Blog

August 17, 2015 Contracts

Court provides guidance on how to effectively communicate online terms of service

Are online terms of service provided via hyperlink in an email binding on the recipient of that email? The Second Circuit recently addressed that question, and the decision gives guidance on best practices for online providers.

Plaintiff booked a trip to the Galapagos Islands using defendant’s website. When she purchased her ticket, she got a booking information email, a confirmation invoice and a service voucher. (It is not clear how plaintiff got the confirmation invoice and the service voucher – the court’s opinion says they were sent as emails, but the PACER record does not show them as emails. In any event, plaintiff did not dispute that she received all three documents, nor did she dispute all three documents contained a hyperlink to defendant’s “terms and conditions” which were available online.)

One evening during the trip, a tour guide allegedly assaulted plaintiff. She sued defendant for negligently hiring and training that tour guide. Defendant moved to dismiss, pointing to language in the online terms and conditions that called for disputes to be heard in Canadian court. The district court dismissed the action, and plaintiff sought review with the Second Circuit. On appeal, the court affirmed. It held that defendant had reasonably communicated the forum selection clause to plaintiff by using hyperlinks and the appropriate language in the terms and conditions.

Each of the documents contained an underlined hyperlink, and accompanying language advising plaintiff to click on the hyperlink. The booking information email contained a standalone provision with the heading “TERMS AND CONDITIONS”. This section stated that “[a]ll . . . passengers must read, understand and agree to the following terms and conditions.” The hyperlink immediately followed. Both the confirmation invoice and the voucher contained a link to the terms and conditions, preceded by “[c]onfirmation of your reservation means that you have already read, agreed to and understood the terms and conditions. . . .”

The actual structure and language of the terms and conditions also served to reasonably communicate the forum selection clause. The second paragraph stated that the terms and conditions “affect your rights and designate the governing law and forum for the resolution of any and all disputes.” Later in the terms and conditions, a standalone section titled “APPLICABLE LAW” provided that all matters arising from the agreement were subject to Ontario and Canadian law and the exclusive jurisdiction of the Ontario and Canadian courts.

The decision validates the notion that an e-commerce provider can rely on establishing valid and binding contracts with its customers without having to actually transmit a copy of the terms and conditions that would apply to the transaction. Though the facts of this case dealt with email, there is no substantive reason why the best practices revealed by the court’s decision would not apply to providers of mobile apps and other online platforms.

Starkey v. G Adventures, Inc., — F.3d —, 2015 WL 4664237 (2nd Cir. August 7, 2015)

Evan Brown is an attorney in Chicago helping clients manage issues involving technology and new media.

August 13, 2015 Privacy

Is the Sixth Circuit willing to recognize a right to be forgotten under U.S. law?

Recent FOIA decision questions the 20-year-old notion that defendants have no interest in preventing release of booking photographs during ongoing criminal proceedings.

The Freedom of Information Act (“FOIA”) implements “a general philosophy of full agency disclosure” of government records. Since the mid-90s, the Sixth Circuit has required law enforcement to turn over booking photographs of defendants while ongoing criminal proceedings are occurring.

Plaintiff sought the booking photos of four criminal defendants from the U.S. Marshall’s office. When the U.S. Marshall refused to turn the photos over, plaintiff filed suit. The district court found in plaintiff’s favor, citing the Sixth Circuit case of Detroit Free Press v. United States Department of Justice, 73 F.3d 93 (1996). Defendant sought review with the Sixth Circuit and, bound by the 1996 decision, a panel of the Sixth Circuit affirmed, ordering that the photos be turned over.

But the panel was far from comfortable in its holding. Although it was bound to follow the earlier Sixth Circuit precedent, it urged the court to consider en banc whether an exception to FOIA applies to booking photographs. “In particular, we question the panel’s conclusion that defendants have no interest in preventing the public release of their booking photographs during ongoing criminal proceedings.”

The general theory behind the current requirement that booking photos be released is that the suspects have already appeared publicly in court, and the release of the photos and their names conveys no further information to implicate a protectible privacy interest. But this panel of the court noted that “[s]uch images convey an ‘unmistakable badge of criminality’ and, therefore, provide more information to the public than a person’s mere appearance.”

