You recall the Ninth Circuit’s Doe v. ModelMayhem (Doe #14 v. Internet Brands) ruling from earlier this year. It held that a website couldn’t invoke Section 230 against a claim that the site should have warned its users about potential risks of offline harm. Internet Brands requested another rehearing by the panel or a rehearing en banc, and the Ninth Circuit declined the request earlier this week. I’m not sure if the defense will now appeal to the U.S. Supreme Court or challenge the lawsuit on its (lack of) merits back in the district court.
Many experts still think that it’s almost impossible for plaintiffs to prove that websites owe a special duty to their users, in which case failure-to-warn claims will fail on prima facie elements. If that’s where we’re headed, Section 230 is an appropriate and more efficient way of achieving the same outcome (see Doe v. MySpace). There are a virtually infinite number of potential risks that a website could warn users about, and plaintiffs can always find *something* that wasn’t disclosed. Meanwhile, websites will feel more pressure to further lard up user agreements with progressively less meaningful disclosures on the chance they might dissuade future failure-to-warn cases. If you think online user agreements are already too long and filled with too many irrelevant disclosures, you ain’t seen nothing yet.
Some failure-to-warn cases are already in the court system, and the ModelMayhem ruling gave new life to those cases. Today’s ruling is one of those cases.
A US federal appeals court says the maker of an online spying tool can be sued on accusations of wiretapping. The federal lawsuit was brought by a man whose e-mail and instant messages to a woman were captured by the husband of the woman. That husband used that data as a “battering ram” as part of his 2010 divorce proceedings.
It’s the second time in a week that a federal court has ruled in a wiretapping case—in favor of a person whose online communications were intercepted without consent. The other ruling was against Google. A judge ruled that a person not using Gmail who sent e-mail to another person using Gmail had not consented to Gmail’s automatic scanning of the e-mail for marketing purposes. Hence, Google could be sued for alleged wiretapping violations.
For the moment, the two outcomes are a major victory for privacy. But the reasoning in the lawsuit against the makers of the WebWatcher spy program could have ramifications far beyond the privacy context—and it places liability on the producers of spyware tools.
Plaintiff said he was not aware of the terms and never clicked on the terms when he ordered or when he received the email. The court says that enforceability of so-called “browsewrap” agreements is something yet to be addressed by California appellate courts. (!) It looks to Specht and Nguyen, from the Second and Ninth Circuits respectively. The key question under those cases is whether the presentation of the website (the user experience) would put a reasonable consumer on inquiry notice. One way to do this is to include a hyperlink in close proximity to where the user must take action. (See Fagerstrom.) Even assuming proximity of the hyperlink to where the user must take action, courts finding these contracts enforceable have typically required something to advise the users to click on the terms. ProFlowers failed that test here. The court says:
Case citation: Long v. Provide Commerce, Inc., B257910 (Cal. Ct. App. Mar. 17, 2016).
Amy Abeloff & Robert B. Milligan
On October 20, 2015, a Ninth Circuit panel consisting of Chief Judge Sidney Thomas and Judges M. Margaret McKeown and Stephen Reinhardt heard oral argument from the U.S. Department of Justice and counsel for David Nosal on Nosal’s criminal conviction arising under the Computer Fraud and Abuse Act (CFAA). In 2013, Nosal was found to have violated the CFAA by allegedly conspiring to obtain access to company information belonging to his former employer, executive search firm Korn Ferry, through the borrowing of another employee’s login password. He was also convicted of trade secret misappropriation under the Economic Espionage Act.
Millions of websites used in e-commerce and other sensitive industries are vulnerable to remote take-over hacks made possible by a critical vulnerability that has affected the Joomla content management system for almost two years.
The SQL-injection vulnerability was patched by Joomla on Thursday with the release of version 3.4.5. The vulnerability, which allows attackers to execute malicious code on servers running Joomla, was first introduced in version 3.2 released in early November 2013. Joomla is used by an estimated 2.8 million websites.
“Because the vulnerability is found in a core module that doesn’t require any extensions, all websites that use Joomla versions 3.2 and above are vulnerable,” Asaf Orpani, a researcher inside Trustwave’s SpiderLabs, wrote in a blog post. The vulnerability, and two closely related security flaws, have been cataloged as CVE-2015-7297, CVE-2015-7857, and CVE-2015-7858.