FTC Beat
Archive for the ‘Internet Law’ Category
Dec 28
2015

Amazon Pursued Fake Reviews In 2015, What Will It Pursue In 2016?

In 2015, Amazon filed suit against over 1,000 unnamed individuals for allegedly offering to sell fake online reviews (positive or negative) on Fiverr.com (“Fiverr”). The unnamed defendants offer to provide 5-star reviews and some defendants even encourage sellers to provide their own text to use in the review. In order to avoid detection, defendants offer to submit reviews from multiple IP addresses, to utilize multiple Amazon accounts, and to complete a Verified Review (which means the reviewer has purchased the product, even though they don’t always require the actual product to be shipped for review). In short, the allegations are that these reviews for sale violate Amazon’s Customer Review Guidelines (which prohibit paid reviews) and Fiverr’s own Terms of Service (which require compliance with third party guidelines), and deceptively provide false reviews to consumers (which violates consumer protection laws).

Interestingly, Amazon did not name Fiverr as a party to the complaint. Instead, Amazon went after the individual sellers and indeed explicitly stated in the complaint that “Amazon will amend this complaint to allege their true names and capacities when ascertained.”

In contrast to Amazon’s approach, the Metallica plaintiffs, in a previously filed case against Napster, sued Napster directly and not the individual users (and eventually obtained their desired result). Indeed, Amazon has not always omitted operators from its case captions. Last April, Amazon filed a similar lawsuit against a number of companies that operated websites to promote the sale of Amazon reviews. That lawsuit contained very similar allegations to this recent suit against individuals and alleged selling positive reviews, offering a Verified Review, a slow posting of reviews to avoid detection by Amazon, etc. As in the Napster case, the first Amazon lawsuit also yielded a successful result because the websites targeted in that case were all closed down.

So why is Amazon now going after the individual sellers? And why did Amazon omit Fiverr in this lawsuit?

One possible explanation is that Amazon, like Napster, first attempted to take down the providers (i.e. the website owners) that enabled the fraudulent review process. While that was successful, Amazon likely realized that it was insufficient because the individual reviewers would easily migrate to sites like Fiverr to continue their activities. So, Amazon was forced to file suit against the individual users.

At the same time, Amazon did not include Fiverr as a named defendant because it is more likely to get Fiverr’s cooperation in providing the identities of the unnamed defendants, and because Fiverr is a legitimate global online marketplace offering tasks and services, in sharp contrast to the defendants in the prior Amazon lawsuit that operated sites and companies for the sole purpose of providing fraudulent Amazon reviews (and further antagonized Amazon by utilizing the Amazon logo on their sites). Additionally, as noted in the current Amazon complaint, Fiverr itself prohibits paid reviews and has tried to prevent them, again in sharp contrast to the companies in the first Amazon lawsuit, whose entire business was selling Amazon reviews.

Or it may be that Amazon has embarked on a process to stop paid reviews and these are the first steps in that ongoing process. As noted in this complaint against the Fiverr sellers, the lawsuit is “the next step in a long-term effort to ensure these providers of fraudulent reviews do not offer their illicit services through other channels.” Thus, Amazon may have simply first pursued the enablers (i.e. the company websites dedicated to fraudulent reviews) and then it pursued the individual reviewers on Fiverr.

The extent to which Amazon will continue to pursue questionable reviews remains to be seen. In 2015, Amazon limited its lawsuits regarding fraudulent reviewers to paid reviewers. In 2016, we may see an assault on the groups of independent people who exchange positive reviews on Amazon (i.e. each party agrees to submit a positive review of the other’s product). This type of arrangement also violates Amazon terms and poses similar concerns to the reliance of consumers on Amazon reviews. Amazon may also question whether this prohibited practice merits attention.

Dec 23
2015

Will The Floodgates Open As Consumer Backlash To Spam Unleashes?

Every e-mail user receives them, some days in numbers hitting the triple digit mark – those targeted, often annoying and unsolicited e-mails that clog our inboxes, originating from any of a multitude of establishments, including retailers, service establishments, and even our own social media. Regulation over unwanted e-mails has been limited mostly to the federal CAN-SPAM Act of 2003, which doesn’t prohibit the deluge of e-mails, but rather protects against misleading and deceptive ones and requires the sender to comply with certain requirements, including offering a clear opt-out. A private consumer has limited recourse to enforce the Act, however, and must rely on the FTC, as well as other government entities and Internet service providers, to bring suit to stop the unwanted e-mails. It seems that consumers in recent years are ever more fed up and frustrated with “spam” messages and desire change. However, as evidenced by a recent class action lawsuit by certain LinkedIn members against the social media giant, consumers may utilize other legal maneuvers to get relief from new marketing tactics employing spam.

