E-Commerce and Technology Law Issues For Managers A Guest Lecture for MIS Students Spring 2006 By Professor Nancy King Assistant Professor of Business Law, OSU

Preview of Topics: Privacy and Data Protection laws: PII, privacy tort law, anti-spyware and other statutes Spam regulation: Can-Spam. Why e-businesses are in global commerce - impact. Cyber Crime: hacking, unauthorized access, identity theft. Cybersquatting: domain name/trademark disputes. Copyright –primary and secondary copyright infringement (Grokster et al.); digital rights management (DMCA). Jurisdiction of the courts over online businesses – the impact of choosing passive vs. interactive websites.

Privacy and Data Protection What is personally identifying information (PII)? Why/how do businesses collect and process PII? What are the privacy/data protection concerns of “data subjects” related to the above? How do U.S. businesses “manage” PII in light of the data subjects’ concerns about privacy and data protection? What laws apply to the collection and processing of PII in the U.S.? Do U.S. businesses need to be concerned about other countries’ laws related to the collection and processing of PII?

Civil Tort Liability - Privacy How can common law torts be used in the U.S. by data subjects to recover damages from businesses that negligently handle their PII? Theft of patients’ health care records from back seat of a Providence Health Center employee’s car. Theft of MasterCharge and other credit card holders’ PII due to data breaches related to data in transport or third-party processing of payment data.

Selected US Data Protection Laws Children’s Online Privacy Protection Act requires websites to get parental consent before collecting personally identifying information from children 13 or younger. See Federal Trade Commission at www.ftc.gov. Graham-Leach-Bliley Act – requires notice and “opt-out” consent before financial businesses may sell or share consumers’ financial information. HIPAA – protects the privacy of health care information by medical providers and insurers. ADA – limits access and requires employers to protect the confidentiality of disability-related information.

Adware and Spyware What is spyware? What is adware? How does the use of adware and spyware relate to the issues of data protection and privacy?

Spyware Spyware is any software that is downloaded onto a person’s computer without their knowledge that takes control of the user’s computer and/or Internet connections. It may be acquired in a software program that is purchased or available for free. It frequently accompanies free screen saver programs or peer to peer software masquerading as a music file, etc. The spyware program may be on a disk or other media, downloaded from the Internet, or downloaded when opening an attachment to an e-mail message. Opening an email with a virus program attached may install spyware without the user’s knowledge.

Tasks Spyware Can Do Collect information about a computer user’s activities and transmit it to another person. keylogging to record all keystrokes by user. some of the information may be PII. Cause pop-up ads to appear (in this context it is also ”adware”). Redirect a Web browser to a site different from the one the user intended to visit. Change the user’s home page, e.g., add toolbars.

When is Adware not Spyware? WhenU.com, a company that produces software that creates popup ads, argues that its software is not spyware. WhenU’s software is often bundled with software that users obtain for free (free-ware) or software developers that offer users a choice between paying for the software or obtaining it for free (if they agree to receive ads from WhenU). To download WhenU’s software the user is notified the program is about to be installed and must affirmatively consent to a license agreement to download the software, but may decline to do so. Is this adware but not spyware? Why?

What Threats are Posed by Spyware? Are They the Same for Adware? Data security? Online privacy and data protection? Network and computer performance? Growth of e-commerce?

Are Laws Needed to Protect Makers of Anti-spyware Programs? Today there are dozens of anti-spyware programs that are available online or in stores. These programs detect, flag and remove the intrusive programs that plage an estimated 90% of users. Adware makers have threatend makers of anti-spyware programs with lawsuits claiming that removing their adware programs amounts to interference with their business. Example: Hotbar, an adware maker in New York threatened Symantec ( a California based security firm that makes anti-spyware) with lawsuits five times in 2005. Symantec sued for a court order to clarify that it is lawful for it’s software to flag Hotbar’s programs as adware. Will new anti-spyware legislation help or harm this market based solution to adware and spyware?

