Citysearch Click Fraud Class Action Certified — but Proving Meaningful Damages May Remain a Problem for Plaintiffs

The recent certification of a national class action in the Citysearch click fraud case represents a major victory – at least for the plaintiffs’ counsel. But whether adjudication of the case will produce significant recoveries for the plaintiffs is an open question.

The Citysearch click fraud class action (Menagerie Productions v. Citysearch, C.D. Cal., No. 2:08-cv-04263) was brought on behalf of some 10,000 advertisers on Citysearch.com websites. Citysearch operates dozens of websites that provide information about restaurants, shops, hotels and other services in individual cities around the U.S. For example, at dallas.citysearch.com, Citysearch provides information geared towards the DFW metroplex.

To earn revenue through these sites, Citysearch sells advertising. Much of this advertising is “pay-for-click”, in which advertisers only pay when visitors clicked on their ads. The complaint claims that Citysearch entered into a standard form advertising agreement for these ads which claimed that: “We connect you to customers. You pay only for results.” In its FAQ page for the agreement, Citysearch also stated as follow:

Q: How do I know that clicks to my website are legitimate?
A: Citysearch proactively researches and develops processes, policies, and technologies to identify invalid click activity with respect to our customers’ advertising. Citysearch employs advanced security filters and blocks out clicks from spiders and robots.

The two named plaintiffs, Menagerie and Redwolf, claimed that despite paying up to $1,900 in advertising fees for pay-for-click ads over a period of several months, they received no new customers. There are many legitimate reasons that an ad campaign may not generate identifiable new revenue. However, the complaint alleged that the plaintiffs’ failure to generate new customers was because of click-fraud. In click fraud, an on-line media source that is party to a click-through ad contract inflates the number of ad clicks to fraudulently increase its ad revenues.

The plaintiffs allege that Citysearch failed to track fraudulent clicks originating with its employees and “partner sites” and failed to inform advertisers that it did not employ methods to track fraudulent clicks — but nevertheless charged customers for invalid clicks. The plaintiffs also allege that Citysearch falsely claims that customers will not be charged for invalid clicks, even though it knows or should know that these claims are false. The plaintiffs seek to recover the advertising fees they paid under breach of contract theories, as well as under California’s unfair competition law.

To qualify as a class action, the named plaintiffs must meet two sets of requirements: First, they must first meet four requirements in Federal Rule of Civil Procedure 23(a) that test whether the class is sufficient numerous and whether the claims brought by the named plaintiffs adequately represent the rest of the plaintiffs in the class. The main dispute here centered on whether the claims by the named plaintiffs were typical of all of Citysearch’s 10,000 pay-for-click advertisers.

Citysearch argued that the plaintiffs had presented no evidence that they were charged for fraudulent clicks, and hence, had no actual injury. In response, the plaintiffs presented a report from their expert which identified two clicks received by named plaintiff Redwolf within the same second on the same day. The plaintiffs also presented evidence that Citysearch had charged Redwolf for both clicks. The second named plaintiff, Menagerie Productions presented similar evidence.

Unfortunately for the public, the documents that contain this evidence were filed under seal – so it is not possible to analyze the general prevalence of such possibly invalid double clicks. The impression from the Court’s ruling is that the prevalence of even potentially invalid clicks was not extensive. Nevertheless, even though the evidence appears scant, the Court held that the two named plaintiffs had presented sufficient evidence they had suffered an actual injury – both had paid for invalid clicks that Citysearch had failed to detect.

The Court further held that even if some of the representations made by Citysearch to pay-for-click advertisers differed, the typicality requirement was met: “plaintiffs’ claims are based on an alleged common course of conduct by Citysearch to (1) charge it advertisers for invalid clicks, and (2) make material omissions regarding the existence and quality of its click filters.”

To qualify as a class action, the named plaintiffs must also show that the proposed class fits into one of several categories of cases specified in FRCP 23(b) that test whether certifying the case as a class action would make for efficient adjudication. Here, the named plaintiffs attempted to fit the case into FRCP 23(b)(2) which requires a showing that interests of all of the parties would best be served by settling their differences in single action. To do this, the named plaintiffs needed to show that the issues common to the class predominated over issues unique to class members, and that the proposed class was a superior method of adjudicating the matter.

