AT&T v. FCC: 3rd Circuit Rules that Corporations May Invoke Personal Privacy Exception to FOIA Disclosure

12 Jun 2015 By Leave a Comment

Courts have long recognized that corporations have rights that are at least akin to individual privacy rights. Recognized corporate privacy rights include trade secrets and the exercise of the attorney-client privilege. However, the scope of corporate privacy rights is not nearly as broad as the scope of individual privacy rights. Many federal and state privacy laws only apply to individuals, not corporations. For example, the Federal Privacy Act only prohibits the government from collecting and disclosing certain types of information about “individuals” — a term defined to only include U.S. citizens and permanent resident aliens. See 5 U.S.C. § 552a(a)(2).

When dealing with a law that provides protection for privacy rights, attorneys and judges are often unsure whether the law applies only to individuals or covers corporations, as well. An opportunity for such line-drawing has recently arisen as to the scope of a “personal privacy” exception to the Freedom of Information Act (FOIA). 5 U.S.C. §552(b)(7).

Under FOIA, a government agency is generally obligated to produce any records in its possession upon a request form any person. 5 U.S.C. § 552(a)(3). However, there are many exceptions to this rule. Among these are, matters that are:

Exception 4: trade secrets and commercial or financial information obtained from a person and privileged or confidential (5 U.S.C. § 552(b)(4));

Exception 6: personnel and medical files and similar files the disclosure of which would constitute a clearly unwarranted invasion of personal privacy (Id. at § 552(b)(6)); and

Exception 7(C): records or information compiled for law enforcement purposes, but only to the extent that the production of such law enforcement records or information . . . (C) could reasonably be expected to constitute an unwarranted invasion of personal privacy (Id. at § 552(b)(7)(C)).

Prior decisions in the D.C. Circuit, which handles the plurality of FOIA appeals, have held that Exception 4, for “trade secrets,” does apply to business entities, such as corporations. Judicial Watch, Inc. v. U.S. Dept. of Energy, 310 F.Supp.2d 271 (D.D.C. 2004), affm’d in part, 412 F.3d 125 (D.D.C. 2004) (§(b)(4) exemption “serves the interest of the government in operating efficiently and effectively by enabling it to obtain necessary commercial and financial information from private persons and business entities”).

However, Exception 6, for “personal and medical files,” has so far only been applied to individuals. For example, in Multi Ag Media LLC v. Dept. of Agriculture, 515 F.3d 1224 (D.D.C. 2008), the Court stated that “Exemption 6 “has not been extended to protect the privacy interests of businesses or corporations”. Of course, this statement does not necessarily mean that Exception 6 might not also one day be extended to cover corporations as well.

Similar laconic statements have been made about Exception 7(C). However, the restriction of Exception 7(C) to individuals has now been soundly rejected by the 3rd Circuit.

Filed Under: Blog, News Tagged With: , , , , , ,

TJX Data Security Breach Saga Continues: Financial Institution Class Action against TJX Survives on Based on Unfair Competition Claim Predicated on Statements in FTC Complaint against T.J. Maxx / Marshalls’ Parent Company

9 Jun 2015 By Leave a Comment

TJX’s legal saga concerning its massive security breach in 2003 and 2006 lives on. TJX is a large retailer, with over 2000 T.J. Maxx, Marshalls, HomeGoods, Bob’s Stores and A.J. Wright stores in the U.S. and Puerto Rico, During 2003 and 2006, hackers broke into the TJX computer network that handled its credit and debit card, check and return merchandise transactions. The intrusion involved transactions occurring in 2003 and from May-December 2006. TJX learned about the intrusion in mid-December 2006, but delayed making public notification until January 17, 2007. Reports indicated that approximately 45.7 million customer credit and debit cards were affected by the breach.

According to TJX’s most recent 10-Q (May 2, 2009), TJX initially established a reserve of $178.1 million to reflect its losses from the data intrusion. TJX later reduced this reserve by $39.4 million. This means that TJX’s expects its net losses from the data intrusion to total almost $139 million. While TJX will survive, this is truly a massive loss and represents one of the largest computer-related losses experienced by a company.

An expanding of body of federal and state law has imposed two types of data security regulations on companies handling consumer financial transactions: (i) a duty to employ reasonable security measures, and (ii) a duty to notify consumers when a breach of security has occurred.

