Court rules Mike Rothenberg must fork over more than $31 million to settle SEC allegations

Mike Rothenberg, the once high-flying VC bent on bringing the party to Silicon Valley, must now pay a whopping $31.4 million to settle a California federal court ruling in favor of Securities and Exchange Commission allegations.

TechCrunch deemed Rothenberg a ‘virtual gatsby’ back in 2016, when we first broke the news about the downfall of his venture capital firm, Rothenberg Ventures. It seemed he took it as a compliment, changing his Instagram handle to @virtualgatsby. Indeed, the name seemed appropriate for a man who seemingly lived a party boy lifestyle and spent lavishly to woo startup founders — including going on Napa Valley wine tours, holding an annual ‘founder field day’ where he rented out the whole San Francisco Giants’ baseball stadium and spending unsparingly to executive produce a video for Coldplay.

But the party life came to a halt when top leadership jumped ship and the SEC started looking into the books. The SEC formally charged Rothenberg in August of 2018 for misappropriating millions of dollars of his investors’ capital and funneling that money into his own bank account. Rothenberg settled with the SEC at the time and, as part of the settlement, was barred from the brokerage and investment advisory business for five years.

Rothenberg was later caught up in several lawsuits, including one from Transcend VR for fraud and breach of contract, which ended in a settlement. Another suit between Rothenberg and his former CFO, David Haase, ended with Rothenberg being ordered to pay $166,000 in damages.

But there was more to come from the SEC, following a forensic audit in partnership with the firm Deloitte showing the misuse or misappropriation of $18.8 million in investor funding. Under that examination, Deloitte showed Rothenberg had used the money either personally, to float his flashy lifestyle, or for other extravagances such as building a race car team and a virtual reality studio. Rothenberg has now been ordered to pay back the $18.8 million he took from investors, another $9 million in civil penalties, plus $3.7 million in interest.

Neither the SEC nor Rothenberg has responded to requests for comment. It’s also important to note none of the charges so far have been criminal but were handled in civil court, as the SEC does not handle criminal cases.

Through all of it, Rothenberg never admitted any guilt for his actions and it is important to note that, because of this lack of admission of any wrongdoing, he will be able to practice again after the bar is lifted in five years. He’s also made some decent early investments in startups like Robinhood and many investor sources TechCrunch spoke to over the years seemed quite loyal to him as an investor, despite the charges, employee mass exodus and fund implosion that followed.

And it seems this saga is not over yet. Rothenberg told MarketWatch in a recent interview that he thought the ruling was, “historically excessive and vindictively punitive,” that he planned to appeal it and would be suing Silicon Valley Bank, which Rothenberg used to funnel several investments, over the matter. 

Rothenberg Ventures already filed suit against Silicon Valley Bank in August of 2018, the same day the SEC filed formal charges against Rothenberg himself. In that suit, Rothenberg alleged negligence, fraud and deceit on the part of the bank and sought a trial before jury. Silicon Valley Bank said it would defend against the case at the time.

We’ve reached out to Silicon Valley Bank and are waiting to hear back. The real question is, if Rothenberg were to come back to investing in Silicon Valley, would anyone still trust him? 

Mass surveillance for national security does conflict with EU privacy rights, court advisor suggests

Mass surveillance regimes in the UK, Belgium and France which require bulk collection of digital data for a national security purpose may be at least partially in breach of fundamental privacy rights of European Union citizens, per the opinion of an influential advisor to Europe’s top court issued today.

Advocate general Campos Sánchez-Bordona’s (non-legally binding) opinion, which pertains to four references to the Court of Justice of the European Union (CJEU), takes the view that EU law covering the privacy of electronic communications applies in principle when providers of digital services are required by national laws to retain subscriber data for national security purposes.

A number of cases related to EU states’ surveillance powers and citizens’ privacy rights are dealt with in the opinion, including legal challenges brought by rights advocacy group Privacy International to bulk collection powers enshrined in the UK’s Investigatory Powers Act; and a La Quadrature du Net (and others’) challenge to a 2015 French decree related to specialized intelligence services.

At stake is a now familiar argument: Privacy groups contend that states’ bulk data collection and retention regimes have overreached the law, becoming so indiscriminately intrusive as to breach fundamental EU privacy rights — while states counter-claim they must collect and retain citizens’ data in bulk in order to fight national security threats such as terrorism.

Hence, in recent years, we’ve seen attempts by certain EU Member States to create national frameworks which effectively rubberstamp swingeing surveillance powers — that then, in turn, invite legal challenge under EU law.

The AG opinion holds with previous case law from the CJEU — specifically the Tele2 Sverige and Watson judgments — that “general and indiscriminate retention of all traffic and location data of all subscribers and registered users is disproportionate”, as the press release puts it.

