
Digital Entertainment, Mobile & Internet Law Year in Review

Thursday, February 25, 2016, 12:30 - 1:30 PM
Lawry’s Restaurant, Beverly Hills, CA

Speakers: Ian Ballon, Greenberg Traurig LLP; Tracey Freed, Freed Law P.C.

1 hour of CLE credit


PROGRAM MATERIALS INDEX

Current State of the Law on Sponsored Link Advertising

Copyright

DMCA Safe Harbors: An Analysis of the Statute and Case Law

Defending Data Privacy Class Action Litigation

Defending Security-Breach Class Action Litigation

CURRENT STATE OF THE LAW ON SPONSORED LINK ADVERTISING

Excerpted from Chapter 9 (Search Engine Marketing, Optimization and Related Indexing, Information Location Tools and Advertising Practices—Unique I.P. Issues) of E-Commerce and Internet Law: A Legal Treatise With Forms, Second Edition, a 4-volume legal treatise by Ian C. Ballon (Thomson/West Publishing 2016)

DIGITAL ENTERTAINMENT, MOBILE AND INTERNET REVIEW ENTERTAINMENT LAW AND SECTION OF THE LOS ANGELES COUNTY BAR ASSOCIATION LAWRY’S RESTAURANT FEBRUARY 25, 2016

Ian C. Ballon Greenberg Traurig, LLP

Los Angeles: 1840 Century Park East, Ste. 1900, Los Angeles, CA 90067, Direct Dial: (310) 586-6575, Direct Fax: (310) 586-0575
Silicon Valley: 1900 University Avenue, 5th Fl., East Palo Alto, CA 94303, Direct Dial: (650) 289-7881, Direct Fax: (650) 462-7881

[email protected] LinkedIn, Twitter, Facebook, Google+: IanBallon

This paper has been excerpted from E-Commerce and Internet Law: Treatise with Forms 2d Edition (Thomson West 2016 Annual Update), a 4-volume legal treatise by Ian C. Ballon, published by West LegalWorks Publishing, 395 Hudson Street, New York, NY 10014, (212) 337-8443, www.ianballon.net.

Ian C. Ballon
Shareholder
Internet, Intellectual Property & Technology Litigation
JD, LLM, CIPP

Admitted: , District of Columbia and Maryland; Second, Third, Fourth, Ninth and Federal Circuits; U.S. Supreme Court

Los Angeles: 1840 Century Park East, Los Angeles, CA 90067, T 310.586.6575, F 310.586.0575
Silicon Valley: 1900 University Avenue, 5th Floor, East Palo Alto, CA 94303, T 650.289.7881, F 650.462.7881
[email protected]
LinkedIn, Twitter, Facebook, Google+: Ian Ballon

Ian Ballon represents entertainment, media and technology companies in intellectual property, internet and mobile-related litigation, including the defense of data privacy, security breach, behavioral advertising and TCPA class action suits. He is also the author of the leading treatise on Internet law, E-Commerce and Internet Law: Treatise with Forms 2d edition, the 4-volume set published by West (www.IanBallon.net). In addition, he is the author of The Complete CAN-SPAM Act Handbook (West 2008) and The Complete State Security Breach Notification Compliance Handbook (West 2009). He also serves as Executive Director of Stanford University Law School’s Center for E-Commerce, which hosts the annual Best Practices Conference where lawyers, scholars and judges are regularly featured and interact.

Mr. Ballon has brought or defended significant and often cutting edge suits involving computer software, the Internet and mobile technology. A list of recent cases may be found at http://www.gtlaw.com/People/Ian-C-Ballon.

Mr. Ballon was named the Lawyer of the Year for Information Technology Law in the 2013 and 2016 editions of Best Lawyers in America. In addition, he was the 2010 recipient of the State Bar of California IP Section’s Vanguard Award for significant contributions to the development of intellectual property law (http://ipsection.calbar.ca.gov/IntellectualPropertyLaw/IPVanguardAwards.aspx). He is listed in Legal 500 U.S., The Best Lawyers in America (in the areas of information technology and intellectual property) and Chambers and Partners USA Guide in the areas of privacy and data security and information technology. He also has been recognized by The Daily Journal as one of the Top 75 IP litigators in California in every year that the list has been published, from 2009 through 2015, and has been listed as a Northern California Super Lawyer every year from 2004 through 2015 and as one of the Top 100 lawyers in California. Mr. Ballon also holds the CIPP/US certificate for the International Association of Privacy Professionals (IAPP).

Chapter 9

Search Engine Marketing, Optimization and Related Indexing, Information Location Tools and Advertising Practices—Unique I.P. Issues

9.01 Information Distribution, Indexing and Retrieval—In General
9.02 Caching
9.02[1] In General
9.02[2] Temporary Caching: Web Browsing
9.02[3] Proxy Caching
9.02[4] Potential Defenses: The DMCA Liability Limitation for System Caching, Fair Use, Implied License and the Sony Safe Harbor
9.02[5] Liability for Unauthorized Caching Under and Unfair Trade Law
9.02[6] Potential Patent Liability for Caching
9.02[7] Caching Agreements
9.02[8] Caching and Child Pornography
9.03 Hypertext Links
9.03[1] Links and Liability for Linking—In General
9.03[2] Linking Compared to Caching
9.03[3] Potential Copyright Liability for Creating Hyperlinks
9.03[3][A] Grounds for Liability
9.03[3][A][i] In general
9.03[3][A][ii] Liability for unwanted links to genuine material on a copyright owner's own site
9.03[3][A][iii] Multiple links
9.03[3][B] General Defenses to Liability, their Limitations and Ways to Negate them: Implied License, Fair Use, De Minimis Infringement and the Sony Safe Harbor
9.03[3][C] DMCA Safe Harbor Liability Limitation for Information Location Tools
9.03[3][D] Extra-Judicial Remedies Available to Copyright Owners under the DMCA
9.03[4] Significance of Web Linking Agreements
9.03[5] Case Study: Shetland Times, Ltd. v. Wills
9.03[6] Linking Liability Under Trademark and Unfair Trade Law
9.03[6][A] In General
9.03[6][B] As Icons and Underlined Text
9.03[6][C] Site Links vs. Content Links
9.03[7] Content Links—Ticketmaster Corp. v. Corp.
9.03[8] Potential Patent Liability for Hypertext Links
9.03[9] State Statutes Restricting Linking
9.03[10] Liability for Refusing to Provide a Link
9.04 Frames and In-line Links
9.04[1] In General
9.04[2] The Washington Post Co. v. TotalNews Inc.
9.04[3] Can the Copyright Act Be Stretched to Cover Frames?
9.04[3][A] Is a Framed Site a Derivative Work?
9.04[3][B] Moral Rights
9.04[3][C] The Potential Applicability of the Digital Millennium Copyright Act
9.05 Using Technology to Block Links and Frames
9.06 Practical Strategies to Minimize Liability for Linking or Framing
9.07 Downloading and Printing
9.08 Bots, Screen Scraping and Content Aggregation
9.08[1] In General
9.08[2] Using Bots to Copy Creative or Expressive Content
9.09 Search Engine Indexing Practices: Links, Snippets, Thumbnail Images and Favicons
9.10 Metatags and Other Hidden Text
9.10[1] In General
9.10[2] The Significance of Metatags and Placement in Response to Search Engine Queries
9.10[3] Metatag Case Law
9.10[3][A] Early Metatag Cases and the Development of the Law
9.10[3][B] Brookfield Communications, Inc. v. West Coast Entertainment Corp.
9.10[3][C] The Current State of the Law on Metatags Under the Lanham Act
9.10[4] Fair Use
9.10[5] Third-Party Liability for Metatags
9.10[6] Practical Steps to Limit Metatag Infringement
9.10[7] Metatags as Evidence of Intent in Non-Trademark Cases
9.11 Keywords, Banner Advertisements and Sponsored Links
9.11[1] In General
9.11[2] Banner Advertisements
9.11[3] Sponsored Links, Pop Up Ads and Search Results and Advertisements on Sales Sites
9.11[4] State Law Claims and Preemption
9.11[5] Checklist
9.12 Blog, Message Board and Chat Room Liability
9.13 Strategies for Dealing with Fan and Consumer Criticism or Gripe Sites, Blogs and Social Network Pages
Appendix 1. Adobe Systems, Inc., Claris Corp. & Traveling Software, Inc., v. Tripod, Inc. and Bo Peabody
Appendix 2. Washington Post et al. v. Total News et al.—Complaint
Appendix 3. Insituform v. National Envirotech Group LLC, et al.—Final Judgment on Consent

KeyCite®: Cases and other legal materials listed in KeyCite Scope can be researched through the KeyCite service on Westlaw®. Use KeyCite to check citations for form, parallel references, prior and later history, and comprehensive citator information, including citations to other decisions and secondary materials.

9.01 Information Distribution, Indexing and Retrieval—In General

The Internet—and in particular the World Wide Web—created new ways for individuals to search for and find information, while at the same time lowering the costs and barriers to entry for “publishers” such that virtually anyone with Internet access and a computer or mobile device can publish and distribute information on their own blogs, wiki, or other and through RSS feeds. The ways in which information is accessed and distributed online—and the tools used by companies and individuals to lure people to their sites or divert them away from other locations—implicate intellectual property law questions, many of which are unique to the Internet. This chapter focuses particular attention on links, frames, metatags, keywords (used for banner ads, sponsored links and other Internet advertising or


9.11 Keywords, Banner Advertisements and Sponsored Links

9.11[1] In General

Paying to have an advertisement delivered to a user who inputs a third party's mark as a keyword or search term may lead to liability or may be a permissible use, depending on the context. Keywords, like domain names and metatags, may be used to drive traffic to (or divert it away from) particular websites. Keywords also may be used by a commercial to direct users to competing brands when they search for a particular item to purchase.

A keyword is a search term. In addition to natural search results (also referred to sometimes as organic search results)—or the lists of links to sites identified in response to a user's query of a search engine database—leading search engines sell advertisements triggered by search terms. Search engines typically sell banner advertisements and sponsored links, which appear on a search results page along with the natural search results. A banner advertisement may incorporate text, graphics, video or sound and is intended to grab a user's attention, so that the user will click on the advertisement and then be taken to another location.1 Banner advertisements typically do not afford much room for disclaimers or explanations. Sponsored links, like natural search results, list various sites responsive to a search request and typically include a link with a few short lines of text that describe each location.

dard and robots.txt files).

[Section 9.11[1]]

1 As explained by the Ninth Circuit, keywords (referred to in the opinion as “keying”) allow advertisers to target individuals with certain interests by linking advertisements to pre-identified terms. To take an innocuous example, a person who searches for a term related to gardening may be a likely customer for a company selling seeds. Thus, a seed company might pay to have its advertisement displayed when searchers enter terms related to gardening. After paying a fee to defendants, that company could have its advertisements appear on the page listing the search results for gardening-related terms: the ad would be “keyed” to gardening-related terms. Playboy Enterprises, Inc. v. Netscape Communications Corp., 354 F.3d 1020, 1022–23 (9th Cir. 2004). The court further explained that “[n]ot all banner ads are keyed. Some advertisers buy space for their banner ads but only pay to have their ads displayed randomly. Such ads cost less because they are un-targeted and are therefore considered less effective.” Id. at 1023 n.1.


Websites featured in sponsored links pay search engines for prominent positioning in response to particular search terms. Sponsored links typically are presented on the top or right margin of a search results page and usually have distinguishing features to identify the links as sponsored, as distinct from natural search results.

A typical search performed on a search engine may yield natural search results—ranked in order based on relevancy, as determined by the particular proprietary algorithms used by a given search engine—as well as sponsored links—which are responsive sites that have paid the search engine to appear in a prominent spot on the first page of a results list—as well as banner advertisements. If a user performs five different searches in a row, chances are the natural search results, sponsored links and banner advertisements displayed in response to each search also will be different because search results and advertisements triggered by key words are dynamically generated based on the particular search terms employed by a user.

Advertisers typically may purchase categories or generic search terms, which incidentally may include trademarked terms, or specific words, terms or phrases, including on some search engines, trademarked terms. Key word purchasers typically also may expressly exclude particular terms (including trademarks) to ensure that advertisements are not displayed if the particular term is used in a search. An excluded term is sometimes referred to as a negative key word.
In general, “[a]n Internet user who runs a Google search for a term that has been purchased as an AdWord will see a ‘Sponsored Link’ to the purchaser's website in a display to the right of the search results.”2 On Google, “Sponsored Links are displayed above or to the right of the organic search results . . . . Those above the organic search results share a yellow rectangular background while those to the right of the organic search results are separated by a blue line.”3 Sponsored links are separated from natural search results in similarly distinctive ways on Bing, Yahoo! and other major search engines. “Unlike a sponsored link, banner advertisements are not displayed as part of a search results list, but instead often occupy the margins of a webpage.”4

2 Southern Grouts & Mortars, Inc. v. 3M Co., 575 F.3d 1235, 1240 (11th Cir. 2009).

3 Rosetta Stone Ltd. v. Google, Inc., 730 F. Supp. 2d 531, 537 (E.D. Va. 2010), aff'd in part, vacated in part, 676 F.3d 144 (4th Cir. 2012). The court explained that:

Under the AdWords Program, Google offers an advertiser the ability to select certain words or phrases (“keywords”) that, combined with the advertisement's quality and the maximum bid price for the advertisement, will trigger a Sponsored Link to the advertiser's chosen website . . . . Advertisers select the keywords from a list of words or phrases generated algorithmically using Google's keyword tools, of which there are three: (1) Keyword Tool; (2) Query Suggestion Tool; and (3) a trademark-specific version of the Query Suggestion Tool . . . . Before the list is displayed to advertisers, however, it is passed through a filter which removes terms that Google entered into the filter as trademarked terms for which Google has received a complaint. . . . Alternatively, advertisers can also select the keywords on their own without relying on the list generated by Google's keyword tools . . . . If the advertisement's quality and bid price are sufficiently high, it qualifies to be shown on Google.com. For example, using the AdWords Program, Company B, a company that sells children's shoes, can cause Google to display its Sponsored Link whenever a Google user conducts a search using the term, “children's shoes.” Company B can also cause its Sponsored Link to appear whenever the user searches for the term “Company A,” Company B's competitor, who also sells children's shoes. Consequently, whenever a Google user wishing to buy children's shoes from Company A conducts a search of the term A (Company A's trademark), a Sponsored Link would appear on the search results page, inviting the user to view children's shoes from Company B, Company A's competitor. If the user clicked on Company B's link, Company B's website would open on the screen and the user might be able to purchase children's shoes from Company B. Thus, by participating in the AdWords Program, advertisers are able to place their advertising in front of consumers who identify themselves as interested in certain products or services offered by the advertisers' companies.

Rosetta Stone Ltd. v. Google, Inc., 730 F. Supp. 2d 531, 537–38 (E.D. Va. 2010), vacated in relevant part, 676 F.3d 144 (4th Cir. 2012). As the appellate court noted:

Google displays up to three sponsored links in a highlighted box immediately above the natural search results, and it also displays sponsored links to the right of the search results, but separated by a vertical line. As this suggests, more than one sponsor can purchase the same keyword and have a link displayed when a search for that keyword is conducted. Would-be advertisers purchase their desired keywords through an auction where advertisers bid competitively against each other for page position on the search results page.

Rosetta Stone Ltd. v. Google, Inc., 676 F.3d 144, 151 (4th Cir. 2012). Google began allowing third party advertisers to purchase specific trademarks as keywords in 2004. Google revised its policy in 2009 to allow advertisers to use marks in the text of an advertisement if they (1) resell legitimate products bearing the trademark, (2) sell components, replacement parts, or compatible products corresponding to the trademark, or (3) provide non-competitive information about the goods or services corresponding to the trademark term. Rosetta Stone Ltd. v. Google, Inc., 676 F.3d 144, 151 (4th Cir. 2012). Google's policy shift came after it developed the technology to automatically check the linked websites to determine if the sponsor's use of the trademark in the ad text was legitimate. Id. at 152. Users sign up for Google's AdWords program by assenting to a click-through contract which provides for jurisdiction and venue exclusively in state or federal court in Santa Clara County, California. See Parts Geek, LLC v. Auto Parts Network, Inc., Civil Action No. 09-5578 (MLC), 2010 WL 1381005 (D.N.J. Apr. 1, 2010) (enforcing the forum selection clause in Google's click-through AdWords contract). A different court explained the process in more elementary terms as follows:

As part of operating its search engine, Defendant “indexes” websites, and collects information regarding their contents so that it, in turn, can store the information for use in formulas which respond to search queries. Generally, when a user enters a query into Defendant's website, the search engine will process relevant websites based on several information factors and then return results to the user. Web designers routinely use this process to influence their ranking on Defendant's results page. Prior to building a site, web designers will often conduct a keyword search using various available keyword tools in order to determine what terms or phrases internet users are most commonly searching for. A web designer will then build its site around more popular search terms in order to ensure a higher rank on a search engine results page. Additionally, those with more capital may advertise their websites by “bidding” on keywords. A web designer can construct an ad using popular keywords, and then pay a search engine provider a fee to bid on those keywords in an effort to appear on a search engine results page as a “Sponsored Link” whenever users enter those keywords in their search queries. The higher a web designer bids, the higher the “Sponsored Link” placement when those bid-upon keywords are searched for. “Sponsored Links” appear either at the top or along the side of a search engine results page. As part of its business, Defendant allows advertisers to bid on keywords in a program called “Google AdWords” (“AdWords”) and through this program, encourages advertisers to bid on additional relevant keywords using a “keyword suggestion tool.”

Jurin v. Google Inc., 768 F. Supp. 2d 1064, 1068 (E.D. Cal. 2011).

4 Hearts on Fire Co. v. Blue Nile, Inc., 603 F. Supp. 2d 274, 282 n.6 (D. Mass. 2009).

Placement in response to search engine queries has economic consequences. As outlined in section 9.10[2] in connection with metatags, fewer and fewer people look beyond the first page of a search results list (or even beyond the first few natural search results shown). In this competitive environment, getting noticed may be essential to completing a transaction, at least for some businesses. Site owners seek to enhance their placement in response to search engine queries through search optimization techniques, as well as through the use of metatags and hidden text, as discussed in section 9.10, and garner attention by purchasing banner advertisements and sponsored links. As with metatags, businesses sometimes seek attention by using other people's trademarks.

Not all search engines knowingly sell marks as keywords. Google, which does sell marks as keywords, has a policy applying to advertisements in the United States, Australia, New Zealand, Canada, the United Kingdom, and Ireland, which permits marks to be used in the text of advertisements (1) where the term is used descriptively, if the advertiser in fact sells the trademarked product (or components, replacement parts, or compatible products relating to the trademarked product) and the trademarked product is the primary focus of the ad's landing page, (2) where the advertiser is authorized by the trademark owner to use a certain term, or (3) where the primary purpose of the landing page is to provide information about goods or services corresponding to the trademarked term. In the United States, Google does not restrict the use of trademark terms as keywords.5

Where a mark accurately reflects the content found on a page—such as when a product is lawfully sold on a site or used for fair use comparative advertising—its use as a keyword in connection with advertisements and sponsored links may be found to be a fair use or otherwise not actionable as not involving use of the mark in a trademark sense. Where third party marks are used simply to attract attention intended for another brand owner, and bear no relation to the content on a site, or falsely imply sponsorship, affiliation or endorsement, the use of a mark as a keyword may be actionable.

Whereas a site owner may have legitimate, non-trademark grounds for including a mark in metatags so that its site will be more effectively indexed, almost by definition someone who agrees to pay for an advertisement to appear when a third party's mark is inputted by a user is engaging in a commercial transaction involving the mark.
In general, the use of a third party's mark to trigger sponsored links or ban- ner advertisements is a use in commerce and therefore potentially actionable under the Lanham Act.6 This initial question—of whether a use potentially may form the basis for a Lanham Act claim by satisfying the low threshold for establishing use in commerce—is distinct from the issue of whether liability in fact may be imposed, which requires a

5 See https://support.google.com/adwordspolicy/answer/6118/ (last visited Mar. 2, 2015). 6 See 15 U.S.C.A. § 1127; Rescuecom Corp. v. Google Inc., 562 F.3d 123 (2d Cir. 2009); Network Automation, Inc. v. Advanced Systems Concepts, Inc., 638 F.3d 1137, 1144–45 (9th Cir. 2011); infra § 9.11[3]; see generally supra §§ 6.08, 7.10 (analyzing the issue in greater depth).

Pub. 12/2015 9-155 9.11[1] E-Commerce and Internet Law more substantial showing of confusion7 or dilution8 and that the use is neither fair (or otherwise not involving use of a mark in a trademark sense)9 nor functional.10 As with metatags,11 keyword claims (referred to in a couple of cases as keying)12 and claims based on sponsored link advertisements most frequently are premised on initial inter- est confusion, where recognized,13 and dilution,14 which ad- dress the more limited care and attention given by consum- ers as they surf online. Suits typically have been brought against competitors or search services for the keywords purchased to display advertisements and the resulting content associated with the advertisements displayed. Claims also have been directed at e-commerce sites in con- nection with the search tools they employ and the results they display on their own sites in response to user queries (typically when the search results lead to counterfeit goods oered or oers for competing goods or services). Dilution may be shown if a use tarnishes or blurs a famous mark.15 Merely using a famous mark to trigger a sponsored link may not necessarily create tarnishment or blurring, es- pecially if the text surrounding the link clearly identies the advertiser and doesn't falsely suggest sponsorship, aliation or endorsement (or in the case of an e-commerce site, directs users to opportunities to purchase the brand owner's products or services or clearly communicates that those products are not available and makes clear when goods or services oered are those of a competitor). Confusion likewise may not result from the use of a mark to trigger a sponsored link or other advertisement if the

7 See supra §§ 6.08, 6.09. 8 See supra § 6.11. 9 See supra § 6.14. The Third and Ninth Circuits apply dierent tests for nominative fair use, which is a doctrine that has been widely applied but has not been expressly adopted by a majority of circuits. See supra § 6.14[3]. 10 See supra § 6.13[2]; infra § 9.11[3]. 11 See supra § 9.10. 12 See Playboy Enterprises, Inc. v. Netscape Communications Corp., 354 F.3d 1020, 1022–23 (9th Cir. 2004); Finance Express LLC v. Nowcom Corp., 564 F. Supp. 2d 1160, 1178 (C.D. Cal. 2008). 13 See supra § 7.08[2]. 14 See supra § 6.11. 15 See supra § 6.11.

9-156 Search Engine Marketing 9.11[1] source of the link and surrounding text are clear and not deceptive. Even where confusion may be shown, a claim based on keywords or sponsored links may not be actionable. Damages from confusion associated with sponsored links may be dicult to prove. Likewise, it may be hard for a mark owner to prove irreparable injury sucient to justify injunc- tive relief.16 Proving initial interest confusion may be dicult as well, especially in cases involving advertisements displayed on major search engines. The Ninth Circuit explicitly cautioned in 2011 about the wooden application of the initial interest confusion doctrine and Internet ‘troika’ test for showing likelihood of confusion in Internet cases in the Ninth Circuit17 in ways that lose sight of the ultimate question of consumer confusion.18 In applying the initial interest confusion doc- trine to sponsored link and keyword advertising cases, the court in Network Automation, Inc. v. Advanced Systems Concepts, Inc.19 held that in addition to the normal likeli- hood of confusion factors, courts must be careful to view the surrounding context in which a use appears, writing that “likelihood of confusion will ultimately turn on what the consumer saw on the screen and reasonably believed given the context.”20 The court elaborated that “the labeling and appearance of the advertisement and the surrounding context on the screen displaying the results page” were criti- cal in that case to nding no likelihood of confusion in that

16 In addition to prevailing on the merits (or showing likelihood of prevailing on the merits for a preliminary injunction or TRO), to obtain injunctive relief a trademark owner must demonstrate that (1) it has suf- fered an irreparable injury, (2) remedies available at law such as monetary damages are inadequate to compensate for that injury, (3) a remedy in equity is warranted considering the balance of hardships between the plainti and defendant, and (4) the public interest would not be disserved by a permanent injunction. See Winter v. Natural Resources Defense Council, Inc., 555 U.S. 7, 20, 22 (2008) and eBay Inc. v. MercExchange, LLC, 547 U.S. 388, 392 (2006); supra § 6.16[1] (analyzing injunctive relief under the Lanham Act). 17 See supra § 6.09. 18 See Network Automation, Inc. v. Advanced Systems Concepts, Inc., 638 F.3d 1137 (9th Cir. 2011). 19 Network Automation, Inc. v. Advanced Systems Concepts, Inc., 638 F.3d 1137 (9th Cir. 2011). 20 Network Automation, Inc. v. Advanced Systems Concepts, Inc., 638 F.3d 1137, 1153 (9th Cir. 2011), quoting Hearts on Fire Co. v. Blue Nile, Inc., 603 F. Supp. 2d 274, 289 (D. Mass. 2009).

Pub. 12/2015 9-157 9.11[1] E-Commerce and Internet Law case.21 This consideration was characterized in a later Ninth Circuit case as “an additional factor that is outside of the eight-factor Sleekcraft test . . . ,” which should be used “in evaluating claims of in cases involv- ing Internet search engines ....”22 Subsequently, in Multi Time Machine, Inc. v. Amazon.com, Inc.,23 the majority, in a sharply divided opinion, held that the traditional multi-factor test for evaluating likelihood of confusion is less helpful—and may not even apply at all—in a case involving an e-commerce site where a merchant is “responding to a request for a particular brand it does not sell by oering other brands clearly identied as such . . . ,”24 as opposed to the more typical trademark infringement dispute where a court must consider “whether two compet- ing brands' marks are suciently similar to cause consumer confusion.”25 In such a case, “the ultimate test for determin- ing likelihood of confusion is whether a ‘reasonably prudent consumer’ in the marketplace is likely to be confused” about the origin of the goods, which was a determination that could be made “simply by a[n] evaluation of the web page at issue and the relevant consumer.”26 In Multi Time Machine, the majority armed the lower court's entry of summary judgment in favor of Amazon and against Multi Time Machine, based on Network Automation. Multi Time Machine was a suit brought by the maker of high-end, military style watches that were not available for purchase on the Amazon.com website. Amazon did not sell MTM watches. A search for MTM watches on its website therefore produced a list of competing watches that were available instead. The majority held that because Amazon's search results page clearly labeled the name and manufac-

21 Network Automation, Inc. v. Advanced Systems Concepts, Inc., 638 F.3d 1137, 1154 (9th Cir. 2011). 22 Multi Time Machine, Inc. v. Amazon.com, Inc., — F.3d —, 2015 WL 6161600, at *3 (9th Cir. 2015). 23 Multi Time Machine, Inc. v. Amazon.com, Inc., — F.3d —, 2015 WL 6161600 (9th Cir. 2015). 24 Multi Time Machine, Inc. v. Amazon.com, Inc., — F.3d —, 2015 WL 6161600, at *3 (9th Cir. 2015). 25 Multi Time Machine, Inc. v. Amazon.com, Inc., — F.3d —, 2015 WL 6161600, at *4 (9th Cir. 2015) (emphasis in original). 26 Multi Time Machine, Inc. v. Amazon.com, Inc., — F.3d —, 2015 WL 6161600, at *4 (9th Cir. 2015) (citing earlier cases); see generally infra § 6.09[4] (discussing the case in greater detail).

turer of each product offered for sale “and even include[d] photographs of the items . . . no reasonably prudent customer accustomed to shopping online would likely be confused as to the source of the products.”27

Multi Time Machine underscores that the same issues that potentially could be challenged in connection with banner advertisements and sponsored links may arise when a commercial site's own search tools lead to search results or messaging that an aggressive brand owner could characterize as likely to cause dilution or consumer confusion about sponsorship, affiliation or endorsement.

Network Automation, Multi Time Machine, and their applicability to sponsored link and keyword advertising cases and search-related disputes involving competitive products are discussed further in section 9.11[3] and in the context of initial interest confusion, in section 7.08[2].

Courts considering search engine marketing (SEM) cases have not always appreciated that consumer distraction is not the same thing as likelihood of confusion or dilution. Many web surfers suffer from what might charitably be characterized as a form of “Internet Attention Deficit Disorder”—an impatient approach to searching, where users may be easily distracted. Users thus potentially are more likely to be confused (leading, where recognized, to initial interest confusion) and more susceptible to advertising that portrays products and companies as associated with one another (thereby leading to dilution by blurring or tarnishment). Not all consumer perceptions, of course, are reasonable—or attributable to a defendant's use of a mark (as opposed to non-trademark considerations)—and not all consumers are as easily dazed and confused as others. Likewise, different circuits, and even within each circuit, different judges, are likely to view the reasonableness of Internet confusion differently.28

Deceptive sponsored links and banner advertisements may create confusion, but even then it is often confusion that will quickly dissipate if it is clear from a review of the linked location that there is no sponsorship or endorsement by, or affiliation with, the brand owner whose mark was used in a

27 Multi Time Machine, Inc. v. Amazon.com, Inc., — F.3d —, 2015 WL 6161600, at *1 (9th Cir. 2015).
28 See supra §§ 6.09, 6.14, 7.08[2] (analyzing Internet confusion and pointing out different approaches and circuit splits).

search that led to the linked location. Absent other evidence, this type of confusion is more likely to be found actionable in a jurisdiction that recognizes and broadly applies the doctrine of initial interest confusion.29

On the other hand, because of the speed with which people navigate through search engine results, a false or deceptive advertisement or snippet accompanying a sponsored link may leave a lasting impression about the association of a brand with the advertised site, which may lead to blurring or tarnishment. If a search engine blurs the distinctions between sponsored and natural search results—so that all results appear to be natural—the use of a mark to falsely suggest logical relevance in response to a search engine query may be actionable.30

In many sponsored link cases, confusion and dilution have proven easier to allege than to establish. Where the text in a banner advertisement or surrounding a sponsored link is clear, and the appearance and presentation to users not deceptive with respect to the source of the advertisement, the use of a mark to trigger banner ads and sponsored links, even if theoretically actionable, may not support a finding of likelihood of confusion or dilution. A number of sponsored link cases have been found to involve lawful comparative advertising, fair use or use other than as a mark.31

Even where infringement or dilution may be shown, damages and attorneys' fees, which are not automatically granted

29 See infra § 9.11[3] (discussing cases).
30 See, e.g., 800-JR Cigar, Inc. v. GoTo.com, Inc., 437 F. Supp. 2d 273, 286–93 (D.N.J. 2006) (denying summary judgment on plaintiff's claims for trademark infringement and unfair competition based on the use by a pay-for-priority search engine of plaintiff's famous marks as search terms, sold to plaintiff's direct competitors, where, among other things, the defendant ranked paid responses above natural search results but did not clearly label them as paid search results). But see Network Automation, Inc. v. Advanced Systems Concepts, Inc., 638 F.3d 1137, 1153–54 (9th Cir. 2011) (reversing and vacating the lower court's preliminary injunction in a sponsored link case, finding that likelihood of confusion could not be shown given the sophistication of Internet users and the fact that, unlike the search engine at issue in 800-JR Cigar, Google and Bing place sponsored links in a separately labeled area).
31 See infra § 9.11[3].

under the Lanham Act,32 may not necessarily be awarded.33

The law governing keywords, banner advertisements and sponsored links developed from three separate lines of cases, which are analyzed in sections 9.11[2] and 9.11[3]. Starting in the late 1990s, suits were brought over the use of marks to trigger banner advertisements.34 In the early part of the following decade, courts considering pop up advertisements delivered by software provider WhenU.com concluded that the use of a mark to trigger a pop up advertisement did not involve a use in commerce and was not actionable under the Lanham Act.35 This line of cases, however, has largely been discredited or narrowed to the specific facts of how WhenU.com operated its software application, making these cases largely irrelevant today. Finally, cases involving sponsored links, brought in the latter part of the decade, have established that, like banner advertisements, the use of a mark to trigger a sponsored link potentially may be actionable under the Lanham Act.36

Prior to 2009, the law in this area was unsettled. Courts in the Second Circuit generally, and outside the Second Circuit in pop up ad cases, applied an exceptionally narrow interpretation of use in commerce in connection with Internet advertisements, which created a significant split of authority on whether a mark owner even had standing to sue.37 Between 1999 and 2004 there was also some question about whether the use of marks to trigger banner advertisements could support claims for infringement or dilution, at least in the Ninth Circuit.38 In addition, prior to Congress amending the law in 2006, many circuits (and eventually the U.S. Supreme Court) required a plaintiff to show actual dilution, rather than likelihood of dilution, to state a claim, which was a difficult standard to meet at the very outset of a case.39

Uncertainty about the viability of claims over Internet advertisements from 1999 to 2009 (and a littered landscape

32 See supra §§ 6.16[2], 6.16[3].
33 See infra § 9.11[3] (discussing cases).
34 See infra § 9.11[2].
35 See infra § 9.11[3].
36 See infra § 9.11[3].
37 See infra § 9.11[3].
38 See infra § 9.11[2].
39 See supra § 6.11.

of cases that are no longer good law but which have not expressly been overruled) has left a lingering impression that the law in this area is unsettled, when in fact that is no longer the case.40

In Playboy Enterprises, Inc. v. Netscape Communications,41 the Ninth Circuit clarified in 2004 that claims for initial interest confusion and dilution by tarnishment were potentially viable when a mark is used to trigger a banner advertisement, at least under certain circumstances.42 In 2006, Congress amended the federal dilution statute to make clear that injunctive relief was available on a showing of likelihood of dilution, rather than actual dilution.43 And, most significantly, in Rescuecom Corp. v. Google, Inc.,44 the Second Circuit, in 2009, brought its jurisprudence on sponsored links and pop up advertisements in line with the law in the rest of the country.

Variations in the way likelihood of confusion is evaluated in Internet cases still exist in different circuits—including the threshold issue of whether and to what extent initial interest confusion is applied—as well as more subtle differences in how courts construe fair use.45 While these differences mean that the outcome of a sponsored link or keyword case may depend in part on the venue where litigation is brought, there is broad agreement among the circuits that the use of a mark to trigger an Internet advertisement for goods or services is potentially actionable.

While the touchstone for liability under the Lanham Act remains the commercial impression created by a given advertisement, Internet advertising has become sufficiently complex that the outcome of a case often turns on its unique constellation of facts.

Context-based advertising tied to user search terms takes

40 See infra & § 9.11[3].
41 Playboy Enterprises, Inc. v. Netscape Communications Corp., 354 F.3d 1020 (9th Cir. 2004).
42 See infra § 9.11[2].
43 See 15 U.S.C.A. § 1125(d); see generally supra § 6.11.
44 Rescuecom Corp. v. Google Inc., 562 F.3d 123 (2d Cir. 2009).
45 See infra § 9.11[3]; supra §§ 6.09[4] (truncated likelihood of confusion test applied by some courts in Internet cases), 6.14 (fair use), 7.08[2] (initial interest confusion).

many different forms.46 In some cases, advertisers purchase intentionally particular words, phrases, or groups of words in various combinations, while in others they may pay to have their advertisements displayed in particular categories (such as automobiles or music) or leave it to the site or a third party to determine when and how advertisements will be displayed. As noted earlier, advertisers also may use negative key words to affirmatively block advertisements from appearing in response to particular keywords. In Playboy Enterprises, Inc. v. Netscape Communications,47 the search engines themselves bundled a collection of search terms together, which now is a less common practice. Today, ad networks and brokers increasingly are responsible for placing ads. In a given case, a particular advertiser may not have had direct input into what keywords were purchased, or blocked, or where advertisements appeared. In others, how an advertisement came to be displayed may be a function of complex algorithms.

While many cases have been brought over the use of marks as key words—particularly over sponsored links—relatively few decisions had been rendered on the merits following a trial or on motion for summary judgment. As of August 2015, there had not been a case that had held that the mere use of a mark as a keyword, without more, constituted trademark infringement or dilution. Short of evidence of or additional acts of infringement or dilution, keyword cases are difficult to win. In a number of instances, keyword purchases have been found to constitute a nominative fair use or otherwise involve permissible uses of a mark in comparative advertising or other circumstances not likely to cause confusion or dilution.

Absent additional facts, it may be easier to state a claim based solely on the use of a mark to trigger a sponsored link or banner advertisement than to actually prove likelihood of confusion or dilution or false advertising, or rebut a claim of fair use. In view of tightening standards for stating a claim in federal court, even getting past a Rule 12(b)(6) motion may be more difficult in some courts if the only fact alleged is that the defendant purchased a mark as a

46 See infra chapter 28 (providing more detailed information on the business of Internet advertising and analyzing the range of other laws that apply to it). Contextual advertising also raises privacy issues. See infra § 28.06.
47 Playboy Enterprises, Inc. v. Netscape Communications Corp., 354 F.3d 1020 (9th Cir. 2004).

keyword.48

Where a brand owner does not specifically sue over the practice, restrictions on using marks to trigger banner advertisements or sponsored links, or in the advertisements themselves, often are included among uses restricted in proposed injunction orders, settlement agreements and stipulated judgments.49 In crafting proposed orders or stipulations, it is important to consider both the use of a mark to trigger an advertisement and the text of the advertisement itself. Too often, parties and courts consider only one of these issues, but not the other.

If applicable, the innocent printer's and publisher's defense may restrict remedies to injunctive relief for future conduct, rather than damages, for any claim brought under the Lanham Act (other than dilution).50

In addition to Lanham Act claims (and their state law equivalents for trademark infringement, dilution, false advertising, unfair competition and related claims),51 the use of a person's name, image, likeness or personal attributes as keywords potentially could be actionable under state common law and statutory right of publicity laws.52

Unlike claims brought under the Lanham Act, state law claims (including those for trademark infringement or dilution, rights of publicity violations or the range of activities actionable as unfair competition) based on third party content potentially may be preempted by the Good Samaritan exemption to the Communications Decency Act, 47 U.S.C.A. § 230(c).53 While the CDA would not preempt claims against competitors, distributors or others for their own conduct or content, or federal IP claims such as those brought under the Lanham Act, it could preempt state law IP claims asserted against intermediaries, such as search engines, for republishing advertisements originating with others,54 depending which claims are raised and where suit is filed.55

48 See, e.g., Parts.com, LLC v. Yahoo! Inc., 996 F. Supp. 2d 933 (S.D. Cal. 2013) (denying defendant’s motion to dismiss plaintiff’s federal trademark infringement claim, but dismissing with prejudice state law claims for trademark infringement and dilution and unfair competition as preempted by the CDA, dismissing plaintiff’s federal dilution claim with leave to amend and following Jurin in dismissing with leave to amend Parts.com’s false designation of origin and unfair competition claims premised on Yahoo’s alleged use of parts.com as a keyword for sponsored link advertisements because “the mere fact that Yahoo displays an array of links when a user enters ‘Parts.com’ as a search term is not enough to suggest that Yahoo is affiliated with Parts.com.”); Infostream Group Inc. v. Avid Life Media Inc., No. CV 12–09315, 2013 WL 6018030, at *5 (C.D. Cal. Nov. 12, 2013) (dismissing with prejudice plaintiff's claims for federal and California state trademark infringement and dilution, false designation of origin under the Lanham Act and California unfair competition, where the plaintiff merely alleged that the defendant used its marks as keywords to trigger sponsored link advertisements for its competing dating services); Jurin v. Google Inc., 695 F. Supp. 2d 1117, 1122 (E.D. Cal. 2010) (dismissing plaintiff's false advertising claim arising out of Google's use of its keyword suggestion tool in connection with its AdWords program because the plaintiff and defendant were not direct competitors); Jurin v. Google, Inc., No. 2:09-cv-03065-MCE-KJM, 2010 WL 3521955 (E.D. Cal. Sept. 8, 2010) (dismissing false designation of origin, false advertising and breach of contract claims arising out of the defendant's alleged sale of its mark as a keyword to trigger sponsored link advertisements). But see Jurin v. Google Inc., 768 F. Supp. 2d 1064 (E.D. Cal. 2011) (denying defendant's motion to dismiss amended false advertising and false association claims arising out of the sale of a keyword as a sponsored link, but dismissing without leave to amend breach of contract and breach of the duty of good faith and fair dealing claims premised on an alleged failure by Google to adhere to its Adwords policy); see also Jurin v. Google Inc., No. 2:09-cv-03065-MCE-CKD, 2012 WL 5011007 (E.D. Cal. Oct. 17, 2012) (granting summary judgment for Google).
49 See, e.g., C & N Corp. v. Kane, No. 12–C–0257, 2013 WL 6001074, at *5 (E.D. Wisc. Nov. 12, 2013) (enjoining defendants from using the plaintiff's mark “HALLOWINE” in “Internet use . . . advertising . . . [and] web-based or any other program”); MasterCard Int'l Inc. v. Trehan, 629 F. Supp. 2d 824, 833 (N.D. Ill. 2009) (enjoining the defendant from using plaintiff's marks as keywords or in metatags, among other things, in a consent judgment and permanent injunction order entered in a case where the defendant had registered Hindi language versions of “MASTERCARD” as domain names); Premium Nutritional Products, Inc. v. Ducote, 571 F. Supp. 2d 1216 (D. Kan. 2008) (holding the defendants in contempt for violating the terms of a Consent Judgment and Permanent Injunction which, among other things, prohibited them from using plaintiff's marks in metatags or banner ads); see generally supra §§ 6.16[1], 6.18 (formulating relief and settling disputes under the Lanham Act).
50 See supra § 6.16.[2][D].
51 See supra §§ 6.11[7], 6.12[6].
52 See infra § 9.11[4].
53 47 U.S.C.A. 230(c); see generally infra § 37.05.
54 E.g., Parts.com, LLC v. Yahoo! Inc., 996 F. Supp. 2d 933, 938-40 (S.D. Cal. 2013) (dismissing with prejudice state law trademark infringement, dilution and unfair competition claims as preempted by the CDA where the complaint failed to show that defendant “creates advertisement content.”); Stayart v. Google Inc., 783 F. Supp. 2d 1055 (E.D. Wis. 2011) (dismissing claims against Google, where the court observed that the plaintiff had alleged that Google had wrongfully used her name for advertising purposes to circumvent the CDA since section 230 “effectively immunizes search engines like Yahoo and Google from claims that they displayed information created by third parties which presents an individual in an unfavorable light.”), aff’d on other grounds, 710 F.3d 719 (7th Cir. 2013) (affirming dismissal of plaintiff’s misappropriation claims arising out of the alleged use of her name in conjunction with searches for an erectile dysfunction drug because plaintiff made the search request a matter of public interest by suing Yahoo! over it in 2010 and therefore Google was shielded from liability by the incidental use exception for claims that its algorithms generated the suggestion to search for the drug Levitra when plaintiff’s name was input into its search engine or displayed sponsored link advertisements for the drug). But see CYBERsitter, LLC v. Google, Inc., 905 F. Supp. 2d 1080, 1086-87 (C.D. Cal. 2012) (holding that the plaintiff stated a claim against Google that was not barred by the CDA by alleging that Google sold to third parties the right to use plaintiff's trademark and that consumers were likely to mistakenly associate plaintiff's goods with those of third parties); Stayart v. Yahoo! Inc., 651 F. Supp. 2d 873, 885 (E.D. Wis. 2009) (holding that the CDA did not insulate Yahoo! for claims based on an alleged banner advertisement that plaintiff claimed Yahoo! itself was responsible for; dismissing claims based on search results under the CDA and because plaintiff could not allege contributory or vicarious trademark infringement), aff'd on other grounds, 623 F.3d 436 (7th Cir. 2010) (dismissing claims). The CDA ruling in Stayart v. Yahoo! was quirky inasmuch as the court accepted plaintiff's questionable assertions about Yahoo!'s own responsibility for third party advertisements, which the district court in Stayart v. Google rejected. On remand, the district court in Stayart v. Yahoo! dismissed plaintiff's claims against Yahoo! without addressing the applicability of the CDA, based on a finding that plaintiff's alleged damages did not satisfy the amount in controversy requirement for diversity jurisdiction. In the alternative, the court ruled that plaintiff failed to show that Yahoo! used her name for purposes of advertising or trade or misappropriated it in any way because “[a]n internet search engine does not use a person's name for such purposes when it reports information found on internet websites.” Stayart v. Yahoo! Inc., No. 10C0043, 2011 WL 3625242 (E.D. Wis. Aug. 17, 2011) (denying plaintiff's motion for reconsideration).
55 Compare Perfect 10, Inc. v. CCBill LLC, 488 F.3d 1102, 1118-19 (9th Cir.) (construing the exclusion from CDA protection of “any law pertaining to intellectual property” to be restricted to “federal intellectual property” and therefore holding that the plaintiff's right of publicity claim against an Internet payment processor was preempted), cert. denied, 522 U.S. 1062 (2007) with Doe v. Friendfinder Network, Inc., 540 F. Supp. 2d 288, 298-304 (D.N.H. 2008) (holding that “any law pertaining to intellectual property” literally means any law—state or federal—and therefore denying the defendant's motion to dismiss plaintiff's right of publicity claim under New Hampshire law) and Atlantic Recording Corp. v. Project Playlist, Inc., 603 F. Supp. 2d 690, 702-04 (S.D.N.Y. 2009) (construing the literal language of the statute the same way as the court in Doe and allowing a common law copyright claim under New York law to proceed); see generally infra § 37.05[5] (analyzing the potential scope of preemption for state IP claims).


As with metatags, a person’s use of a mark as a keyword to trigger advertisements (or in the contents of advertisements) may be relevant in proving intent, the strength of a mark or other factors that may establish infringement or dilution in a case challenging multiple uses, even where the specific sponsored link or banner advertising practices challenged are not themselves actionable.56

Issues involving keywords, banner advertisements and sponsored links also arise internationally. The same lawsuits brought in the United States have been brought in Europe, with somewhat different results. Search engines such as Google also maintain different trademark policies with respect to the sale of advertisements based on specific keywords. Sites that operate in multiple countries therefore must closely follow developments internationally.

56 See, e.g., Trehan v. Kikkerland Design, Inc., No. 13-C-8023, 2014 WL 1018319, at *4 (N.D. Ill. Mar. 17, 2014) (denying defendant's motion to dismiss a trademark infringement case where plaintiff alleged use of plaintiff's mark in paid advertising on Google and plead “other facts to show a likelihood of confusion”); General Steel Domestic Sales, LLC v. Chumley, Civil Action No. 10-cv-01398-PAB-KLM, 2013 WL 1900562, at *7 (D. Colo. May 7, 2013) (holding that the defendant’s use of plaintiff’s mark in the copy of its AdWords advertisements evidenced the strength of plaintiff’s mark, in a case where the court entered judgment for the defendant on plaintiff’s claims for use of its mark to trigger sponsored link advertisements and in the text of those advertisements, but entered judgment for the plaintiff on its false advertising claims, following a bench trial).

9.11[2] Banner Advertisements

The first lawsuit brought over the sale of keywords was initiated in the Southern District of New York in January 1999 by Estee Lauder, Inc. against Excite, Inc. and The Fragrance Counter, Inc., a company that purchased the keywords “Estee Lauder” from Excite. Whenever a search for “Estee Lauder” was performed on Excite, at the time the suit was filed, a banner advertisement for the Fragrance Center would appear along with the results for the search. Estee Lauder alleged trademark infringement, false representation, unfair competition and false advertising.1 The case ultimately settled.

Shortly thereafter, Playboy filed similar actions in federal court in Los Angeles. In Playboy Enterprises, Inc. v. Excite Inc.,2 Playboy Enterprises, Inc. sued Excite and Netscape Communications for allegedly selling its marks “Playboy” and “Playmate” as keywords to third-parties whose banner advertisements, in most cases, allegedly promoted hard-core pornography that tarnished the company's image (in addition to creating likelihood of initial interest confusion). A parallel action also was brought against Netscape Communications Corp.3

The consolidated Playboy cases spent many years in litigation before the Ninth Circuit ultimately ruled in 2004 that Playboy had raised factual disputes precluding summary judgment on its claims for trademark infringement based on initial interest confusion and dilution by tarnishment. District Court Judge Alicemarie Stotler denied Playboy's motion for a preliminary injunction, ruling in 1999 that Playboy was not likely to prevail on its Lanham Act claims based on the defendant's sale of the words “PLAYBOY” and “PLAYMATE” (as part of a list of 450 terms relating to adult entertainment) to third-parties whose banner advertisements were displayed on Netscape's portal site whenever either word appeared in a search engine query.4 She reasoned that the terms “PLAYBOY” and “PLAYMATE” were common English language words and were not being used in a trademark sense when purchased by a hard-core pornography site.5

The district court's reasoning that “PLAYBOY” and “PLAYMATE” were not used in a trademark sense when used to drive users interested in adult entertainment to other websites, including hard core pornography sites, seemed questionable. It was unlikely that defendants used “PLAYBOY” and “PLAYMATE” for their dictionary meanings—hoping to attract children looking online for playmates—as opposed to their secondary meaning and the goodwill associated with those PEI marks, to divert traffic from the genuine Playboy site. Nevertheless, it took five years before the Ninth Circuit reconsidered the issue on the merits, after the trial court eventually granted summary judgment for the defendant based on the same flawed rationale.

In Playboy Enterprises, Inc. v. Netscape Communications,6 the Ninth Circuit reversed, holding, on a more complete record following discovery, that factual issues precluded summary judgment on Playboy's claims for initial interest confusion and dilution (under pre-2006 dilution law). In Netscape, the defendant search engines required that adult banner advertisements be run only in response to a list of over 400 words associated with adult entertainment, including the plaintiff's trademarks, PLAYBOY and PLAYMATE. PEI introduced evidence that the adult-oriented banner ads displayed on defendants' search results pages were often graphic in nature and were confusingly labeled or not labeled at all. In addition, buttons on the banner ads said “click here.” When a user complied, the search results page disappeared, and the user found him or herself on the advertiser's website. Playboy had introduced survey evidence showing high rates of likely confusion. It also introduced evidence that both confusion and click through rates would have gone down had Netscape required that its ads be labeled. Even when asked to do so by advertisers, defendants refused to remove Playboy's marks from its keying list, which the court found provided some evidence of bad intent. In addition, the court noted that “the average searcher seeking adult-oriented materials on the Internet is easily diverted from a specific product he or she is seeking if other options, particularly graphic ones, appear more quickly.”7

In finding sufficient evidence of initial interest confusion to defeat summary judgment, the Ninth Circuit commented that initial interest confusion was the only basis for confusion for which sufficient evidence existed to defeat a motion for summary judgment on plaintiff's trademark infringement

[Section 9.11[2]]
1 See Estee Lauder, Inc. v. Fragrance Counter, Inc., Case No. 1:99cv00382 (S.D.N.Y. filed Jan. 19, 1999). Origins Natural Resources, Inc. and Clinique Laboratories, Inc. were also named plaintiffs in that case, which had been assigned to Judge Robert W. Sweet before it eventually settled.
2 Playboy Enterprises, Inc. v. Netscape Communications Corp., Civil Action No. 8:99cv00321 (C.D. Cal. filed Feb. 5, 1999).
3 See Playboy Enterprises, Inc. v. Netscape Communications Corp., Civil Action No. 8:99cv00321 (C.D. Cal. filed Feb. 5, 1999).
4 Playboy Enterprises, Inc. v. Netscape Communications Corp., 55 F. Supp. 2d 1070 (C.D. Cal. 1999), aff'd mem., 202 F.3d 278 (9th Cir. 1999).
5 See 55 F. Supp. 2d at 1073–74.

6 Playboy Enterprises, Inc. v. Netscape Communications Corp., 354 F.3d 1020 (9th Cir. 2004).
7 Playboy Enterprises, Inc. v. Netscape Communications Corp., 354 F.3d 1020, 1028 (9th Cir. 2004).

claim.8 This underscores both the significance of the doctrine in certain Internet advertising cases and the importance of litigating these types of claims—for both potential plaintiffs and defendants—in the right venue. Given that not all circuits apply initial interest confusion, or apply it as forcefully as the Ninth Circuit,9 where a banner ad case may be brought could itself be outcome determinative.

The Ninth Circuit emphasized that the case involved unlabeled banner advertisements, which appeared immediately after a search was performed (and in some instances instructed users to “Click Here”), creating the perception for users that they should click on the link to access Playboy's website. The court noted that “if a banner advertisement clearly identified its source or, even better, overtly compared PEI products to the sponsor's own, no confusion would occur under PEI's theory.”10

In contrast to the Netscape case, in Playboy Enterprises, Inc. v. Welles11 the Ninth Circuit had previously held that a former Playboy Playmate's use of “Playboy,” “Playmate,” and “Playmate of the Year 1981” on the terriwelles.com website and in headlines, banner ads, and metatags used to promote and generate traffic to the site constituted a nominative fair use where the defendant in fact was the 1981 Playmate of the Year and therefore these uses served to identify the defendant rather than imply current sponsorship or endorsement. In Welles, the court held that the defendants used only so much of the marks as reasonably necessary in connection with the banner advertisements and headlines “because they use[d] only the trademarked words, not the font or symbols associated with the trademarks.”12 Further, Welles did nothing in conjunction with these uses to suggest sponsorship or endorsement by Playboy Enterprises, Inc. “The marks are clearly used to describe the title she received from PEI in

8 Playboy Enterprises, Inc. v. Netscape Communications Corp., 354 F.3d 1020, 1025 n.13 (9th Cir. 2004).
9 See supra § 7.08[2] (analyzing initial interest confusion in the various federal circuits).
10 354 F.3d at 1025 n.16.
11 Playboy Enterprises, Inc. v. Welles, 279 F.3d 796 (9th Cir. 2002).
12 Playboy Enterprises, Inc. v. Welles, 279 F.3d 796 (9th Cir. 2002).


1981, a title that helps describe who she is.”13 The court also pointed out that in addition to doing nothing in conjunction with her use of the marks to suggest sponsorship or endorsement by PEI, Welles affirmatively disavowed any sponsorship or endorsement by including a clear disclaimer. It cautioned, however, that “affirmative actions of this type” are not required when a use is nominative.14

In Netscape, the Ninth Circuit had rejected defendants' argument that their use of Playboy marks amounted to nominative fair use. The court found that defendants could have used other words, besides Playboy's marks, to trigger adult-oriented banner advertisements (and they in fact did so—using over 400 other terms).15 In so ruling, the court emphasized that it was not addressing a situation in which Playboy marks were used to trigger listings to genuine Playboy sites. Nor was it considering a case where the banner advertisements delivered clearly identified their source and sponsor's name. Further, the court explained that it was not addressing a situation in which advertisers or search engines overtly compared Playboy products to those of competitors, “for example, ‘if you are interested in Playboy, you may also be interested in the following message from [a different named company].’ ”16 The court made clear it was only “evaluating a situation in which defendants display competitors' unlabeled banner advertisements, with no label or overt comparison to PEI, after Internet users type in PEI's trademarks.”17

Netscape underscores that the use of a mark to trigger banner advertisements may be actionable for initial interest confusion and dilution. It also makes clear, however, that if a search engine clearly labels its banner advertisements so that they are not confusing, proving initial interest confusion in a banner ad case could be quite difficult, at least under Ninth Circuit law. The court's analysis of Playboy's dilution claim is less instructive because it revolved around proof of fame, under the old eight-factor test, and commercial

13 Playboy Enterprises, Inc. v. Welles, 279 F.3d 796, 803 (9th Cir. 2002).
14 Playboy Enterprises, Inc. v. Welles, 279 F.3d 796, 803 n.26 (9th Cir. 2002); see generally supra § 6.14[3] (discussing the case).
15 354 F.3d at 1030.
16 354 F.3d at 1030. (brackets in original).
17 354 F.3d at 1030.

Pub. 12/2015 9-171 9.11[2] E-Commerce and Internet Law

use in commerce, neither of which remain in effect today.18

While Netscape involved the use of a mark to trigger an unlabeled banner advertisement, in Finance Express LLC v. Nowcom Corp.,19 the court preliminarily enjoined the defendant from using plaintiff's marks to trigger banner advertisements that were labeled, but nonetheless were found likely to create initial interest confusion. In Finance Express, the defendant had registered 8 domain names that included plaintiff's marks and used plaintiff's marks in metatags and as keywords to deliver banner advertisements “to ensure that web users searching for those terms w[ould] be exposed to Nowcom's banner advertisement.”20 In rejecting the defendant's argument that its practices were distinguishable from those in Netscape because that case involved unlabeled banner ads, the court explained that:

While it is true that a clearly-labeled banner advertisement might not create initial interest confusion, Nowcom's banner advertisement cannot be fairly characterized as one which “clearly identifies its source with its sponsor's name.” Nowcom's banner advertisement states in large, underlined font: “Manage Your Dealership.” Underneath that heading, on the second and third lines of the advertisement, it states in smaller font “Use Just One Software Program. Get A Free Trial of Dealer Desktop.” On the fourth line down, in even smaller font, appears a link to Nowcom's website: “www.Nowcom.com.” . . . This advertisement is not clearly labeled. The only indication as to the identity of the advertisement's sponsor lies in the website address, which is located in small print on the last line of the advertisement. While Nowcom's argument might be tenable if its name appeared in large font in the first line of the advertisement, or perhaps even if it appeared anywhere in the text of the advertisement, this is not the case. A website address located in small font at the bottom of the advertisement is not sufficient to overcome the initial interest confusion that results from Nowcom's practice of keying.21

In Network Automation, Inc. v. Advanced Systems Concepts, Inc.,22 a sponsored link case, the Ninth Circuit, in reversing and vacating a preliminary injunction order, clarified that the initial interest confusion doctrine and so-called Internet troika test23 should not be applied mechanically or in a wooden fashion merely because a case involves an Internet dispute. In Network Automation, the court held that use of the Internet troika test for evaluating likelihood of confusion was inappropriate in a keyword advertising case and further held that confusion in a keyword suit must be evaluated in the surrounding context in which the advertisement appears.24

Following Network Automation, a sharply divided Ninth Circuit panel affirmed the entry of summary judgment for the defendant in a sponsored link case in Network Automation in Multi Time Machine, Inc. v. Amazon.com, Inc.25 Multi Time Machine was a suit brought by the maker of high-end, military style watches that were not available for purchase on the Amazon.com website. Because Amazon did not sell MTM watches, a search for those products on its website produced a list of competing watches that were available. In affirming summary judgment for Amazon on plaintiff's claim for trademark infringement, the majority held that because Amazon's search results page clearly labeled the name and manufacturer of each product offered for sale and even

18 See supra § 6.11.

19 Finance Express LLC v. Nowcom Corp., 564 F. Supp. 2d 1160 (C.D. Cal. 2008).

20 Finance Express LLC v. Nowcom Corp., 564 F. Supp. 2d 1160, 1177 (C.D. Cal. 2008).

21 Finance Express LLC v. Nowcom Corp., 564 F. Supp. 2d 1160, 1178 (C.D. Cal. 2008). The court ultimately enjoined the defendant from (1) registering, maintaining the registration of, operating, owning, promoting, advertising, marketing, and/or utilizing any website whose domain name and/or content utilizes any of Finance Express' marks, including Tracker, TrackerDMS, DealTrace, and Finance Express; (2) using any of these four marks or combinations of these marks as meta tags or in buried HTML code; [and] (3) purchasing “keywords” containing these four marks or combinations of these marks to drive internet traffic to banner advertisements for Defendants. Id. at 1179. The court declined to order the defendant to place a curative notice on its website.

22 Network Automation, Inc. v. Advanced Systems Concepts, Inc., 638 F.3d 1137 (9th Cir. 2011).

23 Prior to 2011, the Ninth Circuit, in Internet cases, generally applied only three of the factors from the traditional test for establishing likelihood of confusion (similarity of the marks, relatedness of the goods or services and simultaneous use of the Internet as a marketing channel), which had come to be known as the Internet troika. See, e.g., Perfumebay.com Inc. v. eBay, Inc., 506 F.3d 1165, 1173 (9th Cir. 2007); Finance Express LLC v. Nowcom Corp., 564 F. Supp. 2d 1160 (C.D. Cal. 2008) (entering a preliminary injunction for the plaintiff in a key word case based on the three part test); see generally supra § 6.09[4] (analyzing the Ninth Circuit's approach).

24 Network Automation is discussed further in section 9.11[3] in connection with sponsored links.

25 Multi Time Machine, Inc. v. Amazon.com, Inc., — F.3d —, 2015 WL 6161600 (9th Cir. 2015).

included photographs of the items, “no reasonably prudent customer accustomed to shopping online would likely be confused as to the source of the products.”26

Ultimately, likelihood of confusion or dilution, and issues of fair use, must be proven in a given case, based on the particular facts presented and the universe of relevant consumers.

9.11[3] Sponsored Links, Pop Up Ads and Search Results and Advertisements on Sales Sites

The use of a third party's mark to trigger a sponsored link or other Internet advertisement, as with banner ads, generally constitutes the use of a mark in connection with the sale of goods or services or substantial advertising and therefore is potentially actionable under the Lanham Act,1 provided that a mark owner can prove confusion or dilution and negate fair use (or establish false advertising), which often are more difficult to do than to establish the threshold requirement of use in commerce. Suits over sponsored links typically are brought by trademark owners against search engines and other sites that sell marks as key words, and third party purchasers, who may be competitors, unauthorized resellers or other persons or entities. Litigation also may be initiated by a brand owner against a commercial website for its own search practices that may invite consumers to consider competing brands, either through advertisements or sales listings. Claims asserted frequently include trademark infringement, , false advertising, and unfair competition, under the Lanham Act2 and state law.3 Most cases are premised on direct liability, although plaintiffs in some cases brought against search engines have also sued for contributory trademark infringement and vicarious liability.4

Absent other facts, it is often easier to state a claim at the outset than win a sponsored link case on the merits because of the difficulty of proving confusion or dilution or false advertising or negating fair use in cases based solely on the use of a mark to trigger a sponsored link that itself is not deceptive and does not suggest sponsorship, affiliation or endorsement. Some decisions have held that a plaintiff may not state a claim5 merely by alleging use of a mark to trigger

26 Multi Time Machine, Inc. v. Amazon.com, Inc., — F.3d —, 2015 WL 6161600, at *1 (9th Cir. 2015); see generally infra § 9.11[3] (analyzing the case in greater detail).

[Section 9.11[3]]

1 See, e.g., Rescuecom Corp. v. Google Inc., 562 F.3d 123 (2d Cir. 2009); Network Automation, Inc. v. Advanced Systems Concepts, Inc., 638 F.3d 1137, 1144–45 (9th Cir. 2011); see generally supra § 7.10.

2 See supra §§ 6.08 (trademark infringement), 6.11 (dilution under the Lanham Act), 6.12 (unfair competition and false advertising under the Lanham Act), 6.14 (fair use).

3 See infra § 9.11[4] (state law claims).

4 See, e.g., Rosetta Stone Ltd. v. Google, Inc., 676 F.3d 144 (4th Cir. 2012) (affirming the entry of summary judgment for Google on Rosetta Stone's claims for vicarious trademark infringement and unjust enrichment, but vacating the entry of summary judgment for Google on Rosetta Stone's claims for direct and contributory infringement and dilution because material facts were disputed); Sellify Inc. v. Amazon.com, Inc., No. 09 Civ. 0268 (JSR), 2010 WL 4455830 (S.D.N.Y. Nov. 14, 2010) (granting summary judgment for Amazon.com on claims for contributory and vicarious trademark infringement where there was “no evidence that Amazon had particularized knowledge of, or direct control over,” third party sponsored link advertisements purchased by one of Amazon.com's more than 3 million associates and where there was no agency relationship); Government Employees Ins. Co. v. Google, Inc., 330 F. Supp. 2d 700, 704–05 (E.D. Va. 2004) (denying defendants Google, Inc. and Overture Services, Inc.'s motions to dismiss federal Lanham Act claims for trademark infringement, contributory trademark infringement, vicarious trademark infringement, false representation and dilution arising out of their practice of selling advertisements linked to search terms); see generally supra § 6.10 (analyzing secondary liability for trademark infringement).

5 See, e.g., Parts.com, LLC v. Yahoo! Inc., 996 F. Supp. 2d 933 (S.D. Cal. 2013) (dismissing with prejudice state law claims for trademark infringement and dilution and unfair competition as preempted by the CDA, denying defendant's motion to dismiss plaintiff's federal trademark infringement claim, dismissing plaintiff's federal dilution claim with leave to amend and following Jurin in dismissing with leave to amend Parts.com's Lanham Act false designation of origin and unfair competition claims premised on Yahoo's alleged use of parts.com as a keyword for sponsored link advertisements because “the mere fact that Yahoo displays an array of links when a user enters ‘Parts.com’ as a search term is not enough to suggest that Yahoo is affiliated with Parts.com.”); Infostream Group Inc. v. Avid Life Media Inc., No. CV 12–09315, 2013 WL 6018030, at *5 (C.D. Cal. Nov. 12, 2013) (dismissing with prejudice plaintiff's claims for federal and California state trademark infringement and dilution, false designation of origin under the Lanham Act and California unfair competition, where the plaintiff merely alleged that the defendant used its marks as keywords to trigger sponsored link advertisements for its competing dating services); Jurin v. Google Inc., 695 F. Supp. 2d 1117, 1122 (E.D. Cal. 2010) (dismissing plaintiff's false advertising claim arising out of Google's use of its keyword suggestion tool in connection with its

a sponsored link advertisement, without more, or granted judgment on the pleadings on that basis,6 while other courts have denied motions to dismiss, allowing the case to proceed,7 at least in jurisdictions where initial interest confusion is recognized.

Although less commonly sought in disputes over sponsored links, preliminary injunctions have been granted8 or denied9

AdWords program because the plaintiff and defendant were not direct competitors); Jurin v. Google, Inc., No. 2:09-cv-03065-MCE-KJM, 2010 WL 3521955 (E.D. Cal. Sept. 8, 2010) (dismissing false designation of origin, false advertising and breach of contract claims arising out of the defendant's alleged sale of its mark as a keyword to trigger sponsored link advertisements). But see Jurin v. Google Inc., 768 F. Supp. 2d 1064 (E.D. Cal. 2011) (denying defendant's motion to dismiss amended false advertising and false association claims arising out of the sale of a keyword as a sponsored link, but dismissing without leave to amend breach of contract and breach of the duty of good faith and fair dealing claims premised on an alleged failure by Google to adhere to its Adwords policy); see also Jurin v. Google Inc., No. 2:09-cv-03065-MCE-CKD, 2012 WL 5011007 (E.D. Cal. Oct. 17, 2012) (granting summary judgment for Google).

6 See, e.g., Allied Interstate LLC v. Kimmel & Silverman P.C., No. 12 Civ. 4202 (LTS) (SN), 2013 WL 4245987 (S.D.N.Y. Aug. 12, 2013) (granting judgment on the pleadings on plaintiff's New York state and federal claims for dilution where the defendant’s alleged use of plaintiff’s mark in metatags, hidden words and keywords to trigger sponsored link advertisements was on its face a fair use); Whipple v. Brigman, Civil Action No. 3:12CV258, 2013 WL 566817 (W.D.N.C. Feb. 13, 2013) (granting judgment on the pleadings where the plaintiff alleged that the defendant’s use of “queen city,” “tour” and “nascar shuttle” in metatags and as AdWords to trigger sponsored links constituted trademark infringement because plaintiff’s alleged marks were weak or generic; “Accepting the Plaintiff’s argument would mean businesses like GEICO would have a claim for infringement against any company using the word ‘insurance’ while car salesmen would be prohibited from using the terms ‘car’ or ‘automobile’ because Volvo, Chevrolet, or Toyota trademarked the words.”).

7 See, e.g., Romeo & Juliette Laser Hair Removal, Inc. v. Assara I LLC, No. 08-CV-442 (TPG)(FM), 2014 WL 4723299, at *2-4 (S.D.N.Y. Sept. 23, 2014) (denying defendant's motion to dismiss Lanham Act claims at least in part because the defendant purchased the ROMEO & JULIETTE mark to trigger advertisements on Google for its hair-removal services); Parts.com, LLC v. Yahoo! Inc., No. 13-CV-1078 JLS (JMA), 2014 WL 2573321 (S.D. Cal. June 9, 2014) (denying Yahoo’s motion to dismiss claims for trademark infringement and dilution based on the alleged use of parts.com as a keyword for sponsored link advertisements); Parts.com, LLC v. Yahoo! Inc., 996 F. Supp. 2d 933 (S.D. Cal. 2013) (denying defendant’s motion to dismiss plaintiff’s federal trademark infringement claim, while dismissing with prejudice state law claims for trademark infringement and dilution and unfair competition as preempted by the CDA, dismissing plaintiff’s federal dilution claim with leave to amend and following Jurin in dismissing with leave to amend Parts.com’s false designation of origin and unfair competition claims premised on Yahoo’s alleged use of parts.com as a keyword for sponsored link advertisements because “the mere fact that Yahoo displays an array of links when a user enters ‘Parts.com’ as a search term is not enough to suggest that Yahoo is affiliated with Parts.com.”); Elcometer, Inc. v. TQC-USA, Inc., No. 12-cv-14628, 2013 WL 1433388, at *4–5 (E.D. Mich. Apr. 9, 2013) (denying defendants’ motion to dismiss plaintiff’s trademark infringement claim based on allegations that defendants used the ELCOMETER mark as an AdWord so that consumers and potential consumers would be directed to the Paintmeter website when conducting a search using the term “Elcometer” and that, once at the site, consumers were deceived into believing that Paintmeter was an authorized dealer or seller of Elcometer products); Cybersitter, LLC v. Google, Inc., 905 F. Supp. 2d 1080, 1087–88 (C.D. Cal. 2012) (holding that Cybersitter stated claims for state law trademark infringement, contributory infringement pursuant to Cal. Bus. & Prof. Code § 14245(a)(3) and unfair competition under Cal. Bus. & Prof. Code § 17200, arising out of the alleged sale of “CYBERsitter” as a keyword to trigger sponsored link advertisements); Morningware, Inc. v. Hearthware Home Products, Inc., 673 F. Supp. 2d 630, 634–38 (N.D. Ill. 2009) (denying defendant's motion to dismiss where Morningware alleged that Hearthware, a competitor, purchased its mark as a keyword through Google's AdWords program, causing initial interest confusion).

8 See, e.g., CJ Products LLC v. Snuggly Plushez LLC, 809 F. Supp. 2d 127, 157–58 (E.D.N.Y. 2011) (preliminarily enjoining defendant's purchase of the phrases “Pillow Pets” and “My Pillow Pets” through Google's AdWords program, in a copyright and trademark infringement case where the court found that the plaintiff was likely to prevail on multiple different grounds); Martha Elizabeth, Inc. v. Scripps Networks Interactive, LLC, No. 1:10-cv-1244, 2011 WL 1750711, at *19–20 (W.D. Mich. May 9, 2011) (granting a motion for preliminary injunction where defendant's purchase of misspelled variations of plaintiff's mark as sponsored links was found to evidence bad faith for purposes of likelihood of confusion analysis); InternetShopsInc.com v. Six C Consulting, Inc., No. 1:09-CV-00689-JEC, 2011 WL 1113445, at *6-7 (N.D. Ga. Mar. 24, 2011) (granting a permanent injunction in case where defendant conceded that its use infringed plaintiff's trademark rights); Finance Express LLC v. Nowcom Corp., 564 F. Supp. 2d 1160, 1176–79 (C.D. Cal. 2008) (entering a preliminary injunction for the plaintiff in a keyword case based on the three part test). Injunctive relief also has been obtained in unopposed cases where the plaintiff seeks relief from a wide array of trademark-related violations. See, e.g., Louis Vuitton Malletier, S.A. v. 2013LVshop.com, No. 14-61698-CIV, 2014 WL 3855058 (S.D. Fla. Aug. 5, 2014) (entering a preliminary injunction ordering each defendant, “its officers, directors, employees, agents, subsidiaries, distributors, and all persons in active concert or participation with any Defendant having notice of this Order shall immediately discontinue, until further Order of this Court, the use of the Louis Vuitton Marks, or any confusingly similar trademarks within domain name extensions, metatags or other markers within website source code, from use on any webpage (including as the title of any web page), any advertising links to other websites, from search engines' databases or

in particular cases. Preliminary injunctive relief is granted based on a showing of likelihood of confusion, not merely copying. Irreparable injury also must be shown (and may not be inferred merely by virtue of the fact that a plaintiff may show likelihood of prevailing on the merits).10

Claims that survive motions to dismiss may be resolved on the merits through summary judgment motions, if facts are

cache memory, and any other form of use of such terms which is visible to a computer user or serves to direct computer searches to websites registered by, owned, or operated by each Defendant, including the Internet websites operating under the Subject Domain Names . . . .”); Consumer Source Holding, Inc. v. Does 1-24, No. 1:13-cv-1512 (AJT/JFA), 2014 WL 2967942 (E.D. Va. June 30, 2014) (enjoining and restraining defendants “from using Plaintiff's registered trademarks . . . or any confusingly similar trademarks within domain name extensions, metatags or other markers within website source code, from use on any webpage (including as the title of any web page), any advertising links to other websites, from search engines' databases or cache memory, and any other form of use of such terms which is visible to a computer user or serves to direct computer searches to websites registered, owned, or operated by each Defendant, including the Internet websites operating under the domain names in Appendix A . . . .”); Abercrombie & Fitch Trading Co. v. 7Starzone.com, No. 14-6008-CIV, 2014 WL 352184 (S.D. Fla. Jan. 31, 2014) (entering an unopposed TRO enjoining, among other things, the use of plaintiff's mark in metatags or as sponsored link advertisements).

9 See, e.g., Network Automation, Inc. v. Advanced Systems Concepts, Inc., 638 F.3d 1137, 1153–54 (9th Cir. 2011) (reversing and vacating the lower court's preliminary injunction in a sponsored link case, finding that likelihood of confusion could not be shown given the sophistication of Internet users and the fact that Google and Bing place sponsored links in a separately labeled area); AK Metals, LLC v. Norman Industrial Materials, Inc., No. 12cv2595, 2013 WL 417323 (S.D. Cal. Jan. 31, 2013) (denying plaintiff's motion for a preliminary injunction because it could not show entitlement to equitable relief and was unlikely to succeed on the merits of its case for unfair competition and trademark infringement arising out of defendant's purchase of “Escondido Metal Supply” and variations of that name as keywords for sponsored link advertisements); King Pharmaceuticals, Inc. v. Zymogenetics, Inc., No. 2:09-CV-244, 2009 WL 4931238, at *4 (E.D. Tenn. Dec. 10, 2009) (denying plaintiff's motion for a preliminary injunction where ZymoGenetics represented to the court that it had ceased using King's marks as Google AdWords and would not do so in the future).

10 See supra § 6.16[1]. The standards for obtaining injunctive relief in Lanham Act cases have become more exacting since the time the first sponsored link cases were decided as a result of the U.S. Supreme Court's decisions in Winter v. Natural Resources Defense Council, Inc., 555 U.S. 7 (2008) and eBay Inc. v. MercExchange, LLC, 547 U.S. 388, 392 (2006). See generally supra § 6.16[1] (analyzing injunctive relief under the Lanham Act).

unrefuted, or at trial. Accordingly, courts have granted or affirmed summary judgment for plaintiffs11 or for defendants12

11 See, e.g., Digby Adler Group LLC v. Image Rent a Car, Inc., No. 10-cv-00617-SC, 2015 WL 525906, at *3 (N.D. Cal. Feb. 6, 2015) (granting summary judgment for plaintiff on its claims for trademark infringement, where defendants, competitors in the van rental industry, registered plaintiff's “Bandango” mark as a domain name and bid on Google AdWords search terms “Bandango,” “Bandango van rental,” and “Bantango van rentals,” and for cybersquatting and , based on defendants' copying text from plaintiff's website); Storus Corp. v. Aroa Marketing, Inc., 87 U.S.P.Q.2d 1032, 2008 WL 449835 (N.D. Cal. Feb. 15, 2008) (granting summary judgment for the plaintiff in a sponsored link case based on a finding of initial interest confusion under the Ninth Circuit's more expansive application of the doctrine based on the defendants' use of the “Smart Money Clip” mark in sponsored link advertising purchased from Google and in connection with searches for the mark on Skymall.com).

12 See, e.g., Multi Time Machine, Inc. v. Amazon.com, Inc., — F.3d —, 2015 WL 6161600 (9th Cir. 2015) (affirming the entry of summary judgment for Amazon.com in a sponsored link case where the plaintiff alleged that Amazon's presentation of listings for competing products in response to search queries for plaintiff's watches on the Amazon.com website was likely to cause initial interest confusion); 1-800-Contacts, Inc. v. Lens.com, Inc., 722 F.3d 1229 (10th Cir. 2013) (affirming the entry of summary judgment for the defendant, Lens.com, on all but one claim, finding no likelihood of initial interest confusion in a sponsored links case where initial interest confusion occurred at most 1.5% of the time that a Lens.com advertisement was generated by one of nine challenged keywords and therefore could not be said to likely lure consumers in search of the plaintiff’s product to those of the defendant; reversing and remanding the lower court’s order granting summary judgment on plaintiff’s claim for contributory infringement based on alleged direct infringement by a Lens.com affiliate); Rosetta Stone Ltd. v. Google, Inc., 676 F.3d 144 (4th Cir. 2012) (affirming the entry of summary judgment for Google on Rosetta Stone's claims for vicarious trademark infringement and unjust enrichment, but vacating summary judgment on Rosetta Stone's claims for direct and contributory infringement and dilution because material facts were disputed); Van Rentals, Inc. v. Auto Mobility Sales, Inc., — F. Supp. 3d —, 2015 WL 179294, at *1, 4-6 (M.D. Fla. 2015) (granting summary judgment for the defendant in a suit based in part on the defendant's purchase of the keywords “medical” and “travel” as dynamic keyword insertions (so that Auto Mobility's advertisements would appear when those words were searched in combination) because plaintiff's alleged DISCOUNT MOBILITY and MEDICAL TRAVEL marks were descriptive and had not acquired secondary meaning); Earthcam, Inc. v. Oxblue Corp., 49 F. Supp. 3d 1210, 1240–41 (N.D. Ga. 2014) (granting summary judgment for the defendant on plaintiff’s claims for trademark infringement based on initial interest confusion, false designation of origin, unfair competition, and deceptive trade practices arising out of defendant's purchase of plaintiff's “oxblue” mark as a keyword to generate sponsored link

and denied13 summary judgment motions brought by both

advertisements, where the plaintiff failed to present admissible evidence to support likelihood of confusion); CollegeSource, Inc. v. AcademyOne, Inc., Civil Action No. 10-3542, 2012 WL 5269213 (E.D. Pa. Oct. 25, 2012) (granting summary judgment for the defendant on plaintiff’s trademark infringement and unfair competition claims under the Lanham Act based on the court’s finding that AcademyOne’s purchase of AdWords containing CollegeSource’s marks were not likely to cause consumer confusion), aff'd, 597 F. App'x 116, 130-31 (3d Cir. 2015); Jurin v. Google Inc., No. 2:09-cv-03065-MCE-CKD, 2012 WL 5011007 (E.D. Cal. Oct. 17, 2012) (granting Google's unopposed motion for summary judgment on Jurin's claims for trademark infringement and dilution and false advertising under the Lanham Act); Sellify Inc. v. Amazon.com, Inc., No. 09 Civ. 0268 (JSR), 2010 WL 4455830 (S.D.N.Y. Nov. 14, 2010) (granting summary judgment for Amazon.com on claims for contributory and vicarious trademark infringement and alleged violations of the Connecticut Unfair Trade Practices Act where there was “no evidence that Amazon had particularized knowledge of, or direct control over,” third party sponsored link advertisements purchased by one of Amazon.com's more than 3 million associates, where Amazon.com itself did not itself directly use Sellify's mark and where there was no agency relationship between Amazon.com and its associate); J.G. Wentworth, S.S.C. LP v. Settlement Funding LLC, 85 U.S.P.Q.2d 1780, 2007 WL 30115 (E.D. Pa. Jan. 4, 2007) (granting summary judgment for the defendant in a sponsored link case based on the narrower application of the initial interest confusion doctrine applied in the Third Circuit).

13 See, e.g., Rosetta Stone Ltd. v. Google, Inc., 676 F.3d 144 (4th Cir. 2012) (vacating summary judgment on Rosetta Stone's claims for direct and contributory infringement and dilution because material facts were disputed, but affirming the entry of summary judgment for Google on Rosetta Stone's claims for vicarious trademark infringement and unjust enrichment); 1-800-Contacts, Inc. v. Lens.com, Inc., 722 F.3d 1229 (10th Cir. 2013) (reversing and remanding the lower court’s order granting summary judgment on plaintiff’s claim for contributory infringement based on alleged direct infringement by a Lens.com affiliate, but otherwise affirming summary judgment for the defendant on all other claims); Scooter Store, Inc. v. SpinLife.com, LLC, No. 2:10-vc-18, 2011 WL 6415516, at *4 (S.D. Ohio Dec. 21, 2011) (denying in part defendant's summary judgment motion because the use of a mark in metadata and for keyword purchases was potentially actionable based on initial interest confusion); Fair Isaac Corp. v. Experian Information Solutions Inc., 645 F. Supp. 2d 734, 761 (D. Minn. 2009) (denying in part defendants' motion for summary judgment in a case brought by an analytics corporation against credit bureaus that were alleged to have created a competing product, where the court found factual disputes over likelihood of confusion for all marks and secondary meaning for one precluded summary judgment in a sponsored link case); Standard Process, Inc. v. Total Health Discount, Inc., 559 F. Supp. 2d 932 (E.D. Wis. 2008) (denying defendant's motion for summary judgment based on the nominative fair use defense where the defendant used the pronouns “we” and “our” to refer to plaintiff's products, which therefore created at least a factual question about sponsorship, affiliation or

plaintiffs and defendants.

Judgment also has been entered for plaintiffs14 and defendants15 in sponsored link cases following trial on the merits.

endorsement).

14 See Chow v. Chau, 555 F. App’x 842 (11th Cir. 2014) (affirming a jury award of $500,000 to the corporate plaintiff and reinstating the jury award of $520,451 to Mr. Chow, the individual plaintiff, for false advertising and unfair competition by a former longtime employee of Mr. Chow, who set up competing restaurants in the same cities where Mr. Chow restaurants were located and used a similar menu, décor and “noodle show” as the famous Mr. Chow restaurants, where the defendants made deceptive statements, falsely claiming that the former employee was the “architect” and “mastermind” of the menu at Mr. Chow, and purchased “Chow” and “Mr. Chow” as sponsored links so that the website for defendants’ restaurants would appear in the search results when people searched for Mr. Chow); Binder v. Disability Group, Inc., 772 F. Supp. 2d 1172 (C.D. Cal. 2011) (awarding $292,235.20 (double lost profits) and attorneys' fees for defendants' willful trademark infringement and false advertising under the Lanham Act (and finding defendants liable for unfair competition under California law) following a bench trial in a suit brought by the owners of trademarks associated with their disability law firm against a competitor and its principal, who bid on and purchased “Binder and Binder” through Google AdWords to display advertisements for their competing law firm); Mary Kay, Inc. v. Weber, 661 F. Supp. 2d 632 (N.D. Tex. 2009) (awarding $1,139,962 in damages and broad injunctive relief following a jury trial, but declining to prohibit defendants from purchasing “Mary Kay” as keywords for sponsored links or other lawful advertising that did not suggest sponsorship, affiliation or endorsement); TrafficSchool.com, Inc. v. eDriver, Inc., 633 F. Supp. 2d 1063 (C.D. Cal. 2008) (imposing a permanent injunction following a bench trial for false advertising under the Lanham Act, on the operators of DMV.ORG, a site that earned fees by referring users to traffic school and driver's education course providers which sought to benefit from perceptions that it was a government-run website by, among other things, purchasing “DMV” as a keyword to deliver sponsored links captioned “California DMV” and “California DMV Drivers Ed” and “CA Drivers Ed Online.”), aff'd in part and rev'd in part, 653 F.3d 820 (9th Cir. 2011) (reversing on the scope of the injunction and the court's denial of plaintiff's application for attorneys' fees).

15 See College Network, Inc. v. Moore Educational Publishers, Inc., 378 F. App'x 403 (5th Cir. 2010) (affirming a jury verdict for the defendant in a suit over defendant's purchase of “The College Network” from Google and Yahoo! to trigger sponsored links, where the jury found that the plaintiff's mark was valid but it was not infringed); Tiffany (NJ) Inc. v. eBay Inc., 600 F.3d 93 (2d Cir.) (affirming the entry of judgment following a bench trial on Tiffany's claims for trademark infringement and dilution, based on eBay's use of Tiffany in a non-trademark sense to advertise Tiffany products actually sold on eBay, but remanding for further consideration Tiffany's claim that sponsored links advertising Tiffany products on eBay, while not literally false, might be found misleading or

In addition, remedies have been granted in connection with a default judgment.16 In at least one instance, individual liability was imposed on a corporate official in a sponsored link case.17 Cases, however, often turn on specific facts.

confusing), cert. denied, 562 U.S. 1082 (2010); General Steel Domestic Sales, LLC v. Chumley, Civil Action No. 10-cv-01398-PAB-KLM, 2013 WL 1900562, at *9-11 (D. Colo. May 7, 2013) (entering judgment for the defendant on plaintiff’s claims for use of its mark to trigger sponsored link advertisements and in the text of those advertisements based on a failure of proof to show likelihood of confusion, following a bench trial); Tiffany (NJ) Inc. v. eBay, Inc., Case No. 04 Civ. 4607 (RJS), 2010 WL 2722894 (S.D.N.Y. Sept. 13, 2010) (entering judgment for eBay on Tiffany's false advertising claim following remand from the Second Circuit); Fair Isaac Corp. v. Experian Information Solutions Inc., No. 06-4112, 2009 WL 4263699 (D. Minn. 2009) (entering judgment for the defendant credit bureaus following trial where the court found no credible inference of likelihood of confusion with respect to marks purchased by the defendants to trigger sponsored links and the jury had earlier found no secondary meaning with respect to one other mark held by the court to be descriptive (“300-850”), which the defendants had also purchased as a key word to trigger sponsored links); Fair Isaac Corp. v. Experian Information Solutions Inc., 711 F. Supp. 2d 991 (D. Minn. 2010) (granting in part and denying in part post-trial motions and awarding costs but not attorneys' fees to the prevailing defendants); Government Employees Ins. Co. v. Google, Inc., 77 U.S.P.Q.2d 1841, 2005 WL 1903128 (E.D. Va. Aug. 5, 2005) (holding, following trial, that GEICO had been unable to present any evidence of likelihood of confusion based on Google's sale of sponsored links triggered by searches for its mark, except in narrow circumstances where GEICO's mark appeared in the text of an ad).

16 See, e.g., Consumer Source Holding, Inc. v. Does 1-24, No. 1:13-cv-1512 (AJT/JFA), 2014 WL 2967942 (E.D. Va. June 30, 2014) (enjoining and restraining defendants “from using Plaintiff's registered trademarks . . . or any confusingly similar trademarks within domain name extensions, metatags or other markers within website source code, from use on any webpage (including as the title of any web page), any advertising links to other websites, from search engines' databases or cache memory, and any other form of use of such terms which is visible to a computer user or serves to direct computer searches to websites registered, owned, or operated by each Defendant, including the Internet websites operating under the domain names in Appendix A . . . .”); Craigslist, Inc. v. Naturemarket, Inc., 694 F. Supp. 2d 1039, 1058–60 (N.D. Cal. 2010) (entering a default judgment for trademark infringement under the Lanham Act and California law based on the defendants' display of the Craigslist mark in the text and in the headings of sponsored links advertising products to automate the process of posting listings to Craigslist, in advertising their products and on their website).

17 See Binder v. Disability Group, Inc., 772 F. Supp. 2d 1172, 1181-82 (C.D. Cal. 2011) (imposing individual liability for an award of $292,235.20 (double lost profits) for defendants' willful trademark infringement and false advertising under the Lanham Act in a suit brought by the owners of

9-182 Search Engine Marketing 9.11[3]

Even where liability is established, injunctive relief may be narrowly granted with respect to use of a mark in connection with sponsored links. For example, in Mary Kay, Inc. v. Weber,18 the court entered a broad injunction against trademark infringement and upheld an award of $1,139,962 plus post-judgment interest, following a jury verdict for the plaintiff, but declined to prevent defendants from continuing to use “Mary Kay” to trigger sponsored links on Google or Yahoo!, as Mary Kay had requested. In that case, a manufacturer/wholesale distributor had sued former independent sales representatives who purchased Mary Kay products on eBay and then resold them at a store on eBay called “marykay1stop.” After Mary Kay complained of contract and trademark violations, the defendants changed the name of their store to Touch of Pink and created touchofpinkcosmetics.com, independent of the eBay store. The jury had found in favor of Mary Kay on its claims for unfair competition, passing off, and trademark infringement under the Lanham Act and unfair competition and trademark infringement under Texas common law. The court broadly enjoined defendants from using the names “Touch of Pink” or “MaryKay1Stop,” selling expired or past-shelf life Mary Kay products or suggesting endorsement or sponsorship by or affiliation with Mary Kay. Even though the case involved ample evidence of defendants improperly suggesting sponsorship, affiliation and endorsement, the court declined to enjoin defendants from using “Mary Kay” in connection with sponsored links.19 The solution to the problem of defendants' trademark infringement, the court wrote, “is to require the defendants to alter the language, appearance and tone of the website—not to ban them from selling genuine

trademarks associated with their disability law firm against a competitor and its principal, who bid on and purchased “Binder and Binder” through Google AdWords to display advertisements for their competing law firm); see generally supra § 6.10[4] (analyzing the individual liability of corporate officials).

18 Chow v. Chau, 555 F. App’x 842 (11th Cir. 2014) (affirming a jury award of $500,000 to the corporate plaintiff and reinstating a jury award of $520,451 to the individual plaintiff, where the defendants made deceptive statements and purchased “Chow” and “Mr. Chow” as sponsored links so that the website for defendants’ restaurants would appear in the search results when people searched for Mr. Chow); Mary Kay, Inc. v. Weber, 661 F. Supp. 2d 632 (N.D. Tex. 2009).

19 Mary Kay, Inc. v. Weber, 661 F. Supp. 2d 632, 646 (N.D. Tex. 2009).

Pub. 12/2015 9-183 9.11[3] E-Commerce and Internet Law

Mary Kay products in a proper manner.”20

Similarly, even if trademark infringement or dilution, unfair competition or false advertising is proven, damages and attorneys' fees, which are not automatic under the Lanham Act,21 may not necessarily be awarded to a prevailing plaintiff22 (or awarded to a prevailing defendant23), although they have been in some cases.24 Damages are awarded in the discretion of the court in a Lanham Act case, but may be difficult to prove, or merely de minimis, in many sponsored link cases, absent other facts (such as those described in Mary Kay, Inc. v. Weber). Likelihood of confusion or dilution potentially may be shown by the use of a mark to trigger a sponsored link, but also may be established based on the text surrounding a sponsored link25 or the layout of a search results page (if, for

20 Mary Kay, Inc. v. Weber, 661 F. Supp. 2d 632, 645 (N.D. Tex. 2009).

21 See supra §§ 6.16[2], 6.16[3].

22 See, e.g., Digby Adler Group LLC v. Image Rent a Car, Inc., No. 10-cv-00617-SC, 2015 WL 525906, at *3, 11 (N.D. Cal. Feb. 6, 2015) (granting summary judgment for plaintiff on its claims for cybersquatting, copyright infringement and trademark infringement, where defendants, competitors in the van rental industry, registered plaintiff's “Bandango” mark as a domain name and bid on Google AdWords search terms “Bandango,” “Bandango van rental,” and “Bantango van rentals,” but declining to award disgorgement of profits where defendants bid on 14,057 keywords through their AdWord accounts but only 14 (or 0.1%) included the word “bandango” and, of those 14, only three generated any clicks; “In other words, Defendants' bids on infringing keywords from November 2008 to April 2009 resulted in a total of three visits to Defendants' website. Even assuming all three visits were from different users, that each would have rented from Bandango absent these advertisements, and that each of those users proceeded to rent vans from Defendants instead, Digby's actual damages attributable to the infringing AdWords must have been vanishingly small.”).

23 See, e.g., Fair Isaac Corp. v. Experian Information Solutions Inc., 711 F. Supp. 2d 991 (D. Minn. 2010) (granting in part and denying in part post-trial motions and awarding costs but not attorneys' fees to the prevailing defendants).

24 See Mary Kay, Inc. v. Weber, 661 F. Supp. 2d 632 (N.D. Tex. 2009) (awarding $1,139,962 plus post-judgment interest in a case where the defendant was found liable for suggesting sponsorship, affiliation and endorsement).

25 See, e.g., 1-800-Contacts, Inc. v. Lens.com, Inc., 722 F.3d 1229, 1252-55 (10th Cir. 2013) (reversing and remanding the entry of summary judgment on plaintiff’s claim for contributory infringement for a sponsored link advertisement placed by a Lens.com affiliate which included plaintiff’s

example, paid links were interspersed with natural search results such that consumers could not tell the difference, which is not the practice of major search engines).26 Whether a mark actually is visible to users in connection with the display of a sponsored link, however, is not determinative in establishing likelihood of confusion.27

mark in the text of the advertisement); Government Employees Ins. Co. v. Google, Inc., 77 U.S.P.Q.2d 1841, 2005 WL 1903128 (E.D. Va. 2005) (holding, following trial, that GEICO had been unable to present any evidence of likelihood of confusion based on Google's sale of sponsored links triggered by searches for its mark, except in narrow circumstances where GEICO's mark appeared in the text of an ad); see also Hearts on Fire Co. v. Blue Nile, Inc., 603 F. Supp. 2d 274 (D. Mass. 2009) (denying defendant's motion to dismiss trademark infringement and unfair competition claims under the Lanham Act and Massachusetts law based on the defendant's purchase of sponsored links tied to “Hearts on Fire” and the display of the mark in text next to the sponsored links); Standard Process, Inc. v. Total Health Discount, Inc., 559 F. Supp. 2d 932 (E.D. Wis. 2008) (denying defendant's motion for summary judgment based on the nominative fair use defense where the defendant used the pronouns we and our to refer to plaintiff's products which therefore created at least a factual question about sponsorship, affiliation or endorsement).

26 See 800-JR Cigar, Inc. v. GoTo.com, Inc., 437 F. Supp. 2d 273, 286–93 (D.N.J. 2006) (holding that factual issues precluded summary judgment on the issues of likelihood of confusion and dilution and fair use in connection with plaintiff's claims for trademark infringement and unfair competition based on the use by a pay-for-priority search engine of plaintiff's famous marks as search terms, sold to plaintiff's direct competitors, where the defendant ranked paid responses above natural search results, sold search results tied to plaintiff's mark to 11 of plaintiff's competitors and, through its automated suggestion tool, actively marketed plaintiff's mark to competitors as a paid search term).

27 See, e.g., Fair Isaac Corp. v. Experian Information Solutions Inc., 645 F. Supp. 2d 734, 761 (D. Minn. 2009) (holding that factual disputes over likelihood of confusion precluded summary judgment). Older cases that drew a distinction between uses where the mark was displayed, which were actionable, and those where the mark was not visible to users, which were not actionable, were premised on the flawed assumption that a mark was not used “in commerce” under the Lanham Act unless it was visible to consumers, which was soundly rejected by the Second Circuit in Rescuecom Corp. v. Google Inc., 562 F.3d 123, 127–31 (2d Cir. 2009). Of course, if a mark is used to trigger sponsored links and used in the text of the advertisement itself (or in other ways), it may bolster a mark owner's potential claim. Use of a mark in the text of the advertisement surrounding the sponsored link also may create confusion or dilution which otherwise might not be found based solely on the use of the mark to trigger sponsored links. See, e.g., Government Employees Ins. Co. v. Google, Inc., 77 U.S.P.Q.2d 1841, 2005 WL 1903128 (E.D. Va. Aug. 5, 2005) (holding, following trial, that GEICO could not establish likelihood of confusion


Confusion or dilution also may be established by the landing page that users access when clicking on a sponsored link. Often, however, the landing page itself is not actionable in sponsored link cases, which is why the mark owner has sued only over the link. In such cases (assuming the use is not fair or otherwise permissible), whether a plaintiff is able to prevail on a claim for trademark infringement often turns on the applicability of the doctrine of initial interest confusion, which is not universally recognized and, even where it is, not applied uniformly.28

Depending on the nature of the advertisement and the explanatory text adjacent to the link, likelihood of confusion may be difficult to show in the Fourth Circuit where a court would look at both the advertisement and related link and the entire contents of the defendant's website.29 By contrast, other courts apply the initial interest confusion doctrine which makes potentially actionable acts that create merely initial confusion—such as attempts to use a competitor's goodwill to lure Internet visitors to a site that on its own would not be likely to create consumer confusion.30 While the Ninth Circuit had applied this doctrine broadly from 1999 to 2010, other courts did not. Thus, for example, in the Third Circuit, the initial interest confusion doctrine is likely to be applied narrowly in a way that made it more difficult for trademark owners to prevail in Internet advertising cases than was the case in the Ninth Circuit,31 at least prior to 2011.

based on Google's sale of sponsored links triggered by searches for its mark, but could where GEICO's mark appeared in the text of an ad). While a mark need not be visible to be actionable, a mark owner must present evidence to show how a mark is used to deliver sponsored links. See, e.g., Children's Legal Services PLLC v. Kresch, 545 F. Supp. 2d 653, 662 (E.D. Mich. 2008) (denying summary judgment where the mark owner failed to present any evidence to substantiate its allegation that a competing advertiser of legal services to parents of children injured by medical malpractice had purchased its mark as a keyword to deliver sponsored links to users looking for its site).

28 See supra § 7.08[2].

29 See Lamparello v. Falwell, 420 F.3d 309 (4th Cir. 2005).

30 See generally supra § 7.08[2] (analyzing the doctrine and its application in each of the federal circuits).

31 Compare J.G. Wentworth, S.S.C. LP v. Settlement Funding LLC, 85 U.S.P.Q.2d 1780, 2007 WL 30115 (E.D. Pa. Jan. 2007) (granting summary judgment for the defendant in a sponsored link case based on the Third Circuit's somewhat narrower application of the initial interest confusion


Indeed, prior to 2011, venue decisions potentially had a significant impact on the outcome of a sponsored link case. In addition to differing views on the initial interest confusion doctrine, the Ninth Circuit's modified three-part “Internet ‘troika’ ” test for finding likelihood of confusion in Internet cases, which was applied in sponsored link cases in place of the traditional full test for confusion,32 could impact the outcome of a case if suit was brought in the Ninth Circuit (although not necessarily elsewhere).33 Differences between the Third and Ninth Circuit's tests for evaluating nominative fair use also may affect the outcome of a case.34

In Network Automation, Inc. v. Advanced Systems Concepts, Inc.,35 the Ninth Circuit in 2011 clarified that the initial interest confusion doctrine and so-called Internet troika test should not be applied mechanically or in a wooden fashion merely because a case involves an Internet dispute and held that in a sponsored link case likelihood of confusion must take into account the surrounding context in which a

doctrine applied in the Third Circuit) with Storus Corp. v. Aroa Marketing, Inc., 87 U.S.P.Q.2d 1032, 2008 WL 449835 (N.D. Cal. Feb. 15, 2008) (granting summary judgment for the plaintiff in a sponsored link case based on the Ninth Circuit's more expansive application of the initial interest confusion doctrine); see generally supra § 7.08[2] (analyzing the approaches of the different federal circuit courts to initial interest confusion).

32 In Internet cases, the Ninth Circuit, prior to 2011, generally applied only three of the factors from the traditional test for establishing likelihood of confusion (similarity of the marks, relatedness of the goods or services and simultaneous use of the Internet as a marketing channel). See, e.g., Perfumebay.com Inc. v. eBay, Inc., 506 F.3d 1165, 1173 (9th Cir. 2007); Finance Express LLC v. Nowcom Corp., 564 F. Supp. 2d 1160 (C.D. Cal. 2008) (entering a preliminary injunction for the plaintiff in a key word case based on the three part test); see generally supra § 6.09[4] (analyzing the Ninth Circuit's approach). Today, that test may still be applied in appropriate circumstances but was characterized in Network Automation, Inc. v. Advanced Systems Concepts, Inc., 638 F.3d 1137, 1148-49 (9th Cir. 2011) as ill-suited for sponsored link cases.

33 See, e.g., College Network, Inc. v. Moore Educational Publishers, Inc., 378 F. App'x 403 (5th Cir. 2010) (declining to apply the Ninth Circuit's “controlling troika or Internet trinity” test for likelihood of confusion in a sponsored link case where the plaintiff conceded that confusion could not be shown under the traditional test but argued that it was established under the Ninth Circuit test, where the plaintiff had not raised its applicability below).

34 See supra § 6.14[3].

35 Network Automation, Inc. v. Advanced Systems Concepts, Inc., 638 F.3d 1137 (9th Cir. 2011).

sponsored link advertisement appears.

The district court in Network Automation had preliminarily enjoined a defendant from using the plaintiff's trademark to trigger sponsored link advertisements for its competing products. In reversing and vacating the order, the Ninth Circuit panel held that the district court abused its discretion in finding likelihood of confusion in a case involving sponsored link comparative advertisements. In so ruling, the court provided broad guidance about the limits of both the initial interest confusion doctrine and Internet troika test in the Ninth Circuit.

The Ninth Circuit panel observed that Internet users in 2011 were more sophisticated than when the initial interest confusion doctrine was first applied to Internet cases by courts in the Ninth Circuit in 199936 and therefore exercised a greater degree of care.37 Quoting an earlier nominative fair use case, the panel explained that:

[I]n the age of FIOS, cable modems, DSL and T1 lines, reasonable, prudent and experienced internet consumers are accustomed to such exploration by trial and error. They skip from site to site, ready to hit the back button whenever they're not satisfied with a site's contents. They fully expect to find some sites that aren't what they imagine based on a glance at the domain name or search engine summary. Outside the special case of . . . domains that actively claim affiliation with the trademark holder, consumers don't form any firm expectations about the sponsorship of a website until they've seen the landing page—if then.38

With respect to the Internet troika test, the panel explained that the Ninth Circuit “did not intend Brookfield to be read so expansively as to forever enshrine th[e] three factors—now often referred to as the ‘Internet trinity’ or ‘Internet troika’—as the test for trademark infringement on the Internet.”39 The court concluded that the use of the troika would be a “particularly poor fit” for evaluating likelihood of

36 See Brookfield Communications, Inc. v. West Coast Entertainment Corp., 174 F.3d 1036 (9th Cir. 1999) (applying initial interest confusion).

37 See Network Automation, Inc. v. Advanced Systems Concepts, Inc., 638 F.3d 1137, 1152 (9th Cir. 2011) (“[T]he default degree of consumer care is becoming more heightened as the novelty of the Internet evaporates and online commerce becomes commonplace.”).

38 Network Automation, Inc. v. Advanced Systems Concepts, Inc., 638 F.3d 1137, 1152–53 (9th Cir. 2011), quoting Toyota Motor Sales, U.S.A., Inc. v. Tabari, 610 F.3d 1171, 1179 (9th Cir. 2010).

39 Network Automation, Inc. v. Advanced Systems Concepts, Inc., 638

confusion in a sponsored link case given the relative sophistication of Internet users in 2011, although the panel suggested in dicta that it may still be appropriate for domain name disputes.40 The court explained that “[g]iven the multifaceted nature of the Internet and the ever-expanding ways in which we all use the technology, . . . it makes no sense to prioritize the same three factors for every type of potential online commercial activity.”41

The Network Automation court stressed that the various tests potentially applicable for evaluating Lanham Act violations online should be applied flexibly to focus on the ultimate issue of consumer confusion. With respect to keyword advertising, the panel emphasized that what a consumer saw on the screen and reasonably believed given the context was most important.42

The Ninth Circuit held that the surrounding context—with sponsored link advertisements placed in a separately labeled area by both Google and Bing—and the sophistication of Internet consumers, among other things, showed that the plaintiff had not established likelihood of confusion and on that basis reversed and vacated the preliminary injunction. The panel explained that “Google and Bing have partitioned their search results pages so that the advertisements appear in separately labeled sections for ‘sponsored’ links. The labeling and appearance of the advertisements as they appear on the results page includes more than the text of the advertisement, and must be considered as a whole.”43

Significantly, even though the defendant alleged that the case involved lawful comparative advertising, the panel chose to analyze the case in terms of likelihood of confusion,

F.3d 1137, 1148 (9th Cir. 2011).

40 See Network Automation, Inc. v. Advanced Systems Concepts, Inc., 638 F.3d 1137, 1148–49 (9th Cir. 2011).

41 Network Automation, Inc. v. Advanced Systems Concepts, Inc., 638 F.3d 1137, 1148 (9th Cir. 2011).

42 Network Automation, Inc. v. Advanced Systems Concepts, Inc., 638 F.3d 1137, 1153 (9th Cir. 2011), quoting Hearts on Fire Co. v. Blue Nile, Inc., 603 F. Supp. 2d 274, 289 (D. Mass. 2009). The Ninth Circuit declined to specifically adopt the Blue Nile test, however. The panel explained that “[w]hile we agree that the decision's reasoning is useful, we decline to add another multi-factor test to the extant eight-factor Sleekcraft test.” Id. at 1153 n.6.

43 Network Automation, Inc. v. Advanced Systems Concepts, Inc., 638 F.3d 1137, 1154 (9th Cir. 2011).

rather than fair use,44 making it potentially more difficult for trademark owners to prevail or even state a claim based on initial interest confusion. In litigation, a plaintiff bears the burden of proving likelihood of confusion, whereas a defendant generally bears the burden of proving affirmative defenses such as fair use.

Four years later, a different, sharply divided Ninth Circuit panel reaffirmed Network Automation in Multi Time Machine, Inc. v. Amazon.com, Inc.,45 after first issuing, and then withdrawing, an opinion that would have limited the potential scope of Network Automation—particularly in cases involving e-commerce sales sites.46

Multi Time Machine was a suit brought by the maker of high-end, military style watches that were not available for purchase on the Amazon.com website. Because Amazon did not sell MTM watches, a search for those products on its website produced a list of competing watches that were available (among other things). In affirming summary judgment for Amazon on plaintiff's claim for trademark infringement, the majority held that because Amazon's search results page clearly labeled the name and manufacturer of each product offered for sale “and even include[d] photographs of the items . . . ,” which presumably were not required to mitigate potential confusion, “no reasonably prudent customer accustomed to shopping online would likely be confused as to the source of the products.”47

Judge Carlos Bea dissented,48 emphasizing the number of times that MTM Special Ops was visible on the screen when a user searched for that product. He explained that if a user searched for an MTM Special Ops watch on Amazon.com,

44 Network Automation, Inc. v. Advanced Systems Concepts, Inc., 638 F.3d 1137, 1152 n.5 (9th Cir. 2011).

45 Multi Time Machine, Inc. v. Amazon.com, Inc., — F.3d —, 2015 WL 6161600 (9th Cir. 2015).

46 Multi Time Machine, Inc. v. Amazon.com, Inc., 792 F.3d 1070 (9th Cir. 2015), op. withdrawn and new op. filed, — F.3d —, 2015 WL 6161600 (9th Cir. 2015).

47 Multi Time Machine, Inc. v. Amazon.com, Inc., — F.3d —, 2015 WL 6161600, at *1 (9th Cir. 2015).

48 Judge Bea had written the initial majority opinion, joined by Judge Gordon J. Quist of the Western District of Michigan, sitting by designation, who changed his mind and sided with Judge Barry Silverman, who previously had written a strong dissent, in response to Amazon's motion for reconsideration and multiple amicus briefs urging reconsideration.

the search would display MTM Special Ops (1) in the search field, (2) in quotation marks below the search field, and (3) as part of the suggested search “Related Searches: MTM special ops watch,” above a notice that read “Showing 10 Results” (which displayed offers for competing watches). These notices were generated algorithmically based on searches conducted by other users and Amazon's proprietary “Behavior Based Search Technology” that predicted the types of searches and products that users would be interested in based on the specific query posed. Judge Bea argued that this contrasted unfavorably with Amazon competitors Buy.com and Overstock.com, which simply informed users who searched for “MTM Special Ops” that there was no match, and offered no alternatives.49

Judge Silverman, for the 2-1 majority, rejected these arguments—and the notion that an e-commerce site should not offer users alternatives when a requested item is unavailable—explaining that Amazon was merely “responding to a customer's inquiry about a brand it d[id] not carry by doing no more than stating clearly (and showing pictures of) what brands it d[id] carry.”50

He wrote that “in evaluating claims of trademark infringement in cases involving Internet search engines, . . . [the Ninth Circuit has] found particularly important an additional factor that is outside of the eight-factor Sleekcraft test: ‘the labeling and appearance of the advertisements and the surrounding context on the screen displaying the results page.’ ”51 Judge Silverman explained, however, that the traditional multi-factor test for evaluating likelihood of confusion was less helpful in a case where a merchant is “responding to a request for a particular brand it does not sell by offering other brands clearly identified as such . . .”52 than in the more typical case, where it is applied to analyze “whether

49 Multi Time Machine, Inc. v. Amazon.com, Inc., — F.3d —, 2015 WL 6161600, at *8-13 (9th Cir. 2015) (Bea, J. dissenting).

50 Multi Time Machine, Inc. v. Amazon.com, Inc., — F.3d —, 2015 WL 6161600, at *3 (9th Cir. 2015).

51 Multi Time Machine, Inc. v. Amazon.com, Inc., — F.3d —, 2015 WL 6161600, at *3 (9th Cir. 2015), quoting Network Automation, Inc. v. Advanced Systems Concepts, Inc., 638 F.3d 1137, 1154 (9th Cir. 2011).

52 Multi Time Machine, Inc. v. Amazon.com, Inc., — F.3d —, 2015 WL 6161600, at *3 (9th Cir. 2015).

two competing brands' marks are sufficiently similar to cause consumer confusion.”53 The majority elaborated that although the case involved “brands that compete with MTM, such as Luminox, Chase-Durer, TAWATEC, and Modus, MTM does not contend that the marks for these competing brands are similar to its trademarks. Rather, MTM argues that the design of Amazon's search results page creates a likelihood of initial interest confusion.”54 Judge Silverman characterized this as “a different type of confusion . . . not caused by the design of the competitor's mark, but by the design of the web page that is displaying the competing mark and offering the competing products for sale.”55

In such a case, Judge Silverman explained, “the ultimate test for determining likelihood of confusion is whether a ‘reasonably prudent consumer’ in the marketplace is likely to be confused” about the origin of the goods, which was a determination that could be made “simply by a[n] evaluation of the web page at issue and the relevant consumer.”56 The majority reiterated that in keyword advertising cases, likelihood of confusion “will ultimately turn on what the consumer saw on the screen and reasonably believed, given the context.”57 Stated differently, Judge Silverman explained that the outcome in the case depended on the answer to two questions: “(1) Who is the relevant reasonable consumer?; and (2) What would he reasonably believe based on what he saw on the screen?”58

In Multi Time Machine, the majority concluded that because the goods at issue were expensive, the relevant consumer was “a reasonably prudent consumer accustomed

53 Multi Time Machine, Inc. v. Amazon.com, Inc., — F.3d —, 2015 WL 6161600, at *4 (9th Cir. 2015) (emphasis in original).

54 Multi Time Machine, Inc. v. Amazon.com, Inc., — F.3d —, 2015 WL 6161600, at *4 (9th Cir. 2015) (emphasis in original).

55 Multi Time Machine, Inc. v. Amazon.com, Inc., — F.3d —, 2015 WL 6161600, at *4 (9th Cir. 2015).

56 Multi Time Machine, Inc. v. Amazon.com, Inc., — F.3d —, 2015 WL 6161600, at *4 (9th Cir. 2015) (citing earlier cases).

57 Multi Time Machine, Inc. v. Amazon.com, Inc., — F.3d —, 2015 WL 6161600, at *4 (9th Cir. 2015), quoting Network Automation, Inc. v. Advanced Systems Concepts, Inc., 638 F.3d 1137, 1153 (9th Cir. 2011).

58 Multi Time Machine, Inc. v. Amazon.com, Inc., — F.3d —, 2015 WL 6161600, at *4 (9th Cir. 2015).

to shopping online.”59 With respect to the second question, the majority found that the products at issue were clearly labeled by brand name and model number (with the manufacturer's name sometimes listed twice—such as “Luminox Men's 8401 Black Ops Watch by Luminox” or “Chase-Durer Men's 246.4BB7-XL-BR Underwater Demolition Team Watch by Chase-Durer”) and were accompanied by a photograph of the item, making it “unreasonable to suppose that the reasonably prudent consumer accustomed to shopping online would be confused about the source of the goods.”60

The majority rejected MTM's argument that initial interest confusion might occur because Amazon listed the search term used (in this case, mtm special ops) three times at the top of the search page. Judge Silverman explained that “merely looking at Amazon's search results page shows that such consumer confusion is highly unlikely.”61 None of the watches included in the search results page were labeled MTM or Special Ops, let alone the specific phrase MTM Special Ops. Further, Judge Silverman noted that some of the products listed were not even watches. He elaborated:

The tenth result is a book entitled “The Moses Expedition: A Novel by Juan Gómez–Jurado.” No reasonably prudent consumer, accustomed to shopping online or not, would assume that a book entitled “The Moses Expedition” is a type of MTM watch or is in any way affiliated with MTM watches. Likewise, no reasonably prudent consumer accustomed to shopping online would view Amazon's search results page and conclude that the products offered are MTM watches. It is possible that someone, somewhere might be confused by the search results page. But, “[u]nreasonable, imprudent and inexperienced web-shoppers are not relevant.” Tabari, 610 F.3d at 1176; see also Network Automation, 638 F.3d at 1153 (“[W]e expect consumers searching for expensive products online to be even more sophisticated.”). To establish likelihood of confusion, MTM must show that confusion is likely, not just possible. See Murray, 86 F.3d at 861.62

The majority also rejected MTM's argument that, to eliminate

59 Multi Time Machine, Inc. v. Amazon.com, Inc., — F.3d —, 2015 WL 6161600, at *5 (9th Cir. 2015), quoting Toyota Motor Sales, U.S.A., Inc. v. Tabari, 610 F.3d 1171, 1176 (9th Cir. 2010).

60 Multi Time Machine, Inc. v. Amazon.com, Inc., — F.3d —, 2015 WL 6161600, at *5 (9th Cir. 2015).

61 Multi Time Machine, Inc. v. Amazon.com, Inc., — F.3d —, 2015 WL 6161600, at *5 (9th Cir. 2015).

62 Multi Time Machine, Inc. v. Amazon.com, Inc., — F.3d —, 2015 WL 6161600, at *5 (9th Cir. 2015) (emphasis in the original).

likelihood of confusion, Amazon would have to first explain on its search results page that it did not offer MTM watches for sale before suggesting alternative watches to consumers. Judge Silverman wrote that “[t]he search results page makes clear to anyone who can read English that Amazon carries only the brands that are clearly and explicitly listed on the web page. The search results page is unambiguous—not unlike when someone walks into a diner, asks for a Coke, and is told ‘No Coke. Pepsi.’ ”63 He held that “[i]n light of the clear labeling Amazon uses on its search results page, no reasonable trier of fact could conclude that Amazon's search results page would likely confuse a reasonably prudent consumer accustomed to shopping online as to the source of the goods being offered.”64

Although Judge Silverman concluded that summary judgment was appropriate based solely on consideration of (1) the type of goods and the degree of care likely to be exercised by the purchaser, and (2) the labeling and appearance of the products for sale and the surrounding context on the screen displaying the results page, for good measure he explained that even if he were to consider the other likelihood of confusion factors they would either be neutral or unimportant in this case. He noted that there was no evidence of actual confusion and similarly no evidence of an intent to confuse consumers. With respect to the strength of the mark, Judge Silverman considered the factor to be unimportant “under the circumstances of this case. Even assuming MTM's mark is one of the strongest in the world—on the same level as Apple, Coke, Disney, or McDonald's—there is still no likelihood of confusion because Amazon clearly

63 Multi Time Machine, Inc. v. Amazon.com, Inc., — F.3d —, 2015 WL 6161600, at *6 (9th Cir. 2015). This quote was a reference to a Saturday Night Live skit from the 1970s about a diner where, in response to a request for a Coke, John Belushi says, in character, “No Coke. Pepsi.” Judge Silverman had explained, in his dissenting opinion in the prior Multi Time Machine opinion, that no one would “seriously contend that the diner violated Coke's trademark by responding to the customer's order that it doesn't carry Coke, only Pepsi.” Multi Time Machine, Inc. v. Amazon.com, Inc., 792 F.3d 1070, 1080-81 (9th Cir. 2015) (Silverman, J. dissenting), op. withdrawn and new op. filed, — F.3d —, 2015 WL 6161600 (9th Cir. 2015).

64 Multi Time Machine, Inc. v. Amazon.com, Inc., — F.3d —, 2015 WL 6161600, at *6 (9th Cir. 2015).

labels the source of the products it offers for sale.”65 He further found that, as in Network Automation, the remaining Sleekcraft factors were “unimportant in a case, such as this, involving Internet search terms where the competing products are clearly labeled and the relevant consumer would exercise a high degree of care.”66

In dissent, Judge Bea argued that whether Amazon's labeling was adequate was a fact question for the jury, not an issue to be decided on summary judgment. He also opined that a jury could infer that a survey, which showed users were confused about why MTM products were not listed, reflected that the products displayed were affiliated with MTM given that luxury brands frequently are “produced by manufacturers of lower-priced, better known brands—just as . . . Timex manufactures watches for luxury fashion houses Versace and Salvatore Ferragamo.”67 Accordingly, he concluded that the risk of initial interest confusion was higher specifically because MTM Special Ops watches were luxury goods. Judge Bea characterized Network Automation as a case that addressed unauthorized use of a trademark to sell advertising keywords, where the search engines clearly labeled the advertisements as such, and which was decided in connection with a preliminary injunction motion, where the relevant legal standard focuses merely on a plaintiff's likelihood of prevailing on the merits. By contrast, Multi Time Machine involved the results pages of product searches conducted for plaintiff's watches on the Amazon.com website that, unlike the Google and Yahoo search pages at issue in Network Automation, did not, in his view, involve “clear labeling” and where the question of whether the plaintiff could establish likelihood of initial interest confusion required a determination of whether material facts precluded

65 Multi Time Machine, Inc. v. Amazon.com, Inc., — F.3d —, 2015 WL 6161600, at *7 (9th Cir. 2015).

66 Multi Time Machine, Inc. v. Amazon.com, Inc., — F.3d —, 2015 WL 6161600, at *7 (9th Cir. 2015), citing Network Automation, Inc. v. Advanced Systems Concepts, Inc., 638 F.3d 1137, 1150-53 (9th Cir. 2011) (finding “proximity of goods,” “similarity of marks,” “marketing channels,” and “likelihood of expansion” to be unimportant in a trademark case involving Internet search terms where the advertisements are clearly labeled and the relevant consumers would exercise a high degree of care).

67 Multi Time Machine, Inc. v. Amazon.com, Inc., — F.3d —, 2015 WL 6161600, at *11 (9th Cir. 2015) (Bea, J. dissenting).

summary judgment, not whether plaintiff was likely to succeed on the merits. Judge Bea further distinguished Network Automation as a case involving advertisements, whereas Multi Time Machine involved product sales. Network Automation, in his view, was a dispute “where the claimant trademark holder's products were displayed alongside the alleged infringers' products, thereby presenting ‘clearly marked options.’ ”68 By contrast, MTM watches were not offered for sale through the Amazon website.

As of late 2015, it remained to be seen whether Multi Time Machine would be reconsidered through en banc review. Whether or not the decision stands, it underscores the importance of clear messaging in disclaiming sponsorship, affiliation and endorsement both in connection with advertisements and landing pages. It also serves as a reminder that case law on sponsored links potentially applies both to (1) Internet searches and ad buys undertaken in connection with marketing and advertisements, and (2) website and mobile search tools used to promote sales on (or through) a given site or service.

The initial interest confusion doctrine, while disfavored by some scholars and less widely applied to Internet cases than during the heyday of its popularity, remains a potential tool for trademark owners in disputes where traditional confusion could not be shown. Notwithstanding Network Automation, it also continues to be widely pled in Internet advertising cases. Network Automation and Multi Time Machine present particular obstacles to plaintiffs in cases in the Ninth Circuit where search results or advertisements are clearly labeled to negate any inference of sponsorship, affiliation or endorsement. Outside the Ninth Circuit, the initial interest confusion doctrine remains viable, but has not been applied as expansively as it once was in the Ninth Circuit.69

In addition to trademark infringement and dilution claims, use of a mark in connection with sponsored links may give rise to a claim for false advertising under the Lanham Act in appropriate circumstances. Unlike a false designation of

68 Multi Time Machine, Inc. v. Amazon.com, Inc., 792 F.3d 1070, 1078 (9th Cir. 2015), op. withdrawn and new op. filed, — F.3d —, 2015 WL 6161600 (9th Cir. 2015).

69 See generally supra § 7.08[2].

origin or other Lanham Act claim, a suit for false advertising where a plaintiff can allege (1) an injury to a commercial interest in reputation or sales; and (2) economic or reputational injury flowing directly from the deception wrought by the defendant’s advertising (which occurs when the deception of consumers causes them to withhold trade from the plaintiff).70 In addition, use of a mark—and even likelihood of confusion—are not necessarily elements of a claim for false advertising (although, by contrast, these elements must be established to prevail on a claim of false designation of origin). To establish false advertising, a plaintiff generally bears the burden of proving that the advertisement is false, customer deception (which may be presumed if literal falsity is shown) and materiality (that the advertisement had a material effect on consumers' purchasing decisions).71 The specific standing requirements and elements that must be met in a false advertising claim are analyzed in section

70 Lexmark Int’l, Inc. v. Static Control Components, Inc., 134 S. Ct. 1377, 1387-91 (2014); see generally supra § 6.12[5][A].

71 E.g., Chow v. Chau, 555 F. App’x 842 (11th Cir. 2014) (affirming a jury award of $500,000 to the corporate plaintiff and reinstating a jury award of $520,451 to the individual plaintiff, for false advertising and unfair competition by a former longtime employee who set up competing restaurants in the same cities where Mr. Chow restaurants were located and used a similar menu, décor and “noodle show” as the famous Mr. Chow restaurants, where the defendants made deceptive statements, falsely claiming that the former employee was the “architect” and “mastermind” of the menu at Mr. Chow, and purchased “Chow” and “Mr. Chow” as sponsored links so that the website for defendants’ restaurants would appear in the search results when people searched for Mr. Chow); Binder v. Disability Group, Inc., 772 F. Supp. 2d 1172 (C.D. Cal. 2011) (awarding $292,235.20 (double lost profits) and attorneys' fees for defendants' willful trademark infringement and false advertising under the Lanham Act (and finding defendants liable for unfair competition under California law) following a bench trial in a suit brought by the owners of trademarks associated with their disability law firm against a competitor and its principal, who bid on and purchased “Binder and Binder” through Google AdWords to display advertisements for their competing law firm); Green Bullion Financial Services, LLC v. Money4Gold Holdings, Inc., 639 F. Supp. 2d 1356 (S.D. Fla. 2009) (denying plaintiff's motion for a preliminary injunction where the plaintiff established that a sub-affiliate of the defendant, a competitor, purchased sponsored links that were literally false—asking Google users to “See our Super Bowl Ad” when plaintiff was the only buyer that purchased an advertisement during the Super Bowl and using plaintiff's name, Cash4Gold, even though plaintiff was a competitor and not affiliated with Cash4Gold—where the plaintiff introduced no evidence to prove that the false advertisements had a material effect on consumers' purchasing decisions).

6.12[5]. False advertising claims arising out of the use of sponsored links have been brought against parties alleged to have caused competitive injury72 and, less successfully, against search engines.73 In at least some cases against direct

72 See, e.g., Tiffany (NJ) Inc. v. eBay Inc., 600 F.3d 93, 112-14 (2d Cir.) (remanding for further consideration of Tiffany's claim that sponsored links advertising Tiffany products on eBay, while not literally false, might be found misleading or confusing “insofar as they implied the genuineness of Tiffany goods on eBay's site[,]” where evidence was presented that, despite eBay policies, some eBay users posted listings for counterfeit products), cert. denied, 562 U.S. 1082 (2010); Tiffany (NJ) Inc. v. eBay, Inc., Case No. 04 Civ. 4607 (RJS), 2010 WL 2722894 (S.D.N.Y. Sept. 13, 2010) (entering judgment for eBay on Tiffany's false advertising claim following remand); Binder v. Disability Group, Inc., 772 F. Supp. 2d 1172, 1177-78 (C.D. Cal. 2011) (holding defendants liable for trademark infringement and false advertising under the Lanham Act and unfair competition under California law in a suit brought by the owners of various trademarks associated with their disability law firm against the defendants, a competitor and its principal, who bid on and purchased “Binder and Binder” through Google AdWords to display advertisements for their competing law firm).

73 See Jurin v. Google Inc., 695 F. Supp. 2d 1117, 1122 (E.D. Cal. 2010) (dismissing plaintiff's false advertising claim arising out of Google's use of its keyword suggestion tool in connection with its AdWords program because the plaintiff and defendant were not direct competitors). But see Jurin v. Google Inc., 768 F. Supp. 2d 1064 (E.D. Cal. 2011) (denying defendant's motion to dismiss amended false advertising and false association claims arising out of the sale of a keyword as a sponsored link). In Jurin, the court initially also dismissed plaintiff's original false designation of origin claim arising out of Google's AdWords program because a false designation claim requires a showing that the defendant falsely represented that it was the “source” of the goods when it was not, and merely by using its keyword suggestion tool--which suggested potential sponsored link terms that advertisers could purchase--Google was “in no way directly represent[ing] that it [wa]s the producer of the Styrotrim product.” Jurin v. Google Inc., 695 F. Supp. 2d 1117, 1121-22 (E.D. Cal. 2010); see also Jurin v. Google, Inc., No. 2:09-cv-03065-MCE-KJM, 2010 WL 3521955 (E.D. Cal. Sept. 8, 2010) (dismissing false designation of origin, false advertising and breach of contract claims arising out of the defendant's alleged sale of its mark as a keyword to trigger sponsored link advertisements). The court eventually allowed Jurin's second amended complaint for false advertising and false association based on Google's alleged use of Styrotrim in its AdWords program and keyword suggestion tool to proceed, holding sufficient the amended allegations that “advertising competitors of ‘Styrotrim’ in the building materials industry are falsely misled that the keyword ‘Styrotrim’ is a generic word and not an abstract trademark term” thereby causing a false association between plaintiff's “Styrotrim”

competitors, injunctive relief74 and damages75 have been awarded. By far, however, the largest number of claims brought over sponsored links have been based on alleged trademark violations. Where a mark is used to trigger sponsored links for products lawfully sold on a site, the use has been found to be

building materials and those of its competitors, and that--astonishingly--end users have a reasonable expectation that websites provided to them on a search results page are associated with the search engine, potentially causing consumer confusion, mistake and deception. See Jurin v. Google Inc., 768 F. Supp. 2d 1064, 1070-72 (E.D. Cal. 2011). The court declined to read 15 U.S.C.A. § 1125(a)(1)(A) narrowly to require that a defendant produce the same goods as the plaintiff in order to state a claim for false association and, because it found the false association claim viable, declined to reach the question of whether the plaintiff could be said to have sustained a competitive injury for purposes of stating a false advertising claim because the plaintiff and defendant were not competitors for the keyword “Styrotrim.” See Jurin v. Google Inc., 768 F. Supp. 2d 1064, 1071-73 (E.D. Cal. 2011). The court eventually granted Google's motion for summary judgment on Jurin's remaining claims for false advertising and trademark infringement and dilution, which Jurin did not oppose. See Jurin v. Google Inc., No. 2:09-cv-03065-MCE-CKD, 2012 WL 5011007 (E.D. Cal. Oct. 17, 2012) (granting summary judgment for Google).

74 See Binder v. Disability Group, Inc., 772 F. Supp. 2d 1172, 1178-85 (C.D. Cal. 2011) (awarding $292,235.20 (double lost profits) for defendants' willful trademark infringement and false advertising under the Lanham Act (and holding defendants liable for unfair competition under California law) following a bench trial in a suit brought by the owners of trademarks associated with their disability law firm against a competitor and its principal, who bid on and purchased “Binder and Binder” through Google AdWords to display advertisements for their competing law firm); TrafficSchool.com, Inc. v. eDriver, Inc., 633 F. Supp. 2d 1063 (C.D. Cal. 2008) (imposing a permanent injunction for false advertising under the Lanham Act on the operators of DMV.ORG, a site that earned fees by referring users to traffic school and driver's education course providers which sought to benefit from perceptions that it was a government-run website by, among other things, purchasing “DMV” as a keyword to deliver sponsored links captioned “California DMV” and “California DMV Drivers Ed” and “CA Drivers Ed Online.”), aff'd in part and rev'd in part, 653 F.3d 820 (9th Cir. 2011) (affirming the judgment but reversing on the scope of the injunction and the court's denial of plaintiff's motion for attorneys' fees).

75 See General Steel Domestic Sales, LLC v. Chumley, Civil Action No. 10-cv-01398-PAB-KLM, 2013 WL 1900562, at *11-17 (D. Colo. May 7, 2013) (awarding disgorgement of profits for false advertising in website and sponsored link advertisements, following a bench trial).

a nominative fair use or otherwise permissible.76 Use in connection with comparative advertising also generally is permissible,77 assuming the use is not deceptive or otherwise actionable.

In Standard Process, Inc. v. Total Health Discount, Inc.,78 the court held that a defendant was not entitled to the nominative fair use defense where it used the plaintiff's name “to be placed prominently as a paid advertiser in search engine results”79 and used the pronouns we and our to refer to plaintiff's products. The court held that it was unable to conclude on that record that the defendant had done nothing that would, in conjunction with the mark, suggest sponsorship or endorsement by the mark holder.80

In Mary Kay, Inc. v. Weber,81 the court held that merely purchasing keyword advertisements did “not, in and of itself,

76 See, e.g., Tiffany (NJ) Inc. v. eBay Inc., 600 F.3d 93, 102–03, 111–12 (2d Cir.) (affirming the entry of judgment for eBay on Tiffany's claims for trademark infringement and dilution; holding that eBay's purchase of Tiffany's marks as sponsored links advertising lawful listings of genuine Tiffany's products offered for resale by eBay users was permissible as an accurate description of the products offered for sale which did not suggest that Tiffany was affiliated with eBay or endorsed the sale of its products through eBay's website; declining to address the viability of the nominative fair use doctrine in the Second Circuit; and holding that because eBay used Tiffany's marks to advertise the availability of authentic Tiffany merchandise on eBay, and not in an effort to create an association with its own product, “[t]here was no second mark or product at issue here to blur with or to tarnish.”), cert. denied, 562 U.S. 1082 (2010).

77 See 800-JR Cigar, Inc. v. GoTo.com, Inc., 437 F. Supp. 2d 273, 292–93 (D.N.J. 2006) (stating in dicta in a suit against a pay-for-priority search engine that “use of JR's marks by GoTo is probably fair in terms of its search engine business; that is, where GoTo permits bids on JR marks for purposes of comparative advertising, resale of JR's products, or the provision of information about JR or its products. However, fairness would dissipate, and protection under a fair use defense would be lost, if GoTo wrongfully participated in someone else's infringing use.”).

78 Standard Process, Inc. v. Total Health Discount, Inc., 559 F. Supp. 2d 932 (E.D. Wis. 2008).

79 Standard Process, Inc. v. Total Health Discount, Inc., 559 F. Supp. 2d 932, 938 (E.D. Wis. 2008).

80 Standard Process, Inc. v. Total Health Discount, Inc., 559 F. Supp. 2d 932, 938–39 (E.D. Wis. 2008), citing New Kids on the Block v. News America Publishing, Inc., 971 F.2d 302, 308 (9th Cir. 1992).

81 Mary Kay, Inc. v. Weber, 601 F. Supp. 2d 839 (N.D. Tex. 2009).

make the fair use defense unavailable.”82 At the same time, the court held that the defendants' potential entitlement to the fair use defense was a disputed fact that could not be resolved on motion for summary judgment. In Weber, Mary Kay sued unauthorized Internet resellers of its products who spent approximately $20,000 per month on 79 keywords purchased on Google, 75 of which referenced Mary Kay or Mary Kay products. The court held that merely advertising products for sale through sponsored link advertising did not itself suggest an affiliation with the manufacturer of the products.83 The court then proceeded to analyze the language of the advertisement to evaluate if the defendant improperly suggested an affiliation. The ad in question read “Mary Kay Sale 50% Off: Free Shipping on Orders over $100 Get up to 50% Off-Fast Shipping www.touchofpinkcosmetics.com.” The court found that, although the defendants did not affirmatively represent that they were affiliated with Mary Kay, “Mary Kay Sale 50% Off” implied that Mary Kay was hosting the sale.84 In combination with the website, which referenced pink (a color frequently associated with Mary Kay), the court wrote that “[o]ne could easily conclude from this ad that the entity offering the sale either is Mary Kay, or has Mary Kay's approval.”85 The court also found a triable issue of fact on whether the defendants' website was likely to cause confusion.86 The case subsequently went to trial and resulted in a jury verdict for the plaintiff. The court enjoined defendants from using the color pink or seeking expired products, but not from purchasing key words that included “Mary Kay.”87

Prior to 2009, the law governing sponsored links and pop

82 Mary Kay, Inc. v. Weber, 601 F. Supp. 2d 839, 857 (N.D. Tex. 2009).

83 Mary Kay, Inc. v. Weber, 601 F. Supp. 2d 839, 856 (N.D. Tex. 2009).

84 Mary Kay, Inc. v. Weber, 601 F. Supp. 2d 839, 857 (N.D. Tex. 2009). By reference to another case, the court explained that the Webers' ad was similar to one reading “Your Kirby Headquarters,” which suggests affiliation, as opposed to “Sales & Repairs of Kirby Vacuums (not authorized by Kirby),” which does not.

85 Mary Kay, Inc. v. Weber, 601 F. Supp. 2d 839, 858 (N.D. Tex. 2009).

86 Fair use issues are analyzed more extensively in section 6.14.

87 See Mary Kay, Inc. v. Weber, 661 F. Supp. 2d 632 (N.D. Tex. 2009).

up ads was confused based on an early misconstruction of the “use in commerce” requirement in the Lanham Act, which was repeated through multiple district court cases (primarily in the Second Circuit) until it was soundly rejected by Judge Leval in Rescuecom Corp. v. Google, Inc.88 The tortured history of the development of law in this area, which is discussed below, is important to understand, to be able to distinguish older cases that remain relevant from those that are no longer good law in light of Rescuecom. Rescuecom and its significance is further analyzed in section 7.10.

In cases involving pop up advertisements—where ads appear in a separate search box on a user's screen based on search terms inputted by the user—courts had held that plaintiffs could not maintain claims under the Lanham Act because the use of a competitor's mark was not a use for purposes of the Lanham Act and therefore was not actionable.89

In 1-800 Contacts Inc. v. WhenU.com Inc.,90 the Second Circuit, ruling in 2005, reversed the lower court's entry of a preliminary injunction enjoining WhenU.com from using the 1-800 Contacts mark (or similarly confusing terms) as elements in the SaveNow software directory or causing defendant Vision Direct's pop-up advertisements to appear when a computer user “made a specific choice to access or find Plaintiff's website by typing Plaintiff's mark into the URL bar of a web browser or into an Internet search engine ....” The district court had concluded that WhenU.com was making “trademark use” of plaintiff's mark in two ways—by using it in the database directory of terms that triggered pop-up advertisements and by displaying advertisements for Vision Direct, a competitor, when a user typed plaintiff's marks. The lower court had further found that plaintiffs were likely to prevail in establishing likelihood of confusion based on initial interest confusion, writing that the harm to plaintiff “lies not in the loss of Internet users

88 Rescuecom Corp. v. Google Inc., 562 F.3d 123 (2d Cir. 2009).

89 See 1-800 Contacts, Inc. v. WhenU.com, Inc., 414 F.3d 400 (2d Cir.), cert. denied, 546 U.S. 1033 (2005); U-Haul Int'l, Inc. v. WhenU.com, Inc., 279 F. Supp. 2d 723 (E.D. Va. 2003); Wells Fargo & Co. v. WhenU.com, Inc., 293 F. Supp. 2d 734 (E.D. Mich. 2003). These cases involved a software application that caused advertisements to be delivered on a user's screen, not delivery of advertisements over the Internet.

90 1-800 Contacts, Inc. v. WhenU.com, Inc., 414 F.3d 400 (2d Cir.), cert. denied, 546 U.S. 1033 (2005).

who are unknowingly whisked away from Plaintiff's website; instead, harm to the Plaintiff from initial interest confusion lies in the possibility that, through the use of pop-up advertisements Defendant Vision Direct ‘would gain crucial credibility during the initial phases of a deal.’ ”

The Second Circuit, however, ruled that defendants were not using plaintiff's mark in a trademark sense. The appellate court found the difference between plaintiff's 1-800 CONTACTS mark and defendant's use of www.1800contacts.com to be significant, ruling that the URL “functions more or less like a public key to 1-800's website.” The court wrote that a “company's internal utilization of a trademark in a way that does not communicate it to the public is analogous to a[n] individual's private thoughts about a trademark. Such conduct simply does not violate the Lanham Act.”

Following 1-800Contacts, district courts in the Second Circuit initially held that purchasing a third party's trademark as a keyword to trigger sponsored advertisements generally did not amount to use of the mark in commerce and therefore was not actionable91 (at least where the mark itself was not visible in the text displayed to users).92 By contrast, courts in other parts of the country uniformly held that purchasing a mark to trigger advertisements at least met the initial jurisdictional requirement of use in commerce,93 regardless of whether the claim ultimately proved meritorious.

91 See, e.g., Site Pro-1, Inc. v. Better Metal, LLC, 506 F. Supp. 2d 123 (E.D.N.Y. 2007); FragranceNet.com, Inc. v. FragranceX.com, Inc., 493 F. Supp. 2d 545 (E.D.N.Y. 2007); Rescuecom Corp. v. Google, Inc., 456 F. Supp. 2d 393 (N.D.N.Y. 2006), rev'd, 562 F.3d 123 (2d Cir. 2009); Merck & Co. v. Mediplan Health Consulting, Inc., 425 F. Supp. 2d 402 (S.D.N.Y. 2006). As a result of the Second Circuit's ruling in Rescuecom Corp. v. Google Inc., 562 F.3d 123 (2d Cir. 2009), these rulings are no longer good law.

92 See Hamzik v. Zale Corp., No. 3:06-cv-1300, 2007 WL 1174863, at *10–11 (N.D.N.Y. Apr. 19, 2007).

93 See, e.g., Hearts on Fire Co. v. Blue Nile, Inc., 603 F. Supp. 2d 274, 281–83 (D. Mass. 2009); Hysitron Inc. v. MTS Systems Corp., No. 07-1533, 2008 WL 3161969, at *4–6 (D. Minn. Aug. 1, 2008); Finance Express LLC v. Nowcom Corp., 564 F. Supp. 2d 1160, 1173–74 (C.D. Cal. 2008); Google Inc. v. American Blind & Wallpaper, C 03-5340JF(RS), 2007 WL 1159950 (N.D. Cal. Apr. 18, 2007); Rhino Sports, Inc. v. Sport Court, Inc., Nos. CV-02-1815-PHX-JAT, CV-06-3066-PHX-JAT, 2007 WL 1302745 (D. Ariz.

In Rescuecom Corp. v. Google, Inc.,94 however, the Second Circuit in 2009 reversed a lower court's order granting Google's motion to dismiss, holding that plaintiff's case could proceed. The court, in an opinion written by Judge Leval, held that Google's sale of the “RESCUECOM” mark as a keyword through its AdWords program95 and in response to a suggestion generated automatically by its Keyword Suggestion Tool96 constituted a use in commerce under the Lanham Act.

In Rescuecom, the plaintiff alleged that Google, through its Keyword Suggestion Tool, recommended its RESCUECOM trademark to Rescuecom's competitors. It also alleged that users might be easily misled to believe that sponsored link advertisements in fact were part of the relevance-based (or “natural”) search results and that the appearance of a competitor's ad and link in response to a search for “Rescuecom” was likely to cause confusion about the sponsorship, affiliation or approval of the service. Although sponsored links generally are identified as such and appear on a separate part of a search results page from natural search results, Rescuecom alleged that Google failed to label the ads in a manner that would clearly identify them as purchased ads rather than search results. This was particularly true, the plaintiff alleged, when sponsored links were displayed horizontally at the top of a search results page, rather than on the side, where they could appear to a user to be the first, and therefore the most relevant, entries responding to the

May 2, 2007); J.G. Wentworth, S.S.C. LP v. Settlement Funding, LLC, 85 U.S.P.Q.2d 1780, 2007 WL 30115 (E.D. Pa. Jan. 4, 2007); Edina Realty, Inc. v. TheMLSonline.com, No. Civ. 04-4371 (JRT) (FLN), 2006 WL 737064 (D. Minn. Mar. 20, 2006); 800-JR Cigar, Inc. v. GoTo.com, Inc., 437 F. Supp. 2d 273 (D.N.J. 2006); Buying For The Home, LLC v. Humble Abode, LLC, 459 F. Supp. 2d 310 (D.N.J. 2006); Government Employees Ins. Co. v. Google, Inc., 330 F. Supp. 2d 700 (E.D. Va. 2004).

94 Rescuecom Corp. v. Google Inc., 562 F.3d 123 (2d Cir. 2009).

95 AdWords is Google's program through which advertisers purchase keywords. “When entered as a search term, the keyword triggers the appearance of the advertiser's ad and link.” Rescuecom Corp. v. Google Inc., 562 F.3d 123, 125 (2d Cir. 2009). Advertisers pay Google based on the number of times users click on the link.

96 Google's Keyword Suggestion Tool is a software application that recommends potential keywords to advertisers for purchase. “The program is designed to improve the effectiveness of advertising by helping advertisers identify keywords related to their area of commerce, resulting in the placement of their ads before users who are likely to be responsive to it.” Rescuecom Corp. v. Google Inc., 562 F.3d 123, 126 (2d Cir. 2009).

search query. Because the appellate court considered the issue in connection with a motion to dismiss, it was bound to accept as true plaintiff's allegations in ruling on the issue of whether the plaintiff had stated a claim on which relief could be granted.