After TJX announced its data security breach, it was hit with a lengthy list of legal actions. These included: (i) a regulatory complaint by the FTC; (ii) claims by the credit card companies to recover tens of millions in fraud losses; (iii) regulatory actions by over 40 state attorneys general; (iv) several consumer class actions; and (v) a class action on behalf of thousands of banks that had lost money as a result of the breach. All but one of these major legal actions appear to have been resolved.

The FTC Complaint was resolved in July 29, 2008 with the entry of a consent order requiring TJX to install and maintain a “comprehensive information security program to protect the security, confidentiality, and integrity of personal information collected from customers.” TJX is also required to provide initial and biennial audits affirming the quality of this system for the next 20 years. (Fn1) The State Attorney General actions were settled on June 22, 2009 with another consent decree requiring TJX to maintain a “comprehensive information security program.” TJX also agreed to comply with state breach notification laws and to pay the states $9.75 million.

The credit card company claims were settled for an amount estimated to be at least $24 million, but possibly much more. The consumer class action was settled in early 2008 in consumer class action dollars: including (i) the choice of a $60 gift certificate or $30 in cash, (ii) three years of credit monitoring from Equifax, (iii) the replacement cost of a drivers license and(iv) the amount of any actual, unreimbursed damages. Plus, TJX agreed that all its stores would hold a one-time Special Event (a sale) in which prices at its stores would be reduced by 15%. The plaintiffs’ attorneys received $6.5 million in attorneys fees, as well. (Fn2)

The major piece of litigation that remains is the financial institution class action. (Fn3) The suit is brought on behalf of “thousands of financial institutions” who apparently suffered losses too small to bring individual actions. So if the court refused to certify the plaintiffs as a class action, their claims would likely go away.

Filed Under: Blog, Cybercrime, News Tagged With: ,

Too Soon to Worry about the Anti-Counterfeiting Trade Agreement (ACTA)?

25 May 2015 By Leave a Comment

Digital media law update: Despite the tremors caused by the Lenz case, a recent decision by a Wisconsin District Court shows that it can still be difficult to obtain a judgment holding a defendant liable for sending a false DMCA notice. See Third Education Group, Inc. v. Phelps, E.D.Wisc., No. 07-c-1094, Decision and Order Following Court Trial (November 25, 2009).

The Digital Millennium Copyright Act puts a powerful tool in the hands of a person who claims to be the owner of a copyright. Copyright law provides for six-figure statutory damages against an ISP who permits infringing material to reside on a site under its control after receiving notice of the presence of the material. However, the DMCA provides immunity from these civil damages if an ISP takes down such material in response to a notice from the putative owner of the copyright, and meets certain other tests. This provides a strong incentive for an ISP to reflexively take down infringing material — such as by disabling an entire website — upon receiving a DMCA takedown notice.

This puts serious weapon in the hands of the general public that can be used protect legitimate copyright interests — or can be misused by someone who has no rights in material used by a competing business to get its site shut down.

To prevent abuse of the notice and take down system, Congress put two major protective measures into the DMCA: the counter-notice procedures in § 512(g) and the misrepresentation rule in § 512(f). Section 512(f) provides that a person who “knowingly” misrepresents that material on a site is infringing is liable for any damages, including attorneys fees, incurred by the alleged infringer.”

It can be very hard to prove a knowing misrepresentation occurred. Courts interpreting this statute have generally found that to be liable, the person who sent a false DMCA notice must have lacked the honest belief that material was infringing. As stated by the 9th Circuit, “Congress’s apparent intent [was] that the statute protect potential violators from subjectively improper actions by copyright owners.” Rossi v. MPAA, 391 F.3d 1000, 1005 (9th Cir. 2004).

To determine whether the sender of a false DMCA notice had a good faith belief in the truth of the notice, courts do not limit themselves to the testimony of the sender. Rather, courts consider the information that the sender relied on. However, it doesn’t take much evidence for the court to find that the author of a DMCA notice acted in good faith.

For example, the Rossi case concerned the website www.internetmovies.com, which Rossi described as an online magazine that provided visitors with a directory of websites containing information about movies. Rossi’s site contained the words “Join to download full length movies online now!” In fact, users could actually download no movies through Rossi’s site or through the links to which he referred users — a fact that MPAA investigators missed because they never attempted to download any movies from Rossi’s site.