Instead the recommendation is for “limited and discriminate retention” — with also “limited access to that data”.

“The Advocate General maintains that the fight against terrorism must not be considered solely in terms of practical effectiveness, but in terms of legal effectiveness, so that its means and methods should be compatible with the requirements of the rule of law, under which power and strength are subject to the limits of the law and, in particular, to a legal order that finds in the defence of fundamental rights the reason and purpose of its existence,” runs the PR in a particularly elegant passage summarizing the opinion.

The French legislation is deemed to fail on a number of fronts, including for imposing “general and indiscriminate” data retention obligations, and for failing to include provisions to notify data subjects that their information is being processed by a state authority where such notifications are possible without jeopardizing its action.

Belgian legislation also falls foul of EU law, per the opinion, for imposing a “general and indiscriminate” obligation on digital service providers to retain data — with the AG also flagging that its objectives are problematically broad (“not only the fight against terrorism and serious crime, but also defence of the territory, public security, the investigation, detection and prosecution of less serious offences”).

The UK’s bulk surveillance regime is similarly seen by the AG to fail the core “general and indiscriminate collection” test.

There’s a slight carve out for national legislation that’s incompatible with EU law being, in Sánchez-Bordona’s view, permitted to maintain its effects “on an exceptional and temporary basis”. But only if such a situation is justified by what is described as “overriding considerations relating to threats to public security or national security that cannot be addressed by other means or other alternatives, but only for as long as is strictly necessary to correct the incompatibility with EU law”.

If the court follows the opinion it’s possible states might seek to interpret such an exceptional provision as a degree of wiggle room to keep unlawful regimes running further past their legal sell-by-date.

Similarly, there could be questions over what exactly constitutes “limited” and “discriminate” data collection and retention — which could encourage states to push a ‘maximal’ interpretation of where the legal line lies.

Nonetheless, privacy advocates are viewing the opinion as a positive sign for the defence of fundamental rights.

In a statement welcoming the opinion, Privacy International dubbed it “a win for privacy”. “We all benefit when robust rights schemes, like the EU Charter of Fundamental Rights, are applied and followed,” said legal director, Caroline Wilson Palow. “If the Court agrees with the AG’s opinion, then unlawful bulk surveillance schemes, including one operated by the UK, will be reined in.”

The CJEU will issue its ruling at a later date — typically between three and six months after an AG opinion.

The opinion comes at a key time given European Commission lawmakers are set to rethink a plan to update the ePrivacy Directive, which deals with the privacy of electronic communications, after Member States failed to reach agreement last year over an earlier proposal for an ePrivacy Regulation — so the AG’s view will likely feed into that process.

The opinion may also have an impact on other legislative processes — such as the talks on the EU e-evidence package and negotiations on various international agreements on cross-border access to e-evidence — according to Luca Tosoni, a research fellow at the Norwegian Research Center for Computers and Law at the University of Oslo.

“It is worth noting that, under Article 4(2) of the Treaty on the European Union, “national security remains the sole responsibility of each Member State”. Yet, the advocate general’s opinion suggests that this provision does not exclude that EU data protection rules may have direct implications for national security,” Tosoni also pointed out. 

“Should the Court decide to follow the opinion… ‘metadata’ such as traffic and location data will remain subject to a high level of protection in the European Union, even when they are accessed for national security purposes.  This would require several Member States — including Belgium, France, the UK and others — to amend their domestic legislation.”

US patents hit record 333,530 granted in 2019; IBM, Samsung (not the FAANGs) lead the pack

We may have moved on from a nearly-daily cycle of news involving tech giants sparring in courts over intellectual property infringement, but patents continue to be a major cornerstone of how companies and people measure their progress and create moats around the work that they have done in hopes of building that into profitable enterprises in the future. IFI Claims, a company that tracks patent activity in the US, released its annual tally of IP work today underscoring that theme: it noted that 2019 saw a new high-watermark of 333,530 patents granted by the US Patent and Trademark Office.

The figures are notable for a few reasons. One is that this is the most patents ever granted in a single year; and the second that this represents a 15% jump on a year before. The high overall number speaks to the enduring interest in safeguarding IP, while the 15% jump has to do with the fact that patent numbers actually dipped last year (down 3.5%) while the number that were filed and still in application form (not granted) was bigger than ever. If we can draw something from that, it might be that filers and the USPTO were both taking a little more time to file and process, not a reduction in the use of patents altogether.

But patents do not tell the whole story in another very important regard.

Namely, the world’s most valuable, and most high profile tech companies are not always the ones that rank the highest in patents filed.

