Author Archives: Evan Brown (@internetcases)

Court allows blockchain platform to send subpoena seeking info about hacker

Plaintiff provides a blockchain asset trading platform and claimed that a hacker broke in and transferred 330,000 Tether and 100 Ether to a Bittrex account. Though Bittrex told plaintiff it had identified the relevant Bittrex account holder, it would not disclose the identity to plaintiff without a court order.

So plaintiff filed suit against the John Doe hacker for conversion, violation of the federal Computer Fraud and Abuse Act, and under Washington state law. Since it could not serve the complaint on the Doe defendant without knowing his identity, plaintiff sought permission from the court to take early discovery from Bittrex. The court granted the motion.

The court permitted plaintiff to send a subpoena to Bittrex requesting the name of the Doe defendant. Federal Rule of Civil Procedure 26(d) bars parties from seeking “discovery from any source before the parties have conferred as required by Rule 26(f), except in a proceeding exempted from initial disclosure under Rule 26(a)(1)(B), or when authorized by these rules, by stipulation, or by court order.” Fed. R. Civ. P. 26(d)(1). In determining whether to permit expedited discovery, the court required plaintiff to demonstrate that “good cause” existed to deviate from the standard pretrial schedule.

In the Ninth Circuit, a court evaluating whether a plaintiff establishes good cause to learn the identity of Doe defendants through early discovery examines whether the plaintiff (1) identifies the Doe defendant with sufficient specificity that the Court can determine that the defendant is a real person who can be sued in federal court, (2) recounts the steps taken to locate and identify the defendant, (3) demonstrates that the action can withstand a motion to dismiss, and (4) proves that the discovery is likely to lead to identifying information that will permit service of process. This test is often associated with the case of Columbia Ins. Co. v. seescandy.com, 185 F.R.D. 573, 578–80 (N.D. Cal. 1999).

In this case, the court found that good cause supported plaintiff’s request for leave to take expedited discovery to ascertain sufficient identifying information about the Doe defendant. Plaintiff had provided evidence that appeared to trace the allegedly stolen funds to an account on Bittrex, and plaintiff’s conversation with Bittrex indicated that Doe’s identity as the account holder was likely already known or ascertainable. The court also found that plaintiff’s request seeking identifying information related to Doe was reasonably likely to lead to the production of information that would permit plaintiff to serve process.

ZG TOP Technology Co., Ltd. v. John Doe, 2019 WL 917418 (W.D. Wash., February 25, 2019)

Installing earlier software version that lacked license check feature triggered DMCA anticircumvention liability

EGS and DDS were in a dispute over the use of DDS’s software. [You can read about the copyright infringement claims here.] DDS claimed EGS had failed to pay license fees for its software. So DDS installed an update that would confirm the current license, and if the license was not up to date, would lock the program. In response, EGS elected to use a previously-licensed and older version of the software that did not contain the license check feature. Because of this, DDS claimed that EGS violated the anticircumvention provisions of the Digital Millennium Copyright Act

EGS moved to dismiss the DMCA anticircumvention claim. The court denied the motion. 

The DMCA provides, in relevant part, that “[n]o person shall circumvent a technological measure that effectively controls access to a work protected under this title.” It goes on to state that “to ‘circumvent a technological measure’ means to descramble a scrambled work, to decrypt an encrypted work, or otherwise to avoid, bypass, remove, deactivate, or impair a technological measure, without the authority of the copyright owner.” It also explains that “a technological measure ‘effectively controls access to a work’ if the measure, in the ordinary course of its operation, requires the application of information, or a process or a treatment, with the authority of the copyright owner, to gain access to the work.” 

EGS had argued in part that it did not violate the anticircumvention provisions because its conduct was like the defendant in the case of I.M.S. Inquiry Management Systems, Ltd. v. Berkshire Info. Systems, Inc., 307 F. Supp. 2d 521 (S.D.N.Y. 2004). In that case, the defendant used a legitimate username and password to gain access to the protected work. 

The court acknowledged that like the situation in I.M.S., EGS did not do anything to change or manipulate the DDS software. However, as the court noted, the fact remained that EGS allegedly removed the software and reinstalled a prior version. For that reason, I.M.S. and the similar case of Navistar, Inc. v. New Baltimore Garage, Inc., 2012 WL 4338816 (N.D. Ill. Sept. 20, 2012), were not to the contrary.

