Company Seeks To Regain Stolen Domain Names Using CFAA

Written by Keenan W.  Ng

An interesting Computer Fraud and Abuse Act case was recently filed in Virginia.  In AcmeBilling Company v. John Doe, Plaintiff, Acme, who maintains numerous websites hosted by GoDaddy, alleges cyber criminals in China stole its domain names.  These cyber criminals stole the domain names by gaining unauthorized access to Acme’s domain management account and altering the domain registration records for accounts owned and used by Acme.  While Acme was able to recover some of its domain names by working with GoDaddy, GoDaddy unfortunately informed Acme the Chinese domain name registrar who had 14 of their domain names refused to return the websites.

Because Internet domain names are valuable, they are becoming increasingly susceptible to theft.  Generally, a cyber criminal will find a way into a domain management account and transfer the domain name from its existing domain name registrar, such as GoDaddy, to another domain name registrar. In Acme’s case, its domain names were transferred to eName Technology Co., Ltd, based in China.  Because the website is now hosted on another domain registrar, the victim’s registrar is often helpless to do anything if the transferee registrar refuses to comply.

The victims of this sort of crime are often individuals and small businesses and lack the time or resources to track down the perpetrators and fight to get their domain names back.  The problem is further complicated by the fact that domain names are not considered “property” by many states and thus no cause of action can often be claimed.  Thankfully, California, domain names are recognized as property.

The Acme case is interesting because it is one of the first times I can recall framing stolen domain names as CFAA violations.  In its complaint, Acme pleads CFAA violations under three theories, 18 USC §§1030(a)(2)(C), (a)(4), and (a)(5)(C).

On the surface, this seems like a pretty straightforward CFAA claim.  The protected computers in question here are the GoDaddy servers that hosted Acme’s websites.  Obviously, the bad actors took control of Acme’s domain names without Acme’s permission so the actions were done without authorization. 

Acme’s efforts to figure out what happened to their websites, including who took them and working with GoDaddy and Acme’s lawyers to get their websites back, easily constitute $5,000 in “loss.”  Alternatively, there is an easy argument that the theft of the websites are also a denial of service and any revenues lost or consequential damages suffered due to loss business because of a downed website can also be contributed to the $5,000 loss requirement.  Similarly, the denial of service would also help satisfy the “damage” requirement of section 1030(a)(5)(C).

However, if the defendants are in China, and it is likely the court will never have jurisdiction over them, so why file the lawsuit?  To get a judgment and set a precedent?

The Department of Justice recently faced this situation when it filed charges against Chinese military hackers who hacked into major American corporations.  That indictment seemed more politically symbolic than substantive; it is unlikely the Chinese government will turn over the indicted Chinese citizens.  The DOJ likely filed charges in order to gain leverage in another area of negotiation. 

Geopolitical reasons cannot possibly be the basis for the Acme lawsuit because there is nothing for Acme to gain.  Acme’s posturing gains it nothing because, as far as I can tell, the return of the websites is the goal.  I honestly do not know the endgame here.  Nevertheless, it will be interesting to watch and see if this case blazes a path for other businesses to follow. 

   

Ninth Circuit Opinion Confirms That Websites Should Probably Have Clickwrap Agreements To Bind Their Customers

Written by Keenan W. Ng

Recently, the Ninth Circuit in Nguyen v. Barnes &Noble, Inc. held that “where a website makes its terms of use available via a conspicuous hyperlink on every page of the website but otherwise provides no notice to users nor prompts them to take any affirmative action to demonstrate assent, even close proximity of the hyperlink to relevant buttons users must click on—without more—is insufficient to give rise to constructive notice.”

In 2011, plaintiff purchased two Hewlett-Packard Touchpads from the Barnes & Noble website during a fire sale.  Unfortunately, despite receiving a confirming email of his purchase, plaintiff’s order was cancelled due to high demand.  Plaintiff filed suit alleging he had to purchase another tablet at a higher price.  Defendant argued that plaintiff must arbitrate the matter per the browsewrap terms of use agreement. 

The issue in the case was whether plaintiff was compelled to arbitrate as per the terms of use agreement that was a “browsewrap” agreement found on the Barnes & Noble webpage plaintiff used to purchase the Touchpad. A browsewrap agreement exists where a website’s terms and conditions of use are generally posted on the website via a hyperlink at the bottom of the screen.  (In contrast, a “clickwrap” agreement exists where website users are required to click on an “I agree” box after being presented with a list of terms and conditions of use.)

