I suspect this lawsuit will fail. If I were feeling more cynical I would say that plaintiffs' counsel knew that and filed it to intimidate some of the mirror sites into shutting down.
In Bartnicki v. Vopper, SCOTUS held that a radio station had a 1A right to distribute stolen property--an illegally wiretapped conversation. Because the recording came to the station over the transom, the station was not involved in the illegal wiretapping itself, just like the Ashley Madison mirror sites today.
On the other hand, the Bartnicki court recognized that there were "important interests to be considered on both sides" and pointedly did not consider "domestic gossip or other information of purely private concern." In that case the illegally intercepted conversation was of public concern.
If this ever goes to SCOTUS (unlikely) I suspect it will favor the 1A arguments because of the unique nature of Ashley Madison. It's not a dating site for singles, but a service for "discreet married dating," after all, which necessarily implicates the other person in a marriage. And the current SCOTUS is probably more 1A-protective than it was in 2001.
Also all the allegations lodged against the mirror sites could be lodged against news organizations that are reporting on the data dump and naming names. So the plaintiffs will have to persuade courts to invent a new theory of liability that sweeps in mirror sites but not news organizations, a non-trivial task. How about a news organization that publishes hundreds of names?
One of the mirror sites, according to the picture in the complaint itself mentions use by investigators & journalists quite prominently. I was sort of surprised that the complaint would feature that, but they seem to have completely avoided any mention of free speech concerns at all, focusing on the 'stolen property' angle entirely.
They're attempting to sue AWS and Godaddy? When Viacom sued YouTube claiming YouTube was hosting copyright infringing material, YouTube won. I hope that Ashley Madison (represented by this Kronenberger Rosenfeld group) loses this case and has to pay full legal fees of all parties they're suing, which should be hefty.
So knowing absolutely nothing about the relevant laws of the claim, I went and looked up 18 U.S. Code § 2315. How do the claimants intend to demonstrate the value of the stolen goods exceed the $5,000 or more test required by the law?
More important, do they have to demonstrate that the value of the whole dump to be greater than $5,000 or just the value of their constituent component? I can imagine that the whole dump would pass the test, but tested individually, can their records really be worth that much?
In the acquisition space it's a common practice to get data valuations. I've seen individual customer records valued as high as $23 a record. Given the volume of customer data, even at the lowest possible, pennies on the dollar valuations it will easily exceed $5,000.
I think they also have to prove that these sites actually had their information and did provide it. Otherwise they're just assuming that their information was accessible because their information was part of the dump.
Likely though, since there are three claimants and three sites, I'd wager they all incidentally discovered their details (or maybe were made aware by an unhappy spouse) and that's how they know their details are actually accessible.
I may be wrong, but I believe the first dump only contained a month or so worth of transactions and the numbers were obfuscated. So likely not enough for credit fraud.
Even in the second dump, which contained the entire backlog of transactions, the numbers were scrubbed. The information is only a name, address, account type, and amount of transaction. All the card information has been scrubbed.
the sites whose publishers are being sued are: ashleymadisonpowersearch.com, adulterysearch.com, ashleymadisoninvestigations.com, greyhatpro.com, plus aws and godaddy
the first two now redirect to a suicide prevention hotline, but apparently charged for access, with suggested users individuals, PIs and investigators, journalists/media, and others
ashleymadisoninvestigations.com seemed to offer $14.99 spouse investigations
greyhatpro charged $150; as of 2015 0920 9pm pst it was allowing email searches for free
> Indeed, in recognition of the fact that Ashley Madison data contains confidential information and constitutes stolen property, a Canadian court, the Ontario Superior Court of Justice, issued a restraining order requiring several websites and Internet service providers to immediately disable the Ashley Madison data, deeming it “offence-related property in respect of which order of forfeiture may be made under the [Ontario] Criminal Code.”
Since this suit is being filed in Arizona, will the Canadian ruling hold in this case? It seems as though the DMCA's safe harbor provision shields the defendants from liability in this case.
The complaint says they notified Amazon and GoDaddy, and apparently no take-down resulted, so I think DMCA does not apply. Also, it's questionable if searching for an email address in a stolen database is a DMCA issue, rather, the suit is alleging possession of stolen property.
Greyhatpro for example was trying to charge $149 for people to search the data according to a screenshot in the complaint. Now the site appears to provide searches for free.
There are a few sites which provide search tools for breaches which I think are pretty convenient. Breaches are so common it's good to keep a central record. Can a commercial service monitor a given email address and keep track of breaches affecting that address? The particular services named in the lawsuit are quite sketchy, but where do you draw the line?
> The complaint says they notified Amazon and GoDaddy, and apparently no take-down resulted, so I think DMCA does not apply.
I find that rather suspicious. If you file a proper DMCA request than the provider must, ASAP, take the content down - regardless of if the content is actually infringing. This is to protect their "safe harbor" status to make sure the government doesn't go after godaddy but rather the individual (rightfully so - godaddy doesn't and shouldn't control or monitor what users upload on their services). An example of it in use at github [1].
My sneaking suspicion is they either they didn't actually send a DMCA takedown request or they filed it improperly. Or perhaps the owners of the sites sent a counter-notice which puts godaddy in the clear and forces these individuals to sue the site owners (if they wish to have the content removed).
> Can a commercial service monitor a given email address and keep track of breaches affecting that address?
