A recent case filed by Dell against a number of domain tasters and their registrars attempts to hold the registrars liable for infringing some of Dell’s intellectual property.  The claims that are relevant to domain name registrars allege that at least 3 registrars created a chain of registrars who took advantage of the ICANN 5 day redemption period to profit off Dell’s trademarks.  Dell alleges that these registrars allowed domain tasters to redeem domain names at one registrar and subsequently register it at an affiliated registrar.  This would preserve the taster’s interest in the domain name, and allow the affiliated registrars to share in any click through revenue created by the registration of the name.

Without going into the technical legal arguments raised by this case, a suit against domain name registrars has serious implications for hosts and other internet infrastructure providers.  Dell’s arguments are very similar to copyright infringement claims made in the early days of the web:  that those who facilitated the infringement of the copyrighted work were liable as third parties since they facilitated the infringement, and profited from it through the fees they collected.  While the facts in Dell’s case are pretty sensational (a chain of registrars profiting off a nuance in ICANN rules), the case shows that transparent attempts to exploit legal loopholes, are often only temporarily successful.  In this case, setting up a chain of (allegedly) related registrars to profit off of a registered trademark merited a swift response from Dell.

So what does this mean for hosts and other Internet infrastructure providers?  The first lesson is that the doctrine of third party liability for intellectual property infringement is alive and well.  This means that you need to remain aware and vigilant about your business activities.  This vigilance is important particularly in the area of trademarks, where, unlike copyrights, there is no “safe harbor” for businesses who are simply links in the chain of bad acts of customers or third parties.  A second lesson relates to Domaining.  While initially a suspect business, domaining has become a legitimate part of the Internet.  Hosts and other Internet infrastructure providers need to be aware that registering domain names involves a different risk assessment than other business efforts.  Because domainers tend to be very creative in their business, and business creativity often requires a higher level of legal analysis, those who provide business services to domainers need to examine whether the processes and procedures they have put into place effectively isolate the risk that these new customers may pose to their business.  

I frequently debate the utility of new technologies with third parties and my clients.  Those of you who’ve seen Isabel Wang and my Punch and Judy presentations know that we both have pretty strong views of the place that cutting edge technology plays in business.  While some of my thoughts on the incorporation of new technology into business are based on liability and contract concerns associated for “not ready for prime time” technology, they’re also based on a healthy dose of skepticism about the utility of all this stuff.  As a lawyer, I tend to need less connectivity rather than more – it’s tough to read an 80 page contract with IM chirping away and friends telling me all day long what they’re doing.  However a number of things have occurred this past year that have made me think about the relationship between lawyers and new technology.

The first was a post on Isabel’s blog in which she evangelizes the business utility of facebook and twitter.  My thought about twitter has been “you’ve got to be kidding me?  What are you doing?  I’ve had more insightful conversations with a carrot!  Besides, I can just see someone in tech support posting:  ‘patching X customer’s server.’”  The second is a debate on FlyerTalk in which members of the Continental board mused about the potential legal issues associated with flight crews buying pizza for stranded passengers.  Many people took the position that if a passenger got sick from eating the pizza, Continental would be sued.  Finally, I’ve spent some time this week figuring out how to IM with my clients during contract negotiations since so many of them have walled off IM devices.  The most frequent reason I hear for doing this is that someone read somewhere that there were liability issues associated with giving employees unfettered access to IM.

It’s that issue, fear, that I think drives most lawyers to recommend to their clients to kill or significantly rein in technology.  Let’s look at my last anecdote – that IM may lead to accidental disclosure of confidential information.  I’ve heard many attorneys spout this rationale for advising their clients to wall off IM.  But how true is it?  I’ve used IM for over 7 years to communicate with my clients, often with several different conversations going at once, and maybe one or two with friends chirping away as well.  Not once have I told client X what client Y was doing, or one of my friends that the other hated his guts.

Fear that causes lawyers to avoid, or kill, new uses of technology.  First, we’re trained (and like it or not, paid) to spot all the possible problems that issues may present our clients.  In the case of new technology, that may result in one of two outcomes:  the number of problem issues spotted by the attorney becomes so overwhelming, that the client simply abandons the technology fearing that any potential upside will be overtaken by liability issues; second, the lawyer fails to identify ways that the client may mitigate any liability, or work around it.  This second reason seems to stall or kill many projects.