Plaintiff argued because he did not view the browsewrap agreement, he should not be held to it.  The court noted that browsewrap agreements are enforced where the user has actual notice of the agreement.  Register.com, Inc. v. Verio, Inc., 356 F.3d 393, 401- 404 (2d Cir. 2004).  In situations where the user does not have knowledge of the agreement, the validity of the browsewrap agreement turns on whether the website places a reasonably prudent user on inquiry notice of the terms of the contract.  Specht v. Netscape Commc’ns Corp., 306 F.3d 17, 30-31 (2d Cir. 2002).  Inquiry notice depends on the design and content of the website and the agreement’s webpage.  Be In, Inc. v. Google Inc., No. 12-CV-03373-LHK, 2013 WL5568706, at *6 (N.D. Cal. Oct. 9, 2013).  That the agreement was an arbitration agreement was not relevant to the Court’s analysis.    

Barnes & Noble argued that the placement of the “Terms of Use” hyperlink in the bottom left-hand corner of every page on the Barnes & Noble website, and its close proximity to the buttons a user must click on to complete an online purchase, is enough to place a reasonably prudent user on constructive notice.  The Ninth Circuit stated the placement of the hyperlink was not enough to provide constructive notice, as there exists no authority supporting that position as well as the court’s reluctance to enforce browsewrap agreements against individual consumers.  The Court further noted that failure to read a contract before agreeing to its terms does not relieve a party of its obligations under the contract, Gillman v. Chase Manhattan Bank, N.A., 73 N.Y.2d 1, 11 (1988).  In light of this lack of authority, the Ninth Circuit held the plaintiff had insufficient notice of Barnes & Noble’s Terms of Use, and thus did not enter into an agreement with Barnes & Noble to arbitrate his claims. 

In summary, as a website owner, if you wish to bind your users to your use of terms, we suggest ensuring your users affirmatively acknowledge acceptance of your terms by using a clickwrap agreement.

Congress Readies Itself to Tackle Cybersecurity Legislation

Written by Keenan W. Ng

With Congress coming back from its summer recess, it will be focusing on a few cybersecurity related bills.  One of the most controversial of these bills is the Cybersecurity Information Sharing Act of 2014 (“the Act”), introduced by Senator Dianne Feinstein (D-CA) and Senator Saxby Chambliss (R-GA) for the fourth consecutive year.  The Act is supposed to “improve cybersecurity in the United Sates through enhanced sharing of information about cybersecurity threats, and for other purposes.”  While some of the ideas and the language behind the Act seem reasonable and commonsense, the devil is in the details- or rather, the definitions in the Act- and could have some very interesting implications for individuals and businesses. 

The Act allows for private companies and the Federal government to share information categorized as “cyber threat indicators” and “countermeasures” as they relate to cybersecurity threats and cybersecurity purposes.  Private companies could also share such information with other private companies for the same purposes.  The Act would also allow private companies to monitor their own “information systems,” as well as the information systems of other companies and Federal entities with written consent.       

For companies sharing applicable information with other companies, the Act would provide an antitrust exemption if applicable information is shared for cybersecurity purposes as defined under the Act.  Though to be sure, the Act does not protect any sharing of information that would permit price-fixing, monopolizing, or other conduct that would traditionally violate federal antitrust laws.

The Act also provides companies with protections from liability (1) if a firm monitors information and information systems as consistent with the Act; (2) if a firm shares or receives cyber threat indicators or countermeasures as consistent with the Act; and (3) if a firm believed in good faith that it was actions were permitted under the Act.  

Not surprisingly, many civil liberties organizations such as the American Civil Liberties Union and the Electronic Frontier Foundation have expressed considerable concern with the Act.  In particular, key terms such as “cyber threat indicators,” “countermeasures,” “cybersecurity purpose,” and “cybersecurity threat” are very broadly defined, thus encompassing a vast amount of information that private companies might “voluntarily” provide to Federal agencies.      

Because of the liability protections provided by the Act, however, consumers and those whose information is shared with Federal agencies would have little to no recourse through the courts.  For businesses, however, the Act provides some breathing room – from a legal standpoint – with regard to sharing information.  Whether this elicits a consumer response is an entirely different matter.             

