Here Comes Another One: Examining the Home Depot Data Breach Lawsuit

40 million; the number of credit and debit card numbers stolen in the Target data breach of 2013. 200 million; the number of dollars credit unions and community banks spent reissuing only half of them. 1-3 million; the estimated number of these cards’ data successfully sold on the black market and fraudulently used before their issuing banks cancelled them. 5; the number of months ‘clandestine’ malware on Neiman Marcus systems operated and stole newly issued credit card information. 47; the percentage of world credit/debit card fraud that takes place in the United States. 18; the number of people, on average, whose stolen credit or debit card information just made them victims of identity theft before you even finished reading this paragraph.

Data breaches like Target and Neiman Marcus have prompted numerous consumer lawsuits against companies alleged of not doing enough to protect collected information about their customers. The effect of the media coverage over these data breaches combined with legislator concern and filed complaints has thrown the issue of consumer data protection into the spotlight.

One such lawsuit was filed on September 24, 2014 as Shonna Earls and John Holt Senior filed a class action against The Home Depot, Inc. in the U.S. District Court for the Northern District of California. The complaint alleges breaches of the California Customer Records Act as well as a violation of the California Unfair Competition Law among allegations of negligence on the part of Home Depot in managing recorded information.

The Breach

Home Depot confirmed that on September 18, 2014, 56 million credit and debit cards were exposed by hackers in the breach. The data stolen apparently centered on customer information recorded by the stores’ payment card systems which tracked the magnetic strip of the cards swiped and included customers’ names, card numbers, expiration dates, and CVV security codes. This type of information was also the targeted information in the Target and Neiman Marcus breaches. The popularity of this information among hackers comes from the ability to use this information to create new cards or make fraudulent purchases over the internet.

Home Depot has also confirmed that 53 million emails of customers were stolen in the hacks too. Home Depot has warned customers that this information could potentially be used in phishing scams online when hackers pose as Home Depot giving away gift cards or the like to trick consumers into disclosing personal financial information.

KrebsOnSecurity reports that the hack happened due to a variant of the “BlackPOS” (a.k.a. “Kaptoxa”), a malware strain designed to siphon data from cards when they are swiped at infected point-of-sale systems running Microsoft Windows. This was similar to the methodology used in the 2013 Target data breach. The investigation has yielded information that the attackers broke into Home Depot’s network on Nov. 15, 2013 using network credentials stolen from Fazio Mechanical Services a third-party provider of refrigeration and HVAC systems.

The New York Times has covered accusations from former employees who said that Home Depot was slow to install updated security mechanisms to prevent the breach in the first place. Furthermore, former employees wondered whether Home Depot did not meet industry standard guidelines for securing credit and debit card data – attributing the extent of the breach to lax security measures.

The Fallout

Following the news of the breach, multiple financial institutions reported a steep increase in fraudulent ATM withdrawals on customer accounts. Home Depot estimates the breach will cost the company $62 million. Higher estimates are projected by some sources whereas the breach cost Home Depot $43 million in the third quarter of 2014 alone. Those same sources point to the 2013 Target breach costing upwards of $1 billion.

In addition to the Earls lawsuit, there are also 43 additional civil suits being filed against Home Depot across the United States.

In addition to the security upgrades and legal costs, Home Depot informed customers that it would be providing free identity protection services to anyone who used their cards at Home Depot in 2014.

Shareholders have expressed concern that news of the breach may hurt Home Depot’s stock price looking at the 14% drop in Target’s price only a couple months out from news of its breach in 2013. However, according to Google Finance, Home Depot’s stock value has actually increased to close out the year nearly 12 points higher than in September when the news was announced.

The Lawsuit

Shonna Earls personally incurred $543.95 in unauthorized charges in September, 2014 after using her credit card at her local Home Depot. John Holt Sr. was notified by his bank that fraudulent activity was taking place on his debit card that he had recently used at Home Depot. The two plaintiffs are named in a nation-wide and California-wide class action suit.

The complaint alleges Home Depot violated multiple sections of California law by failing to implement reasonable security procedures and practices to protect consumer credit and debit card information. Additionally, the complaint alleges Home Depot violated California law by failing to promptly notify class members that their personal information had been compromised.

California Civil Code § 1798.80 requires any business that owns or licenses personal information about a California resident to maintain reasonable security procedures appropriate to the nature of the information. The complaint alleges that Home Depot violated this section by keeping customers’ personal data within its custody longer than necessary and by failing to properly and adequately dispose or make customers’ data undecipherable.

The complaint further alleges Home Depot violated California Civil Code § 1798.82 by failing to promptly notify all affected Home Depot customers that their personal information had been exposed by hackers.

The second cause of action alleges that Home Depot violated California Business and Professions Code § 17200 by failing to take reasonable security measures to protect its customers’ data, and because they didn’t notify customers of the breach in a timely manner. It further alleges that Home Depot engaged in unfair business practices and conduct that undermines or violates the stated policies underlying the California Customer Records Act.

The third cause of action alleges that Home Depot owed Plaintiffs and members of the class a duty to exercise reasonable care in safeguarding and protecting that information – a duty underscored by the California Customer Records Act. Plaintiffs allege that timely disclosure was necessary to alert plaintiffs and allow them to, among other things, monitor their bank accounts, undertake appropriate measures to protect their identify and avoid unauthorized charges, and otherwise prevent or mitigate the risk of fraudulent cash withdrawals or unauthorized transactions.

The class requests that Home Depot submit itself to a third-party security audit and testing regimen, update its data security policies, destroy all non-necessary customer information, better educate its personnel on the need for data security, and better educate its customers about the risks they now face in light of the breach and how they may protect themselves.

The Adventure Continues

The Earls lawsuit is just the latest chapter in the saga of retail data breaches and the public prioritization of consumer information privacy. Former employees have filed a lawsuit against Sony over the recent hack by the “Guardians of Peace”. On December 4, 2014, U.S. District Judge Paul Magnuson ruled to allow a lawsuit by financial institutions against Target for allowing their computer systems to be breached to proceed. In January, Nieman Marcus was hit with a proposed class action lawsuit in federal court seeking to hold the retail chain accountable for separate data breaches that put customer payment information at risk. The Michaels craft store chain was hit with a similar lawsuit by Michael and Jessica Gouwens in Illinois alleging the retailer has failed to sufficiently step up security measures following a three-year-old security breach.

