4Chan.org Suffers DDOS Attack

4Chan.org, a series of image boards known for controversial content, has been shut down by a distributed denial of service attack.
I know what you’re thinking: What else is new? Hackers and others who can’t stand its messages have frequently targeted the image forums on 4Chan.org. But as a fan of 4Chan, it saddens me to see such a funny (though oftentimes off-color) collective go offline again – yet I know that this won’t be the last time it happens.

A DDOS attack occurs when one party targets a Web site and floods the site’s server(s) with excessive traffic to the point that regular and new visitors cannot access it.

The culprit, according to MikeAbundo.com, is Joe Biaso, a 16-year-old hacker. Known as “pacifico,” Biaso posted a video that shows him taunting 4Channers to try and telephone him and e-mail him.

“Have your fun, haven’t gotten much lately,” Biaso said in the video.

Suspecting Biaso as the one responsible for the attacks, 4Chan members have posted personal information about Biaso on the Internet, including his address.

A blog run by 4Chan creator Christopher Poole announced that the mega-image site was down because of the DDOS attack. The 4Chan status blog noted that the DDOS attack was ongoing.

“Remember kids: DDOS is cruise control for cool,” the most recent blog post read.

The DDOS attack was first reported on Monday, July 21. As of today 4Chan.org is still out of service.

4Chan has faced DDOS attacks in the past. In December 2007, the site suffered a DDOS attack on a smaller scale and returned online within a few hours.

4Chan has also made headlines through its members known as “Anonymous.” Early this year, members of Anonymous protested worldwide against the Church of Scientology, after learning that a video of Tom Cruise endorsing the church had been pulled from YouTube because of copyright issues.

Media outlet Fox News also reported on Anonymous’ activities, calling them “hackers on steroids.”

Established in October 2003, 4Chan is a collective of images posted by individuals from all over the world, sometimes establishing what are known as “memes.” Memes, also known as “Internet phenomena,” are sometimes catchy and outrageous phrases that are tagged to a photo (oftentimes edited via means like Photoshop).

Some memes include “Divide By Zero,” a calculation that would certainly bring about fantastic destruction and chaos. Another famous meme is the “O RLY” meme, which abbreviates the phrase “Oh, really?” and often tags a photo of a white owl.

The Tagged.com Spam Cases: New York and Texas Attorney General Actions Show the Effectiveness of States’ Retained Powers to Regulate Spam

The enactment of the Federal CAN-SPAM Act preempted many State laws that attempted to prohibit marketers from sending mass commercial emails. However, CAN-SPAM did leave one key area of enforcement open to the states. The State may still enforce laws restricting commercial emails to the extent that such laws prohibit “falsity or deception.” 15 U.S.C. § 7707(b)(1). However, this exception is proving about as narrow as the Grand Canyon.

The latest examples of State enforcement of spam are the actions by the New York and Texas Attorneys General against Tagged, Inc., which were both resolved in the past week. See Attorney General of New York, Internet Bureau, In the matter of: Tagged, Inc., Assurance of Discontinuance (Nov. 6, 2009), Texas v. Tagged, Inc., Travis County District Court, No. D-1-GV-09-002032, Agreed Final Judgment and Permanent Injunction (Nov. 9, 2009).

Tagged, which was founded by serial Internet entrepreneur Greg Tseng, has been reported to be the third-largest social networking site in the world by Hitwise. While its market share traffic is still a fraction of that enjoyed by Facebook and MySpace, according to Hitwise, it is in a major growth phase, and has increased its share by 47% from September 2008 to September 2009. Id.

However, according to the statements made by the New York and Texas AGs, much of this growth was due to Tagged’s deceptive marketing and spamming practices. These practices allegedly included the following:

• Tagged allegedly accessed the email address books of visitors, without clear and conspicuous disclosure that this was occurring, or obtaining permission. Tagged then used these contacts to initiate a campaign to sign up additional members.