However, the 9th Circuit stated that the sender of a DMCA takedown notice is not required to perform a “reasonable investigation” and “cannot be held liable simply because an unknowing mistake is made, even if the copyright owner acted unreasonably in making the mistake.” Id. at 1005. Accordingly, the 9th Circuit found that the MPAA acted in subjective good faith because the language on Rossi’s site “led the MPAA employees to conclude in good faith that motion pictures owned by MPAA members were available for immediate downloading from the website.”

In a more recent case, a director and president of a small Wisconsin corporation, Third Education Group, Inc., which operated an online magazine at thirdeducationgroup.net and thirdeducationgroup.org, had a falling out with the other directors. He resigned from the board, and then changed the passwords to the two sites, locking the corporation from access to the sites. He then utilized the domain names as the home for his own independent organization which he incorporated in Iowa under the same name — Third Education Group, Inc.

After being locked out of its own websites, the Wisconsin corporation created a new site under the domain name tegr.org and populated it with material largely copied from thirdeducationgroup.net and thirdeducationgroup.org. In response, the absconding former president of the Wisconsin corporation sent DMCA takedown notices to the ISPs which hosted the terg.com site, resulting in the ISPs blocking access to the tegr.com site. See Third Education Group, Inc. v. Phelps, E.D.Wisc., No. 07-c-1094, Decision and Order Following Court Trial, November 25, 2009).

The absconding president argued that he could not be held liable for under Section 512(f) because he believed that he the right to take control of the websites. He was the person that had registered them, and he had registered them prior to the formation of the Wisconsin corporation — although after he had agreed with the other directors to form Third Education Group.

The Court ultimately found that the absconding president’s belief that he had a right to the websites was ill-founded and that the domain names belonged to the Wisconsin corporation. However, the Court nevertheless found that he could not be held liable for misrepresenting his entitlement to the domain names. The Court stated that “[d]etermining the ownership of the website material required resolution of complex and somewhat novel questions common law related to unincorporated associations and how the intellectual property of a voluntary association is affect when the association subsequently incorporates.” The absconding president was also largely responsible for coming up with the idea of the journal, and did or paid for nearly all the work on the website, including writing the allegedly infringing content at issue. As such, the judge concluded that there was no evidence that he acted in bad faith when he issued his DMCA notices. Id. at p. 16.

Many reading this are no doubt shouting, “What about the Lenz case?” Didn’t that essentially impose a duty on the sender of a DMCA notice to at least investigate whether the use of the content at issue was fair? See Lenz v. Universal Musical Corp., 572 F.Supp.2d 1150 (N.D. Cal. 2008). Actually, what Judge Fogel stated in Lenz was that the DMCA requires copyright owners to make an “initial review of the potentially infringing material prior to sending a takedown notice.” Id. at 1155 (emphasis added). As part of that initial review, there must a consideration of factors that relate to whether the use of copyrighted material is infringing, including the possible applicability of the fair use doctrine.

The impact of the Lenz case is that it implies that to act in good faith, the person sending a DMCA notice must have at least a basic knowledge of copyright law. This means that when reviewing a potentially infringing site (or setting up a review system), a copyright holder should consult with an expert on copyright law so that it can appropriately take into account the numerous factors that determine whether a use is infringing.

However, the case law on Section 512(f), as a whole also indicates that a copyright holder’s review of a potentially infringing site does not have to go very far. If the facially obvious evidence supports a conclusion that a use is infringing and there is no other evidence that the copyright holder acted in bad faith, a Court is unlikely to hold it liable for sending a DMCA notice that ultimately proves to rest on a false claim of infringement.

Filed Under: Blog, Cybercrime, News Tagged With: , ,

4th Circuit Sides with the Schoolmasters in On-line Plagiarism Detection Service Case

25 May 2015 By Leave a Comment

The complaint in Vanderhye v. IParadigms, LLC represented an interesting attempt to attack an on-line, computerized plagiarism detection service by accusing the service of copyright infringement. See Vanderhye v. IParadigms, LLC, 562 F.3d 630 (4th Cir. 2009).

IParadigm operates an on-line plagiarism detection service called Turnitin. Schools require students to submit writing assignments to Turnitin, which are compared to other writings in Turnitin’s database. The database contains other student papers, as well as commercial and academic journal articles. Turnitin supposedly creates a “fingerprint” of the student’s papers by applying various mathematical algorithms. Turnitin then compares this digital fingerprint to the fingerprints of the other works in its database and generates an “Originality Report” which indicates the percentage of the student’s work that appears not to be original.