Responses to recent data breaches are not limited to judicial action. In the wake of the 2013 Target data breach, ranking members of Congress called for committee hearings to explore how to better protect consumers and ensure private companies are held accountable for failures to secure their customers’ data. This is reflective of polling information that indicates stolen credit card information tops the list of crimes Americans worry about the most. The public conscience, legislative priority, and judicial focus are all fixed upon how to secure consumers’ information in the twenty-first century. Regardless of the outcome of any single case, the issue remains. While the twenty-first century may be the century of big data; the courts, federal and state officials, and the general public will also take measures to ensure it is also the century of big data protection.

Tagged , , Leave a comment

Could Your Technology Be Incriminating You?

Earlier this week, we wrote about how the government can lawfully compel a person to unlock their smart phone with the Touch ID feature (if the feature is enabled). Recently, Fitbit has been in the news because the popular fitness tracker device is being used as evidence in a Canadian civil court in a personal injury lawsuit. According to Forbes, in this landmark case, Fitbit data was volunteered by the owner of the device (the plaintiff) to support a claim that her activity level had decreased following an alleged injury.

This, one again, raises issues about the juncture between modern technology and consumers’ Fifth Amendment rights. So far, it appears that Fitbit data, or data from other wearable devices, have not been subpoenaed or used against the will of the device’s owner in the United States (or Canada). However, this case has opened Pandora’s box to the question of technology and self-incrimination.

 

What does this Mean for Tech Users?

Let’s say that you are accused of robbing a bank. There is no evidence against you, and your alibi is that you were at home taking a nap at the time of the crime. A judge may be able to compel you to produce your wearable technology to account for your heart rate at the time of the crime. In this case, elevated heart rate would equal incrimination.

 

What’s Next?

Some savvy prosecutor or plaintiff’s attorney may attempt to compel the production of wearable technology data in the near future. Using the analysis from the previous blog post on this topic, the pertinent question will be whether the production of data from one’s wearable technology is a “testimonial communication.” If producing one’s Fitbit, for instance, is not a testimonial communication, than the wearer may invoke her Fifth Amendment privilege against self-incrimination to stop production (or use) of the data in court.

 

For more information on this topic see coverage from Forbes and The Atlantic.

Tagged , , Leave a comment

Aereo’s Next Chapter in Bankruptcy

On the heels of a business-crushing Supreme Court decision, television-streaming giant Aereo announced in November that it would be filing for Chapter 11 bankruptcy.  Founded in 2012 with nearly $100 million in venture funding, the company allowed users to live-stream 30 different television channels for a low monthly subscription fee.  Aereo accessed these networks through its own micro antennas, which pulled the signals necessary for re-broadcasting from the television channels’ nearby towers.

The parent companies of the effected networks  – ABC, CBS, NBC, and Fox – initiated a civil suit in the Southern District of New York in 2012.  The broadcasters alleged that Aereo violated federal copyright law by failing to pay retransmission fees, which generate a significant portion of the networks’ revenues.  In response, Aereo argued that its technology is no different from a TV antenna on an individual user’s roof that connects to the TV through a wire; here, the wire connecting the antenna with the TV is the internet.

The Copyright Law of 1976 provides a copyright holder with the exclusive right to “perform the copyrighted work publicly.”  In other words, the copyright holder is the only body permitted to “transmit or otherwise communicate a performance or display of the work . . . to the public, by means of any device or process . . .”  As the networks note in their briefs, Congress enacted this provision in order to “bring within the scope of the public performance right” the retransmission of television broadcasts – ultimately, to protect the networks’ content.

The Litigation

In the early stages of the litigation, it looked as though Aereo might prevail.  The District Court ruled in Aereo’s favor, first denying the broadcasters’ request for a preliminary injunction and later denying their motion for summary judgment.  The Second Circuit then affirmed the lower court’s rulings, relying on Aereo’s technological make-up in its decision.  The Second Circuit reasoned that Aereo did not violate the federal copyright law because each customer viewed a unique copy of a broadcast, obtained through that customer’s specific micro antenna.  In this way, Aereo was engaged in thousands of “private” performances rather than the prohibited “public” ones.

The broadcast networks filed their petition for writ of certiorari in October 2013, asking the Supreme Court to decide whether a “company ‘publicly performs’ a copyrighted television program when it retransmits a broadcast of that program to thousands of paid subscribers over the Internet.”  Aereo also urged the Supreme Court to take the case.  The company reasoned that, as its business grew, one wide-reaching decision would be better than a variety of different rulings throughout the country. The Supreme Court swiftly decided to take up the issue in January 2014 and held oral arguments in April.

On June 25, 2014, the Supreme Court reversed the Second Circuit’s ruling and held 6-3 that Aereo violated the Copyright Act’s Transmit Clause because it “publicly perform[ed]” the networks’ copyrighted works.  The Court found that Aereo was doing more than acting as the “wire” that connects the antenna to the television; it was functioning “substantially similar[ly]” to a cable system and, thus, needed to obtain the networks’ permission to transmit their content. The majority decision was delivered by Justice Breyer, joined by Justices Ginsburg, Kagan, Kennedy, Roberts, and Sotomayor.  Justices Alito and Thomas joined Justice Scalia in his dissent.

“Viewed in terms of Congress’ regulatory objectives, these behind-the-scenes technological differences do not distinguish Aereo’s system from cable systems, which do perform publicly,” the decision reads. “Congress would as much have intended to protect a copyright holder from the unlicensed activities of Aereo as from those of cable companies.”  In the same breath, the Court took care to note that this ruling was specific to Aereo and should not impact other emerging technologies.

In a statement following the ruling, Aereo’s CEO Chet Kanojia lamented that the Court’s ruling is a “massive setback for the American consumer” and that it sends a “chilling message to the technology industry.”  He explained that Aereo “worked diligently to create a technology that complies with the law,” but, unfortunately, the Court’s ruling made it clear that “how the technology works does not matter.”  On the other hand, the CEO of the National Association of Broadcasters, Gordon Smith, explained that he was “pleased” that the Court upheld the idea of copyright protection that is “enshrined in the Constitution” by siding with the television channels.  He sees Aereo’s argument that the broadcasters were simply attacking its innovation as “demonstrably false.”

