II. LEGAL ASPECTS OF INTERNET-RELATED SERVICES

A. A Litigator's Perspective of Frequently Drafted Contract Provisions: Noncompetition, Non-Disclosure, Work-For-Hire and Licensing

1.Noncompetition Agreements

a.Introduction

In today's high-tech digital environment, employers constantly seek new and innovative ways to keep highly-skilled employees. Because companies can spend upwards of millions of dollars training their personnel in various specialized technological fields, it is not surprising that these companies want to protect their investment and keep competitors from pillaging their workforce. One of the most common ways to keep workers from bolting to another competitor is the tried and true method of making key employees sign non-compete agreements either separately or as part of the original employment agreement.

A non-compete agreement typically forbids an employee from going to work either for a competitor or starting his or her own business in competition with the original employer when the employee departs. Because non-compete agreements limit an employee's ability to earn a living once he or she is no longer working for the original employer, courts often are called upon to decide "whether the particular restraint is reasonable on the specific facts." [1] This reasonableness test involves a three-part inquiry into (1) the scope of the activity prohibited, (2) the duration of the non-compete clause, and (3) the geographical limitation imposed on the departing employee. Digital technologies have affected the latter two inquiries.

b. Reasonableness in the Internet Age

Although the analysis of what is reasonable regarding the scope of prohibited activities does not change significantly in the Internet context (i.e., the prohibited activity or job must be similar to that which the employee held with his original employer), the Internet revolution is rapidly altering the analysis of time and territorial limits under the reasonableness inquiry. [2] In a nutshell, the breathtaking pace of technological progress has shortened what is deemed reasonable as to durational limits, while the Internet's global reach has expanded what is acceptable for geographical limitations.

For example, in EarthWeb, Inc. v. Schlack, 71 F. Supp. 2d 299 (S.D.N.Y. 1999), the court refused to enforce a non-competition agreement that lasted one year. EarthWeb, an Internet company that "provides online products and services to business professionals in the information technology industry," hired Schlack as its Vice President for Worldwide Content. Id. at 302-03. During his 11 months on the job, Schlack "was responsible for the content of all of EarthWeb's websites." Id. at 303. When Schlack took a job with another Internet company, EarthWeb attempted to enforce the non-compete agreement Schlack had signed upon his employment with EarthWeb.

Even if Schlack's new job responsibilities fell within the parameters of the non-compete agreement, the court found "that the one-year duration of EarthWeb's restrictive covenant is too long given the dynamic nature of this industry[.]" Id. at 313. Poignantly, the court noted that "[w]hen measured against the IT industry in the internet environment, a one-year hiatus from the workforce is several generations, if not an eternity." Id. at 316. Still, this inquiry is fact-sensitive and not all courts necessarily agree on what is reasonable. National Bus. Servs. v. Wright, 2 F. Supp. 2d 701, 708 (E.D. Pa. 1998) (one-year time period upheld where employee, who was heavily involved in Internet sales and "participated in quarterly Internet management meetings where [original employer's] long-range technical and marketing plans were discussed," joined a competing company; "A one-year term, although admittedly a long time in this industry, seems necessary to protect [the company's] confidential information.").

While the pace of innovation is shrinking the durational prong of reasonableness, the Internet's ability to connect people instantly around the world has broadened the territorial prong. Traditionally, courts were loathe to enforce non-compete agreements with nationwide or global reach. However, Intelus Corp. v. Barton, 7 F. Supp. 2d 635 (D. Md. 1998), upheld a six-month non-competition agreement that contained no geographical boundaries whatsoever. Barton, a product specialist for Intelus (a company that developed computer software programs for health care organizations), went to work for a direct competitor. Despite the lack of any geographic limitations, the court granted a preliminary injunction against Barton, noting that "Intelus competes for clients on a national, if not global basis. Competition unlimited by geography can be expected where the nature of the business concerns computer software and the ability to process information." Id. at 641. Considering the "broad nature of the market in which Intelus operates, a restrictive covenant limited to a narrow geographic area would render the restriction meaningless." Id. at 641-42.

Similarly, the con-compete agreement enforced in Wright, 2 F. Supp. 2d at 708 (referenced above), encompassed all 50 states. The court declared that "[t]ransactions involving the Internet, unlike traditional 'sales territory' cases, are not limited by state boundaries." Id. Accord: West Publ'g Corp. v. Stanley, No. 03-5832, 2004 U.S. Dist. LEXIS 448, at *32-33 (D. Minn. Jan. 7, 2004) (court granted preliminary injunction when Stanley, the co-founder of FindLaw, left the employment of Internet data broker West, which had previously acquired Findlaw, to start up a competing Internet venture; "Although there is no geographic limitation on the provision, this is nonetheless reasonable in light of the national, and indeed international, nature of the internet business."); Vais Arms, Inc. v. Vais, 383 F.3d 287, 295 (5th Cir. 2004) (nationwide territorial limit of con-compete agreement upheld as former employee "advertised his muzzle brakes via nationally-distributed trade publications, mail order catalogues, and, importantly, the Internet").

2.Nondisclosure and Confidentiality Agreements

a.Introduction

In the information age, it is no secret that breakthroughs occur overnight as advancements in high-tech equipment and programming appear on a daily basis. However, to encourage such innovation, companies often must disclose secret information to their employees or when doing business with other companies. To protect these secrets, nondisclosure agreements ("NDAs") have become routine provisions in contracts related to the Internet and computer industries.

NDAs can be one-way (when only one party is divulging secret information) or mutual (when both parties are sharing confidential data with each other). Although such NDAs can be created orally and can even be implied through the parties' conduct, it is best when parties who want to keep their proprietary information secret (and be able to enforce the NDA if the need arises) articulate what is to be kept confidential in a written agreement.

Common provisions in an NDA include a definition of the scope of confidential information (what categories of information constitute secret information), what duties the parties owe each other (e.g., obligations to return or destroy confidential information when a project is completed), exclusions from confidentiality (what does not have to be kept secret), and time limitations (how long the information must be kept secret). Because the contract arrangements are matters of state law, many NDAs also include choice-of-law and arbitration clauses in case disputes arise. [3]

b. Protecting Trade Secrets in the Internet Age

One of the fundamental goals of requiring employees and business partners to sign nondisclosure agreements is to protect valuable trade secrets. Trade secrets, by definition, must be confidential. Essentially, a trade secret is any information that gives a company a competitive advantage in the relevant marketplace and derives its value from not being generally known. This information can include anything from high‑tech inventions to computer programming codes. Despite the Internet's many wonders -- and unfortunately for companies trying to protect proprietary information -- it is not exactly conducive to keeping secrets.

In Religious Tech. Ctr. v. Lerma, 908 F. Supp. 1362 (E.D. Va. 1995), the Church of Scientology sued to keep certain works authored by L. Ron Hubbard confidential, claiming that the documents were trade secrets. The court rejected this argument. Not only had the documents previously been filed unsealed in a related case and publicly available for 28 months, but, "[o]f even more significance," posited the court, "is the undisputed fact that these documents were posted on the internet[.]" Id. at 1368. Because the documents were "potentially available to the millions of Internet users around the world," the court found that "posting works to the Internet makes them 'generally known' at least to the relevant people interested in the news group." Id. (internal quotation and citation omitted). "Once a trade secret is posted on the Internet, it is effectively part of the public domain, impossible to retrieve." Id. Although this case sets forth a rigid rule in its pronouncement, it reflects a growing trend.

The much-publicized California case of DVD Copy Control Ass'n, Inc. v. Bunner, 116 Cal. App. 4th 241 (Cal. Ct. App. 2004), presented a similar problem. The DVD industry utilized a content scrambling system ("CSS") that prevented DVD's from being copied. Despite the industry's efforts to maintain this trade secret, reverse engineering led to a descrambling code ("DeCSS") that "appeared on the Internet sometime in October 1999 and rapidly spread to other Web sites." Id. at 246. By the time the suit was filed, DeCSS (which incorporated trade secret information) had been "displayed on or linked to at least 118 Web pages[.]" Id. at 248. The trial court had earlier sided with the DVD industry and granted a preliminary injunction, explaining "that trade secret status should not be deemed destroyed merely because the information was posted on the Internet, because, [t]o hold otherwise would do nothing less than encourage misappropriaters [sic] of trade secrets to post the fruits of their wrongdoing on the Internet as quickly as possible and as widely as possible thereby destroying a trade secret forever." Id. at 249.

Although the appellate court was sensitive to the trial court's concerns, it overturned the preliminary injunction and ruled that CSS was no longer a trade secret. However, it is noteworthy that the appellate court did not take the same hard-line stance as did the court in Lerma, noting that "[p]ublication on the Internet does not necessarily destroy the secret if the publication is sufficiently obscure or transient or otherwise limited so that it does not become generally known to . . . potential competitors." Id. at 251. Still, the court could not "ignore the fact that the allegedly proprietary information may have been distributed to a worldwide audience of millions" and that the descrambler's "initial publication was quickly and widely republished to an eager audience so that DeCSS and the trade secrets it contained rapidly became available to anyone interested in obtaining them." Id. at 252-53. As these cases demonstrate, the bell of Internet confidentiality cannot easily be unrung. Cf. Hoechst Diafoil Co. v. Nan Ya Plastics Corp., 174 F.3d 411 (4th Cir 1999) (inadvertently filed documents still retained their status as trade secrets even though they were in a public court file; court contrasted the documents at issue with those in Lerma and found the key difference to be that the Lerma documents were both available in a court file and, more importantly, were also published on the Internet, stripping them of trade secret status).

3. The Work-for-Hire Doctrine

a.Introduction

Intellectual property is often a company's most valuable asset. Much of this valuable material resides on a company's website. However, many companies have been burned in recent years when, much to their surprise (and chagrin), they found out that they really did not own the copyright to the content of their website. Why? Careless drafting of their web development agreement, if one existed at all.

Although often realized too late in the game to avoid expensive and time‑consuming litigation, the web "developer and the client often have divergent interests in the wide variety of intellectual property created through the website development process."[4] For example, the client wants to own as much of the content on the website as possible so that its competitors cannot use the technology or programming for their own gain. On the other hand, developers want to maintain ownership of programming codes so that the codes can be recycled and reused in future web development projects.

b. Work-for-Hire Doctrine

The Copyright Act of 1976 states that the original author of a work is initially vested with copyright ownership.[5] Thus, absent any contrary arrangement, the web developer, who created the website, is given copyright protection. However, a major exception to the rule comes directly from the Copyright Act and is known as the "work‑for-hire" doctrine.

The 1976 Act defines a work made for hire as either (1) a work prepared by an employee in the scope of his employment, or (2) a work specially ordered or commissioned and which falls into one of nine specifically enumerated categories (laid out below) and which the parties have expressly agreed in writing was a work-for-hire.[6] When these requirements are satisfied, the employer or the commissioning party is treated as the original author and vested with copyright protection.[7]

When a work is created by an employee within the scope of employment, it is automatically deemed a work-for-hire and does not have to fall within the nine specific categories and no written agreement is needed. Still, it is a much better practice to articulate these rights in the employee's original employment contract. The tricky questions in this context concern agency principles, including whether the employee was working within the scope of employment and whether a party is an employee or an independent contractor.[8]

When a company hires an independent contractor to develop or create a work, the work -for-hire doctrine is implicated only when there is a written agreement and the work falls into one of the following categories:

(1) a translation, (2) a contribution to a motion picture or other audiovisual work, (3) a contribution to a collective work (such as a magazine), (4) as an atlas, (5) as a compilation, (6) as an instructional text, (7) as a test, (8) as answer material for a test, (9) or a supplementary work.[9]

The relevant categories in a web development agreement are audiovisual works and collective works, because "[i]t is likely that both of these works may cover a large amount of website content."[10]

Retaining ownership of website content and programming code is especially important if the site owner wants to move the site either in-house or to a different web hosting company. With this possibility in mind, the website purchaser will often want to combine work-for-hire provisions in the web development agreement with a clause in which the developer assigns any remaining content ownership rights to the purchaser as a kind of "catchall" provision. Otherwise, web developers and the companies that hire them are left to haggle over potentially costly exclusive or non‑exclusive licenses, which do not affect ownership, but rather allow the licensee to use copyrighted material on a limited basis.

B. What Clients Need to Know Regarding International Outsourcing

1. Definition and Overview of Outsourcing

Most business and legal professionals probably have heard the word "outsourcing" and have some idea of what it means. For purposes of this section, outsourcing is defined as "the delegation of non-core operations or jobs from internal production to an external entity ...that specializes in that operation."[11] "Outsourcing ...is characterized by expertise not inherent to the core of the client organization."[12] "Many companies look to employ expert organizations in the areas targeted for outsourcing," including information technology, human resources, facilities and real estate management, accounting, manufacturing, and engineering; additionally, many companies outsource customer support and call center functions.[13]

2. International Outsourcing

International outsourcing, also known as "offshore outsourcing" or "global sourcing," often "takes the shape of Business Process Outsourcing, where whole business processes (such as support and development) are outsourced. The client is usually free to choose who provides the outsourced business processes, while stock markets press the company to do more for less. This requires that managers search out the cheapest sources they can find."[14]

The "dot-com crash" in the early part of this decade and the recession following September 11, 2001, provided the impetus for the recent wave of international outsourcing, and "the enabling factor has been the global electronic network that allows digital data to be accessed and shipped instantly, from and to anywhere in the world."[15] As investors became hesitant to invest in high-tech companies after the dot-com crash, many companies "looked for less expensive avenues of development and support. For the United States, India seemed like a perfect resource for these needs since many nationals spoke English .... A company can hire an engineer in India, for example, for $10,000 a year whereas an equally qualified engineer in the U.S. could cost $60,000‑$90,000 a year."[16]

"Countries that offer high-quality, yet cheaper labor include China, India, Russia and other eastern Europe and Asian countries. A much higher turn out of qualified engineers than their western counterparts in the recent past has aided these countries in providing a high-quality labor force."[17] Aside from India, which mainly provides services in the programming and IT sectors and has become a major part of the recent international outsourcing wave, the following countries, among others, have become players in the international outsourcing game: China (programming), the Philippines (data entry and customer support), Romania (programming and IT), and Russia (programming and R&D).[18]

The following criteria are generally used to determine whether or not a particular job can be outsourced internationally:

1. The job does not require direct customer interaction;

2. The job can be telework;

3. The work has a high information content;

4. The work is easy to set up;

5. There is a high wage difference between the original and offshore countries; and

6. The work is repeatable.^{^[19]}

The practice of international outsourcing has been met with mixed results. Some companies reported problems with communication barriers, attrition and high foreign personnel turnover, and problems with asking for one thing and being delivered another.[20] There is even a company in California that "specializes in fixing jobs that were botched due to offshoring."[21] On the other hand, other companies "report favorable results. One company said that the low cost of his Indian development team allows him to hire higher-paid American lead developers."[22] Some of the major U.S. companies doing international outsourcing include Microsoft, Cisco Systems, IBM, Novell, and Hewlett-Packard.[23]

A December 2004 study by the Milken Institute Review focused on what happens to a U.S. dollar when a company moves a service job to India. The study found that both countries benefitted:

"The receiving economy (India) captures 33 cents, in the form of wages paid to local workers, profits earned by local outsourcing providers and their suppliers, and taxes collected from second- and third-tier suppliers to the outsourcing companies. But the gains to the U.S. economy are much larger. The most obvious source of value is the cost savings enjoyed by U.S. companies. Thus, far from being bad for the United States, offshoring creates net value for the economy to the tune of $1.12 to $1.14 for every dollar that goes abroad."[24]

3. Freelancing on the Internet

a. Freelancer Websites

With the rise of both the Internet and outsourcing in the last decade, Internet freelancing has become a popular form of outsourcing, "particularly for software developers from countries with low average salaries, such as Bulgaria, China, India, or Romania."[25] Several websites, such as www.rentacoder.com, "have become bustling marketplaces for farming out software development projects to foreign freelancers at rates generally considered rock-bottom by American or Western standards." These websites "typically provide a convenient central forum for posting job requests, rating and documented history to judge potential buyers and sellers, an escro system to protect participants from fraud, and arbitration in the event of disagreements between the coder and the buyer. The system for setting prices is usually organized as some kind of an auction."[26] As one commentator noted, "[w]eb sites such as www.rentacoder.com have made overseas outsourcing available to the masses just as EBay has globalized the garage sale."[27]

b. Coders

While there are some coders from the U.S., England, and other high-wage countries, most coders are from India and Eastern Europe:

"Coders vary from individual freelancers, sometimes college students working in their spare time, to small software companies with teams of developers. The rates commanded by the coders generally depend on the scope of the project, e.g. a rough estimate of the time it would take to complete, their history of past work done when contracted through the website, as well as on financial limitations of the buyers."[28]

Cultural differences filter through to coders and their respective approaches to programming. For example, many Indian coders "are hesitant to suggest alternative ways of approaching a problem unless specifically asked to do so."[29] Therefore, a company that is satisfied with its approach to a problem will benefit from Indian coders because there will not be any time wasted trying to convince the coder that the business's approach is the right approach. On the other hand, Western programmers can be "far more opinionated," and often must be convinced that the business's way of thinking is the right way; western programmers may benefit a company unsure of its approach or a company that may think its approach is wrong because Western programmers are "more likely to point out viable alternatives early in the process" than their Indian counterparts.[30]

c. Compared to Offshore Outsourcing

Internet freelancing "can be thought of as a small business variant of the wider business practice of offshoring. Whereas larger corporations may set up their own subsidiaries in cheaper rates countries, small businesses as well as individual developers, whether employees or themselves freelancers, find it convenient to look for opportunities to get projects done through Internet freelancing sites." Internet freelancing can be one of the most effective uses of outsourcing because it can be done from anywhere in the world and the transactions costs are extremely low. As of 2004, the typical price for a project was several hundred U.S. dollars, which allows not only large corporations to take advantage of freelancing, but also small companies and individuals.[31]

4. What Clients Need to Know Regarding International Outsourcing

The purpose of this section is not to analyze all of the potential dos and don'ts with regard to international outsourcing in general because that in itself could fill an entire seminar. Rather, the purpose of this section is to analyze what clients should know about some international outsourcing issues as they relate specifically to Internet‑related services.

a. Licensing Issues with Internet Freelancing

As noted above, Internet freelancing is becoming more and more popular and feasible. It is important to keep in mind that large corporations are not the only entities that can use freelance internet services. Because of the relative low cost of these services (a few hundred dollars), individuals and small companies can take advantage of freelancing. However, "[i]nternet freelancing raises many issues for businesses involved in outsourcing some of their work. Protection of intellectual property is one major issue."[32]

(1) Single-Use Licenses and Non-Disclosure Agreements

One type of traditional license is a non-disclosure agreement or a single‑use license. With this type of license, the licensee agrees to keep all of the source code confidential and agrees not to use the code after completion of the project. Non‑disclosure agreements and single-use licenses are devices that would work well when dealing with domestic freelancers because, in the event that the licensee breaches the agreement or infringes on the licensor's copyright, the licensor can file suit in the United States. However, "[t]here is probably little realistic recourse for an American company in the event that [a] coder from India would publish or resell the code developed for them."[33] "Generally, an entity or worker doing business in a country is subject to the laws of that country unless exempted by a treaty."[34] An American company, particularly a small business, may not have the resources to pursue a suit halfway across the world, under the laws of a foreign jurisdiction.

(2) Open Outsourcing

A particular kind of outsourcing called "open outsourcing" may help sidestep this issue in certain situations. Open outsourcing combines outsourcing with open source software, which is software that, through the use of licenses less restrictive than traditional copyright law or single-use licenses, allows a programmer to reuse and make improvements to software source code.

"Open outsourcing makes open source technology more accessible to businesses and individuals by employing an inexpensive international labor force of programmers, often on a contractual piecework basis. Small businesses may not be technical enough to efficiently utilize open source resources in-house or large enough to hire a full time technician. Larger businesses with IT staff may lack technicians with specific skills or knowledge. Open outsourcing also reduces some of the risks associated with outsourcing by making the resulting code publicly available through open source licensing."[35]

The complexities of licensing can be an issue. A business can overcome this issue "by choosing ahead of time a compatible set of open source licenses [it is] willing to work with, then not using source from incompatibly licensed projects."

"The licenses with the most restrictive anti-commercialization clauses such as the GPL [discussed below] tend to also be those with the most available source code, so there is a trade off that must be weighed in selecting the kind of license to use. The most restrictive type of licenses do not typically present problems for end users of in-house software, but may present significant challenges if the software is for resale, especially if it is used within a larger proprietary system. There are entire books dedicated to the issues of open source licensing issues."[36]

Additionally, templates for different types of open source licenses can be found at the Open Source Initiative's website, www.opensource.org.

As will be discussed below, open outsourcing is not a perfect fit for every type of project. However, before discussing the benefits and challenges of open outsourcing, it is important to know the basics of open source licenses. Two of the most popular licenses are the GNU General Public License, commonly known as the GPL, and the Berkeley Software Distribution License, commonly known as the BSD License.

