Blog

January 29, 2024 Section 230

Zillow gets win in case alleging fraudulent online auction notices

section 230

Plaintiff sued Zillow and some other parties in federal court, claiming they engaged in a conspiracy to defraud her by illegally foreclosing on her home. She apparently claimed that Zillow “illegally” published information regarding the property at issue on its website, including listing it “for auction.”

Zillow moved to dismiss for failure to state a claim. The court granted the motion. It held that Section 230 (47 U.S.C. 230) immunized Zillow from liability. This statute immunizes providers of interactive computer services against liability arising from content created by third parties.

The court found that Zillow was an “interactive computer service,” demonstrated by how its website stated that it is “reimagining the traditional rules of real estate to make it easier than ever to move from one home to the next.”

It also found that plaintiff’s claims sought to hold Zillow liable for posting “auction notices”. But since the court did not believe plaintiff could demonstrate that Zillow developed or created this content, it found that plaintiff’s claims fell squarely within the purview of Section 230.

Choudhuri v. Specialised Loan Servicing, 2024 WL 308258 (N.D. Cal., January 26, 2024)

See also:

 

 

January 27, 2024 Computer Crime

Can one be liable for hacking by depositing fake checks into an ATM?

ATM fraud

If a person uses an ATM to deposit fraudulent checks, is the person liable for computer fraud? A recent criminal case answers that question, at least as far as Virginia state law would address the situation.

Depositing checks

Defendant deposited four checks at an ATM. These checks were later identified as forgeries or linked to a closed account, leading to the bank losing around $937. Security footage confirmed defendant’s involvement. During subsequent police interrogation, defendant acknowledged depositing the checks but denied knowing the man on whose account they were drawn, or the checks’ origins. At trial, she claimed her stepfather had given them to her, and that she believed he had earned them from construction work. Her mother supported this claim. The man on whose account the checks were drawn denied writing the checks, suspecting they were stolen from his truck.

Convicted for computer fraud, but…

At trial, defendant was convicted of multiple offenses, including uttering forged checks, obtaining money by false pretenses, computer fraud (under Virginia Code § 18.2-152.3), and failure to appear, resulting in a lengthy prison sentence. On appeal, a three-judge panel reversed her conviction for computer fraud, finding the evidence insufficient to show that the she acted “without authority” in using the ATM do deposit the checks.

The appellate court saw it differently

The government asked the court to reconsider the question en banc (i.e., with the full court, not just the three judge panel). The full court likewise determined the conviction for computer fraud should be reversed.

The court held that the term “without authority” in the statute specifically pertained to the use of a computer or network, not necessarily the intent or outcome of such use. It concluded that defendant, as a bank customer, had the right to use the ATM. Her actions, albeit for fraudulent purposes, did not equate to using the ATM without authority. Accordingly, the court reversed her conviction for computer fraud, differentiating between the unlawful purpose of an action and the unauthorized use of a computer or network as defined by the statute.

Wallace v. Commonwealth, — S.E.2d —, 2024 WL 236297 (Ct. App. Va., January 23, 2024) [Link to Opinion]

See also:

January 26, 2024 Contracts, Litigation

Click to Agree: Online clickwrap agreements steered bank lawsuit to arbitration

online terms and conditions

Plaintiffs sued their bank alleging various claims under state law. The bank moved to compel arbitration based on various online clickwrap agreements plaintiffs had entered into.

One of the clickwrap agreements required plaintiffs to scroll through the entire agreement and then click an “Acknowledge” button before continuing to the next step. Citing to the case of Meyer v. Uber, 868 F.3d 66 (2d Cir. 2017), the court observed that “[c]ourts routinely uphold clickwrap agreements for the principal reason that the user has affirmatively assented to the terms of agreement by clicking ‘I agree.'”

Similarly, for the other relevant agreements, plaintiffs were required to click a box acknowledging that they agreed to those agreements before they could obtain access to digital products. Again, citing to the Meyer case: “A reasonable user would know that by clicking the registration button, he was agreeing to the terms and conditions accessible via the hyperlink, whether he clicked on the hyperlink or not.” By affirmatively clicking the acknowledgement, plaintiffs manifested their assent to the terms of the these agreements.