In so ruling, the court distinguished 1-800 Contacts, which lower courts in the Second Circuit generally had concluded compelled a finding that the use of a mark to trigger a sponsored link for a third party was not a use in commerce. Since 1-800 Contacts was decided by another panel of Second Circuit judges (comprised of Chief Judge Walker and Circuit Judge Straub), Judge Leval could not simply overrule the decision and therefore distinguished it in two significant respects.

First, the court explained that in 1-800 Contacts, the defendant used the 1–800Contacts.com address, not the 1-800 Contacts mark. This, however, should be considered a distinction without a difference because it was the branded portion of the address—1-800 Contacts—that effectively was the trigger to deliver an advertisement. 1-800 Contacts did not involve an IP address or other domain name that arguably would more clearly be viewed as an address. Indeed, in evaluating trademark applications based on domain names the PTO generally discounts the text to the left and the right of the actual name (i.e., the PTO would focus on 1-800 CONTACTS, not www.1800Contacts.com, in evaluating the strength of a mark).97 Nevertheless, the plaintiff in 1-800 Contacts did not allege that this amounted to use of the mark—as Judge Leval pointed out in a footnote in the decision.98 Thus, although 1-800 Contacts may be distinguished because that case did not involve use of a mark, it is important to keep in mind that the court did not hold that use of the domain name did not amount to use as a mark. The plaintiff had merely neglected to make this allegation.

Second, Judge Leval explained that, as an alternative basis, the 1-800 Contacts court found no use because under

97 See supra § 6.06[5].

98 562 F.3d at 128 n.3. Judge Leval clarified that: “We did not imply in 1-800 that a website can never be a trademark. In fact, the opposite is true.” Id., citing Trademark Manual or Examining Procedures § 1209.03(m) (5th ed. 2007) (“A mark comprised of an Internet domain name is registrable as a trademark or service mark only if it functions as an identifier of the source of goods or services.”).

the defendant's program, advertisers could not request or purchase keywords to trigger their ads. The defendant did not disclose the proprietary contents of its database to its advertising clients. Moreover, in addition to not selling third party trademarks to trigger advertisements, the 1-800 Contacts defendant did not otherwise manipulate which category-related advertisement would pop up in response to any particular terms in its internal directory. The display of a particular advertisement was controlled by the category associated with the website or keyword (such as “eye care”), rather than the website or keyword itself.99 By contrast, in Rescuecom, the plaintiff alleged that Google recommended and sold to its advertisers the Rescuecom trademark.

Judge Leval also rejected the analysis of some district courts and commentators who focused on the 1-800 Contacts court's conclusion that inclusion of a mark on an internal database cannot constitute use. Judge Leval characterized this as an over-reading of the 1-800 Contacts decision. He explained that “1-800 did not imply that use of a trademark in a software program's internal directory precludes a finding of trademark use. Rather influenced by the fact that the defendant was not using the plaintiff's mark at all, much less using it as the basis of a commercial transaction, the court asserted that the particular use before it did not constitute a use in commerce.”100 He further wrote:

We did not imply in 1-800 that an alleged infringer's use of a trademark in an internal software program insulates the alleged infringer from a charge of infringement, no matter how likely the use is to cause confusion in the marketplace .... [Otherwise,] the operators of search engines would be free to use trademarks in ways designed to deceive and cause consumer confusion.101

Finally, Judge Leval rejected the argument that sponsored links were no different from product placement found at retail stores, where a store-brand generic product is placed next to a trademarked product to induce a customer who specifically sought out the trademarked product to consider a less expensive generic brand as an alternative. Judge Leval concluded, however, that “[i]t is not by reason of absence of a use of a mark in commerce that benign product placement

99 562 F.3d at 129–30, citing 1-800 Contacts, 414 F.3d at 409–11.
100 562 F.3d at 129–30.
101 562 F.3d at 130.

escapes liability; it escapes liability because it is a benign practice which does not cause a likelihood of consumer confusion.”102 Judge Leval made clear that product placement, if deceptive, could be actionable, just as the purchase of a trademark to deliver a sponsored link could be actionable, if likelihood of confusion (or dilution) can be shown.

While Rescuecom harmonized the law—eliminating a split of authority among district courts over whether the sale or purchase of a keyword constitutes a use in commerce—the Second Circuit's decision in that case does not end the analysis of whether a given use in fact will lead to liability. To prevail, a plaintiff still must show likelihood of confusion or dilution.

In Tiffany (NJ) Inc. v. eBay Inc.,103 the Second Circuit affirmed the entry of judgment following a bench trial on Tiffany's claims for trademark infringement and dilution based on its use of the Tiffany mark in sponsored links advertising Tiffany products on eBay, such as “Tiffany” and “Tiffany on eBay—Find Tiffany items at low prices” to promote sales. The court found it unnecessary to apply either the Third or Ninth Circuit tests or determine if nominative fair use was an affirmative defense or part of the likelihood of confusion analysis,104 holding simply that “a defendant may lawfully use a plaintiff's trademark where doing so is necessary to describe the plaintiff's product and does not imply a false affiliation or endorsement by the plaintiff of the defendant.”105 The court likewise affirmed the entry of judgment for eBay on Tiffany's dilution claim based on the finding that eBay never used Tiffany's marks as sponsored links to create an association with its product, but merely to advertise the availability of authentic Tiffany merchandise on eBay's website.106 Because eBay never used Tiffany's marks to refer to eBay's own products, the court held there could be no dilution. In the words of the Second Circuit panel, “[t]here is no second mark or product at issue here to blur with or

102 562 F.3d at 130.
103 Tiffany (NJ) Inc. v. eBay Inc., 600 F.3d 93 (2d Cir.), cert. denied, 562 U.S. 1082 (2010).
104 See supra § 6.14[3].
105 600 F.3d at 102–03.
106 600 F.3d at 111–12; see supra § 6.11[3].

tarnish.”107

The Second Circuit remanded the case on the narrow issue of whether Tiffany could maintain a claim for false advertising based on eBay's sponsored link advertisements. The court held that eBay's advertisements for Tiffany products were not literally false “inasmuch as genuine Tiffany merchandise was offered for sale through eBay's website.”108 The court remanded, however, for consideration of whether extrinsic evidence showed that the challenged advertisements were misleading or confusing “insofar as they implied the genuineness of Tiffany goods on eBay's site[.]”109 In a different part of the court's opinion, the Second Circuit had ruled, in affirming the entry of judgment in favor of eBay on Tiffany's claim for contributory trademark infringement, that while eBay had generalized knowledge that its site was misused by some people to offer counterfeit Tiffany goods, in violation of eBay policies, it could not be held liable since it disabled every listing that was identified by Tiffany or users as potentially infringing and terminated user accounts pursuant to its three strikes policy. Based on this generalized knowledge that in addition to genuine Tiffany products, counterfeit items were available on eBay, the Second Circuit remanded for further consideration. On remand, the district court entered judgment for eBay, finding that Tiffany could not present extrinsic evidence to meet its burden of proving false advertising.110

A number of sponsored link cases have been brought against search engines, although these suits usually do not end well for mark owners because of the difficulty of proving confusion or dilution or that use of a mark is not a nominative fair use or otherwise permissible, except where a search engine employs practices that blur the distinctions between natural and paid search results,111 which is not the practice of any of the major search engines.

107 600 F.3d at 112; see supra § 6.11[3][B].
108 600 F.3d at 113.
109 600 F.3d at 113–14; see generally supra § 6.12[5][A] (discussing this aspect of the case in greater detail).
110 See Tiffany (NJ) Inc. v. eBay, Inc., Case No. 04 Civ. 4607 (RJS), 2010 WL 2722894 (S.D.N.Y. Sept. 13, 2010); see generally supra § 6.12[5][A] (discussing the court's reasoning).
111 See, e.g., 800-JR Cigar, Inc. v. GoTo.com, Inc., 437 F. Supp. 2d 273, 286–93 (D.N.J. 2006) (denying summary judgment on plaintiff's claims for


In Rosetta Stone Ltd. v. Google, Inc.,112 the district court went further, holding, as an alternative ground for granting summary judgment for Google on Rosetta Stone's state and federal trademark infringement claims, that Rosetta Stone's claims were barred by the functionality doctrine. The functionality doctrine “prevents trademark law, which seeks to promote competition by protecting a firm's reputation, from instead inhibiting legitimate competition by allowing a producer to control a useful product feature.”113 In Rosetta Stone, Judge Gerald Bruce Lee of the Eastern District of Virginia ruled that Google used trademarks, including Rosetta Stone marks, to identify relevant sponsored links, which the court held was “no different than the use of a Google search query to trigger organic search results relevant to the user's search. In both cases, a search term like ‘Rosetta Stone’ will return a string of Sponsored Links and organic links on Google's search results page.”114 Accordingly, the district court held that keywords “have an essential indexing function because they enable Google to readily identify in its databases the relevant information in response to a web user's query.”115 On appeal, however, the Fourth Circuit vacated this aspect of the court's decision, ruling that the functionality doctrine only applies when a mark is used for functional product features or the trademark

trademark infringement and unfair competition based on the use by a pay-for-priority search engine of plaintiff's famous marks as search terms, sold to plaintiff's direct competitors, where, among other things, the defendant ranked paid responses above natural search results but did not clearly label them as paid search results).
112 Rosetta Stone Ltd. v. Google, Inc., 730 F. Supp. 2d 531 (E.D. Va. 2010), vacated in relevant part, 676 F.3d 144 (4th Cir. 2012).
113 Qualitex Co. v. Jacobson Products Co., Inc., 514 U.S. 159 (1995); see generally supra § 6.13[2].
114 Rosetta Stone Ltd. v. Google, Inc., 730 F. Supp. 2d 531, 546 (E.D. Va. 2010), vacated in relevant part, 676 F.3d 144 (4th Cir. 2012).
115 Rosetta Stone Ltd. v. Google, Inc., 730 F. Supp. 2d 531, 546 (E.D. Va. 2010), vacated in relevant part, 676 F.3d 144 (4th Cir. 2012), citing Sega Enterprises Ltd. v. Accolade, Inc., 977 F.2d 1510, 1531 (9th Cir. 1992) (finding that use of the plaintiff's trademark initialization sequence to achieve compatibility was functional because interoperability could not be achieved without the trademark sequence); see also Compaq Computer Corp. v. Procom Technology, Inc., 908 F. Supp. 1409, 1423 (S.D. Tex. 1995) (finding that the word “Compaq” inserted in computer code for purposes of compatibility was functional).

owner's own use (not a third party's) is functional.116

In 1-800-Contacts, Inc. v. Lens.com, Inc.,117 the Tenth Circuit largely affirmed the trial court’s entry of summary judgment for the defendant, Lens.com, in a sponsored link case, but reversed and remanded on the issue of whether Lens.com could be held contributorily liable for an advertisement placed by a Lens.com affiliate without authorization, which included plaintiff’s 1-800-Contacts mark in the body of the advertisement. The Tenth Circuit panel affirmed summary judgment for Lens.com on claims of direct and vicarious liability where the evidence showed that initial interest confusion occurred at most 1.5% of the time that a Lens.com advertisement was generated by one of nine challenged keywords and therefore could not be said to likely lure consumers in search of the plaintiff’s product to those of the defendant.118 Because Lens.com was decided on summary judgment, and because sponsored link data was readily available to advertisers, the court was able to determine the “upper limit on how often consumers really were lured . . . ” by calculating the number of click-throughs as a percentage of total ad impressions delivered in response to search engine queries that triggered a sponsored link based on the challenged keywords.119

The Lens.com court also affirmed the entry of summary judgment on vicarious liability claims based on keyword purchases of two Lens.com affiliates who purchased keywords that were either identical or closely similar to 1-800-Contacts’s service mark. One of the affiliates, McCoy, had also published at least one advertisement that featured a close variation of plaintiff’s mark in the text of the advertisement. The low ratio of clicks to impressions (0.7% and 1%) convinced the appellate court that summary judgment was appropriate.

The court separately analyzed claims based on McCoy’s publication of ads that featured variations on plaintiff’s 1-800-Contacts mark in the text of the advertisement. The court explained that a principal is subject to liability for its agent’s tortious conduct only if the conduct “is within the scope of the agent’s actual authority or ratified by the principal.”120 The court further explained that an “agent acts with actual authority if it ‘reasonably believes, in accordance with the principal’s manifestations to the agent, that the principal wishes the agent so to act.’ ”121 By contrast,

[l]ack of actual authority is established by showing either that the agent did not believe, or could not reasonably have believed, that the principal's grant of actual authority encompassed the act in question. This standard requires that the agent's belief be reasonable, an objective standard, and that the agent actually hold the belief, a subjective standard.122

Because the affiliate “never believed, reasonably or otherwise, that Lens.com authorized him to place the ads . . . the subjective component of actual authority was absent.”123

On the other hand, the Tenth Circuit reversed the entry of summary judgment in favor of Lens.com on plaintiff’s

116 Rosetta Stone Ltd. v. Google, Inc., 730 F. Supp. 2d 531, 546 (E.D. Va. 2010), vacated in relevant part, 676 F.3d 144 (4th Cir. 2012); see generally supra § 6.13[2].
In Rosetta Stone, the Fourth Circuit affirmed the entry of summary judgment for Google on Rosetta Stone's claims for vicarious trademark infringement and unjust enrichment but vacated summary judgment for Google on plaintiff's direct and contributory trademark infringement and dilution claims and remanded the case for further proceedings, finding that the trial court judge improperly weighed evidence, as though he were ruling at trial, when material facts remained in dispute.
117 1-800-Contacts, Inc. v. Lens.com, Inc., 722 F.3d 1229 (10th Cir. 2013).
118 The district court had ruled that use of the challenged keywords, divorced from the text of resulting advertisements, could not result in likelihood of confusion. It had pointed out that because Google users viewed only the results of searches and could not tell exactly which keywords an advertiser had purchased, a user who searched for “1-800-Contacts” and saw a sponsored link advertisement for Lens.com would have had no way of knowing whether Lens.com had purchased 1-800-Contacts’ trademark as a keyword or the generic term contacts. The Tenth Circuit appellate panel found it unnecessary to reach this issue. See 1-800-Contacts, Inc. v. Lens.com, Inc., 722 F.3d 1229, 1242-43 (10th Cir. 2013).

119 1-800-Contacts, Inc. v. Lens.com, Inc., 722 F.3d 1229, 1244 (10th Cir. 2013).
120 1-800-Contacts, Inc. v. Lens.com, Inc., 722 F.3d 1229, 1251 (10th Cir. 2013), quoting Restatement (Third) of Agency § 7.04.
121 1-800-Contacts, Inc. v. Lens.com, Inc., 722 F.3d 1229, 1251 (10th Cir. 2013), quoting Restatement (Third) of Agency § 2.01.
122 1-800-Contacts, Inc. v. Lens.com, Inc., 722 F.3d 1229, 1251 (10th Cir. 2013), quoting Restatement (Third) of Agency § 2.02 comment e (emphasis in opinion).
123 1-800-Contacts, Inc. v. Lens.com, Inc., 722 F.3d 1229, 1252 (10th Cir. 2013) (emphasis in original). Notwithstanding its holding, the appellate court, addressing the district court’s analysis, noted in dicta that a

claim for contributory infringement based on McCoy’s advertisements, finding that there was at least a factual question about whether Lens.com could have stopped McCoy (whose identity at the time was unknown to Lens.com) from using plaintiff’s mark in sponsored link advertisements. The appellate panel concluded that Lens.com received notice of the advertisement when it was sued because a copy of the advertisement had been attached to plaintiff’s complaint. Although Lens.com could not identify the specific responsible affiliate just from the advertisement reprinted in plaintiff’s Complaint, the court concluded that there was at least a factual question about whether Lens.com could have required Commission Junction to send an email blast to all affiliates forbidding this use. The court explained that particularized knowledge is required in cases where a defendant could not act on anything but specific knowledge, as in Rosetta Stone and Tiffany v. eBay, but a less exacting standard is required (at least in the Tenth Circuit) where the defendant has knowledge sufficient to act upon to deter infringement, and fails to do so. Accordingly, the court remanded the case for consideration of whether Lens.com could have compelled Commission Junction to notify all Lens.com affiliates, even if Lens.com did not know the identity of the specific affiliate responsible for the advertisement. Distinguishing Rosetta Stone and Tiffany v. eBay, the court in 1-800 Contacts explained that:

When modern technology enables one to communicate easily and effectively with an infringer without knowing the infringer's specific identity, there is no reason for a rigid line requiring knowledge of that identity, so long as the remedy does not interfere with lawful conduct.124

The appellate court did not conclude that Lens.com in fact

plaintiff need show a fiduciary relationship to establish agency, an independent contractor may be an agent, an agent without authority to bind a principal to a contract may nonetheless have authority for other purposes and the absence or infrequency of direct communications from a company to its affiliates is not conclusive of whether the affiliates were its agents because a principal can authorize an agent to appoint a subagent, and the subagent can then act as an agent for the principal even though the principal’s control is indirect. Id. at 1250-51. The court also noted that merely because an affiliate may work simultaneously for other advertisers does not necessarily mean that they could not also be a defendant’s agent because “[a]n agent can serve multiple principals at once, even principals that are competing with one another.” Id. at 1250.
124 1-800-Contacts, Inc. v. Lens.com, Inc., 722 F.3d 1229, 1254 (10th Cir. 2013).

was liable. It merely remanded the case for further consideration, finding that a factual dispute precluded summary judgment on this one, narrow ground. To date, there has not been a case that has held on the merits that mere use of a mark as a keyword constituted trademark infringement or dilution by a search engine.

Sponsored link suits have been more successful when asserted against competitors, distributors or other third parties who use a mark to trigger sponsored link advertisements, rather than search engines, although even in competitor suits a plaintiff, to prevail, still must prove infringement or dilution, negate fair or otherwise permissible use, or show false advertising, and establish entitlement to recover damages or injunctive relief. Indeed, with only a couple of exceptions, no court to date has held on the merits in a contested case that mere use of a mark as a keyword, without more, constituted trademark infringement.125 More typically, where liability has been found there has also been evidence of other actionable misconduct, in addition to the use of a mark in connection with sponsored links.126

125 Aside from default or stipulated judgments, there have only been a couple of cases where liability has been contested where the plaintiff obtained a judgment for trademark infringement based solely on the use of a mark in connection with sponsored link advertising (rather than in conjunction with other alleged acts of trademark infringement). See Binder v. Disability Group, Inc., 772 F. Supp. 2d 1172 (C.D. Cal. 2011) (awarding $292,235.20 (double lost profits) and attorneys' fees for defendants' willful trademark infringement and false advertising under the Lanham Act (and finding defendants liable for unfair competition under California law) following a bench trial in a suit brought by the owners of trademarks associated with their disability law firm against a competitor and its principal, who bid on and purchased “Binder and Binder” through Google AdWords to display advertisements for their competing law firm); Storus Corp. v. Aroa Marketing, Inc., 87 U.S.P.Q.2d 1032, 2008 WL 449835 (N.D. Cal. Feb. 15, 2008) (granting partial summary judgment for the plaintiff on the issue of initial interest confusion based on the defendants' use of the “Smart Money Clip” mark in sponsored link advertising purchased from Google and in connection with searches for the mark on Skymall.com).
126 See Chow v. Chau, 555 F. App'x 842 (11th Cir. 2014) (affirming a jury award of $500,000 to the corporate plaintiff and reinstating the jury award of $520,451 to Mr. Chow, the individual plaintiff, for false advertising and unfair competition by a former longtime employee of Mr. Chow, who set up competing restaurants in the same cities where Mr. Chow restaurants were located and used a similar menu, décor and “noodle show” as the famous Mr. Chow restaurants, where the defendants made deceptive statements, falsely claiming that the former employee was the


Absent obvious misconduct, sponsored link claims under the Lanham Act generally are easier to allege than prove. For this reason, while the use of marks in sponsored link advertisements continues to be the subject of cease and desist letters, only a small percentage of complaining parties actually file suit.

Suits against search engines appear particularly weak, except perhaps in circumstances where natural and paid search results are intermingled in a way that could create confusion or dilution.127 While this practice may be found from time to time among smaller sites, major search engines clearly demarcate natural search results from sponsored links.

In all sponsored link cases brought under the Lanham Act, confusion, dilution and the absence of fair use may be difficult to prove if the sole basis for a claim is the purchase or sale of a mark as a keyword for a sponsored link displayed in a separate, clearly labeled area from natural search results.

“architect” and “mastermind” of the menu at Mr. Chow, and purchased “Chow” and “Mr. Chow” as sponsored links so that the website for defendants' restaurants would appear in the search results when people searched for Mr. Chow); Digby Adler Group LLC v. Image Rent a Car, Inc., No. 10-cv-00617-SC, 2015 WL 525906, at *3 (N.D. Cal. Feb. 6, 2015) (granting summary judgment for plaintiff on its claims for trademark infringement, where defendants, competitors in the van rental industry, registered plaintiff's “Bandango” mark as a domain name and bid on Google AdWords search terms “Bandango,” “Bandango van rental,” and “Bantango van rentals,” and for cybersquatting and copyright infringement, based on defendants' copying text from plaintiff's website); Mary Kay, Inc. v. Weber, 661 F. Supp. 2d 632 (N.D. Tex. 2009) (awarding $1,139,962 in damages and broad injunctive relief prohibiting defendants from using the names “Touch of Pink” or “MaryKay1Stop,” but declining to prohibit them from purchasing “Mary Kay” as keywords for sponsored links or other lawful advertising that did not suggest sponsorship, affiliation or endorsement); TrafficSchool.com, Inc. v. eDriver, Inc., 633 F. Supp. 2d 1063 (C.D. Cal. 2008) (imposing a permanent injunction following a bench trial for false advertising under the Lanham Act, on the operators of DMV.ORG, a site that earned fees by referring users to traffic school and driver's education course providers which sought to benefit from perceptions that it was a government-run website by, among other things, purchasing “DMV” as a keyword to deliver sponsored links captioned “California DMV” and “California DMV Drivers Ed” and “CA Drivers Ed Online.”), aff'd in part and rev'd in part, 653 F.3d 820 (9th Cir. 2011) (reversing on the scope of the injunction and the court's denial of plaintiff's application for attorneys' fees).
127 See, e.g., 800-JR Cigar, Inc. v. GoTo.com, Inc., 437 F. Supp. 2d 273, 295-96 (D.N.J. 2006) (denying summary judgment based on disputed material facts over likelihood of confusion).


Sponsored link cases are most likely to be successful, by contrast, when asserted against competitors, distributors or others who are using a mark to drive traffic to or away from a particular site, or sell goods or services, in a way likely to cause confusion or dilution, which usually means that the text surrounding the advertisement, the domain name used by the advertiser or the landing page associated with the link is potentially confusing or diluting. Mark owners may have stronger cases where the use of a mark to trigger sponsored links is merely one of several practices undertaken by a defendant to trade on the goodwill of a brand or falsely suggest sponsorship, affiliation or endorsement, or where key word purchases provide evidence of likelihood of confusion but are not in and of themselves actionable.128 If the only allegation is that a competitor is simply using a mark to trigger an advertisement that itself is not deceptive, unfair, diluting or confusing, the claim will be difficult to maintain if a court properly applies governing law.

At the margin, the outcome of a case may be determined by which test for likelihood of confusion in Internet cases and nominative fair use is applied, although the law on what constitutes a claim based on sponsored links under the Lanham Act has been harmonized considerably by decisions in the Second and Ninth Circuits in 2009 and 2011, respectively, as discussed earlier in this section.

9.11[4] State Law Claims and Preemption

Although most sponsored link cases are brought under the Lanham Act, state law claims sometimes may be added. Court rulings on the merits of state law trademark infringement and dilution and unfair competition claims often track rulings in the same case on comparable federal claims,

128 See, e.g., Avalere Health, LLC v. Avalere.org, No. 1:12-cv-00997 (LO/IDD), 2013 WL 1790137, at *5 (E.D. Va. Apr. 10, 2013) (citing the fact that the defendant’s website directed consumers to sponsored links related to medical and health-related services as evidence of likelihood of confusion); Martha Elizabeth, Inc. v. Scripps Networks Interactive, LLC, No. 1:10-cv-1244, 2011 WL 1750711, at *19 (W.D. Mich. May 9, 2011) (holding, in granting a motion for preliminary injunction, that a defendant's purchase of misspelled variations of plaintiff's mark as sponsored links evidenced bad faith for purposes of likelihood of confusion analysis).

whether for the plaintiff1 or defendant,2 although some state claims may require a showing of different elements (such as dilution)3 or afford broader relief (such as California's unfair competition laws).4 Where a person's name, likeness or attributes are used, state common law or statutory right of publicity claims potentially may be asserted5 (in addition to Lanham Act claims where a person's name is separately

[Section 9.11[4]]
1 See, e.g., Binder v. Disability Group, Inc., 772 F. Supp. 2d 1172, 1178 (C.D. Cal. 2011) (holding defendants liable for trademark infringement and false advertising under the Lanham Act and unfair competition under California law in a suit brought by the owners of various trademarks associated with their disability law firm against the defendants, a competitor and its principal, who bid on and purchased “Binder and Binder” through Google AdWords to display advertisements for their competing law firm); Craigslist, Inc. v. Naturemarket, Inc., 694 F. Supp. 2d 1039, 1058–60 (N.D. Cal. 2010) (entering a default judgment for trademark infringement under the Lanham Act and California law based on the defendants' display of the Craigslist mark in the text and in the headings of sponsored links advertising products to automate the process of posting listings to Craigslist, in advertising their products and on their website); Mary Kay, Inc. v. Weber, 661 F. Supp. 2d 632 (N.D. Tex. 2009) (entering judgment based on a jury verdict for Mary Kay on claims for unfair competition, passing off, and trademark infringement under the Lanham Act and unfair competition and trademark infringement under Texas common law); Fair Isaac Corp. v. Experian Information Solutions Inc., 645 F. Supp. 2d 734 (D. Minn. 2009) (denying defendants' motion for summary judgment in a sponsored links case where factual disputes over likelihood of confusion precluded summary judgment under the Lanham Act and Minnesota common law); Hearts on Fire Co. v. Blue Nile, Inc., 603 F. Supp. 2d 274 (D. Mass. 2009) (denying defendant's motion to dismiss trademark infringement and unfair competition claims under the Lanham Act and Massachusetts law based on the defendant's purchase of sponsored links tied to “Hearts on Fire” and the display of the mark in text next to the sponsored links).
2 See, e.g., Sellify Inc. v. Amazon.com, Inc., No. 09 Civ. 0268 (JSR), 2010 WL 4455830 (S.D.N.Y. Nov. 14, 2010) (granting summary judgment for Amazon.com on claims for contributory and vicarious trademark infringement and alleged violations of the Connecticut Unfair Trade Practices Act, where judgment was entered on plaintiff's state law claim because there was no evidence that Amazon.com itself placed the sponsored link advertisement at issue in the case and the associate who did so was not acting as Amazon.com's agent).
3 See supra § 6.11[7].
4 See supra § 6.12[6].
5 See supra § 12.03[2].

used as a mark).6

There is not much case law on state right of publicity claims based on sponsored links. In one of the few cases, Habush v. Cannon,7 an intermediate appellate court in Wisconsin held that a competing law firm did not “use” lawyers’ names within the meaning of Wisconsin’s right of publicity statute, Wis. Stat. § 995.50(2)(b), by successfully bidding on plaintiff’s names and purchasing keyword ads triggered by those names because the use was not a “visible” part of a promotion or product. In so ruling, the court rejected plaintiff’s argument that a use should be found by analogy to trademark law, including the Second Circuit’s holding in Rescuecom Corp. v. Google, Inc.8 The intermediate appellate court made clear it was not rejecting the analogy on the merits, but rather based on plaintiff’s failure to adequately brief the issue.9

The court held in Habush v. Cannon that bidding on a competitor’s name as a keyword to trigger a sponsored link advertisement is like locating a business in close proximity to another business or placing a billboard or Yellow Pages advertisement in close proximity to a competitor’s, which the plaintiff had conceded would not have been actionable.10 While there are many reasons to assume that truthful comparative advertising could be a permissible use under fair use principles or the First Amendment,11 the court’s conclusion that no use was involved because any use was not visible seems questionable.

Notwithstanding this one intermediate appellate court ruling, where a person’s name or attributes are used to trigger advertisements for unrelated products or services (such

6 See supra § 12.03[3].
7 Habush v. Cannon, 346 Wis. 2d 709, 828 N.W.2d 876 (2013).
8 Rescuecom Corp. v. Google Inc., 562 F.3d 123 (2d Cir. 2009); supra §§ 9.11[1], 9.11[3].
9 See Habush v. Cannon, 346 Wis. 2d 709, 727, 828 N.W.2d 876, 884 (2013) (“We do not hold that trademark case law does not provide helpful analogies, but rather observe only that, if this is true, it is not readily apparent and Habush and Rottier do not demonstrate that it is true.”). The similarities between trademark and state right of publicity laws are discussed in section 12.03.
10 Habush v. Cannon, 346 Wis. 2d 709, 724, 828 N.W.2d 876, 882-83 (2013).
11 See infra § 12.05.

as use of a well-known actor or rapper’s name to trigger ads for unrelated products), the commercial use to promote unrelated goods or services potentially may be actionable under applicable state12 law,13 but subject to broad First Amendment protections for incidental use14 and other permissible grounds.15 Right of publicity laws are separately analyzed in section 12.03.

In contrast to sponsored link claims brought under the Lanham Act, those arising under state law potentially may be preempted by the Good Samaritan exemption created by the Telecommunications Act of 1996, also referred to as the Communications Decency Act, 47 U.S.C.A. § 230(c).16 While this exemption would not preempt claims against competitors, distributors or others for their own conduct or content, it could preempt a range of state law claims asserted against intermediaries, such as search engines, for republishing advertisements written or developed by third parties,17

depending which claims are raised and where suit is filed.18 For example, in Rosetta Stone Ltd. v. Google, Inc.,19 the

12 Under federal law, the use of a name entitled to trademark protection to trigger advertisements would be deemed a use in commerce under the Lanham Act, whether or not the claim ultimately was successful. See supra §§ 9.11[1], 9.11[3].

13 See, e.g., Allen v. National Video, Inc., 610 F. Supp. 612 (S.D.N.Y. 1985) (enjoining the use of a celebrity impersonator to promote an unaffiliated videotape rental chain); see generally infra § 12.03[2][B] (collecting similar cases).

14 See, e.g., Stayart v. Google Inc., 710 F.3d 719 (7th Cir. 2013) (affirming dismissal of plaintiff’s misappropriation claims arising out of the alleged use of her name in conjunction with searches for an erectile dysfunction drug because plaintiff made the search request a matter of public interest by suing Yahoo! over it in 2010 and therefore the fact that algorithms generated the suggestion to search for the drug Levitra when plaintiff’s name was input into the search engine or displayed sponsored link advertisements for the drug was shielded from liability by the incidental use exception).

15 See infra § 12.05 (incidental use, newsworthiness exception and other defenses to right of publicity claims).

16 See supra § 9.01 (discussing the exemption in connection with metatags); infra § 37.05[5] (analyzing the issue more extensively).

17 See, e.g., Parts.com, LLC v. Yahoo! Inc., 996 F. Supp. 2d 933, 938-39 (S.D. Cal. 2013) (dismissing with prejudice state law claims for trademark infringement and dilution and unfair competition as preempted by the CDA); Rosetta Stone Ltd. v. Google Inc., 732 F. Supp. 2d 628 (E.D. Va. 2010) (dismissing Rosetta Stone's unjust enrichment claim, based on the use of its marks to trigger sponsored links, as preempted by the CDA), aff'd in relevant part on other grounds, 676 F.3d 144, 165–66 (4th Cir. 2012); Jurin v. Google Inc., 695 F. Supp. 2d 1117 (E.D. Cal. 2010) (dismissing as preempted by the CDA claims for negligent and intentional interference with contractual relations and prospective economic advantage and fraud arising out of Google's use of its keyword suggestion tool in connection with its AdWords program). But see Cybersitter, LLC v. Google, Inc., 905 F. Supp. 2d 1080, 1086-87 (C.D. Cal. 2012) (narrowly applying the CDA without much analysis in denying in part the defendant’s motion to dismiss and holding that the CDA preempted claims based on the contents of advertisements, to the extent not developed by the defendant, but not claims arising out of the alleged sale of plaintiff’s “Cybersitter” mark as a key word to trigger sponsored link advertisements); Amerigas Propane, L.P. v. Opinion Corp., Civil Action No. 12-713, 2012 WL 2327788, at *9 (E.D. Pa. June 19, 2012) (distinguishing Rosetta Stone based on allegations in this case that the defendant itself was responsible for exercising control over what advertisements appeared on its own page); Stayart v. Yahoo! Inc., 651 F. Supp. 2d 873 (E.D. Wis. 2009) (holding that the CDA did not insulate Yahoo! for claims based on an alleged banner advertisement that plaintiff claimed Yahoo! itself was responsible for; dismissing claims based on search results under the CDA and because plaintiff could not allege contributory or vicarious trademark infringement), aff'd on other grounds, 623 F.3d 436 (7th Cir. 2010) (affirming dismissal of plaintiff's Lanham Act claim based on lack of standing to assert trademark rights in her name). On remand, plaintiff's remaining right of publicity claim ultimately was dismissed on other grounds. See Stayart v. Yahoo! Inc., No. 10C0043, 2011 WL 3625242 (E.D. Wis. Aug. 17, 2011) (dismissing plaintiff's claim for failing to meet the amount in controversy requirement for diversity jurisdiction and, in the alternative, because use of a name to search for information found on Internet sites does not involve use for advertising or trade under Wisconsin law and is protected as a matter of public record and, at most, shows that third parties used her name, not Yahoo!).

18 There presently is a split of authority over whether the CDA preempts state laws “pertaining to intellectual property,” or whether state IP claims are excluded from CDA preemption like federal claims, such as those arising under the Lanham Act. Compare Perfect 10, Inc. v. CCBill LLC, 488 F.3d 1102 (9th Cir.) (construing the term “any law pertaining to intellectual property” to be restricted to “federal intellectual property” and therefore holding that the plaintiff's right of publicity claim against an Internet payment processor was preempted), cert. denied, 522 U.S. 1062 (2007) with Doe v. Friendfinder Network, Inc., 540 F. Supp. 2d 288 (D.N.H. 2008) (holding that “any law pertaining to intellectual property” literally means any law—state or federal—and therefore denying the defendant's motion to dismiss plaintiff's right of publicity claim under New Hampshire law) and Atlantic Recording Corp. v. Project Playlist, Inc., 603 F. Supp. 2d 690 (S.D.N.Y. 2009) (construing the literal language of the statute the same way as the court in Doe and allowing a common law copyright claim under New York law to proceed); see generally infra § 37.05[5] (analyzing the issue and discussing more recent case law).

19 Rosetta Stone Ltd. v. Google Inc., 732 F. Supp. 2d 628 (E.D. Va.

district court held that Rosetta Stone's state law claim against Google for unjust enrichment, based on the use of its marks in sponsored links, was preempted. In so ruling, the court distinguished 800-JR Cigar, Inc. v. GOTO.com, Inc.,20 where the court held that CDA immunity did not bar a similar claim against a “pay-for-priority” search engine. First, in that case, the court wrote, the defendant, unlike Google, did not qualify as an interactive service provider. Second, the defendant in GOTO.COM was responsible for the content at issue, whereas in Google third party advertisers were responsible for selecting the keyword triggers.21 On appeal, the Fourth Circuit affirmed on different grounds, ruling that Rosetta Stone did not allege that it conferred a benefit on Google which Google should reasonably have expected to repay.22 To establish a claim for unjust enrichment under Virginia law, a plaintiff must show that (1) it conferred a benefit on the defendant, (2) the defendant knew of the benefit and should reasonably have expected to repay the plaintiff, and (3) the defendant accepted or retained the benefit without paying for its value.23 The appellate panel explained that Rosetta Stone did not allege, and did not contend, that Google paid any other mark holders for the right to use a mark in its AdWords program.24

Disputes involving sponsored links also potentially may arise from license disputes25 or contract claims.26

2010), aff'd in relevant part on other grounds, 676 F.3d 144, 165–66 (4th Cir. 2012).

20 800-JR Cigar, Inc. v. GoTo.com, Inc., 437 F. Supp. 2d 273, 295–96 (D.N.J. 2006).

21 Rosetta Stone Ltd. v. Google Inc. was distinguished in Amerigas Propane, L.P. v. Opinion Corp., Civil Action No. 12-713, 2012 WL 2327788, at *13 (E.D. Pa. June 19, 2012), in which a court denied a commercial gripe site's motion to dismiss because, among other things, unlike in Rosetta Stone, the defendant in Amerigas Propane was alleged to have exercised control over the advertisements on its website. In that case, the plaintiff asserted that the gripe site, PissedConsumer.com, solicited and wrote highly negative comments about the plaintiff, which it then used to sell advertisements to plaintiff's competitors.

22 Rosetta Stone Ltd. v. Google, Inc., 676 F.3d 144, 166 (4th Cir. 2012).

23 Rosetta Stone Ltd. v. Google, Inc., 676 F.3d 144, 165–66 (4th Cir. 2012).

24 Rosetta Stone Ltd. v. Google, Inc., 676 F.3d 144, 166 (4th Cir. 2012).

25 See Video Professor, Inc. v. Amazon.com, Inc., Case No. 09-cv-00636-REB-KLM, 2010 WL 1644630 (D. Colo. Apr. 21, 2010) (granting defendant's summary judgment motion where the court found that Amazon's purchase of “Video Professor” as keywords to trigger sponsored links on Google for genuine products sold by Amazon.com was not restricted by the terms of a trademark license entered into by the parties).

26 See, e.g., Ingrid & Isabel, LLC v. Baby Be Mine, LLC, 70 F. Supp. 3d 1105, 1132 (N.D. Cal. 2014) (granting defendant's motion for summary judgment on plaintiff's claim that the defendant breached a settlement agreement by purchasing “Bella” as a keyword for sponsored link advertisements); Jurin v. Google Inc., 768 F. Supp. 2d 1064, 1073 (E.D. Cal. 2011) (dismissing with prejudice claims for breach of contract and breach of the duty of good faith and fair dealing arising out of the alleged breach by Google of its AdWords policy terms and conditions because a “broadly worded promise to abide by its own policy does not hold Defendant to a contract.”); see also Jurin v. Google, Inc., No. 2:09-cv-03065-MCE-KJM, 2010 WL 3521955 (E.D. Cal. Sept. 8, 2010) (dismissing plaintiff's initial breach of contract claim with leave to amend based on the court's finding that Google's AdWords contract did not obligate Google to disable keywords in response to a trademark complaint).

9.11[5] Checklist

In evaluating how to circumnavigate the series of potential obstacles created by the different approaches taken to the treatment of Internet advertising cases under the Lanham Act, the following guidelines may be helpful:

• Did a competitor deliberately purchase a keyword or was it automatically selected because of the algorithms used for generating sponsored links?
• Did the competitor use negative key words to affirmatively preclude certain marks from triggering banner advertisements?1
• Does the linked advertisement display a competitor's mark or is the mark merely only used to trigger the advertisement?
• Do the link, surrounding text and landing page clearly identify the source of the product or service displayed or is there a likelihood of confusion?
• Can a use be said to blur or tarnish another company's mark?
• Could the use be characterized as a nominative fair use, non-trademark use or lawful comparative advertising in those jurisdictions where actionable?

In fact, no two companies may take the exact same approach to handling sponsored links. Among other factors that a business should consider are the strength of particular brands, the degree to which sales and marketing are driven by search engines compared to brand identity, the extent to which the Internet plays a role in generating sales from new rather than brand-loyal customers and whether and to what extent a company is more likely to be a purchaser rather than an objector to the practice of purchasing keywords.

In litigation, however, the choices are clear. Assuming fair use does not apply and a mark may not be said to be used in a non-trademark sense, plaintiffs generally are better off filing suit in the Ninth Circuit, while defendants may be best able to defend claims in the Fourth Circuit, where initial interest confusion effectively is not recognized, or possibly in the Third Circuit, which applies a tougher standard before finding initial interest confusion. In all cases, companies should think strategically about Internet marketing decisions.

[Section 9.11[5]]

1 In most cases, it is not required to affirmatively block the use of particular terms, although doing so could negate potential claims.

9.12 Blog, Message Board and Chat Room Liability

Blogs, message boards and chat rooms analytically are no different from other interactive locations where users or other third-parties may post, store or transmit potentially infringing, tortious or otherwise illegal material. Liability for user content and conduct in connection with hosting a blog, message board or chat room may arise under copyright law, trademark law, trade secret law, rights of publicity, adult material and a range of potential state law claims. The Communications Decency Act exempts intermediaries for much of this potential exposure other than claims pertaining to intellectual property and federal criminal matters. The Digital Millennium Copyright Act provides a notice and takedown procedure that service providers may use to limit their liability. Intermediaries usually benefit from adopting similar procedures for I.P. claims other than copyright, even though there is no express safe harbor for such claims. Sites and services similarly must comply with child pornography reporting obligations in order to avoid liability.

These liability risks and potential exemptions and safe harbors are analyzed extensively in chapters 49 to 51. Chapter 49 assesses the legal risks and opportunities. Chapter 50 discusses practical approaches to reducing exposure. Chapter 51, in turn, addresses issues specific to blogs and social networks. Finally, Shield Law protection, available in limited


COPYRIGHT FAIR USE

Excerpted from Chapter 4 (Copyright Protection in Cyberspace) of E-Commerce and Internet Law: A Legal Treatise With Forms, Second Edition, a 4-volume legal treatise by Ian C. Ballon (Thomson/West Publishing 2016)


Mr. Ballon has brought or defended significant and often cutting edge suits involving computer software, the Internet and mobile technology. A list of recent cases may be found at http://www.gtlaw.com/People/Ian-C-Ballon.

Mr. Ballon was named the Lawyer of the Year for Information Technology Law in the 2013 and 2016 editions of Best Lawyers in America. In addition, he was the 2010 recipient of the State Bar of California IP Section’s Vanguard Award for significant contributions to the development of intellectual property law (http://ipsection.calbar.ca.gov/IntellectualPropertyLaw/IPVanguardAwards.aspx). He is listed in Legal 500 U.S., The Best Lawyers in America (in the areas of information technology and intellectual property) and Chambers and Partners USA Guide in the areas of privacy and data security and information technology. He also has been recognized by The Daily Journal as one of the Top 75 IP litigators in California in every year that the list has been published, from 2009 through 2015, and has been listed as a Northern California Super Lawyer every year from 2004 through 2015 and as one of the Top 100 lawyers in California. Mr. Ballon also holds the CIPP/US certificate for the International Association of Privacy Professionals (IAPP).


4.10 Fair Use Defense and the Concept of Time in Cyberspace

4.10[1] The Fair Use Defense—In General

Fair use is a complete defense to copyright infringement1 (although it is not a defense to a claim brought under the anticircumvention provisions of the Digital Millennium Copyright Act).2 Fair use has been characterized as an “equitable rule of reason”3 and therefore must be proven on a case-by-case basis in litigation,4 rather than easily determined by a bright line test. Fair use is “an open-ended and context-sensitive inquiry ....”5 It is an exception that “permits courts to avoid rigid application of the copyright statute when, on occasion, it would stifle the very creativity which that law is designed to foster.”6 It is also generally viewed as fully encompassing potential First Amendment protections in copyright cases.7

The fair use defense generally applies where a work is used “for purposes such as criticism, comment, news reporting, teaching . . . scholarship or research ....”8 In evaluating whether the fair use defense is available, courts must consider9 four statutory factors:

• the purpose and character of the use, including whether it is of a commercial nature or is for nonprofit educational purposes;10

[Section 4.10[1]]

1 17 U.S.C.A. § 107.

2 17 U.S.C.A. §§ 1201 et seq.; see generally infra § 4.21[2].

3 Sony Corp. of America v. Universal City Studios, Inc., 464 U.S. 417, 448 (1984).

4 See Campbell v. Acuff-Rose Music, Inc., 510 U.S. 569, 577 (1994).

5 Blanch v. Koons, 467 F.3d 244, 251 (2d Cir. 2006).

6 Dr. Seuss Enterprises, L.P. v. Penguin Books USA, Inc., 109 F.3d 1394, 1399 (9th Cir. 1997) (internal quotation marks and citation omitted).

7 New Era Publications Int'l, ApS v. Henry Holt & Co., 873 F.2d 576, 584 (2d Cir. 1989) (summarizing earlier case law), cert. denied, 493 U.S. 1094 (1990). The Supreme Court has recognized that the Copyright Act itself embodies a balance between the rights of copyright holders, which are guaranteed by Article I, section 8 of the Constitution, and the protections of the First Amendment. See Harper & Row Publishers, Inc. v. Nation Enterprises, 471 U.S. 539, 556 (1985) (analyzing the issue and rejecting a First Amendment claim “[i]n view of the First Amendment protections already embodied in the Copyright Act's distinction between copyrightable expression and uncopyrightable facts and ideas, and the latitude for scholarship and comment traditionally afforded by fair use”); Religious Technology Center v. Netcom On-Line Communication Services, Inc., 923 F. Supp. 1231, 1258 (N.D. Cal. 1995) (analyzing case law).

8 17 U.S.C.A. § 107 (emphasis added).

9 Stewart v. Abend, 495 U.S. 207, 237 (1990).

10 In evaluating the purpose and character of the use, courts typically consider whether a defendant's use is (a) commercial and (b) transformative. In considering whether a work is commercial, the issue “is not whether the sole motive of the use is monetary gain, but whether the user stands to profit from exploitation of the copyrighted material without paying the customary price.” Harper & Row Publishers, Inc. v. Nation Enterprises, 471 U.S. 539, 562 (1985). In A&M Records, Inc. v. Napster, Inc., 239 F.3d 1004 (9th Cir. 2001), for example, the Ninth Circuit found that Napster's peer-to-peer “file sharing” service was “commercial” even though it charged no fees for use because, among other things, it allowed users to “get for free something they would ordinarily have to buy.” The Ninth Circuit emphasized that “[d]irect economic benefit is not required to demonstrate a commercial use.” In Napster, there was evidence that the service, backed by venture capitalists, had hoped, like many Internet start-ups, to generate traffic and brand identity so that it would eventually earn money. Likewise, in UMG Recordings, Inc. v. MP3.com, Inc., 92 F. Supp. 2d 349 (S.D.N.Y. 2000), the court found defendant's My.MP3.com service commercial because even though subscribers were “not currently charged a fee, defendant seeks to attract a sufficiently large subscription base to draw advertising and otherwise make a profit.” UMG Recordings, Inc. v. MP3.com, Inc., 92 F. Supp. 2d 349, 351 (S.D.N.Y. 2000).

The evaluation of the purpose and character of a work “may be guided by the examples given in the preamble to section 107, looking to whether the work is for criticism, or comment, or news reporting, and the like” Campbell v. Acuff-Rose Music, Inc., 510 U.S. 569, 578–79 (1994). The central focus of the inquiry, however, is whether (and to what extent) “the new work merely supersedes the objects of the original creation . . . or instead adds something new, with a further purpose or different character, altering the first with new expression, meaning or message; . . . in other words, whether and to what extent the work is transformative.” Campbell v. Acuff-Rose Music, Inc., 510 U.S. 569 (1994), quoting Pierre N. Leval, Toward A Fair Use Standard, 103 Harv. L. Rev. 1105, 1111 (1990). The character of a work weighs in favor of finding fair use if it “adds value to the original” or uses the original “as raw material, transformed in the creation of new information, new aesthetics, new insights and understandings.” Castle Rock Entertainment, Inc. v. Carol Publishing Group, Inc., 150 F.3d 132, 141 (2d Cir. 1998) (finding “slight to nonexistent” transformative value to a trivia quiz), quoting Leval, 103 Harv. L. Rev. at 1111. Cf. Michaels v. Internet Entertainment Group Inc., 48 U.S.P.Q.2d 1891, 1998 WL 882848 (C.D. Cal. Sept. 10, 1998) (finding


the use of twenty-seven seconds from a forty-five-minute videotape of actress Pamela Anderson Lee and a former boyfriend engaging in sexual relations (displayed in blurry two to five-second segments) transformative when used in a report aired on the television show “Hard Copy” about the plaintiff's dispute over the pending unauthorized release of the video over the Internet).

The more transformative the new work, the less important other factors (including the commercial character of a work) become. See, e.g., A.V. v. iParadigms, LLC, 562 F.3d 630, 639 (4th Cir. 2009) (holding that defendants' use of high school term papers in a database to compare and evaluate plagiarism claims was highly transformative and that the commercial aspect of the use was not significant in light of its transformative nature). Thus, even a practice that has a negative effect on the market for a genuine product may be found to be a fair use if it serves a transformative purpose. See Sony Computer Entertainment, Inc. v. Connectix Corp., 203 F.3d 596, 607 (9th Cir.) (“some economic loss . . . does not compel a finding of no fair use.”), cert. denied, 531 U.S. 871 (2000); see also Sony Computer Entertainment America, Inc. v. Bleem, LLC, 214 F.3d 1022, 1027 (9th Cir. 2000) (holding that copying “screen shots” from Sony computer games for use in advertisements constituted a fair use under narrow circumstances in part because “comparative advertising redounds greatly to the purchasing public's benefit with very little corresponding loss to the integrity of . . . [the] copyrighted material.”). Likewise, even an exact or complete copy of a work may be found to be a fair use if it is transformative. See, e.g., Perfect 10, Inc. v. Amazon.com, Inc., 508 F.3d 1146, 1163–65 (9th Cir. 2007) (holding entire images copied in search results to be a fair use where the copying in connection with operation of a visual search engine was “highly transformative”); Nunez v. Caribbean Int'l News Corp., 235 F.3d 18, 22–23 (1st Cir. 2000) (holding republication of photos taken for a modeling portfolio in a newspaper to be transformative because the photos served to inform, as well as entertain); Field v. Google Inc., 412 F. Supp. 2d 1106, 1118–22 (D. Nev. 2006) (holding Google's practice of caching content to be a fair use because it was highly transformative and served a noncompetitive purpose by enabling users to access a site when the original page was inaccessible, allowing users to compare changes to a site over time, highlighting search terms to allow users to understand why a page was deemed responsive to a query, using various design features to underscore that the cached copy is not intended to replace the original and encouraging users to access the original, and ensuring that site owners could disable the cache functionality so that their sites would not be copied by Google).

A use “can be transformative in function or purpose without altering or actually adding to the original work.” A.V. v. iParadigms, LLC, 562 F.3d 630, 639 (4th Cir. 2009) (holding that making an exact digital copy of a student's thesis for the purpose of determining whether it included plagiarism was a fair use); Swatch Group Mgmt. Servs. v. Bloomberg LP, 756 F.3d 73, 84 (2d Cir. 2014) (quoting iParadigms for this proposition in a case in which the court held that a new service's dissemination of verbatim transcripts of plaintiff's recorded conference calls with securities analysts was a fair use and served at least an arguably transformative purpose—


namely, to publish factual information, which otherwise was restricted to a narrow group of analysts, to the public).

On the other hand, when a work is simply retransmitted in a different medium, it is less likely to be found to be transformative. See, e.g., A&M Records, Inc. v. Napster, Inc., 239 F.3d 1004, 1015 (9th Cir. 2001) (concluding that “downloading MP3 files does not transform the copyrighted work.”); Infinity Broadcast Corp. v. Kirkwood, 150 F.3d 104, 108 & n.2 (2d Cir. 1998) (holding radio rebroadcasts over telephone lines were not transformative, noting that “a change of format, though useful, is not technically a transformation.”); UMG Recordings, Inc. v. MP3.com, Inc., 92 F. Supp. 2d 349, 351 (S.D.N.Y. 2000) (finding that the reproduction of music from CD-ROMs to MP3 files did not transform the works; “defendant adds no ‘new aesthetics, new insights and understandings’ to the original music recordings it copies, . . . but simply repackages those recordings to facilitate their transmission through another medium.”).

As explained by Judge Leval, transformativeness is different from transformation for purposes of evaluating derivative works. He wrote that “derivative works generally involve transformations in the nature of changes of form . . . ,” such as the translation of a novel into another language, the adaptation of a novel into a movie or play, or the recasting of a novel as an e-book or an audio book. Author's Guild, Inc. v. Google Inc., — F.3d —, 2015 WL 6079426, at *8 (2d Cir. 2015). By contrast, copying from an original for the purpose of criticism or commentary about the original, or provision of information about it, “tends most clearly to satisfy Campbell’s notion of the ‘transformative’ purpose involved in the analysis of Factor One.” Id.; see also supra § 4.05[3] (analyzing derivative works). Where a work is based on an earlier work, the new work may be deemed a fair use if it is sufficiently transformative, or otherwise held to be merely an infringing derivative work. See, e.g., Salinger v. Colting, 607 F.3d 68, 83 (2d Cir. 2010) (agreeing with the district court that the author of “60 Years Coming: Through the Rye” was not likely to prevail on its fair use defense in a suit alleging that the novel was merely an infringing derivative work of J.D. Salinger's “The Catcher in the Rye”).

In Perfect 10, Inc. v. Amazon.com, Inc., 508 F.3d 1146 (9th Cir. 2007), the Ninth Circuit rejected the argument that providing access to infringing websites could never be deemed transformative and is inherently not a fair use. The court acknowledged that a party claiming fair use must act in a manner generally compatible with principles of good faith and fair dealing. It distinguished Video Pipeline, Inc. v. Buena Vista Home Entertainment, Inc., 342 F.3d 191, 198–200 (3d Cir. 2003), cert. denied, 540 U.S. 1178 (2004), and Atari Games Corp. v. Nintendo of America Inc., 975 F.2d 832 (Fed. Cir. 1992) as cases where the alleged infringers “intentionally misappropriated the copyright owners' works for the purpose of commercial exploitation,” whereas in Amazon.com, Google was “operating a comprehensive search engine that only incidentally indexes infringing websites. This incidental impact does not amount to an abuse of the good faith and fair dealing underpinnings of the fair use doctrine . . . . Google's inclusion of thumbnail images derived from infringing websites in its Internet-wide search engine activities does not preclude Google from raising a fair use defense.” 508 F.3d at 1164 n.8. In A.V. v. iParadigms, LLC,


• the nature of the work;11

562 F.3d 630 (4th Cir. 2009), the Fourth Circuit rejected the argument that a defendant's use could not be transformative where the defendant added nothing additional to the work. In that case, the defendant operated a database designed to detect plagiarism in assignments submitted by high school students. Plaintiffs argued that their term papers were copied into the database without authorization by the defendant, who in turn argued that its copying was a fair use. Judge Traxler, writing for the panel, explained that “[t]he use of a copyrighted work need not alter or augment the work to be transformative in nature. Rather, it can be transformative in function or purpose without altering or actually adding to the original work.” A.V. v. iParadigms, LLC, 562 F.3d 630, 639 (4th Cir. 2009), citing Perfect 10, Inc. v. Amazon.com, Inc., 508 F.3d 1146, 1165 (9th Cir. 2007). He explained that just like Google's use of copyrighted images in thumbnails as part of a search index was highly transformative even though the images themselves were not altered (in that they served a different function than the original images served), iParadigms' use of plaintiffs' works had an entirely different function and purpose than the original—to prevent plagiarism and stop student works from being plagiarized.

Pierre Leval's terminology, while adopted by the Supreme Court, has been criticized as somewhat confusing by Seventh Circuit Judge Posner, who in an opinion joined by then-Chief Judge Flaum and Judge Rovner, sought to recast consideration of whether a work was “transformative” or “superseding” in economic terms. According to Judge Posner, “copying that is complementary to the copyrighted work (in the sense that nails are complements of hammers) is fair use, but copying that is a substitute for the copyrighted work (in the sense that nails are substitutes for pegs or screws), or for derivative works from the copyrighted work . . . is not fair use.” Ty, Inc. v. Publications Int'l Ltd., 292 F.3d 512, 517 (7th Cir. 2002) (citation omitted).

11 The Supreme Court has noted that creative works are “ ‘closer to the core of intended copyright protection’ than informational or functional works ‘with the consequence that fair use is more difficult to establish when the former works are copied.’ ” Dr. Seuss Enterprises, L.P. v. Penguin Books USA, Inc., 109 F.3d 1394, 1402 (9th Cir. 1997), quoting Campbell v. Acuff-Rose Music, Inc., 510 U.S. 569, 586 (1994); see also Stewart v. Abend, 495 U.S. 207, 237 (1990) (“In general, fair use is more likely to be found in factual works than in fictional works.”). Unpublished works are entitled to enhanced protection. Once a work has been published, even a creative work will no longer be eligible for enhanced protection. See Perfect 10, Inc. v. Amazon.com, Inc., 508 F.3d 1146 (9th Cir. 2007).

In evaluating this factor, Second Circuit Judge Pierre Leval has argued that the “transformative purpose inquiry” that is conventionally analyzed in connection with the purpose and character of the use, is also relevant to an evaluation of the nature of the work because “[o]ne cannot assess whether the copying work has an objective that differs from the original without considering both works, and their respective objectives.” Author's Guild, Inc. v. Google Inc., — F.3d —, 2015 WL 6079426, at *11 (2d Cir. 2015). It remains to be seen whether and to what extent other courts adopt this analysis.


E the amount and substantiality of the portion used in relation to the copyrighted work as a whole;12 and

Needless to say, “courts have hardly ever found that the second fac- tor in isolation played a large role in explaining a fair use decision.” Id. at *12. 12 The extent of permissible copying varies with the purpose and character of the use. Campbell v. Acu-Rose Music, Inc., 510 U.S. 569, 586–87 (1994). Wholesale copying does not preclude a nding of fair use per se, but may weigh against it. See Cariou v. Prince, 714 F.3d 694, 710 (2d Cir. 2013); A.V. v. iParadigms, LLC, 562 F.3d 630, 642 (4th Cir. 2009); Kelly v. Arriba Soft Corp., 336 F.3d 811, 820 (9th Cir. 2003) (citing earlier case law). “[A]s the amount of the copyrighted material that is used increases, the likelihood that the use will constitute a ‘fair use’ decreases.” Bond v. Blum, 317 F.3d 385, 396 (4th Cir. 2003). By contrast, “[i]f the sec- ondary user only copies as much as is necessary for his or her intended use, then this factor will not weigh against him or her.” Arriba Software, 336 F.3d at 820. However, unlike trademark fair use (infra § 6.14), “the law does not require that the secondary artist may take no more than is necessary.” Cariou v. Prince, 714 F.3d 694, 710 (2d Cir. 2013). In short, “[t]here are no absolute rules as to how much of a copyrighted work may be copied and still be considered a fair use.” Maxtone-Graham v. Burtchaell, 803 F.2d 1253, 1263 (2d Cir. 1986), cert. denied, 481 U.S. 1059 (1987). Courts typically look at both the size of an excerpt and its quality (or whether the “essence” of the work was copied). For example, in Harper & Row Publishers, Inc. v. Nation Enterprises, 471 U.S. 539, 564–65 (1985), the Court found that a comparatively short, 300 word excerpt in a book review of President Gerald Ford's memoirs supplanted the market for the genuine work because it included many of the more important details that otherwise were to appear in a licensed excerpt in a competing newsmagazine. 
By contrast, the defendant's inclusion of twenty seconds of footage, edited from a promotional trailer, in a forty-four-minute television biography program, was found to be a fair use in Hofheinz v. A & E Television Networks, 146 F. Supp. 2d 442 (S.D.N.Y. 2001). Similarly, in Hofheinz v. AMC Productions, Inc., 147 F. Supp. 2d 127 (E.D.N.Y. 2001), a court found that the unauthorized inclusion of certain movie clips and photographs in a documentary film, in addition to excerpts which had been expressly licensed, was likely to be found a fair use, in part because the clips did not amount to a substantial portion of the films from which they were excerpted. The court observed that the material did not “ge[t] at the ‘heart’ of the copyrighted works.” In evaluating the size of an excerpt, courts may focus on both absolute and percentage terms. See, e.g., Iowa State University Research Foundation, Inc. v. American Broadcasting Companies, Inc., 621 F.2d 57, 61–62 (2d Cir. 1980) (holding that a television program's copying of 2.5 minutes was actionable, and not a fair use, because it amounted to 8% of the total show). Courts will also look at the nature of the copying. Thus, copying even an entire work may be deemed a fair use “where the use of the original work is limited in purpose and scope.” A.V. v. iParadigms, LLC, 544 F. Supp. 2d 473, 483 (E.D. Va. 2008) (holding that the amount and

Pub. 12/2015 4-175 4.10[1] E-Commerce and Internet Law

• the effect of the use upon the potential market for, or value of, the copyrighted work.13

substantiality of the portion used either favored neither party or a finding of fair use where the defendant used entire copies of high school students' papers for the limited purpose of storing them digitally and reviewing them electronically in connection with running a plagiarism detection service, where the use was also found to be highly transformative), aff'd, 562 F.3d 630, 642 (4th Cir. 2009). Needless to say, there is no magic number or percentage below which the quantity and quality of the portion copied will be deemed a fair use. The Second Circuit has explained that a use is less likely to be fair when it involves extensive copying or encompasses the most important parts of the original work because of the relationship between the third and fourth factors. “The larger the amount, or the more important the part, of the original that is copied, the greater the likelihood that the secondary work might serve as an effectively competing substitute for the original, and might therefore diminish the original rights holder's sales and profits.” Author's Guild, Inc. v. Google Inc., — F.3d —, 2015 WL 6079426, at *12 (2d Cir. 2015). In addition to being potentially relevant to the fair use defense, the amount and substantiality of material copied without authorization could support a defense of de minimis copying under very limited circumstances. See supra § 4.08[1].

13 17 U.S.C.A. § 107. In evaluating the effect on the market for the genuine work, courts should consider “whether the secondary use usurps or substitutes for the market of the original work.” Castle Rock Entertainment, Inc. v. Carol Publishing Group, Inc., 150 F.3d 132, 145 (2d Cir. 1998); see also A.V. v. iParadigms, LLC, 562 F.3d 630, 643 (4th Cir. 
2009) (courts must determine whether a use would “materially impair the marketability of the work and whether it would act as a market substitute” for them; citing earlier cases). The Second Circuit has made clear that this factor focuses not on “whether the secondary use suppresses or even destroys the market for the original work, or its potential derivatives, but whether the secondary use usurps the market for the original work.” Cariou v. Prince, 714 F.3d 694, 708 (2d Cir. 2013) (holding that the use of plaintiff's photographs in high end paintings that were marketed to a different sort of collector than the copyright owner's original photographs did not usurp the copyright owner's market), quoting Blanch v. Koons, 467 F.3d 244, 258 (2d Cir. 2006). Stated differently, a “fair use must not excessively damage the market for the original by providing the public with a substitute for that original work.” Author's Guild, Inc. v. HathiTrust, 755 F.3d 87, 95 (2d Cir. 2014). In general, “the more transformative the secondary use, the less likelihood that the secondary use substitutes for the original” even though “the fair use, being transformative, might well harm, or even destroy, the market for the original.” A.V. v. iParadigms, LLC, 562 F.3d 630 (4th Cir. 2009), citing Campbell v. Acuff-Rose Music, Inc., 510 U.S. 569, 591–93 (1994) (“[A] lethal parody, like a scathing theater review, kills demand for the original, [but] does not produce a harm cognizable under the Copyright Act.”); see also Sony Computer Entertainment, Inc. v. Connectix

4-176 Copyright Protection in Cyberspace 4.10[1]

Even a relatively small amount of copying, however, may be found impermissible if it deprives a copyright owner of its ability to exploit the work.14

Corp., 203 F.3d 596, 607 (9th Cir.) (“Whereas a work that merely supplants or supersedes another is likely to cause a substantially adverse impact on the potential market of the original, a transformative work is less likely to do so.”), cert. denied, 531 U.S. 871 (2000). As the Second Circuit explained, “[f]actor Four analysis is concerned with only one type of economic injury to the copyright holder: the harm that results because the secondary use serves as a substitute for the original work . . . . [A]ny economic ‘harm’ caused by transformative uses does not count because such uses, by definition, do not serve as substitutes for the original work.” Author's Guild, Inc. v. HathiTrust, 755 F.3d 87, 99 (2d Cir. 2014). Courts should also “consider the public benefit resulting from a particular use notwithstanding the fact that the alleged infringer may gain commercially.” Sega Enterprises Ltd. v. Accolade, Inc., 977 F.2d 1510, 1523 (9th Cir. 1992).

14 See American Geophysical Union v. Texaco Inc., 60 F.3d 913, 923 (2d Cir.), cert. dismissed, 516 U.S. 1005 (1995). Moreover, the absence of an existing market for the genuine work may not be determinative if a defendant's use adversely affects the copyright owner's ability to later exploit it. The statute refers to the potential market for or value of the protected work. Thus, in UMG Recordings, Inc. v. MP3.com, Inc., 92 F. Supp. 2d 349 (S.D.N.Y. 2000), the court rejected MP3.com's fair use defense in part because a copyright owner is entitled to refuse to license a work or to do so only on terms acceptable to it. The court found that the plaintiffs' ability to market digital music in the future had been damaged by MP3.com's unauthorized practices. Likewise, in a subsequent case brought against MP3.com, the court reiterated, in response to the argument that the plaintiffs themselves had offered free downloads of their protected MP3 music files, that “even if plaintiffs' own uses were more exploitative (as . . . defendant claimed . . 
.), defendant's activities would still ‘invade plaintiffs' statutory right to license their copyrighted sound recordings to others for reproduction’ and would still infringe ‘a copyrightholder's exclusive rights . . . within broad limits, to curb the development of such a derivative market by refusing to license a copyrighted work or by doing so only on terms the copyright owner finds acceptable.’ ” Teevee Toons, Inc. v. MP3.com, Inc., 134 F. Supp. 2d 546, 547 (S.D.N.Y. 2001), quoting UMG Recordings, Inc. v. MP3.com, Inc., 92 F. Supp. 2d at 352 (internal quotation marks omitted). The fact that a particular unauthorized use may actually enhance demand for the genuine work likewise has not necessarily been found to be a mitigating factor if the copyright owner in fact does not approve of the use. The court in UMG Recordings, Inc. v. MP3.com, Inc., 92 F. Supp. 2d 349 (S.D.N.Y. 2000), for example, rejected as relevant the argument that defendant's service enhanced sales of plaintiffs' works because subscribers were required to show that they already owned a genuine copy of a CD, or simultaneously purchase one, before being able to copy it from the My.MP3.com online database to their personal folders. Judge Rakoff wrote that “[a]ny allegedly positive impact of defendant's activities on plaintiffs'


While no single factor is determinative,15 the effect of a defendant's use on the potential market for or value of the copyrighted work generally had been viewed as the most important factor in the past16 and may be especially significant where a use substitutes for the original work. In the Second Circuit, however, and increasingly for other courts, the first of the four considerations, the purpose and character of the use (and specifically whether the use is transformative), is viewed as “[t]he heart of the fair use inquiry.”17 These four factors are not exclusive.18 They “are a checklist of things to be considered rather than a formula for decision;

prior market [for the sale of CDs] in no way frees defendant to usurp a future market [online music sales] that directly derives from reproduction of the plaintiffs' copyrighted works.” UMG Recordings, Inc. v. MP3.com, Inc., 92 F. Supp. 2d 349, 352 (S.D.N.Y. 2000). On the other hand, if a copyright owner cannot articulate any credible theory of loss, the fact that a use enhances demand for the genuine product would weigh in favor of a finding of fair use, at least for purposes of assessing the fourth fair use factor. Judge Posner, in describing fair use of a book in connection with a book review, wrote that it would be “perverse” to treat copying that “increase[d] demand for the copyrighted works” as infringing. See Ty, Inc. v. Publications Int'l Ltd., 292 F.3d 512, 517 (7th Cir. 2002).

15 Congress intended the four statutory criteria to serve as guidelines for “balancing the equities” rather than “definitive or determinative” tests, which “are to be . . . weighed together, in light of the objectives of copyright ‘to promote the progress of science and the useful arts.’ ” H.R. Rep. No. 94-1476, 94th Cong. 2d Sess. 65 (1976), reprinted in 1976 U.S.C.C.A.N. 5659, 5679.

16 See Harper & Row Publishers, Inc. v. Nation Enterprises, 471 U.S. 539, 566 (1985); A.V. ex rel. Vanderhye v. iParadigms, LLC, 562 F.3d 630, 642 (4th Cir. 
2009); Princeton University Press v. Michigan Document Services, Inc., 99 F.3d 1381, 1385 (6th Cir. 1996), cert. denied, 520 U.S. 1156 (1997).

17 On Davis v. The Gap, Inc., 246 F.3d 152, 174 (2d Cir. 2001); see also American Geophysical Union v. Texaco Inc., 60 F.3d 913, 926 (2d Cir.) (suggesting that the U.S. Supreme Court has abandoned the view that the most important factor is the effect on the potential market), cert. dismissed, 516 U.S. 1005 (1995); Hofheinz v. Discovery Communications, Inc., 60 U.S.P.Q.2d 1845, 2001 WL 1111970, at *3 n.6 (S.D.N.Y. Sept. 20, 2001) (describing the Second Circuit as following a minority view in placing greater emphasis on this factor).

18 Even though section 107 uses the mandatory term shall, a close reading of the somewhat unusual sentence structure preceding the four criteria shows that Congress did not intend that the four factors be the only ones considered; merely that in every fair use determination, each of the four factors (among other things) must be considered. See 17 U.S.C.A. § 107 (“In determining whether the use made of a work in any particular case is a fair use the factors to be considered shall include . . . .”).

and likewise the list of statutory purposes.”19 They “provide only general guidance about the sorts of copying that courts and Congress most commonly had found to be fair uses.”20 They “are to be explored, and the results weighed together, in light of the purpose of copyright [law].”21 According to the Second Circuit, “[t]he ultimate test of fair use, therefore, is whether the copyright law's goal of ‘promoting the progress of science and useful arts,’ ‘would be better served by allowing the use than by preventing it.’ ”22 As a practical matter, since courts may evaluate other factors consistent with the underlying objectives of the Copyright Act, but must consider each of the four statutory criteria, in many cases the four factors alone are determinative. Nevertheless, fair use may be found in cases where the four criteria alone might not otherwise justify the finding. Examples of fair use, when unauthorized copying has been deemed lawful, include parody, in the case of a rap song23

19 Ty, Inc. v. Publications Int'l Ltd., 292 F.3d 512, 522 (7th Cir. 2002). In the words of Judge Posner, the statutory definition, “while though extensive, is not illuminating. (More can be less, even in law).” Ty, Inc. v. Publications Int'l Ltd., 292 F.3d 512, 522 (7th Cir. 2002).

20 Campbell v. Acuff-Rose Music, Inc., 510 U.S. 569, 577–78 (1994).

21 Campbell v. Acuff-Rose Music, Inc., 510 U.S. 569, 577–78 (1994).

22 Castle Rock Entertainment, Inc. v. Carol Publishing Group, Inc., 150 F.3d 132, 141 (2d Cir. 1998) (quoting an earlier case and U.S. Const., art. I, § 8, cl. 8).

23 See Campbell v. Acuff-Rose Music, Inc., 510 U.S. 569 (1994) (sampling of a copyrighted song for use in a new parody composition). Parody is not per se fair use. A number of courts apply the “conjure up” test to determine the “purpose and character of the use,” under which “the parodist is permitted a fair use of a copyrighted work if it takes no more than necessary to ‘recall’ or ‘conjure up’ the object of his parody.” Dr. Seuss Enterprises, L.P. v. Penguin Books USA, Inc., 109 F.3d 1394, 1400 (9th Cir. 1997); see also, e.g., MCA, Inc. v. Wilson, 677 F.2d 180, 184 (2d Cir. 1981). To constitute a fair use parody—as opposed to mere satire—a work generally must be targeted at the original work and not merely borrow its style “to get attention or to avoid the drudgery in working up something fresh . . . .” Campbell v. Acuff-Rose Music, Inc., 510 U.S. at 580; see also Campbell v. Acuff-Rose Music, Inc., 510 U.S. 569, 597 (1994) (Kennedy, J., concurring); Rogers v. Koons, 960 F.2d 301, 310 (2d Cir.) (“the copied work must be, at least in part, an object of the parody, otherwise there would be no need to conjure up the original work”), cert. denied, 506 U.S. 934 (1992). Thus, for example, the satiric book “The Cat Not in the Hat! By Dr. Juice,” a poetic account of the O.J. Simpson murder trial in the style of Dr. Seuss's “The Cat in the Hat” was held to not be a fair use in Dr. Seuss Enterprises, L.P. v. 
Penguin Books USA, Inc., 109

and a literary work,24 taping television transmissions on a videocassette recorder for future viewing,25 linking and copying visual images for the purpose of indexing websites as part of a visual search engine,26 caching (in connection with

F.3d 1394, 1400–03 (9th Cir. 1997) because the defendant's book used the style of plaintiff's work to mimic the O.J. Simpson trial, rather than “The Cat in the Hat.”

24 See Suntrust Bank v. Houghton Mifflin Co., 268 F.3d 1257 (11th Cir. 2001) (finding the defendant likely to prevail on its fair use defense in connection with “The Wind Done Gone,” a spoof of “Gone With the Wind” written from the perspective of slaves).

25 See Sony Corp. of America v. Universal City Studios, Inc., 464 U.S. 417 (1984).

26 See Perfect 10, Inc. v. Amazon.com, Inc., 508 F.3d 1146, 1163–67 (9th Cir. 2007); Kelly v. Arriba Soft Corp., 336 F.3d 811 (9th Cir. 2003). In Kelly v. Arriba Software Corp., Ditto.com (previously Arriba Software Corp.) operated a visual search engine that allowed users to locate images on the Web. In response to a query, small, low-resolution “thumbnail” images were displayed next to a link and brief description of the corresponding site where the photograph could be found. Images were obtained automatically by a crawler program that downloaded full-size copies to Arriba's server, where they were converted to thumbnails. Thumbnail images could be copied by users, but their resolution could not be improved. Users, in turn, could access the site where a thumbnail originated from via a link or, for brief periods in 1999 and 2000, view full-size copies of the photographs via in-line links or frames (see infra §§ 9.03, 9.04), separate and apart from the rest of the content on the linked site. The Ninth Circuit ruled that the reproduction of thumbnail images constituted a fair use because defendants' copying was transformative (to index images on the Web) and did not adversely affect the potential market for the genuine works because the thumbnails were not a substitute for full-size, high-resolution images. 
The court found that the nature of the work (creative photographs) weighed slightly in favor of the plaintiff and the amount and substantiality of the portion used was a neutral factor because if Arriba had copied anything less than the complete works it would have been more difficult to identify each image, which would have reduced the usefulness of the search engine. In an earlier ruling that was subsequently vacated because the issue had not been properly preserved for appeal, the Ninth Circuit had ruled that the defendant's initial practice of also making available via in-line links and frames full-size copies of the photographs that appeared on indexed sites (with the surrounding text and other Web content removed) was not a fair use. Displaying the exact image from a site in isolation from the surrounding material via a frame or in-line link was held to serve no transformative purpose and to harm the market for genuine works because people receiving photographs in this format would have had no reason to visit the website from which it had been copied. See Kelly v. Arriba Soft Corp., 280 F.3d 934, 947–48 (9th Cir. 2002), vacated, 336 F.3d 811 (9th Cir. 2003).


In Perfect 10, Inc. v. Amazon.com, Inc., 508 F.3d 1146, 1163–67 (9th Cir. 2007), the Ninth Circuit reaffirmed its 2003 opinion in a case involving very similar facts. In that case, Perfect 10, an adult magazine whose images were widely available without authorization on the Internet, sued Google and Amazon.com arguing that their visual search engines made unauthorized thumbnail reproductions of infringing copies of their works that were displayed with search results. To distinguish Kelly v. Arriba Software Corp., Perfect 10 had argued that these thumbnail images undermined a market for thumbnail images sold for display on cell phones. Unlike in Kelly, Perfect 10 had argued (and the district court had agreed), the thumbnails displayed by Google had an adverse impact on the market for genuine products and therefore were not a fair use. The Ninth Circuit reversed, however, concluding that “the significantly transformative nature of Google's search engine, particularly in light of its public benefit, outweighs Google's superseding and commercial uses of the thumbnails in this case.” Perfect 10, Inc. v. Amazon.com, Inc., 508 F.3d 1146, 1166 (9th Cir. 2007). The court noted that no downloads for mobile phones in fact had taken place, making the superseding use “not significant.” Likewise, although thumbnails directed users to Google AdSense partners, including partners that hosted infringing images, which the court conceded added “a commercial dimension that did not exist in Kelly,” the Ninth Circuit emphasized that the district court had not determined that this commercial element was significant. Id. at 1167. Judge Ikuta, writing for the court, concluded that “the transformative nature of Google's use is more significant than any incidental superseding use or the minor commercial aspects of Google's search engine and website.” Id. 
With respect to the nature of the copyrighted work, the court found the photos to be creative but because the images appeared on the Internet before being used in search engine results, this factor weighed only slightly against a finding of fair use. Kelly v. Arriba and Perfect 10 v. Amazon were cited with approval by the Second Circuit in Author's Guild, Inc. v. Google Inc., — F.3d —, 2015 WL 6079426, at *9, 18 (2d Cir. 2015).

In a subsequent case brought by Perfect 10 against a Russian search engine that, unlike Google, displayed full size versions of Perfect 10 images via in line links (and not merely thumbnails) and also displayed them separate and apart from the websites on which they appeared, the district court, in granting in part the defendant's motion for summary judgment, ruled, among other things, that the defendant's use of the images in connection with a search engine nonetheless constituted a fair use because it was highly transformative. See Perfect 10, Inc. v. Yandex, N.V., 962 F. Supp. 2d 1146, 1154–55 (N.D. Cal. 2013). The court wrote that “whether a browser window shows only a thumbnail and the full-size image—instead of the full-size image along with part of the surrounding web page—does not affect whether the use of the thumbnail has been transformed.” Id. (emphasis in original). Further, the court held that “even if yandex.com's use of the thumbnail were broadly described as an ‘in-line link connected to a full-size image,’ that use remains highly transformative.” Id.; see generally infra § 9.03[3][B] (discussing the case at greater length).

operation of an Internet search engine),27 viewing and printing copies of archived website pages from the Wayback

By contrast, reproducing thumbnail images of advertisements for the purpose of advertising sales of the genuine product was held not to constitute a fair use in Batesville Services, Inc. v. Funeral Depot, Inc., Copy L. Rep. ¶ 28,901 (S.D. Ind. 2004). Similarly, creating links to a stream of a live webcast of motor races that were shown in real time was held not to be a fair use in Live Nation Motor Sports, Inc. v. Davis, 81 U.S.P.Q.2d 1826, 2007 WL 79311 (N.D. Tex. Jan. 9, 2007). In Online Policy Group v. Diebold, Inc., 337 F. Supp. 2d 1195 (N.D. Cal. 2004), the court found links to a database company's internal emails explaining technical flaws in its electronic voting machines constituted a fair use (for purposes of evaluating an award of fees for knowingly and materially misrepresenting information in a DMCA notification pursuant to 17 U.S.C.A. § 512(f); see infra § 4.12[9][D]), where at least some of the emails were not entitled to copyright protection, even though the links directed users to the defendant's entire database.

27 Field v. Google Inc., 412 F. Supp. 2d 1106, 1118–22 (D. Nev. 2006). In Field, the court held that Google's practice of caching websites was highly transformative because it “added something new” rather than supplanting the genuine work, based on five separate functions. First, Google's cache functionality enables users to access content when the original page is inaccessible, thus providing archival copies of value to academics, researchers and journalists. Second, providing cached links allows users to detect changes that have recently been made to a site. Third, because it controls the archived copy cached on its servers, Google provides highlighting, which allows users to quickly see where searched terms are located within a page. Fourth, Google uses several design features to make it clear that the cached copy is not intended to be a substitute for the original page (including using a prominent disclaimer at the top of the page). 
Fifth, Google ensures that any site owner can disable the cache functionality. In the court's view, “site owners, not Google, control whether ‘cached’ links will appear for their pages. The fact that the owners of billions of Web pages choose to permit these links to remain is further evidence that they do not view Google's cache as a substitute for their own pages.” 412 F. Supp. 2d at 1119. The court found that the commercial nature of the enterprise did not negate its fair use. With respect to the nature of the works, the court deemed it significant that the photographs at issue had been made available for free on the plaintiff's own website and that Field had affirmatively sought to have the site indexed by Google by adding a “robots.txt” file to ensure that all search engines would index it, when he could have prevented Google from indexing and caching the site by simply using the “no archive” meta-tag. With respect to the amount and substantiality of the portion used, the court found that factor to be neutral because even though the entire work is used, Google used no more of the work than necessary. With respect to the market for the genuine product, the court found no evidence that there was any market for Field's photographs and no evidence of any harm, making this factor weigh strongly in favor of fair use. Finally, the court concluded that Google's good faith in operating the system was an independent factor weighing in favor of fair use.

machine (www.Archive.org),28 authorizing automated copying and distribution of images over a Content Delivery Network (CDN),29 digitizing books to allow their texts to be fully searchable (and, among other things, used for data mining30) or to allow print-disabled library patrons access to

28 Healthcare Advocates, Inc. v. Harding, Earley, Follmer & Frailey, 497 F. Supp. 2d 627 (E.D. Pa. 2007) (granting summary judgment for the defendants).

29 See Rosen v. eBay, Inc., No. CV-13-6801 MWF (Ex), 2015 WL 1600081, at *20-21 (C.D. Cal. Jan. 16, 2015). The court explained that to ensure adequate and efficient service, service providers across the internet use CDNs to actually distribute their content. This practice ensures that a service provider does not rely on a single server of its own to maintain full operation of its service and means that the burden is spread and networks operate smoothly. In essence, rather than keeping everything in one place, an outsourced network of multiple servers is used to ensure smooth operation of the internet generally and a service provider's services in particular. The widespread use of CDNs means that most content is passed from a service provider to one or more third parties before reaching an end user. Id. at *20-21. In finding distribution to a CDN network to be a fair use, Judge Michael Fitzgerald explained that “this distribution is an inevitable and necessary part of using the internet, and ultimately a trivial activity that falls within the protections of the fair use doctrine.” Id. at *20. He elaborated that “such usage is minimal and is a crucial part of maintaining not only internet commerce, but the efficient operation of the internet generally. It also causes only minor and wholly incidental copying and distribution of images.” Id. at *21. Analogizing the use to caching found permissible by the Ninth Circuit in Perfect 10, Inc. v. Amazon.com, Inc., 508 F.3d 1146, 1169-77 (9th Cir. 2007), Judge Fitzgerald explained that “[a]s in Amazon.com, eBay's use of CDNs is designed to ‘enhance [a user's] use, not to supersede the copyright holders' exploitation of their works.’ ” 2015 WL 1600081, at *21, quoting Perfect 10, Inc. v. Amazon.com, Inc., 508 F.3d 1146, 1169 (9th Cir. 2007).

30 Author's Guild, Inc. v. 
Google Inc., — F.3d —, 2015 WL 6079426 (2d Cir. 2015); Author's Guild, Inc. v. HathiTrust, 755 F.3d 87 (2d Cir. 2014). In Author's Guild, Inc. v. HathiTrust, the Second Circuit held that allowing library patrons to access the digitized book collections of member research university libraries that had allowed Google to electronically scan and place their collections in a repository was a fair use where HathiTrust (1) allowed the general public to search for particular terms across all digital copies but, unless the copyright holder authorized broader use, the search results only showed page numbers on which the search term was found within each work and the number of times the word appeared on each page and (2) permitted member libraries to provide patrons with certified print disabilities access to the full text of copyrighted works in a format where they could perceive the works (such as via software that converted the text into spoken words or magnified the text). The appellate court remanded for further consideration the question of whether permitting members to create a replacement copy of a work, if the member already owned an original copy, where the original copy was lost,


destroyed or stolen and where a replacement copy was unavailable at a “fair price” constituted a fair use. Judge Barrington D. Parker, writing for himself and Judges Walker and Cabranes, characterized the creation of a full-text searchable database as “a quintessentially transformative use” that was “different in purpose, character, expression, meaning, and message from the page (and the book) from which it was drawn” and did not merely supersede the purpose of the original creations or recast them in a new mode of presentation. Id. at 97. The court found the nature of the copyrighted work to be of limited usefulness because the creative works at issue were being used for a transformative purpose. With respect to the amount and substantiality of the portion taken, the court found that the amount copied was not excessive because it was reasonably necessary for the Trust “to make use of the entirety of the works in order to enable the full-text search function . . . .” Id. at 98. The appellate panel further found that maintaining four copies at two separate locations was “reasonably necessary” to facilitate legitimate uses (such as balancing the load of user web traffic to avoid burdening a single site and for use as a backup at each location). Id. at 99. Finally, the court rejected as irrelevant the argument that digitizing books for search adversely impacted the market for licensing books for digital search that could emerge in the future because lost licensing revenue would only be relevant if it served as a substitute for the original product which full-text search did not. The court also rejected the argument that the risk of a security breach could adversely impact the market for genuine works based on unrebutted evidence of the extent to which the HathiTrust had implemented security measures to reduce the risk of a breach, noting, however, that it was not “foreclosing a future claim based on circumstances not predictable . . . .” Id. at 101. 
The court declined to determine whether making a replacement copy would be permissible if (1) the member already owned an original copy, (2) the member's original copy was lost or stolen and (3) a replacement copy was unavailable at a fair price, because the panel concluded the plaintiffs did not have standing to object to this practice. See id. at 103–04.

In Author's Guild, Inc. v. Google, the Second Circuit, in an opinion written by Judge Pierre Leval on behalf of himself and Judges Cabranes and Parker, affirmed the lower court order entered by Second Circuit Judge Denny Chin, sitting as a district court judge, granting summary judgment for Google, based on the findings that Google's digitization of books for its library and book projects, provision of digital copies to participating libraries that already owned the books, and display of snippets in response to search queries for particular terms contained in digitized books, constituted fair use of plaintiffs' works.

Google, without permission of the rights holders, made digital copies of tens of millions of books that were submitted to it for that purpose by major libraries. Google scanned the digital copies and established a publicly available search tool. An Internet user could use this tool to search without charge to determine whether a book contained a specified word or term and would be shown “snippets” of text that included the searched-for terms. Google also allowed participating libraries to download

4-184 Copyright Protection in Cyberspace 4.10[1]

and retain digital copies of the books they submitted, pursuant to agree- ments that committed the libraries not to use their digital copies in viola- tion of copyright laws. The appellate panel held that Google's making of a digital copy to provide what the court characterized as ‘‘a search function’’ was a transformative use that augmented by ‘‘making avail- able information about Plaintis' books without providing the public with a substantial substitute for matter protected by the Plaintis' copyright interests in the original works or derivatives of them.” Id. at *2 (emphasis in original). The court found that Google's provision of the snippet func- tion was also a fair use because Google imposed signicant limitations on access to snippets, which meant that it did not supplant the market for those books that had been digitized. Specically, Google's search tool displayed a maximum of three snippets containing a given search term. A snippet was a horizontal segment of non-overlapping text comprising ordinarily an eighth of a page (or approximately three lines of text for a book that contains twenty four lines per page). The search tool did not al- low a searcher to increase the number of snippets revealed by repeated entry of the same search term or by entering searches from dierent computers (although a user could see dierent snippets by searching dif- ferent terms). Google also made permanently unavailable for viewing one snippet on each page and one complete page out of every ten (through a process that Google called ‘‘blacklisting’’). Google also disabled snippet view entirely for books for which a single snippet would likely satisfy a researcher's need for the book, such as dictionaries, cook books and books of short poems. Since 2005, Google also excluded books from snippet view at the request of the rights holder. No advertising was displayed to users of its search tool. 
Nor did Google receive any payment by reason of a searcher's use of Google's link to purchase a book, in instances where a link to allow purchase of a book was provided.

Judge Leval found Google's digitization of books to allow data mining and “text mining” to be transformative because it “provide[d] otherwise unavailable information about the originals.” Id. at *8. Judge Leval acknowledged that Google's use differed from HathiTrust in two significant respects. First, HathiTrust did not display any text from the underlying work to a user, whereas Google Books provided a searcher with snippets containing the word that was the subject of a given search. Second, HathiTrust was a nonprofit educational entity, whereas Google was “a profit-motivated commercial corporation.” Id. at *9. Judge Leval found neither difference determinative, however.

Snippets, Judge Leval wrote, added “important value to the transformative search function, which tells only whether and how often the searched term appears in the book.” Id. He explained that merely knowing that a given word is used a particular number of times does not tell the searcher whether he or she needs to obtain a copy of the book. For example, “a searcher seeking books that explore Einstein's theories, who finds that a particular book includes 39 usages of ‘Einstein’ will nonetheless conclude that she can skip that book if the snippets reveal that . . . ‘Einstein’ . . . is the name of the author's cat.” Id. In finding the provision of snippets to be transformative, Judge Leval wrote that “Google's division of the page into tiny snippets is designed to show the searcher just enough context surrounding the searched term to help her evaluate whether the book falls within the scope of her interest (without revealing so much as to threaten the author's copyright interests).” Id. at *10.

With respect to Google's commercial motivation, Judge Leval conceded that although Google received no revenue from its operation of Google Books, Google indirectly profited from the service. He found, however, that Google's profit motivation did not outweigh Google Books' “highly convincing transformative purpose, together with the absence of significant substitutive competition . . . .” Id. In so ruling he noted that “[m]any of the most universally accepted forms of fair use, such as news reporting and commentary, quotation in historical or analytical books, reviews of books, and performances, as well as parody, are all normally done commercially for profit.” Id. at *11.

The panel held that the second fair use factor—the nature of the work—was not determinative. Although plaintiffs' works were factual, Judge Leval wrote that the authors' manner of expressing facts and ideas was entitled to copyright protection. On balance, however, the court found more significant that “the secondary use transformatively provides valuable information about the original, rather than replicating protected expression in a manner that provides a meaningful substitute for the original.” Id. at *12.

The appellate panel found that the amount and substantiality of the use favored Google because even though Google copied the entirety of each of plaintiffs' books, it did not reveal the digital copies to the public. Each copy was made “to enable search functions to reveal limited, important information about the books.” Id. at *13.
The court likewise found that this factor weighed in favor of fair use with respect to the use of snippets because the amount and substantiality of the portion used in making a copy was not the relevant consideration. Rather, it was “the amount and substantiality of what is thereby made accessible to a public for which it may serve as a competing substitute.” Id. (emphasis in original). In that regard, Google had constructed the snippet feature to substantially protect against it serving as “an effectively competing substitute” for plaintiffs' books through a variety of limitations, including the small size of each snippet, the blacklisting of one snippet per page and one page in every ten, the fact that no more than three snippets were shown—and no more than one per page—for each term searched, and the fact that the same snippets were shown for a searched term no matter how many times, or from how many different computers, the term was searched. Judge Leval explained that “[t]he result of these restrictions is, so far as the record demonstrates, that a searcher cannot succeed, even after long extended effort to multiply what can be revealed, in revealing through a snippet search what could usefully serve as a competing substitute for the original.” Id. He explained that blacklisting permanently blocked 22% of a book's text from snippet view and the balance of the 78% that potentially could be shown in snippets was not in fact accessible. “[E]ven after protracted effort over a substantial period of time, only small and randomly scattered portions of a book will be accessible”—as evidenced by the fact that plaintiffs had employed researchers for a period of weeks to do multiple word searches on plaintiffs' books and in no case were they able to access even 16% of the text “and the snippets collected were usually not sequential but scattered randomly throughout the book.” Id. at *14.

For similar reasons, the court held that the effect of the copying on the market for or the value of the copyrighted work weighed in favor of fair use. Judge Leval wrote that “[e]specially in view of the fact that the normal purchase price of a book is relatively low in relation to the cost of manpower needed to secure an arbitrary assortment of randomly scattered snippets, we conclude that the snippet function does not give searchers access to effectively competing substitutes.” Id. at *15. Although Judge Leval conceded that some sales would be lost, this was not enough to amount to “a meaningful or significant effect ‘upon the potential market for or value of the copyrighted work.’ ” Id., quoting 17 U.S.C.A. § 107(4). Moreover, he observed that the type of loss of sales likely to be experienced probably would involve “interests that are not protected by the copyright.” 2015 WL 6079426, at *15. For example, Judge Leval wrote, a researcher who wanted to find out the date when President Roosevelt was stricken by polio likely could find this information from a snippet. He explained, however, that this detail is a historical fact that an author's copyright does not cover. A copyright “does not extend to the facts communicated by . . . [a] book. It protects only the author's manner of expression.” Id. at *15. Judge Leval commented that “[t]he fact that, in the case of the student's snippet search, the information came embedded in three lines of . . . [an author's] writing, which were superfluous to the searcher's needs, would not change the taking of an unprotected fact into copyright infringement.” Id.
He further elaborated that:

Even if the snippet reveals some authorial expression, because of the brevity of a single snippet and the cumbersome, disjointed, and incomplete nature of the aggregation of snippets made available through snippet view, we think it would be a rare case in which the searcher's interest in the protected aspect of the author's work would be satisfied by what is available from snippet view, and rarer still—because of the cumbersome, disjointed, and incomplete nature of the aggregation of snippets made available through snippet view—that snippet view could provide a significant substitute for the purchase of the author's book.

Id. at *16. In so ruling, the court rejected plaintiffs' argument that plaintiffs had a derivative right in the application of search and snippet view functions, finding “no merit” to this argument, which in Judge Leval's view confused transformativeness with the type of transformation that might be found when a derivative work is created. The court further found that there was no market for search and snippet licenses. Id. at *16-18.

Judge Leval rejected plaintiffs' argument that exposure to risks of hacking undermined Google's fair use defense because of the potentially adverse impact on the market for the genuine products that a security breach could cause, because Google Books' digital scans were stored on computers walled off from public Internet access and the evidence presented suggested they were very secure. Id. at *18. The court noted, however, that:

If, in the course of making an arguable fair use of a copyrighted work, a secondary user unreasonably exposed the rights holder to destruction of the value of the copyright resulting from the public's opportunity to employ the secondary use as a substitute for purchase of the original (even though this was not the intent of the secondary user), this might well furnish a substantial rebuttal to the secondary user's claim of fair use.

Id. Finally, the appellate panel held that Google's distribution of digital copies to participant libraries was a fair use. The court observed that “[i]f the library had created its own digital copy to enable its provision of fair use digital searches, the making of the digital copy would not have been infringement.” Id. at 19. Similarly, Judge Leval wrote, the same act does not “become an infringement because, instead of making its own digital copy, the library contracted with Google that Google would use its expertise and resources to make the digital conversion for the library's benefit.” Id.

works in formats accessible to them31), indexing television programs and displaying data about those programs,32

31 Author's Guild, Inc. v. HathiTrust, 755 F.3d 87, 101–03 (2d Cir. 2014). The court held that providing expanded access to the print disabled was not a transformative use, but was still permissible because making a copy of a copyrighted work for the convenience of a blind person was identified by the U.S. Supreme Court as an example of fair use recognized in the legislative history of the 1976 Copyright Act. Id. at 102, citing Sony Corp. of America v. Universal City Studios, Inc., 464 U.S. 417, 455 n.40 (1984). The Second Circuit also found that the market for books accessible to visually impaired readers was so insignificant that authors typically forego royalties from specialized format versions of their works.

32 Fox News Network, LLC v. TVEyes, Inc., — F. Supp. 3d —, 2014 WL 4444043 (S.D.N.Y. 2014) (holding that TVEyes' copying of Fox News' broadcast content for indexing and clipping services to its subscribers constituted a fair use because it was transformative and served a new and different function from the original work, rather than constituting a substitute for it).
In TVEyes, the defendant recorded all television and radio broadcasts for more than 1,400 stations, 24 hours a day, every day, and transformed this material into a searchable database for its paying subscribers, which included the White House, more than 100 members of Congress and ABC Television, among others (but only businesses, not consumers). Subscribers could search the content using keywords, which would then display thumbnail images of the videos that would play snippets (which began playing 14 seconds prior to the place where the keyword appeared) and display transactional data, including: the title of the program; the precise date and time of the clip; a transcript of the video; the name and location of the channel; market viewership of the clip according to the Nielsen Ratings data; the publicity value of the clip according to data from the television research company, SQAD; and a web address to the website for the channel that features the program or for the program itself if such a web address existed. The court found that the service was not a substitute for Fox News because users accessed clips and snippets “for an altogether different purpose—to evaluate and criticize broadcast journalism, to track and correct misinformation, to evaluate commercial advertising, to evaluate national security risks, and to track compliance with financial market regulations.” To emphasize this point, the court credited TVEyes' argument that “monitoring television is simply not the same as watching it.” The court, however, did not decide the issue of fair use for the full extent of TVEyes' service. Among other things, TVEyes provided features that allowed subscribers to save, archive, download, email, and share clips of Fox News' television programs. The court also did not rule on the date and time function, which allowed subscribers to search for content based solely on the date and time when it was broadcast.

reprinting legal briefs that had been publicly filed in court cases in a database of legal resources,33 reproducing a copyrighted photograph in an article discussing a copyright infringement suit brought over the image34 or on a blog post critical of the person depicted in the image,35 including logos, images or text in documentary or artistic films,36 taking a picture of a copyrighted object for the purpose of legitimately selling the object under the first sale doctrine,37 and, under

33 White v. West Publishing Corp., 12 Civ. 1340 (JSR), 2014 WL 3385480 (S.D.N.Y. July 3, 2014) (granting summary judgment for West and Lexis).

34 See, e.g., Leveyfilm, Inc. v. Fox Sports Interactive Media, LLC, No. 13 C 4664, 2014 WL 3368893, at *9–12 (N.D. Ill. July 8, 2014) (holding that reprinting a copy of an image in an online article discussing a copyright infringement suit about the image was a fair use).

35 See, e.g., Katz v. Chevaldina, No. 12-22211-CIV, 2014 WL 2815496 (S.D. Fla. June 17, 2014) (granting summary judgment for the defendant-blogger in a suit where a real estate developer and part owner of the Miami Heat purchased the copyright in an unflattering image of himself and then sued the operator of a blog critical of his business practices for copyright infringement for displaying the image in connection with a critical post about him); Dhillon v. Does 1-10, No. C 13-01465 SI, 2014 WL 722592 (N.D. Cal. Feb.
25, 2014) (granting summary judgment for the defendant, holding that the use of a political candidate's official campaign photograph on a blog critical of her views constituted a fair use).

36 See, e.g., Bouchat v. Baltimore Ravens Limited Partnership, 737 F.3d 932 (4th Cir. 2014) (holding that the NFL had a fair use right to display an artist's copyrighted logo that was used as part of the Baltimore Ravens football team logo incidentally in videos about the team featured on television and on the web and in team photographs displayed at football stadiums); Arrow Productions, Ltd. v. Weinstein Co., — F. Supp. 2d —, 2014 WL 4211350 (S.D.N.Y. 2014) (holding that a movie production company's use of recreated scenes from the pornographic movie “Deep Throat” in a critical biographical film about Linda Lovelace, one of the actors in that movie, was a fair use where the scenes served a completely different and transformative purpose from the original film (to show how the actress was being manipulated)).

37 See Rosen v. eBay, Inc., No. CV-13-6801 MWF (Ex), 2015 WL 1600081, at *14-20 (C.D. Cal. Jan. 16, 2015) (photographs of magazines lawfully offered for resale that included licensed copies of plaintiff's Paparazzi photographs).

certain circumstances, temporary “intermediate copying” undertaken for the purpose of reverse engineering computer software.38 On the other hand, repackaging in a CD-ROM and selling

38 Disassembly of object code was held to be a fair use in Sega Enterprises Ltd. v. Accolade, Inc., 977 F.2d 1510 (9th Cir. 1992) because (a) disassembly was necessary to analyze those aspects of the program that were unprotectable, and (b) Accolade had a legitimate interest in analyzing the program (to determine how to make its cartridges compatible with the Sega Genesis console). By contrast, disassembly was held not to be a fair use in Atari Games Corp. v. Nintendo of America Inc., 975 F.2d 832, 834 (Fed. Cir. 1992), although the court noted in dicta that disassembly may be fair use when the nature of the work makes such copying necessary to understand the unprotectable ideas and processes inherent in the program, and the reproduction is limited in scope and does not involve commercial exploitation of the protected aspects of the work. Subsequently, in Sony Computer Entertainment, Inc. v. Connectix Corp., 203 F.3d 596 (9th Cir.), cert. denied, 531 U.S. 871 (2000), the Ninth Circuit approved of disassembly of object code software for the purpose of creating simulated source code to allow the defendant to write an emulator program to be used to run plaintiff's protected video games—which are designed for proprietary PlayStation hardware—on Apple's operating systems. The Ninth Circuit ruled in favor of the defendant even though the process required the creation of multiple unauthorized temporary copies of plaintiff's work. See Connectix Corp., 203 F.3d at 601. The panel elaborated that intermediate copying of software may be found to be a fair use where it is necessary to gain access to unprotectable, functional elements of the software itself. See id. at 603. The court clarified, however, that for purposes of evaluating whether intermediate copying of software is a fair use necessity means “the necessity of the method, i.e., disassembly, not the necessity of the number of times that method was applied.” Id. at 605 (emphasis in original).
In so ruling, the Ninth Circuit rejected plaintiff's argument that repeated intermediate copying could be found infringing in circumstances where limited intermediate copying would amount to fair use. Such a rule, the panel wrote, would force engineers in many cases to select the least efficient solution simply to avoid liability, which would involve “the kind of ‘wasted effort that the proscription against the copyright of ideas and facts . . . [is] designed to prevent.’” Id., quoting Feist Publications, Inc. v. Rural Telephone Service Co., 499 U.S. 340, 354 (1991). Not all intermediate copying necessarily is a fair use. See, e.g., Fox Broadcasting Co. v. Dish Network LLC, 905 F. Supp. 2d 1088, 1102–06 (C.D. Cal. 2012) (holding that intermediate copies of television programs made by Dish to allow use of an advertisement-skipping technology was not a fair use), aff'd on other grounds, 747 F.3d 1060 (9th Cir. 2014) (affirming the district court's finding that the plaintiff had not shown irreparable injury without reaching the issue of liability for intermediate copies); see also Fox Broadcasting Co. v. Dish Network LLC, No. CV 12-4529 DMG (SHx), 2015 WL 1137593, at *26-28 (C.D. Cal. Jan. 20, 2015) (granting partial summary judgment in favor of FOX based on the court's finding that Dish's practice of making QA copies to determine where in a given transmission advertisements appeared did not constitute a fair use). For further discussion of reverse engineering as fair use, see William S. Coats & Heather D. Rafter, The Games People Play: Sega v. Accolade and the Right to Reverse Engineer Software, 15 Hastings Comm. & Ent. L.J. 557 (1993).

shareware software that was available free of charge over the Internet (subject to a unilateral license providing that it could not be commercially distributed),39 making intermediate copies of television programs to allow subscribers to use an advertisement-skipping technology to replay the transmissions without commercial interruption,40 publishing previously unpublished wedding pictures of a celebrity in a celebrity gossip magazine,41 uploading to and downloading files from a storage locker located in the Cloud incident to the resale of digital music (as opposed to personal use),42 and

39 Storm Impact, Inc. v. Software of the Month Club, 13 F. Supp. 2d 782 (N.D. Ill. 1998).

40 Fox Broadcasting Co. v. Dish Network LLC, 905 F. Supp. 2d 1088, 1102–06 (C.D. Cal. 2012), aff'd on other grounds, 747 F.3d 1060 (9th Cir. 2014) (affirming the district court's finding that the plaintiff had not shown irreparable injury without reaching the issue of liability for intermediate copies); see also Fox Broadcasting Co. v. Dish Network LLC, No. CV 12-4529 DMG (SHx), 2015 WL 1137593, at *26-28 (C.D. Cal. Jan. 20, 2015) (granting partial summary judgment in favor of FOX based on the court's finding that Dish's practice of making QA copies to determine where in a given transmission advertisements appeared did not constitute a fair use).

41 Monge v. Maya Magazines, Inc., 688 F.3d 1164 (9th Cir. 2012).

42 Capitol Records, LLC v. ReDigi, Inc., 934 F. Supp. 2d 640, 652–54 (S.D.N.Y. 2013). In ReDigi, the defendant created a secondary market for the resale of digital music.
The defendant's Media Manager software, when downloaded by a user, automatically identified legitimate copies of sound recordings purchased from iTunes (or other ReDigi users), which could then be uploaded to ReDigi's “Cloud Locker,” at which point they would be deleted from the user's hard drive so that no more than one copy of the work existed at any one time. A user's music file could be sold to other ReDigi users, at which point the seller's access to the file would be terminated and transferred to the purchaser, who could store it in the Cloud Locker, stream it, resell it or download it to his or her computer or other device. The court held, on motion for summary judgment, that ReDigi's uploading and downloading of music files constituted reproduction and distribution that fell “well outside the fair use defense.” Id. at 653. The court found that each of the fair use factors weighed against ReDigi. ReDigi's copying did not add something new, with a further purpose or different character, to the copyrighted works and therefore its copying was not transformative. The court also rejected the argument that ReDigi's copying was noncommercial because it found that when a user downloaded a purchased file from the Cloud Locker, “the resultant reproduction is an essential component of ReDigi's commercial enterprise.” Id. at 654. The nature of the copyrighted work weighed against a finding of fair use because creative works like sound recordings are close to the core of intended copyright protection. Id. The portion of the work copied similarly weighed against a finding of fair use because ReDigi transmitted works in their entirety. Finally, the court found that ReDigi's copying likely would divert buyers away from plaintiff's primary market because “[t]he product sold in ReDigi's secondary market is indistinguishable from that sold in the legitimate primary market save for its lower price.” Id. The court emphasized that its ruling applied to uploading to and downloading from the defendant's Cloud Locker incident to a sale and that plaintiff did not challenge uploading to or downloading from the cloud for personal use. See id. at 653.

automatically scraping news stories to include 300 character and 140 character excerpts in a subscription report service43 have been held not to constitute a fair use. Needless to say, simply using a copy to save the cost of buying additional software licenses44 or downloading songs without paying for them ostensibly on a try-before-you-buy basis45 have also been found not to be a fair use.

The fair use doctrine “has been called the most troublesome in the whole law of copyright.”46

43 Associated Press v. Meltwater U.S. Holdings, Inc., 931 F. Supp. 2d 562, 550–61 (S.D.N.Y. 2013). In Meltwater, the court held that the use of AP articles in Meltwater's news summaries was not transformative and that the summaries were substitutes for the genuine works, with subscribers clicking through to the AP articles only 0.08% of the time.
The amount and substantiality of the portion taken also weighed against a finding of fair use because Meltwater's scraping tool automatically took the lede from every AP story which, depending on the length of the article, amounted to between 4.5% and 61% of a genuine work. The court rejected Meltwater's analogy of its service to the search engines at issue in Kelly v. Arriba Soft Corp., 336 F.3d 811 (9th Cir. 2003) and Perfect 10, Inc. v. Amazon.com, Inc., 508 F.3d 1146, 1163–67 (9th Cir. 2007) because, among other things, Meltwater's searches were not publicly available and were run against only a defined list of content providers.

44 See Wall Data Inc. v. Los Angeles County Sheriff's Dept., 447 F.3d 769, 778–82 (9th Cir. 2006).

45 See BMG Music v. Gonzalez, 430 F.3d 888, 889–91 (7th Cir. 2005). Judge Easterbrook, on behalf of the panel, ridiculed Gonzalez's argument that she only copied 30 files as “no more relevant than a thief's contention that he shoplifted ‘only 30’ compact disks, planning to listen to them at home and pay later for any he liked.” 430 F.3d at 891. In any case, the defendant's argument that she was merely sampling songs for potential purchase was undercut by the fact that none of the 30 songs at issue had either been purchased or deleted from her hard drive.

46 Monge v. Maya Magazines, Inc., 688 F.3d 1164, 1170 (9th Cir. 2012), quoting Dellar v. Samuel Goldwyn, Inc., 104 F.2d 661, 662 (2d Cir. 1939).


The statutory criteria codified by Congress in the 1970s do not always translate exactly to cyberspace. In particular, there are many acts of copying that occur in cyberspace because of TCP/IP protocols (such as caching and routing)47 or other information dissemination practices (such as linking and framing),48 or that may occur as the result of third-party conduct that may be virtually impossible to monitor or control (such as acts of infringement by individual subscribers of large, legitimate ISPs or people who anonymously post material to interactive areas of corporate websites)49 that many people in the Internet community believe constitute—or should constitute—fair use.50 While there may be strong policy arguments why particular practices should be considered fair use, the applicability of the defense in a given case generally is determined in litigation. Whether the fair use defense may be asserted successfully also depends in part on who is asserting it.51

Because an evaluation of fair use involves a balancing of interests, the issue most often is resolved on motion for summary judgment or at trial. Where fair use determinations may be made based on a side-by-side comparison, however, fair use may be resolved on a motion to dismiss.52

Although fair use is merely a defense, rather than an affirmative right, and is often difficult to gauge except in litigation, some users have sought to assert fair use affirmatively in declaratory judgment actions53 or suits for damages based on the Digital Millennium Copyright Act54 or state law,55 where copyright owners have submitted notifications under the DMCA or otherwise alleged infringement involving material or activity that the users contend amount to fair use.

47 See supra §§ 1.04, 4.03.

48 Linking and framing are analyzed in chapter 9.

49 See infra §§ 4.11, 4.12, chapters 48 to 50.

50 Congress has established liability limitations that may apply to some of these acts. See infra § 4.12. Fair use in connection with information distribution systems also is addressed in chapter 9. The potential relevance of Internet time in fair use analysis is addressed below in § 4.10[3].

51 As illustrated in the Church of Scientology cases analyzed below in § 4.10[4], the same act of copying may lead to liability for some defendants, while others may be exonerated under the fair use defense. For example, if an infringing film clip is posted on a website by its owner, the owner may be held liable for copyright infringement while the companies hosting the site or providing Internet access to it might avoid liability under the fair use defense, depending on the particular facts of the case.

52 See Brownmark Films, LLC v. Comedy Partners, 682 F.3d 687, 690–92 (7th Cir. 2012) (affirming dismissal of a suit where the issue of whether an episode of South Park constituted a fair use parody of the viral Internet video “What What (In The Butt)” could be determined by a side-by-side comparison of the two videos).

4.10[2] Case Study: Grappling with Technology American Geophysical Union v. Texaco, Inc.

In a controversial decision, the Second Circuit held in 1994 in American Geophysical Union v. Texaco, Inc.,1 that a scientist's practice of photocopying individual scientific articles that he kept in personal files in his office as a matter of convenience (to save the time it otherwise would have taken to retrieve the articles in journals maintained in Texaco's library) did not constitute fair use in view of the predominantly archival (rather than research-oriented) purpose of the copying, and because of the harm this practice caused to the publisher's market for licensing photocopying. The majority wrote that the scientist's copying “served, at most, to facilitate [his] research, which in turn might have led to the development of new products and technology that could have

53 Suits by users seeking a declaration that a given use is fair may be difficult to maintain as declaratory judgment actions where the copyright owner denies that it intends to sue the user for copyright infringement. See, e.g., Brave New Films 501(C)(4) v. Weiner, 91 U.S.P.Q.2d 1262, 2009 WL 1622385 (N.D. Cal. June 10, 2009). Users ultimately may have difficulty obtaining a judicial determination that a use is fair absent a real threat of litigation. It may also be difficult to bring a declaratory judgment action except with respect to particular uses of specific works, given that fair use determinations are often fact-specific and cannot be made in the abstract. Cf. Veoh Networks, Inc. v. UMG Recordings, Inc., 522 F. Supp. 2d 1265 (S.D. Cal. 2007) (dismissing a declaratory relief action brought by a user generated content site, where the plaintiff sought a declaration of its compliance with the Digital Millennium Copyright Act in general, rather than with respect to specific copyrighted works).

54 See 17 U.S.C.A. § 512(f); see generally infra § 4.12[9][D] (damages and attorneys' fees for misrepresentation in DMCA notices).

55 See infra § 4.12[9][F].

[Section 4.10[2]]

1 American Geophysical Union v. Texaco Inc., 37 F.3d 881 (2d Cir. 1994). The opinion subsequently was modified in American Geophysical Union v. Texaco Inc., 60 F.3d 913 (2d Cir.), cert. dismissed, 516 U.S. 1005 (1995).


DMCA SAFE HARBORS: AN ANALYSIS OF THE STATUTE AND CASE LAW

Excerpted from Chapter 4 (Copyright Protection in Cyberspace) of E-Commerce and Internet Law: A Legal Treatise With Forms, Second Edition, a 4-volume legal treatise by Ian C. Ballon (Thomson/West Publishing 2016)

DIGITAL ENTERTAINMENT, MOBILE AND INTERNET REVIEW ENTERTAINMENT LAW AND INTELLECTUAL PROPERTY SECTION OF THE LOS ANGELES COUNTY BAR ASSOCIATION LAWRY’S RESTAURANT FEBRUARY 25, 2016

Ian C. Ballon Greenberg Traurig, LLP


Mr. Ballon has brought or defended significant and often cutting edge suits involving computer software, the Internet and mobile technology. A list of recent cases may be found at http://www.gtlaw.com/People/Ian-C-Ballon.

Mr. Ballon was named the Lawyer of the Year for Information Technology Law in the 2013 and 2016 editions of Best Lawyers in America. In addition, he was the 2010 recipient of the State Bar of California IP Section’s Vanguard Award for significant contributions to the development of intellectual property law (http://ipsection.calbar.ca.gov/IntellectualPropertyLaw/IPVanguardAwards.aspx). He is listed in Legal 500 U.S., The Best Lawyers in America (in the areas of information technology and intellectual property) and Chambers and Partners USA Guide in the areas of privacy and data security and information technology. He also has been recognized by The Daily Journal as one of the Top 75 IP litigators in California in every year that the list has been published, from 2009 through 2015, and has been listed as a Northern California Super Lawyer every year from 2004 through 2015 and as one of the Top 100 lawyers in California. Mr. Ballon also holds the CIPP/US certificate for the International Association of Privacy Professionals (IAPP).

Chapter 4 Copyright Protection in Cyberspace
4.01 Overview
4.02 Expression Protected by U.S. Copyright Law
4.03 When Is a Copy “Fixed” in Cyberspace?
4.03[1] Overview
4.03[2] Post-MAI Case Law and Analysis
4.03[3] Cartoon Network (the Cablevision Case)
4.04 Rights in Copyrighted Works
4.04[1] Copyright Owner's Exclusive Rights
4.04[2] Digital Transmissions
4.04[3] Overlapping Protection in Cyberspace
4.04[4] Moral Rights
4.04[5] Archival or Back-up Copies of Software
4.04[6] Motion Picture Content Made Imperceptible
4.05 Website Development: Obtaining Clearance for Multimedia Works and Other Content
4.05[1] Multimedia Defined
4.05[2] The Importance of Obtaining Clearance
4.05[3] Derivative Works, Collective Works and Compilations
4.05[4] The Complexity of Multimedia Clearance
4.05[5] Information in the
4.05[5][A] In General
4.05[5][B] Works Unprotectable Due to Lack of Requisite Creativity
4.05[5][C] Expired Works and the Term of a Copyright
4.05[5][D] Works in the Public Domain Because of the Owner's Failure to Comply with Formalities Required Prior to the Berne Convention Implementation Act of 1988
4.05[5][E] Works Restored Pursuant to the Berne Convention
4.05[6] Government Works
4.05[7] Content Subject to Exclusive, Non-Exclusive and Implied Licenses
4.05[8] Protected Content Authorized By Fair Use
4.05[9] Limited Access Government, Religious or Educational Copying
4.05[9][A] Overview
4.05[9][B] Educational and Instructional Transmissions
4.05[9][C] Works Used in Religious Services or a Library or Archive Copies (Including Preservation of Orphan Works)
4.05[9][D] Educational, Religious and Charitable Performances
4.05[9][E] Transmissions to the Deaf or Blind
4.06 Copyright Protection for World Wide Websites
4.07 Copyright Protection for Computer Code and Website and Other Software Interfaces
4.07[1] In General
4.07[2] Lotus v. Borland
4.07[2][A] Background
4.07[2][B] First Circuit's Ruling
4.07[2][C] Supreme Court's Decision
4.07[3] Different Approaches Among the Circuits
4.07[4] Law After Lotus v. Borland
4.07[5] [Reserved]
4.07[6] Checklist of Unprotectable Software Elements
4.08 Copyright Litigation
4.08[1] Elements of A Claim and Proving Infringement—In General
4.08[2] Ownership and Registration
4.08[3] Infringement by Piracy (Including Literal Code Copying)
4.08[4] Infringement by Nonliteral Copying/User Interface or “Look and Feel” Infringement
4.08[5] Infringement Based on Exceeding the Scope of a License—“Virtual Identicality” Required in Some Instances
4.08[6] Infringement On Foreign Servers, Overseas or Through Unauthorized Exports or Imports
4.08[7] Statute of Limitations
4.09 Liability Under the Computer Software Rental Amendments Act
4.10 Fair Use Defense and the Concept of Time in Cyberspace
4.10[1] The Fair Use Defense—In General
4.10[2] Case Study: Grappling with Technology American Geophysical Union v. Texaco, Inc.
4.10[3] Internet Time As a Relevant Fair Use Factor in Cyberspace
4.10[4] Service Provider Liability and Fair Use Criticism: The Church of Scientology Cases
4.10[5] New Technologies and Business Models (including P2P Technology, MP3.com and Napster)
4.10[5][A] In General
4.10[5][B] UMG Recordings, Inc. v. MP3.com, Inc.
4.10[5][C] A&M Records, Inc. v. Napster, Inc.

4.10[5][D] In re Aimster Copyright Litigation
4.10[5][E] Arista Records, Inc. v. MP3Board, Inc.
4.11 Third-Party Liability (Including Liability for User Generated Content)
4.11[1] Third Party Liability—In General
4.11[2] Direct Liability
4.11[3] Contributory Infringement
4.11[3][A] Contributory Infringement—In General
4.11[3][B] Contributory Infringement—The Materiality Requirement
4.11[3][C] Contributory Infringement—Actual and Imputed Knowledge and the Potential Applicability of the Sony Safe Harbor
4.11[4] Vicarious Liability
4.11[4][A] In General
4.11[4][B] Direct Financial Interest
4.11[4][C] Right and Ability to Control and the Potential Applicability of the Sony Safe Harbor
4.11[5] Owner and Investor Liability and More Aggressive Assertions of Secondary Liability
4.11[5][A] In General
4.11[5][B] Individual Liability for the Conduct of Business Entities (Including the Potential Liability of Investors, Venture Capitalists, Officers, Directors and Owners)
4.11[5][C] The Perfect 10 Cases: Financial Institution, Credit Card Processor, Search Engine/Advertiser and Affiliate Marketing Liability
4.11[6] Inducing Copyright Infringement
4.11[6][A] MGM Studios, Inc. v. Grokster, Ltd., and the Elements of a Claim for Inducement
4.11[6][B] The Sony-Betamax Safe Harbor and Its Inapplicability to Inducement Cases
4.11[6][C] Proving Inducement in Litigation
4.11[6][D] Guidelines for Developers and Distributors of New Technologies
4.11[6][E] Further Proceedings in Grokster
4.11[6][F] Subsequent Case Law on Inducement
4.11[7] The Potential Applicability of the Sony and DMCA Safe Harbors in Secondary Liability Cases
4.11[8] The Development of Digital Copyright Law
4.11[8][A] Early Cases
4.11[8][B] Religious Technology Center v. Netcom On-Line Communication Services, Inc.
4.11[8][C] Actual vs. Potential Control: Revisiting Netcom’s Vicarious Liability Analysis in the Context of Legitimate Service Providers and Those That Primarily Enable Piracy
4.11[8][D] Netcom Settlement and Policy Statement
4.11[9] Post-Netcom Case Law
4.11[9][A] Overview
4.11[9][B] The Sega Cases
4.11[9][C] Marobie-FL, Inc. v. National Association of Fire Equipment Distributors
4.11[9][D] Playboy Enterprises, Inc. v. Russ Hardenburgh, Inc.
4.11[9][E] Playboy Enterprises, Inc. v. Webbworld, Inc.
4.11[9][F] A&M Records, Inc. v. Napster, Inc.
4.11[9][F][i] Overview
4.11[9][F][ii] Contributory Infringement
4.11[9][F][iii] Vicarious Liability
4.11[9][F][iv] The District Court's Original Injunction Order
4.11[9][F][v] Judge Patel's Order on Remand and the Second Ninth Circuit Appeal
4.11[9][F][vi] Broader Implications
4.11[10] Case Study: Software Publishers Association's ISP Code of Conduct
4.11[10][A] Overview
4.11[10][B] ISP Code of Conduct
4.11[10][C] SPA Demand Letters
4.11[10][D] Related Litigation
4.12 Third-Party Liability Limitations Available to Service Providers Under the Digital Millennium Copyright Act
4.12[1] In General
4.12[2] Definition of a Service Provider
4.12[3] Threshold Prerequisites
4.12[3][A] In General
4.12[3][B] Adoption, Reasonable Implementation and Notice of the Policy
4.12[3][B][i] Adoption, Reasonable Implementation and Notice of the Policy—In General
4.12[3][B][ii] Operational Considerations and the Obligation to Inform Subscribers and Account Holders
4.12[3][B][iii] Adopting a Policy and Defining “Repeat Infringer”
4.12[3][B][iv] Reasonable Implementation of A Service's Repeat Infringer Policy
4.12[3][C] Standard Technical Measures
4.12[4] Transitory Digital Network Communications
4.12[5] System Caching
4.12[5][A] System Caching—In General
4.12[5][B] Transmission from a “Person Other than the Service Provider” Through the Service Provider's System or Network to A “Person Other than” that Person
4.12[5][C] Intermediate and Temporary Storage
4.12[6] Information Residing on Systems or Networks at the Direction of Users (User Storage)
4.12[6][A] In General
4.12[6][B] Designation of an Agent and the Obligation to Disable Access to or Remove Material in Response to Substantially Complying Notifications
4.12[6][C] Knowledge, Awareness or Corrective Measures
4.12[6][D] Direct Financial Benefit/Right and Ability to Control
4.12[7] Information Location Tools
4.12[8] Exemption from Liability to Subscribers for Removing or Disabling Access to Material Believed to be Infringing
4.12[9] Agent Designation, Notification, Counter Notification and Sanctions Under the System Caching, User Storage and Information Location Tools Limitations

4.12[9][A] Designation of an Agent
4.12[9][B] Notifications (and Service Provider Obligations in Response to Notifications)
4.12[9][C] Counter Notification
4.12[9][D] Liability and Sanctions for Misrepresentations (Pursuant to Section 512(f))
4.12[9][E] Subpoenas to Identify Infringers
4.12[9][F] Suits Against Copyright Owners Over Notifications
4.12[9][F][i] Suits By Users Who Are Accused Infringers
4.12[9][F][ii] Suits by Service Providers
4.12[10] Liability Limitation for Nonprofit Education Institutions
4.12[11] Injunctive Relief
4.12[12] Extra-Judicial Remedies Available to Copyright Owners
4.12[13] Compliance Burdens Imposed on ISPs
4.12[14] Liability of NSPs and Downstream Service Providers Under the Digital Millennium Copyright Act
4.12[15] Checklist of Service Provider Compliance Issues
4.12[16] Copyright Owners' Compliance Checklist
4.12[17] User Generated Content Principles
4.12[17][A] In General
4.12[17][B] UGC Principles
4.12[18] Discovery Issues and Spoliation of Evidence in DMCA Litigation
4.12[19] The DMCA's Applicability to Common Law Copyright Claims
4.13 Equitable Remedies and Defenses in Civil Litigation
4.13[1] Injunctive Relief and Equitable Defenses (including waiver, estoppel, laches and unclean hands)
4.13[2] Seizure and Destruction
4.13[3] Security for Preliminary Equitable Relief
4.13[4] Asset-Freeze Injunctions
4.14 Copyright Damages in Internet and Software Infringement Litigation
4.14[1] Overview
4.14[2] Statutory Damages
4.14[2][A] In General
4.14[2][A][i] Overview
4.14[2][A][ii] Willful Infringement
4.14[2][A][iii] Innocent Infringement
4.14[2][A][iv] Fair Use, Nonprofit Educational Institutions and Public Broadcasting Entities
4.14[2][A][v] Infringement That is Neither Willful Nor Innocent
4.14[2][A][vi] Assessing Damages
4.14[2][A][vii] Providing Materially False Contact Information for a Domain Name Used in Connection with the Infringement
4.14[2][B] Multiple Awards and What Constitutes a “Work” in Software and Internet Cases
4.14[2][B][i] In General
4.14[2][B][ii] Derivative Works, Compilations and Different Versions of Software Programs
4.14[2][B][iii] Multiple Infringers and Joint and Several Liability
4.14[2][C] Failure to Timely Register as a Bar to Recovery
4.14[2][D] Due Process Limitations on the Size of a Statutory Damage Award and Remittitur
4.14[3] Actual Damages and Profits
4.14[3][A] Statutory Framework and Shifting Burdens of Proof
4.14[3][B] Copyright Owner's Damages and Infringer's Profits
4.14[3][C] Deduction of the Defendant's Expenses
4.14[3][C][i] In General
4.14[3][C][ii] Overhead Expenses
4.14[3][D] Apportionment of Profits
4.14[3][E] Actual Damages Based on Revenues or Profits From Outside the United States
4.14[3][F] Reduction of Profits for Delay in Bringing Suit
4.14[4] Alternative Theories of Recovery in Internet-Related Cases
4.14[4][A] Strategic Considerations
4.14[4][B] Lost Sales Cases
4.14[4][C] The Value of Use Theory and Retroactive License Fees
4.14[4][D] Revenue or Profit Attributable to Sales of Noninfringing Products
4.14[4][E] Post-Infringement Damages
4.14[4][F] Research and Development Costs
4.14[4][G] Lost Attribution/Removal of Copyright Notice
4.14[4][H] Emotional Injuries
4.14[5] Prejudgment Interest
4.14[6] Punitive Damages and Damages Under Related Statutes
4.14[7] Remittitur
4.14[8] Damages for Contempt
4.15 Attorneys' Fees
4.15[1] In General
4.15[2] Pre-Infringement Registration Required
4.16 Customs Remedies/Liability for Imports
4.17 Criminal Copyright Infringement
4.17[1] Legal Framework
4.17[2] New Opportunities for Online Infringement and Enforcement
4.18 Preemption of Related Claims in Litigation and Common Law Copyrights
4.18[1] Copyright Preemption
4.18[2] Common Law and State Statutory Copyrights
4.19 Copyright Registration Practice
4.19[1] Benefits of Registration
4.19[2] Registration Forms and Practice
4.19[3] Preregistration of Prerelease Versions of Works
4.20 European Union Law
4.21 Additional Remedies Under the Anti-Circumvention and Copyright Management Information Provisions of the Digital Millennium Copyright Act
4.21[1] Background on the Anti-Circumvention and Copyright Management Information Provisions of the DMCA
4.21[2] Circumvention of Copyright Protection Systems (Section 1201)
4.21[2][A] In General
4.21[2][B] Exemptions
4.21[3] Removal, Alteration or Falsification of Copyright Management Information (Section 1202)
4.21[4] Registration not Required
4.21[5] Damages, Other Remedies and Attorneys' Fees
4.21[5][A] In General
4.21[5][B] Statutory Damages for Violations of Section 1201 (Anti-Circumvention)
4.21[5][C] Statutory Damages for Violations of Section 1202 (False Copyright Management Information)
4.21[6] Secondary Liability
4.22 Copyright Class Action Litigation
4.22[1] Overview
4.22[2] Rule 23(a) Issues
4.22[2][A] Numerosity
4.22[2][B] Lack of Typicality
4.22[2][C] Adequacy of Representation
4.22[2][D] Commonality
4.22[3] Rule 23(b)(1) Classes
4.22[4] Rule 23(b)(2) Classes
4.22[5] Rule 23(b)(3) Classes
Appendix 1. Copyright Registration for Multimedia Works
Appendix 2. Copyright Registration for Computer Program
Appendix 3. Copyright Registration for Automated Databases
Appendix 4. Designation of Agent to Receive Notification of Claimed Infringement (Copyright Office Regulation)
Appendix 5. Interim Designation of Agent to Receive Notification of Claimed Infringement
Appendix 6. Amended Interim Designation of Agent to Receive Notification of Claimed Infringement (for a service provider to post on its website)
Appendix 7. Sample Digital Millennium Copyright Act Notice (including Counter Notification procedures)
Appendix 8. Email Acknowledging Receipt of Counter Notification
Appendix 9. Email Notifying Copyright Owner of a Counter Notification
Appendix 10. Email Notice to Users Affected By and Attaching a Takedown Notice [No Counter Notice]
Appendix 11. Website Notice to Digital Millennium Copyright Act Complainants Documenting and Confirming Action

KeyCite®: Cases and other legal materials listed in KeyCite Scope can be researched through the KeyCite service on Westlaw®. Use KeyCite to check citations for form, parallel references, prior and later history, and comprehensive citator information, including citations to other decisions and secondary materials.

4.01 Overview

Copyright law seeks to establish a delicate equilibrium. “On the one hand, it affords protection to authors as an incentive to create, and, on the other, it must appropriately limit the extent of that protection so as to avoid the effects of monopolistic stagnation.”1 Copyright law, in the words of the Second Circuit, grants “authors a limited monopoly over (and thus the opportunity to profit from) the dissemination of their original works of authorship.”2 As articulated by the Supreme Court, “the ultimate aim” of the Copyright Act is “to stimulate artistic creativity for the general public good.”3

[Section 4.01] 1 Computer Associates Int'l, Inc. v. Altai, Inc., 982 F.2d 693, 696 (2d Cir. 1992), citing Twentieth Century Music Corp. v. Aiken, 422 U.S. 151, 156 (1975). 2 Author's Guild, Inc. v. HathiTrust, 755 F.3d 87, 95 (2d Cir. 2014). 3 Sony Corp. of America v. Universal City Studios, Inc., 464 U.S. 417, 432 (1984), quoting Twentieth Century Music Corp. v. Aiken, 422 U.S. 151, 156 (1975).


4.12 Third-Party Liability Limitations Available to Service Providers Under the Digital Millennium Copyright Act1

4.12[1] In General

The Online Copyright Infringement Liability Limitation Act incorporated as Title II of the Digital Millennium Copyright Act (DMCA), which is codified at 17 U.S.C. § 512 and took effect on the day it was signed into law on Oct. 28, 1998, potentially provides an affirmative defense1 to claims for damages and attorneys' fees for federal (but not necessarily common law2) copyright infringement asserted against ISPs, website owners, search engine services, cloud service providers, blogs, portals, storage lockers, social networks, UGC sites, email providers, e-commerce sites, corporate intranets and all other entities that qualify as service providers as defined under the terms of the Act, but only if—and to the extent—eligible parties comply with multiple, specific technical eligibility requirements. Concurrently, Title II of the DMCA effectively provides copyright owners (or their exclusive licensees) with potentially valuable extra-judicial remedies to have infringing material blocked or removed and infringing activity stopped without having to file suit in most cases. Separate provisions of the DMCA providing remedies for circumvention of copy protection and access control mechanisms and removal, alteration or falsification of Copyright Management Information are addressed in section 4.21.

A service provider that satisfies four threshold prerequisites3 may be entitled to liability limitations for copyright infringement based on (1) transmitting, routing, and providing connections to infringing material (the “routing” limitation, or what the statute refers to as “transitory digital network communications”);4 (2) system caching;5 (3) information stored at the direction of a user (the “user storage” limitation);6 or (4) linking or referring users to infringing material (the “information location tools” limitation);7 or to a broad exemption under any legal theory for (5) disabling access to or removing in good faith allegedly infringing material;8 but only if additional requirements specific to each of the five separate categories also are met. Service providers that qualify for any of the first four copyright infringement limitations also may be insulated from injunctive relief, except in limited circumstances. Special rules potentially further limit the liability of nonprofit educational institutions (NEIs) for acts of infringement by faculty members or graduate students that otherwise might make the NEI ineligible for the four copyright liability limitations created by the Act.9

Except for the broad exemption for removing or disabling access to material believed to be infringing (which in any event would not be premised on copyright law), section 512 merely limits a service provider's potential exposure for damages and attorneys' fees for copyright infringement, without creating an exemption for the underlying conduct. Thus, even where a service provider's liability is limited pursuant to one of the safe harbors, other parties may be held liable for direct, contributory or vicarious infringement or for inducement (based on the standards analyzed in section 4.11) for the same underlying act of infringement.

The first two limitations (routing and system caching) limit the risk of inadvertent liability that theoretically could arise for a service provider simply by virtue of the way the Internet operates. As discussed earlier in this chapter in section 4.03, under MAI Systems Corp. v. Peak Computer, Inc.10 and subsequent cases, a copy for purposes of the Copyright Act may be created any time a “temporary copy” is made in a computer's random access memory, or RAM. Infringing copies therefore potentially may be created whenever a temporary copy is automatically made as information is routed over various computers connected to the Internet or when a copy is temporarily cached.11 Even absent DMCA protection, however, the risk of liability for service providers for routing or system caching generally is very low.12

The Act also allows service providers to limit their liability for information location tools, including links. Absent DMCA protection, search engines and others potentially could be held liable under limited circumstances for links that they themselves provide. Service providers also could have exposure for links created by users on sites or services they host. A link generally does not involve the creation of a copy under the Copyright Act and therefore exposure for linking usually is premised on theories of secondary liability.13 Liability for linking has been most often imposed where linking occurs in connection with other misconduct that induces or materially contributes to the infringing activity of others.14 By contrast, links generated in connection with indexing the

by Adobe Systems, Inc., Claris Corp. and Traveling Software, Inc., against Tripod, Inc., and its president, Bo Peabody).

[Section 4.12]
1 Portions of this section were adapted in part from Ian C. Ballon & Keith M. Kupferschmid, “Third-Party Liability Under the Digital Millennium Copyright Act: New Liability Limitations and More Litigation for ISPs,” The Cyberspace Law., Nov. 1998, at 3.

[Section 4.12[1]]
1 The DMCA provides an affirmative defense that potentially may be deemed to have been waived if not asserted in a party's answer to a complaint for copyright infringement. See Society of Holy Transfiguration Monastery, Inc. v. Gregory, 689 F.3d 29, 58–59 (1st Cir. 2012) (holding that the defendant waived its right to argue that it was insulated from liability by the DMCA by not pleading the affirmative defense in its answer to plaintiff's complaint). Entitlement to, or compliance with, DMCA safe harbors also potentially may be the subject of an affirmative claim for declaratory relief. See, e.g., Capitol Records, Inc. v. MP3tunes, LLC, 611 F. Supp. 2d 342, 348 (S.D.N.Y. 2009) (denying plaintiffs' motion to dismiss a counterclaim for a declaratory judgment that the defendant complied with the DMCA and that notices sent by plaintiffs were deficient). A declaratory judgment, however, generally would have to be premised on compliance with respect to particular copyrighted works, rather than in general. See Veoh Networks, Inc. v. UMG Recordings, Inc., 522 F. Supp. 2d 1265 (S.D. Cal. 2007) (dismissing a declaratory relief action brought by Veoh seeking a declaration that its user generated content site complied with the DMCA, shortly before Veoh was sued by UMG for copyright infringement in the Central District of California). Suits seeking a declaration of rights will be more difficult to maintain where the copyright owner denies that it intended to sue the declaratory judgment plaintiff for copyright infringement. See, e.g., Brave New Films 501(C)(4) v. Weiner, 91 U.S.P.Q.2d 1262, 2009 WL 1622385 (N.D. Cal. June 10, 2009). While a service provider sued for copyright infringement bears the burden of proving its entitlement to the DMCA, the DMCA places the burden of notifying service providers of infringement on copyright owners or their agents and cannot be shifted to the service provider to disprove. Viacom Int'l, Inc. v. YouTube, Inc., 940 F. Supp. 2d 110, 113-15 (S.D.N.Y. 2013).
2 See infra § 4.12[19].
3 See infra § 4.12[3].
4 See infra § 4.12[4].
5 See infra § 4.12[5].
6 See infra § 4.12[6].
7 See infra § 4.12[7].
8 See infra § 4.12[8].
9 See infra § 4.12[10].
10 MAI Systems Corp. v. Peak Computer, Inc., 991 F.2d 511 (9th Cir. 1993), cert. dismissed, 510 U.S. 1033 (1994).
11 See Religious Technology Center v. Netcom On-Line Communication Services, Inc., 907 F. Supp. 1361, 1378 n.25 (N.D. Cal. 1995) (dicta); see generally supra §§ 1.04, 4.03. But see Cartoon Network LP, LLLP v. CSC Holdings, Inc., 536 F.3d 121 (2d Cir. 2008) (holding that a temporary copy is not actionable if it is fixed for merely a transitory duration), cert. denied, 557 U.S. 946 (2009); supra § 4.03[3].
12 It is unlikely that material in transit would be deemed fixed for a sufficient duration to be actionable in the Second Circuit under Cartoon Network LP, LLLP v. CSC Holdings, Inc., 536 F.3d 121 (2d Cir. 2008), cert. denied, 557 U.S. 946 (2009). Yet, even if it were—or in a court outside the Second Circuit applying MAI Systems Corp. v. Peak Computer, Inc., 991 F.2d 511, 516 (9th Cir. 1993), cert. dismissed, 510 U.S. 1033 (1994), pursuant to which information in transit likely would be deemed to create fixed copies—the risk of exposure for most service providers for routing in particular, but also for most types of system caching, generally would be small. The particular pathway traveled by a given message is somewhat random. Pursuant to TCP/IP protocols, information is broken into packets which may travel along separate routes before being reassembled at their ultimate destination. Moreover, the Internet dynamically reroutes traffic through the most efficient pathways available at a given time. Caching, like routing, is premised on considerations of efficiency and is undertaken without regard to the nature of the content temporarily copied. Even where an infringing copy is routed through a particular server as a result of a peering agreement—making the particular route traveled arguably less random—it may be difficult for a plaintiff to show causation; that a service provider's mere act of providing access to the Internet constituted the type of volitional conduct or direct action typically required by courts as a prerequisite for imposing direct copyright liability on an ISP. See Religious Technology Center v. Netcom On-Line Communication Services, Inc., 907 F. Supp. 1361, 1370 (N.D. Cal. 1995) (Usenet postings; in order to find direct liability, “there should still be some element of volition or causation which is lacking where a defendant's system is merely used to create a copy by a third party.”); see also, e.g., Cartoon Network LP, LLLP v. CSC Holdings, Inc., 536 F.3d 121, 131 (2d Cir. 2008) (holding that a cable service provider could not be held directly liable for its provision of a DVR service because “the operator . . . , the person who actually presses the button to make the recording, supplies the necessary element of volition, not the person who manufactures, maintains, or, if distinct from the operator, owns the machine.”), cert. denied, 557 U.S. 946 (2009); CoStar Group, Inc. v. LoopNet, Inc., 373 F.3d 544 (4th Cir. 2004) (holding an ISP not liable for direct infringement where it was “simply the owner and manager of a system used by others who [we]re violating [plaintiff's] copyrights and [wa]s not an actual duplicator itself.”); Fox Broadcasting Co. v. Dish Network LLC, 747 F.3d 1060, 1066–68 (9th Cir. 2014) (following Cartoon Network in holding that a cable company that provided technology to its subscribers that they could use to make copies was not likely to be held directly liable because Dish itself did not make the copies; direct liability requires a showing of “copying by the defendant”); Sega Enterprises Ltd. v. MAPHIA, 948 F. Supp. 923, 932 (N.D. Cal. 1996) (no evidence that BBS operator caused infringing copies to be made merely by operating a BBS where third parties posted infringing software); Marobie-FL, Inc. v. National Ass'n of Fire Equipment Distributors, 983 F. Supp. 1167 (N.D. Ill. 1997) (company which hosted a website on which infringing material was posted held not liable for direct infringement because, even though it “provide[d] a service somewhat broader than the . . . Internet access provider in Religious . . . [it] only provided the means to copy, distribute or display plaintiff's works, much like the owner of a public copy machine used by a third party to copy protected material.”); Playboy Enterprises, Inc. v. Russ Hardenburgh, Inc., 982 F. Supp. 503, 513 (N.D. Ohio 1997) (some element of direct action is required); see generally supra § 4.11[2]. Moreover, a strong argument could be made that routing and system caching amounts to fair use “intermediate” copying. See supra § 4.10[1]. As a practical matter, because no circuit court had applied the volitional conduct requirement articulated by Judge Whyte in the Netcom case by 1998 when the DMCA was enacted, some service providers were concerned that the issue of their potential liability for routing or caching was unclear. Since the DMCA merely limits the liability of service providers for routing or system caching—without creating an exemption—a service provider's act of routing or caching could serve as the underlying act of infringement on which a claim of contributory, vicarious or inducing infringement could be asserted against other parties (such as the people who initiated or received the communication) whose liability would not necessarily be limited by the Act—at least outside of the Second Circuit to the extent courts follow MAI but not Cartoon Network.
13 A link is merely an instruction to a browser to go from one location to another and does not involve the reproduction or distribution of content. See, e.g., Batesville Services, Inc. v. Funeral Depot, Inc., Copy L. Rep. ¶ 28,901 (S.D. Ind. 2004) (hyperlinking “does not itself involve a violation of the Copyright Act (whatever it may do for other claims) since no copying is involved.”); Online Policy Group v. Diebold, Inc., 337 F. Supp. 2d 1195, 1202 n.12 (N.D. Cal. 2004) (finding hyperlinking does not involve copying). Some courts, however, have held that a link may lead to liability by creating a public display or public performance. See Batesville Services, Inc. v. Funeral Depot, Inc., Copy L. Rep. ¶ 28,901 (S.D. Ind. 2004) (holding that a triable issue of fact existed on the issue of defendant's potential direct or contributory liability for creating links to unauthorized photographs of plaintiff's products, reproducing thumbnails of the photographs, and designing, creating and paying for the pages that it linked to, after having been warned to stop displaying the pictures itself on its own website.); Live Nation Motor Sports, Inc. v. Davis, 81 U.S.P.Q.2d 1826, 2007 WL 79311 (N.D. Tex. Jan. 9, 2007) (creating links to a stream of a live webcast of motor races that were shown in real time was held to be infringing of the plaintiff's public performance right). But see Flava Works, Inc. v. Gunter, 689 F.3d 754, 761 (7th Cir. 2012) (holding that creating an in-line link to videos via frames from the defendant's website did not amount to a public performance); see generally supra § 4.03 (analyzing these cases and what constitutes a public performance). In Perfect 10, Inc. v. Amazon.com, Inc., 508 F.3d 1146 (9th Cir. 2007), the Ninth Circuit considered linking and caching undertaken by Google and Amazon.com in connection with visual search engines that indexed the Internet. Google cached small thumbnail images on its servers and created links to full size copies of images located on third-party websites. The Ninth Circuit adopted the “server test” to evaluate whether a given online use violates a copyright owner's display right. Under this test, “a computer owner that stores an image as electronic information and serves that electronic information directly to the user . . . is displaying the electronic information in violation of a copyright holder's exclusive display right. Conversely, the owner of a computer that does not store and serve the electronic information to a user is not displaying that information, even if such owner in-line links to or frames the electronic information.” Perfect 10, Inc. v. Amazon.com, Inc., 508 F.3d 1146, 1159 (9th Cir. 2007). Applying the server test, the court held that Google could not be held directly liable for creating links to third-party locations on the Internet because the content that was linked to was not located on Google's own servers. In the words of the court, “Google transmits or communicates only an address which directs a user's browser to the location where a copy of the full-size image is displayed. Google does not communicate a display of the work itself.” Stated differently, “it is the website publisher's computer, rather than Google's computer, that stores and displays the infringing image.” Perfect 10, Inc. v. Amazon.com, Inc., 508 F.3d 1146, 1162 (9th Cir. 2007). With respect to thumbnail images stored on Google's own servers (which were displayed in its search results page to help users determine where responsive material was located), the court held that Google could be held directly liable for storing those images on its servers, under the server test. The court, however, found that Google's use, undertaken to index the Internet, was highly transformative and likely to be found a fair use. See supra § 4.10[1].
The court nevertheless remanded the case for further consideration of whether Google could be held contributorily liable for creating links to images stored on third-party servers (which created unauthorized copies on the computer screens of users) to determine if Google “had knowledge that infringing Perfect 10 images were available using its search engine, could take simple measures to prevent further damage to Perfect 10's copyrighted works, and failed to take such steps.” Perfect 10, Inc. v. Amazon.com, Inc., 508 F.3d 1146, 1172 (9th Cir. 2007). But see Flava Works, Inc. v. Gunter, 689 F.3d 754 (7th Cir. 2012) (vacating a prelimi- nary injunction against a social bookmarking site based on the nding that creating links to infringing videos submitted by users was not suf- ciently material to amount to contributory infringement; applying a dif- ferent test for contributory infringement than the Ninth Circuit had in Perfect 10); see generally infra §§ 9.03[1], 9.04[1] (analyzing these cases and linking and framing generally in greater detail). 14 See, e.g., Intellectual Reserve, Inc. v. Utah Lighthouse Ministry, Inc., 75 F. Supp. 2d 1290 (D. Utah 1999); Arista Records, Inc. v. MP3Board, Inc., Copy. L. Rep. (CCH) ¶ 28,483 (S.D.N.Y. Aug. 22, 2002); infra §§ 4.12[7], 9.03 to 9.06.