Spam and the Law What is spam? Is unsolicited commercial e-mail the same as spam? What forms of spam are regulated by CAN-SPAM? What does it mean that CAN-SPAM requires “opt-out” provisions to be included in all commercial e-mail solicitations? Why are some forms of spam subject to criminal sanctions while other forms of spam are only civil violations? What is the difference?

The U.S. Approach The CAN-SPAM Act of 2003 (Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003(15 United States Code Section 7701 et seq.). Summary: the act ”makes it legal to send unsolicited commercial email so long as the source and nature are not disguised, resources were not misappropriated to send it, and consumers have a meaningful way to avoid receiving future mailings” (Fingerman). Focus is fraud and misrepresentation, while avoiding prior restraints on protected speech.

Essentials of CAN-SPAM No false or misleading headers: e.g. no false IP addresses. Must comply with subject and pornography labeling: can’t mislead recipient about contents or subject matter of message; must use”SEXUALLY-EXPLICIT” label. No Resource misappropriation: can’t relay spam through another computer to conceal the spam’s origin -- may trigger treble damages and/or be a criminal act. Applies to even a single e-mail: no requirement for ”bulk” email. Dictionary attacks and automatic e-mail address harvesting may be criminal and/or trigger treble damages. Meaningful opt-out mechanisms: must include physical postal address for opt-out; no advance consent required from recipient for first spam e-mail; must honor opt-out within 10 business days; no official opt-out registers established in U.S.; need opt-in consent to send commercial email to a wireless device).

More about CAN-SPAM Vicarious liability: Third parties may be liable for spam sent by other people including a business that is promoted in an illegal e-mail Vendors who sell goods or services to spammers when they know illegal spam is being sent and they receive an economic benefit from it may be liable. Private e-mail policies are permitted by ISPs: These policies may extend beyond the law and enable ISPs to block more slippery forms of spam. This protects ISPs from civil liability for interference with senders’ business relationships that may result from application of the policy.

Federal CAN-SPAM Act Criminal penalties including fines and up to 5 years prison for serious spamming violations committed in furtherance of any felony or as a second offense. Examples of spamming felonies: Accessing a protected computer and sending spam without authorization with intent to mislead recipients about the origin of such messages. Materially falsifying header information in spam and intentionally initiating such messages (“Spoofed email addresses”).

CIVIL Remedies under CAN-SPAM Prohibits less-serious spamming acts: Using materially false or misleading information in spam messages (example: false or misleading email header, including the “from” line or the “subject” line). Failure to include a working return email address or other way to “opt-out” of receiving future email from the sender. Sending future spam after opt-out by recipient (10 business-day rule); Failure to include identifier of sender, opt-out, and a physical address in commercial email. Use of automated programs to generate email addresses. Nature of civil remedies: $250 per violation/$2 million limit.

Limitations of CAN-SPAM Only applies to commercial spam – does not regulate political or charitable spam. Preempts (supersedes) more restrictive state spam laws like California’s law requiring “ADV” in the subject line -- but allows states to provide more stringent laws to regulate false and deceptive spam and state tort laws continue to apply. Essentially allows commercial spammers at least “one freebie” – one spam message that is not false and deceptive sent to a consumer without advance permission.

FTC and CAN-SPAM Congress designated the FTC (Federal Trade Commission) to regulate CAN-SPAM under its authority to regulate “unfair or deceptive acts or practices.” The FTC has been active in bringing spammers to justice: Recovering substantial civil fines from spammers Recommending criminal prosecution of spammers that has resulted in successful prosecutions.

ISPs and CAN-SPAM Internet Service providers may sue spammers for damages caused by spammers (but no lawsuits under Can-Spam allowed for consumers). AOL, MSN and other ISPs have been actively pursuing spammers and have recovered millions of dollars in damages from spammers.

