Justia Internet Law Opinion Summaries

Paige Thompson committed a significant data breach, hacking into Amazon Web Services (AWS) customers' accounts, stealing data from at least 30 entities, and causing tens of millions of dollars in damage. She also used the stolen credentials to mine cryptocurrency, further increasing the financial impact on the victims. Thompson was arrested after she revealed her activities to a cybersecurity professional, leading to an FBI investigation.The United States District Court for the Western District of Washington calculated Thompson's sentencing range under the Federal Sentencing Guidelines to be 168 to 210 months of imprisonment. However, the court granted a substantial downward variance, sentencing her to time served (approximately 100 days) and five years of probation. The court emphasized Thompson's personal history, including her transgender identity, autism, and past trauma, as significant factors in its decision.The United States Court of Appeals for the Ninth Circuit reviewed the case and found that the district court overemphasized Thompson's personal story and failed to properly weigh several of the 18 U.S.C. § 3553(a) factors. The appellate court held that the district court's findings regarding Thompson's lack of malicious intent, her remorse, and the seriousness of her actions were clearly erroneous and not supported by the record. The Ninth Circuit also noted that the district court did not adequately consider the need for general and specific deterrence or the risk of unwarranted sentencing disparities.The Ninth Circuit vacated Thompson's sentence and remanded the case for resentencing, instructing the district court to properly weigh all relevant factors and provide a more substantial justification for any variance from the Guidelines. View "USA V. THOMPSON" on Justia Law

Joseph Sullivan, the former Chief Security Officer for Uber Technologies, was convicted of obstruction of justice and misprision of a felony. The case arose from Sullivan's efforts to cover up a significant data breach at Uber while the company was under investigation by the Federal Trade Commission (FTC) for its data security practices. The breach involved hackers accessing and downloading sensitive information from Uber's servers. Sullivan and his team tracked down the hackers and had them sign a non-disclosure agreement (NDA) in exchange for a payment, recharacterizing the hack as part of Uber's Bug Bounty Program.The United States District Court for the Northern District of California presided over the trial, where a jury found Sullivan guilty. Sullivan appealed, challenging the jury instructions, the sufficiency of the evidence, and an evidentiary ruling. He argued that the district court erred in rejecting his proposed jury instructions regarding the "nexus" requirement for the obstruction charge and the "duty to disclose" instruction. He also contended that the evidence was insufficient to support his misprision conviction and that the court improperly admitted a guilty plea agreement signed by one of the hackers.The United States Court of Appeals for the Ninth Circuit reviewed the case and affirmed the district court's decisions. The court held that Ninth Circuit precedent foreclosed Sullivan's argument regarding the "nexus" instruction and that the district court did not err in rejecting it. The court also found that the omission of the "duty to disclose" instruction was proper, as the theories of liability under Section 1505 and Section 2(b) were conjunctive. The court concluded that the evidence was sufficient to support Sullivan's misprision conviction and that the district court did not abuse its discretion in admitting the hacker's guilty plea agreement. The Ninth Circuit affirmed Sullivan's conviction. View "USA V. SULLIVAN" on Justia Law

A cyberattack on California Pizza Kitchen, Inc. (CPK) in September 2021 compromised the personal information of over 100,000 former and current employees. This led to multiple class action lawsuits against CPK, alleging negligence and other claims. The consolidated plaintiffs reached a settlement with CPK, offering cash payments and credit monitoring services to class members, with CPK required to make payments only to those who submitted valid claims. The settlement's monetary value was estimated at around $950,000, while the attorneys sought $800,000 in fees.The United States District Court for the Central District of California approved the settlement but reserved judgment on the attorneys' fees until after the claims process concluded. The consolidated plaintiffs reported a final claims rate of 1.8%, with the maximum monetary value of the claims being around $950,000. Despite expressing concerns about the scope of attorneys' fees, the district court ultimately awarded the full $800,000 in fees and costs.The United States Court of Appeals for the Ninth Circuit reviewed the case and affirmed the district court's approval of the class settlement, finding that the district court had properly applied the heightened standard to review the settlement for collusion and had not abused its discretion in finding the settlement fair, reasonable, and adequate. However, the Ninth Circuit reversed the fee award, noting that the district court had not adequately assessed the actual value of the settlement and compared it to the fees requested. The case was remanded for the district court to determine the settlement's actual value to class members and award reasonable and proportionate attorneys' fees. View "IN RE: CALIFORNIA PIZZA KITCHEN DATA BREACH LITIGATION" on Justia Law

