Big Brother isn’t just watching. A single mother in upstate New York was surprised to find that she had a Facebook page in her name, complete with photos of her, her son, and her niece. She hadn’t actually set up the page. It turned out that she was being investigated as a bit player in a federal drug investigation and that the Drug Enforcement Administration had created the page in her name, without her permission. The page, which has since been taken down, used the woman’s real name as well as photos from her cell phone, which had been seized by the DEA. The DEA even went so far as to send and accept friend requests for the woman. The woman was sentenced to probation and has sued the DEA agent who put up the page. Facebook says impersonating someone to set up a page is a clear violation of its terms of service.

Transparency vs. security. Twitter and other technology and communications companies frequently receive requests from the U.S. government for user data that the government asserts it needs for national security purposes. In the interest of transparency, these companies wish to disclose how many such requests they have received, if any, in a given span of time. The government wants to restrict the dissemination of this information and, earlier this year, it reached a settlement on the issue with Google, Microsoft, LinkedIn, Facebook, and Yahoo. Twitter did not reach any such settlement and it has now sued the government in U.S. District Court in California, claiming that the government restrictions violate the First Amendment. The government argues that the more is known about its sources and methods in collecting national security data, the less secure the nation will be. This should be an interesting First Amendment case.

In the city there’s a thousand things. There’s been a lot of talk about “the Internet of things.” Google now wants to bring the Internet of things directly to city dwellers. What about Zipcars that broadcast when they’re available, or bus stops that communicate with your mobile device about the next bus arrival? As part of its “Physical Web” initiative, Google is seeking to bring these and similar features to the urban environment. The idea is to interconnect seemingly unconnected physical objects that city dwellers encounter on a daily basis. As a Google designer says, “Just tap and use.”

Operators of social media platforms and other websites must manage a large number of risks arising from their interactions with users. In an effort to maintain a degree of predictability and mitigate some of those risks, website operators routinely present users with terms of use or terms of service (“Website Terms”) that purport to govern access to and use of the relevant website and include provisions designed to protect the website operators, such as disclaimers, limitations of liability and favorable dispute resolution provisions. But are such Website Terms enforceable against users and do they actually provide the protection that website operators seek? The answer may well depend on how the Website Terms are implemented.

Clickwrap vs. Browsewrap

Website Terms typically come in two flavors: “clickwrap” terms, where users are required to accept by taking some affirmative action such as checking a box or clicking an “I accept” button before using the website, and “browsewrap” terms that are provided to users through a link (often, but not always, at the bottom of the page) and purport to bind users even without any affirmative manifestation of acceptance. In determining whether Website Terms are enforceable against users, courts focus on whether users had notice of the terms and actually agreed to be bound by them. Not surprisingly, therefore, courts tend to look more favorably on clickwrap implementations as compared to browsewrap terms.

For example, in Fteja v. Facebook, Inc. (S.D.N.Y. 2012), the plaintiff claimed that Facebook disabled his Facebook account without justification and for discriminatory reasons, causing emotional distress and harming his reputation. Facebook moved to transfer the case to federal court in Northern California based on the forum selection clause in the Facebook terms of use, but the plaintiff claimed that he had never agreed to the terms of use. The court concluded that the plaintiff was bound by the Facebook terms, however, because he had checked a box indicating his acceptance when he registered for Facebook.

In contrast, Barnes & Noble had less luck enforcing its terms of use in Nguyen v. Barnes & Noble, Inc. (9th Cir. August 18, 2014). In Nguyen, the plaintiff ordered a tablet from Barnes & Noble at a discounted price but Barnes & Noble canceled his order. The plaintiff sued and Barnes & Noble moved to compel arbitration based on an arbitration clause included in its website’s browsewrap terms of use. The court held that Barnes & Noble’s terms could not bind the plaintiff, despite being presented through a “conspicuous” link during the checkout process, because Barnes & Noble did not prompt users to affirmatively assent to the terms.

Continue Reading Implementing and Enforcing Online Terms of Use

First we had social media platforms, but recently a variety of “anti-social” media platforms have emerged—well, anti-social in a sense. For years, social media platforms have encouraged (or even, in some cases, required) us to use our real identities, with the aim of building friendships and networks in the online world. But these new social media apps (such as “Secret,” “Whisper,” “Yik Yak”) are designed specifically to enable users to share posts anonymously. The types of “secrets” disclosed on these apps vary enormously—from teenage angst, fantasies and gossip, to the experiences of soldiers and survivors of abuse.

With these apps, one might say that we have gone full circle back to the early days of the Internet when anonymous posts on message boards were standard. Even Mark Zuckerberg, who in 2010 stated that he believed the social norms on privacy had changed, now apparently sees some merit in anonymity. In January 2014, when discussing certain new Facebook apps that can be accessed with anonymous sign-in, he stated, “If you’re always under the pressure of real identity, I think that is somewhat of a burden.”

People sometimes complain that much of social media is fake, with users presenting themselves in the best possible light. Some argue that these apps are different because they encourage authenticity by allowing people to say what they really think without worrying about damage to their digital reputation or posts coming back to haunt them. Fans of the apps also talk of their voyeuristic and addictive nature. And media outlets have even started using anonymous posts as news sources (sometimes to their dismay when the posts turn out to be false).

Whether these apps have longevity or are just a short-term fad remains to be seen. It is clear, however, that users should not be lulled into a false sense of security simply because these apps purport to be anonymous. Such apps present risks similar to any other social media platform. Indeed, these purportedly anonymous platforms may even be riskier than traditional social media platforms because anonymity may create an environment where users feel free to behave recklessly.

The truth is that “anonymous” doesn’t necessarily mean anonymous. Even if users are not required to provide any form of contact details to use an anonymous app, the app is very likely to collect certain information that will help identify the user (e.g., the unique digital ID of the user’s phone, location information, etc.). Therefore, it may not be very difficult to trace a user if required (e.g., by subpoena/court order). Indeed Secret’s Terms of Service state, “We may share information about you … in response to a request for information if we believe disclosure is in accordance with any applicable law, regulation or legal process, or as otherwise required by any applicable law, regulation or legal process.” Also, it is worth noting that the extent to which a user can maintain anonymity from other users will depend on how the app works. With Secret, a user’s posts are shown to the user’s network of phone contacts, and so, depending on what information a user posts, it may not take much for those contacts to figure out who posted a particular secret.

