The question of what effect an employee's disloyalty has on authorization to access an employer's computer has arisen in numerous cases in which employers have added civil claims under the CFAA in actions brought against employees alleged to have misappropriated of trade secrets. A typical scenario in which such a claim would be made is where, before departing for a new job, the employee is alleged to have copied or transmitted an employer's computer files for the benefit of a new employer.

Often, what is at stake in such cases is the employer's ability to maintain an action in federal court. A dispute over misappropriation of trade secrets is likely to involve only state law issues, and unless there is diversity of the parties, there is no basis for jurisdiction in a federal court. But, of course, federal courts have jurisdiction over a CFAA claim, and the trade secret misappropriation claims are then swept into federal court along with the CFAA claim as pendent state law claims.

The Seventh Circuit opinion in International Airport Centers v. Citrin is the ruling that is cited by employers seeking to press CFAA claims in such cases. In that case the circuit, in an opinion written by Judge Posner, ruled that under common law agency principles, an employee who breaches the duty of loyalty to an employer thereby becomes unauthorized to access the employer's computer, at least for the purpose of furthering an act of disloyalty to the employer. In LVRC Holdings, LLC v Brekka, the Ninth Circuit ruled to the contrary, finding that under the plain meaning of the language of the CFAA, acts of disloyalty on the part of an employee do not render the employee's access to the employer's computer unauthorized within the meaning of the statute.

In LVRC, the Ninth Circuit panel concluded that under the ordinary, contemporary, common meaning of the statutory terms, an employer gives an employee 'authorization' to access a computer when the employer gives the employee permission to use it. The court found that there is no statutory language to support the contention that authorization terminates when an employee determines to act contrary to the interest of an employer. The court looked to the term "exceeds authorized access," and concluded that the definition of that term made it clear that Congress had no intent to include in the statute any implicit, rather than explicit, limitation on the term authorization. It is an employer's act of allowing or terminating an employer's authorization to access a computer that determines whether the employee's access is authorized within the meaning of the statute, not the employee's disloyal act. The court reasoned:

Section 1030(e)(6) provides: the term exceeds authorized access' means to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter. 18 U.S.C. 1030(e)(6). As this definition makes clear, an individual who is authorized to use a computer for certain purposes but goes beyond those limitations is considered by the CFAA as someone who has exceed[ed] authorized access. On the other hand, a person who uses a computer without authorization has no rights, limited or otherwise, to access the computer in question. In other words, for purposes of the CFAA, when an employer authorizes an employee to use a company computer subject to certain limitations, the employee remains authorized to use the computer even if the employee violates those limitations. It is the employer's decision to allow or to terminate an employee's authorization to access a computer that determines whether the employee is with or without authorization.

The Ninth Circuit rejected the Seventh Circuit's reasoning in International Airport Centers, LLC v. Citrin, concluding that relying on whether an employee's mental state changed from loyal employee to disloyal competitor to determine whether the statute had been violated would be problematic in the criminal law context. The statute should be interpreted consistently in civil and criminal contexts, the court reasoned. Relying on the employee's mental state with respect to disloyalty to determine whether the statute had been violated would run afoul of the proscription against interpreting criminal statutes in surprising and novel ways that impose unexpected burdens on defendants.

In this respect, the ruling echoes (but does not cite) the recent district court opinion in United States v. Drew, No. CR 08-0582-GW (C.D. Cal. Aug. 28, 2009) (the MySpace "cyberbullying" criminal prosecution). There, the court dismissed a misdemeanor charge of violating the CFAA that was predicated on a user's alleged violation of the MySpace Terms of Service, finding that it would run afoul of the void for vagueness doctrine because individuals of 'common intelligence' arguably would not be on notice that a breach of the terms of a service contract could become a crime under the CFAA.

And conversely, the Ninth Circuit ruling appears to contradict the recent opinion in United States v. Nosal, 2009 U.S. Dist. LEXIS 31423 (N.D. Cal. Apr. 13, 2009), in which the district court declined to dismiss an indictment charging a violation of 18 U.S.C. 1030(a)(4). The indictment alleged that the statute was violated when a former employee accessed an employer''s computer network to copy proprietary information for use in a competitive enterprise. The court found that the statutory element of intent to defraud in subsection 1030(a)(4) could be found in the employee''s knowing access of electronic records for uses outside their intended purpose. The court in Nosal also rejected the defendant''s argument that because subsection 1030(a)(4) had never been addressed in the criminal context the indictment should be dismissed under the rule of lenity. Citing International Airport Centers, LLC v. Citrin and a number of opinions following it, the court found that there was ample authority in civil cases construing this section to conclude that the CFAA was violated by the 'access to the employer's confidential and proprietary information to advance his own competitive enterprise.

