
ISPs block child porn sites

As has been widely reported, three of the nation’s largest ISPs have entered into an agreement with New York’s Attorney General Cuomo in which they will begin blocking certain sites alleged to contain child pornography.  While it’s unclear why these ISPs agreed to cooperate (although given A.G. Cuomo’s past law enforcement efforts, it’s certainly easy to assume that a certain amount of arm twisting was involved) the way this agreement will be implemented is quite illuminating.

The press release issued by the A.G.’s office makes for interesting reading.  It appears that the State of New York will begin building a library of objectionable images and assign these images hash values.  This will allow the State to identify images across multiple networks without having to re-identify them.  The ISPs will also use lists of illegal images compiled by the National Center for Missing and Exploited Children (NCMEC) to administer the program and remove data.  In addition, in the release, we learn that the A.G.’s office “uncovered” a “major source” of the content, “known as news groups.” 

What is missing from the release is how these programs will be administered.  Predictably, this minor issue was not included in the press release, nor in reporting by major news outlets.  However, reporters from “Mashable” did some digging and found that each of the ISPs was going to approach the issue differently:  TimeWarner is blocking all USENET access; Sprint the alt* hierarchy; and Verizon different newsgroups on a case-by-case basis.

So what does this mean in a broad context?  In general, I believe it reflects a dangerous trend of placing law enforcement tools in the hands of private, or quasi-private, entities.  Make no mistake, child pornography is illegal.  As I point out in almost every presentation I make, U.S. child pornography laws are “strict liability:”  you violate the law when you view the content, no matter how noble your intentions.  However, law enforcement tools exist to combat this material.  Agreements such as this reflect the thin wedge of private Internet censorship.

When I read this, warning flags shot up all around.  Other entities are already trying to implement similar schemes for other types of content.  Indeed, the RIAA, MPAA, NAB, and similar organizations are currently lobbying Congress to rewrite Intellectual Property laws to require certain types of content screening.  Last year former U.S. Attorney General Alberto Gonzales embarked on a campaign to eradicate all pornography on the Internet.  Taken together, these events should alarm hosts and other Internet Infrastructure providers.

Hosts sit at a particularly unique point in the Internet Infrastructure.  Because such a substantial amount of Internet traffic must ping their servers, it is incredibly easy to use this fact to control content.  This fact already results in hosts receiving a significantly higher number of criminal and civil warrants and subpoenas.  Hosts simply have the information. Moving the policing of illegal and objectionable content from law enforcement and requiring private entities to assume this task is likely to sharply increase the cost of doing business and significantly raise the risk profile of hosts.

While we all take great pains to make it clear that child pornography is objectionable, and its content irredeemable, the simple fact is that this agreement results in two major ISPs blocking access to a part of the Internet that is of great utility for other uses.  Similarly the organizations representing copyright holders have argued that P2P networks should be shut down because they can function as conduits for piracy.  It is not a far stretch to speculate about a future in which new methods of content dissemination are studied not for their effectiveness in moving Internet traffic, but for their potential to offend.  A chilling development indeed.


Big media to the world: do as I say - not as I do.

I’ve come across a couple of news stories lately that cover an interesting turn of events for copyright owners.  Apparently, a number of vociferous members of the copyright police don’t believe in the saying “what’s good for the goose is good for the gander.”  This article from the Washington Post essentially sums up the issue:  companies seem to have run out of “real people” for their ads, so they’re “borrowing” images from sources like Flickr and personal blogs.  Indeed, in Fox’s case, not only did they borrow the image, they altered it to fit their commercial needs.

Apparently companies like Fox, Virgin Mobile, Microsoft, and HBO think nothing of violating the express copyright statements on sites like Flickr in which users have reserved certain copyright rights, and prohibited commercial use of their images.  In the case of Fox, the use of the image directly contradicted an express statement of copyright ownership at the bottom of the owner’s blog.

So what do I make of this?  First, it reinforces my impression that the Internet Intellectual Property debate (if there still is such a thing) continues to favor Big Intellectual Property.  As evidence of this point, you really need go no further than the fact that spokesmen for Fox, Virgin Mobile and Microsoft were all “unavailable for comment.”  Hmm.  If any of those companies were truly remorseful, I suspect they may have made a spokesman available to the Post.  Clearly, when Fox steals an image from a blog, it’s not a big deal.  However when you download the new season of Fox’s 24, the FBI needs to be involved.

