Apparently companies like Fox, Virgin Mobile, Microsoft, and HBO think nothing of violating the express copyright statements on sites like Flicker in which users have reserved certain copyright rights, and prohibited commercial use of their images.  In the case of Fox, the use of the image directly contradicted an express statement of copyright ownership at the bottom of the owner’s blog.

So what do I make of this?  First, it reinforces my impression that the Internet Intellectual Property debate (if there still is such a thing) continues to favor Big Intellectual Property.  As evidence of this point, you really need go no further than the fact that spokesmen for Fox, Virgin Mobile and Microsoft were all “unavailable for comment.”  Hmm.  If any of those companies were truly remorseful, I suspect they may have made a spokesman available to the Post.  Clearly, when Fox steals an image from a blog, it’s not a big deal.  However when you download the new season of Fox’s 24, the FBI needs to be involved.

Let me make one thing clear:  I don’t believe that Intellectual property infringement is acceptable for any reason.  However, my day-to-day experience with this issue leads me to believe that Big IP feels that there are no limits to their power.  Not a week goes by when, in my capacity as DMCA agent for some of my clients, a DMCA notice is withdrawn because someone from Big IP shot first, and asked questions later.  Who is the victim in that case?  Certainly not the copyright owner.  It’s the site owner whose site goes down for a couple of days while they try to straighten the dispute out with the IP owner, or their representatives, who, in many cases, have zero interest in moving quickly.

What should be done?  When sending a DMCA take down notice, copyright owners should be required to make a good faith effort to ensure that their statements are accurate, and should be liable for the statements made by their representatives.  The DMCA should be clarified so that the “penalty of perjury statement” applies to both the “good faith” statement of illegality *and* the statement of authorization.  While many courts have held that this is the case, most copyright owners and their representatives assert that it only applies to the statement of authorization. 

Making these changes would go a long way to reinforcing for Big IP that their actions, both as copyright owners, and as users, have implications.

As interesting as these new applications of technology are, they rang two alarms for me:  privacy and HIPAA.  As I’ve noted in both my columns and on this blog, I believe that privacy is likely to emerge as a regulatory and litigation issue in the next year.  The use of Twitter in a medical capacity has significant privacy implications.  While I was unable to access Twitter to review its contract, I would assume that it has provisions similar to the contracts of most internet infrastructure providers which basically say that the provider has no liability for anything and does not guarantee the security of its network.  So where does that leave the doctor when Twitter accidentally discloses that one of the doctor’s patients is in exam room 3 being treated for a STD, and the doctor is sued when the patient’s wife finds out?  Twitter may have some liability depending on what its privacy policy says.  As I often point out, privacy policies are contracts between companies, their customers, and often third parties.  As a result, they should be reviewed with the same level of scrutiny.

HIPAA is also a big issue.  I inquired whether the doctor had sent Twitter a Business Associate Agreements (BAA) and how these agreements would function in the context of a networked medical records system in which each doctor had their own ISP and likely host who was connected to other hosts and bandwidth providers. 

BAAs are main legal issue for web hosts and other internet infrastructure providers under HIPAA.  BAA’s impose additional contractual obligations on third parties based on a health care provider’s obligations under HIPAA.  In essence you are contractually obligated to follow the terms of the BAA.  HIPAA itself does not contain a form BAA.  As a result, businesses are free to create their own BAAs as long as they conform to the bare minimum required by the statute.  As might be expected, some businesses have been using BAAs to back door contractual provisions that they were unsuccessful at getting in their initial negotiation.  The most common provisions I see are privacy warranties and SLA carve outs, neither of which are required by HIPAA.  Hosts and other internet infrastructure providers need to pay close attention to BAAs they receive to make sure that they are only contractually obligating themselves to things they can actually do.

The troubling provision states:

Whoever, being an Internet content hosting provider or email service provider, knowingly engages in any conduct the provider knows or has reason to believe facilitates access to, or the possession of, child pornography (as defined in section 2256) shall be fined under this title or imprisoned not more than 10 years, or both.

What is troublesome about this provision is the use of the phrase "knows or has reason to believe facilitates access to, or the possession of, child pornography." So what is "knowledge" or "reason to believe?" Criminal statutes are generally interpreted relatively conservatively, and whether an individual or entity actually has the requisite level of knowledge will depend on the circumstances. However, given the fact that enforcement of child pornography laws is a particular priority, it is not unreasonable to expect that a prosecutor might allege a host had knowledge, or reason to believe, it was hosting child pornography, based simply on a domain name, or a directory's file structure.

The second provision creates a records retention requirement. The Act directs the Attorney General to "issue regulations" governing retention of records. At a minimum, the regulations must require that the contact information, and user id or telephone number with which the id was associated, be kept for a period of time. As the Act is currently drafted, this provision only applies to ISPs. Given the statements made by Attorney General Gonzales, and various law enforcement officials, that they have had difficulty securing this information from web hosts this provision is likely to be expanded. If that is the case, hosts may be required to invest in expensive systems and infrastructure to capture and store this data.

According to the Act, to be covered by the safe harbor, the internet service provider must believe that the information they are providing to the FTC relates to "a possible unfair or deceptive act or practice" or is relevant to "assets subject to recovery by [the FTC] including assets located in foreign jurisdictions." This provides internet service providers a way of disclosing information to the FTC when they become aware of that type of activity taking place using their servers.

One thing that is unclear in the Act is the scope of the term "Internet Service Provider." Past Acts have included a reference to a well known statute that includes the activities of web hosts within the definition of ISP. This statute does not include such a reference. It is possible, then, that a court may determine that a host does not fall within the definition of ISP. However given the nature of the statute, intent of Congress, and all other legislation with a similar goal, it's hard to imagine that a court would take a strict line on this issue.

Like most legislation with "safe harbors," it is important that you understand the parameters of what information is within the safe harbor, and what information is not. A scattershot approach to disclosure is likely to take you out to the relevant safe harbor and possibly expose you to liability to the owner of the information. In particular, you should have policies in place to govern what information is transmitted outside your company, no matter what safe harbor may be available to you.

On a side note - kudos to the Hill staffers who keep coming up with catchy acronyms for these laws. With an acronym like USA SAFE WEB Act, I can't imagine that it is not a full time job.

This issue is important to web hosts since e-mail, and particularly the ability to market by e-mail, is a key selling point for hosting services. Tighter restrictions, such as an "opt-in" approach, may decrease the utility of e-mail as a marketing technique, and also lead to higher compliance costs for hosts. However these issues should be balanced with the costs that hosts currently face configuring their networks to deal with the spam they receive, and also working with customers to understand how anti-spam technology operates and that technology's potential effects on their businesses.

Virginia's proposal should be seen in light of recent publicity about the capture of Darren Bates at a Philadelphia library while he was updating his MySpace page. Its clear that both law enforcement and politicians see providers of Internet Infrastructure services, particularly web hosts, as an effective source of information and behavior control. Currently, to avoid liability, web hosts should have a written procedure in place for dealing with subpoenas and law enforcement requests. Its clear that in the future, hosts will have other significant responsibilities.