dropbox – Techdirt

Wisconsin Court Says Warrants Are Needed To Search Dropbox Accounts, Even If They Belong To Cops

from the seems-obvious dept

If you want access to content and communications, it seems pretty obvious you should get a warrant. There are plenty of warrant exceptions, but rooting around in things pretty much everyone believes have an expectation of privacy — whether it’s their house, their phones, or their online document storage services — generally requires a warrant.

Cloud storage is no different. Just because it’s not physically in the possession of investigation targets or suspected criminals doesn’t mean they don’t have a reasonable expectation of privacy in the contents of their accounts.

There’s not much court precedent dealing with this particular issue, though. Fourth Amendment expert Orin Kerr suggests this may have something to do with corporate policies governing users’ content.

It’s surprising how little caselaw there is on this. That’s partly because lawyers for Internet providers generally require a warrant before they’ll turn over account contents, and investigators can’t practically sue the providers over that if they disagree (it takes too long).

First off: good for service providers! Demanding a warrant even when there’s a dearth of supporting case law is a good first step. It deters fishing expeditions and discourages law enforcement from wading into untested legal waters too often.

Second, pushback like this forces law enforcement to tacitly admit they too believe warrants should be used to obtain content from third party services. If they firmly believed warrant exceptions (like the Third Party Doctrine) applied, they’d perform their own pushback, especially in cases (like this one) where time doesn’t appear to be of the essence.

Of course, doing this runs the risk of generating precedent that works against law enforcement’s warrant-optional desires. That’s what has happened here. Unsurprisingly, it took someone who knows how to work the system to get this established by a Wisconsin appeals court [PDF]: a cop.

Detective Sergeant Steven Bowers was charged with misconduct in office after sharing confidential sheriff’s department files with the producers of the “Cold Justice” TV show. Bowers used his Taylor County email address to create the account — a fact that apparently led investigators to believe no warrant was needed to access the contents of Sgt. Bowers’ account.

They were wrong. The lower court suppressed the evidence, ruling that the warrantless search violated the Fourth Amendment. The Appeals Court comes to the same conclusion — one that makes it clear the expectation of privacy still applies to the contents of online storage services, even if the account was activated using a government provided email account.

The route taken to achieve this Fourth Amendment violation was, however, made much, much easier by Sgt. Bowers’ decision to use a government email account, rather than one of his own.

Bowers had used his county e-mail address to set up his Account, although he paid for it with his own funds. Lind testified that on March 2, 2017, she performed a password reset on Bowers’ Account, which then “e-mailed a link to [Bowers’ county] e-mail address.” Given that she had access to Bowers’ county e-mail account through her role in IT, she then entered his e-mail account and used that link to change Bowers’ Account password, effectively severing Bowers’ access to his Account. Lind then personally accessed Bowers’ Account “with the [district attorney] and [Daniels] present.” According to Lind, the search of Bowers’ Account revealed both that the Murder 3 file was in the Account and that Bowers had shared the case file with individuals outside the department.

So, yeah… OpSec is still hit and miss when it comes to rookie leakers. Bowers should have known utilizing his government email account gave him less than exclusive control of it. That much was made clear by the county’s clickwrap, which informed Bowers his account was “exclusively owned” by the government he worked for.

Even so, it was still his personal Dropbox account that was accessed. The lower court first said Bowers had no expectation of privacy in this account because he had no expectation of privacy in his government email account. It rolled that decision back after taking a second look at the situation after Bowers reminded the court this search involved the contents of a Dropbox account he personally paid for, rather than one provided to him by the county government.

The Appeals Court affirms: this was a search under the Fourth Amendment. And, as such, a warrant was needed. The fact that the department was able to avoid interacting with Dropbox and utilized a government email address to reset the password to gain access doesn’t change the calculus of the Fourth Amendment issues.

[T]he department seized control of Bowers’ private Account located on servers outside the department by using Bowers’ county-owned e-mail address to change his Dropbox password. It then accessed and searched the information in his Account. The department did not receive the evidence from a third party, and it did not simply obtain specific files from Bowers’ Account. The department seized and searched at least portions of, if not all of, Bowers’ Account. Accordingly, the third-party doctrine cases that the State relies upon are inapt under the circumstances of this case. We agree with Bowers that the Court’s decisions in Miller and Smith do not clearly control the department’s actions here, as the department did much more than obtain access to metadata or Dropbox’s business records.

The State focuses on the fact that Bowers created this Account with his county-owned e-mail address. Apart from using that e-mail address, however, Bowers created the Account on his own. Bowers paid for the Account with his own money, and the Account was password protected. The department did not search its own devices to access the information in Bowers’ Account; it used the internet as a tool to access the outside server on which the Account was located.

Even if some of that might apply if the court were willing to fully oblige the terrible Third Party Doctrine arguments the state presented, it still wouldn’t matter. There’s an expectation of privacy in online storage accounts — something that can’t be undone simply because the government claims there isn’t.

Here, we conclude that society is willing to recognize that a user has a legitimate expectation of privacy in his or her Dropbox account. According to Dropbox, it boasts over 700 million users on its platform, and it specifically tells its users that “[w]ith Dropbox, your files belong to you, not us, so you can be sure we’re not reselling your data.” Dropbox, https://www.dropbox.com (last visited Dec. 13, 2022). By using a password that is not shared, these users expect their cloud-storage accounts to remain private unless the user shares the files with others, even if the information is stored by a third party. See Johnson, supra, at 886 & n.126 (“This is the equivalent of renting a safety deposit box, locking it, and trusting the bank not to break the lock.”).

Thus, under the totality of the circumstances and when considering the Dumstrey factors, we conclude that Bowers had a reasonable expectation of privacy in his Account. Law enforcement seized Bowers’ Account and searched it without a warrant, thereby violating Bowers’ Fourth Amendment rights.

Rights are for the people. The government doesn’t have any. It has powers, and that’s what these rights constrain. What ultimately matters in terms of the “reasonableness” of privacy expectations is what the public believes is reasonable. That the government believes otherwise doesn’t matter. Not in this case, at least.

Filed Under: 4th amendment, cloud storage, police, steven bowers, taylor county, wisconsin
Companies: dropbox

Content Moderation Case Study: Using Hashes And Scanning To Stop Cloud Storage From Being Used For Infringement (2014)

from the cloud-storage-scanning dept

Summary: Since the rise of the internet, the recording industry has been particularly concerned about how the internet can and will be used to share infringing content. Over time, the focus of that concern has shifted as the technology (as well as copyright law) has shifted. In the early 2000s, most of the concern was around file sharing applications, services and sites, such as Napster, Limewire, and The Pirate Bay. However, after 2010, much of the emphasis switched to so-called “cyberlockers.”

Unlike file sharing apps, which involved person-to-person sharing directly from users’ own computers via intermediary technologies, a cyberlocker was more of a hard drive on the internet. The issue was that some would store large quantities of music files, and then make them available for unlicensed downloading.

While some cyberlockers were built directly around this use-case, at the same time, cloud storage companies were trying to build legitimate businesses, allowing consumers and businesses to store their own files in the cloud, rather than on their own hard drive. However, technologically, there is little to distinguish a cloud storage service from a cyberlocker, and as the entertainment industry became more vocal about the issue, some services started to change their policies.

Dropbox is one of the most well-known cloud storage companies. Wishing to avoid facing comparisons to cyberlockers built off of the sharing of infringing works, the company put in place a system to make it more difficult to use the service for sharing works in an infringing manner, while still allowing the service to be useful for storing personal files.

Specifically, if Dropbox received a DMCA takedown notice for a specific file, the company would create a hash (a computer generated identifier that would be the same for all identical files), and then if you shared any file from your Dropbox to someone else (such as by creating a shareable link), Dropbox would create a hash and check it against the database of hashes of files that had previously received DMCA takedown notices.

This got some attention in 2014 when a user on Twitter highlighted that he had been blocked from sharing a file because of this, raising concerns that Dropbox was looking at everyone’s files.

Dropbox quickly clarified that it was not scanning every file, nor was it looking at everyone’s files. Rather, it was using an automated process to check files that were being shared and see if they matched files that had previously been subject to a DMCA takedown notice:

“There have been some questions around how we handle copyright notices. We sometimes receive DMCA notices to remove links on copyright grounds. When we receive these, we process them according to the law and disable the identified link. We have an automated system that then prevents other users from sharing the identical material using another Dropbox link. This is done by comparing file hashes. We don’t look at the files in your private folders and are committed to keeping your stuff safe.”
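The share-time check described above, sketched as an added example (not Dropbox's code and not part of the original article). SHA-256 and every class, method, path and sample value here are assumptions, since the article does not say which hash function or data structures Dropbox uses.

```python
import hashlib
import io
import secrets

CHUNK = 64 * 1024  # hash in chunks so large files are never held twice in memory


def content_digest(stream):
    """SHA-256 over the file bytes only; file name and owner do not enter the hash."""
    h = hashlib.sha256()
    for chunk in iter(lambda: stream.read(CHUNK), b""):
        h.update(chunk)
    return h.hexdigest()


class ShareBlockedError(Exception):
    """Raised when a file's digest matches one recorded from a takedown."""


class StorageService:
    """Hypothetical model: the blocklist is consulted only when a link is created."""

    def __init__(self):
        self.files = {}               # (owner, path) -> bytes
        self.links = {}               # link token -> (owner, path)
        self.blocked_digests = set()  # digests of files named in past takedowns
        self.checked = []             # audit trail: files compared to the blocklist

    def upload(self, owner, path, data):
        # Private storage: nothing is compared against the blocklist here.
        self.files[(owner, path)] = data

    def create_share_link(self, owner, path):
        digest = content_digest(io.BytesIO(self.files[(owner, path)]))
        self.checked.append((owner, path))
        if digest in self.blocked_digests:
            raise ShareBlockedError(f"{path}: matches a file from a prior takedown")
        token = secrets.token_urlsafe(16)
        self.links[token] = (owner, path)
        return token

    def process_takedown(self, token):
        # Disable the identified link, then remember the file's digest so that
        # byte-identical material cannot be shared through another link.
        owner, path = self.links.pop(token)
        digest = content_digest(io.BytesIO(self.files[(owner, path)]))
        self.blocked_digests.add(digest)
        return digest

    def resolve(self, token):
        return self.links.get(token)


def run_demo():
    svc = StorageService()
    media = b"constructed sample bytes standing in for a media file" * 1000

    svc.upload("alice", "album/track01.mp3", media)
    link = svc.create_share_link("alice", "album/track01.mp3")
    digest = svc.process_takedown(link)  # a notice arrives for alice's link

    svc.upload("bob", "misc/renamed.bin", media)  # same bytes, different name
    svc.upload("bob", "docs/report.txt", b"constructed unrelated document")
    svc.upload("carol", "private/copy.mp3", media)  # same bytes, never shared

    try:
        svc.create_share_link("bob", "misc/renamed.bin")
        identical_copy_blocked = False
    except ShareBlockedError:
        identical_copy_blocked = True

    other = svc.create_share_link("bob", "docs/report.txt")
    return {
        "digest": digest,
        "original_link_disabled": svc.resolve(link) is None,
        "identical_copy_blocked": identical_copy_blocked,
        "unrelated_file_shared": svc.resolve(other) == ("bob", "docs/report.txt"),
        "private_file_checked": ("carol", "private/copy.mp3") in svc.checked,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

In this model the match depends only on file content, so a renamed copy is still caught at share time, while a file that stays private is never compared against the list at all.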

Decisions to be made by Dropbox:

Questions and policy implications to consider:

Resolution: Dropbox has continued to use a similar setup, and for the most part has avoided being compared to traditional cyberlockers. Since 2014, the issue of DMCA takedowns leading to future blocking of files has not received all that much attention either. There have been a few articles and forum discussions about how it works, with some users looking for workarounds, but for the most part this technological setup appears to have prevented Dropbox from being considered a cyberlocker-style site for infringing file sharing.

Originally published on the Trust & Safety Foundation website.

Filed Under: cloud storage, copyright, cyberlockers, dmca, hashes, private storage, takedowns
Companies: dropbox

NC, Or Not NC: Why Suing The Sons Of Confederate Veterans In N.D.Cal For Violating The DMCA Makes Sense

from the that-is-the-question dept

In Mike’s piece about Greg Doucette’s lawsuit against the Sons of Confederate Veterans for abusing the DMCA, he suggests that the lawsuit might not belong in the Northern District of California. I thought it worth exploring why it might very much belong here, because those reasons may apply to most other DMCA Section 512(f) jurisprudence as well.

Mike is right that there are many things to consider in deciding where to bring a legal fight. Neutral ground, especially on issues as sensitive locally as those raised by this case, can indeed be desirable because it will help allow for clear focus on the legal questions. And in this regard Northern California is a better choice than North Carolina.

But there are also legal considerations. When I first read Marc Randazza’s demand letter on behalf of Doucette, I worried that he would have to file any such lawsuit in Northern California. Which is in the Ninth Circuit, which is the sole circuit that has thus far interpreted Section 512(f) of the DMCA. And which, in doing so, basically inserted its own language into the statute when it decided that a takedown notice sender only had to have a subjective “good faith belief” that the targeted material was infringing. Which represents a substantial decrease in the amount of good faith a takedown notice sender would need to have in order to be able to send their deletion demands with impunity. Which has thus severely defanged the DMCA’s 512(f) provision, which was supposed to impose a deterring penalty on those who send invalid ones. And which has therefore now opened the door to a torrent of unmeritorious and abusive takedown demands, of which the Sons of Confederate Veterans demand was just one more. I therefore hoped that if any lawsuit should follow that it be filed elsewhere, where a new court could look at the statute with fresh eyes and ignore the Ninth Circuit’s statutory modifications. But I wasn’t sure it could be.

Forum choice isn’t exactly a science. It can sometimes be the most heavily litigated aspect of a case. And there also may not always even be just one right answer. But there are some general rules to help figure out whether a forum choice is appropriate, and one of them relates to where the harm occurred. On the one hand, the Sons of Confederate Veterans were likely located in North Carolina when they dispatched their takedown notice. But that takedown notice was dispatched to a company with corporate headquarters in Northern California, and it was at that company where the decision to abide by the takedown demand and remove the material Doucette had published was made.

And where, arguably, it needed to be made. Because a DMCA takedown notice isn’t really an attack against allegedly infringing content. It’s an attack against the 512(c) safe harbor that Internet platforms depend on to not get obliterated by crippling copyright litigation. Greg Doucette’s speech was victimized by the takedown demand, but the takedown demand itself was the Sons of Confederate Veterans actually throwing down the gauntlet at Dropbox, demanding satisfaction. Like any 512(c) takedown notice it essentially was a declaration to the platform, “Take this content down, or we may sue you for it.” And all the harm that then flowed to Doucette was due to Dropbox, a company headquartered in Northern California, yielding to this threat.

We may wish that Dropbox had resisted this facially unmeritorious demand. From time to time platforms can and do resist bogus takedown demands. But by and large it is simply not possible to pick and choose which to ignore. There are simply too many takedown demands, and the stakes are too enormous if the platform should get the call wrong.

Which is why having a provision like 512(f) as part of the DMCA was so important. Because the platforms cannot effectively filter out the abusive takedown notices, we need the senders to do it themselves. We need the fear of expensive sanction to be plausible enough to make a takedown notice sender think twice before sending a wrongful one. Unfortunately, following the Rossi and Lenz v. Universal cases, the decision to send garbage takedown demands is now virtually costless.

But maybe it won’t be here. It’s quite possible that this takedown notice, which zeroed in on a textbook-example of First Amendment-protected speech exemplifying exactly why the public interest demands we protect it, failed to meet even the flimsy Ninth Circuit standard of “subjective” good faith. It’s possible that adjudicating this case, in N.D. Cal and maybe eventually the Ninth Circuit at large, could turn out to provide a precedential example that helps revive at least some of the potency 512(f) was supposed to have. True, it won’t be able to incite the sort of circuit split that attracts the Supreme Court review needed to resolve the issue once and for all, as it unfortunately refused to do in the Lenz case. But given the number of Internet platforms availing themselves of the 512(c) safe harbor who are located here, in this district and this circuit, this is where we need to see the courts finally start recognizing and punishing the harm on protected speech that these meritless takedown demands inflict.

Filed Under: 512f, 9th circuit, dmca, dmca 512, greg doucette, jurisdiction, marc randazza, north carolina, northern california, venue
Companies: dropbox

Lawyer Asks Racists To Use Sketchy Millions They Got From UNC To Fund Scholarships For Black Students To Avoid Lawsuit For Bogus Takedown

from the unleash-the-kraken-who-says-fuck-a-lot dept

Last week we wrote about the sketchy, sketchy deal in which UNC gave some racists $2.5 million to settle a lawsuit that was filed after the agreement was made, and settled moments later. More and more details keep coming out, making the whole situation look even sketchier (and even less legal). However, for our purposes, we’re focused on the copyright angle of this story. As you’ll recall, the lawyer who tracked down many of the details, T. Greg Doucette, also got his hands on a letter from the racist group, the Sons of Confederate Veterans, explaining the whole deal, including them admitting flat out that they didn’t have standing to sue, and any lawsuit would be thrown out almost immediately. That is, unless you’ve set it up so that the University has already agreed to give you millions of dollars. Doucette posted the letter to his Dropbox account, where he had posted other documents regarding this mess.

Then, the Sons of Confederate Veterans sent a DMCA takedown notice over the letter, and Doucette’s Dropbox is (as I type this) still limited. However, late last week, Doucette hired lawyers Marc Randazza and Jay Wolman to send quite a letter to the Sons of Confederate Veterans, arguing that the DMCA takedown was a violation of 512(f) of the DMCA. The initial letter (linked here and embedded below) was sent to lawyer Boyd Sturges, who represented the Sons of Confederate Veterans in their “negotiations” with UNC. However, I’ve been told that Sturges refused to accept the letter, claiming he had nothing to do with this aspect, and so a second (though, nearly identical) letter has been sent directly to R. Kevin Stone, the “Commander” of the Sons of Confederate Veterans.

We’ll jump straight to the punchline. After spending a few pages in typical Randazza-style flowery language explaining just how bullshit the takedown was (and just how sketchy the UNC deal was), Doucette (via Randazza) say that they will go to court to argue that the takedown violates Section 512(f) unless the following happens:

Should your client wish to avoid litigation, Mr. Doucette proposes the following: the $2.5 million your client did or will receive from UNC will be, instead, diverted to a scholarship fund for African American students at UNC, or other similar use, subject to our client’s approval. And of course, the DMCA notice must be immediately withdrawn. If you accept this offer, our client shall commit to oblivion the feelings your client’s actions engendered.

That’s a bit attention grabbing — as is the rest of the letter. The argument for why a suit could work is included here:

Mr. Doucette used the letter to expose and criticize the fraud you perpetrated on the Court, including suborning Mr. Stone’s perjury. After all, it was a verified complaint, notarized by you. While this might make more shams less likely, again, this is not a “market” for the original letter.

The misleading takedown notice was issued in bad faith, because it failed to consider Mr. Doucette’s fair use rights. See Lenz v. Universal Music Grp., 572 F. Supp. 2d 1150, 1154-55 (N.D. Cal. 2008) (“An allegation that a copyright owner acted in bad faith by issuing a takedown notice without proper consideration of the fair use doctrine … is sufficient to state a misrepresentation claim pursuant to § 512(f) of the DMCA.”) Your client clearly made such a material misrepresentation, and my client will not allow it to go unpunished.

The NCSCV is liable to Mr. Doucette for his damages and attorneys’ fees under Section 512(f) of the DMCA. Mr. Doucette is prepared to file suit for this, as well as for a declaration of non-infringement and any other causes of action he may have, which are still being evaluated. Mr. Doucette is considering a lawsuit not out of bitterness or vindictive feelings, but because it seems that the NCSCV has tried to wrest from him his dearest rights. This will not stand, man.

Unlike your client’s other most recent litigation, this suit will be real. Important principles are at stake, and Mr. Doucette is a man of principle.

While all of the above is accurate, what also remains unfortunately true is that DMCA 512(f) remains mostly toothless. The one useful 512(f) case, the Lenz case cited in the above section, still ended badly for the person targeted with the bad DMCA notice. While the court says you have to consider fair use, it more or less set up the rule that as long as the issuer of the DMCA briefly considers fair use before issuing the DMCA notice anyway, it’s not going to matter.

So even if this did go to court, I’m not at all confident that Doucette/Randazza would win. This is why, if anything, 512(f) should be strengthened, to stop the bogus use of these kinds of censorial takedowns. So, while the letter is amusing, and a fun read, I’d be surprised if it actually results in anything significant.

Filed Under: 512f, censorship, copyright, dmca, greg doucette, marc randazza, scholarship, sons of confederate veterans
Companies: dropbox, unc

from the bad-news dept

The American Law Institute, among other things, publishes various “Restatements” of law, which it describes as follows:

Restatements are primarily addressed to courts and aim at clear formulations of common law and its statutory elements, and reflect the law as it presently stands or might appropriately be stated by a court. Although Restatements aspire toward the precision of statutory language, they are also intended to reflect the flexibility and capacity for development and growth of the common law. That is why they are phrased in the descriptive terms of a judge announcing the law to be applied in a given case rather than in the mandatory terms of a statute.

Courts frequently rely on these “Restatements” to better understand the state of the law today, including how various courts have ruled on the law (so-called “common law.”) For that reason, the Restatement process can get fairly controversial (including an ongoing controversy over the Copyright Restatement, which legacy copyright insiders are falsely claiming is somehow biased against legacy copyright companies). Leaving that particular controversy aside, it does appear that the ALI itself may need a refresher course on how copyright works, because it’s currently abusing copyright law to try to prevent open discussion about another controversial Restatement.

ALI’s proposed Restatement of the Law of Consumer Contracts has similarly been beset by vociferous criticism from a variety of different parties. There’s a vote pending on the latest draft next week, on May 21st at the ALI’s annual meeting. Georgetown law professor Adam Levitin posted a draft of the proposed Restatement on Dropbox so that his followers could read it and understand what was in it prior to the vote.

Apparently, the ALI had other thoughts in mind and, after first threatening Levitin, it issued a DMCA takedown to Dropbox to remove the file. It did this after first emailing Levitin and demanding he take it down and then (falsely) insisting that “fair use is excerpts” and saying that it relies on its copyright “to pay the light bill.”

After Levitin told them he believed it was fair use, ALI went ballistic. As described by Public Citizen’s Paul Levy:

Unfortunately, ALI upped the ante in ways both petty and effective. First, the petty: without any notice or due process, it disabled Levitin’s access to the ALI web site. ALI’s bylaws allow ALI officials to suspend members only for non-payment of dues; members can only be suspended for good cause or for extended nonparticipation in ALI work, and then only by action of the full ALI Council. When the suspension was challenged, ALI restored his web site access fairly promptly.

But then there’s the second bit:

But its more effective response was to serve a DMCA takedown notice on Dropbox. As a result, I cannot link to the Dropbox so that readers of this blog post can judge the controversy for themselves. Although we have served a counternotice, the delays associated with the DMCA notice and counternotice procedure mean that, unless ALI voluntarily drops its takedown complaint, the Tentative Draft will remain off Levitin’s account until after the Annual Meeting next week. As I have argued previously, the DMCA gives the copyright holder the equivalent of a TRO, without any notice and indeed without any independent judicial consideration. It is a statute that is ripe for change.

This is a key point that we have argued over for years. The notice-and-takedown provision of the DMCA raises serious 1st Amendment issues, in that it acts as a way to use the power of the state to silence speech without any judicial review. That would seem to be unconstitutional.

Levy also sent a letter to ALI explaining why it is wrong concerning its understanding of fair use and is making a big mistake in taking down this discussion draft. Levy goes through the four factors of fair use, which go way beyond a simple “is it an excerpt” test that ALI seems to think:

First, the purpose of his use falls squarely within the statutory definition of fair use, because the purpose of the posting is criticism: to identify the many substantive flaws in the Tentative Draft and the reasons given for its creation. Moreover, the posting is for entirely noncommercial purposes. In addition, the criticism relates to issues of intense public interest. “The scope of the fair use doctrine is wider when the use relates to issues of public concern.” National Rifle Ass’n v. Handgun Control Fedn. of Ohio, 15 F.3d 559, 562 (6th Cir. 1994), citing Consumers Union v. General Signal Corp., 724 F.2d 1044, 1050 (2d Cir. 1983). Hence, the first factor strongly favors a finding of fair use.

Second, the copyrighted work is a set of legal standards that are intended to guide judicial decision-making as “‘authoritative’ sources on the meaning” of the common law. See Code Rev. Comm. v. PublicResource. Org, Inc, 906 F.3d 1229, 1248 (11th Cir. 2018). Regardless of whether the Restatement is or is not copyrightable as a statement of “the law,” any copyright protection for this sort of work is fairly thin. Consequently, the second factor is at best neutral.

Turning to the third factor, in an email to Professor Levitin, you suggested that your main reason for contending that the online posting of the Tentative Draft is not fair use in that “fair use is excerpts.” That misperception is common, but incorrect. “‘[S]uch copying does not necessarily weigh against fair use’ where ‘copying the entirety of a work is . . . necessary to make a fair use.'” Stern v. Lavender, 319 F. Supp. 3d 650, 682 (S.D.N.Y. 2018), quoting Bill Graham Archives v. Dorling Kindersley Ltd, 448 F.3d 605, 613 (2d Cir. 2006). Rather, “the extent of permissible copying varies with the purpose and character of the use.” Cariou v. Prince, 714 F.3d 694, 710 (2d Cir. 2013), quoting Bill Graham Archives. Here, the purpose of the use is to rally opposition to the prospective adoption of the entire Tentative Draft, to explain why the draft as a whole is problematic, and to allow members to understand why they should vote no and why readers should be contacting members whom they know to urge them to vote no. Only the posting of the entire draft could properly serve that purpose; indeed, posting selected portions could lead to accusations that the “vote no” campaign was dishonestly portraying the document. Consequently, the third factor does not support a conclusion of infringement.

Finally, considering the fourth factor, because the use is noncommercial, ALI would have the burden of showing likelihood that the use will cut into sales. Assn. of Am. Med. Colleges v. Cuomo, 928 F.2d 519, 525 (2d Cir. 1991). Your emails to Professor Levitin suggest that your concern is that the easy availability of the Tentative Draft may cut into sales that provide the main revenue to support the ALI enterprise. But, so far as we are aware, ALI sells final Restatements and other final statements, but not Tentative Drafts. Looking through the Publications section of the ALI web site, https://www.ali.org/publications/, I did not find any Tentative Drafts listed for sale. Draft documents are apparently available on Hein Online and Westlaw, and perhaps ALI gets a cut of those fees; but at the present time, the latest version of the prospective restatement that can be found on Hein Online and Westlaw is the discussion draft from 2017. Posting the 2018 Tentative Draft will not cut into those sales. Again, Professor Levitin planned to take down his posting after next week’s vote. As a result, his action will not compete with sales of the final version, even if the Tentative Draft is approved without any changes.

And, of course, Levy notes that if the Restatement is voted down, then there won’t be anything for ALI to sell in the first place, so it won’t be creating an adverse impact there either.

So, yeah, perhaps ALI should spend some time reading the ALI’s proposed restatement on copyright as well, as I’d imagine there are a bunch of fair use cases that it seems wholly unfamiliar with.

But there’s a larger point in all of this. We’ve pointed out over and over again that copyright is frequently used for censorship purposes, and this seems like yet another clear example. This is not a product for sale. This is a discussion draft of an important issue that it would help for more ALI members to have access to as they decide how to vote. ALI’s decision to pull it down via a DMCA takedown is shameful… but effective in censoring the discussion of the draft Restatement.

Filed Under: adam levitan, censorship, consumer contracts, copyright, dmca, fair use, paul levy, restatement of the law of consumer contracts, restatements
Companies: ali, american law institute, dropbox

'Thru Dropbox' Trademark Registrant's 'Bad Faith' Litigation Results In $2 Million Fee Award To Dropbox

from the countersues-bull,-demands-horns dept

Thru, Inc. made a mess of its registered trademark by allowing it to lie dormant. It registered “Thru Dropbox” but made no attempt to challenge Dropbox’s application for the term “DROPBOX” in 2009. Instead, it sat back and watched as Dropbox grabbed market share. Five years after it filed its application, the trademark was awarded to Dropbox. Only then did Thru, Inc. act, so to speak. It acted like the horrified victim of Dropbox’s motion for declaratory judgment, one that would uncontestably award the “Dropbox” registration solely to the cloud storage service. Thru countersued, claiming infringement. Bad move.

During the lawsuit, discovery by Dropbox uncovered Thru Inc.’s master plan. Emails showed company officials actually referred to the “Thru Dropbox” trademark registration as a “lottery ticket” that would pay off as soon as Dropbox went public. As the court pointed out while handing bits and pieces of Thru’s thoroughly-chewed ass back to it, referring to a dormant trademark registration as a “lottery ticket” is like counting your yachts before you’ve purchased them. It demonstrates bad faith — the sort of thing that generally leads to lawsuit losses and hefty legal fee liability.

And here come the financial losses Thru clearly didn’t figure into its “lottery ticket” calculations. The presiding judge has awarded more than $2 million in legal fees to Dropbox. From the order [PDF]:

The Court awards $1,761,781.50 in fees, $419,610.41 in nontaxable costs, and $116,040.18 in taxable costs.

As the court points out multiple times in the order, everything Thru did reeks of bad faith. The “slow walk” of its trademark enforcement to coincide with Dropbox’s IPO. The references to the unenforced trademark as a golden ticket to unearned riches. The numerous false statements made during early depositions.

Of course, Thru Inc. had plenty of arguments left, especially now that its own money was on the line. But the court doesn’t have much sympathy for Thru’s financial hole of its own creation.

Thru… argues that such a large fee award would be unfair given that it spent 27% of its annual revenue “on a lawsuit it tried hard to avoid.” As noted above, the record clearly belies the claim that Thru tried hard to avoid this litigation, and a significant portion of the expense incurred by Dropbox came as a result of Thru’s bad faith litigation conduct.

Dropbox likely won’t see any of this until after the Ninth Circuit Appeals Court has disposed of the case. Thru Inc. immediately appealed the adverse ruling handed down last year, but I can’t imagine the Appeals Court is going to take a look at this and see that the trademark slow-walkers have somehow been screwed out of their IP “lottery ticket.” All it’s going to do is add more Dropbox billable hours Thru Inc. will have to pay for.

Filed Under: lottery ticket, trademark
Companies: dropbox, thru

Referring To Your Unenforced Trademark As A 'Lottery Ticket' Is A Great Way To End Up With Nothing

from the door-to-riches-blocked-with-timebar,-extra-la[t]ches dept

Trademark protection is use-it-or-lose-it. A company with a possibly-legitimate claim to the trademarked term “Dropbox” thought it could just sit idly by while another company put the term to use, hoping to capitalize on that company’s success later. In the end, the lack of enforcement efforts cost it its infringement claims. Here’s the backstory, from Tucker Chambers of DuetBlog. (h/t Rebecca Tushnet)

Dropbox filed a trademark application to register the DROPBOX mark in 2009, but was hit with a flurry of oppositions by other companies such as Officeware, the owner of the FilesAnywhere service, Yousendit, Inc. (which has changed its name to Hightail), and others. Dropbox was ultimately successful on those oppositions and obtained its trademark registration for DROPBOX in 2014. Thru did not file an opposition to Dropbox’s 2009 trademark application.

Last year, Dropbox filed a lawsuit against Thru, seeking declaratory relief that its use and registration of the DROPBOX trademark does not infringe upon Thru’s purported trademark rights. Thru counterclaimed for trademark infringement, alleging that it had priority to the DROPBOX mark based on use as early as May 2004, and that Dropbox did not start using its DROPBOX mark until 2008. Later in proceedings, Dropbox moved for summary judgment on Thru’s counterclaim. Dropbox argued that Thru’s claim was barred by the doctrine of laches because Thru unreasonably delayed in making its claim and this delay prejudiced Dropbox.

Thru’s product — and registered term — “Thru Dropbox” might have kept Dropbox from being called Dropbox. But rather than move forward when it first became aware of Dropbox’s entry into the market, Thru decided it might be more profitable to act as a trademark squatter.

Thru first tried to claim that it had no idea Dropbox was entering the market and remained unaware of this fact until 2011. It didn’t even start moving to enforce its trademark until three years after that. The court found this claim unbelievable considering both businesses were operating in the same file-sharing market and Dropbox, by 2011, already had 40 million users.

The court found Thru’s claims LITERALLY unbelievable once company emails discussing Dropbox were made public during discovery. The moral: if you refer to your trademark registration as a “lottery ticket” in corporate emails, you’re likely going to find out it isn’t a winning one. From the decision [PDF]:

In an interrogatory response verified by Thru CEO Lee Harrison, Thru stated that “Thru’s directors and management first became aware of Dropbox, Inc., and its use of DROPBOX in mid-2011” and that “Thru’s directors and management is not aware of any employee that was aware of Dropbox, Inc. and its use of DROPBOX at any earlier date.” Ex. 40. Record evidence shows that this is not the case. On June 9, 2009, Thru’s Chief Technology Officer sent an email to the Harrison, as well as other officers, informing them about Dropbox, which offered another service “to sync the files across computers.” Ex. 42. On June 15, 2009, the CTO wrote again, asking “[a]re we ok with web-only write only dropbox or we will need [sic] something like getdropbox.com2 ? They are very prominent in Mac community.” Ex. 43.

In a sworn deposition, Harrison nonetheless insisted again that he had never heard of Dropbox before the summer of 2011, at which point Dropbox had 40 million users. When confronted with the CTO’s 2009 emails, however, Harrison conceded that his interrogatory response had been “false.” In light of this evidence, Harrison’s continued assertion that “[Dropbox] did not get [his] attention until 2011” is simply not credible.

The evidence on the record shows Thru was discussing Dropbox’s entry into the market as early as 2009. But it refused to move in opposition of Dropbox’s use of the term because Thru execs thought delaying this action might be the more profitable move. Thru sat on its hands for four years, hoping for a bigger payout.

Finally, and perhaps most significantly, the record belies Thru’s explanation for the reason behind its delay. Dropbox points to numerous documents that indicate that, in fact, Thru’s delay was a deliberate attempt to maximize the value of its claims by leveraging an anticipated initial public offering from Dropbox. Thru had been explicitly contemplating a lawsuit concerning its trademark rights at least since February 2012, when Harrison wrote in an email to an investor: “New development turns out we own the term Dropbox . . . Our IP attorney is talking to Dropbox’s attorney about buying the name from us . . . They raised 250M in October 2011 at 1B value. . . . An action could be had soon.” Ex. 47. Harrison repeatedly in emails described Thru’s claim as a “lottery ticket.” Ex. 54 (discussing whether “a portion of the staff [had] no skin in DB lottery ticket game”); Ex. 62 (“Dropbox will be a lottery ticket.”).

In October 2013 Harrison wrote that “My call is [Dropbox] want[s] us to file a lawsuit and treat us like [Officeware] so they can quietly dispose of this matter anytime they want to . . . **The best leverage we have is to sit tight and wait to the IPO announcement and be prepared to file suit that day and make as much noise as we can about it.” Ex. 51; see also Ex. 57 (“If we wanted to be the first to file we should have done that last year. Time is on our side not theirs. Slow walking this to [Dropbox’s pre-IPO] S1 filing is all that is important.**”). In his deposition, Harrison confirmed that he had felt that a pending IPO “was a leverage point,” that “it would be tough for them to file without clear title” to their trademark, and that accordingly Dropbox “would come to us eventually and settle with us.”

Yeah, you can’t “slow walk” your IP protection. Thru thought it could get a cut of those sweet, sweet IPO dollars. Instead, it’s on the receiving end of declaratory judgment, collecting a fat payment of $jack.

Filed Under: lottery ticket, trademark
Companies: dropbox, thru

Bad Intel And Zero Verification Leads To LifeLock Naming Wrong Company In Suspected Security Breach

from the more-'security-mediocre-practices'-from-the-biggest-name-in-ID-protectio dept

LifeLock has never been the brightest star in the identity fraud protection constellation. Its own CEO — with his mouth writing checks others would soon be cashing with his credentials — expressed his trust in LifeLock’s service by publishing his Social Security number, leading directly to 13 separate cases of (successful) identity theft.

Beyond that, LifeLock was barely a lock. It didn’t encrypt stored credentials and had a bad habit of ambulance-chasing reported security breaches in hopes of pressuring corporate victims into picking up a year’s worth of coverage for affected customers. This culminated in the FTC ordering it to pay a $12 million fine for its deceptive advertising, scare tactics, and inability to keep its customers’ ID info safe.

It’s LifeLock’s ambulance chasing that’s getting it into trouble again. Rather than verify the details of a recent breach, it began sending notices to customers informing them about possibly exposed info at entirely the wrong service.

Last week, LifeLock and several other identity theft protection firms erroneously alerted their customers to a breach at cloud storage giant Dropbox.com — an incident that reportedly exposed some 73 million usernames and passwords. The only problem with that notification was that Dropbox didn’t have a breach; the data appears instead to have come from another breach revealed this week at social network Tumblr.

This isn’t completely LifeLock’s fault. It did send out a false alarm and finger the wrong platform, but its information came from a third party: CSID. Brian Krebs approached the identity monitoring firm to determine how it had arrived at the wrong conclusion. It appears it’s ~~turtles~~ misinformation all the way down. CSID president of product and marketing Bryan Hjelm confirmed his company was suffering some “reputational concerns” after wrongly naming Dropbox, rather than Tumblr, as the source of the breach. But he still felt his company was doing a bang-up job in the ID protection department, despite utilizing questionable sources.

He told me that CSID relies on a number of sources online who have been accurate, early indicators of breaches past. One such actor — a sort of cyber gadfly best known by his hacker alias “w0rm” — had proven correct in previous posts on Twitter about new data breaches, Hjelm said.

In this case, w0rm posted to Twitter a link to download a file containing what he claimed were 100M records stolen from Dropbox. Perhaps one early sign that something didn’t quite add up is that the download he linked to as the Dropbox user file actually only included 73 million usernames and passwords.

In any case, CSID analysts couldn’t determine one way or the other whether it actually was Dropbox’s data. Nonetheless, they sent it out as such anyway, based on little more than w0rm’s say-so.

The problem with this bogus alert is that every step of it was automated. CSID admits it never checked out w0rm’s claim by manually verifying the data dump contained what w0rm said it contained. It simply generated its alert, which was then picked up by others, like LifeLock, that rely on it for breach identification/notification. The automation continued as LifeLock sent auto-generated messages to its customers. The only manual part of this process occurred at the end user level when Dropbox customers began altering their login credentials to protect themselves from a nonexistent breach. Meanwhile, the real breach went ignored.

It’s often said that humans are the weakest link in the security chain, but this incident shows that a little human intervention would have gone a long way towards heading off bogus breach notifications that made an unaffected company look like it was hiding something from its users.

Filed Under: security breach
Companies: dropbox, lifelock, tumblr

The White House Asks Silicon Valley What To Do To 'Disrupt' ISIS

from the not-that-kind-of-disruption... dept

As you may have heard, on Friday, a group of top White House officials, including Homeland Security director Jeh Johnson, FBI Director James Comey and NSA boss Admiral Michael Rogers, all came out to Silicon Valley to meet with tech execs to talk about how to “disrupt” groups like ISIS. On the tech side, a bunch of top execs came, including Apple CEO Tim Cook, Facebook COO Sheryl Sandberg, LinkedIn founder Reid Hoffman, Dropbox CEO Drew Houston and CloudFlare CEO Matthew Prince. The White House released a basic agenda publicly, though there was also apparently a more thorough briefing document that ran about 7 pages.

## U.S. Government Meeting with Technology Executives on Counterterrorism

I. Introductions

II. Setting the stage

> a. Purpose of Meeting

> b. Unclassified background on terrorist use of technology, including encryption

III. Core Discussion Areas

> a. How can we make it harder for terrorists to leverage the internet to recruit, radicalize, and mobilize followers to violence?

> b. How can we help others to create, publish, and amplify alternative content that would undercut ISIL?

> c. In what ways can we use technology to help disrupt paths to radicalization to violence, identify recruitment patterns, and provide metrics to help measure our efforts to counter radicalization to violence?

> d. How can we make it harder for terrorists to use the internet to mobilize, facilitate, and operationalize attacks, and make it easier for law enforcement and the intelligence community to identify terrorist operatives and prevent attacks?

IV. Questions or other issues raised by Technology Companies

V. Next Steps

You will, of course, note the bit on encryption. According to some of the reports, while the meeting was really supposed to be more about anything but encryption (i.e. about figuring out ways to “counter” ISIS’s supposed social media success, which likely has been overblown anyway), Comey said that he would only participate if encryption was on the agenda.

The Intercept got its hands on the more detailed briefing and revealed the part about encryption:

In addition to using technology to recruit and radicalize, terrorists are using technology to mobilize supporters to attack and to plan, move money for, coordinate, and execute attacks. The roles played by terrorist leaders and attack plotters in this activity vary, ranging from providing general direction to small groups to undertake attacks of their own design wherever they are located to offering repeated and specific guidance on how to execute attacks. To avoid law enforcement and the intelligence community detecting their activities, terrorists are using encrypted forms of communications at various stages of attack plotting and execution. We expect terrorists will continue to use technology to mobilize, facilitate, and operationalize attacks, including using encrypted communications where law enforcement cannot obtain the content of the communication even with court authorization. We would be happy to provide classified briefings in which we could share additional information.

Key Questions: We are interested in exploring all options with you for how to deal with the growing threat of terrorists and other malicious actors using technology, including encrypted technology, to threaten our national security and public safety. We understand that there is no one-size-fits-all solution to address this problem and that each of you has very different products and services that work in different ways. Are there high-level principles we could agree on for working through these problems together? And are there technologies that could make it harder for terrorists to use the internet to mobilize, facilitate, and operationalize? Or easier for us to find them when they do? What are the potential downsides or unintended consequences we should be aware of when considering these kinds of technology-based approaches to counter terrorism?

==

A number of organizations in the government, as well as some in private industry and academia, have researched techniques to detect and measure radicalization. Some have suggested that a measurement of level of radicalization could provide insights to measure levels of radicalization to violence. While it is unclear whether radicalization is measurable or could be measured, such a measurement would be extremely useful to help shape and target counter-messaging and efforts focused on countering violent extremism. This type of approach requires consideration of First Amendment protections and privacy and civil liberties concerns, additional front-end research on specific drivers of radicalization and themes among violent extremist populations, careful design of intervention tools, dedicated technical expertise, and the ability to iteratively improve the tools based on experience in deploying them. Industry certainly has a lot of expertise in measuring resonance in order to see how effective and broad a messaging campaign reaches an audience. A partnership to determine if resonance can be measured for both ISIL and counter-ISIL content in order to guide and improve and more effectively counter the ISIL narrative could be beneficial.

==

The United States recognizes the need to empower credible non-governmental voices that would speak out against ISIL and terrorism more broadly both overseas and at home. However, there is a shortage of compelling credible alternative content; and this content is often not as effectively produced or distributed as pro-ISIL content and lacks the sensational quality that can capture the media’s attention. Content creation is made difficult by ISIL’s brutal rule and near total control of communications infrastructure in its territory in Iraq and Syria, which can make it dangerous for citizens to speak out or provide video or images. Further, many of the leading and credible voices that might counter ISIL lack the content-generation and social media prowess that would be required to counter ISIL online. There is also a need for more credible positive messaging and content that provides alternatives to young people concerned about many of the grievances ISIL highlights.

In parallel with ongoing U.S. Government efforts, we invite the private sector to consider ways to increase the availability of alternative content. Beyond the tech sector, we have heard from other private sector actors, including advertising executives, who are interested in helping develop and amplify compelling counter-ISIL content; and we hope there are opportunities to bring together the best in tech, media, and marketing to work with credible non-government voices to address this shared challenge.

For what it’s worth, it appears (thankfully) that the majority of the meeting did not focus on the issue of encryption and (somewhat importantly) it was made clear to government officials that they’re doing a hell of a lot more harm than good in continuing to suggest that undermining encryption is a reasonable approach. Tim Cook apparently said that the government needs to come out publicly in favor of strong encryption, rather than its silly statements that suggest a desire to undermine it.

The real crux of the meeting, though, was looking at if there was “some other thing” that the tech industry could do to help in the fight against terrorism. This actually seems like a perfectly reasonable question to ask. But there are still reasonable concerns. First, pretty much all of these companies already have terms of service that forbid their use in the furtherance of criminal or terrorist activities. Second, they tend to already work with the government when such activity is discovered on the service. Third, in many cases, letting terrorist organizations use these platforms freely is one of the most effective ways to enable intelligence officials to find out what they’re doing.

If you look at the agenda above, it really feels as if the meeting was built on the wrong premise. It’s basically all about how do we stop bad people from using technology effectively. But that’s a fool’s errand, because technology doesn’t distinguish between good people and bad people.

Technology, for the most part, is about helping people do things better and more efficiently, not about stopping people from doing things. It’s too bad there wasn’t a focus on using today’s technology tools to enable more people to help out in the fight against terrorism and extremism. Instead, much of the focus is on “how do we make it harder for someone to do [x].”

From the reports that came out, the discussion was pretty high level, with ideas like “could Facebook adjust its algorithm that spots potentially suicidal users to also detect potentially radicalized members.” Having such discussions is fine, in theory. In fact, if anything, the oddest thing about this little “summit” is that it demonstrates just how wide the gulf has become between Silicon Valley and DC. In the past, discussions like this weren’t so crazy — and didn’t need press coverage.

But here’s the thing: the intelligence community totally poisoned the well here with its actions over the past decade and a half. For the past few months DC folks have been whining about how Silicon Valley is seeing this as an “us v. them” situation, but that’s only true because the NSA blew everything up, hacking into systems, lying to the public, abusing the secretive powers of National Security Letters, the FISA Court and Executive Order 12333. The government treated Silicon Valley as an adversary, and is now whining that Silicon Valley doesn’t want to help.

I’m quite certain that everyone in the room wants to do what they can to “stop ISIS” (“disrupt” is totally the wrong word here). And it would be great if there were ways to actually do that. But it can’t involve the usual way that the intelligence and law enforcement communities have focused on in the past decade and a half: violating privacy, exploiting systems and generally treating the public’s rights as collateral damage. And it can’t involve stomping on freedom of expression.

It’s fine if the two sides want to talk and see if they can come up with something useful, but as long as DC keeps thinking of Silicon Valley as creating “magic pixie dust” instead of innovation, it’s not going to be that useful.

Filed Under: admiral mike rogers, encryption, going dark, isis, james comey, jeh johnson, tim cook, white house
Companies: apple, cloudflare, dropbox, facebook, linkedin

Ireland Becoming The Key Spot In Fights Over Data Privacy: Both Concerning Governments And Tech Companies

from the this-is-the-big-fight dept

There’s a really big battle brewing concerning privacy protections online that involves some Silicon Valley tech companies, Ireland and the US government. And chances are this fight is going to get nasty. A few weeks ago, you might have heard that Twitter announced an interesting change in its privacy policy and terms of service, saying that all non-US users would technically now be managed under Twitter International Company, based in Dublin, Ireland. And, last week, Dropbox made a very similar announcement, noting that all non-North American users were now technically under Dropbox Ireland, while users in the US, Canada and Mexico remain under Dropbox in the US. Twitter’s new terms go into effect on May 18th, and Dropbox’s on June 1st (unless you’re opening a new account before then, and the new terms apply immediately).

Over the last decade, Ireland has become a popular destination for US tech firms to set up international operations, in part because of Ireland setting itself up as sort of a tax haven for tech firms via its “Double Irish” tax dodge. A bunch of tech companies have been criticized for this, though the response of “we’re following exactly what the law allows” is reasonable enough. Either way, that tax loophole is closing, though others may show up instead.

But this move doesn’t seem predicated on that. Instead, there are two related elements that may be at work here. First: Ireland is also seen as having some of the most company-friendly privacy laws in the EU, though those are also coming under some amount of scrutiny. But, at the same time, by claiming that users are now under the Irish company, it gives Twitter and Dropbox at least some power to try to say no to US government requests for information. So, depending on if you’re more afraid of government intrusions in your data than corporate intrusions (as I am), then these moves are probably good for your privacy.

Except… the US government still thinks that it can do whatever the hell it wants. First, in some ways, data inside the US has potentially more protections against the US government in a somewhat bizarre way. Whether you believe it or not, the NSA cannot “hack” its way into US computer systems. It can only use the various other processes it has to demand information from companies. Overseas, however, there are no such restrictions. The NSA has interpreted Executive Order 12333 to mean that it can hack into anything overseas, and this was the authority it used to break into the data centers of Google, Yahoo and likely more overseas (sneaking in via Level 3 and others).

But, that still requires hacking into stuff. If US tech companies believe they can successfully fend off such hacks, putting non-US users under Irish law does give them greater protection from the NSA. The NSA can no longer use its other authorities in the US to get the FISA Court to demand information (along with gag orders) from these companies. Or… maybe not. As we’ve been discussing, there’s an ongoing court battle between the US Justice Department and Microsoft, over whether or not the DOJ can issue a warrant demanding Microsoft hand over information stored in Ireland. Microsoft has resisted, but the courts have so far sided with the DOJ. Ireland recognizes this is an important fight, and has asked for the EU to come out in support of Microsoft’s position.

Meanwhile, with a new Attorney General in office, the DOJ has made it clear that it’s going to continue this course of action:

US prosecutors will continue to seek data stored in Ireland using a federal search warrant, despite leadership changes at the Justice Department.

A spokesperson confirmed in an email that the department’s position has “not changed,” two weeks after Loretta Lynch, the Obama administration’s choice to head up the federal agency, was confirmed by Congress as the new US attorney general.

This battle is going to be rather important for those other companies seeking to protect users under Irish law. Warrants aren’t supposed to apply outside of the US. But the DOJ (and the courts) have been simply making up new laws, in arguing that if it’s a US company, but the data is overseas, the warrant magically morphs into a quasi-warrant/subpoena hybrid. But that’s ridiculous. Warrants and subpoenas have different purposes and different protections — and the DOJ wants the best of both worlds. As Microsoft itself explained in one of its legal filings:

The Government’s interpretation ignores the profound and well established differences between a warrant and a subpoena. A warrant gives the Government the power to seize evidence without notice or affording an opportunity to challenge the seizure in advance. But it requires a specific description (supported by probable cause) of the thing to be seized and the place to be searched and that place must be in the United States. A subpoena duces tecum, on the other hand, does not authorize a search and seizure of the private communications of a third party. Rather, it gives the Government the power to require a person to collect items within her possession, custody, or control, regardless of location, and bring them to court at an appointed time. It also affords the recipient an opportunity to move in advance to quash. Here, the Government wants to exploit the power of a warrant and the sweeping geographic scope of a subpoena, without having to comply with fundamental protections provided by either. There is not a shred of support in the statute or its legislative history for the proposition that Congress intended to allow the Government to mix and match like this.

This fight is far from over — and with companies like Twitter and Dropbox now trying to shift more non-US users under Irish laws, the fight with Microsoft is going to become even more important.

And, that’s not even getting into the discussion of how all of this is, effectively, driving US businesses overseas. The US’s efforts to spy on everyone is, once again, harming the US economy, rather than helping it.

Filed Under: data protection, ireland, lawsuits, privacy, surveillance, terms of service
Companies: dropbox, microsoft, twitter