Google must negotiate to pay for French news, appeals court confirms

Google’s appeal against an order by France’s competition watchdog to negotiate with publishers for reuse of snippets of their content has failed.

As we reported in April, the French authority was acting on a new ‘neighbouring right’ for news which was transposed into national law following a pan-EU copyright reform agreed last year.

The Paris court slap-down leaves little legal wiggle room for the tech giant when it comes to shelling out for reusing French publishers’ content.

France’s competition authority already ruled it can’t unilaterally withdraw the snippets shown in its Google News aggregator (and elsewhere on its search service) — as it did when the national law came into force, seeking to evade payment.

Reached for comment on the appeal court decision, a Google spokesperson sent us this statement: “As we announced yesterday, our priority remains to reach an agreement with the French publishers and press agencies. We appealed to get legal clarity on some parts of the order, and we will now review the decision of the Paris Court of Appeal.”

The company also told us it had appealed the interim measures ruling because it had concerns about aspects of the order that it found contradictory and confusing, adding that it continues to have significant concerns with respect to how publisher rights are being interpreted in the country. Although it also reiterated that the legal process is separate to its ongoing negotiations with French publishers which it said it continues to focus on.

A report by Reuters yesterday suggested Google is poised to strike a deal with French publishers.

Earlier this month the tech giant announced a $1BN licensing fees fund, which it has called the Google News Showcase, that it said would be paid to news publishers “to create and curate high-quality content” for new story panels to appear on Google News. It added that it would begin making payments in Germany and Brazil, expanding to other markets.

However that (Google PR) initiative is separate to the payment terms it will have to negotiate with French publishers as a result of a legal requirement for reuse of protected content.

The screw is also tightening on Google’s freebie reuse of news in Australia which is closing in on its own legally binding payment framework — triggering a warning from the tech giant that local access to its ‘free’ services may be at risk.

Standing by developers through Google v. Oracle

The Supreme Court will hear arguments tomorrow in Google v. Oracle. This case raises a fundamental question for software developers and the open-source community: Whether copyright may prevent developers from using software’s functional interfaces — known as APIs — to advance innovation in software. The court should say no — free and open APIs protect innovation, competition and job mobility for software developers in America.

When we use an interface, we don’t need to understand (or care) about how the function on the other side of the interface is performed. It just works. When you sit down at your computer, the QWERTY keyboard allows you to rapidly put words on the screen. When you submit an online payment to a vendor, you are certain the funds will appear in the vendor’s account. It just works.

In the software world, interfaces between software programs are called “application programming interfaces” or APIs. APIs date back to the 1950s and allow developers to write programs that reuse other program functionality without knowing how that functionality is performed. If your program needs to sort a list, you could have it use a sorting program’s API to sort the list for your program. It just works.

Developers have historically used software interfaces free of copyright concerns, and this freedom has accelerated innovation, software interoperation and developer job mobility. Developers using existing APIs save time and effort, allowing those savings to be refocused on new ideas. Developers can also reimplement APIs from one software platform to others, enabling innovation to flow freely across software platforms.

Importantly, reusing APIs gives developers job portability, since knowledge of one set of APIs is more applicable cross-industry. The upcoming Google v. Oracle decision could change this, harming developers, open-source software and the entire software industry.

Google v. Oracle and the platform API bargain

Google v. Oracle is the culmination of a decade-long dispute. Back in 2010, Oracle sued Google, arguing that Google’s Android operating system infringed Oracle’s rights in Java. After ten years, the dispute now boils down to whether Google’s reuse of Java APIs in Android was copyright infringement.

Prior to this case, most everyone assumed that copyright did not cover the use of functional software like APIs. Under that assumption, competing platforms’ API reimplementation allowed developers to build new yet familiar things according to the API bargain: Everyone could use the API to build applications and platforms that interoperate with each other. Adhering to the API made things “just work.”

But if the Google v. Oracle decision indicates that API reimplementation requires copyright permission, the bargain falls apart. Nothing “just works” unless platform makers say so; they now dictate rules for interoperability — charging developers huge prices for the platform or stopping rival, compatible platforms from being built.

Free and open APIs are essential for modern developers

If APIs are not free and open, platform creators can stop competing platforms from using compatible APIs. This lack of competition blocks platform innovation and harms developers who cannot as easily transfer their skills from project to project, job to job.

