TechLaw

The small body of law pertaining to hyperlinks grew a little last week with a military appellate court's decision that the act of distributing a hyperlink to an online source of child pornography did not subject the defendant to criminal liability for distributing the child pornography available at that address.

The court's decision was interesting for its discussion of the differences between transmitting a computer file and transmitting a pointer to that file's location, and whether different legal consequences should attach to these scenarios. Hyperlinks are valuable currency on the Web 2.0 Internet. I came away from this case with the sense that the criminal code, at least some portions of it, has yet to recognize this fact.

The decision was a close one, a 3-2 vote, where the majority based its ruling on the plain language of the statute. Child pornography is a visual depiction of a minor engaging in sexually explicit conduct. A "visual depiction," as defined by 18 U.S.C. 2256(5), "includes ... data stored on a computer disk or by electronic means which is capable of conversion into a visual image[.]"

The defendant was alleged to have transmitted to an undercover law enforcement agent a hyperlink pointing to a Yahoo! Briefcase server containing images of child pornography. The court rejected the government's argument that a hyperlink to child pornography meets the statutory definition of a "visual depiction" of child pornography. "The data contained in a hyperlink is not capable of conversion into any type of visual image," it said. The court said that a hyperlink was a shortcut to a particular location on the Internet--not child pornography itself or data capable of conversion into child pornography.

Two dissenters argued that there is little difference--a few extra mouseclicks, at most--between the distribution of a hyperlink to child pornography and distribution of the child pornography itself. They relied on language in Universal City Studios Inc. v. Corley, No. 00-9185 (2d Cir., Nov. 28, 2001), a copyright infringement case, in which the Second Circuit found infringement liability because the hyperlinks published by the defendant had the "functional capacity" to deliver infringing content instantaneously to an Internet user's computer. Building on Corley, the dissenters would have affirmed the defendant's conviction. "The recipient's ability to access and use images transmitted by hyperlink is functionally indistinguishable from the ability to access and use images transmitted as individually saved files," they wrote.

The case is United States v. Navrestad, No. 07-0199 (C.A.A.F., May 14, 2008).

It is really tough to get a class arbitration waiver upheld in California. Maybe impossible. When the Ninth Circuit, in Shroyer v. New Cingular Wireless Services Inc., 498 F.3d 976 (9th Cir. 2007), held that the class arbitration waiver in Cingular (now AT&T)'s wireless terms of service was unconscionable, the company decided to "improve" the class arbitration waiver language rather than eliminate it.

AT&T added to the AT&T Mobility terms of service several incentives for plaintiffs to engage in individual arbitration. Chief among them:

If a person prevails on the merits at arbitration, and receives an award: (1) equal to or less than the greater of (a) $5,000 or (b) the maximum jurisdictional dollar amount for small claims actions in the county containing the person’s billing address; and (2) greater than AT&T’s last written offer prior to selecting an arbitrator; then AT&T will pay the greater of (1) or (2) instead of the award, and pay the person’s attorney double their fees and reimburse them for reasonable costs.

This isn't good enough, according to the court's decision in Steiner v. Apple Computer Inc., No. 07-4486 (N.D. Cal., March 12, 2008). The plaintiff sought class treatment of his claim that Apple unlawfully failed to disclose substantial expenses iPhone users would incur when replacing batteries on the device. The court ruled that, after Shroyer, AT&T needed to demonstrate that the individual arbitration remedy available under the terms of service "functions as well as a class action would, such that it has not insulated itself from hundreds of thousands, if not millions of iPhone users seeking recovery of the hidden $114.95 in annual battery-changing and related charges."

The court held that the benefits of pursuing individual arbitration were illusory in many instances; in any event, it said, the relevant inquiry is a comparison between the outcomes for all iPhone consumers under the arbitration agreement and under a class action suit. "In this regard, AT&T has not presented any evidence that all iPhone consumers would recover more, on average, if the Court let the Arbitration Agreement stand rather than allowing the Steiners' class action to proceed."

The court was not concerned with whether the plaintiff would receive a fair hearing on his claim. Rather, the inquiry was whether all iPhone users would do better in a class action. On the subject of attorneys' fees, the court wrote that reasonable attorneys' fees in arbitration were not be an adequate incentive to seek redress because what attracts attorneys to class actions is the prospect of lucrative attorneys' fees.

