
Who let YOU in? International Hosting Law.

As Liam noted in his blog, I’m at Webhostingday.  This is my first hosting event outside the U.S.  As the title above suggests  - the question I’m getting the most is “why are you here?” or with a bit more meat:  “what use are you to hosts and other internet infrastructure providers who are outside of the U.S.?”

Sidestepping the jurisdictional issues (I’m a member of the bars of the District of Columbia and State of New Mexico), this question goes to the fundamental issue facing all hosts, and the Internet in general:  whose law applies?

Let me answer that in a typical lawyer fashion:  it depends.  Let’s say I’m representing a company in Ohio.  They have a disgruntled customer in Maine.  I’m going to argue that Ohio law applies, since that’s where my client is based.  Let’s say there’s the same set of facts, however the customer in Maine has money in a bank we’re trying to get.  I’m going to argue that Maine law applies.  U.S. law supports both arguments, particularly in the business to consumer context.

In the international context, the arguments are relatively similar, except it’s much more difficult to get courts of one nation to apply the laws of another.  This is VERY true of U.S. courts, who will almost never apply the laws of a foreign jurisdiction, or, for that matter, even cede that a foreign court may have come to a more reasonable decision.

However the Internet is global, and my clients, and the attendees at Webhostingday, have clients all over the world.  So, to make the example above more complicated, how does a datacenter in Cologne leasing space to my client in Ohio, deal with my client’s problem customer in Maine?

The answer that applies 75% of the time is by using a common contract.  In the hosting industry, along with many other Internet industries, a consensus has developed about what is, and what isn’t, acceptable in contracts.  Except in their extreme forms, most hosting contracts (at least those that I’ve written) can be distilled down to very basic principles.  These principles have wide application in almost every country that has accepted the principle of doing business by contract.  By creating contracts that hew to these principles, it is much more likely that they will be enforced by courts from the U.S. to Uruguay.

So what about the other 25%?  The other 25% tends to involve issues, such as privacy, reseller and redistribution rights, and price floors, on which many countries disagree.  As companies move up the value chain, and create more varied products and services, their ability to sell over the internet with a standard contract that applies to all customers regardless of country, decreases.  In that case, typically my clients will engage me to prepare a standard contract, and we’ll work with attorneys in targeted countries, or geographic areas, to create a specific contract.

So that, I think, is the general answer to “what can you do for non-U.S.” hosts.  As to other reasons why I’m here:  I’ve done several transactions in the past year where, thanks to the weak dollar, my clients were either acquiring a company in the U.S., or being acquired by a company in the E.U.;  I have clients in the E.U. who have encouraged me to come; and finally, to Liam’s point in a recent blog entry, I’ve always wanted to ride roller coasters as much as I desired without waiting in line.  Just don’t tell my daughter.


Additional confirmation that e-mail negotiations work.

One of the most frequent concerns I hear from clients and non-clients alike, involves questions about the enforceability of different types of contracts, and contract negotiations.  A recent decision in the U.S. District Court for the Western District of Virginia reinforces the general trend that contracts negotiated electronically, and often signed that way as well, can be enforced.  It also reinforces the point of law that e-mail communication is as authoritative as a letter.

This dispute involves a contract that was negotiated by e-mail.  One of the negotiating parties suggested a change to the contract after the initial contract had been signed.  One of these provisions, an arbitration clause, was the subject of the dispute.  While the parties disagreed on the series of events, they did agree that the other party signed the initial contract, replied by e-mail to a proposed modification, and then signed the “new” contract.  The e-mail reply stated:  “[m]y answer is yes to both.  Please make the necessary changes and additions and forward the same to me in two signed copies.  I will then sign them both and return one completed contract to you.”

The parties disputed whether there was actual agreement about the second version of the contract – even though it was fully executed.  The court held that the response in the e-mail was sufficient to demonstrate that the parties agreed to the new terms, even if one party had not actually read the agreement, or misunderstood what he was agreeing to.

This case is important for two reasons.  The first is to further strengthen the current trend of allowing contract consent by e-mail (and, by extrapolation, other electronic means).  The second is to point out that in spite of its informal nature, e-mail will likely be considered by a court to have the same evidentiary status as a letter or other formal method of communication.  It bears repeating that communication by e-mail should be treated with the same care as communication by letter or fax.

