Information Technology and the Law

In reading U.S. v. Thomas, I found some similarities to the first subject covered in the first topic of this class, jurisdiction in internet cases. Some of the discussion generated was whether someone who posts something on their website (Drudge case) that is accessible to anyone, can be held liable in any state or location through which the information passes or is viewed. We also talked about a case in which jurisdiction was found in a state that was neither destination nor source, but the location of AOL servers, through which email had passed. As I recall, there was quite a bit of discussion as to whether the sender of the email should be held liable for damages in any jurisdiction through which the email passes. It seems to me that it would place an undue burden on the administrator of such a site or the sender of such an email to research and obtain knowledge of the laws of every possible venue through which their information passes. For this reason, I find part of the decision in the Thomas case troubling. We can ask the same sort of question we have discussed in class before, should the Thomases be required to have knowledge of the laws and community standards of every state in the United States? It seems to me that the person who should know about the community standards is the person who requests such material and causes it to enter the place where the particular community standards are upheld. While it is true that the AABBS owners required registration and verification and that they had control over who gained access to the site or not, it seems unpractical for them to have to have knowledge of the standards of every community from which the users originated.

This decision creates problems, especially now that the internet has advanced so much since 1996, because it means that a business such as the AABBS can be brought to trial under the standards of the most conservative community simply because the digital information was routed through that community. The effect of a decision like this is very likely to have a negative effect on the speech of internet users because now the courts would be able to hold them accountable under the standards of the most conservative community. Businesses and users of the internet all over the world would be forced into abiding by the standards of this one such community. They might be more reluctant to post articles, sell items or services, or engage in any kind of communication on the internet for fear of prosecution and a huge fine or jail time. I think the decision in U.S. v. Thomas creates a dangerous precedent for later cases and has a very detrimental effect on the rights of free speech.

There was an interesting article in the BBC news last week that I want to do my posting on in honor of CompuServe v. Cyber Promotions. The article is on a man who got 9 years for sending mass junk emails from false email addresses, violating Congress’s CAN-SPAM Act. The CAN-SPAM Act requires commercial electronic message senders to allow the recipients the option of opting out of receiving the messages. Because Jeremy Jaynes sent the emails with falsified routing information, people couldn’t opt out of receiving his emails. He is appealing on jurisdictional grounds saying that he an out-of-state resident being charged under a Virginia law making it illegal to falsify sender information. The AOL servers his emails went through are located in Virginia. This case draws in many of the topics we have been discussing including jurisdiction, trespass to chattels (although I’m not sure if that was at issue in this case), and liability.

The most interesting part of this case is the sentencing. Jaynes earned up to $750K sending spam each month. On a good year, that means that he was earning $9 million harassing people. If we use punishment as a means of rectifying a wrong, it seems that community service would be an equitable route. Perhaps a punishment similar to that of the defendant in U.S. v. Morris which required networking computers in schools would be fair. If he had to do the equivalent time in minimum wage of the money he made sending emails that violated the Virginia law, it’d take more than a few times a lifetime just to pay off one year’s worth of spam that he sent. Nevertheless, it seems far more productive than sending him to prison. If the statute uses jail time as a deterrent to sending spam, it seems that unless policing is very strict, the incentive to earn a 7-digit income may be more than the fear of getting caught, depending on the costs and benefits for each individual.

Another question in my mind regards his appeal on jurisdictional grounds. The problem of responsibility for another jurisdiction’s laws is growing. The simplest way to make the laws accessible to people who don’t know that they might be operating in another jurisdiction would be to post them on sites (such as the AOL home page), or to put them in the terms of usage in a contract. However, then we encounter the burden of making people read those documents and being responsible for them. The burden of knowing the laws must not be too great because then they would be unreasonable for the average user, but they must not be so low as to allow a $9 million/year spammer off the hook for harassing customers and not allowing them a way out. Perhaps a two-tier structure with a summary of the terms of usage and jurisdictional information linked to a page with the legal jargon would be best to address the needs of users and of service providers in the case of spam?

