
Anti-malware provider immune under CDA for calling competitor’s product a security threat


Plaintiff anti-malware software provider sued defendant – who also provides software that protects internet users from malware, adware, etc. – bringing claims for false advertising under Section 43(a) of the Lanham Act, as well as other business torts. Plaintiff claimed that defendant wrongfully revised its software’s criteria to identify plaintiff’s software as a security threat when, according to plaintiff, its software is “legitimate” and posed no threat to users’ computers.

Defendant moved to dismiss the complaint for failure to state a claim upon which relief may be granted. It argued that the provisions of the Communications Decency Act at Section 230(c)(2) immunized it from plaintiff’s claims.

Section 230(c)(2) reads as follows:

No provider or user of an interactive computer service shall be held liable on account of—

(A) any action voluntarily taken in good faith to restrict access to or availability of material that the provider or user considers to be obscene, lewd, lascivious, filthy, excessively violent, harassing, or otherwise objectionable, whether or not such material is constitutionally protected; or

(B) any action taken to enable or make available to information content providers or others the technical means to restrict access to material described in [paragraph (A)].

Specifically, defendant argued that the provision of its software using the criteria it selected was an action taken to make available to others the technical means to restrict access to malware, which is objectionable material.

The court agreed with defendant’s argument that the facts of this case were “indistinguishable” from the Ninth Circuit’s opinion in Zango, Inc. v. Kaspersky, 568 F.3d 1169 (9th Cir. 2009), in which the court found that Section 230 immunity applied in the anti-malware context.

Here, plaintiff had argued that immunity should not apply because malware is not within the scope of “objectionable” material that it is okay to seek to filter in accordance with 230(c)(2)(B). Under plaintiff’s theory, malware is “not remotely related to the content categories enumerated” in Section 230(c)(2)(A), which (B) refers to. In other words, the objectionableness of malware is of a different nature than the objectionableness of material that is obscene, lewd, lascivious, filthy, excessively violent, harassing. The court rejected this argument on the basis that the determination of whether something is objectionable is up to the provider’s discretion. Since defendant found plaintiff’s software “objectionable” in accordance with its own judgment, the software qualifies as “objectionable” under the statute.

Plaintiff also argued that immunity should not apply because defendant’s actions taken to warn of plaintiff’s software were not taken in good faith. But the court applied the plain meaning of the statute to reject this argument – the good faith requirement only applies to conduct under Section 230(c)(2)(A), not (c)(2)(B).

Finally, plaintiff had argued that immunity should not apply with respect to its Lanham Act claim because of Section 230(e)(2), which provides that “nothing in [Section 230] shall be construed to limit or expand any law pertaining to intellectual property.” The court rejected this argument because although the claim was brought under the Lanham Act, which includes provisions concerning trademark infringement (which clearly relates to intellectual property), the nature of the Lanham Act claim here was for unfair competition, which is not considered to be an intellectual property claim.

Enigma Software Group v. Malwarebytes Inc., 2017 WL 5153698 (N.D. Cal., November 7, 2017)

About the Author: Evan Brown is a Chicago technology and intellectual property attorney. Call Evan at (630) 362-7237, send email to ebrown [at] internetcases.com, or follow him on Twitter @internetcases. Read Evan’s other blog, UDRP Tracker, for information about domain name disputes.

Facebook did not violate user’s constitutional rights by suspending account for alleged spam


Plaintiff sued Facebook and several media companies (including CNN, PBS and NPR) after Facebook suspended his account for alleged spamming. Plaintiff had posted articles and comments in an effort to “set the record straight” regarding Kellyanne Conway’s comments on the “Bowling Green Massacre”. Plaintiff claimed, among other things, that Facebook and the other defendants violated the First, Fourth, Fifth, and Fourteenth Amendments.

The court granted defendants’ motion to dismiss for failure to state a claim. It observed the well-established principle that these provisions of the constitution only apply to governmental actors – and do not apply to private parties. Facebook and the other media defendants could not plausibly be considered governmental actors.