First, those cases acknowledged that removing a technological measure suffices to state a claim under the DMCA. Second, EGS had leaned heavily on the fact that DDS analogized its license check to a password protection system, and that the district courts in I.M.S. and Navistar reasoned that “using a password to access a copyrighted work, even without authorization, does not constitute circumvention under the DMCA …” But implicit in those courts’ reasoning was a recognition that the licensee already knew the password and thus had the key to the castle.

In this case, to the contrary, EGS had no way to go through the license check and access the current software except by removing it entirely. Accordingly, the court found that a more apt analogy was that EGS circumvented “the deployed technological measure in the measure’s gatekeeping capacity” by uprooting the locked gate.

Eclipse Gaming Systems, LLC v. Antonucci, 2019 WL 3988687 (N.D. Ill. Jan. 31, 2019)

See also:

Failure to pay software license fees was breach of contract, not copyright infringement

As part of a larger business dispute that found its way into litigation, counterclaimant DDS sued counterdefendant EGS for copyright infringement after EGS allegedly used DDS’s software without paying required license fees. EGS moved to dismiss the copyright infringement claims, asserting that there was no copyright infringement occurring, only a breach of the license agreement. The court granted the motion to dismiss. 

The court found that the provision of the agreement between the parties, requiring EGS to pay license fees, was a covenant and not a condition that must be met for use of the software to be authorized. The finding was critical because whether the failure of a non-exclusive licensee to pay royalties constitutes copyright infringement turns on the distinction between a promise subject to a condition and a covenant or contractual promise. Broadly speaking, the promise to pay royalties in a license agreement is generally considered a covenant, not a condition. 

In this case, the agreement between the parties provided that:

Upon [EGS’s] payment of [a one-time fee], and subject in each instance to [EGS’s] subsequent timely payment of the applicable [recurring] licensing fee, [DDS] hereby grants to [EGS] a limited, nonexclusive license . . . . 

The court determined this language established that DDS would install its software and then EGS would pay for the right to use the software. Under this line of thinking, the duty to pay fees did not accrue until the software was installed, meaning that payment could not be a condition on the rights to use the software (and that nonpayment would not be a failure of that condition). 

Eclipse Gaming Systems, LLC v. Antonucci, 2019 WL 3988687 (N.D. Ill. Jan. 31, 2019)

See also:

Arbitration provision in web-based contract was not enforceable

Defendants moved to compel arbitration based upon a purported arbitration clause in an agreement between them and plaintiffs that plaintiffs electronically signed through defendants’ website.

The court found that defendants failed to meet their burden to show, by undisputed material facts, that the parties entered into an agreement to arbitrate the claims in the case. The court looked to the Ninth Circuit decision in Nguyen v. Barnes & Noble Inc., 763 F.3d 1171 (9th Cir. 2014) to support the idea that courts will enforce clickwrap-type agreements where the user indicates actual notice of the terms of the agreement or was required to acknowledge the terms of the agreement before proceeding with further use of the site. Enforcement of a browsewrap-type agreement, which lacks such an acknowledgment, will depend upon whether the website’s design and content would put “a reasonably prudent user on inquiry notice of the terms of the contract.” The conspicuousness of the terms and notices, as well as the overall design of the webpage, will contribute to the determination that a user was on inquiry notice.

In this case, according to the court, defendants had not offered evidence explaining the design and content of the webpage in question, or how the agreement appeared on the website. The court could not determine whether the terms of the agreement appeared on the registration page itself, or if a user would have had to click a link to see the full terms. Likewise, the court could not determine other factors that might contribute to determining plaintiffs’ notice of the terms, such as the size of the font or other aspects of the appearance and presentation of the terms online. The declaration offered by defendant did not provide evidence to show that: (1) either of the plaintiffs had actual knowledge of the arbitration agreement; or (2) whether the agreement was a clickwrap or a browsewrap agreement, how the website was designed and where these terms appeared, and whether plaintiffs assented by clicking an “I agree” box, or were deemed to agree by continuing in the registration process.