MySQL, Oracle’s popular database, reimplemented mSQL’s APIs so third-party applications for mSQL could be “ported easily” to MySQL. If copyright had restricted reimplementation of those APIs, adoption of MySQL, reusability of old mSQL programs and the expansion achieved by the “LAMP” stack would have been stifled, and the whole ecosystem would be poorer for it. This and other examples of API reimplementation — IBM’s BIOS, Windows and WINE, UNIX and Linux, Windows and WSL, .NET and Mono, have driven perhaps the most amazing innovation in human history, with open-source software becoming critical digital infrastructure for the world.

Similarly, a copyright block on API-compatible implementations puts developers at the mercy of platform makers say so — both for their skills and their programs. Once a program is written for a given set of APIs, that program is locked-in to the platform unless those APIs can also be used on other software platforms. And once a developer learns skills for how to use a given API, it’s much easier to reuse than retrain on APIs for another platform. If the platform creator decides to charge outrageous fees, or end platform support, the developer is stuck. For nondevelopers, imagine this: The QWERTY layout is copyrighted and the copyright owner decided to charge $1,000 dollars per keyboard. You would have a choice: Retrain your hands or pay up.

All software used by anyone was created by developers. We should give developers the right to freely reimplement APIs, as developer ability to shift applications and skills between software ecosystems benefits everyone — we all get better software to accomplish more.

I hope that the Supreme Court’s decision will pay heed to what developer experience has shown: Free and open APIs promote freedom, competition, innovation and collaboration in tech.

Facebook sues two companies engaged in data scraping operations

Facebook today says it has filed a lawsuit in the U.S. against two companies that had engaged in an international “data scraping” operation. The operation extended across Facebook properties, including both Facebook and Instagram, as well as other large websites and services, including Twitter, Amazon, LinkedIn and YouTube. The companies, which gathered the data of Facebook users for “marketing intelligence” purposes, did so in violation of Facebook’s Terms of Service, says Facebook.

The businesses named in the lawsuit are Israeli-based BrandTotal Ltd. and Unimania Inc., a business incorporated in Delaware.

According to BrandTotal’s website, its company offers a real-time competitive intelligence platform that’s designed to give media, insights and analytics teams visibility into their competition’s social media strategy and paid campaigns. These insights would allow its customers to analyze and shift their budget allocation to target new opportunities, monitor trends and threats from emerging brands, optimize their ads and messaging and more.

Meanwhile, Unimania operated apps claimed to offer users the ability to access social networks in different ways. For example, Unimania offered apps that let you view Facebook via a mobile-web interface or alongside other social networks like Twitter. Another app let you view Instagram Stories anonymously, it claimed.

However, Facebook’s lawsuit is largely focused on two browser extensions offered by the companies: Unimania’s “Ads Feed” and BrandTotal’s “UpVoice.”

The former allowed users to save the ads they saw on Facebook for later reference. But as the extension’s page discloses, doing so would opt users into a panel that informed the advertising decisions of Unimania’s corporate customers. UpVote, on the other hand, rewarded users with gift cards for using top social networking and shopping sites and sharing their opinions about the online campaigns run by big brands.

Facebook says these extensions operated in violation of its protections against scraping and its terms of service. When users installed the extensions and visited Facebook websites, the extensions installed automated programs to scrape their name, user ID, gender, date of birth, relationship status, location information and other information related to their accounts. The data was then sent to a server shared by BrandTotal and Unimania.

Facebook lawsuit vs BrandTotal Ltd. and Unimania Inc. by TechCrunch on Scribd

Data scrapers exist in part to collect as much information as they can through any means possible using automated tools, like bots and scripts. Cambridge Analytica infamously scraped millions of Facebook profiles in the run-up to the 2016 presidential election in order to target undecided voters. Other data scraping operations use bots to monitor concert or event ticket prices in order to undercut competitors. Scraped data can also be used for marketing and advertising, or simply sold on to others.

In the wake of the Cambridge Analytica scandal, Facebook has begun to pursue legal action against various developers that break its terms of service.

Most cases involving data scraping are litigated under the Computer Fraud and Abuse Act, written in the 1980s to prosecute computer hacking cases. Anyone who accesses a computer “without authorization” can face hefty fines or even prison time.

But because the law doesn’t specifically define what “authorized” access is and what isn’t, tech giants have seen mixed results in their efforts to shut down data scrapers.

