David Snead

David Snead is a lawyer whose practice is focused on internet infrastructure providers. In his eleven years in this practice, he has represented clients including multinationals, middle tier hosting companies, and two guys, a server, a T-1 and a huge MasterCard balance. A long-time WHIR contribut...

Overview of pending State legislation related to spyware, spam and social networks.

Virginia:

Conforms Virginia’s SPAM law to make it constitutional by addressing routing information, and narrows the law to relate only to unsolicited commercial email. (HB 1)

Pennsylvania:

Amends unsolicited fax law to include emails sent by fax. (HB 861)

Uses existing consumer protection laws to address spyware (S.B. 123)

New York:

Criminalizes sending unsolicited, harassing emails. (A. 6597)

Unlawful use of spyware and malware.  (A. 3658 and S. 137); addition of criminal penalties for conduct similar to that in A. 3658 and S. 137. (A. 1758)

No software installations without the user’s actual, verifiable consent. (A. 1758)

Creates a Computer Spyware Consumer Protection Act.  (A. 6419)

Adds spyware to consumer protection laws.  (S. 4716)

Massachusetts:

Uses existing consumer protection laws to address spyware.  (H.B. 332 / 227)

West Virginia:

Uses existing consumer protection laws to address spyware.  (H.B. 3127)

Utah:

Includes spyware in prohibited internet content.  (S.B. 26)

Iowa:

Prohibits school officials from posting student photos on social networks.  (H.F. 518)

Illinois:

Requires parental consent for minor’s access to social networks.  (H.B. 1312)

Court upholds website’s refusal to remove defamatory messages

The two posters of defamatory material were ordered to remove the material from several websites.  When they refused, the subjects of the defamation presented the websites with the injunction they received and asked the operators to remove the posts.  All but one, ripoffreport, complied.  The subjects of the defamatory statements sued ripoffreport on the grounds that the website had violated the injunction.  The U.S. District Court for the Northern District of Illinois held it could not compel a third party website to remove defamatory material based on an injunction against a user.

The defamed individuals argued that the hosting contract between ripoffreport and its user led to the conclusion that ripoffreport was “acting in concert” with its users.  In order for a third party to be bound by an injunction, the third party must be acting in concert with the subject of the injunction.

The argument that a host’s contract, or simply the provision of services to users, leads to the host’s “acting in concert” or “aiding and abetting” the customer is made frequently. The argument, and variations of it, typically go as follows: user signs a contract with host; user posts material that violates the law; host’s contract prohibits use of their services to violate the law; by continuing to provide services to the user in light of the violation, host is aiding and abetting, or acting in concert, with user; therefore host should be liable. In almost every case in which this argument has been made, courts have refused to accept it. Courts typically demand substantially more evidence of actual collusion in order to hold hosts liable for their customers’ bad acts.

In this case, ripoffreport’s terms of service contained a statement that material posted on the site would never be removed, even at the customer’s request, and gave ripoffreport the exclusive right to use customer posts.  The defamed parties argued that these statements were sufficient evidence that ripoffreport was acting in concert with its users.

The defamed individuals believed that in light of ripoffreport’s statement in its contract that no material would ever be removed, the contractual requirement that users post only truthful information was unenforceable.  The court held that without evidence that ripoffreport actually intended to protect and aid users who posted defamatory material, the terms of the contract, by themselves, did not lead to the conclusion that the website was aiding and abetting its users in their defamatory conduct.  The court further held that there was no evidence that ripoffreport was in contact with the users, or otherwise acting in concert with them to avoid application of the injunction.

There are two lessons from this case for hosts. The first is that courts have routinely refused to accept the argument that a host is liable as a third party for its customer’s actions simply because the host provides services to, or has a contract with, that customer. The second is that courts do believe that a host may be liable if evidence is presented that the host did aid and abet the activity. While there is not much case law out there in which a host was found to be liable, good practice is always to communicate things like injunctions to your users and respond on a timely basis to complaints about them. It is not good practice to do nothing and rely only on the CDA or decisions like this.

Understanding "Safe Harbor"

The European Directive on Data Protection received a keynote address at this year’s HostingCon.  Recently I’ve received a number of inquiries about how companies can qualify to receive data subject to the directive under the U.S. Department of Commerce’s “Safe Harbor” program.  My view is that qualifying under the Safe Harbor program is essential for any hosting company setting their sights beyond a strictly North American client base.  Even more crucial is compliance with the Directive if you are providing cloud services.  It is also worth stating that ANY company with personnel in both the U.S. and Europe is likely REQUIRED to qualify for Safe Harbor Status.

As it relates to the Safe Harbor, the Directive is designed to protect individuals with respect to the "processing" of personal information. The key to understanding your obligations is to master the definition of “personal information.” The Department of Commerce offers this method of defining “personal information”:

Personal information is defined as information relating to an identified or identifiable natural person. An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.

The Directive applies to all data you process. The term “process” is very broad. So simply copying personal information and putting it in a file is within the scope of the Directive. The Directive covers processing of data whether that processing is done online or offline, and regardless of whether the processing is manual or by hand.

The central issue to remember is that the Directive requires you to provide notice to individuals about how you will use, process and transfer their personally identifiable data, and give them the opportunity to view and correct it. This often requires a shift in a U.S. company’s view that they own all the data they collect. Further, you may only use the data for the purpose for which it is collected, unless you specifically inform the individual. This means you can’t collect sign up data and then sell it to your “trusted partners” for them to market their goods and services to the customer.