Three days after the Supreme Court decision, Aereo suspended its streaming service.  Meanwhile, broadcasters such as CBS have moved forward with plans to allow consumers to live-stream programs on the internet.

Bankruptcy

As Aereo CEO Kanojia explained in the company’s Chapter 11 announcement (appropriately entitled “The Next Chapter”), the June Supreme Court decision “effectively changed the laws that had governed Aereo’s technology, creating regulatory and legal uncertainty.”  Despite Aereo’s best efforts at circumventing this decision, “the challenges have proven too difficult to overcome.”  The CEO expects that Chapter 11 will allow Aereo to “maximize the value of its business” without the expense of protracted litigation.

When businesses are unable to service their debt, Chapter 11 permits them to undergo reorganization under Title 11 of the U.S. Bankruptcy Code.  Unlike in Chapter 7 where businesses cease operations, Chapter 11 debtors usually remain in control of their operations under the supervision of the court.  Companies have several mechanisms at their disposal as part of the restructuring process, including acquiring loans with favorable terms and canceling existing contracts.  Most importantly in the case of Aereo, companies who file for Chapter 11 bankruptcy benefit from an automatic stay, which halts pending litigation and prevents creditors from attempting to collect on their debts.

Aereo appointed Lawton Bloom of Argus to serve as the Chief Restructuring Officer, responsible for guiding the company through liquidation or restructuring. The company has already laid off 74 employees, leaving just 14.  In its papers filed with the court, Aereo claimed to have approximately $20.5 million of assets and to owe about $4.2 million of debts.  Aereo’s CFO Ramon Rivera explained that using Chapter 11 to gain protection from creditors would provide the “necessary breathing room” for Aereo to plot out next steps.

Tagged , , , Leave a comment

The Right of Publicity: Likeness Lawsuits Against Video Game Companies

What do actress Lindsay Lohan, former Panamanian dictator Manuel Noriega, and U.S. World War II General George S. Patton have in common? Each is involved in a right of publicity lawsuit brought against video game companies earlier this year. Lohan, Noriega, and Patton’s estate have each filed lawsuits alleging that certain video game characters illegally use their likeness and identity without permission. Before discussing the individual facts of each of these cases, it is important to understand the basics of the right of publicity.

The right of publicity varies from state to state. As seen from California’s right of publicity statute, Cal. Civ. Code § 3344, any “person who knowingly uses another’s voice, signature, photograph, or likeness, without such person’s prior consent, shall be liable for any damages sustained by the person injured.” In 1992, the Ninth Circuit in White v. Samsung Electronics America, Inc. stated that, in bringing a right of publicity claim, one must show (1) the defendant’s use of the plaintiff’s identity, (2) the appropriation of the plaintiff’s name or likeness to the defendant’s advantage, (3) the plaintiff’s lack of consent, and (4) the plaintiff’s injury. In this case, Samsung released an advertisement that depicted a robot standing in front of a Wheel of Fortune board, wearing a blond wig, a gown, and jewelry, which was made to resemble Vanna White. Addressing Samsung’s argument that it did not use White’s actual name or person, the court held that White had a valid claim because “the common law right of publicity reaches means of appropriation other than name or likeness [alone].” The court noted that this right was designed to protect celebrities from the unauthorized commercial exploitation of their identity. However, the extent and strength of this right is hotly debated.

In July 2014, Lindsay Lohan filed a lawsuit in a New York state court against Take-Two Interactive and Rockstar Games, the creators of Grand Theft Auto V. Lohan alleged that an in-game character, Lacey Jonas, as well as promotional art and other merchandise depicting a young blond woman, use her image, likeness, and voice without her permission. In Grand Theft Auto V, Lacey Jonas is a blond celebrity who asks for your assistance in escaping from the paparazzi, during which she discusses the burdens of being famous. Lohan argued that the character’s image, voice, and clothing were very similar to her own, and that Rockstar Games, in designing the game’s promotional art, used a “look-alike model to evoke the persona and image” of Lohan in order to profit from her fame. Thus, Lohan alleged that such use falls squarely under her right of publicity and that these video game companies have commercially exploited her identity without her permission.

In the same month, former Panamanian dictator Manuel Noriega, who is currently serving a two decade prison sentence for drug trafficking, money laundering, and killing political opponents, filed a lawsuit in California against Activision Blizzard, the creator of Call of Duty: Black Ops II. Differing from Lohan’s situation, this game unambiguously includes Noriega as a character and even features a mission to capture him. Noriega argued that his portrayal “as a kidnapper, murderer and enemy of the state” damaged his reputation, and that the use of his image and name entitles him to a share of Activision Blizzard’s profits. In October 2014, a California court dismissed Noriega’s lawsuit, stating that “Noriega’s right of publicity is outweighed by defendants’ First Amendment right to free expression.” Interestingly, former New York mayor, Rudy Giuliani, spoke out in defense of Activision Blizzard, arguing that, if Noriega’s lawsuit was not dismissed, “[p]ublic figures, good ones, bad ones, who are included in books, movies and video games, all of these [people] would have a right to sue.”

There have been other of instances of similar lawsuits, such as one filed by the estate of George S. Patton against Maximum Family Games for the use of the WWII General in one of its games, as well as a successful case brought by Ryan Hart, a college football player, against Electronic Arts, Inc. for his portrayal in EA’s NCAA Football video game series.

Together, these cases shed light on the strengths and limits of the right of publicity. In Hart v. Electronic Arts, Inc., it was the fact that EA did not “sufficiently transform” Hart’s identity or appearance that contributed to the Third Circuit’s holding in favor of Hart. As the court stated, this “Transformative Use Test” helps dictate the balance between a video game publisher’s right of expression under the First Amendment and a celebrity’s right of publicity. The Third Circuit held that, because the “digital Ryan Hart [did] what the actual Ryan Hart did while at [college]: he play[ed] football, in digital recreations of college football stadiums, filled with all the trappings of a college football game,” this use was meant to be highly realistic and was not transformative. Because this use was not transformative, it was clearly an unauthorized appropriation of Hart’s identity for commercial profit.