It is hard to imagine any class arbitration waiver that could withstand this sort of inquiry. The main purpose of an arbitration clause is to minimize exposure to litigation. After Shroyer, it appears, the fact a consumer will be able to receive a fair hearing in an individual arbitration proceeding does not save a class arbitration waiver from a finding of unconscionability. In cases like Shroyer and now Steiner, where the plaintiff alleges that the defendant has engaged in a fraudulent scheme by taking a little money from thousands or millions of consumers, any attempt to minimize liability via arbitration will be suspect.

Imagine you're on a flight from Seattle to New York. Your eyes wander over to the laptop screen of the passenger sitting next to you. Imagine (you have quite an imagination) your brief glimpse of the screen reveals the details of one software company's not-yet-public offer to purchase a leading online property. Assume this information is very valuable. Have you, in that moment, violated the Computer Fraud and Abuse Act?

Possibly. There are quite a few ways to violate the CFAA, but a garden variety violation requires proof that the defendant "accessed" a "protected computer" without authorization or in excess of authorized access and thereby obtained information (a criminal offense under 18 U.S.C. 1030(a)(2)(C)) or "anything of value" (a criminal offense under 18 U.S.C. 1030(a)(4) if done with intent to defraud) or caused damage and loss of at least $5,000 (a civil offense under 18 U.S.C. 1030(g)).

Thanks to the Internet, nearly every computer is a "protected computer." The hard part of the analysis is deciding whether you have "accessed" your flight companion's laptop and whether that access was unauthorized. The statute is no help here. Congress failed to define either "access" or "authorization" in the CFAA (though it did define "computer").

My dictionary defines the verb "access" as "to gain or have access to; esp., to retrieve data from, or add data to, a database [branch officials can access the central database]." With this definition in mind, it's certainly plausible to argue that your glance "accessed" that laptop.

Which brings us to the final inquiry: Was your access of the laptop unauthorized? Certainly the laptop owner did not want you to read that top-secret, super-valuable information he was so carelessly perusing. Is that enough to establish a lack of authorization? Is there a requirement that the laptop's owner first inform you that you do not have permission to read over his shoulder? Would it matter if you were a former employee at the laptop owner's company and thus you knew immediately that you did not have permission to read the information on the screen? Would it matter if you had signed a confidentiality agreement while working at the company?

There really are no solid answers to these questions. Congress' decision to add a civil remedy to the CFAA in 1994 and its later decision to drape CFAA liability over the entire Internet by extending the CFAA to any computer used in interstate commerce have combined to create a vast new expanse of computer fraud liability that laywers and courts are only now beginning to explore. And while there are several murky corners of the CFAA (such as what constitutes damage and/or loss), the area receiving the most attention right now is the idea of which kinds of computer accesses are "unauthorized" or "exceeds authorized access."

Several courts have given an expansive reading to these terms, commonly in cases in which access is initially authorized or conditionally authorized, but the information taken is later put to an unauthorized use. Here are a few leading cases supporting a broad reading of unauthorized access.

In America Online Inc. v. LCGM Inc., 46 F. Supp.2d 444 (E.D. Va. 1998), a court held that an AOL user who harvested e-mail addresses of other AOL users made an unauthorized access of AOL's computer network because such use violated the AOL terms of use, which he had assented to via a mouseclick.

In EF Cultural Travel BV v. Explorica Inc., 274 F.3d 577 (1st Cir. 2003), the court held that the a datamining tool to collect publicly available pricing information was unauthorized because it violated a confidentiality agreement signed by the defendant, a former employee of the plaintiff.

In Register.com v. Verio, 126 F. Supp.2d 238 (S.D.N.Y. 2000), the court held that a competitor's use of repeated database queries, in violation of Web site terms of use, and after objection by Web site owner, was unauthorized under the CFAA.

In International Airport Centers v. Citrin, 440 F.3d 418 (7th Cir. 2006), the court imported common law agency principles to conclude that an employee's otherwise-authorized use of the employer's computer network becomes unauthorized when the employee acts against the interests of the employer.

Citrin is a controversial decision, and some courts have rejected it. Nevertheless, Citrin gets you into court with a plausible (decisive in the Seventh Circuit) argument that your company was the victim of federal computer fraud when employees take valuable information on their way out the door.

These cases have generated a lot of interest from companies who incur business losses when employees depart to work for competitors. The tactical advantages of a CFAA cause of action against departing employees are discussed by technology law experts here and here. The availability of a federal forum, the ability to protect information that does not qualify for copyright or trade secret protection, and the availability of injunctive relief, are just three reasons for increasing interest in the CFAA's civil remedies.

Later this week, on May 23, ALI-ABA is conducting an online seminar on civil uses of the CFAA in these situations.