          In this previous post a question was raised over who should be responsible to prevent trespass. I wanted to pose a similar question for the CompuServe v. Cyber Promotions case and for electronic spam in general. In this case, the server of the spam recipients is suing the spammer. CompuServe complained that it was losing customers and its resources were being used by the spamming. From the complaints CompuServe received it is clear that the actual end-recipients of the e-mails did not want to receive this content. CompuServe had some legitimate complaints. Also, people should have a right to, upon request, stop receiving unsolicited spam. However I would argue that CompuServe should not be the plaintiffs in this case nor should Intel. The fundamental question is whether e-mail service providers should be allowed to search through the content of an e-mail to decide whether or not to deliver it to the end-user.
          As Dan Burk argues, any action by CompuServe will unavoidably turn into content filtering. CompuServe is upset because its customers are upset. However, as Burk suggests, had the spam contained content that the end-recipients wanted then CompuServe would have had no objections. Burk used the example of a certificate for $100 in eCash. If CompuServe had tried to sue Cyber Promotions over that their customers would have been furious. In the other case that Burk mentioned, Intel v. Hamidi, Intel was also angered by the content of the e-mails rather than the quantities. Had Burk sent e-mails describing how wonderful it was to work at Intel then he would have been encouraged instead of sued.
           The most obvious analogy to e-mail is snail mail. Imagine if the United States Postal service decided to sue you for sending mail to people telling them that they should stop sending mail through the Postal service. Dan Burk presents another example. He explains that FedEx cannot sue a creditor for sending a message through its service that resulted in the recipient boycotting FedEx. It is against the law for anyone to open or examine someone else’s mail so neither FedEx not the US Postal service should be able to sue because they should never have learned the contents of the mail. They also are unable to filter mail for the same reasons. It is up to the recipient of the mail to decide what to do with all the mail received. If a recipient does not want to receive unsolicited e-mail from a party they can contact that party and request the party stop sending mail.
          Ideally, electronic mail should work the same way. If an individual does not want to receive spam from a party they should be the one to sue that party if the e-mail continues after the individual asks the party to stop. There is even the large potential for enormous class action lawsuits against spammers. Likewise, these individuals should also be the ones to control what e-mail gets filtered by the system. If Intel or CompuServe wants to provide an optional service to filter content upon request from its customers this would be appropriate. However, if the filters fail because the spammer is going to extraordinary measures to circumvent the filtering technology it should be up to the individual to sue. CompuServe or Intel might help coordinate the lawsuit on behalf of its customers but it should not be the main plaintiff.
          There are some significant differences between e-mail and snail mail that do complicate this analogy a little. The most important distinction is it is far easier to send mass e-mail in bulk. An e-mail spammer does not need to go through the trouble of printing out thousands or even millions of pamphlets to send out. They also do not need to pay for postage as they would with regular mail. Worse yet, they do not even need to have an actual address to send an e-mail to. With some relatively simple algorithms they can create a list of potential e-mail addresses and send out an e-mail to each one. Chances are many of them will be real and some recipients might even respond. It is also very easy to create new and fake addresses. Every e-mail sent can appear to come from a different random e-mail address even though in reality they are all originating from the same source. E-mail spam can also be sent out instantaneously at any time. In general sending spam through e-mail is far easier and cheaper than sending spam through snail mail. Thus, there is an ongoing arms race between spammers and filters.
         Despite the can-spam act and attempts by filters spam is more widespread than ever. From personal experience, I know it is often easier to simply create a new e-mail address after a while then to deal with all the spam. This is exactly what CompuServe was afraid of when they filed their lawsuit against Wallace. Certainly spam is a serious problem and companies like CompuServe have a legitimate grievance. However, the other important question we must answer is what privacy rights should e-mail users have and what rights should e-mail providers have? Many of the issues we’ve previously discussed surface again. There is the potential for EULAs stating that e-mail providers have the right to filter one’s e-mail for spam or simply for content. As has already become the case, much of spam is now originating overseas which makes the can-spam act very difficult to enforce. One can even make the argument that e-mail providers would not even need to violate the privacy of a confidential e-mail because no human eyes ever see the e-mail. However, to return to the snail mail analogy one last time, if the US postal service decided to begin filtering mail to eliminate unsolicited advertisements by having a computer examine each piece of mail many people would probably object. Perhaps the same should be true of e-mail as well.

In determining jurisdiction, one of the many factors that a court must consider is whether a website is active or passive. While the exact specifications of active vs. passive have yet to be set, the courts seem to follow a general trend. In the Bensusan case which was cited in Cybersell, Inc. vs. Cybersell, Inc., the district found that personal jurisdiction did not hold in New York because the website in question was a passive website. It contained only contact, event, and ticket information about “The Blue Note” jazz club in Missouri. The site did not allow users to purchase tickets online. All contact between a user and the club had to be initiated by the user and could not be initiated using the website. (pg. 3) In the Mink v. AAAA Development LLC case cited in GTE v. Bell South, the court found that the AAAA website was passive because it did not allow for transactions to take place using the website. Similar to the Bensusan case, the website posted information about good and services, address and telephone number, and email address. (pg. 3) From these two specific cases and others which I have read, it seems that the courts categorize a website as one which posts information about goods and services and provides contact information, but does not allow for transactions to be carried out on-line using the website.

