Blog

October 21, 2008 Computer Crime, Privacy

Divorce spyware case moves forward

Court refuses to dismiss ECPA, SCA and CFAA claims against ex-spouse accused of delivering malicious code.

Becker v. Toca, No. 07-7202, 2008 WL 4443050 (E.D. La. September 26, 2008)

Plaintiff Becker sued his ex-wife, one Ms. Toca, claiming that Toca installed on Becker’s home and office computers a Trojan Horse that could steal passwords and send them to a remote computer. Becker claimed violations of the Electronic Communications Privacy Act (ECPA), the Stored Communications Act (SCA), the Computer Fraud and Abuse Act (CFAA), and Louisiana’s Electronic Surveillance Act.

Toca moved to dismiss for failure to state a claim upon which relief can be granted. The court dismissed the Louisiana state claim, but allowed the federal claims under the ECPA, SCA and CFAA to move forward.

In denying Toca’s motion on the ECPA claim, the court nodded to the general consensus established by cases such as Steve Jackson Games, Inc. v. United States Secret Service, 36 F.3d 457 (5th Cir. 1994), United States v. Seiger, 318 F.3d 1039, 1047 (11th Cir. 2003), Konop v. Hawaiian Airlines, Inc., 302 F.3d 868 (9th Cir.2001), and Bailey v. Bailey, 2008 WL 324156 (E.D. Mich. 2008) that ECPA liability requires the electronic communication to be intercepted contemporaneously with its transmission. Toca had argued that merely sending the Trojan Horse could not be considered an “interception” of an “electronic communication” under the ECPA. But the court held that allegations of stealing the passwords and transmitting them elsewhere, in conjunction with Becker’s computers being connected to the Internet, made it “reasonable … to infer that the Trojan Horse program may have collected information contemporaneous to its transmission.”

As for the SCA claim, Toca had argued Becker’s allegedly infected computers were not “a facility through which an electronic communication service is provided,” and thus not within the protection of the SCA. The court declined to dismiss the claim at the pleading stage because it was unclear to what extent the Trojan Horse may have accessed or retrieved information stored with an electronic communication service provider.

The court denied the motion to dismiss the CFAA claim, rejecting Toca’s arguments that the affected computers were not “protected” computers under the CFAA, and that the allegations were insufficient to show Toca intended to cause “damage.” The allegations that the Trojan Horse caused error messages and slow processing were sufficient on this point. Toca argued that an intent to damage the computers would be incompatible with a desire to retrieve information from them. But the court rejected this all-or-nothing damage approach.

The Louisiana statute claim failed simply because the court held that the statute covered only wire and oral communications, leaving electronic communications of the type at issue within the case outside its scope.

October 17, 2008 First Amendment

No injunction against transferring student over violent YouTube video

O.Z. v. Board of Trustees of Long Beach Unified School Dist., 2008 WL 4396895 (C.D. Cal. Sept. 9, 2008)

While school was out of session for spring break, seventh grader O.Z. collaborated with a classmate to make a slide show video dramatizing the murder of the students’ English teacher. Though O.Z. says she did not intend to share the slide show to anyone outside her home, she posted the video to YouTube. A couple months later, while doing a vanity search on YouTube, the English teacher encountered the video. Naturally distressed by the work, the teacher notified school authorities. Administrators suspended O.Z. and transferred her to a different school for her eighth grade year.

O.Z. filed suit and sought a preliminary injunction requiring the school district to re-enroll her at her former school. She argued that the slide show was protected speech under the First Amendment, and that the school’s discipline for it was unconstitutional. The court denied the motion for preliminary injunction.

In evaluating the likelihood of O.Z.’s success on her First Amendment claim, the court applied the standard set forth in Tinker v. Des Moines Ind. Comm. School Dist., 393 U.S. 503 (1969). The Tinker test provides that discipline over student speech is appropriate if school officials reasonably conclude that the speech will “materially and substantially disrupt the work and discipline of the school.”

O.Z. argued that the slide show was merely a joke and not a true threat. But the court found that the school could reasonably forecast substantial disruption of school activities given the violent language and unusual photos comprising the video slide show. Further, the decision to transfer O.Z. served not only to discipline her, but to protect the safety of the teacher.