• It sent invitation email messages to visitor contacts that falsely stated that a person who had signed up on Tagged had sent photos to the recipient that could be viewed on Tagged. According to the New York AG, “In reality . . . Tagged generated the email invitation automatically without regard to whether the person had ever uploaded photographs to Tagged.com or intended to share them with her contacts.”

• Even though the invitation emails were generated by Tagged, Tagged inputted the name and email address of the person who had registered at Tagged in the “from” field of each email. If the registrant had uploaded a photo, the invitation emails also included this photo.

• The invitation message body included a box for the recipient to click “yes” or “no” in response to whether she wanted to view the photos. The message also said “Please respond or [name] may think you said no :(” — despite the fact that the registrant had nothing to do with the sending of the invitation email. The purpose of this was to play on the emotions of the recipient, falsely suggesting that their friend’s feelings might be hurt if they did not visit the Tagged site and view the photos.

Golan v. Holder: Colorado Federal Court Finds that Federal Law Restoring Expired

A number of press reports have given the impression that the Colorado District Court’s ruling in Golan v. Holder (fn1) means that Federal laws reviving expired copyrights violate First Amendment protections on free speech. The actual ruling is far narrower.

In 1993, Congress enacted 17 U.S.C. Section 104A, to permit foreign authors whose copyrights had fallen into the public domain for technical reasons (such as by failing to renew the copyright with the U.S. Copyright Office) to restore their copyrights. Section 104A solely permitted “restoration” of copyright protection for works from “a nation other than the United States.” (fn2) Section 104A was added after the United States joined the Berne Convention for the Protection of Literary and Artistic Works — a treaty first enacted in 1886, but not joined by the U.S. until 1988. Article 18 of the Convention requires member nations to provide copyright protections to works by foreign authors so long as the term of protection in the country of origin has not expired as to the work.

The plaintiffs were U.S. artists who used works by foreign artists that had been in the public domain before 1994, such as Sergei Prokofiev’s “Peter and the Wolf.” The plaintiffs claimed that after Section 104A was enacted, they were subjected to higher performance fees, sheet music rentals and other royalties. In some cases, these costs were prohibitive. (fn3)

The Golan case was the brainchild of Stanford Law professor, founder and co-director of the Center for Internet and Society and Director of the Fair Use Project, Lawrence Lessig. The original complaint claimed that Section 104A shrunk the public domain and thereby violated the limitations on congressional power inherent in the Copyright Clause, and violated First Amendment rights to free expression. The Colorado District Court originally rejected these claims. However, on appeal, the Tenth Circuit found that a legitimate First Amendment claim existed and remanded the case for First Amendment analysis.

The basis for the Tenth Circuit’s ruling was the U.S. Supreme Court ruling in Eldred v. Ashcroft (fn4), in which the Supreme Court stated that a Congressional act modifying copyright law might be subject to First Amendment scrutiny if it “altered the traditional contours of copyright protection.” (fn5) While the Tenth Circuit could not find federal authority that explained the phrase “traditional contours”, it concluded that the traditional contours of copyright protection included the principle that “works in the public domain remain there.” (fn6) It based this on the notion that the general sequence is that copyrighted works have always progressed from “1) creation; 2) to copyright; 3) to the public domain” and that Section 104A changed this sequence. (fn7)

Tort Liability from Data Thefts: The Race is to the Swift

A thief breaks into the corporate headquarters of your digital media company and steals a laptop. He uses the laptop to gain access to your customers’ files, and gleans sensitive information, including their driver’s license data, social security numbers and bank account data. Can you be liable to customers for this theft? The answer, at present, is theoretically “yes”, but in many cases, “no” — if you take the right steps.

Many states have statutes protecting personal information of consumers. For example, the California Civil Code requires businesses to: (i) destroy personal information when it is no longer to be retained by the business; (ii) “implement and maintain reasonable security procedures” to protect personal information from unauthorized access; (iii) disclose any breach of security which has caused disclosure of personal information, and (iv) disclose any personal information provided to third parties on the consumer’s request. (Fn 1) The Civil Code provides that a customer may sue to recover damages, as well as injunctive relief, for any violation of these rules. (Fn 2)

So if a thief steals your customer data, and your failure to meet these standards causes your customers to suffer losses — yes — you can be found liable.