LinkedIn lost its high-profile case against HiQ Labs in 2019 after an appeals court ruled that the scraper was only collecting data that was publicly available from the internet. Internet rights groups like the Electronic Frontier Foundation lauded the decision, arguing that internet users should not face legal threats “simply for accessing publicly available information in a way that publishers object to.”

Facebook’s latest legal case is slightly different because the company is accusing BrandTotal of scraping Facebook profile data that wasn’t inherently public. Facebook says the accused data scraper used a browser extension installed on users’ computers to gain access to their Facebook profile data.

In March 2019, it took action against two Ukrainian developers who were harvesting data using quiz apps and browser extensions to scrape profile information and people’s friends lists, Facebook says. A court in California recently recommended a judgement in Facebook’s favor in the case. A separate case around scraping filed last year against a marketing partner, Stackla, also came back in Facebook’s favor.

This year, Facebook filed lawsuits against companies and individuals engaged in both scraping and fake engagement services.

Facebook isn’t just cracking down on data scraping businesses to protect user privacy, however. It’s because failing to do so can lead to large fines. Facebook at the beginning of this year was ordered to pay out over half a billion dollars to settle a class action lawsuit that alleged systemic violation of an Illinois privacy law. Last year, it settled with the FTC over privacy lapses and had to pay a $5 billion penalty. As governments work to further regulation of online privacy and data violations, fines like this could add up.

The company says legal action isn’t the only way it’s working to stop data scraping. It has also invested in technical teams and tools to monitor and detect suspicious activity and the use of unauthorized automation for scraping, it says.

Uber wins latest London licence appeal

Uber has won its appeal against having its licence to operate withdrawn in London.

In today’s judgement the court decided it was satisfied with process improvements made by the ride-hailing company, including around its communication with the city’s transport regulator.

However it’s still not clear how long Uber will be granted a licence for — with the judge wanting to hear more evidence before taking a decision.

We’ve reached out to Uber and TfL for comment.

The ride-sharing giant has faced a multi-year battle to have its licence reinstated after TfL, the city’s transport regulator, took the shock decision not to issue a renewal in 2017 — citing safety concerns and deeming the company not “fit and proper” to hold a private hire operator licence.

It won a provisional appeal back in 2018 — when a UK court granted it a 15-month licence to give it time to continue working on meeting TfL’s requirements. However last November the regulator once again denied a full licence renewal — raising a range of new safety issues.

Despite that Uber has been able to continue operating in London throughout the legal process — but with ongoing uncertainty over the future of its licence. Now it will be hoping this is in the past.

In the appeal, Uber’s key argument was it is now “fit and proper” to hold a licence — claiming it’s listened to the regulator’s concerns and learnt from errors, making major changes to address issues related to passenger safety.

For example Uber pointed to improvements in its governance and document review systems, including a freeze on drivers who had not taken a trip for an extended period; real-time driver ID verification; and new scrutiny teams and processes; as well as the launch of ‘Programme Zero’ — which aims to prevent all breaches of licence conditions.

It also argued system flaws were not widespread — claiming only 24 of the 45,000 drivers using the app had exploited its system to its knowledge.

It also argued it now cooperates effectively and proactively with TfL and police forces, denying it conceals any failures. Furthermore, it claimed denying its licence would have a “profound effect” on groups at risk of street harassment — such as women and ethnic minorities, as well as disabled people.

It’s certainly fair to say the Uber of 2020 has travelled some distance from the company whose toxic internal culture included developing proprietary software to try to thwart regulatory oversight and eventually led to a major change of guard of its senior management.

However it’s interesting the court has taken the step of choosing to debate what length of licence Uber should receive. So while it’s a win for Uber, there are still some watchful caveats.

Offering commentary on today’s ruling, Anna McCaffrey, a senior counsel for the law firm Taylor Wessing, highlighted this element of the judgement. “The Magistrates Court agreed that Uber had made improvements and addressed TfL safety concerns. However, the fact that the length of extension is up for debate, rather than securing Uber’s preferred five year licence, demonstrates that Uber will have to work hard to continue to prove to TfL and the Court that it has really changed. If not, Uber is likely to find itself back in Court facing the same battle next year,” she noted in a statement.