LinkedIn is often referred to as the “Facebook of the Professional World.” With over 300 million users, LinkedIn has become the world’s largest professional network since it launched in 2003. One feature of the network allows a member to import his or her e-mail contacts list and send invitations to connect with others on LinkedIn. A user is prompted by LinkedIn to click an “Add Connections” link, which then allows LinkedIn to import the list from external e-mail accounts. LinkedIn uses this feature to grow its number of members.

According to the class action lawsuit filed against LinkedIn, if a connection invitation was not accepted within a certain period of time, up to two “reminder” spam e-mail messages would be sent to the prospects, without the LinkedIn member’s consent to do so. In Perkins v. LinkedIn Corp., the federal district court in the Northern District of California determined that the motion to dismiss filed by LinkedIn would be granted in part and denied in part, thereby allowing the suit to move forward. In its partial denial of the motion to dismiss, the court reasoned that although the members consented to importing their contacts and sending the invitation to connect, they did not consent to sending the reminder messages on their behalf. In her Order, Judge Lucy Koh explains,

“Nothing in LinkedIn’s disclosures alerts users to the possibility that their contacts will receive not just one invitation, but three. In fact, by stating a mere three screens before the disclosure regarding the first invitation that ‘We will not . . . email anyone without your permission,’ LinkedIn may have actively led users astray.”

(Order Granting in Part and Denying in Part Defendant’s Motion to Dismiss with Leave to Amend *30).  The plaintiffs also contended that LinkedIn members did not consent to the use of their names and likenesses in the reminder e-mails and were embarrassed and felt that the unwanted e-mails sent to personal contacts affected their professional reputations.

Following the court’s Order, the parties agreed to settle the suit.  The settlement requires the social media giant to pay at least $13 million, as well as  $2.25 million in legal fees, to LinkedIn members who had accounts between Sept. 17, 2011 and Oct. 31, 2014 and sent e-mails through the Add Connections feature. Although LinkedIn did not admit any wrongdoing in the settlement, it agreed to revise its disclosures and clarify that the reminder e-mails would be sent as part of the “Add Connections” service. LinkedIn also indicated its intent to provide an option to cancel the connection invitation, and thereby the reminders, by the end of the calendar year.

Interestingly, with perhaps the fear of a lawsuit on the horizon, Mark Zuckerberg preemptively announced at a recent town hall meeting held in Delhi, India, that Facebook will be reducing the number of invitations it sends to outside contacts of players of the game Candy Crush Saga. Facebook often sends the invitations to contacts who have never used a game and never played games on Facebook, suggesting that they join their friends in a Candy Crush Saga game.  Zuckerberg noted that reducing the number of invitations received was the most upvoted question in an online thread, and he has promised to reduce the number of these unwanted requests.  After the recent LinkedIn settlement, we advise Mr. Zuckerberg to take action swiftly or we may see other unhappy consumers following suit. . . .  with their own suit!

These developments should offer welcome relief for consumers and our busy delete buttons. However, this may be the tip of the iceberg with regard to the use of the courts and unwanted e-mails. Is the broad CAN-SPAM Act sufficient to deter spammers? Does the CAN-SPAM Act do enough to filter out unwanted e-mails? New scenarios have arisen since the enactment of the Act in 2003 and consumers seem to desire more regulation to deter the deluge of e-mails. If swift action isn’t taken by Congress and other regulators, it seems that consumers may take to the courts to set precedent in this ever-changing arena.

Nov 03
2015

Highlights And Takeaways from the October 30th FTC Lead Generation Workshop

Exploiting consumers and exploiting consumer data were popular themes in the FTC’s October 30th workshop on lead generation, “Follow the Lead.” The day-long workshop explored the mechanics of lead generation and its role in the online marketplace. With a focus on the lending and education spaces, panelists discussed the many layers of marketing involved in lead generation—and importantly—how those many layers can add confusion to how consumer data gets collected, sold, used … and misused.

Panelists of the five workshop sessions hailed from industry, government, advocacy groups, and research institutions. They offered insights into both the vulnerabilities and opportunities flowing from the extensive “behind the scenes” market of lead generation. But unsurprisingly, the benefits of lead generation were overshadowed largely by attendant concerns: why is so much consumer data collected, what is done with it, and are consumers aware of how their personal information is being traded and used?

