Online diploma mills, which require little or no coursework to complete a degree have recently garnered much attention within the online education realm. Websites which offer questionable diplomas for hundreds of dollars target vulnerable consumers seeking a degree to improve their life prospects, while simultaneously casting a shadow over legitimate online educational institutions which offer accredited programs and a complete educational experience including coursework, teacher interaction, and grading. In the latest crackdown on online diploma mills, the Federal Trade Commission obtained a temporary restraining order against Diversified Educational Resources, LLC and Motivational Management & Development Services, Ltd., companies which generated millions of dollars by selling worthless high school diplomas to thousands of consumers.
According to the allegations of the FTC’s complaint, the defendants have been operating purported online education sites since 2006, under the names Jefferson High School Online and Enterprise High School Online. The FTC alleges that the websites misleadingly represent that these are accredited schools by saying that the defendants “[p]rovide a respected and recognized high school diploma equivalency program,” that students completing the program will be “high school graduates,” and that the schools are registered with the Florida Department of Education. While the latter statement is technically true, the websites do not reveal that registering with Florida’s School Choice Program does not mean that the programs are accredited but rather, according to the complaint, registration is merely a “ministerial act, based solely on their own self-reported answers to Florida’s annual private school survey” which the Florida Department of Education does not verify. The truth of the accreditation status can only be found buried in dense paragraphs of text, in which the defendants note that they are “actively pursuing accreditation options” although they have not applied for any yet.
Consumers paid $200 to $300 to register on the websites. Those fees did not entitle them to any coursework, education, or test preparation. Rather, customers were immediately prompted to take a “test,” which was nearly impossible to fail because the websites provided hints to ensure that customers passed. After passing the test, customers received diplomas bearing the name “Jefferson High School Online” or “Enterprise High School Online.”
The “diplomas” that the defendants issued to customers were useless, according to the FTC. Many customers learned that their diplomas were invalid after unsuccessfully attempting to use them to apply to jobs, enroll in college, or join the military. Further, unsatisfied customers who sought a refund were refused, according to the FTC. Through this scam, the complaint says, the defendants collected over $11 million since 2009 without providing a real education product or service.
The U.S. District Court for the Southern District of Florida issued a temporary restraining order and asset freeze in response to these allegations, suspending the domain names and prohibiting any material misrepresentations regarding online education. The case remains pending in the Southern District of Florida and the defendants’ responsive pleadings are due in October.
The fact is that social media has connected us to each other in ways which seemed unimaginable only a few decades ago. Take for example the progression of social activism through online fundraising. Over the course of two short months the ALS Ice Bucket Challenge (“IBC”) went viral with millions of videos being posted by people drenching themselves in ice water in order to spread awareness and raise money for the research and treatment of ALS. To date, the total amount of donations made to the ALS Association through the IBC is an unprecedented $114 million. The Association’s FAQs webpage regarding the IBC indicates that this amount is almost five times its annual overall budget.
The ALS Ice Bucket Challenge is also a good example of the online phenomenon of crowdfunding, where numerous individuals and groups pitch in to fund a project, cause or idea. Simply put, crowdfunding is fundraising through social media. There are several popular crowdfunding websites, however one of the most well-known sites is Kickstarter.com, which was launched in 2009, and boasts the facilitation of $1 billion in contributions by seven million backers who have so far funded 69,000 “creative projects” through the site. However, as is common when dealing with new technology, there are often unanticipated legal aspects of such innovation which can be problematic.
Earlier this year, the first crowdfunding consumer protection lawsuit was filed in the state of Washington (State of Washington v. Altius Management, LLC; Edward J. Polchlopek III (No. 14-2-12425-SEA)). In late 2012, defendant Ed Nash, as he is known, and his company Altius Management, were successfully funded through a Kickstarter campaign to produce a limited-edition playing card game called Asylum. According to the campaign page, backers exceeded Nash’s goal of raising $15,000, giving more than $25,000 in total for the promise of the card game to be made. In addition, many of those who funded Nash’s campaign expected certain perks for contributing, referred to by Kickstarter as “rewards,” as was detailed in his campaign’s backer pledge amounts, which included multiple card decks and custom artwork according to varying contribution levels. However, two years later the card game has not been produced, backers have received no rewards or refunds and there has been no communication from Nash regarding the status of the Asylum project since July 2013.
