MediaTech Law

By MIRSKY & COMPANY, PLLC

Appellate Court Upholds FTC’s Authority to Fine and Regulate Companies Shirking Cybersecurity

Posted November 30, 2015 by Rob Ellis 0

In a case determining the scope of the Federal Trade Commission’s (FTC) ability to govern data security, the 3rd U.S. Circuit Court of Appeals in Philadelphia upheld a 2014 ruling allowing the FTC to pursue a lawsuit against Wyndham Worldwide Corp. for failing to protect customer information after three data breaches that occurred in 2008 and 2009. The theft of credit card and personal details from over 600,000 consumers resulted in $10.6 million in fraudulent charges and the transfer of consumer account information to a website registered in Russia.

In 2012, the FTC sued Wyndham, which brands include Days Inn, Howard Johnson, Ramada, Super 8 and Travelodge. The basis of the claim stated that Wyndham’s conduct was an unfair practice and its privacy policy deceptive. The suit further alleged the company “engaged in unfair cybersecurity practices that unreasonably and unnecessarily exposed consumers’ personal data to unauthorized access and theft.”

The appellate court’s decision is of importance because it declares the FTC has the authority to regulate cybersecurity under the unfairness doctrine within §45 of the FTC Act. This doctrine allows the FTC to declare a business practice unfair if it is oppressive or harmful to consumers even though the practice is not an antitrust violation. Under this decision, the FTC has the authority to level civil penalties against companies convicted of engaging in unfair practices.

What exactly did Wyndham do to possibly merit the claim of unfair practices?

According to the FTC’s original complaint, the company:

  • allowed for the storing of payment card information in clear readable text;
  • allowed for the use of easily guessed password to access property management systems;
  • failed to use commonly available security measures, like firewalls, to limit access between hotel property management systems, corporate networks and the internet; and
  • failed to adequately restrict and measure unauthorized access to its network.

Furthermore, the FTC alleged the company’s privacy policy was deceptive, stating:

“a company does not act equitably when it publishes a privacy policy to attract customers who are concerned about data privacy, fails to make good on that promise by investing inadequate resources in cybersecurity, exposes its unsuspecting customers to substantial financial injury, and retains the profits of the business.”

Wyndham requested the suit be dismissed arguing the FTC did not have the authority to regulate cybersecurity. The appellate court found otherwise, however, stating that Wyndham failed to show that its alleged conduct fell outside the plain meaning of unfair.

The appellate court’s ruling highlights the need for companies to take special care in crafting a privacy policy to ensure it reflects the company’s cybersecurity standards and practices. This includes staying up-to-date on the latest best practices, and being familiar with the ever-changing industry standard security practices, including encryption and firewalls.

Read More

.SUCKS: Extortion or Free Speech?

Posted June 9, 2015 by Roman Vayner 0

Domain names are an essential part of modern commerce and convey important information about the website’s affiliation and legitimacy. Consumers may briefly glance at the .com or .edu at the end of the page they land on to make sure they’re on the right site, but soon they may see an unfamiliar suffix next to their favorite brand’s page – .sucks.

In 2014, the Internet Corporation of Assigned Names and Numbers (ICANN), a California-based nonprofit that manages and coordinates domain names, agreed to allow Vox Populi, a Canadian domain name registrar, to operate the registry for the new “.sucks” top-level domain (TLD).

Read More

Copyright of “Public Facts”: Craigslist v. PadMapper (updated)

Posted November 29, 2012 by Andrew Mirsky 0

Craigslist was meant for the common good, or as founder Craig Newmark puts it, “doing well by doing good”.  At least, that has been its announced mission since it began as an email distribution among friends. Craigslist kept its mantra through its rise to Silicon Valley stardom, snubbing multi-million dollar buyout offers and fighting attempts to monetize the site along the way.

The physical layout of Craigslist hasn’t changed much over the years. Point your browser in its direction and, like an old friend, you’ll be greeted with the same underlined blue links you’ve known for years. Fans are legion, but so too are critics: Critics see stagnation in this comfort, some of whom have taken matters into their own hands through attempts at innovation. However, as some have already discovered, developing tools to work around (critics would say “enhance”) Craigslist’s simple functionality can invite legal response. Is an early darling of Silicon Valley showing a decidedly uglier side, or is Craigslist still simply looking out for the common good?

This past July, Craigslist filed a lawsuit in the US District Court, Northern District of California, alleging that apartment-hunting site PadMapper and its data exchange partner, 3Taps, unlawfully repurpose Craigslist postings and therefore undermine “the integrity of local Craigslist communities, ultimately harming both Craigslist and its users.”  While the complaint parallels Craigslist’s “common good” business model, 3Taps CEO Greg Kidd sees it differently. “We believe Craigslist is acting like a copyright troll,” Kidd recently told AllThingsD.  Kidd’s company provides PadMapper an API for data about Craigslist postings that 3Taps gathers via means it claims are not subject to Craigslist’s Terms of Use and that likewise do not violate Craigslist’s copyrights.

