Blog Rss Feed

iPhone Bricking Class Certified, But CFAA, California Penal Code & Tresspass Claims Dismissed

Thu, 15 Jul 2010 10:35:43 GMT

A federal court in the Northern District of California dismissed Computer Fraud and Abuse Act (“CFAA”), California Penal Code Section 502, and trespass to chattel claims against Apple Computer, Inc. arising out of its transmission of a software update that caused iPhones, which had been unlocked so they could be used with other service providers, to become unusable. In re Apple & ATTM Antitrust Litig. No. 07-05152 (N.D. Cal. July 8, 2010). This complete disabling of the iPhone has been termed “bricking.”

While Apple scored a victory in getting these three claims dismissed, the Plaintiffs scored a larger victory as the court granted class certification for the remaining claims as to “[a]ll persons who purchased or acquired an iPhone in the United States and entered into a two-year agreement with Defendant AT&T Mobility, LLC for iPhone voice and data service any time from June 29, 2007, to the present." The newly certified class action will address Plaintiffs’ claims arising out of the “bricking” allegations that Apple and AT&T Mobility secretly agreed to technologically restrict voice and data service to iPhones in the aftermarket for five years (three years beyond the two-year service agreement with AT&T Mobility), and that Apple monopolized the aftermarket for third-party software applications for the iPhone.

The court addressed the CFAA, California Penal Code (“CPC”) § 502, and trespass to chattels claims together because Apple asserted that no Plaintiff was damaged by the “bricking” that resulted when upgraded software (1.1.1 Software) was installed on unlocked iPhones. In so doing the court first summarized the applicable law as to each cause of action and then addressed the elements of damages, intentional acts, and authorization, finding that Plaintiffs failed to establish each of those required elements.

Trespass to Chattels:

In California, a trespass to chattels claim requires “actual harm” and “lies where an intentional interference with the possession of personal property has proximately caused injury.” Intel Corp. v. Hamidi, 30 Cal. 4th 1342, 1350-51 (2003) (emphasis omitted) (internal quotation marks and citation omitted).

Computer Fraud and Abuse Act:

The CFAA creates liability for “knowingly caus[ing] the transmission of a program, information, code, or command, and as a result of such conduct, intentionally caus[ing] damage without authorization, to a protected computer.” 18 U.S.C. § 1030(a)(5)(A).

The term “damage” means “any impairment to the integrity or availability of data, a program, a system, or information.” Id. § 1030(e)(8). A plaintiff must also demonstrate that the defendant’s action caused over $5,000 in damage over a one-year period. Id. § 1030(a)(4). Plaintiffs may aggregate individual damages over the putative class to meet the damages threshold. In re Toys R Us, Inc., Privacy Litig., No. 00-cv-2746, 2001 WL 34517252 at *11 (N.D. Cal. Oct. 9, 2001).

California Penal Code § 502:

CPC § 502 permits an action against an individual who “[k]nowingly accesses and without permission adds, alters, damages, deletes, or destroys any data, computer software, or computer programs which reside or exist internal or external to a computer.” CPC § 502(c)(4). Additionally, the CPC allows an action against an individual who “[k]nowingly introduces any computer contaminant into any computer, computer system, or computer network.” Id. § 502(c)(8). Under the CPC, a “computer contaminant” is defined as “computer instructions that are designed to . . . damage [a computer] . . . without the intent or permission of the owner.” Id. § 502(b)(10).

The court then found three separate reasons for dismissing the three causes of action.

Damages: A temporary loss of personal use does not constitute damage, and while destruction of third-party applications was a viable theory of damages, Plaintiffs failed to provide evidence of actual damage.

Apple conceded that there were allegations that third-party applications were erased when the iPhone’s were bricked, and that these allegations were sufficient to put Apple on notice that destruction of third-party applications could provide a theory of injury. The court then looked to the evidence of injury that was actually plead by Plaintiffs and adduced during discovery. It found that Plaintiffs had not produced sufficient evidence of injury because they had admitted that they weren’t injured, and that they had received free replacement phones within a few days after installing the 1.1.1. Software. The court found that the temporary loss of use of a personal phone is not a “substantial” or “measurable” amount as required in Hamidi. It also disregarded the temporary loss of use as sufficient for showing harm in the context of the CFAA or CPC.