Consider the so-called FAANG group, Facebook, Apple, Amazon, Netflix and Google: Facebook is at number-36 (one of the fastest movers but still not top 10) with 989 patents; Apple is at number-seven with 2,490 patents; Amazon is at number-nine with 2,427 patents; Netflix doesn’t make the top 50 at all; and the Android, search and advertising behemoth Google is merely at slot 15 with 2,102 patents (and no special mention for growth).

Indeed, the fact that one of the oldest tech companies, IBM, is also the biggest patent filer almost seems ironic in that regard.

As with previous years — the last 27, to be exact — IBM has continued to hold on to the top spot for patents granted, with 9,262 in total for the year. Samsung Electronics, at 6,469, is a distant second.

These numbers, again, don’t tell the whole story: IFI Claims notes that Samsung ranks number-one when you consider all active patent “families”, which might get filed across a number of divisions (for example a Samsung Electronics subsidiary filing separately) and count the overall number of patents to date (versus those filed this year). In this regard, Samsung stands at 76,638, with IBM the distant number-two at 37,304 patent families.

Part of this can be explained when you consider their businesses: Samsung makes a huge range of consumer and enterprise products. IBM, on the other hand, essentially moved out of the consumer electronics market years ago and these days mostly focuses on enterprise and B2B and far less hardware. That means a much smaller priority placed on that kind of R&D, and subsequent range of families.

Two other areas that are worth tracking are biggest movers and technology trends.

In the first of these, it’s very interesting to see a car company rising to the top. Kia jumped 58 places and is now at number-41 (921 patents) — notable when you think about how cars are the next “hardware” and that we are entering a pretty exciting phase of connected vehicles, self-driving and alternative energy to propel them.

Others rounding out fastest-growing were Hewlett Packard Enterprise, up 28 places to number-48 (794 patents); Facebook, up 22 places to number-36 (989 patents); Micron Technology, up nine places to number-25 (1,268), Huawei, up six places to number-10 (2,418), BOE Technology, up four places to number-13 (2,177), and Microsoft, up three places to number-4 (3,081 patents).

In terms of technology trends, IFI looks over a period of five years, and there is now a strong current of medical and biotechnology innovation running through the list, with hybrid plant creation topping the list of trending technology, followed by CRISPR gene-editing technology, and then medicinal preparations (led by cancer therapies). “Tech” in the computer processor sense only starts at number-four with dashboards and other car-related tech; with quantum computing, 3-D printing and flying vehicle tech all also featuring.

Indeed, if you have wondered if we are in a fallow period of innovation in mobile, internet and straight computer technology… look no further than this list to prove out that thought.

Unsurprisingly, US companies account for 49% of U.S. patents granted in 2019 up from 46 percent a year before. Japan accounts for 16% to be the second-largest, with South Korea at 7% (Samsung carrying a big part of that, I’m guessing), and China passing Germany to be at number-four with 5%.

  1. International Business Machines Corp 9262
  2. Samsung Electronics Co Ltd 6469
  3. Canon Inc 3548
  4. Microsoft Technology Licensing LLC 3081
  5. Intel Corp 3020
  6. LG Electronics Inc 2805
  7. Apple Inc 2490
  8. Ford Global Technologies LLC 2468
  9. Amazon Technologies Inc 2427
  10. Huawei Technologies Co Ltd 2418
  11. Qualcomm Inc 2348
  12. Taiwan Semiconductor Manufacturing Co TSMC Ltd 2331
  13. BOE Technology Group Co Ltd 2177
  14. Sony Corp 2142
  15. Google LLC 2102
  16. Toyota Motor Corp 2034
  17. Samsung Display Co Ltd 1946
  18. General Electric Co 1818
  19. Telefonaktiebolaget LM Ericsson AB 1607
  20. Hyundai Motor Co 1504
  21. Panasonic Intellectual Property Management Co Ltd 1387
  22. Boeing Co 1383
  23. Seiko Epson Corp 1345
  24. GM Global Technology Operations LLC 1285
  25. Micron Technology Inc 1268
  26. United Technologies Corp 1252
  27. Mitsubishi Electric Corp 1244
  28. Toshiba Corp 1170
  29. AT&T Intellectual Property I LP 1158
  30. Robert Bosch GmbH 1107
  31. Honda Motor Co Ltd 1080
  32. Denso Corp 1052
  33. Cisco Technology Inc 1050
  34. Halliburton Energy Services Inc 1020
  35. Fujitsu Ltd 1008
  36. Facebook Inc 989
  37. Ricoh Co Ltd 980
  38. Koninklijke Philips NV 973
  39. EMC IP Holding Co LLC 926
  40. NEC Corp 923
  41. Kia Motors Corp 921
  42. Texas Instruments Inc 894
  43. LG Display Co Ltd 865
  44. Oracle International Corp 847
  45. Murata Manufacturing Co Ltd 842
  46. Sharp Corp 819
  47. SK Hynix Inc 798
  48. Hewlett Packard Enterprise Development LP 794
  49. Fujifilm Corp 791
  50. LG Chem Ltd 791

Airbnb is a platform not an estate agent, says Europe’s top court

Airbnb will be breathing a sigh of relief today: Europe’s top court has judged it to be an online platform which merely connects people looking for short term accommodation, rather than a full-blown estate agent.