Curtis v. JPMorgan Chase Bank, N.A., 2024 WL 283474 (S.D.N.Y., January 25, 2024)

See also:

January 26, 2024 Contracts, Licensing

Disclaimer in software license agreement protected vendor from liability

software license disclaimer

A recent federal court case alleging breach of contract over failure of software to perform highlights the importance of careful drafting and review of disclaimer and other language in technology contracts.

Loss of livelihood

In 2021, a federal court entered an order that permanently barred plaintiff from preparing tax returns for other people. The court’s order apparently addressed past deficiencies in plaintiff’s past tax filings. In 2017, when using TaxWise software, plaintiff did not attach certain required forms to the tax returns.

No doubt this caused extreme hardship for plaintiff, so he sought to recover by blaming the software company – the defendant in this case – for a malfunction in the software that caused the required forms to be omitted.

He sued for breach of contract. Defendant moved to dismiss. The court granted the motion.

The lawsuit was too late

It held that plaintiff’s suit was untimely because the software license agreement contained a provision saying that any such claim had to be commenced within one year from the date such claim or cause of action first arose. The court rejected plaintiff’s argument that by bringing suit in January 2023, he was within the one year period because his first payment of a fine to the IRS was due in January 2022. Instead, the court held that the one year period for bringing suit began to run when the alleged breach occurred, i.e., in 2017 when the software allegedly malfunctioned.

Disclaimers knocked out the complaint

The court also held that certain disclaimer language in the software agreement served to defeat plaintiff’s claims as to the software’s performance. The agreement stated that plaintiff “expressly disclaim[ed] any representations or warranties that [his] use of the Products will satisfy any statutory or regulatory obligations, or will assist with, guarantee or otherwise ensure compliance with any applicable laws or regulations.” Moreover, the contract stated that plaintiff bore “THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PRODUCT(S), INCLUDING ELECTRONIC FILING” and so the court found that this eliminated plaintiff’s ability to shift that responsibility to the software provider.

Diedrich v. Wolters Kluwer, 2024 WL 291156 (S.D.N.Y., January 25, 2024)

See also:

January 24, 2024 Privacy

Website cookie banner was not enough for cruise line to sink federal wiretap lawsuit

cookie banner

Plaintiffs sued Carnival Cruise Line because they were upset about how much information carnival.com collected when they visited the site. “On carnival.com, no action goes unnoticed. Every click is counted, every keystroke is collected, and every cursor movement is catalogued.”

The claims centered around Carnival’s use of Clarity – a Microsoft session replay software that was deployed onto the user’s browser to collect a wide variety of information about the user’s system and browsing behavior. That collection was not limited to information from carnival.com. Clarity allegedly assigned each user a specific id that it used to associate and aggregate browsing behavior across all Clarity-enabled websites.

Plaintiffs asserted several claims, including one under the federal Electronic Communications Privacy Act (18 U.S.C. 2510 et seq.) (“ECPA”). They complained that Carnival intercepted Plaintiffs’ personal information, including their passport number, driver’s license number, date of birth, home address, phone number, email address and payment information, and used that information to trace users’ browsing history on other sites.

Carnival moved to dismiss for failure to state a claim under the ECPA. The court denied the motion.

No “party to the communication” exception

Carnival argued that the “party to the communication” exception of the ECPA absolved it of liability. 18 U.S.C. 2511(2)(d) provides that “[i]t shall not be unlawful … for a person … to intercept a[n] electronic communication where such person is a party to the communication.” But plaintiffs asserted that Microsoft, as the provider of the session replay code software, was a third party to the communication of the browsing information. Courts sometimes find third parties to be merely “extensions” of a website when such third parties’ services “merely function as a tape recorder.” But in this case, citing to Javier v. Assurance IQ, LLC, 649 F. Supp. 3d 891 (N.D. Cal. 2023), the court declined to find that Clarity had such limited functionality. The main problem for Carnival was that Clarity did more than just serve as a “tape recorder” – it used data to generate analytics such as heatmaps of user engagement and profiles of browsing history on other sites.

