Blog

November 1, 2012 Uncategorized

Online terms of service were not effective to prohibit data scraping

CollegeSource, Inc. v. AcademyOne, Inc., 2012 WL 5269213 (E.D. Pa. October 25, 2012)

paint scraping

Plaintiff sued its competitor, another platform for providing online college transfer services. Among other things, plaintiff alleged that defendant breached plaintiff’s online terms of service, violated the Computer Fraud and Abuse Act, and was unjustly enriched by copying and “scraping” course catalog information from plaintiff’s service and using that collected data to populate defendant’s own database.

Defendant moved for summary judgment on these claims. The court granted the motion.

Breach of Contract

The court held that defendant’s scraping and collection efforts did not fall within the scope of plaintiff’s online terms of service.

Although certain of defendant’s employees had subscribed to plaintiff’s premium services (and thereby agreed to tems of service that prohibited data scraping), the documents and information defendants used were gathered through a different service. Plaintiffs provided a function called “CataLink”, through which colleges could link website visitors to documents stored on plaintiff’s server. End users clicking on those links would not be presented with any terms of service by which to be bound.

Plaintiffs attempted an unsuccessful workaround on this point, arguing that the terms for the subscription services bound users of all “Services” provided by plaintiff (including the separate CataLink services). The court rejected this argument, finding it possible that a typical user may never even have known he visited a CataLink link. Moreover, the court found, if plaintiff had intended its subscriber agreement to include CataLink, it did not make its intention clear.

Unjust Enrichment

The court held that plaintiff’s unjust enrichment claim was preempted by the Copyright Act. Plaintiff asserted that defendant was unjustly enriched because it copied and displayed on its website course descriptions from plaintiff’s catalogs, and in doing so derived a financial benefit. And plaintiff argued that the facts in this case differed substantially from those required to state a claim for copyright infringement, in that defendant had misrepresented, or had taken in an underhanded way. But the court found that these elements (misrepresentation and acting underhandedly) did not avoid preemption. Nor did the element of “benefit conferred” defeat preemption, since a copyright infringer always accepts the benefit of the copyrighted work.

Computer Fraud and Abuse Act

The court found that defendant did not violate the Computer Fraud and Abuse Act, because the documents alleged to have been copied were available to the general public. And since plaintiff obtained the documents using the CataLink service — which, as discussed above was not subject to the terms of service — there were no contractual restrictions to define “without authorization” or “exceed[ing] authorized access” as used in the CFAA.

Image courtesy Flickr user fontplaydotcom under this Creative Commons license.

October 30, 2012 Copyright, DMCA

Court rules against Ripoff Report in copyright case

Xcentric Ventures, LLC v. Mediolex Ltd., 2012 WL 5269403 (D.Ariz. October 24, 2012)

Plaintiff Xcentric Ventures provides the infamous Ripoff Report, a website where consumers can go to defame complain about businesses they have dealt with. Defendant ComplaintsBoard.com is a similar kind of website.

Ripoff Report’s Terms of Service provide that users grant Ripoff Report an exclusive license in the content they post to the site. Based on this right, Xcentric sued various defendants associated with ComplaintsBoard for “encourag[ing] and permit[ing] consumers to post content that has been exclusively licensed to Xcentric.”

Defendants moved to dismiss the copyright infringement claim, asserting they were protected by the safe harbor provision of the Digital Millennium Copyright Act (“DMCA”). The court granted the motion to dismiss, but not because of the DMCA.

DMCA Analysis

The safe harbor provision of the DMCA states that a “service provider shall not be liable for monetary relief” if all of the following requirements are met:

(1) it does not have actual knowledge that the material on its network is infringing;

(2) it is not aware of facts or circumstances that would make the infringing activity apparent;and

(3) upon obtaining knowledge or awareness of such infringing activity, it acts expeditiously to remove or disable access to the copyrighted material.

In this case, Xcentric alleged that defendants actively “encouraged and permitted” copyright infringement by ComplaintsBoard users. The court held that this allegation, if taken as true, could be sufficient to preclude defendants from taking advantage of the DMCA’s safe harbor provisions.

But the court went on to hold that Xcentric had failed to state a copyright claim on which relief may be granted.

Secondary Liability Insufficiently Pled

Xcentric did not allege that defendants directly infringed copyright. Instead, it alleged that by encouraging and permitting users to copy and republish material, ComplaintsBoard was engaged in secondary infringement — either vicarious or contributory infringement.

To state a claim for contributory copyright infringement, Xcentric had to plead that ComplaintsBoard had knowledge of the infringing activity and induced, caused, or materially contributed to the infringing conduct of its users. The court found that Xcentric had not alleged any facts that would lead to a reasonable inference that defendants knew of their users’ republishing Xcentric’s copyrighted content or that defendants had induced, caused, or materially contributed to such republication.

