. § 507(b). The Second Circuit has stated that the “discovery rule” governs when the statute of limitations begins to run: an infringement claim does not ‘accrue’ until the copyright holder discovers, or with due diligence should have discovered, the infringement.
The court found that plaintiff’s knowledge about general interest in the prison following the news stories about the mass shooter being relocated there was not sufficient to constitute constructive discovery that his photographs of that prison were being infringed. Plaintiff did not have knowledge of any infringement of his work and there was no reason for him to think, or duty for him to scour the internet to find out if, anyone was using his photographs without his consent. The court cited Wu v. John Wiley & Sons, Inc., 2015 WL 5254885 (S.D.N.Y. Sept. 10, 2015) to observe that “[i]f that were the expectation, then stock photo agencies and photographers likely would spend more money monitoring their licenses than they receive from issuing licenses.”
Masi v. Moguldom Media Group, 2019 WL 3287819 (S.D.N.Y., July 22, 2019)
Plaintiffs owned and operated a Facebook page that Facebook shut down in 2018 because of concerns the page was associated with Russian interference with the 2016 U.S. presidential election. After getting shut down, plaintiffs sued Facebook alleging a number of claims, including:
damages under 42 U.S.C. §1983 for deprivation of a constitutional right by one acting under color of state law;
civil rights violations under California law;
breach of contract; and
breach of implied covenant of good faith and fair dealing.
Facebook moved to dismiss these claims under the Communications Decency Act at 47 U.S.C. §230. The court granted the motion to dismiss.
Section 230 immunizes defendants from liability if:
defendant is a provider or user of an interactive computer service;
the information for which plaintiff seeks to hold defendant liable is information provided by another information content provider; and
plaintiff’s claim seeks to hold defendant liable as the publisher or speaker of that information.
In this case, there was no dispute Facebook met the first two elements, i.e., it is a provider of an interactive computer service and the information (namely, the content of plaintiffs’ page) was provided by a party other than Facebook. The real dispute came under the third element.
Plaintiffs argued that Section 230 should not immunize Facebook because this case did not concern obscenity or any other form of unprotected speech. Instead, plaintiffs argued, the case concerned political speech that strikes at the heart of the First Amendment. The court rejected this argument, holding that immunity under the Communications Decency Act does not contain a political speech exception. The statutory text provides that no “provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider. (Emphasis added). No distinction is made between political speech and non-political speech.
Plaintiff also argued that granting Facebook immunity would be counter to congressional intent behind the Communications Decency Act. But the court borrowed language from Barnes v. Yahoo!, Inc., 570 F.3d 1096 (9th Cir. 2009) on this point: “Both parties make a lot of sound and fury on the congressional intent of the immunity under section 230, but such noise ultimately signifies nothing. It is the language of the statute that defines and enacts the concerns and aims of Congress; a particular concern does not rewrite the language.” Looking to Fair Hous. Council of San Fernando Valley v. Roommates.Com, LLC, 521 F.3d 1157 (9th Cir. 2008), the court noted that Ninth Circuit case law interpreting the language of the Communications Decency Act has held that “activity that can be boiled down to deciding whether to exclude material that third parties seek to post online is perforce immune under section 230.”
Federal Agency of News LLC v. Facebook, Inc., 2019 WL 3254208 (N.D. Cal. July 20, 2019)
Defendant entered into a software license agreement with plaintiff that allowed defendant to use plaintiff’s software in China. Plaintiff filed suit, accusing defendant of violating the anticircumvention provisions of the Digital Millennium Copyright Act (DMCA), which enabled defendant to use the software in California. It sought a preliminary injunction and the court granted the motion.
The DMCA at 17 U.S.C. § 1201(a)(1) prohibits “circumvention of technological measures that effectively control access to a copyrighted work.” The court found that plaintiff was likely to succeed on this claim: defendant’s computers contained evidence of crack files used to gain unauthorized access to plaintiff’s software, and these cracking tools were used to circumvent anti-piracy measures by unlocking the software. Also, defendant manually changed the MAC addresses of 11 computers in the United States, which also allowed defendant to circumvent plaintiff’s anti-piracy measures.
The court also found that plaintiff could prove violation of § 1201(a)(2), which prohibits importing and manufacturing “technology that circumvents a technological measure that ‘effectively controls access’ to a copyrighted work.” The forensic evidence collected from defendant’s computers showed that defendant imported a crack file from an Iranian software piracy website and obtained license key generator software from a Chinese website known to host pirated software.
Synopsys v. Innogrit, 2019 WL 2617091 (N.D. Cal. June 26, 2019)