Given the lack of evidence of how the registration process appeared on its website, how one of the plaintiffs had declared that he did not see an arbitration agreement, and the reasonable doubts and inferences that must be drawn in that plaintiff’s favor under the applicable standard, the court found that plaintiffs had presented a genuine issue of fact concerning notice of, and assent to, the arbitration agreement here. The court could not find that plaintiffs were reasonably on notice of the agreement to arbitrate, and the accordingly the motion to compel was denied.

Chen v. Premier Financial Alliance, Inc., 2019 WL 280944 (N.D. Cal. Jan. 22, 2019)

Company cannot avoid DMCA liability for false CMI by claiming it used its own name

Plaintiff sued defendant claiming defendant violated the DMCA by providing and distributing false copyright management information (“CMI”), in violation of 17 U.S.C. § 1202(a)(1)–(2). Defendant had placed its brand name and logo on and adjacent to plaintiff’s photo within defendant’s advertising material. 

The part the DMCA relevant to this case provides that “[n]o person shall knowingly and with the intent to induce, enable, facilitate, or conceal infringement — (1) provide copyright management information that is false, or (2) distribute or import for distribution copyright management information that is false.”

Section 1202(c) defines CMI as “any of the following information conveyed in connection with copies or phonorecords of a work or performances or displays of a work, including in digital form, except that such term does not include any personally identifying information about a user of a work or of a copy, phonorecord, performance, or display of a work: …” (emphasis added). It goes on to list eight types of CMI, as relevant in this case: (2) the name of, and other identifying information about, the author of the work; (3) the name of, and other identifying information about, the copyright owner of the work, including the information set forth in a notice of copyright; and (7) identifying numbers or symbols referring to such information or links to such information.

Defendant moved to dismiss, arguing that the plain language of § 1202(c) excepts from the definition of CMI “any personally identifying information about a user of a work or of a copy, phonorecord, performance, or display of a work.” It reasoned that because plaintiff’s complaint defined defendant as a “user” of the photograph (i.e., by alleging that defendant used the photograph for commercial promotion) and because personally identifiable information includes names, the name of a user of a work is not, and cannot, be CMI.

The court rejected this argument and denied the motion to dismiss. It looked to the decision of another federal court, Tiermy v. Moschino S.P.A., No. 15-CV-5900, 2016 WL 4942033 (C.D. Cal. Jan. 13, 2016) in which a defendant had made a similar argument. As that court noted, defendant’s argument fell short on a logical basis. Taking defendant’s theory to the extreme, virtually any person who took another’s work and placed their name or brand on it could be considered a “user of a work” rather than an infringer, and escape liability. The court found that was not the intent of the statute, which is to protect the integrity of CMI by prohibiting the provision of false CMI. The court held that it cannot be, and defendant provided no authority in support, that an alleged infringer can escape liability under § 1202(a) simply because the false CMI put forth is the alleged infringer’s own name.

Roth v. The Walsh Co., 2019 WL 318404 (E.D. Wis. Jan. 24, 2019)

Should revenge porn victims be allowed to proceed anonymously in court?

Plaintiff and her twin sister sued her ex-boyfriend and an unknown John Doe accusing them of copyright infringement and other torts such as invasion of privacy. They claimed the defendants posted intimate and nude photos of plaintiffs online without their consent. And defendants had posted one of the plaintiff’s name and other information on social media in connection with the photos.

Arguing that they had a substantial privacy right that outweighed the customary and constitutionally-embedded presumption of openness in judicial proceedings, plaintiffs asked the court for permission to proceed anonymously. But the court denied the motion.

Plaintiffs’ privacy arguments

Plaintiffs had primarily argued that proceeding under their real names would require them to disclose information of the utmost intimacy and that if they were required to attach their names to the litigation, there would be a public record connecting their names to the harm and exploitation they had suffered which could result in even more people viewing the very images that were stolen and disseminated without their consent.

Court: the harm had already been done

The court rejected these arguments. It observed that the photographs had been published on the internet for approximately seven years and had been sent to people they know. Plaintiffs admitted that one of them could be identified in some of the photographs because her face and a distinctive tattoo were visible. And John Doe had already published that plaintiff’s contact information which resulted in her being inundated with phone calls, text messages, emails, and Instagram, Facebook, and Twitter messages.

So in the court’s mind it appeared that that plaintiff’s identity was already known or discoverable. In addition, that plaintiff had obtained copyright registrations for many of the photographs and the copyright registration was a public document that clearly identified her by name.