So how does a host, who would like to use many different and potentially untested products deal with this?  The first is to recognize that there is no such thing as a litigation proof strategy or product.  People sue for many reasons, and occasionally for no reason.  You need to be comfortable with the fact that, particularly with new technology, your lawyer isn’t going to be able to assure you that there is no, or even little, risk with a new product.  Second, it’s going to be impossible for your lawyer to quantify every element of risk.  This is particularly true with uses of new technology:  there’s simply nothing to benchmark your risk against.  Also, pressed to the wall, your lawyer is likely to become very conservative.

Finally, you may need to press your lawyer to identify solutions.  Don’t simply engage your lawyer to issue spot for you, engage him as a full member of your team.  If your lawyer sees the full picture, it’s more likely that he’ll be able to identify solutions to the issues he’s raised.  You may also need to encourage him to find new solutions.  Many lawyers are used to being simply asked to issue spot, not help with solving the issues.  However, most lawyers will leap at the opportunity to help make things work – it’s simply more fun. 

Is Awareness a lawyer’s dream?  This afternoon, I met with David Carter a founder and the CTO of Awareness.  Awareness provides social media tools to businesses.  These tools allow corporations to create blogs, wikis and use other networking tools that have been found to facilitate business communication and community.  From a lawyer’s perspective, Awareness “gets it.”

One of the criticisms leveled at lawyers is that if our clients did what we recommended, employees would still be writing memos on notebook paper and sending them down to the steno pool for transcription.  In some ways that criticism is warranted when a client wants to incorporate technology that doesn’t facilitate compliance with the law.  While a particular item of technology, like a blog, might move your business forward, the real world, like liability for a defamatory post, often intervenes.  Awareness’ products seem embrace technology, and the productivity promised by it, while allowing compliance related efforts to take place in the background.

Awareness’ products incorporate permissioning, versioning and filtering out of the box.  These tools are crucial for businesses who seek to utilize office 2.0 tools, but who also understand the theory of litigation prevention (as opposed to litigation attraction).   Permissioning  is a great way for larger companies to embrace these technologies without sacrificing controls put in place to deal with real world issues.  For example, while free and open communication is a great thing, I think even the most diehard technology evangelist would agree that human resources’ wiki shouldn’t be open.  So business faces a choice:  deny HR a wiki, create a totally separate system for HR, or abandon wikis altogether.  A set of permission based wikis may solve this problem.

Versioning is another great tool.  Companies often need to know when and where a document, blog or wiki was updated.  This might help in understanding why a particular contract provision was worded the way it was or where a trouble ticket got mishandled.  The latter is a nice way to pre-empt litigation.  Imagine if you were using a wiki to problem solve a server crash that caused other problems.  By referring to prior versions of your wiki, you could effectively communicate with your customer about how things went wrong, and why.  This type of communication is often the single best way of keeping that customer from calling their lawyer, and increasing your legal costs as a result.

I also really like this version of filtering.  Filtering has VERY negative connotations.  When people, including myself, think of filtering, we tend to think of very heavy handed, and honestly, very lawyer driven, filtering systems that end up forcing people to communicate using vague and tortured language.  However properly implemented, filtering can be an effective business communication tool.  For example, you might want to create an internal corporate blog.  To make the blog effective you put few or no restrictions on what can be discussed.  You could use filtering to leverage your internal blog.  By setting up rules, certain content from your internal blog could be posted to your public blog.  Not only does this save you time and money, it makes your external blog more authentic, and might result in more market acceptance.

So, overall, my conversation with Mr. Carter was pretty exciting.  It’s interesting to see technology embraced and adapted in ways that acknowledge real world issues and the way corporate environments need to be structured to deal with business today.

 

The office2.0 conference began yesterday with a cocktail party.  At the party, I met a doctor from CNMRI who is using technology in two interesting ways.  He’s using Twitter so his staff can figure out what tasks each of them are engaged in throughout the day – this allows them to focus more on patients, and less on locating each other.  The second is a project to build a web based statewide health information network in the State of Delaware.  This will let doctors and patients share medical records across the web.