This isn’t the first time Craigslist has claimed such violations, including several now-shuttered earlier services built on top of Craigslist’s platform. In July 2010, Newmark took to Q&A site Quora to defend his company’s actions in a case similar to Padmapper’s, saying he did not take issue with sites that do not affect Craigslist’s servers. “Actually, we take issue with only services which consume a lot of bandwidth, it’s that simple,” Newmark wrote.

June 22: Craigslist sends Padmapper a cease and desist letter and blocks PadMapper from pulling CL ads (at least from doing so directly).  According to CL’s complaint (filed July 20th), traffic to Padmapper immediately plummeted.  

PadMapper claims not to siphon off Craigslist’s servers. Through its partnership with 3Taps, PadMapper accesses a database of Craigslist listings found and organized from search engines including Google and Bing.

 July 9: Padmapper re-launches using 3Taps data.

July 20: Craigslist sues 3Taps and Padmapper.  CL claims:

  • Copyright infringement (for the CL site and for CL listings)
  • Contributory copyright infringement (against 3Taps)
  • Breach of contract (TOS)
  • Trademark infringement
  • Trademark dilution
  • Unfair trade practices

Perhaps that’s why Craigslist is now requiring users to “expressly grant and assign to Craigslist all rights” to enforce the copyright. Other sites like Yelp! and Facebook only require a non-exclusive license to their users’ content. But even if courts interpret this as a legally binding transfer of copyright to Craigslist, facts, like those in classified listings, often cannot be copyrighted. Therefore, it is possible that details such as an apartment’s price, address and number of bedrooms will not be protected.

This is of course Greg Kidd’s argument. “No Terms of Use can ride roughshod over the fact that there is no copyright in facts,” Kidd says. “Padmapper’s use of exchange posting is not infringing use. It is fair use or free use … of public facts.” According to Kidd, PadMapper could just be the beginning to what could be, “a whole class of use case conflicts if this stands.” Via this interpretation, as Kidd sees it, “a [Craigslist] posting retweeted via Twitter is going to be just as problematic as one through PadMapper.”

This argument inelegantly ignores 2 obstacles under contract and copyright.

Contract

First contract law, by virtue of the binding nature of Craiglist’s TOU as a contract.  So, as Craigslist notes in its complaint:

[3Taps and Padmapper] regularly accessed the CL website and affirmatively accepted and agreed to the [TOU] to, among other things, test, design, and/or use the software that allows Defendants to provide their services.  Likewise … Defendants regularly accessed the CL website with knowledge of the [TOU] and its prohibitions against copying, aggregating, displaying, distributing, performing and derivative use of the CL website and any content posted on the CL website … and regularly access the CL website and copied, aggregated, displayed, distributed, and made derivative use of the CL website and the content posted therein.

3Taps disagrees: 3Taps cannot be bound by Craigslist’s TOU, since 3Taps never touches Craigslist’s servers to obtain the data it provides via its API.  Says Kidd:

The [CL] data in question is indexed by public search engines and is made available in the public domain.  One does not have to belong to or even go to Craigslist to find this information on the description, price, and time of availability of a posting. The information is freely available in the public domain and is a fundamental component of transparency of supply and demand and price discovery that are the foundation of free markets.

Craigslist then says that 3Taps’ argument about not directly accessing data from Craigslist is absurd:

3Taps copies all of craigslist’s content – including time stamps and unique craigslist user ID numbers – and makes it available to third parties for use in competing websites or, for whatever other purpose they wish. On information and belief, 3Taps is obtaining this content by improperly accessing craigslist’s website and “scraping” content.

Copyright – Facts and Facts

Kidd’s “public domain” argument – challenging Craigslist’s private ownership of public “facts” – has its own problems.  That’s because there are public facts and … there are public facts. For starters, what makes an apartment listing a public fact? Arguably, an apartment listing is a private piece of information uniquely created and formatted by a landlord and Craigslist: How listed, what information is listed, what pricing, etc.  Perhaps not the most highly creative of copyright subject matters protected by “original works of authorship fixed in any tangible medium of expression” US Copyright Act (Title 17 US Code), but nonetheless protected by copyright.

No, Craigslist may not be able to protect names and addresses, but it may be able to protect Craigslist’s particular presentation of those names and addresses.  And Craigslist makes this very point in its complaint, claiming that 3Taps “displays craigslist’s copyrighted content in virtually identical visual fashion to the manner in which they appear on craigslist.”

August 1: After filing its July suit, Craigslist amends its TOU, telling users they were not permitted to cross-post their sales items anywhere else on the internet:

Clicking ‘continue’ confirms that Craigslist is the exclusive licensee of this content, with the exclusive right to enforce copyrights against anyone copying, republishing, distributing, or preparing derivative works without its consent.