The ruling may make it harder for the ‘home sharing’ platform to be forced to comply with local property regulations — at least under current regional rules governing ecommerce platforms.

The judgement by the Court of Justice of the European Union (CJEU) today follows a complaint made by a French tourism association, AHTOP, which had argued that Airbnb should hold a professional estate agent licence and that, by not having one, the platform giant was in breach of a piece of French legislation known as the ‘Hoguet Law’.

However the court disagreed — siding with Airbnb’s argument that its business must be classified as an ‘information society service’ under EU Directive 2000/31 on electronic commerce.

Commenting on the ruling in a statement, Luca Tosoni, a research fellow at the Norwegian Research Center for Computers and Law at the University of Oslo, told us: “The Court’s finding that online platforms that facilitate the provision of short-term accommodation services, such as Airbnb, qualify as providers of ‘information society services’ entails strict limitations on the ability to introduce or enforce restrictive measures on similar services by a Member State other than that in whose territory the relevant service provider is established.”

“The Court’s judgment suggests that the enforcement of restrictive measures against a provider of ‘information society services’ may only occur on a very exceptional basis, subject to strict substantive and procedural conditions, including prior specific notification to the European Commission,” he added.

It’s a ruling that Uber may well look enviously at — given, in the case of its ride-hailing platform, the CJEU reached a very different conclusion a couple of years ago, finding Uber to be a transportation service not merely a tech platform.

In the Airbnb case the court points to differences vs the Uber ruling, noting that an online intermediation service may be classed otherwise if the intermediation service forms an integral part of an overall service whose main component is a service coming under another legal classification.

“In the present case, the Court found that an intermediation service such as that provided by Airbnb Ireland satisfied those conditions, and the nature of the links between the intermediation service and the provision of accommodation did not justify departing from the classification of that intermediation service as an ‘information society service’ and thus the application of Directive 2000/31 to that service,” it writes in a press release on the judgement.

Factors which informed that judgement include that Airbnb’s service is “not aimed only at providing immediate accommodation services, but rather it consists essentially of providing a tool for presenting and finding accommodation for rent, thereby facilitating the conclusion of future rental agreements”; that the platform is “in no way indispensable to the provision of accommodation services, since the guests and hosts have a number of other channels in that respect, some of which are long-standing”; and that it found nothing to indicate Airbnb sets or caps the amount of the rents charged by the hosts using its platform.

“[U]nlike the intermediation services at issue in the judgments in Asociación Profesional Elite Taxi and Uber France, neither that intermediation service nor the ancillary services offered by Airbnb Ireland make it possible to establish the existence of a decisive influence exercised by that company over the accommodation services to which its activity relates, with regard both to determining the rental price charged and selecting the hosts or accommodation for rent on its platform,” the CJEU adds in its press release.

The court also found fault with France for failing to notify the European Commission of the licensing requirement it was placing on Airbnb.

Reached for comment on the CJEU judgement Airbnb suggested the outcome does not mean governments in Europe are unable to apply regulations to its platform — saying that it wants to keep working with the European Commission to ensure there are fair and proportionate rules for how Member States can apply local regulations to online platforms.

“We welcome this judgment and want to move forward and continue working with cities on clear rules that put local families and communities at the heart of sustainable 21st century travel,” the company said in a statement. “We want to be good partners to everyone and already we have worked with more than 500 governments and authorities to help hosts share their homes, follow the rules and pay tax.”

The new European Commission has signalled it intends to upgrade safety and liability rules around online platforms — via a forthcoming Digital Services Act which looks set to amend the current ecommerce rules. So it’s possible tighter regulations could be coming down the pipe for platforms in the next few years. Hence Airbnb being keen to work with the Commission on any resetting of the rules.

Elon Musk found not liable in case brought against him by British diver

After a three-day trial, Elon Musk was found not liable for defamation in a federal court today in Los Angeles, where Musk reportedly owns a cluster of six homes as well as oversees the operations of both SpaceX and Tesla.

British diver Vernon Unsworth had brought the suit against Musk in the fall of 2018 after Musk tweeted that Unsworth was a “pedo guy,” meaning a pedophile. Why: after Musk and his employees developed what they called a mini-submarine or escape pod to save a children’s soccer team from a flooded cave in Thailand in July of 2018, Unsworth — a stranger to Musk and an experienced diver with knowledge of the cave — called the production a “PR stunt” when asked about the effort in an interview with CNN.