Criminal Charges for Spamming In April 2004 the DOJ charged the first four people for criminal violations of the CAN-SPAM act related to mass emails sent by the four to advertise fraudulent weight-loss products. Defendants are alleged to have disguised their identity as senders in the emails and to have delivered hundreds of thousands of email advertisements by bouncing the messages off unprotected computers.

SPAM Convictions 2004 – first felony convictions in the U.S. A Virginia man was convicted of spamming felonies and received nine years and a $7500 fine (in a three day period he sent tens of thousands of unsolicited email advertisements using false Internet addresses to America Online subscribers through an AOL server). 2005- a Florida man was sentenced to a year in jail and 6 years probation for sending millions of unsolicited email using a phone company’s Internet services.

Instant-Message Spam Spam sent to instant-message services advertising (“SPIM”). Instant messaging (IM) enables a sender to type words into a computer or other wireless device that immediately appear on recipients’ screens. First criminal case: a NY man was arrested in Feb. 2005 for sending 1.5 million spim ads for pornography and cheap mortgages. He was charged with violation of the federal Can-SPAM act and faces 18 years if convicted. Well known IM services: MYSpace, Friendster, and other web service firms that connect people with shared interests or mutual friends. AOL, Microsoft, and Yahoo Inc. all offer IM programs. SPIM can also spread viruses, overload servers.

EU and SPAM LAW 2002 EU E-Commerce Directive requires Member Countries (25) to pass consistent national laws to regulate SPAM by October, 2003. It is unlawful to send unsolicited email to an EU consumer unless the consumer has given explicit consent in advance (“opt-in”): applies to businesses, political organizations and non-profit organizations. Consumers also have the opportunity to “opt-out” via “opt-out registers” that are available in each Member State. Businesses must consult these registers regularly. U.S. businesses that send email solicitations to EU customers must comply with EU law.

EU and Data Protection Laws Residents of the EU have data protection rights. Businesses that collect or “process” the PII of consumers in the EU are required to give consumers proper notice and follow “fair information practices” (EU Privacy Directive and Member States’ laws). Businesses do not have the unlimited right to collect the PII of their customers or other consumers. The use, transfer outside the EU (even to a home office in the U.S.) and retention of PII is strictly regulated. These rules apply to any business (US or otherwise) that collects or uses PII of consumers who reside in the EU. Many other countries have data protection laws that are similar to those in the EU: Australia, Canada, etc.

Fair Information Practices for PII - EU Model Principles of Fair Information Practices: Collect only for legitimate purposes. Must be relevant. Must be accurate. Must be kept in a form that permits identification of data subjects for no longer than necessary for the purpose collected. May only process fairly and lawfully (processing includes internal and other uses). May need data subject’s express consent. Sometimes consent is not needed, but processing is only permitted if necessary to perform a contract or other legal obligation.

Fair Information Practices – EU Model Collection and processing of special categories of sensitive data are further restricted: Sensitive data is PII that reveals race, ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health or sex life. Generally collection and processing of sensitive PII is not allowed unless there is a strong justification.

Cyber Crime Cyber crime involves the use of computers in cyberspace to injure a person or property (the crime occurs online or in a virtual community): Hacking and other forms of unauthorized accessed to computer systems. Financial crimes (example: use of a computer to commit embezzlement or theft of intellectual property; online auction fraud). Identity theft. Theft, alteration, etc. of data. Denial of service attacks (DOS). Cyber stalking (find victim online, cause to have reasonable fear for safety of self or family). Deceptive spamming prohibited by federal law. Online obscenity – access or distribution of child pornography or adult obscene materials.

No Cheer for Duff Beer eBay Crime, CNN.COM (February 2, 2005)

Businesses Are Taking Action: Civil Liability for Computer Crime Civil laws in the U.S., including tort and intellectual property laws, may be used by businesses and individuals to recover damages (money) for computer crime or to get a temporary restraining order to stop undesired activity: Trespassing or Conversion Torts. Misappropriation of Trade Secrets. Trademark, Copyright or Patent Infringement. Defamation tort. Fraud, interference with a contractual relationship, etc. (torts).