No consent for third party interception

Carnival also argued that the ECPA claim should be dismissed because plaintiffs had consented to the interception of their information. The court rejected this argument.

Carnival’s first argued that by merely sending a communication over the internet, plaintiffs expressed their consent. It cited to a 2001 Pennsylvania decision called Commonwealth v. Proetto, a criminal case in which that court found that a defendant accused of improperly soliciting a 15-year-old girl online could not claim that the girl’s decision to print out the defendant’s chat communication violated defendant’s right of privacy. In other words, the Pretto case stands for the notion that when one sends something over the internet, he or she loses control, from a privacy standpoint, over what the recipient will do with that information. The court distinguished the Proetto case, however, noting that it did not cover third-party interception, focusing instead on direct communication between two parties, and emphasizing that consent is given specifically to the receiver, not any incidental third party. This distinction was crucial in the present case, as Carnival needed to demonstrate that plaintiffs consented not just to Carnival, but also to third-party session replay providers – such as Microsoft in providing Clarity – involved in data collection.

So Carnival cited to Farst v. AutoZone, Inc., 2023 WL 7179807 (M.D. Pa. 2023) wherein the court dismissed similar claims in the context of online shopping, deeming it a public activity with no expectation of privacy in browsing habits. The court distinguished the Farst case, however, by noting that it did not focus not on the collection of sensitive information like this case did. In the current case, plaintiffs had made concrete allegations regarding the interception of sensitive information (e.g., driver’s license number, date of birth, home address).

Carnival’s second argument for plaintiffs’ consent to its recording policy hinged on a “Cookie Policy” banner on its website, suggesting that continued use of the site provided consent to the policy. Plaintiffs countered this by asserting that the website did not adequately notify users of this recording, and interaction with the site was possible without reviewing or agreeing to any privacy policy. The court observed that in assessing the validity of such “browsewrap” agreements, it should consider whether a website provides sufficient notice to a reasonably prudent user about the terms of the contract. In this case, the Cookie Policy banner was less noticeable due to its smaller text, inconspicuous color scheme, and placement away from key user interaction points, like large “SHOP NOW” or “SEARCH CRUISES” buttons. There was also no evidence that the banner appeared immediately or remained visible throughout a user’s visit. Consequently, the court found that – based on the facts alleged – a reasonably prudent user would not be adequately informed of the terms, siding with plaintiffs’ claim that they did not consent to the interception of their communications.

Rejection of Carnival’s other ECPA arguments

In denying the motion to dismiss the ECPA claims, the court rejected Carnival’s remaining arguments as well.

The court found that based on the facts alleged in the complaint, it was plausible to believe that the transmission of the information was contemporaneous, thereby qualifying as an “interception” under the statute.

It found that the information transmitted was not merely “record information” but that information such as an intent to travel, dates and locations were actual “contents” of the alleged communications.

And it rejected Carnival’s argument that the offending session replay code comprising Clarity was not a “device” prohibited by the statute. Carnival contended that it did not meet the definition of a “device” in the context of wiretapping laws, arguing that a “device” should be a physical object. The court held that that the combination of software and hardware involved in this case fell under the ambit of “device” as contemplated by the statute.

Price v. Carnival Corporation, 2024 WL 221437 (S.D. Cal., January 19, 2024)

See also:

January 23, 2024 Personal Jurisdiction

RFK Jr.’s online defamation case against Daily Kos writer tossed on jurisdictional grounds

online defamation

Presidential candidate Robert Kennedy Jr. sued Daily Kos writer David Vickery over a blog post Daily Kos published on August 29, 2020. The post described Kennedy’s participation in a Berlin protest against COVID-19 measures and included various allegations that Kennedy asserted were untrue.