The fact that O.Z. created the slide show outside of school was of little import in the circumstances. Comparing the present situation with Wisniewski v. Board of Educ. of Weedsport Cent. School Dist., 494 F.3d 34 (2nd Cir. 2007) and other cases involving off-campus conduct, the court found that the slide show created a foreseeable risk of disruption within the school. Such a finding was no doubt influenced by the ability of social media platforms like YouTube to facilitate wide distribution of content.

October 7, 2008 Trademarks

Court enjoins transfer of trademarks associated with domain name booty

1st Technology v. Bodog Entertainment Group, S.A., No. 08-0872, (W.D. Wash. September 30, 2008).

After plaintiff 1st Technology won a $46 million default judgment against defendant BEGSA, 1st Technology began its collection efforts by seeking to obtain possession of thousands of BEGSA domain names registered through the Washington-state based registrar eNom. A state court ordered the domain names transferred to a receiver, but the judge, unsure of the degree of the state court’s jurisdiction, did not transfer the ownership of the corresponding federally-registered trademarks associated with the domain names.

Thereafter, BEGSA purported to assign the trademarks to various subsidiaries and related entities. 1st Technology filed a federal lawsuit against BEGSA and these other entities, asking the court to set aside the later transfers as fraudulent conveyances. 1st Technology sought a preliminary injunction to prevent further transfer of the trademarks, and to prevent defendants from using the trademarks in connection with online gambling.

The court granted the motion inasmuch as it sought prevention of further transfer. But it denied the motion as to the use in connection with online gambling.

BEGSA argued, among other things, that the court could not order the forced sale of the trademarks and their goodwill, and that federal trademark law preempted the state fraudulent conveyance law under which 1st Technology sought relief. The court rejected both of these arguments, citing to Seventh Circuit authority providing that the “assertion that a trademark is not subject to an involuntary judicial sale is incorrect.” Adams Apple Distrib. Co. v. Papeleras Reunidas, S.A., 773 F.2d 925, 931 (7th Cir. 1985). On the preemption question, the court noted the absence of any authority cited by BEGSA providing for preemption, and looked to the language of 15 U.S.C. §1119, which gives the court broad authority to affect the federal trademark register.

In denying injunctive relief against the use of the trademarks in connection with online gambling, the court concluded that at such an early stage in the litigation, it was not prepared to distinguish which conduct on the part of the defendants was illegal or legal. Of significant importance was the likelihood of harm to both parties if the trademarks could not be used in the way they traditionally had (that is, for online gambling). Defendants argued that “disjoining the marks from their most commonly known use hopelessly dilutes them and destroys their value – to anyone.”

September 18, 2008 Personal Jurisdiction

Interactive websites supported exercise of personal jurisdiction

Plaintiff sued a California corporation in federal court in Utah. Defendant moved to dismiss, asserting, among other things, lack of personal jurisdiction. The court denied the motion.

The court found that it had specific personal jurisdiction over defendant. Plaintiff provided evidence that defendant ran a number of highly interactive websites, including at least two online stores. Defendant provided visitors with a shopping cart feature that allowed them to select multiple products for purchase. Visitors to defendants’ sites could purchase items over the website using Google checkout or a number of major credit cards. Defendant offered to sell products into Utah through its multiple internet stores. In short, defendant purposefully used its website to reach a large number of potential buyers, including those in Utah, and benefited from that exposure.

Citing to Dedvukaj v. Maloney, 447 F.Supp.2d 813 (E.D.Mich. 2006), the court observed that “[s]ellers cannot expect to avail themselves of the benefits of the internet-created world market that they purposefully exploit and profit from without accepting the concomitant legal responsibilities that such an expanded market may bring with it.”

A.L. Enterprises Inc. v. Sebron, 2008 WL 4356958 (D. Utah, September 17, 2008) 

 

September 10, 2008 Anonymity, Copyright, Electronic Discovery, Litigation

Subpoena to university in P2P case must give time to notify parents

UMG Recordings, Inc. v. Doe, No. 08-3999, 2008 WL 4104207 (N.D.Cal. September 4, 2008)

Plaintiff record companies, using Media Sentry, found the IP address of a John Doe file-sharing defendant, and filed suit against Doe in federal court for copyright infringement. As in any case where a defendant is known only by his or her IP address, the record companies needed some discovery to ascertain the name and physical address matching that IP address. But the federal rules of procedure say that without a court order, a party cannot seek discovery until the parties have conferred pursuant to Fed. R. Civ. P. 26(f).