Internet may be found to be a fair use.15 The liability limitation for information location tools nonetheless has been effective (and rarely challenged) because it allows copyright owners to obtain quick relief that might otherwise be difficult or impossible to obtain in court, and effectively saves service providers the time and expense of having to litigate where they are willing to simply disable a link in response to a notification.16 By contrast, sites and services that host or store user generated content or allow users to transmit it, potentially face a greater risk of third-party liability in the absence of the DMCA safe harbor.17 Perhaps not surprisingly, most of the litigation under the DMCA has involved the user storage liability limitation. For service providers with interactive sites or services where users may post, store or transmit their own material—which encompasses a wide array of services from traditional ISPs to social network operators and cloud service providers—the user storage limitation is potentially very helpful. To limit its liability under any of the DMCA safe harbors, a service provider, as noted above, must meet specific threshold requirements.18 It must adopt, reasonably implement and inform subscribers and account holders19 of a policy of terminating the accounts or subscriptions of repeat infringers, in appropriate circumstances, and accommodate and not interfere with “standard technical measures.”20 If a service provider fails to meet these threshold requirements it will be ineligible for any of the safe harbors. Further, the DMCA only limits a service provider's liability as of the date the

15 See, e.g., Perfect 10, Inc. v. Amazon.com, Inc., 508 F.3d 1146 (9th Cir. 2007); Kelly v. Arriba Soft Corp., 336 F.3d 811, 820 (9th Cir. 2003); see generally supra § 4.10[1].

16 The Digital Millennium Copyright Act does not limit liability for linking based on other theories of recovery, including the Lanham Act or state unfair competition laws (see infra chapter 6) or under federal securities or consumer protection laws. See infra §§ 25.04 (warranty information or disclaimers made available on a linked page), 28.12 (advertising), §§ 32.01, 32.04 (securities). Linking is analyzed more extensively in chapter 9.

17 See supra §§ 4.11[1] to 4.11[6].

18 See infra § 4.12[3].

19 Not every type of service will have subscribers or account holders.

20 See infra § 4.12[3].

service provider began complying with the statute.21 For the user storage limitation (and potentially the information location tools22 and caching23 safe harbors), a service provider also must designate an agent to receive a special type of statutory demand letter called a notification of claimed infringement (referred to in this section of the treatise as a notification, or more colloquially as a DMCA notice) and expeditiously disable access to or remove material or activity (or links) identified as infringing in substantially complying notifications.24 Failing to respond to a substantially complying notification may make a service provider ineligible for the safe harbor for the material identified in the notification.25 To take advantage of the user storage safe harbor, a service provider further must disable access to or remove material, even in the absence of a DMCA notice, if it has actual knowledge of infringing activity or is “aware of facts or circumstances from which infringing activity is apparent . . . ,” which in the legislative history is explained as material that raises a “red flag.”26 The DMCA was not intended to protect service providers that facilitate infringement or turn a blind eye to it. The liability limitations are “not presumptive, but granted only to ‘innocent’ service providers who can show that they do not have a defined level of knowledge.”27 The Second Circuit and Ninth Circuits have held that actual knowledge denotes subjective belief, whereas red flag

21 See Perfect 10, Inc. v. CCBill, LLC, 340 F. Supp. 2d 1077, 1092 (C.D. Cal. 2004) (holding that defendant Internet Key was ineligible for the DMCA liability limitations for acts of infringement that occurred prior to Aug. 21, 2002, when it first implemented and distributed to clients its policy of terminating repeat infringers), aff'd in part on other grounds, 488 F.3d 1102 (9th Cir.), cert. denied, 522 U.S. 1062 (2007).

22 See infra § 4.12[7] (analyzing whether a DMCA agent must be designated to qualify for the information location tools liability limitation).

23 See infra § 4.12[5].

24 See infra § 4.12[9].

25 See, e.g., Ellison v. Robertson, 357 F.3d 1072 (9th Cir. 2004) (finding a triable issue of fact on the question of whether AOL satisfied the requirements of section 512(i) and therefore was entitled to limit its liability under the DMCA in a case where it failed to receive a notification, and therefore took no action, due to its own error).

26 See infra § 4.12[6].

27 In re Aimster Copyright Litig., 252 F. Supp. 2d 634 (N.D. Ill. 2002), aff'd on other grounds, 334 F.3d 643 (7th Cir. 2003).

awareness is judged by an objective reasonableness standard.28 Both Circuits have also clarified that copyright owners, not service providers, have the obligation to investigate whether material on a site or service is infringing. While a service provider has no obligation to take down material in response to a defective notification sent by a copyright owner, and knowledge or awareness may not be inferred from a notification that does not substantially comply with the requirements of section 512(c)(3),29 the Ninth Circuit suggested in dicta that an unverified notice sent by a third party (as opposed to the copyright owner who filed suit against the service provider) potentially could provide red flag awareness.30 Even in the absence of proof of actual knowledge or red flag awareness, a service provider may be deemed to have knowledge or awareness in the Second and Ninth Circuits where willful blindness is shown.31 Eligibility for the user storage liability limitation also requires a showing that a defendant not receive a financial benefit directly attributable to the infringing activity, in a case in which the service provider has the right and ability to control such activity.32 To lose safe harbor protection a service provider must have both a financial interest and right and ability to control the infringing activity.33

28 See Viacom Int'l, Inc. v. YouTube, Inc., 676 F.3d 19, 31 (2d Cir. 2012); UMG Recordings, Inc. v. Shelter Capital Partners LLC, 718 F.3d 1006, 1025 (9th Cir. 2013) (quoting Viacom v. YouTube); infra § 4.12[6].

29 See 17 U.S.C.A. § 512(c)(3)(B)(i); UMG Recordings, Inc. v. Shelter Capital Partners LLC, 718 F.3d 1006, 1020–21 n.12 (9th Cir. 2013).

30 See UMG Recordings, Inc. v. Shelter Capital Partners LLC, 718 F.3d 1006, 1024–25 (9th Cir. 2013); infra § 4.12[6][A].

31 See, e.g., Viacom Int'l, Inc. v. YouTube, Inc., 676 F.3d 19, 35 (2d Cir. 2012) (holding that knowledge or awareness may be established by evidence of willful blindness, which the court characterized as a deliberate effort to avoid guilty knowledge); Columbia Pictures Industries, Inc. v. Fung, 710 F.3d 1020, 1043 (9th Cir. 2013) (explaining that “inducing actions”—or measures deemed to induce copyright infringement—were relevant to the court's determination that the defendant had red flag awareness); UMG Recordings, Inc. v. Shelter Capital Partners LLC, 718 F.3d 1006, 1023 (9th Cir. 2013) (citing Viacom v. YouTube for the proposition that “a service provider cannot willfully bury its head in the sand to avoid obtaining . . . specific knowledge.”); infra § 4.12[6][C].

32 See infra § 4.12[6][D].

33 See infra § 4.12[6][D].


The Second,34 Fourth35 and Ninth36 Circuits have held that the degree of control required to disqualify a service provider from eligibility for the DMCA safe harbor is higher than what would be required to prove right and ability to control to establish common law vicarious liability (which is analyzed in section 4.11[4]). In the Second and Ninth Circuits, what is required is “something more than the ability to remove or block access to materials posted on a service provider's website.”37 That “something more” involves exerting “substantial influence” on the activities of users, which may include high levels of control over user activities or purposeful conduct.38 The financial interest prong has been construed in the Ninth Circuit as requiring a showing that “ ‘the infringing activity constitutes a draw for subscribers, not just an added benefit.’ ”39 Right and ability to control and financial interest are analyzed in section 4.12[6][D]. At least for purposes of the user storage limitation (and presumably for the information location tools safe harbor, to the extent applicable service providers have account holders and subscribers), the Ninth Circuit has held that in evaluating a service provider's compliance with the threshold requirement that a service provider adopt, notify subscribers about and implement a policy of terminating “repeat infringers” in “appropriate circumstances,” a court must also consider the service provider's compliance with third-party notifications and response to all instances where it had

34 See Viacom Int'l, Inc. v. YouTube, Inc., 676 F.3d 19, 37–38 (2d Cir. 2012).

35 See CoStar Group, Inc. v. LoopNet, Inc., 373 F.3d 544, 555 (4th Cir. 2004).

36 See UMG Recordings, Inc. v. Shelter Capital Partners LLC, 718 F.3d 1006, 1026–31 (9th Cir. 2013).

37 Viacom Int'l, Inc. v. YouTube, Inc., 676 F.3d 19, 38 (2d Cir. 2012), quoting Capitol Records, Inc. v. MP3Tunes, LLC, 821 F. Supp. 2d 627, 645 (S.D.N.Y. 2011); see also UMG Recordings, Inc. v. Shelter Capital Partners LLC, 718 F.3d 1006, 1030 (9th Cir. 2013) (following the Second Circuit on this point).

38 See Viacom Int'l, Inc. v. YouTube, Inc., 676 F.3d 19, 38 (2d Cir. 2012); UMG Recordings, Inc. v. Shelter Capital Partners LLC, 718 F.3d 1006, 1030 (9th Cir. 2013).

39 Perfect 10, Inc. v. CCBill LLC, 488 F.3d 1102, 1117–18 (9th Cir.), cert. denied, 522 U.S. 1062 (2007); Ellison v. Robertson, 357 F.3d 1072, 1079 (9th Cir. 2004) (quoting legislative history).

actual knowledge or red flag awareness of infringement (not merely how it acted in responding to the plaintiff's own works), on the theory that a service provider may not be reasonably implementing a policy of terminating repeat infringers in appropriate circumstances if it is not, in the first instance, adequately keeping track of who is an infringer.40 Thus, ignoring red flag material—or failing to disable access to or remove material when a service provider is aware of facts and circumstances from which infringing activity is apparent41—could disqualify a service provider from safe harbor protection not only with respect to the red flag material that remained online but overall for any acts of user infringement (to the extent the failure to disable access to or remove red flag material evidenced a failure to reasonably implement a repeat infringer policy, which is a threshold requirement for DMCA eligibility), at least in the Ninth Circuit. This ruling also potentially opens up a service provider to broad discovery (beyond the works at issue in a given case).42 With the safe harbor, Congress “intended to balance the need for rapid response to potential infringement with the end-users[’] legitimate interests in not having material removed without recourse.”43 The statute thus creates “strong incentives for service providers and copyright owners to cooperate to detect and deal with copyright infringements that take place in the digital network environment.”44 To benefit from the related exemption from liability for removing material stored by subscribers, service providers must also respond to counter notifications which may be directed to their agents by subscribers whose content was removed (or access disabled) in response to a notification.45 When a substantially complying counter notification is received, a service provider must pay close attention to statutory time periods and either restore access to or re-post content that originally had been removed (if a copyright owner fails to timely respond to a counter notification), or take no further action, and leave the material offline (if the copyright owner timely provides evidence to the service provider that it has filed suit against the subscriber or account holder).46 Needless to say, liability to subscribers for taking down material in response to a DMCA notification already may be limited by the service provider's contract with its subscribers and account holders47 and in some circumstances potentially by the Good Samaritan Exemption to the Telecommunications Act of 1996 (also known as the Communications Decency Act, or CDA).48 Compliance with the DMCA is optional. If a service provider chooses not to comply or fails to meet the statute's technical requirements, its liability will be determined under existing provisions of copyright law, including the standards for third-party liability (premised on direct, contributory, vicarious or inducement liability), fair use, injunctive relief and damages outlined in, respectively, sections 4.11, 4.10, 4.13 and 4.14. The fact that a company chooses not to or fails to meet the requirements for any of the specific limitations created by the Act may not itself be cited as evidence of infringement.49 Early on, some service providers were disinclined to comply with the DMCA based on concerns about the costs and burdens associated with compliance and the adverse impact that a notice and takedown system could have on Internet speech. The increased volume of complaints brought about through the designation of an agent, the time and manpower needed to evaluate whether notifications and counter notifications are substantially complying, and the obligation to adhere to multiple additional technical requirements (including strict time limitations) may impose significant costs on service providers that choose to comply with

40 See Perfect 10, Inc. v. CCBill LLC, 488 F.3d 1102, 1110–13 (9th Cir.), cert. denied, 522 U.S. 1062 (2007); infra § 4.12[3][B][iv].

41 17 U.S.C.A. § 512(c)(1)(A)(ii).

42 See infra § 4.12[18] (discovery issues in DMCA litigation).

43 Rossi v. Motion Picture Ass'n of America Inc., 391 F.3d 1000, 1003 (9th Cir. 2004) (quoting legislative history), cert. denied, 544 U.S. 1018 (2005).

44 Rossi v. Motion Picture Ass'n of America Inc., 391 F.3d 1000, 1003 (9th Cir. 2004) (quoting legislative history), cert. denied, 544 U.S. 1018 (2005).

45 See infra § 4.12[13].

46 See infra § 4.12[9][C].

47 See infra chapters 21 (click through and other unilateral contracts), 22 (Terms of Use) and 23 (ISP contracts). Whether and to what extent service provider agreements will be deemed enforceable is analyzed in sections 21.03 and 21.04. DMCA compliance is separately addressed in section 22.05[2][A].

48 See 47 U.S.C.A. § 230(c); see generally infra §§ 4.12[8], 37.05.

49 17 U.S.C.A. § 512(l).

the Act (which may be especially challenging for new or smaller companies). On the other hand, the costs associated with implementing a DMCA program may be small compared with the cost of litigating a copyright dispute (particularly one where the service provider may not be able to rely on the DMCA defense). Today, compliance with the liability limitations of the DMCA is widely seen as almost essential for service providers to better insulate themselves from liability for the conduct of their users. DMCA compliance also is required by many insurers of interactive sites or services.50 To reduce the costs and burdens of compliance, some service providers honor notifications, but not counter notifications. A service provider may seek to benefit from the user storage safe harbor—to limit liability to copyright owners—but choose not to comply with the procedures for counter notifications (as discussed in section 4.12[13]), which merely provides an exemption against liability to subscribers for disabling access to or removing material, based on a calculation that the risk of liability to subscribers for wrongfully removing material is likely to be limited and may be capped in the provider's contract with its customers. Failing to comply with procedures governing counter notification should not impact a service provider's entitlement to the safe harbors provided for transitory digital network communications, system caching, information stored at the direction of users or information location tools, because counter notification procedures merely provide a remedy for users accused of infringement. Offering users the opportunity to submit counter notifications, however, may help deflect user complaints about takedown notices and therefore may amount to a good business practice for some service providers. Complying with procedures for counter notifications also allows a site that is philosophically uncomfortable with disabling access to or removing material that potentially could be protected by the fair use doctrine or otherwise reflect a permitted use, to provide users with a mechanism to allow them to restore the material without exposing the service provider to liability. For copyright owners, the Digital Millennium Copyright

50 Whether and to what extent a given site should comply with the DMCA is separately considered in section 49.05 and chapter 50.


Act potentially provides valuable extra-judicial remedies. In lieu of spending tens of thousands of dollars or more to obtain injunctive relief, a copyright owner may be able to quickly and inexpensively have infringing content removed where a service provider complies with the DMCA. Even where a user challenges a notification by serving a counter notification—forcing the copyright owner to file suit if it wants to keep the material offline—any ensuing litigation would require the accused infringer to obtain injunctive relief to have the material placed back online (rather than compelling the copyright owner to obtain an injunction to have the material removed, as is usually the case in copyright infringement litigation).51 If the accused infringer does not seek injunctive relief, the material will automatically remain offline unless and until the court orders otherwise. Of course, the DMCA alone cannot stop alleged infringers or their supporters from repeatedly posting unauthorized material on multiple locations. Where a user engages in ongoing or widespread infringement, litigation may be required. While suits against individual users serve a deterrent purpose, they are unlikely to stop viral distribution of an infringing file once it has been released on the Internet. The speed with which material may be posted, or reposted (either by the same user or others) following removal, is much faster than the time limits contemplated by the DMCA. Termination of a repeat infringer may prevent that infringer from reposting a work to a given site, but it does not stop the same user from posting the same file on another site or service.52 Indeed, the DMCA cannot prevent the same user, or other users who copied a file after it was initially posted,

from reposting the same file after it has been taken down. The viral nature of material posted on Internet sites and services means that copyright owners must look beyond the DMCA to filtering and other technologies—to adequately protect their works from infringement.53 The DMCA “represents a legislative determination that copyright owners must themselves bear the burden of policing for infringing activity—service providers are under no such duty.”54 The number of copyright notices sent to service providers each year is large. For example, as of mid-August, 2012, Google had processed takedown notices for 4.3 million URLs in the preceding 30 day period.55 In November 2013, Google was asked to block access to 24,545,299 URLs.56 As of October 2015, Google had been asked to remove 50,639,990 URLs and block 71,649 domains by 5,690 copyright owners and 2,469 reporting organizations in the preceding month.57 Where they do not otherwise have actual knowledge or “red flag” awareness, service providers have no obligation to act unless they receive a substantially complying notification (and neither knowledge nor awareness may be inferred from

51 See infra § 4.12[9][C] (counter notifications), 4.13[1] (injunctive relief in copyright infringement suits).

52 Case law to date has held that service providers do not lose DMCA protection because of the mere possibility that a user terminated as a repeat infringer could regain access to the service by falsely posing as a different person. See, e.g., Capitol Records, LLC v. Vimeo, LLC, 972 F. Supp. 2d 500, 516 (S.D.N.Y. 2013) (holding that it was reasonable for Vimeo to block the email address, but not the IP address, of users terminated as repeat infringers, despite the possibility that a rogue user might reappear under a different name; following Io Group); Io Group, Inc. v. Veoh Networks, Inc., 586 F. Supp. 2d 1132, 1144 (N.D. Cal. 2008) (holding that the “hypothetical possibility that a rogue user might reappear under a different user name and identity does not raise a genuine fact issue as to the implementation of Veoh's policy.”); Corbis Corp. v. Amazon.com, Inc., 351 F. Supp. 2d 1090, 1103 (W.D. Wash. 2004) (writing that “[a]lthough this type of behavior is understandably vexing for a copyright holder like Corbis, it is not clear how Posternow's efforts to sidestep Amazon's policies amount to a failure of implementation.”). Except where a site has already been enjoined based on a court's determination that the plaintiff is likely to prevail on the merits and prove copyright infringement (as was the case in the Napster and Grokster lawsuits; supra § 4.11), courts have not required service providers to take extraordinary measures to prevent repeat infringers from anonymously gaining access to the site—largely out of recognition that an individual today can easily pose as someone else by assuming a different identity or using a different computer or ISP.

53 See infra § 17.05[3][C] (filtering technologies and the DMCA).

54 In re Aimster Copyright Litig., 252 F. Supp. 2d 634, 657–58 (N.D. Ill. 2002), aff'd, 334 F.3d 643 (7th Cir. 2003). The House Report accompanying the law makes clear, however, that the DMCA was “not intended to discourage the service provider from monitoring its service for infringing material.” See infra § 4.12[4]. Moreover, as already noted, service providers have an obligation to disable access to or remove material, even absent a notification, if they have actual knowledge or “red flag” awareness.

55 Google Inside Search (The Official Google Blog), “An Update to Our Search Algorithms,” Aug. 10, 2012, http://insidesearch.blogspot.com/2012/08/an-update-to-our-search-algorithms.html.

56 See http://www.google.com/transparencyreport/removals/copyright/?hl=en (visited Dec. 8, 2013).

57 See https://www.google.com/transparencyreport/removals/copyright/ (visited October 12, 2015).

a notification that is not substantially complying).58 Similarly, a service provider that otherwise meets the statutory requirements to qualify for the user storage safe harbor may not be held liable for copyright infringement if it was not first provided the opportunity to respond to a substantially complying notification. For example, the district court in Perfect 10, Inc. v. CCBill, LLC59 ruled that a blanket statement that infringing copies of plaintiff's works were found within 22,000 pages of documents, without specific identification of the infringing pages, did not provide sufficient notice to the service provider under the DMCA. Similarly, in UMG Recordings, Inc. v. Veoh Networks, Inc.,60 the court held that a notice that listed only a record company's artists, rather than a representative list of works, and omitted any reference to the files on a service provider's site alleged to be infringing, was deficient. Likewise, in Hendrickson v. eBay, Inc.,61 a copyright owner's failure to authenticate a notification by including a written statement under penalty of perjury substantiating the accuracy of the notification (as required by section 512(c)(3)(A)(vi)) or certifying that he had “a good faith belief that use of the material in the manner complained of” was not authorized (as required by section 512(c)(3)(A)(v)) rendered the notice defective, justifying summary judgment for the defendant-service provider. Subsequently, in Hendrickson v. Amazon.com, Inc.,62 a court clarified that even a substantially complying notification will only be effective with respect to material online at the time it is sent, and

58 See 17 U.S.C.A. § 512(c)(3)(B)(i). Where a notification is deficient but nonetheless substantially complies with the requirements for identifying the infringed work and the infringing material and includes sufficient contact information to allow the service provider to contact the complainant, however, the service provider must attempt to do so or “tak[e] other reasonable steps to assist” in obtaining a substantially complying notification before it may benefit from this provision. See 17 U.S.C.A. § 512(c)(3)(B)(ii); see generally infra §§ 4.12[6][C], 4.12[9][B].

59 Perfect 10, Inc. v. CCBill, LLC, 340 F. Supp. 2d 1077, 1096 (C.D. Cal. 2004), aff'd in part on other grounds, 488 F.3d 1102 (9th Cir.), cert. denied, 522 U.S. 1062 (2007).

60 UMG Recordings, Inc. v. Veoh Networks Inc., 665 F. Supp. 2d 1099 (C.D. Cal. 2009), aff'd on other grounds sub nom. UMG Recordings, Inc. v. Shelter Capital Partners LLC, 718 F.3d 1006 (9th Cir. 2013).

61 Hendrickson v. eBay, Inc., 165 F. Supp. 2d 1082 (C.D. Cal. 2001).

62 Hendrickson v. Amazon.com, Inc., 298 F. Supp. 2d 914 (C.D. Cal. 2003).

cannot impose a continuing obligation on the service provider to monitor its service on an ongoing basis. In another district court case, where notice had been sent to the wrong entity, a court held in an unreported decision that a DMCA notice sent to a parent corporation was not effective in giving notice to the subsidiary.63 Both copyright owners and users are subject to penalty of perjury and potential liability for submitting false information in notifications or counter notifications.64 The Ninth Circuit has further held that a copyright owner faces liability under 17 U.S.C.A. § 512(f) if it knowingly misrepresents in a takedown notification that it has formed a good faith belief that the material identified in a DMCA notification was not authorized by law because the copyright owner failed to consider a user's potential fair use to the material before sending the DMCA notification.65 This provision also potentially may be used to sue for declaratory relief or to seek an injunction prohibiting a competitor from sending unmeritorious DMCA notices for the purpose of having material removed from the Internet.66 Wrongfully sending a DMCA notice potentially may also subject the complaining party to personal jurisdiction in the home state of the affected user because a substantially complying DMCA notice, unlike a simple cease and desist letter, will result in a service provider that complies with

63 See Perfect 10, Inc. v. Amazon.com, Inc., No. CV 05-4753 AHM (SHx), 2009 WL 1334364 (C.D. Cal. May 12, 2009). In that case, the court also held that DMCA notices sent after litigation was commenced were legally irrelevant in evaluating whether a service provider had notice of infringement.
64 See infra §§ 4.12[9][B], 4.12[9][C], 4.12[9][D], 4.12[9][F].
65 See Lenz v. Universal Music Corp., — F.3d —, 2015 WL 5315388 (9th Cir. 2015) (holding that a copyright owner must have a subjective good faith belief that allegedly infringing material does not constitute fair use before sending a DMCA takedown notice and that failing to form such a subjective good faith belief or being willfully blind would justify the imposition of sanctions under section 512(f)); see also Lenz v. Universal Music Corp., 94 U.S.P.Q.2d 1344, 2010 WL 702466 (N.D. Cal. Feb. 25, 2010) (narrowly construing damages and fees potentially recoverable under section 512(f) in an earlier ruling in the case that was not addressed expressly by the Ninth Circuit in its opinion); see generally infra §§ 4.12[9][D], 4.12[9][F] (discussing the case at greater length), 4.10[1] (analyzing fair use).
66 See infra §§ 4.12[9][D] (section 512(f) sanctions, declaratory and injunctive relief), 4.12[9][F] (suits against copyright owners).

the DMCA expeditiously disabling access to or removing the offending material.67

Some service providers, including Google, will forward DMCA notifications to chillingeffects.org, which catalogs and publicizes DMCA notifications, cease and desist letters and other legal notices, or otherwise post them online. DMCA notices, if sent by email, generally are exempt from the requirements of the federal CAN-SPAM Act.68

The statutory safe harbors, by their terms, apply to claims of copyright infringement, not specific theories of third-party liability. The DMCA therefore theoretically could apply to claims against service providers for third-party acts of infringement based on direct liability, contributory infringement, vicarious liability or inducing copyright infringement69 (even though the latter theory of recovery was judicially adopted approximately six-and-a-half years after the DMCA was enacted into law).70 In practice, however, where liability could be established for inducing infringement (or for contributory

67 See Tuteur v. Crosley-Corcoran, 961 F. Supp. 2d 333, 339–40 (D. Mass. 2013); see generally infra § 53.04[5][F] (analyzing jurisdiction based on DMCA and other takedown notices).
68 15 U.S.C.A. §§ 7701 to 7713. Efforts to negotiate licenses incident to resolving a dispute, however, must comply with the Act, if communicated by email. See infra § 29.04[2][B][iv].
69 See generally supra § 4.11 (analyzing secondary liability).
70 The statute itself makes it clear that it applies to all potential copyright infringement claims that fit within the specific exemptions set forth in sections 4.12[4] to 4.12[7], not simply certain specific forms. See 17 U.S.C.A. § 512; see also Viacom Int'l, Inc. v. YouTube, Inc., 676 F.3d 19, 41 (2d Cir. 2012) (holding that “a finding of safe harbor application necessarily protects a defendant from all affirmative claims for monetary relief.”); Columbia Pictures Industries, Inc. v. Fung, 710 F.3d 1020, 1039–40 (9th Cir. 2013) (holding that the DMCA safe harbors potentially may be applied to a claim of inducement, but finding the transitory digital network communications, user storage and information location tools safe harbors inapplicable in that case); Perfect 10, Inc. v. Amazon.com, Inc., 508 F.3d 1146, 1158 n.4, 1175 (9th Cir. 2007) (writing that the DMCA may apply if a service provider is found liable for “direct, contributory or vicarious copyright infringement” and that “the limitations on liability contained in 17 U.S.C. § 512 protect secondary infringers as well as direct infringers.”); Perfect 10, Inc. v. CCBill LLC, 488 F.3d 1102, 1117 (9th Cir.) (“Section 512(c) ‘limits the liability of qualifying service providers for claims of direct, vicarious, and contributory infringement for storage at the direction of a user of material that resides on a system or network controlled or operated by or for the service provider’ ”; quoting H.R. Rep. No. 105-551, Pt. II, at 53 (1998)), cert. denied, 522 U.S. 1062 (2007).

infringement, if based on actual knowledge or intent) a service provider may have difficulty qualifying for the user storage liability limitation, which is inapplicable where a service provider has knowledge or awareness of the underlying acts of infringement and fails to act expeditiously in response to remove or disable access to the material or is willfully blind to infringing activity.71 Of course, knowledge or awareness are fact questions that would have to be proven in court if disputed.72

The DMCA liability limitations constitute affirmative defenses that, in litigation, should be separately considered from liability.73 At trial, this generally will mean that the defendant should be required to prove its entitlement to one or more of the liability limitations after the plaintiff rests its

71 See infra § 4.12[6][C]. This is not to say that the DMCA does not protect service providers from liability for contributory infringement or inducement; merely that if there is evidence sufficient to prove inducement (and in some cases contributory infringement, if the theory of liability is based on knowledge) it is unlikely that a service provider could make the required showing for entitlement to the DMCA safe harbor. Inducement presupposes a level of intent that generally is inconsistent with lacking knowledge or awareness or reasonably implementing a policy of terminating repeat infringers in appropriate circumstances (and, depending on the facts of the case, in the Second Circuit, may also evidence right and ability to control). See generally supra § 4.11[6] (analyzing inducement); infra §§ 4.12[3][B] (repeat infringer), 4.12[6][C] (knowledge or awareness), 4.12[6][D] (right and ability to control). Contributory infringement in some cases presupposes knowledge and substantial participation, although knowledge potentially may be imputed and substantial participation could be based on a failure to act (neither of which would imply knowledge or red flag awareness within the meaning of the DMCA). See generally supra § 4.11[3] (analyzing contributory infringement). While the DMCA should insulate legitimate service providers that comply with its provisions from claims of inducement or contributory infringement, it should not shield pirate sites that induce or actively encourage (or turn a blind eye toward) infringement. As discussed later in this subsection, DMCA issues frequently are addressed by summary judgment motion, obviating the need to evaluate liability on the merits if the service provider prevails on its motion.
72 Knowledge and intent may be resolved on motion for summary judgment or, if disputed, on a material point by admissible evidence, at trial.
73 The defendant bears the burden of proving its entitlement to one or more of the DMCA safe harbors. See, e.g., ALS Scan, Inc. v. RemarQ Communities, Inc., 239 F.3d 619, 625 (4th Cir. 2001); Columbia Pictures Industries, Inc. v. Fung, 710 F.3d 1020, 1039 (9th Cir. 2013) (“Because the DMCA safe harbors are affirmative defenses, Fung has the burden of establishing that he meets the statutory requirements.”).

case. In motion practice, the applicability of the DMCA liability limitations may be separately considered first, since a service provider's entitlement to benefit from section 512 would moot potentially more complex (or fact-specific) liability questions.74 As an affirmative defense, entitlement to the DMCA may be difficult to raise in a declaratory judgment action75 unless the complaint is specifically directed to particular works. DMCA cases to date frequently have been decided (or largely decided) on summary judgment motions. Unless timely raised, a service provider's potential entitlement to the DMCA safe harbors may be deemed waived.76

To a surprising extent, case law construing the DMCA for the first decade after its enactment was drawn disproportionately from district courts and appellate panels in one circuit—the Ninth Circuit. Even today, case law from outside the Ninth Circuit has been shaped and influenced by Ninth Circuit law, including influential district court cases from California applying Ninth Circuit precedent, because of the dearth of case law from other circuits. With the exception of two Fourth Circuit opinions and district court cases analyzing sanctions for misrepresentations in DMCA notices,77 all of the major cases construing the requirements of the DMCA for the first 11 1/2 years after the statute was signed into law in 1998 were decided by the Ninth Circuit or district courts within that circuit. The first Second Circuit opinion, Viacom Int'l, Inc. v. YouTube, Inc.,78 was decided approximately 13 1/2 years after the DMCA was signed into law, even though

74 See, e.g., Viacom Int'l, Inc. v. YouTube, Inc., 676 F.3d 19, 41–42 (2d Cir. 2012) (affirming in part and vacating and remanding in part the lower court's summary judgment order on the applicability of the DMCA user storage safe harbor “without expressing a view on the merits of the plaintiffs' affirmative claims.”).
75 See Veoh Networks, Inc. v. UMG Recordings, Inc., 522 F. Supp. 2d 1265, 1271 (S.D. Cal. 2007) (dismissing a declaratory judgment action premised on the plaintiff's entitlement to the user storage safe harbor).
76 See Society of Holy Transfiguration Monastery, Inc. v. Gregory, 689 F.3d 29, 58–59 (1st Cir. 2012) (holding that the defendant waived its right to argue that it was insulated from liability by the DMCA by not pleading the affirmative defense in its answer to plaintiff's complaint).
77 Sanctions for misrepresentations in DMCA notifications and counter notifications are authorized by 17 U.S.C.A. § 512(f) and analyzed in section 4.12[9][D].
78 Viacom Int'l, Inc. v. YouTube, Inc., 676 F.3d 19, 41–42 (2d Cir. 2012) (affirming in part, vacating and remanding in part a 2010 Southern District of New York order).

the Second Circuit is one of the most important circuits for copyright law decisions. Even as of late 2013, there was not much DMCA safe harbor case law to speak of outside the Second, Fourth and Ninth Circuits.

Blogs, social networks, cloud service providers, and other sites that host user generated content (UGC) all are potentially eligible for the DMCA safe harbors, if they meet the specific requirements of the statute.79 Although these sites are technically more sophisticated and substantially different sociologically from the Internet sites and services that were popular in 1998 when the DMCA was enacted, Congress understood that it could not fully anticipate future technological developments and therefore broadly defined “service provider” to encompass future sites and services. Nevertheless, the sites and services that Congress plainly had in mind when the DMCA was passed are not materially different from a legal perspective than today's blogs, social networks and UGC sites. In 1998, Yahoo!, with its search features and links to other sites (or “information location tools”) and AOL, which allowed its users to post, store and transmit content (“material stored at the direction of users”) on personal homepages, websites and other interactive locations, collectively raised the same copyright law issues as today's UGC sites.

Today, best practices supplement the legal framework created by the DMCA. For example, Google, in 2012, announced that it would take into account in its site rankings the number of legitimate DMCA takedown notices that a site received.80 A number of cross-industry accords have also been reached involving service providers and content owners. For example, a coalition of copyright owners and UGC sites promulgated

79 See, e.g., Viacom Int'l, Inc. v. YouTube, Inc., 676 F.3d 19, 38–40 (2d Cir. 2012) (holding that transcoding and displaying user videos, among other things, were insulated from liability by the DMCA's user storage safe harbor); UMG Recordings, Inc. v. Shelter Capital Partners LLC, 718 F.3d 1006, 1020–31 (9th Cir. 2013) (affirming summary judgment for a user submitted video site, holding that transcoding, streaming and allowing downloading of user videos did not undermine safe harbor protection); infra § 4.12[6] (analyzing the user storage liability limitation); see generally infra § 4.12[17] (discussing the UGC principles).
80 Google Inside Search (The Official Google Blog), “An Update to Our Search Algorithms,” Aug. 10, 2012, http://insidesearch.blogspot.com/2012/08/an-update-to-our-search-algorithms.html.

the Principles for User Generated Content Services in October 2007 as a series of “best practices” for UGC sites to further protect copyright owners, beyond what the DMCA requires.81 The UGC principles also create a quasi-contractual safe harbor for service providers that choose to comply with them, at least with respect to potential suits that otherwise could be brought by signatories to the UGC principles.

Similarly, in July 2011 a Memorandum of Understanding was reached between the Motion Picture Association of America (MPAA) and Recording Industry Association of America (RIAA) with major service providers, including Verizon, Comcast, Time Warner, SBC Internet Services and CSC Holdings on protocols to educate users about infringement and put in place a series of mitigation measures leading to sanctions such as reduced upload and download speeds. The MoU also led to the creation of the Center for Copyright Information (CCI) to help implement the MoU and combat online infringement.82

In 2013, the White House's Office of the U.S. Intellectual Property Enforcement Coordinator, the Interactive Advertising Bureau (IAB), and Google, Yahoo!, Microsoft, and AOL, agreed to voluntary best practice guidelines for advertising networks to avoid promotion of pirate sites.83 Participating ad networks agreed to maintain policies prohibiting websites that are principally dedicated to selling counterfeit goods or engaging in copyright piracy and have no substantial non-infringing uses from participating in advertising programs. Among other things, participants also agreed to accept and process “valid, reasonable, and sufficiently detailed notices from rights holders or their designated agents regarding websites participating in the Ad Network alleged to be principally dedicated to selling counterfeit goods or engaging in copyright piracy and to have no substantial non-infringing uses.”84 These voluntary agreements supplement that cooperation between copyright owners and service providers anticipated by Congress in its enactment of the DMCA.

Additional issues involving the DMCA and user generated

81 A copy of the Principles for User Generated Content Services is reproduced in § 4.12[17][B].
82 See http://www.copyrightinformation.org/
83 See http://2013ippractices.com/
84 See http://2013ippractices.com/

content may be found in chapters 17 (licensing UGC content), 28 (advertising), 49 (liability for user generated content under multiple state and federal laws), 50 (strategies for managing the risks associated with third-party liability) and 51 (storage lockers, cloud facilities, mobile and Web 2.0 applications: social networks, blogs, wiki and UGC sites). DMCA forms that may be used by both copyright owners and service providers (as well as sample cover communications that may be used by service providers in administering DMCA programs) may be found in the appendix to this chapter.

While the DMCA safe harbors largely have worked for most copyright owners and service providers, the DMCA's liability scheme is not well suited to the needs of network service providers (NSP) or other entities that re-sell access to ISPs. For example, to benefit from the user storage limitation, an NSP conceivably could be required to cut off access to a downstream service provider (affecting countless individual subscribers), merely as a result of the actions of one of the downstream provider's subscribers. Indeed, as predicted in the first edition of this treatise, the broad statutory language of the DMCA has even been interpreted to compel service providers in particular instances to disable access to or block third-party content originating on other services or elsewhere on the Internet.85 For these reasons, some NSPs have chosen to comply with some, but not all, of the specific limitations available under the statute, to impose

85 In ALS Scan, Inc. v. RemarQ Communities, Inc., 239 F.3d 619 (4th Cir. 2001), for example, the Fourth Circuit held that a service provider was not entitled to DMCA liability limitations because it refused to block two Usenet groups in response to substantially complying notifications relating to infringing materials accessible on these groups. Usenet groups, unlike websites, do not reside on a single server (or servers) accessed by users. Rather, the Usenet is an international collection of organizations and individuals (known as ‘peers’) whose computers connect to each other and exchange messages posted by Usenet users. Messages are organized into “newsgroups,” which are topic-based discussion forums where individuals exchange ideas and information .... Peers in Usenet enter into peer agreements, whereby one peer's servers automatically transmit and receive newsgroup messages from another peer's servers. As most peers are parties to a large number of peer agreements, messages posted on one . . . peer's server are quickly transmitted around the world. The result is a huge informational exchange system whereby millions of users can exchange millions of messages every day. Ellison v. Robertson, 189 F. Supp. 2d 1051, 1053–54 (C.D. Cal. 2002) (footnotes omitted), aff'd in part and rev'd in part, 357 F.3d 1072 (9th Cir. 2004).

compliance obligations by contract on downstream providers, or to disregard the statute entirely.

The DMCA is an imperfect law. The statute and its legislative history are not a model of clarity (in part because of the complexity of carving out specific, targeted liability limitations for a medium that is multifaceted and constantly evolving). On the other hand, the DMCA has proven flexible enough to adapt to changing technologies. Congress used broad terms—such as “information location tool,” rather than “link,” or “material stored at the direction of a user,” rather than “email account” or “website”—to expressly encompass future technologies.86 The DMCA has brought clarity to the law of secondary copyright liability, allowed copyright owners to largely avoid having to sue legitimate Internet sites and services to have user material taken down, and enabled Internet industries to thrive without the fear of horrific liability for conduct that they cannot fully control. It also has enshrined a notice and takedown culture on the Internet that has largely been emulated internationally87 and even applied in other areas of law.88

86 One of the reasons that there have not been as many cases construing the DMCA as other statutes that address service provider liability and user misconduct (infra §§ 37.05 (the Communications Decency Act), 49.03 & chapter 49 (statutes governing service provider liability more generally)) is that pirate sites generally are ruled ineligible for the statute's safe harbors and copyright owners have largely sought to work with, rather than sue, legitimate service providers under the DMCA (subject to some notable exceptions such as Perfect 10 (an adult magazine) and Universal Music Group). Unlike other Internet liability statutes, the DMCA also is potentially beneficial to both rights owners and service providers by affording service providers a safe harbor from liability and copyright owners the ability to have material removed without having to file suit. In addition, the line between copyright owner and service provider increasingly has blurred, as content owners have established their own user generated content sites and service providers have recognized the benefit of licensing, rather than merely disabling access to or removing, copyrighted works.
87 See infra § 4.21 (analyzing the EU's E-Commerce Directive).
88 See, e.g., Tiffany (NJ) Inc. v. eBay Inc., 600 F.3d 93 (2d Cir.) (approving notice and take down and a policy of terminating repeat infringers in holding a service provider not liable for secondary trademark infringement), cert. denied, 562 U.S. 1082 (2010); infra § 6.10 & chapter 49 (analyzing service provider liability and exemptions under multiple different legal theories).


4.12[2] Definition of a Service Provider

The limitations and exemption created by the safe harbor provisions of the DMCA apply only to service providers, which is a term defined to include entities that offer the transmission, routing, or provision of connections “for digital online communications, between or among points specified by a user, of material of the user's choosing, without modification to the content of the material sent or received”; or (except for the transitory digital network communications limitation1) that provide “online services or network access,” or operate facilities therefor.2 The definition applicable to the transitory digital network communications liability limitation is much narrower than for the other safe harbors.3

Except in connection with transitory digital network communications, service provider, on its face, is broad enough to extend well beyond ISPs and other services traditionally thought of as service providers to encompass the owners and operators of corporate intranets, university networks, website hosts or co-locators, cloud service providers, platforms

[Section 4.12[2]]
1 17 U.S.C.A. § 512(a); infra § 4.12[4].
2 17 U.S.C.A. § 512(k).
3 Compare 17 U.S.C.A. § 512(k)(1)(A) (narrowly defining the term service provider for purposes only of the transitory digital network communications safe harbor created by section 512(a)) with 17 U.S.C.A. § 512(k)(1)(B) (broadly defining the same term for purposes of the user storage, information location tools and caching safe harbors); see generally infra § 4.12[4] (discussing the definition in connection with the transitory digital network communications safe harbor). In Columbia Pictures Industries, Inc. v. Fung, 710 F.3d 1020, 1041–42 (9th Cir. 2013), the Ninth Circuit held that the operator of a BitTorrent tracker did not qualify as a service provider for purposes of the narrower definition applicable to the transitory digital network communications safe harbor because trackers select the “points” to which a user's client will connect in order to download a file using the BitTorrent protocol and a service provider for the transitory digital network communications safe harbor must provide “connections . . . between or among points specified by a user.” 17 U.S.C.A. § 512(k)(1)(A) (emphasis added). The court in A&M Records, Inc. v. Napster, Inc., No. C 99–05183 MHP, 2000 WL 573136, at *3 n.5 (N.D. Cal. May 12, 2000) expressed skepticism that Napster qualified for the narrower definition of service provider set forth in section 512(k)(1)(B) but since the plaintiffs had not challenged its eligibility the court proceeded to rule that Napster was ineligible for the liability limitation for transmitting, routing or providing connections on other grounds (because users exchanged infringing files directly—not through Napster's servers).

used for third-party sales,4 social networks, blogs, and other interactive websites and services where third-party material (including user generated content) may be stored or cached or where links to such material may be established.5 As one court commented in dicta, a “plain reading of both definitions reveals that ‘service provider’ is defined so broadly that we have trouble imagining the existence of an online service that would not fall under the definitions, particularly the second.”6

As a consequence, any business with an interactive presence in cyberspace where third parties could post, store or transmit infringing material or engage in infringing activity potentially could qualify as a service provider and should consider whether it would benefit by complying with the provisions of the statute discussed in the following subsections so that it can qualify for safe harbor protection.

4 See, e.g., Hendrickson v. eBay, Inc., 165 F. Supp. 2d 1082, 1088 (C.D. Cal. 2001) (operator of a website for the purchase and sale of consumer goods); Corbis Corp. v. Amazon.com, Inc., 351 F. Supp. 2d 1090, 1100 (W.D. Wash. 2004) (“Amazon operates websites, provides retail and third-party selling services to Internet users, and maintains computers to govern access to its websites.”).
5 See, e.g., Lenz v. Universal Music Corp., No. 5:07-cv-03783-JF, 2013 WL 271673, at *4 (N.D. Cal. Jan. 24, 2013) (holding in a section 512(f) dispute between a user and a content owner that “YouTube qualifies for protection under the DMCA safe harbor . . . .”), aff'd on other grounds, — F.3d —, 2015 WL 5315388 (9th Cir. 2015); Obodai v. Demand Media, Inc., Case No. 11 Civ. 2503 (PKC), 2012 WL 2189740, at *4 (S.D.N.Y. June 12, 2012) (holding Demand Media, the operator of Cracked.com and other websites, to constitute a service provider; “Because the defendant operates a website that permits users to post and share materials, it falls within the broad definition of a service provider under 512(k)(1)(B).”), aff'd mem. on other grounds, 522 F. App'x 41 (2d Cir. 2013); Wolk v. Kodak Imaging Network, Inc., 840 F. Supp. 2d 733, 744 (S.D.N.Y. 2012) (holding that “[b]ecause Photobucket offers a site that hosts and allows online sharing of photos and videos at the direction of users, Photobucket, like YouTube.com or Veoh.com, qualifies as a ‘service provider’ under § 512(k)(1)(B)” for purposes of the user storage safe harbor), aff’d mem., 569 F. App’x 51 (2d Cir. 2014); Viacom Int'l Inc. v. YouTube, Inc., 718 F. Supp. 2d 514, 518 (S.D.N.Y. 2010) (holding YouTube to be a service provider), aff'd in relevant part on other grounds, 676 F.3d 19 (2d Cir. 2012).
6 In re Aimster Copyright Litig., 252 F. Supp. 2d 634 (N.D. Ill. 2002), aff'd on other grounds, 334 F.3d 643 (7th Cir. 2003). The Seventh Circuit reiterated in its subsequent opinion in the same case that, “[a]lthough the Act was not passed with Napster-type services in mind, the definition of Internet service provider is broad . . . , and, as the district judge ruled, Aimster fits it.” 334 F.3d at 655 (statutory citation omitted).


Even where a service provider's activities are not limited to the provision of online services, “courts have consistently found that websites that provide services over and above the mere storage of uploaded user content are service providers pursuant to . . . § 512(k)(1)(B)’s expansive definition.”7

In one case, Agence France Presse v. Morel,8 a district court in New York held that there was a material factual dispute precluding summary judgment on the issue of whether Getty Images constituted a service provider for purposes of the user storage safe harbor, but the case was wrongly decided. The court in Morel construed the definition of service provider in part by reference to the four safe harbors created by section 512(a), 512(b), 512(c) and 512(d)9 apparently without realizing that section 512(k) makes clear that the definition of the term is narrower when applied to the transitory digital network communications liability limitation created by section 512(a) than for the other safe harbors.10 The court relied on dictionary definitions of service for the proposition that a service provider must “do something useful,” concluding, somewhat inexplicably, that “licensing copyrighted material online more closely resembles the mere sale of goods (albeit, in this case, intellectual property) than facilitating users' activities online”11 even though there is no statutory basis for excluding sites that license content or sell products from the definition of service provider applicable to the user storage

7 Capitol Records, LLC v. Vimeo, LLC, 972 F. Supp. 2d 500, 511 (S.D.N.Y. 2013) (citing earlier cases and holding that Vimeo, “a provider of online services that hosts and distributes user material by permitting its users to upload, share and view videos . . . ,” qualified as a service provider “[e]ven though Vimeo's activities are not limited to such . . . .”); Obodai v. Demand Media, Inc., Case No. 11 Civ. 2503 (PKC), 2012 WL 2189740, at *3 (S.D.N.Y. June 12, 2012) (holding that a website that published its own content in addition to hosting and sharing users' content was a service provider), aff'd mem., 522 F. App'x 41 (2d Cir. 2013).
8 Agence France Presse v. Morel, No. 10 Civ. 02730 (AJN), 2013 WL 146035 (S.D.N.Y. Jan. 14, 2013).
9 Agence France Presse v. Morel, No. 10 Civ. 02730 (AJN), 2013 WL 146035, at *14 (S.D.N.Y. Jan. 14, 2013).
10 Compare 17 U.S.C.A. § 512(k)(1)(A) (narrowly defining the term service provider for purposes only of the transitory digital network communications safe harbor created by section 512(a)) with 17 U.S.C.A. § 512(k)(1)(B) (broadly defining the same term for purposes of the user storage, information location tools and caching safe harbors).
11 Agence France Presse v. Morel, No. 10 Civ. 02730 (AJN), 2013 WL 146035, at *14 (S.D.N.Y. Jan. 14, 2013).

safe harbor.

The court in Morel seemed to draw a distinction between platforms where users may buy and sell products, such as eBay and Amazon.com, and those that sell or license material directly, such as Getty, even if the material offered for sale or license was stored at the direction of a user. The court did not adequately explain why providing a venue for consumers to purchase products from third parties was “useful” but directly selling third-party products to the public would not be so. More importantly, the court's novel focus on usefulness, and its own assumptions about whether sites that sell or license goods or services are more or less useful, is divorced from the language of the statute and, in the context of the safe harbor potentially claimed by Getty, the DMCA's focus on material stored at the direction of a user, which has been broadly and inclusively defined by both the Second and Ninth Circuits.12 The court's crimped definition of service provider is inconsistent with the broad construction of the statute given by appellate courts. It is also at odds with all prior court opinions construing the term service provider.

In drawing distinctions based on usefulness and sales, the Morel court cited with approval13 the Second Circuit's holding that YouTube constitutes a service provider14 and the Ninth Circuit's similar finding that Veoh qualified as a service

12 See infra § 4.12[6][A] (broadly defining the scope of protection under the user storage safe harbor as applying in any instance where liability is premised on material stored at the direction of a user and but for the user's stored material liability would not be asserted against a service provider).
13 See Agence France Presse v. Morel, No. 10 Civ. 02730 (AJN), 2013 WL 146035, at *15 (S.D.N.Y. Jan. 14, 2013).
14 Viacom Int'l, Inc. v. YouTube, Inc., 676 F.3d 19, 28 (2d Cir. 2012). The court in Morel characterized the issue as whether “Getty's role extends beyond merely providing a file-hosting service to AFP, and that Getty itself acted as a licensor of the photos ....” Agence France Presse v. Morel, No. 10 Civ. 02730 (AJN), 2013 WL 146035, at *16 (S.D.N.Y. Jan. 14, 2013). Yet, the Second Circuit in YouTube held that YouTube qualified as a service provider even though it syndicated content to third party mobile providers, as a licensor. In YouTube, the videos that were syndicated remained accessible from the YouTube servers and qualified as material stored at the direction of a user, within the meaning of the user storage safe harbor. See generally infra § 4.12[6][A]. Whether the photographs at issue in Morel qualified for the safe harbor as material stored at the direction of a user within

provider,15 apparently without realizing that YouTube and Veoh, like Getty, license content submitted by third parties for use by users, albeit not for a fee. YouTube also syndicated content, presumably for a fee, to third-party licensees.16 The court's analysis of service provider as distinguishing between sites that sell content and those that simply allow third parties to buy and sell products, and its resulting conclusion that there was a factual dispute over whether Getty, a site that licenses third-party content for a fee, constitutes a service provider, simply finds no support in the plain language of section 512(k)(1)(B) or cases construing that section.

Although the definition of a service provider is quite broad, it appears to exclude individuals. The DMCA defines a service provider as an “entity,” which presumably precludes a person from qualifying as a service provider. This may be significant for smaller Internet businesses operated by individuals or those considering whether to begin operations as a business entity or sole proprietorship.

4.12[3] Threshold Prerequisites 4.12[3][A] In General A service provider's liability may only be limited under the Act if it rst satises four threshold requirements set forth in 17 U.S.C.A. § 512(i).1 First, the service provider must have adopted a policy providing that it will terminate, “in appropriate circumstances,” the accounts or subscriptions of “repeat infringers.” Second, it must have informed its subscribers and account holders of its policy. Third, it must the meaning of section 512(c) is a separate question from whether Getty qualied as a service provider under section 512(k)(1)(B). 15 UMG Recordings, Inc. v. Shelter Capital Partners LLC, 667 F.3d 1022, 1026, 1035 (9th Cir. 2011), opinion withdrawn and replaced, 718 F.3d 1006 (9th Cir. 2013). 16 See generally infra § 4.12[6][A]. [Section 4.12[3][A]] 1 Subsection (i) provides that “[t]he limitations on liability established by this section” apply where the threshold requirements have been met, without specically identifying the individual subsections of section 512 that are aected. The House Report accompanying the bill claries that the requirements of subsection (i) must be met in order to qualify for the limitations set forth in subsections (a) through (d) or the exemption cre- ated by subsection (g) (which the legislative history also refers to as a limitation).

4-444 Copyright Protection in Cyberspace 4.12[3][B][i] have “reasonably implemented” the policy. Fourth, it must accommodate and not interfere with “standard technical measures.”2 A sample DMCA policy that includes a repeat infringer policy notice is reproduced in the Appendix to this chapter.

4.12[3][B] Adoption, Reasonable Implementation and Notice of the Policy

4.12[3][B][i] Adoption, Reasonable Implementation and Notice of the Policy—In General

Neither the statute nor its legislative history sheds light on what type of policy is required, what constitutes “appropriate circumstances” or “reasonable implementation” of the policy, or at what point a person or entity might be deemed to constitute a “repeat infringer.” “The fact that Congress chose not to adopt . . . specific provisions when defining a user policy indicates its intent to leave the policy requirements, and the subsequent obligations of the service providers, loosely defined.”1

A service provider's policy literally must “provid[e] for the termination in appropriate circumstances of subscribers and account holders of the service provider's system or network who are repeat infringers ....”2 While service providers may adopt and publicize more detailed practices and procedures, as a practical matter they need only track this statutory language to effectively inform their subscribers and account holders of their policy and comply with the statute. To provide notice, service providers should include this language or (if they choose) post more detailed policies in their Terms of Use or on their websites (or, if an internal service, on their corporate intranets).3

2 17 U.S.C.A. § 512(i)(1) (emphasis added).

[Section 4.12[3][B][i]]

1 Corbis Corp. v. Amazon.com, Inc., 351 F. Supp. 2d 1090, 1101 (W.D. Wash. 2004); see also Capitol Records, LLC v. Vimeo, LLC, 972 F. Supp. 2d 500, 513 (S.D.N.Y. 2013) (quoting Corbis).

2 17 U.S.C.A. § 512(i)(1).

3 For a discussion of how to structure, and where to post, website Terms and Conditions, see infra chapter 22.


4.12[3][B][ii] Operational Considerations and the Obligation to Inform Subscribers and Account Holders

Service providers that have “account holders” and “subscribers,” such as ISPs or cable or phone companies, should reference the policy in their respective service or access agreements or Terms of Use.1 Employers likewise may choose to include their DMCA policy in employee manuals or policy books.2

As a practical matter, who is a subscriber or account holder has not been explored in litigation and is not defined in the statute or explained in its legislative history. Service providers that do not have subscribers or account holders (such as search engines that do not offer free email or other services or the owners of corporate websites) presumably do not need to adopt or implement termination policies. There does not appear to be any basis for construing either the term “subscribers” or “account holders” so broadly that they could extend to mere users of a service or visitors to a website (in the absence of some type of contractual or employment3 relationship with the service provider). Nevertheless, it is advisable as a best practice—in view of the mandatory language of section 512(i)—for the owners of any Internet site or service with an interactive component that allows users to post, store or transmit material on or through their servers to adopt and publicize a policy of restricting the access rights of “repeat infringers” if it is technologically feasible for them to do so.

The requirement for notifying subscribers and account holders imposes a relatively low burden on service providers. The statute “require[s] that the service provider ‘put users on notice that they face exclusion from the service if they repeatedly violate copyright laws’ . . . [but] does not ‘suggest what criteria should be considered by a service provider, much less require the service provider to reveal its decision-making criteria to the user.’ ”4 Section 512(i) “does not require that a service provider reveal its decision-making criteria to users . . . [or] provide its users with a detailed version of its policy, including all of the criteria it uses to determine whether an account will be suspended.”5

Courts have found the notice requirement met where Terms and Conditions or another policy state that a user may be terminated for repeat infringement.6 One court further rejected the argument that a service provider failed to provide adequate notice where it did not post a formal “repeat infringer” policy on its website until 2011, but had, since it began operations in 2004, included in its Terms of Service “a more general policy—threatening account termination upon any violation of the Terms of Service including single or repeated instances of infringement ....”7

A service provider should be deemed to satisfy its obligations to inform its subscribers and account holders of its policy merely by posting a notice on its website. A better practice, however, is to require users to affirmatively assent to or at least acknowledge the policy. Many service providers include reference to the policy in their Terms of Use. Service providers of course may choose to formally notify existing customers and subscribers by email or other means. If a site has pre-existing subscribers or account holders at the time it implements its DMCA policy, or if it changes its policy, it should consider providing notice to existing subscribers and account holders by email or at the time they first log on to the site after the new policy has taken effect, or by other means.8 For example, service providers that host blogs, social networks, chat rooms or other locations where user generated content may be posted may find it advisable to provide notice via a pop-up box that could appear the first time a visitor enters after a new DMCA policy goes into effect (through use of cookies or other means to identify when a user has not yet been given notice of the new policy) or via a link, although courts have not required that this kind of notice be provided. Indeed, some user generated video sites and social networks provide a link to their copyright policies on all pages where material may be uploaded, downloaded or reviewed.9

Service providers also may opt to draft template responses such as a specific warning to send to first time offenders. Such a warning should advise an offender that its account or network access will be terminated if a second complaint is received (or whatever the service provider's policy in fact provides).

[Section 4.12[3][B][ii]]

1 See infra §§ 22.05[2][A], 23.03[4].

2 Employer policies and related issues are addressed in sections 58.09, 58.11 and 58.12.

3 An employee presumably could be characterized as an account holder if she is given a password that grants her access to a network. Anyone with an email address also may be viewed by a court as an account holder.

4 Capitol Records, LLC v. Vimeo, LLC, 972 F. Supp. 2d 500, 513 (S.D.N.Y. 2013), quoting Corbis Corp. v. Amazon.com, Inc., 351 F. Supp. 2d 1090, 1102 (W.D. Wash. 2004).

5 Rosen v. eBay, Inc., No. CV-13-6801 MWF (Ex), 2015 WL 1600081, at *8-9 (C.D. Cal. Jan. 16, 2015).

6 See, e.g., Obodai v. Demand Media, Inc., Case No. 11 Civ. 2503 (PKC), 2012 WL 2189740, at *4 (S.D.N.Y. June 12, 2012) (holding that Demand Media, the operator of Cracked.com, met this requirement where its policy provided that it could terminate “any Account or user for repeated infringement . . . and . . . reserved[d] the right to terminate an Account or user for even one infringement.”), aff'd mem. on other grounds, 522 F. App'x 41 (2d Cir. 2013).

7 Capitol Records, LLC v. Vimeo, LLC, 972 F. Supp. 2d 500, 514 (S.D.N.Y. 2013).

8 Suggestions about operational “best practices” are not meant to imply that such practices are necessarily required to benefit from the DMCA safe harbors.

9 For a discussion of “best practices” for user generated video sites, see infra § 4.12[17].

4.12[3][B][iii] Adopting a Policy and Defining “Repeat Infringer”

The threshold obligation to adopt a repeat infringer policy “should not be an overly burdensome one to meet.”1 As previously noted, “[t]he fact that Congress chose not to adopt . . . specific provisions when defining a user policy indicates its intent to leave the policy requirements, and the subsequent obligations of the service providers, loosely defined.”2 Many stated policies do little more than track the statutory language, stating that the service provider has a policy of terminating repeat infringers in appropriate circumstances.3

For the policy to have meaning, it is advisable that a service provider explicitly prohibit copyright infringement and not merely state that it has a policy of terminating repeat infringers in appropriate circumstances. Many sites require an affirmative undertaking by users that material they upload to or otherwise store on a site or service is not infringing which, while not mandated by the DMCA, is certainly a good practice.

In adopting a repeat infringer policy, a service provider must determine how it will identify a user as a repeat infringer, although it need not spell that out in the policy communicated to its subscribers and account holders. A repeat infringer, by definition, is someone who has engaged in infringing conduct on more than one occasion. Yet, neither the statute nor the legislative history defines repeat infringer.

In discussing the provisions applicable to nonprofit educational institutions,4 the House Report refers to more than two notifications within a three-year period as “a pattern of infringing conduct ....” This reference arguably suggests that a person would be deemed to be a repeat infringer once a second notification was received (assuming that the notifications were not based on material misrepresentations or otherwise invalid). Treating a repeat infringer as someone who has been the subject of a second notification is a prudent approach and one that has been upheld as reasonable by at least one court.5

On the other hand, district courts in the Central District of California and Southern District of New York have approved of repeat infringer policies premised on termination upon receipt of a third DMCA notice, rather than a second one.6 One court also expressly approved of a service provider's policy of treating notifications received within a three-day period as a single strike.7 While there is nothing in the statute or legislative history specifically to suggest that someone who has been the subject of two notices may be treated as not being a repeat infringer, Americans love baseball and it is difficult to imagine a judge or jury finding that a three strikes policy is unreasonable.

Perhaps more importantly, it is clear from the fact that Congress modified the requirement that service providers terminate repeat infringers by the caveat that termination need only occur in appropriate circumstances, that the statute is intended to be flexible and allow service providers to implement policies that they deem appropriate for their services or based on the type of infringing activity involved. Moreover, as discussed more extensively in section 4.12[3][B][iv], Congress further modified the requirement by providing that a policy of terminating repeat infringers in appropriate circumstances be reasonably implemented, which suggests both that the policy in fact must be implemented, but also that it may be reasonably, rather than strictly implemented. In the words of the Ninth Circuit, “[t]he statute permits providers to implement a variety of procedures.”8 Indeed, no single policy is mandated beyond what is literally set forth in the language of the statute—a policy of terminating repeat infringers in appropriate circumstances.9

[Section 4.12[3][B][iii]]

1 Capitol Records, LLC v. Vimeo, LLC, 972 F. Supp. 2d 500, 513 (S.D.N.Y. 2013).

2 Corbis Corp. v. Amazon.com, Inc., 351 F. Supp. 2d 1090, 1101 (W.D. Wash. 2004); see also Capitol Records, LLC v. Vimeo, LLC, 972 F. Supp. 2d 500, 513 (S.D.N.Y. 2013) (quoting Corbis).

3 See 17 U.S.C.A. § 512(i)(1)(A).

4 See 17 U.S.C.A. § 512(e).

5 See Io Group, Inc. v. Veoh Networks, Inc., 586 F. Supp. 2d 1132 (N.D. Cal. 2008).

6 See Capitol Records, LLC v. Vimeo, LLC, 972 F. Supp. 2d 500, 511-17 (S.D.N.Y. 2013); Viacom Int'l Inc. v. YouTube, Inc., 718 F. Supp. 2d 514 (S.D.N.Y. 2010), aff'd in relevant part on other grounds, 676 F.3d 19, 40–41 (2d Cir. 2012); UMG Recordings, Inc. v. Veoh Networks Inc., 665 F. Supp. 2d 1099, 1118 (C.D. Cal. 2009), aff'd on other grounds sub nom. UMG Recordings, Inc. v. Shelter Capital Partners LLC, 718 F.3d 1006 (9th Cir. 2013); Perfect 10, Inc. v. CCBill, LLC, 340 F. Supp. 2d 1077, 1094 n.12 (C.D. Cal. 2004), aff'd in part on other grounds, 488 F.3d 1102 (9th Cir.), cert. denied, 522 U.S. 1062 (2007). In YouTube, the district court also rejected Viacom's argument that YouTube did not reasonably implement its repeat infringer policy because it treated as only one strike: (1) a single DMCA takedown notice identifying multiple videos, and (2) multiple takedown notices identifying videos uploaded by a user received by YouTube within a two-hour period. The district court likewise discounted Viacom's argument that YouTube's repeat infringer policy was not reasonably implemented because YouTube only counted DMCA notices; it did not account for videos automatically removed by Audible Magic content filters. These aspects of the district court's ruling were not addressed in the Second Circuit's opinion, which focused narrowly on the issue of whether YouTube's provision of a search tool only to business partners, and not plaintiffs, meant that it had failed to reasonably implement its repeat infringer policy (which the appellate court concluded it had not).

7 Capitol Records, LLC v. Vimeo, LLC, 972 F. Supp. 2d 500, 516 (S.D.N.Y. 2013).

8 Perfect 10, Inc. v. CCBill LLC, 488 F.3d 1102, 1109 (9th Cir.), cert. denied, 522 U.S. 1062 (2007).

9 Corbis Corp. v. Amazon.com, Inc., 351 F. Supp. 2d 1090, 1101 (W.D. Wash. 2004).


In Capitol Records, LLC v. Vimeo, LLC,10 Judge Ronnie Abrams of the Southern District of New York held that the video sharing site Vimeo met the requirement for adopting a policy of terminating repeat infringers in appropriate circumstances where, since the time it began operations in 2004, it required users to assent to Terms of Service that informed them that Vimeo reserved the right to remove videos and terminate user accounts for violation of its Terms, Vimeo had implemented a three strikes policy and evidence showed that it in fact had terminated users as early as 2007, including in some instances upon receipt of a single takedown notice. In so ruling, the court rejected the plaintiffs' argument that Vimeo had not adopted a policy early on in its existence. Judge Abrams explained that “Vimeo's policy became more structured and refined as Vimeo's employee roster and user base grew, but the evidence establishes that Vimeo had a policy in place that provided for the termination of service for repeat (or even first-time) infringers from the company's inception. The DMCA requires nothing more . . .” to meet this threshold requirement.11

Some have argued that an infringer, by definition, is a person who has been adjudicated as such, and thus a repeat infringer policy would only apply to those who have been successfully sued for copyright infringement. This analysis, however, is unsupported by the statute or its legislative history. As noted above, the House Report's reference to two notifications as evidencing a “pattern of infringement” belies the argument that an infringer for purposes of the DMCA is someone who has been found liable by a judge or jury for copyright infringement. Moreover, the notice and take down system created by the DMCA was intended, among other things, to allow copyright owners to obtain protection through cooperation with service providers, rather than litigation. Requiring a copyright owner to successfully sue a user repeatedly before a service provider would have an obligation to terminate access to an account holder or subscriber is simply inconsistent with the legislative scheme established by the DMCA.

On the other hand, at least in the Ninth Circuit, consideration only of DMCA notifications in determining whether an account holder or subscriber is a repeat infringer may be insufficient in certain circumstances under Perfect 10, Inc. v. CCBill, LLC,12 in which the court held that whether a service provider has reasonably implemented its policy of terminating repeat infringers in appropriate circumstances requires evaluation of how the service provider responded both to notifications and instances where it had actual knowledge or “red flag” awareness of infringement.13

Since a service provider's obligation to remove material in response to actual knowledge or red flag awareness only arises in connection with the user storage liability limitation, it may be hard to argue that these additional factors should be considered in evaluating a repeat infringer policy for purposes of the other three safe harbors or the exemption from liability for removing user material. Moreover, while a service provider may err on the side of caution in removing material on its own volition based on red flag awareness, it may not be appropriate to terminate an account holder or subscriber as a repeat infringer based solely on the intuition of a service provider. Hence, a policy that defines a repeat infringer in terms of actual notifications received from copyright owners (who after all are in the best position to know whether their works in fact have been infringed, and whose notifications of infringement are submitted under penalty of perjury and subject to sanctions under section 512(f)14) may in fact be reasonable, although a safer approach for risk averse service providers would be to terminate users as repeat infringers based on actual knowledge or reasonable awareness as well as notifications submitted by copyright owners. At least in the Ninth Circuit, if not elsewhere,15 a plaintiff would likely be allowed discovery of a service provider's response to material and activity where it had actual knowledge or red flag awareness, to evaluate reasonable implementation of that policy in connection with a case where the service provider is relying on the user storage safe harbor.

As a practical matter, service providers may benefit more in the event of litigation by mechanically applying their repeat infringer policies and erring on the side of termination, rather than opening themselves up to discovery and motion practice (or even trial) on the question of whether the service provider reasonably implemented its policy of terminating repeat infringers in appropriate circumstances. Those that terminate accounts upon receipt of a second DMCA notification (and at least in the Ninth Circuit, for purposes of the user storage liability limitation, a second instance of infringement based on a notification or removal for actual knowledge or red flag awareness) may be more easily able to show their compliance with the statute and obtain summary judgment in litigation than service providers that apply their policies differently in each instance, whose compliance may be so fact-dependent that their entitlement to the safe harbor cannot easily be resolved except at trial. Whereas termination of all potential repeat infringers may be shown by undisputed facts in connection with a motion for summary judgment, whether the failure to terminate a user was “appropriate” (and whether the user in fact was an infringer) may raise disputed factual questions that preclude summary judgment.

This is not to say that a mechanical approach is required by the statute, because it is not. As noted above, the obligation to terminate repeat infringers only arises in appropriate circumstances. Indeed, simply because a DMCA notice has been sent does not mean that the user whose content is at issue is necessarily even an infringer. In some instances a copyright owner could be mistaken and material identified in a notification could be licensed or permitted as a fair use. A service provider that receives two or three notifications from a copyright owner that are shown to be invalid, either based on mistake or misrepresentation or an account holder's submission of a counter notification that goes unanswered by the copyright owner, would have no obligation to terminate the affected user as a repeat infringer. A service provider that keeps good records and is prepared to defend its termination decisions in appropriate circumstances will not be denied the benefits of the DMCA safe harbor. Nevertheless, for companies that do not have the resources or appetite to justify their conduct in such a labor-intensive manner in litigation, a stricter interpretation may be the safer approach.

The DMCA creates incentives for service providers to err on the side of removing material and terminating users.16 Although the statute merely mandates termination of repeat infringers in appropriate circumstances, where it is apparent that a subscriber or account holder is flagrantly violating the Copyright Act—such as where a person is using a site exclusively or primarily to upload infringing images from a magazine, protected software or pirated music, films or videogames—it may be prudent for a service provider (regardless of its policy) to simply terminate service at the time the infringement is first discovered.

That is not to say that an account holder or subscriber could be deemed a repeat infringer based on an initial notification (or discovery creating knowledge or awareness) of infringement involving multiple works. Congress used the term “repeat infringer,” which is focused on repetitive conduct, rather than “multiple infringements” or other terminology that would suggest that the volume of infringement, rather than repeated bad behavior, is the relevant consideration. Although it seems unlikely that someone whose first violation involved multiple works could actually be considered a repeat infringer, it nonetheless may be prudent for service providers, in appropriate circumstances, to take action against subscribers or account holders whose sites or services contain multiple infringing works. In practice, service providers that appear to be compliance oriented and that do more than the statute requires are less likely to be sued and more likely to be given the benefit of the doubt by judges and juries than those that do the bare minimum.

10 Capitol Records, LLC v. Vimeo, LLC, 972 F. Supp. 2d 500, 511-13 (S.D.N.Y. 2013).

11 Capitol Records, LLC v. Vimeo, LLC, 972 F. Supp. 2d 500, 513 (S.D.N.Y. 2013).

12 Perfect 10, Inc. v. CCBill LLC, 488 F.3d 1102 (9th Cir. 2007), cert. denied, 522 U.S. 1062 (2007).

13 Knowledge and “red flag” awareness are discussed below in section 4.12[6][C]. The Perfect 10 case is also discussed more extensively in the following subsection in connection with reasonable implementation of a repeat infringer policy in section 4.12[3][B][iv].

14 See infra § 4.12[9][D].

15 The Perfect 10 standard was cited approvingly in Arista Records LLC v. Usenet.com, Inc., 633 F. Supp. 2d 124, 139–42 (S.D.N.Y. 2009), a case where sanctions for spoliation of evidence were imposed on defendants that had failed to retain evidence relevant to their compliance with red flag material under Perfect 10.

16 Except where a notification is received from a copyright owner, a service provider that otherwise complies with the threshold requirements of the Act will be exempt from liability for terminating service to someone who it believes in good faith is engaged in acts of infringement. 17 U.S.C.A. § 512(g); see generally infra § 4.12[8]. Conversely, if a service provider fails to act when it has reason to believe that infringing content may be online, it may be denied the benefit of the user storage and information location tools limitations if a court determines that it had red flag awareness or actual knowledge. 17 U.S.C.A. § 512(c)(1)(A), 512(d)(1)(A).


4.12[3][B][iv] Reasonable Implementation of A Service's Repeat Infringer Policy The requirement that a service provider's policy of terminating repeat infringers in appropriate circumstances be reasonably implemented, like the DMCA itself, reects an attempt to balance the needs and interests of both copyright owners and service providers. On the one hand, a service provider must in fact implement its repeat infringer policy,1 and must do so reasonably. On the other hand, Congress could have required strict adherence to termination policies, but instead merely required reasonable implementation, recognizing that service providers are not a monolithic group and that in a medium that is constantly evolving where user infringement may occur willfully or inadvertently, it is bene- cial to allow service providers exibility in how a policy is crafted, what constitutes appropriate circumstances for termination and how the policy in fact is implemented.2 One district court characterized the requirement in sec- tion 512(i) that a service provider reasonably implement its repeat infringer policy as serving “to deny protection to websites that tolerate users who agrantly disrespect copyrights.”3 What it means to reasonably implement a repeat infringer policy initially had been dened largely in negative terms

[Section 4.12[3][B][iv]] 1 Although it should go without saying, identifying but failing to actually terminate any repeat infringers without some explanation to justify reasonable implementation or appropriate circumstances would disqualify a service provider from the safe harbor. See, e.g., Datatech Enterprises LLC v. FF Magnat Ltd., No. C 12-04500 CRB, 2013 WL 1007360, at *5–6 (N.D. Cal. Mar. 13, 2013) (declining to dissolve a prelim- inary injunction against an oshore cloud le storage site accused of copy- right infringement where the court found that the defendant was unlikely to prevail on its DMCA defense based on evidence that it had ignored copyright holders' requests to remove specically identied repeat infring- ers, including one individual who uploaded 1,600 separate copies of an infringing work). 2 Adoption of a repeat infringer policy is separately addressed in section 4.12[3][B][iii]. 3 Capitol Records, Inc. v. MP3Tunes, LLC, 821 F. Supp. 2d 627, 637 (S.D.N.Y. 2011), reconsideration granted on other grounds, 2013 WL 1987225 (S.D.N.Y. May 14, 2013).

Pub. 12/2015 4-455 4.12[3][B][iv] E-Commerce and Internet Law based on what courts had found to be unreasonable,4 leaving

4 In In re Aimster Copyright Litig., 252 F. Supp. 2d 634 (N.D. Ill. 2002), a'd, 334 F.3d 643 (7th Cir. 2003), the court ruled that a peer-to- peer service that encouraged users to exchange unauthorized copies of protected music les, made it easy for them to do so, and encrypted the les and their users' identities (making detection of individual acts of in- fringement more dicult), was not entitled to benet from the DMCA's li- ability limitations where it had adopted a policy of terminating repeat infringers that amounted to “an absolute mirage” because it was never implemented. Defendants had argued that although plaintis may have identied copyrighted works residing on individual hard drives, plaintis could not demonstrate that any particular user actually transferred any of those les, and that they would terminate service to any user identied as a repeat infringer. The court noted that this assurance was “not nearly so helpful and agreeable as it seems . . . because, according to defendants themselves, such identication would be impossible” because Aimster les are encrypted. The Aimster court also took issue with the requirement in Aimster's termination policy that copyright owners identify the Internet protocol ad- dress of infringers using its system. On both of these grounds, the court ruled that “[a]dopting a repeat infringer policy and then purposefully eviscerating any hope that such a policy could ever be carried out is not an ‘implementation’ as required by § 512(i).” 252 F. Supp. 2d at 657–58. Although the Seventh Circuit did not address the issue as exten- sively as the district court in Aimster, Judge Posner, in arming the district court on this point explained that: The common element of its safe harbors is that the service provider must do what it can reasonably be asked to do to prevent the use of its service by “repeat infringers.” 17 U.S.C.A. § 512(i)(1)(A). 
Far from doing anything to discourage repeat infringers of the plaintis' copyrights, Aimster invited them to do so, showed them how they could do so with ease using its system, and by teaching its users how to encrypt their unlawful distribution of copyrighted materials disabled itself from doing anything to prevent infringement. 334 F.3d at 655. Similarly, in A&M Records, Inc. v. Napster, Inc., No. C 99–05183 MHP, 2000 WL 573136 (N.D. Cal. May 12, 2000), the lower court in the Napster case held that there was a genuine issue of fact precluding summary judgment on the issue of whether Napster had rea- sonably implemented a policy of terminating repeat infringers in ap- propriate circumstances where Napster only adopted its copyright compli- ance policy after the onset of litigation and plaintis had presented evidence that Napster could have kept terminated users from re-accessing the service by blocking their IP addresses, but did not do so and generally turned a blind eye to infringement. A&M Records, Inc. v. Napster, Inc., No. C 99–05183 MHP, 2000 WL 573136, at *9–10 (N.D. Cal. May 12, 2000); see also supra § 4.12[4] (discussing the court's ruling that Napster did not qualify for the transitory digital network communications safe harbor). Napster does not stand for the proposition that service providers are required to block IP addresses to reasonably implement a repeat infringer policy. See, e.g., Io Group, Inc. v. Veoh Networks, Inc., 586 F.

4-456 Copyright Protection in Cyberspace 4.12[3][B][iv]

open tougher questions about how much flexibility a service provider should have in particular cases. A service provider that in fact terminates subscribers and account holders upon receipt of a second DMCA notice (or discovery that the same user has posted, stored or transmitted a second or third file identified or believed to be infringing) would be deemed to “reasonably implement” its policy. The qualification that access by repeat infringers be terminated “in appropriate circumstances” suggests that a more lenient implementation—for example, a case-by-case analysis—could also be justified.

Supp. 2d 1132, 1145 (N.D. Cal. 2008) (explaining Napster and holding that a service provider need not seek to block IP addresses to reasonably implement its repeat infringer policy), citing Perfect 10, Inc. v. CCBill LLC, 488 F.3d 1102, 1109–10 (9th Cir.), cert. denied, 522 U.S. 1062 (2007); see also Capitol Records, LLC v. Vimeo, LLC, 972 F. Supp. 2d 500, 516 (S.D.N.Y. 2013) (following Io Group in rejecting the argument that a service provider did not reasonably implement its repeat infringer policy because it did not block IP addresses, where it blocked the email addresses of repeat infringers; “The Io court concluded that without testimony describing a more feasible or effective alternative, the defendant's policy of blocking a terminated user's e-mail account was reasonable.”). In Ellison v. Robertson, 357 F.3d 1072 (9th Cir. 2004), the Ninth Circuit ruled that there was a triable issue of fact on the issue of whether AOL satisfied the requirements of § 512(i) where, as a result of an error, AOL did not receive plaintiff's notification, and therefore took no action in response to it. AOL had changed the email address to which notifications could be sent in late 1999, but failed to close the old account or forward messages from that account to the new address, and failed to notify the Copyright Office of the new address for several months. The Ninth Circuit wrote that there was sufficient evidence for a reasonable jury to conclude that AOL had not reasonably implemented its policy of terminating repeat infringers because “AOL allowed notices of potential copyright infringement to fall into a vacuum and to go unheeded ....” Ellison v. Robertson, 357 F.3d 1072, 1080 (9th Cir. 2004). This ruling, of course, does not mean that AOL today could be alleged to have not reasonably implemented its policy simply because of an error in implementation that may have occurred in late 1999 and early 2000.
Ellison, however, underscores that even unintentional mistakes in implementing a policy potentially could result in a service provider being denied the protections of the DMCA liability limitations if the error was significant enough to call into question the reasonableness of its implementation. In Perfect 10, Inc. v. CCBill, LLC, 340 F. Supp. 2d 1077 (C.D. Cal. 2004), aff'd in part on other grounds, 488 F.3d 1102 (9th Cir.), cert. denied, 522 U.S. 1062 (2007), the district court had written that a service provider that receives repeat notifications that substantially comply with the requirements of 17 U.S.C.A. § 512(c)(3)(A) “about one of its clients but does not terminate its relationship with the client, has not reasonably implemented a repeat infringer policy.” 340 F. Supp. 2d at 1088.

Pub. 12/2015 4-457 4.12[3][B][iv] E-Commerce and Internet Law

As discussed below, courts have approved “three strikes” policies (consistent with America's love of baseball) as well as policies that count notifications (which are submitted by a copyright owner under penalty of perjury) but not material removed based on knowledge or red flag awareness. In practice, some service providers will terminate access for some users on a first strike (when it is apparent that the user is engaged in piracy) or be more lenient where users genuinely seem to have made a mistake (or where the problem is a user of a subscriber or account holder, not the actual subscriber or account holder itself). The exact contours of what constitutes reasonable implementation, however, are still an evolving question. Case law construing the DMCA's repeat infringer provisions largely is based on the Ninth Circuit's opinion in Perfect 10, Inc. v. CCBill, LLC.5 The Second Circuit briefly addressed section 512(i) in Viacom Int'l, Inc. v. YouTube, Inc.,6 but decided the issue on very narrow grounds. In Viacom v. YouTube, the Second Circuit rejected a challenge to YouTube's repeat infringer policy based on YouTube's provision of content identification tools to business partners, which allowed these business partners to proactively search the site for particular content. Plaintiffs had alleged that YouTube had not reasonably implemented its repeat infringer policy because it did not use its identification tools to search for plaintiffs' works—only those of its business partners—and therefore allegedly sought to avoid identifying plaintiffs' works.
The Second Circuit, however, held that pursuant to section 512(m), service providers had no obligation to deploy search technology except to the extent that such monitoring constituted a “standard technical measure” within the meaning of section 512(i)7 (which plaintiffs had not alleged).8 While refusing to accommodate or implement a standard technical measure may deprive a service provider of the protection of the DMCA safe harbors, “refusing to provide access to mechanisms by which a service provider affirmatively monitors

5 Perfect 10, Inc. v. CCBill LLC, 488 F.3d 1102 (9th Cir.), cert. denied, 522 U.S. 1062 (2007).
6 Viacom Int'l, Inc. v. YouTube, Inc., 676 F.3d 19 (2d Cir. 2012).
7 See infra § 4.12[3][C] (analyzing the standard technical measures provision).
8 Viacom Int'l, Inc. v. YouTube, Inc., 676 F.3d 19, 40–41 (2d Cir. 2012).

its own network has no such result.”9 The Second Circuit panel emphasized that YouTube could not “be excluded from the safe harbor by dint of a decision to restrict access to its proprietary search mechanisms.”10 In Perfect 10, Inc. v. CCBill, LLC,11 the Ninth Circuit, summarizing earlier district court case law, held that a service provider reasonably implements a repeat infringer policy if it “has a working notification system, a procedure for dealing with DMCA-compliant notifications, and if it does not actively prevent copyright owners from collecting information needed to issue such notifications,”12 and if it terminates users when “appropriate.”13 A limitation of the Perfect 10 test—like any test based on a summary of earlier court holdings—is that it potentially may be both over-inclusive or under-inclusive in its reach. The fact patterns that by happenstance were litigated first may not accurately represent the universe of circumstances that are either reasonable or unreasonable. Nevertheless, once a test has been announced by a circuit court, there is a temptation for courts in later cases to apply it mechanically, rather than focusing specifically on the language of the statute. What constitutes reasonable implementation may not be the same in every case, given the statutory requirement that repeat infringers be terminated “in appropriate circumstances.” What is appropriate in one instance may or may not be in another. What is clear, however, is that reasonable implementation does not mean 100% accuracy. Nor does it mean that a service provider should be subjected to a strict liability standard or to that of an insurer. In CCBill, the Ninth Circuit separately analyzed “implementation” and “reasonable implementation,” focusing on the importance of adequate record keeping.14 It found that the defendants met the statutory requirement for implementing

9 Viacom Int'l, Inc. v. YouTube, Inc., 676 F.3d 19, 41 (2d Cir. 2012).
10 Viacom Int'l, Inc. v. YouTube, Inc., 676 F.3d 19, 41 (2d Cir. 2012).
11 Perfect 10, Inc. v. CCBill LLC, 488 F.3d 1102 (9th Cir.), cert. denied, 522 U.S. 1062 (2007).
12 Perfect 10, Inc. v. CCBill LLC, 488 F.3d 1102, 1109 (9th Cir.), cert. denied, 522 U.S. 1062 (2007).
13 Perfect 10, Inc. v. CCBill LLC, 488 F.3d 1102, 1111 (9th Cir.), cert. denied, 522 U.S. 1062 (2007).
14 As noted in earlier editions of this chapter, “service providers should document and maintain records of all attempts to reasonably implement

their repeat infringement policy by maintaining a system for keeping track of potential repeat infringers, such as a log identifying infringers. The court rejected Perfect 10's argument that there was a triable issue of fact based on the defendants' failure to adequately keep track of infringers (as evidenced by missing or blank data in its logs) because only “a substantial failure to record webmasters associated with allegedly infringing websites may raise a genuine issue of material fact as to the implementation of the service provider's repeat infringement policy.”15 While its records were incomplete (missing the names of some of the Webmasters), CCBill had “recorded most webmasters” and its DMCA log “indicate[d] that the email address and/or name of the webmaster [wa]s routinely recorded.”16 With respect to the reasonableness of implementation, according to the Ninth Circuit, a “policy is unreasonable only if the service provider failed to respond when it had knowledge of the infringement.”17 The court explained that “[t]o identify and terminate repeat infringers, a service provider need not affirmatively police its users for evidence of repeat infringement.”18 Indeed, in so holding, the Ninth Circuit expressly rejected Perfect 10's argument that CCBill had implemented its repeat infringer policy in an unreasonable manner because infringing material remained on the site even after non-complying DMCA notices had been submitted identifying the works.19 The Ninth Circuit went further, however, in conflating the specific requirements for complying with the user storage liability limitation of section 512(c) with the requirement under section 512(i) that a service provider reasonably implement its repeat infringer policy.
To evaluate reasonable implementation of a repeat infringer policy, the panel ruled

their policies so that they are not denied the benefits of the Act's liability limitations.”
15 Perfect 10, Inc. v. CCBill LLC, 488 F.3d 1102, 1110 (9th Cir.), cert. denied, 522 U.S. 1062 (2007) (emphasis added).
16 Perfect 10, Inc. v. CCBill LLC, 488 F.3d 1102, 1110–11 (9th Cir.), cert. denied, 522 U.S. 1062 (2007).
17 Perfect 10, Inc. v. CCBill LLC, 488 F.3d 1102, 1113 (9th Cir.), cert. denied, 522 U.S. 1062 (2007) (emphasis added).
18 Perfect 10, Inc. v. CCBill LLC, 488 F.3d 1102, 1111 (9th Cir.), cert. denied, 522 U.S. 1062 (2007).
19 Perfect 10, Inc. v. CCBill LLC, 488 F.3d 1102, 1111 (9th Cir.), cert. denied, 522 U.S. 1062 (2007).

that it was necessary to also assess whether a service provider in fact had taken down material in response to substantially complying DMCA notifications both from the plaintiff and unrelated third parties and whether the service provider responded to “red flags” (involving any material—not merely the plaintiffs'). In theory, a service provider that fails to adequately respond to all DMCA notifications and all red flags would not have adequate records of which of its users were repeat infringers. In practice, this approach puts at issue in discovery a service provider's entire record of compliance every time it is sued for infringement, at least where the user storage liability limitation is at issue. In CCBill, the Ninth Circuit found Perfect 10's own notifications deficient20 and therefore did not consider them in evaluating reasonable implementation of the defendants' repeat infringer policy. “Since Perfect 10 did not provide effective notice, knowledge of infringement may not be imputed to CCBill or CWIE based on Perfect 10's communications.”21 With respect to non-party notices, the court ruled that the service providers' “actions toward copyright holders who are not a party to the litigation are relevant in determining whether CCBill and CWIE reasonably implemented their repeat infringer policy.” The panel explained that section 512(i)(1)(A) “requires an assessment of the service provider's ‘policy,’ not how the service provider treated a particular copyright holder.” Although the Ninth Circuit held that a “policy is unreasonable only if the service provider failed to respond when it had knowledge of the infringement” it nonetheless remanded the case for further consideration because the district court had deemed third-party notices to be irrelevant and therefore declined to consider evidence of notices provided by any party other than Perfect 10.22 The court likewise concluded that the service providers'

20 See infra § 4.12[9].
21 Perfect 10, Inc. v. CCBill LLC, 488 F.3d 1102, 1113 (9th Cir.), cert. denied, 522 U.S. 1062 (2007).
22 Perfect 10, Inc. v. CCBill LLC, 488 F.3d 1102, 1113 (9th Cir.), cert. denied, 522 U.S. 1062 (2007). In Rosen v. eBay, Inc., No. CV-13-6801 MWF (Ex), 2015 WL 1600081, at *8 (C.D. Cal. Jan. 16, 2015), District Court Judge Michael Fitzgerald ruled that where a service provider presents evidence to establish that its policy is reasonably implemented, a court need only consider the service provider's response to third party notices if that evidence is presented to the court by the copyright owner in

response to “red flag” material was relevant to an evaluation of its repeat infringer policy. The court explained that “[i]n importing the knowledge standards of § 512(c) to the analysis of whether a service provider reasonably implemented its § 512(i) repeat infringer policy, Congress also imported the ‘red flag’ test of § 512(c)(1)(A)(ii)” and therefore may lose the benefit of the safe harbor if it fails to take action with regard to infringing material when it is aware of facts or circumstances from which infringing activity is apparent.”23 In Io Group, Inc. v. Veoh Networks, Inc.,24 a district court in the Ninth Circuit applying CCBill to a UGC video site held that the defendant, Veoh, had reasonably implemented its repeat infringer policy where it had a working notification system, often responded to DMCA notices the same day they were received (or at most within a few days), upon receipt of a second DMCA notice it terminated the account of the affected user and disabled all content posted by that user (not just the material at issue in the DMCA notice) and blocked the user's email address so that a new account could not be established using the same address and Veoh generated a hash file or digital fingerprint for each video and thereby prevented additional identical files from ever being uploaded to the site.25 In so ruling, Judge Howard R. Lloyd, following Corbis Corp. v. Amazon.com26 (which is discussed below), rejected the argument that Veoh's policy was faulty because it did not prevent repeat infringers from reappearing on Veoh's site under a pseudonym, using a different email address. He also clarified “[t]o identify and terminate repeat infringers, a service provider need not affirmatively police its users for evidence

admissible form.
23 Perfect 10, Inc. v. CCBill LLC, 488 F.3d 1102, 1113–14 (9th Cir.), cert. denied, 522 U.S. 1062 (2007). The court concluded that the defendants in CCBill had not ignored red flag material. Knowledge and red flag awareness are separately addressed in section 4.12[6][C].
24 Io Group, Inc. v. Veoh Networks, Inc., 586 F. Supp. 2d 1132 (N.D. Cal. 2008).
25 Veoh had asserted that it had terminated 1,096 users as repeat infringers since the time its site launched, which was not challenged by the plaintiff.
26 Corbis Corp. v. Amazon.com, Inc., 351 F. Supp. 2d 1090 (W.D. Wash. 2004).

of repeat infringers.”27 The “hypothetical possibility that a rogue user might reappear under a different user name and identity does not raise a genuine fact issue as to the implementation of Veoh's policy.”28 In that case, the plaintiff in fact had presented no evidence that any repeat infringers in fact had gotten back on to the service. The court in Io Group, Inc. v. Veoh Networks, Inc., also expressly rejected the notion that Veoh should have sought to block IP addresses associated with repeat infringers. Although the court noted that in an unreported decision in A&M Records, Inc. v. Napster, Inc.,29 Chief Judge Marilyn Patel of the Northern District of California had found that Napster had not reasonably implemented its repeat infringer policy because it did not block the IP addresses associated with infringers, Judge Lloyd wrote that Napster was readily distinguishable. He explained that in Napster, there was evidence that the defendant was not only capable of blocking IP addresses but in fact had done so for certain users. Judge Lloyd noted that while it was undisputed that IP addresses identified particular computers there was no evidence that Veoh could identify particular users. “More to the point,” he wrote, “section 512(i) does not require service providers to track users in a particular way to or affirmatively police users for evidence of repeat infringement.”30 The reasonableness of Veoh's implementation of its repeat infringer policy was also considered in UMG Recordings, Inc. v. Veoh Networks, Inc.,31 in which Judge Matz rejected UMG's argument that Veoh had failed to reasonably implement

27 Io Group, Inc. v. Veoh Networks, Inc., 586 F. Supp. 2d 1132, 1144 (N.D. Cal. 2008) (italics in original).
28 Io Group, Inc. v. Veoh Networks, Inc., 586 F. Supp. 2d 1132, 1144 (N.D. Cal. 2008).
29 A&M Records, Inc. v. Napster, Inc., No. C 99–05183 MHP, 2000 WL 573136 (N.D. Cal. May 12, 2000).
30 Io Group, Inc. v. Veoh Networks, Inc., 586 F. Supp. 2d 1132, 1145 (N.D. Cal. 2008), citing Perfect 10, Inc. v. CCBill LLC, 488 F.3d 1102, 1109–10 (9th Cir.), cert. denied, 522 U.S. 1062 (2007); see also Capitol Records, LLC v. Vimeo, LLC, 972 F. Supp. 2d 500, 516 (S.D.N.Y. 2013) (following Io Group on this same point in rejecting the argument that a service provider did not reasonably implement its repeat infringer policy because it did not block IP addresses).
31 UMG Recordings, Inc. v. Veoh Networks Inc., 665 F. Supp. 2d 1099 (C.D. Cal. 2009), aff'd on other grounds sub nom. UMG Recordings, Inc. v. Shelter Capital Partners LLC, 718 F.3d 1006 (9th Cir. 2013).

its policy because Veoh did not automatically terminate users whose videos were blocked from being uploaded to its UGC site by Audible Magic filters.32 The district court, however, concluded that Audible Magic filters do “not meet the standard of reliability and verifiability required by the Ninth Circuit to justify terminating a user's account.”33 Judge Matz wrote that identification by the Audible Magic filter lacks the reliability of a sworn declaration. The court noted that there was no way for Veoh to verify the information provided or evaluate Audible Magic's process for compiling the database. Indeed, Veoh had asked Audible Magic for the contact information of claimants for works identified by its filter so that Veoh could implement a counter notification procedure but Audible Magic turned down that request. Judge Matz also rejected the argument that Veoh had not reasonably implemented its policy because it did not necessarily terminate users who had uploaded multiple infringing works that were identified in a single DMCA notification. Veoh sent users a warning notice when it received a notification (or terminated users who had received two prior notifications) without regard to the number of allegedly infringing videos identified in a given notice. Judge Matz concluded that this approach was reasonable, noting that even a DMCA notice is “not the sine qua non of copyright liability . . . A copyright owner may have a good faith belief that her work is being infringed, but may still be wrong.”34 Finally, the court approved Veoh's policy of terminating repeat infringers who had been the subject of two prior notifications given that the term “repeat infringer” is not defined in the statute and the legislative history suggests an intent to leave the policy requirements and subsequent obligations of service providers loosely defined.35 Reasonable implementation of a repeat infringer policy

32 Audible Magic video filters—and filtering technologies in general—are discussed in section 17.05.
33 UMG Recordings, Inc. v. Veoh Networks Inc., 665 F. Supp. 2d 1099, 1116 (C.D. Cal. 2009), aff'd on other grounds sub nom. UMG Recordings, Inc. v. Shelter Capital Partners LLC, 718 F.3d 1006 (9th Cir. 2013).
34 UMG Recordings, Inc. v. Veoh Networks Inc., 665 F. Supp. 2d 1099, 1117 (C.D. Cal. 2009) (quoting Corbis Corp. v. Amazon.com, Inc., 351 F. Supp. 2d 1090, 1105 (W.D. Wash. 2004)), aff'd on other grounds sub nom. UMG Recordings, Inc. v. Shelter Capital Partners LLC, 718 F.3d 1006 (9th Cir. 2013).
35 UMG Recordings, Inc. v. Veoh Networks Inc., 665 F. Supp. 2d 1099,

was also considered in Corbis Corp. v. Amazon.com, Inc.,36 a district court opinion that pre-dated CCBill which was cited approvingly by the Ninth Circuit in that case. In Corbis Corp. v. Amazon.com, Judge Robert Lasnik of the Western District of Washington ruled that Amazon.com was shielded from liability for damages for its zShops platform (which allowed individuals and retail vendors to showcase their own products and sell them directly to online consumers),37 rejecting plaintiffs' argument that Amazon.com's policies were too vague to satisfy the requirements of the statute. Corbis had argued that Amazon.com's user policies did not include the term “repeat infringer” or describe the methodology employed in determining which users would be terminated as repeat infringers. The court ruled, however, that the open-ended language used in section 512(i)—such as the absence of a definition of “repeat infringer”—when contrasted with the very specific requirements set forth elsewhere in section 512 (such as those in section 512(c) relating to notifications and take down requirements to comply with the user storage liability limitation) underscores that a user policy need not be as specific as Corbis had argued. “Given

1118 (C.D. Cal. 2009) (quoting Corbis Corp. v. Amazon.com, Inc., 351 F. Supp. 2d 1090, 1100–01 (W.D. Wash. 2004)), aff'd on other grounds sub nom. UMG Recordings, Inc. v. Shelter Capital Partners LLC, 718 F.3d 1006 (9th Cir. 2013).
36 Corbis Corp. v. Amazon.com, Inc., 351 F. Supp. 2d 1090 (W.D. Wash. 2004).
37 Vendors sold their products on zShops by creating Web pages, known as “listings,” and paying Amazon.com $39.99 plus a percentage of all sales (ranging between 2.5% and 5%). If vendors chose to offer buyers the option to pay by credit card, Amazon.com required vendors to use its services for processing credit card transactions. If a product was paid for by another means, Amazon.com had no involvement in the transaction. Vendors entered into a Participation Agreement with Amazon.com, which prohibited the sale of infringing items and bound users to various policies including Community Rules, which further prohibited the sale of infringing items. Amazon.com further reserved the right, but did not undertake the obligation, to monitor any activity and content associated with the site. Corbis Corp. v. Amazon.com, Inc., 351 F. Supp. 2d 1090, 1094–95 (W.D. Wash. 2004). When Amazon.com received information that a vendor could be infringing another's copyrights, its practice had been to cancel the allegedly infringing listing and notify the vendor by email of the cancellation, providing a contact email address for the complaining party and reminding the vendor that “repeat violations of our Community Rules could result in permanent suspension from our Auction, zShops, and Amazon Marketplace sites.” Corbis Corp. v. Amazon.com, Inc., 351 F. Supp. 2d 1090, 1095 (W.D. Wash. 2004).

the complexities inherent in identifying and defining online copyright infringement, section 512(i) does not require a service provider to decide, ex ante, the specific types of conduct that will merit restricting access to its services.”38 The fact that Amazon.com did not use the term “repeat infringer” or track the exact language of the statute was immaterial because its policies adequately conveyed the message to users that there was a realistic threat that those who repeatedly or flagrantly abused their access through disrespect for the intellectual property rights of others would lose their access. Judge Lasnik also rejected Corbis's argument that Amazon.com had not adequately communicated its termination policy to users because, in addition to the policies set forth in its Participation Agreement and Community Rules, it had an internal policy that had not been communicated to users, which set forth the criteria for determining when to terminate a user's access to the site. He wrote that “section 512(i) . . . is not so exacting. Amazon need only inform users that, in appropriate circumstances, it may terminate the user's accounts for repeated copyright infringement.”39 The court held unequivocally that “[t]he statute does not suggest what criteria should be considered by a service provider, much less require the service provider to reveal its decision-making criteria to the user.”40 Corbis also had challenged Amazon.com's reasonable implementation of its policy, arguing, among other things, that Amazon.com's policy had not been able to prevent certain vendors from reappearing on the zShops platform under pseudonyms after being terminated as repeat infringers, even though Amazon.com's policies prohibited vendors from opening new accounts after an account had been terminated.
In rejecting this argument, with respect to a repeat infringer named Posternow, the court wrote that:

Although this type of behavior is understandably vexing for a copyright holder like Corbis, it is not clear how Posternow's efforts to sidestep Amazon's policies amount to a failure of

38 Corbis Corp. v. Amazon.com, Inc., 351 F. Supp. 2d 1090, 1101 (W.D. Wash. 2004).
39 Corbis Corp. v. Amazon.com, Inc., 351 F. Supp. 2d 1090, 1102 (W.D. Wash. 2004).
40 Corbis Corp. v. Amazon.com, Inc., 351 F. Supp. 2d 1090, 1102 (W.D. Wash. 2004).


implementation. Corbis has not alleged that Amazon intentionally allowed Posternow to open a zShops account or suggested that a more effective means of denying Posternow's access could have been implemented by Amazon.41

Judge Lasnik held that “[a]n infringement policy need not be perfect; it need only be reasonably implemented.”42 Corbis further argued that Amazon.com tolerated flagrant or blatant copyright infringement, based on its conduct with respect to two users. The court noted that because a service provider such as Amazon.com “does not have an affirmative duty to police its users, failure to properly implement an infringement policy requires a showing of instances where a service provider fails to terminate a user even though it has sufficient evidence to create actual knowledge of that user's blatant repeat infringement of a willful and commercial nature.”43 Corbis presented evidence that Amazon.com received three emails about one of the problem vendors and seven emails about the other, but the court ruled that these examples did not constitute evidence that Amazon.com had knowledge of blatant, repeat infringement, such that it would have been required to terminate access to the vendor's zShops locations. In the words of the court, “[a]lthough the notices have brought the listings to Amazon's attention, they did not, in themselves, provide evidence of blatant copyright infringement.”44 Indeed, Judge Lasnik wrote that “even if Amazon acted unreasonably when it failed to terminate Posternow, that unreasonable act is not the equivalent of having actual knowledge that Posternow was engaged in blatant repeat infringement. Actual knowledge of repeat infringement cannot be imputed merely from the receipt of notices of infringement.”45 Stated differently, “[w]ithout some evidence from the site raising a red flag, Amazon would not know enough about the photography, the copyright owner, or the user to make a determination that the vendor was

41 Corbis Corp. v. Amazon.com, Inc., 351 F. Supp. 2d 1090, 1103 (W.D. Wash. 2004).
42 Corbis Corp. v. Amazon.com, Inc., 351 F. Supp. 2d 1090, 1103 (W.D. Wash. 2004).
43 Corbis Corp. v. Amazon.com, Inc., 351 F. Supp. 2d 1090, 1104 (W.D. Wash. 2004).
44 Corbis Corp. v. Amazon.com, Inc., 351 F. Supp. 2d 1090, 1105 (W.D. Wash. 2004).
45 Corbis Corp. v. Amazon.com, Inc., 351 F. Supp. 2d 1090, 1105 (W.D. Wash. 2004).

engaging in blatant copyright infringement.”46 Summarizing Corbis, the court in Rosen v. eBay, Inc.47 explained that section 512(i) “does not require that a service provider reveal its decision-making criteria to its users . . . ,” that “implementation of the policy ‘need only put users on notice that they face exclusion from the service if they repeatedly violate copyright laws’” and that “the implementation of a policy need not be perfect to render it sufficient to qualify a service provider for protection under § 512(c).”48 In Capitol Records, LLC v. Vimeo, LLC,49 Judge Ronnie Abrams of the Southern District of New York declined to find that a video hosting site failed to reasonably implement its repeat infringer policy in the early years of its existence because its policy, and implementation, improved over time as the site grew and the size of its in-house staff expanded. Vimeo, a video sharing platform intended for original videos, began operations in 2004, at which time it required users to agree to its Terms of Service, which contained language stating that users would not use the website to infringe any copyright or other proprietary rights and warned users that it reserved the right to remove videos and terminate user accounts for violation of its Terms. As early as 2007, Vimeo actually disabled user accounts upon discovery of infringing activity. Since at least May 5, 2008, the Terms also warned expressly that Vimeo would “terminate rights of subscribers and account holders in appropriate circumstances if they are determined to be repeat infringers.” From around the time of its inception through mid-2008, Vimeo received approximately five or fewer takedown notices per month.
At some point in time (the exact date was unclear), Vimeo adopted a “three strikes” policy, pursuant to which it would terminate a user's account if the user became the subject of three separate, valid takedown notices and it would add the terminated user's email address to a list of banned addresses

46 Corbis Corp. v. Amazon.com, Inc., 351 F. Supp. 2d 1090, 1106 (W.D. Wash. 2004).
47 Rosen v. eBay, Inc., No. CV-13-6801 MWF (Ex), 2015 WL 1600081, at *8-9 (C.D. Cal. Jan. 16, 2015) (granting summary judgment for eBay on its entitlement to the DMCA safe harbor).
48 Rosen v. eBay, Inc., No. CV-13-6801 MWF (Ex), 2015 WL 1600081, at *8 (C.D. Cal. Jan. 16, 2015), quoting Corbis Corp. v. Amazon.com, Inc., 351 F. Supp. 2d 1090, 1102 (W.D. Wash. 2004).
49 Capitol Records, LLC v. Vimeo, LLC, 972 F. Supp. 2d 500 (S.D.N.Y. 2013).

that would be blocked from opening new accounts. Any video removed pursuant to a takedown notice was placed on a “blocked video” list, which prevented other Vimeo users from re-uploading the same video. In addition to removing material identified in a notice, when a notice was received Vimeo also reviewed the other videos in the same account of the user who uploaded the allegedly infringing item to look for other potential Terms of Use violations. Pursuant to its policy, notices received within three days of one another were treated as a single instance of infringement. In October 2008, Vimeo also began using a “Purgatory Tool,” which facilitated the tracking of repeat infringers by collecting and maintaining all videos and accounts removed from the website, including those removed due to DMCA notices. A video placed in “Purgatory” was no longer accessible to anyone other than Vimeo employees with “Moderator status.” When a user's account was placed in purgatory, all videos uploaded by that same user are automatically placed in Purgatory. The court found that Vimeo reasonably implemented its repeat infringer policy, rejecting the argument that its later practices evidenced that earlier on Vimeo had not reasonably implemented its policy. Judge Abrams explained that:

In its nascent years, Vimeo employees identified repeat infringers by reviewing e-mail records or recalling the names of users previously implicated in a takedown notice .... [U]ser accounts violating the Terms of Service “were often terminated upon the receipt of the first DMCA takedown notice,” . . . and as early as June 2007, Vimeo disabled user accounts upon discovery of infringing conduct .... This evidence establishes that Vimeo reasonably implemented its policy from the beginning. The Court's finding of reasonableness is also informed by the evidence of Vimeo's business circumstances as they evolved during the relevant period.
That is, the policies Vimeo implemented in the first several years of its operation, as described above, were reasonable ones in light of the fact that Vimeo was, at the time, a small service provider, the twenty full-time employees of which were tasked with processing only a trickle (zero to five) of takedown requests per month. The evidence reflects that as the flow of those requests increased, Vimeo's policy became more robust—first in the form of a “three strikes” rule and a blocked video list, implemented at some point after Vimeo's inception, and eventually in the form of the “Purgatory” tool, implemented later in October 2008. That Vimeo's enforcement mechanisms advanced in step with

Pub. 12/2015 4-469 4.12[3][B][iv] E-Commerce and Internet Law

the realities of its growing business further supports the reasonableness of its implementation system.50 Summarizing earlier case law, the court in Vimeo ex- plained that a substantial failure to record infringers may raise a genuine question of material fact on the issue of rea- sonable implementation. In addition, implementation will be found unreasonable where notices of potential copyright in- fringement fall into a vacuum and go unheeded, where a site teaches users how to encrypt copyrighted works to avoid detection or where a site in fact fails to terminate users who repeatedly or blatantly infringe third-party copyrights,51 among other things. Potential defects in Vimeo's implementation of its repeat infringer policy were dismissed by Judge Abrams as either legally irrelevant under the DMCA or not rising to the level of a substantial failure. With respect to legal arguments, the court rejected plainti's contention that Vimeo failed to rea- sonably implement its repeat infringer policy because it only blocked the email addresses of repeat infringers, not their IP addresses.52 The court also rejected the argument that Vimeo's implementation was inadequate because it treated all notices received within a three-day period as a single instance of infringement.53 Plaintis further challenged Vimeo's reasonable implemen- tation based on the deposition testimony of a Vimeo “Com- munity Director” who expressed ignorance about Vimeo's list of banned users or “blocked video list” and who did not know who was responsible for identifying repeat infringers. The court characterized the testimony as reecting a “troubling ignorance of Vimeo's tools for terminating infringing activ- ity” but considered it to amount to no more than “isolated comments” rather than a “substantial failure” by Vimeo to

50 See Capitol Records, LLC v. Vimeo, LLC, 972 F. Supp. 2d 500, 514–15 (S.D.N.Y. 2013). 51 See Capitol Records, LLC v. Vimeo, LLC, 972 F. Supp. 2d 500, 514 (S.D.N.Y. 2013). 52 See Capitol Records, LLC v. Vimeo, LLC, 972 F. Supp. 2d 500, 516 (S.D.N.Y. 2013) (following Io Group, Inc. v. Veoh Networks, Inc., 586 F. Supp. 2d 1132, 1143–45 (N.D. Cal. 2008)). 53 See Capitol Records, LLC v. Vimeo, LLC, 972 F. Supp. 2d 500, 516 (S.D.N.Y. 2013).

4-470 Copyright Protection in Cyberspace 4.12[3][B][iv] reasonably implement its repeat infringer policy.54 Like Judge Lasnik in Amazon.com, Judge Abrams emphasized that “[i]mplementation . . . need not be perfect. Rather, by the terms of the statute, it need only be ‘reasonable.’ ’’55 By contrast, in Capitol Records, LLC v. Escape Media Group, Inc.,56 Southern District of New York Judge Allison Nathan, arming the report and recommendation of Magis- trate Judge Sarah Netburn, entered summary judgment in favor of Capitol Records and against Escape Media over the latter's operation of the Grooveshark music service for both federal and common law copyright infringement based on the nding that Escape Media did reasonably implement a repeat infringer policy and therefore did not meet the requirements for the DMCA safe harbor. In Escape Media, the defendant claimed to have a one strike policy, to justify its failure to retain any records of terminating repeat infringers. Escape Media argued that there could be no repeat infringers given its policy. In fact, however, 1,609 us- ers received DMCA takedown notices for an upload that oc- curred after the user had already received a prior DMCA takedown notice. Moreover, 21,044 Grooveshark users who had received multiple DMCA takedown notices accounted for 7,098,634 uploads, or nearly 35% of all uploads on the site. Further, Escape Media had adopted a “DMCA Lite” proce- dure pursuant to which it did not treat defective notices as justifying a strike pursuant to its one strike policy. The evi- dence showed, however, that since February 2013 94.2% of takedowns were pursuant to this procedure. Judge Nathan questioned whether all of those notices could be so defective that Escape Media was still able to identify and remove the material at issue. The more reasonable inference is that this procedure allowed Escape Media to avoid having to terminate repeat infringers.

54 See Capitol Records, LLC v. Vimeo, LLC, 972 F. Supp. 2d 500, 515 (S.D.N.Y. 2013) (“even assuming one could infer from Verdugo's apparent ignorance of aspects of Vimeo's tools for terminating infringement that Vimeo's overall implementation of its policy was affected in some way, such isolated comments, while certainly unfortunate, do not reflect the sort of “substantial failure,” see CCBill, 488 F.3d at 1110, that courts have held gives rise to a genuine dispute as to the reasonableness of a repeat infringer policy.”).
55 See Capitol Records, LLC v. Vimeo, LLC, 972 F. Supp. 2d 500, 515 (S.D.N.Y. 2013).
56 Capitol Records, LLC v. Escape Media Group, Inc., No. 12-CV-6646 (AJN), 2015 WL 1402049, at *6-13, 44-58 (S.D.N.Y. Mar. 25, 2015).


In Datatech Enterprises LLC v. FF Magnat Ltd.,57 Judge Charles Breyer of the Northern District of California ruled, in connection with declining to dissolve a preliminary injunction, that the defendant was unlikely to prevail on its DMCA defense based on evidence that it had ignored copyright holders' requests to remove specifically identified repeat infringers, including one individual who uploaded 1,600 separate copies of an infringing work.

In Perfect 10, Inc. v. Giganews, Inc.,58 the court denied summary judgment to the defendant on its entitlement to the DMCA defense because the fact that Giganews had terminated only 46 people as repeat infringers since 2008, despite having removed more than 531 million infringing messages just in the preceding year, created at least a possible inference that it had not reasonably implemented its repeat infringer policy (although the court made clear that this inference was not necessarily compelled by the evidence).59

In Disney Enterprises, Inc. v. Hotfile Corp.,60 Judge Kathleen M. Williams of the Southern District of Florida held that Hotfile, a heavily trafficked offshore file storage site, was not entitled to the DMCA user storage safe harbor where it failed to reasonably implement its repeat infringer policy—and indeed, largely ignored it except in cases where Hotfile was directly threatened with litigation—at least prior to being sued by Disney and the other motion picture studio plaintiffs. In granting the plaintiffs' motion for partial summary judgment on the issue of Hotfile's entitlement to the DMCA affirmative defense, the court ruled that the number of notices of infringement sent to Hotfile “indicated to Hotfile that a substantial number of blatant repeat infringers made the system a conduit for infringing activity. Yet Hotfile did not act on receipt of DMCA notices and failed to devise any actual policy of dealing with those offenders, even if it publicly asserted otherwise.” Hotfile's designated Rule 30(b)(6) corporate representative testified that Hotfile in fact did not keep track of who was or was not a repeat infringer, even though it would have been easy to do so. Despite receiving over eight million notices for five million users, Hotfile only terminated 43 users before being sued by Disney and the other studio plaintiffs—and of those, 33 were terminated in response to a TRO issued in another lawsuit and the others were terminated in response to express threats to take legal action. Most glaringly, the court wrote, there were 61 users who had accumulated more than 300 notices each. Indeed, by the time the lawsuit had been filed, 24,790 Hotfile users had accumulated more than three notices, “half of those had more than ten notices; half again had 25 notices; 1,217 had 100 notices; and 61 had more than 300 notices.” One single user, who had been suspended but then allowed back on after he contacted Hotfile, had uploaded nearly 30,000 files to Hotfile and accumulated 9,254 takedown notices.

The potential importance of a repeat infringer policy to deterring infringement was illustrated by the fact that while those who were the subject of more than three infringement notices made up less than one percent of all Hotmail users, they were responsible for posting 50 million files (15.6 million of which were subsequently the subject of a takedown notice or removed for infringement), representing 44 percent of all files ever uploaded to Hotfile. The court acknowledged that Hotfile had made many improvements since being sued, but declined to rule on Hotfile's cross-motion for partial summary judgment on its entitlement to the safe harbor for post-litigation conduct based on the plaintiffs' representation at oral argument that they only sought damages for infringement pre-dating the lawsuit. Judge Williams noted in dicta, however, that Hotfile's request had raised questions such as whether a party can ever regain the protections of the DMCA and whether the court could trust Hotfile not to revert to its prior offending conduct (as well as how the court would be able to determine an exact point at which Hotfile began implementing a DMCA-compliant policy).

Hotfile and Escape Media illustrate the potential importance of discovery to copyright owners in seeking to overcome a service provider's contention that it reasonably implemented its repeat infringer policy. Given the potentially broad scope of discovery that could be permitted on the issue of reasonable implementation based on the Ninth Circuit's conclusion in CCBill that treatment of “red flag” material is relevant to reasonable implementation (at least in cases involving the user storage safe harbor and, by extension, presumably the information location tools safe harbor), service providers must be careful to preserve relevant evidence of all material removed and all communications that arguably could evidence a failure to respond in response to knowledge, notice or red flag awareness.

In Arista Records LLC v. Usenet.com, Inc.,61 Judge Harold Baer, Jr., of the Southern District of New York imposed an evidentiary sanction on a service provider and other defendants for bad faith spoliation of documents and other evasive tactics that prevented the plaintiffs from conducting discovery on the defendants' compliance with the requirements of the DMCA. In precluding the defendants from raising the DMCA as a defense in plaintiffs' suit for copyright infringement, Judge Baer wrote that “if defendants were aware of such red flags, or worse yet, if they encouraged or fostered such infringement, they would be ineligible for the DMCA's safe harbor provisions.”62 Although evidentiary sanctions were imposed in Usenet.com for spoliation of evidence that effectively prevented the service provider from challenging plaintiffs' contention that it had notice, knowledge or red flag awareness of infringing activity, they could just as easily have been imposed for failing to preserve evidence relevant to reasonable implementation of the service provider's repeat infringement policy in the Ninth Circuit under CCBill, given the Ninth Circuit's analysis in that case that evidence of a service provider's response to red flag material is relevant to assessing its reasonable implementation of its repeat infringement policy. The issue of spoliation and the DMCA is addressed further in section 4.12[18].

57 Datatech Enterprises LLC v. FF Magnat Ltd., No. C 12-04500 CRB, 2013 WL 1007360, at *5–6 (N.D. Cal. Mar. 13, 2013).
58 Perfect 10, Inc. v. Giganews, Inc., 993 F. Supp. 2d 1192 (C.D. Cal. 2014).
59 Perfect 10, Inc. v. Giganews, Inc., 993 F. Supp. 2d 1192, 1197 (C.D. Cal. 2014).
60 Disney Enterprises, Inc. v. Hotfile Corp., Case No. 11-20427-Civ, 2013 WL 6336286 (S.D. Fla. Order Granting in Part and Denying in Part Cross-Motions for Summary Judgment Sept. 20, 2013).
61 Arista Records LLC v. Usenet.com, Inc., 633 F. Supp. 2d 124 (S.D.N.Y. 2009). Magistrate Judge Katz's earlier recommendation may be found at Arista Records LLC v. Usenet.com, Inc., 608 F. Supp. 2d 409 (S.D.N.Y. 2009).
62 633 F. Supp. 2d at 142. In that case, the defendants had wiped clean seven hard drives that belonged to employees without backing up the data to a central server, and failed to adequately preserve email communications. The defendants also sent potentially key witnesses to Europe during the height of discovery to “engineer their unavailability,” encouraged witnesses to evade process, provided evasive or false sworn statements and violated two court orders requiring them to present information regarding the despoiled computer evidence, although Judge Baer concluded that while these abuses were not sufficient on their own to justify terminating sanctions they supported the finding that sanctions for discovery abuse were warranted.

4.12[3][C] Standard Technical Measures

Service providers, as a prerequisite to being eligible to benefit from the liability limitations, must accommodate and not interfere with “standard technical measures,” which are defined in the Act as technical measures used by copyright owners to identify or protect their works.1 Service providers whose systems interfere with certain anti-piracy technologies therefore potentially could be unable to benefit from the liability limitations and exemption established by the DMCA.

Not all anti-piracy devices will fall within the scope of the Act. Indeed, it is unclear whether there are any technologies that presently constitute “standard technical measures.” To qualify as a “standard technical measure,” the technical measure must “have been developed pursuant to a broad consensus of copyright owners and service providers in an open, fair, voluntary, multi-industry standards process.”2 In addition, the technical measure must be available to any person on reasonable and nondiscriminatory terms and must not impose substantial costs on service providers or substantially burden their systems or networks.3

In discussing analogous “industry standard communications protocols and technologies” in the context of the systems caching limitation, the House Report accompanying the final bill states that Congress expected “that the Internet industry standards setting organizations, such as the Internet Engineering Task Force and the World Wide Web Consortium, will act promptly and without delay to establish these protocols.” However, this never happened.4 As noted by one court, “[t]here is no indication that the ‘strong urging’ of both the House and Senate committees reporting on this bill has led to ‘all of the affected parties expeditiously [commencing] voluntary, interindustry discussions to agree upon and implement the best technological solutions available to achieve these goals.’ ”5

Although “standard technical measures,” by definition, must be accepted by a broad consensus of copyright owners and service providers—and not merely Internet standard setting bodies—paradoxically service providers are not given any apparent incentive under the Act to cooperate with content owners to achieve such a consensus.

In Perfect 10, Inc. v. CCBill, LLC,6 the Ninth Circuit found that the issue of a defendant's compliance with standard technical measures constituted a disputed fact precluding summary judgment on the question of entitlement to the DMCA safe harbor. In that case, the plaintiff had argued that one of the defendants interfered with “standard technical measures” by blocking plaintiff's access to its affiliated websites to prevent it from discovering whether those sites infringed plaintiff's copyrights. The defendant had argued that it merely blocked access because the plaintiff signed up for subscriptions that it then canceled, causing the defendant to incur credit card charge-back and other fees.

The Ninth Circuit panel directed the district court to determine whether accessing websites is a standard technical measure and if so whether CCBill interfered with that access. The court wrote that “[i]f CCBill is correct, Perfect 10's method of identifying infringement—forcing CCBill to pay the fines and fees associated with chargebacks—may well impose a substantial cost on CCBill. If not, CCBill may well have interfered with Perfect 10's efforts to police the websites in question for possible infringement.”7

While these points may be relevant to DMCA implementation in some way—and potentially go to the question of reasonable implementation of a repeat infringer policy under the Ninth Circuit test articulated in CCBill itself8—they do not relate to “a standard technical measure” which, by definition, is a technical standard (such as a filtering or a DRM standard) developed pursuant to a broad consensus of copyright owners and service providers, which did not exist in 1998. The Ninth Circuit's analysis on this point is simply incorrect.

In Capitol Records, LLC v. Vimeo, LLC,9 plaintiffs had argued that a service provider's privacy settings prevented copyright owners from collecting information needed to issue takedown notices. The court ruled, however, that privacy settings do not constitute interference with standard technical measures.

Other courts have fudged the issue and found that service providers have not interfered with standard technical measures without actually assessing whether a particular practice in fact could constitute a “standard technical measure” based on the high standard set by Congress for characterizing a technology as a standard technical measure. For example, in Wolk v. Kodak Imaging Network, Inc.,10 the court held that Photobucket's provision of editing tools did not interfere with standard technical measures and therefore did not disqualify it from safe harbor eligibility. In that case, the plaintiff had argued that Photobucket editing tools could be used to remove watermarks. Without analyzing whether watermarks in fact constitute standard technical measures, the court held that the fact that watermarks appear suggested that Photobucket accommodates standard technical measures and the fact that users, not Photobucket, use editing tools to attempt to circumvent copy protection measures already on the site did not disqualify Photobucket.11

[Section 4.12[3][C]]
1 17 U.S.C.A. § 512(i)(2).
2 17 U.S.C.A. § 512(i)(2)(A).
3 17 U.S.C.A. §§ 512(i)(2)(B), 512(i)(2)(C).
4 The Secure Digital Music Initiative (SDMI) represented an effort to develop a standard technical measure, but it was unsuccessful in achieving a broad consensus of copyright owners and service providers.
5 Perfect 10, Inc. v. Cybernet Ventures, Inc., 213 F. Supp. 2d 1146, 1174 (C.D. Cal. 2002), quoting H.R. Rep. 105-551(II), at 61; S. Rep. at 52 (1998).
6 Perfect 10, Inc. v. CCBill LLC, 488 F.3d 1102 (9th Cir.), cert. denied, 522 U.S. 1062 (2007).
7 488 F.3d at 1115.
8 See supra § 4.12[3][B][iv].

9 Capitol Records, LLC v. Vimeo, LLC, 972 F. Supp. 2d 500, 517 (S.D.N.Y. 2013).
10 Wolk v. Kodak Imaging Network, Inc., 840 F. Supp. 2d 733 (S.D.N.Y. 2012), aff’d mem., 569 F. App’x 51 (2d Cir. 2014).
11 See Wolk v. Kodak Imaging Network, Inc., 840 F. Supp. 2d 733, 745 (S.D.N.Y. 2012), aff’d mem., 569 F. App’x 51 (2d Cir. 2014).

4.12[4] Transitory Digital Network Communications

A service provider that meets the threshold prerequisites for eligibility set forth in subsection 4.12[3] may, under certain circumstances, limit its liability for copyright infringement for “transmitting, routing, or providing connections for, material through a system or network controlled or operated by or for . . . [it,] or by reason of the intermediate or transient storage of that material in the course of such transmitting, routing, or providing connections.”1

Although not discussed in the House Report accompanying the final version of the bill, the safe harbor created by section 512(a) is directed at the possibility that under MAI Systems Corp. v. Peak Computer, Inc.2 and its progeny a copy within the meaning of the Copyright Act may be created at multiple points over the Internet simply because of the way information is transmitted under TCP/IP and related Internet protocols.3 In the words of the Ninth Circuit, “[t]he Internet as we know it simply cannot exist if th[e] intervening computers” through which information travels pursuant to TCP/IP protocols could not benefit from the DMCA safe harbor and had to “block indirectly infringing content.”4

To qualify for the limitation for “transmitting, routing, or providing connections for, material through a system or network controlled or operated by or for the service provider, or by reason of the intermediate or transient storage of that material in the course of such transmitting, routing, or providing connections”5 a defendant must meet the narrower requirements to be deemed a service provider applicable to section 512(a)6 and satisfy five conditions.

[Section 4.12[4]] 1 17 U.S.C.A. § 512(a). 2 MAI Systems Corp. v. Peak Computer, Inc., 991 F.2d 511 (9th Cir. 1993), cert. dismissed, 510 U.S. 1033 (1994). 3 See Religious Technology Center v. Netcom On-Line Communication Services, Inc., 907 F. Supp. 1361 (N.D. Cal. 1995) (analyzing MAI's impact on Internet communications); see generally supra § 4.03. Congress was plainly aware of the MAI case and its potential application to Internet li- ability, as evidenced by the fact that the very next sections (sections 301 and 302) of the Digital Millennium Copyright Act following the Online Copyright Infringement Liability Limitation Act modify the eects of MAI for independent service organizations, which are entities that provide post-warranty maintenance work on computers which they did not manufacture and who otherwise could be held liable for copyright in- fringement (like the defendant in MAI) simply by virtue of turning on a computer, which causes a temporary copy of the licensed operating system to be loaded into random access memory (RAM). See supra §§ 4.03, 4.04[5]. 4 Perfect 10, Inc. v. CCBill LLC, 488 F.3d 1102, 1116 (9th Cir.), cert. denied, 522 U.S. 1062 (2007). 5 17 U.S.C.A. § 512(a). 6 Service provider for purposes of the transitory digital network com- munications safe harbor means “an entity oering the transmission, rout-

4-478 Copyright Protection in Cyberspace 4.12[4]

First, a transmission must have been initiated by or at the direction of a person other than the service provider.7 Second, the “transmission, routing, provision of connec- tions, or storage” must have been carried out by “an automatic technical process without selection of the material by the service provider.”8 ing, or providing of connections for digital online communications, be- tween or among points specied by a user, of material of the user's choosing, without modication to the content of the material as sent or received.” 17 U.S.C.A. § 512(k)(1)(A). The term service provider is dened more narrowly when used in connection with the liability limitation cre- ated by section 512(a) than for the other DMCA safe harbors. Compare 17 U.S.C.A. § 512(k)(1)(A) (narrowly dening the term service provider for purposes only of the transitory digital network communications safe harbor created by section 512(a)) with 17 U.S.C.A. § 512(k)(1)(B) (broadly dening the same term for purposes of the user storage, information loca- tion tools and caching safe harbors); see generally supra § 4.12[2] (analyz- ing the denition of service provider in dierent contexts under the DMCA). In Columbia Pictures Industries, Inc. v. Fung, 710 F.3d 1020, 1041–42 (9th Cir. 2013), the Ninth Circuit held that the operator of a Bit- Torrent tracker did not qualify as a service provider for purposes of the transitory digital network communications safe harbor because trackers select the “points” to which a user's client will connect in order to download a le using the BitTorrent protocol and a service provider for purposes of this safe harbor must provide “connections . . . between or among points specied by a user.” 17 U.S.C.A. § 512(k)(1)(A) (emphasis added). The district court in A&M Records, Inc. v. Napster, Inc., No. C 99–05183 MHP, 2000 WL 573136, at *3 n.5 (N.D. Cal. 
May 12, 2000) expressed skepticism in dicta that Napster, which provided a peer-to-peer software application that relied on an index located on a central server, qualied for the narrower denition of service provider set forth in section 512(k)(1)(B), but since the plaintis had not challenged Napster's eligibil- ity on this basis the court proceeded to deny Napster's motion for sum- mary adjudication on the issue of its entitlement to the DMCA defense on other grounds (ruling that to benet from the safe harbor, transmitting, routing, or providing connections must occur “through” a service provider's system or network and, because users exchanged infringing les directly— not through Napster's servers—Napstser did not “transmit, route, or provide connections through its system . . . .”). 7 17 U.S.C.A. § 512(a)(1). 8 17 U.S.C.A. § 512(a)(2). According to a House Report accompanying an earlier version of the bill, selection of the material means “the editorial function of determining what material to send, or the specic sources of material to place on-line (e.g., a radio station), rather than ‘an automatic technical process’ of responding to a command or request, such as one from a user, an Internet location tool, or another network.” H.R. Conf. Rep. No. 551, 105th Cong., 2d Sess. 51 (1998). The term automatic re- sponse to the request of another, according to this same source, “is intended to encompass a service provider's actions in responding to requests by a

Pub. 12/2015 4-479 4.12[4] E-Commerce and Internet Law

Third, the service provider may not select the recipients of the material except “as an automatic response to the request of another person.”9 Fourth, the service provider may not maintain any stored copy of the material made in the course of intermediate or transient storage on its system or network in a manner “ordinarily accessible to anyone other than anticipated recipients” or for longer than “reasonably necessary” to allow for the transmission, routing, or provision of connections.10 Fifth, the content of the material may not have been mod- ied while it was transmitted through the service provider's “system or network ....”11 According to the legislative history, subsections “(a)(1) through (5) limit the range of activities that qualify under this subsection to ones in which a service provider plays the role of a ‘conduit’ for the communications of others.”12 Ac- cordingly, some courts have referred to section 512(a) in dicta as creating a safe harbor for service providers that act as “conduits” for the transmission of information.13 The safe harbor created by section 512(a) is consistent user or other networks, such as requests to forward e-mail trac or to route messages to a mailing list agent (such as a ‘Listserv’) or other discus- sion group.” H.R. Conf. Rep. No. 551, 105th Cong., 2d Sess. 51 (1998). 9 17 U.S.C.A. § 512(a)(3). 10 17 U.S.C.A. § 512(a)(4). A House Report accompanying an earlier version of the bill explains: The Committee intends subsection (a)(4) to cover copies made of material while it is en route to its destination, such as copies made on a router or mail server, storage of a web page in the course of transmission to a specic user, store and forward functions, and other transient copies that occur en route. The term “ordinarily accessible” is intended to encompass stored material that is routinely accessible to third parties. 
For example, the fact that an illegal in- truder might be able to obtain access to the material would not make it ordinar- ily accessible to third parties. Neither, for example, would occasional access in the course of maintenance by service provider personnel, nor access by law enforcement ocials pursuant to subpoena make the material “ordinarily accessible.” However, the term does not include copies made by a service provider for the purpose of making the material available to other users. Such copying is addressed in subsection (b) [the caching safe harbor]. H.R. Conf. Rep. No. 551, 105th Cong., 2d Sess. 51 (1998). 11 17 U.S.C.A. § 512(a)(5). 12 H.R. Conf. Rep. No. 551, 105th Cong., 2d Sess. 51 (1998). 13 See, e.g., In re Charter Communications, Inc., Subpoena Enforce- ment Matter, 393 F.3d 771, 775–76 (8th Cir. 2005) (characterizing section 512(a) as limiting “the liability of ISPs when they do nothing more than transmit, route, or provide connections for copyrighted material—that is,

4-480 Copyright Protection in Cyberspace 4.12[4] with and was inuenced by the court's analysis in Religious Technology Center. v. Netcom On-Line Communication Ser- vices, Inc.,14 which was the leading Internet secondary li- ability case at the time the DMCA was crafted and which inuenced the development of the statute. In that case, the court held that Netcom, an ISP that provided Internet ac- cess to a Usenet group where infringing material allegedly had been posted, was a passive participant in the infringe- ment, and thus could not be held directly liable for copyright infringement in the absence of any evidence of “direct ac- tion” on its part to further the infringement. The court based its holding in part on the fact that Netcom did not “initiate” the transmissions and its acts of copying and transmitting infringing content were “automatic and indiscriminate.”15 There have been few court opinions that have analyzed the applicability of the safe harbor created by section 512(a) since it was signed into law in 1998. Courts have held that services where the defendant, rather than the user, species the point of connection (such as a BitTorrent tracker16)or where transmissions occur directly between users, rather than “through a system or network controlled or operated by or for” a service provider17 (such as a Peer-to-Peer network18), are ineligible for the safe harbor. On the other hand, the when the ISP is a mere conduit for the transmission” and applying when a service provider “merely acts as a conduit for infringing material without storing, caching, or providing links to copyrighted material.”); Columbia Pictures Industries, Inc. v. Fung, 710 F.3d 1020, 1041 (9th Cir. 2013) (stating that section “512(a) applies to service providers who act only as ‘conduits’ for the transmission of information.”). But see A&M Records, Inc. v. Napster, Inc., No. C 99–05183 MHP, 2000 WL 573136, at *6 (N.D. Cal. 
May 12, 2000) (“the words ‘conduit’ or ‘passive conduit’ appear nowhere in 512(a), but are found only in the legislative history and sum- maries of the DMCA. The court must look rst to the plain language of the statute.”). 14 Religious Technology Center v. Netcom On-Line Communication Services, Inc., 907 F. Supp. 1361 (N.D. Cal. 1995); see generally supra §§ 4.11[2], 4.11[8][B]. 15 In Ellison v. Robertson, 357 F.3d 1072, 1081 (9th Cir. 2004), the Ninth Circuit ruled that AOL was entitled to benet from this liability limitation for Usenet posts that, as in Netcom, originated on a dierent service and were only accessible for a limited time period (fourteen days, in comparison to eleven days in Netcom). 16 See Columbia Pictures Industries, Inc. v. Fung, 710 F.3d 1020, 1041–42 (9th Cir. 2013). 17 17 U.S.C.A. § 512(a). 18 In A&M Records, Inc. v. Napster, Inc., No. C 99–05183 MHP, 2000


Ninth Circuit clarified that, where applicable, the safe harbor for transitory digital network communications applies to all transmissions and not merely for those that a service provider can show are directly infringing.19

If a service provider initiates or modifies20 a transmission, stores it so that it becomes generally accessible or posts third-party content through a process involving some element of selection, presumably it would be unable to benefit from the liability limitation for transitory digital network communications.

In short, the statute's multipart test to evaluate whether a communication is genuinely transitory is directed specifically—and narrowly—at circumstances where liability could be imposed by virtue of MAI Systems Corp. v. Peak Computer, Inc.21 and its extension to the Internet, where a service provider could not reasonably be expected to be able to

WL 573136 (N.D. Cal. May 12, 2000), the court held that Napster was not eligible for the liability limitation for transmitting, routing or providing connections, because users exchanged infringing files directly—not through Napster's servers. Napster was a service that facilitated infringement by providing software and an index on a central server that users could access to exchange files directly with each other. The court explained that to qualify for the safe harbor created by subsection 512(a), transmitting, routing, or providing connections must occur “through” a service provider's system or network and Napster did not “transmit, route, or provide connections through its system ....” Id. at *8.

19 See Perfect 10, Inc. v. CCBill LLC, 488 F.3d 1102, 1115–16 (9th Cir.), cert. denied, 522 U.S. 1062 (2007). In Perfect 10, the Ninth Circuit remanded for consideration whether a Web hosting company that transmitted “digital online communications” in the form of credit card payments and proof of payments was entitled to this safe harbor. In so doing, the panel rejected the plaintiff's argument that the defendant was not entitled to protection under section 512(a) because it did not itself transmit the allegedly infringing material. It also rejected as “perverse” the argument that while the safe harbor might extend to infringing material it would not insulate a service provider from liability for noninfringing content that could form the basis of a claim of contributory infringement. Eligible service providers “are immune for transmitting all digital online communications, not just those that directly infringe.” 488 F.3d at 1116.

20 In In re Aimster Copyright Litig., 252 F. Supp. 2d 634 (N.D. Ill. 2002), aff'd on other grounds, 334 F.3d 643 (7th Cir. 2003), the court wrote in dicta that the Aimster peer-to-peer service “modified” content by encrypting all information transferred between users.

21 MAI Systems Corp. v. Peak Computer, Inc., 991 F.2d 511 (9th Cir. 1993), cert. dismissed, 510 U.S. 1033 (1994); see generally supra § 4.03. The temporary copies created by some transmissions may not be actionable if they are not fixed for a period of more than merely “a transitory

monitor, control or prevent such communications. On the other hand, merely because a service provider monitors content that passes over its system or network should not provide sufficient grounds—absent additional facts—for concluding that the liability limitation is inapplicable. The House Report makes clear that the “legislation [wa]s not intended to discourage the service provider from monitoring its service for infringing material. Courts should not conclude that the service provider loses eligibility for limitations on liability . . . solely because it engaged in a monitoring program.”22

Where a service provider qualifies for the safe harbor created by section 512(a) it may not be held liable for damages or attorneys' fees and may only be subject to narrow injunctive relief.23

duration.” See Cartoon Network LP, LLLP v. CSC Holdings, Inc., 536 F.3d 121, 129–30 (2d Cir. 2008), cert. denied, 557 U.S. 946 (2009); see generally supra § 4.03. What constitutes a transitory duration may be evaluated differently outside the Second Circuit. See generally supra § 4.03.

22 H.R. Conf. Rep. No. 796, 105th Cong., 2d Sess. 73 (1998), reprinted in 1998 U.S.C.C.A.N. 639, 649.

23 Service providers that meet the requirements to qualify for the transitory digital network communications safe harbor may only be subject to the following injunctive relief:

(i) An order restraining the service provider from providing access to a subscriber or account holder of the service provider's system or network who is using the provider's service to engage in infringing activity and is identified in the order, by terminating the accounts of the subscriber or account holder that are specified in the order.

(ii) An order restraining the service provider from providing access, by taking reasonable steps specified in the order to block access, to a specific, identified, online location outside the United States.

17 U.S.C.A. § 512(j)(1)(B). Broader relief may be obtained against service providers that qualify for the other three safe harbors. See 17 U.S.C.A. § 512(j)(1)(A). The considerations relevant to whether injunctive relief should issue and provisions for notice and ex parte relief are set forth in sections 512(j)(2) and 512(j)(3), respectively. At least in the Ninth Circuit, an injunction compelling a service provider to remove user content is deemed to be a mandatory injunction, which is disfavored. Garcia v. Google, Inc., 786 F.3d 733, 740 & n.4 (9th Cir. 2015) (en banc); see generally infra § 4.13[1] (setting forth the standards for obtaining injunctive relief). It may also be viewed as an impermissible prior restraint. See Garcia v. Google, Inc., 786 F.3d 733, 746-47 (9th Cir. 2015) (en banc) (dissolving a previously entered preliminary injunction compelling YouTube to take down copies of the film “Innocence of Muslims” and take all reasonable steps to prevent further uploads, which the en banc panel held had operated as a prior restraint), citing Alexander v. United States, 509


4.12[5] System Caching

4.12[5][A] System Caching—In General

The DMCA also potentially limits the liability of a service provider (which otherwise meets the four general threshold requirements set forth in section 4.12[3]) for the “intermediate and temporary storage of material on a system or network”—commonly referred to as caching.1 This provision is a logical complement to the liability limitation created for transitory digital network communications, which only applies to the temporary storage of copyrighted material that occurs during transmission, routing, or provision of connections. Both limitations address the potential liability which inadvertently could be imposed on a service provider by virtue of the MAI Systems Corp. v. Peak Computer, Inc. case.2

To limit liability for system caching, eight specific requirements must be satisfied (in addition to the four threshold prerequisites). The first four conditions are intended to limit the provision to system caching rather than other types of caching. The last four requirements are intended to ensure that copyright owners and third-party content providers are not disadvantaged by the caching safe harbor in circumstances such as where material is frequently updated and the cached copy could grow stale, where a rights owner implements content protection technology to deter infringement, where content is only made available for a fee or where access is password protected or otherwise restricted, or where the original material has been taken down as infringing but a cached copy remains online. While the first four conditions are generally applicable, the last four will apply

U.S. 544, 550 (1993) (“Temporary restraining orders and permanent injunctions—i.e., court orders that actually forbid speech activities—are classic examples of prior restraints.”); infra § 4.13[1].