When considering whether the deletion of third-party applications caused injury, the court noted that there was no evidence that any of the three named plaintiffs had suffered an actual injury. For one of the Plaintiffs, there was no evidence that he had paid for any third-party applications. Another plaintiff had kept a backup copy on his computer. And the third had deleted many of his third-party applications prior to downloading the 1.1.1 Software.

Intentional Acts: Apple did not intend to damage Plaintiffs’ iPhones.

Even if Plaintiffs could establish standing by showing damage, the court found that Plaintiffs had not produced sufficient evidence to show that Apple intended to damage Plaintiffs’ iPhones because there was no evidence that Apple had designed the 1.1.1 Software to “brick” iPhones.

Unauthorized Access: Voluntary installation of a software update was not unauthorized access.

Finally, the court noted that installing the 1.1.1 Software was voluntary, that the voluntary installation ran counter to the notion of a trespass and that the download did not qualify as unauthorized access under the CFAA or as without permission under the CPC.

The Direct Marketing Association Challenges Colorado’s Tax Notification and Sales Reporting Requirements for Out-of-State Retailers on Privacy and Free Speech Grounds

Thu, 15 Jul 2010 10:02:06 GMT

The Direct Marketing Association, a trade association with over 3000 members, has filed a complaint against the Executive Director of the Colorado Department of Revenue (“Department”) in her official capacity challenging Colorado’s tax notification and sales reporting requirements for out-of-state retailers in federal court. See The Direct Marketing Association v. Huber, No. 10-cv-1546 (D. Colo. June 30, 2010).

Colorado H.B. 10-1193, which went into effect March 1, 2010, requires out-of-state retailers, including Internet retailers, not otherwise obligated to collect Colorado sales tax to inform their Colorado customers of Colorado’s requirement that they self-report use tax to the Department. It also requires out-of-state retailers to file with the Department a Customer Identification Report that discloses the names of their Colorado customers based on billing addresses along with the amount of purchases made by each one. See Colo. Rev. Stat. § 39-21-112(3.5)(d)(II); Colo. Reg. 39-21-112.3.5.

The Direct Marketing Association claims that H.B. 10-1193 discriminates against and unduly burdens interstate commerce in violation of the commerce clause, violates Colorado consumers’ rights of privacy guaranteed by the U.S. and Colorado Constitutions, interferes with out-of-state retailers and Colorado consumers’ rights of free speech under the U.S. and Colorado Constitutions, deprives out-of-state retailers of property in violation of the Due Process Clause of the Fourteenth Amendment, and constitutes a taking under the U.S. and Colorado Constitutions.

The Direct Marketing Association’s privacy and free speech claims on behalf of Colorado consumers are particularly noteworthy. The privacy claims allege that that act of identifying to the Department an “individual’s status as a purchaser from certain businesses and organizations,” including non-profit political, religious or advocacy groups, “will reveal personal information about the purchaser, including not only the personal purchaser’s private interests and individual predilections, but also, among other things, potentially his or her religious beliefs, political opinions, medical conditions, financial situation, family concerns, or sexual orientation” in violation of Colorado consumers’ privacy rights under the U.S. and Colorado Constitutions. (Complaint at ¶¶ 79, 91.)

The First Amendment claim further alleges that the reporting requirements “may reveal information regarding the expressive content of products obtained by the purchaser,” which “will have a chilling effect on the exercise of the right to freedom of speech guaranteed by the Constitution” both by consumers and retailers. (Id. at ¶¶ 105, 109.) This claim is bolstered by a similar free speech claim under Article II, Section 10 the Colorado Constitution, which in conjunction with the First Amendment has been interpreted by the Colorado Supreme Court to protect “the right of the public to buy and read books anonymously, free from governmental intrusion.” Tattered Cover, Inc. v. City of Thornton, 44 P.3d 1044, 1051 (2002). This right to purchase and read books anonymously would likely extend to all forms of expressive materials protected by the First Amendment and the Colorado Constitution.

