SPAM NOTES:
a law blog covering electronic communications,
email, social networks, privacy, and more
a law blog covering electronic communications,
email, social networks, privacy, and more
Electronic Communications, Privacy, Data Protection, and More
Unsolicited Text Messages and the TCPA (and the Computer Fraud and Abuse Act)
I have a pair of posts at Professor Goldman's blog on unsolicited text messages, and the Telephone Consumer Protection Act and the Computer Fraud and Abuse Act.
Last week, a federal court in Minnesota held that the transmission of unsolicited text messages does not constitute a violation of the Computer Fraud and Abuse Act (Czech v. Wall Street on Demand, Inc.). The court recognized that the Computer Fraud and Abuse Act is a statute designed to combat hacking, and that plaintiff's allegations that it repeatedly received unwanted text messages do not make out a claim - based on the extraction of information, transmission of harmful code, or access (without authorization) - under the Computer Fraud and Abuse Act.
This week, a federal court in Illinois (Abbas v. Selling Source, LLC) held that the transmission of unsolicited text messages could violate the Telephone Consumer Protection act, because unwanted SMS messages constituted "calls" under the TCPA. Interestingly, defendant raised a First Amendment defense, which the court rejected.
Both cases are worth reading.
Last week, a federal court in Minnesota held that the transmission of unsolicited text messages does not constitute a violation of the Computer Fraud and Abuse Act (Czech v. Wall Street on Demand, Inc.). The court recognized that the Computer Fraud and Abuse Act is a statute designed to combat hacking, and that plaintiff's allegations that it repeatedly received unwanted text messages do not make out a claim - based on the extraction of information, transmission of harmful code, or access (without authorization) - under the Computer Fraud and Abuse Act.
This week, a federal court in Illinois (Abbas v. Selling Source, LLC) held that the transmission of unsolicited text messages could violate the Telephone Consumer Protection act, because unwanted SMS messages constituted "calls" under the TCPA. Interestingly, defendant raised a First Amendment defense, which the court rejected.
Both cases are worth reading.
Why Doesn't Facebook Make Company & Fan Pages More User Friendly?
"Why is Facebook so hard to use?" is a question that has nagged me for the past year. Seriously. For a company that has raised as much money and garnered the amount of attention that Facebook has, the Facebook user experience stinks.
I consider myself reasonably able to figure out basic tools like these on my own. But to me it seems like you need to take a class in order to put together anything more than a basic "personal page" on Facebook. Worse yet, Facebook doesn't make available documentation that answers basic questions on how to set up and use the various types of pages on Facebook. (Maybe this is what they teach you at social media seminars?)
Here's the scenario: I have a personal page on Facebook which I've had for the past year or so (give or take). About six months ago I decided to set up a "company page" for a side-project I'm working on with my mom (selling Indian spice mixes and rubs). Here's a link to the spice mix page. (At the risk of sounding trite, and to use an over-used expression, "feel free to fan" the spice rub page [link].) The basic problem I have is that Facebook does not make it easy to disassociate my personal page from the company page. My recollection when I set up the company page was that you had to tie it to a personal page for the person who would be the administrator. This was a lame decision on Facebook's part. Maybe people want to set up a company page but they don't want to be "on Facebook" (personally)? Anyway, that's neither here nor there, but what I'm really having trouble figuring out is how to easily distinguish between posting to your personal page and and posting to the company page.
Here's an example of what's problematic. I did a test post on the company page - here's a screen cap of the post below:
You would think since I posted this under my company account profile, this comment would not be in any way associated with my personal account, right? Wrong:
I realize Facebook has a lot of different settings you can tweak (including privacy settings) but this seems like a pretty basic failure in the way that company pages and personal pages fit together.
I know I'm not alone in my experience. As a relatively light Facebook user who hasn't been really active on Facebook I still chat with a fair number of people who have had similar problems, and worse yet, people who generally can't figure out the process of how to easily set up a company account (or don't realize the difference between a company page, a cause page, event page, fan page, etc.).
Get it together Facebook -- user experience is all important, and judging from my experience, Facebook gets a big fat F.