With this being the first case of its kind, there is no precedent to see exactly how these proceedings will develop or how this case will affect Kickstarter and other crowdfunding websites. We suspect it will proceed like many of the other cases we write about in the internet space. One thing is certain, whether they are made online or in person, people don’t like broken promises.
In this health-conscious age, consumers are always on the lookout for new products which will improve wellness and quality of life. Marketers attuned to this trend may be tempted to increase sales by extolling the virtues of their products, even if health claims are unsubstantiated by scientific testing. A recent FTC case, however, demonstrates the price that advertisers pay for overstating health claims.
The FTC filed a case against TriVita Inc., a dietary supplement company, for its marketing of the Nopalea cactus juice drink. The beverage was widely advertised in television infomercials and online as an “anti-inflammatory wellness drink.” Nopalea includes juice from the nopal cactus, also known as the “prickly pear.” TriVita’s “Chief Science Officer” stated that the nopal cactus is proven to reduce inflammation, which he linked to Alzheimer’s disease, allergies, diabetes, and heart disease. TriVita sold each 32-ounce bottle of Nopalea for $39.99, plus shipping and handling.
According to the FTC’s complaint, the Nopalea infomercial was one of the most frequently aired commercials in the United States. The ads stated that the juice would relieve pain, reduce swelling in joints and muscles, and improve breathing. Infomercials featured “customer testimonials” in which individuals stated that Nopalea helped relieve them of symptoms of a wide variety of conditions, including inflammation, chronic pain, respiratory conditions, and skin conditions. However, the FTC alleged that these individuals were paid for their endorsements, a fact not sufficiently disclosed in the advertisements. When customers called the toll-free number advertised, sales representatives told customers that Nopalea would make them “pain-free,” according to the FTC’s complaint. The health representations had not been substantiated with scientific studies at the time they were made.
The FTC filed its complaint and request for permanent injunction on July 10, 2014. On July 11, the FTC filed a stipulated settlement order in which TriVita agreed to forfeit $3.5 million to the FTC. The order prohibits the defendants from marketing Nopal cactus products using unsubstantiated or misleading health claims, and from using paid endorsers unless any material connection between the individual and the company is clearly and prominently disclosed.
The multi-million dollar settlement in this case should serve as a warning to marketers who are tempted to overstate health claims in order to generate traffic and sales. The FTC takes health claims seriously and reviews health-related ads with extra scrutiny, so specific claims should only be made when supported by solid, scientific proof, and any paid testimonials should be clearly disclosed. As the cactus juice company learned, failure to comply with these standards will lead to a prickly situation.
Career Education Corporation, like a host of other for-profit education companies, has found itself spinning on the courthouse revolving door. The latest legal challenge for CEC: a False Claims Act suit filed in federal court in New Jersey on May 16. The lawsuit alleges that CEC defrauded the federal government by (1) falsifying job placement statistics to exaggerate the number of graduates working in their fields of study, (2) misrepresenting accreditation status of some of its programs to remain eligible for federal funding, (3) admitting students who did not have high school diplomas or GEDs, could not speak English, or were mentally handicapped, and (4) paying bonuses to admissions staff based on enrollment numbers. Many of these allegations are familiar to CEC as well as others in the industry. Unfortunately CEC – like many other for-profit education companies – just can’t seem to free itself from the yoke of enforcement agencies and plaintiffs’ attorneys.
Last August, CEC entered a settlement agreement with the New York Attorney General’s office following an investigation into allegations of inflated job placement rates and allegations of inadequate disclosures regarding accreditation status. That agreement cost CEC $10.25 million and imposed significant reporting requirements.