In the event traditional commerce clause arguments under Quill Corp. v. North Dakota, 504 U.S. 298 (1992), are unsuccessful, the Direct Marketing Association’s privacy and free speech claims provide possible alternative grounds to invalidate the Colorado reporting requirement.

YouTube Obtains Summary Judgment in Viacom Case

Mon, 12 Jul 2010 11:31:15 GMT

YouTube received a resounding win in a recent decision in the long-running Viacom v. YouTube case (Viacom Internationa, Inc. v. YouTube, Inc., 2010 WL 2532404 (SDNY June 23, 2010)). YouTube moved for summary judgment based on the safe harbor provisions of the Digital Millennium Copyright Act (DMCA), and despite Viacom's argument that the safe harbor was not applicable to YouTube on a wide variety of grounds, the court granted summary judgment on all direct and secondary copyright infringement claims. Although this is only a lower court decision, this is an important victory for social media sites, as they rely on the DMCA safe harbor to provide protection from copyright infringement claims for content posted by third parties.

The relevant part of the DMCA provides that an online service provider is not liable for copyright infringement for storing content at the direction of a user, provided that certain conditions are met. In addition to certain preliminary requirements, such as designating an agent to receive take-down notices and adopting and implementing a repeat infringer policy, these conditions require online service providers to remove or disable access to content if a proper take-down notice is received, if the online service has actual knowledge that such content is infringing, or if it becomes aware of facts or circumstances from which infringing activity is apparent,. The safe harbor will also not apply if the online service provider has the right and ability to control the infringement and it derives a direct financial benefit from the infringement. Viacom raised a number of arguments as to why the safe harbor was not applicable, but it did not prevail on any of them.

The decision was surprisingly short, given the importance of this case, and most of the discussion centered around the question of whether a generalized awareness that there are infringements on a site is sufficient to trigger the obligation to remove infringing content (i.e. whether such generalized knowledge constitutes "actual knowledge" or "facts and circumstances from which infringing activity is apparent" under the DMCA). Although YouTube promptly removed all clips when it received a specific take down notice, Viacom argued that the DMCA safe harbor was inapplicable because YouTube was aware of widespread infringement on the site and failed to act to stop it. After examining the legislative history and relevant case law, the court concluded that mere knowledge of the prevalence of infringing activity is not sufficient. Rather, the court found that the required knowledge must be of specific and identifiable infringements of particular, individual items. This decision is consistent with previous cases, such as Perfect 10, Inc. v. CCBill LLC, 488 F.3d 1102, 1113 (9th Cir. 2007), which have found the threshold for proving the required knowledge to be quite high. It is also consistent with the recent decision in Tiffany, Inc. v. eBay, Inc., F. 3d 93 (2d Cir. April 1, 2010), in which the Second Circuit held that generalized knowledge of trademark infringement on the site was not sufficient to impose liability for trademark infringement.

The court quickly dismissed Viacom's argument that the replication, transmittal and display of videos on YouTube did not qualify for the safe harbor because it goes beyond merely storing content at the direction of a user. The court held that this is too narrow an interpretation of the word "storage," citing the case of Io Group, Inc. v. Veoh Networks, Inc., 586 F. Supp. 2d 1148 (N.D. Cal. 2008).

The court also did not find anything wrong with the way YouTube adopted and implemented its repeat infringer policy. The DMCA requires that online service providers adopt, notify users of, and reasonably implement "a policy that provides for the termination in appropriate circumstances of subscribers and account holders of the service provider's system or network who are repeat infringers." However, the statute does not define what those "appropriate circumstances" are or what constitutes a "repeat infringer." YouTube adopted a "three strikes" policy whereby it terminated users after three warnings, which were triggered by DMCA take-down notices. Viacom claimed YouTube did not reasonably implement its repeat infringer policy because of the way it counted strikes (e.g. it only counted as one strike a single take-down notice covering multiple videos and it did not count as a strike content removed through use of the Audible Magic filtering tool). The court, however, disagreed, citing langue from UMG Recordings, Inc. vs. Veoh Networks, Inc., 665 F. Supp. 2d 1099, 1116, 1118 (CD Cal. 2009) which concludes that Congress intended to leave the requirements of the repeat infringe policy and the subsequent obligation of the service provide loosely defined. The court also noted that even DMCA-compliant notices did not in themselves provide evidence of blatant infringement. This decision supports the view that companies have considerable latitude in adopting and implementing their repeat infringer policy.