As interesting as these new applications of technology are, they rang two alarms for me:  privacy and HIPAA.  As I’ve noted in both my columns and on this blog, I believe that privacy is likely to emerge as a regulatory and litigation issue in the next year.  The use of Twitter in a medical capacity has significant privacy implications.  While I was unable to access Twitter to review its contract, I would assume that it has provisions similar to the contracts of most internet infrastructure providers which basically say that the provider has no liability for anything and does not guarantee the security of its network.  So where does that leave the doctor when Twitter accidentally discloses that one of the doctor’s patients is in exam room 3 being treated for a STD, and the doctor is sued when the patient’s wife finds out?  Twitter may have some liability depending on what its privacy policy says.  As I often point out, privacy policies are contracts between companies, their customers, and often third parties.  As a result, they should be reviewed with the same level of scrutiny.

HIPAA is also a big issue.  I inquired whether the doctor had sent Twitter a Business Associate Agreements (BAA) and how these agreements would function in the context of a networked medical records system in which each doctor had their own ISP and likely host who was connected to other hosts and bandwidth providers. 

BAAs are main legal issue for web hosts and other internet infrastructure providers under HIPAA.  BAA’s impose additional contractual obligations on third parties based on a health care provider’s obligations under HIPAA.  In essence you are contractually obligated to follow the terms of the BAA.  HIPAA itself does not contain a form BAA.  As a result, businesses are free to create their own BAAs as long as they conform to the bare minimum required by the statute.  As might be expected, some businesses have been using BAAs to back door contractual provisions that they were unsuccessful at getting in their initial negotiation.  The most common provisions I see are privacy warranties and SLA carve outs, neither of which are required by HIPAA.  Hosts and other internet infrastructure providers need to pay close attention to BAAs they receive to make sure that they are only contractually obligating themselves to things they can actually do.

This morning, I moderated a session at HostingCon on metrics that matter.  The participants really ground down into the metrics that they used, and that they thought would be important from a marketing perspective.  From a legal perspective, one of the issues I highlighted was identifying customers who are important, and why.  Like it or not, when you’re making legal decisions, often times the decision, and what choice you make among various legal options, will depend on what the customer is worth to you.  While no lawyer is going to advise you to do something illegal simply because the customer makes you a lot of money, most legal dilemmas are capable of resolution in more than one way.  So if you don’t know how valuable a customer is to you, you are missing a valuable tool you can use to choose between legal options.  Indeed, I’ve worked with a number of hosts who have created “VIP abuse” provisions of their abuse policies. 

Sounds like a great customer retention method to me.  However, to avoid tripping your company up legally, you’re going to need to know more than how much the customer gave you last month.  You’ll need more metrics on support, business, lifetime of customers and things that will help your decision making process, this will give you the information you need to differentiate between customers.

The 9th Circuit, has held that the Communications Decency Act protects interactive service providers from claims based on state intellectual property laws. The court defined "state intellectual property laws" to mean any laws that conflict with federal intellectual property laws. So basically, those state laws that regulate copyright, trademark, patent, and other areas in which Congress has passed laws, are within the CDA.

This decision is important for hosts for two reasons. The first is that it reinforces the interpretation that when Congress passed the CDA, it intended to protect hosts, and other interactive computer services, from claims based on state law where Congress had spoken. As a result, it's a bit easier to create effective compliance strategies. Second, because it removes a claim that creative content owners have been using as a way of getting around the DMCA. Properly implemented DMCA compliance plans are the most effective way hosts have to protect themselves against allegations that they are responsible for infringement taking place on their servers. Without such a plan, hosts remain potentially liable for contributory infringement, which may carry treble damages.

The Illinois Appellate Court recently determined that a website with an interactive calendar function was not sufficiently interactive as to establish the jurisdiction of an Illinois court over a Missouri company. In Howard v. Missouri Bone and Joint Center, the court refused to adopt the Zippo test for internet jurisdiction. As noted in previous posts, the Zippo test is a sliding scale that increases a court's ability to claim jurisdiction based on how interactive a web site is. In this case, the court determined that basically all websites are advertising. Because simple advertising has not been determined to convey jurisdiction on Illinois courts, a simple internet site, even one that is interactive, is not enough to convey jurisdiction. In Illinois, at least, there has to be a significantly greater amount of contact for a court to have jurisdiction.

This case illustrates the difficulty, and lack of clarity, in this area. As I've noted recently in my speeches, web hosts always want to know "where can I be sued?" The answer is, as it often must be with the law, "it depends."