[Section 4.12[5][A]]

1 17 U.S.C.A. § 512(b)(1). The limitation applies both where a system or network is controlled by the service provider and where it is merely operated by or for the provider. See id.

2 MAI Systems Corp. v. Peak Computer, Inc., 991 F.2d 511 (9th Cir. 1993), cert. dismissed, 510 U.S. 1033 (1994); see generally supra §§ 4.03 (analyzing MAI and more recent case law), 4.12[4] (discussing why Congress was aware of the MAI case and intended to address potential exposure that could be created for temporary, cached copies by the liability limitations created in sections 512(a) and 512(b)).

only to particular types of services. The first three, which are set forth in section 512(b)(1), may be thought of as eligibility requirements, whereas the last five, which are enumerated in section 512(b)(2), are characterized as “conditions.”

Section 512(b) provides that a service provider shall not be liable for monetary relief, or except as provided in subsection (j) for injunctive or equitable relief,3 “for infringement of

3 With respect to the caching safe harbor, section 512(j) provides:

(j) Injunctions.— The following rules shall apply in the case of any application for an injunction under section 502 against a service provider that is not subject to monetary remedies under this section:

(1) Scope of relief.—

(A) With respect to conduct other than that which qualifies for the limitation on remedies set forth in subsection (a), the court may grant injunctive relief with respect to a service provider only in one or more of the following forms:

(i) An order restraining the service provider from providing access to infringing material or activity residing at a particular online site on the provider's system or network.

(ii) An order restraining the service provider from providing access to a subscriber or account holder of the service provider's system or network who is engaging in infringing activity and is identified in the order, by terminating the accounts of the subscriber or account holder that are specified in the order.

(iii) Such other injunctive relief as the court may consider necessary to prevent or restrain infringement of copyrighted material specified in the order of the court at a particular online location, if such relief is the least burdensome to the service provider among the forms of relief comparably effective for that purpose ....

(2) Considerations.— The court, in considering the relevant criteria for injunctive relief under applicable law, shall consider—

(A) whether such an injunction, either alone or in combination with other such injunctions issued against the same service provider under this subsection, would significantly burden either the provider or the operation of the provider's system or network;

(B) the magnitude of the harm likely to be suffered by the copyright owner in the digital network environment if steps are not taken to prevent or restrain the infringement;

(C) whether implementation of such an injunction would be technically feasible and effective, and would not interfere

copyright by reason of the intermediate and temporary storage of material on a system or network controlled or operated by or for the service provider” if the following requirements and conditions are met:

(1) The allegedly infringing material at issue in a given suit must have been “made available online by a person other than the service provider.”4

(2) The material must have been “transmitted from the person described in subparagraph (A)”—i.e., “a person other than the service provider”5—“through the [service provider's] system or network6 to a person other

with access to noninfringing material at other online locations; and

(D) whether other less burdensome and comparably effective means of preventing or restraining access to the infringing material are available.

(3) Notice and ex parte orders.— Injunctive relief under this subsection shall be available only after notice to the service provider and an opportunity for the service provider to appear are provided, except for orders ensuring the preservation of evidence or other orders having no material adverse effect on the operation of the service provider's communications network.

17 U.S.C.A. § 512(j). At least in the Ninth Circuit, an injunction compelling a service provider to remove user content is deemed to be a mandatory injunction, which is disfavored. Garcia v. Google, Inc., 786 F.3d 733, 740 & n.4 (9th Cir. 2015) (en banc); see generally infra § 4.13[1] (setting forth the standards for obtaining injunctive relief). It may also be viewed as an impermissible prior restraint. See Garcia v. Google, Inc., 786 F.3d 733, 746-47 (9th Cir. 2015) (en banc) (dissolving a previously entered preliminary injunction compelling YouTube to take down copies of the film “Innocence of Muslims” and take all reasonable steps to prevent further uploads, which the en banc panel held had operated as a prior restraint), citing Alexander v. United States, 509 U.S. 544, 550 (1993) (“Temporary restraining orders and permanent injunctions—i.e., court orders that actually forbid speech activities—are classic examples of prior restraints.”); infra § 4.13[1].

4 17 U.S.C.A. § 512(b)(1)(A).

5 17 U.S.C.A. § 512(b)(1)(A).

6 The statute does not define what constitutes a system or network controlled or operated by or for the service provider. The lower court in In re Aimster Copyright Litig., 252 F. Supp. 2d 634 (N.D. Ill. 2002), aff'd on other grounds, 334 F.3d 643 (7th Cir. 2003), wrote in dicta that a peer-to-peer service could not benefit from this limitation in part because material passed between users was not transmitted “through” the system within the meaning of 17 U.S.C.A. § 512(b)(1)(B); see also A&M Records, Inc. v. Napster, Inc., No. C 99–05183 MHP, 2000 WL 573136 (N.D. Cal. May 12, 2000) (reaching a similar conclusion in analyzing the safe harbor created by section 512(a) for transitory digital network communications); see generally supra § 4.12[4]. The legislative history does not provide much guidance other than emphasizing that material stored on a system or network controlled or operated by or for the service provider refers to the service provider's own system or network. The House Report accompanying the DMCA states that “[t]he material in question is stored on the service provider's system or network for some period of time to facilitate access by users subsequent to the one who previously sought access to it.” H.R. Rep. No. 105-551, 105th Cong., 2d Sess. (1998). The Senate Report also explains that “[t]he liability limitations apply to networks ‘operated by or for the service provider,’ thereby protecting both service providers who offer a service and subcontractors who may operate parts of, or an entire, system or network for another service provider.” S. Rep. No. 105-190, 105th Cong., 2d Sess. (1998).

than the person described in subparagraph (A) at the direction of that other person”7—such as when a user calls up a third-party website that is transmitted through the service provider's system or network. This requirement is poorly drafted and is explained in greater detail below in section 4.12[5][B].

(3) The storage is carried out “through an automatic technical process for the purpose of making the [cached] material available to users of the system or network” who requested it from the original location that was cached.8

(4) The material must have been transmitted (by the service provider) to subsequent users without modification (i.e., in exactly the same form as when it was originally posted or transmitted).9

(5) The service provider must have complied with “rules

7 17 U.S.C.A. § 512(b)(1)(B).

8 See 17 U.S.C.A. § 512(b)(1)(C). The exact statutory language is:

[T]he storage is carried out through an automatic technical process for the purpose of making the material available to users of the system or network who, after the material is transmitted as described in subparagraph (B), request access to the material from the person described in subparagraph (A) ....

Id. In other words, the material must be stored automatically for the purpose of allowing users who subsequently request the original material to be given access to the cached copy.

9 See 17 U.S.C.A. § 512(b)(2)(A) (stating that “the material described in paragraph (1) is transmitted to the subsequent users described in paragraph (1)(C) without modification to its content from the manner in which the material was transmitted from the person described in paragraph (1)(A);”). In In re Aimster Copyright Litig., 252 F. Supp. 2d 634 (N.D. Ill. 2002), aff'd on other grounds, 334 F.3d 643 (7th Cir. 2003), the court wrote in dicta that Aimster's peer-to-peer service “modified” content by encrypting all information transferred between users.


concerning the refreshing, reloading, or other updating of the material when specified by the person making the material available online in accordance with a generally accepted industry standard data communications protocol10 for the system or network through which that person makes the material available ....”11

(6) The service provider must not “interfere with the ability of technology associated with the material” to return information to the party that originally posted or transmitted it that would have been available to the site owner if the material had been accessed directly, rather than from a cached copy (such as returning user statistics to a website owner when the cached copy of its site is accessed).12 This sixth requirement only applies, however, when the technology: (a) does not significantly interfere with the performance of the service provider's system or network or the intermediate storage of the material; (b) is consistent with generally accepted industry standard communications protocols; and (c) does not extract information from the service provider's system or network other than information that would otherwise have been available to the person who originally

10 The House Report accompanying the statute acknowledged that these protocols and related technologies were only in the early stages of development at the time the DMCA was under consideration. The Report clarifies that the House and Senate conferees expected that “the Internet industry standards setting organizations, such as the Internet Engineering Task Force and the World Wide Web Consortium, will act promptly and without delay to establish these protocols so that . . . [the subsection providing the system caching limitation] can operate as intended.”

11 17 U.S.C.A. § 512(b)(2)(B). This specific requirement is not applicable if the person who originally posted or transmitted the content (i.e., “the person described in paragraph (1)(A) . . .”) uses these rules “to prevent or unreasonably impair the intermediate storage” that is the subject of the caching limitation set forth in section 512(b). See id. In other words, if “the person described in paragraph (1)(A) . . . ,” which is defined to be “a person other than the service provider” (id. § 512(b)(1)(A)) and therefore typically refers to the owner or operator of a website or other online content that may be cached, uses rules concerning refreshing, reloading or other updating of material “to prevent or unreasonably impair” intermediate storage, the service provider will not lose safe harbor protection under the caching liability limitation created by section 512(b) if it fails to comply with those rules with respect to material from that owner or operator.

12 17 U.S.C.A. § 512(b)(2)(C).


posted or transmitted the material (i.e., “the person described in paragraph (1)(A) . . . ,” which is defined to be “a person other than the service provider”13), had subsequent users gained access to the material directly from that person, rather than from the service provider's cached copy.14

(7) If the site owner (or other “person other than the service provider”) has in effect a condition that a person must meet prior to gaining access to the material—such as payment of a fee or provision of a password or other information—the service provider must permit access to the stored material “in significant part” only to users of its system or network that have met those conditions and only in accordance with those conditions.15 In other words, a service provider may not permit unrestricted access to cached content if the same material could not be accessed without restrictions, and must ensure that the same conditions imposed by a site owner or service provider are met (such as payment of a fee or provision of login credentials) before giving a user access to the cached version. Substantial compliance with this condition, not strict adherence, is required, as evidenced by the use of the qualifier “in significant part” in describing a service provider's compliance obligation, likely out of recognition that systems can fail and software malfunction. A service provider therefore will not lose safe harbor protection so long as this condition is met “in significant part.”

(8) Where a site or service (or other “person other than the service provider”) makes material available online without the authorization of the copyright owner, the service provider must respond expeditiously to remove, or disable access to, the material upon receipt of a notification pursuant to section 512(c)(3), which sets forth the requirement for responding to copyright owner notifications in compliance with the user storage safe harbor (which is discussed below in

13 17 U.S.C.A. § 512(b)(1)(A).

14 17 U.S.C.A. § 512(b)(2)(C).

15 17 U.S.C.A. § 512(b)(2)(D).


subsection 4.12[9][B]).16 This requirement only applies, however, if the material has previously been removed from the site where it originated from (or access to that site has been disabled) or a court has ordered that the material be removed (or access be disabled) and the party giving notice includes a statement confirming these facts.17

There is very little case law construing the caching safe harbor. The most detailed analysis is found in Field v. Google, Inc.18 In that case, a district court in Nevada held that Google was entitled to the safe harbor created by section 512(b) for caching websites incident to the operation of its search engine and granted summary judgment in Google's favor on that basis. At issue was Google's practice of caching almost the entire Internet to allow users to access material when an original page was inaccessible, thus providing archival copies of value to academics, researchers and journalists. Google cached websites using a bot (or intelligent agent software) to automatically copy and store the HTML code for webpages, which were then indexed and made accessible to users via links displayed in response to user search queries.19

In ruling that Google's practices were protected by the caching safe harbor, the court rejected the plaintiff's argument that by retaining cached copies for fourteen to twenty days Google was ineligible for the safe harbor because copying material for that period of time did not involve “intermediate and temporary storage” within the meaning of section 512(b)(1). Relying on the Ninth Circuit's prior construction of the terms intermediate and transient in section 512(a) to include storage of Usenet postings for fourteen days,20 the court deemed Google's retention of cached copies for fourteen to twenty days to be merely “intermediate and temporary storage” within the meaning of section 512(b).21

16 See 17 U.S.C.A. § 512(b)(2)(E).

17 17 U.S.C.A. § 512(b)(2)(E).

18 Field v. Google Inc., 412 F. Supp. 2d 1106, 1123–25 (D. Nev. 2006).

19 See Field v. Google Inc., 412 F. Supp. 2d 1106, 1111 (D. Nev. 2006).

20 See Ellison v. Robertson, 357 F.3d 1072, 1081 (9th Cir. 2004); supra § 4.12[4].

21 What constitutes intermediate and temporary storage is further analyzed below in section 4.12[5][C].


4.12[5][B] Transmission from a “Person Other than the Service Provider” Through the Service Provider's System or Network to A “Person Other than” that Person

Subsection 512(b)(1)(B) is inartfully drafted and must be read in conjunction with section 512(b)(1)(A) to be understood. Read literally, the double negatives and cross-references included in subsection 512(b)(1)(B) may sound like a riddle from Lewis Carroll's “Jabberwocky” poem, although on close analysis the requirement is actually straightforward. The provision requires that a transmission be from a person other than the service provider (such as a third-party website or a service provider's user) and be made through the service provider's system or network to a “person other than the person” who is described in subsection 512(b)(1)(A) as the “person other than the service provider”—which by virtue of the use of double negatives may be the service provider or some other website or user.

While Congress undoubtedly could have done a better job drafting the language of this section so as not to require that the transmission be to a “person other than a person” who is “a person other than a service provider,” sadly it did not do so. Subparts 512(b)(1)(A) and 512(b)(1)(B) literally require that the material at issue be:

(A) . . . made available online by a person other than the service provider; and

(B) . . . transmitted from the person described in subparagraph (A) through the system or network to a person other than the person described in subparagraph (A) at the direction of that other person.1

The statute is confusing in that subpart 512(b)(1)(B) refers to a “person other than the person described in subparagraph (A)” which in turn refers to “a person other than the service provider.” In holding that Google was entitled to the caching safe harbor for material that Google itself cached from third-party websites, the court in Field v. Google, Inc.2 assumed that the “other person” referred to in subpart 512(b)(1)(B) could be the service provider given that subpart (A) includes any person other than the service provider (and, by extension, anyone other than that person could include the service provider). This interpretation also is supported by the plain text of section 512(b)(1)(B).

The legislative history implies that to qualify for the caching safe harbor material must first have been requested by a third party and could not be cached by a service provider on its own initiative, although there is no support for this reading on the face of the statute. The House and Senate Report explain that:

The material in question is stored on the service provider's system or network for some period of time to facilitate access by users subsequent to the one who previously sought access to it. For subsection (b) to apply, the material must be made available on an originating site, transmitted at the direction of another person through the system or network operated by or for the service provider to a different person, and stored through an automatic technical process so that users of the system or network who subsequently request access to the material from the originating site may obtain access to the material from the system or network.3

Based on this language in the legislative history, some commentators have argued that Field v. Google was wrongly decided and that “a person other than the person described in subparagraph (A)” cannot be the service provider itself, through whose system or network cached material is made available at the direction of “that other person” and that to fall within the caching safe harbor a third-party user must first request material before it may be cached by a service provider.4 However, there is no support on the face of the statute for this interpretation. Legislative history generally cannot provide a basis for construing the language of a statute on a point that is not ambiguous.5 While section 512(b)(1)(B) is inartfully drafted, it is not confusing with respect to the

[Section 4.12[5][B]]

1 17 U.S.C. § 512(b)(1).

2 Field v. Google Inc., 412 F. Supp. 2d 1106 (D. Nev. 2006).

3 H.R. Rep. No. 105-551, 105th Cong., 2nd Sess. (1998) (emphasis added); S. Rep. No. 105-190, 105th Cong., 2nd Sess. (1998) (emphasis added).

4 See, e.g., Nimmer on Copyright § 12B.03.

5 See, e.g., Murphy v. Millennium Radio Group LLC, 650 F.3d 295, 301–05 (3d Cir. 2011) (explaining that except in rare circumstances legislative history cannot trump the plain terms of a statute and construing a different provision of the Digital Millennium Copyright Act based on the terms of the statute, rather than imposing an additional requirement suggested by legislative history); MDY Industries, LLC v. Blizzard Entertainment, Inc., 629 F.3d 928, 951 (9th Cir. 2010) (holding that policy

question of whether material must first have been requested by a user before a service provider may create a cached copy for use by subsequent users. The terms of the statute merely require that the request be made by a person other than the person described in section 512(b)(1)(A), who is defined as a “person other than the service provider.” If one substitutes the words “third-party website” for the term “the person described in subparagraph (A)” (since that subparagraph merely requires that the material cached be made available by “a person other than the service provider”) it is clear that the material may be requested by the service provider itself and the statute imposes no obligation that material be cached only subsequent to a first user's request. The material merely must be transmitted from a third-party website through a service provider's system or network to a person other than the third-party website at the direction of that other person. “That other person” therefore may be either a user or the service provider itself—just not the third-party website (and, pursuant to subpart 512(b)(1)(A), the material may not have been made available online by the service provider itself, as opposed to a third-party website).

The unambiguous, albeit inartfully drafted words of the statute make clear that third-party material may be cached once requested by a user or it may be cached at the direction of a service provider. The result compelled by the terms of the statute also makes logical sense since caching is a technique used by service providers to make material more quickly and easily available to users.6 Requiring that material only be cached after another user first requests it—so that the delivery to the first requester necessarily will be slower and more inefficient than for all subsequent users—finds no basis in logic or in the plain terms of the statute.

considerations “cannot trump the statute's plain text and structure” in construing section 1201(a) of the Digital Millennium Copyright Act).

6 See generally infra § 9.02 (analyzing caching).

4.12[5][C] Intermediate and Temporary Storage

What constitutes intermediate and temporary storage is not defined in the statute.

Intermediate storage means storage by an intermediary that is neither the originating site nor the end user. The House and Senate reports accompanying the DMCA explain that “[t]he storage is intermediate in the sense that the service provider serves as an intermediary between the originating site and the ultimate user.”1

Precisely what length of storage time would be deemed temporary is not defined in the statute nor explained in the DMCA's legislative history. The House and Senate reports, unhelpfully, explain that temporary storage would last for “some period of time.”2 This likely reflects Congressional reluctance to impose specific time limits on changing technology.

In Field v. Google, Inc.,3 the court held that Google was entitled to section 512(b)'s caching liability limitation where it retained cached copies for fourteen to twenty days. In so ruling, the court relied on the Ninth Circuit's decision in Ellison v. Robertson,4 where a plaintiff sought to hold AOL liable for copyright infringement for hosting and allowing end users to access copyrighted materials that third parties had posted to a system of online bulletin boards.5 In Ellison, AOL had stored and allowed users to access user posts for approximately fourteen days. Citing the DMCA's legislative history, the Ellison court found that AOL's storage of the materials was “intermediate” and “transient” as required by section 512(a).6 Based on this holding, the Field court found that Google's practice of caching material for approximately fourteen to twenty days—like the fourteen days the Ellison court deemed “transient storage”—was “temporary” within the meaning of section 512(b).7

The Field court's decision rested on the statutory language used in subsections 512(a) and 512(b), which is similar but

[Section 4.12[5][C]]
1 H.R. Rep. No. 105-551, 105th Cong., 2d Sess. (1998); S. Rep. No. 105-190, 105th Cong., 2d Sess. (1998).
2 H.R. Rep. No. 105-551, 105th Cong., 2d Sess. (1998); S. Rep. No. 105-190, 105th Cong., 2d Sess. (1998).
3 Field v. Google Inc., 412 F. Supp. 2d 1106, 1123–24 (D. Nev. 2006).
4 Ellison v. Robertson, 357 F.3d 1072 (9th Cir. 2004).
5 Field v. Google Inc., 412 F. Supp. 2d 1106, 1123–24 (D. Nev. 2006), citing Ellison v. Robertson, 357 F.3d 1072, 1075–76 (9th Cir. 2004).
6 Field v. Google Inc., 412 F. Supp. 2d 1106, 1123–24 (D. Nev. 2006), citing Ellison v. Robertson, 357 F.3d 1072, 1081 (9th Cir. 2004).
7 Field v. Google Inc., 412 F. Supp. 2d 1106, 1124 (D. Nev. 2006).

not identical.8 Subsection 512(b) requires that cached copying be “intermediate and temporary” whereas subsection 512(a) uses the term “intermediate and transitory.”9 Temporary means “lasting for a limited time,” while transitory means only a “brief duration” of time.10 Thus, the difference between temporary and transitory suggests that intermediate storage may last a longer time when material is cached than when it is in transit.

4.12[6] Information Residing on Systems or Networks at the Direction of Users (User Storage)

4.12[6][A] In General

A service provider that meets the four threshold eligibility requirements set forth in section 4.12[3] may avoid liability for monetary relief “by reason of the storage at the direction of a user of material that resides on a system or network controlled or operated by or for” it, if it can meet four additional prerequisites.

First, a service provider must “not receive a financial benefit directly attributable to the infringing activity, in a case in which the service provider has the right and ability to control such activity.”1 The financial interest prong has been construed in the Ninth Circuit as requiring a showing that “ ‘the infringing activity constitutes a draw for subscribers, not just an added benefit.’ ”2

8 See Field v. Google Inc., 412 F. Supp. 2d 1106, 1124 (D. Nev. 2006) (citing Gustafson v. Alloyd Co., 513 U.S. 561, 570 (1995) for the principle that “identical words used in different parts of the same act are intended to have the same meaning”).
9 Compare 17 U.S.C. § 512(a) with 17 U.S.C. § 512(b).
10 Compare Temporary Definition, Merriam-Webster Dictionary.com, http://www.merriam-webster.com (last visited Apr. 29, 2013) with Transitory Definition, Merriam-Webster Dictionary.com, http://www.merriam-webster.com (last visited Apr. 29, 2013); see generally FDIC v. Meyer, 510 U.S. 471, 476 (1994) (using a dictionary to interpret a federal statute and stating, in the absence of a statutory definition, “we construe a statutory term in accordance with its ordinary or natural meaning”).
[Section 4.12[6][A]]
1 17 U.S.C.A. § 512(c).
2 Perfect 10, Inc. v. CCBill LLC, 488 F.3d 1102, 1117–18 (9th Cir.),


With respect to right and ability to control, the Second,3 Fourth4 and Ninth5 Circuits have held that the degree of control required to disqualify a service provider from eligibility for the DMCA safe harbor is higher than what would be required to prove right and ability to control to establish common law vicarious liability (which is analyzed in section 4.11[4]). Prior disagreement between the Second and Ninth Circuits over what constitutes right and ability to control has been resolved in favor of the Second Circuit's interpretation that right and ability to control does not presuppose knowledge of specific infringing activity.6 According to the Second Circuit, what is required is “something more than the ability to remove or block access to materials posted on a service provider's website.”7 That “something more” is understood in the Second and Ninth Circuits to involve exerting “substantial influence” on the activities of users, which may include high levels of control over user activities or purposeful conduct.8 Right and ability to control and financial interest are analyzed in section 4.12[6][D].

Second, a service provider must designate an agent to receive notifications of claimed infringement and publicize the name and contact information of the agent on its website and in a filing with the U.S. Copyright Office. Issues involving agent designation are briefly addressed in section 4.12[6][B] and more thoroughly analyzed in section 4.12[9][A].

cert. denied, 522 U.S. 1062 (2007); Ellison v. Robertson, 357 F.3d 1072, 1079 (9th Cir. 2004) (quoting legislative history).
3 See Viacom Int'l, Inc. v. YouTube, Inc., 676 F.3d 19, 37–38 (2d Cir. 2012).
4 See CoStar Group, Inc. v. LoopNet, Inc., 373 F.3d 544, 555 (4th Cir. 2004).
5 See UMG Recordings, Inc. v. Shelter Capital Partners LLC, 718 F.3d 1006, 1026–31 (9th Cir. 2013).
6 Viacom Int'l, Inc. v. YouTube, Inc., 676 F.3d 19, 36 (2d Cir. 2012) (disagreeing with the original Ninth Circuit opinion from 2011 in Shelter Partners, which was replaced, following reconsideration, by UMG Recordings, Inc. v. Shelter Capital Partners LLC, 718 F.3d 1006, 1026–31 (9th Cir. 2013)).
7 Viacom Int'l, Inc. v. YouTube, Inc., 676 F.3d 19, 38 (2d Cir. 2012), quoting Capitol Records, Inc. v. MP3Tunes, LLC, 821 F. Supp. 2d 627, 645 (S.D.N.Y. 2011).
8 See Viacom Int'l, Inc. v. YouTube, Inc., 676 F.3d 19, 38 (2d Cir. 2012); UMG Recordings, Inc. v. Shelter Capital Partners LLC, 718 F.3d 1006, 1030 (9th Cir. 2013).


Third, in response to a substantially complying notification, a service provider must disable access to or remove content identified in the notification.9 This requirement is discussed in section 4.12[6][B] and analyzed more thoroughly in section 4.12[9][B].

Fourth, even in the absence of a notification, a service provider must, on its own volition, disable access to or remove material where it has (a) actual knowledge of infringing activity or (b) awareness of facts or circumstances from which infringing activity is apparent (referred to in case law and the legislative history as material that raises a “red flag”10)—or risk losing DMCA protection for material stored at the direction of a user. The requirements for knowledge, awareness and corrective action are set forth in subsection 4.12[6][C]. As analyzed in that subsection, courts have held that generalized knowledge or awareness that a site or service may be used for infringing activity is not sufficient; only knowledge or awareness of specific files or activity will disqualify a service provider from the safe harbor's protections pursuant to subsection 512(c)(1)(A).11

The Second and Ninth Circuits have held that actual knowledge denotes subjective belief, whereas red flag awareness is judged by an objective reasonableness standard.12 Both Circuits have also clarified that copyright owners, not service providers, have the obligation to investigate whether material on a site or service is infringing. While a service provider has no obligation to take down material in

9 What it means to disable access to or remove material is addressed in section 4.12[6][C].
10 Some courts refer to “red flag” knowledge but this terminology is confusing given that the statute addresses “actual knowledge” and “awareness of facts or circumstances from which infringing activity is apparent.” This treatise uses the term “ ‘red flag’ awareness” which describes the statutory provision more accurately.
11 See, e.g., Viacom Int'l, Inc. v. YouTube, Inc., 676 F.3d 19, 30–32 (2d Cir. 2012); UMG Recordings, Inc. v. Shelter Capital Partners LLC, 718 F.3d 1006, 1021–23 (9th Cir. 2013); infra § 4.12[6][C].
12 See Viacom Int'l, Inc. v. YouTube, Inc., 676 F.3d 19, 31 (2d Cir. 2012); UMG Recordings, Inc. v. Shelter Capital Partners LLC, 718 F.3d 1006, 1025 (9th Cir. 2013) (quoting Viacom v. YouTube). The Ninth Circuit has underscored that “whether ‘the specific infringement’ is ‘objectively’ obvious to a reasonable person’ may vary depending on the facts proven by the copyright holder in establishing liability.” UMG Recordings, Inc. v. Shelter Capital Partners LLC, 718 F.3d 1006, 1026 n.15 (9th Cir. 2013).

response to a defective notification sent by a copyright owner, and knowledge or awareness may not be inferred from a notification that does not substantially comply with the requirements of section 512(c)(3),13 the Ninth Circuit suggested in dicta that an unverified notice sent by a third party (as opposed to the copyright owner who filed suit against the service provider) potentially could provide red flag awareness.14 Hence, in litigation, red flag awareness may be shown by evidence such as internal emails and communications from third parties (other than the owner of a copyright allegedly infringed).

Courts also have held that, even in the absence of proof of actual knowledge or red flag awareness, a service provider may be deemed to have knowledge or awareness where willful blindness is shown.15

13 See 17 U.S.C.A. § 512(c)(3)(B)(i); UMG Recordings, Inc. v. Shelter Capital Partners LLC, 718 F.3d 1006, 1020–21 n.12 (9th Cir. 2013).
14 See UMG Recordings, Inc. v. Shelter Capital Partners LLC, 718 F.3d 1006, 1024–25 (9th Cir. 2013). In Shelter Capital, UMG had argued that Veoh had red flag awareness of infringing material based on emails sent to Veoh executives by copyright owners, including an email sent by Disney's CEO to Michael Eisner, a Veoh investor, stating that unauthorized copies of the movie Cinderella III and various episodes from the television show Lost were posted on Veoh's site. The Ninth Circuit panel explained that “[i]f this notification had come from a third party, such as a Veoh user, rather than from a copyright holder, it might meet the red flag test [assuming the material was not taken down in response to the notice] because it specified particular infringing material. As a copyright holder, however, Disney is subject to the notification requirements in § 512(c)(3), which this informal email failed to meet.” Id. (footnote omitted).
15 See, e.g., Viacom Int'l, Inc. v. YouTube, Inc., 676 F.3d 19, 35 (2d Cir. 2012) (holding that knowledge or awareness may be established by evidence of willful blindness, which the court characterized as a deliberate effort to avoid guilty knowledge); Columbia Pictures Industries, Inc. v. Fung, 710 F.3d 1020, 1043 (9th Cir. 2013) (explaining that “inducing actions”—or measures deemed to induce copyright infringement—were relevant to the court's determination that the defendant had red flag awareness); Capitol Records, Inc. v. MP3Tunes, LLC, No. 07 Civ. 9931 (WHP), 2013 WL 1987225, at *3–4 (S.D.N.Y. May 14, 2013) (reconsidering its earlier ruling granting summary judgment for the service provider on plaintiff's claim for contributory infringement of those songs not subject to DMCA-compliant takedown notices, in light of the importance the Second Circuit placed on explicit fact-finding in evaluating willful blindness as a potential bar to DMCA protection in Viacom v. YouTube, and holding that a jury could reasonably interpret several documents as imposing a duty to make further inquiries into specific and identifiable instances of possible infringement); see also UMG Recordings, Inc. v. Shelter Capital Partners


Although responding to red flag material is plainly a requirement under section 512(c) to benefit from the user storage safe harbor in a suit brought over that material, the Ninth Circuit, in Perfect 10, Inc. v. CCBill, LLC,16 effectively made ongoing compliance with notice, knowledge or awareness requirements under section 512(c) part of the threshold requirements for entitlement to any of the DMCA's safe harbors. In CCBill, the Ninth Circuit construed the threshold requirement in section 512(i)(1) that, to qualify for any of the liability limitations, a service provider adopt, notify subscribers about and reasonably implement a policy of terminating “repeat infringers” in “appropriate circumstances” to require consideration of whether a service provider has responded to material where it had actual knowledge or “red flag” awareness (as well as notifications from third parties) to determine whether it is in fact keeping track of repeat infringers and reasonably implementing its termination policy. Thus, as a practical matter, a service provider that fails to disable access to material in response to notice, knowledge or red flag awareness, runs the risk, at least in the Ninth Circuit, of not only losing the benefit of the user storage safe harbor in a suit over material that was not taken down, but being stripped of DMCA protection for any of the safe harbors in litigation brought by any copyright owner. It remains to be seen whether other circuits will read the requirements of section 512(c) into the threshold requirements of section 512(i)(1) in the same manner as the Ninth Circuit.17

The obligation to disable access to or remove material in response to notice, knowledge or red flag awareness is addressed in connection with the user storage liability limitation in sections 4.12[6][C] (knowledge and red flag awareness) and 4.12[6][B] (notifications), and under CCBill, as part of the threshold requirement to reasonably implement a

LLC, 718 F.3d 1006, 1023 (9th Cir. 2013) (citing Viacom v. YouTube for the proposition that “a service provider cannot willfully bury its head in the sand to avoid obtaining . . . specific knowledge.”); Capitol Records, LLC v. Vimeo, LLC, 972 F. Supp. 2d 500, 524 (S.D.N.Y. 2013) (analyzing but rejecting plaintiffs' argument that Vimeo had been willfully blind where the evidence presented, while “disconcerting” in the words of the court, did not relate to any of the specific videos at issue in that case).
16 Perfect 10, Inc. v. CCBill LLC, 488 F.3d 1102, 1111 (9th Cir.), cert. denied, 522 U.S. 1062 (2007).
17 See supra § 4.12[3] (analyzing the threshold requirements of section 512(i)(1)).

repeat infringer policy, in section 4.12[3][B][iv].

The respective burdens placed on copyright owners (to search for infringement and provide notice) and service providers (to respond to notifications and act on their own in response to knowledge or red flag awareness) encourage copyright owners and service providers to cooperate with one another.18 From a practical perspective, the user storage limitation benefits service providers by potentially allowing them to avoid litigation, and if sued to get out of a case on a motion for summary judgment based on their entitlement to the user storage safe harbor, rather than having to go to trial or otherwise litigate the ultimate issue of liability. Copyright owners, in turn, benefit to the extent that service providers are given a tangible incentive to provide them with a quick and easy remedy when infringing content has been posted online, in lieu of having to seek injunctive relief simply to have material taken down from a site or service.

By its terms, section 512(c) applies to “material that resides on a system or network controlled by or for the service provider . . . by reason of the storage at the direction of a user.”19 In Hendrickson v. eBay, Inc.,20 however, a federal court in California ruled, based on the express language of 17 U.S.C.A. § 512(c)(1)(A)(i),21 that section 512(c) applies both to (a) cases where a plaintiff seeks to hold a service provider responsible for infringing “material” stored and displayed on the service provider's website and (b) infringing “activity using the material” on a service provider's system, such as merely listing infringing works for sale. Without citing Hendrickson, the Ninth Circuit subsequently agreed.22 In all cases, however, the material at issue must have

18 The legislative history provides that the Act is intended to “preserve strong incentives for service providers and copyright owners to cooperate to detect and deal with copyright infringements” in cyberspace, while “[a]t the same time . . . provid[e] greater certainty to service providers concerning their legal exposure for infringements that may occur in the course of their activities.” H. Rep. No. 105-796, 105th Cong. 2d Sess. 1, 72 (1998).
19 17 U.S.C.A. § 512(c)(1).
20 Hendrickson v. eBay, Inc., 165 F. Supp. 2d 1082 (C.D. Cal. 2001).
21 That section provides that a service provider may limit its liability under the user storage limitation if it “does not have actual knowledge that the material or an activity using the material on the system is infringing.”
22 See Columbia Pictures Industries, Inc. v. Fung, 710 F.3d 1020, 1042

been stored at the direction of a user.23

Both the Second and Ninth Circuits have construed the user storage liability safe harbor broadly as applying not only literally to the act of a user storing material but to any instance where liability is sought to be imposed “by reason of the storage at the direction of a user of material that resides on a system or network controlled or operated by or for the service provider . . . .”24 In parallel cases involving user generated video sites, both circuits rejected the argument that transcoding videos uploaded by users—or converting them into a standard display format so that they could be viewed by other users regardless of the software used to create the video—and creating a “playback” feature (delivering a copy of a video to a user's browser cache so that an uploaded video, once transcoded, could be viewed by others), transformed the uploaded works from material stored at the direction of a user (and therefore subject to the safe harbor) into new works for which the site itself could be held liable.25

The Second Circuit further held that YouTube's “related video” function—which displayed thumbnail images of clips determined automatically by a search algorithm to be “related” to a video selected for viewing by a user—did not bring YouTube outside the safe harbor, but remanded for further consideration the narrow question of whether third-party syndication of videos uploaded to YouTube was covered by the DMCA's user storage safe harbor (if in fact any of the videos at issue had been syndicated, which was a fact issue to be considered on remand).26 On remand, the district court held that YouTube's practice of syndicating user content to

(9th Cir. 2013) (holding that section 512(c), by virtue of the express terms of subsection 512(c)(1)(A)(i), “explicitly covers not just the storage of infringing material, but also the infringing ‘activit[ies]’ that ‘us[e] the material [stored] on the system or network.’ ”).
23 See Capitol Records, Inc. v. MP3Tunes, LLC, No. 07 Civ. 9931 (WHP), 2013 WL 1987225, at *6 (S.D.N.Y. May 14, 2013) (holding that MP3Tunes was not entitled to the user storage safe harbor for album art copied from Amazon.com because “while MP3Tunes' cover art algorithm retrieved and copied cover art solely in response to a user's song collection, the cover art itself was provided by Amazon.com, not other MP3Tunes users.”).
24 17 U.S.C.A. § 512(c)(1).
25 See Viacom Int'l, Inc. v. YouTube, Inc., 676 F.3d 19, 38–40 (2d Cir. 2012); UMG Recordings, Inc. v. Shelter Capital Partners LLC, 718 F.3d 1006, 1015–20 (9th Cir. 2013).
26 See Viacom Int'l, Inc. v. YouTube, Inc., 676 F.3d 19, 38–40 (2d Cir.

third-party mobile providers did not take YouTube outside the safe harbor because the videos syndicated to Apple, Sony, Panasonic, TiVo and AT&T remained stored on YouTube's servers and merely provided an alternative way to view material stored by users.27

The Ninth Circuit did not address the “related video” feature or syndication, but did consider other functions of a user generated video site, holding that a service provider did not lose safe harbor protection for creating chunked and flash files or allowing users to stream or even download videos from the site.28 A district court in the Southern District of New York similarly ruled that allowing users to download videos did not take a service provider outside the protection of the safe harbor for material stored at the direction of a user.29

The Second and Ninth Circuits have, in effect, set a bright

2012).
27 See Viacom Int'l, Inc. v. YouTube, Inc., 940 F. Supp. 2d 110, 122-23 (S.D.N.Y. 2013). YouTube's syndication agreements with these companies allowed them to access videos directly from YouTube's servers to make user-submitted videos accessible to their customers using mobile devices, tablets and Internet-enabled television sets. Pursuant to these agreements, YouTube automatically transcoded user-uploaded videos into formats compatible with third party devices. YouTube's standard syndication licenses involved “no manual selection of videos by YouTube, and the videos accessible via the third-party devices at all times remain[ed] stored on and accessed only from YouTube's system.” Id. at 122. Judge Stanton therefore concluded that “[t]his ‘syndication’ serves the purpose of § 512(c) by ‘providing access to material stored at the direction of users,’ . . . and entails neither manual selection nor delivery of videos.” Id. (citations omitted). In rejecting Viacom's argument that YouTube's syndication agreements took YouTube outside the safe harbor because the agreements were entered into for YouTube's own business purposes, Judge Stanton wrote that “the critical feature of these transactions is not the identity of the party initiating them, but that they are steps by a service provider taken to make user-stored videos more readily accessible (without manual intervention) from its system to those using contemporary hardware. They are therefore protected by the § 512(c) safe harbor.” Id. at 123. Judge Stanton did not address YouTube's separate practice of manually selecting videos to copy and remove from YouTube's system, which were hand delivered to Verizon to make available on its own system, because none of the allegedly infringing videos at issue in the case had been syndicated to Verizon. See id. at 122.
28 See UMG Recordings, Inc. v. Shelter Capital Partners LLC, 718 F.3d 1006, 1015–20 (9th Cir. 2013).
29 See Capitol Records, LLC v. Vimeo, LLC, 972 F. Supp. 2d 500, 519 (S.D.N.Y. 2013).

line standard for determining whether a service provider is entitled to the user storage liability created by section 512(c) for material initially stored by a user which looks to whether liability is sought to be imposed “by reason of” material “stored at the direction of a user”30—and not what the site or service does with the material once stored by a user, or where on a site or service it is stored (or how prominently), so long as it “resides on a system or network controlled or operated by or for the service provider . . . .”31 By analogy, these circuits apply a “but for” standard of general causation, rather than a proximate cause test, in evaluating whether a claim is based on material stored at the direction of a user, and therefore subject to the safe harbor.32 If, but for the act of user storage, a service provider would not be exposed to liability for copyright infringement, then the service provider is entitled to the safe harbor (assuming it meets the other requirements for eligibility) regardless of what else it does with the material stored by the user on its site or service. To benefit from the liability limitation, a claim need not relate narrowly to a user's act of storing material. Rather, the safe harbor applies if liability is premised on material that was stored at the direction of a user. Accordingly, a service provider that otherwise meets the eligibility requirements for the safe harbor will be insulated from liability for material stored at the direction of a user regardless of whether it is buried in a private storage locker in the cloud or prominently featured for public display on the homepage of a website33—or anywhere in between—and may be made available for users to stream (and in the Ninth

30 17 U.S.C.A. § 512(c)(1).
31 17 U.S.C.A. § 512(c)(1).
32 This analogy was articulated expressly by the Ninth Circuit. See UMG Recordings, Inc. v. Shelter Capital Partners LLC, 718 F.3d 1006, 1017 n.6 (9th Cir. 2013). It is also consistent with the way the Second Circuit construed the DMCA's user storage safe harbor in Viacom Int'l, Inc. v. YouTube, Inc., 676 F.3d 19 (2d Cir. 2012); see also, e.g., BWP Media USA Inc. v. Clarity Digital Group, LLC, Civil Action No. 14-cv-00467-PAB-KMT, 2015 WL 1538366 (D. Colo. Mar. 31, 2015) (following YouTube in broadly defining user for purposes of storage “at the direction of a user,” in granting summary judgment for the operator of Examiner.com based on its entitlement to the DMCA safe harbor; “service providers lose protection for activities they undertake that lack a causal connection to user-initiated storage of infringing material.”).
33 If material that appears to be infringing is prominently made available on a site or service it could raise red flag awareness issues if observed by a service provider's employees and not removed (see infra § 4.12[6][C]),


Circuit, even download), provided that liability is premised on material stored at the direction of a user and the service provider does not do something with the material to bring itself outside the safe harbor, such as compiling user material for distribution on a DVD or otherwise outside of “a system or network controlled or operated by or for the service provider . . . ,”34 beyond which DMCA safe harbor protection does not extend.35

but the prominence of its display would not change its character as material stored at the direction of a user.
34 17 U.S.C.A. § 512(c)(1).
35 In another case, the Ninth Circuit went further, ruling that the user storage safe harbor potentially even applies in narrow circumstances where the infringing material itself is not resident on a defendant's “system or network” because subsection 512(c)(1)(A)(i) “explicitly covers not just the storage of infringing material, but also the infringing ‘activit[ies]’ that ‘us[e] the material [stored] on the system or network.’ ” Columbia Pictures Industries, Inc. v. Fung, 710 F.3d 1020, 1042 (9th Cir. 2013) (explaining that “the infringing activity associated with Fung—the peer-to-peer transfer of pirated content—relied upon torrents stored on Fung's websites.”). In the context of the Fung case itself, however, this analysis was faulty. Section 512(c), by its terms, is limited to situations where liability is based on “storage at the direction of a user of material that resides on a system or network controlled or operated by or for the service provider . . . .” 17 U.S.C.A. § 512(c)(1). The reference to activity in section 512(c)(1)(A)(i) accounts for the fact that the material residing on a system or network may not inherently be infringing. For example, a user lawfully may store a copy of a work in a cloud storage locker, but the act of selling access to that otherwise noninfringing copy to numerous third parties may amount to infringing activity in the form of unauthorized reproduction of an otherwise noninfringing copy. Hence, section 512(c)(1)(A)(i) stipulates that to be entitled to the safe harbor a service provider may “not have actual knowledge that the material or an activity using the material on the system or network is infringing . . . .” Id. § 512(c)(1)(A)(i) (emphasis added). This statement of one of several eligibility requirements for the safe harbor cannot reasonably be seen to modify the unambiguous provision at the outset of section 512(c)(1) that, if the various eligibility requirements (including section 512(c)(1)(A)(i)) are met, a service provider “shall not be liable for monetary relief, or, except as provided in subsection (j), for injunctive or other equitable relief, for infringement of copyright by reason of the storage at the direction of a user of material that resides on a system or network controlled or operated by or for the service provider . . . .” Id. § 512(c)(1) (emphasis added). Even if this were not the case, the Ninth Circuit's implicit definition of material to include torrent files, rather than material that may be infringed or infringing (or form the basis for liability for infringement), does not make sense in the context of section 512(c). Section 512(c)(1)(A)(i), by its terms, requires that any “activity” involve material on the service provider's system or network. See id. § 512(c)(1)(A)(i) (mandating that a


service provider “not have actual knowledge that the material or an activity using the material on the system or network is infringing . . .”; emphasis added). While liability for copyright infringement could be imposed for activities that use torrent files stored on a defendant's servers, the safe harbor, by its terms, applies where liability is premised on “infringement of copyright by reason of the storage at the direction of a user of material that resides on a system or network controlled or operated by or for the service provider . . . .” Id. § 512(c)(1) (emphasis added). The “materials” identified by the Ninth Circuit in Fung were tracker files, which are index files that enable works to be assembled using the BitTorrent file sharing protocol but which themselves contain no copyrighted content. See Columbia Pictures Industries, Inc. v. Fung, 710 F.3d 1020, 1027 (9th Cir. 2013). Torrent files on their own are more akin to links (or “information location tools,” covered by section 512(d)) since they do not contain copyrighted material. Liability in Fung was not pursued by plaintiffs by reason of the storage of tracker files, but based on active inducement by the defendants (see supra § 4.11[5]), of which the presence of tracker files was merely one component that alone could not have formed the basis for copyright liability.

By contrast, in Hendrickson v. eBay, Inc., 165 F. Supp. 2d 1082 (C.D. Cal. 2001), the district court found that the DMCA applied to sales by eBay where the activity was “infringing activity—the sale and distribution of pirated copies of ‘Manson’ [a DVD]—using ‘materials’ posted eBay's website [a user's sales listing] . . . .” Id. at 1088. Unlike the presence of trackers in Fung, the material at issue in Hendrickson was the basis for plaintiff's copyright infringement suit. But for those listings, eBay could not have been held liable. On the other hand, in Fung, even without the presence of tracker files stored by users the defendants still would have been found liable for copyright inducement. See supra § 4.11[5] (discussing the Fung case in greater detail).

The district court in Fung ultimately may have been correct in concluding that section 512(c) simply was inapplicable in Fung. While the Ninth Circuit was correct in noting that section 512(c) is not limited to material stored on a defendant's server (because the statute, by its terms, references a “system or network controlled or operated by or for the service provider, . . .” id. § 512(c)(1)), the panel's interpretation that section 512(c) extends to activities that use material (with material defined broadly to mean torrent files, and not more narrowly material for which direct copyright liability may be imposed), based on language used in a subsection defining an eligibility requirement for the safe harbor, appears to be incorrect. It may be possible on these facts or others that a “system or network” could be construed to cover BitTorrent trackers or swarms or other systems or networks where collectively material is stored in pieces and thereafter reassembled. The mere reference in section 512(c)(1)(A)(i) to an activity, however, is not the proper rationale for holding that the user storage safe harbor may be applicable in a case where merely some torrents may have been stored on Fung's website.

In Masck v. Sports Illustrated, 5 F. Supp. 3d 881, 888 (E.D. Mich. 2014), the court, without much elaboration, denied Walmart's motion for summary judgment on its entitlement to the DMCA safe harbor, seemingly crediting the plaintiff's argument that unlike Amazon.com, Walmart operates both online and in physical stores, and that the DMCA safe harbor may not be available for retail operations in the physical world, although the court was not entirely clear on the basis for its denial.

Case law on the scope of the user storage liability limitation for user-uploaded video sites evolved from a pair of California district court rulings in 2008, both of which shaped the law in the Ninth Circuit and were subsequently relied upon by the Second Circuit.

In the first case to consider the applicability of the DMCA user storage safe harbor to a user generated video site, Io Group, Inc. v. Veoh Networks, Inc.,36 Northern District of California Magistrate Judge Howard Lloyd rejected the argument that a service provider's actions in transcoding user submitted videos changed the character of the material from that stored at the direction of a user (and therefore within the safe harbor) to material that “resides on the system or network operated by or for the service provider through its own acts or decisions and not at the direction of a user.”37 Among other things, Veoh transcoded uploaded videos so that they would play in flash format. It also extracted a still image from the video that it displayed along with information about the video to more effectively index the videos. The court, however, held that Veoh was not disqualified from the protections of the safe harbor on these grounds.

In granting summary judgment for the defendant based on its entitlement to the DMCA user storage safe harbor, Magistrate Judge Lloyd ruled that the “structure and language” of the safe harbor make clear that section 512(c) is “not limited to merely storing material.”38 Judge Lloyd noted that whereas the definition of service provider for purposes of the “conduit only” functions under section 512(a)39 is very narrow (only applying to an entity “offering the transmission, routing, or providing of connections for digital online communications, between or among points specified by a user, of material of the user's choosing, without modification to the content of the material as sent or re-

36 Io Group, Inc. v. Veoh Networks, Inc., 586 F. Supp. 2d 1132 (N.D. Cal. 2008).
37 Io Group, Inc. v. Veoh Networks, Inc., 586 F. Supp. 2d 1132, 1146 (N.D. Cal. 2008) (quoting legislative history).
38 Io Group, Inc. v. Veoh Networks, Inc., 586 F. Supp. 2d 1132, 1147 (N.D. Cal. 2008).
39 See supra § 4.12[4].

4-506 Copyright Protection in Cyberspace 4.12[6][A] ceived”),40 “no such limitation as to the modication of mate- rial is included in the broader denition of ‘service provider,’ ’’ that is applicable under section 512(c),41 which the parties stipulated applied to Veoh. The court concluded that “[h]ad Congress intended to include a limitation as to a service provider's modication of user-submitted information, it would have said so expressly and unambiguously.”42 Judge Lloyd also noted that case law supported “the conclusion that Veoh is not precluded from [the] safe harbor under Section 512(c) by virtue of its automated processing of user-submitted content.”43 He explained that in CoStar Group, Inc. v. LoopNet, Inc.,44 the court held that the defendant was entitled to the user storage limitation even though its employees manually reviewed photos submitted by users and posted to the website only those that met the defendant's criteria (photos that depicted real estate and did not appear to be obviously copyrighted). Judge Lloyd explained that the LoopNet court “concluded that the photos were uploaded, in the rst instance, at the volition of users and that defendant's employees simply performed a ‘gateway’ function that furthered the goals of the DMCA.”45 In Io Group, Inc. v. Veoh Networks, Inc., Judge Lloyd similarly reasoned that Veoh had simply established a system whereby software automatically processes user- submitted content and recasts it in a format that is readily accessible to users. Veoh preselects the software parameters . . . [b]ut Veoh does not itself actively participate or

40 586 F. Supp. 2d at 1147, quoting 17 U.S.C.A. § 512(k)(1)(A) (emphasis added by the court).
41 17 U.S.C.A. § 512(k) creates two different definitions for service provider, a broad one generally applicable to the various DMCA safe harbors and a narrower one applicable only to the transitory digital network communications safe harbor created by section 512(a). See generally supra § 4.12[2].
42 Io Group, Inc. v. Veoh Networks, Inc., 586 F. Supp. 2d 1132, 1147 (N.D. Cal. 2008).
43 Io Group, Inc. v. Veoh Networks, Inc., 586 F. Supp. 2d 1132, 1147 (N.D. Cal. 2008).
44 CoStar Group Inc. v. LoopNet, Inc., 164 F. Supp. 2d 688 (D. Md. 2001), aff'd, 373 F.3d 544, 556 (4th Cir. 2004).
45 Io Group, Inc. v. Veoh Networks, Inc., 586 F. Supp. 2d 1132, 1147–48 (N.D. Cal. 2008), citing CoStar Group Inc. v. LoopNet, Inc., 164 F. Supp. 2d 688, 702 (D. Md. 2001), aff'd on other grounds, 373 F.3d 544 (4th Cir. 2004).

supervise the uploading of files. Nor does it preview or select the files before the upload is completed. Instead, video files are uploaded through an automated process which is initiated entirely at the volition of Veoh's users.46

Later that year, in UMG Recordings, Inc. v. Veoh Networks, Inc.,47 Judge Howard Matz of the Central District of California denied Universal Music Group's motion for partial summary judgment in its suit against Veoh, based on an even broader challenge to its entitlement to the user storage liability limitation, in an opinion that subsequently was affirmed by the Ninth Circuit in 2013.48 Whereas Io Group involved the issue of transcoding (or creating flash-formatted copies of video files), UMG argued that four of the things Veoh did to uploaded videos to make them viewable and downloadable on its site (including transcoding) did not involve “storage” and were not undertaken “at the direction of a user.” Specifically, UMG challenged software functions that: (1) automatically created “flash-formatted” copies of video files uploaded by users; (2) automatically created copies of uploaded video files that were comprised of smaller 256-kilobyte “chunks” of the original file; (3) allowed users to access uploaded videos via streaming; and (4) allowed users to download entire video files. While the court did not address the question of whether these functions were actually infringing, Judge Matz noted that it was undisputed that all of these software functions were directed toward facilitating access to materials stored at the direction of users.

In denying UMG's motion, the district court rejected UMG's argument for a narrow interpretation of the user storage liability limitation that would have extended protection to operational features only if they provided or constituted storage. Judge Matz did not deem it necessary to define the outermost limits of the safe harbor, but agreed with Veoh that the language of section 512(c) is “broad” and that Veoh was not disqualified from protection because of automated processing of user uploaded material to allow users to be able to view and access it when stored on Veoh's site. He explained that:

The critical statutory language really is pretty clear. Common sense and widespread usage establish that “by reason of” means “as a result of” or “something that can be attributed to.” So understood, when copyrighted content is displayed or distributed on Veoh it is “as a result of” or “attributable to” the fact that users uploaded the content to Veoh's servers to be accessed by other means. If providing access could trigger liability without the possibility of DMCA immunity, service providers would be greatly deterred from performing their basic, vital and salutary function—namely, providing access to information and material for the public.49

Judge Matz noted that section 512(c) “codifies the ‘notice and takedown’ procedure Congress instituted so that service providers and copyright owners could cooperate to protect copyrights.”50 Under UMG's theory, he wrote, the “‘safe harbor’ would in fact be full of treacherous shoals if the copyright owner still could recover damages because the service provider remained liable for having provided access to the stored material that had been removed.”

Judge Matz found that the legislative history and case law51 bolstered his interpretation of the plain text of section 512(c), which he found “extend[s] to functions directly involved in providing access to material stored at the direction of a user.”52 Citing to the House Report's explanation that section 512 was intended to preserve strong incentives

46 Io Group, Inc. v. Veoh Networks, Inc., 586 F. Supp. 2d 1132, 1148 (N.D. Cal. 2008).
47 UMG Recordings, Inc. v. Veoh Networks, Inc., 620 F. Supp. 2d 1081 (C.D. Cal. 2008), aff'd sub nom. UMG Recordings, Inc. v. Shelter Capital Partners LLC, 718 F.3d 1006 (9th Cir. 2013).
48 The Ninth Circuit originally affirmed Judge Matz's decision in UMG Recordings, Inc. v. Shelter Capital Partners LLC, 667 F.3d 1022 (9th Cir. 2011), which was withdrawn and replaced by a new opinion on motion for reconsideration in light of the Second Circuit's disagreement with Shelter Capital Partners on the issue of what constitutes right and ability to control. The panel's subsequent opinion affirming Judge Matz's order revised its prior analysis to conform to the Second Circuit. See UMG Recordings, Inc. v. Shelter Capital Partners LLC, 718 F.3d 1006 (9th Cir. 2013).

49 UMG Recordings, Inc. v. Veoh Networks, Inc., 620 F. Supp. 2d 1081, 1089 (C.D. Cal. 2008), aff'd sub nom. UMG Recordings, Inc. v. Shelter Capital Partners LLC, 718 F.3d 1006 (9th Cir. 2013).
50 UMG Recordings, Inc. v. Veoh Networks, Inc., 620 F. Supp. 2d 1081, 1089 (C.D. Cal. 2008), aff'd sub nom. UMG Recordings, Inc. v. Shelter Capital Partners LLC, 718 F.3d 1006 (9th Cir. 2013).
51 See UMG Recordings, Inc. v. Veoh Networks, Inc., 620 F. Supp. 2d 1081, 1091–92 (C.D. Cal. 2008) (discussing prior case law), aff'd sub nom. UMG Recordings, Inc. v. Shelter Capital Partners LLC, 718 F.3d 1006 (9th Cir. 2013).
52 UMG Recordings, Inc. v. Veoh Networks, Inc., 620 F. Supp. 2d 1081, 1090 (C.D. Cal. 2008), aff'd sub nom. UMG Recordings, Inc. v. Shelter Capital Partners LLC, 718 F.3d 1006 (9th Cir. 2013).

for service providers and copyright owners to cooperate to detect and deal with copyright infringement, he wrote that “this cooperative process would be pointless if service providers who provide access to material stored on their systems at the direction of users were precluded from limiting their potential liability merely because their services enabled users to access such works.”53 The threat of this liability “would create an enormous disincentive to provide access, thereby limiting the ‘variety and quality of services on the Internet.’”54

The following year, Judge Matz granted summary judgment in favor of Veoh, finding that the DMCA user storage safe harbor insulated Veoh from all of UMG's copyright claims.55

On appeal, the Ninth Circuit characterized the question as “whether the functions automatically performed by Veoh's software when a user uploads a video fall within the meaning of ‘by reason of the storage at the direction of a user.’”56 The appellate panel answered this question in the affirmative, rejecting UMG's argument that storage did not encompass the automatic processes undertaken by Veoh to allow public access to user-uploaded videos, based on the court's reading of “the language and structure of the statute, as well as the legislative intent that motivated its enactment

53 UMG Recordings, Inc. v. Veoh Networks, Inc., 620 F. Supp. 2d 1081, 1091 (C.D. Cal. 2008), aff'd sub nom. UMG Recordings, Inc. v. Shelter Capital Partners LLC, 718 F.3d 1006 (9th Cir. 2013).
54 UMG Recordings, Inc. v. Veoh Networks, Inc., 620 F. Supp. 2d 1081 (C.D. Cal. 2008) (citing S. Rep. 105-190, at 8 (“In the ordinary course of their operations service providers must engage in all kinds of acts that expose them to potential copyright infringement liability .... [B]y limiting the liability of service providers, the DMCA ensures that the efficiency of the Internet will continue to improve and that the variety and quality of services on the Internet will continue to expand.”)), aff'd sub nom. UMG Recordings, Inc. v. Shelter Capital Partners LLC, 718 F.3d 1006 (9th Cir. 2013).
55 See UMG Recordings, Inc. v. Veoh Networks Inc., 665 F. Supp. 2d 1099 (C.D. Cal. 2009) (granting Veoh's motion for summary judgment, holding that Veoh was entitled to the DMCA safe harbor), aff'd sub nom. UMG Recordings, Inc. v. Shelter Capital Partners LLC, 718 F.3d 1006 (9th Cir. 2013).
56 UMG Recordings, Inc. v. Shelter Capital Partners LLC, 718 F.3d 1006, 1015 (9th Cir. 2013).


....”57 Although the Ninth Circuit did not identify the outer reaches of the term by reason of the storage at the direction of a user, in rejecting UMG's argument for a narrow construction the appellate panel implied in dicta that “by reason of” in the context of the DMCA “should be read to require only ‘but for’ rather than proximate causation.”58

Judge Raymond C. Fisher, writing for himself and Judges Harry Pregerson and Marsha S. Berzon, emphasized that their doubts about UMG's narrow reading of the statutory term were confirmed by the fact that UMG's interpretation would lead to internal statutory conflicts:

By its terms, § 512(c) presupposes that service providers will provide access to users' stored material, and we would thus contravene the statute if we held that such access disqualified Veoh from the safe harbor. Section 512(c) codifies a detailed notice and takedown procedure by which copyright holders inform service providers of infringing material accessible through their sites, and service providers then “disable access to” such materials. 17 U.S.C. § 512(c)(1)(A)(iii), (c)(1)(C) & (c)(3)(A)(iii) (emphasis added). This carefully considered protocol, and the statute's attendant references to “disabl[ing] access” to infringing materials, see id., would be superfluous if we accepted UMG's constrained reading of the statute. See Greenwood v. CompuCredit Corp., 615 F.3d 1204, 1209 (9th Cir. 2010) (“We must, if possible, interpret a statute such that all its language is given effect, and none of it is rendered superfluous.” (citing TRW Inc. v. Andrews, 534 U.S. 19, 31 (2001))). Indeed, it is not clear how copyright holders could even discover infringing materials on service providers' sites

57 UMG Recordings, Inc. v. Shelter Capital Partners LLC, 718 F.3d 1006, 1016 (9th Cir. 2013).
58 UMG Recordings, Inc. v. Shelter Capital Partners LLC, 718 F.3d 1006, 1017 n.6 (9th Cir. 2013) (citing and discussing cases interpreting similar language in other statutes). The court explained that: “‘But for’ causation is a short way of saying ‘[t]he defendant's conduct is a cause of the event if the event would not have occurred but for that conduct.’ It is sometimes stated as ‘sine qua non’ causation, i.e., ‘without which not ....’” Boeing Co. v. Cascade Corp., 207 F.3d 1177, 1183 (9th Cir. 2000). “In determining whether a particular factor was a but-for cause of a given event, we begin by assuming that that factor was present at the time of the event, and then ask whether, even if that factor had been absent, the event nevertheless would have transpired in the same way.” Price Waterhouse v. Hopkins, 490 U.S. 228, 240 (1989) (plurality opinion) .... Id.


to notify them as the protocol dictates if § 512(c) did not contemplate that there would be access to the materials.59

The appellate panel likewise rejected what it characterized as UMG's “novel theory” that Congress intended for the user storage safe harbor to apply only to web hosting services, citing the Electronic Frontier Foundation's amicus curiae brief for the proposition that “these accessing activities define web hosting—if the web host only stored information for a single user, it would be more aptly described as an online back-up service.”60 The panel emphasized that the language of the statute itself contemplated activities that went beyond mere storage in immunizing both infringing material and activity61 and in providing that, to comply with the safe harbor for infringing activity, service providers must remove or disable access to allegedly infringing material, “suggesting that if the material were still being stored by the service provider, but was inaccessible, it might well not be infringing.”62 The court also noted that if Congress had wanted to confine section 512(c) exclusively to web hosts, rather than reach a wider range of service providers, it likely would have made that clear in the definition of service provider which is narrowly defined only for section 512(a) (the safe harbor for routing) but more broadly defined for the other safe harbors, including section 512(c).63

Quoting from Judge Lloyd's opinion in Io Group, Inc. v. Veoh Networks, Inc., the Ninth Circuit concluded that:

“Veoh has simply established a system whereby software automatically processes user-submitted content and recasts it in a format that is readily accessible to its users.” Id. at 1148. Veoh does not actively participate in or supervise file uploading, “[n]or does it preview or select the files before the upload is completed.” Id. Rather, this “automated process” for making files accessible “is initiated entirely at the volition of Veoh's users.” Id.; see also CoStar Grp., Inc. v. LoopNet, Inc., 373 F.3d 544, 555 (4th Cir. 2004). We therefore hold that Veoh has

59 UMG Recordings, Inc. v. Shelter Capital Partners LLC, 718 F.3d 1006, 1018 (9th Cir. 2013).
60 UMG Recordings, Inc. v. Shelter Capital Partners LLC, 718 F.3d 1006, 1018 (9th Cir. 2013).
61 See 17 U.S.C.A. §§ 512(c)(1)(A)(i), 512(c)(1)(A)(ii).
62 UMG Recordings, Inc. v. Shelter Capital Partners LLC, 718 F.3d 1006, 1019 (9th Cir. 2013), citing 17 U.S.C.A. § 512(c)(1)(A)(iii).
63 UMG Recordings, Inc. v. Shelter Capital Partners LLC, 718 F.3d 1006, 1019 & n.9 (9th Cir. 2013), citing 17 U.S.C.A. §§ 512(k)(1)(A), 512(k)(1)(B).


satisfied the threshold requirement that the infringement be “by reason of the storage at the direction of a user of material” residing on Veoh's system. 17 U.S.C. § 512(c)(1).64

The Second Circuit, in Viacom Int'l, Inc. v. YouTube, Inc.,65 likewise relied on Judge Lloyd's analysis in Io Group, Inc. v. Veoh Networks, Inc.,66 as well as the Ninth Circuit's decision in UMG Recordings, Inc. v. Shelter Capital Partners LLC67 and district court Judge Matz's earlier opinion in that case, in construing the term by reason of storage similarly broadly.68 Circuit Judge José Cabranes, on behalf of himself and Judge Livingston,69 cited Io Group for the proposition that “service providers seeking safe harbor under [section] 512(c) are not limited to merely storing material.”70 The panel also cited the broader definition of service provider applicable to the user storage safe harbor as evidence that section 512(c) “is clearly meant to cover more than mere storage lockers.”71 The panel further explained that section 512(c) “extends to software functions performed for the purpose of facilitating access to user-stored material.”72

64 UMG Recordings, Inc. v. Shelter Capital Partners LLC, 718 F.3d 1006, 1020 (9th Cir. 2013), quoting Io Group, Inc. v. Veoh Networks, Inc., 586 F. Supp. 2d 1132, 1148 (N.D. Cal. 2008).
65 Viacom Int'l, Inc. v. YouTube, Inc., 676 F.3d 19 (2d Cir. 2012).
66 Io Group, Inc. v. Veoh Networks, Inc., 586 F. Supp. 2d 1132 (N.D. Cal. 2008).
67 UMG Recordings, Inc. v. Shelter Capital Partners LLC, 718 F.3d 1006 (9th Cir. 2013).
68 Viacom Int'l, Inc. v. YouTube, Inc., 676 F.3d 19, 38–40 (2d Cir. 2012).
69 Judge Roger J. Miner, who had also been assigned to the panel, passed away prior to the resolution of the case. See Viacom Int'l, Inc. v. YouTube, Inc., 676 F.3d 19, 25 n.1 (2d Cir. 2012).
70 Viacom Int'l, Inc. v. YouTube, Inc., 676 F.3d 19, 39 (2d Cir. 2012), quoting Io Group, Inc. v. Veoh Networks, Inc., 586 F. Supp. 2d 1132, 1147 (N.D. Cal. 2008).
71 Viacom Int'l, Inc. v. YouTube, Inc., 676 F.3d 19, 39 (2d Cir. 2012), quoting UMG Recordings, Inc. v. Veoh Networks, Inc., 620 F. Supp. 2d 1081, 1088 (C.D. Cal. 2008), aff'd sub nom. UMG Recordings, Inc. v. Shelter Capital Partners LLC, 718 F.3d 1006 (9th Cir. 2013).
72 Viacom Int'l, Inc. v. YouTube, Inc., 676 F.3d 19, 39 (2d Cir. 2012), quoting UMG Recordings, Inc. v. Veoh Networks, Inc., 620 F. Supp. 2d 1081, 1088 (C.D. Cal. 2008), aff'd sub nom. UMG Recordings, Inc. v. Shelter Capital Partners LLC, 718 F.3d 1006 (9th Cir. 2013) and citing UMG Recordings, Inc. v. Shelter Capital Partners LLC, 667 F.3d 1022, 1031–35 (9th Cir. 2011), opinion withdrawn and replaced, 718 F.3d 1006


The Second Circuit panel held that three of YouTube's challenged software functions—transcoding videos into a standard display format, playback, which allowed users to view videos on “watch” pages, and the “related videos” function, which automatically displayed thumbnail images of related videos—did not cause YouTube to lose safe harbor protection. With respect to transcoding and playback, the Second Circuit agreed with the Ninth Circuit in Shelter Capital and district court Judge Louis L. Stanton's decision below that “to exclude these automated functions from the safe harbor would eviscerate the protection afforded to service providers by § 512(c).”73 The panel concluded that a similar analysis applied to YouTube's “related video” function, by which an algorithm identified and displayed thumbnail images of clips that were deemed “related” to videos viewed by a user. The Second Circuit declined to decide whether the phrase by reason of required a finding of proximate causation between the act of storage and the infringing activity, as Viacom had urged, because even if that showing was required, “the indexing and display of related videos retain a sufficient causal link to the prior storage of those videos.”74

The Second Circuit remanded the case, however, on the narrow question of whether any of the videos at issue had been syndicated to third parties and, if so, whether potential liability for third-party syndication was outside the scope of the user storage safe harbor. The appellate panel explained

(9th Cir. 2013).
73 Viacom Int'l, Inc. v. YouTube, Inc., 676 F.3d 19, 39 (2d Cir. 2012), opinion withdrawn and replaced, 718 F.3d 1006 (9th Cir. 2013) (citing the district court opinion in the case).
74 Viacom Int'l, Inc. v. YouTube, Inc., 676 F.3d 19, 40 (2d Cir. 2012). The panel explained: The record makes clear that the related videos algorithm “is fully automated and operates solely in response to user input without the active involvement of YouTube employees.” Supp. Joint App'x I:237. Furthermore, the related videos function serves to help YouTube users locate and gain access to material stored at the direction of other users. Because the algorithm “is closely related to, and follows from, the storage itself,” and is “narrowly directed toward providing access to material stored at the direction of users[]” Viacom Int'l, Inc. v. YouTube, Inc., 676 F.3d 19, 40 (2d Cir. 2012), quoting UMG Recordings, Inc. v. Veoh Networks, Inc., 620 F. Supp. 2d 1081, 1092 (C.D. Cal. 2008), aff'd sub nom. UMG Recordings, Inc. v. Shelter Capital Partners LLC, 718 F.3d 1006 (9th Cir. 2013).

that in March 2007 YouTube had transcoded a select number of videos into a format compatible with mobile devices and syndicated (or licensed) the videos to Verizon Wireless and other companies. Plaintiffs had argued that business transactions do not occur at the direction of a user within the meaning of section 512(c)(1) “when they involve the manual selection of copyrighted material for licensing to a third party.”75 It was undisputed that none of the videos at issue in the lawsuit had been syndicated to Verizon Wireless. Accordingly, to “avoid rendering an advisory opinion on the outer bounds of the storage provision,” the panel remanded for the narrow determination of whether any of the videos at issue in the lawsuit in fact had been syndicated to any third party.76

As noted earlier in this subsection, on remand, the district court again granted summary judgment for YouTube, holding that YouTube's practice of syndicating user content to third-party mobile providers did not take YouTube outside the safe harbor because the videos syndicated to Apple, Sony, Panasonic, TiVo and AT&T remained stored on YouTube's servers and merely provided users with an alternative way to view material stored by users.77

Second and Ninth Circuit case law ultimately make clear that section 512(c) does not distinguish between how widely accessible or prominently presented a work is once it is stored on a website at the direction of a user. Whether material is hidden inconspicuously or prominently displayed on the homepage of a site—or indeed on every single page of the site—should not affect safe harbor protection (even though it could affect damages78 or potentially even secondary liability, where safe harbor protection is inapplicable79) if it was stored at the direction of a user, rather than by the site itself, and if copyright liability is sought to be imposed on the service provider by reason of that stored material or the act of storing it and making it available for others.80 The relevant consideration is whether the allegedly infringing

75 Viacom Int'l, Inc. v. YouTube, Inc., 676 F.3d 19, 40 (2d Cir. 2012).
76 Viacom Int'l, Inc. v. YouTube, Inc., 676 F.3d 19, 40 (2d Cir. 2012).
77 See Viacom Int'l, Inc. v. YouTube, Inc., 940 F. Supp. 2d 110, 122 (S.D.N.Y. 2013).
78 See infra § 4.14[3].
79 See supra § 4.11.
80 The greater prominence given to material may be relevant to

material or activity, regardless of how characterized, is attributable to material stored by a service provider—i.e., “that resides on a system or network controlled or operated by or for the service provider . . .”81—at the direction of a user. If it is, the user storage safe harbor applies, and the liability limitation is not lost regardless of the manner in which the material is stored by the service provider on its website or the various uses made of it (including even enabling user downloads, at least in the Ninth Circuit) so long as the material resides on a system or network controlled or operated by or for the service provider.

On the other hand, Viacom v. YouTube underscores that if material is transferred by a service provider from its site or service to a third party, where it no longer “resides on a system or network controlled or operated by or for the service provider . . . ,”82 an open question may arise about whether the safe harbor applies to that transfer (and that material), at least in the Second Circuit. Material initially stored at the direction of a user but then redistributed by a service provider in the physical world, rather than on a service provider's system or network, for example, could place a service provider outside the safe harbor with respect to physical world distribution of that material. A service provider might not have protection for material redistributed over traditional radio or television, for example, even if that material originated with a user and originally was stored on a system or network controlled or operated by a service provider. If the content was accessed on a television or radio (or on a mobile device) from the service provider's system or network (or a system or network operated for the service provider), however, the safe harbor should apply.

There is also potentially an open question about whether the user storage safe harbor is available for material stored by employees. The safe harbor applies to material stored at the direction of users. Whether material stored by employees is deemed to be stored by a user or by the site itself may

whether the service provider has a financial interest (infra § 4.12[6][D]) or red flag awareness (infra § 4.12[6][C]) but is not per se disqualifying and does not change its character as user-stored material if it was in fact stored at the direction of a user.
81 17 U.S.C.A. § 512(c)(1).
82 17 U.S.C.A. § 512(c)(1).

turn on principles of common law agency.83

Courts in a number of less complicated cases have held service providers entitled to DMCA protection, typically in response to a motion for summary judgment,84 or found factual issues in dispute, precluding the entry of summary

83 See, e.g., Capitol Records, LLC v. Vimeo, LLC, 972 F. Supp. 2d 500, 518-19 (S.D.N.Y. 2013) (holding that the issue of whether certain Vimeo employees were acting on behalf of the service provider or as individual users of the site, with respect to 10 infringing videos uploaded by them, represented a disputed factual issue precluding summary judgment); see also UMG Recordings, Inc. v. Escape Media Group, Inc., No. 11 Civ. 8407 (TPG), 2015 WL 1873098, at *7 (S.D.N.Y. Apr. 23, 2015) (holding, based on the agreement of the parties, that the DMCA was not relevant at trial in a case where the defendants' employees had uploaded allegedly infringing songs to the Grooveshark music service because “the infringements at issue involved the unauthorized uploading of copyrighted recordings, pursuant to the express direction of the defendants, by numerous Escape employees—not Grooveshark users.”) (emphasis in original). Employee liability has been addressed in other digital copyright cases in the context of liability, rather than in connection with eligibility for the user storage safe harbor. See, e.g., Capitol Records, Inc. v. MP3Tunes, LLC, — F. Supp. 3d —, 2014 WL 4851719, at *4 (S.D.N.Y. 2014) (holding that the jury finding that MP3Tunes was liable under respondeat superior for MP3Tunes' executives sideloading infringing works into their personal lockers was supported by evidence that the individuals acted (1) within the scope of their authority as MP3Tunes employees and (2) in furtherance of MP3Tunes' business); Capitol Records, Inc. v. MP3Tunes, LLC, 821 F. Supp. 2d 627, 649 (S.D.N.Y. 2011) (holding the founder directly liable for personally “sideloading” (uploading to Sideload.com) infringing songs intended to “seed” the website with popular music, but denying summary judgment seeking to hold the corporate defendant liable under the doctrine of respondeat superior for uploading by employees where it was not clear whether the employees downloaded the songs from unauthorized sites during the course of their employment), aff'd in part and modified in part, 2013 WL 1987225, at *7–8 (S.D.N.Y. May 14, 2013) (affirming the founder's direct liability for most works, but holding that factual issues precluded summary judgment on the issue of whether a few of the songs sideloaded by the founder were in fact owned by plaintiffs); Columbia Pictures Industries, Inc. v. Fung, No. 06 Civ. 5578, 2009 WL 6355911, at *13 & n.21 (C.D. Cal. Dec. 21, 2009) (holding the defendant liable for inducement based in part on the conduct of moderators who were deemed to have acted with apparent authority), aff'd in part on other grounds, 710 F.3d 1020, 1036 n.13 (9th Cir. 2013) (noting that Fung argued that he did not have the requisite level of control over moderators and clarifying that in light of other evidence the appellate court was not relying on statements made by anyone other than Fung himself).
84 See, e.g., Avdeef v. Google, No. 4:14-CV-788-A, 2015 WL 5076877 (N.D. Tex. Aug. 26, 2015).

judgment.85 Many people—especially non-lawyers—think of the user storage limitation as merely requiring the implementation of a notice and take down mechanism. As underscored in the following subsections, a service provider also must meet other eligibility requirements to benefit from the safe harbor provided by section 512(c).

85 See, e.g., Ring v. Doe–1, Civil Action No. 09-563 (GMS), 2015 WL 307840 (D. Del. Jan. 23, 2015).

4.12[6][B] Designation of an Agent and the Obligation to Disable Access to or Remove Material in Response to Substantially Complying Notifications

To qualify for the user storage safe harbor (as well as the caching and information location tools provisions of the DMCA), a service provider must designate an agent and respond to notifications. These obligations are addressed in greater detail in sections 4.12[9][A] (designation of an agent) and 4.12[9][B] (notifications).

In brief, a service provider must designate an agent to receive notifications (and potentially counter notifications) by filing a form with the U.S. Copyright Office and publicizing certain contact information about its designated agent on its website “in a location accessible to the public.”1 A sample agent designation form is included in the Appendix to this chapter. Additional requirements are set forth in section 4.12[9][A]. A list of all registered DMCA agents may be found on the Copyright Office website.2

To benefit from the user storage liability limitation, a service provider must expeditiously disable access to or remove material identified in a substantially complying notification. The requirements for a notification and a service provider's obligations in responding to a notification are analyzed in detail in section 4.09[9][B].

Case law construing the statute makes clear that the DMCA places the initial burden on copyright owners to search the Internet for infringing material (which presumably they are best able to identify) and advise service providers by sending notifications.3 A copyright owner cannot shift its obligation to search for material and send notifications by instructing a service provider prospectively to disable access to or remove material stored in the future (or to remove “all copies” that ever may appear on a site or service).4 Once a notification has been sent to a service provider's designated agent, the DMCA shifts the burden to service providers to respond by expeditiously disabling access to or removing material identified in substantially complying notifications5 (and, as described below in section 4.12[6][C], by disabling access to or removing material that they know to be infringing or which raises a “red flag,” even if no notification has been sent). If a service provider does so, or if a copyright owner fails to send a substantially complying notification, the service provider will be shielded by the DMCA from liability for damages or attorneys' fees (assuming that it otherwise meets the other technical requirements under the statute).6 By contrast, if the service provider fails to expeditiously disable access to or remove material identified in a substantially complying notification, it will not enjoy the benefits of the user storage safe harbor.7

What it means to disable access to or remove material is addressed in section 4.12[6][C]. Copyright owner and service provider obligations with respect to notifications are analyzed in greater detail in section 4.12[9][B]. A sample notification is included in the Appendix to this chapter.

[Section 4.12[6][B]]

1 17 U.S.C.A. § 512(c)(2).

2 http://www.copyright.gov/onlinesp/list/sagents.html

3 See, e.g., Perfect 10, Inc. v. CCBill LLC, 488 F.3d 1102, 1113 (9th Cir.) (“The DMCA notification procedures place the burden of policing copyright infringement—identifying the potentially infringing material and adequately documenting infringement—squarely on the owners of the copyright.”), cert. denied, 522 U.S. 1062 (2007).

4 See, e.g., Hendrickson v. Amazon.com, Inc., 298 F. Supp. 2d 914, 918 (C.D. Cal. 2003); see also Wolk v. Kodak Imaging Network, Inc., 840 F. Supp. 2d 733, 746–47 (S.D.N.Y. 2012) (rejecting plaintiff's contention that the defendant was required to proactively search for copies of the same work in the future once a notification is sent), aff’d mem., 569 F. App’x 51 (2d Cir. 2014); see generally infra § 4.12[9][B] (analyzing the issue in greater detail).

5 17 U.S.C.A. § 512(c)(1)(C).

6 See, e.g., UMG Recordings, Inc. v. Shelter Capital Partners LLC, 718 F.3d 1006, 1021, 1024–25 (9th Cir. 2013) (affirming summary judgment for Veoh, the service provider, where prior to the litigation UMG had not identified to Veoh any specific infringing video available on Veoh's system and Veoh otherwise satisfied the eligibility requirements for the user storage safe harbor); Capitol Records, LLC v. Vimeo, LLC, 972 F. Supp. 2d 500, 535-36 (S.D.N.Y. 2013) (holding that Vimeo was not obligated to disable access to or remove material in response to notices that were not substantially complying but in any case expeditiously removed videos where it took down material on the same day on two occasions and within 3 1/2 weeks in response to a notice that covered 170 videos); Wolk v. Kodak Imaging Network, Inc., 840 F. Supp. 2d 733, 746–47 (S.D.N.Y. 2012) (holding that Photobucket was protected by the safe harbor where it disabled access to material identified in substantially complying notifications, finding notifications that did not include URLs to be noncomplying

and holding that Photobucket had no ongoing obligation to proactively search for other copies of the same works identified in the earlier DMCA notices), aff’d mem., 569 F. App'x 51 (2d Cir. 2014); Hendrickson v. eBay, Inc., 165 F. Supp. 2d 1082 (C.D. Cal. 2001) (granting summary judgment for the service provider where the copyright owner failed to submit a substantially complying notification).

7 See 17 U.S.C.A. § 512(c)(1)(C); CoStar Group Inc. v. LoopNet, Inc., 164 F. Supp. 2d 688, 702 (D. Md. 2001), aff'd on other grounds, 373 F.3d 544, 556 (4th Cir. 2004); see also Rosen v. Global Net Access, LLC, No. 10-2721-DMG (E), 2014 WL 2803752, at *4–5 (C.D. Cal. June 20, 2014) (holding that a delay in removing photographs identified in a DMCA notice for more than two months, until after the defendant was served with a copy of the complaint in the lawsuit, was not expeditious within the meaning of the DMCA). But see Capitol Records, LLC v. Vimeo, LLC, 972 F. Supp. 2d 500, 535–36 (S.D.N.Y. 2013) (holding that removing 170 videos in response to a single notice within 3 weeks was expeditious).

4.12[6][C] Knowledge, Awareness or Corrective Measures

To be eligible for the user storage safe harbor, a service provider must disable access to or remove material in response to a substantially complying notification, actual knowledge that material is infringing or awareness of facts or circumstances from which infringing activity is apparent (referred to as “red flag” awareness). Case law makes clear that knowledge or awareness must be of specific files or activity, not generalized knowledge that a site or service may be used for infringement.1 Knowledge or awareness are judged by objective and subjective criteria, based on evidence such as internal emails or other messages that reflect knowledge or awareness of particular files at issue in a lawsuit (if not removed, once that knowledge or awareness is obtained). Whether a service provider has actual knowledge turns on whether it “‘subjectively’ knew of specific infringement, while the red flag provision turns on whether the provider was subjectively aware of facts that would have made the specific infringement ‘objectively’ obvious to a reasonable person.”2 The Ninth Circuit suggested in dicta that notice from a third party may create red flag awareness, although the statute makes clear that knowledge or awareness may not be inferred from a defective notification sent by a copyright owner.3 A service provider has no obligation to proactively search for infringing material.4 At the same time, knowledge or awareness may be shown by evidence of willful blindness.5

The structure of the DMCA may at first glance seem difficult to follow. In addition to responding to notifications, a service provider, to benefit from section 512(c), must either lack actual knowledge of the infringing material or “not be aware of facts and circumstances from which the infringing activity is apparent” on its system or network or, if it has such knowledge or awareness, act expeditiously to disable access to or remove the material or activity. Awareness short of actual knowledge, according to a committee report accompanying an earlier version of the DMCA, may be thought of as facts or circumstances “which raise a ‘red flag’ that . . . users are infringing.”6

Although the statute lists each of the three ways in which the first requirement for the limitation may be satisfied in the alternative using the disjunction “or,” in fact a service provider must show that neither of the two requirements that are phrased in negative terms (that the service provider “not have actual knowledge” and that the service provider “in the absence of such actual knowledge, is not aware of facts or circumstances from which infringing activity is apparent”) apply or that, if the service provider has either actual knowledge or awareness, it has satisfied the affirmative requirement to act expeditiously to remove or disable access to such material. Since a cardinal rule of statutory construction is that every word in a statute should be read in such a way as to give it meaning,7 this is the only logical reading of the two double negatives and one affirmative obligation listed as alternative requirements in subsection (c)(1)(A). If literally read as requiring compliance with any one of the three alternatives listed in the subsection, a service provider could qualify for the limitation merely by alleging that it lacked actual knowledge, which would render the other two provisions meaningless.

The user storage safe harbor thus applies (assuming that the other eligibility requirements have been met) where a service provider expeditiously disables access to or removes material upon learning of infringement through a notification, actual knowledge or awareness of facts or circumstances from which infringement is apparent (i.e., awareness which raise a “red flag”). Conversely, it applies where material may have been overlooked but where the service provider did not receive a notification and had neither knowledge nor awareness that the material or activity was on its site or was infringing.

Knowledge or awareness may not be imputed to a service provider based on the contents of a defective notification.8 Whether a notification is defective is separately addressed in section 4.12[9][B]. If, however, a service provider fails to disable access to or remove material expeditiously, based on notice, knowledge or awareness, its inaction will render it ineligible for the safe harbor.9

The requirement to disable access to or remove material is just that—a requirement that a service provider “remove or disable access to” material in response to notice, knowledge or red flag awareness.10 There are legitimate reasons why a service provider may prefer to disable access to material, rather than removing it, including so that a link may be restored in response to a counter notification or a court order in a lawsuit between the copyright owner and poster11 or to preserve evidence.12

In Rosen v. eBay, Inc.,13 a district court in Los Angeles held that eBay complied with the requirement to disable access to or remove copyrighted photographs in response to notifications from the plaintiff, a Paparazzi photographer named Barry Rosen, even though Rosen contended that he was able to call up the images by directly accessing the URLs for links that had been removed in response to the notifications he had sent eBay and via search engine queries. In that case, eBay had argued that it had disabled all “meaningful public” access and that (1) the plaintiff conceded that he might have accessed cached versions of the images from his own computer that were no longer accessible on eBay's servers, (2) the images accessed via search engine queries may have been cached by third party search engines and would disappear over time as those third party caches were cleared,14 and (3) even if the plaintiff had been able to access the images directly from eBay's servers, to do so he would have had to use the unique URL taken from the listing when it was live, which could not have been obtained by anyone outside of the company short of copying that URL prior to the time the link was disabled. In holding that eBay satisfied the requirement to disable access to or remove material in response to valid DMCA notifications, the court explained that “this copying is clearly not a normal or expected use of eBay's systems, and it is unclear that anyone not specifically compelled to exploit this workaround—as Rosen is—would ever use it.”15 Accordingly, the court ruled that “[i]n light of the somewhat extraordinary lengths Rosen had to go to obtain copies of his images, which may or may not have actually been accessed from eBay's servers, eBay adequately disabled access to his images when it took down the listings, even when the record is viewed in the light most favorable to Rosen.”16

The user storage safe harbor's focus on notice, knowledge or awareness, and corrective action, is consistent with Religious Technology Center v. Netcom On-Line Communication Services, Inc.,17 in protecting service providers from the possibility that direct liability otherwise could be imposed without regard to their knowledge or intent.18 Netcom was the leading case on secondary liability at the time Congress enacted the DMCA and was influential in its development. The DMCA limits liability for eligible service providers based on a notice and take-down system, which the court in Netcom acknowledged might in any event otherwise be required in response to a cease and desist letter to avoid contributory infringement. Further, by requiring that a service provider not have actual knowledge or awareness, the DMCA effectively precludes the user storage limitation from being applied in most cases where a service provider could otherwise be held liable for contributory infringement (to the extent based on inducing, causing or materially contributing to the infringing conduct of another, rather than imputed knowledge)19 or the more recent cause of action for inducing copyright infringement20 (both of which presuppose at least actual awareness of the primary infringer's conduct, if not active encouragement).

The requirement that a service provider act in response to red flag awareness is an obligation that did not exist prior to the enactment of the DMCA under common law theories of direct, contributory or vicarious liability, and therefore compels service providers to do more than otherwise would be required as a quid pro quo for being able to benefit from the user storage safe harbor. It is for this reason, among others, that Congress made clear that a service provider's failure to meet the requirements of the DMCA could not be cited as evidence of infringement.21

Red flag awareness—when a service provider “in the absence of actual knowledge, . . . is not aware of facts or circumstances from which the infringing activity is apparent . . .”22—may not be imputed merely because a service provider arguably should have known that content was infringing. Rather, it amounts to a requirement that a service provider, although lacking actual knowledge, not have awareness of facts or circumstances which would lead a reasonable person to conclude that an infringement had occurred. As explained by one court, “the question is not ‘what a reasonable person would have deduced given all the circumstances.’ . . . Instead, the question is whether the service provider deliberately proceeded in the face of blatant factors of which it was aware . . . [or] turned a blind eye to ‘red flags’ of obvious infringement.’ ”23

The DMCA presupposes that users may post infringing material on a site or service, which is why the safe harbor for material stored at the direction of the user was created in the first place. Accordingly, knowledge or awareness must relate to specific material or activity. Generalized knowledge that a site or service could be used for infringement or that infringing material may be found on the site is insufficient to disqualify a service provider from the user storage safe harbor.24

[Section 4.12[6][C]]

1 See, e.g., Viacom Int'l, Inc. v. YouTube, Inc., 676 F.3d 19, 30–32 (2d Cir. 2012); UMG Recordings, Inc. v. Shelter Capital Partners LLC, 718 F.3d 1006, 1021–23 (9th Cir. 2013); see also Corbis Corp. v. Amazon.com, Inc., 351 F. Supp. 2d 1090, 1109 (W.D. Wash. 2004) (holding, in a pre-Shelter Capital district court opinion that later influenced the Ninth Circuit, that general knowledge of infringing activity is not “red flag awareness,” which must be based on specific acts of infringement); CoStar Group Inc. v. LoopNet, Inc., 164 F. Supp. 2d 688, 704 (D. Md. 2001) (writing that it was impossible for LoopNet, the service provider, to know that particular images were infringing prior to receiving a notification from CoStar because the works did not include copyright notices, CoStar's own expert could not identify a given CoStar photograph simply by reviewing it, and LoopNet would have had no way to know about CoStar's licensing arrangements with its customers prior to receiving notice), aff'd on other grounds, 373 F.3d 544 (4th Cir. 2004).

2 Viacom Int'l, Inc. v. YouTube, Inc., 676 F.3d 19, 31 (2d Cir. 2012); UMG Recordings, Inc. v. Shelter Capital Partners LLC, 718 F.3d 1006, 1025 (9th Cir. 2013) (quoting Viacom v. YouTube). The Ninth Circuit has underscored that “whether ‘the specific infringement’ is ‘objectively’ obvious to a reasonable person' may vary depending on the facts proven by the copyright holder in establishing liability.” UMG Recordings, Inc. v. Shelter Capital Partners LLC, 718 F.3d 1006, 1026 n.15 (9th Cir. 2013).

3 See 17 U.S.C.A. § 512(c)(3)(B)(i) (stating that neither knowledge nor awareness may be inferred from a notice that fails to meet statutory requirements); UMG Recordings, Inc. v. Shelter Capital Partners LLC, 718 F.3d 1006, 1024–25 (9th Cir. 2013). In Shelter Capital, UMG had argued that Veoh had red flag awareness of infringing material based on emails sent to Veoh executives by copyright owners, including an email sent by Disney's CEO to Michael Eisner, a Veoh investor, stating that unauthorized copies of the movie Cinderella III and various episodes from the television show Lost were posted on Veoh's site. The Ninth Circuit panel explained that “[i]f this notification had come from a third party, such as a Veoh user, rather than from a copyright holder, it might meet the red flag test [assuming the material was not taken down in response to the notice] because it specified particular infringing material. As a copyright holder, however, Disney is subject to the notification requirements in § 512(c)(3), which this informal email failed to meet.” Id. (footnote omitted).

4 17 U.S.C.A. § 512(m); see also UMG Recordings, Inc. v. Shelter Capital Partners LLC, 718 F.3d 1006, 1022 (9th Cir. 2013).

5 See Viacom Int'l, Inc. v. YouTube, Inc., 676 F.3d 19, 35 (2d Cir. 2012) (holding that knowledge or awareness may be established by evidence of willful blindness, which the court characterized as a deliberate effort to avoid guilty knowledge); Columbia Pictures Industries, Inc. v. Fung, 710 F.3d 1020, 1043 (9th Cir. 2013) (explaining that “inducing actions”—or conduct deemed to induce copyright infringement—were relevant to the court's determination that the defendant had red flag awareness); Capitol Records, Inc. v. MP3Tunes, LLC, No. 07 Civ. 9931 (WHP), 2013 WL 1987225, at *3–4 (S.D.N.Y. May 14, 2013) (reconsidering its earlier ruling granting summary judgment for the service provider on plaintiff's claim for contributory infringement of those songs not subject to DMCA-compliant takedown notices, in light of the importance the Second Circuit placed on explicit fact-finding in evaluating willful blindness as a potential bar to DMCA protection in Viacom v. YouTube, and holding that a jury could reasonably interpret several documents as imposing a duty to make further inquiries into specific and identifiable instances of possible infringement); see also UMG Recordings, Inc. v. Shelter Capital Partners LLC, 718 F.3d 1006, 1023 (9th Cir. 2013) (citing Viacom v. YouTube for the proposition that “a service provider cannot willfully bury its head in the sand to avoid obtaining . . . specific knowledge.”); Capitol Records, LLC v. Vimeo, LLC, 972 F. Supp. 2d 500, 524 (S.D.N.Y. 2013) (analyzing but rejecting plaintiffs' argument that Vimeo had been willfully blind where the evidence presented, while “disconcerting” in the words of the court, did not relate to any of the specific videos at issue in that case).

6 CoStar Group Inc. v. LoopNet, Inc., 164 F. Supp. 2d 688, 702 (D. Md. 2001), aff'd on other grounds, 373 F.3d 544, 556 (4th Cir. 2004).

7 See, e.g., U.S. v. Nordic Village Inc., 503 U.S. 30, 35–36 (1992); Bailey v. United States, 516 U.S. 137, 145 (1995) (noting the “assumption that Congress intended each of its terms to have meaning”); U.S. v. Bass, 404 U.S. 336, 344 (1971).

8 See 17 U.S.C.A. § 512(c)(3)(B)(i) (a notification that is not substantially complying “shall not be considered under paragraph (1)(A) in determining whether a service provider has actual knowledge or is aware of facts or circumstances from which infringing activity is apparent”). Where a notification is deficient but nonetheless substantially complies with the requirements for identifying the infringed work and the infringing material and includes sufficient contact information to allow the service provider to contact the complainant, the service provider must attempt to do so or “tak[e] other reasonable steps to assist” in obtaining a substantially complying notification before it may benefit from this provision. See 17 U.S.C.A. § 512(c)(3)(B)(ii); see generally infra § 4.12[9][B].

9 See, e.g., ALS Scan, Inc. v. RemarQ Communities, Inc., 239 F.3d 619 (4th Cir. 2001).

10 See 17 U.S.C.A. § 512(c)(1)(C) (emphasis added).

11 See infra § 4.12[9][C] (analyzing counter notifications and the corresponding optional obligations imposed on service providers that choose to comply with the requirements of 17 U.S.C.A. § 512(g)(1)).

12 The DMCA does not affirmatively require that material be preserved and indeed expressly authorizes that material be removed in response to notice, knowledge or red flag awareness. A service provider's failure to preserve certain evidence necessary to establish its entitlement to the DMCA safe harbor (such as records relating to termination of repeat infringers), however, could result in evidentiary sanctions that could disqualify the service provider from DMCA safe harbor protection. See generally infra § 4.12[18].

13 Rosen v. eBay, Inc., No. CV-13-6801 MWF (Ex), 2015 WL 1600081, at *11-12 (C.D. Cal. Jan. 16, 2015).

14 The DMCA also provides a mechanism for copyright owners to obtain injunctive relief requiring that a service provider disable access to or remove cached copies of infringing material. See 17 U.S.C.A. §§ 512(b), 512(j); supra § 4.12[5][A] (analyzing the system caching safe harbor). In practice, this remedy is rarely invoked because search engines regularly refresh their caches—and usually do so more quickly than a court will act on a request for injunctive relief. Copyright owners also may be able to send DMCA takedown notifications directed at cached content.

15 Rosen v. eBay, Inc., No. CV-13-6801 MWF (Ex), 2015 WL 1600081, at *12 (C.D. Cal. Jan. 16, 2015).

16 Rosen v. eBay, Inc., No. CV-13-6801 MWF (Ex), 2015 WL 1600081, at *12 (C.D. Cal. Jan. 16, 2015).

17 Religious Technology Center v. Netcom On-Line Communication Services, Inc., 907 F. Supp. 1361, 1374 (N.D. Cal. 1995); see generally supra § 4.11[2].

18 Although no district court has imposed liability on this basis since the time of the Netcom decision in 1995, the Clinton Administration in the NII White Paper had argued (prior to the time Netcom was decided) that direct liability could be imposed on that basis and some commentators believe that it was in fact in Playboy Enterprises, Inc. v. Frena, 839 F. Supp. 1552 (M.D. Fla. 1993). See supra §§ 4.11[2], 4.11[8][A], 4.11[9].

19 See supra § 4.11[3].

20 See supra § 4.11[6].

21 17 U.S.C.A. § 512(l). Another reason for this provision is that DMCA liability limitations are optional—service providers are not required to comply but rather are induced to do so by the opportunity to limit their liability through safe harbors.

22 17 U.S.C.A. § 512(c)(1)(A).

23 Corbis Corp. v. Amazon.com, Inc., 351 F. Supp. 2d 1090, 1108 (W.D. Wash. 2004) (citing Nimmer on Copyright and the legislative history). 24 See, e.g., Viacom Int'l, Inc. v. YouTube, Inc., 676 F.3d 19, 30–32 (2d Cir. 2012); UMG Recordings, Inc. v. Shelter Capital Partners LLC, 718 F.3d 1006, 1021–23 (9th Cir. 2013); see also Corbis Corp. v. Amazon.com, Inc., 351 F. Supp. 2d 1090, 1109 (W.D. Wash. 2004) (holding, in a pre- Shelter Capital district court opinion that later inuenced the Ninth Circuit, that general knowledge of infringing activity is not “red ag awareness,” which must be based on specic acts of infringement); CoStar Group Inc. v. LoopNet, Inc., 164 F. Supp. 2d 688, 704 (D. Md. 2001) (writ- ing that it was impossible for LoopNet, the service provider, to know that particular images were infringing prior to receiving a notication from CoStar because the works did not include copyright notices, CoStar's own expert could not identify a given CoStar photograph simply by reviewing it, and LoopNet would have had no way to know about CoStar's licensing arrangements with its customers prior to receiving notice), a'd on other grounds, 373 F.3d 544 (4th Cir. 2004). The DMCA also mandates specicity, rather than generalized no- tice, for DMCA notications, by requiring substantial compliance with the requirements for notications before a service provider has the obligation to disable access to or remove material. See 17 U.S.C.A. § 512(c)(3); see also, e.g., Hendrickson v. eBay, Inc., 165 F. Supp. 2d 1082, 1090 (C.D. Cal. 2001) (holding that, based on the facts of that case, the plainti was required to identify, among other things, specic listing numbers to meet the requirement of substantial compliance, while noting in dicta that a more general description could suce if a plainti were identifying all works of a particular nature on a site). 
Courts in the Ninth Circuit and Southern District of New York similarly have held that the knowledge required to establish contributory infringement must be of specic infringing les, not merely general knowl- edge that a site is used for infringement. See, e.g., Luvdarts, LLC v. AT&T Mobility, LLC, 710 F.3d 1068, 1072 (9th Cir. 2013) (arming that the plainti did not state a claim for contributory infringement against mobile phone carriers over the alleged infringement of their users in forwarding text messages containing original content without authorization to do so because a plainti must allege “more than a generalized knowledge . . . of the possibility of infringement.”); Perfect 10, Inc. v. Amazon.com, Inc., 508 F.3d 1146, 1172 (9th Cir. 2007) (“a computer system operator can be held

Pub. 12/2015 4-527 4.12[6][C] E-Commerce and Internet Law

As explained by the Second Circuit, the text of the DMCA itself compels the conclusion that the requisite level of actual knowledge or awareness must be based on “specic and identiable instances of infringement.”25 The Second Circuit rejected the argument that red ag awareness requires less contributorily liable if it ‘has actual knowledge that specic infringing ma- terial is available using its system . . .’ ’’; citation omitted, emphasis in the original); A&M Records, Inc. v. Napster, Inc., 239 F.3d 1004, 1021–22 (9th Cir. 2001) (holding that a service provider could be held contributor- ily liable where it had actual knowledge of specic infringing material, but not merely because the structure of the system allowed for the exchange of copyrighted material); Wolk v. Kodak Imaging Network, Inc., 840 F. Supp. 2d 733, 751 (S.D.N.Y. 2012) (holding that for liability to attach, actual or imputed knowledge must be based on specic and identiable infringements of individual items, not a general awareness of infringe- ment), a’d mem., 569 F. App’x 51 (2d Cir. 2014); see also Tiany (NJ) Inc. v. eBay, Inc., 576 F. Supp. 2d 463, 510 n.37 (S.D.N.Y. 2008) (writing in dicta in a secondary trademark infringement case that “[u]nder copy- right law, generalized knowledge that copyright infringement may take place in an Internet venue is insucient to impose contributory liability.”), a'd, 600 F.3d 93, 107 (2d Cir.) (“We agree with the district court. For contributory trademark infringement liability to lie, a service provider must have more than a general knowledge or reason to know that its ser- vice is being used to sell counterfeit goods. Some contemporary knowledge of which particular listings are infringing or will infringe in the future is necessary.”), cert. denied, 562 U.S. 1082 (2010); see generally supra § 4.11[3] (analyzing the requirements to prove contributory copyright infringement). 
By contrast, a site owner with generalized knowledge could be held liable for inducement if it actively encourages users to infringe (although a defendant found liable for inducing copyright infringement likely would be deemed to have red ag awareness and therefore be ineligible for the DMCA safe harbors). See supra § 4.11[6]. 25 Viacom Int'l, Inc. v. YouTube, Inc., 676 F.3d 19, 30, 32 (2d Cir. 2012). Judge José Cabranes, writing for himself and Judge Livingston, explained that: [T]he basic operation of § 512(c) requires knowledge or awareness of specic infringing activity. Under § 512(c)(1)(A), knowledge or awareness alone does not disqualify the service provider; rather, the provider that gains knowledge or awareness of infringing activity retains safe-harbor protection if it “acts expeditiously to remove, or disable access to, the material.” 17 U.S.C. § 512(c)(1)(A)(iii). Thus, the nature of the removal obligation itself contemplates knowledge or awareness of specic infringing material, because expeditious re- moval is possible only if the service provider knows with particularity which items to remove. Indeed, to require expeditious removal in the absence of specic knowledge or awareness would be to mandate an amorphous obligation to “take commercially reasonable steps” in response to a generalized awareness of infringement. Viacom Br. 33. Such a view cannot be reconciled with the language of the statute, which requires “expeditious[ ]” action to remove or dis- able “the material” at issue. 17 U.S.C. § 512(c)(1)(A)(iii) (emphasis added). Id. at 30–31.

4-528 Copyright Protection in Cyberspace 4.12[6][C] specicity than actual knowledge, clarifying that the dier- ence between actual knowledge and red ag awareness is “not between specic and generalized knowledge, but instead between a subjective and objective standard.”26 The panel elaborated that: [T]he actual knowledge provision turns on whether the provider actually or “subjectively” knew of specic infringe- ment, while the red ag provision turns on whether the provider was subjectively aware of facts that would have made the specic infringement “objectively” obvious to a reasonable person.27 How red a “red ag” has to be before liability will be imposed for inaction depends on whether the question is adjudicated in the Second or Ninth Circuit and remains open to debate in other courts. The standard in the Ninth Circuit is the clearest (and most favorable to service providers) while that applied in the Second Circuit is easier to recite than to specically apply and has yet to be eshed out in case law. Most opinions that address the issue have claried what is not red ag awareness, rather than elaborating on what it is. In Perfect 10, Inc. v. CCBill, LLC,28 the Ninth Circuit set a very high bar for when awareness short of actual knowledge may be imputed to a service provider. In the Ninth Circuit, a “red ag” must be “re engine red” before a service provider will be deemed to have an obligation to take down material on its own initiative (short of actual knowledge or receipt of a substantially complying notication). Lighter shades of red will not trigger a take down obligation, at least in the Ninth Circuit. In CCBill, Perfect 10, the publisher of an adult magazine, had alleged that CWIE, a website hosting company, and CCBill, a service that allowed consumers to use credit cards or checks to pay for subscriptions or memberships to

26 Viacom Int'l, Inc. v. YouTube, Inc., 676 F.3d 19, 31 (2d Cir. 2012).

27 Viacom Int'l, Inc. v. YouTube, Inc., 676 F.3d 19, 31 (2d Cir. 2012); UMG Recordings, Inc. v. Shelter Capital Partners LLC, 718 F.3d 1006, 1025 (9th Cir. 2013) (quoting Viacom v. YouTube). The Ninth Circuit subsequently noted that “whether ‘the specific infringement’ is ‘objectively’ obvious to a reasonable person’ may vary depending on the facts proven by the copyright holder in establishing liability.” UMG Recordings, Inc. v. Shelter Capital Partners LLC, 718 F.3d 1006, 1026 n.15 (9th Cir. 2013).

28 Perfect 10, Inc. v. CCBill LLC, 488 F.3d 1102 (9th Cir.), cert. denied, 522 U.S. 1062 (2007).

e-commerce venues, were not entitled to the user storage safe harbor because they were aware of a number of “red flags” that signaled apparent infringement. Perfect 10 argued that defendants had awareness of infringement by providing services to illegal.net and stolencelebritypics.com. The Ninth Circuit, however, disagreed. Judge Milan D. Smith, writing for himself and Chief Judge Alex Kozinski and Judge Stephen Reinhardt, wrote that: [W]hen a website traffics in pictures that are titillating by nature, describing photographs as “illegal” or “stolen” may be an attempt to increase their salacious appeal, rather than an admission that the photographs are actually illegal or stolen. We do not place the burden of determining whether photographs are actually illegal on a service provider.29

Perfect 10 also had argued that password hacking websites hosted by CWIE obviously hosted infringing content. While the Ninth Circuit conceded that Perfect 10 might have claims against password hacking sites for contributory infringement, it disagreed that providing service to sites that purported to offer free passwords to subscriptions sites meant that the defendants had awareness of infringing activity, which would have stripped them of protection under the DMCA safe harbor. The panel held that “[p]assword-hacking sites are . . . not per se ‘red flags’ of infringement.”30 Judge Smith wrote that: In order for a website to qualify as a “red flag” of infringement, it would need to be apparent that the website instructed or enabled users to infringe another's copyright .... We find that the burden of determining whether passwords on a website enabled infringement is not on a service provider. The website could be a hoax, or out of date. The owner of the protected content may have supplied the passwords as a short-term promotion, or as an attempt to collect information from unsuspecting users.
The passwords might be provided to help users maintain anonymity without infringing on copyright. There is simply no way for a service provider to conclude that the passwords enabled infringement without trying the passwords, and verifying that they enabled illegal access to copyrighted material. We impose no such investigative duties on service providers.31 The high bar set by the Ninth Circuit for when awareness

29 Perfect 10, Inc. v. CCBill LLC, 488 F.3d 1102, 1114 (9th Cir. 2007), cert. denied, 522 U.S. 1062 (2007).

30 Perfect 10, Inc. v. CCBill LLC, 488 F.3d 1102, 1114 (9th Cir. 2007), cert. denied, 522 U.S. 1062 (2007).

31 Perfect 10, Inc. v. CCBill LLC, 488 F.3d 1102, 1114 (9th Cir. 2007), cert. denied, 522 U.S. 1062 (2007).

or a “red flag” may be found was justified in CCBill by the fact that the DMCA places the primary burden of investigation on copyright owners (although the awareness prong plainly imposes some obligation on service providers to restrict access to or remove material that raises a red flag). In addition, the legislative history makes it clear that while service providers are not obligated to do so, they equally are not discouraged and may not be penalized (in the form of a finding of right and ability to control) from monitoring their sites or services.32 A low threshold for finding red flag awareness would deter voluntary monitoring (since the act of reviewing files could lead to greater liability).

While CCBill established a standard for red flag awareness in the Ninth Circuit that is very favorable to service providers, it also imposes on them more stringent requirements for complying with the obligation to reasonably implement a repeat infringer policy under section 512(i). The Ninth Circuit remanded the case to the district court for consideration of whether potential red flags had been raised by third-party content.33 The court concluded that the requirements that a service provider disable access to or remove material in response to notice, knowledge or awareness were relevant not merely to the user storage safe harbor but to the question of whether a service provider has reasonably implemented its repeat infringer policy, which is a threshold eligibility requirement for all of the safe harbors established in section 512(i). Thus, under CCBill, failure to respond in the face of knowledge, notice or red flag awareness could put at risk not merely a service provider's entitlement to the user storage liability limitation for the material that was overlooked, but its very entitlement to any of the safe harbors if challenged by any copyright owner. The significance of the Ninth Circuit's importing the requirement that service providers disable access to and remove material in response to notice, knowledge or awareness, into the threshold requirement of reasonable implementation of a repeat infringement policy, is addressed briefly in section 4.12[6][A] and extensively in section 4.12[3][B][iv].

Applying CCBill, the district court in Io Group, Inc. v.

32 See infra § 4.12[6][D] (discussing this issue in the context of right and ability to control).

33 Perfect 10, Inc. v. CCBill LLC, 488 F.3d 1102, 1114–15 (9th Cir. 2007), cert. denied, 522 U.S. 1062 (2007).


Veoh Networks, Inc.34 ruled that Veoh, the operator of the UGC video site, could not be held to have had red flag awareness of infringing material because it allowed professional quality adult pornography to be posted to its site without the labeling information required by 22 U.S.C.A. § 2257 (which requires that certain records about the age of performers be retained and that notice of compliance be provided).35 Io argued that Veoh should have known that no legitimate producer of sexually explicit material would have omitted the requisite labels from video clips and that the excerpts uploaded therefore must be unauthorized. The court, however, ruled that the absence of adult labels did not give Veoh the requisite level of knowledge or awareness that plaintiff's copyrights were being violated. Among other things, the court noted that none of the clips at issue included copyright notices and although one clip had a trademark notice several minutes into the clip there was no evidence from which it could be inferred that Veoh was aware of, but chose to ignore, this information.36 The court, citing the House Report and Corbis Corp. v. Amazon.com,37 emphasized that the question is not what a reasonable person would have deduced given all the circumstances, but whether the service provider deliberately proceeded in the face of blatant factors of which it was aware (i.e., turned a blind eye to red flags of obvious infringement).38

In UMG Recordings, Inc. v. Veoh Networks, Inc.,39 the district court, in granting summary judgment for Veoh on all

34 Io Group, Inc. v. Veoh Networks, Inc., 586 F. Supp. 2d 1132 (N.D. Cal. 2008).

35 See infra chapters 40, 41.

36 Io Group, Inc. v. Veoh Networks, Inc., 586 F. Supp. 2d 1132, 1149 (N.D. Cal. 2008). The court also rejected plaintiff's argument that Veoh had failed to act expeditiously to disable access to or remove material, but the facts of that case were unusual. Io did not notify Veoh of the allegedly infringing works on its system. Independently, and for unrelated reasons, Veoh removed all adult material from its site twenty-one days after the first unauthorized Io clip allegedly was uploaded. Io also presented no evidence suggesting that Veoh failed to act expeditiously once it acquired knowledge or awareness of infringing material.

37 Corbis Corp. v. Amazon.com, Inc., 351 F. Supp. 2d 1090 (W.D. Wash. 2004).

38 See Io Group, Inc. v. Veoh Networks, Inc., 586 F. Supp. 2d 1132, 1148 (N.D. Cal. 2008).

39 UMG Recordings, Inc. v. Veoh Networks Inc., 665 F. Supp. 2d 1099 (C.D. Cal. 2009), aff'd sub nom. UMG Recordings, Inc. v. Shelter Capital Partners LLC, 718 F.3d 1006 (9th Cir. 2013).

of UMG's copyright claims, followed CCBill in holding that Veoh did not have actual knowledge or red flag awareness of infringing material on its UGC site, and when it received a notification Veoh expeditiously disabled access to or removed the material that was the subject of the notice. Judge Matz rejected UMG's argument that Veoh had actual knowledge because it was hosting an entire category of content—music—that was subject to copyright protection, writing: If merely hosting user-contributed material capable of copyright protection were enough to impute actual knowledge to a service provider, the section 512(c) safe harbor would be a dead letter because vast portions of content on the Internet are eligible for copyright protection. UMG's theory would also make the DMCA's notice-and-takedown provisions completely superfluous because any service provider that hosted copyrighted material would be disqualified from the section 512(c) safe harbor regardless of whether the copyright holder gave notice or whether the service provider otherwise acquired actual or constructive knowledge of specific infringements. The court noted that UMG's argument was also undercut by evidence that of the 244,205 videos on Veoh's service labeled “music videos,” 221,842 were not identified as unauthorized by the Audible Magic music filter that Veoh employed on its site.40

Judge Matz further rejected the argument that Veoh had knowledge based on a notice from the RIAA, where the notice merely provided names of artists, which the court held was not the same thing as a representative list of works and therefore merely a defective DMCA notification. The notices likewise did not identify the material claimed to be infringing. The court wrote that “[a]n artist's name is not information reasonably sufficient to permit the service provider to locate [such] material.”41

Judge Matz held that Veoh did not have “red flag” awareness, which he construed narrowly, writing that “CCBill teaches that if investigation of ‘facts and circumstances’ is required to identify material as infringing, then those facts and circumstances are not ‘red flags.’ ”42 UMG argued that Veoh's founders, employees and investors knew that widespread infringement was occurring on the Veoh system. The court held, however, that general awareness of infringement, without more, was not enough to preclude protection pursuant to section 512(c)'s safe harbor. Judge Matz wrote that “[n]o doubt it is common knowledge that most websites that allow users to contribute material contain infringing items. If such general awareness were enough to raise a ‘red flag,’ the DMCA safe harbor would not serve its purpose of ‘facilitat[ing] the robust development and worldwide expansion of electronic commerce, communications, research, development, and education in the digital age,’ and ‘balanc[ing] the interests of content owners, online and other service providers, and information users in a way that will foster the continued development of electronic commerce and the growth of the Internet.”43

Judge Matz also rejected the argument that Veoh avoided gaining knowledge of infringement by delaying implementation of the Audible Magic fingerprinting system until October 2007, even though it was available in early 2005, and by waiting nine months before filtering videos already on the system. He noted that the DMCA did not require service providers to implement filtering technology and that Veoh had previously implemented “hash” filtering earlier and attempted to develop its own filtering tool. When it could not do so, it licensed Audible Magic's technology. The court wrote that these undertakings merely underscored Veoh's good faith efforts to avoid or limit storage of infringing content.

Finally, the district court rejected UMG's argument that Veoh could have searched its indices for the names of artists whose videos were identified in the RIAA notices. The court held that “the DMCA does not place the burden of ferreting

40 UMG Recordings, Inc. v. Veoh Networks Inc., 665 F. Supp. 2d 1099, 1109 (C.D. Cal. 2009) (quoting Corbis Corp. v. Amazon.com, Inc., 351 F. Supp. 2d 1090, 1105 (W.D. Wash. 2004)), aff'd on other grounds sub nom. UMG Recordings, Inc. v. Shelter Capital Partners LLC, 718 F.3d 1006 (9th Cir. 2013); see generally infra § 17.05[3] (discussing music video filters, including the Audible Magic filter).

41 UMG Recordings, Inc. v. Veoh Networks Inc., 665 F. Supp. 2d 1099, 1110 (C.D. Cal. 2009) (citing 17 U.S.C.A. § 512(c)(3)(A)(iii)), aff'd sub nom. UMG Recordings, Inc. v. Shelter Capital Partners LLC, 718 F.3d 1006 (9th Cir. 2013).

42 UMG Recordings, Inc. v. Veoh Networks Inc., 665 F. Supp. 2d 1099, 1108 (C.D. Cal. 2009), aff'd sub nom. UMG Recordings, Inc. v. Shelter Capital Partners LLC, 718 F.3d 1006 (9th Cir. 2013).

43 UMG Recordings, Inc. v. Veoh Networks Inc., 665 F. Supp. 2d 1099, 1111 (C.D. Cal. 2009), aff'd sub nom. UMG Recordings, Inc. v. Shelter Capital Partners LLC, 718 F.3d 1006 (9th Cir. 2013).

out infringement on the service provider.”44

On appeal, the Ninth Circuit affirmed Judge Matz's order granting summary judgment to Veoh, noting that UMG did not dispute that when Veoh became aware of allegedly infringing material as a result of the RIAA's DMCA notices, it removed the files. Rather, UMG argued that Veoh had knowledge or awareness of other infringing videos that it did not remove.45

The Ninth Circuit rejected UMG's argument that hosting a music category evidenced knowledge. First, the court pointed out that Veoh had licenses from Sony-BMG and therefore could have hosted licensed music. Second, the panel rejected the argument that generalized knowledge could take a service provider outside the safe harbor. The panel held that “merely hosting a category of copyrightable content, such as music videos, with general knowledge that one's services could be used to share infringing material, is insufficient to meet the actual knowledge requirement of § 512(c)(1)(A)(i)” or red flag awareness pursuant to section 512(c)(1)(A)(ii).46

The appellate court similarly rejected the argument that tagging user submissions as “music videos” evidenced knowledge or awareness given that the court had already concluded that hosting music videos did not disqualify Veoh from safe harbor protection.47

The court likewise rejected the argument that Veoh's purchase of key words including “50 Cent,” “Avril Lavigne”

44 UMG Recordings, Inc. v. Veoh Networks Inc., 665 F. Supp. 2d 1099, 1112 (C.D. Cal. 2009), aff'd sub nom. UMG Recordings, Inc. v. Shelter Capital Partners LLC, 718 F.3d 1006 (9th Cir. 2013).

45 See UMG Recordings, Inc. v. Shelter Capital Partners LLC, 718 F.3d 1006, 1020 (9th Cir. 2013). The appellate panel initially issued a decision affirming the lower court's entry of summary judgment in December 2011, UMG Recordings, Inc. v. Shelter Capital Partners LLC, 667 F.3d 1022, 1036 (9th Cir. 2011), which subsequently was withdrawn and replaced by a new opinion in 2013 that, on reconsideration, harmonized the Ninth Circuit's analysis with the Second Circuit's intervening opinion in Viacom Int'l, Inc. v. YouTube, Inc., 676 F.3d 19 (2d Cir. 2012). The Second Circuit's discussion of Shelter Partners in YouTube refers to the earlier, now withdrawn 2011 opinion.

46 UMG Recordings, Inc. v. Shelter Capital Partners LLC, 718 F.3d 1006, 1021–23 (9th Cir. 2013).

47 UMG Recordings, Inc. v. Shelter Capital Partners LLC, 718 F.3d 1006, 1023 (9th Cir. 2013).

and “Britney Spears” evidenced knowledge or awareness both because these UMG artists also had recorded for Sony-BMG, which had given Veoh a license for its artists’ videos, and because “companies sometimes purchase search terms they believe will lead potential customers to their websites even if the terms do not describe the goods or services the company actually provides.”48

The Ninth Circuit panel further rejected UMG's argument that Veoh's compliance with RIAA takedown notices gave it knowledge of infringement and should have caused it to take the initiative to use search and indexing tools to locate and remove other material by these same artists. Relatedly, UMG had argued that Veoh should have known from the MTV or other television logos watermarked on some videos removed from its site that unauthorized material had been posted, which it could have searched for. Applying CCBill, however, the appellate court refused to impose investigative duties on service providers (and also noted that this approach likely would have resulted in the removal as well of noninfringing content).49

Finally, the court rejected UMG's argument that Veoh had knowledge of infringement based on newspaper articles that referred to unauthorized material on its site, in which Veoh's CEO acknowledged the problem and stated that Veoh took infringement seriously and removed unauthorized content when found. Judge Raymond C. Fisher, writing for the unanimous panel, explained: The DMCA's detailed notice and takedown procedure assumes that, “from time to time,” “material belonging to someone else ends up” on service providers' websites, and establishes a process for ensuring the prompt removal of such unauthorized material.
If Veoh's CEO's acknowledgment of this general problem and awareness of news reports discussing it was enough to remove a service provider from DMCA safe harbor eligibility, the notice and takedown procedures would make

48 UMG Recordings, Inc. v. Shelter Capital Partners LLC, 718 F.3d 1006, 1023 (9th Cir. 2013). The court explained that: For example, a sunglass company might buy the search terms “sunscreen” or “vacation” because it believed that people interested in such searches would often also be interested in sunglasses. Accordingly, Veoh's search term purchases do little to demonstrate that it knew it hosted infringing material. Id.

49 UMG Recordings, Inc. v. Shelter Capital Partners LLC, 718 F.3d 1006, 1023–24 (9th Cir. 2013), citing Perfect 10, Inc. v. CCBill LLC, 488 F.3d 1102, 1114 (9th Cir.), cert. denied, 522 U.S. 1062 (2007).


little sense and the safe harbors would be effectively nullified. We cannot conclude that Congress intended such a result, and we therefore hold that this evidence is insufficient to warrant a trial.50

By contrast, as noted earlier in this section, Judge Fisher wrote in dicta that notices sent by third parties could provide red flag awareness, although the Ninth Circuit panel rejected the argument that email evidence presented by UMG was sufficient to create a factual dispute over Veoh's entitlement to the DMCA safe harbor because there was no evidence presented that Veoh in fact did not remove files when it received these notices (and any notices from copyright owners, as opposed to third parties, had to satisfy the requirements for DMCA notifications set forth in section 512(c)(3) before knowledge could be imputed to a service provider if it failed to disable access to or remove any material identified in the notification).51

In Viacom Int'l, Inc. v. YouTube, Inc.,52 the Second Circuit was unwilling to set the bar for red flag awareness as high as the Ninth Circuit previously had in CCBill, but it did set out a clear explanation of the difference between actual knowledge and red flag awareness, which the Ninth Circuit subsequently also adopted.53 The Viacom v. YouTube panel explained that actual knowledge denotes subjective belief, whereas red flag awareness is judged by an objective reasonableness standard.54

A standard of objective reasonableness requires service

50 UMG Recordings, Inc. v. Shelter Capital Partners LLC, 718 F.3d 1006, 1024 (9th Cir. 2013).

51 UMG Recordings, Inc. v. Shelter Capital Partners LLC, 718 F.3d 1006, 1025 (9th Cir. 2013). The court, in dicta, explained how a user email informing a service provider of “infringing material and specifying its location” could provide red flag notice: Although the user's allegations would not give Veoh actual knowledge under § 512(c)(1)(A)(i), because Veoh would have no assurance that a third party who does not hold the copyright in question would know whether the material was infringing, the email nonetheless could act as a red flag under § 512(c)(1)(A)(ii) provided its information was sufficiently specific. Id. In its revised opinion, the Ninth Circuit panel also adopted the Second Circuit's analysis of the difference between actual knowledge and red flag awareness, as discussed below. See id. at 1025–26.

52 Viacom Int'l, Inc. v. YouTube, Inc., 676 F.3d 19 (2d Cir. 2012).

53 See UMG Recordings, Inc. v. Shelter Capital Partners LLC, 718 F.3d 1006, 1025–26 (9th Cir. 2013).

54 See Viacom Int'l, Inc. v. YouTube, Inc., 676 F.3d 19, 31 (2d Cir. 2012).

providers to make sure that employees responsible for material stored at the direction of a user are well trained. Whether a service provider's conduct in fact is objectively reasonable, when challenged in litigation, may make determinations of red flag awareness difficult to resolve short of trial in some cases. Factual disputes over the propriety of failing to remove particular material in particular instances may be difficult to resolve on summary judgment, in at least some cases. In practice, courts in the Second Circuit, like those in the Ninth Circuit, have imposed a high bar for when material may be found to raise a red flag, as underscored in the Viacom v. YouTube case itself.

Viacom v. YouTube, like UMG v. Shelter Capital Partners, was a case involving user-submitted videos where summary judgment had been granted in favor of the service provider and, on appeal, the copyright owner did not dispute that the service provider had removed every file identified in substantially complying DMCA notices. Indeed, in Viacom v. YouTube, District Court Judge Stanton of the Southern District of New York had observed that Viacom had accumulated information on approximately 100,000 videos and then sent one mass take-down notice on February 2, 2007, in response to which, by the next day, YouTube had removed virtually all of the identified videos.55 The issue in each case was whether, notwithstanding compliance with DMCA notifications asking that specific files be taken down, the service provider nonetheless had knowledge or awareness that would preclude safe harbor protection.

In Viacom v. YouTube, the Second Circuit concluded that internal emails that referenced specific video files (as opposed to general percentages) could be viewed by a reasonable juror to evidence knowledge or awareness of specific instances of infringement. However, since the evidence did not make clear whether any of the videos referenced in internal emails were actually at issue in the lawsuit, the court remanded the case to the district court to determine whether any specific infringements of which YouTube had knowledge or awareness corresponded to any of the works at issue in

55 Viacom Int'l Inc. v. YouTube, Inc., 718 F. Supp. 2d 514 (S.D.N.Y. 2010), aff'd in part, vacated in part, rev'd in part, 676 F.3d 19 (2d Cir. 2012).

the lawsuit.56

By contrast, the Second Circuit panel rejected as irrelevant internal surveys showing that YouTube employees estimated that 75-80% of YouTube streams constituted copyrighted material. While these estimates suggested that defendants were aware that “significant quantities of material on the YouTube website were infringing” the evidence was insufficient to create a triable issue of fact about whether YouTube “actually knew, or was aware of facts or circumstances that would indicate, the existence of particular instances of infringement.”57

The Second Circuit panel remanded for further consideration the issue of whether YouTube had knowledge or awareness based on willful blindness. In Global-Tech Appliances, Inc. v. SEB, S.A.,58 the U.S. Supreme Court had held that willful blindness is equivalent to knowledge for purposes of evaluating patent infringement. Applying this principle to the DMCA, the Second Circuit held that if a service provider made a “deliberate effort to avoid guilty knowledge” the willful blindness doctrine could be applied, in appropriate circumstances, to demonstrate knowledge or awareness of specific instances of infringement under the DMCA.59

The appellate panel made clear that willful blindness under the DMCA, like other forms of knowledge or awareness, cannot be premised on generalized knowledge, but must be based on “specific instances of infringement ....”60 Judge Cabranes also explained that service providers cannot

56 See Viacom Int'l, Inc. v. YouTube, Inc., 676 F.3d 19, 33–34 (2d Cir. 2012). On remand, the district court again granted summary judgment for YouTube, ruling, among other things, that YouTube did not have knowledge or awareness of any specific acts of infringement and had not willfully blinded itself to specific acts of infringement. See Viacom Int'l, Inc. v. YouTube, Inc., 940 F. Supp. 2d 110 (S.D.N.Y. 2013).

57 Viacom Int'l, Inc. v. YouTube, Inc., 676 F.3d 19, 33 (2d Cir. 2012) (emphasis added).

58 Global-Tech Appliances, Inc. v. SEB S.A., 131 S. Ct. 2060, 2070–71 (2011); supra § 4.11[6][A] (analyzing the case and its applicability to the doctrine of copyright inducement).

59 Viacom Int'l, Inc. v. YouTube, Inc., 676 F.3d 19, 35 (2d Cir. 2012), quoting In re Aimster, 334 F.3d at 650. On remand, the district court granted summary judgment for YouTube, holding that YouTube had not willfully blinded itself to specific acts of infringement. See Viacom Int'l, Inc. v. YouTube, Inc., 940 F. Supp. 2d 110 (S.D.N.Y. 2013).

60 Viacom Int'l, Inc. v. YouTube, Inc., 676 F.3d 19, 35 (2d Cir. 2012).

be compelled to monitor their sites or affirmatively seek facts evidencing infringing activity as a condition for benefiting from the safe harbor, concluding that section 512(m) limited, but did not abrogate application of the willful blindness doctrine to the DMCA.61 Thus, willful blindness may provide grounds for finding knowledge or awareness under the DMCA, but involves a more limited inquiry than when evaluating willful blindness to establish inducement because under the DMCA willful blindness may not be premised on either generalized knowledge or a failure to monitor or proactively search a site or service for infringing activity. Given this formulation, it is perhaps not surprising that Judge Cabranes cautioned that willful blindness may be difficult to assess absent explicit fact finding.62

Although the Second Circuit characterized its analysis of willful blindness as involving an issue of first impression, in an earlier district court opinion, Columbia Pictures Industries, Inc. v. Fung,63 Judge Stephen Wilson in Los Angeles had held that willful blindness amounted to red flag awareness.64 In Fung, which is an inducement case discussed at length in section 4.11[6][F], the Ninth Circuit, applying

61 Viacom Int'l, Inc. v. YouTube, Inc., 676 F.3d 19, 35 (2d Cir. 2012).

62 Viacom Int'l, Inc. v. YouTube, Inc., 676 F.3d 19, 35 n.10 (2d Cir. 2012), citing Tiffany (NJ) v. eBay, Inc., 600 F.3d 93, 110 (2d Cir.), cert. denied, 562 U.S. 1082 (2010).

63 Columbia Pictures Industries, Inc. v. Fung, No. 06 Civ. 5578, 2009 WL 6355911 (C.D. Cal. Dec. 21, 2009), aff'd in relevant part, 710 F.3d 1020 (9th Cir. 2013).

64 The district court had found red flag awareness in connection with evaluating defendants' argument that they were entitled to the information location tools safe harbor, 17 U.S.C.A. § 512(d); infra § 4.12[7], because they disabled links whenever they received notices. Judge Wilson had found defendants ineligible for the user storage safe harbor set forth in 17 U.S.C.A. § 512(c) because the infringing material in Fung did not actually reside on Fung's servers. The Ninth Circuit disagreed with this analysis, declining to read requirements into the safe harbor that are not contained in the text of the DMCA and noting that section 512(c) “explicitly covers not just the storage of infringing material, but also infringing ‘activit[ies]’ that ‘us[e] the material [stored] on the system or network.’ ” Columbia Pictures Industries, Inc. v. Fung, 710 F.3d 1020, 1042 (9th Cir. 2013). As discussed earlier in this chapter, this analysis is incorrect. See supra § 4.12[6][A]. Section 512(c), while not limited to cases where material is stored on a service provider's servers, nonetheless is restricted to cases involving “storage at the direction of a user of material that resides on a system or network controlled or operated by or for the service provider ....” 17 U.S.C.A. § 512(c)(1); supra § 4.12[6][A] (analyzing this aspect of the court's ruling). In Fung, the court did not find that the Bit Torrent tracker sites at issue constituted “a system or network controlled or operated by or for” Fung. See 17 U.S.C.A. § 512(c)(1). As explained in section 4.12[6][A], the Ninth Circuit's reading of section 512(c) on this point therefore is not consistent with the plain terms of that statutory provision.

the Second Circuit's objective/subjective analysis of actual knowledge and red flag awareness from Viacom v. YouTube, ultimately ruled that Fung had red flag awareness of a broad range of infringing activity that precluded him from benefitting from either the user storage or information location tools safe harbors.65 Fung and his company, isoHunt Web Technologies, Inc., operated the isohunt.com, torrentbox.com and podtropolis.com torrent sites and associated BitTorrent trackers, and the eDonkey site, ed2k-it.com.66

Fung's level of knowledge and awareness was summarized by the Ninth Circuit panel but explained in greater detail in the district court's opinion. The Ninth Circuit concluded that the record was replete with instances of Fung actively encouraging infringement, by urging his users to both upload and download particular copyrighted works, providing assistance to those seeking to watch copyrighted films, and helping his users burn copyrighted material onto DVDs. The material in question was sufficiently current and well-known that it would have been objectively obvious to a reasonable person that the material solicited and assisted was both copyrighted and not licensed to random members of the public, and that the induced use was therefore infringing. Moreover, Fung does not dispute that he personally used the isoHunt website to download infringing material. Thus, while Fung's inducing actions do not necessarily render him per se ineligible for protection under § 512(c), they are relevant to our determination that Fung had “red flag” knowledge of infringement.67

With respect to knowledge, the district court had noted

65 Columbia Pictures Industries, Inc. v. Fung, 710 F.3d 1020, 1043–44, 1047 (9th Cir. 2013). The same panel that decided Fung also decided UMG Recordings, Inc. v. Shelter Capital Partners LLC, 667 F.3d 1022 (9th Cir. 2011), opinion withdrawn and replaced, 718 F.3d 1006 (9th Cir. 2013). Fung was written by Judge Marsha S. Berzon, on behalf of herself and Judges Harry Pregerson and Raymond C. Fisher. Shelter Partners was authored by Judge Raymond C. Fisher, on behalf of himself and Judges Harry Pregerson and Marsha S. Berzon.

66 A technical explanation of how BitTorrent protocols generally, and Fung's sites in particular, operate, is set forth in section 4.11[6][F] in connection with a discussion of the Fung court's analysis of defendants' liability for copyright inducement.

67 Columbia Pictures Industries, Inc. v. Fung, 710 F.3d 1020, 1043 (9th Cir. 2013).

that although Fung's sites were based in Canada, at the height of their popularity they had 10 million visitors each month, 25% of whom came from the United States to access content, more than 90% of which was found to be infringing. District Court Judge Wilson wrote that “unless Defendants somehow refused to look at their own webpages, they invariably would have known that (1) infringing material was likely to be available and (2) most of Defendants' users were searching for and downloading infringing material.”68 He wrote that in light of the “overwhelming evidence, the only way Defendants could have avoided knowing about their users' infringement is if they engaged in ‘ostrich-like refusal to discover the extent to which [their] system[s] w[ere] being used to infringe copyright.’”69

More broadly, the district court emphasized that inducement and the DMCA “are inherently contradictory. Inducement liability is based on active bad faith conduct aimed at promoting infringement; the statutory safe harbors are based on passive70 good faith conduct aimed at operating a legitimate internet business.”71 The Ninth Circuit declined to

68 Columbia Pictures Industries, Inc. v. Fung, No. 06 Civ. 5578, 2009 WL 6355911, at *17 (C.D. Cal. Dec. 21, 2009), aff'd in relevant part, 710 F.3d 1020 (9th Cir. 2013). The extent of defendants' knowledge and encouragement of infringing activities is set forth in section 4.11[6][F], which discusses the case in connection with the court's entry of summary judgment for the plaintiffs on their claim of copyright inducement.

69 Columbia Pictures Industries, Inc. v. Fung, No. 06 Civ. 5578, 2009 WL 6355911, at *18 (C.D. Cal. Dec. 21, 2009) (quoting In re Aimster Copyright Litig., 334 F.3d 643, 655 (7th Cir. 2003)), aff'd in relevant part, 710 F.3d 1020 (9th Cir. 2013).

70 The district court's reference to the safe harbor being based on “passive” conduct by service providers may be criticized as perpetuating the myth that the narrow definition of service provider applicable only to the transitory digital network communications safe harbor set forth in section 512(a) applies generally under the DMCA notwithstanding the much broader definition of the term when used in connection with the other safe harbors (which by no means is limited to passive service providers). Compare 17 U.S.C.A. § 512(k)(1)(A) (narrowly defining the term service provider for purposes only of the safe harbor created by section 512(a)) with 17 U.S.C.A. § 512(k)(1)(B) (broadly defining the same term for purposes of the user storage, information location tools and caching safe harbors); see generally supra § 4.12[2] (analyzing the definition of service provider in different contexts under the DMCA).

71 Columbia Pictures Industries, Inc. v. Fung, No. 06 Civ. 5578, 2009 WL 6355911, at *18 (C.D. Cal. Dec. 21, 2009), aff'd in part and rev'd in part, 710 F.3d 1020 (9th Cir. 2013).

endorse this view, agreeing instead with the Second Circuit72 that DMCA safe harbors at least in theory are available to service providers in inducement cases.73 In fact, however, the district court's observation that evidence establishing inducement and proving entitlement to the user storage safe harbor “are inherently contradictory” represents the better view as a practical matter, even if theoretically safe harbor protection may be available, because of the requirement that a service provider not have red flag awareness (at least for the user storage and information location tools safe harbors and in some cases the caching safe harbor).74 In practice, the level of knowledge that may be proven or imputed based on a finding of inducement (which requires evidence both of intent and affirmative steps) necessarily would establish awareness of facts and circumstances from which infringing activity is apparent and therefore preclude DMCA safe harbor protection.

In the appellate court ruling in Fung, the Ninth Circuit raised without deciding the question of whether red flag awareness would broadly preclude safe harbor protection or only for the specific files or activity at issue.75 The Ninth Circuit panel found it unnecessary to resolve the question because in Fung it also found defendants ineligible for the safe harbor based on having a financial interest and the right and ability to control.76

72 See Viacom Int'l, Inc. v. YouTube, Inc., 676 F.3d 19, 41 (2d Cir. 2012) (holding that “a finding of safe harbor application necessarily protects a defendant from all affirmative claims for monetary relief.”).

73 See Columbia Pictures Industries, Inc. v. Fung, 710 F.3d 1020, 1039–40 (9th Cir. 2013) (holding that the DMCA potentially may be applied to a claim of inducement, although finding it inapplicable in that case). The Fung court did not suggest that the DMCA safe harbors in fact would be available in cases where a plaintiff otherwise could prove inducement, stressing merely that it was “conceivable that a service provider liable for inducement could be entitled to protection under the safe harbors” and explaining that it was “not clairvoyant enough to be sure that there are no instances in which a defendant otherwise liable for contributory copyright infringement could meet the prerequisites for one or more of the DMCA safe harbors.” Id. at 1040 (emphasis in original).

74 See 17 U.S.C.A. § 512(c)(1)(A)(ii).

75 Columbia Pictures Industries, Inc. v. Fung, 710 F.3d 1020, 1043 n.20 (9th Cir. 2013).

76 Columbia Pictures Industries, Inc. v. Fung, 710 F.3d 1020, 1043 n.20 (9th Cir. 2013). The financial interest/right and ability to control provision set forth in 17 U.S.C.A. § 512(c)(1)(B) is analyzed in section 4.12[6][D].

Subsequent cases have either found77 or declined to find78 evidence of willful blindness.

Among the Circuit Court opinions analyzing knowledge or awareness, Fung, on the one hand, and CCBill, Shelter Capital Partners and YouTube, on the other, bookend the circumstances under which red flag awareness may be found (or found lacking). While service providers have no obligation to proactively search for or block infringing material and cannot be deemed to have knowledge or awareness based on a defective DMCA notice or generalized knowledge that a site or service may be used for infringement, they may not stick their heads in the sand or turn a blind eye to specific

77 See, e.g., Capitol Records, Inc. v. MP3Tunes, LLC, No. 07 Civ. 9931 (WHP), 2013 WL 1987225, at *3 (S.D.N.Y. May 14, 2013). In MP3Tunes, the district court held that certain evidence created a factual dispute on the issue of willful blindness, although the evidence described by the court sounded like it would have been more relevant to the issue of red flag awareness based on subjective awareness judged by an objective standard of reasonableness, than willful blindness. Specifically, the court found that a jury could reasonably interpret several documents as imposing a duty to make further inquiries into specific and identifiable instances of possible infringement:

For example, an email received by MP3Tunes in April 2007 gives a specific blog title and states, “[a]lthough I don't like ratting myself out, everything I post is in clear violation of the DMCA ....” Another email from November 2007 states, “if you search for ‘the clash I fought the law’ . . . you will get 5 results . . . 2 of which point to the website www.ocerjellnutz.com[.] This website blatantly acknowledges that it contains infringing MP3's.” . . . In a third email, an MP3tunes employee acknowledges that while ‘it's not clear if [content from a user's site] is all copyright [sic] material . . . it probably is ....’

Capitol Records, Inc. v. MP3Tunes, LLC, No. 07 Civ. 9931 (WHP), 2013 WL 1987225, at *3 (S.D.N.Y. May 14, 2013). The court's confusion of red flag awareness with imputed awareness based on willful blindness merely underscores that red flag awareness in the Second and Ninth Circuits may be shown by either subjective awareness and an objectively unreasonable failure to disable access to or remove material or based on a deliberate attempt to avoid acquiring knowledge.

78 See, e.g., Capitol Records, LLC v. Vimeo, LLC, 972 F. Supp. 2d 500, 523-25 (S.D.N.Y. 2013). In Vimeo, the court found that a service provider had not been willfully blind with respect to any of the 199 videos at issue. In that case, the plaintiffs had identified several emails where employees appeared to be willfully blinding themselves to acts of infringement by, for example, forwarding an email with the cover note “[i]gnoring but sharing” or characterizing Vimeo's copyright policy as “[d]on't ask, don't tell ....” Judge Abrams of the Southern District of New York characterized the evidence as “disconcerting” but discounted it because it did not relate to any of the videos at issue in the case. Id. at 524.

instances of infringement and expect to claim entitlement to safe harbor protection.

Ultimately, by setting a high bar for what constitutes a red flag, the Ninth Circuit, in CCBill, provided a measure of protection to legitimate service providers on an issue that is potentially very difficult to evaluate, subject to the caveat from dicta in Shelter Capital Partners that notice from a third party could provide red flag awareness. Fung, by contrast, shows that pirate sites and services found liable for inducement may not benefit from the generous leeway given to legitimate sites and services in evaluating whether they had knowledge or red flag awareness.

Although one district court mistakenly characterized the issue to be evaluated in section 512(c)(1)(A) as whether a defendant had “the requisite intent . . . ,”79 that section requires consideration of knowledge or red flag awareness of material that was not expeditiously disabled or removed (if any), not intent.

When material is stored at the direction of a user on a large site or service it may be very difficult in most instances for a service provider, absent receipt of a notification, to evaluate whether material is protected, in the public domain, created by the user, copied without authorization from a third party, licensed (expressly or impliedly) or employed as a fair use. The complexities associated with identifying potential red flag material may be significant. For example, as of 2013, more than 100 hours of video were uploaded to YouTube every minute.80 In one unreported case, the court held that it would have been “nearly impossible” for a forum operator to

79 Agence France Presse v. Morel, No. 10 Civ. 02730 (AJN), 2013 WL 146035, at *16 (S.D.N.Y. Jan. 14, 2013) (denying a defendant's motion for summary judgment on the issue of its entitlement to the user storage safe harbor). Other aspects of the Morel court's DMCA analysis are also subject to criticism. See supra § 4.12[2] (criticizing the court's interpretation of the term service provider as inconsistent with the plain terms of section 512(k)); infra § 4.12[6][D] (criticizing the court's analysis of financial interest without consideration of right and ability to control).