Perhaps one of the most interesting holdings in the case, although one that has received little attention so far, is that the "right and ability to control the infringing activity" also requires item-specific knowledge of the activity. There has been little case law so far on the meaning of the "right and ability to control" language, and the requirement that the provider must know of a particular infringing activity before he can control it is a fairly narrow interpretation of this requirement.

This is certainly not the last we have heard from this case, as Viacom has already stated it will appeal the decision. For now, however, it has eased concerns that the DMCA safe harbor is not an effective tool to protect social media sites from the copyright infringement liability inherent in their business models.

Senate rejects expansion of FTC enforcement authority

Mon, 28 Jun 2010 12:01:19 GMT

Lost in the shuffle surrounding the Senate Banking Committee's deliberations about the financial reform legislation (H.R. 4173) was its decision on June 22, 2010 to reject U.S. House of Representatives-authored language that would have broadened the FTC's enforcement powers. Although the rejected provisions were procedural, rather than substantive, they were important.

First, they would have permitted the agency to issue industry-wide rules under flexible "notice and comment" procedures, rather than the cumbersome procedures now imposed on the FTC through the Moss-Magnuson Act. Second, they would have permitted the FTC to pursue third-party claims against firms found to be "substantially assisting" an act prohibited by the FTC Act. Third, they would have permitted the agency to seek civil penalties in court without first getting approval from the Department of Justice.

The Senate's rejection of the House-authored language was no accident; it reflected aggressive lobbying by the United States Chamber of Commerce and a coalition of over 30 advertising, financial, retail and media industry groups.

French Data Protection Authority Permits Certain Copyright Holders to Collect IP Addresses of P2P Downloaders

Mon, 21 Jun 2010 09:12:39 GMT

The French data protection authority (i.e., Commission nationale de l’informatique et des libertés, or “CNIL”) has authorized music copyright holders to begin collecting Internet protocol (“IP”) addresses on illegal downloaders using P2P sites in order to identify them to authorities.

CNIL has granted permission to four associations: the société Civile des Producteurs Phonographiques (“SCPP”), the Société Civile des Producteurs de Phonogrammes en France (“SPPF”), the Société des Auteurs Compositeurs et Editeurs de Musique (“SACEM”) and the Société pour l'administration du Droit de Reproduction Mécanique (“SDRM”).

These associations can now report the IP addresses of illegal downloaders/sharers to the newly created High Authority for Diffusion of Works and Protection of Rights (“HADOPI”). HADOPI can then investigate file sharing complaints, issue initial warnings to illegal downloaders, and require Internet service providers to suspend Web access for up to a year for users who continue downloading or sharing copyrighted works after two warnings.

The French text of CNIL’s June 14 announcement is available at http://www.cnil.fr/la-cnil/actualite/infos-seances/article/article/699/seance-pleniere-du-10-juin-2010/

Supreme Court Declines to Address Technology and Expectations of Privacy

Thu, 17 Jun 2010 13:34:55 GMT

Today, the Supreme Court in City of Ontario v. Quon, et al., decided not to address whether a city police officer had a reasonable expectation of privacy in text messages sent using an employer-provided pager. Rather than confront the issue, the Court declined to "elaborat[e] too fully on the Fourth Amendment implications of emerging technology before its role in society has become clear." The Court also declined to "establish far-reaching premises that define the existence, and extent, of privacy expectations enjoyed by employees when using employer-provided communication devices." Instead, the Court assumed that the police officer had an expectation of privacy in text messages sent through his employer-provided phone and found that the warrantless search of his text messages was reasonable.