Accordingly, users of anonymous apps need to think carefully about what they post just as they would when using any social media platform. For example, users should be careful to avoid posting:

  • Information that could cause them to breach a court order or be in contempt of court
  • Information that could breach regulatory rules, e.g., in terms of insider trading or market abuse
  • Information that is classed as confidential or a trade secret
  • Information that breaches a third party’s intellectual property rights
  • Defamatory statements
  • Statements that could be considered threatening, abusive, discriminatory or in breach of applicable laws
  • Information that would be a breach of their terms of employment or otherwise constitute misconduct
  • Anything that violates the app’s terms of use

Using anonymous apps as a vehicle for whistleblowing is particularly problematic. Whisper’s editor-in-chief, Neetzan Zimmerman, has publicly advocated such use of Whisper, stating, “We’re talking about whistleblowing, exposing secrets at corporations … on the government level.” But many countries, including the U.K. and U.S., have specific whistleblower laws in place to protect employees, and companies may also have formal whistleblowing policies that prescribe how employees should report issues. An employee who blows the whistle using an anonymous app rather than through the proper channels may not be able to take advantage of the protection provided by such laws and policies if a disciplinary action is brought against the employee based on such action.

Companies will need to consider these new types of apps when formulating social media policies and educating their employees on social media use. But it’s not just an employee issue. As with other social media platforms, organizations need to be aware of the risks to the company of any criticism or attack via such an app (e.g., from a disgruntled user or competitor) and put in place appropriate monitoring and crisis management procedures to deal with such events.

That said, anonymous apps pose opportunities as well as risks, particularly in terms of targeting consumers who don’t use the more traditional social networks. Indeed, in February 2014, Gap Inc. claimed to be behind the first marketing post on Secret. Gap’s post asking, “This is the first Fortune 500 company to post on Secret. Guess who?” drew a lot of attention … and a few correct guesses.

Contractual provisions giving a website operator the unilateral right to change its end user terms of service are ubiquitous and appear in the online terms of many major social media sites and other websites, including Facebook, Twitter, Instagram and Google. Although amendments to terms of service quite often cause consumers to complain, litigation regarding such changes is relatively rare. A recent decision from the U.S. District Court in the Northern District of Ohio, however, challenges the enforceability of unilateral amendments to online terms of service in at least some circumstances.

In Discount Drug Mart, Inc. v. Devos, Ltd. d/b/a Guaranteed Returns, Discount Drug Mart, a distributor of pharmaceuticals, sued Guaranteed Returns, a company that processes pharmaceutical product returns, for Guaranteed Returns’ failure to remit credits due under a written distribution agreement between the parties. Guaranteed Returns pointed to the forum selection clause on its website, which it argued required the parties to bring suit in either Nassau or Suffolk County in the State of New York. This provision appeared in Guaranteed Returns’ online “standard terms and conditions,” which Guaranteed Returns claimed were incorporated into the parties’ written distribution agreement.

The court held otherwise, citing the Sixth Circuit case Int’l Ass’n of Machinists and Aerospace Workers v. ISP Chemicals, Inc. and stating that “[i]ncorporation by reference is proper where the underlying contract makes clear reference to a separate document, the identity of the separate document may be ascertained, and incorporation of the document will not result in surprise or hardship.” The court also pointed out that Guaranteed Returns’ purported right to change its standard terms and conditions unilaterally could result in Discount Drug Mart being subject to surprise or hardship. Further, the court noted that there was no evidence that the forum selection clause had been included in the standard terms and conditions at the time the distribution agreement was signed (and Guaranteed Returns did nothing to try to prove this fact). Thus, the court concluded that the standard terms and conditions were not properly incorporated into the distribution agreement (although the court ended up finding in favor of Guaranteed Returns on other grounds).

It is difficult to say what, if any, precedential force Discount Drug Mart will have. Putting aside the facts that the case was brought in the Northern District of Ohio and was ultimately dismissed on grounds unrelated to this holding, the underlying background of the case was nuanced. First, although the court stated in dicta that “one party to a contract may not modify an agreement without the assent of the other party,” a statement that could be interpreted to mean that unilateral amendment of contracts is never permitted, the holding itself was limited to situations in which terms and conditions are incorporated by reference. That said, even this limited holding may be relevant to many website operators in the social media world, as the larger social media sites often use a network of contracts that reference each other (for example, Facebook’s “Platform Policies” requires developers to agree to the company’s “Statement of Rights and Responsibilities,” which are “requirements for anybody who uses Facebook” and which can be unilaterally modified by Facebook).

Second, the Discount Drug Mart court did not elaborate on the “surprise or hardship” standard, so it is possible that unilateral changes to end user terms would be upheld if the website operator gave proper notice to its end users of such changes in order to avoid causing surprise or hardship. The leading social media platforms currently have different approaches to providing notice of changes to their online terms of use. For example, Facebook provides seven days’ notice (although “notice” here includes posting on Facebook’s site governance page); Twitter will notify users of changes to its terms of service via an “@Twitter” update or through email (but only for changes that Twitter deems to be material in its sole discretion); and Instagram notifies users of its changes to its terms of use by posting them on Instagram. A court could find that notification of changes using one or more of these methods is sufficient to avoid subjecting an end user to surprise or hardship.

Finally, the court seemed to give weight to the lack of any evidence that the forum selection clause was included in Guaranteed Returns’ standard terms and conditions at the time that the parties entered into the distribution agreement. Today, however, most Internet service providers include “last modified” dates in their terms of use. Recording version dates and keeping copies of older terms of use could help a website operator show that a particular provision existed in terms of use at the time that the parties entered into an agreement referencing such terms (although these practices could also provide evidence to the contrary).

Discount Drug Mart is not the first decision to challenge a company’s right to unilaterally modify its online terms and conditions. In the 2007 case Douglas v. Talk America, the Ninth Circuit Court of Appeals held that Talk America could not enforce an arbitration clause against an individual who had initially accepted the applicable terms of service prior to Talk America’s unilateral addition of the arbitration clause. Although Talk America posted the amended terms online, the court noted that the individual’s assent to the new terms could only be inferred “after [the individual] received proper notice of the proposed changes.” Discount Drug Mart seems consistent with this decision to the extent that the case suggests that failure to provide adequate notice to end users of changes to online terms may invalidate such changes.