[BTW: at the time I created the company page I was fairly certain that you needed to have a personal profile to "administer" a separate page, such as a company page, but maybe things have changed.]
I consider myself reasonably able to figure out basic tools like these on my own. But to me it seems like you need to take a class in order to put together anything more than a basic "personal page" on Facebook. Worse yet, Facebook doesn't make available documentation that answers basic questions on how to set up and use the various types of pages on Facebook. (Maybe this is what they teach you at social media seminars?)
Here's the scenario: I have a personal page on Facebook which I've had for the past year or so (give or take). About six months ago I decided to set up a "company page" for a side-project I'm working on with my mom (selling Indian spice mixes and rubs). Here's a link to the spice mix page. (At the risk of sounding trite, and to use an over-used expression, "feel free to fan" the spice rub page [link].) The basic problem I have is that Facebook does not make it easy to disassociate my personal page from the company page. My recollection when I set up the company page was that you had to tie it to a personal page for the person who would be the administrator. This was a lame decision on Facebook's part. Maybe people want to set up a company page but they don't want to be "on Facebook" (personally)? Anyway, that's neither here nor there, but what I'm really having trouble figuring out is how to easily distinguish between posting to your personal page and and posting to the company page.
Here's an example of what's problematic. I did a test post on the company page - here's a screen cap of the post below:
You would think since I posted this under my company account profile, this comment would not be in any way associated with my personal account, right? Wrong:
I realize Facebook has a lot of different settings you can tweak (including privacy settings) but this seems like a pretty basic failure in the way that company pages and personal pages fit together.
I know I'm not alone in my experience. As a relatively light Facebook user who hasn't been really active on Facebook I still chat with a fair number of people who have had similar problems, and worse yet, people who generally can't figure out the process of how to easily set up a company account (or don't realize the difference between a company page, a cause page, event page, fan page, etc.).
Get it together Facebook -- user experience is all important, and judging from my experience, Facebook gets a big fat F.
[BTW: at the time I created the company page I was fairly certain that you needed to have a personal profile to "administer" a separate page, such as a company page, but maybe things have changed.]
Yahoo! Not Liable for Disclosure of Email Information to Chinese Officials
A group of plaintiffs filed suit against Yahoo! and its Chinese subsidiary for disclosing the email information (identity) of a person who used an email address to engage in political/dissident activity in China. Tom O'Toole at the BNA TechLaw blog reports [link] that Judge Chesney (of the Northern District of California) dismissed the claims against Yahoo! and its subsidiary on the basis that the Electronic Communications Privacy Act does not apply extraterritorially. (Access a link to the order at TechLaw here [pdf].)
Among other arguments, plaintiffs tried to argue that since Yahoo! has servers all over the world, including in the United States, it doesn't necessarily make sense to reject the claims on the basis that the interception/disclosure occurred outside the United States. The court disagreed, noting that according to plaintiffs' own allegations, the "acquisitions and subsequent disclosures . . . were made 'locally.'" I'm not familiar with the case law here, but I was surprised the court didn't give this argument a bit more credence. I'm not familiar with the Alien Tort Claims statute either, but I'm surprised plaintiffs didn't bring an ATCA claim.
Yahoo! testified in front of Congress after taking heat over these types of disclosures, as reported by Wired here (2007).
Yahoo! testified in front of Congress after taking heat over these types of disclosures, as reported by Wired here (2007).
Does Blogging Favor Smaller Firms?
Drug and Device Law has a great post that asks "Why Big Firms Don't Blog Well." Mark Hermann takes a look at the ABA 100 and sees a dearth of blogs by larger law firms. (Congrats to those nominated by the way.) He sees two (SCOTUS Blog and Drug and Device Law) on the list. He offers a few reasons as to why bigger law firms don't seem to see the same "success" in blogging as smaller firms, but his key point is that one of the keys to success is to write in a "distinctive voice." This ties into the issue of big firm lawyers being less likely to be opinionated. I like Mark's take on this:
There's also the fact that "interesting," usually equates to disclosing your particular personality quirks or your policy stance on an issue beyond the rule and implications of a particular case or piece of legislation. Some clients may agree with you and be drawn to your blog as a result. Other clients may be turned off. This can be tough to predict.