So the record companies sought the court order allowing them to issue a subpoena to Doe’s Internet service provider prior to the 26(f) conference. The court granted the order, but with a caveat.

The evidence showed that Doe was a student at the University of California, Santa Cruz. Under the Family Educational Rights and Privacy Act at 20 U.S.C. § 1232g, a college generally cannot disclose “any personally identifiable information in education records other than directory information.” There’s an exception to that rule when the college is answering a lawfully issued subpoena, provided that “parents and the students are notified of all such … subpoenas in advance of the compliance therewith by the educational institution or agency.”

The court granted the record companies’ motion for leave to serve the subpoena prior to the Rule 26(f) conference, but required that the subpoena’s return date “be reasonably calculated to permit the University to notify John Doe and John Doe’s parents if it chooses prior to responding to the subpoena.”

September 9, 2008 Defamation, Section 230

No CDA immunity for letting co-defendant use computer to post material

Capital Corp. Merchant Banking, Inc. v. Corporate Colocation, Inc., No. 07-1626, 2008 WL 4058014 (M.D.Fla., August 27, 2008)

Professor Goldman points us to a recent decision in a case where the plaintiff alleged that one of the individual defendants “allowed [a co-defendant] to use ‘a computer registered in her name’ to make . . . defamatory statements.” The defendants filed a 12(b)(6) motion to dismiss, arguing that the Communications Decency Act (CDA) at 47 U.S.C. 230 barred the claims. The court denied the motion.

With little analysis, the court cited to the 9th Circuit’s Roommates.com decision, holding that “[t]he CDA provides immunity for the removal of content, not the creation of the content.” While that is not an incorrect statement, it is troublesome in this context inasmuch as it tells half the story.

Yes, 47 U.S.C. 230(c) does provide protection to “Good Samaritan” operators of interactive computer services who remove offensive content. The user whose content has been removed would not have a cause of action against the operator who took down the content in good faith. See 47 U.S.C. 230(c)(2).

But 47 U.S.C. 230(c)(1) provides that no provider of an interactive computer service shall be treated as a publisher or speaker of any information provided by a third party. Courts have usually held that when a defamation plaintiff brings a claim against the operator of the computer service used to post defamatory content (who was not responsible for creating the content), such a claim is barred, as the plaintiff would not be able to satisfy the publication element of a defamation prima facie case.

Maybe in this situation the court found that the defendant who let a co-defendant use her computer did not meet the definition of a service provider as contemplated by the CDA. But it would have been nice to see that analysis written down, rather than having to merely surmise or speculate.

September 3, 2008 Copyright, DMCA, Litigation, Uncategorized

Veoh eligible for DMCA Safe Harbor

[Brian Beckham is a contributor to Internet Cases and can be contacted at brian.beckham [at] gmail dot com.]

Io Group, Inc. v. Veoh Networks, Inc., 2008 WL 4065872 (N.D.Cal. Aug. 27, 2008)

The U.S. District Court for the Northern District of California ruled that Veoh’s hosting of user-provided content is protected by the DMCA safe harbor provision, and that it does not have a duty to police for potential copyright infringement on behalf of third-parties, but rather must act to remove infringing content when so put on notice.

IO produces adult films; Veoh hosts, inter alia, its own “Internet TV channels” and user-posted content (much like YouTube). In June 2006, IO discovered clips from ten (10) of its copyrighted films ranging from 6 seconds to 40 minutes in length hosted on Veoh. Rather than sending Veoh a “DMCA Notice & Takedown” letter, IO filed the instant copyright infringement suit. (Coincidentally, Veoh had already removed all adult content sua sponte — including IO’s prior to the suit). Had Veoh received such a notice, so the story goes, it would have removed the content, and terminated the posting individual’s account.

When a user submits a video for posting, Veoh’s system extracts certain metadata (e.g., file format and length), assigns a file number, extracts several still images (seen on the site as an icon), and converts the video to Flash. Prior to posting, Veoh’s employees randomly spot check the videos for compliance with Veoh’s policies (i.e., that the content is not infringing third-party copyrights). On at least one occasion, such a spot check revealed infringing content (an unreleased movie) which was not posted.