Musk could “stick his submarine where it hurts,” Unsworth told the reporter.

Soon after, Musk hit the “tweet” button, publishing the now-infamous insult.

Unsworth brought the suit after Musk doubled down on his accusation, describing Unsworth as a “child rapist” in August 2018 emails to Buzzfeed. He claimed in court this week that since “being branded a pedophile” by Musk, he has felt “vulnerable and sometimes, when I’m in the U.K., I feel isolated.”

Unsworth — who in addition to being a diver is a financial consultant who divides his time between England and Thailand — was seeking damages from Musk to the tune of $190 million, including actual, assumed, and punitive damages. Indeed, this week, his team tried to make the point that what he was seeking is a pittance for Musk, who was told to estimate his own net worth during the trial and guessed it to be roughly $20 billion, based on his Tesla and SpaceX holdings.

During the trial, Musk apologized repeatedly for the “pedo guy” tweet, saying that what he’d really meant was “creepy old man.” Musk’s attorney also defended Musk’s temper, telling Unsworth at one point: “Do you believe Mr Musk is so cold-hearted that he was sending over this sub with no regard for the children’s lives? . . . Are you willing to apologize to Mr Musk for saying that it was just a PR stunt?”

Unsworth declined, saying his insult was “to the tube and not Mr. Musk personally.”

In the end, the court decided Musk’s outburst wasn’t meant as a statement of fact.

CNBC notes in a separate report that the verdict could “set a precedent where free speech online, libel and slander are concerned” as among the first court cases brought by a private individual over a tweet.

Whether it emboldens Musk is another question. Musk is an avid user of Twitter and this isn’t the first time tweets have landed him in hot water.

A tweet-related battle with the Securities and Exchange Commission last year ultimately cost Musk $20 million and his role as chairman of Tesla for at least three years.

As part of the settlement, Musk also agreed to a condition stipulating that he get pre-approval before sending social media posts containing information that is “material” to Tesla investors. In April of this year, the two sides struck an updated deal that narrowed the scope of what Musk can’t tweet about without first receiving outside approval.

Unsworth had reportedly fought not to cry during the trial, saying he was “effectively given a life sentence with no parole.” He said, “It feels very raw. I feel humiliated, ashamed, dirtied.”

Unsworth was among the rescuers who ultimately led the young soccer team to safety. He received an honorable mention from the Thai government along with 186 other people. Among them: Elon Musk.

Dutch court orders Facebook to ban celebrity crypto scam ads after another lawsuit

A Dutch court has ruled that Facebook can be required to use filter technologies to identify and pre-emptively take down fake ads linked to crypto currency scams that carry the image of a media personality, John de Mol, and other well known celebrities.

The Dutch celebrity filed a lawsuit against Facebook in April over the misappropriation of his and other celebrities’ likeness to shill Bitcoin scams via fake ads run on its platform.

In an immediately enforceable preliminary judgement today the court has ordered Facebook to remove all offending ads within five days, and provide data on the accounts running them within a week.

Per the judgement, victims of the crypto scams had reported a total of €1.7 million (~$1.8M) in damages to the Dutch government at the time of the court summons.

The case is similar to a legal action instigated by UK consumer advice personality, Martin Lewis, last year, when he announced defamation proceedings against Facebook — also for misuse of his image in fake ads for crypto scams.

Lewis withdrew the suit at the start of this year after Facebook agreed to apply new measures to tackle the problem: Namely a scam ads report button. It also agreed to provide funding to a UK consumer advice organization to set up a scam advice service.

In the de Mol case the lawsuit was allowed to run its course — resulting in today’s preliminary judgement against Facebook. It’s not yet clear whether the company will appeal but in the wake of the ruling Facebook has said it will bring the scam ads report button to the Dutch market early next month.

In court, the platform giant sought to argue that it could not more proactively remove the Bitcoin scam ads containing celebrity images on the grounds that doing so would breach EU law against general monitoring conditions being placed on Internet platforms.

However the court rejected that argument, citing a recent ruling by Europe’s top court related to platform obligations to remove hate speech, also concluding that the specificity of the requested measures could not be classified as ‘general obligations of supervision’.

It also rejected arguments by Facebook’s lawyers that restricting the fake scam ads would be restricting the freedom of expression of a natural person, or the right to be freely informed — pointing out that the ‘expressions’ involved are aimed at commercial gain, as well as including fraudulent practices.

Facebook also sought to argue it is already doing all it can to identify and take down the fake scam ads — saying too that its screening processes are not perfect. But the court said there’s no requirement for 100% effectiveness for additional proactive measures to be ordered. Its ruling further notes a striking reduction in fake scam ads using de Mol’s image since the lawsuit was announced.

