Great time today being on CNN.com Live talking about the recent lawsuit filed against a Twitter user for talking about mold in her apartment and an apparently uncaring management company. Video embedded below. (Or click through if it’s not showing up in the RSS feed).
You know the story of Lori Drew — the mom from Missouri who was accused of setting up a bogus MySpace profile impersonating an adolescent boy. Lori acted as this fake “Josh” to stir up romantic feelings in young Megan Meier who, after being dumped by “Josh,” took her own life.
A terrible thing of course. And someone needed blaming. So federal prosecutors chose to go after Lori Drew. The jury convicted her of violating the Computer Fraud and Abuse Act (the federal anti-hacking statute), but today the judge acquitted her. Seems like a good decision, as the theory on which the prosecution based its case — that Lori violated the site’s terms of service by saying she was someone other than she is and thereby exceeded her authority — was shaky at best. The big problem with that theory was that such a reading would make most of us criminals. I’m sure you don’t mean to tell me you’ve never signed up for an online service using something other than your real name or accurate contact information.
Most smart people can agree that the Computer Fraud and Abuse Act was not the right way to punish this “crime.” Various states have enacted legislation to handle cyberbullying and are already prosecuting people in state court. But the problem is not going to go away. People will still do foolish things on the internet.
And to the extent that foolishness is criminal, the individual should pay a criminal price. The individual.
Using the Computer Fraud and Abuse Act to go after this conduct put the contractual relationship between the end user and the provider (i.e., Lori Drew and MySpace) under the microscope where it did not belong. The court and jury had to scrutinize that contractual relationship and the resulting authority (or lack thereof). They had to do that because there was no other way the government was going to win a CFAA prosecution otherwise.
Focusing on that relationship in this context did not make sense. MySpace didn’t have anything to do with this other than being a passive intermediary. Why should the inquiry at trial have gone to those kinds of questions? Why should the intermediary have been bothered? It shouldn’t have.
The bad act was (I guess we have to again say “allegedly was” now that she’s been acquitted) between Lori Drew and Megan Meier. That’s the space where the factual focus and legal analysis belonged. Not in the legal relationship between Lori Drew and MySpace.
Now that we have a sensible legal outcome in this case, hopefully prosecutors will take some more principled approaches and leave the intermediaries out of it.
Cassetica Software, Inc. v. Computer Sciences Corp, 2009 WL 1703015 (N.D.Ill. 2009)
Cassetica Software made an application available for download on the web and entered into a license agreement for that application with Computer Sciences Corporation (CSC). Cassetica alleged that CSC continued to download the application after the license agreement expired.
So Cassetica sued in federal court, alleging a number of causes of action, including violations of the Computer Fraud and Abuse Act, 18 USC 1030 et seq. (CFAA). CSC moved to dismiss pursuant to FRCP 12(b)(6) for failure to state a claim. The court granted the motion, finding that Cassetica did not plead either damage or loss as required by the CFAA.
What the CFAA requires
Interpreting the CFAA differently that at least one other judge in the Northern District of Illinois has (cf. Garelli Wong & Assoc. v. Nichols, 551 F.Supp.2d 704 (N.D.Ill. 2008)), Judge Kendall held that Cassetica was required to plead either damage or loss as such terms are defined in the CFAA. (In Garelli Wong, the court held that both damage and loss must be pled.)
Under the CFAA, “damage” is defined as “any impairment to the integrity or availability of data, a program, a system, or information.” “Loss” is defined as “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.”
Insufficient damage allegations
The bare allegations of damage in the complaint were not enough. The court found that Cassetica did not allege any facts that would plausibly suggest that the software downloads — authorized or not — caused a diminution in the computers or usability of [Cassetica’s] computerized data.” The court went on to observe that “[c]ritically absent from the Complaint are allegations that CSC’s downloads resulted in lost data, the inability to offer downloads to its customers, or that the downloads affected the availability of the software.”
Insufficient loss allegations
Cassetica’s complaint also failed to plead loss. The allegations primarily dealt with the lost fees Cassetica would have received had the alleged unauthorized downloading not taken place. Because Cassetica did not allege that it lost revenues as a result of an interruption in service caused by CSC, its claim for lost revenue fell outside the CFAA’s definition of “loss.”
Download picture courtesy Flickr user soren_nb under this Creative Commons license.