The workshop included two “case study” panels on lending and education. For the panel on lead generation in lending, Tim Madsen of PartnerWeekly provided an overview of how the “ping tree” model works. Connecting prospective borrowers with lenders through a reverse auction of borrower leads, the “ping tree” model may be an efficient way of matching borrowers and lenders. However, Pam Dixon, Executive Director of World Privacy Forum, highlighted her concerns that lenders are receiving consumer data that would otherwise be protected under the Equal Credit Opportunity Act and therefore that the online process is circumventing important consumer protection laws. For instance, the online lending process may require certain personal information from borrowers in order to filter fraudulent requests. But that personal information (e.g., gender or marital status) otherwise could not be part of the loan application process. Dixon felt the disclosure of protected information was one that needed to be addressed from both a technical and a policy standpoint. And it is an issue she raised on subsequent panels during the conference, indicating a possible pressure point for future regulatory action.

The panel on lead generation in education was highly charged, due to the controversial nature of marketing higher education and due to the negative attention on for-profit education. Despite many people’s assumption that online marketing in education is largely a tool of the for-profit education industry, Amy Sheridan, CEO of Blue Phoenix Media, provided some surprising statistics: state and private institutions represent roughly forty percent of her business in the education vertical. Even renowned schools like Harvard and Yale are employing lead generation to gain students in their programs.

But given the extensive access to federal funds through higher education, consumer advocates highlighted concerns over students being preyed upon by unscrupulous educators. Jeff Appel, Deputy Undersecretary of Education at the Department of Education, attributed the problem in part to the lack of underwriting in federal student loans. [Query: Wouldn’t it make sense to add underwriting to the federal student loan process? Statistically, private student loan repayment fares much better thanks to this preliminary screening.]

In support of responsible advertising for educational programs, Jonathan Gillman, CEO of Omniangle Technologies, identified the need for clear guidance on appropriate marketing tactics, which may better address problems than resorting to law enforcement. He pointed out the adverse consequences of clamping down on educators’ online advertising: educators are now afraid to advertise online and that space is being filled by affiliates who are more apt to cross the line into deceptive advertising.

Appel provided some general guidance for schools working with lead generators. Schools should (1) monitor how lead generators are representing programs and ensure their ads are not deceptive, (2) make sure payment for advertising does not implicate regulations against incentive-based compensation, and (3) be aware that the actions of lead generators may come under the Education Department’s purview if they are providing additional assistance (e.g., processing student applications).

Both Appel and consumer advocates seemed to agree, though, that laws and regulations already in place were sufficient to address consumer protection concerns in the education marketing space. It is only a matter of having the resources to enforce those laws and regulations. Appel also suggested that state regulators could curb issues by better screening schools.

Throughout the day and across the panels, FTC representatives turned to the concept of “remnant information,” i.e. consumer information that is no longer being used. FTC attorney Katherine Worthman asked panelists various questions about what ultimately happens to this information. R. Michael Waller, another FTC attorney and panelist, noted his concern that companies have an economic interest in maintaining and possibly selling remnant information, and that such information is increasingly vulnerable to fraudsters. These FTC attorneys thus pressed about policies on consumer data retention. Aaron Rieke of Upturn supported the FTC concerns and noted that nothing in the company privacy policies (that he’s reviewed) prevents the sale of consumer data: “privacy policies are shockingly permissive when you look at how much information is being provided.”

Another popular issue was whether and to what extent disclosures to consumers are sufficient: are consumers aware of how their information is being traded? The general consensus among panelists was that consumers remained ignorant of the sale and use of the personal information they provide online.

Upshot from the workshop: Lead generators, and the companies using them, should be aware of the growing interest by federal regulators in (1) how consumer data is being collected, retained, and sold and (2) the extent to which people up and down the online marketing supply chain are vetting the buyers and sellers of consumer data. Other takeaways from the conference: Companies should ensure their data collection and retention policies comply with applicable state and federal law. Finally, it is important for companies to ensure their practices comply with both their policies and their disclosures.

 

May 20
2015

Yelp Fights for the Right to Complain Anonymously

In e-commerce, user reviews can make or break a business.  Review sites such as Yelp are a double edged sword for merchants and service providers: on one hand satisfied customers can generate buzz about the company and bring in new customers, and on the other hand dissatisfied customers can use it as a very public platform to air their grievances and discourage new business.