To successfully plead vicarious infringement, Xcentric had to show that defendants had the right and ability to supervise the infringing activity and also had a direct financial interest in those activities. The court found that Xcentric had not put forward enought facts to show that defendants had the right and ability to supervise the infringing activity.

October 24, 2012 Computer Crime, Privacy

Class action against Path faces uphill climb

Hernandez v. Path, Inc., 2012 WL 5194120 (N.D.Cal. October 19, 2012)

uphill path

Earlier this year plaintiff filed a class action lawsuit against photo app provider Path, alleging ten claims relating to Path’s alleged surreptitious collecting of mobile device address books and installation of tracking software. Path moved to dismiss the lawsuit for lack of standing and for failure to state a claim. The court held that plaintiff had standing to pursue the case, but dismissed some of the claims.

Standing

The court found that alleged depletion of “two to three seconds of battery capacity” was de minimus and thus not sufficient to support the injury-in-fact plaintiff was required to show. Citing to the fairly recent case of Krottner v. Starbucks, the court found that the hypothetical threat of future harm due to a security risk to plaintiff’s personal information was insufficient to confer standing. The only basis on which the court found there to be a sufficient claim of injury to support standing was the (hard to believe) claim by plaintiff that he would have to spend $12,500 to pay a professional to remove the Path app and related data from his phone.

The Dismissed Claims

The court dismissed for failure to state a claim (with leave to amend) plaintiff’s claims under the Electronic Communications Privacy Act (ECPA), Stored Communications Act (SCA), California wiretapping statute, state common law privacy, conversion and trespass.

ECPA and California Wiretapping Statute Claim. The court dismissed the ECPA and California Wiretapping Statute claims, finding that the complaint did not allege that Path intercepted any communication contemporaneous with its transmission. At best (from plaintiff’s perspective), it appears that Path gathered information on social networking sites after it was transmitted. And the uploading of the address books does not appear to have qualified as a communication under these statutes.

SCA Claim. The SCA claim failed “on multiple fronts.” Plaintiff was not a provider of electronic communication services and his iPhone was not a facility through which such service was provided. So Path’s alleged access did not come within the prohibition of the SCA. Moreover, the address books were not communications to which the SCA applied, because they were not in “electronic storage” as defined by the SCA, namely, being in temporary, intermediate storage incidental to their electronic transmission. (We see a similar issue in the recent Jennings case from South Carolina.)

State Common Law Privacy. This claim would have required plaintiff to show (1) public disclosure (2) of private facts (3) which would be offensive and objectionable to the reasonable person and (4) which is not of legitimate public concern. The court found there was no public disclosure, only Path’s storage of data on its servers.

Conversion. Under California law, to be successful on a claim of conversion, plaintiff would have had to plead and prove “ownership or right to possession of property, wrongful disposition of the property right and damages.” The court dismissed this claim because plaintiff pled only that Path copied the data, not dispossessing him of it. (As an aside, it’s this very point that underscores my common admonition to copyright maximalists that infringement is not “theft,” because theft involves dispossession. End of digression.)

Trespass. The California common law action of trespass in the computer context requires a plaintiff to show that (1) defendant intentionally and without authorization interfered with plaintiff’s possessory interest in a computer system; and (2) defendant’s unauthorized use proximately resulted in damage to plaintiff. The tort “does not encompass … an electronic communication that neither damages the recipient computer system nor impairs its functioning.” Intel v. Hamidi, 30 Cal.4th 1342 (Cal. 2003). In this case, plaintiff did not allege that the functioning of his mobile device was significantly impaired to the degree that would enable him to plead the elements of a trespass. The court found that any depletion of his mobile device’s finite resources was a de minimis injury. (See the standing analysis above.)

The Remaining Claims

The claims for violations of the California Computer Crime Law, Californa’s Unfair Competition Law (Section 17200), negligence and unjust enrichment remain in the case.

California Computer Crime Law. Based on the limited briefing, the court could not conclude as a matter of law whether Path’s alleged conduct fell outside this statute. The question remains whether providing the app which plaintiff voluntarily downloaded and installed on his iPhone provided undisclosed software code that surreptitiously transferred plaintiff’s data.

Californa’s Unfair Competition Law. This statute prohibits “any unlawful, unfair or fraudulent business act or practice.” The court found that the conduct alleged in the complaint, if true, constituted an unlawful or unfair act or practice within the meaning of the statute. It found that plaintiff had failed to allege any fraudulent practice, but since plaintiff met the first two prongs (unlawfulness and unfairness), the claim survived.