She also pointed out that a decision is still pending from the Supreme Court to “finally settle” the question as to whether Uber’s drivers are workers or self-employed — another long-running legal saga for Uber in the UK.

It is also now facing fresh legal challenges related to its algorithmic management of drivers. So there’s still plenty of work for its lawyers.

The App Drivers and Couriers Union (ADCU), meanwhile, offered a cautious welcome of the court’s decision to grant Uber’s licence renewal — given how many of its members are picking up jobs via the platform.

However the union also called for the major of London to break up what it dubbed Uber’s “monopoly” by imposing limits on the numbers of drivers who can register on its platform. In a statement, ADCU president, Yaseen Aslam, argued: “The reduced scale will give both Uber and Transport for London the breathing space necessary to ensure all compliance obligations -– including worker rights — are met in future.”

YouTube hit with UK class action style suit seeking $3BN+ for ‘unlawful’ use of kids’ data

Another class action style lawsuit has been lodged against a tech giant in the UK alleging violations of privacy and seeking major damages. The latest representative action, filed against Google-owned YouTube, accuses the platform of routinely breaking UK and European data protection laws by unlawfully targeting up to five million under-13-year-olds with addictive programming and harvests their data for advertisers.

UK and EU law contain specific protections for children’s data, limiting the age at which minors can legally consent to their data being processed — in the case of the UK’s Data Protection Act to aged 13.

The suit is being brought by international law firm Hausfeld and Foxglove, a tech justice non-profit, which says they’re seeking damages from YouTube of more than £2.5BN (~$3.2BN).

Per the firms, it’s the first such representative litigation brought against a tech giant on behalf of children and among the largest such cases to date. (Last month a similar class style action was filed against Oracle in the UK alleging breaches of Europe’s General Data Protection Regulation (GDPR) related to cookie tracking.)

If the case succeeds, they say millions of British households whose kids watch YouTube may be owed “hundreds of pounds” in damages.

Duncan McCann, a researcher on the digital economy and father of three children all under 13 who watch YouTube and have their data collected and ads targeted at them by Google, is serving as representative claimant in the case.

Commenting in a statement, McCann said: “My kids love YouTube, and I want them to be able to use it. But it isn’t ‘free’ — we’re paying for it with our private lives and our kids’ mental health. I try to be relatively conscious of what’s happening with my kids’ data online but even so it’s just impossible to combat Google’s lure and influence, which comes from its surveillance power. There’s a massive power imbalance between us and them, and it needs to be fixed.”

“The [YouTube] website has no user practical age requirements and makes no adequate attempt to limit usage by youngsters,” notes Hausfeld in a press release about the lawsuit.

While a Foxglove release about the suit points to YouTube pitch materials intended for toy makers Mattel and Hasbro (and made public via an earlier FTC suit against Google) — in which it says the platform described itself as “the new Saturday morning cartoons”, “the number one website visited regularly by kids”, “today’s leader in reaching children age 6-11 against top TV channels”, and “unanimously voted as the favorite website of kids 2-12”.

Reached for comment, a YouTube spokesperson sent us this statement: “We don’t comment on pending litigation. YouTube is not for children under the age of 13. We launched the YouTube Kids app as a dedicated destination for kids and are always working to better protect kids and families on YouTube.”

The tech giant maintains that YouTube is not for under 13s — pointing to the existence of YouTube Kids, a dedicated kids’ app it launched in 2015 to offer what it called a “safer and easier” space for children to discover “family-focused content”, to back up the claim.

Although the company has never claimed that no children under 13 use YouTube. And last year the FTC agreed a $170M settlement with Google to end an investigation by the regulator and the New York Attorney General into alleged collection of children’s personal information by YouTube without the consent of their parents.

The rise in class action style lawsuits being filed in the UK seeking damages for breaches of data protection law follow a notable appeals court decision, just under a year ago, also against Google.

In that case the appeals court unblocked a class-action style lawsuit against the tech giant related to bypassing iOS privacy settings to track iPhone users.

In the US, Google paid $22.5M to the FTC back in 2012 to settle the same charge, and later paid a smaller sum to settle a number of US class action lawsuits. The UK case, meanwhile, continues.

While Europe has historically strong data protection laws, there has been — and still is — a lack of robust regulatory enforcement which is leaving a gap that litigation funders are increasingly willing to plug.