With permission from participating schools, Turnitin will place the submitted writing assignments into its database, so that they become part of the database used to evaluate the originality of subsequent student papers. The plaintiffs included three students who had submitted their papers to Turnitin for testing and whose papers were then archived in the database. The plaintiffs alleged that Turnitin’s inclusion of their papers in the database constituted copyright infringement.

The Fourth Circuit’s analysis focused on the “fair use” doctrine, which it characterized as “a privilege in others than the owner of the copyright to use the copyrighted material in a reasonable manner without the [copyright holder’s] consent.” 17 U.S.C. § 107 provides that fair use includes “criticism, comment, news reporting, teaching . . . scholarship or research.” The statute provides a four factor test to determine whether the use is fair.

The Court rejected the argument that because IParadigm’s use of the student papers was commercial that this required a finding that its use was unfair. Looking at the four factor test in the statute, the Court instead found that Turnitin’s use of the student papers was transformative, since the papers were being used for a different purpose in the Turnitin database than that for which they were originally prepared. It further found that Turnitin’s use of the papers did not discourage, but rather encouraged creative expression. While Turnitin used the whole of the plaintiff’s works, its use was so transformative that this factor was not decisive. Finally, it found no substantial evidence that Turnitin’s use of the papers in its database would affect the market for the papers.

It is not surprising that the 4th Circuit took the side of the schoolmasters in this case. Of course, any time a Court rules that it is OK for a third party to copy and then use an entire copyrighted work, it will raise eyebrows in some quarters.

Filed Under: Blog, News Tagged With: , ,

On-line Privacy Update: FTC Uses Its Mandate to Expand Reach of Consumer Data Security Laws to Non-Financial Businesses

22 May 2015 By Leave a Comment

The Federal Trade Commission (FTC) is increasingly using its broad powers to require businesses to enact privacy measures to protect their customers’ personal data. According to the FTC, all companies must “maintain reasonable and appropriate measures to protect sensitive consumer information.” And the FTC is ready and willing to step in and make them implement such measures — regardless of whether Congress has enacted a specific statute requiring the business to do so.

When most people think about the Federal Trade Commission (FTC), they think about a federal agency that fights monopolies or big consumer frauds. However, the FTC Act, the statute that created the FTC, gave it a very broad mandate: “to prevent persons, partnerships or corporations . . . from using unfair methods of competition in or affecting commerce and unfair or deceptive acts or practices in or affecting commerce.” 15 U.S.C. § 45(a)(2). In the digital media world, throughout the past decade, the FTC has used this vague “unfairness” mandate to require consumer-based businesses to enact data security measures.

There are federal laws that impose data security requirements, such as the Fair Credit Reporting Act (15 U.S.C. § 1681e) and the Gramm-Leach-Bliley Act (15 U.S.C. § 6801 et seq.). These laws apply to financial institutions and credit reporting agencies. However, in its recent enforcement actions, the FTC has begun apply these data security rules to consumer businesses as a whole. (Fn1) According to a June 17, 2009 statement by the FTC to the U.S. House (Fn2), since 2001, the FCT has brought 26 cases against businesses that allegedly failed to protect consumer’s personal information. This includes cases against Microsoft, TJX, LexisNexis, Tower Records, Petco, Reed Elsevier, CVS and Compgeeks.com. None of these companies would commonly be considered financial or credit reporting companies.

The legal authority for the FTC’s actions in each case differed, but in some cases, such as the TJX and Compgeeks.comcases, rested solely on the FTC’s broad mandate to fight “unfairness.” (Fn3) Nevertheless, the terms of the consent orders reached in both cases imposed on TJX and Compgeeks.com the same obligations required of financial companies under the Gramm-Leach-Bliley Act. Both consent orders required the implementation of “a comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers.” This is language taken directly from 16 C.F.R. §314.3, the FTC’s rules implementing Gramm-Leach-Bliley.

The FTC complaints in its cases against non-financial businesses “have alleged such practices as the failure to (1) comply with posted privacy policies; (2) take even the most basic steps to protect against common technology threats, (3) dispose of data properly, and (4) take reasonable steps to ensure that they do not share customer data with unauthorized third parties.” According to the FTC, “all of the cases stand for the principle that companies must maintain reasonable and appropriate measures to protect sensitive consumer information.”