Finally, there is the case of Lori Drew, a Missouri woman who has been indicted for violating the CFAA's criminal provisions, arising from her alleged use of the MySpace.com Web site in violation of its terms of service. This prosecution holds out the possibility that a CFAA criminal prosecution for "unauthorized" accesses could include any violation of a Web site's terms of use. Hard to imagine.

Daniel J. Solove at Concurring Opinions and Orin Kerr at the Volokh Conspiracy have commentaries on the case here and here.

Francis Gurry has been nominated to be the next Director General of World Intellectual Property Organization, according to an announcement released today by that organization. Gurry, presently WIPO's Deputy Director General, will have to be officially appointed by the WIPO General Assembly this fall.

Gurry should be well-known to cyberlaw attorneys, having lobbied hard for the creation of ICANN's Uniform Domain Name Dispute Resolution Policy, a quick-justice remedy against cybersquatters, way back in 1999. While at WIPO, Gurry built WIPO's Arbitration and Mediation Center into the leading provider of UDRP dispute resolution services.

Earlier this year I blogged about a Vermont divorce court's recognition of the fact that the First Amendment places limits on a court's ability to enjoin divorcing couples' ability to write nasty things about each other on the Internet. The court recognized the issue, but did not decide it, given the court's limited subject-matter jurisdiction.

Yesterday a California appellate court weighed in with a fuller analysis in another case involving a trial court's decision to enjoin a spouse from posting on the Internet allegedly defamatory remarks about her husband.

A couple lessons can be drawn from the California court's opinion. The First Amendment does not allow for injunctions against future, unspecified defamatory statements. However, a narrowly tailored injunction to protect privacy interests -- such as a real threat of personal harm -- is possible if the interest is sufficiently compelling.

Alleged Defamatory Remarks: Injunction Was Prior Restraint

Following a hearing, the trial court issued an order enjoining the wife (and her mother) "from publishing false and defamatory statements and/or confidential personal information about [the husband] on the internet. ..."

Two distinct types of information are implicated here: allegedly defamatory statements about the husband, and statements that allegedly violated the husband's privacy rights. The court's analysis was different for each type.

The appellate court concluded that the decision to enjoin the wife's allegedly defamatory Internet speech was an unconstitutional prior restraint. California courts applying the First Amendment to defamation claims have concluded that an injunction is constitutional only to the extent it prohibits a person from repeating statements that have been determined during a trial to be defamatory. Here, whether or not the wife's prior online publications were defamatory had yet to be determined, and the injunction was broader than a mere ban on repeating what the husband alleged the wife to have previously posted online. This aspect of the trial court's order also suffered from constitutional vagueness and overbreadth flaws, the court said, because it "fails to adequately delineate which of [the wife's] future comments might violate the injunction and lead to contempt of court."

Alleged Invasion of Privacy: Balancing Test Required

Taking up the portion of the trial court's injunction forbidding the wife from posting online "confidential personal information," the court ruled that a balancing test was required, an inquiry that weighed the husband's privacy interests against the wife's free speech constitutional rights. Relevant factors here included whether the husband is a public figure, the nature of the information involved, whether the information is of legitimate public concern, the extent of harm caused by online publication of the information, and the strength of the private and governmental interest in preventing its publication.

The first problem with the trial court's order was that it failed to define "confidential personal information." Without a clear definition, it is impossible to assess the extent of the husband's privacy interests and difficult for the wife to determine what information she was prohibited from placing on the Internet, the court said.

The husband claimed that the wife would, if permitted, post his telephone number, address, and social security number on the Internet. The husband argued that, because he is a deputy sheriff, posting this information would jeopardize his safety. And the court agreed, ruling that a court would be "fully justified" in enjoining the publication of this kind of information on the Internet:

We agree that a court would be fully justified in issuing an order preventing a party from putting this type of identifying information about another person on the Internet, particularly where, as here, that person is a law enforcement officer. To the extent that [the husband] seeks such an order and supports this request for evidence, the court would be justified in immediately ordering that this type of information be kept private. Such a restriction does not involve information that has any public value and would serve the significant public interest of protecting the safety of a law enforcement officer.

However, the court noted, the trial court's injunction was not limited to this kind of information. Any injunction prohibiting the online publication of any "confidential personal information" is vague, overbroad, and not narrowly tailored, the court said. On remand, the trial court should determine exactly which information the husband wants to keep private, and then engage in a balancing test to determine whether there is a compelling reason that the information be kept private. Information contained in court files is not necessarily exempt from disclosure, the court cautioned; in fact, it said, there is a presumption that this information is a matter of public record. Personal safety could be a compelling reason, the court suggested, but any order protecting this interest must be narrowly tailored so it does not interfere with the wife's First Amendment rights.