But, while these laws have been on the books for about five years, they do not seem to have resulted in a lot of large judgments. There are no reported appellate cases directly dealing with any of them and few unreported court orders mention them.

One reason for this may be the sheer economics of consumer rights litigation. Most consumer rights cases involve small dollars. Because the plaintiff generally must bear his own attorneys’ fees, few cases hold the promise of a sufficiently large recovery to warrant paying the fees to win the case. This is why the real action in consumer rights cases is in consumer class actions. Combining thousands or millions of cases together can yield sufficient damages to justify the attorney time expended. In addition, bringing a case as a class action may give plaintiffs an argument that they are also entitled to an attorney fee award under state statutes awarding fees for actions taken in the public interest or in defense of civil rights. (Fn 3)

However, even data theft cases brought as class actions have faced significant hurdles. This is mainly because the lead plaintiffs have often been unable to allege actual injuries resulting from the cyber security breach.

Will Cloud Computing Create a Thunderstorm?: Loophole Permits Private Emails and other Digital Data Stored by Third Parties to Be Divulged to the Public without Stored Communications Act Liability

As data storage moves from equipment controlled by its authors into the “cloud” — storage on equipment controlled by third parties — there is an increased risk that unauthorized third parties will access this data and use it for nefarious purposes. The Stored Communications Act (“SCA”, 18 U.S.C. § 2701 et seq.) is widely thought to provide protection from disclosure for emails and other private data that are in such electronic storage. However, a less-known loophole in the SCA can permit stored information to be accessed without the author’s permission and then divulged to competitors, to adversaries, to strangers, or to the general public, without liability under the SCA.

The SCA provides that any person who intentionally accesses stored electronic communications without authorization or beyond the scope of his authorization is subject to civil and criminal penalties. 18 U.S.C. § 2701(a), (b). However, there are two important exceptions to this protection:

Even if an author of a communication has not authorized a third party to access that communication, the SCA provides that this unauthorized third party is immune from liability if he/she was authorized to gain access by the provider of the electronic communications service — such as the ISP or the business that operates the network. The SCA further provides that an unauthorized third party is also immune if he/she has been given permission to access the communication by a user of the service on which the communication is stored — such as a member of a private website, such as a MySpace page.

This means that even if the author has not consented for anyone except for the recipients to access his/her private emails, a lot of people could still be looking at them, copying them and doing who knows what else to them — with SCA-immunity.

That sounds bad enough. However, the next section in the SCA — Section 2702 — opens the door to unauthorized disclosure even wider.

Zango, Inc. v. Kaspersky Lab, Inc.: The Ninth Circuit Gets to the Right Destination But By the Wrong Route

The Ninth Circuit’s recent ruling in Zango, Inc. v. Kaspersky Lab, Inc. is one of the few that directly deal with the provisions in the Communications Decency Act that provide immunity from suit for the screening activities of internet service providers. The relevant section, 47 U.S.C. § 230(c)(2), provides as follows:

“No provider or user of an interactive computer service shall be held liable on account of —

(A) any action voluntarily taken in good faith to restrict access to or availability of material that the provider or user considers to be obscene, lewd, lascivious, filthy, excessively violent, harassing, or otherwise objectionable, whether or not such material is constitutionally protected; or

(B) any action taken to make available to information content providers or others the technical means to restrict access to material described in paragraph [A].”

The plaintiff in the case, Zango, Inc., is a now-defunct Internet entertainment company that provided access to a catalog of online videos, games and music to users who agreed to view advertisements while surfing the internet. The defendant, Kaspersky Lab, Inc., is still alive and kicking, and is a Moscow-based firm which bills itself as “a leading anti-virus software and Internet Security software solution for your home computer or business.”

According to the court, Kaspersky’s software classified Zango as “adware,” a type of malware. Once installed on a user’s computer, adware monitors a user’s browsing habits and causes “pop-up” ads to appear throughout the browsing session. Adware can open up links with websites that themselves contain malware that can infect a personal computer. Kaspersky’s software disabled key features of Zango’s software and through a series of routines, ultimately blocked the use of Zango.