Given this holding, it will be interesting to see, if Noriega appeals, how a California appellate court will deal with transformative use factors and First Amendment concerns. Although the digital Noriega is visually realistic and was a CIA informant, like Noriega was in real life, there may be transformative aspects in that the in-game character engages in fictional dialogues and events. Some, like Giuliani, fear that this “absurd” lawsuit will allow countless historical and famous figures to unjustly halt many films, books, and other works of art, impeding creative progress and free speech. The Lohan case presents an additional layer of complexity, in that the in-game character may not even be found to use Lohan’s identity and likeness. An analysis of the similarities between the in-game character and Lohan will be required before fully proceeding to a discussion of the balance between publicity rights and free speech. Through the medium of video games, these cases illustrate a growing tension between First Amendment concerns and celebrity publicity rights and have the potential to seriously affect future creative works, privacy rights, and free speech.

Tagged , , Leave a comment

Federal “Catfishing”: When Government Impersonation through Social Media Gets Caught

You rush into work one morning, coffee and briefcase in hand, barely making it into the cramped elevator as the doors close. You overhear someone in the back whisper “That’s her, she’s the one in the tank top in her profile pic.” You wonder who they’re gossiping about but are too preoccupied on your 9:30 presentation to care. After a successful presentation, your boss pulls you aside and offers a friendly reminder to be aware of how people might see a Facebook profile or Twitter post to be a reflection on the character of the company. You’re slightly puzzled, as it seems to be coming out of nowhere, but just nod and smile and thank him for the reminder. At lunch, your co-worker comes up and says how cute your son and niece look in the pictures you posted online last night. You ask her what she’s talking about since you don’t remember posting anything. Her only reply is that it was on your Facebook profile and thanks for adding her as a friend yesterday.

There’s only one problem – you don’t have a Facebook profile.

 

Arquiett v. DEA

This scenario is similar to what brought Sondra Arquiett to sue the Drug Enforcement Administration (“DEA”) for commandeering her identity and impersonating her for months through a fake Facebook profile. In the complaint, filed in the United States District Court for the Northern District of New York, Arquiett alleges that an agent of the DEA “appropriated [Arquiett’s] name and likeness to create a publicly available Facebook account that purported to be an account belonging to [Arquiett] . . . without [her] knowledge or permission.” The complaint further alleges that the DEA agent posted pictures belonging to Arquiett on the page including suggestive pictures of her in her underwear and others with her child and niece – both minors. The DEA agent additionally “utilized the Facebook page to initiate contact with dangerous individuals he was investigating with regard to an alleged narcotics distribution ring . . . [and] also initiated contacts with other persons known to [Arquiett].” Arquiett alleges that she suffered fear and distress from uncovering the impersonation because the DEA agent had, “created the appearance that Plaintiff was willfully cooperating in his investigation of the narcotics trafficking ring, thereby placing her in danger.” Arquiett is charging that this impersonation violated her constitutional rights to privacy afforded under the First Amendment, equal protection under the Fifth Amendment, and her Eighth Amendment right to be free from cruel and unusual punishment.

The U.S. Attorney’s Office acknowledges the events in Arquiett’s complaint that took place but argues that the use of the account was proper as it was “for a legitimate law enforcement purpose.” The government argues:

“Defendants admit that Plaintiff did not give express permission for the use of photographs contained on her phone on an undercover Facebook page, but state the Plaintiff implicitly consented by granting access to the information stored in her cell phone and by consenting to the use of that information to aid in an ongoing criminal investigations [sic].”

The district court has since approved mediation to resolve the issue and both parties are currently attending.

 

Prior use of Social Media by Law Enforcement

This wouldn’t be the first time a law enforcement agency has utilized social media in a criminal investigation. LexisNexis published a report in 2014 stating that eight out of ten law enforcement agencies utilized social media in criminal investigations. Although it is unclear to what extent law enforcement agencies create profiles impersonating real people (as opposed to creating profiles of fictitious individuals). Such investigations include a 2008 gang sting operation in Cincinnati, OH where 71 people were arrested following a data mining operation on Facebook.

 

No “Likes” for the DEA

After BuzzFeed News broke the story, Facebook removed the account and rebuked the DEA for its violation of Facebook’s community guidelines and demanded it cease all activities relating to fake profiles.

We ask that you refrain from publishing the personal information of others without their consent. Claiming to be another person, creating a false presence for an organization, or creating multiple accounts undermines community and violates Facebook’s terms.

Joe Sullivan, Facebook’s Chief Security Officer, commented in an October 2014 letter to the DEA that, “Facebook is deeply troubled by the DEA’s claims and legal position . . . Facebook has long made clear that law enforcement authorities are subject to these policies.”

In an interview with CNN, he also stated actions like these, “[undermine] the integrity of [Facebook’s] whole service if we allow people to use false accounts.

U.S. Senator Patrick Leahy, Chairman of the Senate Committee on the Judiciary, wrote a letter to U.S. Attorney General Eric Holder late last month condemning the DEA’s impersonation of Arquiett on Facebook and calling the DEA’s decision to post suggestive photos of Ms. Arquiett and pictures of her minor son and niece ‘appalling’ and ‘dangerous’. Leahy condemned the danger to Arquiett’s life the DEA incurred when they initiated conversations with known dangerous criminals impersonating Arquiett and then linking that to the pictures they posted of Arquiett’s son and niece. Leahy concluded:

I hope the Justice Department will agree that creating an online profile using an unsuspecting person’s identity to communicate with criminals is unethical, potentially dangerous, and should not be condoned by our nation’s law enforcement agencies.

 

This Isn’t Something New to the Internet

Impersonation isn’t anything new to social media. We all remember the infamous Manti Te’o scandal where the football star’s dead girlfriend turned out to be a hoax complete with her own Facebook profile.

Then there’s $616,165 fine the Federal Trade Commission leveled against JDI Dating last monthfor allowing users to create profiles on their sites for free and then send them fake messages from people who supposedly lived nearby and wanted to meet.

However, neither of these is as disturbing as the case of Megan Meier – the one that first drew national attention to the issue of online impersonation. Megan lived in Dardenne Prairie, MO and began an online friendship-turned-romance over her MySpace.com profile with Josh Evans. That was until October 2006 when Josh began being mean to her even to the point where he messaged Megan “The world would be a better place without you.” Megan hung herself in her bedroom closet. She was 13. It also turned out that Josh Evans never existed. A 47 year-old neighbor had been impersonating the profile the entire time.