In 2001 and 2002, Jeff Quon, a police officer for the City of Ontario in California, allegedly violated the police department's policy regarding use of employer-provided pagers to send text messages. To investigate the violations, the police department reviewed Quon's text messages and eventually disciplined him for violating department regulations. Quon and several individuals who had sent personal text messages to Quon then sued the City for, in part, violating their Fourth Amendment right to be free from unreasonable searches and seizures and sued Arch Wireless, the text messaging provider, for violating the Stored Communications Act ("SCA") in disclosing the content of the text messages to the City.

The district court held that Quon had a reasonable expectation of privacy in the text messages, that the warrantless search of those messages was reasonable, and that Arch Wireless had not violated the SCA. The Ninth Circuit opinion agreed that plaintiffs had a reasonable expectation of privacy in the messages but found that the search was unreasonable because there were less intrusive measures the City could have taken, and therefore concluded that the City had violated the plaintiffs' Fourth Amendment rights. The Ninth Circuit also disagreed with respect to the SCA claim. The City appealed the Fourth Amendment ruling and Arch Wireless appealed the ruling under the SCA. The Supreme Court accepted review of only the City's appeal of the claim under the Fourth Amendment.

Before the Supreme Court, the parties disagreed about whether Quon had a reasonable expectation of privacy in text messages sent through his employer-provided pager. The Court did not resolve this issue and declined to adopt "[a] broad holding concerning employees' privacy expectations vis-a-vis employer-provided technological equipment [that] might have implications for future cases that cannot be predicted." Instead, the Court decided to "dispose of th[e] case on narrower grounds." To that end, the Court assumed that Quon had a reasonable expectation of privacy in the text messages and proceeded to hold, regardless of the analytical framework used to address the issue, that the warrantless search of the messages was reasonable and therefore did not violate the Fourth Amendment.

In so holding, the Court noted that it has “repeatedly refused to declare that only the ‘least intrusive’ search practicable can be reasonable under the Fourth Amendment … because judges engaged in post hoc evaluations of government conduct can almost always imagine some alternative means by which the objectives of the government might have been accomplished.” The court also considered whether the search of Quon's messages violated the Fourth Amendment rights of the individuals who sent personal text messages to Quon and held that because the search was reasonable as to Quon, "it necessarily follows that the other respondents cannot prevail."

The Quon opinion seems most notable for its reluctance to address the legal implications of emerging technologies. The Court was concerned that "[r]apid changes in the dynamics of communication and information transmission are evidenced not just in the technology itself but in what society accepts as proper behavior" and that "it is uncertain how workplace norms, and the law's treatment of them, will evolve." The Court also noted that it "ha[d] difficulty predicting how employees' privacy expectation will be shaped by [technological] changes or the degree to which society will be prepared to recognize those expectations as reasonable."

FTC Rejects i-SAFE's Proposal to Operate COPPA Safe Harbor Program

Thu, 10 Jun 2010 17:55:23 GMT

On June 2, 2010 the Federal Trade Commission ("FTC") rejected a proposal by i-SAFE, Inc. to operate a self-regulatory program that would provide businesses with an additional mechanism to certify compliance with the Children's Online Privacy Protection Act ("COPPA"). COPPA generally prohibits websites from collecting personally identifiable information about children under the age of 13 without providing notice of the nature and purposes of the information collection and obtaining verifiable parental consent before collecting such information. The rule includes a safe harbor provision, which effectively provides a defense against prosecution by the FTC or a state for alleged COPPA violations. The provision states that websites that can demonstrate full compliance with an approved safe harbor program shall be deemed to be in compliance with the FTC's COPPA regulations.

To be approved by the FTC, self-regulatory guidelines must meet the following three requirements:

· provide "substantially similar" requirements to those included in the COPPA rule;

· provide an independent mechanism for assessing participants' compliance with the safe harbor program; and

· provide "effective" incentives for participants' compliance with the program's guidelines.

After examining the i-SAFE proposal, the FTC concluded that it did not satisfy these criteria, and that the proposed guidelines would actually result in lesser protection for children than the rule currently provides.

For more information, a copy of the FTC letter is available at http://www.ftc.gov/os/2010/06/100608isafecoppa.pdf.