Review sites such as Yelp maintain policies protecting users’ anonymity, a major source of frustration among business owners.  By remaining anonymous, users can make potentially defamatory statements and leave the businesses with little recourse to hold the individuals accountable. A recent ruling by the Virginia Supreme Court has demonstrated the long and tortured road that businesses must take to challenge the anonymity of these unnamed users.

In 2012 a small Virginia company, Hadeed Carpet Cleaning Inc., brought suit against unnamed Doe defendants for allegedly defamatory statements published about Hadeed on the Yelp review website. According to Hadeed, a number of negative reviews did not match up to records of the company’s existing customers, and therefore the company suspected that the false statements were published by individuals who had never used the company’s services.  The Circuit Court for the City of Alexandria, Virginia, issued a subpoena to Yelp requiring it to provide identifying information about the anonymous users.  Yelp refused to comply, and the Circuit Court held Yelp in contempt.

Yelp appealed, arguing that the court’s order violated the First Amendment by forcing the company to identify the anonymous users. In January 2014 the Court of Appeals upheld the Circuit Court’s order, applying a six-prong procedure under Virginia’s “unmasking statute,” which provides that the court may issue a subpoena to unveil the identity of an individual speaking anonymously over the internet where (1) notice of the subpoena was served on the anonymous speaker through his internet service provider, (2) the plaintiff has a legitimate, good faith basis to contend that communications may be tortious or illegal, (3) other efforts to identify the speaker have been fruitless, (4) the identity of the communicator is important, (5) there is no pending motion challenging the viability of the lawsuit, and (6) the entity to whom the subpoena is addressed is likely to have responsive information.

The Court of Appeals noted that Hadeed had followed the proper procedure in requesting the subpoena. The court found that the company’s evidence that the reviews did not match customer records was sufficient to establish they were not published by actual customers of the company, and were therefore likely to be false.

Yelp appealed the Circuit Court decision to Virginia’s Supreme Court.  Last month, the Virginia Supreme Court issued an anticlimactic ruling dismissing the case on jurisdictional grounds, stating that the case should have been brought in California where Yelp is headquartered and where the responsive records are located.

If Hadeed chooses to resume the case in California, it will face a somewhat higher burden in obtaining the names of the users. Notably, Virginia is the only state in the country to have enacted an unmasking statute. In most states, the courts will not issue a subpoena until the plaintiff has established a prima facie case for defamation—significantly more than the “legitimate, good faith basis” used in Virginia.

Nov 07
2014

Report from an Energized Brand Activation Association Marketing Law Conference

Ifrah Law is a proud member of the Brand Activation Association (“BAA”). This week, we attended the BAA’s 36th annual BAA Marketing Law Conference in Chicago. Just as “Mad Men” reflects the 1960’s era advertising business, this year’s BAA conference demonstrated this generation’s marketing dynamic – where mobile is key, privacy concerns abound, and the Federal Trade Commission (“FTC”) and other agencies are watching and enforcing. Other key “take aways” from the conference are that sweepstakes, contests, and other promotions remain hugely popular via mobile devices and social networks.

Digital Rules

Advertisers representing top brand names made clear that companies must reach consumers through various digital devices. Smartphones, tablets, and wearable technologies each represent ways to advertise a product or service. Today’s consumers, especially younger consumers, rely extensively on mobile devices. Many actually welcome behavioral and other advertising. Consumers in the U.S. and abroad have shown receptiveness to “flash sales,” instant coupons and other deals, including those geared to their geo-location.

Emerging Privacy and Consumer Protection Trends

While advertisers interact with consumers and many consumers welcome offers and information, regulators’ and individuals’ concerns with the privacy of personal information dominate the landscape. Almost a year after the notorious Target data breach, and with the holiday shopping season approaching, all stakeholders are understandably cautious about how to utilize various methods of marketing while securing consumer information. Even assuming a network is secure, the FTC, state attorneys general, foreign regulators, consumer advocacy groups and consumers want to know how personal data is being collected, utilized and shared. In the consumer protection context, the FTC actively enforces the Federal Trade Commission Act’s prohibition on “deceptive acts and practices,” requiring that advertisers have substantiation for product claims.

Two Significant Forces – the FTC and California’s Attorney General

Top representatives from the FTC and the California Attorney General presented at the conference. Both representatives asserted their agencies remain active in enforcing their consumer protection and privacy laws, especially as to certain areas. Jessica Rich, Director, Bureau of Consumer Protection at the FTC, discussed the agency’s focus on advertising substantiation, particularly as to claims involving disease prevention and cure, weight loss, and learning enrichment (such as the “Your Baby Can Read” case).