This infamous case of “catfishing”, where someone impersonates being someone else over the internet often used to trick people into romantic relationships, prompted state legislatures across the country to create laws against this kind of fraudulent behavior. In California and New York, online impersonation is a misdemeanor. In Texas, it’s a third-degree felony.

Former California State Senator Joe Simitian commented that these laws were created to prevent harm from coming to individuals who fall victim to online impersonation – just like identity theft. “There are many kinds of harm . . . Emotional distress is a harm. Financial damage is a harm. When someone both steals your identity and damages your reputation, there ought to be consequences.

But what about when it’s the government doing the “catfishing”?

 

A Novel Question for the Courts

Anita L. Allen, professor at University of Pennsylvania Law School, protests to the use of fake profiles by government agencies as “misrepresentation, fraud, and invasion of privacy.” However, she also pointed out that Arquiett’s case presents a novel legal issue that has not yet been tested in federal courts – how far is too far when the government impersonates a real individual over social media without their knowledge or consent? Ryan Calo, a professor at the University of Washington School of Law, says that what separates this kind of deceptive behavior from others in which law enforcement agencies have engaged in the past is that this case is an instance where the government assumed the identity of a real individual as opposed to a fictional one. Neil Richards, also a professor at Washington University School of Law, agrees that “There are a whole bunch of new things that are possible [with social media], and we don’t have rules for them yet.

Allen also brings up the point that the government admits that Arquiett did not give her express permission to use the private photographs stored on her phone on social media. Allen analogies, “I may allow someone to come into my home and search, but that doesn’t mean they can take the photos from my coffee table and post them online.” Elizabeth Joh, professor at UC Davis School of Law, said that for the government to glean ‘implied consent’ for use of the pictures on social media absent any express permission to do so, “[is] a dangerous expansion of the idea of consent, particularly given the amount of information on people’s cell phones.”

In the era of mass privacy breaches of commercial retail chains and ex-patriots exposing NSA domestic spying programs; technology has allowed federally-sponsored “catfishing” to be added to the mix of privacy concerns. Maybe you should just call next time instead of sending that Facebook message. After all, the face behind the profile might not be the one you were expecting.

Tagged , , , Leave a comment

The Smartphone versus the Fifth Amendment

For many smartphone users, passwords and passcodes have become a thing of the past. Since late 2013, Apple iPhone users have been able to access their phones by simply applying their stored fingerprint to the Home Button. Many Android devices offer the same feature. And now, Touch ID does more than unlock a phone. As of October 20, 2014, Apple’s Touch ID is fully integrated with Apple Pay, which allows users to make every-day purchases with a touch of their thumb.

However, in the aftermath of Virginia v. Baust, many smartphone users may soon reconsider their reliance on fingerprint ID technology.

In October, a Virginia trial judge ruled that unlike a passcode, the production of one’s fingerprint is not “testimonial communication”, and therefore, the Fifth Amendment privilege against self-incrimination cannot be invoked. Rather, the government may properly compel the production of a smartphone user’s fingerprint to unlock the user’s device. This force compulsion would ostensibly extend to any applications within a device that can be opened via fingerprint.

According to the Virginia court that decided the case, Fifth Amendment protection is implicated where the government demands the “(1) compulsion of a (2) testimonial communication that is (3) incriminating.” Virginia v. Baust. In its analysis, the Virginia trial judge relied on authority such as the 1967 case, United States v. Wade, where the Supreme Court found that biometrics such as height, weight, photograph, voice, and handwriting were not testimonial communication, and accordingly, could be compelled by the government.

The Court reasoned that the production of a passcode, on the other hand, is a “testimonial communication.” A cited authority United States v. Kirschner (2010), contrasted the hypothetical compellation of a passcode with the compellation of a writing sample. The court found in Kirschner that a defendant would not be revealing knowledge by giving a writing sample, but s/he would be revealing knowledge if s/he were compelled to recount the passcode.

Is All Smartphone Privacy Lost?:

As a trial court, the ruling in Virginia v. Baust is not mandatory law. However, as with any early caselaw in a novel and undeveloped area of the law, this opinion will likely be cited as a persuasive authority.

In the short term, we’ll have to wait to see what other jurisdictions will say about this burgeoning question. For now, the convenience of Touch ID may not be worth risk of lost privacy.

For more information on this topic see coverage from: Mashable; and Huff Post.

Tagged , , , , , , Leave a comment

Terms of Service: Didn’t Read? Might Not Be a Problem If It’s Browsewrap

As websites today develop increasingly complex relationships with visitors, the contracts that define those relationships have become more difficult for companies to impose as binding.  Recent litigation surrounding “Terms of Service” (ToS) agreements has put pressure on companies to draft agreements that courts will actually enforce.

Today’s ToS contracts generally come in two forms: clickwrap and browsewrap.  Clickwrap agreements require users to affirmatively review the terms and, at the end, to press the “I accept” or “I agree” button to indicate their assent.  Browsewrap agreements, on the other hand, are passive.  On most websites, the terms are connected to the main page via hyperlinks and do not require any affirmative action.  Instead, visitors signal their acceptance of the ToS by using the website.  Both types derive their names from “shrink-wrap agreements,” which were the extremely long, fine print ToS’s that appeared under the plastic wraps of prepackaged software.  Browsewraps, in particular, have fallen under heavy scrutiny in recent years.

In re Zappos.com, Inc., Customer Data Security Breach Litigation

In January 2012, Zappos.com suffered a security breach through which hackers obtained customers’ names and addresses, though not their financial information. Several plaintiffs independently filed suit against Zappos.com, alleging that the company failed to protect their valuable information.  The cases were consolidated in the District of Nevada where Zappos.com was headquartered.  Shortly thereafter, the company filed a motion to compel arbitration because, it argued, the ToS on its website had a clause that required all disputes to be “submitted to confidential arbitration in Las Vegas, Nevada.”

The clause appeared as part of a browsewrap agreement that customers were not required to affirmatively “accept.”  In fact, the company placed the “Terms of Use” hyperlink in left-hand column towards the bottom of its website, which, if you were to print it, would appear on page three of four. The District of Nevada Court concluded that plaintiffs never viewed, “let alone manifested assent to,” the Zappos.com’s ToS. The court pointed out that “[n]o reasonable user would have reason to click on the Terms of Use,” as the company never directs the user to review it, and “[a] party cannot assent to terms of which it has no knowledge or constructive notice.”