Let me make one thing clear:  I don’t believe that Intellectual property infringement is acceptable for any reason.  However, my day-to-day experience with this issue leads me to believe that Big IP feels that there are no limits to their power.  Not a week goes by when, in my capacity as DMCA agent for some of my clients, a DMCA notice is withdrawn because someone from Big IP shot first, and asked questions later.  Who is the victim in that case?  Certainly not the copyright owner.  It’s the site owner whose site goes down for a couple of days while they try to straighten the dispute out with the IP owner, or their representatives, who, in many cases, have zero interest in moving quickly.

What should be done?  When sending a DMCA take down notice, copyright owners should be required to make a good faith effort to ensure that their statements are accurate, and should be liable for the statements made by their representatives.  The DMCA should be clarified so that the “penalty of perjury statement” applies to both the “good faith” statement of illegality *and* the statement of authorization.  While many courts have held that this is the case, most copyright owners and their representatives assert that it only applies to the statement of authorization. 

Making these changes would go a long way to reinforcing for Big IP that their actions, both as copyright owners, and as users, have implications.


Are domain name registrars responsible for intellectual property infringement?

A recent case filed by Dell against a number of domain tasters and their registrars attempts to hold the registrars liable for infringing some of Dell’s intellectual property.  The claims that are relevant to domain name registrars allege that at least 3 registrars created a chain of registrars who took advantage of the ICANN 5 day redemption period to profit off Dell’s trademarks.  Dell alleges that these registrars allowed domain tasters to redeem domain names at one registrar and subsequently register it at an affiliated registrar.  This would preserve the taster’s interest in the domain name, and allow the affiliated registrars to share in any click through revenue created by the registration of the name.

Without going into the technical legal arguments raised by this case, a suit against domain name registrars has serious implications for hosts and other internet infrastructure providers.  Dell’s arguments are very similar to copyright infringement claims made in the early days of the web:  that those who facilitated the infringement of the copyrighted work were liable as third parties since they facilitated the infringement, and profited from it through the fees they collected.  While the facts in Dell’s case are pretty sensational (a chain of registrars profiting off a nuance in ICANN rules), the case shows that transparent attempts to exploit legal loopholes are often only temporarily successful.  In this case, setting up a chain of (allegedly) related registrars to profit off of a registered trademark merited a swift response from Dell.

So what does this mean for hosts and other Internet infrastructure providers?  The first lesson is that the doctrine of third party liability for intellectual property infringement is alive and well.  This means that you need to remain aware and vigilant about your business activities.  This vigilance is important particularly in the area of trademarks, where, unlike copyrights, there is no “safe harbor” for businesses who are simply links in the chain of bad acts of customers or third parties.  A second lesson relates to Domaining.  While initially a suspect business, domaining has become a legitimate part of the Internet.  Hosts and other Internet infrastructure providers need to be aware that registering domain names involves a different risk assessment than other business efforts.  Because domainers tend to be very creative in their business, and business creativity often requires a higher level of legal analysis, those who provide business services to domainers need to examine whether the processes and procedures they have put into place effectively isolate the risk that these new customers may pose to their business.  


Thoughts from Office 2.0: Do-it-yourself compliance

How do companies who market to SMBs, and are themselves SMBs, deal with legal issues?  One of the frequent complaints I get from my clients is that legal compliance is expensive.  A host who charges $9.99 per month for a shared account has a hard time justifying some of the expenses associated with iron clad legal compliance.  Indeed, for many companies, a request for certification that they are PCI compliant is rejected simply because the company doesn’t have the resources to create a document that states that they are compliant, but doesn’t expose them to liability.