As for the twin sister, although her identity had not been similarly made public, the court found that “no great stretch [was] required to identify her through public records as [the other plaintiff’s] twin sister.”

Consequently, the court was not persuaded that plaintiffs’ privacy interests outweighed the public’s right of access in judicial proceedings.

M.C. v. Geiger, 2018 WL 6503582 (M.D.Fla. Dec. 11, 2018)

Restraining order entered against website that encouraged contacting children of plaintiff’s employees

Plaintiff sued defendant (who was an unhappy customer of plaintiff) under the Lanham Act (for trademark infringement) and for defamation. Defendant had registered a domain name using plaintiff’s company name and had set up a website that, among other things, he used to impersonate plaintiff’s employees and provide information about employees’ family members, some of whom were minors.

Plaintiff moved for a temporary restraining order and the court granted the motion.

The Website

The website was structured and designed in a way that made it appear as though it was affiliated with plaintiff. For example, it included a copyright notice identifying plaintiff as the owner. It also included allegedly false statements about plaintiff. For example, it included the following quotation, which was attributed to plaintiff’s CEO:

Well of course we engage in bad faith tactics like delaying and denying our policy holders [sic] valid claims. How do you think me [sic], my key executive officers, and my board members stay so damn rich. [sic]

The court found that plaintiff had shown a likelihood of success on the merits of its claims.

Lanham Act Claim

It found that defendant used plaintiff’s marks for the purpose of confusing the public by creating a website that looked as though it was a part of plaintiff’s business operations. This was evidenced by, for example, the inclusion of a copyright notice on the website.

Defamation

On the defamation claim, the court found that the nature of the statements about plaintiff, plaintiff’s assertion that they were false, and the allegation that the statements were posted on the internet sufficed to satisfy the first two elements of a defamation claim, namely, that they were false and defamatory statements pertaining to the plaintiff and were unprivileged publications to a third party. The allegations in the complaint were also sufficient to indicate that defendant “negligently disregarded the falsity of the statements.”

Furthermore, the statements on the website concerned the way that plaintiff processed its insurance claims, which related to the business of the company and the profession of plaintiff’s employees who handled the processing of claims. Therefore, the final element was also satisfied.

First Amendment Limitations

The court’s limitation in the TRO is interesting to note. To the extent that plaintiff sought injunctive relief directed at defendant’s speech encouraging others to contact the company and its employees with complaints about the business, whether at the workplace or at home, or at public “ad hominem” comments, the court would not grant the emergency relief that was sought.

The court also would not prohibit defendant from publishing allegations that plaintiff had engaged in fraudulent or improper business practices, or from publishing the personally identifying information of plaintiff’s employees, officers, agents, and directors. Plaintiff’s submission failed to demonstrate to the court’s satisfaction how such injunctive relief would not unlawfully impair defendant’s First Amendment rights.

The did, however, enjoin defendant from encouraging others to contact the children and other family members of employees about plaintiff’s business practices because contact of that nature had the potential to cause irreparable emotional harm to those family members, who have no employment or professional relationship with defendant.

Symetra Life Ins. Co. v. Emerson, 2018 WL 6338723(D. Maine, Dec. 4, 2018)

Facebook did not violate HIPAA by using data showing users browsed healthcare-related websites

Plaintiffs sued Facebook and other entities, including the American Cancer Society, alleging that Facebook violated numerous federal and state laws by collecting and using plaintiffs’ browsing data from various healthcare-related websites. The district court dismissed the action and plaintiffs sought review with the Ninth Circuit. On appeal, the court affirmed the dismissal.

The appellate court held that the district court properly determined that plaintiffs consented to Facebook’s data tracking and collection practices.

Plaintiffs consented to Facebook’s terms

It noted that in determining consent, courts consider whether the circumstances, considered as a whole, demonstrate that a reasonable person understood that an action would be carried out so that their acquiescence demonstrates knowing authorization.

In this case, plaintiffs did not dispute that their acceptance of Facebook’s Terms and Policies constituted a valid contract. Those Terms and Policies contained numerous disclosures related to information collection on third-party websites, including:

  • “We collect information when you visit or use third-party websites and apps that use our Services …. This includes information about the websites and apps you visit, your use of our Services on those websites and apps, as well as information the developer or publisher of the app or website provides to you or us,” and
  • “[W]e use all of the information we have about you to show you relevant ads.”