On the privacy side, Ms. Rich also noted the FTC’s specialized role in enforcing the Children’s Online Privacy Protection Act (“COPPA”).  The FTC’s recent action against Yelp demonstrates that the FTC will not hesitate to enforce COPPA even where a website is not a child-focused website, per se. If a website or online service (such as a mobile app) collects personal information from children under 13, it must comply with COPPA’s notice and consent requirements. The agency is also exploring the privacy and consumer protection concerns associated with interconnected devices, known as “the Internet of Things.”

The representative from the California Attorney General’s office noted that California has a keen interest in mobile apps, as demonstrated by its action against Delta for allegedly failing to have a privacy policy available through its mobile app. California is also gearing up for its “Eraser Law,” set to go into effect on January 1, 2015. This law provides an opportunity for young people under 18 to “erase” embarrassing or damaging content they posted online, including on social media.

Promotions – Sweepstakes, Contests, Games

While some may think sweepstakes and contests are outdated, the opposite is true. Companies are utilizing mobile and social networks to engage with consumers through promotions.  Facebook and Pinterest-based sweepstakes and contests continue to grow in popularity. Advertisers also increasingly look to “text-based” offerings.

These promotions can generate great marketing visibility and grow consumer relationships. However, advertisers need to be aware of many legal minefields.  First and foremost is the federal Telephone Consumer Protection Act (“TCPA”), which requires prior express “written” consent for advertisements sent to mobile phones via text or calls utilizing an autodialer or prerecorded message.  Plaintiffs’ lawyers continue to file hundreds of TCPA class actions based on texts without consent.  Second, the social networks have their own policies. For instance, Facebook now bars advertisers from requiring consumers to “like” a company Facebook page in order to participate in a promotion.

Take Aways

BAA conference sessions were packed – many standing room only.  The popularity of programs about comparative advertising, native advertising, sweepstakes and contests, and enforcement trends demonstrates that advertisers are finding innovative ways to reach consumers across devices. These marketing initiatives face a host of federal, state, and international laws and regulations, as well as restrictions imposed by social networks and providers.  It’s an exciting and complex juncture in global marketing.

Sep 19
2014

Broken Promises: A Glimpse at the Dark Side of Crowdfunding

The fact is that social media has connected us to each other in ways which seemed unimaginable only a few decades ago.  Take for example the progression of social activism through online fundraising.  Over the course of two short months the ALS Ice Bucket Challenge (“IBC”) went viral with millions of videos being posted by people drenching themselves in ice water in order to spread awareness and raise money for the research and treatment of ALS.  To date, the total amount of donations made to the ALS Association through the IBC is an unprecedented $114 million.  The Association’s FAQs webpage regarding the IBC indicates that this amount is almost five times its annual overall budget.

The ALS Ice Bucket Challenge is also a good example of the online phenomenon of crowdfunding, where numerous individuals and groups pitch in to fund a project, cause or idea.  Simply put, crowdfunding is fundraising through social media.  There are several popular crowdfunding websites, however one of the most well-known sites is Kickstarter.com, which was launched in 2009, and boasts the facilitation of $1 billion in contributions by seven million backers who have so far funded 69,000 “creative projects” through the site.  However, as is common when dealing with new technology, there are often unanticipated legal aspects of such innovation which can be problematic.

Earlier this year, the first crowdfunding consumer protection lawsuit was filed in the state of Washington (State of Washington v. Altius Management, LLC; Edward J. Polchlopek III (No. 14-2-12425-SEA)).  In late 2012, defendant Ed Nash, as he is known, and his company Altius Management, were successfully funded through a Kickstarter campaign to produce a limited-edition playing card game called Asylum.  According to the campaign page, backers exceeded Nash’s goal of raising $15,000, giving more than $25,000 in total for the promise of the card game to be made.  In addition, many of those who funded Nash’s campaign expected certain perks for contributing, referred to by Kickstarter as “rewards,” as was detailed in his campaign’s backer pledge amounts, which included multiple card decks and custom artwork according to varying contribution levels.  However, two years later the card game has not been produced, backers have received no rewards or refunds and there has been no communication from Nash regarding the status of the Asylum project since July 2013.