(a) The GNU General Public License

The GPL, originally written in 1989 for the GNU Project, a project formulated to create a complete free software operating system, is the most popular open source license.[37] The GPL grants the recipients of a computer program certain rights, which it refers to as "freedoms":

1. The freedom to run the program, for any purpose;

2. The freedom to study how the program works, and modify it. (Access to the source code is a precondition for this.);

3. The freedom to redistribute copies; and

4. The freedom to improve the program, and release the improvements to the public. (Access to the source code is a precondition for this.)[38]

To ensure that these freedoms are preserved in derivative works and copies, the GPL uses a mechanism called "copyleft," which will be explained in more detail below. In brief, copyleft is a legal mechanism that requires derivative works of GPL-licensed programs to be licensed under the GPL.[39]

(b) Interplay With Copyright Law

Programmers who do not agree to the GPL's terms or who do not abide by the terms "do not have permission, under copyright law, to copy or distribute GPL licensed software or derivative works." Refusing to agree to the terms of the GPL does not mean that the rules of the GPL do not apply and that the programmer may use the software however he or she pleases. The default is copyright law, not the public domain:

"The GPL simply requires that all copies and derivative works of GPL licensed software also be licensed under the GPL. If an entity distributes copies or derivative works of GPL licensed software without following the terms of the GPL, that may constitute copyright infringement, and the copyright holders of the GPL licensed software may be entitled to monetary damages, and can get a court to issue an injunction to stop further distribution of the software. The GPL can not force other copyright owners to do anything with code they own. If someone releases code or a binary program that is a copy or a derivative work of GPL licensed software without licensing it under the GPL they could be sued for copyright infringement."[40]

Like any license, the GPL is not without enforcement problems. However, as more and more programmers become familiar with the GPL and its requirements, the more likely it will be that the programmers understand its benefits and abide by its terms.[41]

(c) Rights Granted Under the GPL

The terms and conditions of the GPL are available to anybody receiving a copy of a GPL-licensed work. Any licensee accepting the terms and conditions is then given permission to modify the work, copy the work, and redistribute the work or any derivative version. "The licensee is allowed to charge a fee for this service, or do this free of charge. This latter point distinguishes the GPL from software licenses that prohibit commercial redistribution."[42] The creator of the GPL felt that "free software should not place restrictions on commercial use"; therefore, "the GPL explicitly states that [GPL-licensed] works may be (re)sold . ...[and] that a distributor may not impose 'further restrictions on the rights granted by the GPL'"; this restriction "forbids the distribution of the software under a non-disclosure agreement or contract. Distributors under the GPL also grant a license for any of their patents practiced by the software, to practice those patents in GPL software."[43]

(d) The Copyleft

The GPL does not allow a licensee free reign with regard to distribution rights.

"[Any] distributed copies, including [any] modifications, must also be licensed under the terms of the GPL. This requirement is known as copyleft, and it gets its legal teeth from the fact that the program is copyrighted. Because it is copyrighted, a licensee has no right to modify or redistribute it (barring fair use), except under the terms of the copyleft. One is only required to accept the terms of the GPL if one wishes to exercise rights normally restricted by copyright law, such as redistribution. Conversely, if one distributes copies of the work without abiding by the terms of the GPL (for instance, by keeping the source code secret), [he or she] can be sued by the original author under copyright law. The copyleft thus uses copyright law to accomplish the opposite of its usual purpose: instead of imposing restrictions, it grants rights to other people, in a way that ensures the rights cannot subsequently be taken away."[44]

The GPL "also ensures that unlimited redistribution rights are not granted, should any legal flaw ...be found in the copyleft statement. Many distributors of [GPL-licensed] programs bundle the source code with the executables."[45]

One can also satisfy the copyleft by providing a written offer to provide the source code on a physical medium (such as a CD) upon request. Many GPL-licensed programs are distributed over the Internet, and the source code is made available over a file transfer protocol ("FTP"), which, for Internet distribution, complies with the GPL.[46]

It is important to remember that the copyleft only applies when someone wants to redistribute a program; anyone is permitted to make private modified versions, without any obligation to divulge the modifications, provided the modified software is not distributed to anyone else. Also, the copyleft only applies to the software and not to its output, unless the output is itself a derivative work of the program.[47]

(e) Potential Problems with the GPL

"The GPL is clear in requiring that all derivative works of GPLed code must themselves be GPLed. However, it is not clear whether an executable that dynamically links to a GPL library should be considered a derivative work." Many common free software licenses are "GPL-compatible," meaning "their code can be combined with a [GPL-licensed] program without conflict," with the GPL then applying to the new combination as a whole. "However, some open source software licenses are not GPL-compatible. Many [commentators] have strongly advocated that open source software developers use only GPL-compatible licenses, because doing otherwise makes it difficult to reuse software in larger wholes."[48]

(3) The BSD License

The BSD License was developed in 1982 at the University of California --Berkeley. "This license has few restrictions on it compared to other licenses such as the GNU General Public License or even the default restrictions provided by copyright, putting it relatively closer to the public domain."[49]

In contrast to the GPL, "BSD-style licenses allow for derivative works to be redistributed as proprietary software."[50] "The BSD License allows commercial use, and for the software released under the license to be incorporated into commercial products. Works based on the material may even be released under a proprietary license. Some notable examples of this are the use of BSD networking code in Microsoft products, and the use of numerous FreeBSD components in Mac OS X."[51]

The original BSD License contained four clauses. It allowed redistribution and use in source and binary forms, with or without modification, provided that the following four conditions were met:

1. Redistributions of source code had to retain the copyright notice of the original work, the list of conditions in the BSD License, and a limitation of liability disclaimer that followed the list of conditions;

2. Redistributions in binary form had to retain the copyright notice of the original work, the list of conditions in the BSD License, and a limitation of liability disclaimer that followed the list of conditions in the redistribution's documentation or other materials provided with the distribution;

3. Any advertising materials mentioning features or use of the software had to display an acknowledgement that said: "This product includes software developed by [NAME OF COMPANY OR INDIVIDUAL] and its contributors"; and

4. Neither the name of the [COMPANY OR INDIVIDUAL] nor the names of its contributors could be used to endorse or promote products derived from the original software without specific prior written permission.[52]

In 1999, the third clause, regarding advertising, was removed from the official BSD License.[53]

b. Benefits of Open Outsourcing

Due to the number of international programmers, many of whom speak English very well, available over the Internet and the relative ease of hiring them, the price of custom software has dropped, sometimes to the point where end users of the software can afford custom programming, whether for personal, internal, or proprietary use.[54] About 75% of all software produced is for in-house consumption, and not for resale, meaning that there is a lot of this kind of programming being done; depending on the type of work, typical piecework third-world programming rates range from 5% to 20% of first-world programming consultant's salaries.[55]

This affordability greatly reduces the barriers to entry for small businesses and even individuals wishing to benefit from custom software:

"By using the facilities of websites like RentACoder, [small businesses] can hire programmers to solve their business problems. By allowing the coders to use open source software as part of the solution, they can greatly reduce the cost of the development of their solutions. By allowing the programmers to keep the solution thus developed in open source such patrons support the open source movement and make a larger body of programs available to the developers due to the licensing terms of the most popular open source license, the GPL."[56]

Open outsourcing can also ameliorate some of the risks of outsourcing. If a programmer can start with a program that solves a good percentage of his or her client's problem, then he or she will not have to spend as much time and effort solving the problem:

"By allowing a programmer to use open source on a project (and thus implicitly giving him permission to keep, reuse and redistribute the resultant code, including submitting it back to the original project) programs can be written for a fraction of the price of developing proprietary code from scratch. Even at just a few dollars an hour programming time, time passing is not free because of opportunity cost, and getting the code more quickly means [a return on investment] will occur that much faster."[57]

Additionally, the use of open source "makes it easier to switch programmers in midstream should the original programmer prove unable to complete the task." Id. Since open source code is publicly available, it is more likely that multiple programmers will be familiar with the code, which would not be the case with proprietary code, where "the time it takes a programmer to familiarize himself with a set of code is non-trivial." Id.

Another benefit to the open source approach also relates to the availability of open source code. It is likely that a programmer will use a client's code again in the future. Therefore, if a bug is found during that future development, the programmer is likely to make the fix available to the client, particularly if there is a maintenance agreement in place between the programmer and client. Id. On the other hand, a programmer working on proprietary code would not get a chance to look at the code after the completion of the project, except as the client hired him or her to do so. Id. "In addition, if the code is properly submitted to the core open source project, other programmers will look at it and may fix bugs or even make further improvements. While this is by no means guaranteed, the chances of it happening are far greater in open source than the zero chance of it happening in proprietary code." Id.

(1) Challenges of Open Outsourcing

It is important to remember that open outsourcing is not the best solution for every project.

"Open outsourcing, in particular, is most suited to solving problems that are very well defined and which are natural extensions of existing open source projects. Small projects are much more likely to be successful than larger projects, although projects that are too small require a lot of managerial overhead for the amount of code produced. Of course, open outsourcing is totally unsuited to the development of proprietary closed software."

Id.

"The projects typically posted on freelancer websites would optimally not represent the core competency of the buyer company." Wikipedia, Freelancing

"Rather, they would constitute the more mundane and labor-intensive tasks that are much easier to describe accurately in writing than to implement in a complete and polished manner. Perhaps, it is no coincidence, then, that a good deal of the projects posted... have to do with programming custom web applications. Even if the source code of such programs, such as a PHP script for an online store, were leaked by the coder, it would probably have little value to others, and such a leak would hardly hurt the buyer in any way."

Id. Projects with particularly sensitive source code are not well-suited for open outsourcing. In those cases, traditional single-use licenses amy be more apporpriate

Payment to the programmer and delivery of code is a potential problem. A special escrow service can help ensure that a business gets its code and the programmers get paid for successfully completing a project. Wikipedia, Open outsourcing.

One of the challenges is communicating the necessary specifications for a particular project. The more accurately a business can specify up front exactly what it wants, the more likely it is to get what it wants in the end. Id.

Another challenge with open outsourcing, as well as international outsourcing in general, is negotiating realistic deadlines and sticking to those deadlines. One solution is to tie payment to the on-time completion of the project. Also, if a company's development need is particularly time critical, the company can hire two independent programmers to develop the same code at the same time. Id. This option would increase management overhead and double the cost, but the relative inexpensiveness of international programmers may make hiring two programmers viable. Furthermore, hiring two programmers to develop the same code reduces the risk that the software will not be delivered on schedule. Id. If both finish on time, then the company will have its choice of the better solution. Id.

A proper understanding of open source licenses and compliance with open source licenses is one of the challenges facing open outsourcing. Id. "One of the greatest challenges to successful open outsourcing (as a movement) is making sure that programmers in the third world, as well as their Western patrons are aware of their responsibility to resubmit code changes and evolution to the original sources under the most common license, the [GPL]." Id. The solution to this problem is simply the passage of time. As more work for pay is done involving open source code, third-world programmers will become more familiar with open source licensing requirements, resulting in "a greater number of submissions back to the original core code groups developing these projects." Id.

"Businesspeople are, by and large, willing to pay a small price for improvements to usability, documentation and functionality necessary to their business. The key to making open outsourcing successful is making sure that the source developed by outsourcing programmers makes its way back to the core development team for reintegration into the original project. Another key is for small business people to become aware of the benefits of this approach. If [a] small business is creating and distributing proprietary software, this approach may not work for [that business's] main product line. For all other small businesses with business processes to automate, open outsourcing opens up an entirely new world of possibilities for greater efficiency. With supporting infrastructure open to the world, small business owners can benefit from bugs being found and repaired in their mission critical applications, for free. This is a major benefit to open outsourcing that many small business owners just [would not] be aware of."

Anderson, Open Outsourcing.

c. Real World Example of Open Outsourcing

The previously mentioned website, Rent-A-Coder, provides a real world example of open outsourcing in action. "[T]here are hundreds of web site developers being hired on Rent-A-Coder using open source Perl scripts to create and configure proprietary web sites for web site owners who are generally non-technical. Estimates from Rent-A-Coder are that approximately 70% of all code buyers on their site are non‑technical." Wikipedia, Open outsourcing. Even Rent-A-Coder is not free from the challenges that face open outsouring. "It is believed that little of the code currently generated on Rent-A-Coder works its way back into the open source projects the original code came from, despite the fact that much of the code is licensed under the GPL, which usually requires such code modifications be made public." Id.

5. Other Legal Issues With International Outsourcing

In addition to issues involving intellectual property licensing, "offshore outsourcing may involve issues relating to privacy, labor rights, ...immigration, environmental protection, taxation, export controls, and national security." Justin Kent Holcombe, Solutions for Regulating Offshore Outsourcing in the Service Sector: Using the Law, Market, International Mechanisms, and Collective Organization as Building Blocks, 7 U. Pa. J. Lab. & Emp. L. 539, 549 (2005). In the arena of the outsourcing of internet-related services, labor rights, taxation, and export control are issues.

With any outsourcing, a company should examine whether movement of jobs will run afoul of a collective bargaining agreement.

"Offshoring of work arguably covered by collective bargaining agreements can entail special obligations depending on the terms of the agreement. Though U.S. labor laws are among those to which the non-extraterritorial presumption generally applies, the assignment abroad of work claimed under a U.S. collective bargaining agreement can present complex choice of law and contract interpretation questions. These issues are in addition to the statutory questions of whether sourced entities are independent contractors or whether they instead have legal relations with the sourcing entity that exposes them to contractual liability, economic pressure, or an obligation to bargain with the union whose members previously performed the work."

Thomas J. Manley & Scott M. Hobby, Globalization of Work: Offshore Outsourcing in the IT Age, 18 Emory Int'l L. Rev. 401, 417 (2004) (footnotes omitted). See also, Mack Trucks, Inc. v. Int'l Union, United Auto., 856 F.2d 579, 591 n. 14 (3d Cir. 1988) (outlining elements of collective bargaining agreement, part of which prevented the company from outsourcing for the term of the agreement); Holcombe, supra, at 584-596 (discussing unionization as it relates to international outsourcing).

Taxation and export regulation issues may arise as well:

"Offshoring is often enabled by the transfer of valuable information to the offshore site. Such information and training enables the remote workers to produce results of comparable value previously produced by internal employees. When such transfer includes protected materials, as confidential documents and trade secrets, protected by non-disclosure agreements, then intellectual property has been transferred or exported. The documentation and valuation of such exports is quite difficult, but should be considered since it comprises items that may be regulated or taxable."

Offshoring, http://en.wikipedia.org/wiki/Offshoring (last visited July 7, 2005). Accord: H.Ward Classen, Fundamentals of Software Licensing, 37 IDEA 1, 9 (1996) ("The failure to limit the use of the software to a particular country or geographic site may also give rise to a number of export issues. For example, licensing software to a Mexican company which has a subsidiary or affiliate in Cuba would violate the Trading with the Enemy Act if such software was used in Cuba.").

C. Website Hosting Agreements: How Hosting Works and What to Look for in a Host

1. Introduction to Web Hosting

After a web site has been designed, it must be connected to the Internet. Some web site owners may decide to run the site themselves. However, many owners choose to have a third party, called a web host, operate the web site. There are thousands of hosting services in this market.[58] Most web site designers also provide hosting services.[59]

When a web site is ready to be viewed on the Internet, the web host places the web site on a server, a computer that is designed to run web sites.[60] A hosting service basically rents space to a web site owner. A host may operate thousands of web sites at a time.[61]

The characteristics of individual websites will command different hosting services. Therefore, a site owner needs to find a host that will best fulfill the owner's needs. Some core considerations are discussed below. This section also addresses both the need to reduce the terms of the hosting relationship to a written web hosting agreement and litigation that may result from a failure to do so.

2. What to Look For in a Host

A company's web site is a valuable asset that is entrusted to the care of a hosting service. If a hosting service does not live up to its end of the bargain, a company that uses the site to conduct business may be financially harmed. Accordingly, performance issues are important qualities to look for in a host, including the available bandwidth, "uptime" and response time to problems.

a. Bandwidth

Bandwidth "refers to how much data is sent and retrieved from one source to another through the Internet."[62] Hosting services provide different amounts of bandwidth depending on their network connections.[63] Further, "[w]hile connection speeds vary and many high-speed options are available, the minimum acceptable connection for a webserver containing multiple websites is a 'T1' line."[64] "While a server may have a certain amount of bandwidth available at any one time, this bandwidth is shared by all websites hosted on the server, and often by every other server at the developer's location."[65] Larger and more popular sites will take up more bandwidth and leave little for remaining web sites.[66] One web site explains the "traffic" on bandwidth as follows:

"A very simple analogy to use to understand bandwidth and traffic is to think of highways and cars. Bandwidth is the number of lanes on the highway and traffic is the number of cars on the highway. If you are the only car on a highway, you can travel very quickly. If you are stuck in the middle of rush hour, you may travel very slowly since all of the lanes are being used up."[67]

One example of traffic in dealing with bandwidth occurs when an individual transfers an MP3 song from a web site to his or her computer. Depending on the network connection and bandwidth available, the transfer may be quick or could be slower if there are other people trying to download the same MP3 at the same time.[68]

When a web site owner is considering whether a certain hosting service is appropriate, the amount of bandwidth available from the service is crucial. Hosting services cap bandwidth at a monthly limit depending upon how much money the owner is willing to pay for the services.[69] If the web site exceeds the monthly allotment of bandwidth, the hosting service may charge an additional fee or shut down the web site.[70] As such, it becomes obvious that "competition for . . . bandwidth resources can be fierce."[71]

b. "Uptime"

Another important factor to consider when choosing a hosting service is the service's ability to keep web sites running on-line. "All Web hosting providers brag about their uptime."[72] "With e-business becoming one of the fastest growing markets in the industry, a Web hosting provider that cannot keep to its promises can spell trouble for businesses of all sizes."[73]

A web site owner and a host may agree that the web site will be operational for a specified period of time each day or month as a term of the hosting service.[74] The hosting service may warrant that the web site will operate continuously except for scheduled maintenance sessions.[75]

Another way to avoid web site down time is to have "mirror sites." The hosting service would back up the entire site on a daily basis onto a server with a different network connection.[76] Therefore, if the original server goes down, the website will continue to operate.[77] Yet another means to avoid losses would be for the service to send back-up tapes to the client in the event the entire web hosting network operations center is destroyed.[78]

c. Problem Response Time

Another characteristic of hosting services closely related to "uptime" is problem response time. The web site owner must decide the level of customer support that is needed to deal with web site problems.[79] Larger hosting services may provide 24‑hour support, while smaller services may not be available on weekends or after business hours.[80]

3. The Importance of Web Hosting Agreements

As discussed above, web hosts may provide a variety of services to web site owners. "Unlike some other types of agreements and technology transactions, the interests of parties in Web site hosting agreements often are not terribly dissimilar."[81] Regardless, the parties should reduce all aspects of their relationship to a written agreement.

a. Provisions of a Web Site Hosting Agreement

The following subjects should be addressed in most web hosting agreements. Of course, the specific terms of each agreement will vary depending on the hosting services provided.

The scope of the specific services provided by the web host should be identified.[82] The scope of services may include "security measures and performance levels to which the provider's software and hardware must conform [in order] to ensure that the site's content is properly translated, adequately and safely stored and quickly accessible to a number of simultaneous users."[83] The web host may also be required to provide software for the web site, including software to process on-line transactions, telecommunications software, security software and web site analysis software.[84]

The parties also should define the web host's obligations to update and modify the site.[85] As technical developments continue, the information and technology on a web site must be updated.[86] The parties may agree that the host will provide the web site owner with the tools to update or modify the web site. The host may also seek to limit its obligations concerning updates.[87]

A web site hosting agreement should address performance issues. As discussed above, "[w]hether a Web site will be operational within specified performance criteria is a key issue in hosting agreements."[88] Web site owners are concerned about whether the growth of the Internet will cause their site to malfunction because of heavy traffic. Web hosts will want to limit liability on performance issues concerning events over which they have no control. The agreement "should include minimum performance criteria within specified volume ranges in key areas - uptime, scheduled maintenance, and server response time."[89] The agreement should specify when the web site will be available, as well as scheduled down time for maintenance. The parties also may negotiate remedies for system failures.[90]

As with web development agreements, site owners may have to disclose a certain amount of confidential information to hosts, including customer data. In order to prevent a host from improperly using this information, the agreement should specify what information is to remain confidential.[91] Web hosts may want access to customer information for internal tracking, monitoring, and marketing purposes. "It is advisable to include language in the agreement that defines the information obtained from customers and delineates the permissible uses of it. Such a clause should protect confidential information and specify the purposes for which the hosting services provider may contact customers."[92]

Issues concerning termination and transfer of the web site should be addressed in the agreement. "The Web site owner should have relative flexibility to terminate the agreement for any reason. Upon termination, the hosting service should be obligated to use reasonable efforts to transfer the site to a successor hosting service."[93] The agreement also should require the web host to return any information provided to it by the owner, along with the content of the web site.[94]

Both parties to a web hosting agreement will want the other party to agree to certain warranties. Web site owners should have the host warrant that it will update the site with new technology, the web site will be available through the web host's server and to timely respond to problems.[95] The web host also should warrant that materials within the site comply with federal and state laws including, for example, procedures the host has in place regarding notification of possible copyright infringement.[96] Conversely, the host should require the web site owner to warrant that the owner has authority to enter the agreement, the content of the web site does not infringe on third-party rights, including intellectual property, privacy and publicity rights, and that the owner obtained permission to use links to other web sites.[97]

Finally, the agreement should address liability for breach of the agreement. Most parties attempt to limit liability to the amount of fees paid to the web host under the agreement.[98] Both parties may seek to have the other indemnify it for any infringements on third-party rights.[99]

b. Litigation Issues Concerning Web Hosting Agreements

Courts have addressed disputes where the owner and host failed to specify the terms of their relationship in a web hosting agreement. For example, in MomsWin, LLC v. Lutes,[100] the defendants (web developer and host) entered into an oral agreement with the plaintiff-web site owner to develop and host a site for the plaintiff. The owner designed the content of the site, and the defendants converted the content so that it could be read on the Internet.[101]

The parties orally agreed that information contained in the site was proprietary, trade-secret information that was not to be relayed to third parties without the owner's consent.[102] Despite this oral agreement, the defendants negotiated with third parties to reproduce and to distribute the web site. Moreover, the defendants attempted to copyright the web sites. The host also demanded that the owner pay more money for developing and hosting the web site, or else the defendant would cease hosting the site.[103]

The owner sued the developer and host seeking a declaration concerning the copyright ownership of the web site, that the owners were the sole owners of confidential, proprietary and trade secret information provided to the defendants, and that, under the parties' agreement, the information could not be disclosed to third parties.[104] The court denied the owner's motion for summary judgment on all of these issues.[105]

This decision resulted from the lack of a written agreement. The parties did not reduce issues concerning copyright protection to writing. Further, since no written agreement existed, there were issues of fact as to whether certain information was a trade secret.[106] Finally, the court could not determine as a matter of law whether the host's threat to pull the site off the Internet constituted a breach of contract because the terms of the agreement had not been established.[107]

D. Search Engine Placement and Marketing Services

1. Introduction

With the continued increase of commerce on the Internet, it is critical for businesses to market their web sites to gain maximum visibility. Search engines provide businesses this opportunity.[108] "[A]ttention from searchers can translate into money, either directly through revenue models that pay based on the number of visitors [to the web site] (such as banner advertisements which pay per impression) or indirectly because some web visitors may choose to transact with the web publisher or those the web publisher promotes."[109]

The use of search engines for marketing has become a competitive business. Most major search engines, including Google, AltaVista, and Excite, display the top ten or twenty hits on the first web page out of thousands or millions of search results.[110] Therefore, it is important for a business to appear on this first page of results to achieve more exposure to searchers.[111]

"[A]n entire industry of 'search engine optimizers' has emerged to help web publishers maximize their positioning under search engines' various rules."[112] These companies are supposed to be familiar with the best ways to market web sites through search engines. Important marketing techniques include keyword placement, timing on submitting web pages to search engines, as well as other marketing campaigns extending beyond search engines.