The court found that a reasonable person viewing those disclosures would understand that Facebook maintained the practices of (a) collecting its users’ data from third-party sites and (b) later using the data for advertising purposes. This was “knowing authorization”.

“But it’s health-related data”

The court rejected plaintiffs claim that—though they gave general consent to Facebook’s data tracking and collection practices—they did not consent to the collection of health-related data due to its “qualitatively different” and “sensitive” nature.

The court did not agree that the collected data was so different or sensitive. The data showed only that plaintiffs searched and viewed publicly available health information that could not, in and of itself, reveal details of an individual’s health status or medical history.

This notion supported the court’s conclusion that the use of the information did not violate the Health Information Portability and Accountability Act of 1996 (“HIPAA”) and its California counterpart.

The court held that information available on publicly accessible websites stands in stark contrast to the personally identifiable patient records and medical histories protected by HIPAA and other statutes — information that unequivocally provides a window into an individual’s personal medical history.

Smith v. Facebook, Inc., 2018 WL 6432974 (9th Cir. Dec. 6, 2018)

Willie Nelson meme on Facebook was not clearly fair use

Plaintiff photographer sued website publisher (who also maintained a Facebook page to go with the website) for copyright infringement. Plaintiff claimed defendant infringed plaintiff’s copyright in a photo plaintiff took of Willie Nelson when defendant posted the photo on Facebook with a cultural message superimposed over the photo in the form of a meme.

Defendant moved to dismiss for failure to state a claim, on the basis of fair use. The court denied the motion, applying the fair use test set forth in 17 USC 109.

The court’s holding turned essentially on the idea that there were not yet enough facts in the record to support a finding of fair use, and that such a determination should be made later in the case, e.g., at summary judgment. For example, plaintiff had argued that defendant’s purpose was not transformative, and that it was in fact the same purpose plaintiff had for publishing the photo, namely, to identify Willie Nelson.

Philpot v. Alternet Media, Inc., 2018 WL 6267876 (N.D. Cal. Nov. 30, 2018)

Attorney-client privilege protected defendants’ lawyers’ communications with PR firm hired to combat negative online treatment

In defending intellectual property claims over video games, defendants’ law firm hired a public relations firm to assist it with “input on legal strategy, including regarding initial pleadings and communications about the case to counteract [plaintiff’s] false and negative statement.” Defendants were allegedly being targeted by negative online attacks by the plaintiff.

During discovery, plaintiff served a subpoena on the hired PR firm, seeking, among other things, all documents relating to the communciations between the PR firm and defendants’ counsel.

Defendants sought to quash the subpoena, arguing the information was protected from disclosure under the attorney-client privilege. The court quashed the subpoena.

It found that because defendants’ counsel (and not defendants themselves) hired the PR firm to provide PR counseling specifically for the purposes of litigation strategy, the attorney-client privilege extended to the communications between the PR firm and defendants’ counsel pertaining to “giving and receiving legal advice about the appropriate response to the lawsuit and making related public statements.”

Specifically, these communications were

  • confidential communications made
  • between lawyers and public relation consultants
  • hired by the lawyers to assist them in dealing with the media in cases or litigation
  • that were made for the purpose of giving or receiving advice
  • directed at handling the client’s legal problems that were undeniably protected by the attorney client privilege.

The court similarly found that the attorney work product doctrine extended to the communications exchanged between the PR firm and defendants’ counsel. As could be seen by the privilege log, documents such as a “draft Answer and Counterclaim” and a “draft press release” would contain “the mental impressions, conclusions, opinions, or legal theories of a party’s attorney or other representative concerning the litigation.” Moreover, documents such as a “draft Answer and Counterclaim” and a “draft press release” were “prepared in anticipation of litigation or for trial.” Defendants’ counsel also did not waive their work-product protection when they shared otherwise valid work product (e.g. draft Answers or Counterclaims) with the PR firm for assistance because the communications were intended to be confidential.

Stardock Systems, Inc. v. Reiche, 2018 WL 6259536 (N.D.Cal. Nov. 30, 2018)

See also: Emails sent through Yahoo account using work computer protected under attorney-client privilege