whir blogs

ISPs block child porn sites

As has been widely reported, three of the nation’s largest ISPs have entered into an agreement with New York’s Attorney General Cuomo in which they will begin blocking certain sites alleged to contain child pornography. While it’s unclear why these ISPs agreed to cooperate (although given A.G. Cuomo’s past law enforcement efforts, it’s certainly easy to assume that a certain amount of arm twisting was involved), the way this agreement will be implemented is quite illuminating.

The press release issued by the A.G.’s office makes for interesting reading.  It appears that the State of New York will begin building a library of objectionable images and assign these images hash values.  This will allow the State to identify images across multiple networks without having to re-identify them.  The ISPs will also use lists of illegal images compiled by the National Center for Missing and Exploited Children (NCMEC) to administer the program and remove data.  In addition, in the release, we learn that the A.G.’s office “uncovered” a “major source” of the content, “known as news groups.” 

What is missing from the release is how these programs will be administered. Predictably, this minor issue was not included in the press release, nor in reporting by major news outlets. However, reporters from “Mashable” did some digging and found that each of the ISPs was going to approach the issue differently: TimeWarner is blocking all USENET access; Sprint the alt* hierarchy; and Verizon different newsgroups on a case-by-case basis.

So what does this mean in a broad context? In general, I believe it reflects a dangerous trend of placing law enforcement tools in the hands of private, or quasi-private, entities. Make no mistake, child pornography is illegal. As I point out in almost every presentation I make, U.S. child pornography laws are “strict liability”: you violate the law when you view the content, no matter how noble your intentions. However, law enforcement tools exist to combat this material. Agreements such as this reflect the thin wedge of private Internet censorship.

When I read this, warning flags shot up all around. Other entities are already trying to implement similar schemes for other types of content. Indeed, the RIAA, MPAA, NAB, and similar organizations are currently lobbying Congress to rewrite Intellectual Property laws to require certain types of content screening. Last year former U.S. Attorney General Alberto Gonzales embarked on a campaign to eradicate all pornography on the Internet. Taken together, these events should alarm hosts and other Internet Infrastructure providers.

Hosts sit at a particularly unique point in the Internet Infrastructure.  Because such a substantial amount of Internet traffic must ping their servers, it is incredibly easy to use this fact to control content.  This fact already results in hosts receiving a significantly higher number of criminal and civil warrants and subpoenas.  Hosts simply have the information. Moving the policing of illegal and objectionable content from law enforcement and requiring private entities to assume this task is likely to sharply increase the cost of doing business and significantly raise the risk profile of hosts.

While we all take great pains to make it clear that child pornography is objectionable, and its content irredeemable, the simple fact is that this agreement results in two major ISPs blocking access to a part of the Internet that is of great utility for other uses. Similarly, the organizations representing copyright holders have argued that P2P networks should be shut down because they can function as conduits for piracy. It is not a far stretch to speculate about a future in which new methods of content dissemination are studied not for their effectiveness in moving Internet traffic, but for their potential to offend. A chilling development indeed.


What to make of the latest FBI Flap.

A recent report from the U.S. Department of Justice has highlighted deficiencies in the F.B.I.'s use of national security letters. The wide-ranging report, required under the USA Patriot Act, included a detailed breakdown of how the letters have been used, and in particular, contained information about how a number of recipients provided data to the F.B.I. that was protected by the Electronic Communications Privacy Act. In particular, the report noted that at least 19 recipients of the letters had disclosed almost all information they had about a target, or had disclosed information that exceeded the time limits provided in the ECPA.

Under the ECPA, recipients of national security letters may not be sued by their customers for disclosing the information set out in the letter. However, this safe harbor appears only to apply to the information set out in the letters. As a result, it seems conceivable that if a host discloses more information than is requested in a letter, and that damages a customer, the host may not be immune from liability under the ECPA. Provisions of federal law provide for civil suits against entities who disclose confidential customer information outside the scope of a warrant or subpoena. Indeed, AT&T is the subject of a class action suit filed in based on the NSA's interception of voice traffic.

The fact that this issue is getting so much attention illustrates the need to spend time reviewing subpoenas and warrants. Now, more than ever, hosting companies should make sure that they do more than simply rip a customer's site to a DVD, and ship off the credit card information and IP logs to law enforcement.


Internet SAFETY Act

Representative Lamar Smith recently introduced the Internet Stopping Adults Facilitating the Exploitation of Today's Youth Act (SAFETY Act). The SAFETY Act has one provision that is particularly troubling for web hosts, and another that has the potential to create a great deal of work and expense.

The troubling provision states:

Whoever, being an Internet content hosting provider or email service provider, knowingly engages in any conduct the provider knows or has reason to believe facilitates access to, or the possession of, child pornography (as defined in section 2256) shall be fined under this title or imprisoned not more than 10 years, or both.

What is troublesome about this provision is the use of the phrase "knows or has reason to believe facilitates access to, or the possession of, child pornography." So what is "knowledge" or "reason to believe?" Criminal statutes are generally interpreted relatively conservatively, and whether an individual or entity actually has the requisite level of knowledge will depend on the circumstances. However, given the fact that enforcement of child pornography laws is a particular priority, it is not unreasonable to expect that a prosecutor might allege a host had knowledge, or reason to believe, it was hosting child pornography, based simply on a domain name, or a directory's file structure.