There has only been one copyright infringement case filed against an individual accused of illegally sharing music files over the internet to actually go to trial. That’s the case of Capitol Records v. Jammie Thomas. In October 2007, a jury in the U.S. District Court for the District of Minnesota returned a verdict of $222,000 against Ms. Thomas. The court on its own motion vacated that judgment, and ordered a retrial. That retrial concluded on June 18, 2009, with a judgment of a whopping $1.92 million against Ms. Thomas.
Here is a growing collection of links on the topic:
Subscribe to RSS headline updates from:
Palacio del Mar Homeowners Assn., Inc. v. McMahon, — Cal.Rptr.3d —, 2009 WL 1668294 (Cal. App. 4 Dist. June 16, 2009)
A California state court entered a $40,000 judgment against defendant McMahon in favor of plaintiff homeowners association. The homeowners association tried to collect the money from McMahon, seeking a “turnover” of property McMahon owned. Among the items the homeowners association sought was the domain name ahrc.com, registered in the name of McMahon’s wife.
The trial court permitted the domain name to be turned over to the homeowners association to satisfy the judgment. McMahon sought review with the California Court of Appeal. That court reversed and vacated the turnover order.
The court gave several reasons for reversing the lower court. The most interesting reason, however, dealt with the very nature of domain names. The provision in California law allowing turnover of property limits itself to tangible property that can be “levied upon by taking it into custody.” Looking to the case of Network Solutions, Inc. v. Umbro International, Inc., 529 S.E.2d 80 (Va. 2000), the court held that a domain name registration is not property, but merely supplies the intangible contractual right to use a unique domain name for a specified period of time. Even if the registration were property, it was not something that could be taken into custody.
Brahmana v. Lembo, No. 09-106, 2009 WL 1424438 (N.D. Cal. May 20, 2009)
Plaintiff former employee Brahmana sued his former employer Cyberdata, claiming that Cyberdata violated the Electronic Communications Privacy Act (at 18 U.S.C. 2511) (“ECPA”). Brahmana claimed that Cyberdata used a keylogger to intercept the username and password for Brahmana’s personal email account.
Cyberdata moved to dismiss the claim under Rule 12(b)(6) for failure to state a claim upon which relief can be granted. The court denied the motion, finding that the determination of whether there was a violation of the ECPA would best be made after discovery.
The ECPA makes it unlawful for any person to intentionally intercept, among other things, any “electronic communication.” An “electronic communication” is defined in the ECPA as “any transfer of signs, signals, writing, images, sounds, data, or intelligence of any nature transmitted in whole or in part by a wire, radio, electromagnetic, photoelectronic, or photooptical system that affects interstate or foreign commerce.”
An important question in this case was whether the keystrokes allegedly captured by the keylogging device met this definition of electronic communication.
An earlier case from another district (United States v. Ropp, 347 F.Supp.2d 831 (C.D. Cal. 2004)) held that keystrokes gathered by a hardware keylogger attached between a computer’s keyboard and central processing unit were not electronic communications because the system transmitting the information did not affect interstate commerce.
But another case questioned that opinion’s holding, finding that though the keystrokes themselves did not travel in interstate commerce, they did “affect interstate commerce” and therefore fell within the ECPA’s definition.
This court avoided ruling on the legal question of whether intercepting electronic data being transmitted from one piece of local hardware to another might be an electronic communication as defined by the ECPA. One must remember that a Rule 12(b)(6) motion merely tests the sufficiency of the pleadings. The court does not consider evidence at that stage, but merely tests whether the facts alleged by the plaintiff could plausibly support the legal claim.
In this case, the court found that Brahmana’s allegations did not specify whether the particular means of monitoring affected interstate commerce, but were sufficient to render plausible the claim that communications were monitored in some way. “The issue of how any alleged monitoring took place,” the court found, “and whether it allegedly affected interstate commerce is better resolved after some discovery.”
The case instructs us that this court is not willing to read the definition of “electronic communication” as narrowly as the court did in Ropp. No doubt there will be some interesting evidence produced in discovery that shows how the keystrokes were allegedly intercepted. But at least we know at this early stage in the litigation that the court will consider whether the transmission of electronic data within a system — and not crossing state lines — may still affect interstate commerce.
I-Spy photo courtesy Flickr user Leo Reynolds under this Creative Commons license.
Had a great time talking about anonymity and the First Amendment with Sheilah Kast of Baltimore’s 88.1 FM WYPR on today’s Maryland Morning. I talked about the court’s analysis in the recent case of Independent Newspapers, Inc. v. Brodie (which I wrote about here).