Ninth Circuit Affirms That Yelp! Can Use Hardball Sales Tactics To Sell Advertising To Businesses

Written by Keenan W. Ng

On Tuesday, the Ninth Circuit affirmed a district court ruling in Levitt v. Yelp! Inc. dismissing an action by a group of small businesses that Yelp! extorted, or used extortionate sales tactics, to induce small businesses to purchase advertising with Yelp! in violation of the federal Hobbs Act (civil extortion) and the California Unfair Competition Law.  The plaintiffs generally claimed that Yelp! sales people contacted them about purchasing advertising services in connection with their Yelp! pages.  When the plaintiffs declined to purchase the advertising, the plaintiffs alleged that Yelp! manipulated its service to lead to a downgrade in the businesses ratings.  The plaintiffs alleged that such tactics included removing positive reviews, re-posting negative reviews that had previously been taken down, allowing more negative reviews to appear first, and even authored negative reviews. 

    

Judge Marsha S. Berzon, writing for the Court, found that Yelp!’s tactics, while certainly could be considered “hard-bargaining,” did not amount to civil extortion because “a litigant must demonstrate either that he had a pre-existing right to be free from the threatened harm, or that the defendant had no right to seek payment for the service offered.”  In short, the plaintiffs had to show that Yelp! had no right to manipulate its own ratings algorithms to plaintiff’s detriment or that Yelp! had no right to seek payment for its advertising services. 

The Court stated that the businesses had no pre-existing right to be on Yelp! or to have positive reviews.  Moreover, because the website and review service belongs to Yelp!, it has not obligation to provide all, or even any, reviews of the businesses as “Yelp [would be] withholding a benefit that Yelp makes possible and maintains.”  In short, the review service that Yelp! provides is its own service; it can do what it wants with it, even manipulate the review process.  Asking businesses to pay Yelp! for more favorable treatment is not extortion because Yelp! had a right to control its own processes. 

With respect to the allegation that Yelp! purposefully authored negative reviews, the Court found that the plaintiffs were unable to point to any evidence suggesting that Yelp! engaged in those practices as the posts a generally anonymous due to the use of screen names. 

What does this opinion mean?  It means that Yelp! is a business and the fact that it is on the Internet changes nothing.  While many see the Internet as a public good, the services that are provided on the Internet most certainly are not.  You are not entitled to use Yelp! or any other online service and that can be swiftly taken away because you are always using those products under their terms.    

With that in mind, businesses should be wary about their actions on the Internet and to be cautious about the level of trust they place in Internet companies.  In addition to being cognizant of a product’s terms of service think about ways that use of the service could go awry.  The Internet feels like a public domain, but it is full of for-profit businesses, just like the real world and you should be as wary of a for-profit website as you would be of a brick-and-mortar business.

Ninth Circuit Finds That FedEx Drivers Are Employees and Not Independent Contractors

Written by Keenan W. Ng

An interesting opinion in Alexander v. FedEx came out of the Ninth Circuit on Wednesday holding that FedEx drivers and delivery people were improperly classified as independent contractors instead of employees because of the level of control that FedEx maintains over those drivers.  I find the opinion “interesting” because I never would have thought the people driving in the FedEx branded trucks, FedEx branded uniforms, using FedEx technology, delivering packages to FedEx customers in areas designated by FedEx, on FedEx’s schedule, would have been classified as anything other than an employee.

In the case, FedEx’s counsel argued that its drivers were properly classified as independent contractors because of the entrepreneurial opportunities their drivers had as FedEx workers, pointing to the fact that the drivers could hire third parties – so long as they were approved by FedEx – and that FedEx classified them as independent contractors.  Essentially, FedEx argues that its drivers are independent contractors under the law because FedEx classifies them as such.  

Writing for the majority, Judge Fletched dismantled FedEx’s arguments, holding that under the California right-to-control test, the contract between FedEx and the drivers grants FedEx a broad right to control the manner in which drivers’ perform their work.  This is the most important factor in the right-to-control test.  See S.G. Borello & Sons, Inc. v. Department of Industrial Relations, 769 P.2d 399, 404 (Cal.1989).  The court noted that FedEx controls virtually every aspect of the drivers’ job: including uniform, grooming habits, appearance of their truck, the specifications of the truck, who the drivers can hire, “suggests” routes for the drivers to take, generally dictates their schedules, trains their drivers, as well as a variety of other matters.  To the court, this misclassification did not even appear close.