In the UK the challenge for those seeking damages for large scale violations is there’s no direct equivalent to a US class action. But last year’s appeals court ruling in the Safari bypass case has opened the door to representative actions.

The court also said damages could be sought for a breach of the law without needing to prove pecuniary loss or distress, establishing a route to redress for consumers that’s now being tested by several cases.

Facebook seeks fresh legal delay to block order to suspend its transatlantic data transfers

Facebook is firing up its lawyers to try to block EU regulators from forcing it to suspend transatlantic data transfers in the wake of a landmark ruling by Europe’s top court this summer.

The tech giant has applied to judges in Ireland to seek a judicial review of a preliminary suspension order, it has emerged.

Earlier this week Facebook confirmed it had received a preliminary order from its lead EU data regulator — Ireland’s Data Protection Commission (DPC) — ordering it to suspend transfers.

That’s the logical conclusion after the so-called Schrems II ruling which struck down a flagship EU-US data transfer arrangement on the grounds of US surveillance overreach — simultaneously casting doubt on the legality of alternative mechanisms for EU to US data transfers in cases where the data controller is subject to FISA 702 (as Facebook is).

Today The Currency reported that Dublin commercial law firm, Mason Hayes + Curran, filed papers with the Irish High Court yesterday, naming Ireland’s data protection commissioners as defendant in the judicial review action.

Facebook confirmed the application — sending us this statement: “A lack of safe, secure and legal international data transfers would have damaging consequences for the European economy. We urge regulators to adopt a pragmatic and proportionate approach until a sustainable long-term solution can be reached.”

In further remarks the company did not want directly quoted it told us it believes the preliminary order is premature as it said it expects further regulator guidance in the wake of the Schrems II ruling.

It’s not clear what further guidance Facebook is hankering for, nor what grounds it is claiming for seeking a judicial review of the DPC’s process. We asked it about this but it declined to offer any details. However the tech giant’s intent to (further) delay regulatory action which threats its business interests is crystal clear.

The original complaint against Facebook’s transatlantic data transfers dates all the way back to 2013.

 

Ireland’s legal system allows for ex parte applications for judicial review. So all Facebook had to do to file an application to the High Court to challenge the DPC’s preliminary order is a statement of grounds, a verifying affidavit and an ex parte docket (plus any relevant court fee). Oh and it had to be sure this paperwork was submitted on A4.

The DPC’s deputy commissioner, Graham Doyle, declined to comment on the latest twist in the neverending saga.

Facebook sues developers who violated terms to collect user data, sell fake ‘likes’

Facebook announced today it’s suing multiple developers in the U.S. and, for the first time, in the U.K., for violations of its policies. In the U.K., both Facebook Inc. and Facebook Ireland are suing MobiBurn, parent company OakSmart Technologies and its founder Fatih Haltas, in the High Court of Justice for failing to comply with Facebook’s audit request, after security researchers flagged the company’s technology for collecting data from Facebook users through its malicious software. Separately, Facebook Inc. and Instagram Inc. sued Nikolay Holper in federal court in San Francisco for operating a fake engagement service.

Facebook has been cracking down on malicious developers following the Cambridge Analytica scandal, which saw the personal data of 87 million Facebook users compromised. Since then, Facebook introduced more protections over how app developers could access data, as well as punitive actions. Earlier this year, Facebook also introduced new Platform Terms and Developer Policies that gave it permission to audit third-party apps by requesting either remote or physical access to developers’ systems, if need be, to ensure compliance.

According to Facebook’s announcement, MobiBurn failed to “fully comply” with Facebook’s audit request, where it was attempting to investigate the company’s use of a malicious Software Development Kit (SDK) to harvest user data.

News of MobiBurn’s activities first circulated in security research circles in late 2019. In November, both Facebook and Twitter announced that the personal data of hundreds of users may have been improperly accessed after they used their social accounts to log in to certain third-party apps that had malicious SDKs installed by MobiBurn and another company, One Audience. Facebook said it had issued cease and desist letters to those companies.

In MobiBurn’s case, it also took enforcement action, disabled its apps and requested its participation in an audit, as its policies now allow for. MobiBurn “failed to fully cooperate,” Facebook says.

MobiBurn, in November, had responded that it didn’t collect, share or monetize data from Facebook. The company hasn’t yet responded to a request for comment today.