Zango sued Kaspersky, seeking an injunction against its blocking activities. In defense, Kaspersky invoked the protection of §230(c)(2)(B), cited above.

The Ninth Circuit concluded that Kaspersky was “plainly immunized” by the Communications Decency Act. This conclusion was based on its analysis of §230(c)(2)(B) and two related definition sections: § 230(f)(2) which defines the term “interactive computer service” to mean any “information service, system, or access software provider that provides or enables computer access by multiple users to a computer server . . .”; and § 230(f)(4) which defines the term “access software provider” to include providers of software that filter content.

Combining these three sections, the Court concluded that a provider of filtering software or services may not be held liable for any action taken to make its filtering software available “so long as the provider enables access by multiple users to a computer service.” The Court then noted that Kaspersky “provides or enables computer access by multiple users to a “computer server” by providing its customers with online access to its update servers.”

Court Case Teaches Two Lessons in Domain Name Management

From the Ninth Circuit Court of Appeals (and Eric Goldman’s always-excellent blog) comes a cautionary tale of how not to handle a domain name.

First, don’t let an individual register your company domain name in his or her personal name. In DSPT Int’l v. Nahum, the Founder of DSPT Int’l (“DSPT”), a clothing importer and distributor, brought in a Partner to help evolve the brand. Partner’s brother handled the Web site design and then registered the domain in Partner’s (but not the company’s) name. This became a problem for the company when Partner left to go to work for a competitor – and Partner had the ability to (and, in fact, did) shut down DSPT’s heavily trafficked site.

Second, don’t hold the domain hostage in order to lever up your position in a business dispute. Here, Partner alleged that Founder and the company owed him several thousand dollars in commissions. Founder disagreed. Soon after Partner left, as the court noted, DSPT’s Web site “mysteriously disappeared.”

DSPT sued Partner, alleging, among other things, that Partner had violated the Anticybersquatting Consumer Protection Act (“ACPA” — which is part of the federal Lanham Act). At trial, Partner testified that “he would transfer the domain to DSPT after [Partner] and DSPT were able to resolve the ‘monetary issues regarding [Partner’s] commissions.’” A jury found that Partner had violated ACPA and awarded DSPT $152,000 for lost sales and other damages. Partner appealed, seeking to overturn the jury verdict.

The question on appeal was whether Partner’s decision to hold the domain and Web site hostage constituted “registration or use” with “a bad faith intent to profit from plaintiff’s mark” under ACPA. Partner argued his conduct was not prohibited by ACPA — that “he used DSPT’s mark to gain leverage over DSPT in bargaining for money he claimed he was owed, not to sell under DSPT’s mark or sell the mark to DSPT.”

The appeals court affirmed the trial court and ruled that Partner had violated ACPA. The court noted that while ACPA “was intended to prevent cybersquatters from registering well-known brand names as internet domain names in order to make the trademark owners buy the ability to do business under their own names,” the statute was, nevertheless, “written more broadly than what may have been the political catalyst that got it passed.” As a result, the court ruled that “[i]t is bad faith to hold a domain name for ransom where the holder uses it to get money from the owner of the trademark rather than to sell goods.”

U.S. v. Kilbride: 9th Circuit’s Holding that Internet Obscenity Laws Should Be Governed by a National Standard Rests on Shaky Grounds

Digital media law: The 9th Circuit has done it again. In its ruling last week in U.S. v. Kilbride, the 9th Circuit announced that “a national community standard must be applied in regulating obscene speech on the Internet, including obscenity disseminated by email.” (Case Nos. 07-10528, 07-10534, October 28, 2009). The 9th Circuit stated that its holding followed the view expressed by a majority of U.S. Supreme Court Justices in Ashcroft v. ACLU, 535 U.S. 564 (2002) that application of a national community standard in Internet obscenity cases would not “generate serious constitutional concerns.”