Each project “creator” who signs up their campaign on Kickstarter is required to agree to the site’s Terms of Use, which includes language stating that the creator must fulfill all rewards promised to backers or issue refunds. If the creator fails to deliver on both of these fronts, Kickstarter advises them that they may be open to litigation by backers. Now, the Washington State Attorney General’s Office wants Nash to pay for breaking his promise to these backers under the state’s Consumer Protection Act (“CPA”) [RCW Chapter 19.86]. The filed lawsuit seeks up to $2,000 per violation of the CPA in civil penalties for restitution to the backers, and also includes all state costs and attorneys’ fees.

With this being the first case of its kind, there is no precedent to see exactly how these proceedings will develop or how this case will affect Kickstarter and other crowdfunding websites.  We suspect it will proceed like many of the other cases we write about in the internet space.  One thing is certain, whether they are made online or in person, people don’t like broken promises.

Jan 08
2014

New Year Brings New Plans by the FTC to Take Down Deceptive Weight Loss Advertisers

New year, new resolutions.  Yesterday, the FTC announced a resolution of its own: to undertake a nationwide enforcement effort to protect consumers against deceptive weight loss claims.  Dubbed “Operation Failed Resolution,” the FTC’s latest enforcement effort seeks to protect consumers who face a barrage of “opportunistic marketers” promising quick ways to shed pounds. According to the FTC, these marketing tactics cause millions of dollars of consumer injuries and encourage people to postpone important changes to diet and exercise.

To announce this new initiative, the FTC held a press conference in which it identified four significant enforcement actions: (1) Sensa – a flavored powder that claims to cause weight loss when sprinkled on food; (2) L’Occitane Inc.– a skin cream that promised to shave inches off consumers’ bodies; (3) HCG Diet Direct – a product based on the human chorionic gonadotropin hormone; and (4) LeanSpa – a dietary supplement. Collectively, these four enforcement actions total $44 million in potential recovery for consumers.

All four enforcement actions shared one common thread – claims of quick and easy weight loss that were not supported by evidence.  Many of the ads in question touted substantial weight loss without diet or exercise simply by using the product alone.  Although some of these marketers cited clinical studies that supported their claims, the FTC said that the so-called “independent” studies were largely fabricated. The FTC also took issue with consumer endorsements, which failed to disclose that the consumers were paid for their testimonials or that the consumers were related to the owner.  The FTC also scrutinized so-called physician endorsements.  According to the FTC, marketers failed to disclose that their endorsers were compensated to the tune of $1,000-$5,000 and free trips.

Yesterday’s press conference is not the first time that the FTC has taken action against deceptive weight loss claims.  In 2011, we reported on 10 lawsuits filed by the FTC against marketers behind the ubiquitous “1 Tip for a Tiny Belly” ads, which the FTC claimed were a scheme by marketers of diet and weight loss products to grab consumer credit card information and pile on additional, unapproved charges.

Although deceptive weight loss claims are not a new phenomenon, the FTC announced yesterday that it is taking a new approach to cracking down on these types of ads. The FTC is now encouraging media outlets that run these ads to conduct a “gut check” and turn down spots with bogus claims. Yesterday’s press conference was a call to action for both consumers and media outlets to help the FTC track down deceptive weight loss marketers, which can mean only one thing – more widespread enforcement efforts against marketers of dietary supplements. The FTC does not comment on non-public investigations and would not comment on whether these enforcement efforts would result in criminal enforcement from other agencies. One thing is for certain, however: If you make a claim about your weight loss product, you’d better be able to back it up.

Dec 19
2013

Botnet ZeroAccess Hit With Complaint by Microsoft, but Will This Slow the Malware Industry Down?

ZeroAccess is one of the world’s largest botnets – a network of computers infected with malware to trigger online fraud.  Recently, after having eluded investigators for months, ZeroAccess was disrupted by Microsoft and law enforcement agencies.

Earlier this month, armed with a court order and law enforcement help overseas, Microsoft took steps to cut off communication links to the European-based servers considered the mega-brain for an army of zombie computers known as ZeroAccess. Microsoft also took control of 49 domains associated with ZeroAccess.  Although Microsoft does not know precisely who is behind ZeroAccess, Microsoft’s civil suit against the operators of ZeroAccess may foreshadow future enforcement efforts against operators alleged to have illegally accessed and overtaken people’s computers.