Facebook’s lawsuit alleges that MobiBurn paid third-party app developers to install its SDK into their apps. Once installed, MobiBurn collected information from the devices and requested data from Facebook, including the person’s name, time zone, email address and gender, explains Facebook, in its announcement of the lawsuit.

The suit is looking for an injunction against MobiBurn; the ability to audit the company’s systems; an account of the data it accessed, payments made to developers, and payments received; damages and other relief.

Facebook vs MobiBurn by TechCrunch on Scribd

Meanwhile, in the U.S. lawsuit, Facebook is taking on developer Nikolay Holper, who operated a fake engagement service. Facebook alleges Holoper used a network of bots and automation software to “distribute fake likes, comments, views and followers on Instagram.” Several different websites were used to sell the fake engagement service to Instagram users, the suit says.

Complaint and Exhibits-conformed by TechCrunch on Scribd

This is not the first time Facebook has cracked down on fake engagement services. Last year, it filed a U.S. lawsuit to shut down a follower-buying service in New Zealand. Instagram in 2019 also shut down the accounts of 17 fake engagement services that promise more followers to Instagram users.

Facebook had previously shut down the engagement service and formally warned the developer he was in violation, and sent a cease and desist letter.

While Facebook’s attempts to crack down on developers violating its terms of service, users have found other ways to inauthentically grow their follower base. Many Instagram users, for example, participate in “pods” where they systematically coordinate liking and commenting on each others’ posts as a way to game Instagram algorithms.

“Today’s actions are the latest in our efforts to protect people who use our services, hold those who abuse our platform accountable, and advance the state of the law around data misuse and privacy,” said Facebook, in a statement.

 

Instacart faces lawsuit from DC Attorney General over ‘deceptive’ service fees

Instacart is facing a lawsuit from Washington, D.C. Attorney General Karl A. Racine that alleges the company charged customers millions of dollars in “deceptive service fees” and failed to pay hundreds of thousands of dollars worth of sales tax. The suit seeks restitution for customers who paid those service fees, as well as back taxes and on interest on taxes owed to D.C.

The suit specifically alleges Instacart misled customers regarding the 10% service fee to think it was a tip for the delivery person from September 2016 to April 2018.

“Instacart tricked District consumers into believing they were tipping grocery delivery workers when, in fact, the company was charging them extra fees and pocketing the money,” Racine said in a statement. “Instacart used these deceptive fees to cover its operating costs while simultaneously failing to pay D.C. sales taxes. We filed suit to force Instacart to honor its legal obligations, pay D.C. the taxes it owes, and return millions of dollars to District consumers the company deceived.”

This is not the first time Instacart has faced legal issues over its service fees. In 2017, Instacart settled a $4.6 million suit regarding claims that the company misclassified its personal shoppers as independent contractors, and also failed to reimburse them for work expenses. As part of the settlement, Instacart was required to change the way it described a service fee, which many people mistakenly thought meant tip. Even when Instacart clarified the language, the suit alleges Instacart still buried the option to tip.

“In this respect, Instacart’s checkout design compounded
consumers’ tendency to confuse the service fee with a shopper tip,” the suit alleges.

This lawsuit comes as Instacart is facing uncertainty in California over the way it classifies some of its shoppers and delivery people. Despite a new law going into effect in January that clearly lays out what type of workers should and should not be classified as independent contractors, Instacart has yet to classify its workers as employees. Instead, Instacart, along with Uber, Lyft and DoorDash, are backing a ballot measure, Prop 22, that seeks to keep their workers classified as independent contractors.

TechCrunch has reached out to Instacart and will update this story if we hear back.

Apple contends Epic’s ban was a ‘self-inflicted’ prelude to gaming the App Store

Apple has filed legal documents opposing Epic’s attempt to have itself reinstated in the iOS App Store, after having been kicked out last week for flouting its rules. Apple characterizes the entire thing as a “carefully orchestrated, multi-faceted campaign” aimed at circumventing — perhaps permanently — the 30% cut it demands for the privilege of doing business on iOS.

Epic last week slyly introduced a way to make in-app purchases in its popular game Fortnite without going through Apple. This is plainly against the rules, and Apple soon kicked the game, and the company’s other accounts, off the App Store. Obviously having anticipated this, Epic then published a parody of Apple’s famous 1984 ad, filed a lawsuit and began executing what Apple describes quite accurately as “a carefully orchestrated, multi-faceted campaign.”