It is not a long read, so I highly recommend it.  And, for those who have a habit of misquoting law, and presenting evidence out of context, I highly recommend you read the first few paragraphs of the concurrence.

Federal Judge Rules Against NCAA In Antitrust Lawsuit

Written by Wendy L. Hillger and Keenan W. Ng

It has been a little over a week since U.S. District Judge Claudia Wilken of the Northern District of California issued her August 8, 2014 landmark ruling against the National Collegiate Athletic Association (“NCAA”) in O’Bannon v. NCAA.  While it is too early to know the ramifications of the ruling (the NCAA has already stated it will appeal), the opinion has roundly been seen as favorable for collegiate athletes.

How The Challenge Started
The road to get to this ruling did not start with the lead plaintiff, former UCLA basketball star, Ed O’Bannon, simply filing suit.  Rather, Mr. O’Bannon stood on the accomplishments of an evolution in public opinion and challenges that chipped away at the NCAA’s “defense of amateurism”.  

The challenge to NCAA’s reign was, in part, started by the very man who helped commercialize college sports, Sonny Vaccaro.  After spending decades building endorsement relationships between shoe companies such as Nike, Adidas, and Reebok, with universities all over the country, Mr. Vaccaro eventually soured on what he saw as colleges taking advantage of athletes. While universities and the NCAA were making money hand-over-fist from merchandising, television rights, and other endorsement deals, they were withholding those revenues from the athletes (called “student-athletes” by the NCAA for the purposes of avoiding paying workers compensation insurance), suggesting that these athletes were playing as students and amateurs, not professionals, and thus not entitled to that money.

In 2001, in front of the Knight Commission on Intercollegiate Athletics, Mr. Vaccaro addressed a panel of his detractors, many of them administrators of universities:

          “Why,” asked Bryce Jordan, the president emeritus of Penn State, 
          “should a university be an advertising medium for your industry?”

          Vaccaro did not blink. “They shouldn’t, sir,” he replied. “You sold your 
          souls, and you’re going to continue selling them. You can be very moral 
          and righteous in asking me that question, sir,” Vaccaro added with 
          irrepressible good cheer, “but there’s not one of you in this room that’s 
          going to turn down any of our money. You’re going to take it. I can only 
          offer it.”

That quote came from a seminal 2011 article in the Atlantic that broke open the public’s opinion about the NCAA’s “amateurism” model and questions began to follow.  

Since then, doubts and direct challenges began to mount against the NCAA.  Earlier this year, football players at Northwestern University won the right to vote to form a union.  National Labor Relations Board Region 13 director, Peter Sung Ohr, issued an opinion stating that the football players were “employees” of Northwestern.

In March 2014, sports labor attorney Jeffrey Kessler filed a lawsuit against the NCAA and five conferences arguing that the practice of limiting athlete compensation to simply tuition, room, board, and books is below what they might normally be able to get if universities were not restricted by NCAA rules.  Calling the NCAA and the conferences a “cartel” the lawsuit does not seek damages, only asking for a permanent injunction ending the practice.

Feeling the heat, the NCAA has proposed common-sense changes to help ease its public relations problem. In April 2014, the NCAA proposed allowing athletes unlimited food provided by their university.  Soon, athletes will not get in trouble for eating too much pasta at their graduation banquets.

On the eve of Judge Wilken’s opinion, the NCAA issued new rules allowing greater flexibility for the “power conferences” – the Pac 12, SEC, Big 12, Big Ten, and ACC – within 11 “areas of autonomy.”

O’Bannon v. NCAA
The centerpiece to the challenge of the NCAA has been O’Bannon v. NCAA.  In 2009, Mr. O'Bannon and 19 other putative class members filed a class action lawsuit against the NCAA.  The O'Bannon lawsuit sought a share of the money received from the NCAA as a result of the usage of the college athletes' names, images and likenesses ("NIL").  This includes broadcasting the games on television, jersey sales and licensing for videogames.  The lawsuit sought treble damages, disgorgement of profits for the NCAA's use and sale of the class members' images, declaratory relief and an injunction against future misuse, among other remedies.