The Court had little difficulty in finding that common issues of fact and law predominated for the breach of contract claims – because the claim arose from a standard form contract to which all of Citysearch’s pay-for-click advertisers had agreed. The Court also found that common issues predominated for the breach of the covenant of good faith and fair dealing claim – because the focus would be on whether the procedures Citysearch employed to identify click fraud were objectively reasonable.

The Court had a little more trouble with the UCL claims. California’s UCL statute permits claims against any “unlawful, unfair or fraudulent business act or practice.” Cal. Bus & Prof. Code § 17200. Here, the plaintiffs claimed that Citysearch’s advertising practices were both unfair and fraudulent. However, the Court found that common issues of law and fact would only predominate as to the fraudulent practices claims.

The Court held that to recover for fraudulent business practices under the UCL, a plaintiff does not need to establish the common-law elements of fraud, such as proof of deception, reliance and injury. Rather, UCL fraud is governed by a “reasonable consumer” test, which only requires that plaintiffs show that members of the public are likely to be deceived” [citing Williams v. Gerber Products Co., 523 F.3d 934, 938 (9th Cir. 2008)]. Because the UCL claim arose from Citysearch’s common course of conduct to all class members and the “reasonable consumer” standard would be used to adjudicate this claim, the predominance standard was met.

On the other hand, that Court found that to recover for unfair business practices under the UCL, “a plaintiff’s individual expectations about the business practice are relevant to determining the extent of its harm.” The need to examine the expectations of each plaintiff in the expected 10,000 member class made this claim unsuitable for resolution via a class action.

To show that a class action was a superior method of resolving the claims of all litigants, the plaintiffs also needed to show that they had a plausible method for calculating damages. The plaintiffs claimed that their expert would be able to identify fraudulent clicks (defined as clicks as having no probability of creating value) by merely examining the Citysearch click logs. Accordingly, the plaintiffs proposed a three-step method to calculate damages: (1) the plaintiffs’ expert would establish categories of clicks that were “objectively” invalid and that Citysearch should have filtered out, (2) he would examine Citysearch’s click logs to identify the invalid clicks for which each member of the plaintiff class was charged, and (3) the damages incurred by each plaintiff would be computed as a matter of simple math.

Citysearch claimed that this was bosh – because “it is impossible . . . to measure the subjective intent of the users who click on an online advertisement” merely from examining click logs.

The Court found that to satisfy FRCP 23 requirements, the plaintiffs’ damages methodology only had to be plausible – a low standard that she found they had met. Ultimately, in ruling issued on November 8, 2009, the Court certified a class action of “All persons or entities in the United States who entered into form contracts for pay-for-click advertising through Citysearch.com, paid money for this advertising service, and experienced click fraud by reason of double clicks or Citysearch’s failure to apply automatic filters to traffic from its syndication partners up through March 23, 2007.”

The latest action in this case is that on November 25, 2009, Citysearch filed a notice of appeal of the class certification ruling. This appeal may indicate that Citysearch believes it is at risk of significant damages. However, the evidence that has filtered from the court records suggests that this risk may be moderate.

The plaintiffs’ primary damages will be recovery of the dollars they spent on clicks that the court finds were invalid. However, the two named plaintiffs seem to have only been able to show that they paid for one invalid double-click each. It seems to me that if there had evidence of pervasive invalid clicks, this evidence would have made it into the court’s ruling. Moreover, according to Citysearch’s papers, over 90% of its on-line advertisers renew or extend their pay-for-click contracts – suggesting that they are satisfied with the results and that the prevalence of invalid clicks may be low. If this is the case, the plaintiffs’ victory here could be pyrrhic.

What is more frustrating for online media businesses like Citysearch is that the precision in determining an advertiser’s ROI from its advertising dollars sought in this suit is only possible in Internet media. Broadcast media traditionally have only been able to use surveys (which is what “ratings” really are) that constitute only an educated guess at viewership of advertising.