The Justices said no such thing. To the contrary, Justice Kennedy, whom the 9th Circuit includes in the majority supposedly agreeing with its holding, wrote that “it is neither realistic nor beyond constitutional doubt for Congress, in effect, to impose the community standards of Maine or Mississippi on Las Vegas and New York” through a national obscenity law. Ashcroft v. ACLU, 535 U.S. at 597. If the U.S. Supreme Court takes the appeal of Kilbride, the 9th Circuit’s ruling here could well be reversed.

The Kilbride case involves the appeal of the criminal convictions of two spammers, Jeffrey Kilbride and James Schaffer, who distributed two sexually explicit images via email throughout the U.S. The Defendants’ spam operation was enormous and generated some 662,000 complaints to the FTC from persons around the country.

The Defendants were ultimately charged with violations of two Federal obscenity laws — 18 U.S.C. §§ 1462 and 1465, which prohibit the importation into the U.S., and the transportation in interstate commerce, of “obscene, lewd, lascivious, or filthy” books, pictures and other media. Both statutes apply to distribution of materials via the Internet, and specifically include distribution via an “interactive computer service,” as defined by the Communications Decency Act. A conviction under Section 1465 has been upheld for images sent from a computer bulletin board in one state to a personal computer in another state. U.S. v. Thomas, 74 F.3d 701 (6th Cir. 1996).

Prior U.S. Supreme Court decisions have held that obscenity is to be determined by the standards of the local community in which the publication was made. However, in Kilbride, the Defendants were prosecuted for their national distribution of obscene materials. As part of its case, the government called eight witnesses from various parts of the country who had filed complaints with the FTC about the Defendants’ emails. These witnesses testified about the circumstances under which they had received the Defendants’ emails, their reaction and attitudes towards these images and their views on pornography generally. The government also introduced evidence regarding the 662,000 other complaints they had received about the images. For its part, the defense introduced evidence regarding community attitudes towards pornography drawn solely from Arizona — the judicial district where the case was prosecuted.

At the close of evidence, the jury was instructed that it should use the standards of the “community as a whole, that is to say by society at large, or people in general” in determining whether the images distributed by the Defendants were obscene. This community was “not defined by a precise geographic area”, so the jury could consider evidence of standards existing outside Arizona. They were also told that they could consider their “own experience and judgment” as well as the evidence presented in making this determination. The jury ultimately returned a verdict finding the Defendants guilty under the two statutes.

On appeal to the 9th Circuit, the Defendants argued that these instructions were improper, because they asked the jury to apply a global or societal standard for obscenity. The Defendants claimed that because the distribution of the emails was made nationally, the District Court should have instructed the jury to apply a “national” obscenity standard.

The 9th Circuit agreed that the Defendants had a point. It cited a 2002 plurality U.S. Supreme Court decision regarding the Child Online Protection Act (COPA), in which two Justices, O’Connor and Breyer, had stated that a “national standard” should be used for laws involving distribution of obscene material over the Internet. Ashcroft v. ACLU, 535 U.S. 564, 122 S.Ct. 1700 (2002). Justice O’Connor stated that community standards for obscenity vary greatly throughout the country. However, persons using the Internet to publish materials are unable to control the geographic location of their audience. As a result, requiring Internet publishers to hold to a “local community” standard for obscenity, would require them to adopt the most restrictive view of obscenity taken by any community in the country. In Justice O’Connor’s view, this would “potentially suppress an inordinate amount of expression.” Id. at 587.

Frustration for Consumers Seeking to Recover from a Retailer in a Maine Data Theft Case

Consumer suits against retailers for losses from data thefts face many hurdles to recovery. A recent illustration is the court’s dismissal of virtually all claims brought by customers of Hannaford, a supermarket chain based in Maine. (In re Hannaford Bros. Co. Customer Data Security Breach Litigation, U.S. District Court, District of Maine, MDL Docket No. 2:08-MD-1954).