Courts Permit Service by Email on Defendants Operating Online Businesses

Thu, 03 Jun 2010 10:03:59 GMT

In Chanel, Inc. v. Zhixian, et al., a Florida federal court authorized service of the Summons and Complaint upon defendant who was operating the chanel2u.com and at least 9 other websites that incorporated the Chanel mark . Chanel provided the Court with evidence that defendant used false information when registering the chanel2u.com domain name and that it was unable to determine defendant’s location through additional investigation. Despite plaintiff’s inability to locate defendant’s physical location, it was able to identify two email addresses that did not bounce back.

The Court first determined that International law did not prohibit service by email because China is a signatory to the Hague Service Convention. Article 1 of that convention provides that the “Convention shall not apply where the address of the person to be served with the document is not known.” The Court then determined that it had discretion to authorize service via email under U.S. law, (Federal Rule of Civil Procedure 4(f)(3)), and cited several previously decided cases that had found that service by email to satisfy due process concerns in various circumstances. Finally, the Court found that email service was reasonably calculated to notify Defendants of the pendency of the lawsuit, but it also required Chanel to serve Defendant via public announcement in the jurisdiction where Defendant purportedly resides in accordance with Article 84 of the Civil Procedure Law of the People’s Republic of China.

In craigslist, Inc. v. Eddie Temple, et al, a California federal court authorized service of the Summons and Complaint upon defendant who had provided physical addresses that were either invalid or unreachable for service. craigslist also submitted evidence that Defendant likely resided in Canada and that he did not rely on a physical address to operate his internet related business. The court looked to Federal Rule of Civil Procedure 4(f)(3) that provides for service on individuals in a foreign country and provides federal courts with the discretion to direct service by any means as long as the they are not prohibited by international agreement. The Court also cited several recent unreported cases also from the Northern District of California that had approved similar applications, and permitted craigslist one week to serve defendant by email.

New Ninth Circuit FTC Act opinion: FTC v. Neovi, Inc.

Wed, 02 Jun 2010 14:00:24 GMT

In May, 2010 the Ninth Circuit, in Federal Trade Commission v. Neovi, Inc, [http://tiny.cc/bdq8b] affirmed summary judgment for the agency against Qchex, an internet-based service that created and delivered unverified checks at the direction of the service's user's, many of whom were fraudsters and con artists who used bogus checks to defraud consumers and account holders. Because it is unclear whether the Federal Trade Commission Act provides the FTC with the authority to prosecute Qchex for aiding and abetting fraud, the agency challenged Qchex's practices themselves as unfair to consumers, on the theory that Qchex's "profound lack of diligence, coupled with the affirmative acts of creating and delivering thousands of unverified checks - over 150,000 of which were from accounts later frozen for fraud – warranted liability under the Act." Indeed, over a six-year period, Qchex froze over 13,750 accounts for fraud. Prior to being frozen, those accounts were the source of checks totaling over $400 million, an amount that was over half of the total amount drawn on checks via Qchex during that same time period.

Key to the decision was the ease with which users could set up a Qchex account; the user needed to supply only pertinent information, such as the routing and account numbers, to a bank account, purportedly owned by the user. Users could then submit a request on the Qchex website that a check drawn from their account be created and delivered to a third party payee. Qchex made no effort to confirm the bank account was in fact owned by the user, or that the account held sufficient funds to cover the checks.

Qchex quickly became the preferred vehicle for fraudsters who, through identify theft, were able to open Qchex accounts and draw checks from bank accounts that were not their own - including bank accounts held by the University of Chicago, Goldman Sachs and even the Federal Trade Commission itself.

This case raises several interesting points. First, the avalanche of complaints from consumers and law enforcement agencies about frauds perpetrated by Qchex's users was found to place Qchex on notice that it had "created and controlled a system that facilitated fraud. . ." by issuing checks in a form "legitimatized in the eyes of consumers." Qchex tried to depict itself as the first victim of fraudsters and con men who used its site, but none of the measures Qchex adopted to combat misuse were effective - they applied only after complaints were brought to Qchex's attention and were half hearted at best. In fact, Qchex's president even testified that they expected the site would be used for fraudulent purposes from the beginning, but nonetheless continued to create and deliver checks without proper verification. The court found that by doing so, it engaged in a practice that facilitated and provided substantial assistance to a multitude of deceptive schemes.

