Wednesday, May 01, 2019

hijacking another's webpage for competing service is bad


Spy Dialer, Inc. v. Reya LLC, 2019 WL 1873296, No. ED CV 18-1178 FMO (SHKx) (C.D. Cal Mar. 18, 2019)

The parties compete in the market for reverse phone lookups.  When a user accessed plaintiff’s Spydialer.com, malicious computer code allegedly inserted through ads placed by Reya would cause the user’s browser to automatically scroll down to the bottom of the webpage, where defendant’s ad was located. The user’s cursor would then be placed in a search box located within the ad, instead of in the search box for the Spy Dialer website. The ad’s search box was designed to look similar to Spy Dialer’s search box. The malicious code allegedly prevented users from scrolling back up the page to Spy Dialer’s search box. Users who typed a phone number into the advertisement’s search box were redirected to defendant’s website.

When Spy Dialer reached out to defendant, a manager claimed that the malicious code was the result of a “coding error.” Spy Dialer complained to Google, which conducted an investigation, concluded that defendant’s ads “constituted a fraudulent business practice,” and banned the ads from further use.  The ads allegedly caused Spy Dialer’s website to lose “ranking in Google’s search engine results” and led to lower traffic and resulting lower ad revenue.

CFAA: Defendant had limited authorization to access Spy Dialer’s computers, because it submitted ads to platforms which would then place the advertisements on Spy Dialer’s website. But it allegedly  exceeded the scope of this authorization by causing the ads with malicious code to be placed on plaintiff’s site. However, the complaint failed to plead that defendant obtained or altered information on plaintiff’s computers that it wasn’t authorized to obtain or alter. For example, there was no allegation that defendant continued to place ads on plaintiff’s website even after permission had been revoked. “[M]erely submitting advertisements through Google Ad Services[] does not state a CFAA violation.”

ECPA: 18 U.S.C. § 2511 provides a private right of action against “any person who ... intentionally intercepts, endeavors to intercept, or procures any other person to intercept or endeavor to intercept, any wire, oral, or electronic communication[.]” Here, when a visitor attempted to use Spy Dialer’s website, defendant’s malicious ad would force the visitor’s browser to automatically scroll to the bottom of the webpage. Even if the user realized what was happening, the malicious code allegedly prevented them from scrolling back up to the top of the webpage to use plaintiff’s own search box. This “captured” and “redirected” traffic intended for Spy Dialer’s website (is that the same as interception?).  And it was plausibly alleged to be intentional, in that the code was sufficiently “sophisticated” that it could not have come about through mistake or error.

California Penal Code § 502 creates liability against an individual who “[k]nowingly accesses and without permission alters, damages, deletes, destroys, or otherwise uses any data, computer, computer system, or computer network in order to either (A) devise or execute any scheme or artifice to defraud, deceive, or extort, or (B) wrongfully control or obtain money, property, or data.” “Just as plaintiff’s CFAA claim fails … so too must those aspects of plaintiff’s § 502 claim which depend on defendant having accessed plaintiff’s computers.” But 502(c)(3) prohibits individuals from “[k]nowingly and without permission us[ing] or caus[ing] to be used computer services.” Subsection (c)(5) creates liability against a person who “[k]nowingly and without permission disrupts or causes the disruption of computer services or denies or causes the denial of computer services to an authorized user of a computer, computer system, or computer network.” Subsection (c)(8) bars “[k]nowingly introduc[ing] any computer contaminant into any computer, computer system, or computer network.”

None of those provisions required access to Spy Dialer’s computers, so those claims survived.

Lanham Act claim: based on defendant’s use of spydialer.org (as opposed to plaintiff’s spydialer.com)—easily survives, as does an ACPA claim.

However, a false advertising claim under California Business & Professions Code § 17500 failed. That law makes it unlawful for any person to “induce the public to enter into any obligation” by making “any statement ... which is untrue or misleading, and which is known, or which by the exercise of reasonable care should be known, to be untrue or misleading.” The use of the domain name “Spydialer.org” was not an actionable “statement” in connection with the ad or the domain name.  This seems inconsistent with the ordinary meaning of “statement”—when I wear a nametag labeled “Prof. Tushnet,” I’m stating my name—but there are apparently cases so holding. Sensible Foods, LLC v. World Gourmet, Inc., 2012 WL 566304, *7 (N.D. Cal. 2012) (rejecting false advertising claim after concluding that a heart symbol “is not a statement”); Parent v. MillerCoors LLC, 2015 WL 6455752, *7 (S.D. Cal. 2015) (“MillerCoors’ use of the BMBC trade name on the label is not a ‘statement[.]’ ”).

But state law unfair competition claims survived under § 17200, since the “ultimate test for unfair competition is exactly the same as for trademark infringement.”

However, there was no actionable conversion of web traffic.  In the Ninth Circuit, “First, there must be an interest capable of precise definition; second, it must be capable of exclusive possession or control; and third, the putative owner must have established a legitimate claim to exclusivity.” Though web traffic is “an interest capable of precise definition,” in that web traffic consists of the number of Internet users who accessed a particular website within a given time frame, it is not “capable of exclusive possession or control.” Unlike domain names, “web traffic is distinctively ephemeral. Indeed, even the parties that posted non-malicious banner advertisements on Spydialer.com were no doubt hoping to redirect a portion of plaintiff’s web traffic from plaintiff’s website to theirs.”

Fraud claims also failed because there was no allegation that the plaintiff reasonably relied on the ad, as opposed to third parties.  A negligence claim survived, though, based on defendant’s denial of intentional conduct.



No comments: