ABA Section of Intellectual Property Law


Privacy and the First Amendment in Ecommerce



Date: 05.05.2018

In Doe v. Cahill,10 the Delaware Supreme Court authored the first state supreme court case to address the issue of identifying anonymous speakers in libel actions brought by public officials. Appellee Patrick Cahill alleged that John Doe No. 1 had defamed Cahill in his position as Smyrna city councilman on an Internet blog hosted by a Delaware newspaper. Cahill and co-appellee Julia Cahill determined that Comcast Corp. owned the IP number associated with the anonymous blogger. Upon being required to disclose Doe’s identity, Comcast, as required by federal law, notified Doe, who filed an emergency motion to prevent Comcast from disclosing the identity. The trial court judge denied the motion and used a “good faith” standard for determining whether to compel disclosure: the Cahills must demonstrate they had a good faith, legitimate reason to bring the case; the information must be material to the disposition of the case; and the information must be available nowhere else. Doe filed an interlocutory appeal, claiming that the trial court had used an inappropriate standard for disclosure.

The Delaware Supreme Court adopted a summary judgment standard based on a New Jersey appellate court’s test. Fearful that too lenient a standard would chill anonymous speech, the court said that the summary judgment standard—which requires plaintiffs to support their defamation claims with facts sufficient to overcome a summary judgment—strikes the appropriate balance between a plaintiff’s right to protect reputation and the anonymous speech rights of the defendant. Thus, the plaintiff must make a prima facie case for each element of the defamation claim over which the plaintiff has control. Moreover, the court said, the plaintiff must make reasonable efforts to inform the anonymous defendant that he/she is the subject of a subpoena or court order, allow the defendant time to respond, and, in the case of online defamation actions, post a message notifying the anonymous defendant about the discovery notice on the same board in which the alleged defamation appeared. The summary judgment and notification requirements, the court said, do not unduly burden a plaintiff with a legitimate claim while offering protection against trivial or silly claims.

Applying the summary judgment standard to the Cahills’ claim, the Supreme Court found that the statements were clearly opinion and that a reasonable reader would not interpret Doe’s comments on the blog to be factual statements about Cahill. Cahill had thus failed to make a prima facie case for the defamation element of his libel suit and therefore failed the summary judgment test. The court also suggested in dictum that the Cahills had a powerful extra-judicial tool with which to combat the alleged defamation: they could post corrections, clarifications and competing opinions on the same message board where the original messages appeared, thereby mitigating any damages suffered to reputation.

In re Does 1-1011 called upon the Texas Court of Appeals to address online anonymity in Texas libel cases. Essent PRMC, a hospital, filed suit against ten John Does for libel, alleging that they had anonymously posted libelous statements about the hospital on a blog. Essent asked the trial court to order the bloggers’ ISP, SuddenLink Communications, not a party to the suit, to reveal the identities of the Does. Essent based its claim for identification on the Cable Communications Policy Act of 1984 (CCPA), which contains rules for subscriber disclosure. The Does filed for a writ of mandamus to order the trial court to withdraw the order.

At issue was whether the disclosure requirements of CCPA, which clearly apply to governmental agencies seeking disclosure of subscriber information upon clear and convincing evidence of reasonable suspicion of criminal activity, also apply to private companies under a valid court order. Courts have split on this interpretation. The appeals court agreed that the statute could be interpreted as applying to a private company under court order but noted that the CCPA statute itself was not the appropriate vehicle by which to obtain the order; that must be done under other state or federal procedures, which the trial court did not use. Nor did the trial court use other procedural processes in place for discovery, and in fact, “entirely failed to apply the rules of discovery.” Mandamus is an appropriate remedy, and the appeals court ordered the trial court to vacate the order.

Noting the lack of Texas precedent in online anonymity in libel cases, the appeals court suggested in dictum that in the light of the protections accorded to anonymous speech and the high level of protection of Internet speech, the standard used in a 2005 Delaware Supreme Court case, Doe v. Cahill,12 would be appropriate: “[B]efore a defamation plaintiff can obtain the identity of an anonymous defendant through the compulsory discovery process he must support his defamation claim with facts sufficient to defeat a summary judgment motion.”13

In re Zyprexa Litigation14 addressed web distribution of discovery documents previously sealed by the court. Pharmaceutical company Eli Lilly released millions of documents in response to over 30,000 suits by plaintiffs who were prescribed the anti-psychotic drug Zyprexa. Plaintiffs alleged that they became obese and diabetic as a result of insufficient warnings from Lilly. Many documents were sealed under court order. A New York Times reporter conspired with an expert witness to circumvent the court order, resulting in documents being dispersed to many organizations, including the Times, which published several articles summarizing and discussing the documents. The court ordered the return of the documents and issued an injunction against their further dispersal—not including the Times but including specific websites that had already published the documents. District judge Jack Weinstein denied Lilly’s request for this injunction against the websites, noting that “[p]rohibiting five of the internet’s millions of websites from posting the documents will not substantially lower the risk of harm posed to Lilly.” The court’s equitable discretion is better used against those individuals who have been ordered to return documents but have not done so rather than trying to enforce an injunction over the entire Web. Moreover, the court said, “it would constitute a dubious manifestation of public policy” should it attempt to enjoin the websites.
Committee Vote
Voting members