Challenges in Prosecuting Cyber Crimes Where is the location of the “crime” when it occurs in cyberspace? Location of the offender raises jurisdictional issues. Identification of offenders and obtaining evidence is often difficult. But use of computer forensics is closing this gap. Criminal enforcement is also improving: FBI’s Cyber Action Teams EU’s Cyber Cops Cross-jurisdictional criminal enforcement efforts.

Hacking and Unauthorized Access of Computers State laws prohibit “hacking” and “unauthorized access” of computer facilities: use of one computer to break into another one without authorization is a crime even if nothing is taken. See Oregon statutes for examples. The Federal Computer Fraud and Abuse Act (CFAA) prohibits accessing a protected computer online without authorization and taking classified, restricted or protected data or otherwise causing damage.

Identity Theft See Oregon’s identity theft statute Most states make identity theft a crime.

Online Obscenity Child pornography meets the test for obscenity in the U.S. as well as other “patently offensive” sexual material that has no artistic, educational, etc. purpose. Adult pornography is more difficult to regulate in the U.S. due to First Amendment concerns: The law may not be overbroad so as to prohibit or unduly restrict adult access to First Amendment protected speech and expression in the form of non-obscene sexual material. Many other countries more harshly regulate online obscenity under their criminal laws: An online business must comply with those laws to advertise or sell online products and services in those countries.

Trademarks and the Internet Registration of domain names Domain names and trademarks Cybersquatting ICANN’s Uniform Domain Name Dispute Resolution Policy

Trademarks and Related Property A trademark is a distinctive mark, motto, device, or implement that a manufacturer stamps, prints or otherwise affixes to the goods it produces so that they may be identified on the market and their origin vouched for. Generic marks are not protected by trademark law because they are not distinctive. Phrase “You have Mail” is generic, because mail means email and does not refer to the email provider (AOL v. AT&T case).

Why register a trademark if “use” creates right? Notice Federal Trademark Law: The Lanham Trademark Act of 1946, Amended By the Federal Trademark Dilution Act of 1995. The owner of the trademark has the right to prevent others from using the mark or a substantially similar mark if it: 1) would confuse customers about the source of the product or, 2) if the owner has a famous mark, and it would “dilute” the value. Why register a trademark if “use” creates right? Notice

Microsoft All the following would be confusingly similar to the Microsoft mark and use of the mark would violate trademark law: Mike Crow Soft (sounds same, looks different). Macrosoft (looks same, sounds different). TinySoft (means same, sounds and looks different). MI (fanciful use of the words and letters) CRO SOFT (Source Elias, Trademark, Legal Care for Your Business & Product Name, 5th ed.)

Domain Name Disputes and U.S. Trademark Law Trademark: the word Microsoft when used in conjunction with Microsoft Company’s products and services. Domain Name: a website address: http://www.microsoft.com

Cybersquatting A modern legal dispute: cybersquatting takes place when a person registers a domain name that includes another company’s trademark. ICANN oversees the Internet domain name system and accredits companies to sell name registrations in top level domains (.com, .net, .org, etc.). Under ICANN registration agreement, the first person to register a domain name “owns” the domain name and takes responsibility for any trademark or other legal disputes that relate to the domain name. There are other remedies for cybersquatting such as suing for trademark infringement and/or filing a lawsuit under the federal Anticybersquatting Consumer Protection Act.

Online Dispute Resolution ODR is used to resolve disputes about ownership of domain names. For example, the person who registers a domain name agrees to ODR under ICANN’s (Internet Corporation for Assigned Names and Numbers) Uniform Dispute Resolution Policy. ICANN provides Rules for ODR of domain name disputes. An arbitrator or an arbitration panel decides the dispute. The arbitrator may order a domain name transferred or cancelled but may not award damages. Trademark holders may file lawsuits in court to recover damages and the online dispute resolution decision will not bar further recovery.