No doubt more will be heard on this issue in the Ninth Circuit, and other courts as well. And eventually, perhaps, the U.S. Supreme Court.

United States v. Drew, 2:08-cr-00582-GW (C.D. Cal. Aug. 28, 2009)

Almost 2 months ago, the judge presiding over the Lori Drew trial orally announced that he intended to rule in favor of Drew, but it was a little hard to decipher his statements without a written ruling. On Friday, the judge issued his written ruling, which indicates that he granted Drew's FRCP 29(c) motion for a post-verdict acquittal. I haven't seen any announcement of the prosecution's response and whether they plan to appeal. This ruling also has no direct bearing on any civil claims against Drew. Nevertheless, for now, Lori Drew has been fully acquitted of the criminal charges brought against her.

The Holding

While the written opinion clears up the judge's exact disposition of Drew's status, it is hardly a clear prcis on the legal issues. The judge ultimately grants the acquittal because a Computer Fraud & Abuse Act (CFAA) prosecution based on negative behavioral restrictions in an online user agreement is void-for-vagueness. I think this makes a lot of sense because the negative behavioral restrictions are effectively incorporated into the criminal statute but lack the degree of drafting precision we require from criminal prohibitions. The judge gives a good example of such an imprecise restriction by citing a MySpace user agreement prohibition against posting in band and filmmaker profiles...sexually suggestive imagery or any other unfair...[c]ontent intended to draw traffic to the profile. The judge rightly asks what the terms "sexually suggestive imagery" and "unfair content" mean when incorporated into a criminal CFAA prosecution. If we aren't sure, that sounds like a valid basis for a void-for-vagueness dismissal.

Having said that, given this ruling, I still can't understand why the judge let this case go to the jury in the first place. I believe the judge's ruling was independent of the jury verdict and does not rely on any of the jury findings, so why did he wait until after the jury verdict to make a ruling that he could have made pre-trial? His delay was not costless. The jury verdict against Drew remains a public rebuke of Drew even though it's been wiped away, and the judge could have saved everyone a lot of time and money by cutting to the chase earlier.

The Dicta

The judge's actual void-for-vagueness discussion of Drew's situation starts on page 25 of a 32 page opinion. What's going on in the previous 25 pages? The remainder of the opinion apparently explains how the government may have successfully proven the elements of its case, but I found the discussion gratuitous, meandering and confusing. Some of it could also be pernicious. For example, consider this oh-no quote from FN 22:

As a visitor to the MySpace website and being initially limited to the public areas of the site, one is bound by MySpace's browsewrap agreement. If one wishes further access into the site for purposes of creating a profile and contacting MySpace members (as Drew and the co-conspirators did), one would have to affirmatively acknowledge and assent to the terms of service by checking the designated box, thereby triggering the clickwrap agreement.

Read that first sentence again. WHAT??? Did the court just say that every visitor is bound to MySpace's browsewrap just by visiting the website? Uh, I don't think so, or at least I hope not. Whoa.

Another oddity: on page 9, the opinion says "According to Sung, MySpace owns the data contained in the profiles and the other content on the website." (Sung is MySpace's VP of Customer Care). The court slyly quotes the applicable provision in the user agreement which clearly points out that MySpace only takes a non-exclusive license to user data, not ownership. So what could this reference to ownership possibly mean?

Implications of the Ruling

Although I wish the judge had been more careful and laconic in his drafting, this opinion is still a good jurisprudential development. This opinion erects a significant hurdle for future CFAA criminal prosecutions for breaches of user agreements because they will face the same void-for-vagueness challenge that was dispositive here.

I'm less clear how this opinion might affect civil CFAA lawsuits for using third party servers in excess of a user agreement. As the case recounts, a number of cases already accept those claims, and I think this judge's dicta simply adds to those cases. So, for example, if MySpace wanted to sue Drew civilly under a CFAA theory for the behavior at issue with her criminal prosecution, I don't think this opinion would stand in the way. In fact, I think MySpace would cite it favorably. Then again, I doubt MySpace will be suing Drew; MySpace has been conspicuously low-profile about a crime purportedly committed against it.