It also noted that efforts to apply the First Amendment to Facebook have consistently failed. See, for example, Forbes v. Facebook, Inc., 2016 WL 676396, at *2 (E.D.N.Y. Feb. 18, 2016) (finding that Facebook is not a state actor for Section 1983 First Amendment claim); and Young v. Facebook, Inc., 2010 WL 4269304, at *3 (N.D. Cal. Oct. 25, 2010) (holding that Facebook is not a state actor).

Shulman v. Facebook et al., 2017 WL 5129885 (D.N.J., November 6, 2017)


Expedia’s online clickwrap agreement upheld


Plaintiff airline ticket buyer sued Expedia in court for, among other things, fraud, claiming that he was entitled to a refund of the price of his ticket because he had to cancel for medical reasons. Expedia moved to compel arbitration. The court granted the motion.

It found that plaintiff manifested his clear agreement to the arbitration clause in Expedia’s online terms and conditions when he selected the “complete booking” button on the “Review and book your trip” screen during his ticket purchase process.

It also found that each of plaintiff’s claims was encompassed by the arbitration agreement found in the online terms. The arbitration agreement entered into by the parties stated that “[a]ny and all Claims will be resolved by binding arbitration.” There was no apparent exception for fraud or contract claims, and plaintiff did not argue that any exception existed.

Van Den Heuvel v. Expedia Travel, 2017 WL 5133270 (E.D. Cal., November 6, 2017)


Puzzling privacy analysis in decision to unmask anonymous accused copyright infringers

Plaintiff porn company sued an unknown bittorrent user (identified as John Doe) alleging that defendant had downloaded and distributed more than 20 of plaintiff’s films. Plaintiff asked the court for leave to serve a subpoena on Optimum Online – the ISP associated with defendant’s IP address – prior to the Rule 26(f) conference. (As we have recently discussed, leave of court is required to start discovery before the Rule 26(f) conference, but a plaintiff cannot have that conference unless it knows who the defendant is.) Plaintiff already knew defendant’s IP address. It needed to serve the subpoena on the ISP to learn defendant’s real name and physical address so it could serve him with the complaint.

The court went through a well-established test to determine that good cause existed for allowing the expedited discovery. Drawing heavily on the case of Sony Music Entm’t, Inc. v. Does 1-40, 326 F. Supp. 2d 556 (S.D.N.Y. 2004), the court evaluated:

(1) the concreteness of the plaintiff’s showing of a prima facie claim of copyright infringement,

(2) the specificity of the discovery request,

(3) the absence of alternative means to obtain the subpoenaed information,

(4) the need for the subpoenaed information to advance the claim, and

(5) the objecting party’s expectation of privacy.

The court’s conclusions were not surprising on any of these elements. But its discussion under the fifth point, namely, the defendant’s expectation of privacy, was puzzling, and the court may have missed an important point.

It looked to the recent case involving Dread Pirate Roberts and Silk Road, namely, United States v. Ulbricht, 858 F.3d 71 (2d Cir. 2017). Leaning on the Ulbricht case, the court concluded that defendant had no reasonable expectation of privacy in the sought-after information (name and physical address) because there is no expectation of privacy in “subscriber information provided to an internet provider,” such as an IP address, and such information has been “voluntarily conveyed to third parties.”

While the court does not misquote the Ulbricht case, one is left to wonder why it would use that case to support discovery of the unknown subscriber’s name and physical address. At issue in Ulbricht was whether the government violated Dread Pirate Roberts’s Fourth Amendment rights when it obtained the IP address he was using. In this case, however, the plaintiff already knew the IP address from its forensic investigations. The sought-after information here was the name and physical address, not the IP address he used.

So looking to Ulbricht to say that the Doe defendant had no expectation of privacy in his IP address does nothing to shed light on the kind of expectation of privacy, if any, he should have had in his real name and physical address.

The court’s decision ultimately is not incorrect, but it did not need to consult with Ulbricht. As in the Sony Music case from which it drew the 5-part analysis, and in many other similar expedited discovery cases, the court could have simply found there was no reasonable expectation of privacy in the sought-after information, because the ISP’s terms of service put the subscriber on notice that it will turn over the information to third parties in certain circumstances like the ones arising in this case.