ZeroAccess, also known as max++ and Sirefef, is Trojan horse malware that affects Microsoft Windows operating systems.  It is used to download other malware onto an infected machine and to form a botnet mostly involved in Bitcoin mining and click fraud, while remaining hidden on a system.  Victims’ computers usually fall prey to ZeroAccess as the result of a drive-by download or from the installation of pirated software.  Essentially, ZeroAccess hijacks web search results and redirects users to potentially dangerous sites to steal their details.  It also generates fraudulent ad clicks on infected computers, then claims payouts from duped advertisers.

The Microsoft lawsuit, originally filed under seal in Texas federal court, alleges, among other things,  violations of the Computer Fraud and Abuse Act  (“CFAA”) (18 U.S.C. §1030), the Electronic Communications Privacy Act (18 U.S.C. §2701), and various trademark violations under the Lanham Act (15 U.S.C. §1114 et seq.).  Microsoft secured an injunction blocking all communications between computers in the U.S. and 18 specific IP addresses that had been identified as being associated with the botnet.  The company also took control of 49 domains associated with ZeroAccess.  Microsoft took action against ZeroAccess in collaboration with Europol’s European Cybercrime Centre, the FBI, and other industry partners.  As Microsoft enacted the civil order obtained in its case, Europol coordinated law enforcement agency action in Germany, Latvia, Luxembourg, the Netherlands and Sweden to execute search warrants and seize servers associated with the fraudulent IP addresses operating within Europe.

The federal statutes on which Microsoft relied in its lawsuit may be broad enough to capture the gravamen of the complaint here.  For example, the CFAA was enacted in 1986 to protect computers that there was a compelling federal interest to protect, such as those owned by the federal government and certain financial institutions. The CFAA has been amended numerous times since it was enacted to cover a broader range of computer related activities and there has been recent discussion on Capitol Hill of amending it further. The CFAA now prohibits accessing any computer without proper authorization or if it is used in a manner that exceeds the scope of authorized access. The law has faced steep criticism for being overly broad and allowing plaintiffs and prosecutors unfettered discretion by allowing claims based merely on violations of a website’s terms of service.  In those cases in which ZeroAccess has accessed a user’s computer entirely without permission, there will likely be no dispute about whether the CFAA applies; however, in any follow-on cases in which the authority to access the computer was less clear, Microsoft may have more difficulty in relying upon this statute.

According to Microsoft, more than 800,000 ZeroAccess-infected computers were active on the internet on any given day as of October of this year.  Although the latest action is expected to significantly disrupt ZeroAccess’ operation, Microsoft has not yet been able to identify the individuals behind the botnet, which is still very much intact. Microsoft’s attack is noteworthy in that it represents a rare instance of significant damage being done to a botnet that is controlled via a peer-to-peer system.  But ZeroAccess has come back to life once before after an attack on it, and it would not be surprising if it recovered from this attack as well.  Unless Microsoft or Europol can identify the “John Does 1-8” referenced in the complaint, this and other botnets will keep on operating without fear of reprisal.

The big question at this point is whether Microsoft’s actions will have an enduring impact beyond ZeroAccess.  Will Microsoft’s actions spur other private companies to take steps of their own to stop malicious software?  That answer remains to be seen.

Dec 16
2013

Parameters of CDA Immunity Being Tested by Appeals Court in Jones v. Dirty World Entertainment

The U.S. Court of Appeals for the Sixth Circuit is currently hearing an appeal of a district court decision that, if upheld, would have enormous ramifications for freedom of speech and the online service provider safe harbor under the Communications Decency Act (CDA).

TheDirty.com is a website run by Nik Lamas-Richie. The site allows users to submit gossip about anyone or anything, and it currently features hundreds of thousands of comments on a wide range of topics. Users can also freely post comments on stories that are published on the website. Lamas-Richie selects some of the user submissions, sometimes adds a little commentary of his own, and posts them to the site. Sarah Jones, a former Cincinnati Bengals cheerleader, was featured twice on TheDirty.com, in posts that included allegations that she was promiscuous and that she had a sexually-transmitted disease.

Jones then sued TheDirty.com and Lamas-Richie alleging defamation, libel and invasion of privacy. The first trial resulted in a hung jury, but in the second trial in July a jury of eight women and two men in a Kentucky federal court awarded Jones $338,000 in damages.

Typically, cases involving claims like Jones’ against websites are quickly dismissed under the CDA, which provides websites immunity from third party content. TheDirty.com filed a pre-trial motion to dismiss the case on the basis that the suit was barred by the CDA. The district court rejected the motion, holding that the CDA did not offer protection because “the very name of the site, the manner in which it is managed, and the personal comments of defendant Richie, the defendants have specifically encouraged development of what is offensive about the content of the site.” The court reasoned that since the site served to encourage the comments, it was not entitled to immunity under the CDA. The CDA typically immunizes providers of interactive computer services against liability arising from content created by third parties if the provider is not also responsible in whole or in part for the creation or development of the offending content.

