> Indeed, in recognition of the fact that Ashley Madison data contains confidential information and constitutes stolen property, a Canadian court, the Ontario Superior Court of Justice, issued a restraining order requiring several websites and Internet service providers to immediately disable the Ashley Madison data, deeming it “offence-related property in respect of which order of forfeiture may be made under the [Ontario] Criminal Code.”
Since this suit is being filed in Arizona, will the Canadian ruling hold in this case? It seems as though the DMCA's safe harbor provision shields the defendants from liability in this case.
The complaint says they notified Amazon and GoDaddy, and apparently no take-down resulted, so I think DMCA does not apply. Also, it's questionable if searching for an email address in a stolen database is a DMCA issue, rather, the suit is alleging possession of stolen property.
Greyhatpro for example was trying to charge $149 for people to search the data according to a screenshot in the complaint. Now the site appears to provide searches for free.
There are a few sites which provide search tools for breaches which I think are pretty convenient. Breaches are so common it's good to keep a central record. Can a commercial service monitor a given email address and keep track of breaches affecting that address? The particular services named in the lawsuit are quite sketchy, but where do you draw the line?
> The complaint says they notified Amazon and GoDaddy, and apparently no take-down resulted, so I think DMCA does not apply.
I find that rather suspicious. If you file a proper DMCA request than the provider must, ASAP, take the content down - regardless of if the content is actually infringing. This is to protect their "safe harbor" status to make sure the government doesn't go after godaddy but rather the individual (rightfully so - godaddy doesn't and shouldn't control or monitor what users upload on their services). An example of it in use at github [1].
My sneaking suspicion is they either they didn't actually send a DMCA takedown request or they filed it improperly. Or perhaps the owners of the sites sent a counter-notice which puts godaddy in the clear and forces these individuals to sue the site owners (if they wish to have the content removed).
> Can a commercial service monitor a given email address and keep track of breaches affecting that address?
I think there is a difference between "here is a text box - enter your husband's email to check if he is a cheater" and "we will alert you privately if your email is ever leaked". I don't see any problems with the later.
> If you file a proper DMCA request than the provider must, ASAP, take the content down
You are very confused about the nature of DMCA. The provider that receives a DMCA copyright infringement notification is not mandated to do anything at all by the DMCA. Having complied with the notice however gives the provider immunity from a potential copyright infringement lawsuit from the copyright holder - that is the purpose of DMCA.
About 30% of DMCA notices are defective, and Google for example complies with less than 70% of the notices it receives.
> The provider that receives a DMCA copyright infringement notification is not mandated to do anything at all by the DMCA.
Ok sure they don't HAVE to do anything. But if they wish to maintain their safe harbor status [1] they must remove it when requested. Otherwise the copyright holder can, and probably will, go after them. Google et al can safely ignore some number of the notices because they are Google and can send a swarm of lawyers to defend themselves if they are taken to court. Many smaller companies don't have that luxury.
> 3) upon receiving notice from copyright owners or their agents, act expeditiously to remove the purported infringing material.
I don't know if you have noticed but Youtube and github employ a "take down now - ask questions later" policy for this very reason. You can file a counter-notice to get the content reinstated - but you better be sure you are in the right.
Oh and Google actually complied with 97% of requests between July and December 2011 [2].
According to the plaintiff's (not very detailed) theory of liability, possession or possibly knowing possession of "stolen property" (the leaked data) is all it should take, though there are some bits about inflicting emotional distress too. I'm not even sure what sort of property this is supposed to be, nor did they explain beyond their quoting of a Canadian case. For copyright, it's not really a creative work and we don't have 'database rights' like other countries do. It might have been a trade secret but it's not really secret any more. Patents and trademarks aren't even relevant, so unless there's something esoteric, I am not clear on how they can even make the 'property' part of 'stolen property' fit.
Also, I agree with you in that I doubt they could have filed a proper DMCA notice. They'd have to claim ownership of the dump itself, which they cannot. And if someone had tried that, it can actually trigger the infamous 'perjury' penalty clause because they don't own the dump. Yes, one could also 'misidentify' a work they really do own as being infringed upon by the dumps but that would never survive a counter-claim--presuming one was filed, a lot of people never challenge these because the next step up is an expensive federal copyright lawsuit. Also, they might have some difficulty explaining their 'good faith' belief the work was infringing if someone called them on it. Calling someone on it, of course requires it to actually go to that expensive courtroom, which is why it almost never seems to happen in spite of the parade of ridiculous DMCA notices. It's simply too expensive to fight over little things, at least for most normal people.
> Can a commercial service monitor a given email address and keep track of breaches affecting that address?
https://haveibeenpwned.com/ and https://pwnedlist.com/ are two services that provide notifications when an email appears in a large data breach, as well as the ability to search for your email in the leaked data.
Can Canadian rulings set precedent in American courts, or is this just a case of the claimants demonstrating how the issue has been handled in other countries for reference by the court?
Precedence is odd and many-faceted, and in a case like this, it would be done indeed to show how other courts have handled the situation. If a Canadian ruling can give a bit of relevant guidance, than it is something that would be put into a case to help bolster the cause. Conversely, neither the judge, nor jury, has to take the Canadian ruling into consideration at all, as it isn't binding. Pretty much it's just helpful advice for the court to keep in mind.
American courts are not bound to follow any Canadian rulings.
They can choose to cite anyone who agrees with them as support for their position, no matter who it is, though. So they can certainly write something saying "look, everyone else agrees with us too" but this is not at all the same as when they're trying to act according to the past decisions of the courts that supervise them.
In one case, they're just looking for people who agree. In the other case, it's more or less mandatory. Yes, they can try to avoid following the precedent if they want, but the judges who supervise them can overrule them if they're out of line.
Since this suit is being filed in Arizona, will the Canadian ruling hold in this case? It seems as though the DMCA's safe harbor provision shields the defendants from liability in this case.