In favor of report15

Ashton, Mark

Emmert, Steven

Horbaczewski, Henry

Klipper, Michael

Larson, Brian

Moeller, Kari

Walthall, Howard

Wittow, Mark
Opposed to report
Abstaining
Not heard from

Vast majority of committee’s members


Non-voting members

Law students
Associate members

Belmas, Genelle (contributed to report and voted to approve, but vote not counted by virtue of associate member status)


COMMITTEE 711 — ONLINE SECURITY & E-PRIVACY

Robert Mark Field and Michael A. Parks, Co-Chairs
Scope of committee: All aspects of online security and e-privacy but excluding issues within the scope of Committee 710.
In its second year, Committee 711 does not have any proposed resolutions. Committee 711 has planned a Continuing Legal Education seminar titled “Data Breach Notification: Roundtable Discussion of US, EU and APEC Approaches and Related Policy Considerations” for the ABA Section of International Law’s 2008 Fall Meeting, September 23rd – 27th, 2008 in Brussels, Belgium. In addition, Committee 711 submits the following report. This report consists of a Report of the Subcommittee on Spyware and an Update to credit security legislation enacted since last year’s report.
REPORT OF THE SUBCOMMITTEE ON SPYWARE
Renard Francois (co-chair)

Mo Syed (co-chair)

Elizabeth Bowles

Thomas A. Rust

David E. Blau

Christina D. Frangiosa

Steven Emmert

Behnam Dayanim


The Subcommittee on Spyware has met repeatedly to discuss Section policy concerning the issue of spyware legislation. We set out to try to arrive at a proposed committee resolution on this issue. However, on March 14, 2008, a majority of the subcommittee decided that there was not enough consensus on the issues to propose a resolution. As such, the subcommittee decided to present the Section with a report highlighting areas that need to be analyzed more fully and assessed for their impact.
Discussion.

I. DEFINITION OF SPYWARE
Critical to any legislation purporting to regulate spyware is the definition of the term itself. Obviously, anti-spyware legislation cannot regulate programs that fall without the definition of “spyware,” nor can any program that fits within that definition be exempted from the legislation’s reach. The generally accepted popular definition of spyware is “a broad category of malicious software intended to intercept or take partial control of a computer’s operation without the user’s informed consent.” This software then resides on a user’s computer without the user’s knowledge and often collects information about the user or the computer’s use that is then sent to the software’s creator or to third parties.
State legislation usually defines “spyware” to include computer programs that are installed on the user’s computer without the user’s knowledge and/or consent and that cause certain, defined, results (i.e., changing settings, “hijacking” homepages, collecting personally identifiable information, keystroke logging, monitoring surfing habits in order to deliver advertisements, creating zombies). See Utah Code Ann. 13-39-101, et seq. and Cal. Code Ann. 32-22947 et seq. Current proposed Federal legislation takes a similar tack – requiring consent and defining spyware by the ultimate result of the software. See H.R. 4661 (the Internet Spyware (I-SPY) Act) and H.R. 2929 (the Securely Protect Yourself Against Cyber Trespass Act (SPY ACT)).
Critics of this method of definition argue that by including specific results that the software must produce in order to be in violation of the acts, software that is yet to be invented that nonetheless would produce an undesirable result is excluded from the definition. These advocates argue that the definition of spyware should rest entirely on the quality of the consent given to installation of the program regardless of the software’s purpose. (Arguably, under this construct, a consumer could consent to have her computer turned into a zombie.)
Many marketers argue that the definition of spyware should expressly exclude certain types of programs that collect only marketing data. These marketers assert that marketing data is not personally-identifiable, is harmless to the consumer, and allows marketers to provide desired information on goods and services the consumer may want to obtain.
A third group of stakeholders in the debate, including many consumer advocacy organizations, argue that cookies, both session and tracking, should be excluded from the definition of spyware. Because tracking cookies are lines of code invisibly installed on the user’s computer without consent, are sometimes “permanent” (in that they continue to reside on the computer once the consumer has logged out of that particular session), and track users’ paths through websites, they fall within many definitions of spyware unless specifically exempted. Many privacy and consumer advocates accept the use of cookies as creating a better and more-enjoyable Internet experience (for example, Amazon.com greets visitors by name when they return to the site), and virtually all companies and marketers use them to provide much-needed data on website usage. However, many pieces of anti-spyware legislation unintentionally include tracking cookies in their definition of spyware. Such legislation would require all website owners to provide notice and obtain consent from website visitors when cookies are used.
The Anti-Spyware Coalition (“ASC”), a consortium of consumer groups, ISPs and software companies (including some adware vendors), has stated the following with respect to “spyware and other potentially unwanted technologies” –

These are technologies implemented in ways that impair users’ control over:



  • Material changes that affect their user experience, privacy, or system security

  • Use of their system resources, including what programs are installed on their computers

  • Collection, use, and distribution of their personal or otherwise sensitive information

These are items that users will want to be informed about, and which the user, with appropriate authority from the owner of the system, should be able to easily remove or disable.