Six Years After CAN-SPAM: Effective Spam Control Can Require Both Technical and Litigation Solutions

CAN-SPAM (15 U.S.C. § 7701-7713) was enacted in 2003 in response to a national hue and cry over spam. At the time, unsolicited commercial email was estimated to account for half of all electronic mail traffic. According to the Congressional “findings” in the preamble to the Act, the sheer quantity of spam was doing real damage to the internet, creating costs for storage, accessing, reviewing and discarding unwanted emails, and reducing the reliability and usefulness of electronic mail to the recipient. The findings further stated that “The growth in unsolicited commercial mail imposes significant monetary costs on providers of Internet access services, businesses and educational and nonprofit institutions that carry and receive such mail, as there is a finite volume of mail that such providers, businesses, and institutions can handle without further investment in infrastructure.” 15 U.S.C. § 7701(a).
Given these findings, one would think that CAN-SPAM would impose onerous penalties on spammers. Au contraire, mon frere! Instead of “canning” spam, the act became known as the “Yes, You CAN SPAM Act.” In fact, the Act does nothing to outlaw the sending of unsolicited emails per se.
Rather, the sending of unsolicited emails is permitted as long as a few basic rules are followed. In general: (i) the “from” and “subject matter” lines in the header must be accurate, relevant to the subject matter of the email and not misleading. A commercial advertiser must also provide its physical address, and a label must also be present if the email contains adult content; (ii) the email must contain an “opt-out” mechanism, that must be honored within 10 days; and (iii) the email must not be not sent to an email address obtained through “address harvesting” or a “dictionary attack” and must not be sent via automatically created email accounts or a computer network to which the sender has gained access without authorization.
Another important element of CAN-SPAM is that it provides that “any statute, regulation, or rule of a State . . . that expressly regulates the use of electronic mail to send commercial messages” is “superseded” — i.e., preempted. This means that states cannot enact laws that are expressly directed at preventing the sending of unsolicited email messages or at reducing the quantity of email messages that can be sent by a single person. In other words, CAN-SPAM means that the federal government has refused to prevent spamming per se and has declared that the states can’t do it either (unless the spam is accompanied by “falsity or deception”). The effect is that much of the job of preventing spam per se is in private hands.

U.S. SAFE WEB Act Used by FTC to Prevent U.S. Exporter from Pretending to Be U.K.-Based Site

Internet fraud update: Under the FTC Act, the Federal Trade Commission is empowered to prevent businesses from using unfair methods of competition or engaging in unfair or deceptive practices. 15 U.S.C. § 45(a)(2). However, under the version of the FTC Act that existed prior to 2006, the FTC did not have the authority to regulate such practices unless the business involved “commerce” (i.e. sales, shipments) within in the United States. (Fn1) This meant that a business that was solely engaged in the export of goods to countries outside the U.S. was not subject to the FTC’s jurisdiction.

With the rise of the Internet, it became easy for businesses to set up shop in the U.S., but limit their business solely to export to other countries, and thus avoid FTC prosecution for unfair and deceptive trade practices. Because the FTC’s ability to share information about U.S. residents with foreign prosecutors was also limited, this meant that a lot of bad behavior by exporters went unchecked. According to the FTC, this could have made the United States a “haven for fraud.”

In December 2006, Congress passed the U.S. SAFE WEB Act, which amended the FTC Act to fill these loopholes. The U.S. SAFE WEB Act permits the FTC to provide investigative assistance to foreign law enforcement agencies, including conducting investigations to collect information and evidence for these foreign agencies. 15 U.S.C. § 46(j). It also permits the FTC to share investigative materials, such as documents, written reports or answers to questions and transcripts of oral testimony with foreign law enforcement agencies. 15 U.S.C. § 57b-2(6).

In addition, the Act expanded the FTC’s jurisdictional reach to permit it to directly regulate acts involving foreign commerce that: (i) cause or are likely to cause reasonably foreseeable injury within the United States; or (ii) involve material conduct within the United States.

Since the law was signed, the FTC has reported using it in only one prior investigation which was concluded earlier this year. (For a discussion of this case, see our blog post of July 17, 2009). The FTC has recently announced the second use of the U.S. Safe Web Act in its regulatory action against Los Angeles-based Jaivin Karnani and his company Balls of Kryptonite, LLC. (“Karnani”).