I'm curious about something else that's related to this topic. Most law bloggers seem to blog for their peers or for themselves. (I know I rarely take into account a client or potential client's perspective when I blog. If I did, I'd make my blog posts a lot easier to read and digest! But this would probably increase the costs of blogging significantly.) Do any firms really blog with clients in mind? Even if they do, do clients find these blogs useful? I guess a good place to find out the answer would be to ask the clients, but so far I haven't seen many good data points on this.
Added: don't I feel like a dolt after reading Randazza's succinct post about this.
More: see more in posts by Scott Greenfield ("Blawgospheric Darwinism"), Kevin O'Keefe ("Big Law Firms Don't Blog Well, Says Who"), Carolyn Elefant ("Why Big Firms Don't Blog Well: Not Too Much Risk, but Too Little Passion"), and Mark Bennett ("Born to Fail, But on Life Support"). A fine example of lawyers being lawyers . . . arguing over the finer points of inside inside baseball. (Hey, it's fun . . . that's why we do it!)
I should add that there are a slew of blogs by larger law firms on my regular reading list, for example "Proskauer's New Media & Technology Law Blog," and David Johnson's "Digital Media Lawyer Blog" (to name a couple). Both are excellent resources.
Mark's take happens to be roughly in line with my thoughts from a chat I did with the WSBA Young Lawyer's Division in 2005:Crafting a distinctive on-line voice entails risk; most lawyers at big firms (perhaps intelligently) choose to avoid that risk; and so most big firm blogs just dangle out there, twisting slowly in the wind.
It's a crazily painstaking endeavor in my opinion to maintain an up-to-date, relevant blog which contains substantive posts that add to the conversation. Coupled with the fact that it's far from clear that there's a direct correlation with revenue and blogging (and the fact that most - if not all - law firms do not credit lawyers for time spent blogging) it's no surprise that few large firms maintain interesting and relevant blogs (at least as recognized by the ABA).marketing can be a byproduct of a blawg, but at its root, blogging is more about finding your unique voice and participating in a community. It is a grass-roots medium, and as with any other grass roots phenomenon, the "pure marketing approach" is rarely effective. A blawgger who is primarily marketing (rather than having a conversation with his or her readers) is also likely to find a tepid response from the blogging community.
..
the appeal of a blawg is mostly the personality of the blogger (or bloggers), so it doesn't make sense to have a "corporate blog". Even the more successful blogs affiliated with corporations are run by individuals (for example, both GM and Boeing have blogs). Corporate blogs should still heavily reflect the personality of the individual blogger. Blogging to me is a bit counter-culture. On that level, it's tough to imagine a blogosphere where corporate blogs live in the center and not on the fringe.
There's also the fact that "interesting," usually equates to disclosing your particular personality quirks or your policy stance on an issue beyond the rule and implications of a particular case or piece of legislation. Some clients may agree with you and be drawn to your blog as a result. Other clients may be turned off. This can be tough to predict.
I'm curious about something else that's related to this topic. Most law bloggers seem to blog for their peers or for themselves. (I know I rarely take into account a client or potential client's perspective when I blog. If I did, I'd make my blog posts a lot easier to read and digest! But this would probably increase the costs of blogging significantly.) Do any firms really blog with clients in mind? Even if they do, do clients find these blogs useful? I guess a good place to find out the answer would be to ask the clients, but so far I haven't seen many good data points on this.
Added: don't I feel like a dolt after reading Randazza's succinct post about this.
More: see more in posts by Scott Greenfield ("Blawgospheric Darwinism"), Kevin O'Keefe ("Big Law Firms Don't Blog Well, Says Who"), Carolyn Elefant ("Why Big Firms Don't Blog Well: Not Too Much Risk, but Too Little Passion"), and Mark Bennett ("Born to Fail, But on Life Support"). A fine example of lawyers being lawyers . . . arguing over the finer points of inside inside baseball. (Hey, it's fun . . . that's why we do it!)