While most of these service providers pride themselves on using proper techniques to increase their clients' search engine rankings, there can be legal ramifications, including, among other issues, if a publisher unlawfully uses the trademark of another in the metatags of its website.

2. How Search Engines Function

Search engines allow people to sift through the wealth of information available on the Internet.[113] "When a keyword is entered, the search engine processes it through a self-created index of web sites to generate a (sometimes long) list relating to the entered keyword."[114] Search engines look for keywords in the web site's domain name,[115] the text in the web page, and in metatags.[116] "The more often a term appears in the metatags and in the text of the web page, the more likely it is that the webpage will be 'hit' in a search for that keyword and the higher on the list of 'hits' the web page will appear."[117]

"Each search engine uses its own algorithm to arrange indexed materials in sequence, so the list of web sites that any particular set of keywords will bring up may differ depending on the search engine used."[118] Search engines typically do not disclose the exact formula that they use to rank web sites.^{^[119]} However, major search engines will look at the frequency and location of keywords. If a keyword appears often on the web page, then there is a greater chance the search engine will find it. Likewise, if a keyword appears near the top of the web page in the headline or in the first few paragraphs of text, then the search engine may find that word to be more relevant.^{^[120]}

The secrecy of search engines' algorithms for rankings and the competitive nature of search engine placement have led web publishers to employ various methods to obtain higher rankings in search results. Some publishers will use a wide range of keywords to try to manipulate the results.^{^[121]} "Publishers will try to get search providers to associate their website with the keywords being used by desired searchers."^{^[122]} However, some publishers will fill their web site with keywords that are not relevant to its content.^{^[123]} "These practices are variously called keyword stuffing (or word stuffing or cyberstuffing) keyword loading, spamdexing, keyword repetition and search engine spamming."[124] Some search engines will expel a web site from its index if publishers engage in these practices.[125]

3. Litigation Issues Concerning the Use of Another's Trademark in Metatags

The competition for increased search engines rankings has carried over into the courts. Disputes may arise if the publisher of a web site includes the trademark of another within the metatags of their site.[126] The following cases serve as a guide for businesses, including search engine placement services, to determine which keywords to include in metatags.

In the seminal case, Brookfield Communications, the Ninth Circuit addressed the issue of whether West Coast Entertainment, Inc.'s ("West Coast") use of Brookfield Communications, Inc.'s ("Brookfield") trademark and domain name in the metatags of West Coast's web site constituted trademark infringement.[127] In this case, Brookfield gathered and sold information about the entertainment industry through, among other means, computer software sold under the MovieBuff registered trademark.[128] West Coast was a large video rental store chain.[129]

Brookfield attempted to register the domain name "moviebuff.com" but found out that West Court had already registered the same domain name. West Coast intended to launch an entertainment database similar to Brookfield's MovieBuff.[130] After West Coast ignored Brookfield's cease and desist letter, Brookfield sued for trademark infringement under the Lanham Act, among other claims.[131]

Brookfield moved to preliminary enjoin West Coast from using "MovieBuff" and "moviebuff.com"[132] in the metatags of its website at "westcoastvideo.com."[133] The court recognized that "[a]lthough entering 'MovieBuff' into a search engine is likely to bring up a list including 'westcoastvideo.com' if West Coast has included that term in its metatags, the resulting confusion is not as great as where West Coast uses the 'moviebuff.com' domain name."[134] If someone used the search term "MovieBuff" both Brookfield's and West Coast's web site would likely be in the results. The user could then choose the appropriate web site off the list, and even if the user chose West Coast's web site, he or she would know that it belonged to West Coast since its web page included its own name.[135] Despite the lack of the likelihood of confusion concerning whether consumers would be confused as to whether they were purchasing from West Coast instead of Brookfield, the court held that the use of Brookfield's trademark constituted unlawful infringement.

The court held that West Coast's use of "movibuff.com" in its metatags constituted "initial interest confusion" and reversed the district court's denial of the preliminary injunction.[136] The court defined this type of infringement as "the use of another's trademark in a manner calculated 'to capture initial consumer attention, even though no actual sale is finally completed as a result of the confusion.'"[137] "Web surfers looking for Brookfield's 'MovieBuff' products who are taken by a search engine to 'westcoastvideo.com' will find a database similar enough to 'MovieBuff' such that a sizeable number of consumers who were originally looking for Brookfield's product will simply decide to utilize West Coast's offerings instead."[138] The court made the following analogy:

"Using another's trademark in one's metatags is much like posting a sign with another's trademark in front of one's store. Suppose West Coast's competitor (let's call it 'Blockbuster') puts up a billboard on a highway reading 'West Coast Video: 2 miles ahead at Exit 7' where West Coast is really located at Exit 8 but Blockbuster is located at Exit 7. Customers looking for West Coast's store will pull of at Exit 7 and drive around looking for it. Unable to locate West Coast, but seeing the Blockbuster store right by the highway entrance, they may simply rent there. Even customers who prefer West Coast may find it not worth the trouble to continue searching for West Coast since there is a Blockbuster right there. Customers are not confused in the narrow sense: they are fully aware that they are purchasing from Blockbuster and they have no reason to believe that Blockbuster is related to, or in any way sponsored by, West Coast. Nevertheless, the fact that there is only initial consumer confusion does not alter the fact that Blockbuster would be misappropriating West Coast's acquired goodwill."[139]

The Brookfield Communications court's "billboard" analogy for initial consumer confusion has been criticized as being inapplicable to Internet search engines. One commentator "maintain[ed] that the court's analogy over-emphasizes the costs involved in getting off at the wrong 'cyber-exit' compared with a real highway exit. 'It just takes a few mouse clicks and a couple seconds to 'go back' on the Internet.'"[140] Another commentator criticized the court's reasoning because "the analogy makes an apples-to-oranges comparison":

"In the search engine context, keyword metatags act as a trigger to cause the display of filtering content, but the search never sees the text contained in the keyword metatags. In the billboard analogy, the billboard is the filtering content. Therefore, keyword metatags and billboards do not perform the same search function."[141]

Despite criticisms of its reasoning, the Brookfield Communications decision serves as a warning to web site publishers and search engine placement services concerning the use of other's trademark in metatags. Other courts have addressed this issue:

" Playboy Enters., Inc. v. Welles, 279 F.3d 796, 803-04 (9th Cir. 2002) (holding that the defendant's placement of the plaintiff's "playboy" and "playmate" trademarks in the metatags of her web site were not infringing under the fair use doctrine).

" Promatek Indus., LTD v. Equitrac Corp., 300 F.3d 808, 812-13 (7th Cir. 2002) (holding that initial consumer confusion existed where the defendant used the plaintiff's "Copitrak" trademark in the metatags of its web site).

" Eli Lilly & Co. v. Natural Answers, Inc., 233 F.3d 456, 465 (7th Cir. 2000) (holding that the defendant infringed upon the plaintiff's PROZACthorn trademark, in part, because the defendant intended to confuse and mislead consumers when it used "Prozac" in the metatags of its website).

" Bihari v. Gross, 119 F. Supp. 2d 309, 319-21 (S.D.N.Y. 1999) (holding that there was neither a likelihood of confusion nor a likelihood of initial consumer confusion were the defendant used "Bihari Interiors" in its metatags, where the web site in question was not a competitor of Bihari Interiors and did not use the keywords to trick users into thinking that they were visiting Bihari Interiors website or that it was sponsored by Bihari Interiors).

" Nilton Corp. v. Radiation Monitoring Devices, Inc., 27 F. Supp. 2d 102, 104 (D. Mass. 1998) (holding that trademark infringement occurred where the defendant copied the plaintiff's metatags and HTML code in order to take advantage of the plaintiff's goodwill and to divert customers to the defendant's web sites).

E. Assessing and Selecting Security-Related Services

1. Information Security Is a Necessary Component of any Computer Infrastructure

The phrase "information security" has been referred to as an "umbrella concept," which encompasses the security and protection of information "assets."[142] It also encompasses a variety of "disciplines" in the information arena, including security management practices, physical security, personnel security, computer security, "logical" or network security, telecommunications security and operations security.[143]

However, "information security" should not be confused with "information privacy." Information privacy refers to the protection of an individual's nonpublic personal information in a computer system by (1) limiting the amount and type of information collected, (2) notifying the individual of the uses to which that information will be put, (3) obtaining consent to use or disclose that information, (4) allowing that individual to review or update that information, and (5) providing a remedy for the failure to properly protect that information.[144]

The types of information security attacks are numerous and potentially costly to any business that collects, uses or discloses personal information. These attacks include:

" Hacking

" Employee misuse

" Third-party misuse (contractors, vendors, service providers)

" State-sponsored and industrial espionage

" Terrorism

" Malicious code (viruses, worms, Trojan horses, malicious scripts)

" Social engineering

" Physical security breaches ("dumpster diving")

" Spoofing

" Non-human forces (natural disasters, accidents, disruption of electrical service).[145]

Thus, a well-developed, comprehensive security program is essential when dealing with a network connected to the Internet. A recent analysis shows that security incidents have steadily increased over the last fifteen years. In 1990, there were 252 reported incidents. That figure increased to 2,412 in 1995, 21,756 in 2000, and 82,094 in 2002.[146]

Although in the past, the federal government has not regulated the physical security of a company's computer infrastructure, there are several laws, such as the Fair Credit Reporting Act (15 U.S.C. D 1681, et seq.) and the Gramm-Leach-Bliley Act (15 U.S.C. D 6801, et seq.), that regulate a company's collection, use and disclosure of personal information. Furthermore, as discussed below at DII.B.1, the Federal Trade Commission has taken an interest in the recent security breaches; the Commission has started to mandate information security procedures under the authority granted to it to enforce D 5 of the Federal Trade Commission Act (15 U.S.C. D 45). Indeed, "[t]he current role of the federal government in regulating private sector computer systems is primarily derived form its interest to protect the privacy of individually identifiable information held on private computer systems or to improve the oversight of financial reporting by the private sector. Security of a company's or an individual's computer system or the Internet as a whole [is] not the policy objective."[147]

2. Information Security Practices

A number of industry-recognized "best practices" have been identified when compiling an information security program. However, such best practices are not to be considered a comprehensive list of all that is required to implement a security program. "It is not possible to build a definitive list of best practices, because security needs differ from industry to industry and organization to organization and because security technology changes rapidly."[148]

"Internet best practices are not formal requirements, but 'the distilled, accumulated knowledge of experienced system administrators.' Simply put, following best practices shows that your local network administrators and management have learned from the mistakes of other system administrators. Best practices are often arrived at by hard experience. Following the best practice does not immunize your network from problems, but does insulate your local network from many of the pitfalls, vulnerabilities and security risks experienced by more experienced administrators who have already trod the same path."[149]

The following list demonstrates a number of these practices:[150]

" Assess Security Needs: Conduct a risk assessment of the current security system and potential security vulnerabilities. Regular audits of the system should be conducted periodically.

" Create a Point of Accountability: Name a security officer. This individual can be the Legal Department's compliance officer. Nonetheless, it is important to provide a face to go along with the company's security policies and procedures.

" Create a Usage Policy: Determine the role of each person involved in the business; detail the expectations of each employee and third‑party (vendor, contractor, etc.) involved in the computer infrastructure or exposed to any personal information.

" Implement a Physical Security System: Develop a comprehensive security plan to protect against physical invasion. The procedures to be implemented in this category include properly shredding documents, providing identification badges to all employees and visitors that must be worn at all times, providing security locks on all doors leading to protected information or systems, and maintaining security guards at all building access points.

" Implement Authentication Processes: Develop standards to determine that a system user is who he or she claims to be. These processes can involve certification of a user's identity and independent background checks to verify a user's representations.

" Regularly Update the System: A comprehensive security program cannot simply be installed and forgotten. It must be continuously monitored and updated as new practices are developed or as technology changes the way the system infrastructure operates.

F. Understanding Digital Signature Laws

"Digital signatures and public key cryptography work as follows: The individual signing the message will have two keys (very large prime numbers), a private and a public key. The recipient must know the sender's public key, but not the private key. A message (in this case, a signature) is encrypted by the sending party using his private key. The recipient receives the encrypted message and is able to decode it into a readable signature using the sender's public key."[151]

As explained in Deborah L. Morgan, Digital Signatures: Will Government Registration of Users Mean that Anonymity in Transactions on the Internet Is Forever Lost?, 2004 U. Ill. L. Rev. 1003, 1014-15 (2004):

"Digital signatures provide businesses with a method of authenticating a user based on verification through other entities. Digital signatures became a viable option with the encryption capabilities provided by asymmetric cryptography. This encryption technique provides each user with a key pair, including both public and private encryption keys. In contrast, symmetric cryptography uses only one key to both encrypt and decrypt the message. Unlike symmetric key encryption, which poses a risk that the single key will be lost or intercepted, asymmetric encryption allows for only the user's public key to be used for encryption. The private encryption key remains secure with the user.

This encryption, however, does not provide all that is necessary for a recipient to be assured of the sender's identity. A digital signature is 'an item of data accompanying a communication used to authenticate its sender and to ensure its integrity.' The 'hash function,' which is the mathematical processing of a message or content, puts out 'a relatively small piece of data [called the message digest] that is unique to the message.' Therefore, if any changes are made to the message, the output - or message digest - of the hash function will be different. Digital signature software creates the digital signature by using the hash function to generate its output and then encrypting that output with the sender's private key. That data becomes the digital signature. The recipient then uses the same hash function to get the message digest and uses the sender's public key to decrypt the message. Now the recipient can verify that the proper sender sent the message, but still needs to authenticate that the sender has an acceptable real-world identity."

The digital signature allows one of the most secure method of "signing" a contract electronically, and are used mainly in the banking industry for electronic fund transfers.[152] Utah was the first state to allow use of electronic signatures, which was enacted in 1995.[153] However, the certification required made the Act of very little benefit to businesses.[154] To avoid the inconsistencies in the state statutes, the Uniform Electronic Transactions Act ("UETA") was promulgated in the late 1990s.

However, states were slow to adopt UETA. Therefore, Congress enacted the Electronic Signatures in Global and National Commerce Act ("E-Sign"), codified at 15 U.S.C. D7001. E-Sign was designed to facilitate interstate e-commerce through uniformity.[155] E-Sign provides that, "with respect to any transaction in or affecting interstate or foreign commerce--(1) a signature, contract, or other record relating to such transaction may not be denied legal effect, validity, or enforceability solely because it is in electronic form; and (2) a contract relating to such transaction may not be denied legal effect, validity, or enforceability solely because an electronic signature or electronic record was used in its formation." 15 U.S.C. D7001(a). The law is "technology neutral," like the UETA, because it does not require any particular technology to be used to create the electronic signature.[156]

E-Sign preempts state law unless that law is consistent with the UETA or does not give greater legal preference to one type of technology.[157]

G. Voice-Over-Internet-Protocol (VoIP)

1. Introduction to Voice-Over-Internet-Protocol

Voice-Over-Internet-Protocol, also known as VoIP or Internet Voice, is a technology that allows individuals to make telephone calls using a broadband Internet connection instead of a traditional phone line.[158] Some VoIP services may only allow callers to call others using the same service, while other services allow callers to call anyone who has a telephone number, including local, long distance, mobile, and international numbers. Also, while some services only work over a computer or a special VoIP phone, other services allow use of a traditional phone through an adapter.[159]

VoIP technology converts a voice signal from a telephone into a digital signal that travels over the Internet then converts it back at the other end to allow a caller to speak to anyone with a regular phone number; the call goes through the local telephone company to a VoIP provider, and then over the Internet to the called party's local telephone company for the completion of the call.[160] Aside from using a traditional telephone hooked up to an adapter that runs through a high-speed Internet connection, another way to use VoIP is with a microphone headset plugged into a computer; with the latter, the number is placed using the keyboard and is routed through a cable modem.[161]

a. Advantages of VoIP

VoIP has several advantages over traditional phone service:[162]

1. Because VoIP is digital, it may offer features and services that are not available with a traditional phone line. Some popular plans include unlimited local calls and unlimited long distance calls within the U.S. for a flat monthly fee, while other plans include unlimited (or extremely discounted) international calls.

2. For those individuals with a broadband internet connection and a computer microphone, it may be possible to make telephone calls without paying for a phone line.

3. Many VoIP plans offer "a la carte" phone services, usually provided at an expense by traditional phone companies, at no extra charge. Such services include caller ID, call waiting, call forwarding, and conference calling.

4. Some VoIP plans allow a caller to use VoIP service at any location, as long as there is a high speed Internet connection available. In that case, it would work the same from a home or from a business.

b. Disadvantages of VoIP

There are also some disadvantages to using VoIP, as opposed to traditional phone service:^{^[163]}

1. Some VoIP services do not work during power outages and the service provider may not offer backup power.

2. Not all VoIP services connect directly to emergency services through 911. The FCC recently ordered all VoIP service providers to provide enhanced 911 capabilities as a standard feature of service. However, 911 service may not be available during power outages if the service provider does not offer backup power.

3. Some VoIP providers may not offer directory assistance or white page listings.

4. VoIP is only available to those individuals with a high-speed internet connection.

2. The Legal Aspects of Voice-Over-Internet-Protocol

Regulation is the most prominent issue regarding VoIP. In the last several years, both the FCC and federal courts have ruled that VoIP is an interstate matter. Therefore, the FCC has jurisdiction over VoIP, and states may not group VoIP with regular telephone service companies for regulatory purposes.

Additionally, the FCC has kept VoIP free of heavy regulation. The following statement appears on the FCC's VoIP website:

"The Federal Communications Commission (FCC) has worked to create an environment promoting competition and innovation to benefit consumers. Historically, the FCC has not regulated the Internet or the services provided over it. On February 12, 2004, the FCC found that an entirely Internet-based VoIP service was an unregulated information service. On the same day, the FCC began a broader proceeding to examine what its role should be in this new environment of increased consumer choice and what it can best do to meet its role of safeguarding the public interest."[164]

FCC Chairman Michael Powell "has indicated that the FCC has no intention of setting rules for VoIP service--not yet, anyway. Powell has said that he would like to see the FCC exercise a 'light touch' on any regulation of VoIP. The FCC used that same 'light touch' back in the early 1990s in the areas of the Internet and cellular phone service. Proponents of non-regulation argue that this hands-off approach has allowed for the rapid growth, advanced technology and competitive rates that consumers enjoy today from both industries."[165]

State regulatory agencies have had little success in courts asserting a right to regulate VoIP services as they do telephone services. The most notable case as of yet came out of Minnesota. In 2003, "the Minnesota Public Utilities Commission (MPUC) filed a complaint against VoIP provider Vonage alleging, among other things, that Vonage had failed to obtain the proper licensing required to provide telephone service in Minnesota. The MPUC ordered Vonage to comply with the Minnesota statutes and rules regarding the offering of telephone services."[166]

When Vonage appealed to the U.S. District Court for the District of Minnesota, seeking a preliminary injunction against the MPUC, the District Court agreed with Vonage, holding the following:

"Vonage is an information service provider. In its role as an interpreter of legislative intent, the court applies federal law demonstrating Congress's desire that information services such as those provided by Vonage must not be regulated by state law enforced by the MPUC. State regulation would effectively decimate Congress's mandate that the Internet remain unfettered by regulation. The court therefore grants Vonage's request for injunctive relief."[167]

The MPUC appealed to the Eighth Circuit Court of Appeals. Vonage Holdings Corp. v. Minn. Pub. Util. Comm'n, 394 F.3d 568 (8th Cir. 2004). In the time between the MPUC's appeal and when the Eighth Circuit came to a decision, the FCC released a Memorandum Opinion and Order in which it specifically preempted the MPUC's ability to apply traditional telephone regulation to Vonage's VoIP services. Vonage: In re Vonage Holdings Corp. Petition for Declaratory Ruling Concerning an Order of the Minn. Pub. Util. Comm'n, 19 FCC Rec. 22404 (Nov. 12, 2004). In its Memorandum Opinion and Order, the FCC stated:

"We conclude that DigitalVoice [Vonage's VoIP service] cannot be separated into interstate and intrastate communications for compliance with Minnesota's requirements without negating valid federal policies and rules. In so doing, we ...mak[e] clear that this Commission, not the state commissions, has the responsibility and obligation to decide whether certain regulations apply to DigitalVoice and other IP-enabled services having the same capabilities. For such services, comparable regulationsof other states must likewise yield to important federal objectives. Similarly, to the extent that other VoIP services are not the same as Vonage's but share similar basic characteristics, we believe it highly unlikely that the Commission would fail to preempt state regulation of those services to the same extent."