I do not expect this ruling will defuse any debates over cyberbullying and how to deter it using legal means. If anything, the fact that Lori Drew walks is more likely to pour gasoline on the fire of state legislators who think they can solve the problem through their brilliant statutory drafting. They are wrong, of course, and they can do plenty of harm by trying (see, e.g., the broad and dangerous law that Texas just passed). Unfortunately, I expect more anti-cyberbullying legislative efforts, for better or (mostly) for worse.

Even though the judge corrected a judicial system error, I continue to believe that we as cyberlawyers need to mitigate the problems we create by putting extensive and ambiguous negative behavioral restrictions into our online user agreements. As I've explained before, I think best practices now move most negative behavioral restrictions into a non-binding statement of community norms and expectations.

So Cassetica sued in federal court, alleging a number of causes of action, including violations of the Computer Fraud and Abuse Act, 18 USC 1030 et seq. (CFAA). CSC moved to dismiss pursuant to FRCP 12(b)(6) for failure to state a claim. The court granted the motion, finding that Cassetica did not plead either damage or loss as required by the CFAA.

What the CFAA requires

Interpreting the CFAA differently that at least one other judge in the Northern District of Illinois has (cf. Garelli Wong & Assoc. v. Nichols, 551 F.Supp.2d 704 (N.D.Ill. 2008)), Judge Kendall held that Cassetica was required to plead either damage or loss as such terms are defined in the CFAA. (In Garelli Wong, the court held that both damage and loss must be pled.)

Under the CFAA, damage is defined as any impairment to the integrity or availability of data, a program, a system, or information. Loss is defined as any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.

Insufficient damage allegations

The bare allegations of damage in the complaint were not enough. The court found that Cassetica did not allege any facts that would plausibly suggest that the software downloads authorized or not caused a diminution in the computers or usability of [Cassetica's] computerized data. The court went on to observe that [c]ritically absent from the Complaint are allegations that CSC's downloads resulted in lost data, the inability to offer downloads to its customers, or that the downloads affected the availability of the software.

Insufficient loss allegations

Cassetica's complaint also failed to plead loss. The allegations primarily dealt with the lost fees Cassetica would have received had the alleged unauthorized downloading not taken place. Because Cassetica did not allege that it lost revenues as a result of an interruption in service caused by CSC, its claim for lost revenue fell outside the CFAA's definition of loss.

Download picture courtesy Flickr user soren_nb under this Creative Commons license.

The essence of the dispute is that Power Ventures, instead of developing its interface through the Facebook Connect developer program, created a Facebook user account and accessed Facebook content through that account. Facebook alleged that the creation and use of that account was in violation of the Facebook Terms of Use. Facebook Complaint 24, 41. The complaint also alleges that Power Ventures used the interface that it created to induce Facebook users to share their usernames and passwords, and then utilized that information to access Facebook servers via its interface in a manner that violated the Facebook ToU.

The complaint alleges that the ToU prohibits a variety of activities, including, among other things, solicitation of passwords or personally identifying information for commercial or unlawful purposes; using or attempting to use the account of another user or creating a false identity; using automated scripts; impersonating another person or entity; sending junk mail or spam; harvesting e-mail addresses; registering for more than one account; and using Facebook's website for commercial use without the express permission of Facebook. The ToU also provides that the limited license granted to access and use the site terminates when the site is used other than as specifically authorized herein.

The copyright claim alleges that in violation of the ToU, Power Ventures used its account to access and copy the Facebook Web site, including the Facebook home page for which Facebook has obtained a copyright registration. Complaint 31, 70. Judge Fogel concluded that the allegations of the complaint made out a sufficient claim of copyright infringement because Power Ventures need only access and copy one page to commit copyright infringement. The court also found that the ToU prohibited downloading, scraping or distributing content from the Facebook Web site content except that belonging to the user, and that in any event, using automated methods, i.e., data mining, robots, scraping, or similar data gathering or extraction methods to access any content were also prohibited by the ToU. Thus, the court found that the allegation that Power Ventures accessed Facebook via automated means constituted made out a claim of direct copyright infringement, while the allegation that Facebook users utilized the Power.com interface to access their own profile pages made out claim of secondary copyright infringement.

Judge Fogel also declined to dismiss Facebook's claim that the use of automated scripts to access Facebook copyrighted content bypassed specific technical measures designed to block such access and thus violated the DMCA. The trademark infringement claims were sustained based upon the inclusion in the complaint of a screenshot illustrating the use of the Facebook mark on an e-mail sent by Power Ventures to Facebook users. The court did order Facebook to file a short statement clarifying the basis for its California unfair competition claim.