Something like a right to be forgotten appears in the court’s discussion of how photos can linger online: “[B]ooking photographs often remain publicly available on the Internet long after a case ends, undermining the temporal limitations presumed” by Sixth Circuit case law that calls for the release of photos during ongoing proceedings.

Detroit Free Press v. U.S. Dept. of Justice, — F.3d —, 2015 WL 4745284 (6th Cir. August 12, 2015)

Evan Brown is an attorney in Chicago helping clients manage issues involving technology and new media.

August 5, 2015 Computer Crime, Litigation, Privacy

Facebook hacking victim’s CFAA and SCA claims not barred by statutes of limitation

Knowledge that email account had been hacked did not start the statutes of limitation clock ticking for Computer Fraud and Abuse Act and Stored Communications Act claims based on alleged related hacking of Facebook account occurring several months later.

Plaintiff sued her ex-boyfriend in federal court for allegedly accessing her Facebook and Aol email accounts. She brought claims under the Computer Fraud and Abuse Act, 18 U.S.C. § 1030 (“CFAA”), and the Stored Communications Act, 18 U.S.C. § 2701, et seq. (“SCA”).

Both the CFAA and the SCA have two-year statutes of limitation. Defendant moved to dismiss, arguing that the limitation periods had expired.

The district court granted the motion to dismiss, but plaintiff sought review with the Second Circuit Court of Appeals. On appeal, the court affirmed the dismissal as to the email account, but reversed and remanded as to the Facebook account.

In August 2011, plaintiff discovered that someone had altered her Aol email account password. Later that month someone used her email account to send lewd and derogatory sexually-themed messages about her to people in her contact list. A few months later, similar things happened with her Facebook account — she discovered she could not log in in February 2012, and in March 2012 someone publicly posted sexually-themed messages using her account. She figured out it was her (now married) ex-boyfriend and filed suit.

The district court dismissed the claims because it found plaintiff first discovered facts giving rise to the claims in August 2011, but did not file suit until more than two years later, in January 2014. The Court of Appeals agreed with the district court as to the email account. She had enough facts in 2011 to know her Aol account had been compromised, and waited too long to file suit over that. But that was not the case with the Facebook account. The district court had concluded plaintiff knew in 2011 that her “computer” had been compromised. The Court of Appeals observed that the lower court failed to properly recognize the nuance concerning which computer systems were being accessed without authorization. Unauthorized access to the Facebook server gave rise to the claims relating to the Facebook account. The 2011 knowledge about her email being hacked did not bear on whether she knew her Facebook account would be compromised. The court observed:

We take judicial notice of the fact that it is not uncommon for one person to hold several or many Internet accounts, possibly with several or many different usernames and passwords, less than all of which may be compromised at any one time. At least on the facts as alleged by the plaintiff, it does not follow from the fact that the plaintiff discovered that one such account — AOL e-mail — had been compromised that she thereby had a reasonable opportunity to discover, or should be expected to have discovered, that another of her accounts — Facebook — might similarly have become compromised.

The decision gives us an opportunity to think about how users’ interests in having their data kept secure from third party access attaches to devices and systems that may be quite remote from where the user is located. The typical victim of a hack or data breach these days is not going to be the owner of the server that is compromised. Instead, the incident will typically involve the compromising of a system somewhere else that is hosting the user’s information or communications. This decision from the Second Circuit recognizes that reality, and contributes to the reasonable opportunity for redress in those situations.

Sewell v. Bernardin, — F.3d —, 2015 WL 4619519 (2nd Cir. August 4, 2015)

Evan Brown is an attorney in Chicago helping clients manage issues involving technology and new media.

July 9, 2015 Trademarks

What is required for a website design to be protectible as trade dress?

Plaintiff sued defendant for, among other things, trade dress misappropriation, asserting that plaintiff’s website had a particular look and feel that would convert leads to sales, and that defendant copied the look and feel of the website’s distinctive elements. Defendant moved to dismiss the trade dress claim for failure to state a claim. The court granted the motion.

It found that plaintiff had failed to meet the requirement of pleading how its website’s design was distinctive. It noted that a mere cataloguing of a website’s features does not give defendants adequate notice of a plaintiff’s trade dress claim, especially, when the list of features comprising the trade dress is not complete. Rather, a complaint must “synthesize” how those features combine to create the website’s protectable look and feel. In the court’s view, a complaint that lists only some, but not all, of the features of the plaintiff’s website that the plaintiff believes constitute its trade dress is insufficient to state a plausible claim for trade dress infringement under the Lanham Act.