I think there is a difference between "here is a text box - enter your husband's email to check if he is a cheater" and "we will alert you privately if your email is ever leaked". I don't see any problems with the later.
> If you file a proper DMCA request than the provider must, ASAP, take the content down
You are very confused about the nature of DMCA. The provider that receives a DMCA copyright infringement notification is not mandated to do anything at all by the DMCA. Having complied with the notice however gives the provider immunity from a potential copyright infringement lawsuit from the copyright holder - that is the purpose of DMCA.
About 30% of DMCA notices are defective, and Google for example complies with less than 70% of the notices it receives.
> The provider that receives a DMCA copyright infringement notification is not mandated to do anything at all by the DMCA.
Ok sure they don't HAVE to do anything. But if they wish to maintain their safe harbor status [1] they must remove it when requested. Otherwise the copyright holder can, and probably will, go after them. Google et al can safely ignore some number of the notices because they are Google and can send a swarm of lawyers to defend themselves if they are taken to court. Many smaller companies don't have that luxury.
> 3) upon receiving notice from copyright owners or their agents, act expeditiously to remove the purported infringing material.
I don't know if you have noticed but Youtube and github employ a "take down now - ask questions later" policy for this very reason. You can file a counter-notice to get the content reinstated - but you better be sure you are in the right.
Oh and Google actually complied with 97% of requests between July and December 2011 [2].
According to the plaintiff's (not very detailed) theory of liability, possession or possibly knowing possession of "stolen property" (the leaked data) is all it should take, though there are some bits about inflicting emotional distress too. I'm not even sure what sort of property this is supposed to be, nor did they explain beyond their quoting of a Canadian case. For copyright, it's not really a creative work and we don't have 'database rights' like other countries do. It might have been a trade secret but it's not really secret any more. Patents and trademarks aren't even relevant, so unless there's something esoteric, I am not clear on how they can even make the 'property' part of 'stolen property' fit.
Also, I agree with you in that I doubt they could have filed a proper DMCA notice. They'd have to claim ownership of the dump itself, which they cannot. And if someone had tried that, it can actually trigger the infamous 'perjury' penalty clause because they don't own the dump. Yes, one could also 'misidentify' a work they really do own as being infringed upon by the dumps but that would never survive a counter-claim--presuming one was filed, a lot of people never challenge these because the next step up is an expensive federal copyright lawsuit. Also, they might have some difficulty explaining their 'good faith' belief the work was infringing if someone called them on it. Calling someone on it, of course requires it to actually go to that expensive courtroom, which is why it almost never seems to happen in spite of the parade of ridiculous DMCA notices. It's simply too expensive to fight over little things, at least for most normal people.
> Can a commercial service monitor a given email address and keep track of breaches affecting that address?
https://haveibeenpwned.com/ and https://pwnedlist.com/ are two services that provide notifications when an email appears in a large data breach, as well as the ability to search for your email in the leaked data.
Can Canadian rulings set precedent in American courts, or is this just a case of the claimants demonstrating how the issue has been handled in other countries for reference by the court?
Precedence is odd and many-faceted, and in a case like this, it would be done indeed to show how other courts have handled the situation. If a Canadian ruling can give a bit of relevant guidance, than it is something that would be put into a case to help bolster the cause. Conversely, neither the judge, nor jury, has to take the Canadian ruling into consideration at all, as it isn't binding. Pretty much it's just helpful advice for the court to keep in mind.
American courts are not bound to follow any Canadian rulings.
They can choose to cite anyone who agrees with them as support for their position, no matter who it is, though. So they can certainly write something saying "look, everyone else agrees with us too" but this is not at all the same as when they're trying to act according to the past decisions of the courts that supervise them.
In one case, they're just looking for people who agree. In the other case, it's more or less mandatory. Yes, they can try to avoid following the precedent if they want, but the judges who supervise them can overrule them if they're out of line.
> Plaintiffs’ claims arise out of the recent theft of massive amounts of private consumer data, including private stored communications, from the adultery website and dating service known as “Ashley Madison” by anonymous hackers. Due to the salacious nature of Ashley Madison, this Internet crime has been widely reported in the media, both in the United States and internationally.
Is there a penalty for lawyers writing bullshit? The data was not stolen, it was copied and leaked. Also wtf is "Internet crime"
In Bartnicki v. Vopper, SCOTUS held that a radio station had a 1A right to distribute stolen property--an illegally wiretapped conversation. Because the recording came to the station over the transom, the station was not involved in the illegal wiretapping itself, just like the Ashley Madison mirror sites today.
On the other hand, the Bartnicki court recognized that there were "important interests to be considered on both sides" and pointedly did not consider "domestic gossip or other information of purely private concern." In that case the illegally intercepted conversation was of public concern.
If this ever goes to SCOTUS (unlikely) I suspect it will favor the 1A arguments because of the unique nature of Ashley Madison. It's not a dating site for singles, but a service for "discreet married dating," after all, which necessarily implicates the other person in a marriage. And the current SCOTUS is probably more 1A-protective than it was in 2001.
Also all the allegations lodged against the mirror sites could be lodged against news organizations that are reporting on the data dump and naming names. So the plaintiffs will have to persuade courts to invent a new theory of liability that sweeps in mirror sites but not news organizations, a non-trivial task. How about a news organization that publishes hundreds of names?