Negligence. Plaintiff alleged that Path owed a duty to plaintiff to protect his personal information and data property and take reasonable steps to protect him from the wrongful taking of such information and the wrongful invasion of privacy. Path allegedly breached this duty by, among other things, accessing and uploading data from plaintiff’s phone, storing that data in an unsecure manner, and transmitting the data to third parties. Path relied on In re iPhone Application Litigation to argue it had no duty to plaintiff. In that decision, Judge Koh held that plaintiffs had not yet adequately pled or identified a legal duty on the part of Apple to protect users’ personal information from third-party app developers. This case was different because Path was a third party developer. Despite the existence of a duty, plaintiff’s claims of damages (here’s the $12,500 repair bill issue again) will likely face substantial challenges as the case progresses.

Unjust Enrichment. Path argued that unjust enrichment was not a cause of action under California law. The court cited to cases suggesting that California law does indeed recognize such a claim and kept in in this case.

Photo credit Flickr user stormwarning under this Creative Commons license.

October 18, 2012 First Amendment

Eighth Circuit rules against students’ free speech claim over offensive website

S.J.W. v. Lee’s Summit R-7 School District, No. 12-1727 (8th Cir. October 17, 2012)

Plaintiffs (twin brothers) created a blog that contained offensive, racist and sexually explicit content targeting their high school classmates by name. The school district suspended the brothers for 180 days. Plaintiffs got a preliminary injunction against the suspension, and the school district sought review with the Eighth Circuit. On appeal, the court reversed, and ordered that the suspension should not have been halted by the injunction.

students talking

The court held that under the Tinker analysis (Tinker is the leading case from the Supreme Court dealing with student free speech), the blog posts could reasonably have been expected to reach the school or impact the environment. Paired with the considerable disturbance and disruption at school because of the content, the court found that the lower court improperly held that the plaintiffs would have a successful First Amendment argument.

Moreover, the appellate court held that the plaintiffs had not shown irreparable harm from their suspension. They were able to enroll at another local accredited school, and the harm to their future music careers from not being able to try out for band was merely speculative.

Photo courtesy Flickr user davitydave under this Creative Commons license.

October 17, 2012 Privacy

Fear of crime exception made recording phone call okay under eavesdropping statute

Carroll v. Merrill Lynch, No. 12-1076 (7th Cir. October 16, 2012)

Late in the evening on Thanksgiving Day 2005, plaintiff called her co-worker at home and started yelling profanities. The co-worker’s wife picked up another phone on the line and, becoming alarmed at the threatening nature of the conversation, began recording the call.

rotary phone

Plaintiff sued under the Illinois eavesdropping statute, 720 ILCS 5/14. Defendants moved for summary judgment, arguing that the recording was covered under the “fear of crime” exception to the statute. The lower court granted the motion for summary judgment and plaintiff sought review with the Seventh Circuit. On appeal, the court affirmed the award of summary judgment.

The Illinois eavesdropping statute prohibits recording a conversation unless all parties consent to the recording. But that general rule is subject to a bunch of exceptions, such as recordings made:

under reasonable suspicion that another party to the conversation is committing, is about to commit, or has committed a criminal offense against the person or a member of his or her immediate household, and there is reason to believe that evidence of the criminal offense may be obtained by the recording

In this case, the court held that the wife had both a subjective and objective belief that the plaintiff would, at minimum, vandalize their home. Since plaintiff introduced no evidence to create a genuine issue of material fact on the question of the wife’s asserted fear of a crime being committed, summary judgment had been properly granted.

Photo courtesy Vincent Van Der Pas under this Creative Commons license.

October 7, 2012 Computer Crime, Employment, Trademarks

No Computer Fraud and Abuse Act violation for taking over former employee’s LinkedIn account

Eagle v. Morgan, 2012 WL 4739436 (E.D.Pa. October 4, 2012)

After plaintiff was fired as an executive, her former employer (using the password known by another employee) took over plaintiff’s LinkedIn account. It kept all of plaintiff’s contacts and recommendations but switched out plaintiff’s name and photo with those of the new CEO.

LinkedIn identity writ large

Plaintiff sued in federal court under the Computer Fraud and Abuse Act, the Lanham Act, and a slew of state law claims including identity theft, conversion and tortious interference. The former employer moved for summary judgment on the CFAA and Lanham Act claims. The court granted the motion, but continued to exercise supplemental jurisdiction over the state law claims.

On the CFAA claim, the court found that plaintiff failed to show how the taking over over her account gave rise to a cognizable loss under the CFAA. The kinds of losses she tried to prove, e.g., lost future business opportunities and professional reputation, did not pertain to any impairment or damage to a computer or computer system. Moreover, the court found, plaintiff failed to specify or quantify the damages she alleged.