A decision in the Northern District in the U.S. District Court of Texas in 2009, Harris v. Blockbuster Inc., went further than the Douglas court by holding an arbitration clause in Blockbuster’s online terms of use rendered the terms of use illusory and unenforceable. The court’s holding was based on the fact that Blockbuster could, in theory, unilaterally modify the arbitration provisions and apply those modified provisions to earlier disputes. Harris cited the Fifth Circuit case, Morrison v. Amway Corp., in which the court had held an arbitration clause in online terms of use to be illusory under Texas law when defendant Amway attempted to apply arbitration terms that been had modified after the plaintiff had agreed to Amway’s standard terms. Although limited to the Northern District of Texas (for now), the implications of Harris could be troubling to online service providers, as the case suggests that if a company includes language allowing it to make unilateral changes to its terms by simply posting the revised terms on its website, those terms could be deemed invalid. In fact, at least one legal scholar has suggested that companies should not include such language in their online terms. For more on Harris, see our client alert here.

Discount Drug Mart does not necessarily provide any clear guidelines that online service providers must follow for their online terms to be valid and enforceable. Because the court based its holdings on specific factual circumstances and provided little insight into its reasoning, it is unclear at this point whether other courts will follow this opinion and impose limitations on companies’ rights to unilaterally change their online terms of service under different circumstances. However, given the legal precedent on the subject, it will likely behoove companies that incorporate their online terms into other documents to consider re-evaluating their amendment and notification practices to minimize any chance of subjecting end users to “surprise or hardship.”

Following our post on U.S. lawsuits concerning the ownership of LinkedIn and Twitter accounts, we report on a recent United Kingdom High Court ruling that considered who was entitled to operate four LinkedIn Groups, and other UK cases that have addressed related issues.

Before we describe the High Court’s ruling, it is important to provide a bit of background.  As with other social media services, opening a LinkedIn account requires an individual to enter into a contract with LinkedIn.  LinkedIn’s User Agreement prohibits account holders from transferring their accounts to another party.  Strictly speaking, then, the question is less one of, “Who owns a given LinkedIn account?” than the equally important question of who owns or controls the contacts accumulated by that account:  are those contacts the confidential information of the account holder’s employer, or are they the property of the account holder himself or herself?  And what about LinkedIn Groups, described on LinkedIn as “a place for professionals in the same industry or with similar interests to share content, find answers, post and view jobs, make business contacts, and establish themselves as industry experts”?  Does an employer have any proprietary interest in a LinkedIn Group that was set up and operated by an employee in connection with his or her employment, once that employee leaves the company?

Before third-party networks such as LinkedIn existed, the position in the UK with regard to the ownership of company contact lists and databases was relatively straightforward:  materials created during the course of employment are owned by the employer and are the employer’s confidential information.  However, in the social media context, the position is not so clear-cut.  If employees are encouraged to use LinkedIn in connection with their employment and so accumulate contacts, can the employer prevent employees from using those contacts when their employment terminates?

Although there is not, as yet, any definitive UK legal authority on the issue, two cases now give an indication of the position that the UK courts will likely take on this issue.

First, back in 2008, in the UK High Court case of Hays v Ions, Mark Ions, a former employee of recruitment company Hays, was ordered to hand over details of contacts that he had migrated from his work email address book to his personal LinkedIn account.  Hays had alleged that Ions transferred the contacts while working at Hays with a view to their subsequent use in connection with his own rival business.  Ions argued that Hays had encouraged his use of LinkedIn to connect with clients and that, once the Hays contacts accepted his own LinkedIn invite, those contacts ceased to constitute Hays’ confidential information because the information was then accessible to others on LinkedIn.  The court did not accept Ions’ argument and noted that, even if Ions had had permission to use client email addresses to connect with clients, it was unlikely that this extended to the use of such information outside his employment with Hays.

Despite ordering the disclosure of the Hays contacts and all emails and documentation relating to such contacts and any business obtained from them, the judge in that case held that Ions was not required to disclose all of his LinkedIn contacts to Hays because those contacts could include many persons who had no contact with Hays.  This suggests that the judge accepted that the entire LinkedIn account, although originally operated by Ions in the course of his employment, was not material proprietary to Hays, his employer.

We now have a second court ruling in the UK relating to the ownership of LinkedIn accounts.  In July 2013, the UK High Court considered who was entitled to operate four LinkedIn Groups that had been set up by an ex-employee when that employee left the company.  In Whitmar Publications Ltd v Gamage, Wright, Crawley and Earth Island Publishing Ltd, three employees had resigned from Whitmar to work for Earth Island, a rival publishing company that the employees had set up a few months earlier.  Whitmar alleged that the defendants had taken steps to compete against Whitmar while still employed by the company, in that they had misused Whitmar’s confidential information, infringed its database rights and breached their terms of employment.  Concerning the LinkedIn Groups at issue, Whitmar claimed that although the Groups had been managed by Ms. Wright—one of the former Whitmar employees—on behalf of Whitmar as part of her employment, the defendants had used them for the benefit of their rival business while still employed by Whitmar.  Whitmar sought an interim injunction to prevent the defendants from using, exploiting or divulging to any third party any of the information contained in these LinkedIn Groups.  Given that this was an emergency application, the court made a preliminary assessment of the evidence only.

The court agreed that Whitmar had a strong case that the defendants had been actively competing against Whitmar while still employed by it, in breach of the terms of their employment.  Further, the court rejected Wright’s claim that the LinkedIn Groups were personal to her and merely a hobby; Wright was responsible for dealing with the LinkedIn Groups as part of her employment duties at Whitmar, and the Groups operated for Whitmar’s benefit and promoted its business, as evidenced by the fact that Wright had used Whitmar’s computers to carry out her work on the LinkedIn Groups.  The judge also agreed that information contained within the LinkedIn Groups appeared to have been used as the source of the email addresses used to publicize an Earth Island launch event.

Ultimately, the court granted an order requiring the defendants to facilitate the exclusive access, management and control of the LinkedIn Groups to Whitmar, ordering the defendants not to access or do anything that would prevent Whitmar from accessing the Groups, and preventing the defendants from using, exploiting or divulging to any third party any of the information contained in the Groups.  In effect, the judge decided that Whitmar had a good chance of succeeding at full trial based on the available evidence.