80 YouTube Statistics, http://www.youtube.com/yt/press/statistics.html (visited Aug. 3, 2013). As of that time, more than six billion hours of video were watched by YouTube users each month. See id. By comparison, as of May 2009, on average there were twenty hours of video uploaded every minute to YouTube. Timothy L. Alger, Deputy General Counsel, Google, Inc., Speech, American Bar Association Annual Meeting, Chicago, Aug. 2,

have known that certain candid photographs of celebrities uploaded to LiveJournal were paparazzi photographs in which the owners claimed copyright protection.81

Even where a service provider has knowledge or awareness that a particular file is on its site, it may not be able to easily determine if it is authorized or infringing. For example, aspiring filmmakers may post seemingly amateurish work on the Internet in which they nonetheless claim protection if it is copied without authorization and stored somewhere other than where it was posted originally by the copyright owner. Conversely, clips from protected professional TV shows or music videos may be posted surreptitiously by marketing people or promoters for viral marketing purposes.82 Accordingly, proving knowledge or awareness may raise evidentiary issues in litigation, especially where the number of files potentially at issue is substantial.

On remand from the Second Circuit, the district court in Viacom Int'l, Inc. v. YouTube, Inc.83 addressed the issue of which party has the burden of proof when neither party can establish whether a service provider had knowledge or awareness of specific clips. In that case, YouTube had identified 63,060 video clips that were alleged to be infringing, for which it claimed it never received adequate notice from Viacom. At the time of the lawsuit, more than one billion videos were viewed daily on YouTube with more than 24 hours of new content uploaded every minute. Viacom argued that because neither side possessed the kind of evidence that would allow a clip-by-clip assessment of actual knowledge YouTube could not claim safe harbor protection since the DMCA is an affirmative defense. Judge Stanton disagreed, however, holding that the DMCA places the burden of notifying service providers of infringement on copyright owners or their agents and cannot be shifted to the service provider to disprove.84 Where emails or other internal communications suggest knowledge, awareness or willful blindness, the outcome may be different.85 For example, in Capitol Records, LLC v. Vimeo, LLC,86 the court

2009; YouTube Blog Post, http://youtube-global.blogspot.com/2009/05/ zoinks-20-hours-of-video-uploaded-every20.html (Wednesday, May 20, 2009). As of March 2010, that number had grown to twenty four hours of new video content uploaded every minute, with users partaking in more than 1 billion video views each day. Viacom Int'l, Inc. v. YouTube, Inc., 676 F.3d 19, 28 (2d Cir. 2012).

81 See Mavrix Photographs LLC v. LiveJournal, Inc., No. 8:13-cv-00517-CJC-JPR, 2014 WL 6450094 (C.D. Cal. Sept. 19, 2014) (granting summary judgment to LiveJournal).

82 See infra § 28.05 (viral marketing).

83 Viacom Int'l, Inc. v. YouTube, Inc., 940 F. Supp. 2d 110 (S.D.N.Y. 2013).

84 Viacom Int'l, Inc. v. YouTube, Inc., 940 F. Supp. 2d 110, 113–15 (S.D.N.Y. 2013). Judge Stanton characterized Viacom's argument as “ingenious, but . . . an anachronistic, pre-Digital Millennium Copyright Act (DMCA), concept.” Id. at 114. He explained:

Title II of the DMCA (the Online Copyright Infringement Liability Limitation Act) was enacted because service providers perform a useful function, but the great volume of works placed by outsiders on their platforms, of whose contents the service providers were generally unaware, might well contain copyright-infringing material which the service provider would mechanically “publish,” thus ignorantly incurring liability under the copyright law. The problem is clearly illustrated on the record in this case, which establishes that “. . . site traffic on YouTube had soared to more than 1 billion daily video views, with more than 24 hours of new video uploaded to the site every minute” . . . , and the natural consequence that no service provider could possibly be aware of the contents of each such video. To encourage qualified service providers, Congress in the DMCA established a “safe harbor” protecting the service provider from monetary, injunctive or other equitable relief for infringement of copyright in the course of service such as YouTube's. The Act places the burden of notifying such service providers of infringements upon the copyright owner or his agent. It requires such notifications of claimed infringements to be in writing and with specified contents and directs that deficient notifications shall not be considered in determining whether a service provider has actual or constructive knowledge. Id. § (3)(B)(i) .... If, as plaintiffs' assert, neither side can determine the presence or absence of specific infringements because of the volume of material, that merely demonstrates the wisdom of the legislative requirement that it be the owner of the copyright, or his agent, who identifies the infringement by giving the service provider notice. 17 U.S.C. § 512(c)(3)(A).

Id. at 114–15 (footnote omitted). The court further noted that “[t]he system is entirely workable: in 2007 Viacom itself gave such notice to YouTube of infringements by some 100,000 videos, which were taken down by YouTube by the next business day.” Id. at 115.

85 See, e.g., Capitol Records, LLC v. Vimeo, LLC, 972 F. Supp. 2d 500, 518-19 (S.D.N.Y. 2013) (denying summary judgment where the issue of employee knowledge of particular videos created a factual dispute about whether the service provider had red flag awareness); Capitol Records, Inc. v. MP3Tunes, LLC, No. 07 Civ. 9931 (WHP), 2013 WL 1987225, at *4 (S.D.N.Y. May 14, 2013) (“reluctantly” concluding that the issue of red flag awareness under the DMCA could not be resolved on summary judgment given that under Viacom v. YouTube “[s]omething less than a formal takedown notice may now establish red flag knowledge” and EMI had introduced communications purporting to acknowledge likely infringement); see also Capitol Records, Inc. v. MP3Tunes, LLC, No. 07 Civ. 9931 (WHP), 2013 WL 1987225, at *3 (S.D.N.Y. May 14, 2013) (finding a factual dispute on the issue of willful blindness based on emails received by MP3Tunes or composed by MP3Tunes employees).

86 Capitol Records, LLC v. Vimeo, LLC, 972 F. Supp. 2d 500, 518-23

held that there was a factual dispute precluding summary judgment for the service provider on the issue of whether it had knowledge or awareness of fifty-five of the 199 videos at issue in that case, with which its employees had interacted.87 Those interactions included posting comments about the videos, liking them (by clicking a virtual button), placing them on channels that could only be created or supplemented by employees (such as the “Staff Picks” and “Vimeo HD” channels), whitelisting videos (disabling the function that otherwise would have allowed users to flag a video believed to violate Vimeo's Terms of Service), “burying” videos (preventing them from appearing on a site's “Discovery” tab, through which logged-in users could access a selection of currently popular videos, which was something that only employees could do) and reviewing them in “Vimeo Plus” user accounts.88 Judge Abrams rejected the plaintiffs’ argument in Vimeo that these instances of interaction necessarily evidenced actual knowledge or red flag awareness as a matter of law,89 but he likewise rejected the service provider's argument that even if employees watched the videos they could not have acquired knowledge or awareness as a matter of law because they would not have known if the material

(S.D.N.Y. 2013).

87 The court granted summary judgment for Vimeo on plaintiffs' claim of copyright infringement for the 144 videos with which Vimeo employees undisputedly did not interact. See Capitol Records, LLC v. Vimeo, LLC, 972 F. Supp. 2d 500, 518-23 (S.D.N.Y. 2013).

88 Capitol Records, LLC v. Vimeo, LLC, 972 F. Supp. 2d 500, 521-22 (S.D.N.Y. 2013). On reconsideration, Judge Abrams concluded that it was unrealistic to infer that a Vimeo employee watched every “Plus” video, which accounted for 36% of the videos on the site and therefore a substantial portion of the 43,000 new videos uploaded each day. Accordingly, because defendants satisfied the other elements of Safe Harbor protection, he granted summary judgment for the defendants on the 10 videos for which the only evidence of employee interaction was that the videos had been uploaded by “Plus” users. Capitol Records, LLC v. Vimeo, LLC, 972 F. Supp. 2d 537, 544–45 (S.D.N.Y. 2013). Judge Abrams also granted summary judgment in favor of Vimeo on reconsideration with respect to five videos for which the only evidence of employee interaction was that the user's account had been whitelisted. He explained that while “a jury could infer that when a Vimeo employee watched a specific video, the employee has watched that video . . . an employee's whitelisting of a user's entire account is too tenuous, without more, to permit the inference that the employee has watched all of the user's videos.” Id. at 545.

89 Capitol Records, LLC v. Vimeo, LLC, 972 F. Supp. 2d 500, 523 (S.D.N.Y. 2013).

was authorized. He wrote that he was “unprepared to hold as a matter of law that a service provider may disclaim knowledge of infringing material under any circumstance short of an employee's awareness that the uploader has no legal defense for his or her otherwise infringing conduct.”90

Judge Abrams subsequently certified for interlocutory appeal the question of whether, under Viacom Int'l, Inc. v. YouTube, Inc.,91 “a service provider's viewing of a user-generated video containing all or virtually all of a recognizable, copyrighted song may establish ‘facts and circumstances’ giving rise to ‘red flag’ knowledge of infringement.”92

Where employee emails are at issue, there may also be a question of whether evidence of alleged employee knowledge, red flag awareness or willful blindness should be attributable to the service provider that employs them. In Vimeo, the employee interactions appeared to have involved employees responsible for reviewing or managing videos uploaded by users who presumably were acting within the scope of their employment. In an earlier part of the opinion, however, the court found a triable issue of fact about whether ten videos that had been uploaded by employees should be treated as content uploaded by Vimeo itself, and therefore outside the safe harbor, or material posted at the direction of users, who also happened to be Vimeo employees. The court explained that whether employees stored those videos as “users” within the meaning of section 512(c) or as employees acting within the scope of their employment would turn

90 Capitol Records, LLC v. Vimeo, LLC, 972 F. Supp. 2d 500, 523 (S.D.N.Y. 2013). On reconsideration, Judge Abrams granted summary judgment for Vimeo on two videos where the court concluded that evidence of infringement was not objectively obvious. Neither the name of the song nor the artist was displayed on either the video or the web page through which users viewed the videos. In addition, the copyrighted songs played for “only a short time in the background (approximately 38 and 57 seconds, respectively) during the middle of the video and [we]re otherwise a less significant aspect of the videos.” Id. at 546. Judge Abrams declined to grant summary judgment on 18 others, however, where he found a jury could, but need not necessarily find infringing activity that was objectively obvious to a reasonable person based on factors such as the length of time a song was included in the video (17 of the 18 played all or virtually all of the copyrighted song) and the credits shown (16 of the 18 videos displayed both the artist name and song title, either in the video itself or on the web page where viewers could access the video). Id. at 546–47.

91 Viacom Int'l, Inc. v. YouTube, Inc., 676 F.3d 19 (2d Cir. 2012).

92 Capitol Records, LLC v. Vimeo, LLC, 972 F. Supp. 2d 537, 553 (S.D.N.Y. 2013).

on traditional agency principles.93

Whether employee communications evidence knowledge, red flag awareness or willful blindness similarly may raise agency questions where it is unclear whether a given employee had responsibility over material stored at the direction of a user or was employed in some other capacity by the service provider.

While the objective component of the standard for evaluating red flag awareness may create factual disputes that make it difficult for either side to obtain summary judgment in some cases, those disputes likely will only arise where the service provider arguably has subjective awareness.94 Where a plaintiff cannot produce evidence suggesting knowledge, awareness or willful blindness, a service provider that otherwise qualifies for the DMCA will not lose safe harbor protection.95

When DMCA cases go to trial, copyright owners may choose to streamline their trial presentation by selecting categories of works to present to the jury where the volume of allegedly infringing material is substantial. For example, in Capitol Records, Inc. v. MP3Tunes, LLC,96 the record company plaintiffs chose to focus on, and obtained jury findings of red flag awareness and willful blindness, with respect to: (1) takedown notices identifying ten or more infringing files on a domain; (2) Sideloads of MP3s before January 2007; (3) Sideloads by MP3Tunes executives;97 and (4) works by The Beatles. In post-trial proceedings, the court granted the

93 See Capitol Records, LLC v. Vimeo, LLC, 972 F. Supp. 2d 500, 518-19 (S.D.N.Y. 2013); see generally supra § 4.12[6][A] (discussing this aspect of the opinion in greater detail).

94 As previously noted, both the Second Circuit in Viacom v. YouTube and the Ninth Circuit in its revised opinion in Shelter Partners make clear that whether material raises a red flag in those circuits will depend on whether a service provider was “subjectively aware of facts that would have made the specific infringement ‘objectively’ obvious to a reasonable person.” UMG Recordings, Inc. v. Shelter Capital Partners LLC, 718 F.3d 1006, 1025–26 (9th Cir. 2013), quoting Viacom Int'l v. YouTube, Inc., 676 F.3d 19, 31 (2d Cir. 2012).

95 See Viacom Int'l, Inc. v. YouTube, Inc., 940 F. Supp. 2d 110, 113-15 (S.D.N.Y. 2013).

96 Capitol Records, Inc. v. MP3Tunes, LLC, — F. Supp. 3d —, 2014 WL 4851719 (S.D.N.Y. 2014).

97 Evidence presented at trial, which the court ruled supported the jury's finding of red flag awareness and willful blindness, included that

individual defendant's motion for judgment as a matter of law on the first category because neither red flag awareness nor willful blindness could be imputed based on evidence that MP3Tunes could have but did not investigate domains listed multiple times in DMCA notices to uncover other instances of infringement not identified in the notices. Judge Pauley explained that the DMCA only imposes an obligation on service providers “to track repeat infringement by users, not third parties.”98

With respect to MP3s sideloaded before January 2007, when authorized MP3s were rarely available, the court held that “[k]nowledge that a high percentage of a type of content is infringing is insufficient to create red flag knowledge . . . . A party is willfully blind, however, when it is aware of a high probability that a specific type of content is infringing, available on a service, and consciously avoids confirming that fact.”99 The court distinguished between willful blindness for purposes of imposing liability and willful blindness that could take a service provider outside the DMCA safe harbor, holding that MP3Tunes had no obligation to proactively monitor and therefore willful blindness could not be attributed to it for failing to investigate.100

MP3Tunes' executives sideloaded songs and, in the process of doing so, viewed the source domain's URL along with the artist and track title. They knew personal sites on storage service domains and student pages on college websites had a high probability of hosting infringing material and nonetheless sideloaded files from what the evidence suggested were obviously infringing websites such as clockworkchaos.net, leden.com, www.mylestash.com, and oregon-state.edu. Judge Pauley explained that “[b]ecause MP3Tunes' Executives observed those clearly infringing source domains, the jury could conclude that it would be objectively obvious to a reasonable person (here, MP3Tunes) that any tracks sideloaded from those domains were infringing.” Capitol Records, Inc. v. MP3Tunes, LLC, — F. Supp. 3d —, 2014 WL 4851719, at *7 (S.D.N.Y. 2014).

98 Capitol Records, Inc. v. MP3Tunes, LLC, — F. Supp. 3d —, 2014 WL 4851719, at *6 (S.D.N.Y. 2014).

99 Capitol Records, Inc. v. MP3Tunes, LLC, — F. Supp. 3d —, 2014 WL 4851719, at *7 (S.D.N.Y. 2014), citing Viacom Int'l, Inc. v. YouTube, Inc., 676 F.3d 19, 33 (2d Cir. 2012).

100 Capitol Records, Inc. v. MP3Tunes, LLC, — F. Supp. 3d —, 2014 WL 4851719, at *7 (S.D.N.Y. 2014). Judge Pauley explained:

[I]n the context of the DMCA, willful blindness is limited by the express statutory disavowal of a duty to affirmatively monitor. Viacom, 676 F.3d at 35. The common law doctrine would require Defendants to actively conduct routine searches and eliminate material likely to be infringing. But under Viacom's interpretation of the DMCA, even when service providers possess sophisticated

The record company plaintiffs focused on files by The Beatles because those were not available in MP3 format during the relevant time period. Judge Pauley cited an email Robertson sent in 2009 acknowledging that the Beatles had “never authorized their songs to be available digitally” and evidence that this fact was widely known in the music industry well before 2009 as grounds why the jury could have disbelieved Robertson's testimony that he was not aware of this fact prior to 2009. Nevertheless, Judge Pauley emphasized that a service provider “loses the protection of the safe harbor only if it also knew of specific instances of infringement” and therefore held that red flag awareness was only shown with respect to Beatles songs personally sideloaded by MP3Tunes executives and the song “Strawberry Fields Forever,” which was identified in a user email alerting MP3Tunes that this song was available on Sideload.com. The fact that other Beatles songs were available on the site did not evidence red flag awareness or willful blindness.101

Capitol Records, Inc. v. MP3Tunes, LLC102 underscores the potential costs to both copyright owners and service providers of litigating DMCA issues in cases where thousands of files are at issue. In ruling on post-trial motions in 2014, Judge William H. Pauley III lamented that “[w]hile the world has moved beyond the free–MP3–download craze, the parties in this case have not. This hard-fought litigation spans 7 years and 628 docket entries. Numerous substantive motions were heard. And decisions by this Court did not deter the parties from revisiting the same issues time and again. As trial approached, the parties launched salvos of motions in limine seeking to resurrect discovery disputes, relitigate prior motions, and level an impressive array of claims and defenses . . . . Despite this Court's efforts to winnow the issues, the parties insisted on an 82–page verdict sheet on liability and a 331–page verdict sheet on damages that included dense Excel tables, necessitating at least one juror's

monitoring technology, they are under no obligation to use it to seek out infringement. See Vimeo, LLC, 972 F. Supp. 2d at 525. Thus, MP3tunes cannot be held liable for failing to routinely search its servers for major-label MP3s released before January 2007.

Capitol Records, Inc. v. MP3Tunes, LLC, — F. Supp. 3d —, 2014 WL 4851719, at *7 (S.D.N.Y. 2014) (footnote omitted).

101 Capitol Records, Inc. v. MP3Tunes, LLC, — F. Supp. 3d —, 2014 WL 4851719, at *7–9 (S.D.N.Y. 2014).

102 Capitol Records, Inc. v. MP3Tunes, LLC, — F. Supp. 3d —, 2014 WL 4851719 (S.D.N.Y. 2014).

use of a magnifying glass.”103 The case resulted in a jury verdict against MP3Tunes and its owner of $48,061,073 in damages104 and ultimately could lead to a new trial.105 While the case involved a risky business model—characterized by Judge Pauley as one “designed to operate at the very periphery of copyright law”106—it nonetheless provides a cautionary tale for service providers on how complex and expensive it can be to litigate DMCA issues and how risky it may be to cut corners in implementing the DMCA, turn a blind eye to infringement or ignore red flags. Where service providers know or become aware of specific infringing material or activity, they must take action or risk losing safe harbor protection.

4.12[6][D] Direct Financial Benefit/Right and Ability to Control

The requirement that a service provider “not receive a financial benefit directly attributable to the infringing activity, in a case in which the service provider has the right and ability to control such activity”1 is derived from the common law test for vicarious copyright liability, which may be imposed where a defendant (1) has the right and ability to supervise the infringing activity, and (2) has a direct financial interest in it.2 While a plaintiff has the burden of proving both prongs to establish vicarious liability, the analogous DMCA provision allows a service provider to benefit from the user storage safe harbor so long as only one but not both elements apply. Thus, a service provider will be entitled to the safe harbor if it has a financial interest but no right

103 Capitol Records, Inc. v. MP3Tunes, LLC, 48 F. Supp. 3d 703, 710 (S.D.N.Y. 2014).
104 Capitol Records, Inc. v. MP3Tunes, LLC, 48 F. Supp. 3d 703, 711 (S.D.N.Y. 2014).
105 Capitol Records, Inc. v. MP3Tunes, LLC, — F. Supp. 3d —, 2014 WL 4851719, at *23 (S.D.N.Y. 2014) (ordering plaintiffs to elect remittitur or a new trial).
106 Capitol Records, Inc. v. MP3Tunes, LLC, 48 F. Supp. 3d 703, 710 (S.D.N.Y. 2014).
[Section 4.12[6][D]]
1 17 U.S.C.A. § 512(c)(1)(B).
2 See, e.g., Fonovisa, Inc. v. Cherry Auction, Inc., 76 F.3d 259, 262 (9th Cir. 1996); see generally supra §§ 4.11[4], 4.11[5] (discussing common law vicarious liability cases).

and ability to control3 or if it has the right and ability to control but no financial interest4 (or if neither prong applies). The financial interest prong has been construed in the Ninth Circuit to require a showing that “‘the infringing activity constitutes a draw for subscribers, not just an added benefit.’”5

The Second, Fourth and Ninth Circuits have held that right and ability to control within the meaning of section 512(c)(1)(B) of the DMCA requires a higher showing than what would be required to establish common law vicarious liability—i.e., more than merely the ability to block access or remove content—because otherwise section 512(c)(1)(B) would disqualify any service provider that in fact has the ability to do exactly what section 512(c) of the DMCA requires service providers to do to benefit from the safe harbor, namely, to disable access to or remove material in response to notice, knowledge or awareness of infringing activity.6 Although the Ninth Circuit initially held in 2011

3 See, e.g., Corbis Corp. v. Amazon.com, Inc., 351 F. Supp. 2d 1090, 1110 (W.D. Wash. 2004) (“Because Amazon does not have the right and ability to control the infringing material, it is not necessary for this Court to inquire as to whether Amazon receives a direct financial benefit from the allegedly infringing activity.”). In Agence France Presse v. Morel, No. 10 Civ. 02730 (AJN), 2013 WL 146035, at *16 (S.D.N.Y. Jan. 14, 2013), the court denied the defendant's summary judgment motion in part because it found that there was a dispute over whether the defendant had received a financial benefit directly attributable to infringing activity. To the extent that the court made this ruling without considering whether the defendant had the right and ability to control it was wrongly decided. Other aspects of the court's DMCA analysis are also subject to criticism. See supra §§ 4.12[2] (criticizing the court's interpretation of the term service provider), 4.12[6][C] (criticizing the court's mischaracterization of the knowledge or awareness prong as requiring that a service provider have a “requisite intent” to qualify for the safe harbor).
4 See, e.g., Perfect 10, Inc. v. CCBill LLC, 488 F.3d 1102, 1118 (9th Cir.) (“Because CWI does not receive a direct financial benefit, CWIE meets the requirements of § 512(c).”), cert. denied, 522 U.S. 1062 (2007).
5 Perfect 10, Inc. v. CCBill LLC, 488 F.3d 1102, 1117–18 (9th Cir.), cert. denied, 522 U.S. 1062 (2007); Ellison v. Robertson, 357 F.3d 1072, 1079 (9th Cir. 2004) (quoting legislative history).
6 See Viacom Int'l, Inc. v. YouTube, Inc., 676 F.3d 19, 37–38 (2d Cir. 2012); CoStar Group, Inc. v. LoopNet, Inc., 373 F.3d 544, 555 (4th Cir. 2004); UMG Recordings, Inc. v. Shelter Capital Partners LLC, 718 F.3d 1006, 1026–31 (9th Cir. 2013). Vicarious liability is addressed in section 4.11[4].

that right and ability to control presupposes knowledge or awareness of particular infringing activity,7 on reconsideration in 2013 it agreed with the Second Circuit that knowledge is irrelevant to right and ability to control; what must be shown in the Second and Ninth Circuits is “something more than the ability to remove or block access to materials posted on a service provider's website.”8 As discussed below, the exact contours of this test remain to be fleshed out, but the standard set by these circuits is high and likely requires a showing that a service provider exerted substantial influence on the activities of users in ways that encourage infringement or involve purposeful conduct.

The Second and Ninth Circuit standard for what constitutes right and ability to control within the meaning of section 512(c)(1)(B) of the DMCA was derived from earlier, lower court opinions—largely from district courts in the Ninth Circuit. District courts had held that merely having the ability to disable access to or remove infringing material or discontinue service to an infringer,9 enforcing policies that prohibit users

7 See UMG Recordings, Inc. v. Shelter Capital Partners LLC, 667 F.3d 1022, 1041 (9th Cir. 2011) (holding that “until [a service provider] becomes aware of specific unauthorized material, it cannot exercise its ‘power or authority’ over the specific infringing item. In practical terms, it does not have the kind of ability to control infringing activity the statute contemplates.”), opinion withdrawn and replaced, 718 F.3d 1006 (9th Cir. 2013).
8 Viacom Int'l, Inc. v. YouTube, Inc., 676 F.3d 19, 38 (2d Cir. 2012), quoting Capitol Records, Inc. v. MP3Tunes, LLC, 821 F. Supp. 2d 627, 645 (S.D.N.Y. 2011); UMG Recordings, Inc. v. Shelter Capital Partners LLC, 718 F.3d 1006, 1029–30 (9th Cir. 2013) (quoting Viacom v. YouTube and also explaining that “whereas the vicarious liability standard applied in Napster can be met by merely having the general ability to locate infringing material and terminate users' access, § 512(c) requires ‘something more.’”).
9 See, e.g., Io Group, Inc. v. Veoh Networks, Inc., 586 F. Supp. 2d 1132, 1151 (N.D. Cal. 2008) (“the plain language of section 512(c) indicates that the pertinent inquiry is not whether Veoh has the right and ability to control its system, but rather, whether it has the right and ability to control the infringing activity.”); Perfect 10, Inc. v. CCBill, LLC, 340 F. Supp. 2d 1077, 1098 (C.D. Cal. 2004), aff'd in relevant part, 488 F.3d 1102 (9th Cir.), cert. denied, 522 U.S. 1062 (2007); Corbis Corp. v. Amazon.com, Inc., 351 F. Supp. 2d 1090, 1109–10 (W.D. Wash. 2004); CoStar Group Inc. v. LoopNet, Inc., 164 F. Supp. 2d 688, 704 (D. Md. 2001), aff'd, 373 F.3d 544, 556 (4th Cir. 2004); Hendrickson v. eBay, Inc., 165 F. Supp. 2d 1082 (C.D. Cal. 2001).

from engaging in illegal or unauthorized conduct,10 or providing vendors with transaction processing capabilities for credit card purchases11 did not evidence “the right and ability to control” infringing activity within the meaning of section 512(c)(1)(B).

The first appellate court to consider the scope of right and ability to control under the DMCA was the Fourth Circuit, in CoStar Group Inc. v. LoopNet, Inc.,12 in 2004. In explaining that the defense provided by section 512(c)(1)(B) is not coextensive with the standard for vicarious liability, the Fourth Circuit court wrote that a service provider “can become liable indirectly upon a showing of additional involvement sufficient to establish a contributory or vicarious violation of the Act. In that case, the ISP could still look to the DMCA for a safe harbor if it fulfilled the conditions therein.”13

In an earlier case, Hendrickson v. eBay, Inc.,14 a district court in California construed the “right and ability to control” language more narrowly than under the test for vicarious liability based on the language of the DMCA itself. The court explained:

[T]he “right and ability to control” the infringing activity, as the concept is used in the DMCA, cannot simply mean the ability of a service provider to remove or block access to materials posted on its website or stored on its system. To hold otherwise would defeat the purpose of the DMCA and render the statute internally inconsistent. The DMCA specifically requires a service provider to remove or block access to materials posted on its system when it receives notice of claimed infringement. See 17 U.S.C.A. § 512(c)(1)(C). The DMCA also provides that the limitations on liability only apply to a service provider that has “adopted and reasonably implemented . . . a policy that provides for the termination in appropriate circumstances of [users] of the service provider's system or network who are repeat infringers.” See 17 U.S.C.A. § 512(i)(1)(A). Congress could not have intended for courts to

10 See Io Group, Inc. v. Veoh Networks, Inc., 586 F. Supp. 2d 1132 (N.D. Cal. 2008).
11 See, e.g., Corbis Corp. v. Amazon.com, Inc., 351 F. Supp. 2d 1090, 1109–10 (W.D. Wash. 2004); Hendrickson v. Amazon.com, Inc., 298 F. Supp. 2d 914, 918 (C.D. Cal. 2003).
12 CoStar Group, Inc. v. LoopNet, Inc., 373 F.3d 544 (4th Cir. 2004).
13 CoStar Group, Inc. v. LoopNet, Inc., 373 F.3d 544, 555 (4th Cir. 2004).
14 Hendrickson v. eBay, Inc., 165 F. Supp. 2d 1082 (C.D. Cal. 2001).


hold that a service provider loses immunity under the safe harbor provision of the DMCA because it engages in acts that are specifically required by the DMCA.

The Hendrickson v. eBay court likewise rejected the suggestion that eBay's voluntary practice of engaging in “limited monitoring” for apparent infringement under its VeRO15 program evidenced that it had the right and ability to control infringing conduct within the meaning of the DMCA. The court, citing legislative history, wrote that “Congress did not intend for companies such as eBay to be penalized when they engage in voluntary efforts to combat piracy over the Internet.”16

In Hendrickson v. Amazon.com, Inc.,17 Judge Hatter of the Central District of California ruled that Amazon.com's practice of providing payment processing services to third-party sellers on its site meant that Amazon.com received a financial benefit but did not give it “control over the sale” for purposes of the DMCA. As explained by the court (in describing a relationship between site owner and third-party seller that is common to many online businesses):

Amazon merely provided the forum for an independent third-party seller to list and sell his merchandise. Amazon was not actively involved in the listing, bidding, sale or delivery of the DVD. The fact that Amazon generated automatic email responses when the DVD was listed and again when it was sold,

15 Additional information on eBay's Verified Rights Owner's—or VeRO—program may be found in section 6.10[2][I] and in chapter 50.
16 The court also concluded that eBay did not have the right and ability to control the infringing activity at issue in the suit because the allegedly “infringing activity”—sales between third parties—occurred offline between eBay's users. The court emphasized that:

[U]nlike a traditional auction house, eBay is not actively involved in the listing, bidding, sale and delivery of an item offered for sale on its website . . . eBay never has possession of, or opportunity to inspect, . . . items because . . . [they] are only in the possession of the seller . . . . When auctions end, eBay's system automatically sends an email to the high bidder and the seller identifying each other as such . . . . After that, all arrangements to consummate the transaction are made directly between the buyer and seller . . . . eBay has no involvement in the final exchange and generally has no knowledge whether a sale is actually completed (i.e., whether payment exchanges hands and the goods are delivered) . . . If an item is sold, it passes directly from the seller to the buyer without eBay's involvement . . . . eBay makes money through the collection of an “insertion fee” for each listing and a “final value fee” based on a percentage of the highest bid amount at the end of the auction.

17 Hendrickson v. Amazon.com, Inc., 298 F. Supp. 2d 914 (C.D. Cal. 2003).


does not mean that Amazon was actively involved in the sale. Once a third-party seller decides to list an item, the responsibility is on the seller to consummate the sale. While Amazon does provide transaction processing for credit card purchases, that additional service does not give Amazon control over the sale.18

Two district courts in California suggested in dicta that “right and ability to control” for user generated video sites “presupposes some antecedent ability to limit or filter copyrighted material.”19 Discussing earlier common law

18 Hendrickson v. Amazon.com, Inc., 298 F. Supp. 2d 914, 918 (C.D. Cal. 2003). While Hendrickson v. Amazon.com, Inc. influenced the development of subsequent district court case law on right and ability to control, it was not cited in either the Second Circuit's opinion in Viacom v. YouTube or the Ninth Circuit's ruling in UMG v. Shelter Capital Partners. Two other early district court opinions (both issued on the same day in the same case) were neither cited in Viacom v. YouTube or UMG v. Shelter Capital Partners nor particularly influential in the development of DMCA law. In Tur v. YouTube, Inc., No. CV 064436 FMC AJWX, 2007 WL 4947612 (C.D. Cal. June 20, 2007), the court denied cross-motions for summary adjudication on the issue of YouTube's entitlement to the user storage safe harbor, in a suit brought by a videographer who alleged that unauthorized copies of his works had been posted to YouTube. Judge Cooper denied the plaintiff's motion, which had been based solely on the argument that YouTube earned revenue from banner advertisements, writing that “as the statute makes clear, a provider's receipt of a financial benefit is only implicated where the provider also ‘has the right and ability to control the infringing activity.’” Id., quoting 17 U.S.C.A. § 512(c)(1). Similarly, in Tur v. YouTube, Inc., No. CV 064436 FMC AJWX, 2007 WL 1893635 (C.D. Cal. June 20, 2007), aff'd as moot, 562 F.3d 1212 (9th Cir. 2009), the court denied YouTube's motion for summary judgment, concluding that it could not determine right and ability to control under the DMCA because insufficient evidence had been presented on “the process undertaken by YouTube from the time a user submits a video clip to the point of display on the YouTube website.” In so ruling, the court cited both DMCA and vicarious liability cases for the proposition that “right and ability to control” under the DMCA “mean[s] ‘something more’ than just the ability of a service provider to remove or block access to materials posted on its website or stored in its system . . . . Rather, the requirement presupposes some antecedent ability to limit or filter copyrighted material.” The Ninth Circuit ultimately affirmed the denial of YouTube's motion for summary adjudication as moot, based on the lower court's subsequent order granting plaintiff's voluntary dismissal to allow him to join a putative class action suit against YouTube pending in the Southern District of New York. See Tur v. YouTube, Inc., 562 F.3d 1212 (9th Cir. 2009); see also Tur v. YouTube, Inc., No. CV 064436 FMC AJWX, 2007 WL 4947615 (C.D. Cal. Oct. 19, 2007) (granting plaintiff's motion for voluntary dismissal).
19 Io Group, Inc. v. Veoh Networks, Inc., 586 F. Supp. 2d 1132, 1151

cases, the district court in Io Group, Inc. v. Veoh Networks, Inc.20 also suggested that “[t]urning a blind eye to detectable acts of infringement for the sake of profit” (as in A&M Records, Inc. v. Napster, Inc.)21 or engaging in “a mutual enterprise of infringement” (like the proprietor and vendors at the swap meet at issue in Fonovisa, Inc. v. Cherry Auction Inc.)22 would also likely qualify.23

In Io Group, Inc. v. Veoh Networks, Inc.,24 the court rejected the argument that Veoh had the right and ability to control because it had and enforced policies prohibiting users from (a) violating the intellectual property rights of others, (b) making unsolicited offers, sending ads, proposals or junk mail, (c) impersonating other people, (d) misrepresenting sources of material, (e) harassing, abusing, defaming, threatening or defrauding others, (f) linking to password protected areas and (g) spidering material. The court in Veoh held that “the plain language of section 512(c) indicates that the pertinent inquiry is not whether Veoh had the right and ability to control its system, but rather, whether it has the right and ability to control the infringing activity. Under the facts and circumstances presented here, the two are not one and the same.”25 As the court further explained, the statute presupposes a service provider's control of its system or network.26

The Veoh court rejected plaintiff's argument that Veoh, a

(N.D. Cal. 2008) (granting summary judgment for the defendant on this issue; quoting Tur v. YouTube, Inc.); Tur v. YouTube, Inc., No. CV 064436, 2007 WL 1893635 (C.D. Cal. June 20, 2007) (dicta in an order denying YouTube's motion for summary judgment), aff'd as moot, 562 F.3d 1212 (9th Cir. 2009).
20 Io Group, Inc. v. Veoh Networks, Inc., 586 F. Supp. 2d 1132 (N.D. Cal. 2008).
21 A&M Records, Inc. v. Napster, Inc., 239 F.3d 1004 (9th Cir. 2001); see generally supra § 4.11[9][F].
22 Fonovisa, Inc. v. Cherry Auction, Inc., 76 F.3d 259 (9th Cir. 1996); see generally supra §§ 4.11[4], 4.11[8][B], 4.11[8][C].
23 586 F. Supp. 2d at 1151–52 (citing other cases). Napster and other vicarious liability cases are analyzed extensively in section 4.11[4].
24 Io Group, Inc. v. Veoh Networks, Inc., 586 F. Supp. 2d 1132 (N.D. Cal. 2008).
25 Io Group, Inc. v. Veoh Networks, Inc., 586 F. Supp. 2d 1132, 1151 (N.D. Cal. 2008) (emphasis in original).
26 See 17 U.S.C.A. § 512(c)(1) (applying the safe harbor to “material that resides on a system or network controlled or operated by or for the


UGC video site, had the same right and ability to control as Napster because “Napster existed solely to provide the site and facilities for copyright infringement, and its control over its system was directly intertwined with its ability to control infringing activity.”27 It also emphasized that “Veoh's right and ability to control its system does not equate to the right and ability to control infringing activity.”28 Judge Lloyd explained that, unlike Napster, there was no suggestion that Veoh sought to encourage infringement.29 He also cast “right and ability to control” squarely in the context of infringement, noting that even if Veoh had the ability to review and remove infringing material there was no evidence to suggest that Veoh could easily identify what material was infringing.30

Finally, the court rejected the argument that Veoh should have changed its business practices to have verified the source of all incoming videos by obtaining and confirming the names and addresses of the submitting user, the producer and the user's authority to upload a given file. Judge Lloyd ruled that “[d]eclining to change business operations is not the same as declining to exercise a right and ability to control infringing activity.”31 In addition, he reiterated that “the DMCA does not require service providers to deal with infringers in a particular way.”32

In granting summary judgment for Veoh in UMG Recordings, Inc. v. Veoh Networks, Inc.,33 Judge Howard Matz of the Central District of California addressed right and ability

service provider”; emphasis added).
27 586 F. Supp. 2d at 1153.
28 586 F. Supp. 2d at 1153.
29 See supra § 4.11[9][F] (analyzing the Napster case).
30 586 F. Supp. 2d at 1153. The court wrote that “Veoh's ability to control its index does not equate to an ability to identify and terminate infringing videos.” 586 F. Supp. 2d at 1153 (emphasis in original). The court further stressed that there was no evidence presented to suggest that Veoh “failed to police its system to the fullest extent permitted by its architecture” and, to the contrary, the record showed that Veoh had “taken down blatantly infringing content, promptly respond[ed] to infringement notices, terminate[d] infringing content on its system and in its users' hard drives (and prevents that same content from being uploaded again), and terminates the accounts of repeat offenders.” 586 F. Supp. 2d at 1153–54.
31 586 F. Supp. 2d at 1154.
32 586 F. Supp. 2d at 1154.
33 UMG Recordings, Inc. v. Veoh Networks Inc., 665 F. Supp. 2d 1099 (C.D. Cal. 2009), aff'd sub nom. UMG Recordings, Inc. v. Shelter Capital

more pointedly in rejecting various arguments raised by UMG, writing that “the capacity to control and remove material are features that an internet service provider that stores content must have in order to be eligible for the safe harbor. ‘Congress could not have intended for courts to hold that a service provider loses immunity under the safe harbor provision of the DMCA because it engages in acts that are specifically required by the DMCA.’”34

The Ninth Circuit forcefully amplified this theme in affirming the trial court's order in UMG Recordings, Inc. v. Shelter Capital Partners LLC.35 In Shelter Capital, the appellate panel rejected UMG's argument that right and ability to control under the DMCA should be considered coextensive with the common law standard for imposing vicarious liability, which the court pointed out was phrased “loose[ly] and has varied” in different court opinions.36 Judge Raymond C. Fisher, writing for himself and Judges Harry Pregerson and Marsha S. Berzon, explained that:

Given Congress’ explicit intention to protect qualifying service providers who would otherwise be subject to vicarious liability, it would be puzzling for Congress to make § 512(c) entirely coextensive with the vicarious liability requirements, which would effectively exclude all vicarious liability claims from the § 512(c) safe harbor . . . . In addition, it is difficult to envision, from a policy perspective, why Congress would have chosen to exclude vicarious infringement from the safe harbors, but retain protection for contributory infringement. It is not apparent why the former might be seen as somehow worse than the latter.37

The panel also noted that if that had been Congress's

Partners LLC, 718 F.3d 1006 (9th Cir. 2013).
34 UMG Recordings, Inc. v. Veoh Networks Inc., 665 F. Supp. 2d 1099, 1113 (C.D. Cal. 2009) (quoting Hendrickson v. eBay, Inc., 165 F. Supp. 2d 1082, 1093–94 (C.D. Cal. 2001)), aff'd sub nom. UMG Recordings, Inc. v. Shelter Capital Partners LLC, 718 F.3d 1006, 1026–31 (9th Cir. 2013). The court ruled that Veoh's ability to block and filter content did not amount to a right and ability to control.
35 UMG Recordings, Inc. v. Shelter Capital Partners LLC, 667 F.3d 1022, 1041–45 (9th Cir. 2011), opinion withdrawn and replaced, 718 F.3d 1006 (9th Cir. 2013).
36 UMG Recordings, Inc. v. Shelter Capital Partners LLC, 718 F.3d 1006, 1026–30 (9th Cir. 2013).
37 UMG Recordings, Inc. v. Shelter Capital Partners LLC, 718 F.3d 1006, 1028–29 (9th Cir. 2013), citing Edward Lee, Decoding the DMCA Safe Harbors, 32 Colum. J.L. & Arts 233, 236–67 (2009) and Mark A. Lemley, Rationalizing Internet Safe Harbors, 6 J. Telecomm. & High

intention to exclude vicarious liability from the scope of DMCA safe harbor protection, “it would have been far simpler and much more straightforward to simply say as much.”38

Judge Fisher emphasized that section 512(c) “actually presumes that service providers have the sort of control that UMG argues satisfies the § 512(c)(1)(B) ‘right and ability to control’ requirement: they must ‘remove[] or disable access to’ infringing material when they become aware of it.”39 He explained that right and ability to control could not mean, as it does under Ninth Circuit common law vicarious liability law, the ability to locate infringing material and terminate users' access, because “[u]nder that reading, service providers would have the ‘right and ability to control’ infringing activity regardless of their becoming ‘aware of’ the material.”40 Quoting district court Judge Matz, the appellate panel explained that “Congress could not have intended for courts to hold that a service provider loses immunity under the safe harbor provision of the DMCA because it engages in acts that are specifically required by the DMCA.”41

The Ninth Circuit initially had construed right and ability to control as requiring knowledge of specific files or activity, in a December 2011 opinion that subsequently was withdrawn and replaced in March 2013 following criticism from the Second Circuit and a motion for reconsideration.

Initially, the Ninth Circuit panel had held that “the ‘right and ability to control’ under § 512(c) requires control over specific infringing activity the provider knows about. A service provider's general right and ability to remove materials

Tech. L. 101, 104 (2007).
38 UMG Recordings, Inc. v. Shelter Capital Partners LLC, 718 F.3d 1006, 1029 (9th Cir. 2013), quoting Ellison v. Robertson, 189 F. Supp. 2d 1051, 1061 (C.D. Cal. 2002), aff'd in part and rev'd in part on different grounds, 357 F.3d 1072 (9th Cir. 2004).
39 UMG Recordings, Inc. v. Shelter Capital Partners LLC, 718 F.3d 1006, 1027 (9th Cir. 2013), quoting 17 U.S.C. §§ 512(c)(1)(A)(iii), 512(c)(1)(C).
40 UMG Recordings, Inc. v. Shelter Capital Partners LLC, 718 F.3d 1006, 1027 (9th Cir. 2013).
41 UMG Recordings, Inc. v. Shelter Capital Partners LLC, 718 F.3d 1006, 1027 (9th Cir. 2013), quoting UMG Recordings, Inc. v. Veoh Networks Inc., 665 F. Supp. 2d 1099, 1113 (C.D. Cal. 2009) (quoting Hendrickson v. eBay, Inc., 165 F. Supp. 2d 1082, 1093–94 (C.D. Cal. 2001)) (internal quotation marks omitted) and citing Io Grp., Inc. v. Veoh Networks, Inc., 586 F. Supp. 2d 1132, 1151 (N.D. Cal. 2008) (same)).

from its services is, alone, insufficient.”42 Judge Fisher explained that:

[I]t is not enough for a service provider to know as a general matter that users are capable of posting unauthorized content; more specific knowledge is required. Similarly, a service provider may, as a general matter, have the legal right and necessary technology to remove infringing content, but until it becomes aware of specific unauthorized material, it cannot exercise its “power or authority” over the specific infringing item. In practical terms, it does not have the kind of ability to control infringing activity the statute contemplates.43

In short, the appellate court explained that “the DMCA recognizes that service providers who are not able to locate and remove infringing materials they do not specifically know of should not suffer the loss of safe harbor protection.”44 As discussed below, this aspect of the court's ruling subsequently was withdrawn.

In Viacom Int'l, Inc. v. YouTube, Inc.,45 the Second Circuit adopted a fact-based inquiry to right and ability to control, declining to follow the Ninth Circuit's analysis in its 2011 opinion in Shelter Partners. Judge José Cabranes, writing for himself and Judge Livingston,46 rejected the analysis of both the lower court and Shelter Partners that a service provider must know of a particular instance of infringement before it may control it because it would render the requirement that a service provider not have the right and ability to control duplicative of the provision requiring that a service provider not have knowledge of infringing activity and fail to act on that knowledge.47 Judge Cabranes explained:

The trouble with this construction is that importing a specific

42 UMG Recordings, Inc. v. Shelter Capital Partners LLC, 667 F.3d 1022, 1043 (9th Cir. 2011), opinion withdrawn and replaced, 718 F.3d 1006, 1026–30 (9th Cir. 2013).
43 UMG Recordings, Inc. v. Shelter Capital Partners LLC, 667 F.3d 1022, 1041 (9th Cir. 2011), opinion withdrawn and replaced, 718 F.3d 1006, 1026–30 (9th Cir. 2013).
44 UMG Recordings, Inc. v. Shelter Capital Partners LLC, 667 F.3d 1022, 1043 (9th Cir. 2011), opinion withdrawn and replaced, 718 F.3d 1006, 1026–30 (9th Cir. 2013).
45 Viacom Int'l, Inc. v. YouTube, Inc., 676 F.3d 19, 38–40 (2d Cir. 2012).
46 Judge Roger J. Miner, who had also been assigned to the panel, passed away prior to the resolution of the case. See Viacom Int'l, Inc. v. YouTube, Inc., 676 F.3d 19, 25 n.1 (2d Cir. 2012).
47 See supra § 4.12[6][C] (analyzing knowledge, awareness and the


knowledge requirement into § 512(c)(1)(B) renders the control provision duplicative of § 512(c)(1)(A). Any service provider that has item-specific knowledge of infringing activity and thereby obtains financial benefit would already be excluded from the safe harbor under § 512(c)(1)(A) for having specific knowledge of infringing material and failing to effect expeditious removal. No additional service provider would be excluded by § 512(c)(1)(B) that was not already excluded by § 512(c)(1)(A). Because statutory interpretations that render language superfluous are disfavored, . . . we reject the District Court's interpretation of the control provision.48

On the other hand, the Second Circuit agreed with the Ninth Circuit in rejecting plaintiff's argument that the term “right and ability to control” codified the common law doctrine of vicarious liability because, to do so, would render the statute internally inconsistent by making the ability of a service provider to comply with the statute's requirement to disable access to or remove material in response to a DMCA notice, knowledge or awareness a disqualifying condition for the safe harbor.49

failure to take corrective measures).
48 Viacom Int'l, Inc. v. YouTube, Inc., 676 F.3d 19, 36 (2d Cir. 2012) (citation omitted).
49 See Viacom Int'l, Inc. v. YouTube, Inc., 676 F.3d 19, 37 (2d Cir. 2012). The panel acknowledged the “general rule with respect to common law codification . . . that when ‘Congress uses terms that have accumulated settled meaning under the common law, a court must infer, unless the statute otherwise dictates, that Congress means to incorporate the established meaning of those terms.’” Viacom Int'l, Inc. v. YouTube, Inc., 676 F.3d 19, 37 (2d Cir. 2012), quoting Neder v. United States, 527 U.S. 1, 21 (1999). However, Judge Cabranes explained that since “[u]nder the common law vicarious liability standard, ‘[t]he ability to block infringers' access to a particular environment for any reason whatsoever is evidence of the right and ability to supervise’ . . . [t]o adopt that principle in the DMCA context . . . would render the statute internally inconsistent” because section 512(c) actually presumes that service providers have the ability to block access to infringing material. Viacom Int'l, Inc. v. YouTube, Inc., 676 F.3d 19, 37 (2d Cir. 2012), quoting Arista Records LLC v. Usenet.com, Inc., 633 F. Supp. 2d 124, 157 (S.D.N.Y. 2009) (quoting A&M Records, Inc. v. Napster, Inc., 239 F.3d 1004, 1023 (9th Cir. 2001)). If the right and ability to control provision were read to be coextensive with the common law standard for vicarious liability then “the prerequisite to safe harbor protection under § 512(c)(1)(A)(iii) & (C) would at the same time be a disqualifier under § 512(c)(1)(B).” Viacom Int'l, Inc. v. YouTube, Inc., 676 F.3d 19, 37 (2d Cir. 2012). The panel noted that had Congress intended to carve out vicarious liability from the scope of the safe harbor “the statute could have accomplished that result in a more direct manner.” Viacom Int'l, Inc. v. YouTube, Inc., 676 F.3d 19, 37 (2d

4-564 Copyright Protection in Cyberspace 4.12[6][D]

Instead, the Second Circuit held that “right and ability to control” infringing activity within the meaning of section 512(c)(1)(B) “requires something more than the ability to remove or block access to materials posted on a service provider's website.”50 The court conceded, however, that dening the “something more” that is required is a “more dicult . . . question ....”51 In remanding the case back to the district court to evalu- ate whether YouTube had had the right and ability to control, the court provided little guidance beyond suggesting that right and ability to control in the context of section 512(c) may involve instances where service providers exert “substantial inuence on the activities of users ....”52 The court cited two cases, however, as potential examples to consider. Judge Cabranes noted that only one court previ- ously had found that a service provider had the right and ability to control infringing activity under section 512(c)(1)(B). In that case, Perfect 10, Inc. v. Cybernet Ventures, Inc.,53 Judge Cabranes explained that the court had found control “where the service provider instituted a monitoring program by which user websites received ‘detailed instructions regard[ing] issues of layout, appear- ance, and content’ and the service provider had forbidden “certain types of content and refused access to users who failed to comply with its instructions.”54 More specically, in Cybernet, the defendant, an adult verication service, not only dictated detailed instructions on acceptable layout, ap-

Cir. 2012), quoting UMG Recordings, Inc. v. Shelter Capital Partners LLC, 667 F.3d 1022, 1045 (9th Cir. 2011), opinion withdrawn and replaced, 718 F.3d 1006, 1029 (9th Cir. 2013) (restating the same proposition). 50 Viacom Int'l, Inc. v. YouTube, Inc., 676 F.3d 19, 38 (2d Cir. 2012)., quoting Capitol Records, Inc. v. MP3Tunes, LLC, 821 F. Supp. 2d 627, 645 (S.D.N.Y. 2011). 51 Viacom Int'l, Inc. v. YouTube, Inc., 676 F.3d 19, 38 (2d Cir. 2012). 52 Viacom Int'l, Inc. v. YouTube, Inc., 676 F.3d 19, 38 (2d Cir. 2012). As discussed later in this section, the district court, on remand, granted summary judgment for YouTube, holding that YouTube did not exert substantial inuence over its users during the time period at issue in the lawsuit. See Viacom Int'l, Inc. v. YouTube, Inc., 940 F. Supp. 2d 110, 117-22 (S.D.N.Y. 2013). 53 Perfect 10, Inc. v. Cybernet Ventures, Inc., 213 F. Supp. 2d 1146 (C.D. Cal. 2002). 54 Viacom Int'l, Inc. v. YouTube, Inc., 676 F.3d 19, 38 (2d Cir. 2012), quoting Perfect 10, Inc. v. Cybernet Ventures, Inc., 213 F. Supp. 2d 1146, 1173 (C.D. Cal. 2002).

Pub. 12/2015 4-565 4.12[6][D] E-Commerce and Internet Law pearance and content, but also refused to allow sites to use its verication services unless they complied with its dictates and it monitored those sites to ensure that celebrity images did not “oversaturate the content found within the sites that make up Adult Check.”55 Judge Cabranes also suggested in dicta that copyright inducement under MGM Studios, Inc. v. Grokster, Ltd.,56 where liability is premised on ‘‘ ‘purposeful, culpable expres- sion and conduct,’ . . . might also rise to the level of control under § 512(c)(1)(B).”57 Both of these opinions—one where a provider sought to af- rmatively control content, the other where defendants were found liable for inducing infringement—involved cases, ac- cording to Judge Cabranes, of “a service provider exerting substantial inuence on the activities of users, without nec- essarily—or even frequently—acquiring knowledge of specic infringing activity.”58 Where inducement is shown, a service provider in any case likely would be ineligible for the DMCA safe harbor based on willful blindness amounting to red ag awareness.59 Viewed in context, substantial inuence should be under- stood to mean inuence that encourages infringement given that the Second Circuit construed right and ability to control to not be coextensive with the common law standard for prov- ing vicarious liability. Although the court's analysis of Cyber- net could be read to suggest that service providers that proactively monitor their sites or services to deter infringe- ment could lose DMCA protection for their eorts to deter infringement, this would seem to run counter to the purpose of the DMCA. The House Report accompanying the DMCA makes clear that the “legislation [wa]s not intended to

55 Perfect 10, Inc. v. Cybernet Ventures, Inc., 213 F. Supp. 2d 1146, 1173 (C.D. Cal. 2002). 56 MGM Studios Inc. v. Grokster, Ltd., 545 U.S. 913 (2005). 57 Viacom Int'l, Inc. v. YouTube, Inc., 676 F.3d 19, 38 (2d Cir. 2012), quoting MGM Studios Inc. v. Grokster, Ltd., 545 U.S. 913, 937 (2005). 58 Viacom Int'l, Inc. v. YouTube, Inc., 676 F.3d 19, 38 (2d Cir. 2012). 59 See Columbia Pictures Industries, Inc. v. Fung, 710 F.3d 1020, 1043 (9th Cir. 2013) (explaining that “inducing actions”—or measures deemed to induce copyright infringement—were relevant to the court's determination that the defendant had red flag awareness); supra § 4.12[6][C] (analyzing knowledge, awareness and the failure to take corrective measures).

discourage the service provider from monitoring its service for infringing material. Courts should not conclude that the service provider loses eligibility for limitations on liability . . . solely because it engaged in a monitoring program.”60 Thus, the court's reference to the exertion of substantial influence should be understood to mean that a service provider could lose safe harbor protection for “exerting substantial influence on the activities of users”61 in ways that encourage infringement. This conclusion is buttressed by a review of district court cases (from the Second and Ninth Circuit) that the court cited approvingly in support of its holding that “something more” was required to show right and ability to control than merely the ability to remove or block access to infringing material.62 The Second Circuit's holding on this point was quoted from Southern District of New York Judge William H. Pauley III's opinion in Capitol Records, Inc. v. MP3Tunes, LLC,63 which in turn cited Io Group, Inc. v. Veoh Networks, Inc.64 for the proposition that “the pertinent inquiry is not whether [the service provider] has the right and ability to control its system, but rather, whether it has the right and ability to control the infringing activity.”65

60 H.R. Conf. Rep. No. 796, 105th Cong., 2d Sess. 73 (1998), reprinted in 1998 U.S.C.C.A.N. 639, 649. 61 Viacom Int'l, Inc. v. YouTube, Inc., 676 F.3d 19, 38 (2d Cir. 2012). 62 See Viacom Int'l, Inc. v. YouTube, Inc., 676 F.3d 19, 38 (2d Cir. 2012), citing Capitol Records, Inc. v. MP3Tunes, LLC, 821 F. Supp. 2d 627, 645 (S.D.N.Y. 2011); Wolk v. Kodak Imaging Network, Inc., 840 F. Supp. 2d 733, 757–58 (S.D.N.Y. 2012), aff’d mem., 569 F. App’x 51 (2d Cir. 2014); UMG Recordings, Inc. v. Veoh Networks Inc., 665 F. Supp. 2d 1099, 1114–15 (C.D. Cal. 2009), aff'd sub nom. UMG Recordings, Inc. v. Shelter Capital Partners LLC, 718 F.3d 1006, 1030 (9th Cir. 2013); Io Group, Inc. v. Veoh Networks, Inc., 586 F. Supp. 2d 1132, 1151 (N.D. Cal. 2008); and Corbis Corp. v. Amazon.com, Inc., 351 F. Supp. 2d 1090, 1110 (W.D. Wash. 2004). 63 Capitol Records, Inc. v. MP3Tunes, LLC, 821 F. Supp. 2d 627, 645 (S.D.N.Y. 2011), reconsideration granted on other grounds, 2013 WL 1987225 (S.D.N.Y. May 14, 2013). 64 Io Group, Inc. v. Veoh Networks, Inc., 586 F. Supp. 2d 1132 (N.D. Cal. 2008). 65 Capitol Records, Inc. v. MP3Tunes, LLC, 821 F. Supp. 2d 627, 645 (S.D.N.Y. 2011), quoting Io Group, Inc. v. Veoh Networks, Inc., 586 F. Supp. 2d 1132, 1151 (N.D. Cal. 2008) (emphasis in original).


In Capitol Records, Inc. v. MP3Tunes, LLC,66 the court found that a service provider did not have the right and ability to control simply because it could monitor and remove infringing songs downloaded by users. Judge Pauley emphasized that MP3tunes users alone chose the websites they linked to using the defendant's service and the songs they downloaded and stored in their lockers, without involvement by the service provider, MP3tunes. He explained that: At worst, MP3tunes set up a fully automated system where users can choose to download infringing content. Io Grp., 586 F. Supp. 2d at 1147 (granting safe harbor protection to a website that automatically created content from user submissions of unauthorized copyrighted work). If enabling a party to download infringing material was sufficient to create liability, then even search engines like Google or Yahoo! would be without DMCA protection. In that case, the DMCA's purpose—innovation and growth of internet services—would be undermined. See CoStar Grp., 164 F. Supp. 2d at 704, n.9 (if the “standard could be met merely by the ability to remove or block access to materials[, it] would render the DMCA internally inconsistent”). Accordingly, this Court finds that there is no genuine dispute that MP3tunes neither received a direct financial benefit nor controlled the infringing activity.67 In Wolk v. Kodak Imaging Network, Inc.,68 which also was cited with approval by the Second Circuit in Viacom v. YouTube, Southern District of New York Judge Robert W. Sweet held that Photobucket did not have the right and ability to control the infringing activity of its users. In support of his finding, Judge Sweet cited Corbis Corp. v. Amazon.com, Inc.69 (another case cited approvingly in Viacom v. YouTube) for the proposition that the right and ability to control infringing activity “must take the form of prescreening

66 Capitol Records, Inc. v. MP3Tunes, LLC, 821 F. Supp. 2d 627 (S.D.N.Y. 2011), reconsideration granted in part, 2013 WL 1987225 (S.D.N.Y. May 14, 2013). 67 Capitol Records, Inc. v. MP3Tunes, LLC, 821 F. Supp. 2d 627, 645–46 (S.D.N.Y. 2011). In ruling on defendants' motion for reconsideration, Judge Pauley, in evaluating plaintiff's claim for common law vicarious liability, emphasized that “the ‘direct financial benefit’ prong of the common law vicarious liability standard is construed more broadly than it is under the DMCA ....” Capitol Records, Inc. v. MP3Tunes, LLC, No. 07 Civ. 9931 (WHP), 2013 WL 1987225, at *10 (S.D.N.Y. May 14, 2013). 68 Wolk v. Kodak Imaging Network, Inc., 840 F. Supp. 2d 733 (S.D.N.Y. 2012), aff’d mem., 569 F. App’x 51 (2d Cir. 2014). 69 Corbis Corp. v. Amazon.com, Inc., 351 F. Supp. 2d 1090 (W.D. Wash. 2004).

content, rendering extensive advice to users regarding content and editing user content.”70 He added, however, that “considering that millions of images are uploaded daily [to Photobucket], it is unlikely that this kind of prescreening is even feasible.”71 Thus, while the Second Circuit test leaves for future courts to decide what conduct by a service provider in fact may amount to right and ability to control, rather than establishing a clearer, bright line test, the bar it sets is high and plainly should be focused on right and ability to control infringing activity as evidenced by a service provider's “exerting substantial influence on the activities of users ....”72 In response to the Second Circuit's criticism, the Ninth Circuit, on motion for reconsideration, withdrew its opinion in Shelter Partners in March 2013 and replaced it with a new one that abandoned its conclusion that a service provider must have knowledge of infringing files or activity in order to have the right and ability to control.73 Instead, the Ninth Circuit adopted the Second Circuit's holding that right and ability to control may be shown by “something more” than the ability to remove or block access to materials posted on a service provider's website,74 thus eliminating a potential circuit split that could have justified U.S. Supreme Court review. That “something more” is understood in the Second and Ninth Circuits to involve exerting “substantial influence” on the activities of users, which may include high

70 Wolk v. Kodak Imaging Network, Inc., 840 F. Supp. 2d 733, 748 (S.D.N.Y. 2012) (citing Corbis Corp. v. Amazon.com, Inc., 351 F. Supp. 2d 1090, 1110 (W.D. Wash. 2004)), aff’d mem., 569 F. App’x 51 (2d Cir. 2014). 71 Wolk v. Kodak Imaging Network, Inc., 840 F. Supp. 2d 733, 748 (S.D.N.Y. 2012) (citing Io Group, Inc. v. Veoh Networks, Inc., 586 F. Supp. 2d 1132, 1153 (N.D. Cal. 2008) (writing that where “hundreds of thousands of video files” had been uploaded to a website, “no reasonable juror could conclude that a comprehensive review of every file would be feasible.”)), aff’d mem., 569 F. App’x 51 (2d Cir. 2014). 72 Viacom Int'l, Inc. v. YouTube, Inc., 676 F.3d 19, 38 (2d Cir. 2012). 73 UMG Recordings, Inc. v. Shelter Capital Partners LLC, 718 F.3d 1006, 1026–31 (9th Cir. 2013). 74 See Viacom Int'l, Inc. v. YouTube, Inc., 676 F.3d 19, 38 (2d Cir. 2012), quoting Capitol Records, Inc. v. MP3Tunes, LLC, 821 F. Supp. 2d 627, 645 (S.D.N.Y. 2011); UMG Recordings, Inc. v. Shelter Capital Partners LLC, 718 F.3d 1006, 1029–30 (9th Cir. 2013).

levels of control over user activities or purposeful conduct.75 In Shelter Partners, the lower court had found that the allegedly infringing material resided on Veoh's system, Veoh had the ability to remove the material, Veoh could have searched for potentially infringing content and Veoh could have implemented and did implement filtering to deter infringing user uploads. The Ninth Circuit panel concluded that this was not enough to show right and ability to control under the DMCA, writing that “Veoh's interactions with and conduct towards its users” did not rise to the level of substantial influence based on high levels of control over user activities, as in Cybernet, or purposeful conduct, as in Grokster.76 Accordingly, the panel again affirmed the entry of summary judgment for Veoh, albeit under a different standard for evaluating right and ability to control. Likewise, on remand, in Viacom v. YouTube, the district court again granted summary judgment for YouTube, finding that YouTube did not exert substantial influence over the activities of its users during the time preceding its acquisition by Google.77 Summarizing case law, the district court emphasized that “knowledge of the prevalence of infringing activity, and welcoming it, does not itself forfeit the safe harbor. To forfeit that, the provider must influence or participate in the infringement.”78 On remand, Viacom had argued that the “something more” was shown by YouTube's editorial decisions to remove some but not all infringing material, by its efforts to facilitate video searches on its site but restrict access to certain proprietary search tools and by enforcement of rules prohibiting pornographic content. Judge Stanton, however, concluded that these decisions merely placed much of the burden on Viacom and other copyright owners to search YouTube for

75 See Viacom Int'l, Inc. v. YouTube, Inc., 676 F.3d 19, 38 (2d Cir. 2012); UMG Recordings, Inc. v. Shelter Capital Partners LLC, 718 F.3d 1006, 1030 (9th Cir. 2013). Although the Ninth Circuit referenced personal conduct, it might have been more appropriate to articulate the standard in terms of personal misconduct. 76 UMG Recordings, Inc. v. Shelter Capital Partners LLC, 718 F.3d 1006, 1030–31 (9th Cir. 2013). 77 Viacom Int'l, Inc. v. YouTube, Inc., 940 F. Supp. 2d 110, 117-22 (S.D.N.Y. 2013). Viacom did not challenge YouTube's conduct subsequent to its acquisition by Google. 78 Viacom Int'l, Inc. v. YouTube, Inc., 940 F. Supp. 2d 110, 118 (S.D.N.Y. 2013).

infringing clips, which “is where it lies under the safe harbor ....”79 The court likewise found that YouTube's decisions to restrict its monitoring efforts to certain groups of infringing clips and to restrict access to its proprietary search mechanisms did “not exclude it from the safe harbor, regardless of their motivation.”80 Moreover, the only evidence that YouTube may have steered viewers toward infringing videos involved a show, “Lil Bush,” whose creators themselves had made the clip available on YouTube. In summary, the court explained that: [D]uring the period relevant to this litigation, the record establishes that YouTube influenced its users by exercising its right not to monitor its service for infringements, by enforcing basic rules regarding content (such as limitations on violent, sexual or hate material), by facilitating access to all user-stored material regardless (and without actual or constructive knowledge) of whether it was infringing, and by monitoring its site for some infringing material and assisting some content owners in their efforts to do the same. There is no evidence that YouTube induced its users to submit infringing videos, provided users with detailed instructions about what content to upload or edited their content, prescreened submissions for quality, steered users to infringing videos, or otherwise interacted with infringing users to a point where it might be said to have participated in their infringing activity.81 In Capitol Records, LLC v. Vimeo, LLC,82 the court similarly found that a service provider did not have the right and ability to control within the meaning of the DMCA where it did not exert substantial influence on user activity or substantial influence through inducement of infringement.
In Vimeo, evidence was presented that Vimeo used a form of monitoring program—which the court characterized as consisting “of the Community Team's removal of certain content from the Website with the assistance of Moderator Tools, its discretion to manipulate video visibility and its intermittent communication with users—[which] lacks the

79 Viacom Int'l, Inc. v. YouTube, Inc., 940 F. Supp. 2d 110, 120 (S.D.N.Y. 2013). 80 Viacom Int'l, Inc. v. YouTube, Inc., 940 F. Supp. 2d 110, 120 (S.D.N.Y. 2013). 81 Viacom Int'l, Inc. v. YouTube, Inc., 940 F. Supp. 2d 110, 121 (S.D.N.Y. 2013). 82 Capitol Records, LLC v. Vimeo, LLC, 972 F. Supp. 2d 500, 526-27 (S.D.N.Y. 2013).


‘something more’ that Viacom demands.”83 The Vimeo court contrasted these features with Cybernet, where the service provider dictated the “layout, appearance, and content” of participating sites and refused “to allow sites to use its system until they compl[ied] with [those] dictates.”84 Vimeo, the court emphasized, left editorial decisions to its users and used monitoring to filter out content that was not original to users.85 The Vimeo court also rejected the argument that because Vimeo employees had discretion on how they interacted with content on the site they exerted substantial influence over user activity, writing that “it is difficult to imagine how Vimeo's staff of seventy-four (as of 2012) could, through its discretionary and sporadic interactions with videos on the Website, exert substantial influence on approximately 12.3 million registered users uploading 43,000 new videos each day.”86 Among other things, the court noted that the “likes” of current Vimeo employees constituted approximately 0.2% of all “likes” on the website and the comments left by current Vimeo employees constituted 1.6% of all comments.87 The court also noted that the Staff Picks channel, which contained videos selected by Vimeo employees, represented only one of approximately 354,000 channels on the website as of November 2012.88 The court further rejected evidence that some employees responded to user questions by ignoring or turning a blind eye to infringement, as evidencing a right and ability to control. Judge Abrams wrote that he was “troubled” by these communications, but characterized them as “scattered examples” that did “not demonstrate a substantial influence

83 Capitol Records, LLC v. Vimeo, LLC, 972 F. Supp. 2d 500, 529 (S.D.N.Y. 2013). 84 Capitol Records, LLC v. Vimeo, LLC, 972 F. Supp. 2d 500, 529 (S.D.N.Y. 2013), quoting Perfect 10, Inc. v. Cybernet Ventures, Inc., 213 F. Supp. 2d 1146, 1173 (C.D. Cal. 2002). 85 Capitol Records, LLC v. Vimeo, LLC, 972 F. Supp. 2d 500, 529 (S.D.N.Y. 2013). 86 Capitol Records, LLC v. Vimeo, LLC, 972 F. Supp. 2d 500, 530 (S.D.N.Y. 2013). 87 Capitol Records, LLC v. Vimeo, LLC, 972 F. Supp. 2d 500, 530 (S.D.N.Y. 2013). 88 Capitol Records, LLC v. Vimeo, LLC, 972 F. Supp. 2d 500, 530 (S.D.N.Y. 2013).

over users' activities.”89 The Vimeo court likewise ruled that Vimeo had not exercised substantial influence through inducement of infringement.90 Unlike the defendants in either Grokster or Columbia Pictures Industries, Inc. v. Fung,91 where the defendants “provided an expansive platform for wholesale infringement,” Vimeo, the court explained, presented “circumstances dramatically different in kind and smaller in scale and scope.”92 In Vimeo, plaintiffs had argued that Vimeo induced infringement “by example” by making videos that incorporated infringing content. Specifically, the plaintiffs pointed to: (1) ten of the videos at issue that had been uploaded by Vimeo employees; (2) other videos not at issue in the suit which had also been uploaded by employees and included unauthorized music; (3) one video containing unauthorized music that had been created by the “Vimeo Street Team” (a group of employees who created videos and engaged with the Vimeo community); (4) videos created as part of a project to accompany every song on a Beatles album, which included contributions from Vimeo employees (in some cases prior to their being hired by Vimeo); (5) a Vimeo tutorial video made available via link from a page containing a video that incorporated the Beatles' copyrighted sound recording “Helter Skelter”; and (6) “lip dub” videos featuring Vimeo's co-founder and other employees lip-syncing to commercial sound recordings.93 The court explained that this evidence “simply does not rise to the level of that adduced in Grokster—either in quantity or in kind.”94 The court acknowledged that some of the videos created by Vimeo employees such as the co-founder's lip dub “incorporated infringing music, and users' submissions may have often incorporated

89 Capitol Records, LLC v. Vimeo, LLC, 972 F. Supp. 2d 500, 530 (S.D.N.Y. 2013). 90 Capitol Records, LLC v. Vimeo, LLC, 972 F. Supp. 2d 500, 530–35 (S.D.N.Y. 2013). 91 Columbia Pictures Industries, Inc. v. Fung, 710 F.3d 1020 (9th Cir. 2013). 92 Capitol Records, LLC v. Vimeo, LLC, 972 F. Supp. 2d 500, 535 (S.D.N.Y. 2013). 93 Capitol Records, LLC v. Vimeo, LLC, 972 F. Supp. 2d 500, 531-32 (S.D.N.Y. 2013). 94 Capitol Records, LLC v. Vimeo, LLC, 972 F. Supp. 2d 500, 532 (S.D.N.Y. 2013).

the same. But the relevant standard at issue here—inducement by way of the exertion of substantial influence on the activities of users—cannot be met by evidence of stray instances of wrongful conduct by Vimeo employees . . . and/or a generalized effort to promote videos that incorporate music.”95 The court similarly rejected the argument that Vimeo employee communications with, and provision of technical assistance to, Vimeo users, constituted inducement. While the court conceded that instructing users how to engage in an infringing use could amount to the kind of active step taken to encourage direct infringement that was found actionable in Grokster, it characterized the emails identified by plaintiffs as merely “[o]ffering technical support as to the ordinary use of a service” which the court explained is not inducement.96 Similarly, it wrote that “a handful of . . . examples of Vimeo employees responding to user requests about copyrighted music with statements that indicate tacit, or at times explicit, acceptance of infringing uploads” that “may have induced a particular user to infringe” did not rise to the level of inducement by way of exertion of substantial influence on users' activities.97 That standard, the court wrote, “is not met by the limited anecdotal evidence Plaintiffs have provided. To establish the right and ability to control, there must be a showing that the service provider's substantial influence over users' activities was significantly more widespread and comprehensive.”98 The court likewise rejected the argument that structural aspects of the website, such as its privacy settings, evidenced inducement, where there was nothing in the record to suggest these features were implemented to enable users to upload infringing material and then restrict copyright holders' access to it.99 Judge Abrams also rejected the argument that Vimeo's

95 Capitol Records, LLC v. Vimeo, LLC, 972 F. Supp. 2d 500, 533 (S.D.N.Y. 2013). 96 Capitol Records, LLC v. Vimeo, LLC, 972 F. Supp. 2d 500, 534 (S.D.N.Y. 2013). 97 Capitol Records, LLC v. Vimeo, LLC, 972 F. Supp. 2d 500, 534 (S.D.N.Y. 2013). 98 Capitol Records, LLC v. Vimeo, LLC, 972 F. Supp. 2d 500, 534 (S.D.N.Y. 2013). 99 Capitol Records, LLC v. Vimeo, LLC, 972 F. Supp. 2d 500, 534

failure to implement filtering technologies that could be used to locate infringing content amounted to inducement, writing that “just because Vimeo can exercise control does not mean that it must. A holding to the contrary would conflict with the express language of § 512(m), which makes clear that service providers may not lose safe harbor protection for failure to monitor or affirmatively seek out infringement.”100 The court further rejected evidence of internal discussions about the lawsuit or the allegation that Vimeo sought to promote its site's permissive policy towards infringement of music, which was based largely on the fact that Vimeo, unlike other sites, had not implemented filtering technology.101 In Rosen v. eBay, Inc.,102 Judge Michael Fitzgerald of the Central District of California rejected the plaintiff's argument that eBay had the right and ability to control within the meaning of the DMCA because it required users to post pictures of items offered for sale on eBay and required that pictures conform to set size and quality requirements.103 In so ruling, the court emphasized that “eBay does not direct users what to list, does not come into contact with the items being posted, and beyond the basic content requirements, including the photograph requirement, has no control over what its users list until the listing is complete.”104 In contrast to the legitimate service providers at issue in Viacom v. YouTube, Shelter Partners and Rosen v. eBay and the more limited evidence presented in Vimeo, the Ninth Circuit panel in Columbia Pictures Industries, Inc. v. Fung,105 an inducement case, had little difficulty finding that the defendants, the operators of various BitTorrent tracker sites who the court found liable for inducement, were ineligible

(S.D.N.Y. 2013). 100 Capitol Records, LLC v. Vimeo, LLC, 972 F. Supp. 2d 500, 534 (S.D.N.Y. 2013). 101 Capitol Records, LLC v. Vimeo, LLC, 972 F. Supp. 2d 500, 534-35 (S.D.N.Y. 2013). 102 Rosen v. eBay, Inc., No. CV-13-6801 MWF (Ex), 2015 WL 1600081 (C.D. Cal. Jan. 16, 2015). 103 See Rosen v. eBay, Inc., No. CV-13-6801 MWF (Ex), 2015 WL 1600081, at *13 (C.D. Cal. Jan. 16, 2015). 104 Rosen v. eBay, Inc., No. CV-13-6801 MWF (Ex), 2015 WL 1600081, at *13 (C.D. Cal. Jan. 16, 2015). 105 Columbia Pictures Industries, Inc. v. Fung, 710 F.3d 1020 (9th Cir. 2013).

Pub. 12/2015 4-575 4.12[6][D] E-Commerce and Internet Law for the user storage safe harbor because they had the right and ability to control infringing activity. Applying the test adopted in Viacom v. YouTube and in the Ninth Circuit in Shelter Partners, the panel explained that while Fung's inducement activities did not “categorically remove him from protection under § 512(c), they demonstrate[d] the substan- tial inuence Fung exerted over his users' infringing activi- ties ....”106 In Fung, the panel held that where a service provider fails to satisfy the right and ability to control/ nancial benet prong set forth in section 512(c)(1)(B), “the service provider loses protection with regard to any infring- ing activity using the service.”107 Neither the Second Circuit in Viacom v. YouTube nor the Ninth Circuit in UMG v. Shelter Capital Partners addressed the nancial interest prong of section 512(c)(1) and whether it should likewise be construed as imposing a tougher stan- dard for proving vicarious liability. In CCBill, an earlier Ninth Circuit panel held that the nancial interest prong should be construed coextensively with the common law standard, rather than more narrowly.108

106 Columbia Pictures Industries, Inc. v. Fung, 710 F.3d 1020, 1046 (9th Cir. 2013). The panel explained: Fung unquestionably had the ability to locate infringing material and terminate users' access. In addition to being able to locate material identied in valid DMCA notices, Fung organized torrent les on his sites using a program that matches le names and content with specic search terms describing material likely to be infringing, such as “screener” or “PPV.” And when users could not nd certain material likely to be infringing on his sites, Fung personally as- sisted them in locating the les. Fung also personally removed “fake[ ], infected, or otherwise bad or abusive torrents” in order to “protect[ ] the integ- rity of [his websites'] search index[es].” Crucially, Fung's ability to control infringing activity on his websites went well beyond merely locating and terminating users' access to infringing material. As noted, there is overwhelm- ing evidence that Fung engaged in culpable, inducing activity like that in Grokster.... Id. For convenience, the Ninth Circuit referred to the defendants collec- tively as “Fung.” 107 Columbia Pictures Industries, Inc. v. Fung, 710 F.3d 1020, 1046 (9th Cir. 2013). The panel explained that “[t]he term ‘right and ability to control such activity’ so reects, as it emphasizes a general, structural re- lationship and speaks of ‘such activity,’ not any particular activity.” Id. 108 See Perfect 10, Inc. v. CCBill LLC, 488 F.3d 1102, 1117 (9th Cir.) (“Based on the ‘well-established rule of construction that where Congress uses terms that have accumulated settled meaning under common law, a court must infer, unless the statute otherwise dictates, that Congress means to incorporate the established meaning of those terms,’ ’’ . . . we hold that ‘direct nancial benet’ should be interpreted consistent with

4-576 Copyright Protection in Cyberspace 4.12[6][D]

Some courts and commentators previously had concluded that section 512(c)(1)(B) merely codified the elements of a claim for vicarious liability as part of the user storage limitation, meaning that the DMCA safe harbor for user storage would not apply to claims of vicarious infringement.109 A coextensive reading of right and ability to control, which has now been clearly rejected by the Second, Fourth and Ninth Circuits,110 would have rendered superfluous the requirements that a service provider disable access to or remove material where it has red flag awareness111 or reasonably implement a repeat infringer policy112 in vicarious infringement cases, since service providers are not otherwise required to do either of these things to avoid common law vicarious liability.113 Presumably, Congress would not have imposed additional requirements on service providers to qualify for a safe harbor if the safe harbor provided no further protection than what existed under common law standards. Construing the DMCA as merely codifying the common law standard for vicarious liability also would appear to conflict with the explanation in the legislative history that “the limitations of liability apply if the provider is found to be liable under existing principles of law.”114 Congress intended to create a safe harbor applicable if liability otherwise would be imposed, and gave service providers an incentive to comply with provisions governing notifications, red flag awareness and adoption and reasonable implementation of a repeat infringer policy that otherwise were not expressly required to avoid liability for secondary copyright infringement.

A narrow reading of the element of “control” is also suggested by reference in the legislative history on content monitoring. The House Report states that the Act was “not intended to discourage the service provider from monitoring its service for infringing material.”115 It further directs that “[c]ourts should not conclude that the service provider loses eligibility for limitations on liability under section 512 solely because it engaged in a monitoring program.”116 Thus, it may be inferred that a service provider may not be found to have “the . . . ability to control . . .” an act of infringement merely because it monitors content online.

A narrow reading of what constitutes a directly attributable financial interest is also suggested by the House Report accompanying an earlier version of section 512(c)(1)(B),117 which explained that:

the similarly worded common law standard for vicarious liability.”; citations omitted), cert. denied, 522 U.S. 1062 (2007). In UMG Recordings, Inc. v. Veoh Networks Inc., 665 F. Supp. 2d 1099 (C.D. Cal. 2009), aff'd sub nom. UMG Recordings, Inc. v. Shelter Capital Partners LLC, 718 F.3d 1006 (9th Cir. 2013), the court held that the phrase direct financial benefit should be construed consistently with the common law standard, but right and ability to control should be construed more narrowly to avoid a “catch 22” whereby the only entities that would benefit from the DMCA would be sites that host user content, which by definition could be deemed ineligible under the common law standard for right and ability to control. On appeal, the Ninth Circuit agreed that the right and ability to control under the DMCA requires a higher showing than what is required to establish common law vicarious liability but did not address how to construe direct financial benefit. See UMG Recordings, Inc. v. Shelter Capital Partners LLC, 718 F.3d 1006, 1026 n.16 (9th Cir. 2013).

109 See CoStar Group Inc. v. LoopNet, Inc., 164 F. Supp. 2d 688, 704 (D. Md. 2001) (citing 3 Melville B. Nimmer and David Nimmer, Nimmer on Copyright § 12B.04[A][2], at 12B-38 (2001)), aff'd on other grounds, 373 F.3d 544 (4th Cir. 2004); Ellison v. Robertson, 189 F. Supp. 2d 1051, 1061 (C.D. Cal. 2002), rev'd in relevant part on other grounds, 357 F.3d 1072 (9th Cir. 2004). In Ellison, the district court explained: The DMCA did not simply rewrite copyright law for the online world. Rather it crafted a number of safe harbors which insulate ISPs from most liability should they be accused of violation traditional copyright law .... [W]hen Congress chooses to utilize exact phrases that have a specialized legal meaning under copyright law (i.e., “the right and ability to control infringing activity”), and gives those phrases a certain meaning in one context (i.e., under the DMCA, the ability to delete or block access to infringing materials after the infringement has occurred is not enough to constitute “the right and ability to control”), Congress's choice provides at least persuasive support in favor of giving that phrase a similar meaning when used elsewhere in copyright law. 189 F. Supp. 2d at 1061 (footnotes omitted).

110 See Viacom Int'l, Inc. v. YouTube, Inc., 676 F.3d 19, 37–38 (2d Cir. 2012); CoStar Group, Inc. v. LoopNet, Inc., 373 F.3d 544, 555 (4th Cir. 2004); UMG Recordings, Inc. v. Shelter Capital Partners LLC, 718 F.3d 1006, 1026–31 (9th Cir. 2013); supra § 4.12[6][D].

111 17 U.S.C.A. § 512(c)(1)(A); see generally supra § 4.12[6][C].

Pub. 12/2015 4-577 4.12[6][D] E-Commerce and Internet Law

112 17 U.S.C.A. § 512(i); see generally supra § 4.12[3][B].

113 See supra § 4.11[4].

114 H. Rep. No. 105-796, 105th Cong. 2d Sess. 1, 73 (1998) (emphasis added).

115 H. Rep. No. 105-796, 105th Cong. 2d Sess. 1, 72 (1998).

116 H. Rep. No. 105-796, 105th Cong. 2d Sess. 1, 72 (1998).

117 Section 512(c)(1)(B) provides that a service provider “does not receive a financial benefit directly attributable to the infringing activity,

In determining whether the financial benefit criterion is satisfied, courts should take a common-sense, fact-based approach, not a formalistic one. In general, a service provider conducting a legitimate business would not be considered to receive a “financial benefit directly attributable to the infringing activity” where the infringer makes the same kind of payment as noninfringing users of the provider's service. Thus, receiving a one-time set-up fee and flat, periodic payments for service from a person engaging in infringing activities would not constitute receiving a “financial benefit directly attributable to the infringing activity.” Nor is subsection (c)(1)(B) intended to cover fees based on the length of the message (e.g., per number of bytes) or by connect time. It would however, include any such fees where the value of the service lies in providing access to infringing material.118

This is a narrower reading of “financial benefit” than in Fonovisa, Inc. v. Cherry Auction, Inc.,119 for example, where the Ninth Circuit found that a flea market operator had a “direct financial interest” in the infringing activity of some of the vendors at the flea market because it earned admission fees, concession stand sales and parking fees from such vendors, even though these same flat fees were charged to all vendors—not just those who were engaged in infringing activity.120 Whether this in fact was intended to be narrower than the standard applied in common law cases is less clear. The same House Report asserts that Congress was merely “codify[ing] and clarify[ing]” the existing standard for vicarious liability:

The financial benefit standard in subparagraph (B) is intended to codify and clarify the direct financial benefit element of vicarious liability as it has been interpreted in cases such as Marobie-FL, Inc. v. National Association of Fire Equipment Distributors .... As in Marobie, receiving a one-time set-up fee and flat periodic payments for service from a person engaging in infringing activities would not constitute receiving “a financial benefit directly attributable to the infringing activity.” Nor is subparagraph (B) intended to cover fees based on the length of the message (per number of bytes, for example) or by connect time. It would, however, include any such fees where the value of the service lies in providing access to infringing material.121

However, the Marobie122 court, in reaching this conclusion, relied on Religious Technology Center v. Netcom On-Line Communication Services, Inc.,123 which in turn reached this conclusion by following the lower court decision in Fonovisa, Inc. v. Cherry Auction Inc.,124 which was subsequently reversed on this very point by the Ninth Circuit in early 1996. It is apparent from the Committee Report that Congress, writing in 1998, did not realize that Marobie relied on Netcom which relied on another district court opinion that had been reversed on appeal, and that the law at that time in fact was that a one-time set-up fee and flat periodic payments could be sufficient to constitute a direct financial interest, at least in the Ninth Circuit under Fonovisa. Alternatively, the drafters of the Committee Report perhaps appreciated this infirmity which is why they cited Marobie, rather than Netcom itself. In either case, Congress arguably had conflicting goals in mind in providing that section 512(c)(1)(B) was intended to both (a) codify and clarify existing common law; and (b) provide that a flat fee or other payment charged without regard to whether a customer is an infringer does not constitute a “direct financial interest.” While it is not entirely clear whether Congress was more concerned with codifying the standard for vicarious liability or clarifying that fixed fee payments would not satisfy the “financial benefit” prong of section 512(c)(1)(B), the specific discussion and reference to Marobie suggest that it was the latter, not the former.

In practice, the law continues to be muddled on what constitutes a direct financial interest. Courts in the Ninth

in a case in which the service provider has the right and ability to control such activity.” The earlier version included this language but used “if the provider” instead of “in a case in which the service provider,” which is not a material difference. The structure of the bill in this earlier version distinguished between direct liability and secondary liability, treating each separately, whereas the version ultimately enacted refers only to copyright infringement.

118 H.R. Conf. Rep. No. 551, 105th Cong., 2d Sess. 54 (1998).

119 Fonovisa, Inc. v. Cherry Auction, Inc., 76 F.3d 259, 262 (9th Cir. 1996).

120 See supra § 4.11[4] (analyzing vicarious liability).

121 H.R. Rep. 105-551, Pt. I, at 25 to 26 (1998).

122 Marobie-FL, Inc. v. National Ass'n of Fire Equipment Distributors, 983 F. Supp. 1167 (N.D. Ill. 1997); see generally supra § 4.11[9][C].

123 Religious Technology Center v. Netcom On-Line Communication Services, Inc., 907 F. Supp. 1361, 1376–77 (N.D. Cal. 1995).

124 Fonovisa, Inc. v. Cherry Auction, Inc., 847 F. Supp. 1492, 1496 (E.D. Cal. 1994), rev'd, 76 F.3d 259, 263 (9th Cir. 1996); see generally supra §§ 4.11[5], 4.11[8][B], 4.11[8][C].

Circuit purport to apply the same standard for “direct financial benefit” under section 512(c)(1)(B) as would apply at common law.125 In fact, the common law standards for “direct financial benefit” in digital copyright cases have evolved in the Ninth Circuit since the time the DMCA was enacted. Fonovisa, decided in 1996, held that a company that charged a flat fee to all vendors nonetheless had a direct financial interest in the activities. In A&M Records, Inc. v. Napster, Inc.,126 the Ninth Circuit appeared to adopt an even more liberal standard, holding that a defendant that charged no money at all nonetheless had a financial interest in the infringing activities of its users where its future revenues were dependent on expanding its user base, and the draw that brought users to the site was the free availability of infringing material.127 That seemingly more liberal common law standard, however, was applied under the DMCA in two subsequent cases to find a financial interest lacking.

In Ellison v. Robertson,128 the Ninth Circuit held that AOL did not have a financial interest in third-party acts of infringement where AOL charged customers a monthly flat fee for access and there was no evidence that AOL attracted or retained subscribers because of the alleged acts of infringement or lost subscriptions because of its eventual obstruction of the infringement.129 Similarly, in Perfect 10, Inc. v.

125 See Perfect 10, Inc. v. CCBill LLC, 488 F.3d 1102 (9th Cir.), cert. denied, 522 U.S. 1062 (2007).

126 A&M Records, Inc. v. Napster, Inc., 239 F.3d 1004 (9th Cir. 2001).

127 See supra § 4.11[5].

128 Ellison v. Robertson, 357 F.3d 1072 (9th Cir. 2004).

129 Ellison v. Robertson, 357 F.3d 1072, 1079 (9th Cir. 2004). The lower court had accepted AOL's argument that with respect to infringing material originally posted on another service and automatically copied to AOL's Usenet servers, AOL did not have a direct financial interest because “AOL did not receive any financial compensation from its peering agreements and participation in Usenet.” In addition, the district court emphasized that Usenet usage constituted a very small percentage of AOL's total member usage (0.25%) and “any ‘draw’ to one particular newsgroup, such as alt.binaries.e-book, [wa]s miniscule and remote, as the pro rata ‘draw’ of any single newsgroup (AOL carries more than 43,000 total) constitute[d] approximately 0.00000596% of AOL's total usage.” Ellison v. Robertson, 189 F. Supp. 2d 1051, 1062 (C.D. Cal. 2002), aff'd in relevant part on other grounds, 357 F.3d 1072 (9th Cir. 2004). The district court also noted that the portion of Usenet usage related to copyright infringement was even smaller, as evidenced by the fact that only 10 of AOL's 20 million users inquired when AOL blocked the relevant newsgroup.

CCBill, LLC,130 the Ninth Circuit held that “the relevant inquiry is ‘whether the infringing activity constitutes a draw for subscribers, not just an added benefit.’ ”131

The same standard was applied in a subsequent Ninth Circuit case in which the court found that Fung, the operator of various BitTorrent tracker sites, and the entities he operated, were ineligible for the user storage safe harbor because they received a financial benefit and had the right and ability to control. In Columbia Pictures Industries, Inc.

Whereas Fonovisa involved “ ‘a symbiotic relationship . . . between the infringing vendors and the landlord’ . . . [b]y contrast, . . . Usenet usage related to copyright infringement constitute[d] a miniscule portion of AOL usage. The financial benefit accruing to AOL from such infringing usage, if any benefit exists at all, is too indirect and constitutes far too small a ‘draw’ to fairly support the imposition of vicarious . . . liability.” 189 F. Supp. 2d at 1063. As with its analysis of the control prong, the district court in Ellison concluded, based on the Senate Report accompanying an earlier version of the statute, that the DMCA provided “persuasive support for interpreting ‘direct financial benefit’ to require something more than the indirect, insignificant benefits that have accrued to AOL, as a result of copyright infringement on its Usenet servers.” Ellison v. Robertson, 189 F. Supp. 2d 1051, 1063 (C.D. Cal. 2002), aff'd in relevant part on other grounds, 357 F.3d 1072 (9th Cir. 2004). But see Arista Records LLC v. Usenet.com, Inc., 633 F. Supp. 2d 124, 157 (S.D.N.Y. 2009) (rejecting the argument that infringing music accounted for less than 1% of the total newsgroups available on defendants' service because “the law is clear that to constitute a direct financial benefit, the ‘draw’ of infringement need not be the primary, or even a significant, draw—rather, it need only be a draw.”), citing Ellison v. Robertson, 357 F.3d 1072, 1079 (9th Cir. 2004) (“The essential aspect of the ‘direct financial benefit’ inquiry is whether there is a causal relationship between the infringing activity and any financial benefit the defendant reaps, regardless of how substantial the benefit in proportion to a defendant's overall profits.”) and Arista Records, Inc. v. Flea World, Inc., No. 03-2670 (JBS), 2006 WL 842883 (D.N.J. Mar. 31, 2006)). Ultimately, the difference between Ellison and Usenet.com—which both involved services that made accessible the Usenet—is that AOL was a legitimate service provider that incidentally provided access to the Usenet, whereas Usenet.com was a service that made an effort to make infringing music files available—and available for longer—on its site. Thus, infringing content was not deemed to be a draw in Ellison, while it was in Usenet.com.

130 Perfect 10, Inc. v. CCBill LLC, 488 F.3d 1102 (9th Cir.), cert. denied, 522 U.S. 1062 (2007).

131 Perfect 10, Inc. v. CCBill LLC, 488 F.3d 1102, 1117–18 (9th Cir.) (quoting Ellison v. Robertson, 357 F.3d 1072, 1079 (9th Cir. 2004)), cert. denied, 522 U.S. 1062 (2007).

v. Fung,132 the court held that the connection between the infringing activity and the defendants' income stream derived from advertising “was sufficiently direct to meet the direct ‘financial benefit’ prong of § 512(c)(1)(B).”133 Applying Ninth Circuit law, the court in Fung explained that:

[I]n the context of service providers who charge for their services, . . . a service provider receives a direct financial benefit from infringing activity where “there is a causal relationship between the infringing activity and any financial benefit a defendant reaps, regardless of how substantial the benefit is in proportion to a defendant's overall profits.” . . . Thus, where a service provider obtains revenue from “subscribers,” the relevant inquiry is “ ‘whether the infringing activity constitutes a draw for subscribers, not just an added benefit.’ ”134

The court found that defendants promoted advertising by pointing to infringing activity; obtained advertising revenue that depended on the number of visitors to his sites; attracted primarily visitors who were seeking to engage in infringing activity, as that is mostly what occurred on his sites; and encouraged that infringing activity. The appellate panel explained, “[g]iven this confluence of circumstances, Fung's revenue stream was tied directly to the infringing activity involving his websites, both as to his ability to attract advertisers and as to the amount of revenue he received.”135

In contrast to the Ninth Circuit, a district court in the

132 Columbia Pictures Industries, Inc. v. Fung, 710 F.3d 1020, 1044–46 (9th Cir. 2013).

133 Columbia Pictures Industries, Inc. v. Fung, 710 F.3d 1020, 1045 (9th Cir. 2013).

134 Columbia Pictures Industries, Inc. v. Fung, 710 F.3d 1020, 1044 (9th Cir. 2013) (citations and footnote omitted).

135 Columbia Pictures Industries, Inc. v. Fung, 710 F.3d 1020, 1045 (9th Cir. 2013). Fung was not a case involving a legitimate service provider. In Fung, the Ninth Circuit affirmed the entry of summary judgment for the plaintiffs on the issue of copyright inducement. See supra § 4.11[6][F] (discussing the Fung court's holding on inducement). In elaborating on the evidence that supported the finding that Fung received a financial benefit, the court wrote: Here, the record shows that Fung generated revenue by selling advertising space on his websites. The advertising revenue depended on the number of users who viewed and then clicked on the advertisements. Fung marketed advertising to one advertiser by pointing to the “TV and movies . . . at the top of the most frequently searched by our viewers,” and provided another with a list of typical user search queries, including popular movies and television shows. In addition, there was a vast amount of infringing material on his websites—whether 90–96% or somewhat less—supporting an inference that

Southern District of New York expressed the view that “it is clear that the ‘direct financial benefit’ prong of the common law vicarious liability standard is construed more broadly than it is under the DMCA ....”136

As with the financial interest prong, common law vicarious liability decisions applying the right and ability to control in digital copyright cases also have evolved since the time the DMCA was enacted (and indeed may have been influenced by DMCA case law). While section 512(c)(1)(B) is arguably intended to be construed narrowly, right and ability to control also has been interpreted more strictly in vicarious liability cases involving service providers, at least in the Ninth Circuit. In Perfect 10, Inc. v. Amazon.com, Inc.137 and Perfect 10, Inc. v. VISA Int'l Service Ass'n,138 for example, Ninth Circuit panels held that the defendants did not have the right and ability to control even though they had contracts with third-party infringing sites for advertisements in Amazon.com and payment processing services in VISA. The courts in those cases distinguished the ability to terminate a contract from the right and ability to control whether infringing material was on the third-party sites they serviced.

Courts in practice have thus far construed “financial interest” and “right and ability to control” narrowly under section 512(c)(1)(B) although in some cases this construction may reflect discomfort with the application of the vicarious liability doctrine to legitimate service providers.139

In reality, as courts blur the lines between DMCA and

Fung's revenue stream is predicated on the broad availability of infringing materials for his users, thereby attracting advertisers. And, as we have seen, Fung actively induced infringing activity on his sites. Id.

136 Capitol Records, Inc. v. MP3Tunes, LLC, No. 07 Civ. 9931 (WHP), 2013 WL 1987225, at *10 (S.D.N.Y. May 14, 2013).

137 Perfect 10, Inc. v. Amazon.com, Inc., 508 F.3d 1146 (9th Cir. 2007).

138 Perfect 10, Inc. v. Visa Int'l Service Ass'n, 494 F.3d 788 (9th Cir. 2007), cert. denied, 553 U.S. 1079 (2008).

139 For example, as previously noted, in CoStar Group Inc. v. LoopNet, Inc., 164 F. Supp. 2d 688, 704 (D. Md. 2001), aff'd on other grounds, 373 F.3d 544 (4th Cir. 2004), the court wrote that section 512(c)(1)(B) codified the vicarious liability standard, but then proceeded to apply it without reference to vicarious liability case law. The court instead relied on Hendrickson v. eBay, Inc., 165 F. Supp. 2d 1082 (C.D. Cal. 2001), a DMCA case, for the proposition that the right and ability to control infringing

common law case law, some courts effectively may apply a lower standard in cases such as Napster that involved massive piracy on a site that plainly had sought to monetize third-party acts of infringement than in cases such as Ellison that involve legitimate commercial services where the only issue is whether the service provider may be held liable for particular acts of user misconduct. The particular test applied in effect may be outcome-determinative.

Whether the standard for financial interest is coextensive with or narrower than the common law test for vicarious liability, case law to date generally provides that the financial interest prong requires a showing that “ ‘the infringing activity constitutes a draw for subscribers, not just an added benefit.’ ”140

activity under the DMCA cannot simply mean the ability of a service provider to remove or block access to materials posted on its website or stored in its system. See also Perfect 10, Inc. v. CCBill, LLC, 340 F. Supp. 2d 1077, 1098 (C.D. Cal. 2004) (following the district court's analysis in CoStar on this point and further holding that where a defendant's right and ability to control infringing activity is limited to disconnecting access to the defendant's service, such control is insufficient under the DMCA to deny a defendant the benefit of the DMCA safe harbor), aff'd in relevant part on different grounds, 488 F.3d 1102, 1117–18 (9th Cir.) (finding no financial interest; holding that “ ‘direct financial benefit’ should be interpreted consistent with the similarly worded common law standard for vicarious copyright liability.”), cert. denied, 522 U.S. 1062 (2007); Corbis Corp. v. Amazon.com, Inc., 351 F. Supp. 2d 1090, 1109–10 (W.D. Wash. 2004) (ruling that Amazon.com satisfied the requirements of section 512(c) because “[o]utside of providing the zShops platform, Amazon did not have the right or ability to control vendor sales. Amazon is never in possession of the products sold by zShops vendors .... Amazon does not preview the products prior to their listing, does not edit the product descriptions, does not suggest prices, or otherwise involve itself in the sale”; “While Amazon does provide transaction processing for credit card purchases, that additional service does not give Amazon control over the sale.”). Hendrickson did not purport to apply vicarious liability case law in reaching this interpretation of section 512(c)(1)(B). By contrast, the Ninth Circuit in A&M Records, Inc. v. Napster, Inc., 239 F.3d 1004 (9th Cir. 2001), a vicarious liability case which the LoopNet court cited earlier in its opinion, held that, for purposes of vicarious liability, the ability of an Internet service provider to block access “for any reason whatsoever is evidence of the right and ability to supervise infringing conduct.” A&M Records, Inc. v. Napster, Inc., 239 F.3d 1004, 1023 (9th Cir. 2001); see generally supra § 4.11[9][F]. The Ninth Circuit also found a reservation of rights in posted terms and conditions to evidence an ability to control user infringement. A&M Records, Inc. v. Napster, Inc., 239 F.3d 1004, 1023 (9th Cir. 2001); see also Perfect 10, Inc. v. CCBill LLC, 488 F.3d 1102, 1117–18 (9th Cir.) (holding that “the relevant inquiry [to establish vicarious liability] is ‘whether the infringing activity constitutes a draw for subscribers, not just an added benefit’ ” but finding no financial interest under the Napster standard in that case), cert. denied, 522 U.S. 1062 (2007). The district court in LoopNet likewise interpreted the financial interest prong narrowly, concluding that the defendant did not have a financial interest in the infringement because users were not charged a fee. See 164 F. Supp. 2d at 704–05. Yet in Napster, the Ninth Circuit rejected this analysis in the context of a vicarious liability claim, ruling that a “[f]inancial benefit exists where the availability of infringing material ‘acts as a draw’ for customers.” A&M Records, Inc. v. Napster, Inc., 239 F.3d 1004, 1023 (9th Cir. 2001); see also Perfect 10, Inc. v. CCBill LLC, 488 F.3d 1102, 1117–18 (9th Cir.) (holding that “the relevant inquiry is ‘whether the infringing activity constitutes a draw for subscribers, not just an added benefit’ ” but finding no financial interest under the Napster standard in that case), cert. denied, 522 U.S. 1062 (2007). The district

court in LoopNet noted in dicta that the financial benefit prong of the DMCA's user storage safe harbor, as set forth in section 512(c)(1)(B), could not be met where a service provider charged the same flat fee to all users. 164 F. Supp. 2d at 704–05 (citing the proposed committee report to an earlier version of the DMCA); see also Wolk v. Kodak Imaging Network, Inc., 840 F. Supp. 2d 733, 748 (S.D.N.Y. 2012) (holding that defendants did not have a financial interest where Kodak charged a flat fee for reprints, regardless of the nature of the reprint, users selected what images to have reprinted, and Photobucket had no knowledge of what images in fact were sent to Kodak), aff'd mem., 569 F. App'x 51 (2d Cir. 2014). Once again, this narrow view is inconsistent with vicarious liability case law on this same point. See, e.g., Fonovisa, Inc. v. Cherry Auction, Inc., 76 F.3d 259, 263 (9th Cir. 1996); see generally supra §§ 4.11[4], 4.11[8][C].

140 Perfect 10, Inc. v. CCBill LLC, 488 F.3d 1102, 1117–18 (9th Cir.), cert. denied, 522 U.S. 1062 (2007); Ellison v. Robertson, 357 F.3d 1072, 1079 (9th Cir. 2004) (quoting legislative history); see also Wolk v. Kodak Imaging Network, Inc., 840 F. Supp. 2d 733, 748 (S.D.N.Y. 2012) (holding that the defendants did not have a financial interest directly attributable to infringing activity within the meaning of section 512(c)(1)(B) because there was no evidence that either Photobucket or the Kodak defendants “capitalizes specifically because a given image a user selects to print is infringing . . . , [t]he Defendants' profits are derived from the service they provide, not a particular infringement . . . [and] Photobucket has no knowledge of which images users may select to send to the Kodak Defendants to be printed, and, as such, Photobucket has no ability to control whether users request that infringing material be printed.”), aff'd mem., 569 F. App'x 51 (2d Cir. 2014).

4.12[7] Information Location Tools

A service provider that otherwise meets the general threshold prerequisites described in section 4.12[3] may limit its liability for infringement for linking or referring users to infringing material or activity by using “information location tools, including a directory, index, reference, pointer, or hypertext link.”1 None of these terms are defined in the Act. Given how quickly technology and business models change in cyberspace, Congress presumably intended the term “information location tools” to be broad enough to encompass future tools which would be akin to “a directory, index, reference, pointer, or hypertext link.” It remains unclear, however, whether framing—which is accomplished by linking—would fall within the scope of this limitation.

To qualify for the information location tools limitation, a service provider must meet three of the requirements of the user storage limitation discussed in section 4.12[6]. Specifically, (1) a service provider must not have actual knowledge or awareness of the infringement or, if it has either, it must promptly remove or disable access to the infringing material; (2) where a service provider has the right and ability to control the infringing activity, it must not “receive a benefit financially directly attributable to the infringing activity”; and (3) the service provider must remove or disable access to infringing material upon receipt of substantially complying notification (as described below in section 4.12[9][B]).2 These requirements are addressed in greater detail in connection with the user storage liability limitation in section 4.12[6].

Through inartful drafting, the statute appears not to compel the designation of an agent. Section 512(d), by its terms, restates the requirements of section 512(c)(1) (notice, knowledge or awareness and financial interest/right and ability to control) and incorporates by reference section 512(c)(3) (elements of a notification) modified expressly to refer to links, rather than user content, but excludes section 512(c)(2) (designation of an agent). Subsection (c)(3), however, provides that “a notification of claimed infringement must be a written communication provided to the designated agent of a service provider . . . ,” and therefore

[Section 4.12[7]]

1 17 U.S.C.A. § 512(d).

2 17 U.S.C.A. § 512(d); see also Columbia Pictures Industries, Inc. v. Fung, 710 F.3d 1020, 1046–47 (9th Cir. 2013) (holding the operator of BitTorrent tracker sites ineligible for the information location tools safe harbor where the defendant was aware of facts and circumstances from which infringing activity was apparent, received a direct financial benefit from infringing activity and had the right and ability to control such activity); see generally supra § 4.12[6] (analyzing these factors).

appears to implicitly compel compliance with subsection (c)(2), governing designation of an agent.3 Alternatively, since subsection 512(c)(2) is not deemed applicable to the information location tools liability limitation of section 512(d), it is possible that the term designated agent for purposes of section 512(d) merely refers to a designated agent to receive notifications, rather than an agent formally designated pursuant to section 512(c)(2) through a notice filed with the U.S. Copyright Office.

While a copyright owner plainly must serve a notification on a service provider to compel it to disable access to or remove a link or other information location tool, and a service provider in turn must respond expeditiously to the notification to benefit from the liability limitation, the provisions governing counter notifications have no applicability to the information location tools safe harbor, even though some courts have erroneously concluded that they are applicable.4 Section 512(g) provides a broad exemption to service providers from liability to “any person for any claim based on the service provider's good faith disabling of access to, or removal of, material or activity claimed to be infringing or based on facts or circumstances from which infringing activity is apparent, regardless of whether the material or activity is ultimately determined to be infringing.” For purposes of the user storage liability limitation only, this exemption does not apply if material is removed in response to a notification if the affected subscriber timely served a counter notification, in which case the service provider must comply with the requirements for counter notifications to enjoy the exemption. The DMCA is unambiguous, however, that this exception only applies for removal for material stored at the direction of a subscriber.5 Service providers are exempt from liability to anyone for any claim based on disabling access to or removing an information location tool and need to comply with procedures for counter notifications.6

The liability limitation for information location tools, by its terms, applies to a directory, index, reference, pointer or

3 See infra § 4.12[9][A]. 4 See Online Policy Group v. Diebold, Inc., 337 F. Supp. 2d 1195 (N.D. Cal. 2004) (dicta); Perfect 10, Inc. v. Cybernet Ventures, Inc., 213 F. Supp. 2d 1146, 1179 (C.D. Cal. 2002). 5 See 17 U.S.C.A. § 512(g)(2). 6 See 17 U.S.C.A. § 512(g)(1); see generally infra § 4.12[9][C].

hypertext link. It is not necessary that a service provider maintain a large number of links or connections to other locations to benefit from this limitation.7 Absent DMCA protection, however, the risk of copyright liability for linking generally is low (and certainly lower than for material stored at the direction of a user).8 Simply because a service provider does not satisfy the limitation created for information location tools does not necessarily mean that it may be held liable for linking. A link does not create a “copy” within the meaning of MAI Systems Corp. v. Peak Computer, Inc.,9 but merely constitutes an instruction to a browser to go to a different location. Hence, in the ordinary case the act of linking does not create a “copy,” although it may facilitate the creation of a “copy” in a user's screen RAM.10 At most, the creation of a link therefore potentially could expose the linking party to liability for inducement, contributory infringement or in limited circumstances (if the linking party derived a financial benefit from the link) vicarious liability.11

7 See Perfect 10, Inc. v. CCBill, LLC, 340 F. Supp. 2d 1077, 1097–98 (C.D. Cal. 2004) (rejecting the argument that because a defendant “merely links to a relatively small universe of websites with whom it has in place contractual relationships and established review procedures, it is not entitled to the protection under § 512(d)”), aff'd in part on other grounds, 488 F.3d 1102 (9th Cir.), cert. denied, 522 U.S. 1062 (2007). 8 See supra § 4.12[6]. 9 MAI Systems Corp. v. Peak Computer, Inc., 991 F.2d 511 (9th Cir. 1993), cert. dismissed, 510 U.S. 1033 (1994). 10 See supra § 4.03. 11 See, e.g., Perfect 10, Inc. v. Amazon.com, Inc., 508 F.3d 1146 (9th Cir. 2007) (discussing in-line linking and potential liability); Intellectual Reserve, Inc. v. Utah Lighthouse Ministry, Inc., 75 F. Supp. 2d 1290 (D. Utah 1999) (finding secondary liability based on active encouragement); Batesville Services, Inc. v. Funeral Depot, Inc., Copy L. Rep. ¶ 28,901 (S.D. Ind. 2004) (holding that links under the unusual facts of the case could provide a basis for secondary liability); Arista Records, Inc. v. MP3Board, Inc., Copy. L. Rep. (CCH) ¶ 28,483 (S.D.N.Y. Aug. 22, 2002) (denying defendant's motion for summary judgment on plaintiffs' claim for copyright infringement because its provision of an “automated system devoted to searching for, aggregating, and organizing links” to infringing works presented a triable issue of fact); supra § 4.10[1] (fair use); infra §§ 9.03 to 9.06 (analyzing linking law). But see Live Nation Motor Sports, Inc. v. Davis, 35 Media L. Rep. (BNA) 1209, 81 U.S.P.Q.2d 1826, 2007 WL 79311 (N.D. Tex. Jan. 9, 2007) (holding that a link to a streamed live webcast constituted a public performance). In contrast to ordinary links, in-line links or frames may create greater risks of liability. See supra § 4.10[1];


4.12[8] Exemption from Liability to Subscribers for Removing or Disabling Access to Material Believed to be Infringing

A service provider that otherwise has met the threshold requirements set forth in section 512(i)1 may be entitled to a broad exemption from liability under any theory of recovery for any good faith act to disable access to or remove material believed to be infringing (even where a formal notification has not been submitted). The Act immunizes service providers from liability to any person for any claim based on the service provider's good faith disabling of access to, or removal of, material or activity claimed to be infringing or based on facts and circumstances from which infringing activity is apparent, regardless of whether the material or activity is ultimately determined to be infringing.2 This provision, by its terms, contemplates actions undertaken by a service provider “based on facts and circumstances from which infringing activity is apparent . . . ,” and is not limited to acts undertaken in response to formal notifications. Thus, service providers may act on their own initiative or in response to customer or other third-party complaints to remove or disable access to content believed to be infringing. Unlike the four liability limitations set forth in subsections (a) through (d), the exemption created by subpart 512(g)(1) provided for removing or disabling access to content applies to “any claim”—not merely to copyright infringement claims. Indeed, the types of claims which conceivably could be brought against a service provider for removing or blocking access would not arise under the Copyright Act. In all likelihood, any cause of action for disabling access to or

infra §§ 9.03, 9.04. An entity creating an in-line link, which reproduces a portion of content from another location, would likely have difficulty qualifying for the liability limitation, which requires an absence of knowledge or awareness. On the other hand, a Web host or other third party potentially could benefit from the limitation if, for example, it merely provided access to a site or service that created the in-line link. [Section 4.12[8]] 1 See supra § 4.12[3]. 2 17 U.S.C.A. § 512(g)(1). Although other provisions limit a service provider's liability, subsection (g)(1) creates a broad exemption (rather than merely a liability limitation) from liability “to any person for any claim.”

removing content would arise under state contract or tort law. In order to be effective (given the type of claims likely to be asserted), the exemption presumably will be construed to preempt state law.3 There is one exception to the broad exemption provided for removing or blocking access to content. If a service provider receives a notification about allegedly infringing material stored at the direction of a subscriber,4 it must comply with the requirements of subparts (c)(3) and (g)(2) governing notifications and counter notifications (which are discussed in sections 4.12[9][B] and 4.12[9][C]) to both limit its liability to the copyright owner for infringement and to its subscriber for removing or disabling access to its content. Specifically, a service provider would have to satisfy the requirements of subpart (c)(3) to limit its potential liability to the copyright owner for infringement and comply with subpart 512(g)(2) to avoid any liability to its subscriber for disabling access to or removing content in response to a notification. Stated differently, if a service provider removes or disables access to content belonging to a subscriber (as opposed to other content) in response to a notification directed at content stored at the direction of a user, the service provider may not benefit from the broad exemption created by subpart 512(g)(1) and instead must comply with the provisions of subpart 512(g)(2) governing counter notifications in order to claim the exemption. Whether content is removed or access blocked pursuant to the requirements for subscriber content under subpart 512(g)(2) or under the broad exemption afforded by subpart 512(g)(1) in other circumstances, the safe havens created by subpart 512(g) apply regardless of whether the removed or disabled material ultimately is found to be infringing.5 The Act therefore encourages service providers to err on the side

3 See, e.g., English v. General Elec. Co., 496 U.S. 72, 79 (1990). 4 A subscriber is not defined under the Act but should be understood as someone who necessarily is also a user (which is also not a defined term). Not all users, however, are necessarily subscribers. Based on the statutory scheme created by Congress, a subscriber is a person whose content has been removed (or access to it disabled) by a service provider in response to a formal notification pursuant to the user storage limitation. A subscriber presumably also has a contractual relationship with the service provider given the use of the word “subscriber,” as opposed to “user.” See infra § 4.12[9]. 5 17 U.S.C.A. § 512(g)(1).

of protecting copyright owners. Although subsection (g) creates incentives for service providers to monitor and block content, they are not required to do so or to seek facts indicating infringing activity, except to the extent consistent with a “standard technical measure.”6 In addition, nothing in the DMCA shall be construed to condition eligibility to the DMCA liability limitations (sections 512(a) through 512(d)) on a service provider gaining access to, removing, or disabling access to material in cases in which such conduct is prohibited by law.7 Depending on the facts of the case, a service provider sued for disabling access to or removing content also may be able to benefit from subpart 2 of the Good Samaritan exemption created by the Telecommunications Act of 1996.8 The Good Samaritan exemption (also referred to as the Communications Decency Act or CDA) provides broad exemptions to an “interactive computer service” (which, as defined, would include a service provider) for content that originates with a third party and for “any action voluntarily taken in good faith to restrict access to or [the] availability of material that the provider or user considers to be obscene, lewd, lascivious, filthy, excessively violent, harassing, or otherwise objectionable.” The Good Samaritan exemption preempts most inconsistent state laws, but not any law pertaining to intellectual property,9 among other things.
Where a service provider removes material on its own initiative, it therefore may be able to rely on the Good Samaritan exemption in defense of any state law claim brought based on the removal of content, to the extent that the service provider acted in good faith, voluntarily, to restrict access to or the availability of material deemed “otherwise objectionable.”10 Where it removes material but fails to comply with the requirements of subpart 512(g)(2) after being served with a notification, however, the service provider may not be able to rely on the CDA to trump the express requirements of a federal statute pertaining to

6 17 U.S.C.A. § 512(m)(1). Standard technical measures are discussed above in § 4.12[3][C]. 7 17 U.S.C.A. § 512(m)(2). 8 See 47 U.S.C.A. § 230(c); see generally infra § 37.05. 9 See infra § 37.05[5]. 10 See 47 U.S.C.A. § 230(c)(2); see generally infra § 37.05.

intellectual property.

4.12[9] Agent Designation, Notification, Counter Notification and Sanctions Under the System Caching, User Storage and Information Location Tools Limitations

4.12[9][A] Designation of an Agent

The caching, user storage, and arguably the information location tools limitations1 compel service providers to designate an agent to receive notifications. For the user storage liability limitation only, an agent also must transmit notifications to subscribers and receive and process counter notifications if a service provider seeks to benefit from the exemption from any liability which otherwise could be imposed for removing or disabling access to subscriber content set forth in subpart 512(g)(2).2 The exemption

[Section 4.12[9][A]] 1 Whether a DMCA agent (as opposed to merely a designated agent to receive notifications) is required under the information location tools safe harbor is addressed in section 4.12[7]. 2 The requirement for designating an agent to receive notifications is set forth in subsection 512(c), which addresses information residing on systems or networks at the direction of a user. Subpart (2) of that subsection requires designation of an agent, while subpart (3) sets forth the information that must be included in a notification. To benefit from the information location tools limitation created by subsection 512(d), subpart (d)(3) compels a service provider to respond to notifications as described in subpart (c)(3). Although subsection (d) expressly incorporates by reference only subpart (3) of subsection (c) (which describes the procedures for notifications), subpart (c)(3) itself incorporates by reference subpart (c)(2) (compelling designation of an agent) by providing that “[t]o be effective . . . , a notification of claimed infringement must be a written communication provided to the designated agent of a service provider.” 17 U.S.C.A. § 512(c)(3)(A). Thus, although hardly a model of clarity, the information location tools limitation appears to compel a service provider to designate an agent to receive notifications if the service provider intends to benefit from the limitation. Service providers also must have an agent to receive notifications to fully benefit from the system caching limitation set forth in subsection 512(b).
Subpart (b)(2)(E) provides that if a third-party places material online without the authorization of the copyright owner, the service provider must respond expeditiously to remove or disable access to the material alleged to be infringing in response to a notification described in subpart (c)(3) if: (1) the material was previously removed from the originating site or access to it has been disabled (or a court has entered an order compelling that result); or (2) the notification includes a statement

otherwise is available for service providers that disable access to or remove material pursuant to the other liability limitations, without complying with the provisions governing counter notifications.3 Service providers must designate an agent to receive notification of claimed acts of infringement and make available certain contact information about the designated agent on their websites “in a location accessible to the public” and in a required filing with the U.S. Copyright Office.4 The contact information must include “substantially” the following information: the name, address,5 phone number and email address of the designated agent, as well as any other

confirming these facts. The caching limitation therefore compels a service provider to designate an agent to receive notifications in this one limited circumstance where stale material has been cached. An agent need not be designated to benefit from the other circumstances set forth in subsection 512(b) when the caching limitation might apply or to benefit from the routing limitation created by subsection 512(a). A service provider must have an agent to receive counter notifications to qualify for the exemption from liability when subscriber content is removed (or access to it disabled) set forth in subpart 512(g)(2). An agent need not be designated to take advantage of the broad exemption set forth in subpart 512(g)(1). The limitation for Nonprofit Educational Institutions set forth in subsection 512(e) specifically addresses conduct by university faculty members or graduate students. To the extent a Nonprofit Educational Institution seeks to benefit from the system caching, user storage and information location tools limitations, or the exemption created by subsection 512(g)(2), it also must designate an agent. 3 17 U.S.C.A. § 512(g). 4 17 U.S.C.A. § 512(c)(2).
5 The Copyright Office's Interim Regulations provide that the address listed for an agent must be “[t]he full address, including a specific number and street name or rural route.” 37 C.F.R. § 201.38(a)(4). A post office box “will not be sufficient except where it is the only address that can be used in that geographic location.” 37 C.F.R. § 201.38(a)(4). This requirement may be problematic for certain consumer services where, for safety reasons, the service does not wish to reveal its exact street address. This concern undoubtedly was not considered in 1998 when the regulations were promulgated. Ten years later, the FTC issued more enlightened regulations defining a “valid physical postal address” under the federal CAN-SPAM Act, 15 U.S.C.A. §§ 7701 to 7713; see generally infra § 34.03 (analyzing the CAN-SPAM Act). Under that statute, a “valid physical postal address” means the sender's current street address, a post office box that the sender has accurately registered with the U.S. Postal Service, or a private mailbox that the sender has accurately registered with a commercial mail receiving agency that is established pursuant to U.S. Postal Service regulations. 16 C.F.R. § 316.2(p). The rationale for this broader

information that the Register of Copyrights may require (including a registration fee to cover the cost of publishing and maintaining a current directory of agents, which must be made available in both hard copy and electronic formats and made available over the Internet).6 While the statute requires provision of “substantially” the information enumerated in the statute (name, address, phone number and email address of the agent), the interim regulations specify that all of this information must be provided.7 The interim regulations, unlike the statute, further require that a facsimile number be provided.8 The interim regulations were issued on Nov. 3, 1998 and were still in effect as of September 1, 2015.9 In September 2011, the Copyright Office solicited comments on proposed rulemaking to update the regulations for designating agents.10 It is therefore possible that the regulations will be amended at some point in the future. A copy of the current regulation and forms for designating a DMCA agent (and designating a new DMCA agent) and a sample DMCA policy are included in the Appendix to this chapter.

definition is because it recognizes the privacy and security concerns of individuals who work from home or are fearful of publishing their street address for other reasons. See Definitions and Implementation Under the CAN-SPAM Act, 73 Fed. Reg. 29654, 29668 (May 21, 2008). 6 17 U.S.C.A. § 512(c)(2); 73 Fed. Reg. 29654, 29668 (May 21, 2008). 7 In Wolk v. Kodak Imaging Network, Inc., 840 F. Supp. 2d 733, 748–49 (S.D.N.Y. 2012), aff’d mem., 569 F. App’x 51 (2d Cir. 2014), the court held that Photobucket met the statutory requirement where it “substantially” complied with the requirement by providing the following information (but no name or telephone number): Copyright Agent Photobucket.com, Inc. PO Box 13003 Denver, CO 80201 mailto:[email protected] Id. at 749. Similarly, in Rosen v. eBay, Inc., No.
CV-13-6801 MWF (Ex), 2015 WL 1600081, at *10 (C.D. Cal. Jan. 16, 2015), the court held that eBay substantially complied with the requirements of section 512(c)(2) where “[i]n numerous places on its website eBay provided facsimile, telephone, email and mail contact information to parties interested in submitting infringement notices” but omitted the name of its agent (who was disclosed in its agent designation filing with the U.S. Copyright Office). 8 37 C.F.R. § 201.38(c)(5). 9 See Designation of Agent to Receive Notification of Claims Infringement, 63 Fed. Reg. 59233 (Nov. 3, 1998). 10 See Notice of Proposed Rulemaking, 76 Fed. Reg. 59,953 (Sept. 28, 2011).


In BWP Media USA Inc. v. Hollywood Fan Sites LLC,11 Judge J. Paul Oetken of the Southern District of New York held that the designation of a DMCA agent by a parent company did not extend to the company's subsidiary. In that case, the court held that there was nothing in the earlier designation filing with the U.S. Copyright Office that could be interpreted as referring to the subsidiary. Judge Oetken held that the DMCA did “not contemplate that a service provider entity can be shielded by the safe harbor where that entity has no presence at all” in the U.S. Copyright Office's directory of service providers.12 He explained that “[i]t is implausible that parties attempting to find a provider's DMCA agent designation, using the USCO's database, are expected to have independent knowledge of the corporate structure of a particular service provider.”13 Judge Oetken also questioned whether a single designation could apply to multiple entities given the language used in the Copyright Office's interim regulations.14 In its 1998 interim regulations, the Copyright Office provided that: For purposes of these interim regulations, related companies (e.g., parents and subsidiaries) are considered separate service providers who would file separate Interim Designations. When it considers final regulations, the Office will solicit comments as to whether related companies (e.g., parent and subsidiary companies) should be permitted to file a single Designation of Agent to Receive Notifications of Claimed Infringement.15 As noted above, the Copyright Office has yet to issue final regulations. It is not clear, however, that interim administrative regulations for filings with the Copyright Office should necessarily control in evaluating the substantive law question of whether DMCA protection applies. In an analogous context, defects in copyright applications and compliance with the deposit requirement for obtaining copyright registration have

11 BWP Media USA Inc. v. Hollywood Fan Sites LLC, — F. Supp. —, 2015 WL 3971750, at *5 (S.D.N.Y. 2015). 12 BWP Media USA Inc. v. Hollywood Fan Sites LLC, — F. Supp. —, 2015 WL 3971750, at *5 (S.D.N.Y. 2015). 13 BWP Media USA Inc. v. Hollywood Fan Sites LLC, — F. Supp. —, 2015 WL 3971750, at *5 (S.D.N.Y. 2015). 14 BWP Media USA Inc. v. Hollywood Fan Sites LLC, — F. Supp. —, 2015 WL 3971750, at *6 (S.D.N.Y. 2015). 15 Designation of Agent to Receive Notification of Claimed Infringement, 63 Fed. Reg. 59233, 59234 (Nov. 3, 1998).

held to be harmless errors that do not affect entitlement to copyright protection.16 In addition, the DMCA, on its face, only requires substantial compliance with its requirements. District courts have also held, albeit primarily in unreported decisions from a single district (the Northern District of California), that the user storage safe harbor was unavailable to defendants for alleged acts of infringement that pre-dated the time they registered their DMCA agents with the U.S. Copyright Office.17 In Perfect 10, Inc. v. Yandex, N.V.,18 for example, Judge William Alsup of the Northern District of

16 See supra § 4.08[2]; infra § 4.19. 17 See, e.g., BWP Media USA Inc. v. Hollywood Fan Sites LLC, — F. Supp. —, 2015 WL 3971750, at *3-4 (S.D.N.Y. 2015) (citing Oppenheimer approvingly for the proposition that “[a] service provider cannot retroactively qualify for the safe harbor for infringements occurring before the proper designation of an agent under the statute” and holding that “§ 512(c) makes clear that it contemplates two parallel sources—the provider's website and the USCO directory—where each service provider's DMCA agent information is readily available to the public. For a service provider to fulfill only one of these two requirements is insufficient.”); Oppenheimer v. Allvoices, Inc., No. C 14–00499 LB, 2014 WL 2604033, at *6 (N.D. Cal. June 10, 2014) (holding the DMCA inapplicable to conduct that pre-dated the defendant's registration of its DMCA agent with the U.S. Copyright Office, in ruling on a motion to dismiss); Nat'l Photo Group, LLC v. Allvoices, Inc., No. C–13–03627 JSC, 2014 WL 280391, at *4 (N.D. Cal. Jan. 24, 2014) (denying in part defendant's motion to dismiss, noting that “Plaintiff's claims predate Defendant's DMCA protection since Defendant's allegedly infringing activity began a number of weeks or months prior to Defendant's DMCA registration”); Perfect 10, Inc. v. Yandex, N.V., No. C 12-01521, 2013 WL 1899851, at *7 (N.D. Cal. May 7, 2013) (granting partial summary judgment for the plaintiff on Yandex's ineligibility for the DMCA user storage safe harbor for alleged infringement that occurred prior to the date Yandex registered its DMCA agent with the U.S. Copyright Office); Datatech Enterprises LLC v. FF Magnat Ltd., No. C 12-04500 CRB, 2012 WL 4068624, at *4 (N.D. Cal. Sept.
14, 2012) (granting a preliminary injunction based in part on the finding that the operator of an offshore file sharing cloud storage service was not likely to prevail on its DMCA defense with respect to 12,000+ alleged violations that occurred prior to June 15, 2011, which was the date it registered its DMCA agent with the U.S. Copyright Office, and because it failed to enforce its repeat infringer policy). In Datatech Enterprises, the court subsequently held that factual issues surrounding the defendant's designation of a DMCA agent precluded the plaintiff from obtaining partial summary judgment on the issue of the defendant's entitlement to the DMCA safe harbor but declined to dissolve its preliminary injunction order based on new evidence regarding agent designation where the record showed that the defendant had ignored copyright holders' requests to remove specifically identified repeat infringers, including one individual who uploaded 1,600 separate copies of an


California held that overseas entities were not entitled to DMCA safe harbor protection for notices sent prior to the time that they registered their DMCA agents with the U.S. Copyright Office, over objections that the service providers had received and processed DMCA notices without having a registered agent and substantially complied with the requirements of the statute. The court reasoned that 17 U.S.C.A. § 512(c)(2) provides that the DMCA safe harbor applies “only if the service provider has designated an agent to receive notifications of claimed infringement described in paragraph (3), by making available through its service, including on its website in a location accessible to the public, and by providing to the Copyright Office, . . .” the name and contact information of the agent.19 The Yandex court, however, did not thoroughly consider whether submission of information to the Copyright Office, as opposed to designation of an agent, necessarily must occur as a precondition to eligibility for the safe harbor. The DMCA statute refers to designation, not registration, as a precondition to safe harbor eligibility. If a service provider designates an agent to receive DMCA notifications on its website and begins substantial compliance with the DMCA so that copyright owners may submit DMCA notifications to the agent to have infringing works removed, but the service provider does not notify the Copyright Office until some time later, the conclusion that DMCA protection is only available as of the date notice is provided to the Copyright Office, and not prior to that time when an agent was identified on the service provider's website (where most people look to see if a service provider has designated an agent) is not necessarily compelled by the plain terms of the statute. Even if designation requires identification of the agent on both the service provider's website and with the U.S.
Copyright Office, it does not necessarily follow that when both steps have been completed protection does not relate back to the initial act of designation. Section 512(c)(2) uses the

infringing work. District Court Judge Charles Breyer accordingly reiterated that, independent of the issue of registration, the defendant was unlikely to prevail on its DMCA defense based on its failure to implement its repeat infringer policy. Datatech Enterprises LLC v. FF Magnat Ltd., No. C 12-04500 CRB, 2013 WL 1007360, at *5–6 (N.D. Cal. Mar. 13, 2013). 18 Perfect 10, Inc. v. Yandex, N.V., No. C 12-01521, 2013 WL 1899851, at *7 (N.D. Cal. May 7, 2013). 19 17 U.S.C.A. § 512(c)(2) (emphasis added).

terminology “only if” not “only when” in describing the preconditions for safe harbor protection. By analogy, the Copyright Act generally requires registration of a copyright as a precondition to filing suit, but allows a copyright owner to sue for infringement that pre-dates registration, but only after a copyright has been registered.20 It does not necessarily follow that if the technical requirements for designation of an agent occur at different times, protection is only available as of the last date when the last of the requirements set forth in section 512(c)(2) have been met—especially given that notice to the Copyright Office arguably is the least important of the specific requirements set forth in section 512(c)(2). In Disney Enterprises, Inc. v. Hotfile Corp.,21 Judge Kathleen M. Williams of the Southern District of Florida followed Yandex in ruling, as alternative grounds for denying safe harbor protection to Hotfile, an overseas file storage site adjudged ineligible for failing to reasonably implement its repeat infringer policy, that Hotfile would have been ineligible for the safe harbor for any acts of infringement that occurred on Hotfile prior to May 2010, which was the date on which it published its DMCA agent's contact information on its website. In Hotfile, the service provider had an “abuse report” form on its website and provided an email address for users to report infringing content for many years, but did not register a DMCA agent with the Copyright Office until December 2009 and did not identify the agent on its website until May 2010. Judge Williams conceded that the statute “focuses on whether someone with an infringement complaint would be able to contact the company . . . ,” but nonetheless followed Yandex in holding that DMCA protection was unavailable until the agent was both identified in a Copyright Office filing and on the defendant's website.
Yandex and Hotfile underscore a potential conundrum faced by foreign website owners and service providers that potentially could comply with the DMCA but may not otherwise be doing business in the United States. If a foreign site registers a DMCA agent with the U.S. Copyright Office, this act could be viewed as evidencing purposeful availment of the privileges and benefits of doing business in the United

20 See infra § 4.19[1]. 21 Disney Enterprises, Inc. v. Hotfile Corp., Case No. 11-20427-Civ, 2013 WL 6336286 (S.D. Fla. Sept. 20, 2013).


States and/or targeting the U.S. market, which could increase the chance of being found subject to personal jurisdiction in the United States.22 On the other hand, if the entity does not register its agent with the U.S. Copyright Office and otherwise is held subject to personal jurisdiction in the United States, under Yandex and Hotfile it could be deprived of any safe harbor defense even if it substantially complies with the requirements of the statute.

4.12[9][B] Notifications (and Service Provider Obligations in Response to Notifications)

A notification must be “a written communication” directed to the service provider's designated agent. This requirement may be satisfied by an email message since the signature requirement (discussed below) allows for electronic, as well as physical, signatures.1 In response to a notification, a service provider's obligations will vary depending on the type of infringement alleged. A service provider must expeditiously remove or disable access to allegedly infringing material that has been cached, but only if the material first was removed from the originating site (or access to it was blocked).2 A service provider likewise must respond expeditiously to remove or disable links or similar information location tools3 or material stored on its system or network at the direction of a user.4 Where a notification relates to material stored at the direction of a user who is also a subscriber and the service provider seeks to benefit from the exemption set forth in subpart 512(g)(2), the service provider also must take reasonable steps to promptly inform its subscriber (i.e., the alleged infringer) that it has removed or disabled access to the

22 See infra chapter 53 (analyzing personal jurisdiction over U.S. and foreign entities).
[Section 4.12[9][B]]
1 17 U.S.C.A. § 512(c)(3)(A). Since the time the DMCA was enacted, Congress passed the federal e-SIGN statute, which significantly liberalized the standards for electronic signatures. See 15 U.S.C.A. §§ 7001 et seq.; infra § 15.02[2].
2 See 17 U.S.C.A. § 512(d)(2)(E).
3 See 17 U.S.C.A. § 512(d)(3).
4 17 U.S.C.A. § 512(c)(3).

material described in the notification5 and comply with the more complex rules governing counter notification,6 which are discussed below in section 4.12[9][C]. A service provider that fails to comply with these additional requirements may still enjoy limited liability for copyright infringement under section 512(c) for material stored at the direction of a user even though it would not be exempt from potential liability to its subscriber under subpart 512(g)(2) for removing or disabling access to material which in good faith is believed to be infringing.

In Hendrickson v. Amazon.com, Inc.,7 Judge Hatter of the Central District of California ruled in a case of first impression that a notification is only effective with respect to material on a site “at the time the ISP receives the notice” and cannot impose a continuing obligation on the recipient-service provider to monitor its location for future acts of infringement. In Amazon.com, Inc., the plaintiff sent a substantially complying notification to Amazon.com on Jan.

5 17 U.S.C.A. § 512(g)(2)(A) (emphasis added).
6 See 17 U.S.C.A. § 512(g)(2). Subpart (g)(2)—which imposes potentially burdensome requirements on service providers to transmit notifications to certain alleged infringers and accept and process counter notifications in order to enjoy an exemption from liability—applies where content residing at the direction of a subscriber is removed (or access to it is blocked) based on a service provider's good faith belief that the material in question is infringing. The subscriber content removed will be material stored at the direction of a user within the meaning of the user storage limitation set forth in subpart (c)(3). It is possible, however, that a service provider, to limit its potential liability for copyright infringement in response to a notification, could remove user content that was not stored by a subscriber within the meaning of subpart (g)(2), in which case the service provider would not need to comply with the requirements of subpart (g)(2) in order to be exempt from any liability for removing or disabling access to such content. Although the terms are not defined, subscribers should be thought of potentially as a subset of a service provider's users. Except where subscriber content is removed (or access to it disabled) in response to a formal notification (in which case the requirements of subpart (g)(2) must be met to benefit from the exemption), service providers are exempt pursuant to subpart (g)(1) from any liability for removing or disabling access to material believed in good faith to be infringing. Thus, where a service provider acts on its own initiative, in response to a third-party complaint or in response to a notification that does not involve subscriber content stored by a user within the meaning of subpart (c)(3), it will be exempt, pursuant to subpart (g)(1), from any liability for removing or disabling access to content believed in good faith to be infringing.
7 Hendrickson v. Amazon.com, Inc., 298 F. Supp. 2d 914 (C.D. Cal. 2003).


28, 2002, stating that as copyright owner he had never authorized a DVD release of the movie Manson. He subsequently sued Amazon.com, Inc., for a third-party listing of a DVD version of Manson that he noticed on the Amazon site on Oct. 21, 2002—almost nine months after the time he sent the notification. Judge Hatter ruled that although the January 2002 notice was “adequate for the listings then on Amazon,” “there is a limit to the viability of an otherwise adequate notice.” The January 2002 notification could not “be deemed adequate notice for subsequent listings and sales, especially, as here, when the infringing item was posted for sale nine months after the date of notice.”8 Citing legislative history, Judge Hatter wrote:

The DMCA places the burden on the copyright owner to monitor the Internet for potentially infringing sales. “[A] service provider need not monitor its service or affirmatively seek facts indicating infringing activity.” House Report No. 551(II), 105th Congress, 2d Session 1998, H.R. at 53. To allow a plaintiff to shift its burden to the service provider would be contrary to the balance crafted by Congress. “The goal of § 512 (c)(3)(A)(iii) is to provide the service provider with adequate information to find and examine the allegedly infringing material expeditiously.” H.R. at 55.9

Under the statute, a notification must include:

(i) A physical or electronic signature of a person authorized to act on behalf of the copyright owner or exclusive licensee.
(ii) Identification of the copyrighted work claimed to be infringed. If a notice refers to multiple works posted at a single location, it is sufficient to include a representative list of works infringed at the site.
(iii) Identification of the material claimed to be infringing together with “information reasonably sufficient to permit the service provider to locate the material.” For purposes of the information location tools limitation, the notification must also identify the reference or link to the material or activity claimed to be infringing and information “reasonably sufficient” to permit the service provider to locate the reference or link.
(iv) Information “reasonably sufficient” to permit the service provider to contact the complaining party. Such information may include the complaining party's address, telephone or email address.
(v) A statement that the complaining party believes, in good faith,10 that the copyrighted material identified is being used in a manner that is not authorized11 by “the copyright owner, its agent, or the law.”

8 Hendrickson v. Amazon.com, Inc., 298 F. Supp. 2d 914, 917 (C.D. Cal. 2003).
9 Hendrickson v. Amazon.com, Inc., 298 F. Supp. 2d 914, 916 (C.D. Cal. 2003); see also Wolk v. Kodak Imaging Network, Inc., 840 F. Supp. 2d 733, 746–47 (S.D.N.Y. 2012) (rejecting plaintiff's contention that the defendant was required to proactively search for copies of the same work in the future once a notification is sent), aff’d mem., 569 F. App’x 51 (2d Cir. 2014). In Hendrickson, Judge Hatter concluded that because the language of the statute is in the present tense, “it clearly indicates that Congress intended for the notice to make the service provider aware of the infringing activity that is occurring at the time it receives the notice.” Hendrickson v. Amazon.com, Inc., 298 F. Supp. 2d 914, 917 (C.D. Cal. 2003). Moreover, he wrote: The purpose behind the notice is to provide the ISP with adequate information to find and examine the allegedly infringing material expeditiously. H.R. at 55. If the infringing material is on the website at the time the ISP receives the notice, then the information, that all Manson DVD's are infringing, can be adequate to find the infringing material expeditiously. However, if at the time the notice is received, the infringing material is not posted, the notice does not enable the service provider to locate infringing material that is not there, let alone do it expeditiously. Hendrickson v. Amazon.com, Inc., 298 F. Supp. 2d 914 (C.D. Cal. 2003).

10 In Rossi v. Motion Picture Ass'n of America Inc., 391 F.3d 1000 (9th Cir. 2004), cert. denied, 544 U.S. 1018 (2005), the Ninth Circuit ruled that the “good faith belief” requirement in § 512(c)(3)(A)(v) encompasses a subjective, rather than an objective, standard.
11 In Lenz v. Universal Music Corp., — F.3d —, 2015 WL 5315388 (9th Cir. 2015), the Ninth Circuit held that section 512(c)(3)(A)(v) requires a copyright owner to consider fair use in formulating a good faith belief that “use of the material in the manner complained of is not authorized by the copyright owner, its agent, or the law.” The court ruled that a copyright owner need only have a subjective good faith belief that the material at issue in a DMCA notice is not entitled to fair use, but a copyright owner faces liability if it knowingly misrepresents in a takedown notice that it had formed a good faith belief that the material was not authorized by law without considering fair use. As explained by the court in Lenz, “[t]his inquiry lies not in whether a court would adjudge the video as a fair use, but whether Universal formed a good faith belief that it was not.” Id. at *6. The majority further explained that if a copyright holder forms a subjective good faith belief the allegedly infringing material does not constitute fair use, we are in no position to dispute the copyright holder's belief even if we would have reached a different conclusion. A copyright holder who pays lip service to the consideration of fair use by claiming it formed a good faith belief when there is evidence to the contrary is still subject to § 512(f) liability. Id. at *7. The Ninth Circuit further clarified that “formation of a subjective good faith belief does not require investigation of the allegedly infringing content.” Id. at *7. The panel suggested, for example, that computer programs could be used to identify potentially infringing material and flag items for manual review. Id. at *8. On the other hand, the Ninth Circuit panel made clear that liability could be imposed based on willful blindness if a copyright owner (1) subjectively believed there was a high probability that the subject of a DMCA notice constituted a fair use, and (2) took deliberate action to avoid learning of this fair use. Id. at *8, citing Global-Tech Appliances, Inc. v. SEB S.A., 563 U.S. 754 (2011); see generally supra § 4.11[6][A] (analyzing the case in greater detail in the context of liability for copyright infringement); infra § 4.12[6][C] (analyzing SEB and willful blindness in the context of knowledge or awareness that could disqualify a service provider from DMCA safe harbor protection). Where liability may be found, the Ninth Circuit held that even if an affected user has incurred no monetary loss the user may recover nominal damages for a knowing material misrepresentation under section 512. Id. at *10 (discussing nominal awards in tort cases). The appellate court declined, however, to decide the scope of recoverable damages, including “whether she may recover expenses following the initiation of her § 512(f) suit or pro bono costs and attorneys' fees, both of which arose as a result of the injury incurred.” Id. at 11; see infra §§ 4.12[9][D], 4.12[9][F] (discussing the case at greater length).