Id. at 22404-22405 (footnotes omitted). The Eighth Circuit upheld both the District Court's ruling and the FCC order, thus preventing the MPUC from regulating Vonage's VoIP service. Vonage, 394 F.3d at 569.

The Ohio Public Utilities Commission has ruled in accordance with the FCC's mandate, refusing to require a VoIP company to apply for a certificate before operating VoIP phone service in Ohio.[168] The most recent VoIP regulation by the FCC involves 911 services, which were often not available for VoIP customers. The FCC has required VoIP providers to supply enhanced 911 capabilities to all customers as a standard feature of service, rather than as an optional enhancement.[169]

National Business Institute -- Digital Technology and the Law
By Ronald I. Raether

III. LIABILITY ARISING OUT OF ON-LINE ACTIVITY

A. Federal and State Laws and Uniform Acts

1. Can Spam Act

a. The Can-Spam Act of 2003 Regulates the Transmission of Unsolicited Commercial E-Mails

One can be liable for online activity if one sends advertisements via electronic mail messages ("e-mails")[170] to persons that one does not have a prior business relationship with if those e-mails do not comply with the Controlling the Assault of Non‑Solicited Pornography and Marketing Act (the "CAN-SPAM Act of 2003" or the "Act"), 15 U.S.C. D D7701-7713. The CAN-SPAM Act of 2003 regulates the distribution of unsolicited commercial e-mail ("UCE"), which is commonly known as "spam." Senate Rep. No. 108-102, at 1-2 (2003); White Buffalo Ventures, LLC v. Univ. of Texas at Austin, No.A-03-CA-296-SS, 2004 U.S. Dist. Lexis 19152, at *2 (W.D. Texas March 22, 2004). The Act defines commercial electronic mail message as any "electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service (including content on an Internet website operated for a commercial purpose)." 15 U.S.C. D7702(2)(A). This definition does not include e-mails derived from a transaction or a relationship. Id. at D7702(2)(B). According to the Act:

"The term 'transactional or relationship message' means an electronic mail message the primary purpose of which is--

(i) to facilitate, complete, or confirm a commercial transaction that the recipient has previously agreed to enter into with the sender;

(ii) to provide warranty information, product recall information, or safety or security information with respect to a commercial product or service used or purchased by the recipient;

(iii) to provide--

(I) notification concerning a change in the terms or features of:

(II) notification of a change in the recipient's standing or status with respect to; or

(III) at regular periodic intervals, account balance information or other type of account statement with respect to, a subscription, membership, account, loan, or comparable ongoing commercial relationship involving the ongoing purchase or use by the recipient of products or services offered by the sender;

(iv) to provide information directly related to an employment relationship or related benefit plan in which the recipient is currently involved, participating, or enrolled; or

(v) to deliver goods or services, including product updates or upgrades, that the recipient is entitled to receive under the terms of a transaction that the recipient has previously agreed to enter into with the sender."

Id. at D7702(17).[171] In essence, these types of e-mails are considered solicited; in contrast, commercial e-mails are considered unsolicited.

Congress enacted the Act because it found that e-mail was an important means of communication and commerce, and the plethora of unsolicited commercial e‑mail increased the cost and decreased the efficiency, convenience, reliability, and usefulness of e-mail for consumers; Internet Service Providers ("ISP"); businesses; and educational and non-profit institutions. Id. at7701(a)(1)‑(a)(6). Moreover, it found that most UCEs were fraudulent or deceptive, and some were of a nature that recipients found vulgar or pornographic. Id. at D7701(a)(2); 7701(a)(5). Congress also found that many senders[172] deceive or mislead recipients about the source of content of their e-mails by including "misleading information in the messages' subject lines in order to induce the recipients to view the messages." Id. at D7701(a)(8). Congress found that largely, senders did not provide a "simple and reliable" method for recipients to demand that senders not send them future e-mails or that senders refused to comply with requests from recipients to not send e-mail. Id. at D7701(9). In addition, Congress found that senders obtain recipients' e-mail addresses without the recipients' permission: "many senders of bulk unsolicited commercial electronic mail use computer programs to gather large numbers of electronic mail addresses on an automated basis from Internet websites or online services where users must post their addresses in order to make full use of the website or service." Id. at D7701(10).[173] Finally, Congress found that national legislation was necessary because state legislation on UCE was disparate and not an effective means to control e-mail because "an electronic mail address does not specify a geographic location." Id. at D7701(11).

b. The Can-Spam Act of 2003 has Nine Requirements

(1) E-mail Messages Cannot Contain Materially False or Misleading Header Information

Senders must accurately identify themselves and from where they are sending their message. The Act prohibits senders of commercial e-mail messages and transactional or relationship messages from sending messages to protected computers that contain, or are accompanied by, materially false or misleading header information. 15 U.S.C. D7704(1). A protected computer is a computer "used in interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States." 18 U.S.C. D1030(e)(2)(B).[174] The Act defines header information as "the source, destination, and routing information attached to an electronic mail message, including the originating domain name and originating electronic mail address, and any other information that appears in the line identifying or purporting to identify, a person initiating the message." 15 U.S.C. D7702(8).[175] Materiality in this context includes:

"the alteration or concealment of header information in a manner that would impair the ability of an Internet access service processing the message on behalf of a recipient, a person alleging a violation of this section, or a law enforcement agency to identify, locate, or respond to a person who initiated the electronic mail message or to investigate the alleged violation, or the ability of a recipient of the message to respond to a person who initiated the electronic message."

15 U.S.C. D7704(a)(6).

There are three categories of materially false or misleading headers: (1)if the originating e-mail address, domain name, or Internet Protocol address is technically accurate, but was obtained by false or fraudulent pretenses or representations, id. at D7704(a)(1)(A); (2)a "from line" that does not accurately identify the person who sent the message, id. at D7704(a)(1)(B); [176] (3)a header that does not accurately identify the protected computer it was initiated from, sent by a person who knowingly uses another protected computer to disguise the origins of the message, id. at D7704(a)(1)(C).

(2) UCE Senders Are Prohibited From Writing Deceptive Subject Lines About the Contents or Subject Matter of Their Messages

The Act prohibits senders from sending UCE with deceptive subject headings. 15U.S.C. D7704(a)(2). In order to be liable under 15 U.S.C. D7704(a)(2), the sender must have "actual knowledge, or knowledge fairly implied on the basis of objective circumstances, that a subject heading of the message would likely to mislead a recipient, acting reasonably under the circumstances, about a material fact regarding the contents or subject matter of the message (consistent with the criteria used in enforcement of Section 5 of the Federal Trade Commission Act (15 U.S.C. 45))." 15U.S.C. D7704(a)(2).

(3) All UCE Must Include An Opt-out Method

The Act requires UCE senders to "clearly and conspicuously" display a return e‑mail address or another Internet-based response mechanism in the UCE that will be viable for at least 30 days after the communication is sent that recipients can use to request that the sender not send future e-mails.[177] 15 U.S.C. D7704(a)(3)(A). A sender is not liable if the return e-mail address or other mechanism is temporarily unable to receive messages or process requests due to a "technical problem beyond the control of the sender if the problem is corrected within a reasonable time period." Id. at D7704(a)(3)(C). The sender must honor the recipient's request to stop sending e-mails in ten business days. Id. at D7704(a)(4)(A)(i). Once the recipient has opted-out, the sender cannot help another entity send e-mail to that address, or have another entity send e-mail to that address on the sender's behalf. 15 U.S.C. D7704(a)(4)(A)(ii); Federal Trade Commission ("FTC"), Facts for Business, "The CAN-SPAM Act: Requirements for Commercial Emailers." Neither can it sell or transfer those e-mail addresses in a mailing list or any other form. 15 U.S.C. D7704(a)(4)(A)(iv); FTC, "The CAN-SPAM Act." However, the sender can give an opted-out e-mail address to another entity in order for that entity to comply with the Act. 15 U.S.C. D7704(a)(4)(A)(iv); FTC, "The CAN‑SPAM Act." The scienter required for a person working on behalf of the sender is "actual knowledge, or knowledge fairly implied on the basis of objective circumstances" that the UCE would violate the recipient's request. 15 U.S.C. D7704(a)(4)(A)(iii). The sender may create a "menu" of choices to allow a recipient to choose to opt-out of certain types of messages, but one of the menu choices must be to end any commercial messages from the sender. 15 U.S.C. D7704(a)(3)(B); FTC "The CAN-SPAM Act."

(4) The UCE Must Identify Itself as an Advertisement or Solicitation

A sender must provide clear, conspicuous notice in the UCE that the message is an advertisement or solicitation. 15 U.S.C. D7704(a)(5)(A)(i). However, if the recipient has previously given affirmative consent[178] to receive of the message, then the message does not need to include the advertisement or solicitation identification. 15U.S.C. D7704(a)(5)(B).

(5) The UCE Must Include the Sender's Valid Postal Address

A sender must provide its valid physical postal address in the message. 15U.S.C. D7704(5)(A)(iii).

(6) Senders May Not Use Harvesting or Dictionary Attacks to Collect E‑mail Addresses

Senders will be liable if they use harvesting or dictionary attacks[179] to gather e‑mail addresses to send UCE to. 15 U.S.C. D7704(b)(A). These are considered aggravated violations. Id. In order to be liable, the sender's scienter must be "actual knowledge, or knowledge fairly implied on the basis of objective circumstances" that the e-mail addresses were obtained through harvesting or via a dictionary attack. Id. at D7704(b)(1)(A).

(7) Senders Cannot Create Multiple E-Mail Accounts For the Purpose of Sending E‑mails That Violate The Act

It is an aggravated offense to "use scripts or other automated means to register for multiple electronic mail accounts or online user accounts" in order to send e‑mails that violate the Act. Id. at D7704(b)(2).

(8) Senders Can Incur Liability From Relaying and Retransmitting UCE

It is an aggravated offense to relay or retransmit a UCE to a protected computer or computer network that the sender did not have authorization to access. Id. at D7704(b)(3).

(9) Sexually Oriented E-mails Must Contain Warning Labels in the Subject Headings

If prior consent was not given, in addition to the other requirements for UCEs, e‑mails that contain sexually oriented material must contain the phrase "SEXUALLY-EXPLICIT" in capital letters in the first nineteen characters of the subject heading. 15 U.S.C. D7704(d)(1)(A), D7704(d)(2); Rules Implementing the CAN-SPAM Act of 2003, 16 CFR D316.4(a)(1), D316.4(b). The Act defines sexually oriented material as "any material that depicts sexually explicit conduct (as the term is defined in Section 2256 of Title 18, United States Code), unless the depiction constitutes a small and insignificant part of the whole, the remainder of which is not primarily devoted to sexual matters." Id. at D7704(d)(4).[180]

If the content of the message is "initially viewable by the recipient" once the recipient opens the message, the e-mail must contain the phrase "sexually explicit" in a "clear and conspicuous manner" in all capital letters. 16CFR D316.4(a)(2). Also the e-mail should contain a "clear and conspicuous statement that to avoid viewing the sexually oriented material, a recipient should delete the e-mail message" without following activation instructions. Id. at316.4(a)(2)(vi). The e‑mail should contain instructions on how to access the sexually oriented material." Id.

The penalty for knowingly violating 15 U.S.C. D7704(d)(1) is five years imprisonment or a fine under United States Code Title 18, or both. 15 U.S.C. D7704(d)(5).

c. Entities That Can Initiate Lawsuits Under The Can‑Spam Act Of2003

Private individuals cannot sue under the CAN-SPAM Act of 2003. The FTC can file a civil lawsuit under its authority under Section 18 of the Federal Trade Commission Act, 15 U.S.C. 41 et seq., 15 U.S.C. D 7706(a). The FTC accepts e-mails from consumers who think they have received a deceptive e-mail, which the FTC uses to pursue law enforcement actions against people who send deceptive e-mail. FTC, http://www.ftc.gov/spam/ "Introduction."

The Department of Justice has the power to pursue criminal sanctions against violators. The following list of federal agencies also have the power to bring an enforcement action against violators:

1. Office of the Comptroller of the Currency, id. at D7706(b)(1)(A);

2. the Federal Reserve Board, id. at D7706(b)(1)(B);

3. the Federal Deposit Insurance Corporation, id. at D7706(b)(1)(C);

4. the Office of Thrift Supervision, id. at D7706(b)(1)(D);

5. the Department of Transportation, id. at D7706(b)(7);

6. the Department of Agriculture, id. at D7706(8);

7. the Farm Credit Administration, id. at D7706(9);

8. the Securities and Exchange Commission, id. at D7706(b)(3);

9. Board of the National Credit Union Administration, id. at D7706(b)(2); and

10. the Federal Communications Commission, id. at D7706(b)(10).

The FTC and the Federal Communications Commission does not have to prove state of mind to enforce compliance through an order to cease and desists or an injunction. Id. at D7706(e).

State attorney generals can sue in parens patriae for aggrieved citizens of their state in a federal district court of appropriate jurisdiction to: (1)obtain injunctive relief ; (2)or recover actual or statutory damages, whichever is greater. Id. at D7706(f)(1). A state attorney general does not have to prove state of mind to obtain injunctive relief. Id. at D7706(f)(2). Statutory damages are determined by multiplying the number of violations by up to $250. Id. at D77069(f)(3)(A).[181] Statutory damages cannot exceed $2,000,000 unless the violation is for a false or misleading subject heading. Id. at D7706(f)(3)(B). Damages can be increased if the defendant knowingly and willfully committed the violation or if he committed an aggravated form of the offense as described in 15 USC D7704(b). Damages can be reduced if: (1)at the time the violation occurred the defendant had "commercially reasonable practices and procedures designed to effectively prevent such violations;" or (2)"the violation occurred despite commercially reasonably efforts to maintain compliance" by implementing commercially reasonable practices and procedures. Id. at D7706(f)(3)(D). Attorneys' fees are appropriate in some cases. Id. at D7706(f)(5). A state attorney general can sue for a specific violation under any of the regulation provisions of 15 U.S.C. D7704(a) or (d), or for a pattern or practice of violations under 15U.S.C. D 7704(a). Id. at D7706(f)(1).

Generally, the knowledge level for a civil action to recover monetary damages is "actual knowledge, or knowledge fairly implied on the basis of objective circumstances, of the act or omission that constitutes the violation." Id. at D7706(f)(9).

Companies that provide Internet access, Internet Service Providers ("ISP"), can also sue if it is adversely affected by a violation or if there is a pattern or practice of violation of 15 U.S.C. D7704(a). 15 U.S.C. D7706(g); See White Buffalo Ventures, LLC v. University of Texas at Austin, No.A-03-CA-296-SS, 2004 U.S. Dist. LEXIS, at13 (W.D. Tex. March 22, 2004) (holding that the CAN SPAM Act of 2003 does not preempt a university, as a Internet service provider, from regulating employees, faculty, and students' access to spam). The ISP can seek injunctive relief or monetary damages in an amount equal to the greater of: (1)actual damages or (2)statutory damages. 15 U.S.C. D7706(g)(1). Statutory damages are calculated by multiplying the number of violations by the appropriate multiplier: (1) up to $100 for each D7704(a)(1); (2)up to $25 for any other violation in D7704. Id. at D7706(g)(3)(A). With the exception of a violation of D7704(a)(1), where there is a $1,000,000 cap on damages. Id. at D7706(g)(3)(B). As with actions brought by state attorney generals, ISP actions can have their damages decreased or enhanced based on special circumstances, and attorneys' fees can be rewarded. Id. at D7706(g)(3)(C)-(D); D7706(g)(4).

Under the Act, you cannot allow another person or entity to do your illegal e‑mailing for you; you will be held liable if you knowingly allow yourself to be promoted by false or misleading information. Id. at D7705(a). The standard for liability is as follows:

"(1)knows, or should have known in the ordinary course of that person's trade or business, that the goods, products, property, or services sold, offered for sale, leased or offered for lease, or otherwise made available through that trade or business were being promoted in such a message;

(2) received or expected to receive an economic benefit from such promotion; and

(3) took no reasonable action--

(A) to prevent the transmission; or

(B) to detect the transmission and report it to the Commission."

Id. at D 7705(a). A third party can be liable for another's violation of the Act if that third party:

"provides goods, products, property, or services to another person that violates subsection (a) if that third party--

(A) owns, or has a greater than 50 percent ownership or economic interest in, the trade
or business of the person that violated subsection (a); or

(B) (i) has actual knowledge that goods, products, property, or services are promoted in a commercial electronic mail message the transmission of which is in violation of section 5(a)(1) [15 USC D7704(a)(1)]; and

(ii) receives, or expects to receive, economic benefit from such promotion."

Id. at D7705(b)(2).

d. The Do Not E-Mail List Proposed In The Can-Spam Act Of 2003 Did Not Come to Fruition

Congress ordered the FTC to submit a report to the Senate Committee on Commerce, Science, and Transportation and the House of Representatives Committee on Energy and Commerce that detailed a plan for establishing a Do Not E-mail list, that was to contain e‑mails that companies could not e-mail with solicitations, similar to the National Do Not Call list. 15 U.S.C. D7708. See FTC, "National Do Not Email Registry: A Report to Congress," June 2004, p. i, accessed at http://www.ftc.gov/reports/dneregistry/report.pdf ("In essence, Section9 of the CAN‑SPAM Act asks the Commission to determine whether and how the success of the National Do Not Call registry can be replicated in the context of spam"). In its report, the FTC concluded that "under present conditions, a National Do Not Email Registry in any form would not have any beneficial impact on the spam problem." FTC, "National Do Not Email Registry" at p.37. The FTC determined that "spammers would most likely use a Registry as a mechanism for verifying the validity of e-mail addresses and, without authentification, the Commission would be largely powerless to identify those responsible for misusing the Registry." Id. at i. The FTC further determined that "a Registry-type solution to spam would raise serious security, privacy, and enforcement difficulties" especially because it would give pedophiles easier access to children's e-mail addresses. Id. Instead of a National Do Not E-mail list, the FTC recommended that the private market develop an "authentification standard" to authenticate the origin of e‑mails so that their origin cannot be falsified, and to aid law enforcement and ISPs identify spammers. Id. ati‑ii, 37. Spammers currently operate under a shroud of anonymity[182], which an authentification standard would remove. Id. at 1. The FTC proposed that a National Do Not E-mail list idea be revisited after the development of an authentification standard. Id. at ii.

e. The Litigator's Perspective

Because the CAN-SPAM Act of 2003 became effective January 1, 2004, there are a limited number of cases where the Act has been used as a cause of action.[183]

The Federal Trade Commission has been the most vigilant (of the federal agencies granted with the ability to enforce the Act) enforcer. The following is a list of some of the important FTC decisions: FTC v. Harry, No.04C 4790, 2004 U.S. Dist. LEXIS 15588, *8-9 (N.D. Ill. July 27, 2004) (granting a temporary restraining order against a health products distribution company for initiating the transmission of UCE that: (1)contained false or misleading header information; (2)failed to include a clear and conspicuous notice of the opportunity to decline to receive further UCE from the sender; and (3)failed to include a valid physical postal address of the sender); FTC v. Bryant, No.3:04-cv-897-J-32MMH, 2004 U.S. Dist. LEXIS 23315, *10-11 (M.D. Florida Oct. 4, 2004) (preliminarily restraining and enjoining defendant from sending commercial e-mail or transaction or relationship message that contain materially false or misleading header information or misleading subject headings); FTC v. Phoenix Avator, LLC, No.04 C 2897, 2004 U.S. Dist. LEXIS 14717 (N.D. Ill. July 29, 2004) (preliminarily enjoining the defendants from, among other things, initiating commercial electronic e-mails that contain false or misleading header violation, failing to include a clear and conspicuous opt-out notice, and failings to include sender's valid physical postal address); FTC v. Global Web, 04 C 3022, 2004 U.S. Dist. LEXIS 15648 (N.D. Ill. Aug. 9, 2004) (holding defendant in contempt for failing to adhere to stipulated preliminary injunction. FTC alleged that the defendant (1)disguised their routing information; (2)failed to include an opt-out method; (3)failed to provide a physical postal address in the e-mail).