Update: The Citizens Media Law Blog also has a comment and more background information about the case.

The case is Evans v. Evans, No. D051144 (Calif. Ct.App., May 12, 2008).

A decade ago, back when the commercial Internet was young, cases about jurisdiction were all over the map. Predicting which sorts of online activities would subject a person or a business to the jurisdiction of a foreign court was a hazardous occupation.

Leading pre-2000 cases tended to take a broad view of what the Due Process Clause permitted in the way of "haling" an out-of-state miscreant into court to answer a local resident's complaint. Cases like Panavision Int'l L.P. v. Toeppen, 141 F.3d 1316 (9th Cir. 1998), which held that the assertion of jurisdiction over an out-of-state cybersquatter comported with federal due process, and Inset Systems Inc. v. Instruction Set Inc., 937 F. Supp. 161 (D. Conn. 1996), which held that merely operating a Web site accessible to forum residents and having a toll-free telephone number (Imagine that. A telephone number has jurisdictional significance.), drew skeptical reviews from cyberlaw specialists. If these cases were correct, a Web site operator could be sued any place that had Internet connectivity.

Things look different today. Courts have become more sophisticated when deciding jurisdiction challenges. Rarely will the mere accessibility of a Web site in the forum be enough to support jurisdiction. Nor will a blog post or two be sufficient to force the poster to defend a libel action in the post subject's home state. And nearly all courts analyzing e-commerce transactions have ruled the a single sale or two into the forum does not amount to "doing business in" or "purposeful availment of" the forum state.

Courts tend to make a determined effort to assess the quality and nature of a Web site's contacts, frequently borrowing from the "interactivity" test created in Zippo Mfg. Co. v. Zippo Dot Com Inc., 952 F. Supp. 1119 (W.D. Pa. 1997). Broad language used by the U.S. Supreme Court in Calder v. Jones, 465 U.S. 783 (1984), cited by many online plaintiffs for the proposition that jurisdiction is proper wherever the "effects" of the alleged libel are felt, has been whittled down to size by repeated judicial insistence that the defamatory online publication must have been "expressly aimed" at the forum state. Not aimed at the plaintiff. Aimed at the forum. The Fourth Circuit's opinion in Young v. New Haven Advocate, 293 F.3d 707, 711 (4th Cir. 2002), is a good example. In Young, the court held that the Due Process Clause did not permit a Virginia court to exercise jurisdiction over a state resident's libel claim against two newspapers based in Connecticut. The "effects" of the alleged libel may have been felt in Virginia where the plaintiff resided, the court said, but the defendants' Web sites were not targeted and focused on Virginia readers.

I doubt that the Ninth Circuit would decide Toeppen the same way today, even though the court has passed up several opportunities to repudiate that case. I can't remember the last time a court even mentioned let alone followed Inset Systems.

Here are several other examples of what seem to me to be correct, defensible outcomes in jurisdiction disputes:

In Malone v. Berry, No. 07ap128 (Ohio Ct.App. Dec. 6, 2007), the court held that a single eBay sale of a motor vehicle could not constitutionally support the assertion of jurisdiction by a court in the state where the plaintiff resided.

In Marschke v. Wratislaw, No. 07SD125 (S.D., Dec. 5, 2007), the South Dakota Supreme Court reached the same conclusion: a single eBay sale to a forum resident was not a constitutionally permissible basis for a state court to assert jurisdiction over the out-of-state seller.

Other cases make the same point: Shamsuddin v. Vitamin Research Prods., 346 F. Supp.2d 804 (D. Md. 2004), Machulsky v. Hall, 210 F. Supp.2d 531 (D. N.J. 2002). But see Crummey v. Morgan, No. 2007 CW 0087 (La. Ct.App., Aug. 8, 2007), in which the court cited the interactivity of the eBay Web site to conclude that the defendants had purposely availed themselves of the forum where the plaintiff resided.

Similarly, in the defamation area, blog postings and other online comments are rarely found to support jurisdiction in the forum where the allegedly defamed plaintiff resides.

In Ajax Enter. Inc. v. Szymonak Law Firm, No. 05-5903 (D. N.J., April 10, 2008), the court rejected an argument based on the Calder "effects test," ruling that because the defendants did not expressly aim their Web-published remarks at New Jersey, New Jersey courts could not constitutionally assert jurisdiction over them.