The complaint also alleges a federal CAN-SPAM claim stemming from the transmission of e-mails to other Facebook users encouraging them to use the Power.com interface. According to the opinion, Power Ventures abandoned its challenge to the sufficiency of the CAN-SPAM claim, as well as its challenge to the sufficiency of the complaint under the CFAA. The CFAA claim also is grounded on the allegation that Power Ventures's access to Facebook's computers was unauthorized because it was in violation of the Facebook ToU.

The court's refusal to dismiss Facebook's claims demonstrates that careful drafting of a Web site terms of use is essential to obtaining legal redress for unauthorized access, particularly unauthorized access by competitors and others for commercial purposes. Access that violates the clear proscriptions of a ToU can form the basis for a multiplicity of legal claims, thereby maximizing the chances of a successful challenge to unwanted access.

Bridal Expo produces the Bridal Extravaganza Show in Houston, one of the largest bridal shows in the US. Hundreds of exhibitors and thousands of prospective brides attend; the show has been in business for 25 years and keeps databases of attendees and potential clients. Defendant Wedding Showcase scheduled the Houston Wedding Showcase for Feb. 2009, a few weeks after the Bridal Extravaganza at the same location. The individual defendants van Florestein and Moore, were key to creating the Wedding Showcase and are former Bridal Expo employeesshow manager and assistant. They left Bridal Expo in July 2008, but not before Moore downloaded Bridal Expo's databases and other information.

Defendants used Bridal Expo's database to mail ads to vendors for Wedding Showcase's November 2008 seminar. They used Google to advertise the Wedding Showcase as Houston's #1 Bridal Show, and mailed a brochure to vendors using quotations attributed to our vendors and our brides that actually came from other bridal shows on the East Coast, produced by another company.

In an earlier state court suit, Bridal Expo brought claims for trade secret misappropriation, unfair competition, and related torts. The judge denied a TRO and after a hearing also denied a temporary injunction. Bridal Expo nonsuited the state case and sued in federal court, using the same claims along with a Lanham Act false advertising claim and a Computer Fraud and Abuse Act claim.

On the state claims, the district court refused to disturb the state court's ruling on the temporary injunction. All the elements of collateral estoppel were present, though this of course only affected the availability of temporary relief, not a final adjudication on the merits. Given that only a month had passed since the state court denial, and that plaintiffs had held a successful bridal show in the interim (thus suggesting lack of harm), the court found no reason to revisit the state court's decision.

On the false advertising claim, plaintiffs argued that Houston's #1 Bridal Show was literally false, since Bridal Extravaganza is, in fact, the largest bridal show in Houston by any number of measures, and that the statement wasn't puffery because it was unambiguous and needed no additional context to give it meaning. Also, they argued that the brochures were literally false because defendants have yet to produce a bridal show in Houston.

Defendants called the Google ads puffery, and argued that the use of our in the brochures referred to the principals of Wedding Showcase, who have produced many shows. Moreover, the brochures mentioned several times that the Houston Wedding Showcase is a new show.

The court held, based on Pizza Hut, that the Google ads were too ambiguous to be actionable, and were the kind of bald assertion or general statement of superiority on which no reasonable consumer would rely. See also In re Century 21-RE/MAX Real Estate Advertising Claims Litigation, 882 F .Supp. 915, 923 (C.D.Cal.1994) (holding that # 1 was too vague to be actionable and declared ... # 1 in the United States and the World" was puffery, because it was opinion and made no reference to what was #1). Anyway, defendants stopped running the ad.

As for the brochure, plaintiffs argued that the our statements were literally false, and also that the brochure made literally false claims that van Florestein and another defenant had a combined 25 years of experience. Moreover, they argued that, by scheduling their show shortly after Bridal Extravaganza at the same location, defendants were trying to confuse customers into thinking their show was the Bridal Extravaganza.

On this record, the court found no literal falsity. Our could readily, in context, refer to the show's owners, one of whom ran the shows on the East Coast from which the our statements came. The brochure explained that the Houston Wedding Showcase would be a new show with a long history. Likewise, more than 25 years of combined experience could refer to the sum of the two principals' individual experience, not 25 years each. The court concluded that it was unlikely that a sophisticated vendor audience, familiar with the Houston wedding market, would be misled into thinking that the quoted brides and vendors were from Houston.

The evidence of confusion between the shows was that one of plaintiff's employees heard from one vendor at the Bridal Extravaganza that he was confused about who was running the Wedding Showcase, but there was no evidence of any connection to the brochure, and this was insufficient to claim confusion overall, though this might be an issue for a jury.