According to the FTC’s complaint, Karnani operates two websites, www.bestpricedbrands.co.uk and www.bitesizedeals.co.uk, which sell consumer electronics, such as cameras, video game systems, and computer software exclusively to customers in the United Kingdom. (Fn2) By using the suffixes “co.uk”, stating prices in pounds sterling, referring to the “Royal Mail” and using U.K. addresses, the websites gave U.K. customers the impression that they were located in the U.K. and subject to U.K consumer protection laws.

The complaint also alleged that Karnani’s websites didn’t deliver what they promised. Customers were shipped goods with power chargers that were not compatible with U.K. power systems. Because the goods shipped were not manufactured for the U.K. or E.U. markets, customers did not receive manufacturer warranties. Goods were shipped slowly and customer complaints about this slowness were ignored. Customers were also charged high restocking fees.

Security Experts: Health Data Increasingly Being Sold on Black Market

Consumer health data are increasingly being sold on the black market as health care organizations become popular targets for hackers, NPR’s “all tech considered” reports.

Background

According to Symantec, a security firm, health care companies experienced a 72% increase in cyberattacks between 2013 and 2014. There have been more than 270 public disclosures of large health data breaches — which firms are required to disclose — over the past two years, according to “all tech considered.”

Black Market for Health Data

Meanwhile, health data have increasingly been appearing on the black market, with such information often being more costly to purchase than certain financial data. While stolen credit card numbers tend to be sold for a few dollars or even quarters, a set of Medicare ID numbers for 10 beneficiaries found online by Greg Virign, CEO of the security company RedJack, was being sold for 22 bitcoins, or about $4,700.

Stolen health information available for purchase cannot be found through simple Google searches, and websites offering such data tend to have names that end with .su and .so, as opposed to .com or .org. Some sites for criminal sales feature online rating systems, similar to Yelp, that let the buyer know if the seller is “legit.”

Insufficient Cybersecurity Measures

Meanwhile, security experts say that the cybersecurity measures put in place by health care organizations are not sufficient to adequately combat cyberattacks.

According to “all tech considered,” companies that are subject to HIPAA tend to interpret HIPAA rules loosely.

Jeanie Larson, an expert on health care security, noted that many health care organizations “do not encrypt data within … their own networks.”

In addition, Orion Hindawi — co-founder and chief technical officer at Tanium, a computer network monitoring company — said that some health care organizations are not aware of how large their networks are, including how many computers they have.

The National Healthcare and Public Health Information Sharing and Analysis Center, an industry group Larson is a part of, is pushing for hospitals to invest in cybersecurity to a similar degree as banks. She said, “The financial sector has done a lot with automating and creating fraud detection type technologies, and the health care industry’s just not there” (Shahani, “all tech considered,” NPR, 2/13).

Share With Litigants: Court Orders Social Network Posts Disclosed

A personal injury case in Suffolk County recently became New York’s testing ground for the disclosure of information posted on Facebook and MySpace.  In Romano v. Steelcase Inc. , the defendant demanded access to the private portions of the plaintiff’s social networking sites, including deleted information.  The defendant contended the information would refute plaintiff’s claims about the extent of her injuries.  The plaintiff opposed the defendant’s request on the ground the disclosure would violate her right to privacy.

Justice Jeffrey Arlen Spinner agreed with the defendant and granted the discovery motion.  Finding no New York precedent on this issue, the court cited case law from Colorado and Canada to support its decision.  In rejecting the plaintiff’s privacy claims, Justice Spinner observed that the very purpose of social networking sites is to share “personal information” with others.  Therefore, since the plaintiff “knew that her information may become publicly available, she cannot now claim that she had a reasonable expectation of privacy.”

The court based its decision largely on the fact that the plaintiff voluntarily posted the information she was seeking to protect.  As most social networkers know, however, any of your “Friends” can post information about you (or photos of you) on their pages and there’s not much you can do to stop them.  Even if you convince them to remove the information, the history and deleted files are likely to be available.  It will be interesting to see how courts will treat the disclosure of information posted by third-parties and how privacy arguments will fare in those cases.