One way of dealing with this issue is by providing information to your customers and letting them make their own decision:  “do-it-yourself” compliance.  This is one of the ways that Central Desktop keeps its compliance expenses down.  Central Desktop is an online collaboration vendor targeting the SMB market.  Like many companies, Central Desktop receives compliance requests on a pretty regular basis.  The company’s CEO, Isaac Garcia, said that these come in to Central Desktop about four or five times per month.  They usually take the form of requests for the company’s disaster recovery plan and security procedures.  Hosts and other internet infrastructure providers regularly receive similar requests.

One of the ways that Central Desktop responds to these requests is to publish a white paper describing its security procedures.   In addition to providing reassurance to customers, Central Desktop’s white paper serves to point out the differences between Central Desktop and its competitors.

Companies walk a fine line when they use white papers in this way.  On one hand, they are an effective technique to push compliance back to customers:  customers now have the information to determine whether you are compliant or not, and can make that determination themselves.  This avoids your having to go through the time and expense of demonstrating compliance, or, more likely having to make contractual representations and warranties.  However, it’s possible that your customers will interpret these documents as representations, or worse, as warranties.  After a security breach, I can certainly imagine a “nasty gram” from a lawyer quoting statements about security procedures from your white paper, and alleging that his client relied on the statements, and threatening to take action based on your breach of them.

While I’m a big fan of pushing compliance down to customers, how do you draft these documents so that’s the result?  The key in my mind is drafting white papers as white papers – rather than as marketing documents, or as documents designed to sidestep issues you don’t want to contractually obligate yourself to do.  Doing this means you should think of white papers as primary research documents:  they should set out facts, but not make conclusions about them.  The conclusions need to be made by the readers.  In addition, while marketing can have a hand in drafting them, they should not simply be marketing pieces.  Typical marketing documents aren’t as effective at encouraging do-it-yourself compliance, and, in many cases, are easily misconstrued.


Thoughts from Office 2.0

Is Awareness a lawyer’s dream?  This afternoon, I met with David Carter, a founder and the CTO of Awareness.  Awareness provides social media tools to businesses.  These tools allow corporations to create blogs, wikis and use other networking tools that have been found to facilitate business communication and community.  From a lawyer’s perspective, Awareness “gets it.”

One of the criticisms leveled at lawyers is that if our clients did what we recommended, employees would still be writing memos on notebook paper and sending them down to the steno pool for transcription.  In some ways that criticism is warranted when a client wants to incorporate technology that doesn’t facilitate compliance with the law.  While a particular item of technology, like a blog, might move your business forward, the real world, like liability for a defamatory post, often intervenes.  Awareness’ products seem to embrace technology, and the productivity promised by it, while allowing compliance related efforts to take place in the background.

Awareness’ products incorporate permissioning, versioning and filtering out of the box.  These tools are crucial for businesses who seek to utilize office 2.0 tools, but who also understand the theory of litigation prevention (as opposed to litigation attraction).   Permissioning  is a great way for larger companies to embrace these technologies without sacrificing controls put in place to deal with real world issues.  For example, while free and open communication is a great thing, I think even the most diehard technology evangelist would agree that human resources’ wiki shouldn’t be open.  So business faces a choice:  deny HR a wiki, create a totally separate system for HR, or abandon wikis altogether.  A set of permission based wikis may solve this problem.

Versioning is another great tool.  Companies often need to know when and where a document, blog or wiki was updated.  This might help in understanding why a particular contract provision was worded the way it was or where a trouble ticket got mishandled.  The latter is a nice way to pre-empt litigation.  Imagine if you were using a wiki to problem solve a server crash that caused other problems.  By referring to prior versions of your wiki, you could effectively communicate with your customer about how things went wrong, and why.  This type of communication is often the single best way of keeping that customer from calling their lawyer, and increasing your legal costs as a result.

I also really like this version of filtering.  Filtering has VERY negative connotations.  When people, including myself, think of filtering, we tend to think of very heavy handed, and honestly, very lawyer driven, filtering systems that end up forcing people to communicate using vague and tortured language.  However, properly implemented, filtering can be an effective business communication tool.  For example, you might want to create an internal corporate blog.  To make the blog effective you put few or no restrictions on what can be discussed.  You could use filtering to leverage your internal blog.  By setting up rules, certain content from your internal blog could be posted to your public blog.  Not only does this save you time and money, it makes your external blog more authentic, and might result in more market acceptance.