(vi) A statement that the information in the notification is accurate, and under penalty of perjury, that the complaining party is authorized to act on behalf of the owner of an exclusive right that is allegedly infringed.12

All six requirements do not necessarily have to be met for a particular notification to be considered valid. The Act merely requires that “substantially” all of the six categories of information be provided.13 While Congress did not specifically define what would constitute substantial compliance, a notification that only satisfies the second, third and fourth requirements apparently is not sufficient, based on a later provision of the Act which refers to a notice that “fails to comply substantially with all the provisions of subparagraph (A) but substantially complies with clauses (ii), (iii) and (iv).”14 Congress thus apparently believed that some level of authentication was required in order for a notification to be in substantial compliance since elements (i), (v) and (vi) relate, respectively, to the requirements for a signature, a good faith statement that the material in question is infringing, verification of the accuracy of the notification and certification under penalty of perjury that the person lodging the notification is authorized to do so.15

A notification that is not a “written communication provided to the designated agent of a service provider” would be defective, although it is unclear whether a notice complying with all six content requirements would be found to be in substantial compliance if it were directed to someone other than the designated agent. Presumably, Congress would not have required agent designation and the publication of lists of designated agents if the requirement that notice be provided to a designated agent had not been considered important. Failure to submit notification to the designated agent therefore may make a notification fatally defective (at least absent evidence of actual receipt by the service provider).

In ALS Scan, Inc. v. RemarQ Communities, Inc.,16 the Fourth Circuit ruled that ALS Scan, the owner of copyrights in adult content, substantially complied with the notification requirement of the DMCA when it sent RemarQ a notification that (1) identified two Usenet groups—alt.als and alt.binaries.pictures.erotica.als—that it alleged had been created solely for the purpose of publishing ALS Scan's copyrighted works, (2) asserted that virtually all of the images on the two sites constituted infringing copies of its copyrighted photographs (and noted that material could be identified as ALS Scan's material because the images included reference to ALS Scan's name and/or copyright symbol), and (3) referred RemarQ to two URLs where RemarQ could find pictures of ALS Scan's models and obtain

12 17 U.S.C.A. § 512(c)(3)(A) (emphasis added).
13 See 17 U.S.C.A. § 512(c)(3).
14 17 U.S.C.A. § 512(c)(3)(B)(ii).

15 Although the issue was not thoroughly or carefully considered, the court in Brave New Films 501(c)(4) v. Weiner, 626 F. Supp. 2d 1013 (N.D. Cal. 2009) wrote that no authority had been presented by a defendant to suggest that a letter that otherwise met the requirements of a DMCA notification was not substantially complying merely because it did not include a statement that the sender had a good faith belief that the defendant's use of plaintiff's work was unauthorized. The issue of substantial compliance, although decided by the court, in fact was not relevant to the question of whether the plaintiff had stated a claim for misrepresentation under section 512(f), which does not in fact require that a notification be substantially compliant to be actionable. See generally infra § 4.12[9][D] (discussing the case in the context of section 512(f)).
16 ALS Scan, Inc. v. RemarQ Communities, Inc., 239 F.3d 619 (4th Cir. 2001).

copyright information.17 Although the district court had ruled that the notice was deficient, the Fourth Circuit concluded that it substantially complied with the notification requirement of providing a “representative list” of infringing material18 as well as information “reasonably sufficient”19 to enable RemarQ to locate the infringing material.20 Accordingly, the court ruled that RemarQ had been given notice of infringement and failed to act, and was therefore not entitled to the DMCA's liability limitations.21

17 RemarQ had responded to the notification by advising that it would eliminate individual infringing items if ALS Scan identified them “with sufficient specificity.” ALS Scan objected that over 10,000 copyrighted images belonging to ALS Scan had been included in the newsgroups over a period of several months.
18 As previously noted, § 512(c)(3)(A)(ii) provides that “[i]f a notice refers to multiple works posted at a single location, it is sufficient to include a representative list of works infringed at the site.”
19 See 17 U.S.C.A. § 512(c)(3)(A)(iii) (providing that a notification must include “information reasonably sufficient to permit the service provider to locate the material.”).
20 239 F.3d at 625. RemarQ had argued that the notice was insufficient to identify the infringing works because the Usenet groups in question also included text commentaries and appeared to include non-ALS Scan photographs, in addition to works owned by ALS Scan. The two newsgroups at issue, however, included ALS Scan's name, which ALS Scan cited in arguing that the groups had been created solely for the purpose of publishing and exchanging ALS Scan images (which ALS Scan did not license for this purpose). ALS Scan, Inc. v. RemarQ Communities, Inc. is perhaps best understood as a case involving allegations of infringement on a massive scale, where the very names of the Internet locations betrayed that they had been created for the purpose of infringing plaintiff's works. Although not directly relevant, the Fourth Circuit may also have been influenced by the fact that America Online, Erol's and Mindspring apparently responded to equivalent notices by blocking access to the two Usenet groups. See ALS Scan, Inc. v. RemarQ Communities, Inc., 239 F.3d 619, 621 (4th Cir. 2001). The decision was not well received by some service providers, because RemarQ was not actually hosting the newsgroups. Unlike websites, newsgroups do not reside on a single server. The DMCA, however, does not distinguish between hosts, content providers or access providers in its treatment of service providers.
21 See ALS Scan, Inc. v. RemarQ Communities, Inc., 239 F.3d 619 (4th Cir. 2001) (“The DMCA's protection of an innocent service provider disappears at the moment the service provider loses its innocence, i.e., at the moment it becomes aware that a third party is using the system to infringe.”). The Fourth Circuit reversed and remanded the case, reinstating ALS Scan's claim against RemarQ for direct infringement. Although the court ruled that RemarQ was not entitled to the protections afforded by the DMCA's safe harbor provisions and reversed the lower court's entry of summary judgment for RemarQ, it declined to reverse the lower court's order denying summary judgment for ALS Scan, and instead remanded the case for further proceedings, finding that ALS Scan's contentions that the sole purpose of the newsgroups, and that “virtually all” of the images posted on the newsgroups are infringing, constituted disputed facts that precluded the entry of summary judgment.

In Perfect 10, Inc. v. CCBill, LLC,22 the Ninth Circuit found notifications sent by Perfect 10 to a Web host and payment processor did not substantially comply with the requirements of the DMCA. Perfect 10 had argued that it met the requirements for substantially complying notifications through a combination of three sets of documents: (1) a 22,185-page bates-stamped production that included pictures with URLs of Perfect 10 models allegedly posted on the websites of defendants' clients, but which did not contain a statement submitted under penalty of perjury that the complaining party was authorized to act; (2) a spreadsheet identifying the Perfect 10 models revealed in the first set of documents, which was sent approximately nine months later; and (3) interrogatory responses that incorporated by reference the spreadsheet and which was signed under penalty of perjury approximately two and a half months later. The Ninth Circuit ruled that each document was defective because section 512(c)(3) contemplates “ ‘a written communication’ .... Permitting a copyright holder to cobble together adequate notice from separately defective notices . . . unduly burdens service providers.”23 The court emphasized that “[t]he DMCA notification procedures place the burden of policing copyright infringement—identifying the potentially infringing material and adequately documenting infringement—squarely on the owners of the copyright. We decline to shift a substantial burden from the copyright owner to the provider; Perfect 10's separate communications are inadequate.”24

In a later Ninth Circuit case, Luvdarts, LLC v. AT&T Mobility, LLC,25 the court held that mobile phone carriers could not be held secondarily liable for copyright infringement for user text messages that allegedly attached infringing copies of plaintiff's works where the notices sent to the

22 Perfect 10, Inc. v. CCBill LLC, 488 F.3d 1102 (9th Cir.), cert. denied, 522 U.S. 1062 (2007).
23 488 F.3d at 1112–13 (emphasis in original).
24 488 F.3d at 1113.
25 Luvdarts, LLC v. AT&T Mobility, LLC, 710 F.3d 1068 (9th Cir. 2013).

carriers failed to qualify as proper notifications under the DMCA. In Luvdarts, the notices were 150-page long lists of copyrighted works owned by the plaintiff along with a request for “accountability” for unauthorized distribution of those titles for the period from May 2008 to November 2009, which did not identify “which of these titles were infringed, who infringed them, or when the infringement occurred.”26 In short, they “failed to notify the Carriers of any meaningful fact.”27

In Wolk v. Kodak Imaging Network, Inc.,28 Judge Robert Sweet of the Southern District of New York held that notifications sent to Photobucket that did not include URLs did not comply with the requirements of the statute.29

26 Luvdarts, LLC v. AT&T Mobility, LLC, 710 F.3d 1068, 1073 (9th Cir. 2013).
27 Luvdarts, LLC v. AT&T Mobility, LLC, 710 F.3d 1068, 1072 (9th Cir. 2013).
28 Wolk v. Kodak Imaging Network, Inc., 840 F. Supp. 2d 733, 746–47 (S.D.N.Y. 2012), aff’d mem., 569 F. App’x 51 (2d Cir. 2014).
29 In an unreported decision, Perfect 10, Inc. v. Yandex, N.V., No. C 12-01521, 2013 WL 1899851 (N.D. Cal. May 7, 2013), a court approved of the sufficiency of DMCA notices that provided only truncated URLs, where the full URLs could be manually extracted by the service provider by right clicking on PDF files provided. The opinion, however, does not cite to Wolk or any of the many other cases addressing the sufficiency of DMCA notices, other than Perfect 10, Inc. v. CCBill LLC, 488 F.3d 1102, 1112–13 (9th Cir.), cert. denied, 522 U.S. 1062 (2007), which, ironically, is cited for the proposition that a DMCA notice may not be proper if it requires a service provider to “take substantial time to piece together the relevant information for each instance of claimed infringement.” See Perfect 10, Inc. v. Yandex, N.V., No. C 12-01521, 2013 WL 1899851, at *3 (N.D. Cal. May 7, 2013). Given that Perfect 10 has a long history of sending notices to service providers that are intended to make it difficult for the service provider to easily locate and remove material, as detailed in various court opinions, the court in Yandex should have at least given more serious consideration to whether Perfect 10's provision of truncated URLs (which are impossible to use to locate a web page) was intended to thwart the service provider's efforts at locating and removing the allegedly infringing material and cause it to “take substantial time to piece together relevant information for each instance of claimed infringement.” The court ruled that section 512(c)(3) does not require any particular format for DMCA notices and likely was influenced by the fact that Perfect 10's notices in Yandex improved upon the abysmal notices rejected by the Ninth Circuit in CCBill. Nevertheless, the Yandex court should have considered the context in which truncated URLs were provided in evaluating whether the notices satisfied CCBill. In light of the plaintiffs' record of sending deficient notices, the fact that it was on notice about what was required based on its prior experience litigating the sufficiency of DMCA notices and given that it could easily have provided a list of complete URLs, the sufficiency of Perfect 10's notice in Yandex at a minimum deserved closer scrutiny.

In Capitol Records, LLC v. Vimeo, LLC,30 Judge Ronnie Abrams of the Southern District of New York held that Vimeo was not obligated to disable access to or remove material in response to notices that were not substantially complying but in any case expeditiously removed videos where it took down material on the same day on two occasions and within three and a half weeks in response to a notice that covered 170 videos. It is questionable whether other courts would agree that three and a half weeks represents an expeditious response, even to a notice that identifies 170 videos.

In Hendrickson v. eBay, Inc.,31 the plaintiff's failure to authenticate a notification sent to eBay by including a written statement under penalty of perjury substantiating the accuracy of the notification (section 512(c)(3)(A)(vi)) or certifying that he had “a good faith belief that use of the material in the manner complained of” was not authorized (section 512(c)(3)(A)(v)) rendered it defective.

The court in Hendrickson also found the plaintiff's notification insufficient under section 512(c)(3)(A)(iii) to identify the various listings that purportedly offered pirated copies of his work. In response to plaintiff's notice, eBay had asked for the specific item number(s) to facilitate locating them. The court wrote that it recognized that “there may be instances where a copyright holder need not provide eBay with specific numbers to satisfy the identification requirement.”32 It concluded, however, that specific item numbers were necessary in this case to allow eBay to identify the problematic listings.33 It also rejected the argument that information allegedly communicated orally to eBay was relevant, since a notification must be in writing.

30 Capitol Records, LLC v. Vimeo, LLC, 972 F. Supp. 2d 500, 535-36 (S.D.N.Y. 2013).
31 Hendrickson v. eBay, Inc., 165 F. Supp. 2d 1082 (C.D. Cal. 2001).
32 As an example, the court wrote that “if a movie studio advised eBay that all listings offered to sell a new movie (e.g., “Planet X,”) that has not yet been released in VHS or DVD format are unlawful, eBay could easily search its website using the title “Planet X” and identify the offensive listings.”
33 Among other things, the court noted that the plaintiff had never explained what distinguished an infringing copy from a genuine one.


In UMG Recordings, Inc. v. Veoh Networks, Inc.,34 the court held that a notice from the RIAA that identified UMG artists, but not their works, and not the files on Veoh's site that allegedly infringed those works, was deficient. In that case, UMG had relied on dicta from Hendrickson v. eBay, Inc., in which the court had hypothesized that “if a movie studio advised eBay that all listings offering to sell a new movie . . . are unlawful, eBay could easily search its website using the title . . . and identify the offensive listings.”35 Judge Matz, however, held that UMG's “reliance on this dictum” was misplaced.36 “Here, the RIAA's notices did not identify titles of infringing videos. Nor did they advise Veoh that all videos by a certain artist, let alone all videos that would turn up in a search of an artist's name on Veoh's system, were infringing.”37 Although not specifically discussed in the context of notice, the court, elsewhere in its opinion, had noted that at least some of the artists identified in RIAA notices as UMG artists also recorded music for Sony-BMG, which had licensed its music videos to Veoh.

In Viacom Int'l Inc. v. YouTube, Inc.,38 Judge Stanton of the Southern District of New York followed Veoh in rejecting Viacom's argument that YouTube was not entitled to DMCA protection because it removed only the specific clips identified in DMCA notices, rather than other clips that also infringed the same works. The court held that a copyright owner, in meeting the statutory requirement for providing “information reasonably sufficient to permit the service provider to locate the material,” must provide specific information, such as a copy or description of the material and a URL, rather than merely a generic description.

34 UMG Recordings, Inc. v. Veoh Networks Inc., 665 F. Supp. 2d 1099, 1110 (C.D. Cal. 2009), aff'd on other grounds sub nom. UMG Recordings, Inc. v. Shelter Capital Partners LLC, 718 F.3d 1006 (9th Cir. 2013).
35 Hendrickson v. eBay, Inc., 165 F. Supp. 2d 1082, 1090 (C.D. Cal. 2001).
36 UMG Recordings, Inc. v. Veoh Networks Inc., 665 F. Supp. 2d 1099, 1110 (C.D. Cal. 2009), aff'd on other grounds sub nom. UMG Recordings, Inc. v. Shelter Capital Partners LLC, 718 F.3d 1006 (9th Cir. 2013).
37 UMG Recordings, Inc. v. Veoh Networks Inc., 665 F. Supp. 2d 1099, 1110 n.14 (C.D. Cal. 2009), aff'd on other grounds sub nom. UMG Recordings, Inc. v. Shelter Capital Partners LLC, 718 F.3d 1006 (9th Cir. 2013).
38 Viacom Int'l Inc. v. YouTube, Inc., 718 F. Supp. 2d 514 (S.D.N.Y. 2010), aff'd in relevant part on other grounds, 676 F.3d 19 (2d Cir. 2012).


In Perfect 10, Inc. v. Giganews, Inc.,39 Judge Audrey Collins of the Central District of California denied plaintiff's summary judgment motion based on the sufficiency of the five DMCA takedown notices that plaintiff had sent to the defendant, which were comprised of search instructions, thumb nail images and screen shots of Usenet posts. The court found these notices to be inadequate because the results lists did not specifically identify infringing items (as opposed to merely search results) and because material accessible through the Usenet is in a constant state of flux, the images and search instructions did not meet the requirements of section 512(c)(3)(A)(iii). The notices likewise did not provide “information reasonably sufficient to permit the service provider to locate the material.” In contrast to providing Message IDs, which would have allowed Giganews to locate the material at issue, Judge Collins characterized plaintiff's practice as a “Rube Goldberg method of locating messages ....”40

A lower standard for substantial compliance may exist for notifications relating to information location tools, which as a practical matter may be easier for a service provider to identify and locate than certain types of material stored by users. In Arista Records, Inc. v. MP3Board, Inc.,41 for example, a district court in New York held that a letter that named particular artists and songs, which was accompanied by printouts of screen shots of the defendant's service where relevant links had been highlighted and marked with an asterisk, was sufficient even though plaintiffs did not actually provide the specific URLs of the pages connected via the links.42 Unlike the notices at issue in Veoh, the notifications in MP3Board at least identified the material alleged to be infringing.

If a notification is defective, it generally may not be cited

39 Perfect 10, Inc. v. Giganews, Inc., 993 F. Supp. 2d 1192 (C.D. Cal. 2014).
40 Perfect 10, Inc. v. Giganews, Inc., 993 F. Supp. 2d 1192, 1201 (C.D. Cal. 2014).
41 Arista Records, Inc. v. Mp3Board, Inc., 2002 Copr. L. Dec. P 28483, 2002 WL 1997918 (S.D.N.Y. 2002).
42 An earlier letter that merely identified ten artists whose works had been infringed was deemed not to be substantially complying. See Arista Records, Inc. v. Mp3Board, Inc., 2002 Copr. L. Dec. P 28483, 2002 WL 1997918 (S.D.N.Y. 2002). For further discussion of this case, see infra § 4.12[9][F].

as evidence that the service provider had knowledge or awareness of the infringement for purposes of the user storage limitation.43 If, however, the notification at least includes substantially complying details of the allegedly infringed and infringing works and contact information to allow the service provider to contact the complainant,44 the provider must disable access to or remove the material to benefit from this provision.45

As a practical matter, the substantial compliance standard encourages service providers to respond even to defective notices in order to avoid a later judicial determination that a nonconforming notice nonetheless was in substantial compliance. A court generally may not consider whether a defective notice—which fails to comply substantially with the requirements of the Act—gave a service provider actual notice or awareness within the meaning of the user storage or information location tools limitations.46

Where a defective notice provided to a service provider's designated agent substantially complies with requirements (ii), (iii) and (iv), however, the notice may be cited as evidence that the service provider had knowledge of the infringement unless, upon receipt of the defective notice, the service provider promptly attempted to contact the person who submitted it “or takes other reasonable steps” to obtain notification that substantially complies with the statutory requirements.47 Where it does so, and the copyright owner refuses to provide the requested information, the service provider will not have liability for failing to act48 (assuming that it was not mistaken in the first instance in concluding that additional information was required).

To avoid a finding that a service provider had actual

43 See 17 U.S.C.A. § 512(c)(3)(B)(i) (a notification that is not substantially complying “shall not be considered under paragraph (1)(A) in determining whether a service provider has actual knowledge or if aware of facts or circumstances from which infringing activity is apparent”); see generally supra § 4.12[6][C].
44 These three requirements are set forth in sections 512(c)(3)(A)(ii), 512(c)(3)(A)(iii) and 512(c)(3)(A)(iv).
45 See 17 U.S.C.A. § 512(c)(3)(B)(ii); see generally supra § 4.13[6][B].
46 17 U.S.C.A. § 512(c)(3)(B)(i).
47 17 U.S.C.A. § 512(c)(3)(B)(ii).
48 See Hendrickson v. eBay, Inc., 165 F. Supp. 2d 1082, 1090–91 (C.D. Cal. 2001) (finding no liability where the plaintiff failed to cure defects in its notification to eBay, even after having been asked to do so by eBay).

knowledge or awareness based on a defective notice, service providers may find it easier simply to remove or block access to content reasonably described in a defective notice. If they do so, however, and if a notification relating to content stored at the direction of a user is later held to be substantially complying, they may run afoul of the requirements of subpart 512(g)(2) if they fail to serve a copy of the notification on a subscriber and thereby deny that party the ability to file a counter notification.49 Thus, on balance, service providers may be best advised to respond to all defective notices by promptly notifying the complainant of the specific defects in the notification and urging prompt resubmission.

Service providers or affected users may publish notifications on the Internet. Google, for example, forwards copies of all notifications to chillingeffects.org, a site that publishes and archives legal notices.

Material misrepresentations in notifications may lead to liability under section 512(f) of the DMCA50 or other theories of law.51 The contents of notifications, however, may be protected against tort or other claims based on state law litigation privileges.52

What it means to disable access to or remove material is addressed in section 4.12[6][C].

4.12[9][C] Counter Notification

Upon receipt of a notification, a service provider will be

49 As a practical matter, service providers may be able to limit their exposure to subscribers and account holders by contract in their subscriber agreements, ISP service agreement, Terms of Use or similar contracts. If a service provider will comply with the procedures for counter notifications, it is prudent to disclose in both the privacy policy and DMCA policy (or copyright section of Terms of Use) that copies of notifications will be sent to users accused of infringing activity. The sample DMCA policy found in the Appendix to this chapter includes such a provision.
50 See infra § 4.12[9][D].
51 See infra § 4.12[9][F].
52 See, e.g., Cal. Civil Code § 47(b) (statements made in judicial proceedings); Maponics, LLC v. Wahl, No. C07–5777 BZ, 2008 WL 2788282 (N.D. Cal. July 18, 2008) (discussing the potential applicability of California Civil Code section 47(b) to DMCA notices as “reasonably relevant” to “achieve the objects of the litigation,” but concluding that the emails at issue in that case did not meet the requirements of section 512(c)(3)(A) and “seem more like an attempt . . . to gain business from a customer by charging a competitor with theft, than an attempt to mitigate a customer's damages.”).

exempt from liability for removing or disabling access to allegedly infringing content in good faith.1 However, this exemption will only apply with respect to material residing at the direction of a subscriber (i.e., material stored at the direction of a user which is removed in response to a notification sent pursuant to section 512(c), where the user is also a subscriber under section 512(g)(2)), if the service provider “take[s] reasonable steps promptly to notify the subscriber that it has removed or disabled access to the material” and thereby allows the alleged infringer to respond to the notification. An accused infringer's response is referred to in the statute as a “counter notification.”

There is no obligation to comply with the procedures for counter notification with respect to material removed pursuant to any other liability limitation, including information location tools.2 Nor is there an obligation to comply with the procedures for counter notifications unless the material stored at the direction of a user was removed pursuant to a notification (as opposed to in response to the service provider's knowledge or red flag awareness), and even then only if the user is also a subscriber. Indeed, restoring access to material pursuant to counter notification procedures, except where expressly authorized by the DMCA for material stored by a subscriber who submits a counter notification in accordance with the rules set forth in section 512(g), could result in a service provider being held liable for copyright infringement.

Like a notification, a counter notification, to be considered proper, must be “a written communication provided to the service provider's designated agent” and satisfy certain content requirements. Specifically, a counter notification must include:
(1) A physical or electronic signature of the alleged infringer;
(2) Identification of the material that was removed or disabled by the service provider and the location where the material appeared before it was removed or access to it was disabled;
(3) A statement under penalty of perjury that the al-

[Section 4.12[9][C]] 1 17 U.S.C.A. § 512(g)(1). 2 See supra § 4.12[7].


leged infringer has a good faith belief that the material at issue was mistakenly removed or misidentified; and
(4) The alleged infringer's name, address, and telephone number and a statement that the alleged infringer consents to the jurisdiction of the federal district court for the judicial district in which the address it provides is located and that it will accept service of process from the person who provided the original notification. If the alleged infringer is located outside the United States, the alleged infringer must include a statement that it consents to the jurisdiction of any U.S. federal district court in which the service provider may be found.3

As noted above, an internet user who submits a counter notification must consent to jurisdiction of a federal district court (pursuant to section 512(g)(3)), even though a copyright owner who submits a notification is not similarly required to consent to jurisdiction.4 A counter notification—like a notification—need only “substantially” include the information required by the statute.5

Upon receipt of a counter notification, a service provider must promptly provide the original complainant with a copy of the counter notification and notice that it will replace the removed material or cease disabling access to it within ten (10) business days. The original complainant must then file suit within the ten day period to obtain an order restraining the subscriber from engaging in infringing activity if it wants to prevent access to the material from being restored. Absent evidence that a lawsuit has been filed “seeking a court order to restrain the subscriber from engaging in infringing activity . . .” a service provider is required by the Act to “replac[e] the removed material and cease disabling access to it not less than ten, nor more than fourteen, business days follow-

3 17 U.S.C.A. § 512(g)(3).
4 See 17 U.S.C.A. § 512(c)(3); Doe v. Geller, 533 F. Supp. 2d 996, 1011 (N.D. Cal. 2008) (“That difference must be viewed as intentional . . . . If that result seems asymmetrical and unfair, then the problem should be resolved by Congress, not this court.”) (dismissing plaintiff's claim arising out of a notification, for lack of personal jurisdiction).
5 See 17 U.S.C.A. § 512(g)(3).

ing receipt of the counter notice.”6 It is noteworthy that the statute merely requires notice of a court action being filed—rather than evidence that litigation has commenced or the entry of a court order—in order to trigger the service provider's obligation to maintain its blocking of the material.

The time frame contemplated by the statute may work to the potential disadvantage of complainants—especially when a complainant fails to react in “Internet time.”7 Although there is no specific time period mandated for an alleged infringer to file a counter notification, once one is filed, service providers must notify complainants “promptly” of receipt of the counter notification, and must in any event restore access to the content within ten to fourteen business days absent receipt of notice from the original complainant that a lawsuit has been filed. Since the time period runs from the time a service provider receives the counter notification—rather than the time the counter notification is sent to or received by the original complainant—a service provider's delay in “promptly” transmitting the counter notification could be detrimental to a copyright owner. Complainants anxious to have infringing content removed therefore should act through their litigation counsel or otherwise be prepared to initiate litigation within days of receiving a copy of a counter notification.

Material misrepresentations in counter notifications may lead to liability under section 512(f) of the DMCA8 or other theories of law.9

The procedures set forth in the DMCA for notification and counter notification relieve service providers of any obligation to evaluate the merits of a dispute. Service providers that seek to benefit from all of the protections afforded by the Act need only mechanically evaluate whether notifications or counter notifications substantially comply with the requirements of the statute and then automatically disable access to or remove offending content and/or restore access to or replace the content within the strict time frames established by the law.

6 17 U.S.C.A. § 512(g)(2). 7 See supra § 1.06. 8 See infra § 4.12[9][D]. 9 See infra § 4.12[9][F].


4.12[9][D] Liability and Sanctions for Misrepresentations (Pursuant to Section 512(f))

Both copyright owners and accused infringers who are subscribers within the meaning of the statute must be honest in their representations in notifications and counter notifications for the DMCA's system of notice and takedown to work properly, since service providers are required to mechanically comply with substantially complying notifications and counter notifications, rather than investigate the merits of the assertions of ownership or rights asserted in these notices. To minimize the risk of fraudulent notifications or counter notifications being filed, Congress provided in 17 U.S.C.A. § 512(f) that both copyright owners and accused infringers may be subject to liability if they make material misrepresentations in notifications or counter notifications (although oddly a party's statement of the merits of its position is only required to be submitted under penalty of perjury in a counter notification).1 The Ninth Circuit has further extended this statutory obligation to hold that copyright owners also may be held liable for misrepresenting their rights under the DMCA if they fail to make a good faith subjective determination that the material at issue in a given DMCA notification is not a fair use before submitting a takedown notice under the DMCA.2

Specifically, section 512(f) provides that any person who “knowingly materially misrepresents” that “material or activ-

[Section 4.12[9][D]]
1 See 17 U.S.C.A. § 512(g)(3)(C). A notification must include merely a statement of the merits made “in good faith” and a statement of its accuracy, although the certification that the complaining party is authorized to act on behalf of an owner of an exclusive right must be made under penalty of perjury. See 17 U.S.C.A. §§ 512(c)(3)(A)(v), 512(c)(3)(A)(vi). It is possible that this reflects a drafting error and that Congress intended that both the certification and the statement of accuracy included in the notification be made under penalty of perjury (which would then parallel the obligation imposed on subscribers when signing counter notifications), but for purposes of statutory construction courts must assume that this difference was intentional. See Doe v. Geller, 533 F. Supp. 2d 996, 1011 (N.D. Cal. 2008) (writing, in connection with the lack of parallel structure between notifications and counter notifications with respect to submission to jurisdiction, “[t]hat difference must be viewed as intentional.”; citation omitted).
2 See Lenz v. Universal Music Corp., — F.3d —, 2015 WL 5315388 (9th Cir. 2015).

ity” is infringing or was removed or disabled “by mistake or misidentification” may be held liable for damages, including costs and attorneys' fees, in an action brought by an alleged infringer, a copyright owner or authorized licensee or a service provider injured by a service provider's reliance on the misrepresentation.3 Relief under section 512(f) may be sought by an affirmative claim.4

The statutory remedy focuses on misrepresentations that were relied upon by a service provider in disabling access to or restoring access to a work. It therefore does not matter whether the misrepresentation in fact was made in a substantially complying notification or counter notification or merely some other form of takedown notice.5

3 17 U.S.C.A. § 512(f). Section 512(f) reads in full:
Misrepresentations.—Any person who knowingly materially misrepresents under this section—
(1) that material or activity is infringing, or
(2) that material or activity was removed or disabled by mistake or misidentification,
shall be liable for any damages, including costs and attorneys' fees, incurred by the alleged infringer, by any copyright owner or copyright owner's authorized licensee, or by a service provider, who is injured by such misrepresentation, as the result of the service provider relying upon such misrepresentation in removing or disabling access to the material or activity claimed to be infringing, or in replacing the removed material or ceasing to disable access to it.

4 See, e.g., Curtis v. Shinsachi Pharmaceutical Inc., 45 F. Supp. 3d 1190 (C.D. Cal. 2014) (entering a default judgment under section 512(f) where a seller alleged that between 2011 and 2013 defendants, who were her competitors, submitted 30 false Notices of Claimed Infringement to eBay, resulting in the removal of at least 140 listings and causing eBay to issue strikes against her selling account, as well as allegedly false notices to Google, PayPal and Serversea); T.D. Bank, N.A. v. Hill, Civil No. 12-7188 (RBK/JS), 2014 WL 413525, at *7–8 (D.N.J. Feb. 3, 2014) (denying motion to dismiss a claim under section 512(f)).
5 In Brave New Films 501(c)(4) v. Weiner, 626 F. Supp. 2d 1013 (N.D. Cal. 2009), the court denied a defendant's motion to dismiss a misrepresentation claim brought under section 512(f) over the defendant's objection that the letter at issue, which had resulted in plaintiff's videos being removed by YouTube, was not a substantially complying notification because it did not include a statement that the sender had a good faith belief that the defendant's use of plaintiff's work was unauthorized. While relevant to the question of whether a service provider must disable access to or remove the material or activity described in the notice (supra § 4.12[9][B]), whether a notification (or counter notification) in fact is substantially complying, as noted above in the text, should not be relevant in assessing whether a party has stated a claim under section 512(f) based on a misrepresentation.


Where a mistake is made in a DMCA notification or counter notification, even if it rises to the level of a misrepresentation, the mistake will not be actionable under section 512(f) unless it was acted upon. A representation that particular works are protected and should be removed will not rise to the level of a material misrepresentation under section 512(f), and a user will not be deemed to have suffered any injury, if the service provider did not act on them.6

In Rossi v. Motion Picture Association of America, Inc.,7 the Ninth Circuit construed the scope of section 512(f) narrowly, writing that:

In section 512(f), Congress included an expressly limited cause of action for improper infringement notifications, imposing liability only if the copyright owner's notification is a knowing misrepresentation. A copyright owner cannot be liable simply because an unknowing mistake is made, even if the copyright owner acted unreasonably in making the mistake. See § 512(f). Rather, there must be a demonstration of some actual knowledge of misrepresentation on the part of the copyright owner. Juxtaposing the “good faith” proviso of the DMCA8 with the “knowing misrepresentation” provision of that same statute reveals an apparent statutory structure that predicated the imposition of liability upon copyright owners only for knowing misrepresentations regarding allegedly infringing websites. Measuring compliance with a lesser “objective reasonableness” standard would be inconsistent with Congress's apparent

6 See, e.g., Ground Zero Museum Workshop v. Wilson, 813 F. Supp. 2d 678, 704–05 (D. Md. 2011) (granting judgment for the defendant on plaintiff's section 512(f) claim where the service party that received the takedown notice responded by advising that it no longer hosted the website that was the subject of the notice; “Even assuming that Wilson acted knowingly, a fact not established by the record, his conduct did not violate the statute because it did not provoke a response from A1–Hosting and did not result in any harm to Plaintiffs.”); Capitol Records, Inc. v. MP3tunes, LLC, 611 F. Supp. 2d 342, 346–47 (S.D.N.Y. 2009) (dismissing defendant's DMCA counterclaim with prejudice where, notwithstanding plaintiffs' representation that all links to its copyrighted recordings were infringing, the service provider only removed songs on a representative list, and did not disable access to or remove the links that were alleged to lead to five songs that allegedly were authorized for free download).
7 Rossi v. Motion Picture Ass'n of America Inc., 391 F.3d 1000 (9th Cir. 2004), cert. denied, 544 U.S. 1018 (2005).
8 The Ninth Circuit also ruled in Rossi that the requirement of section 512(c)(3)(A)(v) that notifications include a statement that the complaining party believes, in good faith, that the copyrighted material identified is being used in a manner that is not authorized by the copyright owner, its agent or the law, encompasses a subjective, rather than objective, standard. See generally supra § 4.12[9][B].


intent that the statute protect potential violators from subjectively improper actions by copyright owners.

Rossi involved the operator of a website that advertised “Full Length Downloadable Movies” and posted graphics for copyrighted motion pictures. In response, the MPAA sent DMCA notices to Rossi's ISP. Rossi sued the MPAA for tortious interference, arguing in effect that the MPAA should be held liable for taking Rossi at his word based on what he advertised to be available on his website, when in fact his representations were untrue and users could not download motion pictures from his site. Based on both the facts and the law, the Ninth Circuit concluded that the MPAA could not be held liable based on the MPAA's subjective belief that infringing material was available on Rossi's site, rejecting Rossi's argument that a “reasonable investigation” would have shown that users could not download motion pictures from the site.9 The Ninth Circuit held that the DMCA's “interpretive case law and statutory structure support the conclusion that the ‘good faith belief’ requirement in § 512(c)(3)(A)(v) encompasses a subjective, rather than objective standard.”10 District courts in other circuits have applied this same standard.11

In Online Policy Group v. Diebold Election Systems, Inc.,12 a case decided shortly before Rossi by a district court in the Ninth Circuit, Judge Jeremy Fogel of the Northern District of California held that the defendant in a declaratory judgment action was liable for monetary relief, including attorneys’ fees and costs, pursuant to section 512(f), for sending notifications to service providers for an email database that included material subject to the fair use defense—even though the defendant in fact never filed a copyright infringement suit and the plaintiff's complaint for declaratory relief was dismissed as moot based on a finding that the defendant did not intend to initiate litigation. The plaintiffs had al-

9 Rossi v. Motion Picture Ass'n of America Inc., 391 F.3d 1000, 1003 (9th Cir. 2004), cert. denied, 544 U.S. 1018 (2005). 10 Rossi v. Motion Picture Ass'n of America Inc., 391 F.3d 1000, 1004 (9th Cir. 2004), cert. denied, 544 U.S. 1018 (2005). 11 See, e.g., Cabell v. Zimmerman, No. 09 CIV. 10134(CM), 2010 WL 996007, at *4–5 (S.D.N.Y. Mar. 12, 2010); Third Educational Group, Inc. v. Phelps, 675 F. Supp. 2d 916, 927 (E.D. Wis. 2009); Dudnikov v. MGA Entertainment, Inc., 410 F. Supp. 2d 1010, 1013 (D. Colo. 2005). 12 Online Policy Group v. Diebold, Inc., 337 F. Supp. 2d 1195 (N.D. Cal. 2004).

leged that they had posted and linked to a database of Diebold's internal company emails to inform the public about problems associated with Diebold's electronic voting machines.

In holding that Diebold knowingly materially misrepresented that plaintiffs had infringed its copyright interest, the court reasoned that:

The misrepresentations were material in that they resulted in removal of the content from websites and the initiation of the present lawsuit. The fact that Diebold never actually brought suit against any alleged infringer suggests strongly that Diebold sought to use the DMCA's safe harbor provisions—which were designed to protect ISPs, not copyright holders—as a sword to suppress publication of embarrassing content rather than as a shield to protect its intellectual property.

The court construed material to mean “that the misrepresentation affected the ISP's response to the DMCA letter.”

While the Diebold court's analysis of materiality remains potentially relevant, its analysis of what constitutes a material misrepresentation is no longer good law. Citing Black's Law Dictionary, Judge Fogel had construed knowingly to mean “that a party actually knew, or should have known if it acted with reasonable care or diligence, or would have had no substantial doubt had it been acting in good faith, that it was making misrepresentation.” This standard, however, is too strict in light of the Ninth Circuit's subsequent ruling in Rossi that subjective, not objective intent is relevant under section 512(f).

In Lenz v. Universal Music Corp.13—colloquially referred to as the “Dancing Baby Case”—the Ninth Circuit further held that a copyright owner faces liability under section 512(f) if it knowingly misrepresents in a takedown notification that it has formed a good faith belief that the material identified in a DMCA notification was not authorized by law because the copyright owner failed to consider a user's potential fair use of the material before sending the DMCA notification. Lenz was brought by a YouTube user who claimed that Universal Music Group failed to act in good faith when it sent a DMCA notification to YouTube alleging that a video that she posted on the service was infringing, because UMG failed to consider fair use. The video at issue

13 Lenz v. Universal Music Corp., — F.3d —, 2015 WL 5315388 (9th Cir. 2015).

was a twenty-nine second clip of plaintiff's son dancing. For twenty seconds, Prince's song “Let's Go Crazy” could be heard playing in the background. At the behest of Prince, UMG had sent a DMCA notice to YouTube, which removed the video. In response, Lenz sent a counter notification. Because UMG did not file suit for copyright infringement, the video was reposted to the site. Lenz sued, however, seeking damages and attorneys' fees from UMG pursuant to section 512(f) and for tortious interference with her contract with YouTube. In allowing the suit to proceed based on the allegation that UMG had acted in bad faith by issuing a takedown notice without proper consideration of fair use, Northern District of California Judge Jeremy Fogel ruled that section 512(c)(3)(A)(v) requires a copyright owner to consider fair use in formulating a good faith belief that “use of the material in the manner complained of is not authorized by the copyright owner, its agent, or the law.”14

Seven years later, in 2015, the Ninth Circuit affirmed, holding that section 512(c)(3)(A)(v) requires a copyright owner to consider fair use in formulating a good faith belief that “use of the material in the manner complained of is not authorized by the copyright owner, its agent, or the law.” The court ruled that a copyright owner need only have a subjective good faith belief that the material at issue in a DMCA notice is not entitled to fair use, but a copyright owner faces liability if it knowingly misrepresents in a takedown notice that it had formed a good faith belief that the material was not authorized by law without considering fair use. As explained by the majority, “[t]his inquiry lies not in whether a court would adjudge the video as a fair use, but whether Universal formed a good faith belief that it was not.”15 The majority further explained that

if a copyright holder forms a subjective good faith belief the allegedly infringing material does not constitute fair use, we are in no position to dispute the copyright holder's belief even if we would have reached a different conclusion. A copyright holder who pays lip service to the consideration of fair use by

14 Lenz v. Universal Music Corp., 572 F. Supp. 2d 1150 (N.D. Cal. 2008), aff'd — F.3d —, 2015 WL 5315388 (9th Cir. 2015).
15 Lenz v. Universal Music Corp., — F.3d —, 2015 WL 5315388, at *6 (9th Cir. 2015).


claiming it formed a good faith belief when there is evidence to the contrary is still subject to § 512(f) liability.16

The Ninth Circuit further clarified that “formation of a subjective good faith belief does not require investigation of the allegedly infringing content.”17 The panel suggested, for example, that computer programs could be used to identify potentially infringing material and flag items for manual review.18 On the other hand, the Ninth Circuit panel made clear that liability could be imposed based on willful blindness if a copyright owner (1) subjectively believed there was a high probability that the subject of a DMCA notice constituted a fair use, and (2) took deliberate action to avoid learning of this fair use.19

Where liability may be found, the Ninth Circuit held that even if an affected user has incurred no monetary loss the user may recover nominal damages for a knowing material misrepresentation under section 512.20 The appellate court declined, however, to decide the scope of recoverable damages, including “whether she may recover expenses following the initiation of her § 512(f) suit or pro bono costs and attorneys' fees, both of which arose as a result of the injury incurred.”21

It remains to be seen what impact the Ninth Circuit's opinion will have on the volume of misrepresentation cases filed and how courts will evaluate what damages may be recovered. While Judge Fogel's 2008 decision in Lenz initially led to a flurry of complaints (mostly by pro se plaintiffs) and

16 Lenz v. Universal Music Corp., — F.3d —, 2015 WL 5315388, at *7 (9th Cir. 2015).
17 Lenz v. Universal Music Corp., — F.3d —, 2015 WL 5315388, at *7 (9th Cir. 2015).
18 Lenz v. Universal Music Corp., — F.3d —, 2015 WL 5315388, at *8 (9th Cir. 2015).
19 Lenz v. Universal Music Corp., — F.3d —, 2015 WL 5315388, at *8 (9th Cir. 2015), citing Global-Tech Appliances, Inc. v. SEB S.A., 563 U.S. 754 (2011); see generally supra § 4.11[6][A] (analyzing the case in greater detail in the context of liability for copyright infringement); infra § 4.12[6][C] (analyzing SEB and willful blindness in the context of knowledge or awareness that could disqualify a service provider from DMCA safe harbor protection).
20 Lenz v. Universal Music Corp., — F.3d —, 2015 WL 5315388, at *10 (9th Cir. 2015) (discussing nominal awards in tort cases).
21 Lenz v. Universal Music Corp., — F.3d —, 2015 WL 5315388, at *11 (9th Cir. 2015).

expressions of concern on the part of copyright owners, a later decision in the case defining the type of damages recoverable under section 512(f) substantially scaled back enthusiasm for seeking sanctions under the DMCA. In early 2010, Judge Fogel held that a plaintiff's damages under section 512(f) must be “proximately caused by the misrepresentation to the service provider and the service provider's reliance on the misrepresentation.”22 In reaching this conclusion, based on the statute, legislative history and similar statutory language, Judge Fogel rejected both plaintiff's urging that more broadly any damages “but for” the misrepresentation could be recovered and UMG's argument that only substantial economic damages were recoverable. Judge Fogel observed that a “but for” test would allow any plaintiff to satisfy the damage element of their claims merely by hiring an attorney and filing suit, which could not be justified based on either the language of the statute or the statutory goal of deterrence. At the same time he conceded that “[i]t may be that the combination of the subjective bad faith standard and the proximate causation requirements will lead many potential § 512(f) plaintiffs to refrain from filing suit unless they have suffered substantial economic harm or other significant inconvenience. However, . . . this result is not necessarily at odds with what Congress intended.”23

Judge Fogel likewise narrowly construed the term “fees and costs,” which are an element of recoverable damages under section 512(f). He ruled that fees and costs incurred in responding to a takedown notice or otherwise prior to the institution of a lawsuit are recoverable under section 512(f), but fees and costs incurred after suit is filed are not automatically recoverable. Judge Fogel noted that the Copyright Act authorizes a court to award reasonable attorneys' fees in its discretion to the prevailing party and full costs in its discretion by or against any party other than the United States (or an officer of the United States).24 Lenz's argument that post-suit fees and costs could be claimed as an element

22 Lenz v. Universal Music Corp., 94 U.S.P.Q.2d 1344, 2010 WL 702466 (N.D. Cal. 2010) (emphasis in original omitted).
23 Lenz v. Universal Music Corp., 94 U.S.P.Q.2d 1344, 2010 WL 702466 (N.D. Cal. 2010), citing Laura Quilter & Jennifer M. Urban, Efficient Process or “Chilling Effects”? Takedown Notices Under Section 512 of the Digital Millennium Copyright Act, 22 Santa Clara Computer & High Tech. L.J. 621, 631 (2006).
24 See 17 U.S.C.A. § 505; infra § 4.15.

4-624 Copyright Protection in Cyberspace 4.12[9][D] of damage under section 512(f), he wrote, “would remove the Court's discretion to award (or not award) fees to plaintis, force the Court to treat prevailing plaintis and defendants dierently with regard to fees, and contradict the applica- tion of § 505 to ‘any action under’ Title 17.” For the same reason that Congress “did not intend to allow plaintis to es- tablish the damage element under § 512(f) merely by hiring an attorney and ling suit” Judge Fogel concluded that it there was no indication that Congress intended fees and costs incurred in ling suit to be an element of damage under section 512(f). With respect to damages, the Ninth Circuit majority in Lenz held that Lenz was not limited to actual monetary loss. The majority explained that section 512(k) denes monetary relief as “damages, costs, attorneys['] fees, and any other form of monetary payment.” The term monetary relief is used in sections 512(a), 512(b)(1), 512(c)(1) and 512(d), which outline the four DMCA safe harbors that potentially may insulate a service provider from monetary relief. The major- ity deemed it signicant that this term was “notably absent from § 512(f).” In fact, it is reasonable that Congress would broadly dene the range of monetary relief from which a ser- vice provider would be insulated by the DMCA safe harbors. Nevertheless, the court deemed it signicant that Congress used the term “any damages” in section 512(f), which it concluded evidenced an intent to depart from the common law presumption that a misrepresentation plainti must have suered a monetary loss. A more likely explanation, when the dierent purposes for the references to monetary relief and damage in the safe harbor provisions, on the one hand, and misrepresentation section, on the other, are considered, is that Congress wanted to broadly protect eligible service providers by the safe harbor and allow recovery of damages, if any, for misrepresentations. 
The Ninth Circuit's assumption that any damages was intended to be broader than the defined term monetary relief is simply unsupportable when the purpose for each section is considered.

In Tuteur v. Crosley-Corcoran,25 Judge Richard G. Stearns of the District of Massachusetts held that a blogger adequately stated a claim under section 512(f) by alleging that the defendant made “a knowing and material misrepresentation” in a DMCA notice, but rejected the argument that a copyright owner is required to verify that it had explored an alleged infringer's affirmative defenses prior to sending a DMCA notice, noting that even the Lenz court, “in its most recent iteration (denying cross-motions for summary judgment) . . . substantially retreated from its ruling, acknowledging that ‘in light of Rossi,’ the ‘mere failure to consider fair use would be insufficient to give rise to liability under § 512(f), and that a plaintiff must show that the defendant ‘had some actual knowledge that its Takedown Notice contained a material misrepresentation.’ ”26 Judge Stearns found “[m]ore compelling . . . the fact that, in enacting the DMCA, Congress did not require that a notice-giver verify that he or she had explored an alleged infringer's possible affirmative defenses prior to acting, only that she affirm a good faith belief that the copyrighted material is being used without her or her agent's permission.”27 Judge Stearns added that there was reason for this statutory scheme: “To have required more would have put the takedown procedure at odds with Congress's express intent of creating an ‘expeditious,’ ‘rapid response’ to ‘potential infringement’ on the Internet.”28

Tuteur arose out of the personal animosity of two bloggers towards one another. The defendant, Gina Crosley-Corcoran, was a doula who advocated home birthing methods on her blog, TheFeministBreeder, which the plaintiff, Amy Tuteur, a former OBGYN, disagreed with in a scathing critique on her blog, The Skeptical OB. After a heated exchange, the doula briefly posted a photo of herself giving the OBGYN

25 Tuteur v. Crosley-Corcoran, 961 F. Supp. 2d 333 (D. Mass. 2013).

26 Tuteur v. Crosley-Corcoran, 961 F. Supp. 2d 333, 343 (D. Mass. 2013), quoting Lenz v. Universal Music Corp., No. 5:07-cv-03783-JF, 2013 WL 271673, at *6 (N.D. Cal. Jan. 24, 2013).
27 Tuteur v. Crosley-Corcoran, 961 F. Supp. 2d 333, 343-44 (D. Mass. 2013).
28 Tuteur v. Crosley-Corcoran, 961 F. Supp. 2d 333, 344 (D. Mass. 2013), citing 17 U.S.C. § 512(c)(i)(A)(iii); S. Rep. 105-190, at 21. In response to the policy arguments presented by amici, Judge Stearns added: Undoubtedly abuses will occur—as is the case with almost any system that permits legal self-help (although EFF and DMLP point to but a handful of examples). For these abuses Congress provided a remedy in section 512(f). If experience ultimately proves that the remedy is weighted too heavily in favor of copyright owners at the expense of those who seek to make “fair use” of another's intellectual property, the resetting of the balance is for Congress and not a court to strike. 961 F. Supp. 2d at 344.


“the finger”29 with the caption that she was giving Tuteur “something else to go back to her blog and obsess about.” Crosley-Corcoran eventually thought better of the exchange and took down the photo but not before Tuteur had copied it and posted it on The Skeptical OB, without Crosley-Corcoran's permission. Crosley-Corcoran sent Tuteur a cease and desist letter and sent Tuteur's ISP a DMCA takedown notice. The ISP warned Tuteur to remove the photo, but she instead filed a counter notice and, when her ISP, in the court's words, “washed its hands of the snowballing disputation and notified Tuteur and Crosley-Corcoran that it was up to either or both of them to ‘pursue legal action’ ” Tuteur switched ISPs and reposted the photo, which led to another round of DMCA notifications and counter notifications and an exchange of legal letters between Tuteur's husband, the chair of Foley & Lardner's litigation practice in Boston, and counsel retained by the doula. Tuteur then sued the doula in a lawsuit in which multiple amici, including the Motion Picture Association of America (which was the defendant in Rossi) and the Electronic Frontier Foundation (pro bono counsel to the plaintiff in Lenz) filed amicus briefs on the issue of the proper interpretation of section 512(f).30

In Automattic Inc. v. Steiner,31 a website owner and student blogger obtained sanctions by default judgment against a UK resident who was alleged to have knowingly misrepresented that plaintiffs violated his copyright. In so ruling, Judge Phyllis J. Hamilton, adopting the recommendations of Magistrate Judge Joseph C. Spero, held that plaintiffs were entitled to damages for the time and resources spent dealing with the improper notice, but not for any reputational damage.

The cumulative effect of these rulings is that users aggrieved by an allegedly wrongful takedown notice may bring suit to recover damage, but the cost of litigation may deter anyone from doing so except where there is a substantial economic loss (for example, where a company sends a false DMCA notice to a service provider to have a competitor's website shut down during a sale) or in cases like Lenz where counsel is willing to represent the plaintiff on a pro bono basis, or Tuteur where the plaintiff's spouse is a litigator. In Lenz, the district court had found that the plaintiff had shown damages based on “time spent reviewing counter notice procedures, seeking the assistance of counsel, and responding to the takedown notice.” These damages, however, are likely to be de minimis in cases such as Lenz where a mother's home video of her child was off-line for 10 days. If courts allow broad recovery of any damages, including attorneys' fees as consequential damages, as suggested as a possibility by the Ninth Circuit majority in dicta in Lenz, there will be an explosion of section 512(f) litigation brought by users and contingent fee counsel who would have no incentive to resolve, and every incentive to litigate section 512(f) disputes. By contrast, if Judge Fogel's analysis and the analysis of other district courts to date is accurate, then most potential plaintiffs likely will think twice before filing suit to recover de minimis damages where attorneys' fees may only be recovered in the discretion of the court (and some courts may consider the de minimis amount at issue as grounds for denying a fee request, even where a plaintiff prevails).32 By contrast, in cases involving unfair competition between commercial entities or competitors, Lenz underscores that the DMCA authorizes potentially potent remedies. For example, if a competitor were to send a fraudulent takedown notice directed at another company's online storefront or seasonal sales promotion on December 17, hoping to keep a competitor offline during the Christmas shopping season, the aggrieved party could recover damages and potentially attorneys' fees. Some courts have also relied on section 512(f) of the DMCA to enjoin a competitor from sending improper takedown notices.33 Although an affected party may serve a counter notification in response to a notification to have material put

29 In an earlier opinion, Judge Stearns described the photograph as involving Crosley-Corcoran “making a graphic gesture with her middle finger that is often associated with an unrealized ambition of French soldiers at the Battle of Agincourt.” Tuteur v. Crosley-Corcoran, 961 F. Supp. 2d 329, 330 (D. Mass. 2013).
30 The court also ruled on the question of whether sending a DMCA notice to Tuteur's ISP in Utah subjected Crosley-Corcoran, a resident of Illinois, to jurisdiction in Massachusetts (concluding that it did based on the facts of this case). See Tuteur v. Crosley-Corcoran, 961 F. Supp. 2d 333, 338-40 (D. Mass. 2013); see generally infra § 53.04[5][F] (analyzing jurisdiction based on DMCA and other takedown notices and discussing the court's ruling on personal jurisdiction in greater detail).
31 Automattic Inc. v. Steiner, 82 F. Supp. 3d 1011 (N.D. Cal. 2015).

back online,34 ten days or more may elapse before wrongfully removed material is restored.35 In addition, absent injunctive relief, an unethical party potentially could serve multiple take down notices to harass a competitor or interfere with a legitimate business. Both declaratory and injunctive relief potentially may be available in cases involving abuse of the DMCA notice and takedown system. Absent some evidence of abuse, injunctive relief generally could be difficult to obtain.36 Moreover, merely because a defendant prevails in litigation does not mean that sanctions

32 See infra § 4.15.
33 See Design Furnishings, Inc. v. Zen Path, LLC, 97 U.S.P.Q.2d 1284, 2010 WL 5418893 (E.D. Cal. Dec. 23, 2010) (enjoining the defendant from sending takedown requests to eBay directed at the plaintiff's wicker products, specifically “from notifying eBay that defendant has copyrights in the wicker patio furniture offered for sale by plaintiff and that plaintiff's sales violate those copyrights.”); see also Amaretto Ranch Breedables, LLC v. Ozimals, Inc., 790 F. Supp. 2d 1024 (N.D. Cal. 2011) (allowing claims for unfair competition and copyright misuse to proceed, but dismissing tortious interference and section 512(f) claims where no takedown in fact occurred). The court in Amaretto Ranch reaffirmed its earlier unreported preliminary injunction order (issued pursuant to plaintiff's claim for declaratory relief) requiring the defendant to withdraw all DMCA takedown notifications sent to Second Life and send no further notifications. Amaretto Ranch was a suit between business competitors that sold virtual animals in Second Life. In an earlier ruling, the court had entered an ex parte TRO enjoining Second Life from taking down plaintiff's works in response to the defendant's takedown notices although Linden Labs, as the service provider, should not have been enjoined under the DMCA (and the preliminary injunction that subsequently issued in fact was directed at the competitor, not the service provider). See Amaretto Ranch Breedables v. Ozimals, Inc., 97 U.S.P.Q.2d 1664, 2010 WL 5387774 (N.D. Cal. Dec. 21, 2010) (entering an ex parte TRO). The court subsequently ruled that DMCA-related state law claims were preempted by section 512(f). See Amaretto Ranch Breedables, LLC v. Ozimals, Inc., 2011 Copr. L. Dec. P 30102, 2011 WL 2690437 (N.D. Cal. July 8, 2011); see generally infra § 4.12[9][F].
34 See supra § 4.12[9][C].
35 See supra § 4.12[9][C].
36 See, e.g., Flynn v. Siren-Bookstrand, Inc., No. 4:13-CV-3160, 2013 WL 5315959 (D. Neb. Sept. 20, 2013) (declining to grant a TRO in a suit by a book author brought against the publisher of some but not all of her books seeking a TRO to prevent the publisher from sending further DMCA notices to Amazon.com for two books that the plaintiff claimed to have self published in ebook and paper format, which had been suspended by Amazon.com in response to DMCA notices sent by the publisher, because section 512(f) did not expressly authorize injunctive relief and the plaintiff had not demonstrated a sufficient threat of irreparable harm that could not be ameliorated with money damages); see generally infra § 4.13 (equitable remedies in copyright cases).

necessarily should be awarded against a copyright owner for sending a DMCA notice that ultimately is found to have lacked merit. In UMG Recordings, Inc. v. Augusto,37 for example, Judge James Otero of the Central District of California granted summary judgment to UMG on a defendant's counterclaim for damages and attorneys' fees under section 512(f) in a case involving the defendant's sale of promotional CDs over eBay. In that case, UMG had sent a DMCA notice to eBay asking that defendant's listings for Promo CDs be removed. eBay stopped the auctions and temporarily suspended the defendant as a seller. UMG subsequently sued the defendant for copyright infringement. On the merits, the court ruled for the defendant, holding that under the first sale doctrine UMG had given away, rather than licensed, the promotional CDs to music industry insiders, who then lawfully resold them to Augusto.38 Judge Otero nonetheless held that UMG had acted with subjective good faith in sending a DMCA notice to eBay alleging that the defendant was infringing its copyrights because UMG believed it could enforce the licensing language stamped on promo CDs, had carefully documented the defendant's conduct, and was aware that the defendant had previously entered into a consent judgment where he admitted to selling promo CDs and admitted that this act violated the owner's copyright. The court ruled that defendant's argument that UMG should have known better did not raise a genuine issue of material fact “given the uncertainty of the law in this area.”39

In perhaps the first case decided under section 512(f)—Arista Records, Inc. v. MP3Board, Inc.40—a court in the Southern District of New York ruled that section 512(f) did not authorize liability for a notification that was merely insufficient, in the absence of evidence that the copyright owner or its agents knowingly materially misrepresented

37 UMG Recordings, Inc. v. Augusto, 558 F. Supp. 2d 1055 (C.D. Cal. 2008), aff'd on other grounds, 628 F.3d 1175 (9th Cir. 2011) (affirming that the promotional CDs were transferred, not licensed).
38 That aspect of the court's decision is discussed in section 16.02 in the context of the first sale doctrine and ultimately was affirmed on appeal.
39 558 F. Supp. 2d at 1064.
40 Arista Records, Inc. v. Mp3Board, Inc., 2002 Copr. L. Dec. P 28483, 2002 WL 1997918 (S.D.N.Y. 2002).

the material or activity that was infringing.41

On balance, the risk of an award of damages and attorneys' fees creates an incentive for responsible copyright owners to think twice before sending a notice in cases like the “Dancing Baby” suit where their position may be questionable, while allowing meaningful relief where substantial injuries could result from misrepresentations and deterring frivolous suits for damages in cases where honest mistakes are made by copyright owners.

Sanctions for misrepresentations under section 512(f) must be based on misrepresentations under section 512. Other alleged misrepresentations involving claims other than copyright infringement are not actionable under this section42 (although they potentially could support other causes of action, as discussed later in this chapter in section 4.12[9][F]).43 Jurisdiction based on DMCA and takedown notices is separately analyzed in chapter 53 and in particular in section 53.04[5][F].

4.12[9][E] Subpoenas to Identify Infringers

Section 512(h) of the DMCA authorizes copyright owners to obtain a special subpoena to compel a service provider to disclose the identity of an alleged infringer prior to the initiation of litigation.1 Where applicable, a copyright owner or person authorized

to act on the owner's behalf may request the clerk of “any United States district court”2 to issue a subpoena to a service provider requiring identification of an alleged infringer.3 An application must include a copy of a notification, a proposed subpoena, and a sworn declaration stating that the copyright owner will only use the information obtained from the subpoena for protecting its rights under the Copyright Act.4 If a request for a subpoena contains each of these elements and the notification substantially meets the statutory requirements, a subpoena will issue.5 A DMCA subpoena “shall authorize and order the service provider receiving the notification and the subpoena to expeditiously disclose . . . information sufficient to identify the alleged infringer of the material described in the notification to the extent such information is available to the service provider.”6 Upon receiving a subpoena, a service provider must expeditiously disclose the information required by it, notwithstanding any other provision of law and regardless of whether the service provider responds to the notification.7 To “the greatest extent practicable . . . ,” the procedures for issuing, delivering and enforcing service provider subpoenas are to be governed by those provisions of the Federal Rules of Civil Procedure governing the issuance, service and enforcement of a subpoena duces tecum. The special subpoena contemplated by section 512(h) could issue in any federal case, including a lawsuit brought against the alleged infringer (either to obtain injunctive relief if a counter notification were filed or strictly for damages if no objection were raised to the original notification). An unidentified infringer potentially could be sued by its fictitious or pseudonymous Internet identification. Upon the service provider's compliance with the terms of the subpoena,

41 This ruling is discussed further in § 4.12[9][F].
42 See Twelve Inches Around Corp. v. Cisco Systems, Inc., No. 08 Civ. 6896 (WHP), 2009 WL 928077 (S.D.N.Y. Mar. 12, 2009) (dismissing a claim alleging misrepresentation about trademark ownership in a takedown notice sent to a service provider).
43 See, e.g., Flava Works, Inc. v. Gunter, No. 10 C 6517, 2013 WL 4734002 (N.D. Ill. Sept. 3, 2013) (denying plaintiff's motion to dismiss the defendant's counterclaim for tortious interference with contract and misrepresentation of intellectual property infringement (pursuant to 17 U.S.C.A. § 512(f)) based on alleged misrepresentations about the extent of allegedly infringing material available on the myVidster.com website made to defendant's service providers and in DMCA notifications); see generally infra § 4.12[9][F].
[Section 4.12[9][E]]
1 17 U.S.C.A. § 512(h); see generally Signature Management Team, LLC v. Automattic, Inc., 941 F. Supp. 2d 1145 (N.D. Cal. 2013) (denying a blogger's motion to quash a section 512(h) subpoena on First Amendment grounds); In re Subpoena Issued Pursuant to the Digital Millennium Copyright Act to: 43SB.com, LLC, No. MS07–6236–EJL, 2007 WL 4335441 (D. Idaho Dec. 7, 2007) (denying motion to quash where the requirements for a section 512(h) subpoena had been met, but quashing the subpoena to the extent directed at comments critical of the plaintiff and not copyright infringement).
2 It is unclear whether Congress meant by this language to authorize national jurisdiction. See infra chapter 53.
3 17 U.S.C.A. § 512(h)(1).
4 17 U.S.C.A. § 512(h)(2).
5 17 U.S.C.A. § 512(h)(4).
6 17 U.S.C.A. § 512(h)(3).
7 17 U.S.C.A. § 512(h)(5).

the copyright owner could then serve the alleged infringer and, if appropriate, amend its complaint to properly identify the alleged infringer.8

While section 512(h) in theory should provide a quick, easy, inexpensive mechanism for copyright owners to expeditiously identify pseudonymous infringers at the outset of a dispute, in practice courts have limited the reach of section 512(h) in cases involving peer-to-peer file sharing. Several courts have held that section 512(h), which by its terms authorizes the issuance of a subpoena upon submission of a substantially complying notification, potentially could only apply to cases involving user storage and information location tools (and at least some forms of caching)—which are the only safe harbors for which notifications apply—and therefore does not authorize the issuance of a subpoena to a service provider acting solely as a conduit for communications not actually stored on its own servers (since there is no provision for notifications where the relevant liability limitation is for the transitory digital network communications9 safe harbor).10

Hence, in cases involving peer-to-peer file sharing where copyright owners have sought to compel service providers to

8 For more information on suing anonymous and pseudonymous Internet actors, see infra §§ 37.02, 50.06, 57.03.
9 17 U.S.C.A. § 512(a).
10 See, e.g., Recording Industry Ass'n of America, Inc. v. Verizon Internet Services, Inc., 351 F.3d 1229, 1233–37 (D.C. Cir. 2003); In re Charter Communications, Inc., Subpoena Enforcement Matter, 393 F.3d 771, 775–77 (8th Cir. 2005); In re Subpoena To University of North Carolina at Chapel Hill, 367 F. Supp. 2d 945, 949 (M.D.N.C. 2005). In dicta, the majority in In re Charter Communications, Inc., Subpoena Enforcement Matter, 393 F.3d 771 (8th Cir. 2005) raised without deciding the possibility that section 512(h) “may unconstitutionally invade the power of the judiciary by creating a statutory framework pursuant to which Congress, via statute, compels a clerk of a court to issue a subpoena, thereby invoking the court's power.” Id. at 777–78. The majority also wrote in dicta that Charter Communications had “at least a colorable argument that a judicial subpoena is a court order that must be supported by a case or controversy at the time of its issuance.” Id. at 778. In the Chapel Hill case, the court also quashed the subpoena because it had called for production of information in Raleigh, which was outside of the Middle District of North Carolina. In so ruling, the court held that Rule 45—which allows for service within 100 miles of the place of a deposition, hearing, trial, production, or inspection specified in a subpoena—was inapplicable to pretrial subpoenas issued pursuant to § 512(h).

produce identifying information for pseudonymous infringers, these courts have quashed subpoenas, holding that, by virtue of the nature of peer-to-peer communications, allegedly infringing material was not actually stored on the servers of the service provider to which the DMCA was directed. While other courts may adopt a broader interpretation of the scope of section 512(h),11 these cases present formidable potential obstacles to copyright owners seeking to take advantage of the special subpoena provision of the DMCA in cases that do not involve material stored on a service provider's servers or links or other information location tools (or in limited circumstances, cached content removed from the original location that remains on a service provider's servers).

In one unreported case, a magistrate judge extended the rationale of cases holding that section 512(h) subpoenas could not apply when the basis for a service provider's connection to an alleged infringer was the transitory digital network communications safe harbor to quash a subpoena served with a DMCA notice and affidavit for material stored at the direction of a user where the material at issue had been removed from the defendant's blog prior to the time the notice and subpoena issued. In Maximized Living, Inc. v. Google, Inc.,12 Magistrate Judge Elizabeth LaPorte granted the motion to quash of a pseudonymous blogger, ruling that section 512(h) does not authorize issuance of a subpoena to obtain identifying information for past infringement that has ceased and thus can no longer be removed or disabled and is limited to information about currently infringing activity. In so ruling, Judge LaPorte relied on the language of section 512(c) which, in describing the information required to be included in a DMCA notification, is phrased

11 See, e.g., In re Charter Communications, Inc., Subpoena Enforcement Matter, 393 F.3d 771, 778–86 (8th Cir. 2005) (Murphy, J., dissenting) (arguing forcefully that the majority had “focuse[d] too narrowly in its reading of the DMCA, overlook[ed] certain plain language used by Congress, and fail[ed] to give effect to the statute as a whole” where section 512(h) on its face does not limit a copyright owner's ability to obtain a subpoena based on the function performed by a service provider). In one case, Fatwallet, Inc. v. Best Buy Enterprise Services, Inc., Copy. L. Rep. (CCH) ¶ 28,799 (N.D. Ill. Apr. 12, 2004), a court ruled that a service provider lacked standing to object to a DMCA subpoena on behalf of anonymous posters.
12 Maximized Living, Inc. v. Google, Inc., No. C 11-80061 Misc. CRB (EDL), 2011 WL 6749017 (N.D. Cal. Dec. 22, 2011).

in the present, rather than past tense. The plain terms of section 512(h) which governs the issuance of a DMCA subpoena, however, merely require “a copy of a notification described in subsection (c)(3)(A) . . .”13 without further qualification, a proposed subpoena and a “sworn declaration to the effect that the purpose for which the subpoena is sought is to obtain the identity of an alleged infringer and that such information will only be used for the purpose of protecting rights under this title.”14 There is nothing on the face of section 512(h) that limits its application to cases involving present infringement. Indeed, to the contrary, section 512(h) on its face contemplates that a DMCA subpoena could issue after the accompanying notification. Section 512(h)(5), in setting forth the obligations of a service provider upon service of a DMCA subpoena, specifically refers to the subpoena as “either accompanying or subsequent to the receipt of a notification described in subsection (c)(3)(A) ....”15 Since service providers are required to expeditiously disable access to or remove material in response to a substantially complying notification,16 any subpoena served after a notification could well relate to material no longer on a site. There is simply no textual basis for reading into section 512(h) the requirement that infringement be ongoing for a section 512(h) subpoena to issue and Maximized Living should be viewed as wrongly decided.17 If a copyright owner is unable to obtain a DMCA subpoena,

it may still seek a regular third-party subpoena, petition for pre-service discovery or, where available, sue a “John Doe” defendant and issue a third-party subpoena to the service provider.18

13 17 U.S.C.A. § 512(h)(2)(A).
14 17 U.S.C.A. § 512(h)(2)(C).
15 17 U.S.C.A. § 512(h)(5).
16 17 U.S.C.A. § 512(c); see generally supra §§ 4.12[6][B], 4.12[9][B] (addressing service provider obligations in response to a substantially compliant DMCA notification).
17 If DMCA subpoenas could only issue where infringement was ongoing an alleged infringer could easily nullify the subpoena merely by voluntarily removing the material addressed by the accompanying notification and then moving to quash the subpoena (and then re-posting the material after winning his motion). A copyright owner in turn would be hesitant to send a DMCA notice in advance of a subpoena, even though the DMCA's text is permeated with terms such as expeditiously that underscore an intent by Congress to provide for prompt remedies in recognition of the harm that may be caused by online infringement. Given that a copyright owner may sue for injunctive relief even when a defendant has voluntarily discontinued his infringing activity (infra § 4.13), and may sue for damages for past infringement (infra § 4.14), it stretches credibility to believe that Congress intended a DMCA subpoena to be available only for so long as material remained online. The court's construction of section 512(h) makes a mockery of Congress's obvious attempt to provide a fast, easy mechanism for copyright owners to identify so that they may then sue online infringers. These concerns are underscored by the facts of Maximized Living. In that case, the copyright owner had originally obtained its subpoena on March 22, 2011 (when the alleged infringement was ongoing), but the subpoena was quashed for procedural irregularities and substantive challenges, with leave to re-file, on May 25, 2011. The next day, counsel for the third party notified the plaintiff that the blogger had voluntarily removed the material at issue. Hence, by the time the plaintiff served a new subpoena, the material had already been taken down—and the blogger's lawyer then moved to quash the re-filed subpoena on that basis.
18 See, e.g., Sony Music Entertainment Inc. v. Does 1-40, 326 F. Supp. 2d 556 (S.D.N.Y. 2004) (denying a motion to quash based on findings that (1) file sharing was not, for the most part, expression, and whatever First Amendment protection might exist did not extend to infringement of copyrights; (2) the First Amendment rights of individuals to remain anonymous were not so strong that they precluded copyright owners from using the judicial process to pursue meritorious copyright infringement actions; and (3) defendants had, at most, only a minimal expectation of privacy, which did not defeat plaintiffs' right to conduct discovery); see also Arista Records, LLC v. Doe 3, 604 F.3d 110, 119 (2d Cir. 2010) (adopting Judge Chin's analysis in Sony). Under Doe 3 and Sony, whether a subpoena to compel the disclosure of the identity of an anonymous file sharer should be quashed turns on consideration of (1) the concreteness of the plaintiff's showing of a prima facie claim of actionable harm; (2) the specificity of the discovery request; (3) the absence of alternative means to obtain the subpoenaed information; (4) the need for the subpoenaed information to advance the claim; and (5) the objecting party's expectation of privacy. Arista Records, LLC v. Doe 3, 604 F.3d 110, 119 (2d Cir. 2010). The approach of subpoenaing records to identify pseudonymous users has become common in suits brought by record companies against individuals accused of illegal file sharing. See, e.g., LaFace Records, LLC v. Does 1-5, No. 2:07-CV-187, 2007 WL 2867351 (W.D. Mich. Sept. 27, 2007); Warner Brothers Records, Inc. v. Does 1-4, Copy. L. Rep. (CCH) ¶ 29,396 (D. Utah 2007); Capitol Records, Inc. v. Doe, Civil No. 07-cv-1570-JM (POR), 2007 WL 2429830 (S.D. Cal. Aug. 24, 2007); Warner Bros. Records Inc. v. Does 1-20, Civil No. 07–cv–01131–LTB–MJW, 2007 WL 1655365 (D. Colo. June 5, 2007); Arista Records LLC v. Does 1-9, Civil Action No. 07–cv–00628–EWN–MEH, 2007 WL 1059049 (D. Colo. Apr. 4, 2007); Interscope Records v. Does 1-7, 494 F. Supp. 2d 388 (E.D. Va. 2007). In Columbia Pictures, Inc. v. Bunnell, 245 F.R.D. 443 (C.D. Cal. 2007), the court even ordered the operators of a BitTorrent site to preserve server log data to allow identification of infringers. See Columbia Pictures, Inc. v. Bunnell, 245 F.R.D. 443 (C.D. Cal. 2007) (affirming the Magistrate Judge's order).


More recently, some copyright owners have sought to join large numbers of BitTorrent users as Doe defendants in a single proceeding. Some courts have quashed subpoenas or severed claims, while others have allowed BitTorrent swarm suits to proceed in a single action, at least pending discovery. Compare, e.g., Bicycle Peddler, LLC v. John Does 1-177, No. 13-cv-0671-WJM-KLM, 2013 WL 1103473 (D. Colo. Mar. 15, 2013) (severing and dismissing claims against defendants 2-177); Third Degree Films v. Does 1-47, 286 F.R.D. 188 (D. Mass. 2012) (severing claims); Patrick Collins, Inc. v. John Doe 1, 288 F.R.D. 233 (E.D.N.Y. 2012) (adopting Magistrate's recommendation to deny joinder); CineTel Films, Inc. v. Does 1-1,052, 853 F. Supp. 2d 545 (D. Md. 2012) (severing claims); Media Products, Inc. v. Does 1-58, Civil No. JFM 8:12-cv-00348, 2012 WL 1150816 (D. Md. Apr. 4, 2012); Patrick Collins, Inc. v. Does 1-23, Civil No. JFM 8:12-cv-00087, 2012 WL 1144918 (D. Md. Apr. 4, 2012); Third Degrees Films, Inc. v. Does 1-131, 280 F.R.D. 493 (D. Ariz. 2012) (severing claims); Liberty Mutual Holdings, LLC v. BitTorrent Swarm, 277 F.R.D. 672, 675–76 (S.D. Fla. 2011) (severing claims against 18 defendants (and dismissing all but the first defendant) where plaintiff alleged that the defendants used BitTorrent on different days and times and because of the decentralized nature of BitTorrent swarms; “Merely participating in a BitTorrent swarm does not equate to participating in the same ‘transaction, occurrence, or series of transactions or occurrences.’ ”); Hard Drive Productions, Inc. v. Does 1-188, 809 F. Supp. 2d 1150 (N.D. Cal. 2011) (granting Doe defendants' motion to quash in a suit brought against Doe defendants from different BitTorrent swarms who did not act simultaneously); On The Cheap, LLC v. Does 1-5011, 280 F.R.D. 500 (N.D. Cal. 2011) (severing Doe defendants 1-16 and 18-5011); Nu Image, Inc. v. Does 1-23,322, 799 F. Supp. 2d 34 (D.D.C. 2011) (denying jurisdictional discovery about any defendants who reside outside the District of Columbia); with Malibu Media, LLC v. John Does 1-14, 287 F.R.D. 513 (N.D. Ind. 2012) (denying motion to sever and motion to quash); Patrick Collins, Inc. v. John Does 1-21, 282 F.R.D. 161 (E.D. Mich. 2012) (Magistrate recommending denial of motion to quash and motion to dismiss for misjoinder); John Wiley & Sons, Inc. v. John Doe Nos. 1-30, 284 F.R.D. 185 (S.D.N.Y. Sep. 19, 2012) (denying defendant's motion for protective order and motion to quash subpoena served on nonparty internet service provider); Hard Drive Productions, Inc. v. Does 1-1,495, 892 F. Supp. 2d 334 (D.D.C. 2012) (denying motion for emergency stay and reconsideration); Raw Films, Ltd. v. John Does 1-15, Civil Action No. 11-7248, 2012 WL 1019067 (E.D. Pa. Mar. 26, 2012) (denying motion to quash); Liberty Mutual Holdings, LLC v. Does 1-62, No. 11-cv-575-MMA (NLS), 2012 WL 628309 (S.D. Cal. Feb. 24, 2012) (denying motion to quash and motion to dismiss where the defendants were alleged to be part of the same BitTorrent swarm and all of the IP addresses identified with the defendants shared the same unique hash); Digital Sin, Inc. v. Does 1-176, 279 F.R.D. 239 (S.D.N.Y. Jan. 30, 2012) (declining to sever claims at an early stage in the proceedings); Call of the Wild Movie, LLC v. Does 1-1,062, 770 F. Supp. 2d 332, 344–45 (D.D.C. 2011) (denying a motion to quash based on a finding that the claims included common questions of law or fact and that joinder would not prejudice the parties or result in needless delay and was appropriate at least at the initial stage of the proceedings in that

Pub. 12/2015 4-637 4.12[9][E] E-Commerce and Internet Law

Alternative means to compel the disclosure of the identity case); Call of the Wild Movie, LLC v. Smith, 274 F.R.D. 334 (D.D.C. 2011) (declining to quash subpoenas issued to ISPs seeking the identifying infor- mation about ve putative le sharers who allegedly downloaded and il- legally distributed plainti's lm and denying their motion to dismiss for improper joinder at the discovery stage, holding that discovery was required to determine whether the court had personal jurisdiction over the putative users); Patrick Collins, Inc. v. Does 1-2,590, No. C 11-2766 MEJ, 2011 WL 4407172 (N.D. Cal. Sept. 22, 2011) (holding that the plainti showed good cause under Columbia Ins. Co. v. seescandy.com, 185 F.R.D. 573, 578–80 (N.D. Cal. 1999) for ex parte discovery and that joinder was of BitTorrent users was appropriate where “Plainti has at least presented a reasonable basis to argue that the BitTorrent protocol functions in such a way that peers in a single swarm downloading or uploading a piece of the same seed le may fall within the denition of ‘same transaction, occurrence, or series of transactions or occurrences’ for purposes of Rule 20(a)(1)(A).”); Maverick Entertainment Group, Inc. v. Does 1-2,115, 810 F. Supp. 2d 1 (D.D.C. 2011) (declining to quash a subpoena or dismiss putative users for misjoinder pending discovery to determine whether the court had personal jurisdiction over the putative users); Voltage Pictures, LLC v. Does 1-5,000, 79 Fed. R. Serv. 3d 891 (D.D.C. 2011) (ruling the same way in a companion case); Donkeyball Movie, LLC v. Does 1-171, 810 F. Supp. 2d 20 (D.D.C. 2011) (ruling the same way); West Coast Productions, Inc. v. Does 1-5829, 275 F.R.D. 9 (D.D.C. 
2011) (denying defendants' motion to proceed anonymously and to quash subpoenas seeking their identities, holding that the argument that court lacked personal jurisdiction was premature, that permissive joinder was appropriate and that the defendants, as subscribers, lacked standing to make procedural objections to the subpoenas). In some of these cases, courts expressed concern about joining large numbers of unnamed and unrepresented defendants, as a way for plaintis to avoid paying multiple ling fees, while other courts have deemed joinder proper or deferred consideration pending discovery where plaintis made detailed showings of the connections between the Doe defendants and the underlying transactions. In at least one case where discovery was permit- ted at an early stage, the court subsequently ordered the plainti to use IP address lookup services to determine the presumptive location of defendants and dismiss those where jurisdiction and venue likely were improper. See Patrick Collins, Inc. v. Does 1-2,590, No. C 11-2766 MEJ, 2011 WL 7460101 (N.D. Cal. Dec. 7, 2011). Some courts expressly ruled that joinder was permissible at the outset of a case for purposes of subpoenaing an ISP to determine the identity of defendants, noting that severance could always be ordered at a later stage in the proceedings. It is generally more time consuming and expensive to proceed with John Doe subpoenas than a DMCA subpoena. Both the service provider— and potentially later the individual John Does—may move to quash the subpoenas, causing additional time delays and expense. The practices and approaches among the dierent state and federal courts are not uniform in this area. See generally infra §§ 37.02 (suing anonymous defendants in defamation and other state law cases), 57.03 (anonymity and pseudonym- ity in litigation). Unless a copyright owner has separate state claims

4-638 Copyright Protection in Cyberspace 4.12[9][F][i] of anonymous and pseudonymous infringers are addressed in sections 37.02 and 50.06.

4.12[9][F] Suits Against Copyright Owners Over Notications 4.12[9][F][i] Suits By Users Who Are Accused Infringers Suits based on various theories of liability have been brought against copyright owners by aected site owners or users for sending notications alleging infringement. The DMCA expressly exempts service providers from liability for responding to notications and counter notications in ac- cordance with the requirements of the statute,1 and allows copyright owners, service providers, users and others to re- cover damages, costs and attorneys' fees in connection with material misrepresentations knowingly made in notications or counter notications.2 Although an argument may be advanced that section 512(f) was intended to dene the exclusive rights of parties in the event of misrepresentations in a notication or counter notication, based on Congress's intent to create a pervasive regulatory scheme,3 this argu- ment has yet to be raised in any reported decisions. To date, courts have allowed several suits to proceed based on the contents of notications, although some such suits have been dismissed for failure to state a claim4 or on summary judgment. In Rossi v. Motion Picture Association of America, Inc.,5 the Ninth Circuit armed the entry of summary judgment for the defendant-copyright owner on state tort law claims for tortious interference with contractual relations, tortious against a Doe defendant, the subpoena would have to issue in federal court (since federal courts have exclusive jurisdiction over copyright matters). [Section 4.12[9][F][i]] 1 See 17 U.S.C.A. § 512(g); supra § 4.12[8]. 2 See 17 U.S.C.A. § 512(f); supra § 4.12[9][D]. 3 See, e.g., Gade v. National Solid Wastes Management Ass'n, 505 U.S. 88, 98 (1992). 4 See, e.g., Capitol Records, Inc. v. MP3tunes, LLC, 611 F. Supp. 2d 342, 347–48 (S.D.N.Y. 2009) (dismissing claims under N.Y. Gen. Bus. Law § 349, Cal. Bus. & Prof. Code § 17200 and common law unfair competition). 5 Rossi v. 
Motion Picture Ass'n of America Inc., 391 F.3d 1000 (9th Cir. 2004), cert. denied, 544 U.S. 1018 (2005).

Pub. 12/2015 4-639 4.12[9][F][i] E-Commerce and Internet Law interference with prospective economic advantage, libel and defamation, and intentional iniction of emotional distress. In that case, the court had held that the copyright owner had complied with the procedures of the DMCA based on a “good faith belief” that the plainti's website had included infringing copies of its protected motion pictures (based on plainti's own representations on the site). The Ninth Circuit did not address the issue of preemption, nding in a case where there was no knowing material misrepresentation in the notication that plaintis' state law claims failed based on the elements required to support them—not preemption. In a case decided just prior to Rossi by a district court in the Ninth Circuit, a court ruled, in Online Policy Group v. Diebold Election Systems, Inc.,6 that section 512(f) repre- sented the only remedy to the recipient of a notication that was found to have included knowing material misrepresenta- tions, and thus plaintis' claim for tortious interference with contractual relations was preempted based on an irreconcil- able conict between the DMCA and the state law.7 As explained by the court: Even if a copyright holder does not intend to cause anything other than the removal of allegedly infringing material, compliance with the DMCA's procedures nonetheless may result in disruption of a contractual relationship: by sending a letter, the copyright holder can eectuate the disruption of ISP service to clients. If adherence to the DMCA's provisions simultaneously subjects the copyright holder to state tort law liability, there is an irreconcilable conict between state and federal law. To the extent that plaintis argue that there is no conict because Diebold's use of the DMCA in this case was based on misrepresentation of Diebold's rights, their argument is undercut by the provisions of the statute itself. 
In section 512(f), Congress provides an express remedy for misuse of the DMCA's safe harbor provisions. It appears that Congress care-

6 Online Policy Group v. Diebold, Inc., 337 F. Supp. 2d 1195 (N.D. Cal. 2004); see also Amaretto Ranch Breedables, LLC v. Ozimals, Inc.,No. C 10-05696 CRB, 2011 WL 2690437 (N.D. Cal. July 8, 2011) (holding DMCA-related claims preempted by section 512(f)). 7 Online Policy Group v. Diebold, Inc., 337 F. Supp. 2d 1195 (N.D. Cal. 2004), citing Hillsborough County, Fla. v. Automated Medical Labora- tories, Inc., 471 U.S. 707, 713 (1985) (holding that preemption occurs “when compliance with both state and federal [laws] is a physical impos- sibility or when state law stands as an obstacle to the accomplishment and execution of the full purposes and objectives of Congress.”). In Diebold, the district court applied a stricter standard under § 512(f) than the one subsequently adopted by the Ninth Circuit. See supra § 4.12[9][D].

4-640 Copyright Protection in Cyberspace 4.12[9][F][i]

fully balanced the competing interests of copyright holders, ISPs, and the public, by providing immunity subject to relief for any misuse of the statute. In Lenz v. Universal Music Corp.,8 the same judge who decided Diebold denied a motion to dismiss a claim for tor- tious interference arising out of a DMCA notication. Lenz, a YouTube user, alleged that the Universal Music Corp. had failed to act in good faith when it sent a DMCA notication to YouTube about a video she posted on the service because Universal Music Corp. failed to consider fair use. The video in question was a twenty-nine second clip of plainti's son dancing, while Prince's song “Let's Go Crazy” could be heard in the background (in poor quality) playing for twenty seconds. At the behest of Prince, Universal had sent a DMCA notice to YouTube, which removed the video. In response, Lenz sent a counter notication. Because Universal did not le for copyright infringement, the video was reposted to the site. Lenz sued, however, seeking damages and attorneys' fees pursuant to section 512(f) and for tortious interference with her contract with YouTube. In one case, Judge Denny Chin, while still a district court judge in the Southern District of New York, granted sum- mary judgment in favor of the copyright owner on a defen- dant's counterclaim for sending two DMCA notices for mate- rial that was found not be infringing, but retained jurisdiction over the case so that the defendants could turn to the court for relief if any further notices were served, writing that plaintis would have no good faith basis for serving new DMCA notices based on the dismissal of their copyright infringement claims.9 Other courts have allowed claims or counterclaims to proceed based on the allegedly tortious consequences of al- legedly improper DMCA notications.10 For example, in Cur-

8 Lenz v. Universal Music Corp., 572 F. Supp. 2d 1150 (N.D. Cal. 2008), a'd on other grounds, — F.3d —, 2015 WL 5315388 (9th Cir. 2015); see generally supra § 4.12[9][D] (analyzing the case). 9 See Biosafe-One, Inc. v. Hawks, 639 F. Supp. 2d 358, 369–70 n.3 (S.D.N.Y. 2009). 10 See, e.g., Flava Works, Inc. v. Gunter, No. 10 C 6517, 2013 WL 4734002 (N.D. Ill. Sept. 3, 2013) (denying plainti's motion to dismiss the defendant's counterclaim for tortious interference with contract and mis- representation of intellectual property infringement (pursuant to 17 U.S.C.A. § 512(f)) based on alleged misrepresentations about the extent of

Pub. 12/2015 4-641 4.12[9][F][i] E-Commerce and Internet Law tis v. Shinsachi Pharmaceutical Inc.,11 the court entered a default judgment against plainti's competitors under sec- tion 512(f) of the DMCA12 and for cybersquatting, trademark cancellation, trade libel, interference with contract and pro- spective economic advantage and a declaratory ruling of non- infringement where a seller alleged that between 2011 and 2013 defendants submitted 30 false Notices of Claimed In- fringement to eBay, resulting in the removal of at least 140 listings and causing eBay to issue strikes against her selling account, as well as allegedly false notices to Google, PayPal and Serversea. In certain circumstances, the contents of notications or counter notications may be protected against tort or other claims based on state law litigation privileges.13 Liability for misrepresentations in DMCA notications or counter notications is separately addressed in section 4.12[9][D].

allegedly infringing material available on the myVidster.com website made to defendant's service providers and in DMCA notifications).
11 Curtis v. Shinsachi Pharmaceutical Inc., 45 F. Supp. 3d 1190 (C.D. Cal. 2014).
12 See supra § 4.12[9][D].
13 See, e.g., Cal. Civil Code § 47(b) (statements made in judicial proceedings); Maponics, LLC v. Wahl, No. C07-5777 BZ, 2008 WL 2788282 (N.D. Cal. July 18, 2008) (discussing the potential applicability of California Civil Code section 47(b) to DMCA notices as “reasonably relevant” to “achieve the objects of the litigation,” but concluding that the emails at issue in that case did not meet the requirements of section 512(c)(3)(A) and “seem more like an attempt . . . to gain business from a customer by charging a competitor with theft, than an attempt to mitigate a customer's damages.”).

4.12[9][F][ii] Suits by Service Providers

In contrast to suits by alleged infringers against copyright owners, Fatwallet, Inc. v. Best Buy Enterprise Services, Inc.,1 was a suit by an ISP against copyright owners seeking a declaratory judgment that the service provider liability limitations of the DMCA were unconstitutional. In that case, Judge Philip Reinhard of the Northern District of Illinois ruled that the plaintiff lacked standing to challenge the user storage provision of the DMCA because it cannot claim that it suffered any injury. As explained by the court:

Nothing in the DMCA . . . creates liability for the ISP beyond that which already exists under copyright law generally. An ISP suffers no adverse consequences under the DMCA for its failure to abide by the notice. It is free to thumb its nose at the notice and it will suffer no penalty nor increased risk of copyright liability. Thus, plaintiff was in no worse a position regarding potential copyright liability for the postings of its subscribers whether it responded to the notice or not or for that matter even if the DMCA did not exist at all. In other words, the DMCA only inures to the benefit of plaintiff and visits no negative consequences upon it. Because of the unique nature of the DMCA notice provisions and how they apply to an ISP, plaintiff cannot claim it suffered any injury or harm from the invocation of the notice provisions by defendant. It was free to ignore the notice and no harm would befall it that did not already exist irrespective of the DMCA. That being said, if in fact an ISP chooses to respond to the notice by taking down the challenged material, it then triggers the safe harbor provision and is insulated from potential liability for copyright infringement. Put another way, the only implication of the notice provisions of the DMCA is a positive one. Plaintiff has failed to identify any harm it has suffered as a result of its choosing to respond to the takedown notice and has therefore not shown it has standing under Article III of the Declaratory Judgment Act.

The court also ruled that the plaintiff lacked standing to assert claims on behalf of third-party posters because of the lack of an actual injury by plaintiff.

In Arista Records, Inc. v. MP3Board, Inc.,2 the defendant, MP3Board, asserted claims against the RIAA for (1) knowing material misrepresentations in violation of the DMCA (17 U.S.C.A. § 512(f)); and (2) tortious interference with contractual relations. The court granted summary judgment in favor of the RIAA on the DMCA claim, ruling that liability could not be imposed for sending a notification that merely was insufficient to comply with statutory requirements, in the absence of any evidence that a copyright owner or its agent “knowingly materially misrepresent[ed] . . . that material or activity [wa]s infringing.”3 The court also rejected the argument that the RIAA's notification was actionable because of the alleged vagueness of its allegations.

The court further rejected the contention that the RIAA's notification constituted a “knowing material misrepresentation” because it threatened the service provider with liability for money damages. Judge Stein ruled that section 512 only penalizes copyright holders for materially misrepresenting “that material or activity is infringing.”4

The court also entered summary judgment in favor of the RIAA on MP3Board's claim of tortious interference with contractual relations and prospective economic advantage. The court found that MP3Board failed to present evidence to contradict that the RIAA acted in good faith in notifying MP3Board's service provider about the acts of alleged infringement, which constituted a full defense under applicable state law.

Although Judge Stein did not reach the issue in the MP3Board case, a claim for tortious interference based on a notification ultimately arguably could fail as a privileged communication under the Noerr-Pennington doctrine.5 Since a service provider may obtain dismissal of a third-party suit if the copyright owner fails to tender a substantially complying notification,6 sending a notification effectively amounts to a statutorily-required precondition to initiating litigation against the provider (in cases where the service provider fails to take action) and is therefore arguably privileged.7

In addition to potential Noerr-Pennington immunity, California has a statutory litigation privilege, Civil Code § 47(b), which has been judicially construed to extend to pre-litigation statements made in connection with proposed litigation that is “contemplated in good faith and under serious consideration.”8 In certain circumstances, the contents of notifications or counter notifications may be protected based on state law litigation privileges.9

[Section 4.12[9][F][ii]]
1 Copy L. Rep. (CCH) ¶ 28,799, 2004 WL 793548 (N.D. Ill. Apr. 12, 2004).
2 Arista Records, Inc. v. Mp3Board, Inc., 2002 Copr. L. Dec. P 28483, 2002 WL 1997918 (S.D.N.Y. 2002).
3 Arista Records, Inc. v. Mp3Board, Inc., 2002 Copr. L. Dec. P 28483, 2002 WL 1997918 (S.D.N.Y. 2002), quoting 17 U.S.C.A. § 512(f).
4 Arista Records, Inc. v. Mp3Board, Inc., 2002 Copr. L. Dec. P 28483, 2002 WL 1997918 (S.D.N.Y. 2002). Although not discussed in the context of this claim, the court noted elsewhere in its opinion that there was no evidence presented that MP3Board's service provider was in fact immune from liability or that the RIAA knew this fact. Indeed, the threat of money damages should not have amounted to a misrepresentation since service providers are not exempt from liability under the statute. Rather, as discussed earlier in this section, 17 U.S.C.A. § 512 establishes liability limitation defenses that may, but do not automatically apply.
5 See, e.g., Matsushita Electronics Corp. v. Loral Corp., 974 F. Supp. 345, 354–59 (S.D.N.Y. 1997) (ruling that threatening litigation in bad faith, or filing a suit with no belief in its merit, may be actionable if the other elements of a claim for tortious interference are satisfied under New York law, but holding that even so a litigant is immune from liability for initiating legal action under the Noerr-Pennington doctrine, unless the sham litigation exception were found to apply; extending immunity to infringement warning letters sent to defendant's customers); Keystone Retaining Wall Systems, Inc. v. Rockwood Retaining Walls, Inc., No. CIV. 00–496RHK/SRN, 2001 WL 951582 (D. Minn. Apr. 22, 2001) (extending Noerr-Pennington immunity to notices of patent infringement that 35 U.S.C.A. § 287 requires be sent as a precondition to filing suit, provided the sham litigation exception is inapplicable).
6 See Hendrickson v. eBay, Inc., 165 F. Supp. 2d 1082 (C.D. Cal. 2001); see generally supra § 4.12[6][A].
7 See Keystone Retaining Wall Systems, Inc. v. Rockwood Retaining Walls, Inc., No. CIV. 00–496RHK/SRN, 2001 WL 951582 (D. Minn. Apr. 22, 2001).
8 Aronson v. Kinsella, 58 Cal. App. 4th 254, 262, 68 Cal. Rptr. 2d 305, 310 (4th Dist. 1997) (quoting earlier cases), review denied (Dec. 23, 1997).
9 See, e.g., Maponics, LLC v. Wahl, No. C07-5777 BZ, 2008 WL 2788282 (N.D. Cal. July 18, 2008) (discussing the potential applicability of California Civil Code section 47(b) to DMCA notices as “reasonably relevant” to “achieve the objects of the litigation,” but concluding that the emails at issue in that case did not meet the requirements of section 512(c)(3)(A) and “seem more like an attempt . . . to gain business from a customer by charging a competitor with theft, than an attempt to mitigate a customer's damages.”).

4.12[10] Liability Limitation for Nonprofit Education Institutions

The DMCA creates an additional liability limitation for service providers that are also nonprofit Education Institutions (NEIs) out of recognition that—according to the House Report—“the university environment is unique.” In addition to the four specific limitations created for all service providers, NEIs may benefit from special rules that may limit the liability of universities and other educational institutions for the infringing acts of faculty members or graduate students that otherwise might be imputed to an NEI, as employer, and prevent it from benefiting from the transitory digital network communications, system caching or user storage limitations. As explained in the House Report:

Ordinarily, a service provider may fail to qualify for the liability limitations in Title II simply because the knowledge or actions of one of its employees may be imputed to it under basic principles of respondeat superior and agency law. The special relationship which exists between universities and their faculty members (and their graduate student employees) when they are engaged in teaching or research is different from the ordinary employer-employee relationship. Since independence—freedom of thought, word and action—is at the core of academic freedom, the actions of university faculty and graduate student teachers and researchers warrant special consideration . . . embodied in new . . . special rules.

Under this special limitation, the acts or knowledge of a faculty member or graduate student will not be imputed to the “public or other nonprofit institution of higher education” that employs her if four specific criteria can be met. First, the “faculty member or graduate student” must be “an employee of such institution . . . performing a teaching or research function.” Second, the faculty member's or graduate student's infringement must not involve the provision of online access to instructional materials that are or were required or recommended by that faculty member or graduate student within the preceding three-year period for a course taught at the NEI. Third, the NEI must not have received more than two DMCA notifications (as defined in section 4.12[9][B]), which claim copyright infringement by such faculty member or graduate student, within the three-year period (provided such notifications do not contain material misrepresentations, as defined in section 512(f)).1 Fourth, the NEI must provide all users of its system or network with informational materials that accurately describe and promote compliance with U.S. copyright laws.2

The legislative history emphasizes that the special limitation for NEIs does not apply “[w]hen the faculty member or the graduate student employee is performing a function other than teaching or research.” For example, “exercising institutional administrative responsibilities, or . . . carrying out operational responsibilities that relate to the institution's function as a service provider” would not constitute exempt activities under the statute. Moreover, the House Report states that “the research must be a genuine academic exercise—i.e. a legitimate scholarly or scientific investigation or inquiry—rather than an activity which is claimed to be research but is undertaken as a pretext for engaging in infringing activity.”

The special provisions governing the acts of faculty members and graduate students do not otherwise affect an NEI's obligations to meet the technical requirements of the four liability limitations and one broad exemption created by the Act if it seeks to benefit from the DMCA's safe harbors. NEIs must still designate agents to respond to notifications and counter notifications and comply with the terms of the statute in order to fully limit their liability.

[Section 4.12[10]]
1 17 U.S.C.A. § 512(e)(1)(B). The effect of misrepresentations in a notification is discussed earlier in this chapter in section 4.12[9][D].
2 17 U.S.C.A. § 512(e)(1).

4.12[11] Injunctive Relief

The Act authorizes limited injunctive relief to deny access to infringers and block infringing content, both in the United States and overseas. A court may grant only three specific forms of equitable relief against a service provider (other than a service provider that is also an NEI) that is otherwise immune from liability under the system caching,1 user storage2 or information location tools3 limitations: (1) a court order restraining the service provider “from providing access to infringing material or activity residing at a particular site on the provider's system or network”; (2) a court order requiring that a particular infringer's account or subscription be terminated by the service provider in order to deny it access to the system or network; or (3) such other injunctive relief as the court may consider necessary to prevent or restrain infringement of specific material at a particular online location “if such relief is the least burdensome to the service provider among the forms of relief comparably effective for that purpose.”4

By contrast, a court may only enjoin a service provider (that is not also an NEI) whose liability is otherwise limited under the transitory digital network communications limitation from providing access to a subscriber or account holder who is using the service provider's services to engage in infringing activity by terminating its account or restraining it from providing access (through reasonable steps to be specified in the court order) to infringing material at a particular online location outside the United States.5 This provision is significant for copyright owners, in that it specifically authorizes a court to compel a service provider subject to jurisdiction in the United States to block access to content which would be infringing under U.S. law, even though it may be located overseas in a country where it may not be deemed infringing under that country's laws or on a server owned by an entity that is not subject to U.S. jurisdiction. As a practical matter, however, it may be difficult for a copyright owner to fully benefit from this provision because it is so easy for infringers to move content from one location to another in cyberspace.

In determining whether to grant injunctive relief against a service provider otherwise immune from liability, courts are directed to weigh several factors, including: (1) whether the order would significantly burden either the service provider or the operation of its system or network; (2) the magnitude of harm likely to be suffered by the copyright owner if steps are not taken to prevent or restrain the online infringement; (3) whether implementation of a proposed injunction would be technically feasible and effective and would not interfere with access to noninfringing material at other online locations; and (4) whether other less burdensome and comparably effective means of preventing or restraining access to the infringing material are available. These criteria generally are consistent with the standards for granting injunctive relief applied in the various federal circuits in copyright infringement lawsuits.6

The Act provides that injunctive relief generally may only be granted where a service provider is given notice and the opportunity to appear. Advance notice is not required, however, for orders “ensuring the preservation of evidence or other orders having no material adverse effect on the operation of the service provider's communications network.”

The ability of third parties to obtain ex parte relief to preserve evidence is beneficial for copyright owners given how quickly information may be moved online and how difficult it has proven on occasion to convince a judge of the technological reasons why a TRO must be granted in an Internet-related infringement case. On the other hand, the provision for ex parte relief may encourage counsel for copyright owners to move swiftly to seek a TRO even in cases where time would allow for notice and a hearing (recognizing that the injunction sought would be against the service provider, rather than the direct infringer, who may not yet have notice of the suit at the time an injunction against the service provider is sought).

The considerations for granting injunctive relief and requirement for notice apply equally to service providers that are also NEIs, although the limitations on the specific forms of injunctive relief which may be granted (as set forth in section 512(j) and discussed in this section) do not apply to NEIs.7 Thus, broader injunctive relief may be obtained against NEIs, which is not unreasonable since they potentially are entitled to broader protections from liability for monetary damages than other service providers.

The standards for obtaining injunctive relief generally are addressed in section 4.13[1]. At least in the Ninth Circuit, an injunction compelling a service provider to remove user content is deemed to be a mandatory injunction, which is disfavored.8 It may also be viewed as an impermissible prior restraint.9

[Section 4.12[11]]
1 See supra § 4.12[5].
2 See supra § 4.12[6].
3 See supra § 4.12[7].
4 17 U.S.C.A. § 512(j)(1)(A).
5 17 U.S.C.A. § 512(j)(1)(B).
6 See infra § 4.13[1].
4.12[12] Extra-Judicial Remedies Available to Copyright Owners

The Digital Millennium Copyright Act provides potentially valuable extra-judicial remedies to copyright owners who are careful to strictly comply with the technical requirements and time limits imposed by the Act. Whereas before the DMCA became law a copyright owner might have had to spend tens of thousands of dollars or more to obtain an injunction compelling a service provider to disable access to

7 See 17 U.S.C.A. § 512(e)(2). 8 Garcia v. Google, Inc., 786 F.3d 733, 740 & n.4 (9th Cir. 2015) (en banc); infra § 4.13[1]. 9 See Garcia v. Google, Inc., 786 F.3d 733, 746-47 (9th Cir. 2015) (en banc) (dissolving a previously entered preliminary injunction compelling YouTube to take down copies of the film “Innocence of Muslims” and take all reasonable steps to prevent further uploads, which the en banc panel held had operated as a prior restraint), citing Alexander v. United States, 509 U.S. 544, 550 (1993) (“Temporary restraining orders and permanent injunctions—i.e., court orders that actually forbid speech activities—are classic examples of prior restraints.”); infra § 4.13[1].

or block allegedly infringing content, the same relief may be obtained at virtually no cost from a service provider that has chosen to comply with the statute by designating an agent to receive notifications.

Copyright owners potentially may obtain extra-judicial relief from service providers where alleged acts of infringement involve material stored at the direction of a user, information location tools or certain cached content that either was (or has been ordered to be) removed from its original location.1 In all other cases, or where a service provider has chosen not to comply with the Act, copyright owners must resort to more traditional means of enforcing their copyrights in cyberspace. Copyright owners also would need to bring suit to obtain damages or injunctive relief directly from the primary infringer or to compel the disclosure (by subpoena) of the identity of a pseudonymous infringer.2

Extra-judicial remedies are available to copyright owners only from service providers that have sought to limit their liability under the DMCA. Service providers need not comply with the Act and their failure to do so may not be cited as evidence that their conduct constitutes infringement.3 Moreover, service providers may elect to comply with some, but not all of the statute's requirements, even though that may mean exposing themselves potentially to liability that otherwise could be limited or avoided under the DMCA.

Whether a service provider will afford a copyright owner extra-judicial relief pursuant to the DMCA usually can be determined from information on the service provider's website. Participating service providers will have filed the appropriate forms with the U.S. Copyright Office to designate an agent. The identity of a service provider's agent—to whom notifications must be directed—may be obtained from the U.S. Copyright Office (both in person and online) and should be posted on the service provider's website.

Simply by sending a notification that provides substantially all of the information required by the statute4 to the designated agent of a participating service provider, a copyright owner may obtain immediate relief. Upon receipt by its agent of a substantially complying notification, a service provider must expeditiously remove or disable access to any allegedly infringing content or links identified in the notification. Where a notification is based on information location tools or cached content, no further action will be taken by the service provider.

When a notification concerns content stored at the direction of a user, a service provider that seeks to limit its liability to subscribers for removing or disabling access to infringing material must promptly notify its subscriber when the content is removed (or access to it disabled), in order to afford the subscriber the opportunity to serve a counter notification.5 If the affected subscriber ignores the notification, the material will remain off the Internet (or access to it will continue to be blocked) and the copyright owner will have obtained the rough equivalent of injunctive relief for next to no cost.6 The same result would obtain if the service provider has chosen not to comply with the provisions governing counter notifications (if, for example, it concludes that it is unlikely to be exposed to significant liability in suits brought by subscribers).

Even where a subscriber serves a counter notification or files suit in response to a notification, a copyright owner may be in a much better position after having availed itself of the extra-judicial remedies under the DMCA than if, instead, it had simply filed suit against the alleged infringer. If the subscriber serves a counter notification, the copyright owner must file suit and provide notice of the suit to the service

[Section 4.12[12]] 1 See supra § 4.12[9]. 2 See generally infra §§ 37.02 (standards for compelling the disclosure of the identity of anonymous and pseudonymous internet users), 50.06[4] (subpoenas directed to service providers). 3 See 17 U.S.C.A. § 512(l).

4 See supra § 4.12[9][B]. 5 See supra § 4.12[9][C]. 6 The subscriber responsible for the infringing content would not actually be enjoined and therefore could post the material elsewhere in cyberspace. Where an infringer appears likely to persist in its practices, injunctive relief should be obtained prohibiting the person responsible for the act of infringement from further activities. The extra-judicial remedies provided by the DMCA, however, are especially valuable because it is not always easy to identify a primary infringer. In addition, in many cases, infringing content is posted by people who will take no further action once advised that their use of a work is infringing. In those cases, a copyright owner may be able to obtain complete relief merely by preparing and transmitting a substantially complying notification.

provider's agent in order to maintain the status quo. Otherwise, between ten and fourteen business days after receiving the counter notification, the service provider must replace or restore access to the disputed content. If the copyright owner files suit (or if the subscriber initiates litigation in lieu of serving a counter notification), the burden will be on the subscriber to obtain a court order compelling restoration of the removed material. Unless and until the subscriber obtains such an order, the material will remain inaccessible. By contrast, in an ordinary copyright infringement suit, the copyright owner has the burden of obtaining an order to have infringing material affirmatively removed (or access to it disabled).

A copyright owner also may obtain procedural advantages in the event of litigation by filing a notification. If a subscriber files a counter notification, the subscriber must consent to the jurisdiction of the federal district court for the address it provides (or if the subscriber is located outside of the United States, “for any judicial district in which the service provider may be found.”) and agree to accept service.7 While this provision may allow a subscriber to engage in limited forum shopping (by choosing which address to list for itself), it also allows a copyright owner to avoid costly procedural skirmishes by suing the subscriber in the jurisdiction where it has already consented to be sued. Where a subscriber is not located in the United States, the consent to jurisdiction may be especially valuable. Moreover, the statute does not compel a copyright owner to sue the subscriber in the location where the subscriber has consented to jurisdiction (or even to sue the subscriber at all). The statute merely provides the service provider with a potential procedural advantage. In point of fact, the requirement that a subscriber consent to jurisdiction and service of process in a counter notification itself may discourage many subscribers from even filing counter notifications.

The risk that an accused infringer will file a preemptive lawsuit in response to a notification is somewhat reduced by the fact that the statute also provides an incentive for subscribers to use the counter notification procedure to obtain inexpensive relief (at least in instances where a service provider has chosen to comply with the procedures for counter notifications). By filing a counter notification, a subscriber may compel a service provider to restore access to or replace content removed in response to a notification, if the original complainant fails to provide notice to the service provider within ten (10) business days that it has initiated litigation, in which case within fourteen (14) business days access to the content must be restored. While serving a counter notification therefore would likely trigger litigation in many instances, in some cases it could allow a subscriber to obtain relief if the copyright owner ultimately chose not to bring suit or missed the tight time deadlines established by the Act.8

If a copyright owner misses the deadline for responding to a counter notification, the statute does not place any express prohibition on it simply serving a new notification. A copyright owner that did so repeatedly at some point presumably could expose itself to liability for engaging in unfair trade practices or other state law claims. Moreover, if a service provider refused to respond to a second notification (served after the copyright owner failed to timely respond to an initial counter notification), the copyright owner would likely have no recourse but to file suit. The copyright owner would then have to convince a judge to grant it injunctive relief, after locating and serving the primary infringer. In such circumstances, the copyright owner could well have difficulty seeking to hold a service provider liable when the service provider discharged its duties under the Act in response to the original notification.

Although the extra-judicial remedies available under the DMCA may not provide complete relief in all cases, they afford potentially significant, relatively inexpensive benefits. Copyright owners therefore should be careful not to squander the benefits afforded by the Act. Copyright owners must pay especially close attention to the deadlines for responding to counter notifications. Although subscribers potentially have flexibility in deciding when to file a counter notification, a copyright owner merely has ten business days from the time the service provider receives the counter notification—not the time the copyright owner receives it—to notify the service provider that it has initiated litigation.9

7 17 U.S.C.A. § 512(g)(3)(D).

8 Unscrupulous subscribers may simply move the content to a different location on the Web, rather than even pursue a counter notification. 9 See supra § 4.12[9][C].


4.12[13] Compliance Burdens Imposed on ISPs

While the Act provides potentially valuable liability limitations for service providers, ISPs that seek to benefit from all of the provisions face potentially complicated, time consuming and expensive compliance obligations. For this reason, some ISPs initially determined that the costs of compliance exceeded the benefits. Today, it is more common for eligible entities to seek to comply with the DMCA. Even so, service providers potentially may comply with provisions governing notifications but avoid the additional burden of honoring counter notifications.

The agent designation provisions applicable to the caching, user storage and information location tools limitations require service providers to incur limited administrative fees. Entities that choose to designate an agent, however, may face an increased volume of complaints, especially because the Act makes it easier and less costly for copyright owners to compel service providers to take action against alleged infringers. Indeed, within days of the statute being signed into law, the volume of demand letters received by some service providers increased significantly (even before the affected companies designated agents to receive notifications). For some companies, the cost of receiving and responding to notifications may be significant.

Service providers that have subscribers potentially face the most onerous burdens under the Act if they seek to benefit from the broad exemption created by subpart 512(g)(2) for removing content in response to a notification.1 To benefit from both the user storage limitation2 and the exemption for removing content, an agent must accept and separately calendar its obligations in response to notifications and counter notifications to ensure that the appropriate content is located and expeditiously removed (or access to it disabled) and then—within ten to fourteen business days after a counter notification is received (if no response to the counter notification has been received within ten business days)—restore access to or replace the content. Service providers also must be sure to take reasonable steps to promptly notify subscribers when content has been removed

[Section 4.12[13]] 1 See supra § 4.12[8]. 2 See supra § 4.12[6].


(or access to it disabled) and promptly notify copyright owners when counter notifications are received. While these procedures make sense in the abstract, in practice they impose significant time and cost burdens on ISPs and compel them to use calendaring software or rely on counsel to ensure that statutory time frames are met. For this reason, service providers that calculate the risk of liability to a subscriber for removing content as being fairly low may choose to ignore entirely the procedures for benefiting from the exemption created by subpart 512(g)(2).

Service providers that comply with the user storage limitation, but not the exemption created by subpart 512(g)(2) (and corresponding procedures governing counter notifications), may still find that they face an increased volume of complaints. ISPs that resell service to other ISPs, for example, may find themselves technically required to disable access to an entire system in order to literally comply with the Act's mandate to disable access to or remove infringing content (because it may not be technologically possible to do anything other than cut off service to the ISP's own “subscriber”).3

The information location tools limitation imposes less burdensome compliance demands on service providers. Search engine firms, portals, destinations and other entities sent notifications relating to links or other information location tools simply must disable the links (or information location tools) in order to comply with the requirements of the Act. The system caching limitation imposes even fewer burdens (except to the extent an agent must evaluate whether certain cached content has been removed, or ordered to be removed, from the site where it originally was stored).4

Service providers complying with the user storage, information location tools and caching limitations must be prepared periodically to respond to the special subpoenas created by the Act. This procedure, however, actually may be less burdensome than under pre-existing law where the scope of a service provider's obligations potentially had to be re-litigated every time a service provider was sued. As a practical matter, DMCA subpoenas most commonly will be sought in response to material stored at the direction of a user.

3 See infra § 4.12[14]. 4 See supra §§ 4.12[5], 4.12[9][A].


In general, the system caching limitation (except in cases involving cached content no longer found on the genuine site or subject to a court order) and transitory digital network communication limitations impose the fewest burdens on service providers. Aside from meeting the threshold requirements set forth in section 4.12[3], most service providers need not do anything further in order to benefit from these limitations.

Where a service provider fails to satisfy the requirements of any of the provisions established by the Act, its liability will be determined by existing law.5 The service provider's failure to meet the requirements for any one of the DMCA's safe harbors may not be cited as evidence of infringement or liability.6

4.12[14] Liability of NSPs and Downstream Service Providers Under the Digital Millennium Copyright Act

The Digital Millennium Copyright Act does not account for differences between individual or corporate subscribers and therefore does not adequately account for Network Service Providers (NSPs) whose own subscribers actually are ISPs, rather than individual account holders.1 While the Act's provisions may not be unduly onerous for service providers that do not have subscribers (such as some portals or search engine firms that do not also offer free email or other services) or ISPs that merely have individual subscribers, the statute is less well suited to large service providers that resell access to other commercial service providers.

5 See supra § 4.11. For a discussion of how to limit site owner and service provider liability, whether or not the site or service complies with the DMCA, see infra chapter 50. 6 See 17 U.S.C.A. § 512(l). [Section 4.12[14]] 1 The legislative history reveals that Congress intended to maximize the protections afforded service providers. The House Report provides that: The liability limitations apply to networks “operated by or for the service provider,” thereby protecting both service providers who offer a service and subcontractors who may operate parts of, or an entire, system or network for another service provider. H. Rep. No. 105-796, 105th Cong. 2d Sess. 1, 73 (1998). Congress apparently did not appreciate the problems a broad definition could create when liability is sought to be imposed on a reseller for the conduct of a downstream provider.


An NSP or other reseller of service is unlikely to have the technical capability to disable access to or remove the specific content placed online by an individual subscriber of a commercial purchaser of its service (or a “downstream service provider”). Yet, if a notification is directed to an NSP concerning infringing content posted on the personal homepage of a subscriber of a downstream service provider, the NSP, as a service provider, would be compelled by the Act to disable access to the downstream service provider—affecting potentially hundreds or thousands of customers of the downstream provider—in order to limit its liability. In such circumstances, the NSP may find it more economical to risk liability for infringement than to cut off service to a commercial subscriber.

Although the statute does not distinguish among service providers—and therefore could impose overlapping obligations where a service provider has downstream commercial customers that are both subscribers and service providers under the Act—NSPs may negotiate agreements (or impose conditions on) downstream service providers to minimize their potential liability. For example, downstream providers could be compelled to indemnify an NSP for acts of infringement by their users and suits brought by subscribers directly against the NSP for material removed (or access to it disabled) in response to a notification initially directed to the NSP. This type of indemnification provision should insulate an NSP from both liability for infringement and for removing (or disabling access to) content.

Downstream providers also could be contractually bound to comply with the provisions of the DMCA and immediately (or at least expeditiously) respond whenever a notification relating to the conduct of their users or account holders is forwarded to them by the NSP. An NSP thus could simply transmit notifications directly to the appropriate downstream service provider without having to either disable access to the downstream provider's service (which would be unreasonable) or expose itself to liability by ignoring the notification. So long as access to infringing material ultimately was disabled (or the content removed) expeditiously, the NSP could not be held liable under the DMCA.

If a downstream service provider is further contractually obliged to comply with the DMCA, an NSP may effectively shift most of the burden of complying with notifications directed to remote subscribers on the downstream provider

which is the primary service provider to the subscriber. To avoid complications or misunderstandings, NSPs also would be well advised to notify the original complainant that the proper recipient of the notification would be the downstream service provider (whose agent and contact information should be provided). This may encourage the complainant to deal directly with the downstream provider. While an NSP need not worry about the procedures for counter notifications (assuming that it is properly indemnified by its downstream service provider), it should not put itself in the position of having to direct traffic back and forth between a copyright owner, on the one hand, and its downstream service provider and a remote subscriber, on the other.

Where responsibility could not be imposed by contract or where a downstream provider fails to expeditiously remove or disable access to infringing content, the NSP would be unable to limit its own liability unless it disabled access to the content itself. Unless the NSP also hosts the downstream service provider's servers, it may not have the technological capability to do so. Disabling access to an entire downstream service would not be commercially feasible and would likely result in greater financial harm than simply risking liability for infringement.

Even where an NSP may be unable to benefit from the liability limitations created by the DMCA, it may not necessarily be held responsible for the conduct of remote infringers of downstream service providers. An NSP or commercial reseller of service ultimately may face more limited liability than other service providers. An NSP's conduct—in merely providing service to a downstream provider that in turn sells access to customers (one of whom may have posted infringing content)—is even more attenuated than that of a typical ISP. It would therefore be correspondingly more difficult for a plaintiff to show “direct action” or “volitional conduct” by the NSP, which is required to justify the imposition of direct liability under Religious Technology Center v. Netcom On-Line Communication Services, Inc.2 and its progeny.

Similarly, it would be more difficult for a plaintiff to establish that an NSP could be held contributorily liable for failing to respond to a complaint about a remote subscriber when the NSP's only possible means of preventing the infringement would be to shut off all service to the downstream provider (and the copyright owner itself presumably could have contacted the downstream provider directly). An NSP also could well argue that liability should not be imposed because the service it sold had “substantial noninfringing uses.”3

It would also be more difficult for a copyright plaintiff to make out a case for vicarious liability against an NSP based on the NSP reselling service to a downstream service provider whose subscriber is alleged to have posted infringing material. An NSP's ability to control the conduct of the direct infringer is more attenuated in the case of a remote subscriber of a downstream service provider. Similarly, any financial benefit would be even more remotely connected to the act of infringement than in the case of a typical ISP.4

Thus, although the DMCA fails to adequately account for commercial resellers of service in its definition of service providers, in practice the risk of liability for NSPs as a result of third-party acts of infringement also may be lower in many cases than for many other categories of providers.

2 Religious Technology Center v. Netcom On-Line Communication Services, Inc., 907 F. Supp. 1361 (N.D. Cal. 1995).

3 See Sony Corp. of America v. Universal City Studios, Inc., 464 U.S. 417, 442 (1984); see generally supra § 4.10. 4 See supra § 4.11[8][C].

4.12[15] Checklist of Service Provider Compliance Issues

The following is a short-hand checklist of the things a service provider should do in order to comply with all potential liability limitations under the Digital Millennium Copyright Act.1 This list is intended to supplement, rather than replace, any legal analysis of an individual company's specific obligations in order to benefit from the Digital Millennium Copyright Act:

• Adopt and implement a policy of terminating the accounts of “repeat infringers.”
• Inform users and subscribers of the policy:
  ○ post the policy on your website or intranet (as part of “Terms of Use”);2
  ○ reference the policy in any subscriber or user agreements; and
  ○ notify existing subscribers by email.
• Implement the new policy:
  ○ notify first-time infringers that they may not post infringing content and may lose their access rights if they infringe again in the future (and remove or disable access to infringing content—see below);
  ○ document all instances in which the accounts of “repeat infringers” were terminated; and
  ○ maintain records of communications sent to infringers and “repeat infringers” to verify that the policy was properly implemented (if challenged in litigation).
○ Accommodate “standard technical measures” (not yet applicable).
• Designate an agent to respond to notifications and counter notifications:
  ○ file the appropriate form with the U.S. Copyright Office; and
  ○ post the agent's contact information (name, address, email address, telephone and fax number) on your website and/or intranet.
○ Remove or disable access to material believed in good faith to be infringing.
○ The obligation to disable access to or remove material arises
  ○ when a service provider has actual knowledge that material is infringing;
  ○ when a service provider is aware of facts or circumstances from which infringement is apparent (i.e., it raises a “red flag”); or
  ○ upon receipt of a substantially complying notification

[Section 4.12[15]] 1 This checklist assumes that a service provider intends to fully comply with all provisions of the statute. Service providers that seek to benefit from only some—but not all—of the provisions need not comply with all of the elements of the checklist. This checklist does not address the technical requirements for compliance with the transitory digital network (routing) or system caching limitations that describe the way information is transmitted over the Internet and within networks. These limitations generally apply so long as material is not altered while stored or transmitted and is not maintained for longer than necessary for the purpose of transmission. The caching limitation applies to system caching, rather than proxy caching. See generally supra §§ 4.12[4], 4.12[5].

2 See infra § 22.05[2][A].


If the infringement is discovered because a notification has been sent to the designated agent, comply with the provisions described below.

• Where an agent receives a notification, assuming that the notification substantially complies with the requirements of the statute,3 the service provider must:
  ○ expeditiously remove the allegedly infringing content or link or disable access to it; and
  ○ if the offending content has been posted by a user who is also a subscriber, promptly notify the subscriber that its material has been removed (or access to it disabled).

In response to this notice, the agent may be served with a counter notification by the subscriber. Where a counter notification is received, the service provider must:
  ○ provide a copy to the complainant who filed the original notification and inform it that the offending material will be replaced (or access to it restored) within ten business days from the date of the counter notification unless the complainant notifies the service provider that it has initiated a lawsuit seeking a court order to restrain the subscriber from infringing activity;4 and
  ○ replace (or restore access to) the offending content within fourteen business days of the date of the counter notification if, and only if, the original complainant fails to notify the service provider's agent within ten business days that it has initiated a lawsuit against the subscriber. Where timely notice of litigation is provided, the service provider must not replace or restore access to the infringing content unless ordered to do so by the appropriate federal court.

3 Where a notification does not meet the requirements of the statute, the service provider, in appropriate circumstances, should promptly notify the complainant of deficiencies and request additional information and/or remove or disable access to the content (if—independently of the information contained in the notification—the content appears to the service provider in good faith to be infringing). See supra § 4.12[9][B]. 4 Although no time period is specified in the statute, this should be done as soon as possible given that the ten-day period runs from the date of the service provider's receipt of the counter notification rather than the date the complainant is notified of it.


4.12[16] Copyright Owners' Compliance Checklist

The following checklist should be referenced by copyright owners seeking to benefit from the extra-judicial remedies created by the Digital Millennium Copyright Act. When an infringing copy of a protected work is found online, the copyright owner should:

• Identify the service provider's agent from the service provider's website or the database maintained by the U.S. Copyright Office.
• If the service provider on whose system infringing content has been posted has designated an agent, prepare a notification that substantially provides all of the information required by the statute.1
• Once material has been removed (or access to it disabled), anticipate the arrival of a counter notification.2 Where a counter notification is received, a copyright owner must initiate litigation and notify the service provider's agent within ten business days of the service provider's receipt of the counter notification (not the date when it was transmitted to or received by the copyright owner) in order to prevent the material from being placed back online (or access to it restored).
• To the extent possible, verify that all copies of infringing content accessible electronically (including older copies that may have been cached) have been removed in response to a notification. Where appropriate, submit additional notifications.

[Section 4.12[16]] 1 If the service provider has not designated an agent in accordance with the provisions of the Digital Millennium Copyright Act, the service provider may simply disregard the notification. Service providers are not required to comply with the Act and a service provider's refusal to do so may not be cited as evidence that its conduct constitutes infringement (which must be separately proven). 2 Copyright owners may find it beneficial (1) to determine if the particular service provider to whom a notification is directed complies with provisions governing counter notifications, and (2) evaluate whether the infringing content was posted by a subscriber. Unless both of these conditions apply, a copyright owner need not worry about the prospect of a counter notification being served. A counter notification may only be served where material removed from the Internet was posted by a user who was also a subscriber and the service provider has opted to benefit from the broad exemption for potential liability to subscribers for removing or disabling access to content in response to a notification.


4.12[17] User Generated Content Principles

4.12[17][A] In General

In October 2007, a coalition of motion picture, television, computer and Web 2.0 companies promulgated the Principles for User Generated Content Services, which are best practices that they advance for UGC sites. The companies promoting the initiative at the time of its launch were Disney, CBS, NBC Universal, Daily Motion, Veoh, Viacom, MySpace, FOX and Microsoft. A copy of the UGC Principles is reproduced below in section 4.12[17][B].

From a legal standpoint, UGC sites are no different than the interactive websites, chat rooms and bulletin boards in existence at the time Congress enacted the DMCA. The user storage safe harbor applies to claims “for infringement . . . by reason of the storage at the direction of a user of material that resides on a system or network controlled or operated by or for a service provider . . . ,”1 which plainly applies to UGC sites. A UGC site is merely a location where users may post material for others to view (or in some cases copy). A legitimate UGC site is little more than a location, operated by a service provider, where material may be posted at the direction of a user. Indeed, it is the DMCA which has allowed these sites to emerge and flourish.

Aside from terminology and sociology, technology is the only thing different about UGC, video file sharing and blogging sites and social networks, on the one hand, and websites of the late 1990s, on the other. Better bandwidth connections, memory, more socially-oriented interfaces and numerous inexpensive devices (including cameras and mobile phones) have made it much easier for users to quickly and easily create, post, store and transmit rich media. The legal framework, however, is mostly the same.

While most of the major sites are filled with legitimate UGC, as with any Internet location, some users may post material that is unauthorized. Given the community-based nature of many UGC sites, if unauthorized material is posted, it potentially may be disseminated quite quickly. Indeed, a number of suits were filed against UGC sites starting in late 2006.2

To address these challenges, the UGC Principles were proposed as “best practices.” These guidelines reflect practices that in fact have been implemented by leading sites and should be viewed as steps that UGC sites should take—beyond what may be required by the DMCA. Copyright owners who signed on to the UGC Principles agree not to sue service providers who comply with the principles for user submitted content.

The first principle calls for UGC sites to post information promoting respect for intellectual property and discourages users from uploading infringing material. This principle reflects the importance of education in leading to responsible user conduct.

The second principle provides that during the upload process, UGC services should prominently inform users that they may not post infringing material and ask them to affirm that their upload complies with the site's Terms of use. One way to accomplish this is to require users to affirmatively check a box certifying to their compliance with TOU and applicable law, including copyright law, and click their assent in conjunction with the upload process.

The third principle calls for sites to implement effective content identification technology. In fact, many leading sites that host UGC including MySpace and others had already implemented Audible Magic Copysense fingerprinting technology as of the time the UGC Principles were adopted. Among other things, sites and services may employ audio and video filters to physically prevent users from being able to upload files that match the digital “fingerprint” of files registered with the site or third-party technology provider such as Audible Magic.

The fourth principle focuses on cooperation between UGC sites and copyright owners to shut down illegitimate sites (such as locations that create links to unauthorized material that they find on multiple different sites, creating in effect infringement locations).

The fifth principle calls on sites to provide commercially reasonable enhanced searching capabilities to allow copyright owners to more quickly remove unauthorized material.

The eighth principle calls upon sites to comply with the DMCA, but also to provide copies of any counter notifications received to the copyright owner who complained in the first instance.

The UGC Principles also address measures to assist copyright owners in vindicating their rights, such as tracking uploads to better identify repeat infringers, and preserving records. The principles also call upon copyright owners to account for fair use in sending takedown notices.

The UGC Principles are intended to supplement the provisions of the DMCA, not supplant them. Companies signing on to the Principles also agree to implement them internationally.

A copy of the UGC Principles is reproduced below. Practical guidance on the DMCA and UGC Principles is set forth in section 50.03.

[Section 4.12[17][A]]
1 17 U.S.C.A. § 512(c).
2 See Tur v. YouTube, Civil No. 0443 6-FMC (C.D. Cal. complaint filed July 14, 2006); UMG Recordings, Inc. v. Grouper Networks, Inc., Civil No. 06-CV-06561 (C.D. Cal. complaint filed Oct. 16, 2006); UMG Recordings, Inc. v. MySpace, Inc., Civil No. 06-CV-07361 (C.D. Cal. complaint filed Nov. 17, 2006); Io Group, Inc. v. Veoh Networks, Inc., Case No. 06-3926 HRL (N.D. Cal. 2006); Viacom Int'l, Inc. v. YouTube, Inc., No. 07-CV-2103 LLS (S.D.N.Y. complaint filed Mar. 13, 2007); The Football Ass'n Premier League Ltd. v. YouTube, Inc., No. 07-CV-3582 (S.D.N.Y. complaint filed May 4, 1007); Cal IV Entertainment, LLC v. YouTube, Inc., No. 3:07-cv-00617 (M.D. Tenn. 2007); Veoh Networks, Inc. v. UMG Recordings, Inc., 522 F. Supp. 2d 1265 (S.D. Cal. 2007) (dismissing declaratory relief action brought by Veoh shortly before Veoh was sued by UMG in the Central District of California); UMG Recordings, Inc. v. Veoh Networks, Inc., 2:07-cv-05744 (C.D. Cal. 2007); Divx, Inc. v. UMG Recordings, Inc., 3:07cv1753 (S.D. Cal. 2007).

4.12[17][B] UGC Principles1

Leading commercial copyright owners (“Copyright Owners”) and services providing user-uploaded and user generated audio and video content (“UGC Services”) have collaborated to establish these Principles to foster an online environment that promotes the promises and benefits of UGC Services and protects the rights of Copyright Owners. In this context, UGC Services are services such as Soapbox on MSN Video, MySpace, Dailymotion and Veoh.com, and not other technologies such as browsers, applets, email, or search services. While we may differ in our interpretation of relevant laws, we do not mean to resolve those differences in these Principles, which are not intended to be and should not be construed as a concession or waiver with respect to any legal or policy position or as creating any legally binding rights or obligations. We recognize that no system for deterring infringement is or will be perfect. But, given the development of new content identification and filtering technologies, we are united in the belief that the Principles set out below, taken as a whole, strike a balance that, on a going-forward basis, will result in a more robust, content-rich online experience for all.

In coming together around these Principles, Copyright Owners and UGC Services recognize that they share several important objectives: (1) the elimination of infringing content on UGC Services, (2) the encouragement of uploads of wholly original and authorized user generated audio and video content, (3) the accommodation of fair use of copyrighted content on UGC Services, and (4) the protection of legitimate interests of user privacy. We believe that adhering to these Principles will help UGC Services and Copyright Owners achieve those objectives.

1. UGC Services should include in relevant and conspicuous places on their services information that promotes respect for intellectual property rights and discourages users from uploading infringing content.

2. During the upload process, UGC Services should prominently inform users that they may not upload infringing content and that, by uploading content, they affirm that such uploading complies with the UGC Service's terms of use. The terms of use for UGC Services should prohibit infringing uploads.

3. UGC Services should use effective content identification technology (“Identification Technology”) with the goal of eliminating from their services all infringing user-uploaded audio and video content for which Copyright Owners have provided Reference Material (as described below). To that end and to the extent they have not already done so, by the end of 2007, UGC Services should fully implement commercially reasonable Identification Technology that is highly effective, in relation to other technologies commercially available at the time of implementation, in achieving the goal of eliminating infringing content. UGC Services should enhance or update the Identification Technology as commercially reasonable technology that makes a meaningful difference in achieving the goal becomes available.

   a. If a Copyright Owner has provided: (1) the reference data for content required to establish a match with user-uploaded content, (2) instructions regarding how matches should be treated, and (3) representations made in good faith that it possesses the appropriate rights regarding the content (collectively, “Reference Material”), then the UGC Service should apply the Identification Technology to that content to implement the Filtering Process described below. UGC Services should ensure that reasonable specifications, as well as any tools and/or technical support, for the delivery of Reference Material are made available to Copyright Owners. If a Copyright Owner does not include in the Reference Material instructions regarding how matches should be treated, the UGC Service should block content that matches the reference data.

   b. The Identification Technology should use Reference Material to identify user-uploaded audio and video content that matches the reference data and should permit Copyright Owners to indicate how matches should be treated.

   c. If the Copyright Owner indicates in the applicable Reference Material that it wishes to block user-uploaded content that matches the reference data, the UGC Service should use the Identification Technology to block such matching content before that content would otherwise be made available on its service (“Filtering Process”). The Copyright Owner may indicate in the applicable Reference Material that it wishes to exercise an alternative to blocking (such as allowing the content to be uploaded, licensing use of the content or other options), in which case, the UGC Service may follow those instructions or block the content, in its discretion.

   d. Copyright Owners and UGC Services should cooperate to ensure that the Identification Technology is implemented in a manner that effectively balances legitimate interests in (1) blocking infringing user-uploaded content, (2) allowing wholly original and authorized uploads, and (3) accommodating fair use.

   e. UGC Services should use the Identification Technology to block user-uploaded content that matches Reference Material regardless of whether the UGC Service has any licensing or other business relationship with the Copyright Owners who have provided such Reference Material (except that UGC Services may require that Copyright Owners enter into agreements with respect to the specifications for delivery of Reference Material that are commercially reasonable and that facilitate the provision of Reference Material by Copyright Owners and promote the goal of the elimination of infringing content). If a Copyright Owner authorizes specific users to upload content that would otherwise match Reference Material submitted by the Copyright Owner, the Copyright Owner should provide to the UGC Service a list of such users (a so-called white list).

   f. UGC Services may, at their option, utilize manual (human) review of all user-uploaded audio and video content in lieu of, or in addition to, use of Identification Technology, if feasible and if such review is as effective as Identification Technology in achieving the goal of eliminating infringing content. If a UGC Service utilizes such manual review, it should do so without regard to whether it has any licensing or other business relationship with the Copyright Owners. Copyright Owners and UGC Services should cooperate to ensure that such manual review is implemented in a manner that effectively balances legitimate interests in (1) blocking infringing user-uploaded content, (2) allowing wholly original and authorized uploads, and (3) accommodating fair use.

   g. Copyright Owners should provide Reference Material only with respect to content for which they believe in good faith that they have the appropriate rights to do so, and should update rights information as reasonable to keep it accurate. The inclusion of reference data for content by, or at the direction of, a Copyright Owner shall be deemed to be an implicit representation made in good faith that such Copyright Owner has the appropriate rights regarding such content. Copyright Owners should reasonably cooperate with UGC Services to avoid unduly stressing the Services' Identification Technology during limited periods when Copyright Owners, collectively, may be providing an overwhelmingly high volume of Reference Material. UGC Services should reasonably cooperate with Copyright Owners to ensure that such Reference Material is utilized by the Identification Technology as soon as possible during such overload periods.

   h. Promptly after implementation of Identification Technology, and at intervals that are reasonably timed throughout each year to achieve the goal of eliminating infringing content, UGC Services should use Identification Technology throughout their services to remove infringing content that was uploaded before Reference Material pertaining to such content was provided.

   i. Copyright Owners and UGC Services should cooperate in developing reasonable procedures for promptly addressing conflicting claims with respect to Reference Material and user claims that content that was blocked by the Filtering Process was not infringing or was blocked in error.

4. UGC Services and Copyright Owners should work together to identify sites that are clearly dedicated to, and predominantly used for, the dissemination of infringing content or the facilitation of such dissemination. Upon determination by a UGC Service that a site is so dedicated and used, the UGC Service should remove or block the links to such sites. If the UGC Service is able to identify specific links that solely direct users to particular non-infringing content on such sites, the UGC Service may allow those links while blocking all other links.

5. UGC Services should provide commercially reasonable enhanced searching and identification means to Copyright Owners registered with a service in order: (a) to facilitate the ability of such Copyright Owners to locate infringing content in all areas of the UGC Service where user-uploaded audio or video content is accessible, except those areas where content is made accessible to only a small number of users (not relative to the total number of users of the UGC Service), and (b) to send notices of infringement regarding such content.

6. When sending notices and making claims of infringement, Copyright Owners should accommodate fair use.

7. Copyright Owners should provide to UGC Services URLs identifying online locations where content that is the subject of notices of infringement is found—but only to the extent the UGC Service exposes such URLs.

8. When UGC Services remove content pursuant to a notice of infringement, the UGC Service should (a) do so expeditiously, (b) take reasonable steps to notify the person who uploaded the content, and (c) promptly after receipt of an effective counter-notification provide a copy of the counter-notification to the person who provided the original notice, and, at its option, replace the content if authorized by applicable law or agreement with the Copyright Owner.

9. When infringing content is removed by UGC Services in response to a notice from a Copyright Owner, the UGC Service should use reasonable efforts to notify the Copyright Owner of the removal, and should permit the Copyright Owner to provide, or request the UGC Service to provide on its behalf, reference data for such content to be used by the Identification Technology.

10. Consistent with applicable laws, including those directed to user privacy, UGC Services should retain for at least sixty (60) days: (a) information related to user uploads of audio and video content to their services, including Internet Protocol addresses and time and date information for uploaded content; and (b) user-uploaded content that has been on their services but has been subsequently removed following a notice of infringement. UGC Services should provide that information and content to Copyright Owners as required by any valid process and consistent with applicable law.

11. UGC Services should use reasonable efforts to track infringing uploads of copyrighted content by the same user and should use such information in the reasonable implementation of a repeat infringer termination policy. UGC Services should use reasonable efforts to prevent a terminated user from uploading audio and/or video content following termination, such as blocking re-use of verified email addresses.

12. In engaging in the activities set forth in these Principles outside the United States, UGC Services and Copyright Owners should follow these Principles to the extent that doing so would not contravene the law of the applicable foreign jurisdiction.

13. Copyright Owners should not assert that adherence to these Principles, including efforts by UGC Services to locate or remove infringing content as provided by these Principles, or to replace content following receipt of an effective counter notification as provided in the Copyright Act, support disqualification from any limitation on direct or indirect liability relating to material online under the Copyright Act or substantively similar statutes of any applicable jurisdiction outside the United States.

14. If a UGC Service adheres to all of these Principles in good faith, the Copyright Owner should not assert a claim of copyright infringement against such UGC Service with respect to infringing user-uploaded content that might remain on the UGC Service despite such adherence to these Principles.

15. Copyright Owners and UGC Services should continue to cooperate with each other's reasonable efforts to create content-rich, infringement-free services. To that end, Copyright Owners and UGC Services should cooperate in the testing of new content identification technologies and should update these Principles as commercially reasonable, informed by advances in technology, the incorporation of new features, variations in patterns of infringing conduct, changes in users' online activities and other appropriate circumstances.

[Section 4.12[17][B]]
1 Available at http://www.ugcprinciples.com

4.12[18] Discovery Issues and Spoliation of Evidence in DMCA Litigation

There have not been a lot of reported decisions involving discovery issues in DMCA litigation. Some amount of discovery generally will be permitted in a DMCA case on the elements of the defense as outlined in the statute, such as a service provider's policies for removing and potentially reviewing user material and traffic statistics1 or other potential evidence of a service provider's financial interest. Greater leeway in considering legal standards generally is indulged by courts in allowing discovery, so long as relevant to a claim or defense, than when ruling on the merits. Discovery requests, however, must be reasonable and may be scaled back by a court when they are overly broad or unduly burdensome.

In Perfect 10, Inc. v. CCBill, LLC,2 the Ninth Circuit held that, in evaluating a service provider's compliance with the threshold requirement that a service provider adopt, notify subscribers about and reasonably implement a policy of terminating “repeat infringers” in “appropriate circumstances,” a court may also consider the service provider's responses in other instances where it received notifications or had knowledge or red flag awareness of infringement (not merely how it acted in responding to the plaintiff's own works) to evaluate whether it is properly identifying infringers and, by extension, reasonably implementing its repeat infringer policy. This substantially expands the potential scope of relevant discovery—at least for user storage cases3 in the Ninth Circuit. In the Ninth Circuit, and to the extent followed elsewhere, plaintiffs presumably will be entitled to some level of discovery on a service provider's response to all instances where it had notice, knowledge or red flag awareness in any case in which the DMCA is asserted as a defense, subject potentially to limitations imposed in response to a motion for a protective order based on scope and burdensomeness.

As discussed in section 4.12[3][B][iv], the court in Arista Records LLC v. Usenet.com, Inc.,4 following Perfect 10, imposed an evidentiary sanction on a service provider and other defendants precluding them from raising the DMCA as a defense to plaintiffs' suit for copyright infringement, based on bad faith spoliation of documents and other evasive tactics. The court wrote that “if defendants were aware of . . . red flags, or worse yet, if they encouraged or fostered . . . infringement, they would be ineligible for the DMCA's safe harbor provisions.”5 Because adequate records were not preserved, the court drew a negative inference against defendants.

Although not a DMCA case, it is worth noting that terminating sanctions also were imposed in Columbia Pictures, Inc. v. Bunnell,6 following the defendants' failure to comply with an earlier order entered in the case7 in which the court, ruling in response to recommendations by the magistrate judge,8 found that server log data that was temporarily stored in RAM was “extremely relevant” and ordered that it be preserved (in a manner that masked the IP addresses of the computers used by those accessing the site).9

Likewise, in UMG Recording, Inc. v. Escape Media Group, Inc.,10 which also was not a DMCA case because the plaintiffs focused on over 4,000 infringing sound recordings that had been uploaded by the defendant's own employees, Judge Thomas P. Griesa of the Southern District of New York entered evidentiary sanctions against the company that operated the Grooveshark online music service and its two co-founders, where defendants deleted records showing which sound recordings one of the co-founders had personally uploaded to the service and where other records of employee uploads and source code that would have corroborated employee uploads had been deleted during the pendency of parallel state court litigation brought for common law copyright infringement. As sanctions, the court found that plaintiffs were entitled to a finding that 1,944 files had been illegally uploaded based on defendants' spoliation of employee upload files and defendant Greenberg's upload files (in addition to affirmative evidence of over 4,000 other infringing files) and precluded defendants from relying on a defense that could have been disproven by the deleted source code.11

In Viacom Int'l, Inc. v. YouTube, Inc.,12 Judge Louis L. Stanton of the Southern District of New York ruled that the contents of user videos posted to YouTube and marked “private” by users could not be produced in discovery based on the prohibition against knowingly divulging the contents of any stored electronic communications on behalf of subscribers, subject to exceptions which do not include civil discovery requests.13 Among other things, the court found that YouTube's user agreement did not expressly authorize disclosure of this information.14 By contrast, the court held that non-content data, such as the number of times a video has been viewed on YouTube.com or made accessible on a third-party site through an embedded link to the video, was not barred from disclosure by the ECPA.15

In Viacom, the court also granted a protective order barring disclosure of the source code for the YouTube.com search function or VideoID program, which the court found to be trade secrets, but ordered production of all videos removed from the site and data on viewing statistics.