Thus, in October 2012 the court held that the arbitration provision contained therein was unenforceable, noting that “the advent of the Internet has not changed the basic requirements of a contract, and there is no agreement where there is no acceptance, no meeting of the minds, and no manifestation of assent.”  Indeed, the court found that a “highly inconspicuous hyperlink buried among a sea of links” does not provide the customer with adequate notice.  Without acceptance and a manifestation of assent, “no contract exists” and plaintiffs cannot be compelled to arbitrate.

Nguyen v. Barnes & Noble, Inc.

Similarly, in August 2014 the Ninth Circuit held that Barnes & Noble failed to provide adequate notice of its 2011 Terms of Use and, therefore, the plaintiff was not bound by the arbitration provision.  Nguyen filed a class action suit after the company canceled his order for two tablets because of “unexpectedly high demand.”  Barnes & Noble presented the ToS to its customers as a browsewrap agreement, which appeared on the bottom left-hand corner of every screen and did not require the customers to affirmatively accept.

The court explained that the central issue in cases with browsewrap agreements is whether users received actual or constructive noticed of the ToS.  Here, there was no evidence that the user had any actual knowledge of the agreement, let alone the arbitration clause. The validity of the agreement, then, turns on whether the website puts a “reasonably prudent user on inquiry notice of the terms of the contract.” The court considered the placement of the link, notices to users of the terms, and the layout of the website. Ultimately, the court held that “the proximity or conspicuousness of the hyperlink alone” is insufficient to give rise to constructive notice.  And because Nguyen did not receive adequate notice of the terms of the contract, the court held that he could not be bound by the arbitration provision therein.

Transparency

On the other side of the equation, some tech start-ups are working to make ToS agreements more transparent for consumers.  Terms of Service; Didn’t Read is one such project, aiming to fix “the biggest lie on the web: almost no one really reads the terms of service we agree to all the time.”  Indeed, this was confirmed by a 2008 study by Carnegie Mellon professors, which found that the average internet user encounters almost 1,500 privacy policies a year, most of them exceeding 2,500 words. With few people willing to spend time reviewing each and every ToS that comes their way, Terms of Service; Didn’t Read intends to fill that gap. The organization has generated a peer-review process to rate various companies’ ToS policies from “Class A,” signaling it is among the best, through “Class E,” warning that it is very troubling for consumers.

As courts such as the Ninth Circuit invalidate arbitration clauses in browsewrap ToS agreements, the pressure will be on companies to adapt their agreements so that courts will enforce them. Companies may well have a better chance with clickwraps.

Tagged , , , , Leave a comment

Virtual Marriage Equality: Nintendo’s Tomodachi Life is Behind the Times

“A celebrity might fall in love with your math teacher,” but, in Nintendo’s new Sims-like game, your characters cannot be gay.  In June 2014, Nintendo released Tomodachi Life, a 3DS social simulation game through which players import their avatars, or “Miis,” into what one game critic called a “digital dollhouse.” There, players can customize Mii characters for any person they wish – friends, family, or celebrities – and then watch as they all interact.  Despite what appears to be a game with limitless social opportunities, the Miis are only permitted to marry members of the opposite sex.

Tomodachi Life was first released in Japan in April 2013 where it received positive reviews and developed a strong following.  Nintendo set June 2014 as the release date for the U.S. market.  Just weeks before, U.S. fans started the Miiquality campaign to put pressure on Nintendo to create a gay marriage option in the game.  Tye Marini, the founder of the campaign, wanted to “be able to marry [his] real-life fiancé’s Mii,” but the game would not allow it. Marini went on to explain that his options were to “marry some female Mii, to change the gender of either [his] Mii or [his] fiancé’s Mii (and other male Miis) or to completely avoid marriage altogether and miss out on the exclusive content that comes with it.”  The timing of the campaign coincided with the 10-year anniversary of marriage equality in the U.S.

In response, Nintendo released the following statement: “We hope that all of our fans will see that ‘Tomodachi Life’ was intended to be a whimsical and quirky game, and that we were absolutely not trying to provide social commentary.”  The company later revised its comment, explaining that it was too late to revise the game and pledging to “strive to design a gameplay experience from the ground up that is more inclusive, and better represents all players.”  Despite the initial negative publicity, Tomodachi Life went on to receive positive reviews.

Nintendo’s failure to make the requested changes has left members of the LGBT community feeling excluded. And, as GLAAD national spokesperson Wilson Cruz told GamesBeat, Nintendo is signaling that it is “way behind the times.”  Cruz explained that it has “been over a decade since The Sims — the original ‘whimsical and quirky’ life simulator — allowed its users to marry any character they wanted, and many other mainstream and massively popular video games have followed their lead since.”  GLAAD urged Nintendo to do the same.

Civil rights issues in video games are not often litigated because the Supreme Court has held that video games qualify as protected expression under the First Amendment.  In 2011 in Brown v. Entertainment Merchants Association, the Court issued a 7-2 decision striking down a California law that prohibited the sale or rental of violent video games to minors.  The Court reasoned that “[l]ike the protected books, plays, and movies that preceded them,” video games communicate ideas, and that “suffices to confer First Amendment protection.”  The video game and entertainment industries applauded the decision which, in the words of the Entertainment Merchants Association’s CEO, “declared forcefully that content-based restrictions on games are unconstitutional; and that parents, not government bureaucrats, have the right to decide what is appropriate for their children.”

Ten years prior, Judge Posner of the Seventh Circuit made a similar comparison in American Amusement Machine Ass’n v. Kendrick: “Maybe video games are different. They are, after all, interactive. But this point is superficial, in fact erroneous. All literature . . . is interactive; the better it is, the more interactive.”  Judge Posner added, “Literature when it is successful draws the reader into the story, makes him identify with the characters, invites him to judge them and quarrel with them, to experience their joys and sufferings as the reader’s own.”  In that case, the Seventh Circuit held that there was insufficient evidence that exposure to violent video games actually caused harmful behavior and that young people had First Amendment rights to play these games.  These passages are frequently cited to argue that video games are no more threatening than other media forms.

Against this backdrop, civil rights groups would be hard-pressed to litigate issues of in-game marriage equality in U.S. courts.  It seems that the best strategy might be for activist organizations like GLAAD to provide support to campaigns such as Miiquality, which aim to mobilize what the game companies need most – players.