The allegation of inappropriate incentive compensation for college recruiters is a popular basis for lawsuits against the for-profit education industry. In May, the Department of Justice filed a False Claims Act suit against Stevens-Henager College, Inc. for allegedly illegally compensating recruiters. These suits follow similar False Claims Act suits filed against the University of Phoenix (which settled in 2009 for a whopping $67.5 million, plus $11 million in attorneys’ fees) and Oakland City University (which settled in 2007 for $5.3 million) for their incentive compensation structures. There is also a pending False Claims Act case against Education Management Corporation with claims that largely mirror those faced by CEC.
Unfortunately for CEC and its fellow for-profit educators, settling with one entity does not necessarily mean freedom from future suits by other regulators or supposed whistleblowers. The more common scenario follows the camel under the tent: once an investigation is initiated – and publicly announced – follow-on actions ensue. The host of False Claims Act cases against the industry is a perfect example.
Part of the problem is the nature of False Claims Act cases. These suits, which are brought on behalf of the federal government by private plaintiffs (known as “relators”), are intended to help root out fraud against the government. Whistleblower relators are given incentive to file claims as they can receive significant compensation should the lawsuit succeed (or settle). For instance, the whistleblowers in the U. Phoenix settlement received $19 million in compensation; the whistleblower in the Oakland City U. settlement received $1.4 million.
The concept of False Claims Act cases seems laudable – the government cannot possibly keep track of all fraudulent claims it pays out to government contractors and other recipients of federal funds; having private actors with personal knowledge come forward to help address the problem should save the government significant sums. But the host of False Claims Act cases against the for-profit education industry defendants has produced little new or damnable information. When False Claims Act cases are brought after the news of alleged problems breaks, or after an investigation is launched, the benefit to the government is substantially diminished. The lawsuits become more about economic opportunity for enterprising litigators and relators.
Herbalife Hit with Civil Investigative Demand – Is the FTC Finally Turning up the Heat on Multi-Level Marketers?
For many, the announcement two weeks ago that the Federal Trade Commission has commenced a formal investigation into Herbalife was not terribly interesting. After all, nutritional supplement company Herbalife has been the focus of intermittent media attention since December 2012 when Wall Street hedge fund manager Bill Ackman claimed that it was an illegal pyramid scheme, and its business practices have already drawn the scrutiny of the Securities and Exchange Commission.
On the other hand, because the FTC focuses on deceptive trade practices, its investigation into Herbalife– and the allegation that it constitutes a pyramid scheme – may offer a valuable opportunity for the FTC to clarify its rules on what constitutes a pyramid scheme and what a multi-level marketing (MLM) company can or must do to protect itself from the accusation.
The MLM industry has been an established networking sales model for several decades. The FTC defines “multi-level marketing” as networking that uses individuals to sell products by word of mouth or direct sales where distributors typically earn commissions not only for their own sales, but for sales made by the people they recruit. MLM has become increasingly popular in recent years – and for good reason given that it has become extremely profitable: A 2012 study reported the MLM industry was worth approximately $30 billion.
The sole FTC guidelines for MLM arose from litigation in 1979 when the FTC accused the MLM Amway of operating an illegal pyramid scheme. (Amway ultimately prevailed four years later.) The case gave rise to what is known as the “Amway Safeguard Rules”– a set of rules relating to distributors that Amway had in place that protected itself from the FTC accusation that the company was a pyramid scheme. As described in the administrative law judge’s decision, these three critical criteria provided an “umbrella of legal protection”:
1. Amway required its representatives to engage in retail selling, under the “ten retail customer police,” which appeared in the agreement that representatives signed upon enrollment. This rule required that representatives make 10 sales to retain customers as a qualification for eligibility to receive commission and bonuses on sales/purchases made by other representatives in their personal sales organization.
2. Amway required its representatives to sell a minimum of 70 % of previously purchased products before placing a new order. (Amays’ rules recognize “personal use” for purposes of the 70% rule.)