Romano v. Steelcase serves as yet another cautionary tale about posting information on the Internet.  Even if you delete a compromising photograph or status update, it could be disclosed to your adversary in litigation and used as evidence against you in a lawsuit. While Facebook members and Internet commenters have spent countless hours and immeasurable bandwidth debating Facebook’s privacy settings, in many ways that entire controversy is a red herring.  Nothing you post on a social networking site is truly private.

– Nicole  Hyland

Right wing cyber attacks on Healthcare.gov website confirmed

Right Wing Attacks on Healthcare.gov Site Confirmed

The House Homeland Security Committee recently posted a video on their YouTube account which highlights part of the committee’s question of Roberta Stempfley. Stempfley was acting assistant secretary of DHS’s Office of Cyber-Security and confirmed 16 attacks on the Affordable Care Act’s (ACA) website in 2013.

One successful attack Stempfley pointed to was designed to deny access to the site. Called a Distributed Denial of Service, or DDoS, this form of attacked is intended to make a network unavailable by repeatedly accessing servers and saturating them with more traffic than the site was designed for.

Right-wingers have distributed the link to the tools needed to perform the attacks. Informationweek, and other sites mentioned the tools had been circulated via social media.

Destroy Obama Care” was the name given to the attack by individuals calling themselves “right wing patriots.”

The message distributed said: “This program displays an alternative page of the ObamaCare website and has no virus, Trojans or cookies. The purpose is to overload the site so as to deny service and possibly crash the system.”

Some news sites have spoken about this attack, and Congress held hearings to discuss the attack. Despite the mainstream media being aware of the problem, they’re ignoring it as they continue to talk about the site not working.

Proposed HIPAA privacy rule on gun background checks open for comments

An advance notice of proposed rulemaking by the Office for Civil Rights Department of the Department of Health and Human Services titled “HIPAA Privacy Rule and the National Instant Criminal Background Check System” was published yesterday in the Federal Register.

Drafted following Executive Actions signed by President Barack Obama in January, the notice claims “Concerns have been raised that, in certain states, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule may be a barrier to States’ reporting the identities of individuals subject to the mental health prohibitor to the NICS.”

Absent from that summary explanation is an identification of who raised those concerns, how widespread they are, and if they reflect a political agenda driven by government officials and special interest groups.

“The Department … is issuing this Advance Notice … to solicit public comments on such barriers to reporting and ways in which these barriers can be addressed,” the notice states. “In particular, we are considering creating an express permission in the HIPAA rules for reporting the relevant information to the NICS by those HIPAA covered entities responsible for involuntary commitments or the formal adjudications that would subject individuals to the mental health prohibitor, or that are otherwise designated by the States to report to the NICS.

“In addition, we are soliciting comments on the best methods to disseminate information on relevant HIPAA policies to State level entities that originate or maintain information that may be reported to NICS,” the summary continues. “Finally, we are soliciting public input on whether there are ways to mitigate any unintended adverse consequences for individuals seeking needed mental health services that may be caused by creating express regulatory permission to report relevant information to NICS.

“The Department will use the information it receives to determine how best to address these issues,” it declares.

Gun Rights Examiner addressed this development on Monday, along with a “clarification” of the Attorney General’s powers “for purposes of permanent import controls” of defense articles and services. That report reminded readers of an ongoing action in New York, where it has been alleged the State Police are cross-referencing medical records with handgun owner permit lists in apparent partnership with the Department of Homeland Security.

The HHS Advance Notice invites public commentary, giving alternative ways for citizens to communicate their concerns, but perhaps the best way is to simply fill out their online form (via “Comment Now” button at Regulations.gov). Note that comments must be submitted on or before June 7. But that is only the first step concerned gun rights advocates must take.

As “Authorized Journalists”/“legitimate media” — who time and again demonstrate they are hardly disinterested players — will hardly be inclined to play government watchdog on this, it’s up to the same gun groups and online activists who mobilized in the face of the Senate gun threat to once more pick up a burden. That means spreading this news and getting others to follow suit, it means keeping up with developments as those with legal knowledge assess likely outcomes, and it means pressuring representatives in the legislature to provide oversight in the interests of rights, of separation of powers, and, just as a telling curiosity, of determining exactly where in the Constitution any of this has been delegated within the purview of Executive powers, that is, where any of this would be even remotely lawful under the federal system established by the Framers.

Originally posted on Examiner