Second, the FTC did not allege that Qchex had itself engaged in deceptive practices. None of the representations Qchex made to users or third party payees about its service was false or deceptive. Instead, it was the creation and control of a system that facilitated fraud by those users that was found to be unfair to consumers in violation of the FTC Act. The "user friendliness" of Qchex's service was not a defense - it was not even recognized as a legitimate interest.

Third, the case raises serious issues about the liability of online transaction "facilitators" for the conduct of their users. The Ninth Circuit did not impose on Qchex an obligation actively to police its service users. But it could not ignore the flood of consumer complaints its users generated. By doing little or nothing to address the fraud facilitated by its site, Qchex became equally liable for it.

Hansen, Soderquist & Grant Publish Virtual Currency Articles on NetworkWorld Column

Wed, 19 May 2010 10:54:41 GMT

Two articles written by Perkins Coie attorneys Dax Hansen, Kirk Soderquist and Andrew Grant were recently published in the Security Strategies Alert column in NetworkWorld. The articles, "Real legal issues with virtual currencies" and "Legal risks with virtual currencies in online games" provide a legal perspective on the increasing use of virtual currencies in online role-playing games and virtual worlds.

Perkins Coie Lawyers to Participate in IAPP Practical Privacy Series

Thu, 13 May 2010 22:55:25 GMT

Perkins Coie Of Counsel Susan Lyon will be serving as co-chair for the Data Breach program at the IAPP Practical Privacy Series on June 14-15, 2010 in Santa Clara, CA. The program provides a full day of exercises that will test your ability to make decisions in a data breach situation. Perkins Coie Partner James McCullagh is on the agenda, along with Jonathan Fox of eBay, Inc.

FTC Gives Ann Taylor One-Time Free Pass on Violation of Endorsement Rules

Wed, 12 May 2010 14:45:45 GMT

In 2009, the FTC revised its guidelines for advertisers who use product endorsers, requiring the advertisers to disclose to consumers any "material" financial connection between it and the endorser. One of the most controversial aspects of the new rule was its extension to product endorsements through blog entries by consumers. Under the new agency guidelines, if an endorser received any compensation for providing an endorsement through blog entry, that fact had to be disclosed to consumers in connection with the endorsement. How this rule would play out in FTC enforcement actions was a hotly debated subject.

In January 2010, Ann Taylor invited selected fashionistas to preview its LOFT division's Summer 2010 Collection, promising participants who did so and posted comments about it on their blogs an opportunity to win through a random drawing a "mystery gift card" worth between $50 and $500. The agency opened an investigation but ultimately decided not to recommend enforcement action, citing among other things the small number of posted comments about the collection. http://www.ftc.gov/os/closings/100420anntaylorclosingletter.pdf

What's interesting about the investigation is that the "material connection" at issue was contingent (the "gift" consisted of an opportunity to win a gift card) . Also, as the agency noted, Ann Taylor had tried to comply with the endorsement rule by posting a sign at the preview telling bloggers that they should disclose the gift in his or her blog; this was not a defense, however, because is was unclear how many bloggers actually saw the sign.

Gidari's Congressional Testimony Cited in PCWorld Article

Fri, 07 May 2010 17:41:53 GMT

Congress should bring the Electronic Communications Privacy Act (ECPA) into the twenty-first century. That was the message from several witnesses, including Perkins Coie Partner Albert Gidari, to the Committee on the House of Representatives' Judiciary Committee, Subcommittee on the Constittution, Civil Rights, and Civil Liberties at a hearing Wednesday and described in the PCWorld article, "Lawmakers Consider Changes to Wiretapping Law."

The article cites Gidari's explanation of the dilemma facing telecom and Internet service providers. "These service providers are caught in the middle every day," he said. "The best way to determine whether ECPA is out of balance is to take a look at what service providers do every day - that is, essentially, guess."