In fact, as Apple notes in its challenge, Epic CEO Tim Sweeney emailed ahead of time to let Apple know what his company had planned. From Apple’s filing:

Around 2am on August 13, Mr. Sweeney of Epic wrote to Apple stating its intent to breach Epic’s agreements:
“Epic will no longer adhere to Apple’s payment processing restrictions.”

This was after months of attempts at negotiations in which, according to declarations from Apple’s Phil Schiller, Epic attempted to coax a “side letter” from Apple granting Epic special dispensation. This contradicts claims by Sweeney that Epic never asked for a special deal. From Schiller’s declaration:

Specifically, on June 30, 2020, Epic’s CEO Tim Sweeney wrote my colleagues and me an email asking for a “side letter” from Apple that would create a special deal for only Epic that would fundamentally change the way in which Epic offers apps on Apple’s iOS platform.

In this email, Mr. Sweeney expressly acknowledged that his proposed changes would be in direct breach of multiple terms of the agreements between Epic and Apple. Mr. Sweeney acknowledged that Epic could not implement its proposal unless the agreements between Epic and Apple were modified.

One prong of Epic’s assault was a request for courts to grant a “temporary restraining order,” or TRO, a legal procedure for use in emergencies where a party’s actions are unlawful, a suit to show their illegality is pending and likely to succeed, and those actions should be proactively reversed because they will cause “irreparable harm.”

If Epic’s request were to be successful, Apple would be forced to reinstate Fortnite and allow its in-game store to operate outside of the App Store’s rules. As you might imagine, this would be disastrous for Apple — not only would its rules have been deliberately ignored, but a court would have placed its imprimatur on the idea that those rules may even be illegal. So it is essential that Apple slap down this particular legal challenge quickly and comprehensively.

Apple’s filing challenges the TRO request on several grounds. First, it contends that there is no real “emergency” or “irreparable harm” because the entire situation was concocted and voluntarily initiated by Epic:

Having decided that it would rather enjoy the benefits of the App Store without paying for them, Epic has breached its contracts with Apple, using its own customers and Apple’s users as leverage.

But the “emergency” is entirely of Epic’s own making…it knew full well what would happen and, in so doing, has knowingly and purposefully created the harm to game players and developers it now asks the Court to step in and remedy.

Epic’s complaint that Apple banned its Unreal Engine accounts as well as Fortnite related ones, Apple notes, is not unusual, considering the accounts share tax IDs, emails and so on. It’s the same “user,” for their purposes. Apple also says it gave Epic ample warning and opportunity to correct its actions before a ban took place. (Apple, after all, makes a great deal of money from the app as well.)

Apple also questions the likelihood of Epic’s main lawsuit (independent of the TRO request) succeeding on its merits — namely that Apple is exercising monopoly power in its rent-collecting on the App Store:

[Epic’s] logic would make monopolies of Microsoft, Sony and Nintendo, just to name a few.

Epic’s antitrust theories, like its orchestrated campaign, are a transparent veneer for its effort to co-opt for itself the benefits of the App Store without paying or complying with important requirements that are critical to protect user safety, security,
and privacy.

Lastly Apple notes that there is no benefit to the public interest to providing the TRO — unlike if, for example, Apple’s actions had prevented emergency calls from working or the like, and there was a serious safety concern:

All of that alleged injury for which Epic improperly seeks emergency relief could disappear tomorrow if Epic cured its breach…All of this can happen without any intervention of the Court or expenditure of judicial resources. And Epic would be free to pursue its primary lawsuit.

Although Apple eschews speculating further in its filings, one source close to the matter suggested that it is of paramount importance to that company to avoid the possibility of Epic or anyone else establishing their own independent app stores on iOS. A legal precedent would go a long way toward clearing the way for such a thing, so this is potentially an existential threat for Apple’s long-toothed but extremely profitable business model.

The conflict with Epic is only the latest in a series going back years in which companies challenged Apple’s right to control and profit from what amounts to a totally separate marketplace.

Most recently Microsoft’s xCloud app was denied entry to the App Store because it amounted to a marketplace for games that Apple could not feasibly vet individually. Given this kind of functionality is very much the type of thing consumers want these days, the decision was not popular. Other developers, industries and platforms have challenged Apple on various fronts as well, to the point where the company has promised to create a formal process for challenging its rules.