From December 2007 through March 2008, “wrongdoers” (apparently a less malevolent class of miscreant than the “evildoers” faced by President Bush) gained access to Hannaford’s information technology systems. The thieves stole some 4.2 million debit and credit card numbers, expiration dates, security codes, PIN numbers and other customer information. They were able to use this information to rack up an undisclosed amount of charges on customer accounts. Hannaford apparently discovered the security breach, but delayed before warning its customers, who continued to use their credit and debit cards for some time before the breach was closed.

The customers sued in the U.S. District Court in Maine and sought certification as a class action. They brought claims for breach of implied contract, breach of implied warranty, breach of fiduciary duty, breach of a Maine statute requiring disclosure to customers of a data security breach, strict liability, negligence, and unfair trade practices.

District Court Judge Hornby first analyzed the plaintiffs’ ability to recover under each of these causes of action, rejecting all but the breach of implied contract, negligence and unfair trade practice theories. The Court found that under Maine law, a contract includes “all such implied provisions as are indispensable to effectuate the intention of the parties.” When a customer gives a merchant his debit or credit card information, the parties assume that “the merchant will not use the card data for other people’s purchase, will not sell or give data to others, and will take reasonable measures to protect the information.” This duty supported both the breach of implied contract and negligence claims against the merchant.

The court also found that Hannaford could be subject to suit under Maine’s unfair competition law. The Maine statute appears to be rather broad (broader than the California UCL) because it permits a consumer who purchases goods or services and “suffers any loss of money or property” as a result of an unfair or deceptive act to sue for “actual damages, restitution” and equitable relief. Here, the plaintiffs claimed that Hannaford failed to disclose the data breach for several months, which caused customers who continued to use plastic at the store to suffer data losses. The court concluded that Hannaford’s inaction justified a UCL claim.

Management Information Apply Only to Automatic, Computerized Copyright Management Systems

Among the anti-circumvention rules in the Digital Millennium Copyright Act (DMCA) are prohibitions against the removal or alteration of “copyright management information.” (17 USC §1202). While the popular understanding of the DMCA is that its provisions are specifically targeted to digital media, the definition of “copyright management information” appears very broad and includes:

• The title and other information identifying a work, including the information set forth in a notice of copyright.
• The name(s) and other identifying information of the author, owner and/or performer of the work.
• Terms and conditions for use of the work, and
• Identifying numbers or symbols referring to such information or links to such information.

At face value, nothing about these definitions appears to limit “copyright management information” to digital or other electronic information. However, the earliest District Court cases decided that Congress had intended to limit this provision to “automated copyright management systems functioning within a computer network environment.” IQ Group, Ltd. v. Wiesner Publishing, LLC, 409 F.Supp.2d 587, 596 (D. New Jersey 2006); Textile Secrets International, Inc. v. Ya-Ya Brand Inc., 524 F.Supp.2d 1184 (C.D. Cal. 2007). Among technological measures that these decisions indicated would qualify under this standard were electronic envelopes and digital watermarks. This interpretation was followed, without significant comment, in another recent Southern District of New York decision. See Silver v. Lavandeira, Southern District of New York, 08 Civ. 6522 (JSR) (January 7, 2009 Magistrate’s Report and Recommendation).

That early trend is meeting some resistance. In March 2007, a court in the Western District of Pennsylvania held that Section 1202(c) defines “copyright management information” broadly to include “any” of the information set forth in its defined categories, whether digital or not. McClatchey v. Associated Press, 2007 WL 776103 (W.D. Pa. 2007). This meant that cropping the title, author’s name and copyright notice on printouts of photographs could violate this provision of the DMCA. In February 2009, directly rejecting the IQ Group and Textile Secrets rulings, a court in the Southern District of New York stated that the phrase “the technological measures of automated systems” is not found in the statute. As such, it found that the statute could cover manual removal of copyright information. See Associated Press v. All Headline News Corp., Southern District of New York, 08 Civ. 323 (PKC) (February 17, 2009 Memorandum and Order).

It is too early to tell how this split will be resolved. If the broader view of the statute is accepted, it could substantially change the requirements even for fair use of copyrighted information. Under the statute, removal or alteration of copyright information is prohibited “without the authority of the copyright owner or law” — without exception. Section 1202(b).