Discovery of electronically stored information and spoliation of electronic evidence are addressed more generally in chapter 58.16

[Section 4.12[18]]
1 See Io Group, Inc. v. Veoh Networks, Inc., No. C06-03926 HRL, 2007 WL 1113800 (N.D. Cal. Apr. 13, 2007) (granting in part a motion to compel on these issues).
2 Perfect 10, Inc. v. CCBill LLC, 488 F.3d 1102 (9th Cir.), cert. denied, 522 U.S. 1062 (2007).
3 The requirement that a service provider respond where it has knowledge or awareness also applies under the information location tools liability limitation, but would not necessarily impose similarly broad discovery obligations. Unless a service provider has subscribers or account holders, it is questionable whether it would have an obligation to terminate repeat infringers as a precondition to benefit from the information location tools safe harbor. See supra § 4.12[7].
4 Arista Records LLC v. Usenet.com, Inc., 633 F. Supp. 2d 124 (S.D.N.Y. 2009). Magistrate Judge Katz's earlier recommendation may be found at Arista Records LLC v. Usenet.com, Inc., 608 F. Supp. 2d 409 (S.D.N.Y. 2009).
5 633 F. Supp. 2d at 142. In that case, the defendants had wiped clean seven hard drives that belonged to employees without backing up the data to a central server, and failed to adequately preserve email communications. The defendants also sent potentially key witnesses to Europe during the height of discovery to “engineer their unavailability,” encouraged witnesses to evade process, provided evasive or false sworn statements and violated two court orders requiring them to present information regarding the despoiled computer evidence, although Judge Baer concluded that while these abuses were not sufficient on their own to justify terminating sanctions they supported the finding that sanctions for discovery abuse were warranted.
6 Columbia Pictures, Inc. v. Bunnell, 85 U.S.P.Q.2d 1448, 2007 WL 4877701 (C.D. Cal. Dec. 13, 2007).
7 Columbia Pictures, Inc. v. Bunnell, 245 F.R.D. 443 (C.D. Cal. 2007).
8 Columbia Pictures Industries v. Bunnell, NO. CV 06-1093FMCJCX, 2007 WL 2080419 (C.D. Cal. May 29, 2007).
9 Spoliation is addressed more extensively in chapter 58.
10 UMG Recording, Inc. v. Escape Media Group, Inc., No. 11 Civ. 8407, 2014 WL 5089743, at *8–14 (S.D.N.Y. 2014).
11 UMG Recording, Inc. v. Escape Media Group, Inc., No. 11 Civ. 8407, 2014 WL 5089743, at *8–14, 20 (S.D.N.Y. 2014). In a later ruling, Judge Griesa granted in part a motion in limine prohibiting the defendants from disputing at trial that they acted willfully and in bad faith, based on the court's earlier findings in connection with plaintiff's summary judgment motion that Grooveshark overtly instructed its employees to upload as many files as possible, which the court held constituted purposeful conduct with a manifest intent to foster copyright infringement, and that Escape Media acted in bad faith in deleting relevant user data and source code, entitling the plaintiffs to potentially recover up to $150,000 per work infringed. He also ruled, however, that the defendants were entitled to present evidence about the degree and extent of their willfulness and bad faith in connection with the jury's consideration of the amount of statutory damages to award. See UMG Recordings, Inc. v. Escape Media Group, Inc., No. 11 Civ. 8407 (TPG), 2015 WL 1873098, at *3-4 (S.D.N.Y. Apr. 23, 2015); see generally infra § 4.14[2][A] (analyzing statutory damage awards).
12 Viacom Int'l Inc. v. YouTube Inc., 253 F.R.D. 256 (S.D.N.Y. 2008).
13 Viacom Int'l Inc. v. YouTube Inc., 253 F.R.D. 256, 264 (S.D.N.Y. 2008), citing 18 U.S.C.A. § 2702(a)(2) and In re Subpoena Duces Tecum to AOL, LLC, 550 F. Supp. 2d 606, 611–12 (E.D. Va. 2008).

4.12[19] The DMCA's Applicability to Common Law Copyright Claims There presently is a disagreement among courts in New York over whether the DMCA applies to common law copyrights, which is an issue that ultimately may be resolved by the New York Court of Appeals or the Second Circuit. Although the Copyright Act broadly preempts state law claims “that are equivalent to any of the exclusive rights within the general scope of the Copyright Act . . . ,”1 sound recording xed prior to February 15, 1972 are not entitled to federal copyright protection and therefore may be the subject of suits brought for infringement of common law copyrights (which otherwise generally are preempted by the federal Copyright Act) through February 15, 2067,2 at least under New York law.3 Copyright owners in sound recordings have brought suit against alleged infringers for common law copyright infringe-

14 253 F.R.D. at 264–65. 15 Viacom Int'l Inc. v. YouTube Inc., 253 F.R.D. 256, 265 (S.D.N.Y. 2008). 16 See generally infra §§ 58.03[5] (spoliation), 58.03[6] (fee shifting), 58.04[4] (discovery sanctions). [Section 4.12[19]] 1 17 U.S.C.A. § 301; infra § 4.18[1]. 2 See 17 U.S.C.A. § 301(c). 3 E.g., Capitol Records, Inc. v. Naxos of America, Inc., 4 N.Y.3d 540, 797 N.Y.S.2d 352, 830 N.E.2d 250, 263–64 (2005); Arista Records LLC v. Lime Group LLC, 784 F. Supp. 2d 398, 411 n.7 (S.D.N.Y. 2011).

Pub. 12/2015 4-675 4.12[19] E-Commerce and Internet Law ment of works that pre-date 1972 in a number of digital copyright infringement cases.4 Indeed, in suits against ser- vice providers, some copyright owners have sued for infringe- ment of pre-1972 sound recordings in New York, rather than California, on the assumption that neither the DMCA nor the federal exemption from liability created by the Com- munications Decency Act5 would insulate service providers from liability in New York.6

4 See, e.g., Capitol Records, Inc. v. MP3Tunes, LLC, — F. Supp. 3d —, 2014 WL 4851719, at *14 (S.D.N.Y. 2014) (denying in part the owner of MP3Tunes' motion for judgment as a matter of law, finding that there was ample evidence to support the jury award against him for common law unfair competition based on infringement of pre-1972 common law copyrights by users of MP3Tunes' online locker service); Capitol Records, LLC v. ReDigi, Inc., 934 F. Supp. 2d 640, 657 n.8 (S.D.N.Y. 2013) (granting partial summary judgment against the operator of a secondary market for resale of digital music files for direct infringement by reproduction and distribution of plaintiff's common law copyrights and for direct and secondary infringement of plaintiff's federal copyrights); Arista Records LLC v. Lime Group LLC, 784 F. Supp. 2d 398 (S.D.N.Y. 2011) (granting summary judgment for the plaintiffs on claims of federal copyright inducement and common law copyright infringement and unfair competition). A claim for copyright infringement under New York common law requires a showing of: (1) the existence of a valid copyright; and (2) unauthorized reproduction of the work protected by the copyright. Capitol Records, Inc. v. Naxos of America, Inc., 4 N.Y.3d 540, 797 N.Y.S.2d 352, 830 N.E.2d 250, 266 (2005); see generally infra § 4.18[2] (analyzing common law copyrights).

5 47 U.S.C.A. § 230(c); see generally infra § 37.05.

6 A claim against an intermediary for common law (but not federal) copyright infringement based on user content and conduct may be preempted by the CDA in the Ninth Circuit but likely would not be held preempted in New York or a number of other jurisdictions. Compare Perfect 10, Inc. v. CCBill LLC, 488 F.3d 1102 (9th Cir.) (construing the term “any law pertaining to intellectual property” to be restricted to “federal intellectual property” and therefore holding that the plaintiff's right of publicity claim against an Internet payment processor was preempted), cert. denied, 522 U.S. 1062 (2007) with UMG Recordings, Inc. v. Escape Media Group, Inc., 948 N.Y.S.2d 881, 888–89 (N.Y. Sup. 2012) (granting plaintiff's motion to dismiss the defendant's CDA affirmative defense in a common law copyright case), rev'd on other grounds, 107 A.D.3d 51, 964 N.Y.S.2d 106 (N.Y. App. 2013); Atlantic Recording Corp. v. Project Playlist, Inc., 603 F. Supp. 2d 690 (S.D.N.Y. 2009) (construing the literal language of the statute the same way as the court in Doe and allowing a common law copyright claim under New York law to proceed); and Doe v. Friendfinder Network, Inc., 540 F. Supp. 2d 288 (D.N.H. 2008) (holding that “any law pertaining to intellectual property” literally means any law—state or federal—and therefore denying the defendant's motion to dismiss plaintiff's right of publicity claim under New Hampshire law); see


In Capitol Records, Inc. v. MP3Tunes, LLC,7 Judge William H. Pauley of the Southern District of New York held that the DMCA safe harbors insulate service providers from liability for common law copyright claims in sound recordings fixed prior to February 15, 1972, in addition to claims brought under federal law.8 While the text of section 512 makes no reference to common law copyrights, the court construed its reference to “infringement of copyrights” to encompass violations of both federal and state copyright law (to the extent common law claims are not preempted by the Copyright Act itself9).10 Judge Pauley concluded that interpreting the DMCA as creating a safe harbor only for federal copyright claims would “eviscerate the purpose” of the Act “to clarify copyright law for internet service providers in order to foster fast and robust development of the internet.”11

In UMG Recordings, Inc. v. Escape Media Group, Inc.,12 however, a New York state intermediate appellate court declined to follow MP3Tunes, Inc., holding instead that the DMCA does not apply to common law copyright claims. The court ruled that the enactment of the DMCA in 1998 did not

generally infra § 37.05[5].

7 Capitol Records, Inc. v. MP3Tunes, LLC, 821 F. Supp. 2d 627 (S.D.N.Y. 2011), reconsideration granted on other grounds, 2013 WL 1987225 (S.D.N.Y. May 14, 2013).

8 Capitol Records, Inc. v. MP3Tunes, LLC, 821 F. Supp. 2d 627, 640–42 (S.D.N.Y. 2011), reconsideration granted on other grounds, 2013 WL 1987225 (S.D.N.Y. May 14, 2013).

9 17 U.S.C.A. § 301; see generally infra § 4.18[1] (analyzing copyright preemption).

10 Capitol Records, Inc. v. MP3Tunes, LLC, 821 F. Supp. 2d 627, 641 (S.D.N.Y. 2011), reconsideration granted on other grounds, 2013 WL 1987225 (S.D.N.Y. May 14, 2013).

11 Capitol Records, Inc. v. MP3Tunes, LLC, 821 F. Supp. 2d 627, 642 (S.D.N.Y. 2011), reconsideration granted on other grounds, 2013 WL 1987225 (S.D.N.Y. May 14, 2013). Judge Pauley explained: Limiting the DMCA to recordings after 1972, while excluding recordings before 1972, would spawn legal uncertainty and subject otherwise innocent internet service providers to liability for the acts of third parties. After all, it is not always evident (let alone discernible) whether a song was recorded before or after 1972. The plain meaning of the DMCA's safe harbors, read in light of their purpose, covers both state and federal copyright claims. Thus, the DMCA applies to sound recordings fixed prior to February 15, 1972. Id.

12 UMG Recordings, Inc. v. Escape Media Group, Inc., 107 A.D.3d 51, 964 N.Y.S.2d 106 (N.Y. App. 2013).

modify section 301(c) of the Copyright Act which expressly provides that with respect to sound recordings fixed prior to February 15, 1972 “any rights or remedies under the common law or statutes of any State shall not be annulled or limited by this title until February 15, 2067.”13 Accordingly, the court construed references in the DMCA to copyright and copyright infringers to pertain only to those works protected by Title 17, not common law copyrights. The court noted that the same Congress that enacted the DMCA had modified section 301(c) to extend for an additional 20 years the amount of time before the Act could be used to “annul” or “limit” the rights inherent in pre-1972 sound recordings. In the absence of express language reconciling section 512 (the safe harbor provision) with section 301(c), this fact created an even stronger presumption in the court's view that Congress did not intend the DMCA to limit or annul common law rights protected by section 301(c). In so ruling, the Escape Media court undoubtedly was influenced by a December 2011 U.S. Copyright Office report to Congress that concluded that the DMCA does not apply to pre-1972 sound recordings and that Capitol Records, Inc. v. MP3Tunes, LLC14 was wrongly decided.15

Following Escape Media, Judge Ronnie Abrams of the Southern District of New York granted summary judgment for the plaintiffs in Capitol Records, LLC v. Vimeo, LLC16 for all videos at issue that incorporated sound recordings fixed prior to February 15, 1972, holding the DMCA inapplicable to those videos. Judge Abrams agreed with the Escape Media court that it was for Congress, not the courts, to extend the Copyright Act to pre-1972 sound recordings, both with respect to the rights granted under the Act and the limitations on those rights (such as the DMCA safe harbor) set forth in

13 17 U.S.C.A. § 301(c). “[T]his title” refers to Title 17. The DMCA safe harbor is codified at 17 U.S.C.A. § 512.

14 Capitol Records, Inc. v. MP3Tunes, LLC, 821 F. Supp. 2d 627 (S.D.N.Y. 2011), reconsideration granted on other grounds, 2013 WL 1987225 (S.D.N.Y. May 14, 2013).

15 See U.S. Copyright Office, Federal Copyright Protection for Pre-1972 Sound Recordings 130–32 (Dec. 2011). UMG cited this report in its arguments to the court.

16 Capitol Records, LLC v. Vimeo, LLC, 972 F. Supp. 2d 500 (S.D.N.Y. 2013).

the Act.17 Judge Abrams subsequently certified the question of whether the DMCA's safe harbor provisions are applicable to sound recordings fixed prior to February 15, 1972 for interlocutory appeal.18

In Capitol Records, LLC v. Escape Media Group, Inc.,19 Southern District of New York Judge Allison Nathan, affirming the report and recommendation of Magistrate Judge Sarah Netburn, entered summary judgment in favor of Capitol Records and against Escape Media over the latter's operation of the Grooveshark music service for both federal and common law copyright infringement based on the finding that Escape Media did not meet the requirements for the DMCA safe harbor. Based on this ruling, it was unnecessary to decide whether the DMCA in fact applies to claims for common law copyright infringement.

It remains to be seen whether other courts will follow MP3Tunes or agree with the intermediate appellate court in Escape Media Group that the DMCA provides merely a safe harbor for federal copyright claims. This issue ultimately is likely to be resolved by the Second Circuit or the New York Court of Appeals.

Putting aside the legal uncertainty, it is potentially difficult for service providers to distinguish sound recordings fixed prior to February 15, 1972 from those works fixed after that date. Among other things, some artists recorded different versions of the same song before and after February 15, 1972. Moreover, many pre-1972 sound recordings were remastered after 1972 and separately registered as new or derivative works.19 In addition, works posted online may be mixes that could include excerpts from either pre- or post-1972 sound recordings.

17 Capitol Records, LLC v. Vimeo, LLC, 972 F. Supp. 2d 500, 536-37 (S.D.N.Y. 2013).

18 Capitol Records, LLC v. Vimeo, LLC, 972 F. Supp. 2d 537, 552 (S.D.N.Y. 2013).

19 Capitol Records, LLC v. Escape Media Group, Inc., No. 12-CV-6646 (AJN), 2015 WL 1402049, at *6-13, 44-58 (S.D.N.Y. Mar. 25, 2015).

19 See, e.g., UMG Recordings, Inc. v. Escape Media Group, Inc., No. 11 Civ. 8407 (TPG), 2015 WL 1873098, at *5 (S.D.N.Y. Apr. 23, 2015) (noting, without deciding, UMG's argument that works recorded before 1972 but remastered after 1972 may be the subject of a statutory damages award), citing Pryor v. Jean, No. 13 Civ. 02867 DDP (AJW), 2014 WL 5023088, at *4 (C.D. Cal. Oct. 8, 2014).


DEFENDING DATA PRIVACY CLASS ACTION LITIGATION

Excerpted from Chapter 26 (Data Privacy) of E-Commerce and Internet Law: A Legal Treatise With Forms, Second Edition, a 4-volume legal treatise by Ian C. Ballon (Thomson/West Publishing 2016)


Mr. Ballon has brought or defended significant and often cutting edge suits involving computer software, the Internet and mobile technology. A list of recent cases may be found at http://www.gtlaw.com/People/Ian-C-Ballon.

Mr. Ballon was named the Lawyer of the Year for Information Technology Law in the 2013 and 2016 editions of Best Lawyers in America. In addition, he was the 2010 recipient of the State Bar of California IP Section’s Vanguard Award for significant contributions to the development of intellectual property law (http://ipsection.calbar.ca.gov/IntellectualPropertyLaw/IPVanguardAwards.aspx). He is listed in Legal 500 U.S., The Best Lawyers in America (in the areas of information technology and intellectual property) and Chambers and Partners USA Guide in the areas of privacy and data security and information technology. He also has been recognized by The Daily Journal as one of the Top 75 IP litigators in California in every year that the list has been published, from 2009 through 2015, and has been listed as a Northern California Super Lawyer every year from 2004 through 2015 and as one of the Top 100 lawyers in California. Mr. Ballon also holds the CIPP/US certificate for the International Association of Privacy Professionals (IAPP).


change? Will the Legal Department receive notice when new marketing, business practices or technologies are implemented?

26.15 Class Action Litigation

Since 2010, there has been an explosion of data privacy-related putative class action suits filed against Internet companies, social networks, social gaming sites, advertising companies, application providers, mobile device distributors, and companies that (regardless of the nature of their business) merely advertise on the Internet, among others. While data privacy class actions have been brought since the 1990s, the dramatic increase in suits filed beginning in 2010 largely results from increased attention given to data privacy in Washington during the early years of the Obama Administration, including Congressional hearings and talk of potential consumer privacy legislation, the FTC's ongoing focus on behavioral advertising, and publicity about the settlement of two high profile putative class action suits where defendants paid large sums at the very outset of each case without engaging in significant litigation. All of these developments, in turn, have created greater press attention and consumer awareness of privacy issues.

Businesses potentially risk being sued if they engage in practices that are at variance with their stated privacy policies or in the event of a security breach that results in the disclosure of personally identifying information where liability for the breach can be established.1 Increasingly, however, lawsuits are brought challenging the use of new technologies or business models or for online advertising practices. Putative privacy class action suits also often are filed following FTC investigations or news reports of alleged violations or even blog reports about new product features.

Many businesses opt to settle putative class action suits—regardless of the merits—because the cost of settling often is less than the cost of litigation or to avoid adverse publicity. For a consumer-oriented company, constant press reports and blog posts about litigation alleging privacy violations

[Section 26.15] 1 Security breach class action suits are separately analyzed in section 27.07.

may be damaging to its business. Some class action lawyers exploit this fact by issuing press releases or giving interviews or speeches designed to maximize the impact of adverse publicity and try to force a settlement. A quick settlement may resolve the problem of bad publicity, but also may identify a company as a prime target for future cases. Some businesses believe that if they are willing to fight on the merits they may be less likely targets when the next round of potential cases are filed. Ultimately, many factors influence a company's decision to either litigate or settle a case.

Earlier waves of Internet privacy litigation had largely proven unfruitful for plaintiffs' lawyers because of the absence of any monetary injury and the difficulty of framing alleged Internet privacy violations into computer crime statutes largely concerned with protecting the security of networks and systems from hackers, rather than specifically user privacy, as underscored by early litigation over the alleged collection of user information in cookie files2 and in suits against airline companies for allegedly sharing passenger data.3 More recent cases have focused on the alleged disclosure of information through the use of social networks, behavioral advertising, mobile phone applications and other web 2.0 technologies, and cloud computing applications, although these cases often suffer from similar defects.4

2 See, e.g., Chance v. Avenue A, Inc., 165 F. Supp. 2d 1153 (W.D. Wash. 2001) (granting defendants' motion for summary judgment and denying as moot plaintiffs' motion for class certification in a case arising out of defendants' alleged placement of cookies on user computers and tracking their activity; granting summary judgment on plaintiffs' claims under (1) the Computer Fraud and Abuse Act claim, because the minimum $5,000 damage requirement could not be met; (2) the Stored Communications Act, 18 U.S.C.A. §§ 2701 et seq., because in light of the technological and commercial relationship between users and the defendant's website, it was implausible to suggest that “access” was not intended or authorized; and (3) the Wiretap Act, 18 U.S.C.A. §§ 2510 et seq., based on the finding that it was implicit in the code instructing users' computers to contact the website that consent had been obtained to the alleged interception of communications between users and defendants); In re DoubleClick Inc. Privacy Litig., 154 F. Supp. 2d 497 (S.D.N.Y. 2001) (granting defendant's motion to dismiss with prejudice claims arising out of DoubleClick's proposed plan to allow participating websites to exchange cookie files obtained by users to better target banner advertisements because, among other things, defendant's affiliated websites were the relevant “users” of internet access under the Electronic Communications Privacy Act (ECPA), submissions containing personal data made by users to defendant's affiliated websites were intended for those websites, and therefore the sites' authorization was sufficient to grant defendant's access under 18 U.S.C.A. § 2701(c)(2)); In re Intuit Privacy Litig., 138 F. Supp. 2d 1272 (C.D. Cal. 2001) (dismissing with leave to amend claims under 18 U.S.C.A. § 2511 and 18 U.S.C.A. § 1030 arising out of the alleged collection of information in cookie files because plaintiffs had failed to sufficiently allege a tortious or criminal purpose or that they had suffered damage or loss, but denying defendants' motion to dismiss plaintiffs' claim under 18 U.S.C.A. § 2701 for intentionally accessing electronically stored data); see also, e.g., In re Pharmatrak, Inc. Privacy Litig., 292 F. Supp. 2d 263 (D. Mass. 2003) (granting summary judgment for the defendant on plaintiffs' ECPA claim over the alleged collection of data from cookie files, based on the lack of evidence of intent). But see In re Toys R Us, Inc. Privacy Litig., No. 00-CV-2746, 2001 WL 34517252 (N.D. Cal. Oct. 9, 2001) (denying defendant's motion to dismiss plaintiffs' Computer Fraud and Abuse Act claim in a case alleging the collection of information from cookie files and granting leave for plaintiffs to amend their complaint to assert a Wiretap Act claim); see also In re Apple & AT & TM Antitrust Litig., 596 F. Supp. 2d 1288, 1308 (N.D. Cal. 2008) (following Toys R Us in permitting plaintiffs to aggregate their individual damages under the CFAA to reach the $5,000 threshold).

3 See, e.g., In re JetBlue Airways Corp. Privacy Litig., 379 F. Supp. 2d 299 (E.D.N.Y. 2005) (dismissing a suit brought on behalf of airline passengers alleging that JetBlue had transferred personal information about them to a data mining company, holding that the airline's online reservation system did not constitute an “electronic communication service” within the meaning of the Electronic Communications Privacy Act and the airline was not a “remote computing service” under the Act merely because it operated a website and computer servers); In re American Airlines, Inc. Privacy Litig., 370 F. Supp. 2d 552 (N.D. Tex. 2005) (dismissing a putative class action suit brought over American's allegedly unauthorized disclosure of its passengers' personally identifiable travel information to the Transport Safety Administration and its subsequent disclosure of that information to private research companies because the alleged disclosures did not violate ECPA, plaintiffs could not state a claim for breach of contract and plaintiffs' other state law claims were preempted by the Airline Deregulation Act, 49 U.S.C.A. § 41713(b)(1)); Dyer v. Northwest Airlines Corp., 334 F. Supp. 2d 1196 (D.N.D. 2004) (dismissing putative class action claims of passengers who alleged that the airline's unauthorized disclosure of their personal information to the government violated the Electronic Communications Privacy Act and constituted breach of contract where the court held that the airline was not an “electronic communications service provider” within the meaning of the Act and the airline's privacy policy did not constitute a contract).

4 See, e.g., In re Facebook Privacy Litig., 572 F. App'x 494 (9th Cir. 2014) (affirming in part, reversing in part dismissal of claims arising out of the alleged transmission of personal information about users from a social network to third party advertisers); Svenson v. Google Inc., No. 13-cv-04080-BLF, 2015 WL 1503429 (N.D. Cal. Apr. 1, 2015) (dismissing claims under the Stored Communications Act over alleged sharing of users' personal information with app vendors, but allowing breach of


In 2010, for example, a number of suits were brought alleging that flash cookies5 were being used to “re-spawn” data that had been removed by users when they deleted their browser cookies, which was a practice that the defendants in these suits denied engaging in. While the first round of cases settled early on terms that provided broad releases as part of a class action settlement,6 subsequent claims were dismissed on the merits in 2011.7

Data privacy cases based on behavioral advertising, information voluntarily disclosed by users in social networking profiles or to app providers or other practices related to cloud computing generally involve, at most, theoretical violations where no injury has occurred.

In a typical behavioral advertising suit, for example, if the plaintiffs' assertions are correct, at most, users might have been shown an advertisement potentially of interest to the user based on the websites accessed by a computer's browser, as opposed to an advertisement for herbal Viagra substitutes, unaccredited universities or other ads of no interest to most users. In either case, the user was free to disregard the advertisement, which typically is displayed on sites that offer .8 Similarly, in either case, the advertiser and ad agency generally would not know the identity of the

contract, breach of the implied duty of good faith and fair dealing and unfair competition claims to proceed); Opperman v. Path, Inc., 84 F. Supp. 3d 962 (N.D. Cal. 2015) (granting in part, denying in part defendants' motions to dismiss relating to the transfer of data from user's mobile address books to defendants when users selected the “Find Friends” feature to connect with friends on social networks); Campbell v. Facebook, Inc., 77 F. Supp. 3d 836 (N.D. Cal. 2014) (denying defendant's motion to dismiss ECPA and CIPA claims, but dismissing plaintiffs' UCL claim); In re Google, Inc. Privacy Policy Litigation, 58 F. Supp. 3d 968 (N.D. Cal. 2014) (dismissing with prejudice plaintiffs' CLRA and intrusion upon seclusion claims against Google for allegedly disclosing user data to third parties, but allowing claims for breach of contract and fraudulent business practices under the UCL to proceed); Opperman v. Path, Inc., Case No. 13-CV-00453-JST, 2014 WL 1973378 (N.D. Cal. May 14, 2014) (dismissing all of plaintiffs' claims against all defendants with leave to amend, with the exception of the claim for common law intrusion upon seclusion; plaintiffs alleged that the defendant's apps had been surreptitiously accessing and disseminating contact information stored by customers on Apple devices); Yunker v. Pandora Media, Inc., No. 11–CV–03113 JSW, 2014 WL 988833 (N.D. Cal. Mar. 10, 2014) (dismissing with prejudice plaintiff's privacy claim under the California Constitution but denying defendant's motion to dismiss plaintiff's breach of contract claim premised on Pandora's alleged breach of its privacy policy and plaintiffs' UCL claims); In re Google Inc. Cookie Placement Consumer Privacy Litigation, 988 F. Supp. 2d 434 (D. Del. 2013) (granting defendants' motions to dismiss allegations that defendants “tricked” users' internet browsers into accepting “cookies” which allowed defendants to track users' internet activities and communications and display targeted advertising); Del Vecchio v. Amazon.com, Inc., No. C11-366-RSL, 2011 WL 6325910 (W.D. Wash. Dec. 1, 2011) (dismissing with leave to amend a putative class action suit for Computer Fraud and Abuse Act and state unfair competition, unjust enrichment and trespass claims based on the alleged use of browser and flash cookies); In re iPhone Application Litig., Case No. 11-MD-02250-LHK, 2011 WL 4403963 (N.D. Cal. Sept. 20, 2011) (dismissing for lack of Article III standing, with leave to amend, a putative class action suit against Apple and various application providers alleging misuse of personal information without consent); Bose v. Interclick, Inc., No. 10 Civ. 9183, 2011 WL 4343517 (S.D.N.Y. Aug. 17, 2011) (dismissing with prejudice all claims against the advertising defendants and CFAA and most other claims against the remaining defendant in a suit alleging the use of flash cookies and browser sniffing); LaCourt v. Specific Media, Inc., No. SACV 10-1256-GW (JCGx), 2011 WL 1661532 (C.D. Cal. Apr. 28, 2011) (dismissing with leave to amend a putative class action suit brought over the alleged use of flash cookies to store a user's browsing history).

5 In contrast to browser cookies, flash cookies may be used in conjunction with flash media players to record information such as a user's volume preference, as a persistent identifier or for other purposes. See supra § 26.03.

user—only the persistent identifiers associated with a given computer (which could be used by a single person or multiple people).

Plaintiffs' counsel typically sue under statutes that authorize prevailing parties to recover statutory damages and attorneys' fees, since actual damages are de minimis or non-existent. Consequently, many of these suits are brought in federal court under federal statutes that provide for statutory damages or attorneys' fee awards (or both).

Putative privacy class action suits have been brought under the Electronic Communications Privacy Act (ECPA),9 which in Title I (also known as the Wiretap Act) proscribes the intentional interception of electronic communications and in Title II (also known as the Stored Communications Act) prohibits unauthorized, intentional access to stored information. Plaintiffs also have sued under the Computer Fraud and Abuse Act,10 which like ECPA, is largely an anti-hacking statute. Some suits also have been brought under the Video Privacy Protection Act.11 Claims additionally may be asserted under state law for breach of contract based on alleged breach of privacy policies and terms of use, under state computer crime statutes, for common law privacy claims or for unfair competition, where plaintiffs assert supplemental jurisdiction or jurisdiction under the Class Action Fairness Act (CAFA)12 as the basis for federal subject matter jurisdiction.

In the absence of injury or damage, however, many of these cases may not survive in federal court. To have standing to bring suit in federal court, a plaintiff must have suffered an “injury in fact,” which must be (a) “concrete and particularized” and (b) “actual or imminent,

6 The first suits, brought primarily against Internet advertising companies Quantcast and Clearspring and their alleged advertiser customers, were consolidated and settled for $2.4 million and an injunction against Quantcast and Clearspring, and broad releases to all downstream advertisers and websites on which Quantcast or Clearspring widgets had been placed. See In re Quantcast Advertising Cookie Litig., Case No. CV 10-5484-GW (JCGx) (C.D. Cal. Final Order and Judgment entered June 13, 2011); In re Clearspring Flash Cookie Litig., Case No. CV 10-5948-GW (JCGx) (C.D. Cal. Final Order and Judgment entered June 13, 2011).

7 See Del Vecchio v. Amazon.com, Inc., No. C11-366-RSL, 2011 WL 6325910 (W.D. Wash. Dec. 1, 2011) (dismissing with leave to amend a putative class action suit for Computer Fraud and Abuse Act and state unfair competition, unjust enrichment and trespass claims based on the alleged use of browser and flash cookies); Bose v. Interclick, Inc., No. 10 Civ. 9183, 2011 WL 4343517 (S.D.N.Y. Aug. 17, 2011) (dismissing with prejudice all claims against the advertising defendants and most claims against the remaining defendant in a suit alleging the use of flash cookies and browser sniffing); LaCourt v. Specific Media, Inc., No. SACV 10-1256-GW (JCGx), 2011 WL 1661532 (C.D. Cal. Apr. 28, 2011) (dismissing with leave to amend a putative class action suit brought over the alleged use of flash cookies to store a user's browsing history). The Specific Media case ultimately was dismissed by the plaintiff.

8 Data privacy cases increasingly challenge advertising practices that in many respects are not much different from the way that television viewers are shown advertisements based on what the advertiser assumes to be the interests of the demographic group likely to be watching a particular program. Whether the advertiser is correct—and a user is interested in lip gloss rather than laxatives, for example—implicates “injuries,” if any, that are at most de minimis. The fact that a user might have been shown an ad that he or she was free to ignore but which might have been of interest is not the sort of “violation” which typically is compensable. See Ian C. Ballon & Wendy Mantell, Suing Over Data Privacy and Behavioral Advertising, ABA Class Actions, Vol. 21, No. 4 (Summer 2011).

9 18 U.S.C.A. §§ 2510 to 2521 (Title I), 2701 to 2711 (Title II); supra § 26.09; see generally infra §§ 44.06, 44.07, 47.01, 50.06[4], 58.06[3].

10 18 U.S.C.A. § 1030; supra § 26.09; see generally infra § 44.08.

11 18 U.S.C.A. § 2710; see generally supra § 26.13[10].

12 28 U.S.C.A. § 1332(d).

not conjectural or hypothetical.”13 To establish injury in fact, “allegations of possible future injury are not sufficient.”14 The threatened injury must be “certainly impending....”15 In addition to showing injury in fact, (1) a plaintiff must establish that there is “a causal connection between the injury and the conduct complained of” (specifically, “the injury has to be fairly trace[able] to the challenged action of the defendant, and not th[e] result [of] the independent action of some third party not before the court”) and (2) “it must be likely, as opposed to merely speculative, that the injury will be redressed by a favorable decision.”16 In short, standing

13 Lujan v. Defenders of Wildlife, 504 U.S. 555, 560–61 (1992). The Constitution limits the judicial power of the federal courts to actual cases and controversies. U.S. Const. art. III, § 2, cl. 1. A case or controversy exists only when the party asserting federal jurisdiction can show “such a personal stake in the outcome of the controversy as to assure that concrete adverseness which sharpens the presentation of issues upon which the court so largely depends.” Baker v. Carr, 369 U.S. 186, 204 (1962). Absent Article III standing, there is no “case or controversy” and an Article III federal court therefore lacks subject matter jurisdiction over the suit. Steel Co. v. Citizens for a Better Environment, 523 U.S. 83, 101 (1998); see also Whitmore v. Arkansas, 495 U.S. 149, 154–55 (1990) (“Article III . . . gives the federal courts jurisdiction over only ‘cases and controversies.’ ”). For common law claims, the only standing requirement is that imposed by Article III of the Constitution. “When a plaintiff alleges injury to rights conferred by a statute, two separate standing-related inquiries pertain: whether the plaintiff has Article III standing (constitutional standing) and whether the statute gives that plaintiff authority to sue (statutory standing).” Katz v. Pershing, LLC, 672 F.3d 64, 75 (1st Cir. 2012), citing Steel Co. v. Citizens for a Better Environment, 523 U.S. 83, 89, 92 (1998). Article III standing presents a question of justiciability; if it is lacking, a federal court has no subject matter jurisdiction over the claim. Id. By contrast, statutory standing goes to the merits of the claim. See Bond v. United States, 131 S. Ct. 2355, 2362–63 (2011).

14 Clapper v. Amnesty International USA, 133 S. Ct. 1138, 1147 (2013) (internal quotation marks omitted).

15 Clapper v. Amnesty International USA, 133 S. Ct. 1138, 1146-47 (2013); see generally infra § 27.07 (analyzing Clapper in connection with security breach putative class action suits); see also infra § 27.07 (analyzing Clapper and discussing standing in the context of data security suits).

16 Lujan v. Defenders of Wildlife, 504 U.S. 555, 560–61 (1992) (internal citations and quotations omitted); see also Clapper v. Amnesty International USA, 133 S. Ct. 1138, 1147 (2013) (“To establish Article III standing, an injury must be ‘concrete, particularized, and actual or imminent; fairly traceable to the challenged action; and redressable by a favorable ruling.’ ”; quoting Monsanto Co. v. Geertson Seed Farms, 561 U.S. 139, 149-50 (2010)); Friends of the Earth, Inc. v. Laidlaw Environmental Services (TOC), Inc., 528 U.S. 167, 180–81 (2000) (applying the same standard as

depends on a showing of injury in fact, causation and redressability.17 Where standing cannot be established, a putative class action suit will be dismissed. Standing must be established based on the named plaintiffs that actually filed suit, not unnamed putative class members.18

A number of privacy-related putative class action suits have been dismissed for lack of standing. In many cases—particularly those involving alleged behavioral advertising practices,19 the failure to provide notice20 or other alleged

Lujan).

17 Katz v. Pershing, LLC, 672 F.3d 64, 71–72 (1st Cir. 2012) (explaining Lujan).

18 See, e.g., Simon v. Eastern Ky. Welfare Rights Org., 426 U.S. 26, 40 n.20 (1976) (“That a suit may be a class action . . . adds nothing to the question of standing, for even named plaintiffs who represent a class ‘must allege and show that they personally have been injured, not that injury has been suffered by other, unidentified members of the class to which they belong and which they purport to represent.’ ”; quoting Warth v. Seldin, 422 U.S. 490, 502 (1975)); see also O'Shea v. Littleton, 414 U.S. 488, 494 (1974) (“if none of the named plaintiffs purporting to represent a class establishes the requisite of a case or controversy with the defendants, none may seek relief on behalf of himself or any other member of the class.”); Payton v. County of Kane, 308 F.3d 673, 682 (7th Cir. 2002) (“Standing cannot be acquired through the back door of a class action.” (internal quotation omitted)); see also Easter v. American West Financial, 381 F.3d 948, 962 (9th Cir. 2004) (holding that a court must first evaluate the standing of named plaintiffs before determining whether a class may be certified).

19 See, e.g., In re Google Inc. Cookie Placement Consumer Privacy Litigation, 988 F. Supp. 2d 434, 440-42 (D. Del. 2013) (granting defendants' motions to dismiss where plaintiffs alleged that defendants “tricked” users' internet browsers into accepting “cookies” which allowed defendants to track users' internet activities and communications and display targeted advertising; holding that plaintiffs did not allege injury-in-fact sufficient to confer Article III standing); In re Google Android Consumer Privacy Litig., No. 11-MD-02264, 2013 WL 1283236, at *3-6 (N.D. Cal. Mar. 26, 2013) (rejecting diminution in the value of plaintiffs' PII, diminished battery capacity, overpayment or costs incurred as grounds to show injury-in-fact to sustain Article III standing, but holding plaintiffs had standing to assert a claim under the California Constitution and for statutory violations); Gaos v. Google Inc., No. 5:10-CV-4809 EJD, 2012 WL 1094646 (N.D. Cal. Mar. 29, 2012) (granting defendant's motion to dismiss claims for fraudulent misrepresentation, negligent misrepresentation, public disclosure of private facts, actual and constructive fraud, breach of contract and unjust enrichment, for lack of standing, with leave to amend, in a putative class action suit based on the defendant's alleged

privacy violations21—there simply is no injury from the

practice of including the search terms employed by a user in the URL for the search results page displayed in response to a search query, allegedly causing that information to be visible to advertisers in the referer header when a user clicks on an advertiser's link from the results page, but denying the motion with respect to plaintiffs' Stored Communications Act claim); Low v. LinkedIn Corp., No. 11-cv-01468-LHK, 2011 WL 5509848, at *3-4 (N.D. Cal. Nov. 11, 2011) (granting defendant's motion to dismiss, for lack of standing, with leave to amend, a putative privacy class action suit based on alleged privacy violations stemming from the alleged disclosure of personally identifiable browsing history to third party advertising and marketing companies where plaintiff was unable to articulate what information of his, aside from his user identification number, had actually been transmitted to third parties, or how disclosure of his anonymous user ID could be linked to his personal identity); Cohen v. Facebook, Inc., No. C 10-5282 RS, 2011 WL 5117164 (N.D. Cal. Oct. 27, 2011) (dismissing with prejudice plaintiffs' statutory right of publicity claims over the use of the names and likenesses of non-celebrity private individuals without compensation or consent in connection with Facebook's “Friend Finder” tool, for failing to allege injury sufficient to support standing, where plaintiffs could not allege that their names and likenesses had any general commercial value and did not allege that they suffered any distress, hurt feelings, or other emotional harm); In re iPhone Application Litig., Case No. 11-MD-02250-LHK, 2011 WL 4403963 (N.D. Cal. Sept. 20, 2011) (dismissing for lack of Article III standing, with leave to amend, a putative class action suit against Apple and various application providers alleging misuse of personal information without consent); Cohen v. Facebook, Inc., 798 F. Supp. 2d 1090 (N.D. Cal. 2011) (dismissing California common law and statutory right of publicity, California unfair competition and Lanham Act claims for lack of injury, with leave to amend, in a putative privacy class action suit based on Facebook's use of a person's name and likeness to alert their Facebook friends that they had used Facebook's “Friend Finder” tool, allegedly creating an implied endorsement); LaCourt v. Specific Media, Inc., No. SACV 10-1256-GW (JCGx), 2011 WL 1661532 (C.D. Cal. Apr. 28, 2011) (dismissing a putative class action suit brought over the alleged use of flash cookies to store a user's browsing history).

20 See, e.g., Murray v. Time Inc., No. C 12-00431 JSW, 2012 WL 3634387 (N.D. Cal. Aug. 24, 2012) (dismissing, with leave to amend, plaintiff's claims under Cal. Civil Code § 1798.83 and Cal. Bus. & Professions Code § 17200 for lack of statutory standing due to lack of injury and dismissing plaintiff's claim for injunctive relief for lack of Article III standing), aff'd mem., 554 F. App'x 654 (9th Cir. 2014); see generally supra § 26.13[6][D] (analyzing section 1798.83 and cases construing it).

21 See, e.g., Carlsen v. Gamestop, Inc., Civil No. 14-3131, 2015 WL 3538906 (D. Minn. June 4, 2015) (dismissing plaintiff's putative class action suit with prejudice where plaintiff alleged that Game Informer Magazine shared his PII with Facebook whenever users employed Facebook's Like, Share or Comment functions on Game Informer's website, because plaintiff could not establish standing based on allegations that he had

complained of activity. Even in data breach cases, standing may be an issue if there has been no allegation of injury.22

overpaid for his subscription or would not have purchased it at all had he known what Gamestop's actual privacy practices were); Frezza v. Google Inc., No. 5:12-cv-00237, 2013 WL 1736788 (N.D. Cal. Apr. 22, 2013) (dismissing claims for breach of contract and breach of implied contract over Google's alleged failure to implement Data Security Standards (DSS) rules in connection with promotions for Google Tags; distinguishing cases where courts found standing involving the disclosure of personal information, as opposed to mere retention of data, as in Frezza); In re Google, Inc. Privacy Policy Litig., No. C 12-01382 PSG, 2012 WL 6738343 (N.D. Cal. Dec. 28, 2012) (dismissing claims arising out of Google's new privacy policy where plaintiffs alleged injury based on the cost of replacing their Android phones “to escape the burden imposed by Google's new policy” but in fact could not allege that they had ever purchased a replacement mobile phone and where plaintiffs could not state a claim for a violation of the Wiretap Act; relying in part on Birdsong v. Apple, Inc., 590 F.3d 955, 960–61 (9th Cir. 2009) (dismissing for lack of standing a putative class action suit brought by iPod users who claimed that they suffered or imminently would suffer hearing loss because of the iPod's capacity to produce sound as loud as 120 decibels, where plaintiffs at most could claim a risk of future injury to others and therefore could not allege an injury concrete and particularized to themselves)).

22 See, e.g., Reilly v. Ceridian Corp., 664 F.3d 38, 45 (3d Cir. 2011) (affirming dismissal for lack of standing and failure to state a claim, noting that particularly “[i]n data breach cases where no misuse is alleged, . . . there has been no injury,” and that “[a]ny damages that may occur here are entirely speculative and dependent on the skill and intent of the hacker.”), cert. denied, 132 S. Ct. 2395 (2012); In re Science Applications International Corp. (SAIC) Backup Tape Data Theft Litigation, 45 F. Supp. 2d 14, (D.D.C. 2014) (granting in part and denying in part defendant's motion to dismiss plaintiffs' claims arising out of a government data breach; holding, (1) the risk of identity theft alone was insufficient to constitute “injury in fact” for purposes of standing; (2) invasion of privacy alone was insufficient to constitute “injury in fact” for purposes of standing; (3) allegations that victims lost personal and medical information was too speculative to constitute “injury in fact” for purposes of standing; (4) mere allegations that unauthorized charges were made to victims' credit cards or debit cards following theft of data failed to show causation; (5) plaintiffs' claim that victims received a number of unsolicited calls from telemarketers and scam artists following data breach did not suffice to show causation, as required for standing; but (6) allegations that a victim received letters in the mail from credit card companies thanking him for applying for a loan were sufficient to demonstrate causation; and (7) allegations that a victim received unsolicited telephone calls on her unlisted number from insurance companies and others targeted at her specific, undisclosed medical condition were sufficient to demonstrate causation); In re LinkedIn User Privacy Litig., 932 F. Supp. 2d 1089, 1092-95 (N.D. Cal. 2013) (dismissing plaintiffs' putative class action suit arising out of a hacker gaining access to their LinkedIn passwords and


Where standing has been established in putative privacy class action suits, it is usually because a plaintiff can show entitlement to monetary damages23 or at least that sensitive personal data has been compromised which increases the risk of future harm,24 although a minority of courts may find

email addresses, for lack of Article III standing, where plaintiffs alleged no injury or damage). But see Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688, 695 (7th Cir. 2015) (holding that plaintiffs had standing to sue in a data breach case, even though they had not been victims of identity theft); see generally infra § 27.07 (analyzing standing in data security putative class action suits).

23 See, e.g., Perkins v. LinkedIn Corp., 53 F. Supp. 2d 1190 (N.D. Cal. 2014) (holding that plaintiffs had Article III standing to bring common law right of publicity, UCL, and section 502 causes of action because an individual's name has economic value where the name is used to endorse or advertise a product to the individual's friends and contacts); In re LinkedIn User Privacy Litigation, Case No. 5:12–CV–03088–EJD, 2014 WL 1323713 (N.D. Cal. Mar. 28, 2014) (holding that plaintiff had sufficiently established standing under Article III and the UCL because she alleged that she purchased her premium subscription in reliance on LinkedIn's alleged misrepresentation about the security of user data); Fraley v. Facebook, Inc., 830 F. Supp. 2d 785 (N.D. Cal. 2011) (holding that plaintiffs had standing to bring a class action suit where they alleged entitlement to compensation under California law based on Facebook's alleged practice of placing members' names, pictures and the assertion that they had “liked” certain advertisers on other members' pages, which plaintiffs alleged constituted a right of publicity violation, unfair competition and unjust enrichment).

24 See, e.g., Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688, 695 (7th Cir. 2015) (security breach where some members of the putative class had already been the victims of identity theft); Krottner v. Starbucks Corp., 628 F.3d 1139, 1143 (9th Cir. 2010) (suit for negligence and breach of contract by employees who had had their personal information, including names, addresses, and social security numbers, compromised as a result of the theft of a company laptop); In re Sony Gaming Networks and Customer Data Security Breach Litigation, 996 F. Supp. 2d 942 (S.D. Cal. 2014) (granting in part and denying in part defendants' motion to dismiss plaintiffs' allegations that defendants failed to provide reasonable network security, including utilizing industry-standard encryption, to safeguard plaintiffs' personal and financial information stored on defendants' network; finding that plaintiffs had sufficiently established Article III standing by plausibly alleging a “credible threat” of impending harm based on the disclosure of their personal information following the intrusion); Doe I v. AOL, 719 F. Supp. 2d 1102, 1109–11 (N.D. Cal. 2010) (finding injury in fact where a database of search queries was posted online containing AOL members' names, social security numbers, addresses, telephone numbers, user names, passwords, and bank account information, which could be matched to specific AOL members); see generally infra § 27.07 (analyzing standing in data security putative class action cases). As discussed in section 27.07, there is a significant circuit split on

standing merely based on the allegation of breach of a federal25 or even state26 statute that does not require a showing of damage or injury to state a claim, based on Ninth Circuit law.27 The current split of authority over whether standing may be established by stating the elements of a

how courts view standing in cases where there has been no present economic harm.

25 See, e.g., In re Google Inc. Cookie Placement Consumer Privacy Litigation, 988 F. Supp. 2d 434 (D. Del. 2013) (granting defendants' motions to dismiss; holding that plaintiffs did not allege injury-in-fact sufficient to confer Article III standing, but because a statutory violation, in the absence of any actual injury, may in some circumstances create standing under Article III, the court addressed whether plaintiffs had pled sufficient facts to establish a plausible invasion of the rights created by the various statutes asserted, concluding ultimately that plaintiffs failed to state claims under the ECPA, CIPA, CCL, CLRA, and the California Constitution, in addition to failing to allege the threshold loss of $5,000 required by the CFAA); Low v. LinkedIn Corp., 900 F. Supp. 2d 1010 (N.D. Cal. 2012) (holding, after earlier dismissing plaintiffs' original complaint for lack of standing, that plaintiffs had standing to assert Stored Communications Act and California Constitutional Right of Privacy claims, as alleged in their amended complaint, but dismissing those claims with prejudice for failure to state a claim); In re iPhone Application Litig., 844 F. Supp. 2d 1040, 1053–55 (N.D. Cal. 2012) (holding that plaintiffs established injury in fact for purposes of Article III standing by alleging a violation of their statutory rights under the Wiretap Act); In re Hulu Privacy Litig., No. C 11-03764 LB, 2012 WL 2119193, at *8 (N.D. Cal. June 11, 2012) (holding that plaintiffs “establish[ed] an injury (and standing) by alleging a violation of [the Video Privacy Protection Act]”); Gaos v. Google Inc., No. 5:10-CV-4809 EJD, 2012 WL 1094646 (N.D. Cal. Mar. 29, 2012) (denying defendant's motion with respect to plaintiffs' Stored Communications Act claim, finding a violation of statutory rights to be a concrete injury, while dismissing claims for fraudulent misrepresentation, negligent misrepresentation, public disclosure of private facts, actual and constructive fraud, breach of contract and unjust enrichment in a putative class action suit, for lack of standing, with leave to amend, based on the defendant's alleged practice of including the search terms employed by a user in the URL for the search results page displayed in response to a search query, allegedly causing that information to be visible to advertisers in the referer header when a user clicks on an advertiser's link from the results page); In re Facebook Privacy Litig., 791 F. Supp. 2d 705, 712 (N.D. Cal. 2011) (granting in part defendant's motion to dismiss but finding Article III standing in a case where the plaintiffs alleged that a social network transferred data to advertisers without their consent because the Wiretap Act creates a private right of action for any person whose electronic communication is “intercepted, disclosed, or intentionally used,” and does not require any further injury), aff'd in part, rev'd in part, on other grounds, 572 F. App'x 494 (9th Cir. 2014) (affirming dismissal of plaintiffs' UCL claim but reversing dismissal of their breach of contract and fraud claims).

26 See In re Google Inc. Gmail Litig., Case No. 13–MD–02430–LHK, 2013 WL 5423918, at *17 (N.D. Cal. Sept. 26, 2013) (denying Google's motion to dismiss plaintiffs' claim for a violation of California's anti-wiretapping and anti-eavesdropping statute, Cal. Penal Code § 630, based on Google's alleged automatic scanning of Gmail messages for keywords for the purpose of displaying relevant advertising); see also In re Google Inc. Gmail Litigation, Case No. 5:13-MD-2430-LHK, 2014 WL 294441 (N.D. Cal. Jan 27, 2014) (denying the defendant's motion to certify the opinion for interlocutory appeal).

27 Courts in the Sixth, Eighth and Ninth Circuits will find standing where a plaintiff alleges a violation of a statute that does not require a separate showing of actual damage, but courts in the Fourth and Federal Circuits may not absent separate injury-in-fact. See generally infra § 27.07 (analyzing standing in the context of data security cases). In Edwards v. First American Corp., 610 F.3d 514 (9th Cir. 2010), cert. dismissed, 132 S. Ct. 2536 (2012), the Ninth Circuit held that a plaintiff had standing to sue a title insurer under the anti-kickback provisions of Real Estate Settlement Procedures Act, 12 U.S.C.A. § 2607, regardless of whether she was overcharged for settlement services, because the statute did not limit liability to instances in which a plaintiff was overcharged. Another Ninth Circuit panel (without citing Edwards) subsequently held that a plaintiff had standing, at least for purposes of a motion to dismiss at the outset of the case, to allege Title I and Title II ECPA claims for Wiretap and Stored Communications Act violations, among others, based on the defendants' alleged telephone surveillance, even though the court acknowledged that the plaintiff ultimately might be unable to prove that she in fact had been subject to illegal surveillance, at which point the court, on a more developed record, might conclude that plaintiff lacked standing. See Jewel v. National Security Agency, 673 F.3d 902, 908–911 (9th Cir. 2011) (distinguishing ACLU v. NSA, 493 F.3d 644, 648 (6th Cir. 2007), cert. denied, 552 U.S. 1179 (2008), where the Sixth Circuit found that plaintiffs lacked standing on similar facts, because ACLU was decided on a more developed record on summary judgment, whereas Jewel was decided on a motion to dismiss and a plaintiff's well pleaded allegations are deemed true in evaluating Rule 12 motions); see also Robins v. Spokeo, Inc., 742 F.3d 409, 412-14 (9th Cir. 2014) (holding, in a case in which the plaintiff alleged that the defendant's website published inaccurate information about him, that because the plaintiff had stated a claim for a willful violation of the Fair Credit Reporting Act, for which actual harm need not be shown, the plaintiff had established Article III standing, where injury was premised on the alleged violation of plaintiff's statutory rights); In re Google, Inc. Privacy Policy Litigation, Case No. C-12-01382-PSG, 2013 WL 6248499 (N.D. Cal. Dec 3, 2013) (following Edwards in holding that plaintiffs had established Article III injury under the Wiretap Act and the Stored Communications Act by alleging unauthorized access and wrongful disclosure of communications, including disclosure to third parties, in addition to the interception of communications); Gaos v. Google Inc., No. 5:10-CV-4809 EJD, 2012 WL 1094646 (N.D. Cal. Mar. 29, 2012) (following Edwards in denying defendant's motion with respect to plaintiffs' Stored Communications Act claim).

statutory claim even where there is no economic injury may be resolved in 2016, when the U.S. Supreme Court decides

Courts in the Ninth Circuit have construed Edwards and Jewel as requiring that even where a plaintiff states a claim under a federal statute that does not require a showing of damage, plaintiffs must allege facts to “show that the claimed statutory injury is particularized as to them.” Mendoza v. Microsoft, Inc., No. C14-316-MJP, 2014 WL 4540213 (W.D. Wash. Sept. 11, 2014) (dismissing plaintiffs' claims under the Video Privacy Protection Act, California Customer Records Act, California Unfair Competition Law and Texas Deceptive Trade Practices Act where plaintiffs failed to identify an injury that was actual or imminent and particularized and merely offered “broad conclusory statements and formulaic recitations” of the statutes but did not allege facts to support the allegation that Microsoft allegedly retained and disclosed personally identifiable information); see also Low v. LinkedIn Corp., 900 F. Supp. 2d 1010, 1021 (N.D. Cal. 2012) (following Edwards and Jewel in finding standing in a case alleging that LinkedIn browsing histories and user identification numbers, sent in connection with third party cookie identification numbers, were transmitted to third parties by LinkedIn, while conceding that “the allegations that third parties can potentially associate LinkedIn identification numbers with information obtained from cookies and can de-anonymize a user's identity and browser history are speculative and relatively weak”; emphasis in original).

The Sixth and Eighth Circuits take a similar approach. See Beaudry v. TeleCheck Services, Inc., 579 F.3d 702, 707 (6th Cir. 2009) (finding “no Article III (or prudential) standing problem arises . . .” where a plaintiff can allege all of the elements of a Fair Credit Reporting Act statutory claim); Hammer v. Sam's East, Inc., 754 F.3d 492, 498-500 (8th Cir. 2014) (holding that plaintiffs established Article III standing by alleging facts sufficient to state a claim under the Fair and Accurate Credit Transactions Act and therefore did not separately need to show actual damage).

The Fourth and Federal Circuits, however, do not accept the proposition that alleging an injury-in-law by stating a claim and establishing statutory standing to sue satisfies the standing requirements of Article III. See David v. Alphin, 704 F.3d 327, 333, 338-39 (4th Cir. 2013) (holding that statutory standing alone is insufficient to confer Article III standing; affirming dismissal of an ERISA claim where the plaintiffs stated a claim but could not establish injury-in-fact); Consumer Watchdog v. Wisconsin Alumni Research Foundation, 753 F.3d 1258, 1262 (Fed. Cir. 2014) (holding that a consumer group lacked standing to challenge an administrative ruling, explaining that “ ‘Congress may enact statutes creating legal rights, the invasion of which creates standing, even though no injury would exist without the statute.’ Linda R.S. v. Richard D., 410 U.S. 614, 617 n.3 (1973) (citations omitted). That principle, however, does not simply override the requirement of injury in fact.”).

The U.S. Supreme Court had granted certiorari in Edwards to decide the issue of standing, but then dismissed the appeal based on the determination that certiorari had been improvidently granted. See Edwards v. First American Corp., 132 S. Ct. 2536 (2012).

In 2015, the U.S. Supreme Court granted certiorari in Robins v. Spokeo, Inc., 742 F.3d 409 (9th Cir. 2014), cert. granted, 135 S. Ct. 1892


Robins v. Spokeo, Inc.28

Less commonly, Article III standing also may be established based on invasion of a constitutional right.29

Even where a plaintiff has standing, claims based on alleged data privacy violations may not fit well into existing federal statutes. A number of data privacy suits have been brought under the Electronic Privacy Communications Act (ECPA). ECPA authorizes claims under Title I for the intentional interception or disclosure of an intercepted communication, whereas claims under Title II may be based on unauthorized intentional access to stored communications or the intentional disclosure of those communications.30

In behavioral advertising cases, it is important to understand the underlying technology to determine whether a given communication is even covered by ECPA and, if so, permitted or prohibited.

To the extent claims are based on disclosure under either Title I or II, as opposed to interception (under Title I) or access (under Title II), civil claims may only be based on the contents of a communication. Personal data, however, is not considered the contents of a communication, which is defined under ECPA as “information concerning the substance, purport, or meaning of that communication.”31 On this basis alone, claims premised on disclosure will not be actionable

(2015), and may resolve the circuit split in a decision expected by the end of June 2016.

28 See Robins v. Spokeo, Inc., 742 F.3d 409, 412-14 (9th Cir. 2014), cert. granted, 135 S. Ct. 1892 (2015).

29 See Yunker v. Pandora Media, Inc., No. 11-CV-03113 JSW, 2013 WL 1282980, at *3-6 (N.D. Cal. Mar. 26, 2013) (holding that plaintiff in a putative data privacy class action suit had standing based on an unspecified violation of his constitutional rights, while rejecting theories of standing based on the alleged diminution of the value of his PII, decrease in memory space resulting from use of Pandora's app and future harm).

30 See infra §§ 44.06, 44.07.

31 18 U.S.C. § 2510(8); see also id. § 2703(c)(1)(A) (“a provider of electronic communication service or remote computing service may disclose a record or other information pertaining to a subscriber to or customer of such service . . . to any person other than a governmental entity.”). “[I]nformation concerning the identity of the author of the communication,” which is generally what is at issue in data privacy cases, is not considered “contents.” Jessup-Morgan v. America Online, Inc., 20 F. Supp. 2d 1105, 1108 (E.D. Mich. 1998). As the legislative history makes


clear, ECPA “exclude[s] from the definition of the term ‘contents,’ the identity of the parties or the existence of the communication. It thus distinguishes between the substance, purport or meaning of the communication and the existence of the communication or transactional records about it.” S. Rep. No. 541, 99th Cong., 2d Sess. (1986), reprinted in 1986 U.S.C.C.A.N. 3555, 3567; see also In re Zynga Privacy Litig., 750 F.3d 1098, 1105-09 (9th Cir. 2014) (holding that URLs, including referer header information, did not constitute the contents of a communication under ECPA; explaining that “Congress intended the word ‘contents’ to mean a person's intended message to another (i.e., the ‘essential part’ of the communication, the ‘meaning conveyed,’ and the ‘thing one intends to convey.’)” and that “[t]here is no language in ECPA equating ‘contents’ with personally identifiable information.”); U.S. v. Reed, 575 F.3d 900, 916 (9th Cir. 2009) (holding that Call Data Content (CDC) is neither the contents of a communication nor a communication under Title I of ECPA; “CDC . . . is data that is incidental to the use of a communication device and contains no ‘content’ or information that the parties intended to communicate. It is data collected by the telephone company about the source, destination, duration, and time of a call.”), cert. denied, 559 U.S. 987 (2010); Svenson v. Google Inc., No. 13–cv–04080–BLF, 2015 WL 1503429, at *7-8 (N.D. Cal. Apr. 1, 2015) (applying Zynga in dismissing without leave to amend plaintiff's SCA claim premised on the alleged disclosure of credit card information (but not numbers), purchase authorization data, addresses, zip codes, names, phone numbers, and email addresses, in connection with the use of Google Wallet); In re: Carrier IQ, Inc. Consumer Litig., 78 F. Supp. 3d 1051, 1083-84 (N.D. Cal. 2015) (dismissing Wiretap Act claim for alleged interception of user names or passwords by the Carrier IQ Software in a putative consumer class action suit); In re Google Inc. Cookie Placement Consumer Privacy Litigation, 988 F. Supp. 2d 434, 443-44 (D. Del. 2013) (explaining that URLs and “personally identifiable information that is automatically generated by the communication” is not “contents” for the purposes of the Wiretap Act); In re iPhone Application Litig., 844 F. Supp. 2d 1040, 1062 (N.D. Cal. 2012) (dismissing plaintiff's claim because geolocation data was not the contents of a communication and holding that “personally identifiable information that is automatically generated by the communication but that does not comprise the substance, purport, or meaning of that communication is not covered by the Wiretap Act.”); Viacom Int'l Inc. v. YouTube Inc., 253 F.R.D. 256, 265 (S.D.N.Y. 2008) (holding, in a copyright infringement suit, that YouTube was prevented by the Stored Communications Act from disclosing the content of videos marked by users as private, but ordering “production of specified non-content data about such videos” because “the ECPA does not bar disclosure of non-content data about the private videos (e.g., the number of times each video has been viewed on YouTube.com or made accessible on a third-party website through an ‘embedded’ link to the video).”); U.S. v. Parada, 289 F. Supp. 2d 1291, 1304 (D. Kan. 2003) (denying a criminal motion to suppress evidence on the basis that phone numbers stored on a cell phone were not the contents of a communication that could be unlawfully intercepted or disclosed under 18 U.S.C.A. § 2511 because “mere phone numbers that are recorded because a third party pulsed in a number from their phone are not communications” whereas

under either Title I or Title II.32

ECPA, which is comprised of the Wiretap Act (Title I) and the Stored Communications Act (Title II) was never intended to regulate data privacy generally, and certainly not in ways that could never have been conceived of at the time the laws were first enacted. As a statute largely intended to prohibit hacking (in Title II) or eavesdropping or interception (in Title I), ECPA is drawn narrowly in terms of what is covered, what is proscribed and what is permitted with authorization

“the contents would be the substance of the conversation”); Hill v. MCI WorldCom Communications, Inc., 120 F. Supp. 2d 1194, 1195–96 (S.D. Iowa 2000) (holding that electronically stored phone records, including “names, addresses, and phone numbers of parties [the plaintiff] called,” do not constitute the contents of communications under ECPA); see generally infra § 50.06[4] (analyzing contents and non-contents under ECPA in greater detail and discussing additional cases). In one behavioral advertising case, Yunker v. Pandora Media, Inc., No. 11-CV-03113 JSW, 2013 WL 1282980, at *6-7 (N.D. Cal. Mar. 26, 2013), the court held that the plaintiff stated a claim where it alleged that non-content data such as a person's UUID, zip code, gender or birthday, was the actual contents of a communication to the plaintiff and not data from a non-content record. Id. at *6-7 (distinguishing In re iPhone Application Litig., 844 F. Supp. 2d 1040, 1062 (N.D. Cal. 2012)). This analysis, however, is either incomplete or incorrect. See infra § 50.06[4][B] (analyzing the case). A plaintiff should not be able to unilaterally expand the scope of protection afforded by ECPA by characterizing non-content records as the contents of a communication. Alternatively, the court's order denying the defendant's motion to dismiss may be viewed as one where the court applied a lax pleading standard, where later in the litigation the plaintiff would have to establish that Pandora only had access to this non-content data by virtue of accessing a stored communication where the data was recorded, which seems unlikely.

32 For similar reasons, claims based on non-content data also may fail to state claims under California's constitutional right to privacy or California's Invasion of Privacy Act, Cal. Penal Code § 631(a). See In re Yahoo Mail Litigation, 7 F. Supp. 3d 1016, 1037-42 (N.D. Cal. 2014) (dismissing with leave to amend plaintiff's claim for a violation of California's constitutional right to privacy where plaintiffs alleged that Yahoo's alleged scanning, storage and disclosure of email content violated their right to privacy); In re Nickelodeon Consumer Privacy Litigation, Case Nos. Civ. A. 12-07829, Civ. A. 13-03729, Civ. A. 13-03731, Civ. A. 13-03755, Civ. A. 13-03756, Civ. A. 13-03757, 2014 WL 3012873, at *17 (D.N.J. July 2, 2014) (dismissing with prejudice plaintiffs' CIPA claim because allegations that Google placed cookies to intercept data could not state a claim where the alleged interception did not involve the contents of any communication); In re Google Inc. Cookie Placement Consumer Privacy Litigation, 988 F. Supp. 2d 434, 444-45 (D. Del. 2013) (dismissing Wiretap and CIPA claims because plaintiffs' allegations did not demonstrate that Google intercepted any contents or meaning).

or consent. Behavioral advertising claims premised on unauthorized interception33 under Title I have failed where there has been no interception34 or no interception by the defendant.35 Collecting user data such as a customer's requested URL, the referer URL (the last URL visited before a request was made) and an encrypted advertising network cookie, to provide to a third party to analyze and send targeted advertising similarly has been held to not constitute an interception where the information was collected in the ordinary course of business.36

The Stored Communications Act, which is Title II of ECPA, prohibits both unauthorized access (or exceeding authorized access) in section 2701,37 subject to exceptions for access by the person or entity providing a wire or electronic communications service38 and by a user of that service with respect to a communication of or intended for that user;39 and knowingly divulging the contents of a communication while in electronic storage in section 2702,40 subject to exceptions including to an addressee or intended recipient of such communication,41 where authorized42 and with lawful consent.43 Behavioral advertising claims often do not fit well into this framework because they often involve communications that are either not proscribed by the Stored Communications Act or are permitted.

33 Intercept means “the aural or other acquisition of the contents of any wire, electronic, or oral communication through the use of any electronic, mechanical or other device.” 18 U.S.C. § 2510(4). To establish that a defendant “intercepted” an electronic communication, a plaintiff must allege facts that show the electronic communication has been “acquired during transmission, not while it is in electronic storage.” Konop v. Hawaiian Airlines, Inc., 302 F.3d 868, 878–79 (9th Cir. 2002).

34 See, e.g., Opperman v. Path, Inc., No. 3:13-cv-00453-JST, 2014 WL 1973378, at *29 (N.D. Cal. May 14, 2014) (dismissing Wiretap Act claim based on a mobile app's alleged copying and transmission of electronic address books; “Although Path allegedly transmitted the Class Members' Contact Address Books from the Class Members' mobile devices to Path's servers, Path did not ‘intercept’ a ‘communication’ to do so.”); Yunker v. Pandora Media, Inc., No. 11-CV-03113 JSW, 2013 WL 1282980, at *7–8 (N.D. Cal. Mar. 26, 2013) (holding, in a behavioral advertising case, that the plaintiff failed to state a Wiretap Act claim in part where (1) he alleged that he provided his personal information directly to Pandora and that Pandora “intercepted” the information from him, rather than alleging that the defendant used a device to intercept a communication from the plaintiff to a third party, and (2) the communication was directed to Pandora, within the meaning of 18 U.S.C.A. § 2511(3)(A)); Hernandez v. Path, Inc., No. 12-cv-01515-YGR, 2012 WL 5194120, at *3 (N.D. Cal. Oct. 19, 2012) (dismissing claim on the same grounds as Opperman, cited above); Marsh v. Zazoom Solutions, LLC, No. C–11–05226–YGR, 2012 WL 952226, at *17 (N.D. Cal. Mar. 20, 2012) (dismissing plaintiff's Wiretap Act claim in a case involving payday loans, where the plaintiff did not allege that any defendant “acquired the information by capturing the transmission of information that was otherwise in the process of being communicated to another party,” or that any defendant used a “device” to intercept the communication); In re Facebook Privacy Litig., 791 F. Supp. 2d 705, 712–13 (N.D. Cal. 2011) (dismissing plaintiffs' Title I claim where the communication either was directed from the user to the defendant (in which case the service was the addressee or intended recipient and therefore could disclose the communication to advertisers as long as it had its own lawful consent) or was sent from the user to an advertiser (in which case the advertiser was the addressee or intended recipient), but in either case was not actionable), aff'd in part, rev'd in part, on other grounds, 572 F. App'x 494 (9th Cir. 2014) (affirming dismissal of plaintiffs' UCL claim and reversing dismissal of their breach of contract and fraud claims; plaintiffs did not appeal the dismissal of their ECPA claims); Crowley v. Cybersource, 166 F. Supp. 2d 1263, 1268-69 (N.D. Cal. 2001) (dismissing an interception claim premised on Amazon.com's alleged disclosure to co-defendant, Cybersource, where the plaintiff's email was sent directly to Amazon.com and was not acquired through use of a device).

35 See, e.g., Kirch v. Embarq Management Co., No. 10-2047-JAR, 2011

WL 3651359, at *7-9 (D. Kan. Aug. 19, 2011) (granting summary judgment for the defendant on plaintiff's claim in a putative class action suit where the court found that a third party, rather than the defendant, intercepted the plaintiff's communications), aff'd, 702 F.3d 1245, 1246–47 (10th Cir. 2012) (holding that section 2520 does not impose civil liability on aiders or abettors), cert. denied, 133 S. Ct. 2743 (2013).

36 See Kirch v. Embarq Management Co., 702 F.3d 1245, 1248-51 (10th Cir. 2012) (holding that there was no interception, and hence no violation of ECPA, because the contents of the communications were acquired by Embarq in the ordinary course of its business within the meaning of 18 U.S.C.A. § 2510(5)(a)(ii)), cert. denied, 133 S. Ct. 2743 (2013). But see In re Google Inc. Gmail Litig., Case No. 13–MD–02430–LHK, 2013 WL 5423918, at *8–12 (N.D. Cal. Sept. 26, 2013) (denying Google's motion to dismiss plaintiffs' complaint based on the argument that automatically scanning Gmail messages for keywords for purposes of displaying relevant advertising came within the exception created by section 2510(5)(a)(ii)); see generally infra § 44.06[1] (discussing these cases in greater detail).

37 18 U.S.C.A. § 2701(a).

38 18 U.S.C.A. § 2701(c)(1).

39 18 U.S.C.A. § 2701(c)(2).

40 18 U.S.C.A. § 2702(a).

41 18 U.S.C.A. § 2702(b)(1).

42 18 U.S.C.A. § 2702(b)(2).

43 18 U.S.C.A. § 2702(b)(3).


Section 2702 of the Stored Communications Act directs that an entity providing an electronic communication service to the public “shall not knowingly divulge to any person or entity the contents of a communication while in electronic storage by that service.”44 However, a provider of an electronic communication service may divulge the contents of a communication to an addressee or intended recipient of such communication.45 A provider of an electronic communication service may also access the contents of a communication with the “lawful consent” of an addressee or intended recipient of such communication.46 In In re Facebook Privacy Litigation,47 the court dismissed plaintiffs' Title II claim alleging that by clicking on a banner advertisement, users unknowingly were transmitting information to advertisers, because the communication at issue either was sent to Facebook or to third party advertisers. As explained by the court:

Under either interpretation, Plaintiffs fail to state a claim under the Stored Communications Act. If the communications were sent to Defendant, then Defendant was their “addressee or intended recipient,” and thus was permitted to divulge the communications to advertisers so long as it had its own “lawful consent” to do so. 18 U.S.C. § 2702(b)(3). In the alternative, if the communications were sent to advertisers, then the advertisers were their addressees or intended recipients, and Defendant was permitted to divulge the communications to them. Id. § 2702(b)(1).48

Plaintiffs' Title I claim against Facebook likewise suffered from a similar defect in that case. The court ruled that a Wiretap Act claim may not be maintained where an allegedly unauthorized interception was either permitted by the statute or not made by the electronic communication service

44 18 U.S.C.A. § 2702(a)(1).

45 18 U.S.C.A. § 2702(b)(1).

46 18 U.S.C.A. § 2702(b)(3).

47 In re Facebook Privacy Litig., 791 F. Supp. 2d 705 (N.D. Cal. 2011), aff'd in part, rev'd in part, on other grounds, 572 F. App'x 494 (9th Cir. 2014) (affirming dismissal of plaintiffs' UCL claim and reversing dismissal of their breach of contract and fraud claims; plaintiffs did not appeal the dismissal of their ECPA claims).

48 In re Facebook Privacy Litig., 791 F. Supp. 2d 705, 713–14 (N.D. Cal. 2011) (footnote omitted), aff'd in part, rev'd in part, on other grounds, 572 F. App'x 494 (9th Cir. 2014).

itself.49 In Low v. LinkedIn Corp.,50 the court similarly dismissed with prejudice plaintiffs' Stored Communications Act claim under section 2702 based on the allegation that LinkedIn transmitted to third party advertisers and marketers the LinkedIn user ID and the URL of the LinkedIn profile page viewed by a user at the time the user clicked on an advertisement because, even if true, LinkedIn would have been acting as neither an electronic communication service (ECS), such as a provider of email, nor a remote computing service (RCS), which provides computer storage or processing services to the public (analogous to a virtual filing cabinet used by members of the public for offsite storage).51 In so holding, the court explained that LinkedIn IDs were numbers generated by LinkedIn, not user data sent by users for offsite storage and processing. URL addresses of viewed pages similarly were not sent to LinkedIn by plaintiffs for storage or processing.52

Claims under section 2701 of the Stored Communications Act, for unauthorized access (or exceeding authorized access), may fail because they only apply to material in electronic storage when accessed from a facility through which an electronic communication service is provided, which may not apply to data stored and accessed from mobile devices, tablets or personal computers. Section 2701 requires a showing that a defendant accessed without authorization “a facility through which an electronic

49 See In re Facebook Privacy Litig., 791 F. Supp. 2d 705, 712–13 (N.D. Cal. 2011) (dismissing plaintiffs' Title I claim where the communication either was directed from the user to the defendant (in which case the service was the addressee or intended recipient and therefore could disclose the communication to advertisers as long as it had its own lawful consent) or was sent from the user to an advertiser (in which case the advertiser was the addressee or intended recipient), but in either case was not actionable), aff'd in part, rev'd in part, on other grounds, 572 F. App'x 494 (9th Cir. 2014).

50 Low v. LinkedIn Corp., 900 F. Supp. 2d 1010 (N.D. Cal. 2012).

51 The legal regime governing ECS and RCS providers under ECPA is analyzed extensively in section 50.06[4] (service provider obligations in response to third party subpoenas and government search and seizure orders) and also touched on in sections 44.06 and 44.07 (criminal remedies).

52 See Low v. LinkedIn Corp., 900 F. Supp. 2d 1010, 1021-22 (N.D. Cal. 2012).

communication service is provided.”53 “While the computer systems of an email provider, a bulletin board system, or an ISP are uncontroversial examples of facilities that provide electronic communications services to multiple users, . . .”54 courts have held that an individual's computer, laptop or mobile device does not meet the statutory definition of a “facility through which an electronic communication service is provided” within the meaning of the Stored Communications Act.55

Similarly, behavioral advertising claims premised on information stored on user devices will suffer because the data at issue may not be deemed to be in electronic storage. In addition to showing that a defendant intentionally accessed a facility through which an electronic communication service is provided without authorization (or exceeded authorized access), to state a claim under the Stored Communications Act a plaintiff also must show that the defendant, through this unauthorized access, “thereby obtains, alters, or prevents authorized access to a wire or electronic communication while it is in electronic storage . . . .”56 Electronic storage is defined as “(a) any temporary, intermediate storage of a wire or electronic communication incidental to the electronic transmission thereof; and (b) any storage of such communication by an electronic communication service for purposes of backup protection of such communication.”57 Where the information accessed is stored on a user's device (such as a

53 18 U.S.C.A. § 2701(a)(1).

54 In re iPhone Application Litig., 844 F. Supp. 2d 1040, 1057 (N.D. Cal. 2012).

55 See, e.g., Cousineau v. Microsoft Corp., 6 F. Supp. 3d 1167, 1174-75 (W.D. Wash. 2014) (holding that a mobile device is not a facility through which an electronic communications service is provided; explaining that “[t]he fact that the phone not only received but also sent data does not change this result, because nearly all mobile phones transmit data to service providers”); Lazette v. Kulmatycki, 949 F. Supp. 2d 748, 755-56 (N.D. Ohio 2013) (holding that a blackberry mobile device was not a “facility” within the meaning of section 2701(a)(1) in a case brought over an employer's access to a former employee's personal Gmail account; “the g-mail [sic] server, not the blackberry, was the ‘facility.”); In re iPhone Application Litig., 844 F. Supp. 2d 1040, 1057–58 (N.D. Cal. 2012) (operating system for computer, laptop or mobile device); Crowley v. CyberSource Corp., 166 F. Supp. 2d 1263, 1270–71 (N.D. Cal. 2001) (a user's computer); see generally infra § 44.07.

56 18 U.S.C.A. § 2701(a).

57 18 U.S.C.A. § 2510(17).

cookie58 or universally unique device identifier (UUID)59 used in connection with advertising or email stored on a user's own computer60 or personal email stored on a Blackberry mobile device61), the information is not in electronic storage as defined in the Act.62 As explained by one court, “[t]itle II deals only with facilities operated by electronic communications services such as ‘electronic bulletin boards’ and ‘computer mail facilit[ies],’ and the risk that communications temporarily stored in these facilities could be accessed by hackers.”63 In other words, email stored on Gmail, Hotmail or Yahoo! servers or private messages stored on Facebook or MySpace servers are different from cookie files or other content stored locally on the hard drive of a user's home or office computer, laptop, tablet or mobile phone.

Even where a prima facie claim may be stated, section 2701 creates an express exclusion for conduct authorized “by a user of that service with respect to a communication of or intended for that user.”64 ECPA defines a user as “any person or entity who (A) uses an electronic communication service;

58 See, e.g., In re Google Inc. Cookie Placement Consumer Privacy Litigation, 988 F. Supp. 2d 434, 447 (D. Del. 2013) (explaining, in connection with dismissing plaintiff's SCA claim, that “[t]here seems to be a consensus that ‘[t]he cookies’ long-term residence on plaintiffs' hard drives places them outside of § 2510(17)'s definition of ‘electronic storage’ and, hence, [the SCA's] protection”); In re iPhone Application Litig., 844 F. Supp. 2d 1040, 1058–59 (N.D. Cal. 2012); In re DoubleClick Inc. Privacy Litig., 154 F. Supp. 2d 497, 512–13 (S.D.N.Y. 2001); In re Toys R Us, Inc. Privacy Litig., No. 00-CV-2746, 2001 WL 34517252, at *4 (N.D. Cal. Oct. 9, 2001).

59 See Yunker v. Pandora Media, Inc., No. 11-CV-03113 JSW, 2013 WL 1282980, at *8–9 (N.D. Cal. Mar. 26, 2013).

60 See, e.g., Hilderman v. Enea TekSci, Inc., 551 F. Supp. 2d 1183, 1204–05 (S.D. Cal. 2008).

61 See Lazette v. Kulmatycki, 949 F. Supp. 2d 748, 758 (N.D. Ohio 2013) (denying defendants’ motion to dismiss but holding that the plaintiff could not prevail to the extent that she sought to recover “based on a claim that Kulmatycki violated the SCA when he accessed e-mails which she had opened but not deleted. Such e-mails were not in ‘backup’ status as § 2510(17)(B) uses that term or ‘electronic storage’ as § 2701(a) uses that term.”).

62 See generally supra § 44.07 (analyzing the issue in greater detail).

63 In re DoubleClick Inc. Privacy Litig., 154 F. Supp. 2d 497, 512–13 (S.D.N.Y. 2001) (cookie files stored on a user's computer).

64 18 U.S.C.A. § 2701(c)(2).

and (B) is duly authorized by the provider of such service to engage in such use.”65 Accordingly, courts have held that App providers and websites that accessed personal information from mobile phones or website cookies were users within the meaning of ECPA (and any disclosure of personal information therefore was authorized and not actionable).66 For purposes of ECPA, consumers or other end users are not the users referenced by the statute.67 In the nomenclature of the

65 18 U.S.C.A. § 2510(13).

66 See, e.g., In re iPhone Application Litig., 844 F. Supp. 2d 1040, 1060 (N.D. Cal. 2012) (holding that “because the communications [personal information stored on user iPhones, accessed by App providers when users downloaded and installed Apps on their phones] were directed at the App providers, the App providers were authorized to disclose the contents of those communications to the Mobile Industry Defendants.”); In re Zynga Privacy Litig., No. C 10-04680 JWW, 2011 WL 7479170, at *2 (N.D. Cal. June 15, 2011) (dismissing plaintiffs' Wiretap and Stored Communications Act claims under Titles I and II of ECPA, with leave to amend, where “the electronic communications in question were sent to Defendant itself, to Facebook, or to advertisers, but both Acts exempt addressees or intended recipients of electronic communications from liability for disclosing those communications.”); In re DoubleClick Inc. Privacy Litig., 154 F. Supp. 2d 497, 508–09 (S.D.N.Y. 2001) (holding that DoubleClick-affiliated websites are users under the statute and therefore authorized to disclose any data sent to them).

67 In re DoubleClick Inc. Privacy Litig., 154 F. Supp. 2d 497, 509 (S.D.N.Y. 2001) (noting that the definition of user refers to a person or entity). In In re iPhone Application Litig., 844 F. Supp. 2d 1040 (N.D. Cal. 2012), the court held that certain mobile advertising providers, but not Apple itself, were authorized recipients of personal information pursuant to section 2701(c). The court explained:

Plaintiffs allege that Apple itself caused a log of geolocation data to be generated and stored, and that Apple designed the iPhone to collect and send this data to Apple's servers . . . . Apple, however, is neither an electronic communications service provider, nor is it a party to the electronic communication between a user's iPhone and a cellular tower or WiFi tower. Thus, the Court fails to see how Apple can avail itself of the statutory exception by creating its own, secondary communication with the iPhone. With respect to the Mobile Industry Defendants, Plaintiffs allege that when users download and install Apps on their iPhones, the Mobile Industry Defendants' software accesses personal information on those devices and sends that information to Defendants . . . . Thus, the App providers are akin to the web sites deemed to be “users” in In re DoubleClick, and the communications at issue were sent to the App providers. See 154 F. Supp. 2d at 508–09. Thus, because the communications were directed at the App providers, the App providers were authorized to disclose the contents of those communications to the Mobile Industry Defendants. The Mobile Industry Defendants' actions therefore fall within the statutory exception of the SCA.

In re iPhone Application Litig., 844 F. Supp. 2d 1040, 1060 (N.D. Cal. 2012).

statute, end users, or consumers, are referred to as customers or subscribers.68

In addition to user authorization, both Title I and Title II of ECPA create express exceptions where consent has been obtained from customers or subscribers.69 Customer or subscriber consent may be obtained through assent to the provisions of a Privacy Policy or Terms of Use and thereby provide a defense in litigation. As noted in the House Report, a subscriber who places a communication on a computer ‘electronic bulletin board,’ with a reasonable basis for knowing that such communications are freely made available to the public, should be considered to have given consent to the disclosure or use of the communication. If conditions governing disclosure or use are spelled out in the rules of an electronic communication service, and those rules are available to users or in contracts for the provision of such services, it would be appropriate to imply consent on the part of a user to disclosures or uses consistent with those rules.70 Courts have entered judgment for the defendant or dismissed putative privacy class action suits where consent was inferred from TOU or a Privacy Policy.71

In contrast to Title II, Title I addresses communications in

68 See infra § 50.06[4] (analyzing ECPA in greater detail).

69 See 18 U.S.C.A. §§ 2511(2)(d), 2511(3)(b)(ii), 2702(b)(3).

70 H.R. Rep. No. 99-647, 99th Cong., 2d Sess. 66 (1986).

71 See, e.g., Cain v. Redbox Automated Retail, LLC, No. 12-CV-15014, 2015 WL 5728834 (E.D. Mich. Sept. 30, 2015) (granting summary judgment in favor of Redbox on plaintiffs' Michigan Video Rental Privacy Act, breach of contract and unjust enrichment claims in a putative class action suit where the plaintiffs provided written permission to Redbox to allow it to disclose information as set forth in its Privacy Policy); Garcia v. Enterprise Holdings, Inc., 78 F. Supp. 3d 1125, 1135-37 (N.D. Cal. 2015) (dismissing plaintiff's California Invasion of Privacy Act claim with leave to amend where the defendant—app provider's Terms of Use and Privacy Policy provided consent for the alleged disclosures); In re Yahoo Mail Litigation, 7 F. Supp. 3d 1016, 1027-31 (N.D. Cal. 2014) (granting defendant's motion to dismiss with prejudice plaintiffs' Wiretap Act claim based on the allegation that Yahoo scanned and analyzed emails to provide personal product features and targeted advertising, detect spam and abuse, create user profiles, and share information with third parties, and stored email messages for future use based on explicit consent set forth in the Yahoo Global Communications Additional Terms of Service for Yahoo Mail and Yahoo Messenger agreement); Perkins v. LinkedIn Corp., 53 F. Supp. 2d 1190 (N.D. Cal. 2014) (dismissing Wiretap Act and SCA claims because plaintiffs consented to LinkedIn's collection of email addresses from users' contact lists through LinkedIn's disclosure statements); Del Vecchio v. Amazon.com, Inc., No. C11-366-RSL, 2011 WL 6325910 (W.D.

transit (or temporary, intermediate storage). In In re iPhone Application Litigation,72 the court held that geolocation data

Wash. Dec. 1, 2011) (dismissing, with leave to amend, a trespass and CFAA claim based on the alleged use of browser and flash cookies where, among other things, the potential use of browser and flash cookies was disclosed to users in the defendant's “Conditions of Use and Privacy Notice”); Kirch v. Embarq Management Co., No. 10-2047-JAR, 2011 WL 3651359, at *7–9 (D. Kan. Aug. 19, 2011) (holding, in granting summary judgment for the defendant, that the plaintiffs consented to the use by third parties of their de-identified web-browsing behavior when they accessed the Internet under the terms of Embarq's Privacy Policy, which was incorporated by reference into its Activation Agreement, and which provided that de-identified information could be shared with third parties and that the Agreement could be modified; and because the Policy was amended in advance of the NebuAd test to expressly disclose the use and allow users to opt out by clicking on a hypertext link), aff'd on other grounds, 702 F.3d 1245 (10th Cir. 2012), cert. denied, 133 S. Ct. 2743 (2013); Deering v. CenturyTel, Inc., No. CV-10-63-BLG-RFC, 2011 WL 1842859 (D. Mont. May 16, 2011) (dismissing plaintiff's ECPA claim based on the terms of defendant's privacy policy and an email sent to subscribers advising them that the Policy had been updated, in a putative class action suit over sharing of cookie and web beacon data); Mortensen v. Bresnan Communication, LLC, No. CV 10-13-BLG-RFC, 2010 WL 5140454 (D. Mont. Dec. 13, 2010) (dismissing plaintiff's ECPA claim where the defendant-ISP provided notice to consumers in its Privacy Notice and Subscriber Agreement that their electronic transmissions might be monitored and would in fact be transferred to third parties, and also provided specific notice via a link on its website of its use of the NebuAd Appliance to transfer data to NebuAd and of subscribers' right to opt out of the data transfer (via a link in that notice)), vacated on other grounds, 722 F.3d 1151 (9th Cir. 2013) (holding that the lower court erred in declining to compel arbitration); supra § 26.14[2] (analyzing these cases). But see In re Google Inc. Gmail Litig., Case No. 13–MD–02430–LHK, 2013 WL 5423918, at *12-15 (N.D. Cal. Sept. 26, 2013) (denying Google's motion to dismiss based on the court's finding that it did not have express or implied consent within the meaning of 18 U.S.C.A. § 2511(2)(d) to intercept incoming email to create profiles to send targeted advertising to recipients based on its Terms of Service and Privacy Policy); In re iPhone Application Litig., 844 F. Supp. 2d 1040, 1076–77 (N.D. Cal. 2012) (denying plaintiffs' motion to dismiss claims in a putative class action suit where the court found some ambiguity in the defendant's Terms and Conditions). Consent also may be relevant to the issue of class certification. See, e.g., Sherman v. Yahoo! Inc., No. 13cv0041–GPC–WVG, 2015 WL 5604400 (S.D. Cal. Sept. 23, 2015) (denying class certification in a TCPA case based in part on individualized issues of consent); In re Google Inc. Gmail Litigation, Case No. 13–MD–02430–LHK, 2014 WL 1102660 (N.D. Cal. Mar. 18, 2014) (denying class certification because “consent must be litigated on an individual, rather than classwide basis.”).

72 In re iPhone Application Litig., 844 F. Supp. 2d 1040, 1059 (N.D. Cal. 2012).

stored for up to a one-year time period did not amount to “temporary, intermediate storage . . . incidental to the electronic transmission . . .” of an electronic communication.73

Title I claims also may fail where they are brought over information that is “readily accessible to the general public,”74 such as material posted on a website75 or on a publicly accessible area of a social network profile page. In some cases, such as those involving social media, the information at issue was intended to be shared or was not otherwise actually private. By contrast, the Ninth Circuit has held that payload data transmitted over unencrypted Wi-Fi networks that was inadvertently collected by Google on public roads, incident to capturing photographs for its free Street View service, was not “readily accessible to the public.”76

Given the number of parties involved in behavioral advertising, some suits have sought to hold defendants liable for third party practices. Where direct liability cannot be established under ECPA, however, civil claims may not be maintained based on aider and abettor, conspiracy or secondary liability, at least not under Title I.77

To state a civil claim for a CFAA violation, a plaintiff must

73 18 U.S.C.A. § 2510(17).

74 See 18 U.S.C.A. § 2511(2)(g)(i) (“It shall not be unlawful under . . . chapter 121 of this title for any person—(i) to intercept or access an electronic communication made through an electronic communication system that is configured so that such electronic communication is readily accessible to the general public . . . .”).

75 See, e.g., Snow v. DirecTV, Inc., 450 F.3d 1314, 1320–21 (11th Cir. 2006) (dismissing an SCA claim brought by an operator of an online bulletin board based on access to a website that was publicly accessible).

76 See Joffe v. Google, Inc., 746 F.3d 920, 926-35 (9th Cir. 2013) (affirming the district court's ruling that data transmitted over a Wi–Fi network is not a “radio communication” under the Wiretap Act, and thus could not qualify under the exemption for electronic communications that were “readily accessible to the general public”), cert. denied, 134 S. Ct. 2877 (2014); see generally infra § 44.06[1] (discussing the case and criticizing the Ninth Circuit's holding).

77 See, e.g., Peavy v. WFAA-TV, Inc., 221 F.3d 158, 168–69 (5th Cir. 2000), cert. denied, 532 U.S. 1051 (2001); Doe v. GTE Corp., 347 F.3d 655, 658 (7th Cir. 2003) (“[N]othing in the statute condemns assistants, as opposed to those who directly perpetrate the act.”); Reynolds v. Spears, 93 F.3d 428, 432–33 (8th Cir. 1996); Freeman v. DirecTV, Inc., 457 F.3d 1001, 1005-06 (9th Cir. 2006) (rejecting the argument that “a person or

allege $5000 in damages,78 which is a threshold that bars many privacy claims—especially those based on behavioral advertising where there is no economic loss or injury or merely de minimis damage. The $5,000 threshold requirement alone has proven to be an insurmountable bar in many data privacy cases.79 Courts also have been reluctant to treat the disclosure of personal information as having economic

entity who aids and abets or who enters into a conspiracy is someone or something that is ‘engaged’ in a violation.”); Kirch v. Embarq Management Co., 702 F.3d 1245, 1246-47 (10th Cir. 2012) (holding that section 2520 “does not impose civil liability on aiders or abettors.”), cert. denied, 133 S. Ct. 2743 (2013); In re: Carrier IQ, Inc. Consumer Litig., 78 F. Supp. 3d 1051, 1089-90 (N.D. Cal. 2015) (dismissing plaintiffs' Wiretap Act claim where plaintiffs did not allege that the device manufacturers acquired the contents of any of plaintiffs' communications because “there is simply no secondary liability (such as aiding and abetting) under the ECPA”); Byrd v. Aaron's, Inc., 14 F. Supp. 3d 667, 675 (W.D. Pa. 2014) (dismissing plaintiff's claim of conspiracy to commit ECPA violations because “secondary liability no longer exists under the current statutory structure of the ECPA.”); Shefts v. Petrakis, 954 F. Supp. 2d 769, 774-76 (C.D. Ill. 2013) (granting summary judgment because “Defendant Morgan cannot be held liable under the ECPA under ‘procurement,’ ‘agency,’ ‘conspiracy,’ or any other ‘secondary’ theories of liability . . . .”); Council on American-Islamic Relations Action Network, Inc. v. Gaubatz, 891 F. Supp. 2d 13, 23–24 (D.D.C. 2012) (holding that there is no cause of action under ECPA for secondary liability, aiding and abetting liability or liability for procuring a primary violation (which existed prior to the 1986 amendments to the statute)); Perkins-Carillo v. Systemax, Inc., No. 03-2836, 2006 WL 1553957 (N.D. Ga. May 26, 2006); see generally infra § 44.06[1].

78 18 U.S.C.A. §§ 1030(c)(4)(A)(i), 1030(g). A civil CFAA claim where $5,000 in damages need not be shown may be made on limited grounds generally not applicable to data privacy cases. See id.; infra § 44.08[1] (analyzing the statutory provisions in greater detail).

79 See, e.g., In re Google Android Consumer Privacy Litig., No. 11–MD–02264 JSW, 2014 WL 988889, at *4 (N.D. Cal. Mar. 10, 2014) (dismissing plaintiff's amended CFAA claim without leave to amend based on plaintiffs' inability to allege $5,000 in damages based on diminished battery life and data plan use); In re Google Inc. Cookie Placement Consumer Privacy Litigation, 988 F. Supp. 2d 434, 447-48 (D. Del. 2013) (granting defendants' motions to dismiss, including a claim brought under the CFAA for failure to allege the threshold loss of $5,000 required to state a civil claim under the CFAA); In re Google Android Consumer Privacy Litig., No. 11-MD-02264, 2013 WL 1283236, at *7 (N.D. Cal. Mar. 26, 2013) (dismissing plaintiff's CFAA claim in a suit brought over the alleged sharing of information between the Android Market and advertisers, with leave to amend); Yunker v. Pandora Media, Inc., No. 11-CV-03113 JSW, 2013 WL 1282980, at *10 (N.D. Cal. Mar. 26, 2013) (dismissing with leave to amend plaintiff's CFAA claim in a behavioral advertising putative class action suit where the plaintiff alleged diminished memory storage but did not allege $5,000 in damages); In re iPhone Application Litig., 844

value,80 at least in the absence of any evidence to the contrary.

F. Supp. 2d 1040, 1066–67 (N.D. Cal. 2012) (dismissing with prejudice plaintiffs' CFAA claim premised on the cost of memory space on class members' iPhones as a result of storing allegedly unauthorized geolocation data); Del Vecchio v. Amazon.com, Inc., No. C11–366RSL, 2012 WL 1997697 (W.D. Wash. Jun. 1, 2012) (dismissing with prejudice plaintiff's CFAA claim for failure to allege $5,000 in damages); Del Vecchio v. Amazon.com, Inc., No. C11-366-RSL, 2011 WL 6325910, at *4 (W.D. Wash. Dec. 1, 2011) (dismissing, with leave to amend, a CFAA claim based on the alleged use of browser and flash cookies for failure to allege $5,000 in damages or any injury, and questioning in dicta whether plaintiffs, in an amended complaint, could allege unauthorized access under the CFAA where the use of browser and flash cookies was disclosed to users in the defendant's “Conditions of Use and Privacy Notice”); Bose v. Interclick, Inc., No. 10 Civ. 9183, 2011 WL 4343517 (S.D.N.Y. Aug. 17, 2011) (dismissing with prejudice a CFAA claim alleging general impairment to the value of plaintiff's computer in a putative behavioral advertising class action suit); LaCourt v. Specific Media, Inc., No. SACV 10-1256-GW (JCGx), 2011 WL 1661532 (C.D. Cal. Apr. 28, 2011); Czech v. Wall Street on Demand, Inc., 674 F. Supp. 2d 1102 (D. Minn. 2009) (dismissing a class action based on allegedly unauthorized text messages sent to plaintiffs' phones where plaintiffs merely alleged in conclusory fashion that the unwanted text messages depleted RAM and ROM, causing phone functions to slow down and lock up, caused phones to shut down, reboot or reformat their memory, interfered with bandwidth and hard drive capacity); Fink v. Time Warner Cable, No. 08 Civ. 9628 (LTS) (KNF), 2009 WL 2207920, at *4 (S.D.N.Y. July 23, 2009) (dismissing a CFAA claim because the plaintiff merely alleged damage by “impairing the integrity or availability of data and information,” which was “insufficiently factual to frame plausibly the damage element of Plaintiff's CFAA claim”); In re DoubleClick Inc. Privacy Litig., 154 F. Supp. 2d 497 (S.D.N.Y. 2001); see generally supra § 5.06 (CFAA case law on database law and screen scraping); infra § 44.08 (analyzing the CFAA and case law construing it in greater detail).

80 See, e.g., In re iPhone Application Litig., 844 F. Supp. 2d 1040, 1068 (N.D. Cal. 2012); Del Vecchio v. Amazon.com, Inc., No. C11-366-RSL, 2011 WL 6325910, at *3 (W.D. Wash. Dec. 1, 2011) (dismissing plaintiff's CFAA claim, with leave to amend, noting that “[w]hile it may be theoretically possible that Plaintiffs' information could lose value as a result of its collection and use by Defendant, Plaintiffs do not plead any facts from which the Court can reasonably infer that such devaluation occurred in this case.”); Bose v. Interclick, Inc., No. 10 Civ. 9183, 2011 WL 4343517, at *4 (S.D.N.Y. Aug. 17, 2011) (dismissing plaintiff's CFAA claim with prejudice; holding that “[t]he collection of demographic information does not constitute damage to consumers or unjust enrichment to collectors.”); In re Zynga Privacy Litig., No. C 10-04680 JWW, 2011 WL 7479170, at *3 (N.D. Cal. June 15, 2011) (dismissing plaintiffs' CFAA claim with prejudice where plaintiffs offered “no legal authority in support of the theory that personally identifiable information constitutes a form of money or property.”).


To state a CFAA claim, a plaintiff also must establish that a defendant accessed a protected computer “without authorization” or “exceeded authorized access.”81 At least in the Fourth and Ninth Circuits, however, CFAA violations premised on use (rather than access) restrictions in a Privacy Policy, Terms of Use or company policy would not be viable.82 Authorization similarly may be difficult to show in some data privacy cases where the plaintiff voluntarily downloaded the application that is challenged in the litigation.83 In In re iPhone Application Litigation,84 a CFAA claim was dismissed for the further reason that the allegation that Apple had failed to enforce its privacy policy against third party App providers, who made Apps available through Apple's iStore, was barred because a negligent software design cannot serve as the basis of a CFAA claim.85

81 18 U.S.C.A. § 1030(a)(4); see generally infra § 44.08[1] (analyzing the CFAA in greater detail).

82 See WEC Carolina Energy Solutions, LLC v. Miller, 687 F.3d 199 (4th Cir. 2012), cert. dismissed, 133 S. Ct. 831 (2013); U.S. v. Nosal, 676 F.3d 854 (9th Cir. 2012) (en banc); infra § 44.08[1] (analyzing this issue in greater detail).

83 See In re iPhone Application Litig., 844 F. Supp. 2d 1040, 1066 (N.D. Cal. 2012) (dismissing with prejudice plaintiffs' CFAA claim against the “iDevice class” premised on Apple's alleged practice of using iDevices to retain location history files because, among other things, plaintiffs voluntarily downloaded the software at issue and therefore Apple could not have accessed the devices without authorization); see id. at 1068 (dismissing with prejudice claims against the “geolocation class” where “the software or ‘apps’ that allegedly harmed the phone were voluntarily downloaded by the user . . . .”). In the iPhone Application Litigation case, the court noted in dicta that “Apple arguably exceeded its authority when it continued to collect geolocation data from Plaintiffs after Plaintiffs had switched the Location Services setting to ‘off,’ . . .” but dismissed plaintiffs' claim because they had sued for lack of authorization, not exceeding authorized access. See id. at 1066.

84 In re iPhone Application Litig., Case No. 11-MD-02250-LHK, 2011 WL 4403963 (N.D. Cal. Sept. 20, 2011).

85 In re iPhone Application Litig., Case No. 11-MD-02250-LHK, 2011 WL 4403963, at *11 (N.D. Cal. Sept. 20, 2011), citing 18 U.S.C. § 1030(g) (“No cause of action may be brought under this subsection for the negligent design or manufacture of computer hardware, computer software, or firmware.”).

Claims under the Video Privacy Protection Act may be brought against a “video tape service provider who knowingly discloses, to any person, personally identifiable information” about the consumer.86 However, an online video is not necessarily a video tape. The statutory definition of a video tape service provider appears to be limited to providers of audio visual and video works in tangible media, not works distributed electronically. The definition generally applies to any person engaged in the business of “rental, sales or delivery of prerecorded video cassette tapes or similar audio visual materials . . . .”87 The Senate Report accompanying the bill clarifies that “similar audio visual materials” include such things as “laser discs, open-reel movies, or CDI technology . . .,”88 which was a technology for delivering movies on CD-like disks. All of these materials involve video stored on tangible media. Nevertheless, this argument has not been made in litigation. A magistrate judge allowed one VPPA behavioral advertising putative class action suit to proceed in an unreported opinion against Hulu where the arguments advanced here were not raised,89 while in most other cases the issue of the applicability of the VPPA to online video players has not even been addressed.90 A number of VPPA suits have resulted in defense judgments, however, because a plaintiff must show a knowing disclosure,91 because the recipient of a knowing disclosure falls within the list of statutory exceptions, because the information disclosed does not qualify as PII under the VPPA's statutory definition92 or because a cause of action under the VPPA may only be

86 See 18 U.S.C.A. § 2710(b)(1); see generally supra § 26.13[10].

87 See 18 U.S.C.A. § 2710(a)(4).

88 S. Rep. No. 100-599, 100th Cong. 2d Sess. 9, 12 (1988), reprinted in 1988 U.S.C.C.A.N. 4342-1, 3435-9 to 3435-10.

89 In re Hulu Privacy Litig., No. C 11-03764 LB, 2012 WL 3282960 (N.D. Cal. Aug. 10, 2012).

90 See, e.g., Mollett v. Netflix, Inc., 795 F.3d 1062 (9th Cir. 2015); see generally supra § 26.13[10] (analyzing Netflix and more recent case law in greater detail).

91 See In re: Hulu Privacy Litig., 86 F. Supp. 3d 1090 (N.D. Cal. 2015) (granting summary judgment for Hulu because there was no evidence of knowledge); see generally supra § 26.13[10] (analyzing the VPPA in greater detail).

92 See, e.g., Locklear v. Dow Jones & Co., — F. Supp. 3d —, 2015 WL 1730068, at *4-6 (N.D. Ga. 2015); In re Nickelodeon Consumer Privacy Litig., Case Nos. 12–07829, 13–03755, 13–03729, 13–03757, 13–03731, 13–03756, 2015 WL 248334, at *3 (D.N.J. Jan. 20, 2015); Ellis v. Cartoon Network, Inc., No. 1:14–cv–484–TWT, 2014 WL 5023535, at *3 (N.D. Ga. Oct. 8, 2014) (dismissing plaintiff's Video Privacy Protection Act claim because an Android ID is not “personally identifiable information”), aff'd

maintained for knowing disclosures, not the failure to delete information within the statutorily prescribed time limit.93 Several suits also have been dismissed because users of mobile apps or website video players frequently do not qualify as consumers eligible to sue under the statute.94

Because alleged cloud-based privacy concerns do not fit well within the confines of anti-hacking statutes or other narrow federal privacy statutes, plaintiffs' lawyers may seek federal jurisdiction under the Class Action Fairness Act (CAFA).95 Under CAFA, federal jurisdiction is permissible where more than two-thirds of the members of the putative class are alleged to be citizens of states other than that of the named plaintiff and the amount of damages alleged exceeds $5 million dollars. Even where plaintiff's counsel alleges the existence of a class of millions of people, the $5 million bar may be difficult to meet in a case where there has been no economic injury. If the named plaintiffs cannot meet the $5,000 threshold to state a CFAA claim, for example, a potential class of similarly situated parties who also have not been injured may not meet CAFA's $5 million threshold.96 State law claims may suffer from some of the same defects

on other grounds, — F.3d —, 2015 WL 5904760 (11th Cir. 2015); see generally supra § 26.13[10] (analyzing these cases).

93 See Daniel v. Cantrell, 375 F.3d 377, 384-85 (6th Cir. 2004) (holding that “only § 2710(b) can form the basis of liability.”); Sterk v. Redbox Automated Retail, LLC, 672 F.3d 535, 538-39 (7th Cir. 2012); Rodriguez v. Sony Computer Entertainment America, LLC, — F.3d —, 2015 WL 5166788, at *5-7 (9th Cir. 2015); In re Nickelodeon Consumer Privacy Litigation, Case Nos. Civ. A. 12-07829, Civ. A. 13-03729, Civ. A. 13-03731, Civ. A. 13-03755, Civ. A. 13-03756, Civ. A. 13-03757, 2014 WL 3012873, at *5-7 (D.N.J. July 2, 2014); see generally supra § 26.13[10] (analyzing these cases).

94 A consumer is “any renter, purchaser, or subscriber of goods or services from a video tape service provider . . . .” 18 U.S.C.A. § 2710(a)(1). Users of free services are not renters or purchasers and frequently may not qualify as subscribers if they merely downloaded a free app or visited a website. See, e.g., Ellis v. Cartoon Network, Inc., — F.3d —, 2015 WL 5904760, at *4-6 (11th Cir. 2015); Yershov v. Gannett Satellite Information Network, Inc., — F. Supp. 3d —, 2015 WL 2340752, at *9-10 (D. Mass. 2015); Austin-Spearman v. AMC Network Entertainment LLC, — F. Supp. 3d —, 2015 WL 1539052, at *6-8 (S.D.N.Y. 2015); see generally supra § 26.13[10] (analyzing the VPPA in greater detail).

95 28 U.S.C.A. § 1332(d).

96 See Ian C. Ballon & Wendy Mantell, Suing Over Data Privacy and Behavioral Advertising, ABA Class Actions, Vol. 21, No. 4 (Summer 2011).

as federal claims in cases where there is no injury or actual damage or where consent has been obtained or notice provided in Terms of Use or a Privacy Policy. For example, to maintain a state law breach of contract claim, plaintiffs generally must be able to plead and prove actual injury and damage97 (although in the Ninth Circuit plaintiffs may be able to plead diminishment of the market value of personal information98).

97 See, e.g., Svenson v. Google Inc., 65 F. Supp. 2d 717, 724–25 (N.D. Cal. 2014) (dismissing plaintiff's breach of contract claim with leave to amend for failing to sufficiently allege damage where “Plaintiff has not alleged any facts showing that Defendants' business practice—disclosing users' Contact Information to third-party App vendors—changed her economic position at all.”); Yunker v. Pandora Media, Inc., No. 11-CV-03113 JSW, 2013 WL 1282980, at *13 (N.D. Cal. Mar. 26, 2013) (dismissing plaintiff's breach of privacy policy claim with leave to amend where the plaintiff failed to allege “actual and appreciable damage based on the collection and dissemination of his PII.”); Rudgayzer v. Yahoo! Inc., No. 5:12-CV-01399 EJD, 2012 WL 5471149, at *7 (N.D. Cal. Nov. 9, 2012) (dismissing plaintiff's suit alleging breach of contract because his first and last name was disclosed in the “from” line of his Yahoo! email account where “an allegation of the disclosure of personal or private information does not constitute actionable damage for a breach of contract claim.”); Low v. LinkedIn Corp., 900 F. Supp. 2d 1010, 1028-29 (N.D. Cal. 2012) (dismissing plaintiffs' contract claim with prejudice because emotional and physical distress damages are not recoverable for breach of contract under California law and because the unauthorized collection of personal information does not create economic loss and plaintiffs did not allege that the collection foreclosed their opportunities to capitalize on the value of their personal information or diminished its value); In re Zynga Privacy Litig., No. C 10-04680 JWW, 2011 WL 7479170, at *2 (N.D. Cal. June 15, 2011) (dismissing plaintiffs' breach of contract claim because California law requires a showing of “appreciable harm and actual damage” to assert such a claim).

98 See In re Facebook Privacy Litig., 572 F. App'x 494 (9th Cir. 2014) (reversing dismissal of plaintiffs' breach of contract claim because alleging that plaintiffs “were harmed both by the dissemination of their personal information and by losing the sales value of that information” was sufficient to state a claim under California law), rev'g, 791 F. Supp. 2d 705, 717 (N.D. Cal. 2011) (dismissing plaintiffs' contract claim because the unauthorized collection of information by a third party does not amount to an economic loss); Svenson v. Google Inc., Case No. 13–cv–04080–BLF, 2015 WL 1503429, at *4-5 (N.D. Cal. Apr. 1, 2015) (denying defendant's motion to dismiss breach of contract claim under the benefit of the bargain and diminution of value of personal information theories, where the plaintiff alleged (1) a contract for each Google Wallet transaction whereby she would receive payment processing service that would facilitate her Play Store purchase while keeping her private information confidential in all but specific circumstances under which disclosure was authorized, and


A claim for breach of the implied duty of good faith and fair dealing based on privacy violations may similarly be defective if the claim is merely duplicative of a plaintiff's breach of contract claim or contradicted by the plain terms of the contract.99 State computer crime statutes may not provide grounds for relief in a case where there has been no economic harm.100 Even specialized statutes intended to make it easy for plaintiff's counsel to bring consumer class action cases may not be well suited to data privacy suits based on behavioral advertising or other perceived privacy violations where there is no quantifiable harm or only de minimis damage. For example, the California Legal Remedies Act,101 which provides a potential remedy to consumers for damages suffered in connection with a consumer transaction, defines a consumer as an individual who purchases or leases any goods or services for personal, family or household purposes.102 A

(2) the existence of a market for personal information where the value of her information was diminished by Google's alleged use).

Some of the theories alleged by plaintiffs' counsel to survive motions to dismiss would likely be difficult if not impossible to prove at trial or on summary judgment. Cf. Yunker v. Pandora Media, Inc., No. 11–CV–03113 JSW, 2014 WL 988833, at *5 (N.D. Cal. Mar. 10, 2014) (denying defendant's motion to dismiss plaintiff's amended breach of contract claim, but noting that “Plaintiffs may face an uphill battle proving this claim”).

99 See, e.g., Svenson v. Google Inc., 65 F. Supp. 2d 717, 725-26 (N.D. Cal. 2014) (dismissing plaintiff's breach of the implied duty of good faith and fair dealing claim as duplicative of her breach of contract claim); see also Song Fi Inc. v. Google, Inc., — F. Supp. 3d —, 2015 WL 3624335, at *5 (N.D. Cal. 2015) (granting Google's motion to dismiss claims for breach of YouTube's Terms of Service and breach of the duty of good faith and fair dealing arising out of plaintiffs' removal of a video where the Terms of Service permitted YouTube to remove the video “and eliminate its view count, likes, and comments”; “if defendants were given the right to do what they did by the express provisions of the contract there can be no breach [of the duty of good faith and fair dealing].”).

100 See, e.g., In re Nickelodeon Consumer Privacy Litig., Case Nos. 12–07829, 13–03755, 13–03729, 13–03757, 13–03731, 13–03756, 2015 WL 248334, at *4-5 (D.N.J. Jan. 20, 2015) (dismissing with prejudice plaintiffs' claims under the New Jersey Computer Related Offenses Act (CROA), N.J. Stat. Ann. § 2A:38A–3, an anti-hacking statute, because even if it was potentially applicable, plaintiffs could not “allege ‘business or property’ damage stemming from Defendants' conduct.”).

101 Cal. Civil Code §§ 1750 et seq.; see generally supra § 25.04[3] (analyzing the statute).

102 Schauer v. Mandarin Gems of California, Inc., 125 Cal. App. 4th


CLRA claim therefore may not be maintained where a plaintiff seeks a remedy from a free Internet site or free app where no purchase has been made,103 although a Ninth Circuit panel, in an unreported decision, allowed a CLRA claim to proceed premised on the lost sales value of personal information.104 Some courts have also suggested that a CLRA claim may not be made when based on the collection of information by software, as opposed to the sale of goods or services.105 A CLRA claim also may fail where the plaintiffs cannot allege reliance (for example, when a CLRA claim is

949, 960, 23 Cal. Rptr. 3d 233 (4th Dist. 2005).

103 See In re Google Inc. Cookie Placement Consumer Privacy Litigation, 988 F. Supp. 2d 434, 451 (D. Del. 2013) (rejecting the argument that plaintiff's personal information constituted a form of payment to Google; dismissing plaintiffs' claim); Yunker v. Pandora Media, Inc., No. 11-CV-03113 JSW, 2013 WL 1282980, at *12 (N.D. Cal. Mar. 26, 2013) (rejecting the argument that the plaintiff “purchased” Pandora's services by providing his PII and holding that plaintiff failed to allege he was a “consumer” within the meaning of the CLRA; granting Pandora's motion to dismiss with leave to amend); In re Zynga Privacy Litig., No. C 10-04680 JWW, 2011 WL 7479170, at *2 (N.D. Cal. June 15, 2011) (dismissing plaintiffs' CLRA claim, with leave to amend, because a CLRA claim may only be brought by someone who purchases or leases goods or services but the plaintiff alleged that the defendant's services were offered for free). But see In re Sony Gaming Networks and Customer Data Security Breach Litig., 996 F. Supp. 2d 942, 992 (S.D. Cal. 2014) (holding that a CLRA claim arising out of a security breach of the PlayStation Network could not be premised on plaintiffs' registration for this free service, but could proceed based on omissions about the security of the service at the time they purchased their PlayStation consoles (a good)); In re iPhone Application Litig., 844 F. Supp. 2d 1040, 1070 (N.D. Cal. 2012) (denying defendants' motion to dismiss where plaintiffs in a data privacy putative class action suit, in their amended complaint, did not merely allege that free apps failed to perform as represented but that the value of their iPhones (a good) would have been materially lower if defendants had disclosed how the free apps in fact allegedly operated).

104 See In re Facebook Privacy Litig., 572 F. App'x 494 (9th Cir. 2014) (reversing dismissal with prejudice of plaintiffs' CLRA claim where plaintiffs alleged injuries from the lost sales value of personal information allegedly disseminated to advertisers).

105 See, e.g., Yunker v. Pandora Media, Inc., No. 11-CV-03113 JSW, 2013 WL 1282980, at *13 (N.D. Cal. Mar. 26, 2013) (holding that the Pandora app was not a “good” for purposes of the CLRA); In re iPhone Application Litig., 844 F. Supp. 2d 1040, 1070 (N.D. Cal. 2012) (citing an earlier case for the proposition that software is neither a good nor a service under the CLRA); In re iPhone Application Litig., Case No. 11-MD-02250-LHK, 2011 WL 4403963, at *10 (N.D. Cal. Sept. 20, 2011) (same); see also In re Google Inc. Cookie Placement Consumer Privacy Litigation, 988 F. Supp. 2d 434, 450-51 (D. Del. 2013) (rejecting the argument that

premised on the breach of a privacy policy).106 Claims under California's Invasion of Privacy Act (CIPA)107 or the California Constitution108 likewise will not be actionable, as under ECPA, if premised on non-content data, as opposed to the contents of communications.109 California privacy claims also may not be viable where consent has been obtained110 or where a privacy violation is not substantial.111

Google's advertising constituted a “service” and not software; dismissing plaintiffs' claim).

106 See In re Google, Inc. Privacy Policy Litigation, 58 F. Supp. 3d 968, 982-83 (N.D. Cal. 2014) (dismissing with prejudice plaintiffs' CLRA claim, explaining that “[i]f Nisenbaum and the other members of his subclass did not see, read, hear or consider the terms of Google's then-active privacy policy before creating their account, they could not have relied on any representation it contained in making their decisions to purchase Android phones, and without affirmatively alleging reliance on Google's misrepresentations, the CLRA claim cannot survive.”).

107 California's Invasion of Privacy Act (CIPA), Penal Code § 630, affords a cause of action where a defendant “willfully and without the consent of all parties to the communication, or in any unauthorized manner,” intercepted, used, or disclosed the “contents or meaning” of a “communication” that is “in transit.” Cal. Penal Code § 631(a).

108 See supra § 26.07[2] (analyzing the contours of California's Constitutional right to privacy, as set forth in Article I, Section 1 of the California Constitution).

109 See In re Yahoo Mail Litigation, 7 F. Supp. 3d 1016, 1037-42 (N.D. Cal. 2014) (dismissing with leave to amend plaintiff's claim for a violation of California's constitutional right to privacy where plaintiffs alleged that Yahoo's alleged scanning, storage and disclosure of email content violated their right to privacy); In re Nickelodeon Consumer Privacy Litigation, Case Nos. Civ. A. 12-07829, Civ. A. 13-03729, Civ. A. 13-03731, Civ. A. 13-03755, Civ. A. 13-03756, Civ. A. 13-03757, 2014 WL 3012873, at *17 (D.N.J. July 2, 2014) (dismissing with prejudice plaintiffs' CIPA claim because allegations that Google placed cookies to intercept data could not state a claim where the alleged interception did not involve the contents of any communication); In re Google Inc. Cookie Placement Consumer Privacy Litigation, 988 F. Supp. 2d 434, 444-45 (D. Del. 2013) (dismissing Wiretap and CIPA claims because plaintiffs' allegations did not demonstrate that Google intercepted any contents or meaning).

110 See Garcia v. Enterprise Holdings, Inc., 78 F. Supp. 3d 1125, 1135-37 (N.D. Cal. 2015) (dismissing plaintiff's California Invasion of Privacy Act claim with leave to amend where the defendant—app provider's Terms of Use and Privacy Policy provided consent for the alleged disclosures).

111 See, e.g., Yunker v. Pandora Media, Inc., No. 11–CV–03113 JSW, 2014 WL 988833, at *5-6 (N.D. Cal. Mar. 10, 2014) (dismissing with prejudice plaintiff's claim under the California Constitution based on their inability to allege conduct that was “sufficiently serious in [its] nature, scope, and actual or potential impact to constitute an egregious breach of the social norms underlying the privacy right.”; citation omitted); see generally supra § 26.07[2] (analyzing the California Constitutional right to privacy).

Similarly, California's notoriously-broad unfair competition statute requires a showing of actual injury. That statute—California Business and Professions Code section 17200112—allows claims to be based on violations of statutes that do not expressly create independent causes of action.113 Indeed, under section 17200, “[u]nlawful acts are ‘anything that can properly be called a business practice and that at the same time is forbidden by law . . . be it civil, criminal, federal, state, or municipal, statutory, regulatory, or court-made,’ where court-made law is, ‘for example a violation of a prior court order.’ ”114 A claim under section 17200, however, may not be made absent a showing that a plaintiff “suffered injury in fact and has lost money or property as a result of such unfair competition.”115 Hence, a plaintiff generally may not maintain suit for privacy violations where the plaintiff obtained access to the defendant's service free of charge116 unless the claim may be premised on the value of a product purchased in conjunction with obtaining free services117 or potentially for breach of a statutory duty to adhere to the terms of a company's privacy policy.118 Since many Internet sites and services provide free access, this restriction limits potential unfair competition claims against many of the more popular Internet and social media sites.

Absent injury, statutory unfair competition claims under

112 Cal. Bus. & Prof. §§ 17200 et seq.

113 See, e.g., Kasky v. Nike, Inc., 27 Cal. 4th 939, 950, 119 Cal. Rptr. 2d 296, 304 (2002); Stop Youth Addiction, Inc. v. Lucky Stores, Inc., 17 Cal. 4th 553, 561–67, 71 Cal. Rptr. 2d 731, 736–40 (1998); see generally supra § 25.04[3].

114 Sybersound Records, Inc. v. UAV Corp., 517 F.3d 1137, 1151–52 (9th Cir. 2008), citing National Rural Telecommunications Co-op. v. DIRECTV, Inc., 319 F. Supp. 2d 1059, 1074 n.22 (C.D. Cal. 2003) (quoting Smith v. State Farm Mutual Automobile Ins. Co., 93 Cal. App. 4th 700, 113 Cal. Rptr. 2d 399, 414 (2d Dist. 2001); Saunders v. Superior Court, 27 Cal. App. 4th 832, 33 Cal. Rptr. 2d 438, 441 (2d Dist. 1994) (internal quotations omitted)).

115 Cal. Bus. & Prof. Code § 17200. “An injury in fact is ‘[a]n actual or imminent invasion of a legally protected interest, in contrast to an invasion that is conjectural or hypothetical.” Hall v. Time Inc., 158 Cal. App. 4th 847, 853, 70 Cal. Rptr. 3d 466, 470 (4th Dist. 2008). A plaintiff must show loss of money or property to have standing to seek injunctive relief or restitution. Kwikset Corp. v. Superior Court, 51 Cal. 4th 310, 323-34, 336, 120 Cal. Rptr. 3d 741 (2011); see generally supra § 6.12[6] (analyzing section 17200).

116 See In re Facebook Privacy Litig., 572 F. App'x 494 (9th Cir. 2014) (affirming dismissal with prejudice of plaintiffs' UCL claim where plaintiffs could not allege that they “lost money or property as a result of the unfair competition.”), aff'g, 791 F. Supp. 2d 705, 714-15 (N.D. Cal. 2011) (dismissing with prejudice plaintiffs' UCL claim where plaintiffs alleged that the defendant unlawfully shared their “personally identifiable information” with third-party advertisers because personal information does not constitute property for purposes of a UCL claim; “Because Plaintiffs allege that they received Defendant's services for free, as a matter of law, Plaintiffs cannot state a UCL claim.”); Yunker v. Pandora Media, Inc., No. 11-CV-03113 JSW, 2013 WL 1282980, at *11 (N.D. Cal. Mar. 26, 2013) (dismissing plaintiff's claim with leave to amend where the plaintiff alleged that his PII was diminished in value based on Pandora's alleged use); In re Zynga Privacy Litig., No. C 10-04680 JWW, 2011 WL 7479170, at *2 (N.D. Cal. June 15, 2011) (dismissing plaintiffs' UCL claim, with leave to amend, where plaintiffs did not allege that they lost money as a result of defendants' conduct, but instead merely alleged that defendants shared their personally identifiable information with third party advertisers).

117 See Svenson v. Google Inc., 65 F. Supp. 2d 717, 730 (N.D. Cal. 2014) (dismissing plaintiff's UCL claim with leave to amend for failure to allege economic injury); In re iPhone Application Litig., 844 F. Supp. 2d 1040, 1071–74 (N.D. Cal. 2012) (denying defendants' motion to dismiss in a data privacy putative class action suit where plaintiffs, in their amended complaint, did not merely allege a UCL violation based on alleged information gathering in connection with free apps, but asserted that they purchased their mobile devices based on the availability of thousands of free apps, but would not have done so if the true value of the devices had been disclosed by revealing that the apps allegedly allowed third parties to collect consumers' information).

118 See Svenson v. Google Inc., Case No. 13–cv–04080–BLF, 2015 WL 1503429, at *8-10 (N.D. Cal. Apr. 1, 2015) (denying defendants' motion to dismiss plaintiff's UCL claim, holding that plaintiff stated a claim under both the unlawful and unfairness prongs of the statute by alleging that the defendant failed to adhere to the terms of its own Privacy Policy in violation of Cal. Bus. & Prof. Code § 22576, and plaintiff alleged that defendants' payment processing services were not free because they allegedly retained a portion of the $1.77 app price for each transaction); see generally supra § 26.13[6] (analyzing the duty to post a privacy policy imposed on companies that collect personal information from California residents). In Svenson, the plaintiff pled around In re Facebook Privacy Litig., 572 F. App'x 494 (9th Cir. 2014) (affirming dismissal with prejudice of plaintiffs' UCL claim where plaintiffs could not allege that they “lost money or property as a result of the unfair competition.”) by alleging the existence of a contract and a fee that does not appear to have been plausible in light of the actual written contract entered into by the plaintiff and defendants.

26-360 Data Privacy 26.15 the laws of other states similarly may not be viable.119 Statutory violations framed as unfair competition claims will suer a similar fate. For example, claims for alleged statutory privacy violations—such as a failure to provide no- tice of the right to request information—and unfair competi- tion claims premised on that alleged failure, may be dismissed where no real injury can be pled.120 False advertis- ing claims under California law121 likewise will be dismissed where a plainti cannot show that it has suered injury in

119 See, e.g., Tyler v. Michaels Stores, Inc., 840 F. Supp. 2d 438, 448–51 (D. Mass. 2012) (dismissing a claim under Massachusetts' unfair trade practices statute, Mass. Gen. Laws ch. 93A, § 2 because receiving unwanted mail and other alleged injuries stemming from the defendant's alleged disclosure of her zip code information was not an injury cognizable under chapter 93A); Del Vecchio v. Amazon.com, Inc., No. C11-366-RSL, 2011 WL 6325910, at *5–6 (W.D. Wash. Dec. 1, 2011) (dismissing with leave to amend an unfair competition claim in a putative class action suit over the alleged use of browser and ash cookies because Washington's Consumer Protection Act requires “a specic showing of injury”). 120 See, e.g., In re Sony Gaming Networks and Customer Data Security Breach Litigation, 996 F. Supp. 2d 942, 1009-10 (S.D. Cal. 2014) (dismiss- ing plaintis' section 1789.84(b) claim for economic damages, but allowing plaintis to pursue their injunctive relief claims under section 1798.84(e)); Murray v. Time Inc., No. C 12-00431 JSW, 2012 WL 3634387 (N.D. Cal. Aug. 24, 2012) (dismissing, with leave to amend, plainti's claims under Cal Civil Code § 1798.83 and Cal. Bus. & Professions Code § 17200 for lack of statutory standing due to lack injury and dismissing plainti's claim for injunctive relief for lack of Article III standing; rejecting argu- ments that plaintis had experienced economic or informational injury); Boorstein v. Men's Journal LLC, No. CV 12-771 DSF (Ex), 2012 WL 3791701 (C.D. Cal. Aug. 17, 2012) (dismissing with prejudice plainti's claims under Cal Civil Code § 1798.83 and Cal. Bus. & Professions Code § 17200 for lack of statutory standing due to lack injury; rejecting argu- ments that plaintis had experienced economic or informational injury); King v. Condé Nast Publications, No. CV-12-0719-GHK (Ex), 2012 WL 3186578 (C.D. Cal. Aug. 3, 2012) (dismissing the same claims on the same grounds, with leave to amend); Miller v. Hearst Communications, Inc., No. 
CV 12-0733-GHK (PLAx), 2012 WL 3205241 (C.D. Cal. Aug. 3, 2012) (dismissing the same claims, on the same grounds, with leave to amend); Boorstein v. Men's Journal LLC, No. CV 12-771 DSF (Ex), 2012 WL 2152815 (C.D. Cal. June 14, 2012) (dismissing the same claims on the same grounds, with leave to amend); see generally supra § 26.13[6][D] (analyzing section 1798.83). 121 Cal. Bus. & Prof. Code §§ 17500, et seq. California's false advertis- ing law reaches advertising that is false as well as advertising that, al- though true, is either actually misleading or has “a capacity, likelihood or tendency to deceive or confuse the public.” Low v. LinkedIn Corp., 900 F. Supp. 2d 1010, 1026 (N.D. Cal. 2012), quoting Leoni v. State Bar,39Cal. 3d 609, 626, 217 Cal. Rptr. 423 (1985).

fact and lost money or property.122 Similarly, a claim under California's Computer Crime law123 is only actionable where a plaintiff can show “damage or loss.”124 Common law privacy claims may be difficult to assert in data privacy cases absent an ability to characterize the alleged intrusion as highly offensive to a reasonable person,125 as opposed to merely de minimis.126

Alleged data privacy violations also may be difficult to assert as common law privacy claims where information may have been exposed but it is not clear that it in fact was accessed. At least at common law, “[f]or a person's privacy to be invaded, their personal information must, at a minimum, be disclosed to a third party.”127 Some claims also suffer because of efforts to shoehorn novel privacy theories into existing unfair competition, statutory or common law remedies. For example, in Steinberg v. CVS Caremark Corp.,128 the court dismissed claims under the Pennsylvania Unfair Trade Practices and Consumer Protection Law and for unjust enrichment and invasion of privacy, in a putative class action brought by a union and its members, alleging that the defendant sold de-identified information obtained in connection with filling plaintiffs'

122 See Low v. LinkedIn Corp., 900 F. Supp. 2d 1010, 1026-27 (N.D. Cal. 2012) (dismissing with prejudice Low's false advertising claim because personal information does not constitute money or property and dismissing with prejudice both his claim and that of plaintiff Masand, who paid $24.99 for a “Job Seeker Platinum” LinkedIn subscription and therefore met the threshold requirement of showing a loss of money or property, where neither could allege reliance on the allegedly false advertisements or misrepresentations).

123 Cal. Penal Code § 502.

124 Cal. Penal Code § 502(e); In re Facebook Privacy Litig., 791 F. Supp. 2d 705, 715–16 (N.D. Cal. 2011) (dismissing plaintiffs' section 502 claims, some with and some without prejudice), aff'd in part, rev'd in part, on other grounds, 572 F. App'x 494 (9th Cir. 2014) (affirming dismissal of plaintiffs' UCL claim but reversing dismissal of their breach of contract and fraud claims; plaintiffs did not appeal the dismissal of their section 502 claim); see generally infra § 44.09 (analyzing section 502).

125 See Opperman v. Path, Inc., 84 F. Supp. 3d 962, 991-93 (N.D. Cal. 2015) (denying defendants' motions to dismiss intrusion on seclusion claims arising from the transfer of contact information from users' mobile address books when users selected the “Find Friends” feature to connect with friends on social networks); In re Google, Inc. Privacy Policy Litigation, 58 F. Supp. 3d 968, 987-88 (N.D. Cal. 2014) (dismissing with prejudice plaintiffs' intrusion upon seclusion claim based on plaintiffs' inability to meet the “high bar” to allege the requisite “intrusion [that is] highly offensive to a reasonable person”).

126 See In re Nickelodeon Consumer Privacy Litigation, Case No. Civ. A. 12-07829, Civ. A. 13-03729, Civ. A. 13-03731, Civ. A. 13-03755, Civ. A. 13-03756, Civ. A. 13-03757, 2014 WL 3012873, at *18-19 (D.N.J. July 2, 2014) (dismissing plaintiffs' invasion of privacy claim under New Jersey law with leave to amend where the plaintiffs had not demonstrated why Google's “collection and monetization of online information,” including the use of cookies to acquire or intercept IP addresses and URLs, would be “highly offensive” to a reasonable person); In re Nickelodeon Consumer Privacy Litig., Case Nos. 12–07829, 13–03755, 13–03729, 13–03757, 13–03731, 13–03756, 2015 WL 248334, at *5-7 (D.N.J. Jan. 20, 2015) (rejecting polling data as probative of what a reasonable person would consider to be “highly offensive” and rejecting the argument that the practice was necessarily highly offensive because directed at children, in dismissing with prejudice plaintiff's Second Amended Complaint; “It may indeed strike most people as undesirable that companies routinely collect information about anonymous web users to target ads in a more sophisticated way; yet this theory of relief requires more.”); see generally supra §§ 12.02[3][B], 26.08 (analyzing the case, and the tort of unreasonable intrusion, at greater length).

127 In re SAIC Corp., 45 F. Supp. 2d 14, 28 (D.D.C. 2014); see also Low v. LinkedIn Corp., 900 F. Supp. 2d 1010, 1025 (N.D. Cal. 2012) (dismissing with prejudice plaintiffs' invasion of privacy claims under the California Constitution and common law where plaintiffs alleged that the defendant disclosed to third parties their LinkedIn IDs and the URLs of the LinkedIn profile pages that the users viewed because “[a]lthough Plaintiffs postulate that these third parties could, through inferences, de-anonymize this data, it is not clear that anyone has actually done so.”). In SAIC, Judge James E. Boasbert, Jr. explained that “[i]f no one has viewed your private information (or is about to view it imminently), then your privacy has not been violated.” Id. at 28-29, citing 5 C.F.R. § 297.102 (Under Privacy Act, “[d]isclosure means providing personal review of a record, or a copy thereof, to someone other than the data subject or the data subject's authorized representative, parent, or legal guardian.”) (emphasis added); Walia v. Chertoff, No. 06—6587, 2008 WL 5246014, at *11 (E.D.N.Y. Dec. 17, 2008) (“accessibility” is not the same as “active disclosure”); Schmidt v. Dep't of Veterans Affairs, 218 F.R.D. 619, 630 (E.D. Wis. 2003) (Disclosure is “the placing into the view of another information which was previously unknown,” requiring that information be “actually viewed.”); Harper v. United States, 423 F. Supp. 192, 197 (D.S.C. 1976) (Disclose means “the imparting of information which in itself has meaning and which was previously unknown to the person to whom it was imparted.”); Fairfax Hospital v. Curtis, 492 S.E.2d 642, 644 (Va. 1997) (violation where third party “possess[ed]” and “reviewed” records); see also Storm v. Paytime, Inc., 90 F. Supp. 3d 359, 368 (M.D. Pa. 2015) (dismissing Pennsylvania privacy claims of employees for lack of standing where no information had been disclosed to a third party after a cyber-attack on the defendant's payroll provider).

128 Steinberg v. CVS Caremark Corp., Civil Action No. 11-2428, 2012 WL 507807 (E.D. Pa. Feb. 16, 2012).

prescriptions to third parties who plaintiffs alleged potentially could de-anonymize it. Plaintiffs had alleged that the defendants made material misrepresentations in their privacy statements, but the court found this practice to be consistent with CVS's privacy policy statement that defendants safeguarded information that “may identify” consumers, noting that the FTC's Privacy Rule promulgated under HIPAA129 places no restrictions on the use of information once de-identified.130 Plaintiffs' unfair competition and unjust enrichment claims were dismissed based on the lack of any value to the information, among other grounds.131 A claim for common law trespass generally requires a showing of substantial impairment, not merely unauthorized access.132 For this reason, plaintiffs in putative behavioral advertising privacy class action suits may have difficulty stating a claim even where unauthorized access is alleged.133 Where a plaintiff cannot state a claim under ECPA because access was found to be authorized by a Privacy Policy, TOU or otherwise, the plaintiff also may have difficulty establishing a claim for common law invasion of privacy premised on the same unauthorized access.134 Privacy claims arising at common law or created by the California Constitution likewise may not be viable in a data privacy or behavioral advertising case where the information allegedly disclosed is anonymized data such as social network profile IDs or the URLs viewed by users135 or unique mobile device

129 45 C.F.R. §§ 160.103, 164.502(d)(1) to 164.502(d)(2); supra § 26.11.

130 See Steinberg v. CVS Caremark Corp., Civil Action No. 11-2428, 2012 WL 507807, at *6–7 (E.D. Pa. Feb. 16, 2012).

131 See Steinberg v. CVS Caremark Corp., Civil Action No. 11-2428, 2012 WL 507807, at *8–9 (E.D. Pa. Feb. 16, 2012).

132 See, e.g., Intel Corp. v. Hamidi, 30 Cal. 4th 1342, 1347, 1 Cal. Rptr. 3d 32 (2003); see generally supra § 5.05[1] (analyzing computer trespass cases).

133 See, e.g., In re Google Android Consumer Privacy Litig., No. 11-MD-02264, 2013 WL 1283236, at *13 (N.D. Cal. Mar. 26, 2013) (dismissing plaintiff's trespass to chattels claim because CPU processing, battery capacity, and Internet connectivity do not constitute a harm sufficient to establish a cause of action for trespass); Yunker v. Pandora Media, Inc., No. 11-CV-03113 JSW, 2013 WL 1282980, at *15-16 (N.D. Cal. Mar. 26, 2013) (dismissing plaintiff's trespass claim with leave to amend where the plaintiff alleged that Pandora installed unwanted code that consumed portions of the memory on his mobile device); In re iPhone Application Litig., 844 F. Supp. 2d 1040, 1069 (N.D. Cal. 2012) (dismissing plaintiffs' trespass claims with prejudice where plaintiffs alleged that (1) the creation of location history files and app software components “consumed portions of the cache and/or gigabytes of memory on their devices” and (2) apps had taken up valuable bandwidth and storage space on mobile devices and the defendants' conduct subsequently shortened the battery life of the device; “While these allegations conceivably constitute a harm, they do not plausibly establish a significant reduction in service constituting an interference with the intended functioning of the system, which is necessary to establish a cause of action for trespass.”); Del Vecchio v. Amazon.com, Inc., No. C11-366-RSL, 2011 WL 6325910, at *6 (W.D. Wash. Dec. 1, 2011) (dismissing with leave to amend a putative class action claim for trespass under Washington law based on the alleged use of browser and flash cookies where plaintiffs “failed to plead any facts that would permit the Court to infer that they sustained any plausible harm to a materially valuable interest in the condition, quality, or value of their computers.”).

134 See, e.g., Yunker v. Pandora Media, Inc., No. 11-CV-03113 JSW, 2013 WL 1282980, at *15 (N.D. Cal. Mar. 26, 2013) (dismissing plaintiff's California common law privacy claim based on public disclosure of private facts and intrusion with leave to amend where the plaintiff alleged merely that he provided Pandora with PII, which it then disclosed to third parties; “Yunker does not allege that Pandora tracked his movements or obtained and then either disclosed or left unencrypted any type of sensitive financial information, medical information, or passwords.”); Deering v. CenturyTel, Inc., No. CV-10-63-BLG-RFC, 2011 WL 1842859 (D. Mont. May 16, 2011) (dismissing a putative class action alleging an ECPA violation and intrusion upon seclusion under Montana law where defendant's privacy policy and an email sent to subscribers advising them that the Policy had been updated, notified subscribers that CenturyTel, an ISP, used cookies and web beacons to gather information on its subscribers' browsing history, which it shared with NebuAd, a provider of tailored advertising services); Mortensen v. Bresnan Communication, LLC, No. CV 10-13-BLG-RFC, 2010 WL 5140454 (D. Mont. Dec. 13, 2010) (dismissing plaintiff's invasion of privacy claim where the complaint sufficiently alleged plaintiff's subjective expectation of seclusion or solitude but this subjective expectation was not objectively reasonable in light of the disclosures in defendant's Subscriber Agreement and Privacy Notice and notice that use of the defendant's service constituted acceptance of the terms of the Subscriber Agreement and Privacy Notice; also dismissing plaintiff's ECPA claim, but denying defendant's motion with respect to trespass and CFAA claims), vacated on other grounds, 722 F.3d 1151, 1157-61 (9th Cir. 2013) (holding that the lower court erred in declining to compel arbitration). In the words of the Deering court, “there is no [objectively] reasonable expectation of privacy when a plaintiff has been notified that his Internet activity may be forwarded to a third party to target him with advertisements.” Deering v. CenturyTel, Inc., No. CV-10-63-BLG-RFC, 2011 WL 1842859, at *2 (D. Mont. May 16, 2011).

135 See, e.g., Low v. LinkedIn Corp., 900 F. Supp. 2d 1010, 1025 (N.D. Cal. 2012) (dismissing with prejudice plaintiffs' invasion of privacy claims under the California Constitution and common law where plaintiffs alleged that the defendant disclosed to third parties their LinkedIn IDs and the URLs of the LinkedIn profile pages that the users viewed because “[a]lthough Plaintiffs postulate that these third parties could, through

identifier numbers, personal data and geolocation information.136 A plaintiff may be unable to state a common law claim for unjust enrichment, which is a quasi-contract claim, where he or she entered into an express agreement, such as Terms of Use or a Privacy Policy, that explicitly permits the collection, use or dissemination of personal information.137 A state law conversion claim may suffer the same defect.138 Conversion claims similarly may fail if user contact information is not viewed as property under applicable state law or if the data at issue is generated by the Internet site or service, rather than the consumer.139 Although not analyzed to date in a data privacy case, conversion claims also may not be viable under some states' laws because data privacy cases usually involve sharing personal information, not dispossession, but most states require a showing of dispossession (or at least substantial

inferences, de-anonymize this data, it is not clear that anyone has actually done so.”).

136 See In re iPhone Application Litig., 844 F. Supp. 2d 1040, 1063 (N.D. Cal. 2012) (holding that the alleged disclosure to third parties of the unique device identifier numbers of Apple mobile devices, personal data stored by users on those devices and geolocation information did not involve an egregious breach of social norms and therefore was not actionable under California's constitutional right to privacy); see also In re Nickelodeon Consumer Privacy Litig., Nos. 12–07829, 13–03755, 13–03729, 13–03757, 13–03731, 13–03756, 2015 WL 248334, at *5-7 (D.N.J. Jan. 20, 2015) (dismissing plaintiffs' intrusion upon seclusion claim with prejudice, stating that collection of anonymous browsing history and other data from minor registrants of a children's website fell short of the highly offensive behavior required to state a claim); In re Google Android Consumer Privacy Litig., No. 11-MD-02264, 2013 WL 1283236, at *10 (N.D. Cal. Mar. 26, 2013) (following iPhone Application Litigation in dismissing plaintiff's constitutional right to privacy claim where plaintiffs alleged that Google allowed third party affiliates such as AdMob and AdWhirl to obtain unencrypted user data); Yunker v. Pandora Media, Inc., No. 11-CV-03113 JSW, 2013 WL 1282980, at *14-15 (N.D. Cal. Mar. 26, 2013) (following iPhone Application Litigation in dismissing plaintiff's claim with leave to amend where the plaintiff merely alleged that Pandora obtained his PII and provided it to advertising libraries for marketing purposes, allegedly in violation of Pandora's privacy policy). But see Opperman v. Path, Inc., 84 F. Supp. 3d 962 (N.D. Cal. 2015) (dismissing conversion and injunctive relief claims but denying defendants' motions to dismiss intrusion on seclusion claims arising from the transfer of contact information from users' mobile address books when users selected the “Find Friends” feature to connect with friends on social networks).