Strike 3 Holdings, LLC v. Doe, 2017 WL 5001474 (D.Conn., November 1, 2017)


Google can, at least for now, disregard Canadian court order requiring deindexing worldwide

U.S. federal court issues preliminary injunction, holding that enforcement of Canadian order requiring Google to remove search results would run afoul of the Communications Decency Act (at 47 U.S.C. 230)

Canadian company Equustek prevailed in litigation in Canada against rival Datalink on claims relating to trade secret misappropriation and unfair competition. After the litigation, Equustek asked Google to remove Datalink search results worldwide. Google initially refused altogether, but after a Canadian court entered an injunction against Datalink, Google removed Datalink results from google.ca. Then a Canadian court ordered Google to delist worldwide, and Google complied. Google objected to the order requiring worldwide delisting, and took the case all the way up to the Canadian Supreme Court, which affirmed the lower courts’ orders requiring worldwide delisting.

So Google filed suit in federal court in the United States, seeking a declaratory judgment that being required to abide by the Canadian order would, among other things, be contrary to the protections afforded to interactive computer service providers under the Communications Decency Act, at 47 U.S.C. 230.

The court entered the preliminary injunction (i.e., it found in favor of Google pending a final trial on the merits), holding that (1) Google would likely succeed on its claim under the Communications Decency Act, (2) it would suffer irreparable harm in the absence of preliminary relief, (3) the balance of equities weighed in its favor, and (4) an injunction was in the public interest.

Section 230 of the Communications Decency Act immunizes providers of interactive computer services against liability arising from content created by third parties. It states that “[n]o provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.”

The court found that there was no question Google is a “provider” of an “interactive computer service.” Also, it found that Datalink—not Google—“provided” the information at issue. And finally, it found that the Canadian order would hold Google liable as the “publisher or speaker” of the information on Datalink’s websites. So the Canadian order treated Google as a publisher, and would impose liability for failing to remove third-party content from its search results. For these reasons, Section 230 applied.

Summarizing the holding, the court observed that:

The Canadian order would eliminate Section 230 immunity for service providers that link to third-party websites. By forcing intermediaries to remove links to third-party material, the Canadian order undermines the policy goals of Section 230 and threatens free speech on the global internet.

The case provides key insight into the evolving legal issues around global enforcement and governance.

Google, Inc. v. Equustek Solutions, Inc., 2017 WL 5000834 (N.D. Cal. November 2, 2017)

Court allows Microsoft to unmask unknown Comcast users accused of infringement

A federal court in Washington state has given the green light for Microsoft to subpoena records from Comcast to discover the identity of the person or persons associated with an IP address used to activate thousands of unauthorized copies of Microsoft software.


Generally, in federal court litigation, a party cannot serve discovery requests or subpoenas until after the plaintiff and defendant have conferred (in a Rule 26(f) conference). But when the plaintiff does not know the identity of the defendant, there is a bootstrapping problem – discovery needs to be taken to find out the defendant with whom to conduct the conference. In situations like this, the plaintiff seeking to unmask an unknown defendant will file its complaint against one or more “John Does,” then ask the court for leave to serve discovery prior to the Rule 26(f) conference.

That is what happened in this case. It is a common tactic used by parties legitimately seeking to enforce intellectual property, as well as parties that may be considered copyright trolls. See, e.g., this early bittorrent case from 2011.

Microsoft filed its complaint and also filed a motion for leave to take discovery prior to the Rule 26(f) conference. Finding that good cause existed for the early discovery, the court granted the motion.

It held that

(1) Microsoft had associated the John Doe Defendants with specific acts of activating unauthorized software using product keys that were known to have been stolen from Microsoft, and had been used more times than were authorized for the particular software,

(2) Microsoft had adequately described the steps it took in an effort to locate and identify the John Doe defendants, specifically by utilizing its “cyberforensics” technology to analyze product key activation data, identifying patterns and characteristics which indicate software piracy,

(3) Microsoft had pleaded the essential elements to state a claim for copyright and trademark infringement, and

(4) the information proposed to be sought through a subpoena appeared likely to lead to identifying information that would allow Microsoft to serve the defendants with the lawsuit.