Since the judgment in the first phase of the case, the parties have entered into an out-of-court settlement that, according to Whitmar’s website, means that the ex-employees will not enter into or fulfill any contract with a number of Whitmar clients or customers until December 20, 2013.  The ex-employees have also returned control of a number of Linked-In Groups to Whitmar.  Unfortunately for legal purists, but maybe happily for the parties, as a result of the settlement we won’t now get to know how the court would have ultimately ruled at full trial.

It is also worth noting that, in 2012, a UK employment tribunal case, Flexman v BG Group, raised an altogether different issue related to an employee’s use of LinkedIn: can an employee in the UK be dismissed for using LinkedIn to search for job opportunities?

In the first case of its kind, the tribunal ruled that John Flexman, an HR manager at BG Group, had been constructively dismissed following a dispute concerning his LinkedIn account.  BG Group had claimed that Flexman breached its social media policies by uploading his CV to LinkedIn and ticking the “career opportunities” box on his LinkedIn profile.  It also accused Flexman of breaching confidentiality by stating on his CV that he was assisting the company in reducing its “attrition rate.”  As a result, the company had ordered Flexman to remove any mention of BG Group from Flexman’s LinkedIn profile, other than his job titles and the dates he had worked there.  Flexman refused and demanded to know the source of the complaint.  After a dispute arose, Flexman faced an internal disciplinary hearing, with risk of dismissal, and Flexman eventually resigned and claimed constructive dismissal.  The tribunal upheld Flexman’s claim of constructive dismissal due to unacceptable delays in the company’s dealing of the case and the company’s failure to address a grievance related to the incident.  Unfortunately, the tribunal did not specifically address whether merely uploading a CV and ticking the career opportunities box was, indeed, a disciplinary matter.

As with the U.S. lawsuits we described in our earlier post on Socially Aware, these UK cases highlight the need for organizations to have clear social media policies in place in order for employees to understand what is expected of them when using business-related social media accounts.

If you want to use those pictures you found on Twitter, beware. A federal judge in New York recently held that taking photos from Twitter to use for a commercial purpose infringes the photographer’s copyrights. On January 14, 2013, Judge Alison Nathan ruled that Agence France Presse (AFP), which provides subscribers with access to photos though an international wire and databank, and the Washington Post (“the Post”) infringed Daniel Morel’s copyrights to photos he posted on Twitter.

In January 2010, freelance photographer Daniel Morel uploaded to his TwitPic account a number of photos he took in Haiti in the immediate aftermath of the earthquake. An individual named Lisandro Suero took those photos from Morel’s Twitter account, reposted them to his own Twitter account, and tweeted that he had exclusive photos of the earthquake. AFP got the photos from Suero’s Twitter page, attributed the photos to Suero, and began distributing them to users of its wire and databank services. Getty Images (“Getty”) received the photos through AFP’s wire service. The Post received the photos from Getty. Getty and the Post published the photos on their websites, with captions that attributed them to Suero.

When Morel’s exclusive agent found out that AFP, Getty and the Post were using his photos, his agent complained. While at least some efforts were made by AFP, Getty and the Post to address Morel’s agent’s complaint, those efforts in most respects fell far short of what is required under the law.

In March 2010, AFP sought a declaratory judgment that it did not infringe Morel’s copyrights, and Morel counterclaimed for copyright infringement against AFP, Getty and the Post. During the course of the case, Morel moved for summary judgment on his copyright infringement counterclaim. In response, the defendants argued that pursuant to the Twitter Terms of Service (TOS), Morel provided them a license to use the photos by his very act of tweeting the photos.

Judge Nathan disagreed. Judge Nathan found that the Twitter TOS provides that users generally retain their rights to the content they post—with the exception of the license granted to Twitter and its partners. Twitter’s “Guidelines for Third Party Use of Tweets in Broadcast or Other Offline Media” further underscored that, while the Twitter TOS permit users to retweet posts, the Twitter TOS was not intended to let the “world-at-large” remove content from Twitter and commercially distribute it. Rebroadcasting tweets in their entirety is now a news program staple and actively encouraged by Twitter. Twitter’s TOS, however, do not permit media outlets to rip copyrighted material out of tweets and use it for some other purpose. Because AFP and the Post put forward no defense other than their license defense, Judge Nathan granted Morel’s motion for summary judgment and found them both liable for copyright infringement.

Unlike AFP and the Post, Getty argued that it was entitled to the benefit of the safe-harbor provisions of the Digital Millennium Copyright Act (DMCA) that protect service providers from liability for copyright infringement. Judge Nathan held, however, that genuine issues of fact existed as to whether Getty could take advantage of the DMCA safe harbor, noting that companies like Getty that are in the business of selling copyrighted material may not be shielded from copyright liability under the DMCA’s safe harbor. Thus, it remains to be seen whether Getty will also be found liable for copyright infringement.

In one bright spot for AFP and Getty, Judge Nathan granted summary judgment in their favor on the proper method for calculating statutory damages under the Copyright Act, which can result in awards of up to $150,000 per work infringed. Morel claimed that he was entitled to a statutory damage award “in the tens or hundreds of millions of dollars” against AFP and Getty. Morel argued that, because AFP and Getty distributed the photos to many of their subscribers, each downstream infringement by one of their subscribers would entitle him to an additional statutory damages award. Judge Nathan disagreed and held that any award of statutory damages against AFP and Getty could not be multiplied based on the number of infringers with whom they may be jointly and severally liable.

This decision clarifies that Twitter users do not lose ownership rights to their content by posting it to Twitter. Although you may have the right to retweet or publish tweets in their entirety, you don’t have the right to take someone else’s content and use it for commercial gain.

2012 was a momentous year for social media law. We’ve combed through the court decisions, the legislative initiatives, the regulatory actions and the corporate trends to identify what we believe to be the ten most significant social media law developments of the past year–here they are, in no particular order:

Bland v. Roberts – A Facebook “like” is not constitutionally protected speech

Former employees of the Hampton Sheriff’s Office in Virginia who were fired by Sheriff B.J. Roberts, sued claiming they were fired for having supported an opposing candidate in a local election. Two of the plaintiffs had “liked” the opposing candidate’s Facebook page, which they claimed was an act of constitutionally protected speech. A federal district court in Virginia, however, ruled that a Facebook “like” “…is insufficient speech to merit constitutional protection”; according to the court, “liking” involves no actual statement, and constitutionally protected speech could not be inferred from “one click of a button.”