Some may wonder about the breadth of the FTC’s powers. However, prior case law had held that the FTC is not limited to merely enforcing specific laws that the Congress has elsewhere enacted. To the contrary, the FTC has the power to declare legal practices as unfair or deceptive, hence making them illegal.

Filed Under: Blog, Cybercrime, News Tagged With: , ,

Update on Proposed California Efficiency Standards for TVs: Given the Efficiency of our Market System, Does Consumer Demand for Green Technology Make this Regulation Unnecessary?

20 May 2015 By Leave a Comment

Several months ago, the California Energy Commission made big news by announcing that it was considering new energy efficiency standards for televisions. California’s current regulations only apply when a television is in “stand-by” mode and limit and limit such stand-by power usage to 3.0 watts. The current rules also only apply to stand-alone TVs designed to receive broadcast signals, and do not apply to combination TV/DVD or VCR units or computer monitors.

Pacific Gas & ElectricThe proposed rules were based on recommendations from Pacific Gas & Electric, a large California utility. The proposed rules would regulate TVs in both their stand-by and “on” modes and would apply to combination as well as stand-alone TVs. They would not cover computer monitors — a significant exception given the increasing encroachment of computer monitors into the entertainment space. The new rules would require significantly recued power usage: In stand-by mode, power usage would be limited to 1.0 watts. In “on-mode”, power usage limits would be based on screen size — ultimately based on the following formula: [{0.12 watts x the screen area (in square inches)} + 25 watts].

Immediately after the new proposed rules were announced, the major consumer electronics players, such as the Consumer Electronics Association (“CEA”) cried foul. The typical objection was that the new rules would primarily impact larger-sized and more richly-featured LCD and plasma TVs. Because these sets carry higher profit margins, the new rules could have a devastating impact on TV manufacturers and installers.

The California Energy Commission, which planned to move slowly on these regulations, has continued to seek and accept public comment. One such submission, from the CEA, which was recently released by the Commission on June 12, 2009, suggests that the CEA intends to mount a court challenge if the Commission moves forward with the proposed standards.

Filed Under: Blog, Cybercrime, News Tagged With: , ,

Court Split Widens over Whether DMCA Rules against Removal of Copyright

10 May 2015 By Leave a Comment

Among the anti-circumvention rules in the Digital Millennium Copyright Act (DMCA) are prohibitions against the removal or alteration of “copyright management information.” (17 USC §1202). While the popular understanding of the DMCA is that its provisions are specifically targeted to digital media, the definition of “copyright management information” appears very broad and includes:

• The title and other information identifying a work, including the information set forth in a notice of copyright.
• The name(s) and other identifying information of the author, owner and/or performer of the work.
• Terms and conditions for use of the work, and
• Identifying numbers or symbols referring to such information or links to such information.

At face value, nothing about these definitions appears to limit “copyright management information” to digital or other electronic information. However, the earliest District Court cases decided that Congress had intended to limit this provision to “automated copyright management systems functioning within a computer network environment.” IQ Group, Ltd. v. Wiesner Publishing, LLC, 409 F.Supp.2d 587, 596 (D. New Jersey 2006); Textile Secrets International, Inc. v. Ya-Ya Brand Inc., 524 F.Supp.2d 1184 (C.D. Cal. 2007). Among technological measures that these decisions indicated would qualify under this standard were electronic envelopes and digital watermarks. This interpretation was followed, without significant comment, in another recent Southern District of New York decision. See Silver v. Lavandeira, Southern District of New York, 08 Civ. 6522 (JSR) (January 7, 2009 Magistrate’s Report and Recommendation).

That early trend is meeting some resistance. In March 2007, a court in the Western District of Pennsylvania held that Section 1202(c) defines “copyright management information” broadly to include “any” of the information set forth in its defined categories, whether digital or not. McClatchey v. Associated Press, 2007 WL 776103 (W.D. Pa. 2007). This meant that cropping the title, author’s name and copyright notice on printouts of photographs could violate this provision of the DMCA. In February 2009, directly rejecting the IQ Group and Textile Secrets rulings, a court in the Southern District of New York stated that the phrase “the technological measures of automated systems” is not found in the statute. As such, it found that the statute could cover manual removal of copyright information. See Associated Press v. All Headline News Corp., Southern District of New York, 08 Civ. 323 (PKC) (February 17, 2009 Memorandum and Order).