The CFAA claim was based on 18 U.S.C. 1030(a)(4), creating liability for a person who knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value . For a civil claim, there are extra requirements; here, the key was loss to 1 or more persons during any 1-year period ... aggregating at least $5,000 in value. Loss includes costs of responding to an offense and conducting a damage assessment. Here, the claimed loss was the confidential trade secrets.

Defendants argued that their access wasn't without authorization and didn't exceed their authorization. Van Florestein and Moore accessed their work computers and took files to which they were allowed access as employees. They argued that there's a difference between access to computers and use or disclosure of information obtained through that access.

There's a split over the meaning of authorization. Some courts say that using files to harm the employer violates the CFAA even if the employee technically has authorization to access the files in the scope of her duties. Contrary to that, other courts have noted that, when Congress wanted to prohibit things like communication and delivery, it listed them. If Congress wanted to reach all wrongdoers who access information they then use to the detriment of their employers, it could have omitted the statute's words of limitation altogether. Despite the conclusions of other courts, the district court determined that, given those statutory construction arguments and the rule of lenity (since the CFAA is also a criminal statute), authorization is not exceeded just because the employee breaches her duty of loyalty to an employer.

Here, the files were copied/downloaded on the defendants' last day of employment. They hadn't signed a confidentiality agreement or any other agreement restricting access to the files they'd been working on at Bridal Expo. It was within the nature of their relationship to use their computers and access the files at issue. Indeed, a key Bridal Expo employee saw them using the computer on their final day and didn't complain, even though it was after they'd turned in their keys.

Thus, the court found plaintiffs were unlikely to succeed on the merits. Moreover, even had there been a likelihood of success, a preliminary injunction would have been unwarranted, based on the Fifth Circuit's hesitance to grant injunctive relief against the use of information obtained through a past violation of the CFAA, where there was no potential for ongoing access.

The court stated, somewhat confusingly, that it would be willing to revisit the issue if defendants were continuing to use the vendor email list to advertiseeven if there's no likelihood of success on the merits? And then the court said that even if it had found likely success on the merits, it wouldn't have entered an injunction, because plaintiffs hadn't shown irreparable harmthat successful show they'd conducted since defendants entered the marketand defendants would suffer great harm if they couldn't produce their show: they'd have to cancel contracts, unwind arrangements on short notice, and pay cancellation fees. About that email list: It's unusual in a written opinion for a court to signal so overtly that, though it thinks there's no legal basis for some behavior, it nonetheless expects a party to engage in that behavior, but that seems to be what happened here.

According to news reports (WSJ Law Blog, LA Times, AP), the jury has declared Lori Drew guilty of "three misdemeanor counts of accessing a computer without authorization." I would like to parse the actual jury verdict form to make sure we understand what the jury actually said. For now, some preliminary observations.

First, the jury verdict is not the last step in the process. For example, the judge could still dismiss the case notwithstanding the jury verdict. Personally, I think it was a mistake for the judge to let this case go to the jury; overturning a jury ruling is always a dangerous move for a trial judge, and it would be especially awkward here for the judge to kick the case out now given the high emotions and heavy press coverage for this case. There could be a retrial (especially on the fourth charge, which resulted in a hung jury). It is also possible the jury verdict could be reversed on appeal. Finally, if none of those occur, a sentence that didn't include jail time would still be a travesty but would still have let the people have their vengeance while reducing the injustice to Drew. So it's hard to assess the meaning of the jury verdict because it's only 1 chapter in a longer story.

Second, I am even more convinced that it was a travesty of justice for the government to bring this case at all. The facts elicited at trial demonstrated the illogic of the government's argument that Lori Drew made unauthorized uses of MySpace's servers, including the facts that:

* Lori Drew did not create the MySpace account at issue (Grills, the babysitter, did--but she got government immunity for testifying against Drew)
* Lori Drew did not click OK to the MySpace user agreement (Grills did)
* Lori Drew did not send the final fateful message (Grills did)
* some of the messages at issue were not even sent through the MySpace network (they were sent through AOL)

These facts severely undercut the government's theories about the Computer Fraud & Abuse Act. They should also frighten each of us who may have broken an online user agreement, intentionally or not, at some point in our lives, by showing how easy it could be to violate the CFAA. The tenuousness of the law's application to the facts reinforced that the real trial was over Lori Drew's moral culpability for Meier's death...though that wasn't supposed to be on trial.