The second provision creates a records retention requirement. The Act directs the Attorney General to "issue regulations" governing retention of records. At a minimum, the regulations must require that the contact information, and user id or telephone number with which the id was associated, be kept for a period of time. As the Act is currently drafted, this provision only applies to ISPs. Given the statements made by Attorney General Gonzales, and various law enforcement officials, that they have had difficulty securing this information from web hosts, this provision is likely to be expanded. If that is the case, hosts may be required to invest in expensive systems and infrastructure to capture and store this data.


Learning from Sony

Sony BMG recently settled lawsuits brought by the attorneys general of Texas and California over copy protection software embedded in certain Sony BMG music CDs. As has been widely reported, key legal issues raised by the attorneys general centered around the fact that the anti-piracy software was not disclosed, and contained features other than those strictly necessary to defeat piracy. Other claims were made based on statutes limiting computer intrusion.

The Sony BMG debacle offers great lessons for hosting companies. Because hosting companies control the channel between customer and vendor, they face requests to engage in activities that are either not disclosed, or opaque to the customer. Often the solution to any "legal issues" raised by these activities is to create a click wrap contract that, while disclosing the activity, does so in such a convoluted or legalistic way that a reasonable person would be unable to understand what they were agreeing to. Indeed, one of the defenses raised by Sony BMG was the fact that consumers had expressly agreed to the installation of the copy protection rootkit. Hosting companies would be well advised to think carefully about marketing and other business scenarios that involve distributing software, or selling information, to third parties when the third party seeks to disguise its participation in the transaction.

The second important lesson in this is the continued vitality of federal and state statutes governing computer transactions. In addition to the federal "computer fraud and abuse act" linked above, Sony BMG ran afoul of the thicket of state statutes that have been enacted to curtail computer fraud, spyware and unfair business practices. While these statutes differ slightly from state to state, all have the same general goal: preventing companies from engaging in acts that are unconscionable, misrepresent the purpose of a transaction, or are simply misleading. Hosting companies embarking on new and innovative product launches would be well advised to review state statutes governing consumer protection, and distribution of malicious software, prior to going live.

Regardless of the fact that Sony BMG settled this matter, hosting companies have been given a good idea of the kinds of legal actions that may be brought against them for the release of defective software and failure to adequately disclose the true nature of their activities.


Coming Law Enforcement Obligations

In an effort to protect minors on social networking sites, both the State of Virginia and the U.S. Congress have proposed requiring that registered sex offenders provide their e-mail addresses, IM names, and other indicia of electronic life to the government. This concept, like previous attempts to require labeling of websites, is further indication that the Internet is moving from its relatively unregulated state to one in which companies will have increasing responsibility for facilitating compliance with various law enforcement and societal priorities.

Virginia's proposal should be seen in light of recent publicity about the capture of Darren Bates at a Philadelphia library while he was updating his MySpace page. It's clear that both law enforcement and politicians see providers of Internet Infrastructure services, particularly web hosts, as an effective source of information and behavior control. Currently, to avoid liability, web hosts should have a written procedure in place for dealing with subpoenas and law enforcement requests. It's clear that in the future, hosts will have other significant responsibilities.


Advertising on multiple devices

The FTC recently held a three-day conference on dealing with the spread of advertising messages to multiple media. While the FTC continues its preference for self-regulation, it is clear that that preference is fraying around the edges. What seems clear is that the FTC believes marketing pitches are getting more aggressive and overreaching. A big issue is tracking consumer behavior over multiple devices, and using this information to target ads. While this activity isn't illegal, per se, how that information is used can create significant legal issues. Hosts need to examine what the technology they sell to customers will do, and what legal liability they have for their customers' use of this technology; what their privacy policy says; and their customers' and their end users' privacy expectations. The key issue for me is that some consumers are always going to want to be anonymous. When looking at these new marketing pitches, and technologies, you should try to allow customers to "opt out."


More records retention issues

Last week the U.S. joined the Council of Europe Convention on Cybercrime. The Convention was ratified by the Council of Europe in 2001 and covers a lot of ground. In the U.S., there has been a lot of debate about whether the Convention will lead to an increase in requests from foreign law enforcement entities for data from U.S. companies. What I find interesting in the Convention is that it contains a significant number of requirements for data retention and for "expedited" production of electronic data. As I noted in my July 2006 column in the WHIR, and in my last post, there is a great deal of legislative and law enforcement activity taking place around information collection. This area, more than any other compliance area, should be followed closely by hosts (and other Internet infrastructure providers). It is highly likely that in the very near future, you will be required to keep session IDs, IP logs and other information for a fixed period of time. Keep this in mind over the next year as you're structuring and configuring your network as well as acquiring new hardware.


Should all servers be located in the U.S.?

The FBI recently floated a proposal in Congress to require all servers that provide products to customers be located within the United States. The FBI's proposal is part of its efforts to change aspects of the Communications Assistance for Law Enforcement Act (CALEA) to accommodate changes in technology that make wiretapping more difficult. As noted in a NetworkWorld article, the FBI's new proposal is breathtaking in scope. Putting aside the huge boon that such a proposal would be for hosting providers, the fact that the FBI feels that it needs this type of access indicates the problems that the agency must face procuring usable data about U.S. citizens in foreign countries. Between this proposal, the Council of Europe Convention on Cybercrime, and Attorney General Gonzales' proposal that ISPs keep records of users, there is sure to be a significant increase in the record keeping and compliance responsibility placed on hosts.


  © Copyright Web Host Industry Review, Inc.