This article appeared in the April/May edition of Web Host Industry Review magazine.
May 2, 2005 -- (WEB HOST INDUSTRY REVIEW) -- There is not one distinct body of law that governs Web hosts’ rights and responsibilities. Nor is there one government agency charged with policing the Internet. This situation is fairly unique to the Internet, since the laws and regulations that actually apply – or may apply – come from many areas. Confronted with what appears to be a thicket of unconnected laws, it is understandable that many Web hosts’ legal compliance efforts are muddled, contradictory, or non-existent.
In the past, responses to Internet problems have come from legislative bodies, whether state legislatures or the US Congress. In recent years the Federal Trade Commission has taken an increasingly prominent role in responding to these problems. In some cases, such as with CAN-Spam, the response has been congressionally mandated. In others it has been based on the FTC’s jurisdiction over unfair and deceptive trade practices.
Web hosts are affected both by issues that fall within the explicit jurisdiction of the FTC – such as CAN-Spam – and those on which the FTC has taken a lead role – such as privacy protection. For insight into the extent and direction of the FTC’s influence, I spoke with Stephen Cohen and Laura Mazzarella, attorneys with the FTC. It is important to note that neither Mr. Cohen’s nor Ms. Mazzarella’s comments, nor any conclusions I might draw, necessarily represent the views of the FTC or indicate that the FTC would, or would not, take action in a particular case.
General (Section 5) Authority Over Deceptive Trade Practices: Privacy and Security
The FTC has the authority to prosecute companies and individuals who engage in deceptive trade practices under Section 5 of the FTC Act. A “bait and switch” scheme would be an example of such a practice. In a Web host’s case, that might mean stating that you “never share personal information under any circumstances” in your privacy policy, and then selling customer lists to marketing partners.
Privacy
Privacy has been a focus of the FTC for several years. While privacy might seem like an easy issue to address, the number of enforcement actions initiated by the FTC suggests that a fair number of companies have found it complex. Until recently, businesses were not legally required to have privacy policies. And, though it is arguable that some actually should have one, most businesses believe that their customers want them to have a privacy policy. Once created, your privacy policy is a contractual commitment.
For hosts, privacy is a troublesome issue. Most hosts incorporate new features into their products as they move up the value chain. As tools such as shopping carts are added, more information moves from the end user to the customer, and then out to vendors. Sometimes that information is processed and returned to the end user. Is the host responsible for any of this information?
Mazzarella’s answer is yes. She points to the case of Cartmanager, plug-in shopping cart software that can be used by hosting customers. End users were not informed that the licensor of Cartmanager captured and sold the data it processed. This created a conflict between the actual use of the data and the privacy policies of each of the links in the chain — the bandwidth provider, the host, and the Web site. A host whose privacy policy says “we never share personal information with anyone” and that has licensed the Cartmanager software may have been responsible for the fact that the vendor’s actions contradicted its policy. Regarding the matter, Lydia Parnes, acting director of the FTC’s Bureau of Consumer Protection, said, “companies and service providers must make sure that their privacy policies are in sync…[a] service provider cannot secretly collect and rent consumers’ personal information, contrary to a merchant’s privacy policy. At the same time, merchants have an obligation to know what their service providers are doing with consumers’ personal information.”
Parnes says it is no longer acceptable for hosts to do business with third party providers without determining whether the policies of these providers correspond with their own. If you are making representations to consumers about your policies, says Mazzarella, you may be responsible for any activities of your vendors that contradict those policies.
This creates a real compliance maze for hosts. Even small hosts can have five or six bandwidth contracts, a similar number of basic software licenses, and customers whose policies they have not seen. Hosts interested in applying best practices will take the time to review their own privacy policies, as well as those of their vendors, to ensure that they are in sync.
This synching of policies and other information is important beyond the privacy context. But hosts’ privacy policies deserve immediate attention. Mazzarella suggests stepping back and imagining what an ordinary reasonable person would think the host is doing with the information. It stands to reason that those individuals would look to a host for information about privacy policies, since it is in a good position to gather this information.