Microsoft Corp. v. John Does 1-10, 2017 WL 4958047 (W.D. Wash., November 1, 2017)

Image courtesy Dmitrij Rodionov under Creative Commons Attribution-Share Alike 3.0 Unported license. License granted hereby under same terms.

Website liable for statutory damages and attorney’s fees for copyright infringement

Plaintiff photojournalism company sued defendant retail website operator for copyright infringement arising from the publication on the site of two celebrity photographs. Plaintiff moved for summary judgment on its copyright infringement claim. The court granted the motion.

Infringement Claim

Defendant argued that the copyright registration – which was a compilation of photographs taken over a couple of months – did not cover the photographs in question, because the registration made no specific mention of the photos. But the court rejected this argument, finding that the registration certificate for the compilation was valid because (a) all the photographs were by the same photographer, (b) all the photographs were published in the same calendar year, and (c) all the photographs had the same copyright claimant. Defendant could not point to any specific evidence in the record to cast doubt on the validity of the registration.

The parties did not dispute that defendant’s employees copied and reposted the photographs. Accordingly, the court found that plaintiff had established the elements required for a copyright infringement claim.

But defendant argued that it had a license to reuse the photographs, based on the terms of the E! website from which it obtained the photos. The court easily rejected this argument, noting that the defendant had not provided a copy of that purported license agreement, nor come up with any other evidence to support the claim.

Statutory Damages and Attorney’s Fees

The court awarded $750 in statutory damages – the minimum amount that the Copyright Act authorizes. The court based this in part on looking at the actual licensing fees charged for the photographs. Plaintiff had charged E! a license fee of $75 for use of the photos. Even trebling this amount would not bring the damage calculation within the statutory minimum. So the court raised it to the lowest threshold permitted under the act.

As for attorney’s fees, the court found it appropriate to award fees to promote the stated purposes of the Copyright Act. Specifically, shifting fees here, in the court’s view, served to encourage and reward innovators for their contributions in the march toward progress rather than burdening them with the costs of defending their protected works.

Fameflynet, Inc. v. The Shoshanna Collection, — F.Supp.3d —, 2017 WL 4402568 (S.D.N.Y. October 2, 2017)

Confusing UDRP decision regarding proof required for showing of no rights or legitimate interests

(This is a cross-post from UDRP Tracker.)

In the case of BroadPath Healthcare Solutions / Jerry Robertson v. Maria Piro / Nova Nordisk, a one-member NAF Panel held that the Complainant failed to meet the second UDRP element, namely, it failed to establish that the Respondent lacked rights or legitimate interests in the disputed domain name <broad-path.org>.

The decision is confusing because the opinion appears to be self-contradictory. The Panel noted that the Complainant alleged (1) that the Respondent is not commonly known by the disputed domain name, (2) that the Complainant had not authorized, licensed, or otherwise permitted the Respondent to use the Complainant’s mark, and (3) that the Respondent does not use the disputed domain name in connection with a bona fide offering of goods or services or legitimate noncommercial or fair use. Rather, the Complainant argued, the Respondent was attempting to pass itself off as the Complainant to facilitate fraud on Internet users.

Ordinarily, in an uncontested UDRP matter (such as this one, where the Respondent did not file a response), such allegations would be enough to establish a prima facie showing on the second UDRP element. It is unclear what more the Panel expected to see in terms of proof of lack of rights or legitimate interests. The prima facie showing requirement is used in light of the difficulty of proving a negative, which is what the second UDRP element calls for.

In any event, despite the Complainant’s allegations listed in the decision, the Panel concluded, in summary fashion without explanation, that the Complainant failed to make a legally cognizable argument under this second UDRP element. For this reason, the Panel did not go on to analyze the bad faith element, but instead denied the Complaint.