I should add that there are a slew of blogs by larger law firms on my regular reading list, for example "Proskauer's New Media & Technology Law Blog," and David Johnson's "Digital Media Lawyer Blog" (to name a couple). Both are excellent resources.
The Randazza Fan Club
In the better late than never category, I wanted to mention Marc Randazza's victory over Glenn Beck. Glenn Beck brought a UDRP action against Isaac Eiland-Hall over Eiland-Hall's registration and use of the domain name <glennbeckrapedandmurderedayounggirlin1990.com>. Another way to put it is that Beck went to a non-US tribunal in an attempt to bypass a domain name registrant's First Amendment rights.
You can follow the links at Randazza's to get the details, but in a nutshell Randazza opened up a can of First Amendment whoop-ass on Beck. The WIPO arbitrator concluded that Beck was not entitled to transfer of the domain name since Eiland-Hall didn't commercially exploit any of Beck's rights and the site was clearly intended to mock Beck. (I haven't had time to read the ruling but this is what I gather from descriptions of it. See NPR's coverage here.)
After the ruling was handed down, Eiland-Hall offered to return the domain name to Beck, stating in a letter that he defended against the UDRP action in order to prove a point and vindicate the First Amendment.
The cool part? Randazza now has a fan club. Randazza's filings were entertaining, and more importantly effective.
On the heels of the Glenn Beck win, Randazza also convinced a law professor who sued Above the Law to drop his claims.
In the midst of all this activity, he continues to blog up a storm. Head on over and check out his blog, if you haven't already.
Added: The Daily Beast as a nice piece on Eiland-Hall and the dispute.
After the ruling was handed down, Eiland-Hall offered to return the domain name to Beck, stating in a letter that he defended against the UDRP action in order to prove a point and vindicate the First Amendment.
The cool part? Randazza now has a fan club. Randazza's filings were entertaining, and more importantly effective.
On the heels of the Glenn Beck win, Randazza also convinced a law professor who sued Above the Law to drop his claims.
In the midst of all this activity, he continues to blog up a storm. Head on over and check out his blog, if you haven't already.
Added: The Daily Beast as a nice piece on Eiland-Hall and the dispute.
Prof. Goldman Interviews Cindy Cohn of the EFF
Professor Goldman interviews Cindy Cohn, legal director of the EFF. Access the interview here. 
It's well worth listening to for a couple of reasons:
- as far as organizations go, the EFF has probably been most influential in shaping the law in cyberspace (purveyors of adult content and other less mainstream content peddlers have been pretty influential but they obviously don't influence the law in a concerted policy-driven manner);
- great career advice - they chat in the interview about the "call that changes your career" .. great advice for students, lawyers, and people who are just looking to get into a particular area ("just do it" probably sums up the advice, but it's always always healthy to hear about how chance plays a role);
- good discussion on the Google Books Settlement and the privacy issues that the EFF brought to light;
- the discussion about whether she's a "geek" and what "geekiness" is was funny as well.
Starbucks Data Breach Plaintiffs Try Their Luck in the Ninth Circuit
A lost laptop computer containing the personal information of Starbucks employees prompted a class action lawsuit against Starbucks (in Washington). The lawsuit received some coverage (see, for example Bob McMillan here, and Starbucks Gossip here), but the trial court's dismissal of the lawsuit received almost no coverage. (I mentioned the lawsuit, but failed to note the court's dismissal of it. Here is the one mention I came across.) Plaintiffs appealed the dismissal to the Ninth Circuit, and their just-filed appeal brief is worth a look. Access a copy of the brief at scribd here.
Background: As described in the complaint, in 2008, someone stole a laptop containing the personal information of approximately 97,000 employees. Starbucks notified the police and affected employees (plaintiffs claim Starbucks was slow in effecting this notice). Starbucks also offered one year of free credit monitoring to affected employees. The plaintiffs fall into a couple of categories, but significantly, one of the plaintiffs was notified that someone tried to open a bank account without his authorization. It was never determined whether this attempt to open a bank account with the information of one of the plaintiffs was connected to the underlying breach.