 


Who owns the content on your blog - Thoughts from ISPCON

My first conference at this fall’s ISPCON dealt with leveraging social marketing.  This session was led by the always entertaining Peter Radizeski.  Peter talked about how companies are encouraging their employees to blog on company blogs, and develop applications to deploy on the blog.  Peter wondered aloud about who would own the employees’ content and applications.  The basic answer is that the company does.  Generally speaking, a company owns products developed by employees using corporate resources on company time.


When things get interesting is when you create a “community” in which people use your blog, or your resources to develop apps and other types of content or products.  Who owns that?  Does the company that hosts your blog?  Do you?  Does the developer?  Unless you’d like to invite the courts to figure this out, the answer is it will depend on your contract.  Without a contract, it’s likely that ownership will be, at best, shared, at worst, for you, owned completely by the developer.  So unless you’re simply trying to create a community (which, I agree with Isabel, is a good thing), you need to create a contract that defines who owns what.


Are mashups and "buy it now" too scary for lawyers?

As noted in my previous blog entries, I found the Office 2.0 conference fascinating.  The most exciting conversation I had was with Eric Hoffert of ShareMethods.  Eric and I chatted briefly about “OpenSAM.”  OpenSAM is a “set of recommendations” of standards and techniques for integrating SaaS applications.  While talking about this, Eric mentioned that there was a significant legal issue associated with mashups like this.  Eric envisions a time when your customers will be able to choose from a list of services offered by different vendors in a mashup.  So, for example, as a lawyer, I need word processing, a spreadsheet, presentation software, and e-mail.  So in a mashup, I’d choose these, and exclude services, say for databases.  However when I buy these products there will need to be a process in place so that each of the mashup participants’ various contract and legal needs are met.  However meeting these needs can’t involve a five day (at least) lag time while each of the parties’ lawyers hash out how to create a contract that protects everyone.  A customer isn’t going to wait 5 days for that – they’ll just move on.

The “buy it now” issue also came up this morning during Dan Golding’s presentation at the Hosting Transformation Summit.  Dan hammered home the point that the hosting world needs to move to a “buy it now” impulse purchase sales process.  So how do you create an à la carte / buy it now sales process and still protect yourself?

I think the answer is likely to be dynamic contracting.  In my mind this type of contracting process will initially look more like an algebraic equation than a typical contract.  Each party will supply its own set of variables and the end product will be the contract.  So, for example, your ability to provide a warranty may be less than X but greater than Y, with X being a complete warranty of fitness for a particular purpose with Y being no warranty at all.  Other partners in the mashup, or your “buy it now” process would have similar issues.  When a customer chose a particular service, a back end process would evaluate each of the parties’ warranty tolerances, produce a warranty clause that’s been previously agreed upon, and create carve outs for those members of the process whose tolerance is outside of the equation.  The customer would then be presented with a custom contract that was configured on the fly.

What a process like this would require is determining which legal and liability issues are critical to you, and not insisting on your “standard” contract that reflects each and every nuance of your business, or those of your attorneys.  This could all be done beforehand, and, because it’s likely to involve sets of standard contract terms, it may actually be cheaper to do than drafting, creating and negotiating custom agreements.


Thoughts from office 2.0

The office2.0 conference began yesterday with a cocktail party.  At the party, I met a doctor from CNMRI who is using technology in two interesting ways.  He’s using Twitter so his staff can figure out what tasks each of them are engaged in throughout the day – this allows them to focus more on patients, and less on locating each other.  The second is a project to build a web based statewide health information network in the State of Delaware.  This will let doctors and patients share medical records across the web.

As interesting as these new applications of technology are, they rang two alarms for me:  privacy and HIPAA.  As I’ve noted in both my columns and on this blog, I believe that privacy is likely to emerge as a regulatory and litigation issue in the next year.  The use of Twitter in a medical capacity has significant privacy implications.  While I was unable to access Twitter to review its contract, I would assume that it has provisions similar to the contracts of most internet infrastructure providers which basically say that the provider has no liability for anything and does not guarantee the security of its network.  So where does that leave the doctor when Twitter accidentally discloses that one of the doctor’s patients is in exam room 3 being treated for an STD, and the doctor is sued when the patient’s wife finds out?  Twitter may have some liability depending on what its privacy policy says.  As I often point out, privacy policies are contracts between companies, their customers, and often third parties.  As a result, they should be reviewed with the same level of scrutiny.