Facebook’s argument that it’s just a neutral platform was also rejected, with the court pointing out that its core business is advertising.

It also took the view that requiring Facebook to apply technically complicated measures and extra effort, including in terms of manpower and costs, to more effectively remove offending scam ads is not unreasonable in this context.

The judgement orders Facebook to remove fake scam ads containing celebrity likenesses from Facebook and Instagram within five days of the order — with a penalty of €10k per day that Facebook fails to comply with the order, up to a maximum of €1M (~$1.1M).

The court order also requires that Facebook provides data to the affected celebrity on the accounts that had been misusing their likeness within seven days of the judgement, with a further penalty of €1k per day for failure to comply, up to a maximum of €100k.

Facebook has also been ordered to pay the case costs.

Responding to the judgement in a statement, a Facebook spokesperson told us:

We have just received the ruling and will now look at its implications. We will consider all legal actions, including appeal. Importantly, this ruling does not change our commitment to fighting these types of ads. We cannot stress enough that these types of ads have absolutely no place on Facebook and we remove them when we find them. We take this very seriously and will therefore make our scam ads reporting form available in the Netherlands in early December. This is an additional way to get feedback from people, which in turn helps train our machine learning models. It is in our interest to protect our users from fraudsters and when we find violators we will take action to stop their activity, up to and including taking legal action against them in court.

One legal expert describes the judgement as “pivotal”. Law professor Mireille Hildebrandt told us that it provides an alternative legal route for Facebook users to litigate and pursue collective enforcement of European personal data rights, rather than suing for damages — which entails a high burden of proof.

Injunctions are faster and more effective, Hildebrandt added.

The judgement also raises questions around the burden of proof for demonstrating Facebook has removed scam ads with sufficient (increased) accuracy; and what specific additional measures it might deploy to improve its takedown rate.

Although the introduction of the ‘report scam ad button’ does provide one clear avenue for measuring takedown performance.

The button was finally rolled out to the UK market in July. And while Facebook has talked since the start of this year about ‘envisaging’ introducing it in other markets it hasn’t exactly been proactive in doing so — up until now, with this court order.

Facebook sues OnlineNIC for domain name fraud associated with malicious activity

Facebook today announced it has filed suit in California against domain registrar OnlineNIC and its proxy service ID Shield for registering domain names that pretend to be associated with Facebook, like www-facebook-login.com or facebook-mails.com, for example. Facebook says these domains are intentionally designed to mislead and confuse end users, who believe they’re interacting with Facebook.

These fake domains are also often associated with malicious activity, like phishing.

While some who register such domains hope to eventually sell them back to Facebook at a marked-up price, earning a profit, others have worse intentions. And with the launch of Facebook’s own cryptocurrency, Libra, a number of new domain cybersquatters have emerged. Facebook was recently able to take down some of these, like facebooktoken.org and ico-facebook.org, one of which had already started collecting personal information from visitors by falsely touting a Facebook ICO.

Facebook’s new lawsuit, however, focuses specifically on OnlineNIC, which Facebook says has a history of allowing cybersquatters to register domains with its privacy/proxy service, ID Shield. The suit alleges that the registered domains, like hackingfacebook.net, are being used for malicious activity, including “phishing and hosting websites that purported to sell hacking tools.”

The suit also references some 20 other domain names that are confusingly similar to Facebook and Instagram trademarks, it says.

OnlineNIC has been sued before for allowing this sort of activity, including by Verizon, Yahoo, Microsoft and others. In the case of Verizon (disclosure: TechCrunch parent), OnlineNIC was found liable for registering more than 600 domain names similar to Verizon’s trademark, and the courts awarded $33.15 million in damages as a result, Facebook’s filing states.

Facebook is asking for a permanent injunction against OnlineNIC’s activity, as well as damages.

The company says it took this issue to the courts because OnlineNIC has not been responsive to its concerns. Facebook today proactively reports instances of abuse with domain name registrars and their privacy/proxy services, and often works with them to take down malicious domains. But the issue is widespread — there are tens of millions of domain names registered through these services today. Some of these businesses are not reputable, however. Some, like OnlineNIC, will not investigate or even respond to Facebook’s abuse reports.

The news of the lawsuit was previously reported by Cnet and other domain name news sources, based on courthouse filings.

Attorney David J. Steele, who previously won the $33 million judgement for Verizon, is representing Facebook in the case.

“By mentioning our apps and services in the domain names, OnlineNIC and ID Shield intended to make them appear legitimate and confuse people. This activity is known as cybersquatting and OnlineNIC has a history of this behavior,” writes Facebook, in an announcement. “This lawsuit is one more step in our ongoing efforts to protect people’s safety and privacy,” it says.