Ruling by Judge Jones: Judge Jones granted the motion to dismiss filed by Starbucks, finding that Washington courts would not recognize a cause of action as asserted by plaintiffs. (Access a copy of the order by Judge Jones dismissing the claims here: [scribd].) After concluding that plaintiffs had standing (given the broad scope of Article III standing this wasn't a surprise), Judge Jones focused on the issue of whether plaintiffs stated cognizable claims in negligence under Washington law. Judge Jones noted that Washington courts don't typically recognize claims where the sole injury is "risk of future harm," and if Washington courts were to recognize a common law cause of action arising from a data breach, they would be alone in doing so. Judge Jones also noted that the overwhelming majority of courts that have looked at the issue have declined to find that plaintiffs could recover merely because their data was stolen, and those that have recognized a possible cause of action have typically ruled against plaintiffs due to insufficient proof of misuse of the data. In Judge Jones's view, the Washington Supreme Court would likely conclude that the issue is best left to the legislature. In a footnote, he notes the enactment of data breach laws in other states, but points out that none of those laws provide for private causes of action, "much less a private right to damages."
With respect to the plaintiffs who did not have any proof that their personal information was misused, the court found that they could "claim only monitoring costs" as a potential injury, and these wouldn't fly under Washington law. With respect to the plaintiff who presented proof that someone tried to open a bank account in his name, the court acknowledged that "the timing of the [events permitted] the inference that someone acquired [plaintiff's] personal information from the laptop and misused it." Nevertheless, the court concluded that he did not assert a cognizable claim because he didn't suffer any out of pocket loss. The plaintiffs also asserted a claim based on implied contract, but the court didn't need to address whether Starbucks breached any implied obligations since it found that plaintiffs did not suffer any type of injury for which Washington law affords a remedy.
What to Make of the Appeal? Plaintiffs' appeal brief (filed on Monday) sort of canvasses the various theories under which plaintiffs should be entitled to relief under Washington law. Plaintiffs spend a fair amount of space discussing how Starbucks breached its (implied) contractual obligations to plaintiffs - Starbucks obtained this information in the employment context, and had policies in place which required employees to safeguard employee information. Given that Starbucks failed to fulfill these obligations, plaintiffs argue that the law would fashion some sort of remedy for the injured plaintiffs. Plaintiffs also attack the trial court's dismissal of the negligence claim from all angles, pointing out that stolen data is often misused long after it is compromised, and the fact that the underlying data breach is unsolved means that Starbucks can't conclusively show that the data will not be misused at some point in the future.
The dispute raises the familiar issue of whether the harm in the data breach context lies in the breach, or the actual misuse of the data. Courts have pretty uniformly taken the view that the harm flows from the actual misuse of the data, rather than the loss of the data. That said, the outcome here depends on the vagaries of state law, and what the Ninth Circuit predicts the Washington Supreme Court would do. My anecdotal observation is that Washington courts are very privacy friendly, but somewhat middle of the road when it comes to crafting "new" causes of action. Plaintiffs also asked the Ninth Circuit to certify the issue to the Washington Supreme Court, something the Ninth Circuit did recently in a spam case (Kleffman v. Vonage).
The Ninth Circuit has dealt with this issue once in an unpublished decision (Stollenwerk v. Tri-West Healthcare Alliance, 254 Fed. Appx. 664 (9th Cir. 2007).) In that case the Ninth Circuit affirmed the dismissal of data breach claims brought by plaintiffs who did not allege misuse of their data, but reversed as to the plaintiff who made a basic showing that the data could have been misused. Stollenwerk was inconclusive in that the Ninth Circuit (again, in an unpublished decision) merely stated that if the plaintiff was able to show actual damages, he would be entitled to relief. Interestingly, Stollenwerk was settled shortly after remand, on the heels of the district court's denial of a motion for class certification. One possibility to consider is that a monitoring claim seems much easier to fit into a class. An "actual damage" claim may be less amenable to class resolution.