How a host aggregates and disseminates this information is important. If it is impossible to totally sync its policies with those of all of its vendors, it will have to inform customers, and their end users, of discrepancies in a way that helps to insulate them from liability. It may not be enough to post vendor policies on a special page, if end users are so unsophisticated that special methods are required. In the B-to-C context in particular, it appears that hosts can no longer place responsibility for guarding personal information on the consumer.
Security
Recent security leaks at Choicepoint and Lexis/Nexis, and the almost immediate summoning of their CEOs to the Hill for hearings, indicate that security is among the most pressing Internet problems facing the nation. The Choicepoint and Lexis/Nexis matters show companies failing to take basic and fundamental measures to guard against security breaches – the equivalent of leaving a door unlocked. Many hosts have a similar mindset, focusing on the number of locks on the door rather than making sure the locks don’t become unlocked over time. Sloppy security practices are a target for enforcement.
In a recent redesign of its Web site, Tower Records introduced a security hole that would allow a user to view any other user’s order history. The FTC’s statement about the issue illustrates some of the possible legal responsibilities hosts could face in similar situations.
Howard Beales, the former director of the FTC’s Bureau of Consumer Protection, said, “Companies must have reasonable procedures in place to make sure that changes do not create new vulnerabilities. Just as consumers remodeling their homes would make sure that the doors still have locks, companies should make sure that sensitive data is still protected.”
It is easy to find examples of how this issue could arise for Web hosts. The interfaces they use to deal with their domain name resellers, the control panels they choose, and their customer service interfaces each provide an opportunity for a security hole to appear.
These vulnerabilities present a big target for litigation. In the hacking context, an argument could be made that the host is a victim too. But in a case like Tower Records’, the host would be a culpable party, if not the bad actor itself. Hosts should shift some of their security focus from areas such as hacking to more basic security and process control schemes. This could involve creating change control processes, training staff on quality control, and testing new products and designs in different ways.
Spam
While the FTC has had jurisdiction over false and deceptive spam, Congress has given it additional jurisdiction over issues related to spam that might not be within the FTC’s “Section 5” authority. Spam issues have become important in relation to the FTC in two ways. First, they represent the trend within Congress to vest enforcement and regulatory authority with the FTC. How the FTC interprets this responsibility, and how it acts, will set a precedent for how it will approach other Internet issues. Second, once the most egregious cases have been resolved by the FTC, precedent created, and rules interpreted, companies will be expected to understand the new rules of the road. Knowing what those rules are — or what the FTC reasonably believes they may be – will help hosts minimize their liability.
Stephen Cohen identifies two scenarios in which spam could create legal concern for hosts: a host that simply collects spam complaints and does nothing may have liability under Section 6 of CAN-Spam; and a host with a high volume of spam complaints in relation to its customer base has evidence of a spam problem. Its liability may depend on how it deals with this evidence.
Section 6 liability is set out in 6(b)(2)(B)(i) and (ii) of CAN-Spam. This may impose liability on third party service providers who have actual knowledge that spam is being sent and are receiving an economic benefit from it. The prosecution’s argument would be that a host received 100 complaints that a particular customer was spamming but did nothing to investigate, while the spammer paid the Web host $9.95 a month.
Prior to talking with Cohen, I had only seen this interpretation of Section 6 in marketing materials seeking to sell CAN-Spam compliance materials. But Cohen says the FTC has begun to receive evidence that third party service providers, including hosts, are ignoring complaints that their customers are spamming. Given Congress’ intent in passing CAN-Spam, it is easy to understand why the FTC would look to this section for enforcement authority.
Addressing this potential liability involves adopting a positive compliance standard, based on a proactive response to issues. Basic steps might include monitoring abuse mailboxes, requiring customers to respond to spam complaints, and creating a CAN-Spam compliance policy that is available to customers. More sophisticated strategies, particularly for hosts whose volume of spam complaints is disproportionate to their number of customers, might include analyzing sign-up trends, blocking credit cards issued in certain countries (or sign-up IP addresses), and working directly with the FTC to identify ways in which corporate procedures can be improved.