FC Online Marketing, Inc. v. Burke’s Martial Arts, LLC, 2015 WL 4162757 (E.D.N.Y., July 8, 2015)

See also:

June 10, 2015 Copyright, DMCA

Is a DMCA subpoena to identify unknown infringers valid if the infringement has ended?

The Digital Millennium Copyright Act (“DMCA”) is well-known for its notice and takedown provisions. But the DMCA provides a number of other interesting mechanisms, including a procedure for potential copyright plaintiffs to send subpoenas to online service providers to learn the identity of users who posted infringing content to that service. A recent case involving some subpoenas that a copyright owner sent to eBay examines the relationship between the notice and takedown procedures on one hand, and the subpoena mechanism on the other. The question before the court was whether a DMCA subpoena is valid if, by the time it is served on the online service provider, that online service provider has already removed or has disabled access to that content.

Section 512(h) (17 U.S.C. 512(h)) spells out the DMCA subpoena process, and how it relates to the notice and takedown provisions. An online service provider must act expeditiously to identify the user who uploaded infringing content “[u]pon receipt of the issued subpoena, either accompanying or subsequent to the receipt of a [takedown request].” That plain language seems straightforward — an online service provider has to provide the identifying information in response to any subpoena it receives either with or subsequent to a takedown notice.

But it was not so straightforward in a 2011 case, where some confusing facts made for some confusing law. In Maximized Living, Inc., v. Google, Inc., 2011 WL 6749017 (N.D. Cal. December 22, 2011), the copyright holder sent a subpoena to the online service provider after the copyright holder had sent a DMCA takedown notice. That would appear to comport with the statute — the subpoena came subsequent to the takedown notice. But the problem in that case was that the takedown notice was not valid. By the time it was sent, the alleged infringer had already removed the infringing content. From that, the Maximized Living case pronounced that “the subpoena power of §512(h) is limited to currently infringing activity and does not reach former infringing activity that has ceased and thus can no longer be removed or disabled.”

In the recent case of In re DMCA Subpoena to eBay, Inc., eBay, as the recipient of subpoenas to identify some of its users, picked up on the Maximized Living holding to argue that it did not have to answer the subpoenas because it had already taken down the offending content pursuant to previous takedown notices. Since the subpoenas did not relate to “currently infringing activity,” eBay argued à la Maximized Living, that the subpoenas had not been issued under §512(h)’s power and were therefore invalid.

The court rejected eBay’s argument. The key distinction in this case was that, unlike in Maximized Living, the takedown notices in this case, when they issued, related to content that was on the eBay servers at the time the takedown notices were issued. Granted, some of those takedown notices went all the way back to early 2012 (query whether the subpoena should be valid if it would only uncover the identity of an infringer for whom the 3-year copyright statute of limitations had passed; but that wasn’t before the court).

So to simply state the rule in this case — for a DMCA subpoena to be valid, it has to relate to a valid DMCA takedown notice. That DMCA takedown notice is not valid unless it was served at a time when infringing content resided on the service. An online service provider cannot avoid the obligation of responding to a subpoena by taking down the content, thereby causing there to be no “currently infringing activity”. Such a rule would, as the court observed, cause the online service provider’s safe harbor protection to also shield the alleged infringer from being identified. That would indeed be an odd application of the DMCA’s protection. The court in this case avoided that outcome.

In re DMCA Subpoena to eBay, Inc., 2015 WL 3555270 (S.D. Cal. June 5, 2015).

Evan Brown is a Chicago attorney helping clients in matters dealing with copyright, technology, the internet and new media. Call him at (630) 362-7237, send email to ebrown [at] internetcases dot com, or follow him on Twitter @internetcases

Photo courtesy of Flickr user Thomas Galvez under this Creative Commons license.

May 8, 2015 Copyright, Litigation

Court will not order seizure of domain name in copyright infringement case

Plaintiffs – the owners of the copyright in photographs – sued defendants for copyright infringement over the unauthorized publication of photos on one of the business defendant’s websites that used the domain name <4umf.com>. The court awarded judgment and damages in plaintiffs’ favor when the business defendant defaulted.