On a related note, there's talk of federal data breach legislation winding its way through Senate. (Two proposals are mentioned here.) To my knowledge, neither of the proposals contain a private right of action, and both merely speak to notification upon a breach. There's also the familiar call for a federal standard which would displace disparate state standards. This debate sounds somewhat similar to the one that surrounded the passage of the CAN-SPAM Act.
Related: Tom O'Toole has a post from a while back about Ruiz v Gap Inc., a case from the Northern District of California also involving the loss of employee/applicant data (coincidentally, from an unencrypted laptop): "Court Finds No Cognizable Damages in Gap Laptop Theft Case."
[Cross posted at Prof. Goldman's blog.]
Background: As described in the complaint, in 2008, someone stole a laptop containing the personal information of approximately 97,000 employees. Starbucks notified the police and affected employees (plaintiffs claim Starbucks was slow in effecting this notice). Starbucks also offered one year of free credit monitoring to affected employees. The plaintiffs fall into a couple of categories, but significantly, one of the plaintiffs was notified that someone tried to open a bank account without his authorization. It was never determined whether this attempt to open a bank account with the information of one of the plaintiffs was connected to the underlying breach.
Ruling by Judge Jones: Judge Jones granted the motion to dismiss filed by Starbucks, finding that Washington courts would not recognize a cause of action as asserted by plaintiffs. (Access a copy of the order by Judge Jones dismissing the claims here: [scribd].) After concluding that plaintiffs had standing (given the broad scope of Article III standing this wasn't a surprise), Judge Jones focused on the issue of whether plaintiffs stated cognizable claims in negligence under Washington law. Judge Jones noted that Washington courts don't typically recognize claims where the sole injury is "risk of future harm," and if Washington courts were to recognize a common law cause of action arising from a data breach, they would be alone in doing so. Judge Jones also noted that the overwhelming majority of courts that have looked at the issue have declined to find that plaintiffs could recover merely because their data was stolen, and those that have recognized a possible cause of action have typically ruled against plaintiffs due to insufficient proof of misuse of the data. In Judge Jones's view, the Washington Supreme Court would likely conclude that the issue is best left to the legislature. In a footnote, he notes the enactment of data breach laws in other states, but points out that none of those laws provide for private causes of action, "much less a private right to damages."
With respect to the plaintiffs who did not have any proof that their personal information was misused, the court found that they could "claim only monitoring costs" as a potential injury, and these wouldn't fly under Washington law. With respect to the plaintiff who presented proof that someone tried to open a bank account in his name, the court acknowledged that "the timing of the [events permitted] the inference that someone acquired [plaintiff's] personal information from the laptop and misused it." Nevertheless, the court concluded that he did not assert a cognizable claim because he didn't suffer any out of pocket loss. The plaintiffs also asserted a claim based on implied contract, but the court didn't need to address whether Starbucks breached any implied obligations since it found that plaintiffs did not suffer any type of injury for which Washington law affords a remedy.
What to Make of the Appeal? Plaintiffs' appeal brief (filed on Monday) sort of canvasses the various theories under which plaintiffs should be entitled to relief under Washington law. Plaintiffs spend a fair amount of space discussing how Starbucks breached its (implied) contractual obligations to plaintiffs - Starbucks obtained this information in the employment context, and had policies in place which required employees to safeguard employee information. Given that Starbucks failed to fulfill these obligations, plaintiffs argue that the law would fashion some sort of remedy for the injured plaintiffs. Plaintiffs also attack the trial court's dismissal of the negligence claim from all angles, pointing out that stolen data is often misused long after it is compromised, and the fact that the underlying data breach is unsolved means that Starbucks can't conclusively show that the data will not be misused at some point in the future.
The dispute raises the familiar issue of whether the harm in the data breach context lies in the breach, or the actual misuse of the data. Courts have pretty uniformly taken the view that the harm flows from the actual misuse of the data, rather than the loss of the data. That said, the outcome here depends on the vagaries of state law, and what the Ninth Circuit predicts the Washington Supreme Court would do. My anecdotal observation is that Washington courts are very privacy friendly, but somewhat middle of the road when it comes to crafting "new" causes of action. Plaintiffs also asked the Ninth Circuit to certify the issue to the Washington Supreme Court, something the Ninth Circuit did recently in a spam case (Kleffman v. Vonage).