HIPAA is also a big issue.  I inquired whether the doctor had sent Twitter a Business Associate Agreement (BAA) and how these agreements would function in the context of a networked medical records system in which each doctor had their own ISP and likely host who was connected to other hosts and bandwidth providers.

BAAs are the main legal issue for web hosts and other internet infrastructure providers under HIPAA.  BAAs impose additional contractual obligations on third parties based on a health care provider’s obligations under HIPAA.  In essence you are contractually obligated to follow the terms of the BAA.  HIPAA itself does not contain a form BAA.  As a result, businesses are free to create their own BAAs as long as they conform to the bare minimum required by the statute.  As might be expected, some businesses have been using BAAs to back door contractual provisions that they were unsuccessful at getting in their initial negotiation.  The most common provisions I see are privacy warranties and SLA carve outs, neither of which are required by HIPAA.  Hosts and other internet infrastructure providers need to pay close attention to BAAs they receive to make sure that they are only contractually obligating themselves to things they can actually do.


P2P Software

I downloaded the beta version of Joost to take a look at the license terms that a commercial P2P might use. Joost allows you to watch high quality video for free, in return for watching a commercial or two. Joost uses P2P technology to distribute the video, but locks it up so that it can't be further distributed. I thought two things would be interesting from a legal perspective: how the company protects the content, and how it protects itself from claims that its P2P technology has harmed the user's computer.

The answer to the first question is pretty straightforward - the software used to display videos prevents users from saving the videos to their personal computers. While I didn't look into this in detail, I assume it involves at a minimum some sort of encryption technology. Accordingly, the license agreement prohibits you from taking measures to defeat the copy protection features of the software. Nor are you allowed to reverse engineer it. Terms of this type are fairly common in distribution licenses.

The answer to the second question is interesting. The license specifically disclaims any obligation to protect the contents of user's computers, since, naturally, the resources of your computer will be used to further distribute the content. However, Joost has undertaken an obligation to take measures to protect the privacy of data on a user's computer, and the integrity of their system. Although you agree to release Joost from liability or damages should the software transmit private data, be used by another user to access your personal data, or damage your computer, the fact that they have agreed to take measures to prevent this is instructive.

What this indicates to me is that users of the technology remain wary of how the technology might be used by others. Indeed the fact that this provision is in the license agreement which, I've been told, no one reads, rather than in an FAQ where it would be more prominent, shows how important this reassurance must be to users.

This type of reassurance reminds me of the time when hosts were encouraged to post their "cookie policies" on their websites to reassure privacy sensitive customers. For hosts, it serves as an example of the fact that this technology is not fully accepted by the general public. This fact may make courts less likely to accept the typical, "we're not liable for anything, in any amount, at any time" contract language. As a result, hosts may need to be prepared to make assertions similar to those made by Joost.


Bait and switch

A magistrate judge in Texas has granted summary judgment in a case involving unfair and deceptive on-line terms and conditions. In FTC v. Think All Publishing, the FTC alleged that Think All buried relevant terms and conditions in various contractual documents to which customers were required to agree. The end result of these terms and conditions was to require customers to purchase software from ThinkAll when they were promised free software. The marketing pitch - free software - was negated by the legalese - users paid for software not returned within a short period of time.

The FTC brought its enforcement action pursuant to its authority to prosecute unfair and deceptive trade practices. The key issue in this case was the interaction between the various terms and conditions set out on the website and on the product packages. The end contract was so confusing that consumers could not reasonably be expected to understand that they were signing up for products they had to pay for.

Understanding this issue is crucial for web hosts and is particularly important to reinforce with your marketing department. I would question the legality of marketing promotions that are so complicated and convoluted that creating them requires several paragraphs of legalese to make them work, or make money.

Based on this case, it seems clear that companies should resist the temptation to create a complicated set of contractual conditions where various terms and conditions in one place are contradicted or superseded in another. A clear set of customer expectations and obligations really should eliminate a substantial amount of liability simply because your customers are clear on what they're getting, how much they are going to pay for it, and the limits of your obligations.