Even after having received two extensions of time from the court, though, plaintifsf had not yet served the summons and complaint upon one of the individual defendants. The court ordered plaintiffs to show cause why the action should not be dismissed against that defendant for failure to serve him. In response, plaintiffs stated that despite diligent efforts, they could not identify or locate the individual plaintiff. So it asked the court – via a “motion to seize domain name” – to order the turnover of the <4umf.com> domain name for the purpose of uncovering the defendant’s true identity.

The court denied the motion. It found that plaintiffs had failed to demonstrate why the court should exercise auhority over the domain name as property subject to the court’s control and authority. It rejected plaintiffs’ attempts to liken the situation to other cases in which courts had ordered the seizure of domain names in trademark actions for over disputed domain names. “[S]eizures under the former circumstances were contemplated by the [Anticybersquatting Consumer Protection Act] to combat ‘cybersquatting.'”

The court also noted that seizure of copyrighted materials is a permissible remedy under the Copyright Act and has been granted by certain courts in some circumstances. But in this case, plaintiffs did not seek seizure pursuant to the Copyright Act § 503, nor did they seek impoundment or seizure in their complaint or motion for default. Plaintiffs sought only damages and attorneys’ fees, which the Court awarded.

Further, the court noted that plaintiffs were not seeking to reclaim their copyrighted material by seizing the six infringing photos, but rather the entirety of the domain name. The court was sympathetic – although plaintiffs may have had difficulty locating defendants and enforcing the default judgment, plaintiffs had not demonstrated why that entitled them to seizure of the whole domain name, or how seizing the domain name would facilitate identification or location of defendants or collection on the judgment. Even if seizure were appropriate at this late stage, it the court found that to be an overly broad remedy for the violations here.

BWP Media USA, Inc. v. NV Media Group, Inc., 2015 WL 2152679 (S.D.N.Y. May 6, 2015)

April 9, 2015 Privacy

Casual website visitor who watched videos was not protected under the Video Privacy Protection Act

A recent federal court decision from the Southern District of New York sheds light on what is required to be considered a “consumer” who is protected under the Video Privacy Protection Act (VPPA). The court held that a website visitor who merely visited a website once in awhile to watch videos — without establishing a more “deliberate and durable” affiliation with the website — was not a “subscriber” to the website’s services and thus the VPPA did not prohibit the alleged disclosure of information about the website visitor’s viewing habits.

Defendant was a television network that maintains a website offering video clips and episodes of many of its television shows. The website also incorporated Facebook’s software development kit which, among other things, let visitors log into websites using their Facebook credentials. This mechanism relied on cookies. If a person had chosen to remain logged into Facebook by checking the “keep me logged in” button on Facebook’s homepage, the relevant cookie would continue to operate, regardless of what the user did with the web browser. Plaintiff alleged that this mechanism caused AMC to transmit information to Facebook about the video clips she watched on the AMC site.

Plaintiff sued under the VPPA. Defendant moved to dismiss, arguing that plaintiff lacked standing under the statute and that she was not a protected “consumer” as required by the statute.

The court found that plaintiff had standing. It rejected defendant’s argument that a VPPA plaintiff must allege some injury in addition to asserting that defendant had violated the statute. “It is true . . . that Congress cannot erase Article III’s standing requirements by statutorily granting the right to sue to a plaintiff who would not otherwise have standing.” But Congress “can broaden the injuries that can support constitutional standing.”

The court next looked to whether plaintiff was a “consumer” protected under the statute. The VPPA defines the term “consumer” to include “any renter, purchaser, or subscriber of goods or services from a video tape service provider.” Absent any assertion that plaintiff was a renter or purchaser of AMC’s goods, the parties and the court focused on whether she was a “subscriber” (a term not defined in the statute).

Because plaintiff’s allegations failed to establish a relationship with defendant sufficient to characterize her as a subscribers of defendant’s goods or services, the court dismissed the VPPA claim with leave to amend. It observed: “Conventionally, ‘subscription’ entails an exchange between subscriber and provider whereby the subscriber imparts money and/or personal information in order to receive a future and recurrent benefit, whether that benefit comprises, for instance, periodical magazines, club membership, cable services, or email updates.” In this case, “[s]uch casual consumption of web content, without any attempt to affiliate with or connect to the provider, exhibit[ed] none of the critical characteristics of ‘subscription’ and therefore [did] not suffice to render [plaintiff] a subscriber of [defendant’s] services.”