The Ninth Circuit has dealt with this issue once in an unpublished decision (Stollenwerk v. Tri-West Healthcare Alliance, 254 Fed. Appx. 664 (9th Cir. 2007).) In that case the Ninth Circuit affirmed the dismissal of data breach claims brought by plaintiffs who did not allege misuse of their data, but reversed as to the plaintiff who made a basic showing that the data could have been misused. Stollenwerk was inconclusive in that the Ninth Circuit (again, in an unpublished decision) merely stated that if the plaintiff was able to show actual damages, he would be entitled to relief. Interestingly, Stollenwerk was settled shortly after remand, on the heels of the district court's denial of a motion for class certification. One possibility to consider is that a monitoring claim seems much easier to fit into a class. An "actual damage" claim may be less amenable to class resolution.
On a related note, there's talk of federal data breach legislation winding its way through Senate. (Two proposals are mentioned here.) To my knowledge, neither of the proposals contain a private right of action, and both merely speak to notification upon a breach. There's also the familiar call for a federal standard which would displace disparate state standards. This debate sounds somewhat similar to the one that surrounded the passage of the CAN-SPAM Act.
Related: Tom O'Toole has a post from a while back about Ruiz v Gap Inc., a case from the Northern District of California also involving the loss of employee/applicant data (coincidentally, from an unencrypted laptop): "Court Finds No Cognizable Damages in Gap Laptop Theft Case."
[Cross posted at Prof. Goldman's blog.]
Dane's Claims Against Gawker Look Flimsy
Gawker published a homemade videotape of Grey's Anatomy star Eric Dane and his wife (along with one other person). Dane and his wife sued Gawker for damages. Gawker declined to remove the tape and is defending against Dane's lawsuit. MediaShift raises the issue of whether Gawker is likely to be able to take advantage of fair use in publishing the tape. Rob Arcamona walks through the fair use factors and gives "a three point spread," after concluding that Dane has valid claims, and Gawker has a "formidable" defense.
Fair use is fact
-specific and it's notoriously difficult to predict whether a court will ultimately conclude that someone is entitled to the fair use defense. I'm somewhat surprised that Gawker is taking a hard line on the fair use issue. Maybe they are taking a stand in order to show everyone that the disappearance of so-called "old media" entities will not leave institutional First Amendment interests hanging? They could have taken down the tape (although they published it after receiving a demand from Dane's lawyers) after-the-fact, and likely come to some sort of easy settlement with Dane and company. However, aggressively defending the case, as they seem to be doing, only escalates the stakes. (Good for them for sticking to their guns.)
Dane's claims are somewhat curious. Celebrities have been fairly successful in preventing publication of these types of tapes (see, e.g., Michaels v. Internet Entertainment Group, 5 F. Supp. 2d 823 (C.D. Cal. 1998)). (News organizations successfully asserted a fair use defense as to excerpts of the tape, but the court determined that full blown commercial exploitation of the tape by IEG was likely to infringe.) That said, given the snippets of the tape published by Gawker, it can probably assert a colorable fair use defense. But what is odd about Dane's claims is that he is only asserting copyright claims, and Gawker's publication pre-dated Dane's registration of the copyright in the tape. In other words, Dane should only be entitled to actual damages, or so Gawker argues pretty persuasively in a motion to strike [pdf] Dane's request for statutory damages. This puts Dane in an awkward spot. If the court agrees with Gawker and Dane ends up with only actual damages I'm not sure what Dane will end up doing. Some cases define actual damages as lost licensing revenues, or damage to the owner's ability to license the work. Gawker can argue that its own commercial exploitation of the tape did not impair the market for the tape since Dane had no intent to commercialize it. End result: Dane is awarded nominal damages and doesn't get his fees either. Ironically, Gawker's publisher Nick Denton invoked the words of Dane's own lawyer when commenting on the lawsuit:
In these circumstances, celebrities also bring privacy (and personality rights) based claims, but Dane didn't assert any such claims. (Access a copy of the complaint here: [pdf].)