Veoh moved for summary judgment under the DMCA’s Safe Harbors which “provide protection from liability for: (1) transitory digital network communications; (2) system caching; (3) information residing on systems or networks at the direction of users; and (4) information location tools.” Ellison, 357 F.3d at 1076-77. Finding that Veoh is a Service Provider under the DMCA, the Court had little trouble in finding that it qualified for the Safe Harbors. IO admitted that Veoh “(a) has adopted and informed account holders of its repeat infringer policy and (b) accommodates, and does not interfere with, “standard technical measures” used to protect copyrighted works”, but took issue with the manner in which Veoh implemented its repeat infringer policy.

Veoh clearly established that it had a functioning DMCA Notice & Takedown system:

  • Veoh has identified its designated Copyright Agent to receive notification of claimed violations and included information about how and where to send notices of claimed infringement.
  • Veoh often responds to infringement notices the same day they are received.
  • When Veoh receives notice of infringement, after a first warning, the account is terminated and all content provided by that user disabled.
  • Veoh terminates access to other identical infringing files and permanently blocks them from being uploaded again.
  • Veoh has terminated over 1,000 users for copyright infringement.

The Court held that Veoh did not have a duty to investigate whether terminated users were re-appearing under pseudonyms, but that as long as it continued to effectively address alleged infringements, it continued to qualify for the DMCA Safe Harbors; moreover, it did not have to track users’ IP addresses to readily identify possibly fraudulent new user accounts.

The Court further noted that: “In essence, a service provider [Veoh] is eligible for safe harbor under section 512(c) if it (1) does not know of infringement; or (2) acts expeditiously to remove or disable access to the material when it (a) has actual knowledge, (b) is aware of facts or circumstances from which infringing activity is apparent, or (c) has received DMCA-compliant notice; and (3) either does not have the right and ability to control the infringing activity, or – if it does – that it does not receive a financial benefit directly attributable to the infringing activity.”

The Court found that (1) there was no question that Veoh did not know of the alleged infringement — since IO did not file a DMCA Notice (2) it acted expeditiously to remove user-posted infringing content, (3) it did not have actual knowledge of infringement, (4) it was not aware of infringing activity, and (5) it did not have the right and ability to control the infringing activity (the Court did not address any financial benefit).

In sum: the Court “[did] not find that the DMCA was intended to have Veoh shoulder the entire burden of policing third-party copyrights on its website (at the cost of losing its business if it cannot). Rather, the issue [was] whether Veoh [took] appropriate steps to deal with [alleged] copyright infringement.”

There is much speculation as to how, if at all, this case will affect the Viacom / YouTube case. YouTube praised the decision, Viacom noted the differences. Each case turns on its own facts, but to the extent there are similarities, this decision is wind in YouTube’s sails.

Case is: IO Group Inc.(Plaintiff), v. Veoh Networks, Inc. (Defendant)

September 2, 2008 Evidence, Litigation, Miscellaneous

Slamming Wikipedia’s reliability not enough in immigration case

Badasa v. Mukasey, — F.3d —, 2008 WL 3981817 (8th Cir. Aug. 29, 2008)

Illegal alien Badasa sought asylum in the United States. To establish her identity, she submitted to the Immigration Judge a “laissez-passer” issued by the Ethiopian government. Opposing the application for asylum, the Department of Homeland Security submitted a number of items, including a Wikipedia article, to show that a laissez-passer is merely a document issued for a one-time purpose based on information provided by the applicant. The Immigration Judge was not convinced that the laissez-passer established Badasa’s identity, and denied the application for asylum.

Badasa appealed to the Board of Immigration Appeals, which agreed that asylum should be denied. It soundly criticized Wikipedia’s reliability to establish the meaning of the document at issue, but found there was enough other evidence to support the Immigration Judge’s conclusion that Badasa had failed to establish her identity. But the Board of Immigration Appeals failed to discuss this other evidence, therefore running afoul of the administrative law textbook case of SEC v. Chenery, 318 U.S. 80 (1943).

So the Eighth Circuit sent the case back to the Board of Immigration Appeals to make additional findings. The court observed that the Board of Immigration Appeals found that “Badasa was not prejudiced by the [Immigration Judge’s] reliance on Wikipedia, but [the Board of Immigration Appeals] made no independent determination that Badasa failed to establish her identity.” In short, the Board of Immigration Appeals had focused only on why the use of Wikipedia made the case less “solid,” and did not address the lack of solidity found in any of the other evidence connected with the laissez-passer used to establish identity.

Scroll to top