Austin-Spearman v. AMC Network Entertainment LLC, 2015 WL 1539052 (S.D.N.Y. April 7, 2015)

Evan Brown is an attorney in Chicago helping clients manage issues involving technology and new media.

March 1, 2015 Section 230

Third Circuit upholds Communications Decency Act immunity for Google, Yahoo and others

Plaintiff filed suit against Google, Yahoo and some unknown (John Doe) defendants for defamation, tortious interference with contract, and negligent and intentional infliction of emotional distress based on various online postings. The district court dismissed the complaint, holding that the Communications Decency Act (47 U.S.C. §230) provided immunity to defendants over the third party content giving rise to the complaint. Section 230 provides, in relevant part, that “[n]o provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.” Because defendants were not the creators of the information, and the claims attempted to treat them as the publisher or speaker of that content, Section 230 barred the claims.

Kabbaj v. Google, Inc., 2015 WL 534864 (3rd Cir. Feb. 10, 2015)

About the Author: Evan Brown is a Chicago technology and intellectual property attorney. Call Evan at (630) 362-7237, send email to ebrown [at] internetcases.com, or follow him on Twitter @internetcases. Read Evan’s other blog, UDRP Tracker, for information about domain name disputes.

February 20, 2015 Anonymity, Defamation

Complaint site does not have to identify its users

Petitioner filed an action in New York state court seeking to compel PissedConsumer.com to disclose the identity of the person or persons who posted certain statements to the site. These statements criticized petitioner for allegedly failing to fulfill an advertising promise to give the user a $500 gas card. The anonymous user went on to complain that petitioner “will forget about you and … all the promises they made to you” once “you sign on the dotted line.”

The trial court denied the petition to compel PissedConsumer.com to turn over the names of its users. Petitioner sought review with the Appellate Division. On appeal, the court affirmed.

It held that the lower court properly denied the petition since petitioner failed to demonstrate that it had a meritorious cause of action as required to obtain pre-action discovery:

Nothing in the petition identifies specific facts that are false and when the statements complained of are viewed in context, they suggest to a reasonable reader that the writer was a dissatisfied customer who utilized respondent’s consumers’ grievance website to express an opinion. Although some of the statements are based on undisclosed, unfavorable facts known to the writer, the disgruntled tone, anonymous posting, and predominant use of statements that cannot be definitively proven true or false, supports the finding that the challenged statements are only susceptible of a non-defamatory meaning, grounded in opinion.

The court seemed to recognize the importance of anonymous speech, and that one must not lightly cast aside its protections. If you’re going to go after an online critic, best have a cause of action that you can actually plead.

Woodbridge Structured Funding, LLC v. Pissed Consumer, — N.Y.S.2d —, 2015 WL 686383, (February 19, 2015)

Evan Brown is an attorney in Chicago helping clients with technology, intellectual property and new media issues.

January 28, 2015 About This Site

internetcases turns 10 years old today

Ten years ago today, somewhat on a whim, yet to fulfill a need I saw for discussion about the law of the internet in the “blogosphere” (a term we loved dearly back then), I launched internetcases.

What started as a one-page handwritten pamphlet that I would mimeograph in the basement of my one-bedroom apartment and then foist upon unsuspecting people on street corners has in ten years turned into a billion dollar conglomerate and network. internetcases is now translated into 7 languages daily and employs a staff of thousands to do the Lord’s work fighting Ebola and terrorism on 4 continents. Or it’s a WordPress install on some cheap GoDaddy space and I write when I can.

All seriousness aside, on this 10th anniversary, I want to sincerely thank my loyal readers and followers. Writing this blog has been the single most satisfying thing I’ve done in my professional life, and I am immensely grateful for the knowledge it has helped me develop, the opportunities for personal brand development it has given (speaking, press, media opportunities), but most of all, I’m grateful for the hundreds of people it has enabled me to connect with and get to know.

Blogging (and the web in general) has changed a lot in 10 years. And the legal issues arising from the internet continue to challenge us to stretch our thinking and amp up our powers of analysis. It’s great to have a platform on the web from which to share news and thoughts about the role that technology plays in shaping our legal rules and our culture.

Thanks all.

Scroll to top