On a related note, a funner battle would be if someone decided to run the photos and videos described here.
Fair use is fact
-specific and it's notoriously difficult to predict whether a court will ultimately conclude that someone is entitled to the fair use defense. I'm somewhat surprised that Gawker is taking a hard line on the fair use issue. Maybe they are taking a stand in order to show everyone that the disappearance of so-called "old media" entities will not leave institutional First Amendment interests hanging? They could have taken down the tape (although they published it after receiving a demand from Dane's lawyers) after-the-fact, and likely come to some sort of easy settlement with Dane and company. However, aggressively defending the case, as they seem to be doing, only escalates the stakes. (Good for them for sticking to their guns.)Dane's claims are somewhat curious. Celebrities have been fairly successful in preventing publication of these types of tapes (see, e.g., Michaels v. Internet Entertainment Group, 5 F. Supp. 2d 823 (C.D. Cal. 1998)). (News organizations successfully asserted a fair use defense as to excerpts of the tape, but the court determined that full blown commercial exploitation of the tape by IEG was likely to infringe.) That said, given the snippets of the tape published by Gawker, it can probably assert a colorable fair use defense. But what is odd about Dane's claims is that he is only asserting copyright claims, and Gawker's publication pre-dated Dane's registration of the copyright in the tape. In other words, Dane should only be entitled to actual damages, or so Gawker argues pretty persuasively in a motion to strike [pdf] Dane's request for statutory damages. This puts Dane in an awkward spot. If the court agrees with Gawker and Dane ends up with only actual damages I'm not sure what Dane will end up doing. Some cases define actual damages as lost licensing revenues, or damage to the owner's ability to license the work. Gawker can argue that its own commercial exploitation of the tape did not impair the market for the tape since Dane had no intent to commercialize it. End result: Dane is awarded nominal damages and doesn't get his fees either. Ironically, Gawker's publisher Nick Denton invoked the words of Dane's own lawyer when commenting on the lawsuit:
Coverage at THR, Esq. here and here.To quote the great Marty Singer - Eric Dane's lawyer – 'If you don't want a sex tape on the Internet, don't make one!'
In these circumstances, celebrities also bring privacy (and personality rights) based claims, but Dane didn't assert any such claims. (Access a copy of the complaint here: [pdf].)
On a related note, a funner battle would be if someone decided to run the photos and videos described here.
There are Email Gaffes..and Then There are Email Gaffes
It's safe to say the affair-having couple discussed in this Gawker post had one of the worst email gaffes imaginable. [NSFW text]
The short version: they're engaged in a steamy discussion regarding the details of their affair when he accidentally copies the entire school listserv. The story is so crazy it's almost unbelievable. "Guest of a Guest" - which appears to have first noted the story - sums it up best [link]:
(h/t Gideon)
The short version: they're engaged in a steamy discussion regarding the details of their affair when he accidentally copies the entire school listserv. The story is so crazy it's almost unbelievable. "Guest of a Guest" - which appears to have first noted the story - sums it up best [link]:
I'm not even sure what to say to that, except it's well outside the "everyone will have at least one email gaffe in their professional lives" rule that I believe is true.Everyone has had at least one bad email incident that they have had to learn from. Some involve, say, sending an invitation and forgetting to bcc everyone. Or worse, sending an email complaining about your boss to, er, your boss, named Sarah (instead of your best friend Sarah). But, NO ONE, and we mean NO ONE has had a worse email gaffe than John X did about an hour ago.
(h/t Gideon)
Verizon Privacy Failure
It's probably hard to read the notice below which I received from Verizon:
It says:
Unless you provide us with notice that you wish to opt out within 45 days of receiving this letter, we will assume that you give us the right to share your CPNI with the authorized companies described above.Who is the information shared with? "affiliates," "parent companies," and "agents". "Agents" (??) The policy also states that the information will not be shared with "unrelated third parties." Legal issues aside, I have no idea from reading this who exactly my information will be shared with.