It is too early to tell how this split will be resolved. If the broader view of the statute is accepted, it could substantially change the requirements even for fair use of copyrighted information. Under the statute removal or alteration of copyright information is prohibited “without the authority of the copyright owner or law” — without exception. Section 1202(b).

Filed Under: Blog, Cybercrime Tagged With: , , , , , , , ,

Controlling Discovery in Digital Media Cases: Lessons from the Viacom Suit Against YouTube/Google

24 Apr 2015 By Leave a Comment

Since entering its discovery phase, formal courtroom proceedings in Viacom’s copyright infringement suit against YouTube and Google have substantially quieted down. Press reports suggest that the lull in public proceedings may be due to settlement efforts. However, the nature of this case suggests that the parties’ discovery burdens could be substantial and causing a slowdown.

Viacom’s claim in this suit is that YouTube had permitted over 150,000 clips of Viacom-owned content, such as clips from “SpongeBob SquarePants”, “SouthPark” or “The Daily Show with Jon Stewart” to be uploaded and viewed by users. According to Viacom’s complaint, its copyrighted material has been viewed on YouTube “an astounding 1.5 billion times.” Raising both direct and indirect infringement theories, Viacom claimed that YouTube had created an environment that “promotes” and “induces” copyright infringement.

YouTube and Google’s primary response was that their actions were protected by the Digital Millennium Copyright Act (DMCA). According to YouTube’s Answer, “YouTube . . . fulfills its end of the DMCA bargain, and indeed goes far beyond its legal obligations in assisting content owners to protect their works.”

In two recent suits, a similar internet file-sharing service, Veoh, has prevailed at summary judgment using the DMCA safe-harbor defense that the infringing material was “information residing on systems or networks at direction of users.” 17 U.S.C. §512(c); see IO Group, Inc. v. Veoh Networks, Inc., 586 F.Supp.2d 1132 (N.D. Cal. 2008); UMG Recordings, Inc. v. Veoh Networks, Inc., 2008 WL 5423841 (C.D.Cal. 2008). YouTube may also prevail in its case against Viacom. However, this does not mean that sailing will be smooth for YouTube.

Filed Under: Blog, Cybercrime Tagged With: , , , , , ,

Inside Rescuecom Corp. v. Google, Inc.: Does Google’s Use of Trademarks to Trigger Advertisements from Competitors Violate Federal Trademark Laws?

21 Apr 2015 By Leave a Comment

The point of the spear in digital media law may be turning from copyright to trademark. As website operators take advantage of recent court decisions, such as Perfect 10, to provide access to third party content with less fear of a copyright suit, content providers as looking to other intellectual property laws to protect their work. The Rescuecom v Google (Fn1) case is an example of such an attack regarding Google’s use of third party trademarks as keywords in internet searches.

Rescuecom filed suit over Google’s use of Rescuecom’s trademark in Google’s search engine. At the time of suit was filed (Fn2), when a Google user entered an entity’s name or trademark, Google provided two types of results. First, it provided a list of links to websites, listed in the order Google’s algorithm’s deemed to be of descending relevance to the user’s search term. (The search results were generally found in a column on the left side of a user’s screen). Search results would typically begin by providing a link to a site owned by the trademark holder, followed by a list of other links that Google’s algorithm’s also deemed relevant to the search term. Second, Google would also provide content-based advertising. These are the “Sponsored Links”, which in my experience show up in a narrower column on the right side of a user’s screen.

Google used a couple of programs to offer these “context-based” links to advertisers: AdWords and Keyword Suggestion Tool. AdWords permitted an advertiser to purchase keywords. The advertiser’s ad would appear in the “Sponsored Links” section on a user screen whenever the purchased keyword was entered as a search term. The advertisers would then pay Google based on the number of times its ad was clicked by users.

Google’s Keyword Suggestion Tool would provide hints to advertisers wishing to purchase keywords as to other useful words that they could purchase. If an advertiser X, a furnace repair company, purchased the keyword “furnace repair”, the tool might also suggest that it purchase the term “Y” — the brand name and trademark of a competing furnace repair company. This would permit advertiser’s X’s ad to appear on Google’s website whenever a user searched for company’s Y’s brand name and trademark.