In August, after the jury verdict, the judge wrote a supplemental opinion reiterating the views expressed in the earlier opinion. In particular, Judge William Bertelsman said that Richie “played a significant role in developing the offensive content such that he has no immunity under the CDA.”

Richie appealed the decision to the Sixth Circuit, arguing that the case should have been dismissed because the CDA immunizes liability for users’ comments. Congress enacted the CDA to encourage website owners to actively screen, review, and moderate third party posts and to allow website operators to have the ability to remove offensive content when necessary without fear of liability. Richie argued that under the CDA website operators are free to edit, alter, or modify user-created content without losing immunity, as long as their edits do not materially alter the content’s original meaning.

Four separate amicus briefs were filed with signatories that included many of the biggest names on the Internet including Facebook, Google, Amazon, Microsoft, Yahoo, Twitter and eBay. The briefs argue that the district court ruling wrongly interpreted the CDA and that the consequences of upholding the district court’s decision would be enormous. The amicus brief submitted on behalf of Google, Facebook and others states that aspects of the district court decision “significantly depart from the settled interpretation of [the CDA] and, if adopted by this Court, would not only contravene Congress’s policies as declared in the statute, but also introduce substantial uncertainty regarding a law that has been a pillar for the growth and success of America’s Internet industry.”

This case will be closely watched because of the far reaching consequences it would have if the district court ruling imposing liability on the website is upheld. A ruling from the Sixth Circuit that affirmed the district court’s ruling could chill the operation of online businesses that are open for users to create content. There is a long line of cases that have held that conduct similar to TheDirty.com’s in this case is protected by the CDA, but a decision from the Sixth Circuit finding TheDirty.com liable would uproot the well-established jurisprudence under the CDA.

Nov 07
2013

New Job? Think Twice Before Announcing it via Social Media

A lawsuit filed in Massachusetts state court recently raised the issue of whether a former employee’s LinkedIn post announcing a new job could violate an anti-solicitation clause of a non-compete contract with the former employer.

In KNF&T Inc. v. Muller, staffing company KNF&T filed suit against its former vice president, Charlotte Muller, for violating a non-compete contract in a number of ways, one of which was a LinkedIn update which notified Ms. Muller’s 500+ contacts of her new job.  Among those contacts were Ms. Muller’s former clients at KNF&T.  KNF&T filed suit alleging that the update notification violated her one year non-compete contract by soliciting business from current KNF&T clients.

The court issued a narrow ruling stating that the posting did not violate the non-compete agreement because Ms. Muller’s new position in information technology recruiting did not directly compete with KNF&T’s work in recruiting administrative support specialists.

Since the court was able to resolve the case based on a differentiation in practice areas, it did not have to resolve the issue of whether a LinkedIn notification could violate the terms of a non-competition agreement.  Such a determination will always depend on the particular facts of the case, such as whether the new position directly competes with the former employer, whether the individual is connected with former clients on LinkedIn, and the content of the notification.

Employees subject to a non-competition agreement should exercise caution when using social media to announce a new position.  If they do make an announcement, they should consult the terms of their non-compete agreement to determine what could constitute a violation.  For instance, if the non-compete only prohibits solicitation of the former employer’s current clients, the employee should be sure to exclude any such clients from the notification by selecting which groups receive the message.  The time spent paring down the list of recipients is well worth avoiding a potential lawsuit.


About Ifrah Law

Crime in the Suites is authored by the Ifrah Law Firm, a Washington DC-based law firm specializing in the defense of government investigations and litigation. Our client base spans many regulated industries, particularly e-business, e-commerce, government contracts, gaming and healthcare.

Ifrah Law focuses on federal criminal defense, government contract defense and procurement, healthcare, and financial services litigation and fraud defense. Further, the firm's E-Commerce attorneys and internet marketing attorneys are leaders in internet advertising, data privacy, online fraud and abuse law, and iGaming law.

The commentary and cases included in this blog are contributed by founding partner Jeff Ifrah, partner Michelle Cohen, and associates Rachel Hirsch, Jeff Hamlin, Steven Eichorn, David Yellin, and Nicole Kardell. These posts are edited by Jeff Ifrah. We look forward to hearing your thoughts and comments!