August 5: Craigslist instructs all general search engines to stop indexing CL postings.

August 9: CL amends its TOU – again – to remove “exclusive license” language from its TOS:

Second, Craigslist may be able to rely on copyright arguments similar to those historically made by mapmakers and telephone book publishers, where the compilation of otherwise public facts is itself copyrightable. (See, for example, Feist Publications, Inc. v. Rural Telephone Service Co., 499 US 340 (1991).)  This argument, where the unique presentation, design, layout, or formatting give a compiler a copyright edge, still gives scant protection to the component parts, but it can give viability to a legal claim of misappropriation.

Other Arguments – Trademark and Unfair Competition

Craigslist makes other legal arguments, including most notably trademark infringement and dilution claims and California state law unfair competition claims.  These are subjects beyond the scope of the present discussion, although they do seem to raise the kinds of issues that the likes of Rockefeller Plaza in New York City deals with: Once a year, every year, the plaza is closed to public access in order to allow its owners to continue to assert their private ownership.   Perhaps Craigslist, too, feels some periodic necessity to remind its users that freedom of internet use is not free.

September 24: 3Taps files answer and counterclaim against CL.  Counterclaims:

  • Antitrust
  • Unfair competition
  • Interference with economic advantage

From 3Taps antitrust counterclaim complaint:

3taps is not alleging that craigslist acquired its widespread monopoly power improperly – far from it; craigslist should be applauded for bringing online classifieds into the modern age and achieving its initial dominance over various U.S. markets for the “onboarding” (i.e., the process of inputting and uploading factual content on the internet) of user-generated classified ads by those seeking a personal exchange transaction for various goods and services, including apartment rentals, jobs, personal services, general goods, and other sales.

What 3taps is complaining about is how craigslist has maintained (and continues to maintain) its monopoly power in these three related markets. Certainly, craigslist has not maintained this power by competing on the merits. Indeed, for years, craigslist has espoused the classic principles of a monopolist that believed it did not need to compete: a “strategy” of “unbranding,” “demonetizing,” and “uncompeting” —the epitome of a lethargic monopolist. And why not?  As an unchallenged monopolist across these various markets, craigslist has generated revenues somewhere between $100-$300 million per year, and that’s without sinking any significant costs into research and development or innovation.

September 24: Craigslist launches its own mapping capability.

Bruce Fryer, an intern with Mirsky & Company, PLLC, contributed to this post.

Read More

Tootsie Roll vs. Footzy Roll: Clever Marketing or Trademark Infringement?

Posted August 14, 2012 by Britnie Morris 0

As a twentysomething female who likes to dress for success but not suffer without end in the unrelenting DC humidity, flat, practical shoes can offer a sweet reprieve from uncomfortable heels.  Rollashoe’s premier product, the Footzy Roll, a ballet-style, compactible slipper can be stored easily for the girl on the go.  They’re great to casually slip on after a night out on the town or for happy hour after a day in the office.  They’re also edible.  Just kidding.

Tootsie Roll seeks to block Rollashoe’s trademark for “Footzy Rolls” in the US Patent and Trademark Office, as Reuters reported last fall.  Tootsie, which, as reported in the Chicago Tribune, earned $521 million in 2010, filed suit against Rollashoe, LLC in federal court in Chicago, claiming that Footzy Roll will confuse and deceive consumers and dilute Tootsie’s trademarks. 

Read More

Privacy: Consent to Collecting Personal Information

Posted April 4, 2012 by Andrew Mirsky 0

Gonzalo Mon writes in Mashable that “Although various bills pending in Congress would require companies to get consent before collecting certain types of information, outside of COPPA, getting consent is not a uniformly applicable legal requirement yet. Nevertheless, there are some types of information (such as location-based data) for which getting consent may be a good idea.  Moreover, it may be advisable to get consent at the point of collection when sensitive personal data is in play.”

First, what current requirements – laws, agency regulations and quasi-laws – require obtaining consent, even if not “uniformly applicable”?

1. Government Enforcement.  The Federal Trade Commission’s November 2011 consent decree with Facebook user express consent to sharing of nonpublic user information that “materially exceeds” user’s privacy settings.  The FTC was acting under its authority under Section 5 of the FTC Act against an “unfair and deceptive trade practice”, an authority the FTC has liberally used in enforcement actions involving not just claimed breaches of privacy policies but also data security cases involving managing of personal data without providing adequate security.

2. User Expectations Established by Actual Practice.  The mobile space offers some of the most progressive (and aggressive) examples of privacy rights seemingly established by practice rather than stated policy.  For example, on the PrivacyChoice blog, the CEO of PlaceIQ explained that “Apple and Android have already established user expectations about [obtaining] consent.  Location-based services in the operating system provide very precise location information, but only through a user-consent framework built-in to the OS.  This creates a baseline user expectation about consent for precise location targeting.”  (emphasis added)

Read More

Copyright 2022 Mirsky & Company, PLLC