Jurisdictional Challenges

Vickery moved to dismiss the case, arguing the federal court sitting in New Hampshire where plaintiff brought the suit had no personal jurisdiction over Vickery. Kennedy argued that the New Hampshire court could exercise specific personal jurisdiction over Vickrey, based on the effects of the alleged defamation in New Hampshire. But Vickery argued his connection with New Hampshire was minimal – he resided in Maine, had not worked in New Hampshire for over a decade, and did not engage in activities connecting him to the state in the context of the Daily Kos article.

Court’s Analysis and Decision

Applying the principles laid out in the well-known case of Calder v. Jones, the court evaluated the “purposeful availment” aspect of personal jurisdiction. The court observed that Kennedy needed to demonstrate that Vickrey intentionally directed his conduct towards New Hampshire, anticipating that the impact of his actions would be felt there. But the court found that Kennedy’s claims did not hold up under this scrutiny. It found that the article was published long before Kennedy’s presidential run, negating any intention to influence New Hampshire voters specifically. And the continuation of the article’s online presence did not equate to republishing, a key consideration in defamation cases.

Conclusion

So the court ruled in favor of Vickrey, granting his motion to dismiss due to the lack of personal jurisdiction. Kennedy’s motion for preliminary discovery and an evidentiary hearing on the jurisdictional issue was also denied.

Kennedy v. Vickrey, 2024 WL 232104 (D.N.H., January 22, 2024)

See also:

January 20, 2024 Computer Crime

Court dismisses hacking claim in fraudulent refund case

hacking claim fraudulent

Plaintiff is a lawyer who represented defendant in defendant’s divorce proceedings. During those proceedings, defendant terminated the representation and clawed back money he had paid plaintiff, which plaintiff claimed was properly paid. Plaintiff alleged this was a fraudulent act that resulted in a violation of the Computer Fraud and Abuse Act (“CFAA”) as well as several state law claims.

Plaintiff sued under the CFAA. Defendant moved to dismiss the claim. The court granted the motion.

The CFAA if the federal “anti-hacking” statute. It creates criminal and civil liability, among other things, for whoever intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains information from any protected computer.

The court held that plaintiff’s complaint did not plausibly allege facts showing that in his attempt to get the credit card company and bank to return the money he previously paid to plaintiff, defendant accessed a protected computer without authorization or while exceeding his authorized access in violation of the statute.

If found that plaintiff accused defendant of filing fraudulent complaints and refund requests with Chase Bank and American Express through their websites. However, there were no allegations saying he did anything than access publicly available websites. In line with the holding of hiQ Labs, Inc. v. LinkedIn Corp., 31 F.4th 1180 (9th Cir. 2022), this did not constitute “access without authorization” since no special permission was needed to access these areas. Using the language of hiQ, it noted that publicly available webpages have “erected no gates to lift or lower in the first place”.

Even if defendant had used password-protected sections, the court found there were no assertions that defendant did so without authorization or exceeded his authorized access, such as using false credentials or accessing restricted information.

The court also examined plaintiff’s allegations that defendant violated AmEx’s terms of service by using the website for fraudulent purposes. It found that these allegations alone did not establish liability under the CFAA. Since there were no facts indicating that defendant’s actions were analogous to computer misconduct like “breaking and entering,” which the CFAA aims to combat, the court granted the motion to dismiss.

Watters v. Breja, 2024 WL 201356 (N.D. Cal. January 18, 2024)

See also:

 

January 17, 2024 Litigation, Section 230

Section 230 protected Meta from claims of discrimination for taking down Palestinian content

meta section 230

Pro se plaintiff sued Meta seeking to hold it liable for allegedly removing certain “Muslim and/or Palestinian content” while preserving “unspecified Jewish and/or Israeli content” and for allegedly banning certain Muslim users, while allowing unspecified Jewish users to continue using Meta’s services. He brought a civil rights claim for unlawful discrimination on the basis of religion in violation of  Title II of the Civil Rights Act of 1964.

Meta moved to dismiss, arguing, among other things, that plaintiff lacked standing. The lower court granted the motion. Plaintiff sought review with the Third Circuit. On appeal, the court affirmed the dismissal.