This case explored the increasingly-important intersection of free speech and social media, with the court finding that a “like” was insufficient to warrant constitutional protection. The decision has provoked much criticism, and it will be interesting to see whether other courts will follow the Bland court’s lead or take a different approach.

New York v. Harris – Twitter required to turn over user’s information and tweets

In early 2012, the New York City District Attorney’s Office subpoenaed Twitter to produce information and tweets related to the account of Malcolm Harris, an Occupy Wall Street protester who was arrested while protesting on the Brooklyn Bridge. Harris first sought to quash the subpoena, but the court denied the motion, finding that Harris had no proprietary interest in the tweets and therefore did not have standing to quash the subpoena. Twitter then filed a motion to quash, but the court also denied its motion, finding that Harris had no reasonable expectation of privacy in his tweets, and that, for the majority of the information sought, no search warrant was required.

This case set an important precedent for production of information related to social media accounts in criminal suits. Under the Harris court’s ruling, in certain circumstances, a criminal defendant has no ability to challenge a subpoena that seeks certain social media account information and posts.

The National Labor Relations Board (NLRB) issued its third guidance document on workplace social media policies

The NLRB issued guidance regarding its interpretation of the National Labor Relations Act (NLRA) and its application to employer social media policies. In its guidance document, the NLRB stated that certain types of provisions should not be included in social media policies, including: prohibitions on disclosure of confidential information where there are no carve-outs for discussion of an employer’s labor policies and its treatment of employees; prohibitions on disclosures of an individual’s personal information via social media where such prohibitions could be construed as limiting an employee’s ability to discuss wages and working conditions; discouragements of “friending” and sending unsolicited messages to one’s co-workers; and prohibitions on comments regarding pending legal matters to the degree such prohibitions might restrict employees from discussing potential claims against their employer.

The NLRB’s third guidance document illustrates the growing importance of social media policies in the workplace. With social media becoming an ever-increasing means of expression, employers must take care to craft social media policies that do not hinder their employees’ rights. If your company has not updated its social media policy in the past year, it is likely to be outdated.

Fteja v. Facebook, Inc. and Twitter, Inc. v. Skootle Corp. – Courts ruled that the forum selection clauses in Facebook’s and Twitter’s terms of service are enforceable

In the Fteja case, a New York federal court held that a forum selection clause contained in Facebook’s Statement of Rights and Responsibilities (its “Terms”) was enforceable. Facebook sought to transfer a suit filed against it from a New York federal court to one in Northern California, citing the forum selection clause in the Terms. The court found that the plaintiff’s clicking of the “I accept” button when registering for Facebook constituted his assent to the Terms even though he may not have actually reviewed the Terms, which were made available via hyperlink during registration.

In the Skootle case, Twitter brought suit in the Northern District of California against various defendants for their spamming activities on Twitter’s service. One defendant, Garland Harris, who was a resident of Florida, brought a motion to dismiss, claiming lack of personal jurisdiction and improper venue. The court denied Harris’s motion, finding that the forum selection clause in Twitter’s terms of service applied. The court, however, specifically noted that it was not finding that forum selection clauses in “clickwrap” agreements are generally enforceable, but rather “only that on the allegations in this case, it is not unreasonable to enforce the clause here.”

Fteja and Skootle highlight that potentially burdensome provisions in online agreements may be enforceable even as to consumers; in both cases, a consumer seeking to pursue or defend a claim against a social media platform provider was required to do so in the provider’s forum. Both consumers and businesses need to be mindful of what they are agreeing to when signing up for online services.

Six states passed legislation regarding employers’ access to employee/applicant social media accounts

California, Delaware, Illinois, Maryland, Michigan and New Jersey enacted legislation that prohibits an employer from requesting or requiring an employee or applicant to disclose a user name or password for his or her personal social media account.

Such legislation will likely become more prevalent in 2013; Texas has a similar proposed bill, and California has a proposed bill that would expand its current protections for private employees to also include public employees.

Facebook goes public

Facebook raised over $16 billion in its initial public offering, which was one of the most highly anticipated IPOs in recent history and the largest tech IPO in U.S. history. Facebook’s peak share price during the first day of trading hit $45 per share, but with a rocky first few months fell to approximately $18—sparking shareholder lawsuits. By the end of 2012, however, Facebook had rebounded to over $26 per share.

Facebook’s IPO was not only a big event for Facebook and its investors, but also for other social media services and technology startups generally. Many viewed, and continue to view, Facebook’s success or failure as a bellwether for the viability of social media and technology startup valuations.

Employer-employee litigation over ownership of social media accounts

2012 saw the settlement of one case, and continued litigation in two other cases, all involving the ownership of business-related social media accounts maintained by current or former employees.

In the settled case of PhoneDog LLC v. Noah Kravitz, employer sued employee after the employee left the company but retained a Twitter account (and its 17,000 followers) that he had maintained while working for the employer. The terms of the settlement are confidential, but news reports indicated that the settlement allowed the employee to keep the account and its followers.

In two other pending cases, Eagle v. Edcomm and Maremont v. Susan Fredman Design Group LTD, social media accounts originally created by employees were later altered or used by the employer without the employees’ consent.

These cases are reminders that, with the growing prevalence of business-related social media, employers need to create clear policies regarding the treatment of work-related social media accounts.

California’s Attorney General went after companies whose mobile apps allegedly did not have adequate privacy policies

Starting in late October 2012, California’s Attorney General gave notice to developers of approximately 100 mobile apps that they were in violation of California’s Online Privacy Protection Act (OPPA), a law that, among other things, requires developers of mobile apps that collect personally identifiable information to “conspicuously post” a privacy policy. Then, in December 2012, California’s Attorney General filed its first suit under OPPA against Delta, for failing to have a privacy policy that specifically mentioned one of its mobile apps and for failing to have a privacy policy that was sufficiently accessible to consumers of that app.

Privacy policies for mobile applications continue to become more important as the use of apps becomes more widespread. California’s OPPA has led the charge, but other states and the federal government may follow. In September, for instance, Representative Ed Markey of Massachusetts introduced The Mobile Device Privacy Act in the U.S. House of Representatives, which in some ways would have similar notice requirements as California’s OPPA.

Changes to Instagram’s online terms of service and privacy policy created user backlash

In mid-December 2012, Instagram released an updated version of its online terms of service and privacy policy (collectively, “Terms”). The updated Terms would have allowed Instagram to use a user’s likeness and photographs in advertisements without compensation. There was a strong backlash from users over the updated Terms, which ultimately led to Instagram apologizing to its users for the advertisement-related changes, and reverting to its previous language regarding advertisements.