Online Dispute Resolution (ODR) Morgan Freeman, “Million Dollar Baby,” won the right to use his name which had common law trademark protection over a cybersquatting website owner. The cybersquatter registered Freeman’s name as part of a domain name registration. Cybersquatters often hope to make a profit by selling the domain name, etc.

Copyright Law – the Grokster Case The risk of a business model that includes providing file-sharing software to consumers. Primary vs. secondary copyright infringement. The “Inducement Theory” adopted by the U.S. Supreme Court in Grokster. Post-Grokster – its just too risky for U.S. companies to be in the businesses of enabling consumers to violate the rights of copyright holders (music, video, etc.) by providing free file-sharing software.

The Digital Millennium Copyright Act (DMCA) The DMCA creates civil and criminal prohibitions against tampering with copy protection, breaking encryption, etc. The DMCA does not add new exclusive rights to the rights of copyright owners. The DMCA applies to a variety of digital works.

Types of Copyrightable Works Literary works (computer code including source and object code; text on a website) Pictorials, graphics, and sculptures (design of a website, graphics on a computer game) Musical works (the lyrics of popular music) Motion pictures and A/V works (digital movies) Dramatic works Sound recordings (digital music) Pantomimes and choreography Architectural works (building blue prints)

Major Provisions of the DMCA Let’s Discuss Let’s Discuss Let’s Discuss Let’s Discuss Major Provisions of the DMCA Anti-circumvention rules (prohibits enabling cracking encryption codes) Anti-circumvention exceptions (includes copying for maintaining or repairing a computer) Copyright management information (makes it illegal to delete “© King.” Safe harbors for ISPs (generous protections from liability)

Jurisdictional Risk – a Potential Cost of E-Commerce E-Commerce businesses face increased risk of litigation costs if they have business facilities in only a few states, yet have interactive websites that are available nationally internationally. (Recent cases apply the Zippo Mfg. Co. v. Zippo Dot Com continuum of interactivity test to e-recruiting Web sites.) Whether a court in a particular state (federal or state courts are in all states) will find it has in personam jurisdiction over these businesses depends in part on whether the business uses interactive, as opposed to passive, Web technology for e-recruiting.

The Zippo “Sliding Scale Test” for Personal Jurisdiction Over Non-Resident Website Operators Yes Jurisdiction No Jurisdiction Maybe… Highly Interactive Site Middle Spectrum Site Passive Site

Recent Cases- In Personam Jurisdiction Found Tech Heads v. Desktop, 105 F. Supp.2d 1142 (D. Or. 2000). The federal court held the defendant employer, an e-recruiter located in Virginia, must defend a trademark infringement lawsuit in Oregon even though its only interaction with Oregon was through its website. The defendant employer maintained an interactive e-recruiting Web site that was used by an Oregon resident to submit a résumé (Middle-spectrum Web site). The plaintiff (an Oregon trademark holder) successfully argued the interactivity of the site plus the transaction with an Oregon resident was sufficient for personal jurisdiction over the Virginia company. This result made it more expensive for the defendant to fight this lawsuit as it had to come to Oregon, hire an attorney in Oregon, bring its witnesses to Oregon, etc.

Recent Cases--No In Personam Jurisdiction Found American Information Corp. v American Infometrics, Inc., 139 F. Supp.2d 696 (D. Md. 2001). A California business with a middle spectrum e-recruiting Web site successfully escaped litigating a trademark infringement lawsuit in Maryland where the plaintiff filed the lawsuit. The defendant e-recruiter maintained a middle spectrum Web site with interactive features that allowed users to submit a résumé online, but the plaintiff was unable to show that a Maryland resident had accessed the site to do so.

Other Cyberlaw Issues… Online trade secret theft. When online offers to sell interests in businesses, including stock, may violate federal and state securities laws. Business method patents for online business models that may give the owner of the patent a 20 year exclusive right to use an online selling method that has been patented. Amazon.com’s “one-click” check-out process to purchase an item on its site – is it patentable? Can Barnes And Noble use a similar check out process on its site?