3. Amway had an official “buy-back” policy for unsold, unopened inventory. This policy had some reasonable restrictions, including a specified maximum length of time since the item was originally purchased by the representative and that the item was still current in the company’s product offerings to consumers. The policy also included a minimal “restocking” fee. (Buy-back policies are significant especially for protection of representatives who choose to terminate their affiliation with a company, and do not want to be “stuck” with unsold inventory.)
By adhering to these rules, MLM companies gain some protection from pyramid scheme accusations. And, aside from a staff advisory opinion in 2004, the FTC has offered little or no further guidance on what it perceives as a pyramid scheme and what companies can or must do to show that their businesses are legitimate and legal.
Will the FTC use the Herbalife investigation to provide greater guidance for MLM companies? To do so would be in the interests of MLM companies, the regulators themselves, and those in the financial services industry who have taken great interest – and large financial positions – in MLM companies.
After the FTC secured a $163MM judgment against Kristy Ross in the US District Court of Maryland, the 4th Circuit affirmed, and so ends the FTC’s six-year “scareware” enforcement action. From beginning to end, this odyssey has been quite colorful, to say the least. The nine-figure judgment against Ross is no exception.
Originally, there were eight codefendants: Innovative Marketing, Inc., ByteHosting Internet Services, LLC, and five of the companies’ officers and directors, including Ms. Ross. The case was based on FTC allegations that their massive “scareware” scheme was deceptive in violation of Section 5 of the FTC Act. Specifically, the FTC alleged that the defendants falsely warned consumers that (imaginary) scans of their computers detected security or privacy issues (e.g., viruses, spyware, system errors, and pornography). After receiving the fraudulent security alerts, the consumers were prompted to purchase the Defendants’ software to remedy the (imaginary) problems. More than one million consumers purchased the scareware – of them, roughly three thousand filed complaints with the FTC.
Ross was the only co-defendant remaining at trial, and the judgment was entered against her individually and as a member of Innovative Marketing, Inc. (IMI). Four of the eight original defendants settled with the FTC in February 2010. The same month, the trial court entered default judgments against the remaining three – IMI, Mr. Jain, and Mr. Sundin – for their failure to appear and participate in the litigation. Ross retained counsel but failed to file an answer, respond to the FTC’s discovery requests, or appear at trial. As such, the lone defendant Ross was tried in absentia. Though not explicitly expressed in the trial judge’s opinion, one can only imagine that the optics did not bode well for Ms. Ross at trial.
Before trial, the FTC moved for summary judgment. In her opposition, Ross argued that she was just an employee at IMI (not a “control person”) without requisite knowledge of the misconduct and that she could not therefore be held individually liable under the FTC Act. The court found there to be no issues of material fact with regard to whether the scareware scheme was deceptive in violation of the FTC Act. And a bench trial was ordered to determine the extent of Ross’ control over, participation in, and knowledge of IMI’s deceptive practices.
At trial, Judge Bennett found that Ross had actual knowledge of the marketing scheme, was fully aware of many of the complaints from customers, and was in charge of remedying the problems. The court issued a permanent injunction (as authorized by the FTC Act) and held her individually liable for the total amount of consumer injury (calculated by the FTC $163,167,539.95), finding that to be the proper measure for consumer redress.
On appeal, Ross asked the court to apply the SEC standard for individual liability, which essentially requires a showing of specific intent/subjective knowledge. The Fourth Circuit declined, finding that such a standard would leave the FTC “with a futile gesture of obtaining an order directed to the lifeless entity of a corporation, while exempting from its operation the living individuals who were responsible for the illegal practices in the first place.” The appeals court also rejected Ross’ arguments that district courts do not have authority to award consumer redress, noting that “[a] ruling in favor of Ross would forsake almost thirty years of federal appellate decisions and create a circuit split,” an outcome that it refused to countenance.