Instagram’s changes to its Terms, and subsequent reversal, are reminders of how monetizing social media services is often a difficult balancing act. Although social media services need to figure out how they can be profitable, they also need to pay attention to their users’ concerns.

The defeat of the Stop Online Piracy Act (SOPA) and the PROTECT IP Act (PIPA)

Two bills, SOPA and PIPA—which were introduced in the U.S. House of Representatives and U.S. Senate, respectively, in late 2011—would have given additional tools to the U.S. Attorney General and intellectual property rights holders to combat online intellectual property infringement. A strong outcry, however, arose against the bills from various Internet, technology and social media companies. The opponents of the bills, who claimed the proposed legislation threatened free speech and innovation, engaged in various protests that included “blacking out” websites for a day.  These protests ultimately resulted in the defeat of these bills in January 2012.

The opposition to and subsequent defeat of SOPA and PIPA demonstrated the power of Internet and social media services to shape the national debate and sway lawmakers. With prominent social media services such as Facebook, YouTube, Twitter, LinkedIn and Tumblr opposed to the bills, significant public and, ultimately, congressional opposition followed.  Now that we’ve witnessed the power that these services wield when acting in unison, it will be interesting to see what issues unite them in the future.

Website operators often take for granted the enforceability of their websites’ terms of service. In a recent order issued in a case from the Central District of California, Nguyen v. Barnes & Noble, Inc., Judge Josephine Tucker reminds us that such presumptions are not necessarily correct: terms of service that do not require an affirmative manifestation of assent from a website user may not always be upheld in court.

Many website operators, particularly Internet retailers and operators of ecommerce sites, use “clickwrap” (or “clickthrough”) agreements to govern use of their sites. With clickwrap agreements, the website operator typically presents its standard terms of use and then requires the user to click an “Accept” or “I Agree” button. By clicking the button, users affirmatively manifest their intent to be bound by the terms. Other website operators use “browsewrap” agreements—terms of agreement that are usually accessible through a hyperlink at the bottom of a web page. Although, as a practical matter, few people actually read them, browsewraps are also widely used.

Both clickwraps and browsewraps are contracts of adhesion in legal parlance. That is, they are contracts that are offered on a “take it or leave it” basis with no opportunity for negotiation. A user who does not wish to be bound by the proffered terms can click “Do Not Accept” or, for a browsewrap, simply leave the website. On the other hand, a user who is willing to be bound can indicate such assent by clicking “I Accept” or by continuing to browse the website. Reasonable people may disagree regarding whether these actions truly manifest a user’s assent to be bound by the relevant contract terms, but courts have frequently upheld the enforceability of both clickwrap and browsewrap terms of use (subject, of course, to the unconscionability concerns raised by any contract of adhesion). As discussed in the remainder of this article, however, browsewrap terms of use often encounter a greater degree of scrutiny from courts due to the lack of any affirmative acceptance by users.

The enforceability of browsewrap terms of use has been held to depend on whether a website user has knowledge—either actual or constructive—of the applicable terms, because users cannot agree to be bound by terms unless they know what those terms are. Courts considering browsewrap enforceability issues often grapple with the question of whether the defendant was given notice of the applicable terms sufficient to impute such knowledge. For example, in Register.com, Inc. v. Verio, Inc., the court determined that numerous and repeated queries by an automated software program were sufficient to show that Verio knew of, and was bound by, Register.com’s terms (although Verio had also admitted that it had actual knowledge of the terms). On the other hand, in Ticketmaster Corp. v. Tickets.com, Inc., on the other hand, the court held that a small link to terms of use that was visible only if the user scrolled down to the bottom of the web page was insufficient to establish notice. But, three years later, the same court (in the same case, no less) ruled that more prominent notice on the site’s home page was adequate notice. While a court’s determination of sufficient notice may vary in each case, it is clear that the more readily available and conspicuous browsewrap terms of use are, the more likely it is that a court will find that the user knew of, and was bound by, the terms.

That brings us to Nguyen v. Barnes & Noble, Inc. In Nguyen, the plaintiff’s claims arose from a Barnes & Noble promotion that offered computer tablets at a discounted price. Although Nguyen submitted an order to purchase a tablet at the promotional price, Barnes & Noble canceled his order the next day, citing an oversale of its tablet inventory. As a result, Nguyen alleged that he was “forced to rely on substitute tablet technology, which he subsequently purchased . . . [at] considerable expense.” In April 2012, Nguyen filed suit, alleging various consumer protection violations, including false advertising, unfair competition, and breach of contract, under California and New York law. Barnes & Noble then moved to compel arbitration based on an arbitration clause included in its website’s browsewrap terms of use. The question before the court was whether, given the existing facts, the arbitration clause was enforceable against Nguyen.

The court ultimately held that the arbitration clause was not enforceable because the terms of use agreement itself was not enforceable. According to Judge Tucker, Barnes & Noble’s website terms of use could not bind Nguyen because Barnes & Noble “did not position any notice even of the existence of its ‘Terms of Use’ in a location where website users would necessarily see it, and certainly did not give notice that those Terms of Use applied, except within the Terms of Use” (emphasis in original). Due to this lack of adequate notice, Nguyen did not know and, in Tucker’s view, should not necessarily have known of Barnes & Noble’s terms of use. Because Nguyen did not have knowledge of the terms, he could not be bound by them. Therefore, Barnes & Noble could not compel arbitration in its dispute with Nguyen.

In light of Nguyen and the other cases discussed above, website operators should consider using clickwraps that require affirmative acceptance where possible, rather than relying on browsewraps to enforce their terms of use. A simple click can be the difference between an agreement’s being found enforceable or not. For ecommerce sites or any site that requires registration prior to use, clickwraps are relatively easy to implement—for example, at the point of purchase or when the user registers—without negatively affecting the user experience. Best practices for clickwraps include presenting terms of service before payment, allowing for easy reading of all terms, allowing users to print or save a copy of the terms, offering a prominent option to decline the terms, providing an easy way for users to find the terms on the site at any time after payment or registration, and giving users notice of (and requiring users to accept) any updates and changes to the terms of use.