Rescuecom claimed that through the use of these tools, its competitors’ ads would appear when users were searching for “Rescuecom” on Google. It alleged that as a result, users were deceived and diverted from Rescuecom to these other competing firms. Rescuecom sued, claiming that this practice violated the Lanham Act (federal trademark law).

Based on older 2nd Circuit precedent, the District Court dismissed the suit on Google’s 12(b)(6) motion. (Fn3) However, on April 3, 2009, over a year after it heard the case, the 2nd Circuit reversed.

Filed Under: Blog, Cybercrime, News Tagged With: , , ,

Citysearch Click Fraud Class Action Certified — but Proving Meaningful Damages May Remain a Problem for Plaintiffs

15 Apr 2015 By Leave a Comment

The recent certification of a national class action in the Citysearch click fraud case represents a major victory – at least for the plaintiffs’ counsel. But whether adjudication of the case will produce significant recoveries for the plaintiffs is an open question.

The Citysearch click fraud class action (Menagerie Productions v. Citysearch, C.D. Cal., No. 2:08-cv-04263) was brought on behalf of some 10,000 advertisers on Citysearch.com websites. Citysearch operates dozens of websites that provide information about restaurants, shops, hotels and other services in individual cities around the U.S. For example, at dallas.citysearch.com, Citysearch provides information geared towards the DFW metroplex.

To earn revenue through these sites, Citysearch sells advertising. Much of this advertising is “pay-for-click”, in which advertisers only pay when visitors clicked on their ads. The complaint claims that Citysearch entered into a standard form advertising agreement for these ads which claimed that: “We connect you to customers. You pay only for results.” In its FAQ page for the agreement, Citysearch also stated as follow:

Q: How do I know that clicks to my website are legitimate?
A: Citysearch proactively researches and develops processes, policies, and technologies to identify invalid click activity with respect to our customers’ advertising. Citysearch employs advanced security filters and blocks out clicks from spiders and robots.

The two named plaintiffs, Menagerie and Redwolf, claimed that despite paying up to $1,900 in advertising fees for pay-for-click ads over a period of several months, they received no new customers. There are many legitimate reasons that an ad campaign may not generate identifiable new revenue. However, the complaint alleged that the plaintiffs’ failure to generate new customers was because of click-fraud. In click fraud, an on-line media source that is party to a click-through ad contract inflates the number of ad clicks to fraudulently increase its ad revenues.

The plaintiffs allege that Citysearch failed to track fraudulent clicks originating with its employees and “partner sites” and failed to inform advertisers that it did not employ methods to track fraudulent clicks — but nevertheless charged customers for invalid clicks. The plaintiffs also allege that Citysearch falsely claims that customers will not be charged for invalid clicks, even though it knows or should know that these claims are false. The plaintiffs seek to recover the advertising fees they paid under breach of contract theories, as well as under California’s unfair competition law.

To qualify as a class action, the named plaintiffs must meet two sets of requirements: First, they must first meet four requirements in Federal Rule of Civil Procedure 23(a) that test whether the class is sufficient numerous and whether the claims brought by the named plaintiffs adequately represent the rest of the plaintiffs in the class. The main dispute here centered on whether the claims by the named plaintiffs were typical of all of Citysearch’s 10,000 pay-for-click advertisers.

Citysearch argued that the plaintiffs had presented no evidence that they were charged for fraudulent clicks, and hence, had no actual injury. In response, the plaintiffs presented a report from their expert which identified two clicks received by named plaintiff Redwolf within the same second on the same day. The plaintiffs also presented evidence that Citysearch had charged Redwolf for both clicks. The second named plaintiff, Menagerie Productions presented similar evidence.

Unfortunately for the public, the documents that contain this evidence were filed under seal – so it is not possible to analyze the general prevalence of such possibly invalid double clicks. The impression from the Court’s ruling is that the prevalence of even potentially invalid clicks was not extensive. Nevertheless, even though the evidence appears scant, the Court held that the two named plaintiffs had presented sufficient evidence they had suffered an actual injury – both had paid for invalid clicks that Citysearch had failed to detect.

The Court further held that even if some of the representations made by Citysearch to pay-for-click advertisers differed, the typicality requirement was met: “plaintiffs’ claims are based on an alleged common course of conduct by Citysearch to (1) charge it advertisers for invalid clicks, and (2) make material omissions regarding the existence and quality of its click filters.”