OnlineNIC has been asked for comment and we’ll update if it responds.

EU-US Privacy Shield passes third Commission ‘health check’ — but litigation looms

The third annual review of the EU-US Privacy Shield data transfer mechanism has once again been nodded through by Europe’s executive.

This despite the EU parliament calling last year for the mechanism to be suspended.

The European Commission also issued US counterparts with a compliance deadline last December — saying the US must appoint a permanent ombudsperson to handle EU citizens’ complaints, as required by the arrangement, and do so by February.

This summer the US senate finally confirmed Keith Krach — under secretary of state for economic growth, energy, and the environment — in the ombudsperson role.

The Privacy Shield arrangement was struck between EU and US negotiators back in 2016 — as a rushed replacement for the prior Safe Harbor data transfer pact which in fall 2015 was struck down by Europe’s top court following a legal challenge after NSA whistleblower Edward Snowden revealed US government agencies were liberally helping themselves to digital data from Internet companies.

At heart is a fundamental legal clash between EU privacy rights and US national security priorities.

The intent for the Privacy Shield framework is to paper over those cracks by devising enough checks and balances that the Commission can claim it offers adequate protection for EU citizens’ personal data when taken to the US for processing, despite the lack of a commensurate, comprehensive data protection regime. But critics have argued from the start that the mechanism is flawed.

Even so, around 5,000 companies are now signed up to use Privacy Shield to certify transfers of personal data. So there would be major disruption to businesses were it to go the way of its predecessor — as has looked likely in recent years, since Donald Trump took office as US president.

The Commission remains a staunch defender of Privacy Shield, warts and all, preferring to support data-sharing business as usual than offer a pro-active defence of EU citizens’ privacy rights.

To date it has offered little in the way of objection about how the US has implemented Privacy Shield in these annual reviews, despite some glaring flaws and failures (for example the disgraced political data firm, Cambridge Analytica, was a signatory of the framework, even after the data misuse scandal blew up).

The Commission did lay down one deadline late last year, regarding the ongoing lack of a permanent ombudsperson. So it can now check that box.

It also notes approvingly today that the final two vacancies on the US’ Privacy and Civil Liberties Oversight Board have been filled, meaning it’s fully-staffed for the first time since 2016.

Commenting in a statement, commissioner for justice, consumers and gender equality, Věra Jourová, added: “With around 5,000 participating companies, the Privacy Shield has become a success story. The annual review is an important health check for its functioning. We will continue the digital diplomacy dialogue with our U.S. counterparts to make the Shield stronger, including when it comes to oversight, enforcement and, in a longer-term, to increase convergence of our systems.”

Its press release characterizes US enforcement action related to the Privacy Shield as having “improved” — citing the Federal Trade Commission taking enforcement action in a grand total of seven cases.

It also says vaguely that “an increasing number” of EU individuals are making use of their rights under the Privacy Shield, claiming the relevant redress mechanisms are “functioning well”. (Critics have long suggested the opposite.)

The Commission is recommending further improvements too though, including that the US expand compliance checks such as concerning false claims of participation in the framework.

So presumably there’s a bunch of entirely fake compliance claims going unchecked, as well as actual compliance going under-checked…

“The Commission also expects the Federal Trade Commission to further step up its investigations into compliance with substantive requirements of the Privacy Shield and provide the Commission and the EU data protection authorities with information on ongoing investigations,” the EC adds.

All these annual Commission reviews are just fiddling around the edges, though. The real substantive test for Privacy Shield, which will determine its long-term survival, is looming on the horizon — from a judgement expected from Europe’s top court next year.

In July a hearing took place on a key case that’s been dubbed Schrems II. This is a legal challenge which initially targeted Facebook’s use of another EU data transfer mechanism but has been broadened to include a series of legal questions over Privacy Shield — now with the Court of Justice of the European Union.

There is also a separate litigation directly targeting Privacy Shield that was brought by a French digital rights group which argues it’s incompatible with EU law on account of US government mass surveillance practices.

The Commission’s PR notes the pending litigation — writing that this “may also have an impact on the Privacy Shield”. “A hearing took place in July 2019 in case C-311/18 (Schrems II) and, once the Court’s judgement is issued, the Commission will assess its consequences for the Privacy Shield,” it adds.

So, tl;dr, today’s third annual review doesn’t mean Privacy Shield is out of the legal woods.

$35B face data lawsuit against Facebook will proceed

Facebook just lost a battle in its war to stop a $35 billion class action lawsuit regarding alleged misuse of facial recognition data in Illinois. Today it was denied its request for an en banc hearing before the full slate of Ninth Circuit judges that could have halted the case. Now the case will go to trial unless the Supreme Court intercedes.