But of course, even the rule-challenging process is bound by Apple’s rules.

You can read the full Apple filing below:

Epic v. Apple 4:20-cv-05640… by TechCrunch on Scribd

UK class action style claim filed over Marriott data breach

A class action style suit has been filed in the UK against hotel group Marriott International over a massive data breach that exposed the information of some 500 million guests around the world, including around 30 million residents of the European Union, between July 2014 and September 2018.

The representative legal action against Marriott has been filed by UK resident, Martin Bryant, on behalf of millions of hotel guests domiciled in England & Wales who made reservations at hotel brands globally within the Starwood Hotels group, which is now part of Marriott International.

Hackers gained access to the systems of the Starwood Hotels group, starting in 2014, where they were able to help themselves to information such as guests’ names; email and postal addresses; telephone numbers; gender and credit card data. Marriott International acquired the Starwood Hotels group in 2016 — but the breach went undiscovered until 2018.

Bryant is being represented by international law firm, Hausfeld, which specialises in group actions.

Commenting in a statement, Hausfeld partner, Michael Bywell, said: “Over a period of several years, Marriott International failed to take adequate technical or organisational measures to protect millions of their guests’ personal data which was entrusted to them. Marriott International acted in clear breach of data protection laws specifically put in place to protect data subjects.”

“Personal data is increasingly critical as we live more of our lives online, but as consumers we don’t always realise the risks we are exposed to when our data is compromised through no fault of our own. I hope this case will raise awareness of the value of our personal data, result in fair compensation for those of us who have fallen foul of Marriott’s vast and long-lasting data breach, and also serve notice to other data owners that they must hold our data responsibly,” added Bryant in another supporting statement.

We’ve reached out to Marriott International for comment on the legal action.

A claim website for the action invites other eligible UK individuals to register their interest — and “hold Marriott to account for not securing your personal data”, as it puts it.

Here are the details of who is eligible to register their interest:

The ‘class’ of claimants on whose behalf the claim is brought includes all individuals who at any date prior to 10 September 2018 made a reservation online at a hotel operating under any of the following brands: W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotel & Resorts, Four Points by Sheraton, Design Hotels. In addition, any other brand owned and/or operated by Marriott International Inc or Starwood Hotels and Resorts Worldwide LLC. The individuals must have been resident in England and Wales at some point during the relevant period prior to 10 September 2018 and are resident in England and Wales at the date the claim was issued. They must also have been at least 18 years old at the date the claim was issued.

The claim is being brought as a representative action under Rule 19.6 of the Civil Procedure Rules, per a press release, which also notes that everyone with the same interest as Bryant is included in the claimant class unless they opt out.

Those eligible to participate face no fees or costs, nor do affected guests face any financial risk from the litigation — which is being fully funded by Harbour Litigation Funding, a global litigation funder.

The suit is the latest sign that litigation funders are willing to take a punt on representative actions in the UK as a route to obtaining substantial damages for data issues. Another class action style suit was announced last week, alongside a class action in the Netherlands — targeting tracking cookies operated by data broker giants, Oracle and Salesforce.

Both lawsuits follow a landmark decision by a UK appeals court last year which allowed a class action-style suit against Google’s use between 2011 and 2012 of tracking cookies to override iPhone users’ privacy settings in Apple’s Safari browser to proceed, overturning an earlier court decision to toss the case.

The other unifying factor is the existence of Europe’s General Data Protection Regulation (GDPR) framework which has opened the door to major fines for data protection violations. So even if EU regulators continue to lack uniform vigour in enforcing data protection law, there’s a chance the region’s courts will do the job for them if more litigation funders see value in bringing cases to them to pursue class damages for privacy violations.

The dates of the Marriott data breach means it falls under GDPR — which came into force in May 2018.

The UK’s data watchdog, the ICO, proposed a $123M fine for the security failing in July last year — saying then that the hotel operator had “failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems”.

However it has yet to hand down a final decision. Asked when the Marriott decision will be finalized, an ICO spokeswoman told us the “regulatory process” has been extended until September 30. No additional detail was offered to explain the delay.

Here’s the regulator’s statement in full:

Under Schedule 16 of the Data Protection Act 2018, Marriott has agreed to an extension of the regulatory process until 30 September. We will not be commenting until the regulatory process has concluded.