No “informational injury”

The court observed that plaintiff had not alleged that he owned, created, controlled or had any personal involvement with the removed content other than having previously viewed it. Nor had he alleged any personal involvement with the banned users. Likewise, he had not argued that he was denied the same level of service that Meta offered to all its users. Instead, he had argued that he was entitled to relief as a Muslim being discriminated against by having Muslim-related news removed while Jewish content remained.

The court examined whether plaintiff could establish standing under the “information injury” doctrine. To establish standing under the informational injury doctrine, plaintiff “need[ed] only allege that [he] was denied information to which [he] was legally entitled, and that the denial caused some adverse consequence related to the purpose of the statute.” It went on to note that an entitlement to information allegedly withheld is the “sine qua non” of the informational injury doctrine.

It held that plaintiff had failed to establish standing under this doctrine because he did not show that he was legally entitled to the publication of the requested content or the removal of other content. Title II does not create a right to information. And the statute could not be understood as granting him a right to relief because he did not allege that he was personally denied the full and equal enjoyment of Meta’s services. Moreover, plaintiff was without relief under Title II because the statute is limited to physical structures of accommodations, and Meta, for purposes of the statute was not a “place of public accommodation.”

Section 230 Classics

And in any event, 47 U.S.C. § 230 precluded the court from entertaining these claims, which would have sought to hold Meta liable for its exercise of a publisher’s traditional editorial functions – such as deciding whether to publish, withdraw, postpone, or alter content. On this point, the court looked to the classic Section 230 holdings in Green v. America Online (AOL), 318 F.3d 465,(3d Cir. 2003) and Zeran v. America Online, Inc., 129 F.3d 327 (4th Cir. 1997).

Elansari v. Meta, Inc., 2024 WL 163080 (3d. Cir. January 16, 2024) (Not selected for official publication)

See also:

 

January 16, 2024 Trademarks

Who owns the trademark rights in the name of a user-created community?

trademarks social platforms

In the realm of online communities, where does the ownership of trademark rights lie – with the platform hosting the community or the individual user who creates and develops it?

The intriguing case involving Reddit and the founder of the well-known r/WallStreetBets subreddit presents a scenario that addresses this question concerning online communities and intellectual property rights. The case deals with the ownership and alleged infringement of two trademarks: WALLSTREETBETS and WSB.

Reddit and WallStreetBets

Reddit is a widely-used social media platform that enables users to create, manage, and participate in communities known as subreddits, centered around various interests. Plaintiff Rogozinski launched r/WallStreetBets in January 2012 to establish a forum for discussions and information exchange about the financial industry. While preparing for the launch, plaintiff invested considerable time and effort in developing the subreddit’s unique identity. This included creating the WALLSTREETBETS logo, designing the site using CSS to modify Reddit’s template. Later he set up related online channels, including an Internet Relay Chat (IRC) chatroom, a Discord channel, and a Twitter account under the WALLSTREETBETS name. By 2020, the r/WallStreetBets subreddit had amassed over a million followers.

Reddit Got Mad

The conflict took shape when plaintiff filed an application to register the WALLSTREETBETS trademark with the USPTO in March 2020. Reddit subsequently suspended plaintiff’s account for a week, citing his attempt to monetize the community, and barred him from moderating on the platform. In January 2022, plaintiff filed to register the mark WSB, and the USPTO granted this registration in June 2022.

Then There Was Litigation

Plaintiff sought a declaratory judgment – which in this case was a request for the court to acknowledge his ownership of the WALLSTREETBETS and WSB trademarks. He also made a claim against Reddit for infringing these trademarks, together with various other claims arising under state law. On the infringement issue, his theory was that he did not give Reddit permission to use the WALLSTREETBETS trademark following his ban as a moderator of the r/WallStreetBets subreddit he created.