The suit alleges that Illinois citizens didn’t consent to having their uploaded photos scanned with facial recognition and weren’t informed of how long the data would be saved when the mapping started in 2011. Facebook could face $1000 to $5000 in penalties per user for 7 million people, which could sum to a maximum of $35 billion.

A three-judge panel of Ninth Circuit judges rejected Facebook’s motion to dismiss the case and its appeal of the class certification of the plaintiffs back in August. One of those judges said that it “seems likely” that the Facebook facial recognition data could be used to identify users in surveillance footage or even unlock a biometrically secured cell phone. Facebook had originally built the feature to power photo tag suggestions, asking users if it’s them or a particular friend in an untagged photo.

Nicholas Iovino spotted the announcement today that we’ve obtained and embedded below. When asked for comment, a Facebook spokesperson responded, “Facebook has always told people about its use of face recognition technology and given them control over whether it’s used for them. We are reviewing our options and will continue to defend ourselves vigorously.”

[Image Credit: Mike MacKenzie]

Additional reporting by Zack Whittaker

Former Tinder CEO strikes back against sexual misconduct accusations with defamation lawsuit

Former Tinder CEO Greg Blatt has filed a defamation lawsuit against Sean Rad and Rosette Pambakian, seeking at least $50 million in damages and accusing them of having “conspired to make false allegations of sexual harassment and sexual assault against Blatt with the specific intent to damage Blatt’s good name, personal and professional reputation, and credibility.”

In response, Rad and Pambakian’s attorney Orin Snyder described the suit as part of a campaign “to retaliate against and smear a victim of sexual assault and the person who reported it.”

Last year, Rad (Tinder’s co-founder and former CEO), Pambakian (its former vice president of marketing and communications) and other Tinder founders and executives filed a lawsuit against Tinder’s parent company Match Group and its majority shareholder IAC, accusing them of financial manipulation to lower the company’s valuation and stripping the plaintiffs of lucrative stock options.

The suit also accused Blatt (pictured above) of groping and sexually harassing Pambakian at the company’s 2016 holiday party, when Blatt was still Tinder’s CEO. In response to the suit, Match and IAC said the claims were meritless.

At the time, Pambakian was still employed at Tinder. She later dropped out of the suit due to an arbitration agreement, and was fired a few months after, leading her to claim that Match did this “in blatant retaliation for joining a group of colleagues and Tinder’s original founding members in a lawsuit against Match and IAC, standing up for our rights, calling out the company’s CEO Greg for sexual misconduct, and confronting the company about covering up what happened to me.”

Pambakian is now pursuing a separate suit against Blatt and Match Group, accusing them of wrongful termination and sexual assault.

Blatt’s new suit, however, claims:

Rad and Pambakian have attempted to weaponize an important social movement, undermining the plight of true victims of sexual abuse by making false accusations in cynical pursuit of a $2 billion windfall … Blatt is expected to be a key witness for IAC and Match in the Valuation Lawsuit. Damaging Blatt’s credibility and tarnishing his character are important elements of Pambakian’s and Rad’s litigation strategy in that action.

The suit also says that the encounter with Pambakian at the Tinder holiday party involved consensual flirting and kissing, but that they “never engaged in any further physical encounters” and made mutual apologies the following Monday.

According to the suit, Rad filed a complaint months later accusing Blatt of harassing Pambakian, and the complaint “was thoroughly investigated by in-house counsel and two outside law firms,” who concluded that there was no harassment or abuse.

The holiday party and Rad’s subsequent complaint are also discussed in a draft of Blatt’s resignation letter from Tinder (which has been obtained by TechCrunch and other publications), in which Blatt said that after joining a “female executive” and other Tinder employees in a hotel room, he “engaged in some snuggling and nuzzling (I can’t come up with words that better describe what I would call the most superficial of human contact) with the female executive.”

Blatt went on to describe his behavior as “really dumb,” while also insisting that “the snuggling and nuzzling was consensual.”

Blatt’s complaint includes an email that appears to be from Rad to his financial advisor, written shortly before Rad’s complaint, in which he wrote about Blatt: “Fuck him. We’re at war. We will destroy him.”

The suit also claims that Rad and the firm Bench Walk Advisors offered Pambakian millions of dollars for participating in the lawsuit. (Snyder told The Verge there were no upfront payments for participation: “The only payments were triggered by IAC/Match retaliating against plaintiffs by stripping away their hard-earned equity.”)

Here’s Snyder’s full statement in response to Blatt’s suit:

This is a new low for IAC/Match and their former CEO. They continue to retaliate against and smear a victim of sexual assault and the person who reported it. Their attacks are based on lies and documents that are taken out of context. When all of the evidence comes to light, it will be obvious what happened here. It’s shameful that these public companies are continuing to cover-up the truth.