Third, regardless of how this case turns out, I remain frustrated by how pro-regulatory forces are using Meier's death--a tragic but highly anomalous situation--as grist for their pro-regulatory agendas. In particular, the push to legally prohibit "cyberbullying" baffles me. I don't even understand the term, but I do know that we cannot legislate people being nice to each other, online or off, and we don't even try in most offline circumstances. Further, as the expansive interpretation of the CFAA highlights, restrictions against "cyberbullying" could chill many socially beneficial and protected activities. So, I hope we can resist the pro-regulatory temptations. Ironically, a guilty verdict for Lori Drew might have that salutary effect by showing that existing laws can punish "bad" actors, even if legal justice is being denied to Lori Drew in the process.

UPDATES: More coverage: NYT; NYT #2 (news analysis), Christopher Soghoian (pointing out examples of egregious user agreements that convert many site users into criminals).

Private investigators are stressing about this ruling.

eBay

* Universal Grading Service v. eBay, Inc. More fallout from the National Numismatic v. eBay case--another lawsuit alleging antitrust and defamation because eBay designated some coin rating services as preferred and impliedly devalued others.

* Windsor Auctions v. eBay has been refiled in a new jurisdiction.

* Mehmet v. Paypal, Inc., 2008 WL 3495541 (N.D. Cal. Aug. 12, 2008). Upholding the consequential damages waiver in PayPal's user agreement.

* A company's failure in the marketplace can drive up the value of its collectibles on eBay.

Google

* Stelor Productions, Inc. v. Google, Inc., 2008 WL 4218107 (S.D. Fla. Sept. 15, 2008). In the lawsuit alleging that Google causes reverse confusion of Googles.com [warning: annoying music ahead], the plaintiff doesn't get to depose Sergey or Larry yet. Rose Hagan, Google's long-time chief trademark counsel, is the lucky substitute.

* Lots of rhetoric in the Google/Yahoo ad syndication deal. Google's advocacy website. Google Chief Economist Hal Varian explains why the deal won't raise ad prices in the auction. Randall Stross weighs in.

* Google has changed course and now allows religious groups to advertise on the keyword abortion.

* Kubit v. Google Groups, 2:2008cv00738 (M.D. Fla. complaint filed Sept. 29, 2008):

I then would like to sue Google Groups for not removing the posts when I repeatedly asked them to for 2 years. I believe I am entitled to at least a small amount of compensation for the emotional distress and lost business income that has resulted from them allowing these posts to remain on their Google Groups, even though I offered them VERY solid proof that I do not have HIV. If they had stopped the posts when they first occurred, they would not have proliferated to hundreds of websites. I became suicidal for a period of time after the posts started. I incurred a lot of emotional pain and fear because of the posts and had to seek psychiatric and psychological help to get my life back together. I still suffer from fears of dating, living a public business life and trusting others.

Yes, this is a pro se complaint. Yes, it is preempted by 47 USC 230.

Marketing/Advertising

* NebuAd is dead (1, 2). Even so, the lure of intermediaries aggregating deep data about consumers for commercial purposes will never die.

* Is Gator/Claria dead?

* The EU passed a non-binding resolution against sexual stereotypes in advertising.

* Celebrity branded merchandise run amok.

Miscellaneous

* Valleywag: "The 5 most laughable terms of service on the Net." For more laughs, see Mark Lemley's Terms of Use paper.

* Murakowski v. University of Delaware, 2008 WL 4104087 (D. Del. Sept. 4, 2008). This reminded me a lot of the Jake Baker case from the mid-1990s.

* The Virginia Supreme Court reversed itself on the Jaynes anti-spam prosecution, and Jaynes walks. Does Virginia routinely pass unconstitutional laws?

* Becker v. Toca, 2008 WL 4443050 (E.D. La. Sept. 26, 2008). Ex-wife's alleged delivery of "Infostealer" program to grab passwords from ex-husband could violate the ECPA, SCA and CFAA.

* Interesting article on ESPN's exclusive distribution and bundling agreements with Internet access providers.

* Funniest law firm names.

* Silly? Horrifying? A sign of the apocalypse?

• does CAN-SPAM apply to unauthorized text messages (there's some grey area here, my gut feeling is that it does)?
• does CAN-SPAM preempt IL law (e.g., Mummagraphics)?
• does CAN-SPAM prohibit the conduct at issue - is there anything misleading about the messages? CAN-SPAM only requires that the messages be accurate and the sender honor opt-out requests - can MySpace argue that it need not have a mechanism in place for people to refuse to receive messages at all (a global opt-out)?
• Section 230 - is MySpace just a conduit?