An example of a case brought by a ISP is Microsoft Corp. v. Neoburst.net, LLC, No.C-03-00718 RMW, 2004 U.S. Dist. LEXIS 18733 (N.D. Cal. Aug. 30, 2004) (permanently enjoining defendants from, among other things, violating the CAN-SPAM Act, including: (1)"obtaining, compiling, selling, harvesting, mining, trafficking in, or trading, or directing, aiding," or conspiring with others to do the aforementioned for the sending or delivery or any unsolicited bulk or unsolicited commercial electronic communication; or (2)"selling, offering for sale, or distribute any software that allows the user to knowingly send unsolicited bulk or unsolicited commercial electronic communications"). ISPs give the CAN-SPAM Act of 2003 mixed reviews:

"According to one ISP that has sued numerous spammers, litigation costs can range from $100,000 or less (when the spammer is easily identifiable)to more than $2 million (when the spammer mounts an aggressive defense). Not surprisingly, some ISPs believe that lawsuits against spammers are an expensive and often fruitless way to stop spam. Instead, these ISPs expend the bulk of their anti-spam resources improving their filtering technologies."

FTC, "National Do Not Email Registry," atp. 25.

Some companies that send UCE try to use the Act offensively. In one instance, a plaintiff that was in the business of sending UCE, argued that the Act entitled it to e-mail addresses that defendant, an anti-spamming company, obtained from the e‑mail address holders in order to create reports on alleged spam incidents. Optinrealbig.com, LLC v. Ironport Sys., Inc., 323 F.Supp. 2d 1037, 1050 (N.D. Cal. 2004) (denying plaintiff's motion for a preliminary injunction and holding that it was the plaintiff's sole responsibility to comply with the Act and prevent violations). The court rejected plaintiff's argument that it was entitled to the e-mail address to assist it in verifying whether the complainer opted-out of future e-mails, and if so whether plaintiff complied with request. Id. In several other cases, plaintiffs who sent UCE argued that the particular UCE state regulation at issue was preempted by the Act based on 15 U.S.C. D7707(b).[184] Commonwealth of Virginia v. Jaynes, 65 Va. Cir. 355, 369-370 (Va. Ct. App. 2004) (rejecting defendant's argument that CAN-SPAM Act of 2003 preempted a Virginia statute that prohibited the falsification or forging of transmission or other routing information in the transmission of unsolicited bulk electronic mail because it could be "harmonized" with the Act and it "prohibit[ed] falsity or deception in any portion of a commercial electronic mail message or information attached thereto," a noted exception in the Act); White Buffalo, No.A-03-CA-296-SS, 2004 U.S. Dist. LEXIS 19152 (W.D. Tex. March 22, 2004) (holding that state university's anti-solicitation policy was not preempted by the CAN-SPAM Act of 2003 because the: (1)regulation "cannot be said to be specific to electronic mail since it regulates all forms of solicitation;" (2)"even though the UT ITS[185] anti-spam policy obviously relates to commercial electronic mail, it is not clear an ITS policy is a 'statute, regulation, or rule of a State or political subdivision of a State' and therefore preempted [by] D7707(b)(1); (3)"even if [it] were, however, UT is certainly a provider of Internet access service to its students, if not to its employees and faculty, and as such, is expressly authorized under the statute to implement policies declining to transmit, route, relay, handle or store spam.").

The first CAN-SPAM Act of 2003 lawsuit filed by a state attorney general resulted in settlement. Hiawatha Bray, Spammer to Pay $25,000 Settlement Mass. Lawsuit Was the First by a State Under U.S. E-mail Law, The Boston Globe D3 (Oct. 8, 2004). The Massachusetts Attorney General sued William C. Carson under the Act for: (1)sending UCE without the advertisement or solicitation label; (2)falsifying the originating e-mail address; (3)failing to provide an opt-out mechanism for recipients. Id. In the settlement agreement, the defendant agreed to stop violating the Act, and pay $25,000. Id.

2. Digital Millennium Copyright Act

a. Explanation of the Act

President Clinton signed the Digital Millennium Copyright Act (the "DMCA") into law on October 28, 1998. The DMCA extended the reach of copyright in the United States, while attempting to limit the liability of Internet Service Providers ("ISP") from copyright infringement by their users.

The DMCA consists of five titles. Title I contains the DMCA's anti‑circumvention provisions. 17 U.S.C. D 1201 et seq. Title II consists of the Online Copyright Infringement Liability Implementation Act 17 U.S.C. D 512 et seq., referred to as the DMCA takedown provisions. In this past term, the United States Supreme Court declined to hear two important cases interpreting these provisions of the DMCA.

(1) Anti-Circumvention

The DMCA anti-circumvention provisions contain three major prohibitions and several statutory exceptions. Section 1201(a)(1)(A) prohibits the circumvention of a technological measure that effectively controls access to a work protected by copyright. Section 1201(a)(2) prohibits the trafficking in access control circumvention devices which fall into the three categories contained in D D1201(a)(2)(A)‑(C). Sections 1201(a)(3)(A)-(B) define "'circumvent[ing] a technological measure'" and a technological measure that "'effectively controls access to a work.'" Section 1201(b)(1) prohibits the trafficking of devices that circumvent copy control as described in D D 1201(b)(1)(A)-(C) of the DMCA.

The DMCA contains a number of selectively applicable exceptions to the anti-circumvention provisions. 17 U.S.C. D D 1201(d)-(g). These include exceptions for nonprofit organizations, for reverse engineering purposes, and for encryption research. Id.

Copyright holders such as the Motion Picture Association of America ("MPAA") and the Recording Industry Association of America ("RIAA") support the anti-circumvention provisions of the DMCA as necessary to prevent copyright infringement in the digital era:

"'It's easy to assert you feel chilled, but I don't see any evidence to support that,' says Fritz Attaway, general counsel for the MPAA. And the record industry is resisting efforts by equipment makers and academics to modify the DMCA. RIAA Senior Vice-President Mitch Glazier says softening the act would give pirates a blatant right to hack."[186]

Opponents say the anti-circumvention provisions create serious chilling effects:

"Critics of the entertainment industry are especially alarmed by assaults on generic technologies, such as peer-to-peer computing. 'The popular view is that I must protect the absolute interests of the copyright holder,' says Gregory M. Papadopoulos, chief technology officer at Sun Microsystems Inc. 'That's scary because I know it will slam innovation. If I can't have someone throw together the next great video system for my home because everything is going to be locked down in copyrights, then [breakthroughs by] kids in the garage won't happen.'''[187]

Recently, the United States Supreme Court declined to hear a case involving the anti-circumvention provisions of the DMCA. In Lexmark Int'l, Inc. v. Static Control Components, Inc., 387 F.3d 522 (6th Cir. 2004), cert. denied, 545 U.S. ___, ___ S. Ct. ___ (2005), the Court of Appeals vacated and remanded the trial court's grant of a preliminary injunction to Lexmark. Lexmark had tried to use the anti-circumvention provisions of the DMCA to stop Static Control Components ("SCC"), a competitor, from making cheaper, refurbished toner cartridges that could be used in Lexmark's printers. The Sixth Circuit rejected Lexmark's claim that SCC's toner cartridge microchip was a device used to circumvent a technological measure. The Court held that "[a]nyone who buys a Lexmark printer may read the literal code of the Printer Engine Program directly from the printer memory, with or without the benefit of the authentication sequence, and the data from the program may be translated into readable source code after which copies may be freely distributed." Id. at 546. The Court concluded that "it is not the SCC chip that permits access to the Printer Engine Program but the consumer's purchase of the printer." Id. at 550.

The anti-circumvention provisions of the DMCA mandate that the accused device circumvent a technological measure, and that that measure effectively control access to the protected work. After Lexmark, leaving open some routes of access to the underlying work could negate the "control" and "effectiveness" requirements of the DMCA.

(2) Takedown Provisions

Under Title II of the DMCA, a copyright holder can send a "takedown" notice to an ISP, requesting that copyrighted material be removed from a website. 17U.S.C. D 512 et seq. Section 512(c) defines the takedown notice procedures. Section 512(f) provides that an ISP receiving a false notice can sue for damages and attorney's fees, but only if the sender "knowingly materially misrepresents" that the material is infringing. Sections 512(a)-(e) provide five safe harbors for an ISP. The safe harbors are: (1) if an ISP does nothing more than transmit, route, or provide connections for infringing material; (2) if an ISP "system caches" by providing intermediate and temporary storage under certain circumstances; (3) if the material resides on the ISP's system or network at the direction of others; (4) if an ISP merely links users to online locations containing infringing material; and (5) if the ISP is a nonprofit educational institution. Id.

Recently, the United States Supreme Court declined to hear a case involving the takedown provisions of the DMCA. In Rossi v. Motion Picture Ass'n of Am., Inc., 391 F.3d 1000 (9th Cir. 2004), cert. denied, 545 U.S. ___, 125 S. Ct. 1977 (2005), the Court of Appeals affirmed the trial court's grant of summary judgment in favor of the MPAA. The case involved the internetmovies.com website owned by the plaintiff Rossi. The website offered memberships, and contained such language as "'Join to download full length movies online now!'" Id. at 1002. After viewing the website, the MPAA followed the takedown provisions of the DMCA and sent notices to Rossi and his ISP "informing them of the asserted infringement." Id. Rossi sued, claiming that the MPAA did not have a "'good faith belief' under [Section] 512(c)(3)(A)(v) that Rossi was illegally infringing the MPAA's copyrights." Id. at 1003. Rossi claimed that the MPAA was required to "conduct a reasonable investigation into the allegedly offending website," by actually attempting to download movies from the website. Id. The Court held that the "good faith belief" requirement in the DMCA was a subjective, rather than objective, standard. The Court concluded that "[g]iven the explicit nature of the statements on Rossi's website, the district court properly found that no issue of material fact existed as to MPAA's 'good faith belief' that Rossi's website was infringing upon its copyrighted materials." Id. at 1006.

(3) Use of Subpoenas

Section 512(h) of the DMCA permits a copyright owner to "request the clerk of any United States district court to issue a subpoena to [an ISP] for identification of an alleged infringer" prior to filing suit.

In Charter Communs., Inc., Subpoena Enforcement Matter v. Charter Communs., Inc., 393 F.3d 771 (8th Cir. 2005), the Court of Appeals held that copyright owners may not use subpoenas under the DMCA when the ISP is acting as a mere conduit providing only Internet transmission and routing services between or among customer-owned personal computers. Charter Communications is an ISP. The trial court granted subpoenas to the RIAA, after the RIAA discovered the Internet Protocol addresses and user names of ninety-three Charter subscribers it suspected of trading copyrighted music files. Id. at 774. The trial court denied Charter's motions to quash the subpoenas. The Court of Appeals reversed, holding that the safe harbor provision in Section 512(a) of the DMCA applied to Charter because it "acted solely as a conduit for the transmission of material by others (its subscribers using P2P file-sharing software to exchange files stored on their personal computers . . . .)." Id. at 777.

The practical effect of the decision in Charter and similar cases has been that copyright owners such as the RIAA use John Doe lawsuits rather than the DMCA subpoena process to obtain the identities of suspected infringers.[188] The copyright owners identify the suspected infringers by the Internet Protocol address of the computer sharing the file. The copyright owners then file motions requiring the ISPs that own the addresses to identify the customers.[189]

3. The Lanham Act: Federal Trademark Dilution Act

Owners of "famous" trademarks now have protections against dilution that are not available to owners of less well-known trade names: the Federal Trademark Dilution Act of 1995 ("FTDA").[190] The FTDA amended the Lanham Trademark Act to provide a cause of action for the dilution of famous trademarks. The FTDA was passed in part because traditional trademark actions were not successful in the fight against cybersquatters.[191] "Cybersquatting" is the use by one person of another's mark as an Internet domain name.[192]

The FTDA permits an action against a person using the mark of a "famous" company "based on the theory that the use of such a famous mark necessarily rides on the coattails of the goodwill associated with the mark and lessens the ability of the mark to distinguish the original trademark owner's goods."[193] Until that time, federal trademark law had not recognized a dilution theory of liability.[194]

The FTDA is codified at 15 U.S.C. 1125(c), which in relevant part provides:

"(c) Remedies for dilution of famous marks.

(1) The owner of a famous mark shall be entitled, subject to the principles of equity and upon such terms as the court deems reasonable, to an injunction against another person's commercial use in commerce of a mark or trade name, if such use begins after the mark has become famous and causes dilution of the distinctive quality of the mark, and to obtain such other relief as is provided in this subsection. In determining whether a mark is distinctive and famous, a court may consider factors such as, but not limited to--

(A) the degree of inherent or acquired distinctiveness of the mark;

(B) the duration and extent of use of the mark in connection with the goods or services with which the mark is used;

(D) the geographical extent of the trading area in which the mark is used;

(E) the channels of trade for the goods or services with which the mark is used;

(F) the degree of recognition of the mark in the trading areas and channels of trade used by the marks' owner and the person against whom the injunction is sought;

(G) the nature and extent of use of the same or similar marks by third parties; and

(H) whether the mark was registered under the Act of March 3, 1881, or the Act of February 20, 1905, or on the principal register."[195]

15 U.S.C. D 1127 defines "dilution" as "the lessening of the capacity of a famous mark to identify and distinguish goods or services, regardless of the presence or absence of -- (1)competition between the owner of the famous mark and other parties, or (2) likelihood of confusion, mistake, or deception."

Before the United States Supreme Court's decision in Moseley v. V Secret Catalogue, Inc., 123 S. Ct. 1115, 1118-19 (2003), the federal circuits split on what constituted the applicable standard of proof when actual injury to the economic value of a famous mark was displayed and plaintiff wanted to recover under the FTDA.[196] Moseley ruled that actual dilution is the standard to be used.[197]

Moseley was the Court's first chance to review the FTDA. In that case the owners of the Victoria's Secret trademark sued the owners of an adult novelty store called Victor's Secret. Id. at 422-23. The district court had ruled for the trademark owners. The Supreme Court reversed. Although the Victoria's Secret mark was unquestionably famous, the Court held that actual dilution was not shown. Id. at 433-34. The means of proving actual dilution, however, remain unclear: "[i]t may well be, however, that direct evidence of dilution such as consumer surveys will not be necessary if actual dilution can reliably be proven through circumstantial evidence -- the obvious case is one where the junior and senior marks are identical." Id. at 434.

4. Uniform Real Property Electronic Recording Act

In 2002, the National Conference of Commissioners on Uniform State Laws ("NCCUSL") appointed a drafting committee to draft a Uniform Real Property Electronic Recording Act ("URPERA").[198] The drafters completed their work in 2004.[199] URPERA "will create legislation authorizing land records officials to begin accepting and storing records in electronic form."[200] However, a new uniform act must be considered at two annual meetings by all of the commissioners before it can be approved; only then is it officially promulgated for consideration by the states.[201]

As the prefatory notes of the official version of the Act state:

"The Uniform Real Property Electronic Recording Act was drafted to remove any doubt about the authority of the recorder to receive and record documents and information in electronic form. Its fundamental principle is that any requirements of state law describing or requiring that a document be an original, on paper, or in writing are satisfied by a document in electronic form. Furthermore, any requirement that the document contain a signature or acknowledgment is satisfied by an electronic signature or acknowledgement. The act specifically authorizes a recorder, at the recorder's option, to accept electronic documents for recording and to index and store those documents."

To date, URPERA has been adopted by Arizona, Delaware and Texas. The following states are considering version of URPERA: California, Connecticut, District of Columbia, New Mexico, North Carolina and Virginia.

5. The Children's On-Line Privacy Protection Act

a. COPPA is Designed to Protect the Privacy of Children

The Children's Online Privacy Protection Act of 1998 ("COPPA") was the first federal law to address Internet privacy concerns.[202] It generally limits the data collection and sharing policies of operators of an Internet sites directed to children. However, COPPA has been criticized in its practical effect because it applies only to Internet sites specifically directed to children or where the operator has "actual knowledge" that it is collecting information from children, and is primarily a disclosure law that relies upon individual, usually parental, monitoring for success.[203]

COPPA lays out a number of definitions that provide the framework of the prohibitions and obligations mandated by the law.[204] A "child" is any person under 13years of age. An "operator" is any person who operates an Internet site for commercial purposes and who collects or maintains personal information about the users of or visitors to that site. The term "disclosure" also is limited to relate only to children; it is the release of personal information collected from a child for any purpose, and making publicly available personal information collected from a child by an Internet site directed to children or with actual knowledge that such information was collected from a child. Finally, the phrase "verifiable parental consent is defined as any reasonable effort to provide notice to the parent of a child of the collection, use and disclosure practices, for authorization of those practices. Although COPPA does not mandate any particular method to obtain parental consent, the FTC has ruled that consent can be provided expressly on consent forms, through the use of a credit card, through a toll-free number, or via e-mail with an electronic signature. [205]

b. COPPA Prohibits Certain Conduct by an Internet Operator Relating to a Child's Personal Information

COPPA prohibits an operator of an internet site or online service directed to children, or an operator with actual knowledge that it has collected personal information from a child, to collect personal information in violation of the FTC's regulations.[206] In general, an operator of an Internet site or online service directed to children, or the operator of an internet site or online service that has actual knowledge that it has collected personal information from a child, must provide notice of what the operator collects, how it is used, and how it is disclosed. In addition, the operator must obtain verifiable parental consent for the collection, use or disclosure of that information. Furthermore, an operator must provide, upon request of a parent, a description of the information collected, the opportunity to refuse further use or maintenance of that information, and a means that is reasonable for the parent to obtain that information. Finally, the operator must establish and maintain reasonable procedures to protect that information.

But COPPA provides a number of exceptions that limit the restrictions mandated by the statutory scheme. Verifiable parental consent is not required (1) to respond to a specific request from the child, (2) to request parental consent or to provide notice if such information is not maintained following a denial of consent, (3) to respond more than once to a specific request from a child if the information is not used to re‑contact the child other than to provide notice to the parent or in such circumstances as the Commission may determine are appropriate, (4) for the safety of the child if the operator uses reasonable efforts to provide parental notice, the purposes for which the information will be used, and an opportunity for the parent to request no further use and that it not be maintained in retrievable form, or (5) to protect the security or integrity of the internet site, to take precautions against liability, upon court order, or for law enforcement purposes.[207] In addition, the statute provides a safe harbor provision, allowing compliance whenever an operator follows a set of self-regulatory guidelines approved by the FTC.[208]

Although there is no private cause of action under COPPA, the Attorney General of any state may bring an action for injunctive or monetary damages.[209] However, in general the FTC has the authority to enforce the statute.[210]

c. Compliance Procedures

The FTC has been fairly aggressive in enforcing COPPA compliance, perhaps in part because the FTC tends to view children as a particularly vulnerable and suspect audience.[211] Many of the alleged violations that the FTC has investigated appear to have resulted from inadvertent errors by marketers; however, intentions mean nothing under COPPA as good faith and good intentions provide no defense.[212]

Although COPPA is not so onerous as to prevent operation of an Internet site directed to children, there are a number of measures that should be implemented to ensure compliance with this statutory structure. First, every Internet site should post and abide by an Internet privacy policy, which should describe among other things the information collected, how that information will be used, how that information may be disclosed, what entities might obtain that information, and the purposes for which those entities might use that information. If an Internet site is meant to be used by adults only, then a condition of use (whether posted in the privacy policy or provided as part of a click-through menu when entering the site) should specifically outline the minimum age (at least over 13) for using the site. Overall, however, an operator should approach with caution an instance in which personal information from a child is being collected for future use or distribution.

6. ID Fraud Statute: 18 U.S.C. D 1028

a. The ID Fraud Statute Regulates Activity in Connection with Identification Documents, Authentication Features, Document-Making Implements, and Other Information

The Identity Theft and Assumption Deterrence Act of 1998 ("ID Fraud Statute"), 18 U.S.C. D1028, regulates (1) identification documents,[213] (2) false identification documents,[214] (3) document-making implements,[215] (4) authentication features,[216] and (5) false authentication features.[217] 18 U.S.C. D 1028(a). Under the ID Fraud Statute, it is a federal offense to knowingly transfer or possess stolen identification documents. 18 U.S.C. D 1028(a). The definition of "identification documents" has been held not to be vague or overbroad, and includes -- but is not limited to -- documents such as Social Security cards,[218] incomplete documents,[219] domestic driver's licenses,[220] military identification cards,[221] and United States Government identification cards.[222]

However, in U.S. v. Gros, 824 F.2d 1487 (1987), the court held that six blank social security cards -- which did not contain a name or social security number -- were not "identification documents" as defined by 18 U.S.C. D 1028. Gros, 824 F.2d at 1491 ("In the instant case, the record is clear that the six blank cards are not identification documentsas defined in 18 USC [ D 1028] (d)(1). . . . Nor do the documents appear to be identification documents . . . since they are blank on the back and have a liberty bell on them that has never appeared on social security cards.") (citations omitted). Moreover, it also has been held that laminates are not "identification documents" under 18 U.S.C. D1028. U.S. v. Coello, 899 F. Supp. 1240, 1243 (S.D.N.Y. 1995). In Coello, defendant possessed a bag containing (1) a bundle of clear, blank laminates; (2) a bundle of laminates imprinted with gold immigration seals by the Department of Justice; and (3) a bundle of laminates imprinted with an outline of the United States. Id. at 1242. The seals and laminates were used by the Immigration and Naturalization Service for temporary resident cards for agricultural workers. Id. The court ruled that the items were not identification documents under D 1028 because they would not have been complete identification documents if they had been assembled. Id. at 1243. According to the court, however, the laminates did constitute document-making implements. Id. at 1244. Thus, there is great debate as to what constitutes an "identification document" under the ID Fraud Statute.