For other sites, including some social media sites, the story may differ. Many social media sites—for example, Pinterest, Twitter, and YouTube—allow users to access at least some content and functionality without registering. With sites such as these, there may be no real opportunity to obtain affirmative acceptance of terms of use without degrading the user experience, so a clickwrap is simply not a practical option. For operators of such websites, the most important lesson of Nguyen and the other cases discussed above is that the question of enforceability often turns on whether the user has sufficient notice of the terms of use. Thus, website operators can increase the likelihood that their terms of use will be enforced if links to such terms are prominently displayed, preferably “above the fold” so that a user will be able to see the link without scrolling down the page. As Nguyen and the other cases illustrate, an operator who places links to terms of use in a tiny font buried at the bottom of a page may be in for an unpleasant surprise if those terms ever need to be enforced.

As the Occupy Wall Street protests fade from memory, a related discovery battle between Twitter and the New York County District Attorney rages on.

Earlier this year, we discussed the District Attorney’s efforts to subpoena user information and tweets of criminal defendant Malcolm Harris, an Occupy Wall Street protester charged with disorderly conduct for allegedly occupying the roadway of the Brooklyn Bridge.  In a setback for Twitter, the Criminal Court of the City of New York recently denied Twitter’s motion to quash the District Attorney’s subpoena; Twitter has announced its decision to appeal the court’s decision.  In this article, we take a look at the court’s decision rejecting Twitter’s motion, and discuss key issues to be addressed on appeal.

As noted, the dispute emerges from the District Attorney’s criminal prosecution of Harris.  Believing that Harris had tweeted information inconsistent with his anticipated defense, the District Attorney sought from Twitter the user information and tweets associated with the account @destructuremal—the Twitter account allegedly used by Harris.  Harris filed a motion to quash, and Twitter refused to comply with the subpoena pending the results of Harris’s motion.

The court found that Harris lacked standing to quash the third-party subpoena on Twitter, because Harris had neither a proprietary interest nor a privacy interest in the user information or tweets associated with the @destructuremal account.  The court observed that no search warrant was required to obtain Harris’s tweets, as no Fourth Amendment privacy rights are implicated when information is sought from a third party, such as Twitter.  Rather, in a criminal case, the Stored Communications Act (SCA) permits the government to subpoena subscriber and session information directly from a social media site.  The court ordered Twitter to comply with the subpoena.

Twitter then filed its own motion to quash the subpoena.  Twitter argued that, under its Terms of Service, Harris in fact retained his rights to any content that he submitted, posted or displayed on or through the Twitter service; and that denying Harris’s standing to oppose the subpoena placed an undue burden on Twitter.  In a decision handed down on June 30, 2012, the court disagreed.  The court noted that the general rule in New York is that “only the recipient of a subpoena in a criminal case has standing to quash it,” and reiterated that Harris had no Fourth Amendment privacy right in his tweets.  Twitter has objected to the court’s decision, and, as noted, will be filing an appeal; a review of the court’s decision highlights key issues to be addressed on appeal.

No Privacy Violation

Proving a violation of the Fourth Amendment requires a showing of either (1) a physical intrusion onto personal property or (2) a violation of a reasonable expectation of privacy.  The court found that, due to Harris’s publication of his tweets to third parties, neither showing could be made here.

No Physical Intrusion

With regard to physical intrusion, the court stated simply that there had been no physical intrusion into Harris’s Twitter account.  Unlike the contents of someone’s home or car, the contents of Harris’s Twitter account had been “purposely broadcast to the entire world [and] into a server 3,000 miles away.”

No Reasonable Expectation of Privacy

With regard to any expectation of privacy, the court likened posting a tweet to screaming out of an open window.  According to the court, “If you post a tweet, just like if you scream it out the window, there is no reasonable expectation of privacy.  There is no proprietary interest in your tweets, which you have now gifted to the world.”  The court distinguished a tweet, however, from a “private” Internet dialogue, such as one conducted via private email, private direct message, or private chat.  Accessing relevant information from such private Internet dialogues “would require a warrant based on probable cause.”  A tweet, however, is not like an email sent to a single party, and “[t]here can be no reasonable expectation of privacy in a tweet sent around the world.”

A Tweet Is a “Public Posting”

The court based its decision on its finding that a tweet is a “public posting.”  In the court’s view, “It is the act of tweeting or disseminating communications to the public that controls.”  The court supported its finding by citing Twitter’s Privacy Policy, which states that “[o]ur Services are primarily designed to help you share information with the world.  Most of the information you provide us is information you are asking us to make public.”  As further evidence of the public nature of a tweet, the court also cited Twitter’s 2010 agreement with the Library of Congress, under which every public tweet since Twitter’s inception is to be archived; several Internet sites through which deleted tweets remain accessible; and a National Geographic Channel project that has collected tweets and intends to broadcast them into space this August.

The court likened the third-party recipient of a tweet to a witness on the street who overhears something screamed out of an open window.  As the court put it, “today, the street is an online, information superhighway, and the witness can be the third-party providers like Twitter, Facebook, Instagram, Pinterest, or the next hot social media application.”  A tweet, like a scream out the window, has been made public, and “[t]here is no reasonable expectation of privacy for tweets that the user has made public.”

No Undue Burden on Twitter

Twitter argued that denying standing to Harris placed an undue burden on Twitter, who was thereby forced to either comply with, or move to quash, each such subpoena seeking information of a Twitter user that it receives.  The court flatly disagreed, noting that “that burden is placed on every third-party respondent to a subpoena and cannot be used to create standing for a defendant where none exists.”

No Undue Burden Under the Stored Communications Act

A court issuing an order under Section 2703(d) of the SCA, “on a motion made promptly by the service provider,” may quash or modify the order if it finds that the information or records sought are “unusually voluminous” or if compliance with the order “otherwise would cause an undue burden” on the service provider.  In this case, the order requires Twitter to provide all user information associated with the @destructuremal Twitter account, including all tweets posted from it between September 15, 2011, and December 31, 2011.  The court declined to find that this order placed an undue burden on Twitter under the SCA, stating instead that “it does not take much to search and provide the data to the court.”