137 See, e.g., Del Vecchio v. Amazon.com, Inc., No. C11-366-RSL, 2011 WL 6325910, at *6 (W.D. Wash. Dec. 1, 2011) (dismissing with leave to amend a putative class action suit over the alleged use of browser and flash cookies where the defendant's potential use of browser and flash cookies was disclosed to users in the defendant's “Conditions of Use and Privacy Notice” so therefore any use was not inequitable and because “Plaintiffs have not plead any facts from which the Court might infer that Defendant's decision to record, collect, and use its account of Plaintiffs' interactions with Defendant came at Plaintiffs' expense.”); In re Facebook Privacy Litig., 791 F. Supp. 2d 705, 718 (N.D. Cal. 2011) (dismissing plaintiffs' unjust enrichment claim with prejudice where plaintiffs assented to Facebook's “Terms and Conditions and Privacy Policy”), aff'd in part, rev'd in part, on other grounds, 572 F. App'x 494 (9th Cir. 2014) (affirming dismissal of plaintiffs' UCL claim but reversing dismissal of their breach of contract and fraud claims; plaintiffs did not appeal the dismissal of their unjust enrichment claim).

138 See, e.g., In re Sony Gaming Networks and Customer Data Security Breach Litigation, 903 F. Supp. 2d 942, 974 (S.D. Cal. 2012) (dismissing with prejudice plaintiffs' claims for conversion because personal information could not be construed as property that was somehow “delivered” to Sony and expected to be returned, and because the information was stolen as a result of a criminal intrusion of Sony's Network); AD Rendon Communications, Inc. v. Lumina Americas, Inc., No. 04-CV-8832 (KMK), 2007 WL 2962591 (S.D.N.Y. Oct. 10, 2007) (“[E]ven if a plaintiff meets all of the elements of a conversion claim, the claim will still be dismissed if it is duplicative of a breach of contract claim.”), citing Wechsler v. Hunt Health Systems, Ltd., 330 F. Supp. 2d 383, 431 (S.D.N.Y. 2004) and Richbell Information Services, Inc. v. Jupiter Partners, L.P., 309 A.D.2d 288, 765 N.Y.S.2d 575, 590 (1st Dep't 2003); see generally supra § 5.05[2] (analyzing conversion claims in connection with database protection and screen scraping).

139 See, e.g., Low v. LinkedIn Corp., 900 F. Supp. 2d 1010, 1030-31 (N.D. Cal. 2012) (dismissing with prejudice plaintiffs' claim for conversion because personal information does not constitute property under California law, plaintiffs could not establish damages and some of the information allegedly “converted,” such as a LinkedIn user ID number, was generated by LinkedIn, and therefore not property over which a plaintiff could claim exclusivity); In re iPhone Application Litig., 844 F. Supp. 2d 1040, 1074–75 (N.D. Cal. 2012) (dismissing with prejudice plaintiffs' conversion claim because personal information does not constitute property under California law, plaintiffs failed to establish that “the broad category of information referred to as ‘personal information’ is an interest capable of precise definition” and the court could not conceive how “the broad category of information referred to as ‘personal information’ . . . is capable of exclusive possession or control.”); see also Yunker v. Pandora Media, Inc., No. 11-CV-03113 JSW, 2013 WL 1282980, at *16-17 (N.D. Cal. Mar. 26, 2013) (following iPhone Application Litigation in dismissing plaintiff's conversion claim based on Pandora's alleged use of his PII with leave to amend); see generally supra §§ 5.05[2] (analyzing the law of conversion), 7.21 (intangible property and the law of conversion, addressed in the context of domain name registrations).

interference).140 Courts also have been skeptical that a legally cognizable benefit has been conferred when an unjust enrichment claim is premised on the alleged use of a user's browsing information141 or zip code data142 or the sale of de-identified personal information.143 Under California law, it is no longer clear that a separate claim may even be asserted for unjust enrichment, which since 2011 courts have characterized as a request for restitution, not a separate cause of action under California law.144 Other states, such as New Jersey, similarly do not recognize unjust enrichment as a separate cause of action.145 California likewise does not recognize a separate cause of action for restitution, which is a remedy that a plaintiff may elect, not a claim.146 Even negligence claims may be difficult to sustain in the absence of economic injury.147 Negligence generally requires a showing of (1) a legal duty to use due care, (2) a breach of that duty, (3) injury and (4) proximate causation (that the breach was the proximate or legal cause of injury).148 To state a claim, a plaintiff in a data privacy case generally must show an “appreciable, nonspeculative, present

140 See, e.g., Register.com, Inc. v. Verio, Inc., 356 F.3d 393, 437–38 (2d Cir. 2004) (“Traditionally, courts have drawn a distinction between interference by dispossession, . . . which does not require a showing of actual damages, . . . and interference by unauthorized use or intermeddling, . . . which requires a showing of actual damages . . . .”; citations omitted) (New York law); eBay, Inc. v. Bidder's Edge, Inc., 100 F. Supp. 2d 1058, 1067 (N.D. Cal. 2000) (distinguishing trespass from conversion); see generally supra § 5.05[2] (analyzing the law of conversion).

141 See, e.g., Del Vecchio v. Amazon.com, Inc., No. C11-366-RSL, 2011 WL 6325910, at *6 (W.D. Wash. Dec. 1, 2011) (dismissing with leave to amend a putative class action suit over the alleged use of browser and flash cookies where the court held that the plaintiffs had failed to allege any legally cognizable benefit). Under Washington law, to establish unjust enrichment, a plaintiff must show that: (1) one party conferred a benefit on the other; (2) the party receiving the benefit had knowledge of that benefit; and (3) the party receiving the benefit accepted or retained the benefit under circumstances that would make it inequitable for the receiving party to retain it without paying for its value. See id., quoting Cox v. O'Brien, 150 Wash. App. 24, 37, 206 P.3d 682 (2009). “The crux of an unjust enrichment claim is ‘that a person who is unjustly enriched at the expense of another is liable in restitution to the other.’ ” Del Vecchio v. Amazon.com, Inc., No. C11-366-RSL, 2011 WL 6325910, at *6 (W.D. Wash. Dec. 1, 2011), quoting Dragt v. Dragt/DeTray, LLC, 139 Wash. App. 560, 576, 161 P.3d 473 (2007).

142 See Tyler v. Michaels Stores, Inc., 840 F. Supp. 2d 438, 451–52 (D. Mass. 2012) (dismissing plaintiff's unjust enrichment claim under Massachusetts law where the plaintiff had not alleged that Michaels ever paid for zip codes or that reasonable people would expect payment for revealing a zip code in connection with a routine retail transaction); see also Karp v. Gap, Inc., No. 13–11600–GAO, 2014 WL 4924229, at *2 (D. Mass. Sept. 29, 2014) (dismissing unjust enrichment claim arising out of the merchant's collection of zip codes); Lewis v. Collective Brands, Inc., No. 13–12702–GAO, 2014 WL 4924413, at *1-2 (D. Mass. Sept. 29, 2014) (dismissing unjust enrichment claim arising out of a merchant's collection of zip codes).

143 See Steinberg v. CVS Caremark Corp., Civil Action No. 11-2428, 2012 WL 507807, at *9 (E.D. Pa. Feb. 16, 2012) (dismissing plaintiffs' claim for unjust enrichment under Pennsylvania law, in a putative class action suit, where plaintiffs had no reasonable expectation that they would be compensated for disclosing information for the purpose of having their prescriptions filled).

144 See Hill v. Roll Int'l Corp., 195 Cal. App. 4th 1295, 1307, 128 Cal. Rptr. 3d 109 (2011) (holding that “[u]njust enrichment is not a cause of action, just a restitution claim.”); see also, e.g., Low v. LinkedIn Corp., 900 F. Supp. 2d 1010, 1031 (N.D. Cal. 2012) (dismissing with prejudice plaintiffs' claim for unjust enrichment because such a claim is not viable under California law); In re iPhone Application Litig., 844 F. Supp. 2d 1040, 1075–76 (N.D. Cal. 2012) (dismissing with prejudice plaintiffs' claim for unjust enrichment based on Hill v. Roll Int'l Corp.); Fraley v. Facebook, Inc., 830 F. Supp. 2d 785, 814–15 (N.D. Cal. 2011) (dismissing a claim for unjust enrichment in light of Hill v. Roll Int'l Corp., “[n]otwithstanding earlier cases suggesting the existence of a separate, stand-alone cause of action for unjust enrichment . . . .”); In re iPhone Application Litig., Case No. 11-MD-02250-LHK, 2011 WL 4403963, at *15 (N.D. Cal. Sept. 20, 2011) (dismissing a claim for unjust enrichment, finding there is no longer any such cognizable claim under California law).

145 See In re Nickelodeon Consumer Privacy Litigation, Case Nos. Civ. A. 12-07829, Civ. A. 13-03729, Civ. A. 13-03731, Civ. A. 13-03755, Civ. A. 13-03756, Civ. A. 13-03757, 2014 WL 3012873, at *19 (D.N.J. July 2, 2014) (dismissing with prejudice plaintiffs' common law unjust enrichment claim in a data privacy case).

146 In re iPhone Application Litig., 844 F. Supp. 2d 1040, 1076 (N.D. Cal. 2012) (dismissing with prejudice plaintiffs' claim for unjust enrichment, assumpsit and restitution).

147 See Low v. LinkedIn Corp., 900 F. Supp. 2d 1010, 1031-32 (N.D. Cal. 2012) (dismissing with prejudice plaintiffs' claim); In re iPhone Application Litig., Case No. 11-MD-02250-LHK, 2011 WL 4403963, at *9 (N.D. Cal. Sept. 20, 2011) (dismissing plaintiffs' claim with leave to amend); see also infra § 27.07 (analyzing the extensive body of negligence case law in data security breach putative class action suits).

148 E.g., Low v. LinkedIn Corp., 900 F. Supp. 2d 1010, 1031-32 (N.D. Cal. 2012); In re iPhone Application Litig., Case No. 11-MD-02250-LHK, 2011 WL 4403963, at *9 (N.D. Cal. Sept. 20, 2011).

Pub. 12/2015 26-369 26.15 E-Commerce and Internet Law injury.”149 Further, in most states, purely economic losses generally are not recoverable as tort damages.150 A negligence claim also may be dicult to sustain where a privacy policy discloses that information will be shared, undermining any argument that there was a duty to keep it condential. In some cases involving the use of mobile devices, plaintis have alleged breach of the implied warranty of merchant- ability, which may fail because any alleged privacy violation does not necessarily mean that the device is not “t for the ordinary purposes” for which the goods were intended.151

149 Low v. LinkedIn Corp., 900 F. Supp. 2d 1010, 1032 (N.D. Cal. 2012); In re iPhone Application Litig., 844 F. Supp. 2d 1040, 1064 (N.D. Cal. 2012); see also Ruiz v. Gap, Inc., 622 F. Supp. 2d 908, 913–14 (N.D. Cal. 2009) (granting summary judgment for the defendant on plainti's negligence claim in a security breach case brought by a job applicant whose personal information had been stored on a laptop of the defendant's that had been stolen, because the risk of future identity theft did not rise to the level of harm necessary to support plainti's negligence claim, which under California law must be appreciable, non-speculative, and present), a'd mem., 380 F. App'x 689 (9th Cir. 2010); Pinero v. Jackson Hewitt Tax Service Inc., 594 F. Supp. 2d 710 (E.D. La. 2009) (holding that the mere possibility that personal information was at increased risk did not constitute an actual injury sucient to state claims for fraud, breach of contract (based on emotional harm), negligence, among other claims, but holding that the plainti had stated a claim for invasion of privacy). 150 See, e.g., In re TJX Cos. Retail Security Breach Litig., 564 F.3d 489, 499–500 (1st Cir. 2009) (arming, in a security breach case arising out of a hacker attack, dismissal of plaintis' negligence claim based on the eco- nomic loss doctrine (which holds that purely economic losses are unrecoverable in tort and strict liability actions in the absence of personal injury or property damage)); Sovereign Bank v. BJ's Wholesale Club, Inc., 533 F.3d 162, 175–76 (3d Cir. 2008) (dismissing issuer bank's negligence claim against a merchant bank for loss resulting from a security breach based on the economic loss doctrine, which provides that no cause of ac- tion exists for negligence that results solely in economic damages unac- companied by physical or property damage); In re Target Corp. Data Security Breach Litigation, 66 F. Supp. 3d 1154, 1171-76 (D. Minn. 
2014) (dismissing plaintis' California, Illinois and Massachusetts negligence claims under the economic loss rule in data security breach putative class action suit); In re iPhone Application Litig., 844 F. Supp. 2d 1040, 1064 (N.D. Cal. 2012) (dismissing with prejudice plaintis' negligence claim in a data privacy putative class action suit, holding that under California law injuries from disappointed expectations from a commercial transac- tion must be addressed through contract, not tort law); In re Michaels Stores Pin Pad Litig., 830 F. Supp. 2d 518, 528–31 (N.D. Ill. 2011) (dismissing plaintis' negligence and negligence per se claims under the economic loss rule in a security breach putative class action suit). 151 See, e.g., In re iPhone 4S Consumer Litig., No. C 12-1127 CW, 2013


Even if some Internet privacy claims can survive motions to dismiss or summary judgment, they are often ill-suited for class certification because the proposed classes are defined in terms of conduct for which no records exist, and are therefore unascertainable,152 or involve numerous individualized inquiries into issues of consent, causation, reliance, and injury that may be specific to individual claimants and therefore potentially ill suited for class adjudication. For example, in Murray v. Financial Visions, Inc.,153 the court denied class certification in a case alleging that the defendants, including a web hosting and email services company, violated plaintiff's privacy by intercepting and forwarding emails to comply with broker-dealer regulations, because demonstrating liability would have required numerous individualized inquiries, including whether the plaintiff had a reasonable expectation of privacy in each email, whether the email contained private information, and whether defendant's conduct caused any harm. Class certification also may be inappropriate where plaintiffs seek certification of a nationwide class based on state consumer protection

WL 3829653, at *15-16 (N.D. Cal. July 23, 2013) (holding that the implied warranty of merchantability is limited to “functions like making and receiving calls, sending and receiving text messages, or allowing for the use of mobile applications.”; citing Cal. Civ. Code § 1791.1(a); Cal. Com. Code § 2134(2)(c)); see also Birdsong v. Apple, Inc., 590 F.3d 955, 958 (9th Cir. 2009) (dismissing California implied warranty claim because the allegation that iPods were capable of operating at volumes that could damage users' hearing did not constitute an allegation that the product lacked ‘‘even the most basic degree of fitness’’ for the ordinary purpose of listening to music); Williamson v. Apple, Inc., No. 5:11-cv-00377 EJD, 2012 WL 3835104, at *8 (N.D. Cal. Sept. 4, 2012) (dismissing implied warranty claim based on plaintiff's allegation that his iPhone 4's glass housing was defective because plaintiff did not allege his phone was deficient in making and receiving calls, sending and receiving text messages or allowing for the use of mobile applications). But see In re: Carrier IQ, Inc. Consumer Litig., 78 F. Supp. 3d 1051, 1108-11 (N.D. Cal. 2015) (allowing breach of implied warranty claims to proceed under the laws of several states where plaintiffs alleged that software was included on mobile devices that collected and transmitted personal information provided adequate grounds under the laws of some states to allege that the devices were unmerchantable).

152 See, e.g., Messner v. Northshore University Healthsystem, 669 F.3d 802, 825 (7th Cir. 2012) (holding that a class whose membership is defined by liability is improper).

153 Murray v. Financial Visions, Inc., No. CV-07-2578-PHX-FJM, 2008 WL 4850328 (D. Ariz. Nov. 7, 2008).

laws.154 Similarly, in In re Google Inc. Gmail Litigation,155 the court declined to certify a class action suit where common questions did not predominate because of the variety of different privacy policies and disclosures made to class members and the need for individualized proof of whether class members provided consent. On the other hand, in Harris v. comScore,156 a court certified a class in a suit alleging Stored Communications Act and Computer Fraud and Abuse Act violations arising out of ComScore's alleged practice of tracking the browsing activities of users who downloaded its tracking software. While suits seeking to frame uses of new technologies as computer crime violations on the whole have not been very successful on the merits, potential claims may be easier to plead where a defendant can show a real injury and a clear lack of consent or authorization. For example, a court may allow a claim to proceed where a defendant is alleged to have engaged in conduct materially different from what was represented.157 A violation of a privacy policy, for instance, is potentially actionable, but only if material and typically only if a plaintiff can show actual injury or damage, as well as standing to sue for a privacy policy violation.158 Likewise, where there is a security breach and resulting

154 See, e.g., Mazza v. American Honda Motor Co., 666 F.3d 581 (9th Cir. 2012) (holding that common questions did not predominate for purposes of class certification where a nationwide state law consumer class was sought given material differences between California and other state consumer protection laws).

155 In re Google Inc. Gmail Litigation, Case No. 13-MD-02430-LHK, 2014 WL 1102660 (N.D. Cal. Mar. 18, 2014) (denying plaintiff's motion for class certification in consolidated privacy cases alleging violations of state and federal antiwiretapping laws in connection with the operation of Gmail).

156 Harris v. ComScore, 292 F.R.D. 579 (N.D. Ill. 2013).

157 See, e.g., Pinero v. Jackson Hewitt Tax Service Inc., 638 F. Supp. 2d 632 (E.D. La. 2009) (declining to dismiss plaintiff's fraud claim in a putative class action suit where plaintiff alleged that defendants' representation that they maintained privacy policies and procedures was false because at the time they made the statements defendants had not yet adopted policies to protect customer information).

158 Not all privacy policies will support breach of contract claims. See, e.g., Dyer v. Northwest Airlines Corp., 334 F. Supp. 2d 1196 (D.N.D. 2004) (holding that plaintiffs could not sue Northwest Airlines for breach of its privacy statement because the privacy policy did not give rise to a contract

harm, a plaintiff may be able to state a claim.159 State law claims also may be framed as class action suits to try to force settlements, whether or not meritorious. For example, more than 150 class action suits were filed alleging violations of California's Song-Beverly Credit Card Act in the first six months of 2011 following the California Supreme Court's ruling earlier that year that collection of a person's zip code, without more, in connection with a credit card transaction, could constitute a privacy violation under California law.160 The Act provides for statutory damages in cases where violations may be shown. Where litigation is premised on a third party's privacy violation, rather than a direct violation by the defendant, or on a defendant's mere republication of material, the suit may be preempted by the Communications Decency Act.161 The exemption, however, does not apply, among other things,

claim and they acknowledged that they had not read it). Even where actionable, a privacy policy may insulate a company from liability, rather than create exposure, if the practice at issue was adequately disclosed. See, e.g., Johnson v. Microsoft Corp., No. C06–0900RAJ, 2009 WL 1794400 (W.D. Wash. June 23, 2009); see generally supra § 26.14 (analyzing privacy statements and how to draft them). In Johnson, the court granted partial summary judgment for Microsoft on plaintiffs' breach of contract claim in a putative class action suit where plaintiffs had alleged that Microsoft breached its End User License Agreement (EULA), which prohibited Microsoft from transmitting “personally identifiable information” from the user's computer to Microsoft, by collecting IP addresses. The court held that the term, personally identifiable information, did not include IP addresses, which identify a computer rather than a person. In the words of the court, “[i]n order for ‘personally identifiable information’ to be personally identifiable, it must identify a person.” Johnson v. Microsoft Corp., No. C06-0900 RAJ, 2009 WL 1794400, at *4 (W.D. Wash. June 23, 2009).

159 See generally infra § 27.07 (analyzing putative security breach class action suits).

160 See Pineda v. Williams-Sonoma Stores, Inc., 51 Cal. 4th 524, 120 Cal. Rptr. 3d 531 (2011); Ian C. Ballon & Robert Herrington, Are Your Data Collection Practices Putting Your Company At Risk?, ABA Information Security & Privacy News (Autumn 2011); see generally supra § 26.13[6][E] (analyzing the case and underlying statute).

161 See 47 U.S.C.A. § 230(c); see also, e.g., Carafano v. Metrosplash.com. Inc., 339 F.3d 1119, 1125 (9th Cir. 2003) (holding plaintiff's privacy claim preempted); Collins v. Purdue University, 703 F. Supp. 2d 862, 877–80 (N.D. Ind. 2010) (false light); Doe v. Friendfinder Network, Inc., 540 F. Supp. 2d 288 (D.N.H. 2008); Parker v. Google, Inc., 422 F. Supp. 2d 492, 500–01 (E.D. Pa. 2006), aff'd mem., 242 F. App'x 833 (3d Cir. 2007), cert. denied, 552 U.S. 156 (2008); Barrett v. Fonorow, 343 Ill. App. 3d 1184, 279

to the federal Electronic Communications Privacy Act162 “or any similar State law.”163 As noted earlier, many putative class action cases settle. Class action settlements typically are structured to provide payments and/or equitable relief, in addition to an award of attorneys' fees to class counsel.164 While certification of a liability class is usually fought by defendants, once a settlement is reached the parties typically jointly seek court approval for a settlement class, which maximizes the preclusive effect of any settlement. Settlements and fee awards are subject to court approval.165 The volume of putative privacy class action suits filed since 2010 underscores that privacy suits, whether or not meritorious, may impose a significant cost on Internet companies. Businesses may limit their risk of exposure to class action litigation by users or customers where there is privity of contract by including binding arbitration provisions and class action waivers in consumer contracts. As analyzed at length in section 22.05[2][M], arbitration provisions (includ-

Ill. Dec. 113, 799 N.E.2d 916 (2d Dist. 2003) (false light invasion of privacy and defamation); see generally infra § 37.05 (analyzing the CDA and discussing other cases).

162 47 U.S.C.A. § 230(e)(4). The Electronic Communications Privacy Act, 18 U.S.C.A. §§ 2510 et seq., is discussed briefly in section 26.09 and more extensively in sections 44.06, 44.07 and 50.06[4] (and briefly in section 58.07[5][A]).

163 47 U.S.C.A. § 230(e)(4).

164 See, e.g., Lane v. Facebook, Inc., 696 F.3d 811 (9th Cir. 2012) (approving an attorneys' fee award of $2,364,973.58 and a $9.5 million cy pres class action settlement in a suit over Facebook's beacon program brought under the Electronic Communications Privacy Act, Video Privacy Protection Act, Computer Fraud and Abuse Act, the California Consumer Legal Remedies Act, and California Computer Crime Law (Cal. Penal Code § 502), and for remedies for unjust enrichment), cert. denied, 134 S. Ct. 8 (2013); In re Google Referrer Header Privacy Litig., 87 F. Supp. 3d 1122 (N.D. Cal. 2015) (granting final approval to a class action settlement relating to Google's alleged disclosure of referer header information from search queries to third parties); Kim v. Space Pencil, Inc., No. C 11-03796 LB, 2012 WL 5948951 (N.D. Cal. Nov. 28, 2012) (approving settlement of a suit alleging that KISSmetrics surreptitiously tracked plaintiffs' web browsing activities, pursuant to which KISSmetrics had agreed not to use the browser cache, DOM (HTML 5) local storage, Adobe Flash LSOs or eTags to “respawn” or repopulate HTTP cookies and awarding plaintiffs $474,195.49 in attorneys' fees in addition to costs and incentive payments to the named plaintiffs).

165 See supra § 25.07[2].

ing those containing a prohibition on class-wide remedies) are generally enforceable in standard form consumer contracts, including Terms of Use, as a result of the U.S. Supreme Court's 2011 decision in AT&T Mobility, LLC v. Concepcion166 and subsequent case law. Class action waivers in contracts litigated in court, however, may or may not be enforceable, depending on the jurisdiction whose law is applied.167 Even without a class action waiver, if the court finds that there is a binding arbitration agreement, the entire case will be stayed and arbitration compelled—effectively preventing plaintiffs' counsel from even moving for class certification.168 Judges, however, closely scrutinize unilateral contracts with consumers and will not enforce arbitration provisions if assent to the proposed agreement has not been obtained169 or if the agreement is unconscionable. A court, however, may not find an agreement unconscionable merely because it would deprive a plaintiff of the ability to seek class-wide relief.170 The law governing arbitration agreements and class action waivers in unilateral contracts is analyzed in section 22.05[2][M] and chapter 56. How to draft an arbitration provision to maximize its enforceability is separately considered in section 22.05[2][M][vi]. Like and stock drop cases, data privacy suits may be viewed as a cost of doing business in today's digital economy. Whether and how a company responds to these suits may determine how many more get brought against it by class action lawyers down the road.

166 AT&T Mobility LLC v. Concepcion, 563 U.S. 333 (2011).

167 See supra § 22.05[2][M].

168 See, e.g., In re RealNetworks, Inc. Privacy Litig., Civil No. 00 C 1366, 2000 WL 631341 (N.D. Ill. May 8, 2000) (denying an intervenor's motion for class certification where the court found that RealNetworks had entered into a contract with putative class members that provided for binding arbitration); see generally supra § 22.05[2][M] (analyzing the issue and discussing more recent case law).

169 See, e.g., Specht v. Netscape Communications Corp., 306 F.3d 17 (2d Cir. 2002) (declining to enforce an arbitration provision contained in posted terms accessible via a link and holding such terms to not be binding on users because assent was not obtained); see generally supra §§ 21.03 (analyzing online contract formation), 22.05[2][M] (arbitration provisions in unilateral consumer contracts).

170 See AT&T Mobility LLC v. Concepcion, 563 U.S. 333 (2011); supra § 22.05[2][M].


DEFENDING SECURITY-BREACH CLASS ACTION LITIGATION

Excerpted from Chapter 27 (Internet, Network and Data Security) of E-Commerce and Internet Law: A Legal Treatise With Forms, Second Edition, a 4-volume legal treatise by Ian C. Ballon (Thomson/West Publishing 2016)

DIGITAL ENTERTAINMENT, MOBILE AND INTERNET REVIEW ENTERTAINMENT LAW AND INTELLECTUAL PROPERTY SECTION OF THE LOS ANGELES COUNTY BAR ASSOCIATION LAWRY’S RESTAURANT FEBRUARY 25, 2016

Ian C. Ballon Greenberg Traurig, LLP


Mr. Ballon has brought or defended significant and often cutting edge suits involving computer software, the Internet and mobile technology. A list of recent cases may be found at http://www.gtlaw.com/People/Ian-C-Ballon.

Mr. Ballon was named the Lawyer of the Year for Information Technology Law in the 2013 and 2016 editions of Best Lawyers in America. In addition, he was the 2010 recipient of the State Bar of California IP Section’s Vanguard Award for significant contributions to the development of intellectual property law (http://ipsection.calbar.ca.gov/IntellectualPropertyLaw/IPVanguardAwards.aspx). He is listed in Legal 500 U.S., The Best Lawyers in America (in the areas of information technology and intellectual property) and Chambers and Partners USA Guide in the areas of privacy and data security and information technology. He also has been recognized by The Daily Journal as one of the Top 75 IP litigators in California in every year that the list has been published, from 2009 through 2015, and has been listed as a Northern California Super Lawyer every year from 2004 through 2015 and as one of the Top 100 lawyers in California. Mr. Ballon also holds the CIPP/US certificate for the International Association of Privacy Professionals (IAPP).

ment action generally need not adopt security compliance programs (unless otherwise obligated to do so under state or federal law),65 ongoing efforts to ensure security are required. Express or implied representations about the security of personal information will be treated as “privacy promises” by the FTC and the subject of enforcement actions if breached. While a security breach may bring a company's practices into sharp focus—leading to regulatory scrutiny and possibly litigation—an FTC enforcement action may be brought even where no security breach has yet occurred, to enjoin a highly publicized practice.66 Conversely, FTC guidelines recognize that even if a breach has occurred it does not necessarily mean that a company has acted unfairly or deceptively (if a company has taken measures that are “reasonable and appropriate under the circumstances” and has taken every reasonable precaution to prevent a breach). However, if a company maintains inadequate security practices and procedures that fact alone will be sufficient to justify an enforcement action based on unfairness. Moreover, what is reasonable may change quickly. Practices that are reasonable today may become unfair over time if a company fails to adjust them to keep up with trends, monitor emerging security threats (especially in its industry) and implement new safeguards—in short constantly improve its capabilities to address security threats. Finally, where specific security-related promises have been made, affirmative steps must be taken to ensure that adequate security in fact is provided, which may require a higher level of oversight to ensure compliance.

27.07 Class Actions and Other Security Breach Litigation

Litigation arising out of a security breach may be brought by or against a business that experienced the loss. A company may choose to pursue civil or criminal remedies

65 See infra § 27.11 (discussing security compliance programs and audits). 66 See In the Matter of Microsoft Corp., File No. 012 3240, 2002 WL 1836831 (FTC Aug. 8, 2002) (involving allegations about its Passport service).

against the person or persons responsible for the breach,1 which in civil actions may require satellite litigation to compel the disclosure of the identity of an anonymous or pseudonymous thief.2 A company that experienced a data loss also may be sued by its customers or other third parties allegedly impacted by the breach, including in putative class action suits. Litigation initiated by companies that were targeted for a security attack may be brought against employees and contractors or corporate spies and hackers, depending on whether the source of the loss was internal to the company or external, based on trade secret misappropriation (if confidential trade secrets were taken),3 Copyright law4 or various claims relating to database protection5 (if material taken is copied), the Computer Fraud and Abuse Act6 or common law trespass7 (for an unauthorized intrusion), the Electronic Communications Privacy Act8 (for unauthorized interception of material in transit (such as through the use of key loggers or sniffers) or material in storage) or an array of state law causes of action, including unfair competition and claims for relief under those state laws that afford a

[Section 27.07]

1 The tradeoff between civil and criminal remedies for the theft of information and other Internet crimes is analyzed in chapter 43. Crimes and related penalties are analyzed in chapter 44. Remedies for phishing and identity theft are analyzed in chapter 46.

2 See infra §§ 37.02 (compelling the disclosure of the identity of anonymous and pseudonymous tortfeasors), 50.06 (service provider obligations in response to civil subpoenas).

3 See supra chapter 10 (misappropriation of trade secrets).

4 See supra chapter 4 (digital copyright law). A security claim may be preempted by the Copyright Act where it amounts to claim based on copying. See, e.g., AF Holdings, LLC v. Doe, 5:12-CV-02048-EJD, 2012 WL 4747170, at *2-3 (N.D. Cal. Oct. 3, 2012) (holding that plaintiff's negligence claim based on the theory that Botson had a duty to secure his Internet connection to protect against unlawful acts of third parties was preempted by the Copyright Act because it amounted to little more than the allegation that Botson's actions (or inaction) played a role in the unlawful reproduction and distribution of plaintiff's video in violation of the Copyright Act); see generally supra § 4.18 (analyzing copyright preemption).

5 See supra chapter 5 (database protection).

6 18 U.S.C.A. § 1030; see generally infra § 44.08.

7 See supra § 5.05[1] (analyzing computer trespass cases).

8 18 U.S.C.A. §§ 2510 to 2521 (Title I), 2701 to 2711 (Title II); see generally infra §§ 44.06, 44.07.

statutory remedy for a security breach.9 Where companies are sued by consumers or their business customers over a security breach, the most common theories of recovery are breach of contract, breach of implied contract, breach of fiduciary duty, public disclosure of private facts, and negligence, depending on the facts of a given case. Security breach suits brought by consumers against companies that have experienced a breach therefore frequently are framed in terms of common law and state statutory remedies. Those few federal statutes that impose express data security obligations on persons and entities—The Children's Online Privacy Protection Act10 (which regulates information collected from children under age 13), The Gramm-Leach-Bliley Act (which imposes security obligations on financial institutions11) and the Health Insurance Portability and Accountability Act (HIPAA)12 (which regulates personal health information)—typically do not authorize a private cause of action (although the same underlying conduct that violates obligations under these laws potentially could be actionable under other theories of recovery). Claims also sometimes are asserted under federal computer crime statutes, such as the Stored Communications Act,13 but those statutes usually aren't well-suited to data breach cases.14 Claims arising out of security breaches also have been brought under the Fair

9 See infra § 27.08[10].

10 15 U.S.C.A. §§ 6501 to 6506; supra §§ 26.13[2], 27.04[2].

11 15 U.S.C.A. §§ 6801 to 6809, 6821 to 6827; supra § 27.04[3].

12 42 U.S.C.A. §§ 1320d et seq.; supra § 27.04[4].

13 18 U.S.C.A. §§ 2701 to 2711; see generally supra § 26.15 (putative privacy class action suits brought under the Stored Communications Act); infra §§ 44.07 (analyzing the statute in general), 50.06[4] (subpoenas).

14 See, e.g., Worix v. MedAssets, Inc., 857 F. Supp. 2d 699 (N.D. Ill. 2012) (dismissing without prejudice plaintiff's claim under the Stored Communications Act in a putative class action suit brought against a company that stored personal health information, where the plaintiff alleged that the company failed to implement adequate safeguards to protect plaintiff's information when a computer hard drive containing the information was stolen, but could not show that the disclosure was made knowingly, as required by sections 2702(a)(1) and 2702(a)(2)); In re Michaels Stores Pin Pad Litig., 830 F. Supp. 2d 518, 523–24 (N.D. Ill. 2011) (dismissing plaintiffs' Stored Communications Act claim in a putative security breach class action suit resulting from a hacker skimming credit card information and PIN numbers from PIN pads in defendant's stores; holding that Michaels Stores was neither an ECS provider nor an RCS provider and therefore not subject to the SCA).


Credit Reporting Act,15 but that statute imposes obligations on consumer reporting agencies, users of consumer reports, and furnishers of information to consumer reporting agencies,16 and therefore does not provide a general remedy in the case of security breaches if the defendant is not a member of one of those three groups.17 Where a company fails to provide notice to consumers, it also potentially could be sued for statutory remedies in those states that afford a private cause of action to enforce rights under state security breach notification laws. Public companies that experience data breaches also may be subject to securities fraud class

The court's ruling in Worix v. MedAssets, Inc., 857 F. Supp. 2d 699 (N.D. Ill. 2012) underscores why most security breach cases brought by customers against businesses that experienced security incidents are ill suited to Stored Communications Act claims. In Worix, the plaintiff had alleged that MedAssets deliberately failed to take commercially reasonable steps to safeguard sensitive patient data by failing to encrypt or password-protect it. The court, however, explained that “[t]he first of these allegations is beside the point, and the latter is insufficient.” Judge Kennelly of the Northern District of Illinois emphasized that “[t]he SCA requires proof that the defendant ‘knowingly divulge[d]’ covered information, not merely that the defendant knowingly failed to protect the data.” Id. at 703 (emphasis in original), citing 18 U.S.C.A. §§ 2702(a)(1), 2702(a)(2). In so holding, the court explained that “knowing conduct includes willful blindness, but not recklessness or negligence.” Id. at 702.

15 15 U.S.C.A. §§ 1681 et seq.

16 Chipka v. Bank of America, 355 F. App'x 380, 382 (11th Cir. 2009).

17 See, e.g., Galaria v. Nationwide Mut. Ins. Co., 998 F. Supp. 2d 646, 652–53 (S.D. Ohio 2014) (holding that plaintiffs' allegation that the defendant in a security breach case violated the FCRA's statement of purpose in 15 U.S.C.A. § 1681(b) (which plaintiff alleged was actionable under sections 1681n(a) and 1681o) was insufficient to confer statutory standing because it failed to allege a specific violation); In re Sony Gaming Networks and Customer Data Security Breach Litigation, 996 F. Supp. 2d 942, 1010–12 (S.D. Cal. 2014) (dismissing plaintiffs' Fair Credit Reporting Act claim because Sony was not a consumer reporting agency); Burton v. MAPCO Express, Inc., 47 F. Supp. 2d 1279, 1286–87 (N.D. Ala. 2014) (dismissing a FCRA claim arising out of a security breach where the defendant was not a consumer reporting agency); Strautins v. Trustwave Holdings, Inc., 27 F. Supp. 3d 871, 881–82 (N.D. Ill. 2014) (dismissing a FCRA claim where the defendant in a security breach case was not a “consumer reporting agency,” which is defined as an entity engaged in the practice of assembling or evaluating consumer credit information for the purpose of furnishing consumer reports to third parties, and which uses any means or facility of interstate commerce for the purpose of preparing or furnishing reports, 15 U.S.C.A. § 1681a(f), and could not allege that Trustwave's “purpose” was to furnish the information to data thieves).

action suits.18 A company's obligation to comply with security breach notification laws often results in publicity that leads to litigation, including class action litigation, as well as regulatory scrutiny (which alternatively may lead to litigation).19 Higher stakes security breach litigation typically is brought by business customers of a company that has experienced a breach over which party bears the risk of loss. By contrast, consumers often are insulated from the financial consequences of a security breach. In cases involving credit card theft, for example, credit card companies sometimes cancel accounts before consumers could be impacted (or refund the maximum $50 charge that a customer could incur as a result of credit card fraud under federal law).20 While potential plaintiffs may have a justified apprehension of potential future harm that could result from identity theft, that apprehension may not translate to present injury or damage sufficient to establish Article III standing or state a claim (or, where it is, it may not be directly traceable to a particular breach, or a particular company's responsibility for the breach, as opposed to other factors). When a breach occurs, and an actual financial loss can be established, a plaintiff may maintain suit for breach of contract, breach of fiduciary duty, negligence or similar claims, depending on the facts of a given case.21 These common law claims rarely afford either statutory damages or at-

18 See supra § 27.04[5][B] (S.E.C. guidelines).

19 See infra § 27.08[1] (addressing state security breach laws and cross-referencing cites to notice obligations under federal law).

20 See 15 U.S.C.A. §§ 1643, 1693g; 12 C.F.R. § 205.6(b) (limiting liability for unauthorized charges to $50). A consumer's liability will be capped at $50 only where the consumer reported the loss within two business days of learning about it. Otherwise, the loss may be capped at $500. Where a loss is not reported within sixty days of the time a financial institution transmitted a statement on which the unauthorized loss was shown, the consumer will bear the full loss. See 12 C.F.R. § 205.6(b); see infra § 31.04[3]. To evaluate whether risk of loss rules for a given transaction are determined by Regulation Z or Regulation E, see 12 C.F.R. §§ 205.6(d), 226.12(g).

21 See, e.g., Resnick v. AvMed, Inc., 693 F.3d 1317 (11th Cir. 2012) (holding that victims of identity theft had standing to sue for negligence, negligence per se, breach of fiduciary duty, breach of contract, breach of implied contract, breach of the duty of good faith and fair dealing and

27-110 Internet, Network and Data Security 27.07 torneys' fees and, as a consequence, in most consumer secu- rity breach cases standing to sue in federal court may present a real obstacle. Standing must be established based on the named plain- tis that actually led suit, not unnamed putative class members.22 In many security breach cases, plaintis' information may have been compromised but there is no immediate injury (and in many cases there never will be). In rare instances, a suit may be brought where emotional injuries can be shown,23 unjust enrichment/restitution, in a suit arising out of the disclosure of sensitive information (including protected health information, Social Secu- rity numbers, names, addresses and phone numbers) when two laptops containing unencrypted data were stolen, where plaintis had both been victims of identity theft following the breach); Lambert v. Hartman, 517 F.3d 433, 437 (6th Cir. 2008) (nding standing to bring a constitutional right to privacy claim where plainti's information was posted on a munic- ipal website and then taken by an identity thief, causing her actual nancial loss fairly traceable to the defendant's conduct), cert. denied, 555 U.S. 1126 (2009). 22 See, e.g., Simon v. Eastern Ky. Welfare Rights Org., 426 U.S. 26, 40 n.20 (1976) (“That a suit may be a class action . . . adds nothing to the question of standing, for even named plaintis who represent a class ‘must allege and show that they personally have been injured, not that injury has been suered by other, unidentied members of the class to which they belong and which they purport to represent.’ ’’; quoting Warth v. Seldin, 422 U.S. 490, 502 (1975)); see also O'Shea v. Littleton, 414 U.S. 488, 494 (1974) (“if none of the named plaintis purporting to represent a class establishes the requisite of a case or controversy with the defendants, none may seek relief on behalf of himself or any other member of the class.”); Payton v. 
County of Kane, 308 F.3d 673, 682 (7th Cir. 2002) (“Standing cannot be acquired through the back door of a class action.” (internal quotation omitted)); see also Easter v. American West Financial, 381 F.3d 948, 962 (9th Cir. 2004) (holding that a court must first evaluate the standing of named plaintiffs before determining whether a class may be certified).

23 See, e.g., Rowe v. UniCare Life and Health Ins. Co., No. 09 C 2286, 2010 WL 86391, at *6 (N.D. Ill. Jan. 5, 2010) (denying defendant's motion to dismiss common law negligence, invasion of privacy and breach of implied contract claims where the plaintiff had alleged that he suffered emotional distress, which, if proven, would constitute a present injury resulting from his insurance company's disclosure of insurance identification numbers, Social Security numbers, medical and pharmacy information, medical information about their dependents, and other protected health information; holding that a plaintiff whose personal data had been compromised “may collect damages based on the increased risk of future harm he incurred, but only if he can show that he suffered from some present injury beyond the mere exposure of his information to the public.”).

but more often than not (as discussed later in this section) the economic loss doctrine bars recovery of damages for potential emotional injuries arising from fear and apprehension of potential identity theft. As one court observed, under current pleading standards it may be “difficult for consumers . . . to assert a viable cause of action stemming from a data breach because in the early stages of the action, it is challenging for a consumer to plead facts that connect the dots between the data breach and an actual injury so as to establish Article III standing.”24 Most security breach suits where standing is an issue involve an actual security breach, but individual harm may be absent or merely de minimis. In such cases, plaintiffs' counsel frequently argue that plaintiffs have standing based on the risk of future harm, the costs associated with mitigating that risk (if any) and/or the loss of value experienced by paying for a product or service that plaintiffs allege was over-priced based on the actual level of security provided. Plaintiffs’ counsel sometimes seek to bolster their clients’ claims based on apprehension of a potential future harm by encouraging them to subscribe to credit monitoring services, alleging that the cost of credit monitoring is a present loss occasioned by the breach.25 Some courts, however, have rejected the notion that credit monitoring costs can confer standing where the threat that these costs address is itself viewed as speculative or at least not certainly impending.26 As the U.S. Supreme Court explained in Clapper v. Amnesty

24 Burton v. MAPCO Express, Inc., 47 F. Supp. 2d 1279 (N.D. Ala. 2014).

25 For this reason, companies that experience a security breach sometimes voluntarily offer affected consumers free credit monitoring services to deprive plaintiffs' counsel of a potential argument for standing to sue in litigation in federal court.
See generally infra § 27.08 (analyzing state security breach notification laws and alternative responses, including offering credit monitoring services, including in particular section 27.08[9] on credit monitoring).

26 See, e.g., Reilly v. Ceridian Corp., 664 F.3d 38, 46 (3d Cir. 2011), cert. denied, 132 S. Ct. 2395 (2012); Remijas v. Neiman Marcus Group, LLC, No. 14 C 1735, 2014 WL 4627893 (N.D. Ill. Sept. 16, 2014); Moyer v. Michael's Stores, Inc., No. 14 C 561, 2014 WL 3511500, at *4 (N.D. Ill. July 14, 2014); In re SAIC Corp., — F. Supp. 3d —, 2014 WL 1858458, at *7 (D.D.C. 2014); Galaria v. Nationwide Mut. Ins. Co., 998 F. Supp. 2d 646, 657–58 (S.D. Ohio 2014); Polanco v. Omnicell, Inc., 988 F. Supp. 2d 451, 470–71 (D.N.J. 2013). As one court explained:


International USA,27 plaintiffs “cannot manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future harm that is not certainly impending.”28 Although at the margins and in some courts plaintiffs' counsel may still be able to allege an injury sufficient to meet standing requirements, in general it is getting more difficult for plaintiffs to establish standing to sue in security breach cases absent real injury, even as the volume of security breaches continues to skyrocket. Prior to Clapper, the Seventh29 and Ninth30 Circuits and

The cost of guarding against a risk of harm constitutes an injury-in-fact only if the harm one seeks to avoid is a cognizable Article III injury. See Clapper v. Amnesty Int'l USA, 133 S. Ct. 1138, 1151 (2013). Therefore, the cost of precautionary measures such as buying identity theft protection provides standing only if the underlying risk of identity theft is sufficiently imminent to constitute an injury-in-fact. Id.

Moyer v. Michael's Stores, Inc., No. 14 C 561, 2014 WL 3511500, at *4 n.1 (N.D. Ill. July 14, 2014). But see In re Adobe Systems, Inc. Privacy Litig., 66 F. Supp. 3d 1197, 1217 (N.D. Cal. 2014) (holding that where the court found that plaintiffs adequately alleged that they faced “a certainly impending future harm from the theft of their personal data, . . . the costs Plaintiffs . . . incurred to mitigate this future harm constitute an additional injury-in-fact.”).

27 Clapper v. Amnesty International USA, 133 S. Ct. 1138 (2013).

28 Clapper v. Amnesty International USA, 133 S. Ct. 1138, 1143, 1151 (2013) (rejecting respondents' alternative argument that they were suffering “present injury because the risk of . . . surveillance already has forced them to take costly and burdensome measures to protect the confidentiality of their international communications.”). The Supreme Court explained that allowing plaintiffs to bring suit “based on costs they incurred in response to a speculative threat would be tantamount to accepting a repackaged version of [their] first failed theory of standing.” Id.

29 Pisciotta v. Old National Bancorp., 499 F.3d 629 (7th Cir. 2007) (finding standing in a security breach class action suit against a bank, based on the threat of future harm from an intrusion that was “sophisticated, intentional and malicious.”).
In Pisciotta, plaintiffs sued a bank after its website had been hacked, alleging that it failed to adequately secure the personal information that it had solicited (including names, addresses, birthdates and Social Security numbers) when customers had applied for banking services on its website. Plaintiffs did not allege that they had yet incurred any financial loss or been victims of identity theft. Rather, the court held that they satisfied the “injury in fact” requirement to establish standing based on the threat of future harm or “an act which harms the plaintiff only by increasing the risk of future harm that the plaintiff would have otherwise faced, absent the defendant's actions.” Id. at 634.

30 Krottner v. Starbucks Corp., 628 F.3d 1139, 1142–43 (9th Cir. 2010) (finding standing in a suit where plaintiffs' unencrypted information

district courts elsewhere31 held that consumers impacted by security breaches where data has been accessed by unauthorized third parties, but no loss has yet occurred, have standing32 to maintain suit in federal court based on the threat of future harm, while the Third Circuit, in a better reasoned, more detailed analysis, disagreed33 (and various district

(names, addresses and Social Security numbers) was stored on a stolen laptop, where someone had attempted to open a bank account with plaintiff's information following the theft, creating “a credible threat of real and immediate harm stemming from the theft . . . .”); see also Ruiz v. Gap, Inc., 622 F. Supp. 2d 908 (N.D. Cal. 2009) (holding, prior to Krottner, that a job applicant whose personal information (including his Social Security number) had been stored on a laptop of the defendant's that had been stolen had standing to sue but granting summary judgment for the defendant where the risk of future identity theft did not support claims for negligence, breach of contract, unfair competition or invasion of privacy under the California constitution), aff'd mem., 380 F. App'x 689 (9th Cir. 2010). But see In re LinkedIn User Privacy Litig., 932 F. Supp. 2d 1089 (N.D. Cal. 2013) (dismissing plaintiffs' putative class action suit arising out of a hacker gaining access to their LinkedIn passwords and email addresses, for lack of Article III standing, where plaintiffs alleged no injury or damage).

31 See, e.g., Holmes v. Countrywide Financial Corp., No. 5:08-CV-00205-R, 2012 WL 2873892, at *5 (W.D. Ky. July 12, 2012) (holding that plaintiffs had standing to maintain suit over the theft of sensitive personal and financial customer data by a Countrywide employee where plaintiffs had purchased credit monitoring services to ensure that they would not be the targets of identity thieves or expended sums to change their telephone numbers as a result of increased solicitations); Caudle v. Towers, Perrin, Forster & Crosby, Inc., 580 F. Supp. 2d 273 (S.D.N.Y. 2008) (holding that the plaintiff had standing to sue his employer's pension consultant, seeking to recover the costs of multi-year credit monitoring and identity theft insurance, following the theft of a laptop containing his personal information from the consultant's office).
32 To have standing to bring suit in federal court, a plaintiff must have suffered an “injury in fact,” which must be (a) “concrete and particularized” and (b) “actual or imminent, not conjectural or hypothetical.” Lujan v. Defenders of Wildlife, 504 U.S. 555, 560–61 (1992). More specifically, “[t]o establish Article III standing, an injury must be ‘concrete, particularized, and actual or imminent; fairly traceable to the challenged action; and redressable by a favorable ruling.’ ” Clapper v. Amnesty International USA, 133 S. Ct. 1138, 1147 (2013), quoting Monsanto Co. v. Geertson Seed Farms, 561 U.S. 139, 149-50 (2010); see generally supra § 26.15 (analyzing standing in greater depth in connection with data privacy class action cases).

33 Reilly v. Ceridian Corp., 664 F.3d 38 (3d Cir. 2011) (finding no standing in a suit by law firm employees against a payroll processing firm alleging negligence and breach of contract relating to the risk of identity theft and costs for credit monitoring services in a case where defendant's

courts in other circuits34 have found the threat of future

firewall had been penetrated but there was no evidence that the intrusion was intentional or malicious and no allegation of misuse and therefore injury), cert. denied, 132 S. Ct. 2395 (2012); see also Allison v. Aetna, Inc., No. 09–2560, 2010 WL 3719243, at *5 n.7 (E.D. Pa. Mar. 9, 2010) (pre-Ceridian district court case rejecting claims for negligence, breach of express and implied contract and invasion of privacy, for time and money spent on credit monitoring due to a perceived risk of harm as the basis for an injury in fact, in a case where the plaintiff did not allege any harm as a result of a job application website breach of security); Hinton v. Heartland Payment Systems, Inc., Civil Action No. 09–594 (MLC), 2009 WL 704139, at *1 (D.N.J. Mar. 16, 2009) (pre-Ceridian opinion, dismissing the case sua sponte because plaintiff's allegations of increased risk of identity theft and fraud “amount to nothing more than mere speculation.”); Giordano v. Wachovia Securities, LLC, No. 06 Civ. 476, 2006 WL 2177036, at *5 (D.N.J. July 31, 2006) (pre-Ceridian district court case holding that credit monitoring costs resulting from lost financial information did not constitute an injury sufficient to confer standing).

34 See, e.g., In re LinkedIn User Privacy Litig., 932 F. Supp. 2d 1089, 1092–95 (N.D. Cal. 2013) (dismissing plaintiffs' putative class action suit arising out of a hacker gaining access to their LinkedIn passwords and email addresses, for lack of standing, where plaintiffs failed to allege any present harm and their allegations of possible future harm were “too theoretical to support injury-in-fact for the purposes of Article III standing.”); Whitaker v. Health Net of California, Inc., No. 11-910, 2012 WL 174961, at *2 (E.D. Cal. Jan. 20, 2012) (granting IBM's motion to dismiss for lack of standing where plaintiffs did “not explain how the loss here has actually harmed them . . . or that third parties have accessed their data.
Any harm stemming from their loss thus is precisely the type of conjectural and hypothetical harm that is insufficient to allege standing.”); Hammond v. Bank of N.Y. Mellon Corp., No. 08–6060, 2010 WL 2643307, at *4, *7 (S.D.N.Y. June 25, 2010) (finding no standing and, in the alternative, granting summary judgment on plaintiff's claims for negligence, breach of fiduciary duty, implied contract and state consumer protection violations based, among other things, on the absence of any injury); Allison v. Aetna, Inc., 09–CV–2560, 2010 WL 3719243 (E.D. Pa. Mar. 9, 2010) (finding no standing based solely on the increased risk of identity theft); Amburgy v. Express Scripts, Inc., 671 F. Supp. 2d 1046, 1051–53 (E.D. Mo. 2009) (dismissing claims for negligence, breach of contract with respect to third-party beneficiaries, breach of implied contract, violations of various states' data breach notification laws, and violations of Missouri's Merchandising Practices Act, arising out of an alleged database security breach, because the increased risk of future identity theft was insufficient to confer standing and for failure to state a claim); Kahle v. Litton Loan Servicing, LP, 486 F. Supp. 2d 705 (S.D. Ohio 2007) (granting defendant's motion for summary judgment in a suit for negligence, arising out of the theft of a mortgage loan service provider's computer equipment, where the plaintiff could not establish injury or causation); Randolph v. ING Life Ins. & Annuity Co., 486 F. Supp. 2d 1 (D.D.C. 2007) (holding that plaintiffs lacked standing to sue their insurer for public disclosure of private facts, negligence, gross negligence or breach of fiduciary duty after a laptop

harm to be too speculative to support standing). In Reilly v. Ceridian Corp.,35 the Third Circuit rejected the analogy drawn by the Seventh and Ninth Circuits between data security breach cases and defective-medical-device, toxic-substance-exposure or environmental injury cases, where courts typically find standing. First, in those cases, an injury “has undoubtedly occurred” and damage has been done, even if the plaintiffs “cannot yet quantify how it will manifest itself.”36 In data breach cases where no misuse is alleged, however, “there has been no injury—indeed, no change in the status quo . . . . [T]here is no quantifiable risk of damage in the future . . . . Any damages that may occur . . . are entirely speculative and dependent on the skill and intent of the hacker.”37 Second, standing in medical-device and toxic-tort cases “hinges on human health concerns” where courts resist strictly applying the “actual injury” test “when the future harm involves human suffering or premature death.”38 Similarly, standing in environmental injury cases is unique “because monetary compensation may not adequately return plaintiffs to their original position.”39 By contrast, in a data breach case, “there is no reason to believe that monetary

containing their private personal information was stolen, where plaintiffs' alleged increased risk of identity theft and the costs incurred to protect themselves against that alleged increased risk did not amount to injury in fact sufficient for standing); Key v. DSW, Inc., 454 F. Supp. 2d 684, 688–90 (S.D. Ohio 2006) (dismissing a putative class action suit alleging negligence, breach of contract, conversion, and breach of fiduciary duty, for lack of standing, where a security breach allowed unauthorized persons to obtain access to personal financial information of approximately 96,000 customers but the breach created “only the possibility of harm at a future date.”); Bell v. Acxiom Corp., No. 4:06 Civ.
00485, 2006 WL 2850042, at *2 (E.D. Ark. Oct. 3, 2006) (finding no standing where plaintiff pled only an increased risk of identity theft rather than “concrete damages.”).

35 Reilly v. Ceridian Corp., 664 F.3d 38 (3d Cir. 2011), cert. denied, 132 S. Ct. 2395 (2012).

36 Reilly v. Ceridian Corp., 664 F.3d 38, 45 (3d Cir. 2011), cert. denied, 132 S. Ct. 2395 (2012).

37 Reilly v. Ceridian Corp., 664 F.3d 38, 45 (3d Cir. 2011), cert. denied, 132 S. Ct. 2395 (2012). As the court explained, in Reilly “Appellant's credit card statements are exactly the same today as they would have been had Ceridian's database never been hacked.” Id.

38 Reilly v. Ceridian Corp., 664 F.3d 38, 45 (3d Cir. 2011), cert. denied, 132 S. Ct. 2395 (2012).

39 Reilly v. Ceridian Corp., 664 F.3d 38, 45 (3d Cir. 2011), cert. denied,

compensation will not return plaintiffs to their original position completely—if the hacked information is actually read, copied, understood, and misused to a plaintiff's detriment. To the contrary, . . . the thing feared lost . . . is simply cash, which is easily and precisely compensable with a monetary award.”40 In Ceridian, the Third Circuit also rejected the argument that time and money spent to monitor plaintiffs' financial information established standing because “costs incurred to watch for a speculative chain of future events based on hypothetical future criminal acts are no more ‘actual’ injuries than the alleged ‘increased risk of injury’ which forms the basis for Appellants' claims.”41 While there is a split of authority in these cases (as noted above), the argument for standing in a lawsuit based on the mere threat of a potential security breach, without even evidence of present injury, is weak. In Katz v. Pershing, LLC,42 the First Circuit distinguished both the Third Circuit's holding in Ceridian43 and Seventh and Ninth Circuit opinions finding standing in data breach suits,44 in a putative class action suit in which the plaintiff had sued based on an increased risk that someone might access her data, rather than an actual security breach. The court held that plaintiff's allegations—which it characterized as “unanchored to any actual incident of data breach”—were too remote to support Article III standing.45

132 S. Ct. 2395 (2012).

40 Reilly v. Ceridian Corp., 664 F.3d 38, 45–46 (3d Cir. 2011) (emphasis in original), cert. denied, 132 S. Ct. 2395 (2012).

41 Reilly v. Ceridian Corp., 664 F.3d 38, 46 (3d Cir. 2011), cert. denied, 132 S. Ct. 2395 (2012).

42 Katz v. Pershing, LLC, 672 F.3d 64 (1st Cir. 2012).

43 Reilly v. Ceridian Corp., 664 F.3d 38 (3d Cir. 2011), cert. denied, 132 S. Ct. 2395 (2012).

44 Pisciotta v. Old National Bancorp., 499 F.3d 629 (7th Cir. 2007); Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010).

45 Katz v. Pershing, LLC, 672 F.3d 64, 80 (1st Cir. 2012) (holding that the plaintiff did not have Article III standing to sue the defendant for failing to provide notice pursuant to Massachusetts' security breach notification law where “the plaintiff purchased identity theft insurance and credit monitoring services to guard against a possibility, remote at best, that her nonpublic personal information might someday be pilfered. Such a purely theoretical possibility simply does not rise to the level of a reasonably


In Frezza v. Google Inc.,46 the court, in dismissing a breach of implied contract claim brought over Google's alleged failure to implement Data Security Standards (DSS) rules in connection with promotions for Google Tags, distinguished cases where courts found standing involving the disclosure of personal information, as opposed to mere retention of data, which was what was alleged in Frezza. In 2013, the U.S. Supreme Court, in Clapper v. Amnesty International USA,47 emphasized that to establish standing “allegations of possible future injury are not sufficient.”48 The threatened injury must be “certainly impending” to constitute injury in fact.49 In Clapper, the Supreme Court held that U.S.-based attorneys, human rights, labor, legal and media organizations did not have standing to challenge section 702 of the Foreign Intelligence Surveillance Act of 1978,50 based on their allegation that their communications with individuals outside the United States who were likely to be the targets of surveillance under section 702 made it likely that their communications would be intercepted. The Court characterized their fear as “highly speculative” given that the respondents did not allege that any of their communications had actually been intercepted, or even that the U.S.

impending threat.”). In Katz, the First Circuit emphasized that

the plaintiff has not alleged that her nonpublic personal information actually has been accessed by any unauthorized person. Her cause of action rests entirely on the hypothesis that at some point an unauthorized, as-yet unidentified, third party might access her data and then attempt to purloin her identity. The conjectural nature of this hypothesis renders the plaintiff's case readily distinguishable from cases in which confidential data actually has been accessed through a security breach and persons involved in that breach have acted on the ill-gotten information. Cf. Anderson v. Hannaford Bros., 659 F.3d 151, 164–65 (1st Cir.
2011) (holding purchase of identity theft insurance in such circumstances reasonable in negligence context). Given the multiple strands of speculation and surmise from which the plaintiff's hypothesis is woven, finding standing in this case would stretch the injury requirement past its breaking point.

Katz v. Pershing, LLC, 672 F.3d 64, 79–80 (1st Cir. 2012).

46 Frezza v. Google Inc., No. 5:12-cv-00237, 2013 WL 1736788 (N.D. Cal. Apr. 22, 2013).

47 Clapper v. Amnesty International USA, 133 S. Ct. 1138 (2013).

48 Clapper v. Amnesty International USA, 133 S. Ct. 1138, 1147 (2013) (internal quotation marks omitted).

49 Clapper v. Amnesty International USA, 133 S. Ct. 1138, 1146–47 (2013).

50 50 U.S.C.A. § 1881a.


Government sought to target them directly.51 Clapper arguably makes it even more difficult for plaintiffs in security breach cases to establish standing in federal court in the absence of identity theft. Indeed, courts in many data security cases have read Clapper this way.52 Courts in some jurisdictions that previously had more permissive standing rules, however, have applied more liberal standing requirements to security breach cases, consistent with pre-Clapper circuit court law. In In re Sony Gaming Networks & Customer Data Security Breach Litigation,53 a court in reiterated, in January 2014, its earlier ruling finding that plaintiffs in a security

51 Clapper v. Amnesty International USA, 133 S. Ct. 1138, 1148 (2013).

52 See, e.g., Burton v. MAPCO Express, Inc., 47 F. Supp. 2d 1279 (N.D. Ala. 2014) (dismissing plaintiff’s negligence claim with leave to amend, citing cases that applied Clapper but not Clapper itself); In re SAIC Corp., 45 F. Supp. 3d 14 (D.D.C. 2014) (dismissing claims brought on behalf of 4.7 million military members and their families whose data was exposed by a government contractor, but allowing a few very specific claims where actual loss was alleged to proceed); Galaria v. Nationwide Mut. Ins. Co., 998 F. Supp. 2d 646 (S.D. Ohio 2014) (holding that (1) the alleged increased risk that consumers would be victims of identity theft at some indeterminate time in the future (alleged by plaintiffs to be 9.5 times more likely than members of the general public, reflecting a fraud incidence rate of 19%), and expenditures to mitigate that potential future risk was not “certainly impending” and therefore did not constitute injury sufficient to confer standing, and (2) consumers’ allegation that they suffered a loss of privacy when their personally identifiable information was stolen did not constitute injury sufficient to confer standing to bring negligence or bailment claims, although it did establish standing to sue for state law invasion of privacy); Polanco v. Omnicell, Inc., 988 F. Supp. 2d 451, 467–71 (D.N.J. 2013) (relying on Clapper and Reilly to conclude that the mere loss of data, without misuse, is not a sufficient injury to confer standing); In re Barnes & Noble Pin Pad Litig., 12-CV-8617, 2013 WL 4759855 (N.D. Ill. Sept. 3, 2013) (rejecting arguments that the delay or inadequacy of breach notification increased the risk of injury and, citing Clapper, explaining that “[m]erely alleging an increased risk of identity theft or fraud is insufficient to establish standing.”); see also Yunker v. Pandora Media, Inc., No. 11–3113, 2013 WL 1282980 (N.D. Cal. Mar. 26, 2013) (holding, in a privacy case, that plaintiff lacked standing to sue under Clapper based on theories that (1) Pandora's conduct diminished the value of his personally identifiable information (“PII”); (2) Pandora's conduct decreased the memory space on his mobile device; and (3) Pandora's disclosure of his PII put him at risk of future harm, but holding that the plaintiff had standing to sue based on the theory that Pandora invaded his constitutional right to privacy when it allegedly disseminated his PII to third parties).

53 In re Sony Gaming Networks & Customer Data Security Breach

breach case had standing, which had been decided before Clapper, based on Krottner v. Starbucks Corp.,54 the leading pre-Clapper Ninth Circuit security breach standing case. In Sony, Judge Anthony Battaglia concluded that Krottner remained binding precedent and was not inconsistent with Clapper. He wrote that “although the Supreme Court's word choice in Clapper differed from the Ninth Circuit's word choice in Krottner, stating that the harm must be ‘certainly impending,’ rather than ‘real and immediate,’ the Supreme Court's decision in Clapper did not set forth a new Article III framework, nor did the Supreme Court's decision overrule previous precedent requiring that the harm be ‘real and immediate.’ ”55 Thereafter, in September 2014, in what at first appeared to be an aberrational opinion that eventually proved influential, Northern District of California Judge Lucy Koh ruled in In re Adobe Systems, Inc. Privacy Litigation56 that plaintiffs whose information had been compromised but who had not been victims of identity theft had standing to bring a putative class action suit based on pre-Clapper Ninth Circuit law. In Adobe, Judge Koh held that plaintiffs had standing to assert claims for declaratory relief and under Cal. Civil Code § 1798.81.5 for Adobe's alleged failure to maintain reasonable security for their data and for unfair competition for failing to warn about allegedly inadequate security in connection with a security breach that exposed the user names, passwords, credit and debit card numbers, expiration dates, and email addresses of 38 million customers. At the same time, she dismissed plaintiffs' claims for allegedly delaying consumer breach notification where there was no traceable harm and plaintiffs' claim that they had spent more money on Adobe products than they would have had they known the true level of security provided by the company.
Judge Koh wrote that “Clapper did not change the law governing Article III standing” because the U.S. Supreme Court did not overrule any of its prior precedents and did

Litig., 996 F. Supp. 2d 942 (S.D. Cal. 2014).

54 Krottner v. Starbucks Corp., 628 F.3d 1139, 1142-43 (9th Cir. 2010).

55 In re Sony Gaming Networks & Customer Data Security Breach Litig., 996 F. Supp. 2d 942, 961 (S.D. Cal. 2014).

56 In re Adobe Systems, Inc. Privacy Litig., 66 F. Supp. 3d 1197 (N.D. Cal. 2014).

not “reformulate the familiar standing requirements of injury-in-fact, causation and redressability.” Accordingly, Judge Koh expressed reluctance to construe Clapper broadly as expanding the standing doctrine. Judge Koh also distinguished Clapper because in that case standing arose in the sensitive context of a claim that “other branches of government in that case were violating the Constitution, and the U.S. Supreme Court itself noted that its standing analysis was unusually rigorous as a result.”57 She explained:

“[D]istrict courts should consider themselves bound by . . . intervening higher authority and reject the prior opinion of [the Ninth Circuit] as having been effectively overruled” only when the intervening higher authority is “clearly irreconcilable with [the] prior circuit authority.” Miller v. Gammie, 335 F.3d 889, 900 (9th Cir. 2003) (en banc). The Court does not find that Krottner and Clapper are clearly irreconcilable. Krottner did use somewhat different phrases to describe the degree of imminence a plaintiff must allege in order to have standing based on a threat of injury, i.e., “immediate[ ][ ] of sustaining some direct injury,” and a “credible threat of real and immediate harm.” 628 F.3d at 1142–43. On the other hand, Clapper described the harm as “certainly impending.” 133 S. Ct. at 1147. However, this difference in wording is not substantial. At the least, the Court finds that Krottner's phrasing is closer to Clapper's “certainly impending” language than it is to the Second Circuit's “objective reasonable likelihood” standard that the Supreme Court reversed in Clapper.
Given that Krottner described the imminence standard in terms similar to those used in Clapper, and in light of the fact that nothing in Clapper reveals an intent to alter established standing principles, the Court cannot conclude that Krottner has been effectively overruled.58

In the alternative, she ruled that even if Krottner v. Starbucks Corp.59 was “no longer good law, the threatened harm alleged . . . [in Adobe was] sufficiently concrete and

57 In re Adobe Systems, Inc. Privacy Litig., 66 F. Supp. 3d 1197, 1214 (N.D. Cal. 2014), citing Clapper v. Amnesty International USA, 133 S. Ct. 1138, 1147 (2013) (“Our standing inquiry has been especially rigorous when reaching the merits of the dispute would force us to decide whether an action taken by one of the other two branches of the Federal Government was unconstitutional.” (alteration omitted) (internal quotation marks omitted)).

58 In re Adobe Systems, Inc. Privacy Litig., 66 F. Supp. 3d 1197, 1214 (N.D. Cal. 2014).

59 Krottner v. Starbucks Corp., 628 F.3d 1139, 1142-43 (9th Cir. 2010).

imminent to satisfy Clapper.”60 Unlike in Clapper, Judge Koh wrote, where respondents' claim that they would suffer future harm rested on a chain of events that was both “highly attenuated” and “highly speculative,” the risk that plaintiffs' personal data in Adobe would be misused by the hackers who breached Adobe's network was “immediate and very real” because plaintiffs alleged that the hackers deliberately targeted Adobe's servers and spent several weeks collecting names, usernames, passwords, email addresses, phone numbers, mailing addresses, and credit card numbers and expiration dates and plaintiffs' personal information was among the information taken during the breach. “Thus, in contrast to Clapper, where there was no evidence that any of respondents' communications either had been or would be monitored under Section 702, . . . [in Adobe there was] no need to speculate as to whether Plaintiffs' information has been stolen and what information was taken. Neither is there any need to speculate as to whether the hackers intend to misuse the personal information stolen in the 2013 data breach or whether they will be able to do so.”61 In so ruling, Judge Koh distinguished Polanco v. Omnicell, Inc.,62 as a case involving the theft of a laptop from a car where there was no allegation that the thief targeted the laptop for the data stored on it, and Strautins v. Trustware Holdings, Inc.63 and In re Barnes & Noble Pin Pad Litigation,64 as cases where it was not clear that any data was stolen at all. By contrast, Judge Koh disagreed with Galaria v. Nationwide Mutual Insurance Co.,65 which she characterized as the most factually similar of the cases she discussed, taking issue with the court's conclusion in that case that “whether plaintiffs would be harmed depended on the decision of the unknown hackers, who may or may not attempt to misuse

60 In re Adobe Systems, Inc. Privacy Litig., 66 F. Supp. 3d 1197, 1214 (N.D. Cal. 2014).
61 In re Adobe Systems, Inc. Privacy Litig., 66 F. Supp. 3d 1197, 1215 (N.D. Cal. 2014).
62 Polanco v. Omnicell, Inc., 988 F. Supp. 2d 451, 456 (D.N.J. 2013).
63 Strautins v. Trustwave Holdings, Inc., 27 F. Supp. 3d 871 (N.D. Ill. 2014).
64 In re Barnes & Noble Pin Pad Litig., No. 12 C 8617, 2013 WL 4759588, at *4 (N.D. Ill. Sept. 3, 2013).
65 Galaria v. Nationwide Mut. Ins. Co., 998 F. Supp. 2d 646 (S.D. Ohio 2014).

the stolen information.”66 Judge Koh characterized this reasoning as unpersuasive and declined to follow it, asking rhetorically, “why would hackers target and steal personal customer data if not to misuse it?....”67 Regardless, she wrote, Galaria’s reasoning lacked force in Adobe, where plaintiffs alleged that some of the stolen data already had been misused. In a footnote, Judge Koh further noted that “requiring Plaintiffs to wait for the threatened harm to materialize in order to sue would pose a standing problem of its own, because the more time that passes between a data breach and an instance of identity theft, the more latitude a defendant has to argue that the identity theft is not ‘fairly traceable’ to the defendant's data breach.”68

Judge Koh's analysis proved influential in Remijas v. Neiman Marcus Group, LLC,69 in which the Seventh Circuit, in an opinion written by Chief Judge Wood, reversed the district court, holding that the plaintiffs in that case plausibly alleged standing. The security breach at issue in that case was the same one that had affected Target in late 2013. On January 10, 2014, Neiman Marcus announced that a cyberattack had occurred between July 16, 2013 and October 30, 2013, exposing approximately 350,000 credit cards. The district court had dismissed plaintiffs' claim as too speculative. On appeal, the Seventh Circuit panel emphasized that the personal data of all putative class members had been stolen and 9,200 people had already incurred fraudulent charges. Although these people had been reimbursed for the charges, the appellate panel emphasized that there were “identifiable costs associated with the process of sorting things out.”70 Relying on Adobe and Judge Koh's interpretation of Clapper, the Seventh Circuit held that it was plausible to infer

66 In re Adobe Systems, Inc. Privacy Litig., 66 F. Supp. 3d 1197, 1216 (N.D. Cal. 2014).
67 In re Adobe Systems, Inc. Privacy Litig., 66 F. Supp. 3d 1197, 1216 (N.D. Cal. 2014).
68 In re Adobe Systems, Inc. Privacy Litig., 66 F. Supp. 3d 1197, 1215 n.5 (N.D. Cal. 2014).
69 Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688 (7th Cir. 2015).
70 Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688, 692 (7th Cir. 2015).

that the plaintiffs had shown a substantial risk of harm from the data breach. The panel surmised that hackers would not break into a store's database and steal personal information if they did not actually intend to make use of it “sooner or later ....”71 In addition to future injuries, the appellate panel credited plaintiffs' assertion that they had already lost time and money protecting themselves against future identity theft. Citing Clapper, the panel acknowledged that mitigation expenses do not qualify as actual injuries when the harm is not imminent, but unlike in Clapper, where the alleged harm was speculative, in Remijas, the panel explained, the threat was more imminent. In this regard, the fact that Neiman Marcus had offered a year of free credit monitoring services to plaintiffs was viewed by the Seventh Circuit panel as evidence that the threat of future harm was real and the cost of identity theft protection (even though borne by Neiman Marcus) was “more than de minimis.”72

Ironically, credit monitoring services are often provided by companies that have experienced a security breach as a litigation tactic to minimize the risk that putative class members would be able to establish standing through mitigation expenses, or to build consumer goodwill in the face of a breach, or as required under state law.73 The court's assumption that a company's voluntary provision of credit monitoring services evidences the severity of the breach for purposes of Article III standing is simply unjustified.

Remijas is consistent with pre-Clapper Seventh Circuit case law but had a significant impact when the case was decided because it was the first data breach standing case decided by a Circuit Court since Clapper. While the Seventh Circuit broadly recognized that even people who have not been victims of identity theft may have standing where a breach, by its nature, suggests that the

71 Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688, 693 (7th Cir. 2015). It is not clear that this assumption is correct. When credit card information is stolen it is most valuable initially before consumers and their credit card companies cancel the accounts and issue new cards.
72 Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688, 693-94 (7th Cir. 2015).
73 See infra § 27.08[9] (discussing identity theft mitigation and prevention services, including credit monitoring, in connection with compliance with state security breach notification laws).

plaintiffs were targeted for their information, or that it was likely to be used, the appellate panel declined to address two of the plaintiffs' more aggressive theories of standing. Plaintiffs had argued that their actual expenditures with Neiman Marcus included a portion of money that should have been dedicated to securing their information and, because it was not, represented a premium to the company that amounted to a loss to the putative class. The plaintiffs also argued that their personal information has resale value and that by virtue of the security breach that value has been diminished, which the panel characterized as “some form of unjust enrichment ....”74

In an earlier case, In re Target Corp. Data Security Breach Litigation,75 Judge Paul A. Magnuson of the District of Minnesota found standing in a case that at that time represented one of the largest data security breaches in U.S. history. Judge Magnuson held that plaintiffs who alleged that they incurred unlawful charges or faced restricted or blocked access to their bank accounts, along with an inability to pay other bills and charges for late payments or new cards, had standing to sue. He also ruled that some of the plaintiffs stated claims under various state consumer protection laws by alleging that Target (1) failed to maintain adequate computer systems and data security practices, (2) failed to disclose the material fact that it did not have adequate computer systems and safeguards to adequately protect consumers' personal and financial information, (3) failed to provide timely and adequate notice to plaintiffs of the breach, and (4) continued to accept plaintiffs' credit and debit cards for payments after Target knew or should have known of the data breach, but before it purged its systems of the hackers' malware. The court also allowed some plaintiffs to proceed to seek remedies available under state security breach notification laws,76 to the extent available, while dismissing negligence claims under the laws of a number of states based on the economic loss rule. Judge Magnuson rejected plaintiffs' theory of unjust enrichment premised on the argument that every price of goods or services offered by Target included a

74 Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688, 695 (7th Cir. 2015).
75 In re Target Corp. Data Security Breach Litigation, 66 F. Supp. 3d 1154 (D. Minn. 2014).
76 See infra § 27.08 (analyzing state security breach notification laws and remedies afforded for private causes of action, if any).

premium for adequate security, to which class members were entitled. He did allow plaintiffs to proceed, however, with their claim for unjust enrichment premised on the theory that they would not have shopped at Target had they known the true state of Target's readiness for a potential security breach. The Target suit ultimately settled.77

As an example of the more typical analysis undertaken since Clapper, in In re SAIC Corp.,78 the U.S. District Court for the District of Columbia held the risk of identity theft alone and invasion of privacy to be insufficient to constitute “injury in fact,” and the allegation that plaintiffs lost personal medical information to be too speculative in a security breach involving 4.7 million members of the U.S. military and their families. The court held that mere allegations that unauthorized charges were made to plaintiffs' credit and debit cards following the theft of data failed to show causation, but allegations that a specific plaintiff received letters in the mail from a credit card company thanking him for applying for a loan were sufficient. Similarly, the court held that the allegation that a plaintiff received a number of unsolicited calls from telemarketers and scam artists following the data breach did not suffice to show causation, but the allegation that unsolicited telephone calls were received on a plaintiff's unlisted number from insurance companies and others targeted at her specific, undisclosed medical condition were sufficient.79 In so ruling, Judge James E. Boasberg, Jr. held that the increased risk of harm alone does not confer standing; “as Clapper makes clear, . . . [t]he degree by which the risk of harm has increased is irrelevant – instead, the question is whether the harm is certainly impending.”80 He explained:

Here, the relevant harm alleged is identity theft. A handful of Plaintiffs claim that they have suffered actual identity theft, and those Plaintiffs have clearly suffered an injury. At least twenty-four, however, allege only a risk of identity theft . . . .

77 See In re Target Corp. Customer Data Security Breach Litigation, — F.R.D. —, 2015 WL 5432115 (D. Minn. 2015) (providing preliminary approval of a class action settlement).
78 In re SAIC Corp., — F. Supp. 3d —, 2014 WL 1858458 (D.D.C. 2014).
79 In re SAIC Corp., — F. Supp. 3d —, 2014 WL 1858458 (D.D.C. 2014).
80 In re SAIC Corp., — F. Supp. 3d —, 2014 WL 1858458, at *6 (D.D.C. 2014).


At this point, the likelihood that any individual Plaintiff will suffer harm remains entirely speculative. For identity theft to occur . . . the following chain of events would have to transpire: First, the thief would have to recognize the tapes for what they were, instead of merely a minor addition to the GPS and stereo haul. Data tapes, after all, are not something an average computer user often encounters. The reader, for example, may not even be aware that some companies still use tapes—as opposed to hard drives, servers, or even CDs—to back up their data . . . . Then, the criminal would have to find a tape reader and attach it to her computer. Next, she would need to acquire software to upload the data from the tapes onto a computer—otherwise, tapes have to be slowly spooled through like cassettes for data to be read . . . . After that, portions of the data that are encrypted would have to be deciphered. See Compl., ¶ 95 (“a portion of the PII/PHI on the data tapes was encrypted”). Once the data was fully unencrypted, the crook would need to acquire a familiarity with TRICARE's database format, which might require another round of special software. Finally, the larcenist would have to either misuse a particular Plaintiff's name and social security number (out of 4.7 million TRICARE customers) or sell that Plaintiff's data to a willing buyer who would then abuse it.81

Judge Boasberg acknowledged that his ruling was, “no doubt, cold comfort to the millions of servicemen and women who must wait and watch their credit reports until something untoward occurs. After all, it is reasonable to fear the worst in the wake of such a theft, and it is understandably frustrating to know that the safety of your most personal information could be in danger.”82 He explained, however, that the Supreme Court “held that an ‘objectively reasonable likelihood’ of harm is not enough to create standing, even if it is enough to engender some anxiety . . . . Plaintiffs thus do not have standing based on risk alone, even if their fears are rational.”83 Judge Boasberg noted that the Supreme Court in Clapper acknowledged “that it sometimes ‘found standing based on a ‘substantial risk’ that . . . harm will occur, which [could] prompt plaintiffs to reasonably incur costs to mitigate or

81 In re SAIC Corp., — F. Supp. 3d —, 2014 WL 1858458 (D.D.C. 2014).
82 In re SAIC Corp., — F. Supp. 3d —, 2014 WL 1858458, at *7 (D.D.C. 2014).
83 In re SAIC Corp., — F. Supp. 3d —, 2014 WL 1858458, at *7 (D.D.C. 2014), quoting Clapper, 133 S. Ct. at 1147–48.

avoid the harm.’ ”84 In SAIC, however, the fact that breach victims had a 19% risk of experiencing identity theft meant that injury was likely not imminent for more than 80% of the victims (and the court suggested the actual number could be much higher “where the theft was unsophisticated and where the lack of widespread harm suggests that the tapes have not ever been accessed.”).85 The Court in SAIC also distinguished pre-Clapper court opinions that allowed cases to move forward “where some sort of fraud had already taken place.”86 By contrast, SAIC involved “a low-tech, garden-variety” breach where two individuals alleged personalized injuries but there were no facts that “plausibly point[ed] to imminent, widespread harm” and where it remained likely that no one had accessed the personal information stored on the stolen tapes. Moreover, Judge Boasberg explained, the fact that two plaintiffs (Curtis and Yarde) could assert plausible claims does not lead to the conclusion that wide-scale disclosure and misuse of all 4.7 million TRICARE customers’ data is plausibly “certainly impending.”87 After all, as previously noted, roughly 3.3% of Americans will experience identity theft of some form, regardless of the source . . . . So one would expect 3.3% of TRICARE's customers to experience some type of identity theft, even if the tapes were never read or misused. To quantify that percentage, of the 4.7 million customers whose data was on the tapes, one would expect around 155,100 of them to experience identity fraud simply by virtue of living in America and engaging in commerce, even if the tapes had not been lost. Here, only six Plaintiffs allege some form of identity theft, and out of those six only Curtis offers any

84 In re SAIC Corp., — F. Supp. 3d —, 2014 WL 1858458, at *7 (D.D.C. 2014), quoting Clapper, 133 S. Ct. at 1150 n.5 (emphasis added by Judge Boasberg).
85 In re SAIC Corp., — F. Supp. 3d —, 2014 WL 1858458, at *7 (D.D.C. 2014).
86 In re SAIC Corp., — F. Supp. 3d —, 2014 WL 1858458, at *13 (D.D.C. 2014) (discussing Anderson v. Hannaford Brothers, 659 F.3d 151, 162–67 (1st Cir. 2011), where the First Circuit declined to question the plaintiffs' standing where 1,800 instances of credit- and debit-card fraud had already occurred and had been clearly linked to the data breach, and Pisciotta v. Old National Bancorp., 499 F.3d 629, 632 (7th Cir. 2007), where “the court allowed plaintiffs to proceed where ‘the scope and manner of access suggest[ed] that the intrusion was sophisticated, intentional and malicious,’ and thus that the potential for harm was indeed substantial.”).
87 Clapper, 133 S. Ct. at 1147.


plausible link to the tapes. And Yarde is the only other Plaintiff—out of a population of 4.7 million—who has offered any evidence that someone may have accessed her medical or personal information . . . . Given those numbers, it would be entirely implausible to assume that a massive identity-theft scheme is currently in progress or is certainly impending. Indeed, given that thirty-four months have elapsed, either the malefactors are extraordinarily patient or no mining of the tapes has occurred.88

Standing also proved elusive (or largely elusive) in a number of other security breach cases based on common law remedies, that were brought in various locations around the country.89 In a small percentage of cases, security breach claims may be brought under federal statutes.90 If so, courts in some circuits will find standing where a plaintiff can state all of the elements of a claim for relief under a federal statute, even if the plaintiff cannot show any demonstrable injury or harm. In other circuits, however, even this more relaxed approach to standing under federal statutes will not hold.

88 In re SAIC Corp., — F. Supp. 3d —, 2014 WL 1858458, at *13–14 (D.D.C. 2014).
89 See, e.g., Austin-Spearman v. AARP, — F. Supp. 3d —, 2015 WL 4555098 (D.D.C. 2015) (holding that plaintiffs did not sustain an injury in fact resulting from their information having been shared where the defendant's privacy policy permitted the disclosure and, even if it had not, the plaintiff experienced no economic injury); In re Zappos.com, Inc., — F. Supp. 3d —, 2015 WL 3466943 (D. Nev. June 1, 2015) (holding that devaluation of consumers' personal information, increased threat of identity theft and fraud and the purchase of credit monitoring services did not constitute injuries-in-fact); Green v. eBay, Inc., Civil No. 14–1688, 2015 WL 2066531 (E.D. La. May 4, 2015) (dismissing claim for lack of standing); In re Horizon Healthcare Data Breach, Civil Action No. 13-7418 (CCC), 2015 WL 1472483 (D.N.J. Mar. 31, 2015) (dismissing plaintiffs' claims arising out of the theft of laptops that contained personal information, for lack of standing); Storm v. Paytime, Inc., 90 F. Supp. 359 (M.D. Pa. 2015) (holding that employees lacked standing to sue over a cyber-attack, that incurring costs to take certain precautions following the breach was not an injury in fact, and that the attack was not an invasion of privacy); Peters v. St. Joseph Services Corp., 74 F. Supp. 3d 847 (S.D. Tex. 2015) (holding that the increased risk of future identity theft or fraud was not a cognizable Article III injury and that even actual identity theft or fraud did not create standing where there was no injury). But see Enslin v. Coca-Cola Co., No. 2:14-cv-06476, 2015 WL 5729241 (E.D. Pa. Sept. 30, 2015) (holding that the plaintiff had standing to pursue claims resulting from the theft or loss of a laptop containing his personal information).
90 By comparison, data privacy cases frequently are brought under federal statutes. See generally supra § 26.15.


Courts in the Sixth, Eighth and Ninth Circuits will find standing where a plaintiff can state a claim for violation of a statute that does not require a showing of actual harm.91 Courts in the Ninth Circuit have construed this rule, first articulated in Edwards v. First American Corp.,92 as requiring that even where a plaintiff states a claim under a federal statute that does not require a showing of damage, plaintiffs must allege facts to “show that the claimed statutory injury is particularized as to them.”93 The Fourth and Federal Circuits, however, do not accept the proposition that alleging an injury-in-law by stating a claim and establishing statutory standing to sue satisfies the constitutional standing requirements of Article III.94

91 See Beaudry v. TeleCheck Services, Inc., 579 F.3d 702, 707 (6th Cir. 2009) (finding “no Article III (or prudential) standing problem arises . . .” where a plaintiff can allege all of the elements of a Fair Credit Reporting Act statutory claim); Hammer v. Sam's East, Inc., 754 F.3d 492, 498–500 (8th Cir. 2014) (holding that plaintiffs established Article III standing by alleging facts sufficient to state a claim under the Fair and Accurate Credit Transactions Act and therefore did not separately need to show actual damage); Robins v. Spokeo, Inc., 742 F.3d 409, 412–14 (9th Cir. 2014) (holding, in a case in which the plaintiff alleged that the defendant’s website published inaccurate information about him, that because the plaintiff had stated a claim for a willful violation of the Fair Credit Reporting Act, for which actual harm need not be shown, the plaintiff had established Article III standing, where injury was premised on the alleged violation of plaintiff’s statutory rights); Edwards v. First American Corp., 610 F.3d 514 (9th Cir. 2010), cert. dismissed, 132 S. Ct. 2536 (2012); supra § 26.15.
92 Edwards v. First American Corp., 610 F.3d 514 (9th Cir. 2010), cert. dismissed, 132 S. Ct. 2536 (2012).
93 Mendoza v. Microsoft, Inc., No. C14-316-MJP, 2014 WL 4540213 (W.D. Wash. Sept. 11, 2014) (dismissing plaintiffs' claims under the Video Privacy Protection Act, California Customer Records Act, California Unfair Competition Law and Texas Deceptive Trade Practices Act), citing Jewel v. National Security Agency, 673 F.3d 902, 908 (9th Cir. 2011); see also Low v. LinkedIn Corp., 900 F. Supp. 2d 1010, 1021 (N.D. Cal. 2012) (following Edwards and Jewel in finding standing in a data privacy case); see generally supra § 26.15.
94 See David v. Alphin, 704 F.3d 321, 333, 338–39 (4th Cir. 2013) (holding that statutory standing alone is insufficient to confer Article III standing; affirming dismissal of an ERISA claim where the plaintiffs stated a claim but could not establish injury-in-fact); Consumer Watchdog v. Wisconsin Alumni Research Foundation, 753 F.3d 1258, 1262 (Fed. Cir. 2014) (holding that a consumer group lacked standing to challenge an administrative ruling, explaining that “ ‘Congress may enact statutes creating legal rights, the invasion of which creates standing, even though


The current split of authority over whether standing may be established by stating the elements of a statutory claim even where there is no economic injury may be resolved in 2016, when the U.S. Supreme Court decides Robins v. Spokeo, Inc.95 Most consumer security breach putative class action suits, as previously noted, are brought under contract, quasi-contract or other state law theories of recovery. Accordingly, relaxed standards for standing in federal question cases will not apply in many cases. Even where standing is established, security breach claims based on potential future harm have proven difficult to maintain in the absence of any injury in either state96 or federal appellate97 and district98 courts.

no injury would exist without the statute.’ ” Linda R.S. v. Richard D., 410 U.S. 614, 617 n.3 (1973) (citations omitted). That principle, however, does not simply override the requirement of injury in fact.”).
95 See Robins v. Spokeo, Inc., 742 F.3d 409, 412-14 (9th Cir. 2014), cert. granted, 135 S. Ct. 1892 (2015).
96 See, e.g., Randolph v. ING Life Ins. & Annuity Co., 973 A.2d 702, 708–11 (D.C. 2009) (dismissing claims by participants against a plan administrator for negligence, gross negligence and breach of fiduciary duty because participants did not suffer any actual harm as a result of the theft of a laptop computer, and for invasion of privacy because plaintiff's allegation that defendants failed to implement adequate safeguards did not support a claim for intentional misconduct); Cumis Ins. Soc'y, Inc. v. BJ's Wholesale Club, Inc., 455 Mass. 458, 918 N.E.2d 36 (Mass. 2009) (affirming dismissal of contract and negligence claims and summary judgment on the remaining of the issuing credit unions' claims against a retailer that had improperly stored data from individual credit cards in a manner that allowed thieves to access the data, and against the retailer's acquiring bank that processed the credit card transactions, where the credit unions were not third-party beneficiaries to the agreements between the retailer and acquiring bank, plaintiffs' negligence claims were barred by the economic loss doctrine, the retailer made no fraudulent representations and the credit unions could not have reasonably relied on any negligent misrepresentations); Paul v. Providence Health System–Oregon, 351 Or. 587, 273 P.3d 106, 110–11 (Or. 2012) (affirming dismissal of claims for negligence and a violation of Oregon's Unlawful Trade Practices Act (UTPA) in a putative class action suit arising out of the theft from a health care provider's employee's car of digital records containing patients' personal information where credit monitoring costs, as incurred by patients to protect against the risk of future economic harm in form of identity theft, were not recoverable from the provider as economic damages; patients could not recover damages for negligent infliction of emotional distress based on future risk of identity theft, even if provider owed a duty based on physician-patient relationship to protect patients from such emotional distress; and credit monitoring costs were not a compensable loss under UTPA).


While a company may have a contractual claim against a

97 See, e.g., Katz v. Pershing, LLC, 672 F.3d 64 (1st Cir. 2012) (affirming dismissal of a brokerage accountholder's putative class action suit alleging that the clearing broker charged fees passed along to accountholders for protecting electronically stored non-public personal information that in fact was vulnerable to unauthorized access, because the accountholder was not a third party beneficiary of the data confidentiality provision of the clearing broker's contract with its customers, the disclosure statement that the broker sent to accountholders did not support a claim for implied contract in the absence of consideration and plaintiff could not state a claim for negligence in the absence of causation and harm, in addition to holding that the plaintiff did not have Article III standing to allege claims for unfair competition and failure to provide notice under Massachusetts law); In re TJX Cos. Retail Security Breach Litig., 564 F.3d 489 (1st Cir. 2009) (affirming, in a security breach case arising out of a hacker attack, dismissal of plaintiffs' (1) negligence claim based on the economic loss doctrine (which holds that purely economic losses are unrecoverable in tort and strict liability actions in the absence of personal injury or property damage) and rejecting the argument that plaintiffs had a property interest in payment card information, which the security breach rendered worthless, because the loss at issue was not the result of physical destruction of property; and (2) breach of contract claim, because plaintiffs were not intended beneficiaries of the contractual security obligations imposed on defendant Fifth Third Bank by VISA and MasterCard; but reversing the lower court's dismissal of plaintiff's unfair competition claim and affirming the lower court's order denying defendant's motion to dismiss plaintiff's negligent misrepresentation claim, albeit with significant skepticism that the claim ultimately would survive); Sovereign Bank v. BJ's Wholesale Club, Inc., 533 F.3d 162 (3d Cir. 2008) (dismissing the issuer bank's negligence claim against a merchant bank for loss resulting from a security breach based on the economic loss doctrine, and the bank's claim for indemnification, in a suit brought to recover the costs incurred to issue new cards and reimburse cardholders for unauthorized charges to their accounts; and reversing summary judgment for the defendant because of a material factual dispute over whether Visa intended to give Sovereign Bank the benefit of Fifth Third Bank's promise to Visa to ensure that merchants, including BJs, complied with provisions of the Visa-Fifth Third Member Agreement prohibiting merchants from retaining certain credit card information); Stollenwerk v. Tri–West Health Care Alliance, 254 F. App'x 664, 666–68 (9th Cir. 2007) (affirming summary judgment on claims for damages for credit monitoring services under Arizona law entered against two plaintiffs whose names, addresses and Social Security numbers were stored on defendant's stolen computer servers but who “produced evidence of neither significant exposure of their information nor a significantly increased risk that they will be harmed by its misuse” and reversing summary judgment granted against a third plaintiff who had presented evidence showing a causal relationship between the theft of data and instances of identity theft).
98 See, e.g., Moyer v. Michael's Stores, Inc., No. 14 C 561, 2014 WL 3511500 (N.D. Ill. July 14, 2014) (dismissing claims for breach of implied contract and state consumer fraud statutes based on Michael's alleged


failure to secure their credit and debit card information during in-store transactions); Galaria v. Nationwide Mut. Ins. Co., 998 F. Supp. 2d 646, 661–63 (S.D. Ohio 2014) (dismissing plaintiff's invasion of privacy claim under Ohio law); In re Sony Gaming Networks and Customer Data Security Breach Litigation, 996 F. Supp. 2d 942, 963–1014 (S.D. Cal. 2014) (dismissing Fair Credit Reporting Act, negligence (based on a duty to timely disclose the intrusion and duty to provide reasonable security), negligent misrepresentation/omission, breach of implied warranty (as disclaimed by Sony's user agreements), unjust enrichment and claims under the New York Deceptive Practices Act, Ohio and Texas law and for damages (but not injunctive and declaratory relief under) the Michigan Consumer Protection Act); In re Sony Gaming Networks and Customer Data Security Breach Litigation, 903 F. Supp. 2d 942 (S.D. Cal. 2012) (dismissing plaintiffs' negligence claims under the economic loss rule and as barred by a provision of California's “Shine the Light” law and dismissing plaintiffs' claim for bailment because personal information could not be construed as property that was somehow “delivered” to Sony and expected to be returned, and because the information was stolen as a result of a criminal security breach); Holmes v. Countrywide Financial Corp., No. 5:08-CV-00205-R, 2012 WL 2873892 (W.D. Ky. July 12, 2012) (holding that plaintiffs had standing to maintain suit over the theft of sensitive personal and financial customer data by a Countrywide employee but dismissing claims for lack of injury in a “risk-of-identity-theft” case because “an increased threat of an injury that may never materialize cannot satisfy the injury requirement” under Kentucky or New Jersey law and credit monitoring services and “the annoyance of unwanted telephone calls” and telephone cancellation fees were not compensable; dismissing claims for unjust enrichment (where no benefit was conferred on Countrywide by the breach), common law fraud (where no damages were incurred in reliance on Countrywide), breach of contract (because of the absence of direct financial harm), alleged security breach notification, consumer fraud and Fair Credit Reporting Act violations and civil conspiracy); In re Heartland Payment Systems, Inc. Customer Data Security Breach Litig., M.D.L. No. 09-2146, Civil Action No. H-10-171, 2012 WL 896256 (S.D. Tex. Mar. 14, 2012) (dismissing with prejudice plaintiffs' breach of contract claim where the financial institution plaintiffs could not allege that they were intended beneficiaries of Heartland's third party contracts containing confidentiality provisions and dismissing with prejudice plaintiffs' breach of fiduciary duty claim because of the absence of any joint venture relationship); Worix v. MedAssets, Inc., 857 F. Supp. 2d 699 (N.D. Ill. 2012) (dismissing without prejudice claims for common law negligence and negligence per se and violations of the Illinois Consumer Fraud Act brought in a putative class action suit against a company that stored personal health information, where plaintiff alleged that the company failed to implement adequate safeguards to protect plaintiff's information and notify him properly when a computer hard drive containing that information was stolen, because the costs associated with the increased risk of identity theft are not legally cognizable under Illinois law); In re Heartland Payment Systems, Inc. Customer Data Security Breach Litig., 834 F. Supp. 2d 566 (S.D. Tex. 2011) (dismissing the financial institution plaintiffs' claims for: (1) breach of contract and breach

Pub. 12/2015 27-133 27.07 E-Commerce and Internet Law

of implied contract, with leave to amend, but only to the extent plaintiffs could assert in good faith that they were third party beneficiaries of agreements with Heartland and that those agreements did not contain damage limitation provisions that waived claims for indirect, special, exemplary, incidental or consequential damages and limited Heartland's liability to correct any data in which errors had been caused by Heartland; (2) negligence, with prejudice, based on the economic loss doctrine; (3) misrepresentation, with leave to amend to address factually concrete and verifiable statements, rather than mere puffery, made prior to, rather than after the security breach, to the extent relied upon by plaintiffs; (4) implied contract, with prejudice, because “it is unreasonable to rely on a representation when . . . a financial arrangement exists to provide compensation if circumstances later prove the representation false”; (5) misrepresentation based on a theory of nondisclosure, with leave to amend, but only for verifiable factual statements that were actionable misrepresentations, and on which plaintiffs relied; and (6) unfair competition claims asserted under the laws of 23 states, with leave to amend under California, Colorado, Illinois and Texas law (and denying defendant's motion to dismiss plaintiffs' claim under the Florida Deceptive and Unfair Trade Practices Act)), rev'd in part sub nom. Lone Star National Bank, N.A. v. Heartland Payment Systems, Inc., 729 F.3d 421 (5th Cir. 2013) (holding that the economic loss doctrine did not bar issuer banks' negligence claims under New Jersey law and does not bar tort recovery in every case where the plaintiff suffers economic harm without any attendant physical harm because (1) the Issuer Banks constituted an “identifiable class,” Heartland had reason to foresee that the Issuer Banks would be the entities to suffer economic losses were Heartland negligent, and Heartland would not be exposed to “boundless liability,” but rather to the reasonable amount of loss from a limited number of entities; and (2) in the absence of a tort remedy, the Issuer Banks would be left with no remedy for Heartland's alleged negligence, defying “notions of fairness, common sense and morality”); In re Michaels Stores Pin Pad Litig., 830 F. Supp. 2d 518, 525–32 (N.D. Ill. 2011) (dismissing plaintiffs' negligence and negligence per se claims under the economic loss doctrine which bars tort claims based solely on economic losses; dismissing plaintiffs' Stored Communications Act claim; dismissing plaintiffs' Illinois Consumer Fraud and Deceptive Business Practices Act claim based on deceptive practices because plaintiffs could not identify a specific communication that allegedly failed to disclose that the defendant had allegedly failed to implement adequate security measures, but allowing the claim to the extent based on unfair practices in allegedly failing to comply with Visa's Global Mandate and PCI Security requirements and actual losses in the form of unauthorized bank account withdrawals, not merely an increased risk of future identity theft and costs of credit monitoring services, which do not satisfy the injury requirement; and denying plaintiffs' motion to dismiss claims under the Illinois Personal Information Protection Act (based on the alleged failure to provide timely notice of the security breach) and for breach of implied contract); In re Heartland Payment Systems, Inc. Customer Data Security Breach Litig., M.D.L. No. 09-2146, Civil Action No. H-10-171, 2011 WL 1232352 (S.D. Tex. Mar. 31, 2011) (dismissing with prejudice financial institution plaintiffs' claims against credit card

27-134 Internet, Network and Data Security 27.07

processor defendants for negligence, based on the economic loss doctrine, and dismissing without prejudice claims for breach of contract (alleging third party beneficiary status), breach of fiduciary duty and vicarious liability); Hammond v. Bank of N.Y. Mellon Corp., No. 08–6060, 2010 WL 2643307, at *4, *7 (S.D.N.Y. June 25, 2010) (finding no standing and, in the alternative, granting summary judgment on plaintiff's claims for negligence, breach of fiduciary duty, implied contract (based on the absence of any direct relationship between the individuals whose data was released and the defendant) and state consumer protection violations based on, among other things, the absence of any injury, in a case where a company owned by the defendant allegedly lost computer backup tapes that contained the payment card data of 12.5 million people); Ruiz v. Gap, Inc., 622 F. Supp. 2d 908 (N.D. Cal. 2009) (holding that a job applicant whose personal information had been stored on a laptop of the defendant's that had been stolen had standing to sue but granting summary judgment for the defendant where the risk of future identity theft did not rise to the level of harm necessary to support plaintiff's negligence claim, which under California law must be appreciable, non-speculative, and present; breach of contract claim, which requires a showing of appreciable and actual harm; unfair competition claim, where an actual loss of money or property must be shown; or claim for invasion of privacy under the California constitution, which may not be premised on the mere risk of an invasion or accidental or negligent conduct by a defendant), aff'd mem., 380 F. App'x 689 (9th Cir. 2010); Cherny v. Emigrant Bank, 604 F. Supp. 2d 605 (S.D.N.Y. 2009) (dismissing plaintiff's negligent misrepresentation claim under the economic loss doctrine and dismissing claims for violations of N.Y. Gen. Bus. L.
§ 349, breach of fiduciary duty and breach of contract for the alleged disclosure of plaintiff's email address and the potential dissemination of certain personal information from his bank account with the defendant bank for failure to plead actual injury or damages because “the release of potentially sensitive information alone, without evidence of misuse, is insufficient to cause damage to a plaintiff . . . , the risk of some undefined future harm is too speculative to constitute a compensable injury” and the receipt of spam by itself does not constitute a sufficient injury); Pinero v. Jackson Hewitt Tax Service Inc., 594 F. Supp. 2d 710 (E.D. La. 2009) (holding that the mere possibility that personal information was at increased risk did not constitute an actual injury sufficient to state claims for fraud, breach of contract (based on emotional harm), negligence, or a violation of the Louisiana Database Security Breach Notification Law (because disposal of tax records in paper form in a public dumpster, which were not burned, shredded or pulverized, did not involve computerized data) but holding that the plaintiff had stated a claim for invasion of privacy and had alleged sufficient harm to state a claim under the Louisiana Unfair Trade Practices Act (but had not alleged sufficient particularity to state a claim under that statute)); McLoughlin v. People's United Bank, Inc., No. Civ A 308CV-00944 VLB, 2009 WL 2843269 (D. Conn. Aug 31, 2009) (dismissing plaintiff's claims for negligence and breach of fiduciary duty); Caudle v. Towers, Perrin, Forster & Crosby, Inc., 580 F. Supp. 2d 273 (S.D.N.Y. 2008) (holding that plaintiff had standing to sue his employer's pension consultant, seeking to recover the costs of multi-year credit monitoring and identity theft insurance, following the theft of a laptop containing his personal information from the consultant's office, and denying defendant's motion to dismiss his breach of contract claim premised on being a third party beneficiary of a contract between his employer and the consultant, but dismissing claims for negligence and breach of fiduciary duty under New York law because the plaintiff lacked a basis for a serious concern over the misuse of his personal information and New York would not likely recognize mitigation costs as damages without a rational basis for plaintiffs' fear of misuse of personal information); Melancon v. Louisiana Office of Student Fin. Assistance, 567 F. Supp. 2d 873 (E.D. La. 2008) (granting summary judgment for Iron Mountain in a security breach putative class action suit arising out of the loss of backup data from an Iron Mountain truck because the mere possibility that personal student financial aid information may have been at increased risk did not constitute an actual injury sufficient to maintain a claim for negligence); Shafran v. Harley–Davidson, Inc., No. 07 C 1365, 2008 WL 763177 (S.D.N.Y. Mar. 24, 2008) (dismissing claims for negligence, breach of warranty, unjust enrichment, breach of fiduciary duty, violation of N.Y. Gen. Bus. Law § 349, violation of N.Y. Gen. Bus. Laws §§ 350, 350-a and 350e, fraudulent misrepresentation, negligent misrepresentation, prima facie tort, and breach of contract, in a putative class action suit based on the loss of personal information of 60,000 Harley Davidson owners whose information had been stored on a lost laptop, because under New York law, the time and money that could be spent to guard against identity theft does not constitute an existing compensable injury; noting that “[c]ourts have uniformly ruled that the time and expense of credit monitoring to combat an increased risk of future identity theft is not, in itself, an injury that the law is prepared to remedy.”); Ponder v. Pfizer, Inc., 522 F. Supp. 2d 793, 797–98 (M.D. La. 2007) (dismissing a putative class action suit alleging that a nine week delay in providing notice that personal information on 17,000 current and former employees had been compromised when an employee installed file sharing software on his company-issued laptop violated Louisiana's Database Security Breach Notification Law because the plaintiff could only allege emotional harm in the form of fear and apprehension of fraud, loss of money and identity theft, but no “actual damage” within the meaning of Louisiana law); Hendricks v. DSW Shoe Warehouse Inc., 444 F. Supp. 2d 775, 783 (W.D. Mich. 2006) (dismissing claims under the Michigan Consumer Protection Act and for breach of contract arising out of a security breach because “[t]here is no existing Michigan statutory or case law authority to support plaintiff's position that the purchase of credit monitoring constitutes either actual damages or a cognizable loss.”); Forbes v. Wells Fargo Bank, N.A., 420 F. Supp. 2d 1018, 1020–21 (D. Minn. 2006) (granting summary judgment for the defendant on plaintiffs' claims for negligence and breach of contract in a security breach case arising out of the theft of a Wells Fargo computer on which their personal information had been stored, where the plaintiffs could not show any present injury or reasonably certain future injury and the court rejected plaintiffs' contention that they had suffered damage as a result of the time and money they had spent to monitor their credit).

third party vendor responsible for a security breach, consumer contracts rarely provide such assurances and

individuals usually are not intended beneficiaries of corporate security contracts with outside vendors.99 Negligence claims likewise typically fail based on the economic loss doctrine, which holds that purely economic losses are unrecoverable in tort and strict liability actions in the absence of personal injury or property damage. Breach of fiduciary duty claims also often fail in the absence of a fiduciary obligation. Breach of contract, breach of implied contract and unfair competition claims likewise may fail where there has been no economic loss. Claims based on delay in providing notification also may fail in the absence of any actual injury proximately caused by the alleged delay.100

State security statutes also may provide defenses. For example, in In re Sony Gaming Networks and Customer Data Security Breach Litigation,101 the court dismissed negligence claims brought by California residents against a company that experienced a security breach because California's security breach notification law, Cal. Civil Code § 1798.84(d) provides that “[u]nless the violation is willful, intentional, or reckless, a business that is alleged to have not provided all the information required by subdivision (a) of Section 1798.83, to have provided inaccurate information, failed to provide any of the information required by subdivision (a) of Section 1798.83, or failed to provide information in the time period required by subdivision (b) of Section 1798.83, may assert as a complete defense in any action in law or equity that it thereafter provided regarding the information that was alleged to be untimely, all the information, or accurate information, to all customers who were provided incomplete or inaccurate information, respectively, within 90 days of the date the business knew that it had failed to provide the information, timely information, all the information, or the accurate information, respectively.”102 The court reasoned that claims by California residents were barred because plaintiff's Complaint only alleged “that Sony either knew or should have known that its security measures were inadequate, and failed to inform Plaintiffs of the breach in a timely fashion, [and] none of Plaintiffs current allegations assert[ed] willful, intentional, or reckless conduct on behalf of Sony.”103

In Sony, among other rulings, the court also dismissed plaintiffs' claim for bailment, holding that personal information could not be construed as property that was somehow “delivered” to Sony and expected to be returned, and because the information was stolen as a result of a criminal intrusion of Sony's Network.104

On the other hand, plaintiffs have had some success getting past motions to dismiss on some state law claims, including state statutory claims, as underscored by the Sony case itself. In a later opinion in Sony, the court allowed California Legal Remedies Act and California statutory unfair competition and false advertising law claims to go forward based on the allegations that Sony misrepresented that it would take “reasonable steps” to secure plaintiff's information and that Sony Online Services used “industry-standard encryption to prevent unauthorized access to sensitive financial information” and allegedly omitted to disclose that it did not have reasonable and adequate safeguards in place to protect consumers' confidential information, allegedly failed to immediately notify California residents that the intrusion had occurred and allegedly omitted material facts regarding the security of its network, including the fact that Sony allegedly failed to install and maintain firewalls and use industry-standard encryption. The court also allowed plaintiff to proceed with claims for declaratory and injunctive relief under the Florida Deceptive and Unfair Trade Practices Act, injunctive and declaratory relief under Michigan law and claims under Missouri and New Hampshire law and allowed claims for injunctive relief under California's security breach notification law, Cal. Civil Code § 1789.84(e) (but not damages under section 1789.84(b)) and partial performance and breach of the implied duty of good faith and fair dealing,105 even as the court dismissed multiple other claims for negligence, negligent misrepresentation/omission, unjust enrichment and state consumer protection laws.

Where a security breach has led to identity theft, unauthorized charges or other injury, a plaintiff will be more likely to be able to state a claim.106 For example, in Anderson

99 See, e.g., Katz v. Pershing, LLC, 672 F.3d 64 (1st Cir. 2012) (holding that an account holder was not a third party beneficiary of a data confidentiality provision of the clearing broker's contract with its customers).

100 See, e.g., In re Adobe Systems, Inc. Privacy Litig., 66 F. Supp. 3d 1197 (N.D. Cal. 2014) (dismissing plaintiffs' claim for alleged delay in providing consumer notice where there was no traceable harm); In re Barnes & Noble Pin Pad Litig., 12-CV-8617, 2013 WL 4759855 (N.D. Ill. Sept. 3, 2013) (rejecting the argument that the delay or inadequacy of breach notification increased plaintiffs' risk of injury).

101 In re Sony Gaming Networks and Customer Data Security Breach Litigation, 903 F. Supp. 2d 942, 973 (S.D. Cal. 2012).

102 In re Sony Gaming Networks and Customer Data Security Breach Litigation, 903 F. Supp. 2d 942, 973 (S.D. Cal. 2012) (quoting the statute); see generally supra § 26.13[6][D] (analyzing the statute).

103 In re Sony Gaming Networks and Customer Data Security Breach Litigation, 903 F. Supp. 2d 942, 973 (S.D. Cal. 2012).

104 In re Sony Gaming Networks and Customer Data Security Breach Litigation, 903 F. Supp. 2d 942, 974–75 (S.D. Cal. 2012).

105 In re Sony Gaming Networks and Customer Data Security Breach Litigation, 996 F. Supp. 2d 942, 985–92 (S.D. Cal. 2014).

106 See, e.g., Anderson v. Hannaford Brothers Co., 659 F.3d 151 (1st Cir. 2011) (reversing dismissal of negligence and implied contract claims in a case where the plaintiffs alleged actual misuse of credit card data from others subject to the breach such that they faced a real risk of identity theft, not merely one that was hypothetical); In re TJX Cos. Retail Security Breach Litig., 564 F.3d 489 (1st Cir. 2009) (reversing the lower court's dismissal of plaintiffs' unfair trade practices claim under Massachusetts law based on a company's lack of security measures and FTC unfairness criteria (supra § 27.06), where the company's conduct allegedly was systematically reckless and aggravated by a failure to give prompt notice when lapses were discovered internally, which allegedly caused widespread and serious harm to other companies and consumers; and affirming the denial of defendant's motion to dismiss plaintiffs' negligent misrepresentation claim arising from the implied representation that the defendant would comply with MasterCard and VISA's security regulations, albeit with significant skepticism about the ultimate merits of that claim, in an opinion that also affirmed the lower court's dismissal of plaintiffs' claims for negligence and breach of contract); Stollenwerk v. Tri–West Health Care Alliance, 254 F. App'x 664, 666–68 (9th Cir. 2007) (reversing summary judgment on claims for damages for credit monitoring services under Arizona law against a plaintiff who had presented evidence showing a causal relationship between the theft of data and instances of identity theft, while affirming summary judgment against two other plaintiffs, all of whose names, addresses and Social Security numbers had been stored on defendant's stolen computer servers); Resnick v. AvMed, Inc., 693 F.3d 1317 (11th Cir. 2012) (holding that victims of identity theft had stated claims for negligence, breach of fiduciary duty, breach of contract, breach of implied contract, and unjust enrichment/restitution, in a suit arising out of the disclosure of sensitive information of 1.2 million current and former AvMed members (including protected health information, Social Security numbers, names, addresses and phone numbers) when two laptops containing unencrypted data were stolen from the company's Gainesville, Florida office); In re Michaels Stores Pin Pad Litig., 830 F. Supp. 2d 518, 525–35 (N.D. Ill. 2011) (following Hannaford in denying defendant's motion to dismiss plaintiffs' claim for breach of an implied contract which obligated the defendant to take reasonable measures to protect plaintiffs' financial information and notify plaintiffs of a security breach within a reasonable amount of time, in a putative class

v. Hannaford Brothers Co.,107 the First Circuit affirmed dismissal of claims for breach of fiduciary duty, breach of implied warranty, strict liability, failure to notify customers of a data breach and unfair competition, but reversed dismissal of negligence and implied contract claims brought by customers of a national grocery chain whose credit card information was taken, and in some cases used for unauthorized charges, when hackers gained access to up to 4.2 million credit and debit card numbers, expiration dates and security codes (but not customer names) between December 7, 2007 and March 10, 2008. The court held that a jury could reasonably find an implied contract between Hannaford and its customers that Hannaford would not use credit card data “for other people's purchases, would not sell the data to others, and would take reasonable measures to protect the information.”108 The court explained that:

When a customer uses a credit card in a commercial transaction, she intends to provide that data to the merchant only. Ordinarily, a customer does not expect—and certainly does not intend—the merchant to allow unauthorized third-parties to access that data. A jury could reasonably conclude, therefore, that an implicit agreement to safeguard the data is necessary to effectuate the contract.109

With respect to plaintiffs' negligence and implied contract claims, the First Circuit distinguished between those claims that sought to recover mitigation costs and those that did not. Holding that Maine law allowed recovery of reasonably foreseeable damages, including the costs and harms incurred during a reasonable effort to mitigate (as judged at the time the decision to mitigate was made), the court held that a jury could find that the purchase of identity theft insurance and the cost for replacement credit cards was reasonable.110 The appellate panel emphasized that this case involved “a large-scale criminal operation conducted over three months and the deliberate taking of credit and debit card information by sophisticated thieves intending to use the information to their financial advantage.”111 Unlike cases based on inadvertently misplaced or lost data, Anderson v. Hannaford Brothers Co. involved actual misuse by thieves with apparent expertise who used the data they stole to run up thousands of improper charges across the globe such that “card owners were not merely exposed to a hypothetical risk, but to a real risk of misuse.”112 The court noted that the fact that many banks and credit card issuers immediately

action suit arising out of a security breach based on skimming credit card information and PIN numbers from PIN pads in defendant's stores; denying defendant's motion to dismiss plaintiffs' claim under the Illinois Personal Information Protection Act for allegedly failing to timely notify affected consumers; denying defendant's motion to dismiss plaintiffs' Illinois Consumer Fraud and Deceptive Business Practices Act claim to the extent based on unfairness in allegedly failing to comply with Visa's Global Mandate and PCI Security requirements and premised on actual losses in the form of unreimbursed bank account withdrawals and fees, but dismissing the claim to the extent based on deceptiveness or merely the increased risk of future identity theft and costs of credit monitoring services or reimbursed withdrawals or fees, which would not satisfy the statute's injury requirement; and dismissing Stored Communications Act, negligence and negligence per se claims); Pinero v. Jackson Hewitt Tax Service Inc., 594 F. Supp. 2d 710 (E.D. La. 2009) (holding that the plaintiff had stated a claim for invasion of privacy but dismissing other claims because the mere possibility that personal information was at increased risk did not constitute an actual injury to support plaintiff's other claims).

107 Anderson v. Hannaford Brothers Co., 659 F.3d 151 (1st Cir. 2011).

108 Anderson v. Hannaford Brothers Co., 659 F.3d 151, 159 (1st Cir. 2011).

109 Anderson v. Hannaford Brothers Co., 659 F.3d 151, 159 (1st Cir. 2011); see also In re Michaels Stores Pin Pad Litig., 830 F. Supp. 2d 518,

531–32 (N.D. Ill. 2011) (following Hannaford in denying defendant's motion to dismiss plaintiffs' claim for breach of an implied contract obligating the defendant to take reasonable measures to protect plaintiffs' financial information and notify plaintiffs of a security breach within a reasonable amount of time, in a putative class action suit arising out of a security breach based on skimming credit card information and PIN numbers from PIN pads in defendant's stores).

110 Anderson v. Hannaford Brothers Co., 659 F.3d 151, 162–65 (1st Cir. 2011).

111 Anderson v. Hannaford Brothers Co., 659 F.3d 151, 164 (1st Cir. 2011).

112 Anderson v. Hannaford Brothers Co., 659 F.3d 151, 164 (1st Cir. 2011). The court noted that most data breach cases involve data that was simply lost or misplaced, rather than stolen, where no known misuse had occurred, and where courts therefore had not allowed recovery of damages, including credit monitoring costs. See id. at 166 n.11. The panel also emphasized that, unlike in Hannaford, even prior cases where thieves actually accessed plaintiffs' data held by defendants—Pisciotta v. Old National Bancorp, 499 F.3d 629 (7th Cir. 2007) (where hackers breached a bank website and stole the personal and financial data of tens of thousands of the bank's customers) and Hendricks v. DSW Shoe Warehouse Inc., 444 F. Supp. 2d 775, 777 (W.D. Mich. 2006) (where hackers accessed “the numbers and names associated with approximately 1,438,281 credit and debit cards and 96,385 checking account numbers and drivers' license numbers” that were on file with a national shoe retailer)—had not involved allegations that any member of the putative class already had been a victim of identity theft as a result of the breach. See Anderson v.

replaced compromised cards with new ones evidenced the reasonableness of replacing cards to mitigate damage, while the fact that other financial institutions did not issue replacement cards did not make it unreasonable for cardholders to take steps on their own to protect themselves.113

On the other hand, the appellate panel agreed with the district court that non-mitigation costs—such as fees for pre-authorization changes, the loss of reward points and the loss of reward point earning opportunities—were not recoverable because their connection to the harm alleged was too attenuated and the charges were incurred as a result of third parties' unpredictable responses to the cancellation of plaintiffs' credit or debit cards.114

In contrast to plaintiffs' negligence and implied contract claims, the First Circuit affirmed dismissal of plaintiffs' unfair competition claim premised on Hannaford's failure to disclose the data theft promptly and possibly a failure to maintain reasonable security.115 The court's holding, however, turned on the narrow nature of Maine's unfair competition law, which has been construed to require a showing that a plaintiff suffered a substantial loss of money or property as a result of an allegedly unlawful act.116

On remand, the lower court denied plaintiffs' motion for class certification, finding that common questions of law and

Hannaford Brothers Co., 659 F.3d 151, 166 (1st Cir. 2011).

113 Anderson v. Hannaford Brothers Co., 659 F.3d 151, 164 (1st Cir. 2011). The panel explained:

It was foreseeable, on these facts, that a customer, knowing that her credit or debit card data had been compromised and that thousands of fraudulent charges had resulted from the same security breach, would replace the card to mitigate against misuse of the card data. It is true that the only plaintiffs to allege having to pay a replacement card fee, Cyndi Fear and Thomas Fear, do not allege that they experienced any unauthorized charges to their account, but the test for mitigation is not hindsight. Similarly, it was foreseeable that a customer who had experienced unauthorized charges to her account, such as plaintiff Lori Valburn, would reasonably purchase insurance to protect against the consequences of data misuse.

Anderson v. Hannaford Brothers Co., 659 F.3d 151, 164–65 (1st Cir. 2011).

114 Anderson v. Hannaford Brothers Co., 659 F.3d 151, 167 (1st Cir. 2011).

115 Anderson v. Hannaford Brothers Co., 659 F.3d 151, 159 (1st Cir. 2011).

116 Anderson v. Hannaford Brothers Co., 659 F.3d 151, 160 (1st Cir. 2011), citing McKinnon v. Honeywell Int'l, Inc., 977 A.2d 420, 427 (Me. 2009).

fact did not predominate.117

In Resnick v. AvMed, Inc.,118 the Eleventh Circuit held that victims of identity theft had stated claims for negligence, breach of fiduciary duty, breach of contract, breach of implied contract and unjust enrichment/restitution, in a suit arising out of the disclosure of sensitive information of 1.2 million current and former AvMed members (including protected health information, Social Security numbers, names, addresses and phone numbers) when two laptops containing unencrypted data were stolen from the company's Gainesville, Florida office. The court held, however, that plaintiffs had not stated claims for negligence per se, because AvMed was not subject to the statute that plaintiffs' claim was premised upon, or breach of the covenant of good faith and fair dealing, which failed to allege a conscious and deliberate act which unfairly frustrates the agreed common purposes, as required by Florida law.

In Resnick v. AvMed, ten months after the laptop theft, identity thieves opened Bank of America accounts in the name of one of the plaintiffs, activated and used credit cards for unauthorized purchases and sent a change of address notice to the U.S. postal service to delay plaintiff learning of the unauthorized accounts and charges. Fourteen months after the theft a third party opened and then overdrew an account with E*TRADE Financial in the name of another plaintiff.
In ruling that plaintiffs stated claims for relief resulting from identity theft, the court held that plaintiffs adequately pled causation where plaintiffs alleged that they had taken substantial precautions to protect themselves from identity theft (including not transmitting unencrypted sensitive information over the Internet, storing documents containing sensitive information in a safe and secure location and destroying documents received by mail that included sensitive information) and that the information used to open unauthorized accounts was the same information stolen from AvMed. The court emphasized that for purposes of stating a claim, “a mere temporal connection is not sufficient; Plaintiffs' pleadings must indicate a logical connection between

117 See In re Hannaford Bros. Co. Customer Data Security Breach Litigation, 293 F.R.D. 21 (D. Me. 2013).

118 Resnick v. AvMed, Inc., 693 F.3d 1317 (11th Cir. 2012).

the two incidents.”119

The court also ruled that plaintiffs stated a claim for unjust enrichment, which under Florida law required a showing that (1) the plaintiff conferred a benefit on the defendant, (2) the defendant had knowledge of the benefit, (3) the defendant accepted or retained the benefit conferred, and (4) the circumstances are such that it would be inequitable for the defendant to retain the benefit without paying for it.120 In Resnick v. AvMed, Inc., plaintiffs alleged that they conferred a benefit on AvMed in the form of monthly premiums that AvMed should not be permitted to retain because it allegedly failed to implement data management and security measures mandated by industry standards.121

Where claims proceed past a motion to dismiss, a central issue in a security breach case may be the reasonableness of a company's practices and procedures. In Patco Construction Co. v. People's United Bank,122 the First Circuit held that the defendant bank's security procedures were not commercially reasonable within the meaning of Maine's implementation of U.C.C. Article 4A, which governs wholesale wire transfers and commercial ACH transfers, generally between businesses and their financial institutions.123 Patco was a suit brought over six fraudulent withdrawals, totaling $588,851.26, from Patco Construction Co.'s commercial bank account with the defendant. Under Article 4A, a bank receiving a payment ordinarily bears the risk of loss for any unauthorized funds transfer unless a bank can show that the payment order received is the authorized order of the person identified as sender if that person authorized the order or is otherwise bound by it under the law of agency124 (which typically cannot be shown when a payment order is transferred electronically) or pursuant to section 4-1202(2), if a bank

119 Resnick v. AvMed, Inc., 693 F.3d 1317, 1327 (11th Cir. 2012).
120 Resnick v. AvMed, Inc., 693 F.3d 1317, 1328 (11th Cir. 2012).
121 Resnick v. AvMed, Inc., 693 F.3d 1317, 1328 (11th Cir. 2012).
122 Patco Construction Co. v. People's United Bank, 684 F.3d 197 (1st Cir. 2012).
123 Consumer electronic payments, such as those made through direct wiring or use of a debit card, are governed by the Electronic Fund Transfer Act, 15 U.S.C.A. §§ 1693 et seq. “Article 4A does not apply to any funds transfer that is covered by the EFTA; the two are mutually exclusive.” Patco Construction Co. v. People's United Bank, 684 F.3d 197, 207 n.7 (1st Cir. 2012).
124 Me. Rev. Stat. Ann. tit. 11, § 4-1202(1).

and its customer have agreed that the authenticity of payment orders issued to the bank in the name of the customer as sender will be verified pursuant to a security procedure, and, among other things, “[t]he security procedure is a commercially reasonable method of providing security against unauthorized payment orders ....”125

The First Circuit held that the defendant had failed to employ commercially reasonable security when it lowered the dollar amount used to trigger secondary authentication measures to $1 without implementing additional security precautions. By doing so, the bank required users to answer challenge questions for essentially all electronic transactions, increasing the risk that these answers would be compromised by keyloggers or other malware. By increasing the risk of fraud through unauthorized use of compromised security answers, the court held that the defendant bank's security system failed to be commercially reasonable because it did not incorporate additional security measures, such as requiring tokens or other means of generating “one-time” passwords or monitoring high risk score transactions, using email alerts and inquiries or otherwise providing immediate notice to customers of high risk transactions. As the court explained, the bank substantially increase[d] the risk of fraud by asking for security answers for every $1 transaction, particularly for customers like Patco which had frequent, regular, and high dollar transfers. Then, when it had warning that such fraud was likely occurring in a given transaction, Ocean Bank neither monitored that transaction nor provided notice to customers

125 Me. Rev. Stat. Ann. tit. 11, § 4-1202(2). Section 4-1202(2) allows a bank to shift the risk of loss to a commercial customer, whether or not a payment is authorized. That section provides:
If a bank and its customer have agreed that the authenticity of payment orders issued to the bank in the name of the customer as sender will be verified pursuant to a security procedure, a payment order received by the receiving bank is effective as the order of the customer, whether or not authorized, if:
(a) The security procedure is a commercially reasonable method of providing security against unauthorized payment orders; and
(b) The bank proves that it accepted the payment order in good faith and in compliance with the security procedure and any written agreement or instruction of the customer restricting acceptance of payment orders issued in the name of the customer. The bank is not required to follow an instruction that violates a written agreement with the customer or notice of which is not received at a time and in a manner affording the bank a reasonable opportunity to act on it before the payment order is accepted.
Id. § 4–1202(2).


before allowing the transaction to be completed. Because it had the capacity to do all of those things, yet failed to do so, we cannot conclude that its security system was commercially reasonable. We emphasize that it was these collective failures taken as a whole, rather than any single failure, which rendered Ocean Bank's security system commercially unreasonable.126

By contrast, in Choice Escrow & Land Title, LLC v. BancorpSouth Bank,127 the Eighth Circuit found a bank's security precautions to be reasonable where the bank (1) required customers, in order to be able to send wire transfers, to register a user id and password, (2) installed device authentication software called PassMark, which recorded the IP address and information about the computer used to first access the system, and thereafter required users to verify their identity by answering “challenge questions” if they accessed the bank from an unrecognized computer, (3) allowed its customers to place dollar limits on the daily volume of wire transfer activity from their accounts, and (4) offered its customers a security measure called “dual control” which created a pending payment order, when a wire transfer order was received, that required a second authorized user to approve, before the order would be processed. Choice had declined to place dollar limits on daily transactions or use dual control. In November 2009, Choice received an email from one of its underwriters, describing a phishing scam, which it forwarded to BancorpSouth with a request that wires to foreign banks be limited. BancorpSouth responded two days later advising that it could not restrict foreign transfers but encouraging Choice to implement dual control on wires as the best way to deter fraud. Choice again declined to do so. Thereafter, a Choice employee was the victim of a phishing scam and contracted a virus that gave an unknown third party access to the employee's username and password and allowed the third party to mimic the computer's IP address and other characteristics, leading to an unauthorized transfer of $440,000 from Choice's account to a bank in Cyprus. On appeal, the Eighth Circuit affirmed the lower court's entry of judgment for BancorpSouth, finding its security measures to be commercially reasonable within the

126 Patco Construction Co. v. People's United Bank, 684 F.3d 197, 210–11 (1st Cir. 2012).
127 Choice Escrow & Land Title, LLC v. BancorpSouth Bank, 754 F.3d 611 (8th Cir. 2014).

meaning of Article 4A, as adopted in Mississippi.

Where claims are based on misrepresentations allegedly made about a company's security practices, a court will distinguish actionable statements of fact from mere puffery. Puffery has been described as “vague, highly subjective claims as opposed to specific, detailed factual assertions.”128 For example, in In re Heartland Payment Systems, Inc. Customer Data Security Breach Litig.,129 the court dismissed the financial institution plaintiffs' claims for fraud and misrepresentation against a credit and debit card processor whose computer systems had been compromised by hackers, with leave to amend to allege factually concrete and verifiable statements, rather than mere puffery, made prior to, rather than after the security breach, to the extent relied upon by plaintiffs. In so holding, the court explained the difference between those statements contained in S.E.C. filings, made in analyst calls or posted on Heartland's website which were actionable and those which amounted to mere puffery. The court held that Heartland's slogans—The Highest Standards and The Most Trusted Transactions—were puffery on which the financial institution plaintiffs could not reasonably rely.130 The court similarly held that the following statements were not actionable representations:
• that Heartland used “layers of state-of-the-art security, technology and techniques to safeguard sensitive credit and debit card account information”;
• that it used the “state-of-the-art [Heartland] Exchange”; and

128 In re Heartland Payment Systems, Inc. Customer Data Security Breach Litig., 834 F. Supp. 2d 566, 591 (S.D. Tex. 2011) (quoting an earlier case), rev'd in part on other grounds sub nom. Lone Star National Bank, N.A. v. Heartland Payment Systems, Inc., 729 F.3d 421 (5th Cir. 2013) (reversing the lower court's order dismissing plaintiffs' negligence claim); Haskell v. Time, Inc., 857 F. Supp. 1392, 1399 (E.D. Cal. 1994); see generally supra § 6.12[5][B] (analyzing puffing in the context of Lanham Act false advertising claims).
129 In re Heartland Payment Systems, Inc. Customer Data Security Breach Litig., 834 F. Supp. 2d 566 (S.D. Tex. 2011), rev'd in part on other grounds sub nom. Lone Star National Bank, N.A. v. Heartland Payment Systems, Inc., 729 F.3d 421 (5th Cir. 2013) (reversing the lower court's order dismissing plaintiffs' negligence claim).
130 In re Heartland Payment Systems, Inc. Customer Data Security Breach Litig., 834 F. Supp. 2d 566, 592 (S.D. Tex. 2011), rev'd in part on other grounds sub nom. Lone Star National Bank, N.A. v. Heartland Payment Systems, Inc., 729 F.3d 421 (5th Cir. 2013) (reversing the lower court's order dismissing plaintiffs' negligence claim).


• that its “success is the result of the combination of a superior long-term customer relationship sales model and the premier technology processing platform in the industry today.”131

The court clarified that to the extent that Heartland's statements and conduct amounted to a guarantee of absolute data security, reliance would be unreasonable as a matter of law, given widespread knowledge of sophisticated hackers, data theft, software glitches and computer viruses.132 On the other hand, it found the following statements to be factual representations that were sufficiently definite, factually concrete and verifiable to support a claim for negligent misrepresentation:
• “We maintain current updates of network and operating system security releases and virus definitions, and have engaged a third party to regularly test our systems for vulnerability to unauthorized access.”
• “We encrypt the cardholder numbers that are stored in our databases using triple-DES protocols, which represent the highest commercially available standard for encryption.”
• Heartland's “Exchange has passed an independent verification process validating compliance with VISA requirements for data security.”133

Despite the prevalence of security breaches, the volume of

131 In re Heartland Payment Systems, Inc. Customer Data Security Breach Litig., 834 F. Supp. 2d 566, 592 (S.D. Tex. 2011), rev'd in part on other grounds sub nom. Lone Star National Bank, N.A. v. Heartland Payment Systems, Inc., 729 F.3d 421 (5th Cir. 2013) (reversing the lower court's order dismissing plaintiffs' negligence claim).
132 In re Heartland Payment Systems, Inc. Customer Data Security Breach Litig., 834 F. Supp. 2d 566, 592 (S.D. Tex. 2011), rev'd in part on other grounds sub nom. Lone Star National Bank, N.A. v. Heartland Payment Systems, Inc., 729 F.3d 421 (5th Cir. 2013) (reversing the lower court's order dismissing plaintiffs' negligence claim).
133 In re Heartland Payment Systems, Inc. Customer Data Security Breach Litig., 834 F. Supp. 2d 566, 593–94 (S.D. Tex. 2011), rev'd in part on other grounds sub nom. Lone Star National Bank, N.A. v. Heartland Payment Systems, Inc., 729 F.3d 421 (5th Cir. 2013) (reversing the lower court's order dismissing plaintiffs' negligence claim). The court also found the following statements to constitute representations about Heartland's privacy practices that, while not puffery, were not relevant to the data breach at issue in the case:
• “we have limited our use of consumer information solely to providing services to other businesses and financial institutions,” and

security breach class action litigation has not been as large as one might expect. Indeed, despite the potential for more substantial economic harm when a security breach occurs, there has not been an explosion of security breach class action suits to rival the large number of data privacy suits filed since 2010 over the alleged sharing of information with Internet advertisers and online behavioral advertising practices.134 There may be several explanations for this.

First, when a security breach occurs, cases brought by consumers often settle if there genuinely has been a loss (even if litigation with insurers and third parties over liability may continue). In consumer cases, the amount of individual losses may be limited both because security breaches do not always result in actual financial harm and because, when they do, federal law typically limits an individual consumer's risk of loss to $50 in the case of credit card fraud (and many credit card issuers often reimburse even that amount so that customers in fact incur no direct out of pocket costs). Class action settlements therefore may be focused on injunctive relief and cy pres awards, rather than large damage sums.135

Second, since security breaches often revolve around a common event, multiple cases may be more likely to be consolidated by the Multi-District Litigation (MDL) panel.136 By contrast, behavioral advertising privacy cases may involve similar alleged practices engaged in by multiple, unrelated companies or even entire industries, in somewhat different ways. Similar data privacy cases therefore typically

• “[w]e limit sharing of non-public personal information to that necessary to complete the transactions on behalf of the consumer and the merchant and to that permitted by federal and state laws.” Id. at 593.
134 See supra § 26.15 (analyzing data privacy putative class action suits).
135 See, e.g., In re Heartland Payment Systems, Inc. Customer Data Security Breach Litig., 851 F. Supp. 2d 1040 (S.D. Tex. 2012) (certifying a settlement class in a suit by credit cardholders against a transaction processor whose computer systems had been compromised by hackers, alleging breach of contract, negligence, misrepresentation and state consumer protection law violations, and approving a settlement that included cy pres payments totaling $998,075 to third party organizations and $606,192.50 in attorneys' fees).
136 See, e.g., In re: Target Corp. Customer Data Security Breach Litig., 11 F. Supp. 3d 1338 (MDL 2014) (transferring to the District of Minnesota for coordinated or consolidated pretrial proceedings more than 33 separate actions pending in 18 districts and potential tag-along actions arising out of Target's 2013 security breach).

have been brought as separate putative class action suits against different companies (or a single technology company and some of its customers). A particular alleged practice therefore may spawn dozens of analogous lawsuits against different companies that do not end up being consolidated by the MDL Panel.

Third, in data privacy cases, publicity about some large settlements reached before the defendants even were served or answered the complaint drew attention and interest on the part of the class action bar that may have made those cases seem more appealing, at least initially.

In contrast to consumers, whose compensable injuries and risk of loss effectively are limited, commercial customers of companies that experience security breaches, such as the plaintiff in Patco, potentially bear the full risk of loss and are more motivated to sue (and have more substantial damage claims) than consumer plaintiffs. While breach cases where there has been an ascertainable, present loss may proceed, claims based merely on the potential risk of a future loss may or may not proceed past a motion to dismiss, depending on where suit is filed.

Some courts also have been more receptive to claims in security breach cases where real losses were experienced. For example, in Lone Star National Bank, N.A. v. Heartland Payment Systems, Inc.,137 the Fifth Circuit held that the economic loss doctrine did not bar issuer banks' negligence claims under New Jersey law and does not bar tort recovery in every case where the plaintiff suffers economic harm without any attendant physical harm where (1) plaintiffs, such as the Issuer Banks, constituted an “identifiable class,” the defendant (in this case, Heartland) had reason to foresee that members of the identified class would be the entities to suffer economic losses were the defendant negligent, and the defendant would not be exposed to “boundless liability,” but rather to the reasonable amount of loss from a limited number of entities; and (2) in the absence of a tort remedy, the plaintiffs, like the Issuer Banks in Heartland, would be left with no remedy at all for negligence, defying “notions of fairness, common sense and morality.”

137 Lone Star National Bank, N.A. v. Heartland Payment Systems, Inc., 729 F.3d 421 (5th Cir. 2013).

Contract limitations, while beneficial to companies in security breach litigation, may be more difficult to enforce against consumers. Marketing considerations may limit a company's ability to disclaim security obligations. Moreover, as a practical matter, it is unclear whether security obligations could ever be fully disclaimed in a consumer contract. The Federal Trade Commission has taken the position that a company's failure to maintain adequate security, even in the absence of affirmative representations, is an actionable violation of the unfairness prong of section 5 of the Federal Trade Commission Act.138 The FTC or state Attorneys General could bring enforcement actions or otherwise seek to apply pressure on a company that purported to disclaim obligations. Some security law obligations likewise may not be waived.

Since FTC Act violations are potentially actionable as violations of state unfair competition laws in some jurisdictions, a company's failure to implement reasonable security measures could be separately actionable regardless of what a company says about its practices. For example, California's notorious unfair competition statute, Cal. Bus. & Prof. Code § 17200, allows a private cause of action to be brought for violations of other statutes that do not expressly create independent causes of action139 (although only provided that the plaintiff has “suffered injury in fact and has lost money or property”140 as a result of the violation).

While security breach class action suits may not have been as lucrative for plaintiffs' counsel as some might imagine—and even where a claim can be asserted a class may not be certified141—major security breaches have cost companies and their insurers substantial money.142

As security law and practice evolves, the risks of litigation increase. FTC enforcement actions have encouraged the development of security-related best practices, including the

138 See supra § 27.06.
139 See, e.g., Kasky v. Nike, Inc., 27 Cal. 4th 939, 950, 119 Cal. Rptr. 2d 296 (2002); Stop Youth Addiction, Inc. v. Lucky Stores, Inc., 17 Cal. 4th 553, 561–67, 71 Cal. Rptr. 2d 731, 736–40 (1998).
140 Cal. Bus. & Prof. Code § 17200; see generally supra §§ 6.12[6], 25.04[3] (analyzing section 17200).
141 See, e.g., In re Hannaford Bros. Co. Customer Data Security Breach Litigation, 293 F.R.D. 21 (D. Me. 2013) (denying plaintiffs' motion for class certification).
142 Examples of the extent of liability incurred in connection with certain security breaches are set forth in section 27.01.

adoption of information security programs. In addition, particular statutes, such as the Massachusetts law affirmatively mandating information security programs,143 compel particular practices. Security breach notification statutes have created an even stronger incentive for businesses to address security concerns. Indeed, the requirement that companies notify consumers and in some cases state regulators of security breaches creates a tangible risk of litigation and regulatory enforcement actions—without any safe harbor to insulate businesses in the event a breach occurs despite best efforts to prevent one. Many of these statutes afford independent causes of action. Other state laws, such as California Bus. & Prof. Code § 1798.81.5—which compels businesses that own or license personal information about California residents to implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect it from unauthorized access, destruction, use, modification or disclosure—cannot be disclaimed and further invite potential litigation in the absence of any express definition of, or safe harbor for, what might be deemed reasonable.

Significantly, courts evaluating state law claims are not necessarily bound by the principle recognized by the FTC that “security breaches sometimes can happen when a company has taken every reasonable precaution.”144 Without specific guidelines—such as those applied to financial institutions and covered health care entities under federal law—what constitutes adequate or reasonable conduct ultimately may present a fact question in litigation.

The absence of safe harbors for businesses outside of the health care and financial services industries means that even businesses that implement the latest security technologies and industry “best practices” may be forced to defend themselves in litigation if a security breach occurs. As the cases discussed in this section illustrate, whether a claim for a breach is viable may depend on whether consumers are injured, which companies cannot easily control, and whether risk of loss provisions are addressed in contracts with vendors, banks, insurers and others, which a company may be able to influence, depending on its negotiating position and diligence in auditing its security-related agreements.

143 See supra § 27.04[6][E].
144 See http://www.ftc.gov/opa/2003/11/cybersecurity.htm.


A company may limit its risk of litigation by entering into contracts with binding arbitration provisions and class action waivers, at least to the extent that there is privity of contract with the plaintiffs in any putative class action suit. While class action waivers are not universally enforceable, a class action waiver that is part of a binding arbitration agreement is enforceable as a result of the U.S. Supreme Court's 2011 decision in AT&T Mobility LLC v. Concepcion.145 Even without a class action waiver, certification of a privacy or security-related class action may be difficult to obtain where users enter into agreements that provide for binding arbitration of disputes.146 Arbitration provisions are broadly enforceable and, if structured properly, should insulate a company from class action litigation brought by any person with whom there is privity of contract.147

Where a claim is premised on an interactive computer service provider's republication of information, rather than direct action by the defendant itself, claims against the provider may be preempted by the Communications Decency Act.148

Additional, potentially relevant class action decisions are considered in section 26.15, which analyzes privacy-related class action suits.

27.08 Analysis of State Security Breach Notification Statutes

27.08[1] Overview and Strategic Considerations

Forty-seven states, the District of Columbia, Puerto Rico,

145 AT&T Mobility LLC v. Concepcion, 563 U.S. 333 (2011); see generally supra § 22.05[2][M] (analyzing the decision and more recent cases construing it and providing drafting tips for preparing a strong and enforceable arbitration provision); see also supra § 21.03 (online contract formation).
146 See, e.g., In re RealNetworks, Inc. Privacy Litig., Civil No. 00 C 1366, 2000 WL 631341 (N.D. Ill. May 8, 2000) (denying an intervenor's motion for class certification where the court found that RealNetworks had entered into a contract with putative class members that provided for binding arbitration); see generally supra § 22.05[2][M] (analyzing the issue and discussing more recent case law).
147 See supra § 22.05[2][M][i] (analyzing AT&T Mobility LLC v. Concepcion, 563 U.S. 333 (2011) and ways to maximize the enforceability of arbitration provisions).
148 47 U.S.C.A. § 230(c); supra § 37.05.