BroadPath Healthcare Solutions / Jerry Robertson v. Maria Piro / Nova Nordisk, Claim Number: FA1709001748692 (NAF October 31, 2017)

Court reinstates SCO’s misappropriation claim against IBM in long-running lawsuit

For almost a decade and a half, SCO and IBM have been fighting over their collaboration gone wrong concerning the development of a new version of UNIX for Intel processors. The case has garnered much attention, including from the open source community. You can read the backstory here on the Wikipedia page for the dispute. The case has been on appeal to the Tenth Circuit, which released its opinion on October 30. The decision was a mixed ruling – the court affirmed summary judgment in favor of IBM on most of the issues, but ruled in favor of SCO on one important claim – misappropriation.

SCO sued IBM for the tort of misappropriation (a form of unfair competition) arising from IBM’s alleged use in its own product of source code that SCO had contributed to the joint efforts to develop the new UNIX version. The district court granted IBM’s motion for summary judgment on the misappropriation claim, holding that such a claim was barred under New York law’s “independent tort doctrine”. SCO sought review with the Tenth Circuit Court of Appeals. The court reversed and remanded the case on the misappropriation claim.

This doctrine provides that a simple breach of contract is not to be considered a tort unless a legal duty independent of the contract itself has been violated. This separate duty must spring from circumstances extraneous to, and not constituting elements of, the contract, although it may be connected with and dependent upon the contract.

In this case, the court held that while IBM and SCO may not have had a formal partnership or joint venture as a matter of law, they surely enjoyed a business relationship in which each reposed a degree of trust and confidence in the other. In such a situation, there exists a duty not to take a business collaborator’s property in bad faith and without its consent in order to compete against that owner’s use of the same property.

SCO v. IBM, — F.3d —, 2017 WL 4872572 (10th Cir., October 30, 2017)


Live by the browsewrap, die by the browsewrap

Company could not argue it was not bound by competitor’s browsewrap agreement, because it used a browsewrap agreement for its own website.


Oilpro filed a counterclaim for breach of contract against its competitor, DHI, arguing that DHI breached the agreement it had with Oilpro – such agreement being in a browsewrap agreement found on Oilpro’s website – to not scrape, crawl, or use other automated means to download data from Oilpro’s website. DHI moved to dismiss the breach of contract claim, arguing that Oilpro had insufficiently pled that DHI assented to the terms of the browsewrap agreement. The court denied the motion to dismiss.

In browsewrap cases, because there is no affirmative step to acknowledge assent to the agreement, the party claiming breach has to show that a valid contract exists by demonstrating that the breaching party had actual or constructive knowledge of the terms and conditions. Just having a link to the terms at the bottom of the page, or having them available for review (without having to affirmatively click on something) may not be enough (though there are exceptions to this).

Here, the court found that Oilpro was not relying only on the fact that the agreement was on the pages of the website and available. Instead, Oilpro pointed to DHI’s own web design practices to support its knowledge of the terms of the browsewrap agreement. In the court’s words:

Oilpro alleges constructive notice because DHI has a similar site with a similar browsewrap agreement. Thus, even if there are no allegations that DHI took affirmative action to acknowledge assent, the court finds that the allegations relating to DHI’s constructive knowledge provide more than that the agreement was available and raise the claim to plausible.

So the case stands for the proposition that a company that uses a browsewrap agreement on its own website is less likely to be able to argue it is unaware of other companies’ browsewrap agreements. Said another way, browsewrap-using companies may have a higher standard of diligence in their own online dealings.

It should be noted, however, that the conclusion in this case is likely to apply only in the B2B context, and will likely not affect the enforceability (or non-enforceability) of browsewrap agreements in the consumer context. The court said “[t]his conclusion is confined, of course, to instances where both parties are sophisticated businesses that use browsewrap agreements on their websites.”

DHI Group, Inc. v. Kent et al., 2017 WL 4837730 (S.D. Texas, October 26, 2017).

Photo courtesy Flickr user Patrick Finnegan under this Creative Commons license.