So, overall, my conversation with Mr. Carter was pretty exciting.  It’s interesting to see technology embraced and adapted in ways that acknowledge real world issues and the way corporate environments need to be structured to deal with business today.

 


Thoughts from office 2.0

The office2.0 conference began yesterday with a cocktail party.  At the party, I met a doctor from CNMRI who is using technology in two interesting ways.  He’s using Twitter so his staff can figure out what tasks each of them is engaged in throughout the day – this allows them to focus more on patients, and less on locating each other.  The second is a project to build a web based statewide health information network in the State of Delaware.  This will let doctors and patients share medical records across the web.

As interesting as these new applications of technology are, they rang two alarms for me:  privacy and HIPAA.  As I’ve noted in both my columns and on this blog, I believe that privacy is likely to emerge as a regulatory and litigation issue in the next year.  The use of Twitter in a medical capacity has significant privacy implications.  While I was unable to access Twitter to review its contract, I would assume that it has provisions similar to the contracts of most internet infrastructure providers which basically say that the provider has no liability for anything and does not guarantee the security of its network.  So where does that leave the doctor when Twitter accidentally discloses that one of the doctor’s patients is in exam room 3 being treated for a STD, and the doctor is sued when the patient’s wife finds out?  Twitter may have some liability depending on what its privacy policy says.  As I often point out, privacy policies are contracts between companies, their customers, and often third parties.  As a result, they should be reviewed with the same level of scrutiny.

HIPAA is also a big issue.  I inquired whether the doctor had sent Twitter a Business Associate Agreement (BAA) and how these agreements would function in the context of a networked medical records system in which each doctor had their own ISP and likely host who was connected to other hosts and bandwidth providers.

BAAs are the main legal issue for web hosts and other internet infrastructure providers under HIPAA.  BAAs impose additional contractual obligations on third parties based on a health care provider’s obligations under HIPAA.  In essence you are contractually obligated to follow the terms of the BAA.  HIPAA itself does not contain a form BAA.  As a result, businesses are free to create their own BAAs as long as they conform to the bare minimum required by the statute.  As might be expected, some businesses have been using BAAs to back door contractual provisions that they were unsuccessful at getting in their initial negotiation.  The most common provisions I see are privacy warranties and SLA carve outs, neither of which are required by HIPAA.  Hosts and other internet infrastructure providers need to pay close attention to BAAs they receive to make sure that they are only contractually obligating themselves to things they can actually do.


Thoughts from HostingCon - Regulatory compliance.

Yesterday I attended Michael Dodson’s HostingCon presentation entitled “Email Takes Center Stage for Managed Services.”  Michael talked a bit about how regulatory issues affect e-mail services, and how figuring out how HIPAA, SOX and other laws that govern the way certain industries use e-mail might affect your services could give you a marketing leg up.  I couldn’t agree more.  This morning, I attended today's keynote in which Chris Gladwin, CTO and Chairman of the Board of Cleversafe, talked about dispersed storage.  He also talked about the great opportunities for selling storage that have been created by new laws that require data to be kept for significant periods of time.

One of the goals of my practice has always been to give my clients advice that helps their bottom line.  I can’t think of a better way to do that than to take a few hours to determine which laws might impact your customers.  To my knowledge, only one of my clients has fully embraced this proposition, and has been highly successful at it.  Another way of thinking about legal advice is that you may be able to leverage the advice you get to bring your company into compliance by using that same advice to market to customers.  This could give you a great way of differentiating yourself.

As a side note, the technology that Cleversafe is using is TOTALLY cool!  If you haven't taken a look at it, you're missing some great stuff.


Thoughts from HostingCon - control panel smack-down

This morning I moderated HostingCon's Tuesday keynote:  the future of service delivery.  The initial title of this panel was the “control panel smack-down.”  Because the nature of the industry is quickly evolving, the panel was broadened to include other industry experts.  While no legal issues came up right in the keynote, what did occur to me was the issue of responsibility for data.  All of the panelists talked about different ways customers may use their resources and focused particularly on data storage. 