The court dismissed Plaintiff’s first complaint, which he filed in February 2023. That dismissal, however, came with the opportunity for plaintiff to amend his complaint to address these issues. Despite his efforts to fix the identified shortcomings in his amended complaint, Reddit argued that he had still failed to meet the necessary legal standards. The court agreed and dismissed the case again.

Court Says the Rights are Reddit’s

The Court’s placed significant emphasis on the principle of “first use in commerce,” a critical element in establishing trademark ownership. In his amended complaint, plaintiff attempted to demonstrate his early and significant involvement in the development and use of the trademarks in question. He detailed his efforts in creating the logo, designing the subreddit, and establishing associated online channels. However, the court remained unconvinced by these assertions, noting that plaintiff’s actions did not meet the threshold of “use in commerce” as required by trademark law. The Court also scrutinized the timing and nature of plaintiff’s activities in relation to the establishment and popularity of the subreddit, ultimately finding that these actions did not suffice to establish his ownership of the trademarks.

And the case addresses the interesting issue of who owns trademark rights in a user-generated community – the platform or the moderator/creator? Reddit asserted that it owned the trademark rights in the community. Specifically, citing a case from the USPTO’s Trademark Trial and Appeal board, In re Florists’ Transworld Delivery Inc., 2016 WL 3998062 (T.T.A.B. May 11, 2016), Reddit had argued that account holders like plaintiff “generally will not be able to rely on use of [their] social media account to support an application for registration of a mark for such service.” Reddit argued that “[j]ust as the applicant in In re Florists’ Transworld could not claim rights in connection with ‘creating an online community’ based on use of Twitter, Plaintiff cannot rely on his use of Reddit’s platform to support alleged service mark rights in connection with a ‘web based community'”.

Regarding the state law claims, the court looked to 47 U.S.C. 230, which provides immunity to providers of interactive computer services from liability for content posted by others. The court found that these claims, as presented, did not get around Reddit’s Section 230 immunity.

Rogozinski v. Reddit, Inc., 2024 WL 150727 (N.D. California January 12, 2024)

Read Franklin’s post at Creator Economy Law.

See also:

January 15, 2024 Privacy

Beauty and the Biometrics: Federal court in Illinois tosses biometric data case brought against cosmetics giant

biometric privacy

A federal judge recently dismissed a class action lawsuit against The Estée Lauder Companies and one of its affiliates. This case involved allegations that these entities violated the Illinois Biometric Information Privacy Act (BIPA).

Background of the Case

Plaintiffs represented a proposed class and accused defendants of three distinct violations of BIPA. The dispute centered on the use of a virtual try-on tool that one of defendants had licensed to Estée Lauder which enabled customers to virtually test cosmetic products on brand websites. Plaintiffs claimed that they were not adequately informed about the capture and use of their biometric data, including facial mapping and facial geometry. They argued that there was a failure to provide clear consent and privacy policies regarding biometric data.

What BIPA Says

The law governs private entities’ collection, use, and storage of biometric identifiers and information. Plaintiffs contended that defendants did not comply with these requirements, specifically in failing to obtain written consent and establishing proper retention and destruction policies for biometric data.

What the Court Said

The court’s decision to dismiss the case hinged on plaintiffs’ inability to demonstrate that defendants used the biometric data in a manner that could identify individuals. The court referenced similar cases where allegations were dismissed due to the lack of plausible claims connecting biometric data collection with the capability to identify individuals.

The court found that plaintiffs did not provide sufficient factual allegations to establish that defendants could identify individuals using the facial scans. It compared other cases where claims were either dismissed or upheld based on the presence or absence of plausible allegations of identification capability. The case was dismissed without prejudice, meaning plaintiffs were given the opportunity to file an amended complaint by a specified date.

What It Means

This decision highlights the importance of clear legal standards for biometric data usage and the challenges plaintiffs face in proving violations under BIPA. It also underscores the need for companies to be transparent and compliant with privacy laws when implementing innovative technologies.

Castelaz v. The Estee Lauder Companies, Inc. et al., 2024 WL 136872 (N.D. Illinois, January 10, 2024)

See also:

Scroll to top