Another recent case, Internet Solutions Corp. v. Marshall, No. 07-cv-1740 (M.D. Fla., April 8, 2008), the court found no purposeful availment of the forum where the defendant authored several unflattering blog posts about the forum-based defendant. Here again, the court rejected an argument based on the Calder "effects test." All that the plaintiff had demonstrated was that the blog posts were accessible everywhere, the court said. That fact "does not amount to purposeful availment" of the forum.

Which leads me to Kauffman Racing Equipment v. Roberts, No. 07-CA-14 (Ohio Ct. App., April 18, 2008). In Kauffman, the defendant, a Virginia resident, believed that the plaintiff had sold him a defective engine block. He made four disparaging comments on Internet Web sites about the plaintiff, and the plaintiff responded by suing for defamation and intentional interference with business relationships. The trial court dismissed the case for lack of jurisdiction, but the court of appeals reversed in what was the weakest attempt at getting a jurisdiction issue right that I have witnessed in many years. The court, motivated by a poorly disguised dislike of the defendant, ignored a decade's worth of judicial effort in this area, misused the mostly irrelevant cases it did cite, and in the process sowed uncertainty in an area of the law that has been developing nicely.

The court's opening notes are sour: "The development of the law concerning the permissible scope of personal jurisdiction based on Internet use is in its infant stages. The cases are scant." The court is just plain wrong here. Cases on Internet jurisdiction are legion. BNA's Electronic Commerce & Law Report, which I edit, has summarized nearly 100 online jurisdiction cases since January 2007. Looking all the way back to 1997, I count over 400 online jurisdiction cases. In terms of cases decided, online jurisdiction is the richest source of judicial lawmaking in the entire field of cyberlaw. No other cyberlaw topic has received as much judicial attention.

In any event, the Kauffman court apparently believed that the caselaw was scant. It cited barely a speck of it, and what was cited was either misused or treated in a superficial, impressionistic manner. Surprisingly, the court fails to mention a single online defamation case. Calder is mentioned but not discussed; no mention is made of the dozens of cases that have attempted to apply Calder to online communications. Instead, the court lifted fragments from a handful of older cases involving interstate commercial activity. Young? Never heard of it.

The U.S. Supreme Court's decision in Burger King Corp. v. Rudzewicz, 471 U.S. 462 (1985), a case involving one of world's largest restaurant chains, with over 3,000 outlets in all 50 states at the time, is cited by Kauffman for the proposition that "when an entity intentionally reaches beyond its boundaries to conduct business with foreign residents, the exercise of specific jurisdiction is proper." The Burger King quote is followed by this non sequitur from Zippo: "Different results should not be reached simply because business is conducted over the Internet."

Mind you, Kauffman has nothing to do with conducting business over the Internet. No matter. This court isn't going to reason from these cases anyhow. It is done with case analysis and is ready to rule:

The Internet knows no state boundaries. The Internet has also become accessible at virtually every coffee shop in the world. A non-resident who avails himself of the expansive reach of the Internet should not be able to use his non-residency as a shield against defending tortious activity against a plaintiff harmed in a different state. ... ... Ohio is the focal point both of the defamation and of the harm suffered. Jurisdiction over Roberts is, therefore, proper in Ohio based upon the "effects" of his Virginia conduct in Ohio. ... Today, thanks to the accessibility of the Internet, the barriers to generating publicity are slight, and the ethical standards regarding the acceptability of certain discourse have been lowered. As the ability to do harm has grown, so must the law's ability to protect the innocent.

You almost never see an unadorned "effects" test anymore. An "effects" analysis always leads to the conclusion that jurisdiction is proper wherever the plaintiff resides. Which means that, for all intents and purposes, it is an argument for jurisdiction in every forum that has an Internet connection. We're back to Inset Systems, and almost nobody believes that that was the right outcome.

Clearly, the Kauffman court's motivation was to bring justice to lawless cyberspace. But decisions like this also bring needless uncertainty to the Internet. Attorneys ought to be able to say with confidence that a couple blog postings or a single eBay sale will not subject the speaker or seller to jurisdiction in any forum where the plaintiff resides. Courts and attorneys ought to have a workable analysis for deciding jurisdiction issues for online communications and online business transactions. Sure, an Ohio court will not be able to mete out justice to the defendant in Kauffman. But a whole lot of other online speakers will suffer too, because they will have to deal with desperate arguments for jurisdiction bootstrapped by this decision.