Personal responsibility

So when are your customers, their end users, or other individuals responsible for their actions? I've been thinking about this concept for about a week now, ever since I was forwarded the statement below. The RPG.net poster is responding to a question in which someone asks about whether the person he's chatting with might be scamming him:

"Is she being held hostage by a Nigerian Prince who can make your [anatomy] grow ... while simultaneously updating your ebay account information?

Because if not, I'd totally pass."

This post makes an important ethical, and legal, point: common sense and personal responsibility are important parts of daily life, and, in particular, doing business on the Internet. Unfortunately, I find that over the course of the last ten years, common "internet" sense has waned over time. Indeed, it seems that the Internet provides a convenient excuse for all sorts of moral and ethical lapses. It is amazing to me how many times I've had to handle disputes over accounts that have been compromised because an employee has disclosed a password to a colleague or even a competitor.

The issue of personal responsibility for actions has a pretty deep history in U.S. law. An individual's actions, or lack thereof, often form either a defense, or a mitigating factor, in many different areas. In contract actions, for example, courts have often held that an individual's failure to take the actions required by the contract precluded a claim for breach of contract.

Defenses of common sense and personal responsibility haven't made their way into cases based on Internet services. However based on other areas of the law, it should be only a matter of time before someone who sues for one million dollars based on his failure to back up his data finds himself on the wrong end of a motion for dismissal.


Learning from Sony

Sony BMG recently settled lawsuits brought by the attorneys general of Texas and California over copy protection software embedded in certain Sony BMG music CDs. As has been widely reported, key legal issues raised by the attorneys general centered around the fact that the anti-piracy software was not disclosed, and contained features other than those strictly necessary to defeat piracy. Other claims were made based on statutes limiting computer intrusion.

The Sony BMG debacle offers great lessons for hosting companies. Because hosting companies control the channel between customer and vendor, they face requests to engage in activities that are either not disclosed, or opaque to the customer. Often the solution to any "legal issues" raised by these activities, is to create a click wrap contract that, while disclosing the activity, does so in such a convoluted or legalistic way, that a reasonable person would be unable to understand what they were agreeing to. Indeed, one of the defenses raised by Sony BMG, was the fact that consumers had expressly agreed to the installation of the copy protection root kit. Hosting companies would be well advised to think carefully about marketing and other business scenarios that involve distributing software, or selling information, to third parties when the third party seeks to disguise its participation in the transaction.

The second important lesson in this is the continued vitality of federal and state statutes governing computer transactions. In addition to the federal "computer fraud and abuse act" linked above, Sony BMG ran afoul of the thicket of state statutes that have been enacted to curtail computer fraud, spyware and unfair business practices. While these statutes differ slightly from state-to-state, all have the same general goal: preventing companies from engaging in acts that are unconscionable, misrepresent the purpose of a transaction, or are simply misleading. Hosting companies embarking on new and innovative product launches, would be well advised to review state statutes governing consumer protection, and distribution of malicious software, prior to going live.

Regardless of the fact that Sony BMG settled this matter, hosting companies have been given a good idea of the kinds of legal actions that may be brought against them for the release of defective software and failure to adequately disclose the true nature of their activities.


Thoughts from ISPCON - The Truth and Practice of Delivering VPS Services

The final panel I attended at ISPCON was this panel on VPS services. One of the issues that came up was the issue of security risks associated with open source code. So, for example, what risks do you have for using open source VPS software as opposed to that offered by Virtuozzo? Using open source code requires users to update and maintain their software - an obligation that a software vendor usually assumes. It's likely that your customers assume that you are updating your software and ensuring its security. As a result if you are using open source VPS software, it is fair to assume that you will have an affirmative obligation to search out, design and implement security fixes to the open source code you do use.

An additional issue that came up was the issue of how "private" a site on a VPS server is, and how much bandwidth is allotted to that site. This is a key issue that needs to be clarified in your terms of service or marketing materials. If the bandwidth allocated to a particular site is limited by the structure of your VPS software, or the configuration of your network, this might need to be disclosed - particularly if the "virtual" aspect of a site is unclear. Certainly if you will charge for excess bandwidth, this fact must be set out.

 
 