As for the Lanham Act claim, the court found that there was no likelihood of confusion. It noted that “anyone who navigated to [plaintiff’s] LinkedIn account would be met with [the new CEO’s] name, photograph and new position.” Accordingly, there was no effort to “pass off” the new CEO as plaintiff or to otherwise suggest an endorsement or affiliation.

Though it dismissed all the federal claims, the court kept the pending state law claims. The matter had been before the court for over a year, the judge was familiar with the facts and the parties, and dismissing it so soon before trial would not have been fair.

Other coverage by Venkat.

Photo credit: Flickr user smi23le under this Creative Commons license.

September 10, 2012 Contracts

GoDaddy outage reminds us why limitation of liability clauses are important

The legal team at GoDaddy today probably had more than one conversation about Section 13 of the company’s Universal Terms of Service. That Section contains pretty widely used language which limits how badly GoDaddy could get hurt by an epic failure of its system like the one that happened today.

We are conspicuously told that:

IN NO EVENT SHALL Go Daddy, ITS OFFICERS, DIRECTORS, EMPLOYEES, OR AGENTS BE LIABLE TO YOU OR ANY OTHER PERSON OR ENTITY FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES WHATSOEVER . . .

Language like this is critical to technology service agreements. Today’s huge blackout illustrates the extent to which GoDaddy would be on the hook if such a limitation were not in place. Thousands of sites were offline for hours, losing uncountable pageviews and ecommerce sales. Holding GoDaddy responsible for those millions of lost dollars (which would be in the categories of indirect, special and consequential damages) could put a company into bankruptcy. GoDaddy would be big enough (probably) to pick up the tab in such a situation once or twice. Smaller enterprises would likely not be as lucky.

This kid is like GoDady inasmuch as he's trying to limit his liability.

To illustrate the effect of limitation of liability clauses, I have often used the example of similar language in Microsoft’s end user license agreement for Office. Because that is there, you cannot go after Microsoft for the business you lose if Word fails on your computer and you miss the deadline for submitting that big proposal. After today we have a new, perhaps more relevant example. GoDaddy would be pretty protected if you claim that you missed out on that million dollar client because your website was down.

So if you were looking for me through my site today, let me know, so I can send a bill for what you would have paid me to GoDaddy. Then again, I guess I’ve already shown why that won’t get paid.

Photo courtesy Flickr user Mikol under this Creative Commons license.

September 7, 2012 Copyright, Litigation

BitTorrent defendant not negligent for failing to secure home Wi-Fi network

AF Holdings, LLC v. Doe, 2012 WL 3835102 (N.D. Cal., September 4, 2012)

Copyright troll plaintiff AF Holdings sued defendant for, among other things, negligence for failing to secure his home wi-fi network. Plaintiff argued that defendant’s inaction allowed a third-party to commit large-scale infringement of AF Holdings’ copyrighted works.

Defendant moved to dismiss for failure to state a claim. The court granted the motion and dismissed the negligence claim.

It held that a defendant like the one in this case had no duty to protect another from harm in this situation of “non-feasance” (i.e, failing to do something) unless a special relationship existed which would give rise to such duty. In law school this principal is articulated through the hypothetical of standing on a lakeshore watching someone drowning — you don’t have to jump in to save the person unless you are a lifeguard (or the victim’s parent, or a member of some other very limited class).

The court found that no special relationship existed here, thus plaintiff had not articulated any basis for imposing on defendant a legal duty to prevent the infringement of plaintiff’s copyrighted works.

We talked about this issue, along with other issues like copyright preemption, as it arose in a different case back on Episode 170 of This Week in Law beginning at about the 19 minute 40 second mark:

September 6, 2012 Litigation, Personal Jurisdiction, Service of Process

Social media activity proved employee could be served with process

Clint Pharmaceuticals v. Northfield Urgent Care, LLC, 2012 WL 3792546 (Minn. App., September 4, 2012)

Appellant, a healthcare clinic organized as an LLC in Minnesota, got sued in Tennessee. It never showed up to defend itself, so the Tennessee court entered a default judgment against it. When the plaintiff sought to have the Tennessee judgment recognized in Minnesota, the clinic challenged the underlying lawsuit, claiming that the court in Tennessee did not have personal jurisdiction over the clinic, as it had not been properly served with the civil “warrant”.

these leaves are intertwined, just like the employee in this case was with the healthcare clinic

In this case, the court found that the clinic had been properly served because the papers were opened by the wife of the clinic’s owner. The court found she was “intertwined” with the clinic, and should have known what to do with the papers, based in part on the fact that she was “prominently displayed” on the clinic’s website and interacted with commenters on the clinic’s Facebook page.

Photo courtesy Flickr user jenny downing under this Creative Commons license.

Scroll to top