During a 3-week trial in June 2014, former players testified that due to rigorous practice and playing schedules they have no time to participate in school above the minimum necessary to maintain eligibility to play.  The NCAA argued the restrictions on athlete compensation were necessary for four reasons: to preserve its tradition of amateurism, maintain competitive balance among small and power conference teams, promote the integration of academics and athletics, and increase the total output.    

Judge Wilken rejected these claims, and in her 99 page decision, ruled that the NCAA violated federal antitrust laws by colluding with its member schools to restrain the schools’ ability to compensate their football and basketball athletes for more than the NCAA’s rules currently allow for.  This includes restrictions against giving student-athletes a share of the revenues earned when their NIL were used.

The Court ruled that each player whose NIL is used shall receive not less than $5,000, per year they compete.  This money will go into a trust until the player leaves school.  In addition, each school may also now pay the full cost for an athlete to attend that school, if it wants to.  The NCAA currently prohibits student athletes from receiving any compensation beyond scholarships covering their tuition, fees, room and board, and books.  This restriction lead to players being "paid" (allegedly) by school boosters in order to have spending money, as the players did not have time to work part-time jobs for money and many came from families unable to financially contribute much.

Beyond O’Bannon
Judge Wilken’s ruling strikes at the heart of the NCAA’s amateurism argument that has allowed the organization and its member schools to profit for so long.  Given the number of suits and actions currently being taken against the NCAA, as well as the access to media that many people, such as a current and former athletes now have, the current existence of college sports may be very different five or ten years from now.  Athletes who attend universities could now be monetarily compensated for their work on behalf of their schools; medical benefits could extend to athletes beyond their playing days; athletes could be eligible for workers compensation like any other university employee; and schools could guarantee scholarships to athletes until they graduate regardless of injury or on-field performance.  If the Northwestern labor opinion holds up, it will allow athletes to organize for even greater benefits and treatment.  The Wilken opinion is not the final word in this extraordinary saga – indeed, both parties will appeal it.  But, it certainly lays down the gauntlet and blazes a path for future athletes to follow.

S.D.N.Y. Affirms Order To Microsoft To Hand Over Data Stored Overseas Pursuant To A Stored Communications Act Warrant

Written by Keenan W. Ng

On Thursday, July 31, 2014, Microsoft lost a challenge to an April 25, 2014 order denying its motion to quash a subpoena issued by the federal government pursuant to the Stored Communications Act (“SCA”) for email communications located on Microsoft servers in the Ireland.  Issuing her ruling from the bench, U.S. District Judge Loretta Preska stated that “Congress intended in this statute for ISPs to produce information under their control, albeit stored abroad, to law enforcement in the United States … As [Magistrate Judge James Francis IV] found, it is a question of control, not a question of the location of that information.”

Luckily for Microsoft, Judge Preska stayed the implementation of her ruling so that Microsoft could appeal to the Second Circuit.  While we wait for that to occur, it might be worthwhile to go back and examine what Judge Francis’ April 25, 2014 Order said.

The April 25, 2014 Order Denying Microsoft’s Motion to Quash
          Background
On December 4, 2013, Judge Francis issued a warrant pursuant to section 2703(a) of the SCA.  The SCA authorizes the search and seizure of information associated with a specific web based e-mail account.

In response to this warrant, Microsoft’s Global Criminal Compliance (“GCC”) team took action.  When the GCC receives a warrant, it determines where the data for the account target is stored.  The GCC can retrieve this information remotely no matter where the data is located.  

Microsoft stores emails sent and received by its users in its datacenters, stored at various locations in the United States and abroad.  Because of “network latency” (the concept that the closer the user is to where their data is stored, the more quickly the user can access that data) where a user’s information is stored is based upon the “country code” the user enters at registration.

Upon review of the court’s December 4 warrant, the GCC determined that some information associated with the target account was located in Ireland.  Because this information was stored outside of the United States, Microsoft filed a motion to quash, arguing that federal courts do not have authority to issue warrants for the search and seizure of property outside the United States.

In reviewing Microsoft’s motion, the court considered whether United States law enforcement agents could obtain digital information from Microsoft that is stored abroad.  After analyzing (1) the statutory language of the SCA; (2) the structure of the SCA; and (3) the legislative history of the SCA, the court denied Microsoft’s motion.  