Interactive Access Service Provider awarded $2,595,020 for Spam

Fri, 07 May 2010 12:20:27 GMT

In Asis Internet Services v. Richard Rausch et al., No. 08-03186 (N.D. Cal May 3, 2010), the court awarded $2,596,020 to a provider of dial-up and broadband internet and email services to just under 1,000 customers for damages resulting from the receipt of 24,724 spam emails that were sent by defendants. Asis provides its service through its own equipment and services and equipment provided by vendors such as Postini (the popular spam filtering service) and a team of four employees. Asis receives approximately 200,000 spam emails a day and incurs costs of approximately $3,000 per month to process spam emails in both processing and employee costs.

Asis sued defendants for 24,724 emails received from November 16, 2006 to May 5, 2008. Asis received the emails first on Postini, then transferred, processed and stored the emails on its email server, and then transferred the emails to its attorney where they were stored on a special spam storage and investigation server.

In addressing Asis claim under CAN-SPAM, 15 U.S.C. § 7704(a)(1) and (a)(2), the Court first determined that plaintiff meet the two-part test for standing of (1) whether the plaintiff is an Internet access service provider (“IAS”)”, and (2) whether the plaintiff was “adversely affected by statutory violations.” Gordon v. Virtumundo, Inc., 575 F.3d 1040, 1049 (9th Cir. 2009). The Court found that the first test was satisfied easily because Asis is a corporation licensed to do business in California that provides dial, broadband internet and email service to almost 1,000 customers using its own equipment, service contracts, and has four employees. When determining whether plaintiff was “adversely affected,” the court looked for guidance from Gordon and noted that ordinary filtering costs do not constitute harm, and that “at a minimum … the harm must be both real and of the type experienced by ISPs …. The harm must be of significance to a bona fide IAS provider – something beyond the mere annoyance of spam and greater than the negligible burdens typically borne by an IAS provider in the ordinary course of business.” Gordon, 575 F.3d at 1053-54.

The Court then found that Plaintiffs made a sufficient showing of adverse affect based on the following evidence:

The receipt of 200,000 spam emails per day resulting in processing costs of approximately $3,000 per month
The fact that some emails, such as those containing viruses or “hacker software”, have higher costs
Asis occasionally experiences network slow downs due to spam
Some of its clients are local businesses that lack the resources to adequately screen for spam, and so fire Plaintiffs to do so
Asis received complaints from three of its clients about the specific spam at issue and resolving those complaints consumed 22 hours of Plaintiffs’ staff time
Asis lose customers regularly as a result of spam, and would realize over one third more revenue per year if they did not have to spend money on addressing spam.

Turning to the merits, the court had not trouble finding that Asis had easily established the merits of its CAN-SPAM claim as a result of defendant’s failure to respond to Asis’s Request For Admission, which are deemed admitted if not answered. The Court then addressed damages, compared the facts in this case to facts in two other recently decided CAN-SPAM cases from the Northern District of California (Facebook v. Wallace, 2009 WL 3617789 (N.D. Cal. Oct. 29, 2009), and Tagged, Inc. v. Does 1 through 10, 2010 WL 370331 (N.D. Cal. Jan. 25, 2010)) and applied statutory damages of $25 per spam email for a total statutory damages awarded of $865,340. The court also awarded aggravated damages under 15 U.S.C. § 7706(g)(3)(C) based on evidence provided by Asis employees that defendants had conducted a directory harvest and used automated scripts to acquire email accounts. Based on that evidence the court trebled the damages award for a total award of $2,596,020.

Gidari testifies before House Judiciary Committee on ECPA Reform

Wed, 05 May 2010 16:23:45 GMT

Perkins Coie Partner Albert Gidari testified today before the Committee on the House of Representatives' Judiciary Committee, Subcommittee on the Constitution, Civil Rights, and Civil Liberties, on the need for reform of the Electronic Communications Privacy Act (ECPA). Gidari noted that ECPA is 25 years old and its application to many new services like cloud computing, social networking and location-based services is unclear. He called for clear rules for service providers to disclose user content, communications and information and for more transparency about the amount of information collected by governmental agencies. Read written testimony.