Federal court has no jurisdiction over PeopleBrowsr’s lawsuit against Twitter for shutoff of the “Firehose” – PeopleBrowsr, Inc. v. Twitter, Inc., 2013 WL 843032 (N.D. Cal. Mar. 6, 2013)
Big Data equal big assets, and in 2012, Twitter made significant moves toward putting a premium on its assets by restricting access to its data to third-party services (count Instagram and Tumblr among those affected). Social analytics provider PeopleBrowsr was one of the services affected by the changes in Twitter’s data access policies. In 2012, Twitter shut off PeopleBrowsr’s access to the “Firehose,” the nickname for the full stream of every tweet posted on Twitter. PeopleBrowsr mines data from the Firehose to derive insights about consumer reactions and identify social influencers for its clients. PeopleBrowsr fought back against the impending Firehose shutoff by suing Twitter in California state court and successfully obtaining a temporary restraining order to stop the shutoff.
The next chapter in the lawsuit unfolded in federal court. Twitter removed the lawsuit to federal court and then filed a motion to dismiss the action. But the lawsuit’s stay in federal court will be brief because federal district judge Edward Chen recently issued a decision sending the lawsuit back to state court. Twitter invoked federal jurisdiction on the ground that PeopleBrowsr’s claim for violation of California’s Unfair Competition Law (UCL) is based in part on the Sherman Act, over which federal courts have exclusive jurisdiction. Not so fast, said Judge Chen. At best, the Sherman Act might give Twitter a defense to the UCL claim. Unlike an affirmative claim for relief, a defense under federal law is not enough to support federal jurisdiction. The alleged violations of the UCL were based entirely on California law. Since federal courts have no jurisdiction over the lawsuit, the fight over the Firehose will continue in California courts. The court awarded attorneys’ fees to Peoplebrowsr for opposing the removal of the case to federal court.
Sharing a link to unauthorized video capture of proprietary information is not a violation of Stored Communications Act—Castle Megastore Group, Inc. v. Wilson, 2013 WL 672895 (D. Ariz. Feb. 25, 2013)
In closing arguments to the jury at the O.J. Simpson murder trial, defense attorney Johnnie Cochran famously quipped, “If it doesn’t fit, you must acquit.” Plaintiff’s attorneys looking to add a Stored Communications Act (SCA) claim to their complaint would do well to heed Cochran’s advice. There have been a rash of cases dismissing ill-fitted SCA claims (see my recent posts here and here). Castle Megastore Group, Inc. v. Wilson is the latest.
Castle Megastore Group, Inc. (CMG) sued its former employees for allegedly sharing confidential company information with other companies while they were still employed at CMG. CMG claimed that Flynn, who was employed by CMG as its “Social Media Specialist,” violated the SCA by posting a video of a confidential CMG managers meeting on Vimeo, a third party website, and sending co-workers the link to the video and the password to his personal Vimeo account.
This scenario didn’t fit into within the prohibitions of the SCA, the court said. CMG argued that Vimeo was an “electronic communication service” within the meaning of the SCA, that the defendants knew the video contained confidential content before accessing it, and that Flynn lacked authority to give others access to the video. The court agreed that Vimeo is an electronic communication service, but Vimeo is where Flynn shared the video, not where he obtained it. The CMG did not allege that Flynn obtained the video through unauthorized access to a CMG-owned electronic communication service. Flynn was authorized to grant access to his personal Vimeo account. Sharing a link and password to that account did not violate the SCA, the court ruled.
LegalTXTS Lesson: Read the SCA carefully before making a claim under it. Understand how the various concepts in the statute (like “access,” “without authorization,” “facility,” and “electronic communication service”) fit together. Just because one or more of the concepts is present in a given situation doesn’t mean you’ve a viable SCA claim.
Single words and subject lines in electronic messages are “content” protected by the Stored Communications Act—Optiver Australia Pty, Ltd. v. Tibra Trading Pty. Ltd. & Ors., 2013 WL 256771 (N.D. Cal. Jan. 23, 2013)
Optiver sued its former employees in Australia for allegedly stealing its proprietary source code and using the code to start a competing company, Tibra. The Australian court allowed Tibra to conduct discovery of emails from Google after finding Tibra’s discovery responses inadequate. Optiver subpoenaed Google to produce documents relating to emails and Google Talk messages containing the terms “PGP” or “Optiver.” Tibra moved to quash the subpoena, arguing that the Optiver was improperly requesting the content of communications in violation of the Stored Communications Act (SCA).