An underage user of the Grindr application, John Doe, filed a lawsuit against Grindr Inc. and Grindr LLC, alleging that the app facilitated his sexual exploitation by adult men. Doe claimed that Grindr's design and operation allowed him to be matched with adults despite being a minor, leading to his rape by four men, three of whom were later convicted. Doe's lawsuit included state law claims for defective design, defective manufacturing, negligence, failure to warn, and negligent misrepresentation, as well as a federal claim under the Trafficking Victims Protection Reauthorization Act (TVPRA).The United States District Court for the Central District of California dismissed Doe's claims, ruling that Section 230 of the Communications Decency Act (CDA) provided Grindr with immunity from liability for the state law claims. The court also found that Doe failed to state a plausible claim under the TVPRA, as he did not sufficiently allege that Grindr knowingly participated in or benefitted from sex trafficking.The United States Court of Appeals for the Ninth Circuit reviewed the case and affirmed the district court's dismissal. The Ninth Circuit held that Section 230 barred Doe's state law claims because they implicated Grindr's role as a publisher of third-party content. The court also agreed that Doe failed to state a plausible TVPRA claim, as he did not allege that Grindr had actual knowledge of or actively participated in sex trafficking. Consequently, Doe could not invoke the statutory exception to Section 230 immunity under the Allow States and Victims to Fight Online Sex Trafficking Act of 2018. The Ninth Circuit affirmed the district court's dismissal of Doe's claims in their entirety. View "DOE V. GRINDR INC." on Justia Law

A claim of genericness or "genericide," where the public appropriates a trademark and uses it as a generic name for particular types of goods or services irrespective of its source, must be made with regard to a particular type of good or service.Plaintiffs petitioned for cancellation of the GOOGLE trademark under the Lanham Act, 15 U.S.C. 1064(3), based on the ground that it is generic. The Ninth Circuit affirmed the grant of summary judgment in favor of Google, Inc., holding that plaintiffs failed to recognize that a claim of genericide must always relate to a particular type of good or service, and that plaintiffs erroneously assumed that verb use automatically constitutes generic use; the district court correctly framed its inquiry as whether the primary significance of the word "google" to the relevant public was as a generic name for internet search engines or as a mark identifying the Google search engine in particular; the assumption that a majority of the public uses the verb "google" in a generic and indiscriminate sense, on its own, could not support a jury finding of genericide under the primary significance test; and plaintiffs have failed to present sufficient evidence in this case to support a jury finding that the relevant public primarily understands the word "google" as a generic name for internet search engines and not as a mark identifying the Google search engine in particular. View "Elliott v. Google, Inc." on Justia Law

Mavrix filed suit against LiveJournal for posting 20 of its copyrighted photographs online. The district court granted summary judgment for LiveJournal, holding that the Digital Millennium Copyright Act's (DMCA), 17 U.S.C. 512(c), safe harbor protected LiveJournal from liability because Mavrix's photographs were posted at the direction of the user. In this case, when users submitted Mavrix's photographs to LiveJournal, LiveJournal posted the photographs after a team of volunteer moderators led by a LiveJournal employee reviewed and approved them. The court disagreed with the district court and concluded that the common law of agency does apply to this analysis and that there were genuine factual disputes regarding whether the moderators were LiveJournal's agents. Therefore, the court reversed and remanded for trial. The court addressed the remaining issues that the district court addressed because these issues may be contested on remand. On remand, the district court must determine whether LiveJournal met the section 512(c) safe harbor threshold requirement by showing that the photographs were posted at the direction of the user, then LiveJournal must show that it lacked actual or red flag knowledge of the infringements and that it did not financially benefit from infringements that it had the right and ability to control. View "Mavrix Photographs, LLC v. LiveJournal, Inc." on Justia Law