Listen to the interview here:
MP3
Barnes v. Yahoo!, Inc., No. 05-36189, 9th Cir. May 7, 2009
Yesterday’s decision from the Ninth Circuit in Barnes v. Yahoo is kind of a big deal. Jeff Neuberger observes that Section 230 took a hit. Characterizing it differently, Thomas O’Toole called it a nice win for online publishers. I’m thinking that the halcyon days of robust Section 230 immunity may be on the wane.
Barnes alleged that her ex-boyfriend did some pretty rotten things using various Yahoo services. Since I think my mom reads my blog I won’t elaborate on Prince Charming’s shenanigans. But if the allegations are true, one can understand why Barnes would be mad. Simply stated, they involved nude photos and men looking to cavort showing up where Barnes worked.
Barnes contacted Yahoo and asked it to take the offending content down. Folks there said they would. Months later, when the content remained online, Barnes sued Yahoo for negligent undertaking and promissory estoppel.
The district court dismissed Barnes’ claims, holding that 47 U.S.C. 230 protected Yahoo because, according to that section, “no provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.”
It’s no big surprise that the appeallate court affirmed the lower court on the question of negligent undertaking. Barnes’ claim was that Yahoo was negligent in undertaking to remove the content. Since the removal of content is one of the quintessential functions of a publisher, it would contravene Section 230 to hold Yahoo liable for that.
The more intriguing part of the case comes from the court’s reversal on the question of promissory estoppel. Yahoo’s breach of an alleged promise to remove the content was of a different nature than the act of removing the content. “Promising is different because it is not synonymous with the performance of the action promised.” Liability arising from failing to live up to that promise was outside the scope of Section 230. In other words, pursuing Yahoo for breaking its promise to take down the offending content did not treat it as the publisher or speaker of that content.
This holding seems to be another chip away at Section 230 immunity. Smart intermediaries (e.g. website operators) are likely to communicate less now with individuals who feel aggrieved, because the intermediary may fear that anything it says could be construed as a breakable promise putting it at risk for liability.
Ledbetter v. Wal-Mart Stores, Inc., 2009 WL 1067018 (D.Colo. April 21, 2009)
A couple of electricians were severely burned when the electrical system they were working on in an Aurora, Colorado Wal-Mart shorted out. They sued Wal-Mart over their injuries. One of the plaintiffs’ wives brought a claim for loss of consortium.
During discovery, Wal-Mart sent subpoenas to Facebook, MySpace and Meetup.com seeking information about the plaintiffs. The plaintiffs filed a motion for protective order which would have prevented the social networking sites from providing the requested information. The plaintiffs claimed that the information should be protected by the physician-patient privilege or, as for the loss of consortium claim, the spousal privilege. The court denied the motion and allowed the subpoenas.
The court held that an earlier protective order entered in the case (to which the parties had agreed) protected the confidentiality of the information. And the plaintiffs had put the purported confidential facts, i.e., the extent of the injuries and the nature of the consortium, at issue by bringing the suit. Moreover, the information sought by the subpoenas was reasonably calculated to lead to the discovery of admissible evidence and was relevant to the issues in the case.
It’s worth noting that the court might have had other reasons to deny the motion for protective order that it did not mention. A privilege of confidentiality is usually destroyed when it is disclosed to a third party. How could information on Facebook or MySpace still be secret? Unless Wal-Mart was only seeking private messages sent either between the spouses or one of the plaintiffs and a doctor, it would seem that most everything these sites would have would not be confidential in the first place.
The big news story of the day is the guilty verdict from a Swedish court against the four guys behind The Pirate Bay. The judge sentenced them to a year in prison for facilitating copyright infringement and also ordered them to pay millions of dollars. The righteous indignation flows like akvavit.
I cannot see any reason why anyone outside the reach of Sweden’s laws should be all that concerned about this case. Sure, it’s grand spectacle to see an act of civil disobedience deliver its agents to purported martyrdom. But as for any legal significance outside Sweden, there is none. And does it teach us anything about the underlying interests that gave rise to the dispute? No. We have known for a long time that there are some who believe copyright law is too restrictive, and that those interests are pitted against the corporate and pecuniary interests of the big media companies.
So if one is to treat as news the fact that the RIAA and other content owners sometimes overreach, or that zealous advocates for copyright reform believe in their cause, please send me some of that sweet oblivion.