Optiver countered with three arguments. First, “PGP” is the name of an encryption system, not content. Second, Optiver said that it wanted the documents not to discover the substance of the communications, but to locate communications that might be relevant to the foreign litigation. Third, if the email has been encrypted through PGP, Optiver cannot access the content without the proper encryption key and pass phrase, which it did not have. The court was unpersuaded. Content is content, no matter how insignificant, the court said. The words “PGP” or “Optiver” in the body of a message qualify as content that the SCA protects.
Optiver also argued that subject lines of email communications and Google Talk messages are not protected by the SCA and should be disclosed. Wrong again, the court said. The subject line is “nothing less than a pithy summary of the message’s content.” For support, the court pointed to the legislative history of the SCA.
Court Finds That State Law Claims Against Online Forum Operator For Misappropriation, Theft, and Tortious Interference Hinge on “Publisher” or “Speaker” Status–Stevo Design, Inc. v. SBR Marketing Ltd., 2013 WL 308996 (D. Nev. Jan. 25, 2013)
A Nevada federal court held that Communications Decency Act (CDA) immunity barred state tort claims asserted in a lawsuit involving the dissemination of sports betting information. The court’s holding was based on a liberal interpretation of what it means to be a “publisher” or “speaker” under section 230 of the CDA.
Stevo Design, Inc. (Stevo) sells licenses for access to its sports betting reports. SBR operates a website with a discussion forum where users may post messages relating to sports betting and handicapping and to send messages to other users. SBR encourages activity on its website by awarding loyalty points to users for doing different things on the website, including posting original content. The loyalty points may be redeemed for credits at offshore gambling websites. Stevo claimed that SBR and its users published Stevo’s protected works on the SBR website without obtaining a license.
In addition to bringing claims for copyright and trademark infringement, Stevo asserted a slew of state-law claims against SBR. SBR asked the court to dismiss these state-law claims. The court first determined if SBR qualified for CDA immunity. The key question was whether SBR had a hand in developing the online content at issue. If so, then SBR does not enjoy CDA immunity.
Relying on Fair Housing Council of San Fernando Valley v. Roomates.com, 521 F.3d 1157 (9th Cir. 2008), the court concluded that SBR did not “develop” the offending online content. SBR encouraged its users to post original content. It did not specifically encourage its users to publish information illegally on the website. The fact that SBR users could freely contribute loyalty points to each other further evidenced the minimal role that SBR played in monitoring the content of forum posts. That SBR “sporadically” tried to eliminate infringing content did not persuade the court that SBR was a developer of unlawful content—the CDA allows interactive computer services to perform some editing of user-generated content without becoming liable for all unlawful messages they do not edit or delete.
Having determined that SBR qualified for CDA immunity, the court next considered the impact of immunity on the state-law claims. CDA immunity effectively precludes the operator of the interactive computer service from being considered the “publisher or speaker” of user-generated content. As a result, only claims requiring the defendant to be the “publisher or speaker” are barred by CDA immunity. Applying the meaning of “publisher or speaker” status liberally, the court concluded that CDA immunity barred each of the state-law claims:
Misappropriation of trade secrets: Misappropriation involves either “acquisition” or “disclosure” of a trade secret. The court easily found that “disclosure” of trade secrets through user posts on the SBR website to require there to have been publishing or “speaking. The court found “acquisition” to be a closer question, but the only kind of acquisition alleged in the complaint involved user posts on the SBR website, so the CDA barred that kind of misappropriation as well.
Misappropriation of licensable commercial property: The court is not sure such a claim exists under Florida common law, but assuming it is a form of misappropriation, the plaintiff must have suffered competitive injury due to the defendant’s taking of information. Stevo alleged that SBR injured it giving away its copyrighted information for free. The only way SBR could have done that was by disclosing the information, i.e., it acted as a publisher or speaker.
Contributory misappropriation of licensable commercial property: This claim merely required that SBR induced others to speak or publish. The court refused to allow circumvention of CDA by alleging that the defendant induced publication or speech instead of itself doing the publishing or speaking. Since SBR did not tell users what kind of information to include in their posts or encourage infringing content, it enjoyed immunity from this claim.
Civil theft: Common law theft is defined as obtaining or using the property of another with intent to appropriate the property to his or her unauthorized use. The only plausible way SBR procured or used Stevo’s property was through publication. This claim is barred.