When you process data covered by the Directive you must:

  • Appoint a "data controller" responsible for your data processing;
  • The data controller must register with the Department of Commerce;
  • You must notify the Department of Commerce before processing any data;
  • You must provide customers with notice:
      • About how you will process the data;
      • The purpose of processing;
      • Who you will collect data from;
      • How you will transfer it to third parties; and
      • How you will secure it.

Understanding that qualifying for the Safe Harbor requires you to shift how you treat personally identifiable information will allow you to approach the qualification process more efficiently, and provide additional information that will be required as the Department of Commerce reviews your policies and procedures.

Risks of Cloud Computing

I participated as a member of a group studying the benefits, risks and responsibilities associated with the use and provision of cloud computing services. The group was formed to provide advice to the European Network and Information Security Agency (ENISA). The group spent over nine months intensively looking at the cloud and identifying issues that are of importance to the cloud.

While the report focuses on cloud computing from a European perspective, the vast majority of the analysis and conclusions have general applicability. While I'll leave it to readers to apply the report to their own businesses, the key legal conclusion was that most legal issues associated with the cloud should be remedied in the parties' contracts. For those interested in the conclusions of the legal team, they are at pages 43, 81 and Annex I of the report.

Cloud providers and users should be able to answer the following questions, and understand their repercussions, when engaging in a cloud-based transaction:

1. In what country is the provider located?

2. Where is the provider’s infrastructure?

3. Will other providers be used?

4. Where will the data be physically located?

5. Should jurisdiction be split?

6. How will data be collected, processed, transferred?

7. What will happen to the data on termination?

Users of the cloud should do the following:

Focus on how the cloud services will be used, and whether the provider’s contract actually addresses these issues.

Evaluate the cloud structure, and determine whether you and your customers can place data on that provider’s cloud.

Understand data collection, processing and transfer and any legal and regulatory implications.

Determine whether the provider will notify you of security breaches and how a breach is defined.

DMCA revisions leaked

As noted in a previous entry, the U.S. and its major trading partners are engaged in negotiations on a new treaty entitled the “Anti-Counterfeiting Trade Agreement” or ACTA. There is significant concern among Internet infrastructure providers about the terms of ACTA, particularly rumors that these providers will be subject to warrantless requests for information about their subscribers and EU-like requirements that providers maintain connection and subscriber information for statutorily prescribed periods of time. The U.S. government agency tasked with representing U.S. interests in the negotiation, the U.S. Trade Representative, or USTR, has not provided significant details on the course of negotiation and refused to release the draft texts of the ACTA, citing “national security.”

A recent leak of the European Commission’s summary of negotiations indicates that the ACTA will contain a provision similar to the Digital Millennium Copyright Act in which users are given “three strikes” before their service must be terminated.  This document also suggests that the USTR is taking the lead in preparing this aspect of the ACTA.  There are several issues of interest to web hosts in the leaked document.

As an initial matter, it is clear that public interest uses of copyrighted information are taking a back seat to commercial interests in the negotiation. By enclosing the word “freedom” in quotes in its reference to “supporters of internet ‘freedom,’” the Commission telegraphs the status accorded to these issues. Further relegation of these issues to preambles in various sections helps substantiate this conclusion. This dismissal of a bona fide defense to copyright infringement is not only troubling on a Constitutional basis, but also on an operational basis for web hosts. In my practice I’ve noticed a significant increase in the use of the DMCA as a tool to suppress controversial discussions and dissenting viewpoints, if only for the ten to fourteen days during which hosts are required to keep material identified in a DMCA notice suspended. This increase creates an administrative and operational burden for hosts.

The inability of content users to interpose traditional defenses to copyright infringement has long been cited as one of the DMCA’s fundamental flaws. Courts have so broadly interpreted the “good faith” belief standard imposed on entities alleging copyright infringement that it has lost almost all meaning. Indeed, a brief review of recent cases did not find one case in which a court determined that a complainant failed to satisfy this standard.

This view is reinforced by a subsequent comment that the notice and take down provisions in the ACTA be “broad.”  Current DMCA notices look almost like check box forms.  It is difficult for me to imagine a revision to the DMCA that would give copyright holders broader notice and take down rights.  Indeed, if U.S. courts apply an even more liberal reading of the DMCA’s notice and take down provisions than currently, these provisions will have essentially no meaning.

It bears remembering that the six criteria required by the DMCA to be contained in the notice provisions of the DMCA have been interpreted by courts to really mean three criteria. Basically, if a copyright owner signs his name, and copies the good faith and perjury statements into his DMCA notice, the notice is valid. It is up to the host to clarify any unclear elements. This broad interpretation of the notice requirements has led to presentation of DMCA notices that contain less detail than a political advertisement. This issue has created a type of feedback loop in which hosts who seek clarification of DMCA notices solicit arguments from the copyright owners about the clarity of their notice, and risk falling outside the DMCA’s safe harbor by not responding to a DMCA notice in an expeditious manner.

Second, the document discusses a requirement that there be “third party liability” and a new definition of “safe harbor.” Currently hosts who comply with the DMCA are given “safe harbor” from liability for contributory and vicarious copyright infringement. In the early years of the DMCA, copyright holders attempted to whittle this safe harbor down significantly. A change in this standard would significantly change the ways hosts conduct business and narrow the clientele who would be given access to the Internet, since hosts would limit their clientele to well established businesses in traditional business categories.

To my knowledge, strict web hosting providers are not participating in any capacity in these negotiations. I suggest that hosts pay close attention to this new treaty and be prepared to take action if the protections afforded to them by the DMCA are further eroded.