Plaintiff, the developer of the computer code for the original John Madden Football game for the Apple II computer, filed a diversity action against EA, seeking contract damages in the form of unpaid royalties for Sega Madden and Super Nintendo Madden. The court concluded that the district court properly granted judgment as a matter of law (JMOL) to EA under the "intrinsic test" because the jury had no evidence of Apple II Madden or Sega Madden as a whole to enable it to make a subjective comparison. In this case, plaintiff's claims rest on the contention that the source code of the Sega Madden games infringed on the source code for Apple II Madden. But, none of the source code was in evidence. The jury therefore could not compare the works to determine substantial similarity. The court rejected plaintiff's argument that EA’s post-verdict Rule 50(b) motion for JMOL regarding the intrinsic test should not have been considered. The court also concluded that the district court did not err in dismissing the Super Nintendo derivative work claims where the Apple II and Super Nintendo processors have different instruction sizes and data word sizes; the court agreed with the district court that the jury could not have determined plaintiff's damages from the alleged breach to a reasonable certainty; and even if the district court erred, there was no harm because plaintiff's failure to introduce any source code precluded a finding that Super Nintendo Madden was a Derivative Work. Finally, the court concluded that the district court correctly dismissed the claim that EA used development aids to create non-derivative works because the claim is unsubstantiated. Accordingly, the court affirmed the judgment. View "Antonick v. Electronic Arts, Inc." on Justia Law

Plaintiff, owner of a locksmith business, filed suit against Yelp, alleging that Yelp is responsible for causing a review from another site to appear on its page, providing a star-rating function that transforms user reviews into Yelp’s own content, and “caus[ing] [the statements] to appear” as a promotion on Google’s search engine. Section 230 of the Communications Decency Act (CDA), 47 U.S.C. 230(c), “immunizes providers of interactive computer services against liability arising from content created by third parties.” In this case, the threadbare allegations of fabrication of statements are implausible on their face and are insufficient to avoid immunity under the CDA. The court also concluded that Yelp’s rating system, which is based on rating inputs from third parties and which reduces this information into a single, aggregate metric is user-generated data. Nor do plaintiff's arguments that Yelp can be held liable for “republishing” the same content as advertisements or promotions on Google survive close scrutiny. The court concluded that, just as Yelp is immune from liability under the CDA for posting user-generated content on its own website, Yelp is not liable for disseminating the same content in essentially the same format to a search engine, as this action does not change the origin of the third-party content. The court noted that proliferation and dissemination of content does not equal creation or development of content. View "Kimzey v. Yelp!" on Justia Law

Facebook filed suit against Power over a promotional campaign where Power accessed Facebook users’ data and initiated form emails and other electronic messages promoting its website. The court concluded that Power did not violate the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM), 15 U.S.C. 7706(g)(1), because neither e-mails nor internal messages sent through Power’s promotional campaign were materially misleading. Therefore, the court reversed the district court's judgment as to this claim and remanded for entry of judgment for defendants. The court held that a defendant can run afoul of the Computer Fraud and Abuse Act of 1986 (CFAA), 18 U.S.C. 1030(a)(2)(C), when he or she has no permission to access a computer or when such permission has been revoked explicitly. The court also held that a violation of the terms of use of a website - without more - cannot be the basis for liability under the CFAA. In this case, after receiving the cease and desist letter from Facebook, Power intentionally accessed Facebook’s computers knowing that it was not authorized to do so, making Power liable under the CFAA. Therefore, the court affirmed in part the holding of the district court with respect to the CFAA. The court also affirmed in part the district court’s holding that Power violated California Penal Code section 502 where Power knowingly accessed and without permission took, copied, and made use of Facebook’s data; affirmed the district court’s holding that Power's CEO, Steven Vachani, is personally liable for Power’s actions; and affirmed the discovery sanctions imposed against Power for non-compliance during a Rule 30(b)(6) deposition. However, the court vacated the injunction and the award of damages, remanding the case to the district court to reconsider appropriate remedies. View "Facebook, Inc. v. Vachani" on Justia Law

Telesocial, a San Francisco start-up, entered into a non-disclosure agreement (NDA) regarding a possible agreement to acquire Telesocial's software application named "Call Friends." This dispute stems from Telesocial's allegations that Orange violated federal and state laws by stealing Telesocial's technology to create its own product called "Party Call." Orange and its employees seek a writ of mandamus under 28 U.S.C. 1651 directing the district court to vacate its order denying Orange’s motion to dismiss, and direct an entry of judgment dismissing Telesocial’s First Amended Complaint (FAC). The court applied the Bauman v. United States factors and concluded that the district court did not commit clear legal error in determining that the NDA did not cover the claims at issue; Orange has the ability on direct appeal to attain the relief it desires; Orange will not be prejudiced in a way that is not correctable on appeal; and the district court’s decision does not raise a novel issue that affects the international business community. Accordingly, the court denied Orange’s petition for writ of mandamus. View "Orange, S.A. v. USDC for the Northern Dist. of CA, San Francisco" on Justia Law