Tagged , , , Leave a comment

Agmen sues Sandoz over biosimilar application

On October 24, 2014, Amgen filed a complaint against Sandoz, the generic arm of Novartis Group, asserting three causes of action: 1) unfair competition under Cal. Bus. & Prof. Code § 17299 et seq.; 2) conversion; and 3) patent infringement. Amgen filed the complaint in response to Sandoz’s July 2014 application for a biosimilar that mirrors Amgen’s Neupogen (filgrastim, a drug used to reduce incidence of infection in patients receiving myelosuppressive anticancer drugs), which Sandoz will market under the brand name Zarzio. Sandoz’s Biologics License Application (BLA) was a milestone as it was the first accepted by the U.S. Food and Drug Administration (FDA) under the Biologics Price Competition and Innovation Act (BPCIA).

A biosimilar is biopharmaceutical that is “highly similar” to an FDA-licensed biological product—a medicine made from biological sources (living organisms). While some minor differences in active components may exist, biosimilars are functionally the same as their reference products. Biosimilars are often compared to generic drugs, which replicate traditional, small-molecule prescription drugs made through chemical processes. But biosimilars instead mirror biological products, and cannot be substituted for their reference product until they are deemed “interchangeable” (produce the same clinical results).

The Biologics Price Competition and Innovation Act (BPCIA) created an abbreviated licensing pathway for biosimilars. The BPCIA was signed into law on March 23, 2010 as part of the Affordable Care Act to facilitate affordable access to biological products. Biologics are expensive to produce and consequently cost 20 times more on average than chemical drugs. By allowing biosimilar producers to piggyback the original inventor’s extensive clinical trials required to prove the product is safe, pure, and potent, the BPCIA will reduce market barriers for companies creating biosimilars, thereby sparking industry growth and price reductions. Biosimilars will be sold at an estimated 30% discount.

Under the BPCIA patent litigation framework, the creator of a biosimilar first files a BLA with the FDA, prompting the maker of the reference product to bring an action against the applicant for infringement. Pursuant to 42 U.S.C. § 262, the applicant must provide its BLA to the reference product sponsor before the action commences, who in turn provides the applicant with a list of patents for which it believes a claim of infringement can be brought. The applicant and the innovator must then engage in “good faith negotiations” to agree upon which patents will be litigated before patent infringement claims can be brought.

After filing its July 2014 application, Sandoz was required by § 262 to submit a copy of its BLA and other relevant manufacturing information to Amgen within 20 days. Sandoz instead proposed an alternative method for exchanging information, which Amgen rejected. Nevertheless, Sandoz still refused to follow the statutory requirement. Amgen’s complaint alleges that “Defendants’ failure to provide their BLA and manufacturing information was an attempt to prevent Amgen from learning the details of their process(es) for manufacture, to avoid patent infringement litigation on any manufacturing patents, and to avoid the patent exchanges required by the statute; and instead to go directly to litigation.”

Amgen’s complaint requested an injunction preventing Sandoz from commercially marketing Zarzio until Amgen is “restored to the position they would have been had Defendants met their obligations under BPCIA” by providing the required application and manufacturing information. Significantly, the complaint asked that the court prevent Sandoz from providing initial notice of its commercial marketing until on or after FDA licensure, which would delay the launch of Zarzio by six months. In addition Amgen requested an injunction suspending FDA review of Sandoz’s application until it receives permission from Amgen to use the Neupogen license and a court judgment that Sandoz committed patent infringement by submitting its application to the FDA for approval without providing the required application information to Amgen.

The court’s interpretation of the statutory requirements will set the stage for future biosimilar applications. Such statutory interpretation will undoubtedly create further controversy as more companies begin filing biosimilar applications, and has already proven critical to the approval process in other patent disputes under the BPCIA even in its infancy.

Another key concern of the patent framework regards the process by which biosimilar developers can seek adjudication of patent resolution early in the product development phase. Because of the substantial upfront costs of developing and testing biosimilars, companies face a serious disincentive if they cannot adjudicate their legal rights to release the product until it is ready to be submitted for approval—a disincentive that seems to undermine the BPCIA’s goal of relaxing biologics market barriers to entry.

The District Court of Northern California was the first to interpret the BPCIA when it addressed this question in another dispute between Sandoz and Amgen. In June 2013, Sandoz filed a complaint against Amgen seeking declaratory judgment that two of Amgen’s patents on Enbrel (etanercept) were invalid. Sandoz claimed that it had timed the release of its biosimilar to coincide with the expiration of Amgen’s other patents, and that the patents in dispute would cause significant delay in the release of Sandoz’s product. The court granted Amgen’s motion for dismissal, concluding that it did not have subject matter jurisdiction because Sandoz had not yet filed an application with the FDA, as required by § 262. The court also found that Sandoz had not presented a “real and immediate injury or threat of future injury” because the Amgen had not yet indicated any intent to sue.

Sandoz appealed the judgment in December 13, 2013, but if affirmed, it will limit the scope of actions allowed by biosimilar developers. Resolution of this appeal will thus likely play a crucial role in the future of early stage biosimilar patent litigation.

Tagged , , Leave a comment

Klinger v. Conan Doyle Estate LTD. Extent and duration of copyright protection for fictional characters? Attorney Fees? Not so elementary

The character of Sherlock Holmes seems to remain popular more than a 120 years after its initial publication. Over the last few years we have witnessed a modern day Sherlock Holmes in the critically acclaimed BBC series Sherlock and a new take on the old Holmes in two Sherlock Holmes movies with Robert Downy Jr.

The first Sherlock Holmes story was published by Arthur Conan Doyle in 1887. The last story was published in 1927. The entire body of work consists of 56 stories and four novels. 10 of these stories were published between 1923 and 1927. Due to statutory extensions of copyright protection, the copyright protection on these 10 final stories will expire between the years 2018 to 2022.

Leslie S. Klinger is, among other things, a literary editor, specializing in Dracula and Sherlock Holmes. Klinger co-edited an anthology called A Study in Sherlock: Stories Inspired by the Sherlock Holmes Cannon. The anthology consisted of stories written by modern authors who were inspired by the characters of Sherlock Holmes and Doctor Watson. Klinger did not think he needed a license to publish the anthology, as most of the copyrights in the stories had expired. However, the estate of Arthur Conan Doyle, the owner of the copyrights, told Klinger’s publisher that it would have to pay the estate $5,000 for a license. The publisher decided to pay in order to obtain a license and the book was published.