          Statutory Language
The relevant part of the SCA states:

A governmental entity may require the disclosure by a provider of
electronic communication service of the contents of a wire or electronic communication, that is in electronic storage in an electronic communications system for one hundred and eighty days or less, only pursuant to a warrant
issued using the procedures described in the Federal Rules of Criminal
Procedure … by a court of competent jurisdiction. (Emphasis added.)

The key ambiguous language of this statute are the words “using the procedures described in the Federal Rules of Criminal Procedure,” referring to Fed. R. Crim. P. 41.  Microsoft argued that all aspects of Rule 41 are incorporated by reference into the SCA, including limitations on the territorial reach of SCA warrants.  The court did not believe this interpretation was so clean cut, suggesting that while procedural aspects of the application process are to be drawn from Rule 41, more substantive rules were derived from other sources.  As such, the court found that statutory language was not helpful to its analysis.

          Structure of the SCA
The court next looked at the structure of the SCA.  Through the SCA, Congress placed limitations on a service providers’ ability to disclose information.  This not only addressed the fact that there were no constitutional limits on an ISP’s disclosure of its customer’s data (thus typing up a loophole in the Fourth Amendment), but also created a higher standard of showing for the government to obtain the information as a subpoena, as opposed to a warrant, does not require a showing of probable cause.

Curiously, a warrant issued pursuant to the SCA is a hybrid warrant-subpoena: it is obtained like a search warrant upon a showing of probable cause, however it is executed like a subpoena in that it is served on the ISP but does not involve government agents entering the premises of the service provider to search its servers and seize the target e-mails.

Because the warrant’s execution, the court found that the principles of extraterritoriality did not apply to SCA warrant which should be treated like subpoena.  In particular, the court noted that a subpoena required the recipient to produce information in its possession, custody, or control regardless of where that information is located in the United States or not.  As such, Microsoft was required to produce the data stored in Ireland because the information was in their control.

In addition, the court cited Professor Orin S. Kerr, who stated that in the context of digital information, a “search” occurs when the information is viewed on a computer screen as opposed to when it is copied to a hard drive or processed by computer.  In the instance of an SCA warrant, the federal agents’ “search” of Microsoft emails would take place in the United States, and therefore no extraterritorial search would occur.

          Legislative History
With respect to (“scant”) legislative history, the court determined that “Congress anticipated that an ISP located in the United States would be obligated to respond to a warrant issued pursuant to section 2703(a) by producing information within its control, regardless of where that information was stored.”  This further supported the proposition that Microsoft could not avoid producing information stored internationally.

          Practical Considerations
In addition, the court also reviewed a few practical considerations for why territorial restrictions on conventional warrants should not apply to SCA warrants.  First, because an ISP is not obligated to verify the information provided by its users, a party intending to engage in criminal activity could simply state to his internet service provider that he is a resident outside of the United States and then evade an SCA warrant.

Second, if an SCA warrant were treated like a conventional search warrant, it would have to be executed abroad pursuant only to the Mutual Legal Assistance Treaty (“MLAT”).  However, given that the MLAT does not apply to countries that are not part of the treaty, and that for member countries, adherence to the MLAT is optional, reliance on the MLAT to implement the SCA could prove burdensome.

In light of the above factors, the court denied Microsoft’s motion to quash and ordered the company to comply with the government’s SCA warrant.

Going Forward
If the Second Circuit affirms Judge Preska’s ruling, it could have troubling effects for technology firms as well as companies that store information on the cloud.  This interpretation of the power of the SCA is a way for the government to circumvent channels that the principles of extraterritoriality previously denied.  In addition, what would such a ruling mean for foreign citizens who use Gmail, Amazon, DropBox, and other such cloud-based applications?  Although not normally subject to an American court’s jurisdiction normally, a foreign person’s data might now be fair game because of an SCA warrant.

Of course, there is an easy way for firms to protect their user’s data in the face of an SCA warrant: client-side encryption.  Because the user has the keys to decrypt their data, it prevents ISPs from handing over usable data with out the permission of the user.  While this may protect foreign users, users in the United States can be compelled to decrypt their data.  In any event, while the S.D.N.Y.’s ruling may conjure troubling implications, practically speaking, it seems that industry has already developed a hack around the SCA to guard against their revealing user data.