Warrant Required for Tweets in Electronic Storage for Less Than 180 Days

The only data associated with the @destructuremal account that the court did not order Twitter to produce were those tweets sent out from the account on December 31, 2011.  This is because, under the SCA, the court may compel either an Electronic Communications Service (ECS) or a Remote Computing Service (RCS) to disclose non-content information, and may compel an RCS to disclose its contents; but the court may only compel an ECS to disclose content that has been in electronic storage for more than 180 days.  At the time that the June 30, 2012 order was issued, the court did not have the proper authority under the SCA to order disclosure of tweets made on December 31, 2011.  The court, accordingly, modified its previous order with respect to the ECS content that was less than 180 days old—removing that portion of the order that would have required Twitter to produce tweets placed from the @destructuremal account on December 31, 2011.

What Next?

The Criminal Court of the City of New York ordered Twitter to disclose all non-content information, as well as all content information from September 15, 2011, to December 30, 2011.  As noted, Twitter has announced its intention to appeal, rather than to comply with, the decision.  Twitter will not have to turn over the December 31, 2011 tweets unless the government obtains a search warrant.  Will Twitter have to turn over the other @destructuremal tweets?  We’ll keep you posted.

In two recent decisions issued within a day of each other, two influential federal courts limited the scope of three important federal laws used to prosecute criminal conduct involving computers.  On April 10, 2012, the Ninth Circuit limited the scope of criminal liability for prosecutions under the Computer Fraud and Abuse Act, and on the following day the Second Circuit sharply limited the scope of the National Stolen Property Act and the Economic Espionage Act of 1996.  Together, these decisions indicate a reluctance to accept prosecutors’ expansive views of the reach of federal criminal laws with respect to computer usage, and the Ninth Circuit’s decision in particular may have far-reaching implications for the enforceability of website terms of service and employee policies in the civil context.

The Ninth Circuit’s decision was issued en banc in United States v. Nosal upholding the district court’s dismissal of David Nosal’s indictment for violations of the Computer Fraud and Abuse Act (“CFAA”).  Nosal had worked for an executive search firm and left to start a competing business.  He convinced several of his former colleagues to help him by accessing and then transferring to him source lists, names, and contact information from the firm’s confidential database.  The former colleagues were authorized to access the database, but the firm had a policy forbidding the disclosure of confidential information.  The government charged Nosal with violating 18 U.S.C. § 1030(a)(4) by aiding and abetting the former colleagues in “exceed[ing] authorized access” to the firm’s computers with intent to defraud the firm.

Nosal moved to dismiss the CFAA counts, arguing that the statute was meant to target hackers and not those who accessed a computer lawfully but then misused information obtained from such access.  The district court agreed, and the government appealed.  In a panel decision issued in 2011, the Ninth Circuit reversed the district court, holding that an employee “‘exceeds access’ under § 1030 when he or she violates the employer’s computer access restrictions — including use restrictions.”  The en banc court found otherwise, holding that “‘exceeds authorized access’ in the CFAA is limited to violations of restrictions on access to information, and not restrictions on its use.” (Emphasis in original.)  To hold otherwise, the court reasoned, would make federal crimes out of “minor dalliances” like playing games or shopping online, if such activities were prohibited by an employer’s computer-use policy.  The court observed:  “Employer-employee and company-consumer relationships are traditionally governed by tort and contract law,” and to interpret the CFAA to apply to use restrictions “allows private parties to manipulate their computer-use and personnel policies so as to turn these relationships into ones policed by the criminal law.”  This would implicate “[s]ignificant notice problems.”  Although the government argued that it would not prosecute minor violations of the law, the court found that “we shouldn’t have to live at the mercy of our local prosecutor.”

The Second Circuit’s decision in United States v. Aleynikov, issued on April 11, 2012, limits the reach of computer crime prosecutions under the National Stolen Property Act (“NSPA”) and the Economic Espionage Act of 1996 (“EEA”).  Sergei Aleynikov was convicted of violating both acts based on his theft and transfer of his company’s proprietary source code.  Aleynikov was a computer programmer at Goldman Sachs, where he developed source code for the company’s proprietary high-frequency trading (“HFT”) system.  Goldman’s policies bound Aleynikov to keep the firm’s proprietary information confidential and barred him from taking or using it when his employment ended.  Aleynikov accepted an offer from a new company that was looking to develop its own HFT system.  On his last day at Goldman, Aleynikov uploaded source code for Goldman’s HFT system to a server in Germany, which he then downloaded to his home computer for use at his new job. 

Aleynikov was sentenced to 97 months in prison.  He appealed, arguing that the district court should have dismissed his indictment for failure to state an offense.  The Second Circuit reversed his conviction on both counts, finding that his conduct did not constitute an offense under either statute.  (Aleynikov has also been charged with a criminal violation of the CFAA, but the district court had dismissed that charge on the ground that “authorized use of a computer in a manner that misappropriates information is not an offense” under the act.  This ruling predates the similar en banc Nosal decision discussed above, and the government did not appeal the ruling.)

The NSPA criminalizes transmittal of a stolen “good” in interstate or foreign commerce.  The Second Circuit held that source code is not a “good,” and therefore, “the theft and subsequent interstate transmission of purely intangible property is beyond the scope of the NSPA.”  The court “decline[d] to stretch or update statutory words of plain and ordinary meaning in order to better accommodate the digital age.”  Significantly, the court noted that a different conclusion might apply if the stolen source code had been removed from Goldman’s premises on a tangible item, like a CD or flash drive, instead of having been stolen through uploading to an off-premises server.

The EEA prohibits the unauthorized downloading, uploading, transmitting, or conveying of trade secrets related to or included in a product that is produced for or placed in interstate or foreign commerce, with the intent to convert the trade secret, while intending or knowing that the offense will injure the owner of the trade secret.  On this count, the Second Circuit held that Goldman’s HFT system was neither “produced for” nor “placed in” interstate commerce because Goldman had no intention of selling or licensing the system and, in fact, “went to great lengths to maintain the secrecy of its system.” 

Although neither the NSPA nor EEA provides for a private right of action, we think it is possible the rationales of these decisions could influence civil litigation involving misuse of an employer’s computer system, including, in particular, civil litigation under the CFAA based on violations of website terms of service or employee policies.  For examples of previous such cases, see, e.g., Am. Online, Inc. v. LCGM, Inc. and EF Cultural Travel BV v. Explorica, Inc. In most of these cases, it appears that the defendant was authorized to access the website or system in question, but misappropriated the data on those websites or systems.  In addition to limiting criminal exposure, the Ninth Circuit’s interpretation of “exceeds authorized access” in Nosal may be construed to undermine this basis for a civil suit.  Watch these pages for further reports on these issues.