Regardless of the legal battles over definitions, the ID Fraud Statute specifically prohibits an individual from:

1. "knowingly and without lawful authority produc[ing] an identification document or false identification document;

2. knowingly transfer[ing] an identification document or a false identification document knowing that such document was stolen or produced without lawful authority;

3. knowingly possess[ing] with intent to use unlawfully or transfer unlawfully five or more identification documents (other than those issued lawfully for the use of the possession) or false identification documents;

4. knowingly possess[ing] an identification document (other than one issued lawfully for the use of the possession) or a false identification document, with the intent such document be used to defraud the United States;

5. knowingly produc[ing], transfer[ing], or possess[ing] a document-making implement with the intent such document-making implement will be used in the production of a false identification document or another document-making implement which will be so used;

6. knowingly possess[ing] an identification document that is or appears to be an identification document of the United States which is stolen or produced without lawful authority knowing that such document was stolen or produced without such authority;

7. knowingly transfer[ing] or us[ing], without lawful authority, a means of identification of another person with the intent to commit, or aid or abet, any unlawful activity that constitutes a violation of Federal law, or that constitutes a felony under any applicable State or local law; or

8. knowingly traffic[ing] in false authentication features for use in false identification documents, document-making implements, or means of identification."

18 U.S.C. D 1028(a). Under the ID Fraud Statute, the term "produce" includes "alter, authenticate, or assemble," 18 U.S.C. D 1028(d)(9), and the term "transfer" means "placing . . . [an] identification document, false identification document, or document-making implement on an online location where it is available to others." 18 U.S.C. D1028(d)(10).

Although section (a) seems broad, the scope of the ID Fraud Statute is limited. For example, since it does not regulate conduct necessarily committed in connection with the admission or exclusion of aliens, the ID Fraud Statute is not considered immigration law. U.S. v. Pineda-Garcia, 164 F.3d 1233, 1235 (9th Cir. 1999) ("Section 1028 criminalizes the fraudulent use of all false identification documents, not just those related to immigration. Thus, it does not cover conduct necessarily committed in connection with the admission or exclusion of aliens."). In addition, the ID Fraud Statute is criminal in nature and does not provide a private right of action. Garay v. U.S. Bancorp, 303 F. Supp. 2d 299, 302 (E.D.N.Y. 2004).

b. The Penalties for Violating the ID Fraud Statute

The punishment for violating the ID Fraud Statute varies depending upon which section of the statute is violated. For example, courts may impose a fine or imprisonment for not more than 15 years, or both, if the offense is: (1) "the production or transfer of an identification document, authentication feature, or false identification document" issued by the United States, such as "a birth certificate, or a driver's license or personal identification card," 18 U.S.C. D 1028(b)(1)(A); (2) "the production or transfer of more than five identification documents, authentication features, or false identification documents," 18 U.S.C. D 1028(b)(1)(B); (3) "an offense under paragraph (5) of such subsection," 18 U.S.C. D 1028(b)(1)(C); or (4) "an offense under paragraph (7) of such subsection . . . ." 18 U.S.C. D 1028(b)(1)(D).

If the offense is "any other production, transfer, or use of . . . an identification document, authentication feature, or a false identification document," or "an offense under paragraph (3) or (7) of such subsection," then courts may impose a fine or imprisonment for not more than 5 years, or both. 18 U.S.C. D 1028(b)(2). Courts can impose a fine or imprisonment for not more than 20 years, or both, if the offense is committed (a) "to facilitate a drug trafficking crime," (b) "in connection with a crime of violence," or (c) "after a prior conviction under this section becomes final." 18 U.S.C. D1028(b)(3). A fine and/or imprisonment for not more than 30 years can be imposed "if the offense is committed to facilitate an act of domestic terrorism . . . or an act of international terrorism." 18 U.S.C. D 1028(b)(4). In any other case, courts may fine and/or imprison an individual for not more than 1 year. 18 U.S.C. D 1028(b)(6).

There is also a forfeiture requirement for any offense of the statute. 18U.S.C. D1028(b)(5) ("in the case of any offense under subsection (a), forfeiture to the United States of any personal property used or intended to be used to commit the offense"). Under the statute, courts must order "the forfeiture and destruction or other disposition of all illicit authentication features, identification documents, document‑making implements, or means of identification." 18 U.S.C. D 1028(h).

c. Conspiracy Under 18 U.S.C. D 1028

Under 18 U.S.C. D 1028(f), "[a]ny person who attempts or conspires to commit any offense under this section shall be subject to the same penalties as those prescribed for the offense, the commission of which was the object of the attempt or conspiracy." Under the ID Fraud Statute, a seller and buyer are not considered a "group" and, thus, are not guilty of conspiracy if they did not have a common aim. U.S. v. Shi, 317 F.3d 715, 718 (7th Cir. 2003). In Shi, the court reversed a conspiracy conviction under 18 U.S.C. D 1028(f) where defendant attempted to obtain $100 from another individual in exchange for a forged document. Id. at 717‑718. A conspiracy does not exist without the defendants seeking joint possession of a common object. Id. at 717 (citations omitted). Thus, acting at arm's length rather than cooperatively to gain a better deal does not constitute a conspiracy under the ID Fraud Statute. Id.

Courts view the ID Fraud Statute as an effective tool for deterring the illegal use of identification documents, authentication features, and document-making implements. Moreover, courts are not afraid to impose harsh punishments on individuals who violate the statute. To obtain a conviction, however, the government must meet the elements of the statute, especially in the context of conspiracy charges.

7. Intellectual Property Protection and Courts Amendment Act

In December 2004, President Bush signed into law the Intellectual Property Protection and Courts Amendment Act of 2004 ("IPPCAA"). Public Law 108‑482 (Dec. 23, 2004). The law is also known as the Anti-counterfeiting Amendments Act of 2004.[223]

IPPCAA is designed to prevent and punish counterfeiting of copyrighted copies and phonorecords. Section 102 prohibits the trafficking in counterfeit components by punishing anyone who knowingly traffics in a counterfeit label or illicit label affixed to a phonorecord, computer program, motion picture and similar works. The Software &Information Industry Association ("SIIA") applauded this Act: "Software and information publishers are seriously hurt when pirates traffic in illicit packaging, labels and other documentation in order to defraud consumers into thinking that what they are purchasing is legit . . . . [IPPCAA] fills an important gap in the law to enable copyright owners to combat these unscrupulous practices."[224]

Title II of IPPCAA, entitled the Fraudulent Online Identity Sanctions Act, creates a rebuttable presumption that an individual who knowingly provides materially false contact information to a domain name registrar, domain name registry, or other domain name registration authority in registering, maintaining, or renewing a domain name used in connection with the violation. The Act then provides for enhanced sentencing whenever "a defendant who is convicted of a felony offense . . . knowingly falsely registered a domain name and knowingly used that domain name in the course of that offense."

IPPCAA is a new law, and no caselaw has yet developed from its enactment. It seems likely that software companies, the motion picture industry and related fields will use the protections of these amendments to prosecute and seek damages against individuals who violate its provisions.

8. The Driver's Privacy Protection Act (18 U.S.C. D 2721, etseq.)

a. The DPPA Regulates the Disclosure of Personal Information in Motor Vehicle Records

Although the DPPA, codified at 18 U.S.C. D 2721 through D 2725, resides in only five short sections, it has spawned a wealth of litigation and unanswered questions ripe for challenge. Prior to the introduction of the DPPA, an individual's personal information found in motor vehicle records could be accessed by anyone. However, Congress began to take a serious look at the availability of this information after 1989, when actress Rebecca Schaeffer was shot by a stalker who obtained her information from her motor vehicle records.[225] Other criminal have been committed as well, such as an incident in Iowa in which a group of teenagers looked up the personal information of drivers' of expensive cars in order to break into and rob their homes.[226] The DPPA was designed to prevent these crimes.[227]

The DPPA applies to a motor vehicle record, which is defined as "any record that pertains to a motor vehicle operator's permit, motor vehicle title, motor vehicle registration, or identification card issued by a department of motor vehicles."[228] Personal information is any information that identifies an individual, including an individual's photograph, social security number, driver identification number, name, address (but not the 5-digit zip code), telephone number, and medical or disability information, excluding information on vehicular accidents, driving violations, and driver's status.[229] A subset of personal information is defined as "highly restricted personal information, and includes an individual's photograph or image, a social security number, and medical or disability information.[230]

b. Disclosure of Personal Information in Motor Vehicle Records is Limited to Certain Express Permissible Uses

The DPPA provides that "[a] State department of motor vehicles, and any officer, employee, or contractor thereof, shall not knowingly disclose or otherwise make available to any person or entity: (1) personal information . . . except as provided in subsection (b) . . . or (2) highly restricted personal information . . . without the express consent of the person to whom such information applies, except uses permitted in subsections (b)(1), (b)(4), (b)(6), and (b)(9)."[231] The DPPA also makes it "unlawful for any person knowingly to obtain or disclose personal information, from a motor vehicle record, for any use not permitted under section 2721(b) of this title," or "for any person to make false representation to obtain any personal information from an individual's motor vehicle record."[232]

However, the DPPA provides exceptions that permit the disclosure of personal information in certain cases.[233] According to the statute, the disclosure of personal information from a motor vehicle record is permissible:

1. for use by government agencies, including courts or law enforcement agencies, in carrying out their functions, and by private persons or entities acting on behalf of the agencies.

2. for use in connection with matters of motor vehicle or driver safety and theft; motor vehicle emissions; motor vehicle product alterations, recalls, or advisories; performance monitoring of motor vehicles, motor vehicle parts and dealers; motor vehicle market research activities, including survey research; and removal of non‑owner records from the original owner records of motor vehicle manufacturers.

3. for use in the normal course of business by a legitimate business, but only to verify the accuracy of personal information submitted by the individual to the business; and if the information submitted is not or is no longer correct, to obtain the correct information, but only for the purposes of preventing fraud by, pursuing legal remedies against, or recovering on a debt or security interest against, the individual.

4. for use in connection with any civil, criminal, administrative, or arbitral proceeding, including service of process, investigation in anticipation of litigation, the execution or enforcement of judgments and orders, or pursuant to court order.

5. for use in research activities, and for use in producing statistical reports, as long as the personal information is not published, redisclosed, or used to contact individuals.

6. for use by any insurer or insurance support organization, or by a self-insured entity, or its agents, employees, or contractors, in connection with claims investigation activities, antifraud activities, rating or underwriting.

7. for use in providing notice to the owners of towed or impounded vehicles.

8. for use by any licensed private investigative agency or licensed security service for any purpose permitted under this subsection.

9. for use by an employer or its agent or insurer to obtain or verify information relating to a holder of a commercial driver's license that is required under chapter 313 of title 49 [49 USCS D D 31301 etseq.].

10. for use in connection with the operation of private toll transportation facilities.

11. for any other use in response to requests for individual motor vehicle records if the State has obtained the express consent of the person to whom such personal information pertains.

12. for bulk distribution for surveys, marketing or solicitations if the State has obtained the express consent of the person to whom such personal information pertains.

13. for use by any requester, if the requester demonstrates it has obtained the written consent of the individual to whom the information pertains.

14. for any other use specifically authorized under the law of the State that holds the record, if such use is related to the operation of a motor vehicle or public safety.[234]

As a result, the DPPA formulates a strict list of exceptions that Congress has deemed acceptable for use. Congress did not expressly preempt state action in this field, and nearly every state has enacted some version of the DPPA. Care must be taken when dealing in personal information from motor vehicle records, as some states have restricted the uses to which such information may be put. For example, New Mexico does not provide exceptions corresponding to (b)(4) and (b)(8) above, and severely restricts the operation of the use under (b)(3).[235] A person should refrain from accessing information in New Mexico motor vehicle records for these purposes. Similarly, a data provider should not grant access to this information to any person certifying that it will put this information to use for one of these purposes. Consequently, although a user may not run afoul of the federal DPPA, it may find itself in violation of the state version.

Similarly, some state statutes have granted uses in addition to those mandated by the DPPA. For example, certain states have altered the (b)(7) use above by permitted that use for other types of vehicles than those listed in the federal DPPA.[236] Care must be taken because it is currently unresolved whether an entity that is using DPPA information for this use is, while complying with the state law, running afoul of the federal law.

The DPPA provides both criminal and civil penalties for violations. A person whose information was improperly obtained, disclosed, or used may recover (1)actual damages, but not less than liquidated damages of $2,500, (2)punitive damages upon proof of willful or reckless disregard for the law, (3) reasonable attorneys' fees and other litigation costs, and (4) injunctive relief.[237]

c. Compliance Procedures

For entities in the business of collecting or disclosing personal information as defined in the DPPA, the statutory scheme does not clearly define what is or is not required to comply. Section 2721(c) provides the duties of what are called "authorized recipients" of personal information.[238] These authorized recipients may resell or redisclose personal information only for a use permitted under subsection (b) above, except that those authorized recipients under subsection (b)(11) may resell or redisclose for any purpose and those under subsection (b)(12) may resell or redisclose for a (b)(12) purpose.

The only express compliance directives provided to authorized recipients is that they must "keep for a period of 5 years records identifying each person or entity that receives information and the permitted purpose for which the information will be used and must make such records available to the motor vehicle department upon request." 18 U.S.C. D 2721(c). The DPPA does not mandate any specific method of data collection or retention. In addition, the DPPA does not specify what information is necessary to properly identify each person or entity that receives such information. As a result, information as basic as a person's or an entity's name and the permissible use should be sufficient to satisfy the DPPA's record-keeping requirement.

There are, however, unsettled compliance questions regarding the DPPA. For example, because the DPPA is set up to protect personal information in motor vehicle records, questions remain whether the following is necessary to truly comply with the statute:

(1) Whether a data provider must perform any sort of due diligence to verify the identity of a potential customer who will be accessing personal information from motor vehicle records, or whether a statement from the customer certifying that the information will be put to specific, DPPA-approved uses, and no others, will suffice.

(2) If any verification is necessary, what process is adequate.

(3) Whether a data provider must do anything in particular to protect its data from hackers, and, if so, whether that provider can be held liable for violations of its systems by hackers.

(4) Whether the DPPA permits data providers to aggregate and provide in bulk their information database. On this point, two opposing cases may provide the arguments that will dictate future actions in this area.

The Iowa Supreme Court interpreted the federal and Iowa DPPAs to prohibit pure resellers of motor vehicle information.[239] Locate.Plus.com was a business that obtained motor vehicle records from various states, reformatted and encoded the records with various levels of security to prevent misuse, and sold this information to law enforcement agencies and private investigation firms for uses permitted under the DPPA.[240] When the Iowa Department of Transportation refused Locate.Plus.com's request for the state's motor vehicle records, because the Department believed that the company was not an "authorized recipient" under the DPPA or state law, Locate.Plus.com challenged the agency's decision.

According to the Iowa Supreme Court, the DPPA prohibits "disclosure to a nonuser, who only seeks the information to redisclose it [to a third party] for use under a permitted purpose."[241] The Court ruled that Congress intended "that the person or entity requesting disclosure of the personal information [in motor vehicle records] also be the person or entity that will use the information for the statutory purpose." Id. The Court concluded that "Congress would have specifically identified reformatting information as an authorized use if it intended to permit disclosure of the information for that purpose."[242] "[A]ny other interpretation would render the statute impractical, and essentially render the state incapable of performing its gatekeeping function under the statute."[243] As a result, according to the Iowa Supreme Court the federal and Iowa DPPA statutes bar pure resellers from obtaining Iowa motor vehicle information.

Russell v. ChoicePoint Sevs., Inc., 302 F. Supp. 2d 654 (E.D. La. 2004), rendered an opposite conclusion. There the court held that the DPPA permits pure resellers of personal information. The plaintiffs in Russell alleged that the defendant had violated the DPPA when it obtained motor vehicle records from Louisiana for the purpose of resale to customers. The court granted the defendant's motion to dismiss with prejudice the plaintiffs' DPPA claims based solely on the obtainment of records. The court held that "[t]he plain language of the DPPA permits entities . . . to obtain drivers' personal information from [Departments of Motor Vehicles] and subsequently resell that information to third parties with a permissible use." Id. at __.[244]

These two decisions are the leading cases on the obtainment issue. Nether case was appealed to the Supreme Court, so that body has not yet had the opportunity to rule on the potential liability of resellers of personal information under the DPPA.

(5) Whether a plaintiff must show actual damages to be able to recover the statutory, liquidated damages provided by the DPPA. The DPPA permits a civil cause of action (18 U.S.C. D 2724) for both injunctive and monetary relief. Section 2724(b)(1) provides that a plaintiff may recover "actual damages, but not more than liquidated damages in the amount of $2,500." The issue in this case is whether a plaintiff must show some actual damages to be entitled to the liquidated damages amount, or whether the liquidated damages provision sets the floor beneath which the damages award may not fall.

Another split, this time by two district courts, has left the damages issues unresolved. Kehoe v. Fidelity Fed. Bank & Trust, No. 03-80593, 2004 U.S. Dist. LEXIS 11464, at *19 (S.D. Fla. June 14, 2004), held that "a plaintiff must prove some actual damages to qualify for a minimum liquidated damages award of $ 2,500 under the DPPA." Kehoe detailed its reasoning by resorting to consideration of a recent Supreme Court case,[245] textual analysis of the DPPA, application of the rule of the last antecedent, examination of the text of other privacy statutes, and examination of the purpose of the phrase "liquidated damages" in the DPPA.

Pichler v. UNITE (Union of Needletrades, Industrial & Textile Employees AFL-CIO), No. 04-2841, 2005 U.S. Dist. LEXIS 10334 (May 31, 2005), expressly declined to follow Kehoe, and instead ruled that a plaintiff need not show actual damages to obtain the liquidated damages provided by the DPPA. In particular, Pichler noted that Kehoe "misinterprets the significance of Doe to the DPPA, misapplies the rule of the last antecedent, overlooks other similarly phrased statutes (while inappropriately focusing on differently phrased statutes), and misunderstands the common law pedigree of the phrase 'liquidated damages.'" Id. at *46.

Once again, the Supreme Court has yet to rule on this issue. Oral argument in Kehoe occurred in June 2005. As of the writing of this section, the defendant has filed no appeal in Pichler.

(6) Whether a defendant is liable for a DPPA violation only when it knowingly provides personal information for a use not permitted by the DPPA. The court in Pichler also confronted this issue, which may loom large in future DPPA litigation. Pichler held that the "knowingly" mental state for violations of the DPPA applied only to obtaining, disclosing or using personal information, and thus a plaintiff need not show that a defendant "knew that the obtaining, disclosure, or use was impermissible."[246] According to the court, a contrary interpretation would allow every defendant "at least one free bite at the violation-of-privacy apple. After all, anyone could claim that he did not 'know' his purpose to be impermissible until a court interpreted the DPPA to proscribe that purpose. Even after such a ruling, a defendant could manufacture a slightly different purpose for his conduct and then claim ignorance of whether the DPPA prohibited the new purpose. A plaintiff could recover only if the defendant repeatedly violated her privacy and lacked sufficient creativity to conjure up some conceivable purpose that no court had yet considered."[247] This issue too remains unresolved, and is likely a prime battlefield for future litigation.

B. Recent Caselaw: What You Need to Know to Guide Clients

1. Failure to Secure Website

The hottest area of the law of privacy today concerns the securing and protection of personal information on Internet sites. "Personal information" is an extremely broad term that is subject to multiple definitions through various statutory and regulatory schemes. However, in general it can be thought of as any information that identifies a person. This information includes a first or last name, a physical address, an e-mail address, a telephone number and, especially, a social security number.

The Federal Trade Commission has taken an active role in ensuring that companies handling personal information of consumers safeguard that information. In a September 22, 2004, prepared statement before the Subcommittee on Technology, Information Policy, Intergovernmental Relations, and the Census, Committee on Government Reform, U.S. House of Representatives on Protecting Information Security and Preventing Identity Theft, Commissioner Orson Swindle stated:

"The Federal Trade Commission has a broad mandate to protect consumers from unfair and deceptive practices. As part of its mission, the commission has given a special emphasis to efforts to protect the privacy and security of consumer information. These efforts include educating companies about the importance of using reasonable and appropriate procedures to safeguard consumers' personal information, supplemented by law enforcement in appropriate cases when companies fail to take steps. In addition, as the federal government's central repository for identity theft complaints, the Commission play a significant role in referring complaints about identity theft to appropriate law enforcement authorities, providing victim assistance and consumer education, and working with businesses to mitigate harm in the event of a security breach."

In other recent testimony before Congress, FTC Chairperson Deborah Platt Majoras advised Congress to extend security protections for sensitive consumer data and to require companies that possess such data to notify consumers when they discover security breaches that could lead to identity theft.[248] Currently, laws relating to the security of personal information concern information maintained by credit bureaus, those who use credit reports, and business that engage in financial-related activities: "The Commission's Safeguards Rule requires financial institutions to implement reasonable physical, technical, and procedural safeguards to protect customer information . . . . It does not cover many other entities that may also collect, maintain and transfer or sell sensitive consumer information." [249]

a. Failure to Secure Internet Site

The FTC's authority to police a company's Internet security springs from D5 of the Federal Trade Commission Act, codified at 15 U.S.C. D 45. Pursuant to that section:

"(a) Declaration of unlawfulness; power to prohibit unfair practices; inapplicability to foreign trade

(1) Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful.