To qualify as a class action, the named plaintiffs must also show that the proposed class fits into one of several categories of cases specified in FRCP 23(b) that test whether certifying the case as a class action would make for efficient adjudication. Here, the named plaintiffs attempted to fit the case into FRCP 23(b)(2) which requires a showing that interests of all of the parties would best be served by settling their differences in single action. To do this, the named plaintiffs needed to show that the issues common to the class predominated over issues unique to class members, and that the proposed class was a superior method of adjudicating the matter.

The Court had little difficulty in finding that common issues of fact and law predominated for the breach of contract claims – because the claim arose from a standard form contract to which all of Citysearch’s pay-for-click advertisers had agreed. The Court also found that common issues predominated for the breach of the covenant of good faith and fair dealing claim – because the focus would be on whether the procedures Citysearch employed to identify click fraud were objectively reasonable.

The Court had a little more trouble with the UCL claims. California’s UCL statute permits claims against any “unlawful, unfair or fraudulent business act or practice.” Cal. Bus & Prof. Code § 17200. Here, the plaintiffs claimed that Citysearch’s advertising practices were both unfair and fraudulent. However, the Court found that common issues of law and fact would only predominate as to the fraudulent practices claims.

The Court held that to recover for fraudulent business practices under the UCL, a plaintiff does not need to establish the common-law elements of fraud, such as proof of deception, reliance and injury. Rather, UCL fraud is governed by a “reasonable consumer” test, which only requires that plaintiffs show that members of the public are likely to be deceived” [citing Williams v. Gerber Products Co., 523 F.3d 934, 938 (9th Cir. 2008)]. Because the UCL claim arose from Citysearch’s common course of conduct to all class members and the “reasonable consumer” standard would be used to adjudicate this claim, the predominance standard was met.

On the other hand, that Court found that to recover for unfair business practices under the UCL, “a plaintiff’s individual expectations about the business practice are relevant to determining the extent of its harm.” The need to examine the expectations of each plaintiff in the expected 10,000 member class made this claim unsuitable for resolution via a class action.

To show that a class action was a superior method of resolving the claims of all litigants, the plaintiffs also needed to show that they had a plausible method for calculating damages. The plaintiffs claimed that their expert would be able to identify fraudulent clicks (defined as clicks as having no probability of creating value) by merely examining the Citysearch click logs. Accordingly, the plaintiffs proposed a three-step method to calculate damages: (1) the plaintiffs’ expert would establish categories of clicks that were “objectively” invalid and that Citysearch should have filtered out, (2) he would examine Citysearch’s click logs to identify the invalid clicks for which each member of the plaintiff class was charged, and (3) the damages incurred by each plaintiff would be computed as a matter of simple math.

Citysearch claimed that this was bosh – because “it is impossible . . . to measure the subjective intent of the users who click on an online advertisement” merely from examining click logs.

The Court found that to satisfy FRCP 23 requirements, the plaintiffs’ damages methodology only had to be plausible – a low standard that she found they had met. Ultimately, in ruling issued on November 8, 2009, the Court certified a class action of “All persons or entities in the United States who entered into form contracts for pay-for-click advertising through Citysearch.com, paid money for this advertising service, and experienced click fraud by reason of double clicks or Citysearch’s failure to apply automatic filters to traffic from its syndication partners up through March 23, 2007.”

The latest action in this case is that on November 25, 2009, Citysearch filed a notice of appeal of the class certification ruling. This appeal may indicate that Citysearch believes it is at risk of significant damages. However, the evidence that has filtered from the court records suggests that this risk may be moderate.

The plaintiffs’ primary damages will be recovery of the dollars they spent on clicks that the court finds were invalid. However, the two named plaintiffs seem to have only been able to show that they paid for one invalid double-click each. It seems to me that if there had evidence of pervasive invalid clicks, this evidence would have made it into the court’s ruling. Moreover, according to Citysearch’s papers, over 90% of its on-line advertisers renew or extend their pay-for-click contracts – suggesting that they are satisfied with the results and that the prevalence of invalid clicks may be low. If this is the case, the plaintiffs’ victory here could be pyrrhic.

What is more frustrating for online media businesses like Citysearch is that the precision in determining an advertiser’s ROI from its advertising dollars sought in this suit is only possible in Internet media. Broadcast media traditionally have only been able to use surveys (which is what “ratings” really are) that constitute only an educated guess at viewership of advertising.

Filed Under: Blog, Cybercrime Tagged With: , , ,