The factual and procedural history of this case are pretty outlandish, and it is not clear why Ross opted to take the FTC to the mat (in absentia) on case with so much weighing against her. Had she settled with the others back in 2010, maybe she would have only been on the hook for the gross revenues she received from the alleged scam. Then, almost certainly the FTC would have followed its common practice of suspending all but the amount she was able to pay. But, alas, she did not.
A California court ruled earlier this month that Overstock must pay a roughly $6.8 million penalty to settle claims that the retailer “routinely and systematically” made false and misleading claims about the prices of its products on its website. If upheld, this ruling could have significant effects on how companies use price comparisons in advertisements in the future.
A group of California District Attorneys sued Overstock in 2010 for $15 million, alleging that Overstock was deceptive in the way it determined and displayed price comparisons on its website. Overstock used a comparative advertising method based on price, which is commonly referred to as “advertised references prices” or “ARPs” that showed the price of a certain product on Overstock compared to the price of the same product from a different retailer. The lawsuit alleged that the ARPs that Overstock used were false or misleading because Overstock employees chose the highest price that they could find as an ARP or constructed ARPs using arbitrary formulas. The lawsuit alleged that as a result of Overstock’s method of constructing its ARPs, its savings comparisons were inflated.
A California state judge’s tentative ruling earlier this month levied civil penalties against Overstock of just over $6.8 million. The court dismissed some of the claims in the lawsuit, but found that Overstock’s pricing comparison violated the state’s laws on unfair competition and false advertising.
The court also issued an injunction that prohibits Overstock from comparison price advertising unless it is done in conformity with a lengthy set of court mandated practices outlined in the opinion. Among those requirements, the court ordered that Overstock explain its pricing more clearly on its website, including a disclosure of how it computes the price comparisons. The ruling also prohibits Overstock from setting average retail prices based on anything other than the actual retail price offered in the marketplace.
Overstock has said that they plan to appeal the court’s ruling by arguing that the court’s decision is misreading California law and is holding the company to a higher standard than other e-commerce sites. If this ruling is upheld, this could have a significant ripple effect on retail advertising for both online and brick-and-mortar businesses. Almost every state has a law regarding deceptive pricing in advertisement, and the Federal Trade Commission also has jurisdiction to pursue claims against deceptive advertising in price comparisons. Companies need to be aware if they are using comparative price advertising that those advertisements, and the formulas for determining the prices on those advertisements, will be scrutinized by government agencies.
As the Federal Trade Commission (“FTC”) continues to flex its consumer protection muscles by bringing numerous administrative lawsuits, industry and members of Congress are questioning whether there is a level playing field that allows companies to properly defend themselves against FTC charges. Or, as some say, does the FTC have the “home court advantage” in its role as investigator and prosecutor, armed with very broad authority under Section 5 of the FTC Act –leaving many companies to decide simply to settle rather than face the Goliath FTC. However, some companies have been bucking that trend recently and challenging the FTC’s authority (particularly in the area of regulating data security and FTC officials’ impartiality.
As background, the FTC may begin an enforcement action if it has “reason” to believe that the FTC Act is being or has been violated. Section 5(a) of the FTC Act prohibits “unfair or deceptive acts or practices in or affecting commerce.” The FTC also enforces several other consumer protection statutes, including the Fair Credit Reporting Act, the Do-Not-Call Implementation Act of 2003, and the Children’s Online Privacy Protection Act.
Under Section 5(b) of the FTC Act, the FTC can challenge “unfair or deceptive acts or practices” or violations of certain other laws (such as those listed above) in an administrative adjudication. The way this works is the FTC issues a complaint putting forth its charges. Many companies faced with such complaints inevitably settle with the FTC, rather than endure an administrative trial. Those companies that contest the charges face a trial-type proceeding before an FTC administrative law judge. FTC staff counsel “prosecute” the complaint. The administrative law judge later issues an initial decision. Either party can appeal the initial decision to the full FTC for review.