(2) The Commission is hereby empowered and directed to prevent persons, partnerships, or corporations . . . from using unfair methods of competition in or affecting commerce and unfair or deceptive acts or practices in or affecting commerce."

Several cases over the last few years highlight the power of the FTC and demonstrate its focus on preventing or punishing security breaches resulting in the disclosure of personal information:

" BJ's Wholesale Club; Agreed in June 2005 to implement a comprehensive security program and to submit to audits by an independent third party security professional every other year for the next 20 years. An individual obtain personal information from the systems of the Massachusetts company, which operates warehouses and gas stations in 16 states, and used that information to make fraudulent purchases totaling several million dollars. The complaint charged that BJ's (1) failed to encrypt personal information when it was transmitted or stored; (2) created unnecessary risks to that personal information by storing it for up to 30 days even when it was no longer needed; (3) stored the information in files that were easily accessed by commonly known default user IDs and passwords; (4) failed to use readily available security measures to prevent unauthorized wireless connections to its networks; and (5) failed to use measures sufficient to detect unauthorized access.[250]

" Petco Animal Supplies, Inc.: Agreed to establish and maintain a comprehensive information security program, to obtain biennial audits of its security program by an independent third party, and to permit the FTC to monitor compliance via certain record-keeping obligations. Petco had promised on its Internet site that it protected personal information; however, its site was vulnerable to common hacker attacks. Petco also failed to encrypt its personal information. As a result, a hacker access credit card information from the Petco site.[251]

" Tower Records: Agreed to implement a security program and to obtain audits of its security protocols every two years by a third‑party security professional. Despite promises of protection for personal information, Tower allegedly permitted a security breach when it redesigned its Internet site, allowing access to order history records, names, billing addresses and telephone numbers.[252]

" Guess, Inc.: Agreed to implement a comprehensive information security program for all of its Internet sites. The web site was vulnerable to commonly known hacker attacks, despite statements assuring customers that their information would be protected. In one case, a visitor to the web site obtained credit card numbers stored in the company's databases.[253]

" Microsoft Corp.: Agreed to implement a comprehensive security program following alleged false representations concerning the security of personal information collected on its Internet site. As the press release discussing the action noted: "Companies that promise to keep personal information secure must follow reasonable and appropriate measures to do so. It's not only good business, it's the law. Even absent known security breaches, we will not wait to act."[254]

" Eli Lilly & Co.: Agreed to implement security measures to protect personal information. The company disclosed e-mail addresses of nearly 700 of its subscribers to its Prozac Reminder Service.[255]

b. Alterations to Internet Privacy Policies

The FTC also has policed alterations to Internet privacy policies that change a company's obligations toward handling personal information. Section 5 of the FTC Act (15 U.S.C. D 45(a)) declares unlawful any "unfair or deceptive acts or practices in or affecting commerce." "To establish that an act or practice is deceptive under Section 5(a), the FTC must demonstrate 'a material representation, omission, or practice that is likely to mislead consumers acting reasonably in the circumstances.'" Federal Trade Commission v. Verity Int'l, Ltd., 335 F. Supp. 2d 479, 495 (S.D.N.Y. 2004).

The typical example of the FTC's position on changes to privacy policies governing the collection of information from users of Internet sites may be found in a May 24, 2001, letter ("Amazon Letter") from the FTC to Junkbusters Corp. and the Electronic Privacy Information Center ("EPIC"), which had requested the FTC to investigate Amazon.com for alleged violations of its privacy policy.[256] Junkbusters and EPIC thought that Amazon.com was selling information collected from users of its Internet site in contravention of a prior privacy policy that had promised not to do so. Amazon Letter, p. 1. The FTC declined to proceed against Amazon.com because Amazon.com had assured the FTC that it was not selling user information, and would not do so in the future notwithstanding the revised privacy policy. Id. at 2. However, in discussing potential changes to that policy in the future, the FTC stated: "We would expect that in the event of a material change to its stated privacy practices, Amazon would provide adequate notice to customers as well as a mechanism to obtain consumers' consent to the change with respect to information already collected from them." Id. (emphasis added).

Users who supply information to an Internet site (like Amazon.com) to purchase goods or services from the site arguably have an expectation that the policies governing the use of that information will be followed.[257] Thus, the FTC's belief that Amazon.com, in the above example, should obtain "consent" to change its privacy policy should apply only to users who affirmatively supplied that information themselves.

The caselaw developed so far deals with the disclosure of user information by the Internet company that collected the information directly from the user, much like the Amazon.com situation described above. The cases generally deal with class certification issues addressing the claims only as an aside.

However, a consistent theme in the caselaw is that the complaining party will bring both federal statutory and state law claims regarding the disclosure of the users' information. The complaining party typically brings a Wiretap Act and an Electronic Communications Privacy Act claim along with state consumer protection and breach of contract claims. In all of the class certification cases, the federal statutory claims were dismissed based on the fact that the Internet company that collected the information did not fit the statutory elements of the Wiretap Act or fit one of the exceptions set forth in the Electronic Communications Privacy Act that permit disclosure of information. Having dismissed the federal statutory claim, the court would then typically dismiss the state law claims based on lack of jurisdiction.

Two cases that are instructive are In re Doubleclick Privacy Litig., 154 F. Supp. 2d 497 (S.D.N.Y. 2001) and Dyer v. Northwest Airlines Corps., 334 F. Supp. 2d 1196 (D.N.D. 2004). Doubleclick "amended its privacy policy by removing its assurance that information gathered from users online would not be associated with their personally identifiable information." 154 F. Supp. 2d at 505. This change in policy would have allowed Doubleclick to combine its user database with that of a company that it had acquired. Id. The plaintiffs brought federal Electronic Communications Privacy Act, Wiretap Act, Computer Fraud and Abuse Act, state invasion of privacy, unjust enrichment, trespass and statutory claims. Id. at 500. Doubleclick determined that none of the federal statutes had been violated. Id. at 526. Specifically, "the [legislative] histories of these statutes reveal specific Congressional goals -- [punishing hacking, preventing wiretapping, securing operations of service providers] -- that are carefully embodied in these criminal statutes and their corresponding civil rights of action." Id. Once the federal claims were dismissed for failure to state a claim, Doubleclick dismissed the state law claims based on a lack of jurisdiction. Id.

Dyer addressed Northwest Airlines' disclosure of personal information in response to a request by NASA for system-wide passenger data. The disclosure was in violation of Northwest Airlines' privacy policy. 334 F. Supp. 2d at 1199. The complaining parties brought an Electronic Communications Privacy Act claim and a breach of contract claim. Id. at 1198. The court in Dyer determined that Northwest did not fit the statutory definition of an electronic communications service and, therefore, the Electronic Communications Privacy Act claim failed. Id. at 1198-99.

Dyer also ruled that the "breach of contract claim fail[ed] as a matter of law." Id. at 1200. "[B]road statements of company policy do not generally give rise to contract claims." Id. at 1200. In addition, "nowhere in the complaint are the Plaintiffs alleged to have ever logged onto Northwest Airlines' website and accessed, read, understood, actually relied upon, or otherwise considered Northwest Airlines' privacy policy." Id. "Finally, even if the privacy policy was sufficiently definite and the Plaintiffs had alleged they did read the policy prior to providing personal information to Northwest Airlines, the Plaintiffs have failed to allege any contractual damages arising out of the alleged breach." Id.

A complaining party may have difficulty prosecuting either a Wiretap or Electronic Communications Privacy Act claim against a company for a change in the Data Privacy Policy. In addition, unless actual damages are suffered, a breach of contract claim should not be successful.[258] Of more concern is the likelihood that a state consumer protection statute would provide a basis for relief for the complaining party. Such a claim would be based upon a consumer's reliance on the current privacy policy and the consumer's reliance on that policy to protect the personal information.

The Privacy Law Primer[259] is a recent publication summarizing current major privacy issues. It includes a section summarizing the issues surrounding changes to a company's privacy policy. It recognizes that there are no laws directly on point governing a company's changes to the terms of a privacy policy, but suggests that such changes are analogous to the treatment of personal information "in connection with a bankruptcy, merger, asset transfer or other similar business transaction." Id., D I(I). "This analogy is appropriate because both situations involve the provision of information under the terms of one privacy policy and then a subsequent change in the treatment of that information." Id.

The Privacy Law Primer ( D I(I)) suggests that notice and an opportunity to opt-out (and maybe an affirmative opt-in) are sufficient to permit a privacy policy change. However, these suggestions again apply to customer's who provide the information themselves while using the Internet site that collects the information.[260]

At the very least then notice of the pending privacy policy change should be sufficient to alter a privacy policy. No authority dictates specific language, but it is probably wise, based on the settlement of the Juno case (discussed in The Privacy law Primer at D I(I)(4)), to provide at least a 30-day period before the new policy takes effect. That notice also should be clear and expressed in simple, easy-to-understand language.

The FTC has taken an aggressive stance against companies that maintain and disclose personal information. With the recent revelations of security breaches by several information providers, the FTC has dedicated itself anew to investigating and pursuing known violations of Internet security that compromises personal information of the public. These actions are sure to continue in the immediate future. Congress has taken up the cry as well, and several bills are pending to restructure the manner in which information may be stored or disclosed. The future will likely provide a host of information regulatory schemes.

2. The Vices of Gambling and Alcohol

a. Internet Gambling -- Legal and Growing

Cyberspace law has seen rapid and continuing development in the area of online gambling. Michael L. Rustad & Thomas H. Koenig, Rebooting Cybertort Law, 80Wash. L. Rev. 335, 347-48 (May 2005). Simply put, internet gambling refers to "the placing of real money bets using one's personal computer via the Internet." Pearson Liddell, Jr. and Stevie Watson, Internet Gambling: On a Roll?, 28 Seton Hall legis. J. 315, 316 (2004) ("Gambling Article"). The world's first online casino, Internet Casinos, Inc., entered Cyberspace on August 18, 1994; today the number of online gambling sites has grown to an estimated 1,200 to 2,000, all of which are based in foreign jurisdictions that authorize such gambling. Id. at 317. Online gambling is expected to be a multi‑billion dollar industry within a few years. Id.

Congress sought to regulate gambling over telephone lines through the Interstate Wire Act ("Wire Act"), codified at 18 U.S.C. D 1084, and the Interstate and Foreign Travel or Transportation in Aid of Racketeering Enterprises Act ("Travel Act"), codified at 18 U.S.C. D1952. Gambling Article, p. 321. The Wire Act, however, applies only to sports-related gambling, and may not apply to wireless Internet transmissions. Id. Accord: Beau Thompson, Internet Gambling, 2 N.C. J.L. & Tech. 81, 91-92 (2001). The Travel Act also may not apply to wireless transmissions.

It seems plain, however, that online gambling is here to stay. Efforts to limit or curb it have failed. For example, legislative efforts to regulate Internet gambling have met with little success. Gambling Acticle, pp. 323-26. In addition, the courts have made it clear that persons may not avoid gambling debts incurred over the Internet.

The courts have rejected the use of the Racketeer Influenced and Corrupt Organizations Act ("RICO") to combat online gambling. In re Mastercard Int'l Internet Gambling Litig., 313 F.3d 257, 259 (5th Cir. 2002), rejected the plaintiffs attempts to use RICO to avoid debts they incurred when they used their credit cards to buy "chips" to gamble on online casinos. They claimed that the credit card companies operated a "worldwide gambling enterprise" that facilitated illegal Internet gambling through the use of credit cards because "the available of credit and the ability to gamble are inseparable." Id. at 260.

The district court had found (and the appellate court affirmed) that the plaintiffs had failed to show a pattern of racketeering activity or the collection of an unlawful debt, a prerequisite to maintaining a RICO claim. Id. at 261. The problem with the plaintiffs' theory is that the credit card purchases of the "chips" took place before any gambling occurred. In addition, the plaintiffs could not assert violations of the Wire Act, the Mail Fraud Act or the Wire Fraud Act. 18 U.S.C. D D 1084, 1341, 1343. The Wire Act concerns gambling on sporting events, and the plaintiffs did not so gamble. Id. at 262. The mail fraud and wire acts were inapplicable because the Defendants made no misrepresentations that the plaintiffs relied upon, a necessary predicate to a RICO violation in those circumstances. Id. at 263. In fact, the actions of the credit card companies did not relate to gambling activities because the credit card transactions occurred prior to the gambling. In re Mastercard Int'l Inc. Litig., Nos. 00MD-1321, 00‑1322 Section "K" (5), 2003 U.S. Dist. LEXIS 13534, at *11-12 (E.D. La. July 30, 2003).

In Pinto v. Bank One Corp., No. 02 Civ. 8477 (NRB), 2003 U.S. Dist. LEXIS 9348, at *1-2 (S.D.N.Y. June 4, 2003), plaintiffs brought suit against credit card companies alleging that the cash advances of the credit card companies that enabled them to gamble on Internet gambling sites, were illegal loans under state law that prohibited gambling. The defendants removed the case to federal court under the Edge Act (12U.S.C. D 632), which grants federal jurisdiction to all suits arising out of transactions involving international or foreign banking. Id. at *3. Because the gambling at issue involved off-shore gambling sites, and because the transactions at issued were processed by or passed through foreign banks, the suit arose out of transactions involving foreign banks under the Edge Act. The plaintiffs' motion to remand was denied.

b. Wine Producers Pop Their Corks Over United States Supreme Court's Granholm Decision

Recently, wine aficionados locating an attractive vintage on an Internet site offered by an out-of-state retailer usually were prohibited from purchasing that wine because many state laws prevented the importation of out-of-state wine. The Supreme Court's Granholm v. Heald Decision: What It Means for Interstate Wine Shipping, Mondaq Business Briefing (June 24, 2005) ("Granholm Article"). The source of this prohibition can be traced to the 21st Amendment, one purpose of which was "to allow States to maintain an effective and uniform system for controlling liquor by regulating its transportation, importation, and use." This language allowed states to pass regulations controlling the interstate shipment of liquor, which many did on terms that favored in‑state liquor industries. Id.

The world of wine suddenly changed with Granholm v. Heald, 125 S. Ct. 1885 (2005). Out-of-state wineries brought suit against Michigan and New York, which both had laws permitting in-state wineries to ship wine directly to consumers, but prevented out-of-state wineries from doing the same. The laws were challenged because direct wine shipment has increasingly become a major source of revenue, particularly for smaller wineries. Id. at 806. According to the Federal Trade Commission, such laws posed "the single largest regulatory barrier to expanded e-commerce in wine." Id. at 1893.

The Court held that the "object and design of the Michigan and New York statutes is to grant in-state wineries a competitive advantage over wineries located beyond the States' borders." Id. at 1891. The Court rule that those laws discriminated against interstate commerce in violation of the Commerce Clause of Article I, D 8, cl. 3 of the United States Constitution. Reiterating a rule called "essential to the foundations of the Union, the Court noted that, "in all but the narrowest circumstances, state laws violate the Commerce Clause if they mandate 'differential treatment of in-state and out-of-state economic interests that benefits the former and burdens the latter.'" Id. at 1895 (quoting Oregon Waste Sys., Inc. v. Department of Envir. Quality of Ore., 511 U.S. 93, 99, 114 S. Ct. 1345 (1994)).[261]

"State laws that discriminate against interstate commerce face 'a virtually per se rule of invalidity.'" Id. at 1897 (quoting Philadelphia v. New Jersey, 437 U.S. 617, 624, 98 S. Ct. 2531 (1978)). Not even the 21st Amendment provided an adequate defense against blatantly discriminatory laws. As a result, the Court struck them down.

Following Granholm, states must determine whether they will permit all liquor industries to ship their products to in-state customers, or whether they will ban liquor shipments entirely. Granholm Article (discussing recent state proposals to respond to Granholm). New York's legislature is currently working on a bill that would permit all wineries to ship directly to New York customers, as long as they comply with the licensing requirements in place for in-state shipping. Id. Indiana, on the other hand, has made in-state wine shipments misdemeanors.

Ohio recently announced that it had settled a lawsuit challenging its laws regulating out-of-state wine shipments.[262] The agreement strikes the state's restrictions governing the amount of wine consumers can receive from out-of-state wine producers and eliminates a rule that prohibited consumers from importing wine available in-state.[263] The agreement also revised forms Ohioans are required to fill out before having wine shipped in from outside the state.[264] Such news may be heralded by Ohio wine fans.[265]

3. Jurisdiction in a Virtual Environment

Since its inception, the Internet has offered consumers a means of purchasing goods and services, and has provided businesses with a means to conduct transactions in a quick, cost‑effective and efficient manner. While Internet sales continue to make up a small percentage of overall sales in the U.S., such sales have continued to grow over the years that this means of transacting business has been offered.[266] As the Internet has grown, so has the number of disputes between parties to transactions carried over in cyber space. However, for a state to adjudicate a legal dispute relating to an Internet transaction, or for a state to tax a transaction occurring over the Internet, the state must exercise personal jurisdiction satisfying both state and federal due process clauses.[267]

"Where a federal court's subject matter jurisdiction over a case stems from the existence of a federal question, personal jurisdiction over a defendant exists [1] 'if the defendant is amenable to service of process under the [forum] state's long-arm statute and [2] if the exercise of personal jurisdiction would not deny the defendant[] due process.'" Bird v. Parsons, 289 F.3d 865, 871 (6th Cir. 2002) (quoting Michigan Coalition of Radioactive Material Users, Inc. v. Griepentrog, 954 F.2d 1174, 1176 (6th Cir. 1992)) (second and fourth alterations in original). Accord: Graphic Controls Corp. v. Utah Med. Prods., Inc., 149 F.3d 1382, 1385 (Fed. Cir. 1998).[268]

The Sixth Circuit has not been consistent in determining the reach of Ohio's long‑arm statute. For example, the court has recognized that "Ohio's long-arm statute is not coterminus with federal constitutional limits." Bird, 289 F.3d at 871. Accord: Calphalon Corp. v. Rowlette, 228 F.3d 718, 721 (6th Cir. 2000) ("the Ohio Supreme Court has ruled that the Ohio long-arm statute does not extend to the constitutional limits of the Due Process Clause") (citing Goldstein v. Christiansen, 70Ohio St. 3d 232, 238, 638 N.E. 2d 541, 545 n.1 (1994) (per curiam)). At the same time, however, the Sixth Circuit repeatedly has collapsed the two‑step analysis into a single due process examination. Bird, 289 F.3d at 871-72 ("Nevertheless, in evaluating whether personal jurisdiction is proper under Ohio's long-arm statute, we have consistently focused on whether there are sufficient minimum contacts between the non‑resident defendant and the forum state so as not to offend 'traditional notions of fair play and substantial justice.'") (citation omitted).[269]

As recently stated by Judge Beckwith in Logan Farms v. HBH, Inc., 282 F. Supp. 2d 776, 785 (S.D. Ohio 2003):

"The dichotomy or bifurcation of the jurisdictional analysis becomes problematic in application because Federal Circuit law holds that Ohio's long-arm statute does not reach the limits of the Due Process Clause, Hildebrand v. Steck Mfg. Co., 279 F.3d 1351, 1354 (Fed. Cir. 2002), while the Sixth Circuit, in holdings which are confusing enough in themselves, has stated both that 'it is settled Ohio law that the transacting business clause of that statute was meant to extend to the limits of due process,' Compuserve, Inc. v. Patterson, 89 F.3d 1257, 1262 (6th Cir. 1996), and that 'We have recognized that Ohio's long-arm statute is not coterminus with federal constitutional limits.' Bird v. Parsons, 289 F.3d 865, 871 (6th Cir. 2002). Thus, because of the differing standards, it is possible to have different outcomes on the question of personal jurisdiction, based on the same set of facts, depending on the claim at hand."

This jurisdictional issue has caused no end of problems for the courts as they confront due process concerns relating to the physical presence of individuals or their actions in a state. However, the issue becomes particularly problematic in the Cyberspace environment. The basic jurisdictional issue can be posed as such:

"Internet users are not located at a single position[;] instead users are located throughout the world simultaneously. The Internet spans the planet without one party realizing where the other is located. This disjuncture may require courts to adjudicate controversies between parties where one person may have little geographical connection with the forum jurisdiction, and indeed, where one person may not even have known into which forum that person's communication traveled or was received."[270]

It is therefore useful, and has been a consistent practice of the courts, to consider jurisdictional views on the Internet as a continuum or sliding scale. At the most extreme ends of the continuum are those views the prohibit jurisdiction in all cases (which has never been adopted by any court) and those views permitting jurisdiction in all cases (which also has never been adopted). In other words, at one end, known as "virtual presence," a person who places a message on the Internet is "present" in all locations where the signal could be received.[271] Thus, a person who merely establishes an Internet site is present in every jurisdiction in the United States simultaneously. The other end, known as the "cyberspace model," maintains that the Internet is separate from the physical world and thus subject to no geographic jurisdiction; in other words, information on the Internet exists only in cyberspace and, without more, no state can exercise jurisdiction.[272]

This theoretical view of personal jurisdiction was provided some practical application in Zippo Manufacturing Company v. Zippo.com, Inc., 952 F. Supp. 1119, 1124 (W.D. Pa. 1997):

"The likelihood that personal jurisdiction can be constitutionally exercised is directly proportionate to the nature and quality of commercial activity that an entity conducts over the Internet. This sliding scale is consistent with well developed personal jurisdiction principals. At one end of the spectrum are situations where a defendant clearly does business over the Internet. If the defendant enters into contracts with residents of a foreign jurisdiction that involve the knowing and repeated transmission of computer files over the Internet, personal jurisdiction is proper. At the opposite end are situations where a defendant has simply posted information on an Internet Web site which is accessible to users in foreign jurisdictions. A passive Web site that does little more than make information available to those who are interested in it is not grounds for the exercise [of] personal jurisdiction. The middle ground is occupied by interactive Web sites where a user can exchange information with the host computer. In these cases, the exercise of jurisdiction is determined by examining the level of interactivity and commercial nature of the exchange of information that occurs on the Web site."