Klinger and his co-editor decided to create a sequel to the first book to be called In the Company of Sherlock Holmes, this time with a different publisher. The estate again approached the publisher and told them they would have to obtain a license in order to be legally authorized to publish the new book. Although the estate did not explicitly threaten to sue for copyright infringement, it did threaten to prevent distribution of the book. As with the previous book, the publisher “yielded to the threat” and refused to publish the book “unless and until” Klinger obtained the proper license.

As the Court put it, “Instead of obtaining a license, Klinger sued the estate, seeking a declaratory judgment that he is free to use the material in the 50 Sherlock Holmes stories and novels that are no longer under copyright, though he may use nothing in the 10 stories still under copyright that has sufficient originality to be copyrightable.”

The estate’s main argument was that copyright on “complex” characters, whose complexity is not revealed until a later story, remains under copyright until the later story falls into the public domain. The fact that early stories featuring Sherlock Holmes and Doctor Watson are already in the public domain, does not permit their less than fully developed “complexified” characters in the early stories to be copied even though the stories themselves are in the public domain.

The issue of copyright protection of characters, separately from the works in which they appear, has been addressed in numerous court rulings in the past. One of the landmark cases dealt with a slightly less popular detective: Sam Spade. The Ninth Circuit in Warner Bros. Pictures v. Columbia Broadcasting Systems discussed the protection of characters and ruled that a character would only be protected if it constitutes “the story being told.” A later case, dealing with graphic characters, seemed to apply a different standard for protection of graphic characters, as they are distinguishable from literary characters (Walt Disney Productions v. Air Pirates). This is, however, not the issue of this ruling. It appears that both sides (and the Court) agree that the characters of Sherlock Holmes and Doctor Watson are original and distinguished enough to warrant copyright protection. The question is, can later development of a character “extend” the copyright protection for works featuring the same character that is already in the public domain?  The seventh Circuit’s answer is clear – no.

In the opinion of the Court, decided on June 16, 2014 and delivered by Judge Posner, the Court found “no basis in the statute or case law for extending a copyright beyond its expiration.” The Court cited an earlier case, Silverman v. CBS Inc., which raised a similar question. The fictional characters of Amos and Andy appeared in copyrighted radio scripts. The characters continued to appear in subsequent scripts, while the early scripts fell into the public domain. The Second Circuit ruled that copyright can only secure protection for incremental additions of originality. Interestingly, the Seventh Circuit does not mention an almost identical case, from the District Court in New York, Pannonia Farms, Inc. v. USA Cable (The District Court’s ruling in Klinger does cite the Pannonia ruling). In Pannonia, the plaintiff, claiming to be the owner of the copyright in Arthur Conan Doyle’s works, sued a basic cable network for displaying a movie featuring the characters of Holmes and Watson. The District Court cited the Silverman ruling and concluded that there was no copyright infringement.

The estate argued that denying an extension of the copyright would discourage creativity. An author may require a long time in order to “perfect a character or other expressive element that first appeared in his early work.” The loss of copyright may discourage him from trying to improve the character. The Court replied that this is a “double edged sword,” meaning this extension would shrink the public domain and not enable future creators to prepare derivative works. Furthermore, allowing this extension would encourage creators to keep writing stories with the same characters, instead of creating new ones.

The estate argued that the Court needs to distinguish between “flat” and “round” fictional characters. “Flat” characters are those completely described in the first works in which they appear. They do not evolve. The estate claims that Holmes and Watson are “round” characters, since they were not fully evolved and “rounded” until the last story written by Doyle. The Seventh Circuit rejects this argument and points out that this distinction has nothing to do with copyright law. The additional features of the characters, presented in the later stories, may be protected by copyright as long as they are “original” enough to warrant such protection.

The Seventh Circuit ends its ruling by reaffirming the notion that “perpetual or at least nearly perpetual copyrights would violate the copyright clause of the Constitution, Art. I, §8, cl. 8, which authorizes copyright protection only for ‘limited times’.”

In a later decision, the Seventh Circuit awarded Klinger with attorney’s fees. 17 U.S.C. § 505 authorizes the award of reasonable attorney fees to a prevailing party. The Court found that Klinger had to spend money on the appeal process, in which the other party had only a “frivolous” defense. The Court criticized the actions of the estate, going as far as to call them “a form of extortion”. The Court further noted that some of the estate’s actions, mainly asking Amazon and other booksellers to cooperate in enforcing “non-existing” copyrights claims against Klinger, may even be considered a violation of antitrust law.

On September 15, 2014, the Estate filed a writ of certiorari to the Supreme Court. In its petition, the estate argued that the Courts, both the District Court and the Seventh Circuit, erred by not demanding Klinger to present a concrete work, as the anthology was still in the making. There was no writing before the Court, which could be compared to the copyrighted works in order to determine if there is an infringement. This seemed to contradict the Courts’ general approach to reject rulings on “advisory” disputes. Also, the estate argued that the Seventh Circuit ruling presents a circuit conflict as to the proper test to apply for an evolving character. The estate mainly cites the Eighth Circuit decision in Warner Brothers Entertainment Inc. v. X One X Productions, which dealt with characters from films featured on movie posters and postcards. The posters and postcards were in the public domain. A film memorabilia company produced several products featuring the characters, based on the posters and postcards and their depiction in the movies (for example, a picture of Dorothy from the Wizard of Oz, with the phrase “there’s no place like home,” taken from the movie). The Eighth Circuit ruled that the entire character was not “thrust” into the public domain, because the poster and postcards did not “anticipate the full range of distinct speech, movement and other personality traits that combine to establish a copyrightable character.” 

The estate’s writ of certiorari to the Supreme Court was denied on November 3, 2014. The Seventh Circuit’s firm language in criticizing the estate business model and willingness to issue a declaratory judgment without examining a concrete work seemed to send a strong message both for the protection of the public domain and its exploitation by future creators and both to “copyright trolls,” who try to aggressively seek licensing fees, even when the claim for existing copyright protection is doubtful, at best.

 

Tagged , , , Leave a comment