Many observers, including the American Bar Association, have criticized this situation — where the FTC acts as both prosecutor and judge — as inherently unfair. After the FTC’s decision, the respondent organization (or individual)may appeal to a federal court of appeals. However, at this point, an extensive record has been made and this assumes an organization or individual has the resources to devote to a federal appeal. (In addition, the FTC can also bring consumer protection enforcement directly in court rather than through administrative litigation).
The FTC’s winning record in these administrative proceedings has many observers questioning the process and the FTC’s potential impartiality. House antitrust chairman Spencer Bachus (R-Ala.) called out the FTC’s apparent lack of impartiality and fairness, stating “ a company might wonder whether it is worth putting up a defense at all.”
Just a couple weeks ago, however, medical testing company LabMD went on the offense and sought the disqualification of an FTC Commissioner. Facing an administrative proceeding relating to its alleged failure to secure patient information data, LabMD moved to disqualify Commissioner Julie Brill from consideration of its case. LabMD claimed that the Commissioner made numerous statements at industry conferences prejudging its ongoing litigation. Specifically, LabMD claimed Brill stated LabMD that had violated the law, rather than indicating that LabMD was under investigation or in litigation. The FTC opposed the disqualification. However, Commissioner Brill voluntarily recused herself from the case on Christmas Eve to avoid “undue distraction” from the administrative litigation.
As the FTC litigates in several key areas – data privacy, financial services, credit repair, telemarketing – we expect administrative litigation will increase in 2014. While some companies will continue to settle to avoid continued litigation expenses and possible further detrimental outcomes, we think others will take the LabMD route and seek relief when they believe the processes are not transparent or the FTC is exceeding its authority.
New year, new resolutions. Yesterday, the FTC announced a resolution of its own: to undertake a nationwide enforcement effort to protect consumers against deceptive weight loss claims. Dubbed “Operation Failed Resolution,” the FTC’s latest enforcement effort seeks to protect consumers who face a barrage of “opportunistic marketers” promising quick ways to shed pounds. According to the FTC, these marketing tactics cause millions of dollars of consumer injuries and encourage people to postpone important changes to diet and exercise.
To announce this new initiative, the FTC held a press conference in which it identified four significant enforcement actions: (1) Sensa – a flavored powder that claims to cause weight loss when sprinkled on food; (2) L’Occitane Inc.– a skin cream that promised to shave inches off consumers’ bodies; (3) HCG Diet Direct – a product based on the human chorionic gonadotropin hormone; and (4) LeanSpa – a dietary supplement. Collectively, these four enforcement actions total $44 million in potential recovery for consumers.
All four enforcement actions shared one common thread – claims of quick and easy weight loss that were not supported by evidence. Many of the ads in question touted substantial weight loss without diet or exercise simply by using the product alone. Although some of these marketers cited clinical studies that supported their claims, the FTC said that the so-called “independent” studies were largely fabricated. The FTC also took issue with consumer endorsements, which failed to disclose that the consumers were paid for their testimonials or that the consumers were related to the owner. The FTC also scrutinized so-called physician endorsements. According to the FTC, marketers failed to disclose that their endorsers were compensated to the tune of $1,000-$5,000 and free trips.
Yesterday’s press conference is not the first time that the FTC has taken action against deceptive weight loss claims. In 2011, we reported on 10 lawsuits filed by the FTC against marketers behind the ubiquitous “1 Tip for a Tiny Belly” ads, which the FTC claimed were a scheme by marketers of diet and weight loss products to grab consumer credit card information and pile on additional, unapproved charges.
Although deceptive weight loss claims are not a new phenomenon, the FTC announced yesterday that it is taking a new approach to cracking down on these types of ads. The FTC is now encouraging media outlets that run these ads to conduct a “gut check” and turn down spots with bogus claims. Yesterday’s press conference was a call to action for both consumers and media outlets to help the FTC track down deceptive weight loss marketers, which can mean only one thing – more widespread enforcement efforts against marketers of dietary supplements. The FTC does not comment on non-public investigations and would not comment on whether these enforcement efforts would result in criminal enforcement from other agencies. One thing is for certain, however: If you make a claim about your weight loss product, you’d better be able to back it up.