Changing what you do with customer and third party data has real legal implications.  How many hosts out there even know who owns the data on their servers, what they can do with it, and their responsibility for handling it?  As hosts begin to market their services for off line back up, or, more reasonably, for outsourced exchange, their liability profile changes versus simply hosting brochure ware.  I won't comment on the general panel consensus that hosts need to stop marketing increased storage and bandwidth, except to say that I'll believe it when I see it.


Worst Internet Laws EVER

Law Professor Eric Goldman has published a list of the best and worst Internet laws ever. Honestly, because Prof. Goldman could only come up with two good laws, it's reasonable to say that our lawmakers have had a ridiculously hard time coming up with any legislation that has been beneficial. So how do some of the laws on his list work for web hosts? I'll focus on two laws: one good and one bad.

First off, the good news. The Communications Decency Act tops my list as the best news for web hosts. The CDA provides a "safe harbor" for businesses who are conduits for information. Basically, what the CDA does is apply the legal analysis used for telephone companies to providers of "ping, power and pipe." Just as a telephone company is not typically responsible for what its customers say over the telephone, so a provider of ping, power and pipe is not typically liable for what its customers transmit using its facilities. Prior to the CDA, hosts used to face more frequent allegations that they were responsible for the content of their customers.

The second law is a bit of good news/bad news. The Digital Millennium Copyright Act or DMCA, was enacted to give copyright owners a quick and relatively painless way to police their copyrights. As a side benefit, it created a scheme to encourage Internet providers to comply with its provisions. If you comply with the statutory requirements of the DMCA, you will likely escape liability for contributory copyright infringement for your customer's copyright infringement. If you don't, you might be liable for treble damages under the law. Because of this carrot and stick approach, most hosts comply with the DMCA.

What the DMCA has unleashed is a virtual torrent of letters attempting to cajole web hosts into disabling websites. As noted in Prof. Goldman's article, and as I see on a daily basis, many of these notices are so poorly researched that the cost of compliance is extremely high. To begin with, many of the notices are simply computer generated letters based on buggy software that spiders the net looking for certain terms. The results are pasted into an often incoherent notice, and randomly sent to abuse@, admin@, legal@ and copyright@ e-mail addresses, without regard to the actual address designated by the host. Because these letters technically comply with the DMCA, hosts are required to process them. The resulting internal confusion, and questions generated by customers, drive up abuse costs significantly.

The DMCA has also created a class of notices that have nothing to do with copyright. Increasingly, owners of other types of intellectual property, particularly Trademark owners, are co-opting the phraseology of DMCA notices for their own infringement letters. The resulting letters are misleading at best, and often blatantly false. Indeed, some letters now come complete with asterisks and fine print that actually state that the notice is not made under the DMCA, I assume to avoid liability based on the "penalty of perjury" statement that must be included in a DMCA notice. Leave it to lawyers to use fine print to try to exempt themselves from a claim of perjury.


What to make of the latest FBI Flap.

A recent report from the U.S. Department of Justice has highlighted deficiencies in the F.B.I.'s use of national security letters. The wide ranging report, required under the USA Patriot Act, included a detailed breakdown of how the letters have been used, and in particular, contained information about how a number of recipients provided data to the F.B.I. that was protected by the Electronic Communications Privacy Act. In particular, the report noted that at least 19 recipients of the letters had disclosed almost all information they had about a target, or had disclosed information that exceeded the time limits provided in the ECPA.

Under the ECPA, recipients of national security letters may not be sued by their customers for disclosing the information set out in the letter. However, this safe harbor appears only to apply to the information set out in the letters. As a result, it seems conceivable that if a host discloses more information than is requested in a letter, and that damages a customer, the host may not be immune from liability under the ECPA. Provisions of federal law provide for civil suits against entities who disclose confidential customer information outside the scope of a warrant or subpoena. Indeed, AT&T is the subject of a class action suit filed in based on the NSA's interception of voice traffic.

The fact that this issue is getting so much attention illustrates the need to spend time reviewing subpoenas and warrants. Now, more than ever, hosting companies should make sure that they do more than simply rip a customer's site to a DVD, and ship off the credit card information and IP logs to law enforcement.


  © Copyright Web Host Industry Review, Inc.