It is probably even easier to classify websites which are highly active. These websites allow users to execute transactions on-line and an exchange of money and goods and services takes place. The problem comes in trying to classify websites which are in between the two extremes. In Blumenthal v. Drudge and AOL, the court classified Matt Drudge’s website to be interactive enough to warrant personal jurisdiction in the District of Columbia. According to the judge, “The Drudge Report’s web site allows browsers, including District of Columbia residents, to directly e-mail defendant Drudge, thus allowing an exchange of information between the browser’s computer and Drudge’s host computer.” (pg. 25) In the Maritz, Inc. v. Cybergold, Inc. case cited in Blumenthal v. Drudge, the court warranted personal jurisdiction because Cybergold, Inc.’s website allowed users to add their email addresses to a mailing list. In both of these cases, no transactions of money were taking place, only the exchange of information. (pg. 23)

I believe that thus far, the courts have made the right decisions with respect to jurisdiction and website activity. I believe that the distinction should be made that a site which is not passive, is interactive and can warrant jurisdiction if level of activity in the forum state is high enough. Passive websites would be classified as websites which post contact information, but do not allow exchange of information or other transactions on the website itself. Once a websites allows user to sign up for a mailing list or post their own information or opinion on the website or allows monetary transactions, it becomes interactive.

As we discussed “interactivity” of a website in class, the EULA came up as a contract that generally makes sure that jurisdiction is spelled out prior to any transactions / interactions. These are most obvious in software packages that require you to click the “I Accept” button prior to installing or running the program for the first time. This is many times helpful in reducing the whole ambiguity of jurisdiction, but as we discussed those website that don’t require you to explicitly agree to their EULA might be more dubious in protecting their claims to jurisdiction. However, as we discussed this, I began to wonder about EULAs that are designed to settle jurisdiction issues on sites which legality of information could be a bit fuzzy.

Most notably I am thinking of the newest crop of sites that are BitTorrent trackers. These sites are primarily designed to keep tabs on different Torrents as they move through cyberspace. Of the different sites I have come in contact with, many require you to sign up for their forums or register at their site in order to search the torrents they are tracking. In fact, I have even seen some which go so far as to encourage a small PayPal donation in order to expedite the “registration process.” Now, most of the files being tracked by BitTorrent are very large, which is why the swarms approach to P2P is especially helpful, and I’ve seen sites dedicated to tracking upwards of thousands of torrents which encompassed everything from ripped DVD movies to Xbox and PlayStation console games. Obviously the file swapping is illegal, but none of these sites contain any piece of the files, only the necessary information to figure out who else on the internet has which pieces of the files. And, in fact, one could search another P2P network (FastTrak, Gnutella2) for any of these .torrent files and never get the actual torrent from the originating website.

In this case I’m sure these EULAs are saying that the server tracking the torrents are in non-extradite countries and that a particular country’s laws are such that the dissemination of such information contained within the torrents is not considered “illegal.” Give then that the population of the internet is predominantly American, it would seem that some Americans are accessing these sites. Our readings did not touch on how this issue would be dealt with, but I assume that nationally there are some “long arm” laws? These EULAs, I’m sure, would claim jurisdiction in the country where the site is hosted, as well as claim that the user is responsible for all consequences of the uses of the hosted “information” (eg. torrents), but how would this hold up in an American federal court. And, again, I’m assuming here that this would be a federal case considering the nature of BitTorrent requiring tens and hundreds of users being scattered geographically over the ‘net to distribute the movie, software, music, etc. As I hypothesized above, illegal is illegal and I’m sure the US Gov’t would find ways to punish the site host, admin, or users. However, this seems to be heading to a bigger issue that we may or may not address: is the nature of the Internet for the information to be “free” (here for more, and here too)?

Three of the cases that we reviewed pertaining to jurisdiction on the Internet hinged on the concept of “interactive” websites as opposed to “passive” websites. The scheme embraced by the courts classifies internet sites on a continuum ranging from the completely “passive”—describing those sites that simply post static information or advertisements—to the completely interactive—describing those sites that enable users to purchase goods and services online, making use of their personal information. Somewhere between these two extremes lie the sites that collect user data without facilitating the exchange of money for services. Of course, the question of interactivity (or not) is only significant because jurisdiction can possibly attach in the user’s locale if the website in question is indeed interactive.