ZeroAccess is one of the world’s largest botnets – a network of computers infected with malware to trigger online fraud. Recently, after having eluded investigators for months, ZeroAccess was disrupted by Microsoft and law enforcement agencies.
Earlier this month, armed with a court order and law enforcement help overseas, Microsoft took steps to cut off communication links to the European-based servers considered the mega-brain for an army of zombie computers known as ZeroAccess. Microsoft also took control of 49 domains associated with ZeroAccess. Although Microsoft does not know precisely who is behind ZeroAccess, Microsoft’s civil suit against the operators of ZeroAccess may foreshadow future enforcement efforts against operators alleged to have illegally accessed and overtaken people’s computers.
ZeroAccess, also known as max++ and Sirefef, is a Trojan horse computer malware that affects Microsoft Windows operating systems. It is used to download other malware on an infected machine and to form a botnet mostly involved in Bitcoin mining and click fraud, while remaining hidden on a system. Victims’ computers usually fall prey to ZeroAccess as the result of a drive-by download or from the installation of pirated software. Essentially, ZeroAccess hijacks web search results and redirects users to potentially dangerous sites to steal their details. It also generates fraudulent ad clicks on infected computers then claims payouts from duped advertisers.
The Microsoft lawsuit, originally filed under seal in Texas federal court, alleges, among other things, violations of the Computer Fraud and Abuse Act (“CFAA”) (18 U.S.C. §1030), the Electronic Communications Privacy Act (18 U.S.C. §2701), and various trademark violations under the Lanham Act (15 U.S.C. §1114 et seq.). Microsoft secured an injunction blocking all communications between computers in the U.S. and 18 specific IP addresses that had been identified as being associated with the botnet. The company also took control of 49 domains associated with ZeroAccess. Microsoft took action against ZeroAccess in collaboration with Europol’s European Cybercrime Centre, the FBI, and other industry partners. As Microsoft enacted the civil order obtained in its case, Europol coordinated law enforcement agency action in Germany, Latvia, Luxembourg, the Netherlands and Sweden to execute search warrants and seize servers associated with the fraudulent IP addresses operating within Europe.
The federal statutes on which Microsoft relied in its lawsuit may be broad enough to capture the gravamen of the complaint here. For example, the CFAA was enacted in 1986 to protect computers that there was a compelling federal interest to protect, such as those owned by the federal government and certain financial institutions. The CFAA has been amended numerous times since it was enacted to cover a broader range of computer related activities and there has been recent discussion on Capitol Hill of amending it further. The CFAA now prohibits accessing any computer without proper authorization or if it is used in a manner that exceeds the scope of authorized access. The law has faced steep criticism for being overly broad and allowing plaintiffs and prosecutors unfettered discretion by allowing claims based merely on violations of a website’s terms of service. In those cases in which ZeroAccess has accessed a user’s computer entirely without permission, there will likely be no dispute about whether the CFAA applies; however, in any follow-on cases in which the authority to access the computer was less clear, Microsoft may have more difficulty in relying upon this statute.
According to Microsoft, more than 800,000 ZeroAccess-infected computers were active on the internet on any given day as of October of this year. Although the latest action is expected to significantly disrupt ZeroAccess’ operation, Microsoft has not yet been able to identify the individuals behind the botnet, which is still very much intact. Microsoft’s attack is noteworthy in that it represents a rare instance of significant damage being done to a botnet that is controlled via a peer-to-peer system. But ZeroAccess has come back to life once before after an attack on it, and it would not be surprising if it recovered from this attack as well. Unless Microsoft or Europol can identify the “John Does 1-8”referenced in the complaint, this and other botnets will keep on operating without fear of reprisal.
The big question at this point is whether Microsoft’s actions will have an enduring impact beyond ZeroAccess. Will Microsoft’s actions spur other private companies to take steps of their own to stop malicious software? That answer remains to be seen.