Tortious interference with contractual relations: This claim requires interference with a business relationship. The only interference that could be inferred from the complaint involved SBR’s publication of Stevo’s works. As this claim depended on SBR’s status as the publisher, it is barred.
California federal court finds no CFAA violation for disseminating software updates obtained from subscription to software support service, and requires fraud-based CFAA claims to be pled with particularity – Oracle America, Inc. v. Service Key, LLC, 2012 WL 6019580 (N.D. Cal. Dec. 3, 2012).
DLT was a member of the Oracle Partner Network (OPN), a program for third party companies interested in reselling Oracle hardware and software. To facilitate their role as resellers, OPN members receive login-in credentials to access Oracle’s support websites. Oracle alleged that DLT fraudulently used its access to obtain Oracle’s proprietary software patches and updates, which DLT then provided to its own customers. Oracle further alleged that DLT gave its access credentials to Oracle’s websites to “unwitting third parties” (apparently including the Navy and FDA) who were unaware that DLT lacked authorization to do so. Oracle sued DLT under numerous theories, including violations of the CFAA.
Certain CFAA claims alleged that DLT “exceed[ed] authorized access” in obtaining information from Oracle’s support systems. The court agreed with DLT that dismissal of such claims was required under United States v. Nosal, 676 F.3d 854 (9th Cir. 2012) (en banc). In Nosal, an en banc panel of the Ninth Circuit ruled that misuse or misappropriation of information to which one has authorized access does not violate CFAA provisions based on access to a computer “without authorization or exceeding authorized access.” Oracle’s complaint alleged that DLT used its access credentials for an unauthorized purpose (although Oracle apparently tried to distinguish Nosal by re-characterizing the complaint in subsequent briefing as alleging that DLT accessed Oracle’s websites without authorization). That’s precisely the kind of conduct that Nosal said was not actionable under the CFAA, the court ruled. However, DLT could still be liable under the CFAA for trafficking passwords to Oracle’s support sites because such a claim is not based upon unauthorized access to a protected computer.
Oracle also ran into trouble with the requirement in Rule 9(b) of the Federal Rules of Civil Procedure that claims alleging fraud or mistake to be pled with particularity. One of Oracle’s CFAA claims alleged that DLT “knowingly and with intent to defraud . . . exceed[ed] authorized access, and by means of such conduct further[ed] the intended fraud . . . .” 18 U.S.C. § 1030(a)(4). The court concluded that the claim was “grounded” or “sounded” in fraud and thus subject to Rule 9(b). Oracle did not adequately detail its fraud to meet the Rule 9(b) pleading requirement.
The one bright spot for Oracle in the decision was the court’s rebuff of DLT’s argument that Oracle did not properly allege damages. Oracle alleged that it incurred costs as a result of investigating and conducting a damage assessment in response to DLT’s actions, and the court found that enough to satisfy the damage requirement. The court also rejected a similar argument that Oracle did not sustain damages in excess of $5,000. That argument referred to the fraud-based CFAA violation, an element of which is that the fraud resulted in the defendant obtaining “anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period[.]” 18 U.S.C. § 1030(a)(4) (emphasis added). The $5,000 threshold is not meant to be a measure of damages, the court held. Rather, the threshold refers to the value of the computer use relevant in determining whether a CFAA violation exists. In any event, the court said, Oracle did allege that DLT obtained something of value, i.e., its software.
LegalTXTS Lesson: If you’re in the Ninth Circuit, recovery under the CFAA for illicit use or dissemination of proprietary computer information is a challenge. Liability for hacking into a computer system is well-established, see Mintz v. Mark Bartelstein & Associates, Inc., 2012 WL 5391779 (C.D. Cal. Nov. 1, 2012), and so is giving away passwords to protected sites as the Oracle decision teaches. Asking permission to access your work computer “one last time” to delete personal files before switching jobs and then downloading a bunch of proprietary data also will get you in trouble (see Weingand v. Harland Financial Solutions, 2012 WL 2327660 (N.D. Cal. June 19, 2012), and my post on it here).
When it comes to misuse or misappropriation of information that was obtained with authorized access, however, Nosal makes it pretty clear that’s not a violation of the CFAA. The Oracle decision follows that rule. Other circuits, like the Third Circuit, go the opposite direction—hence decisions like Synthes, Inc v. Emerge Medical, Inc., 2012 WL 4205476 (E.D. Pa. Sept. 19, 2012), which held that it is a violation of the CFAA to induce employees of a competing company who have authorized access to the company’s computer system to download proprietary information and give it to you (see my post on it here).