From a normative standpoint, I believe that the courts reached equitable decisions in all three cases. In Cybersell, Inc. v. Cybersell, Inc., the court ruled that personal jurisdiction could not attach to the defendant, Cybersell Florida, because, among other reasons, Cybersell Florida’s website was not interactive: “The interactivity of its web page is limited to receiving the browser’s name and address and an indication of interest–signing up for the service is not an option, nor did anyone from Arizona do so. No money changed hands on the Internet from (or through) Arizona” (Cybersell, Inc. v. Cybersell, Inc., 130 F.3d 414, 9th Cir. 1997). So the court is using “interactivity” as one measure (among several) of determining the extent to which the defendant uses its website to target specific users. So it is sensible that personal jurisdiction does not attach in the Cybersell case, being that there is no evidence, online or otherwise, of Cybersell Florida attempting to do business in Arizona. In the GTE v. Bellsouth case, personal jurisdiction failed to attach for the same reason. Defendant Bellsouth’s website simply posts information which is not targeted to any venue in particular. Normatively, it is the right decision that personal jurisdiction should not hold.

The Blumenthal vs. Drudge case is fundamentally different is because Drudge’s website had the capability to record and store the personal information necessary to facilitate future contact between Drudge and the willing user. While this might not seem very “interactive” by today’s technological standards, the court is right to differentiate such a site from the sites featured in the two cases previously discussed—it enables the establishment of a business relationship between Drudge and user. This serves as evidence that Drudge’s website does in fact target specific users. Also it is important to remember that the mere “interactivity” of the site alone is not enough to make the case for personal jurisdiction. The court is smart in making “interactivity” one of several tests. It seems right that the status of Drudge’s website when combined with all the outside contacts that Drudge had in Washington make him eligible for personal jurisdiction. Today, I think that Drudge’s site would still pass the test for “interactivity.” The question is where on the continuum it would lie.

In Blumenthal v. Drudge, the court notes that in jurisdictional disputes involving the Web, the interactivity of the web site in question is one of the key factors in deciding whether the defendant’s contacts with a particular forum are sufficient for jurisdiction to apply. A website that passively provides information is regarded as reducing the operator’s vulnerability to outside jurisdiction, while any degree of interactivity increases the operator’s risk. The question of what constitutes interactivity, however, is left largely unresolved. I argue that interactivity is determined by two factors: first, the web site’s ability to tailor its content for individual users, and second, the amount of information that the web site stores about its visitors.

The same opinion also contains an excerpt from Zippo Mfg., Co., v. Zippo Dot Com, Inc., in which the court seems to imply that interactivity consists of a user’s exchange of information with the host computer. This definition is vague and clearly insufficient: the web is not in nature like television, where a viewer receives every channel all the time, whether he is currently watching it or not. Viewing even the simplest web site requires the user’s computer to send a request for the desired page to the host computer, which then responds by sending the requested information. Aside from this request/response interaction, however, simple web sites are otherwise completely passive: they store no information about the user (aside from possible simple diagnostic logs), and every user receives the same information in response to every request. In more advanced forms, web sites can:

- Respond to user requests with pages customized based on stored user preferences, predicted user location, time of day, random factors, or virtually any other criterion.

- Receive and store information from users, such as email addresses, website registration information, email list signups, or retail orders.

It is difficult to argue that the simplest form of website should weigh in favor of jurisdiction in any significant capacity. The proprietor of the web site has absolutely no expectation of knowing — or even being able to know — where his users come from, and very little capability to adjust his content appropriately even if he did. Furthermore, it is also clear that the proprietor has made no attempt to target any particular person or area with his site, as he lacks both the knowledge and the means to do so.

Sites that are capable of tailoring their appearance and content for different viewers should be held as greater evidence of culpability, however. The proprietor of such a site clearly intends to present different information to different visitors. Google is one example of such a site: when a user visits google.com, the website attempts to determine which country the user is accessing the site from, and displays a different front page depending on its guess. It would be difficult to argue that Google would be incapable of making reasonable efforts to avoid breaking the law in one particular forum without unduly hampering its ability to conduct business elsewhere.

Sites that collect information of any sort from their users have made the same crucial first step of attempting to discriminate between their users individually. A site that collects information from its users could theoretically collect information about their location as well. While such an act would not yield entirely reliable information, it would be hard to argue that such a site would not be capable of undertaking good faith efforts to tailor its efforts to different laws in different jurisdictions.

Web sites that implement a simple request/response model of user communication are not capable of tailoring their communication with different jurisdictions without substantial effort on the part of the web site proprietor. Any additional information collection, or any individual customization of the pages returned, indicates both a capablility and a willingness on the part of the web site proprietor to tailor his services for particular audiences, and so should increase the likelihood that jurisdiction will be found in a remote forum.