The challenge for the courts occurs when an interactive Internet site falls in the middle of this scale, which is where Internet jurisdiction become clouded.[273] Unfortunately, there is no clear cut rule regarding personal jurisdiction issues over the Internet. "The cases range along a continuum from holding that a Web site alone is never enough to establish personal jurisdiction, to holding that a Web site alone is always enough."[274]

At one end of the spectrum is Cadle Co. v. Schlichtmann, 123 Fed. Appx. 675 (6th Cir. 2005). Following a ten‑year legal battle between an Ohio‑based debt collector and an attorney, the attorney created a website, www.truthaboutcadle.com, to inform others of the allegedly unlawful activities of Cadle in Massachusetts, where the attorney lived.[275] In response, the debt collector sued the attorney in Ohio alleging among other things defamation.[276] According to the Court, "[w]hen the defendant's alleged contact with the forum state occurs via the internet, the plaintiff faces an initial hurdle in showing where this internet conduct took place for jurisdictional purposes."[277] The mere operation of an Internet site accessible to anyone over the Internet does not confer general jurisdiction, even if the site allows the defendant to conduct business with residents of that state. Nevertheless, an Internet site may justify specific jurisdiction if the operation of this site constitutes "purposeful availment," is the basis of the cause of action, and the exercise of jurisdiction is reasonable.[278] Purposeful availment can be shown by an Internet site that is interactive to a degree showing specifically intended interaction with residents of the state. Interactive Internet sites stand in opposition to "passive" sites, which are less likely to confer jurisdiction.[279] "If the website is 'semi‑interactive,' 'the exercise of jurisdiction is determined by examining the level of interactivity and commercial nature of the exchange of information that occurs.'"[280] The court very quickly noted that, because the debt collector failed to allege any interaction or exchange of information between the attorney and Ohio residents, personal jurisdiction could not exist.

The level of interactivity and the number of users of a website also plays a role in the jurisdictional analysis. In Trintec Indus., Inc. v. Pedre Promotional Prods., Inc., 395 F.3d 1275, 1281 (Fed. Cir. 2005), the Federal Circuit acknowledged that caselaw suggests that the availability and use of a "highly interactive, transaction‑oriented website" may support personal jurisdiction; however, the court questioned how frequently the interactive features were utilized and whether any residents in the forum state actually used the website to transact business. The court also recognized caselaw suggesting that "something additional beyond a website" is required to establish personal jurisdiction.[281]

It has been fairly well established that the operation of a clearly "passive" Internet site, such as one that merely makes available information, is not the type of "interactivity" that establishes personal jurisdiction. Jennings v. AC Hydraulic A/S, 383 F.3d 546, 549 (7th Cir. 2004). "The exercise of personal jurisdiction based on the maintenance of a passive website is impermissible because the defendant is not directing its business activities toward consumers in the forum state in particular." Id. at 549-50.[282] A contrary result would create "universal personal jurisdiction" across the country, because nearly every company maintains some sort of Internet site. Id. at 550. As the court noted, "although technological advances may alter the analysis of personal jurisdiction, those advances may not eviscerate the Constitutional limits." Id. (citing Hanson v. Denckla, 357 U.S. 235, 250-51, 78 S. Ct. 1228 (1958)).

Interestingly, the Sixth Circuit in Premium Balloon Accessories, Inc. v. Control Plastics, 113 Fed. Appx. 50, 51 (6th Cir. 2004), suggested that only a "fully interactive" site would provide jurisdiction. Premium Balloon concerned an Internet website that provided information about the defendant's products and permitted a user to download an order form; however, the site did not allow purchases. The Sixth Circuit held that this level of interactivity was insufficient to confer jurisdiction over the defendant.

O'Connor v. Shady Lane Hotel Co., No. 04-2436, 2005 U.S. Dist. LEXIS 7397, at *8-9 (E.D. Pa. Apr. 28, 2005), explained the distinction between an interactive and passive Internet site as follows:

"It is well-established that the mere existence of an internationally‑available website is insufficient to establish personal jurisdiction over an out‑of‑state defendant, unless two elements are satisfied. First, the website must be highly 'interactive' or allow customers the opportunity to enter directly into a contract with the defendant over the internet. Further, much like an in‑print advertising campaign, the website must either be 'central' to the defendant's business in the forum state or specifically target residents of the forum state."

Accord: Hlavac v. DGG Properties, No. 04-6112, 2005 U.S. Dist. LEXIS 6081, at *16(E.D. Pa. Apr. 8, 2005) ("Internet site allowing visitors to purchase gift certificates and providing an e‑mail link for reservations is insufficient to establish personal jurisdiction."

The expected rise in the use of the Internet for both business and personal use will continue to present such jurisdictional challenges for the courts. For litigators, the good news is that the cases are so varied and dependent upon the facts that colorable arguments for or against jurisdiction can be made in many cases where a fully interactive website does not exist. It seems that the courts are content to continue this ad hoc approach to settling the issue.

4. Employer Rights and Liabilities Related to the Internet and Emerging Digital Technologies

"The Information Age has radically altered the traditional legal and organizational framework of work by blurring the once clear boundaries between an employee's personal and professional lives."[283] Employment law is facing challenges when confronting the digital age. One of the greatest challenges is balancing an employer's authority to conduct its business in an efficient and cost-effective manner versus an employee's right to privacy in the workforce. In private life, people have a multitude of privacy expectations, including:

" The right to individual autonomy

" The right to be left alone

" The right to a private life

" The right to control information about oneself

" The right to limit accessibility

" The right to exclusive control of access to private realms

" The right to minimize intrusiveness

" The right to expect confidentiality

" The right to enjoy solitude

" The right to enjoy anonymity

" The right to enjoy reserve

" The right to secrecy^{^[284]}

Of course, no one believes that all, or even most, of these privacy expectations can be demanded in the workplace. For example, "the right to limit accessibility of oneself is subject to the realities of the workplace: [a]n employer may . . . legitimately limit the length of time employees close their office doors."[285] The law therefore struggles to find the proper balance to permit an employer to run its business without improperly infringing these privacy expectations.

One area in particular is employee surveillance. Employers today may find it in their interest to determine what their employees are doing in the workplace. This need to monitor of course clashes with an employee's expectation of privacy. After all, employees who are competently doing their work should have no fear that their employers are looking in on their day-to-day doings.

It is difficult today to gauge how often employers monitor their employees' activities.^{^[286]} However, employers have an interest, and in some cases the need, to keep an eye on employee affairs:

"Employers seek to monitor employee's computer activities for a variety of reasons: security concerns, employee efficiency and productivity, misuse of company resources for personal purposes, and uncovering wrongdoing. Because of the respondeat superior doctrine, employers clearly have an interest in limiting their liability for employee misconduct committed through the Internet or e-mail, including sexual harassment, defamation, copyright infringement, and discrimination."^{^[287]}

Traditionally, employees have met with little success in establishing a comprehensive privacy scheme in the workplace. The United States Constitution provides no protections for private-sector employees because it generally restricts only government intrusions into privacy; state constitutions also generally do not bar employee monitoring.^{^[288]}

If an employer warns an employee that e-mail and other communications may be subject to monitoring, then that employee usually has no expectation of privacy; in other words, the employers will face no liability for monitoring that employee's activities.^{^[289]}

The Electronic Communications Privacy Act of 1986 ("ECPA")^{^[290]} was meant to afford some privacy protections to electronic communications. The ECPA prohibits anyone, even an employer, from intentionally intercepting an electronic communication. However, there are a number of exceptions -- including consent and for business use in the ordinary course of business -- that an employer can use to circumvent the consequences of the ECPA, such that it is doubtful that an employer can sue an employer under the ECPA.^{^[291]} Although a few recent cases have permitted some suits to go forward, the ability of employers to adopt broad Internet and e-mail usage policies, which may require consent of the employee as a condition of employment, and the wide‑ranging scope of business uses, takes much of the bite out of the ECPA.^{^[292]} It is doubtful that the statutory scheme will have much impact on employment affairs in the future.

5. Liability Simply for Being There: CompuServe's Early Experience in Germany and the Current State of Law

With the rise of the use of the Internet in the mid-1990s, Western Europe took the lead in enforcing both civil and criminal actions to regulate the content of foreign Internet sites to ensure that these sites did not violate local laws prohibiting hate speech or discrimination.[293] The enforcement of these countries' laws, which restrict political discourse in certain circumstances, faced challenges from the fact that the Internet provides an abundant source of this "illegal" information -- from websites that deny the Holocaust to those that provide a never-ending stream of adult pornographic materials -- that is difficult to regulate.[294]

Germany faced this dilemma in the 1990s when it attempted to regulate hate speech and child pornography on the Internet. CompuServe Interactive Services found itself unwillingly in the center of Germany's early attempts at Internet regulation. In Germany, it is illegal to disseminate Nazi propaganda that denies the Holocaust occurred.[295] In an attempt to restrict the proliferation of the material on the Internet, Germany targeted Internet service providers ("ISP").[296] In 1997, German prosecutors indicted the general manager of CompuServe's German headquarters, charging him with illegally permitting German customers to access foreign websites that offered Nazi materials.[297] CompuServe's response could be both hailed as a victory against hatemongers or the death of free-speech rights in Cyberspace. Taking these threats of prosecution seriously, the company, which at the time was Germany's largest ISP, prohibited access to over 200 news groups to all customers worldwide.[298] Thus, Germany's attempts to regulate content on the Internet led to a ban on those materials to all individuals, even those outside of Germany.

In 1997, Germany revised its computer crime statutes to provide that "Internet service providers such as CompuServe can't be held liable for content they merely transmit."[299] However, that law did not prohibit charges from being filed against CompuServe executives in another matter in 1999. In that case, German prosecutors brought suit against the head of CompuServe's German subsidiary for illegally engaging in the distribution of child pornography, where that pornography was posted on the subsidiary's webservers located in Germany by customers of the company.[300] Although neither CompuServe nor its officers were tried, because CompuServe itself did not conduct business in Germany, the court exercised jurisdiction over the Swiss national who was at the time the head of CompuServe's German subsidiary, and who also was domiciled in Germany.[301] The prosecutors secured a conviction. However, on appeal, that conviction was overturned due to the recent German law that specifically exempted ISPs from liability if they have no reasonable mechanism to exclude illegal content from their servers.[302]

In November 2002, the Council of Europe adopted a new European Protocol that regulated Internet hate speech.[303] The area remains open for litigation concerning how those laws in Europe will be applied when U.S. laws do not recognize similar prohibitions.

6. International Legal Aspects of On-Line Activity

"The Internet has no respect for International boundaries; the rules governing conduct are informal; and rules cannot be enforced by a government on an Internet-wide basis."[304] There are many international issues involving Internet activity and Internet regulation. There are currently no uniform standards to deal with these issues. For example, personal jurisdiction on the Internet, as discussed above, is a mish‑mash of loose rules and factually-dependent circumstances. It has been suggested that "[w]e can hardly deal with international issues [concerning jurisdiction alone] on the Internet level and the legal impact on the people who engage in transaction on it, without first dealing with these issues among the states of this nation."[305]

Foreign nations usually assert jurisdiction over nonresidents when the exercise of such jurisdiction is "reasonable."[306] It has been held reasonable when a company regularly conducts business in the foreign nation, when a company regularly engages in an activity outside of the foreign country that has a substantial, direct and foreseeable effect within the foreign country, and when an activity that is the subject of court action is owned, possessed or used in the foreign country.[307] Once jurisdiction is established, the question of which law controls enters the picture. But providing general guidelines to define the potential issues involved in these types of situations is impossible because choice of law rules are "blurred and lack uniformity."[308]

Of course, various procedural factors exist that may make litigation in a foreign court more hospitable than U.S. courts. For example:

"First, as a general rule, class action lawsuits may not be filed under the laws of other countries. This is a significant procedural deterrent to the filing of a claim . . . . Second, contingent fees are not permitted in most countries outside of the United States. The absence of contingent fees means that those who seek to file legal claims . . . must pay their lawyers out-of-pocket as the case progresses, regardless of result. Third, many countries follow the 'English rule' with respect to the payment of attorneys' fees. Under this rule, the loser must pay the winner's legal fees. Such a rule is a substantial disincentive to the filing of frivolous lawsuits."[309]

154370.1

[1] Intelus Corp. v. Barton, 7 F. Supp. 2d 635, 641 (D. Md. 1998) (citation omitted).

[2] Since the enforceability of non-compete agreements is a matter of state law, the analysis varies from jurisdiction to jurisdiction. Nevertheless, the following analysis demonstrates general trends that can be seen emerging from the digital revolution.

[3] Richard Stim, Protect Your Trade Secrets with a Nondisclosure Agreement (available at www.score.org/prtoect_your_trade_secrets.html).

[4] Goeffrey George Gussis, Website Development Agreements: A Guide to Planning and Drafting, 76 Wash U. L. Q. 721, 741 (Summer 1998).

[8] See Holtzbrink Publ'g Holdings v. Vyne Communications, Inc., No. 97 Civ. 1082, 200 U.S. Dist LEXIS 5444, at *27-30 (S.D.N.Y. Apr. 26, 2000) (as there was no written agreement in place, summary judgment could not be granted because there was a material issue of fact as to whether the web developer was an employee, implicating the work-for-hire doctrine, or an independent contractor).

[10] Gussis at 742. Accord: iXL, Inc. v. AdOutlet.com, Inc., No. 01 C 0763, 2001 U.S. Dist LEXIS 3784, at *27-28 (N.D. Ill. Mar. 30, 2001) (source code imbedded in website was a work-for-hire because there was a written agreement and "the source code written for each section of the . . . web site constitutes a separate, independent work and is a contribution to the collective whole -- that is, the web site").

[11] Outsourcing, http://en.wikipedia.org/wiki/Outsourcing (last visited July 7, 2005) ("Wikipedia, Outsourcing").

[15] Offshore outsourcing, http://en.wikipedia.org/wiki/Offshore_outsourcing (last visited July 7, 2005) ("Wikipedia, Offshore outsourcing").

[24] Id. (quoting Milken Institute Review (Dec. 2004)).

[25] Freelancing on the Internet, http://en.wikipedia.org/wiki/Freelancing_on_the_Internet (last visited July 7, 2005) ("Wikipedia, Freelancing").

[27] Kelly L. Anderson, Open Outsourcing (2005), http://kelly.anderson.name/openoutsourcing/ (last visited July 12, 2005) ("Anderson, Open Outsourcing").

[29] Open outsourcing, http://en.wikipedia.org/wiki/Open_outsourcing (last visited July 12, 2005) ("Wikipedia, Open outsouring").

[34] Thomas J. Manley & Scott M. Hobby, Globalization of Work: Offshore Outsourcing in the IT Age, 18 Emory Int'l L. Rev. 401, 412 (2004) (footnote omitted).

[37] GNU General Public License, http://en.wikipedia.org/wiki/GPL (last visted July 12, 2005) ("Wikipedia, GPL").

[49] BSD license, http://en.wikipedia.org/wiki/BSD License (last visited July 12, 2005) ("Wikipedia, BSD").

[52] The BSD License, available at Open Source Initiative OSI - The BSD License: Licensing, http://www.opensource.org/licenses/bsd-license.php (last visited July 12, 2005).

[58] FindMyHosting, http://www.findmyhosting.com/webhosting-guide.htm (last viewed on July 17, 2005).

[59] Geoffrey George Gussis, Note: Website Development Agreements: A Guide to Planning and Drafting, 76 Wash. U. L. Q. 721, 732 (1998) ("Gussis").

[60] AllBusiness, http://www.allbusiness.com/articles/EBusiness/622-2804-2812.html (last viewed on July 6, 2005).

[61] FindMyHosting, http://www.findmyhosting.com/webhosting-guide.htm (last viewed on July 17, 2005).

[62] Bravenet, http://resources.bravenet.com/articles/administration/optimization/bandwidth_explained (last viewed on July 17, 2005).

[63] FindMyHosting, http://www.findmyhosting.com/bandwidth.htm (last viewed on July 17, 2005).

[67] FindMyHosting, http://www.findmyhosting.com/bandwidth.htm (last viewed on July 17, 2005).

[72] Hosting Standard, http://www.thehostingstandard.com/articles/article6.html (last visited on July 17, 2005).

[77] "Maintaining a website at more than one location is expensive especially for smaller businesses, and it also outstrips the technological resources for many website developers." Gussis at 735. A web hosting company called BlackSun Inc. recognizes the importance of uptime. One of its representatives stated: "We have placed redundancy in all of our server, network, cooling and power equipment to ensure that we are always exceeding the 99.99% uptime target." BlackSun has also built advanced security into its network, servers and data rooms and stays proactive with the latest security issues that are present in the industry." Hosting Standard, http://www.thehostingstandard.com/articles/article6_continue.html (last viewed on July 17, 2005).

[81] Millstein, Neuburger & Weingart, Doing Business on the Internet: Forms and Analysis, D 2.04[6], 2-27 (Law Journal Press 2005) ("Millstein").

[82] AllBusiness, http://www.allbusiness.com/articles/EBusiness/622-2804-2812.html (last viewed on July 6, 2005) ("AllBusiness").

NATIONAL BUSINESS INSTITUTE - DIGITAL TECHNOLOGY AND THE LAW

II. LEGAL ASPECTS OF INTERNET-RELATED SERVICES

A. A Litigator's Perspective of Frequently Drafted Contract Provisions: Noncompetition, Non-Disclosure, Work-For-Hire and Licensing

1.Noncompetition Agreements

a.Introduction

b. Reasonableness in the Internet Age

2.Nondisclosure and Confidentiality Agreements

a.Introduction

b. Protecting Trade Secrets in the Internet Age

3. The Work-for-Hire Doctrine

a.Introduction

b. Work-for-Hire Doctrine

B. What Clients Need to Know Regarding International Outsourcing

1. Definition and Overview of Outsourcing

2. International Outsourcing

3. Freelancing on the Internet

a. Freelancer Websites

b. Coders

c. Compared to Offshore Outsourcing

4. What Clients Need to Know Regarding International Outsourcing

a. Licensing Issues with Internet Freelancing

(1) Single-Use Licenses and Non-Disclosure Agreements

(2) Open Outsourcing

(a) The GNU General Public License

(b) Interplay With Copyright Law

(c) Rights Granted Under the GPL

(d) The Copyleft

(e) Potential Problems with the GPL

(3) The BSD License

b. Benefits of Open Outsourcing

(1) Challenges of Open Outsourcing

c. Real World Example of Open Outsourcing

5. Other Legal Issues With International Outsourcing

C. Website Hosting Agreements: How Hosting Works and What to Look for in a Host

1. Introduction to Web Hosting

2. What to Look For in a Host

a. Bandwidth

b. "Uptime"

c. Problem Response Time

3. The Importance of Web Hosting Agreements

a. Provisions of a Web Site Hosting Agreement

b. Litigation Issues Concerning Web Hosting Agreements

D. Search Engine Placement and Marketing Services

1. Introduction

2. How Search Engines Function

3. Litigation Issues Concerning the Use of Another's Trademark in Metatags

E. Assessing and Selecting Security-Related Services

1. Information Security Is a Necessary Component of any Computer Infrastructure

2. Information Security Practices

F. Understanding Digital Signature Laws

G. Voice-Over-Internet-Protocol (VoIP)

1. Introduction to Voice-Over-Internet-Protocol

a. Advantages of VoIP

b. Disadvantages of VoIP

2. The Legal Aspects of Voice-Over-Internet-Protocol

III. LIABILITY ARISING OUT OF ON-LINE ACTIVITY

A. Federal and State Laws and Uniform Acts

1. Can Spam Act

2. Digital Millennium Copyright Act

a. Explanation of the Act

(1) Anti-Circumvention

(2) Takedown Provisions

(3) Use of Subpoenas

3. The Lanham Act: Federal Trademark Dilution Act

4. Uniform Real Property Electronic Recording Act

5. The Children's On-Line Privacy Protection Act

a. COPPA is Designed to Protect the Privacy of Children

b. COPPA Prohibits Certain Conduct by an Internet Operator Relating to a Child's Personal Information

c. Compliance Procedures

6. ID Fraud Statute: 18 U.S.C. D 1028

a. The ID Fraud Statute Regulates Activity in Connection with Identification Documents, Authentication Features, Document-Making Implements, and Other Information

b. The Penalties for Violating the ID Fraud Statute

c. Conspiracy Under 18 U.S.C. D 1028

7. Intellectual Property Protection and Courts Amendment Act

8. The Driver's Privacy Protection Act (18 U.S.C. D 2721, etseq.)

a. The DPPA Regulates the Disclosure of Personal Information in Motor Vehicle Records

b. Disclosure of Personal Information in Motor Vehicle Records is Limited to Certain Express Permissible Uses

c. Compliance Procedures

B. Recent Caselaw: What You Need to Know to Guide Clients

1. Failure to Secure Website