In 2007, MySpace was sued by the parents of a Texas girl who was assaulted by an adult after they exchanged information over the MySpace social networking site. The plaintiffs claimed that MySpace's failure to implement features that would have worked to prevent the assault, amounted to negligence, gross negligence, fraud and negligent misrepresentation. MySpace moved to dismiss the case arguing that they were immune from the suit under Section 230 of the Communications Decency Act (CDA), and that the fraud and negligent misrepresentation claims did not meet the standards set out in the Federal Rules of Civil Procedure. The U.S. District Court for the Western District of Texas agreed with MySpace and dismissed the suit.

This case is further affirmation for the Internet industry that the CDA insulates it from liability from the actions of its users. The Texas Court's decision provides a veritable treasure trove of examples of how and why Congress determined that Internet Communications Providers should be shielded from liability for their customer's use of their services. In particular, the Court acknowledges that the CDA shield is not limited to cases of defamation and libel, but extents to other causes of action, such as negligence and gross negligence.

The Court stated:

"Nothing on the face of the statute supports Plaintiffs' narrow interpretation that the CDA's immunity applies only to cases involving defamation and defamation-related claims."

further

"If MySpace had not published communications between Julie Doe and Solis, including personal contact information, Plaintiffs assert they never would have met and the sexual assault never would have occurred. No matter how artfully Plaintiffs seek to plead their claims, the Court views Plaintiffs' claims as directed toward MySpace in its publishing, editorial and/or screening capacities. Therefore, in accordance with the cases cited above, Defendants are entitled to immunity under the CDA."

This case is important to web hosts who seem to face almost unending claims that their customers are engaged in libel, defamation, negligence or other torts, and that their failure to take action, or failure to implement measures to screen this information, makes them liable for their customer's acts. Because this decision includes such a detailed history of the CDA and decisions interpreting it, the Court has given web hosts a powerful tool to cite when those nasty letters from attorneys arrive. Citing this case may prevent litigation from occurring in the first place.

So when are your customers, their end users, or other individuals responsible for their actions? I've been thinking about this concept for about a week now, ever since I was forwarded the statement below. The RPG.net poster is responding to a question in which someone asks about whether the person he's chatting with might be scamming him:

"Is she being held hostage by a Nigerian Prince who can make your [anatomy] grow ... while simultaneously updating your ebay account information?

Because if not, I'd totally pass."

This post makes an important ethical, and legal, point: common sense and personal responsibility are important parts of daily life, and, in particular doing business on the Internet. Unfortunately, I find that over the course of the last ten years, common "internet" sense has waned over time. Indeed, it seems that the Internet provides a convenient excuse for all sorts of moral and ethical lapses . It is amazing to me how many times I've had to handle disputes over accounts that have been compromised because an employee has disclosed a password to a colleague or even a competitor.

The issue of personal responsibility for actions has a pretty deep history in U.S. law. An individual's actions, or lack thereof, often forms either a defense, or a mitigating factor, in many different areas. In contract actions, for example, courts have often held that an individual's failure to take the actions required by the contract precluded a claim for breach of contract .

Defenses of common sense and personal responsibility haven't made their way into cases based on Internet services. However based on other areas of the law, it should be only a matter of time before someone who sues for one million dollars based on his failure to back up his data finds himself on the wrong end of a motion for dismissal.

Eli Lilly is being sued over its drug "Zyprexa." Some of the documents related to the litigation were leaked to the press. The documents were used by newspapers and other news organizations to report on the litigation, and analyze the claims made by the plaintiff. For a period of time, a wiki detailing the Zyprexa litigation linked to the New York Times article and other sites with the leaked documents.

Lilly secured a temporary restraining order against the New York Times and other organizations who were making the leaked documents available. While the temporary restraining order did not mention the wiki, attorneys for Lilly sent an e-mail to the host of the wiki demanding that the entire Zyprexa wiki be disabled for violation of the order, and for copyright infringement. Lilly secured an additional order naming the wiki specifically. Upon approval of that order, the wiki was subsequently edited to remove links to the leaked documents.

One of the contributors to the wiki has asked the court to restore the wiki links on the grounds that the wiki is a news organization, and can not be prohibited from disseminating news even if the news itself was procured illegally. The John Doe contributor is represented by the EFF

This litigation is important to web hosts since they seem to receive an unending stream of "nasty grams" from individuals and entities who feel that the web host's customers are behaving in an illegal or unethical manner. Hosts often hear from their customers that the alleged activity is in some way protected. While this litigation does not yet involve the host of the wiki, its resolution is likely to provide additional ammunition for either the nasty gram authors or their targets.