The ASC created a table of the types of potentially malicious software along with each type of software’s pros and cons. The ASC noted that “with proper notice, consent, and control some of these same technologies can provide important benefits.”


Ultimately, the definition of spyware may hinge on whether or not installation of the program occurs only following the user’s adequately informed notice and consent. Programs installed with adequate notice and informed consent, regardless of purpose, may be exempted from the definition of spyware, whereas programs installed without the user’s consent, regardless of purpose, may be included within that definition.

II. FEDERAL SPYWARE LAWS
1. The Wiretap Act

In 1968 Congress passed the Wiretap Act,16 the first of two major federal laws affecting spyware. The Wiretap Act contains two titles, each known by separate names, that cooperate to prohibit access to communications while in transit between two parties, and while in storage. Communications as defined in the Act may be wire, oral, or electronic. Wire communications include aural transfers over a wire, such as telephone conversations.17 Oral communications include those utterances that are not wire communications and for which a person has an actual and reasonable expectation of privacy.18 Electronic communications include electronic transfers of data and signals that are not wire or oral communications.19


Title I of the Wiretap Act is also known as the Electronic Communications Privacy Act (ECPA),20 and generally prohibits interception and disclosure of transient wire, oral, or electronic communications. The ECPA prohibits the use of intercepted wire or oral communications as evidence in court, but contains no such exclusionary rule for electronic communications.21 The ECPA contains exceptions allowing law enforcement officers to obtain warrants to intercept these communications, for example by tapping a wire.22 Any person whose communications were unlawfully intercepted may recover damages in a civil action.23
Title II of the Wiretap Act is the Stored Wire and Electronic Communications and Transactional Records Act (also known as the “Stored Communications Act,” or SCA),24 and generally prohibits unauthorized access to wire and electronic communications while they are in electronic storage at “a facility through which an electronic communication service is provided.”25 This phrase has been generally understood to mean an Internet Service Provider, although courts are split on whether this includes a user’s computer.26 There are exceptions to the Act’s prohibition to allow the ISP and user to obtain access to a stored communication of that user.27 There are also exceptions to allow an ISP to make mandatory disclosures pursuant to a warrant,28 and to allow the ISP to preserve backups of data pursuant to a warrant.29 The SCA allows for a private right of action.30
2. The Computer Fraud and Abuse Act

In 1984 Congress passed the Computer Fraud and Abuse Act,31 which criminalizes a wide range of unauthorized computer-related activities. These activities include: obtaining bank or credit card records or credit reports;32 accessing a computer with intent to defraud and obtaining anything of value (other than mere use of the computer valued at less than $5,000 per year);33 intentionally or recklessly causing at least $5,000 damage to a computer within a year;34 or trafficking in passwords.35 The Act does not preempt State laws.36 The Secret Service, and in some cases the FBI, may investigate these offenses.37 Additionally, the Act provides for a private right of action; however, recovery may not include punitive damages, and includes only economic damages to a user’s computer.38


Bills in Congress

The Senate is currently considering several bills that would address the problem of spyware. These include the House’s Securely Protect Yourself Against Cyber Trespass Act (SPY Act) and the Senate’s Counter Spy Act, the Internet Spyware Prevention Act of 2007 (I-SPY Act), and the Anti-Phishing Consumer Protection Act of 2008 (APCPA). Also, the Senate is considering the Identity Theft Enforcement and Restitution Act,39 which would amend the Computer Fraud and Abuse Act to eliminate the $5,000 per year threshold for violations and add a forfeiture penalty for computer equipment used in violations.

The Spy Act40 and Counter Spy Act,41 like the Computer Fraud and Abuse Act before them, attempt to address a comprehensive range of unauthorized computer-related activities. These activities include: using a computer as a spam relay (zombie) or as part of a denial of service attack (botnet); hijacking a computer’s browser or network connection to incur charges; creating browser advertising spam or uncloseable windows; altering a browser’s homepage, default connection, bookmarks, or security settings; logging keystrokes to obtain personal information; using false webpages to obtain personal information (phishing); installing software that ignores ‘do not install’ instructions or automatically re-activates or re-installs itself after being uninstalled; misrepresenting software as being required to secure a computer; misrepresenting the identity of a software provider; inducing the disclosure of personal information by fraud or without consent; disabling anti-virus or other security software; installing software for the purpose of inducing a user to do any of these things;42 collecting, without consent, personally identifying information or network usage information (with an exception for ads shown by the site doing the collecting, if the information is kept private);43 hiding installation files using misleading or random file or directory names, or installing files in a system folder to avoid detection; requiring that a particular third party website be accessed, or an access code obtained from a third party, in order to disable software;44 and installing adware that conceals its operation from a user.45 In both bills, the FTC and various other federal and state agencies may bring an action, but neither bill provides for a private right of action.46 Further, these bills would preempt State laws on these matters.47
The I-SPY Act48 would add a new section 18 U.S.C. 1030A, which defines offenses for loading a computer program onto a computer without authorization, then intentionally using that program to commit a Federal crime; and obtaining or transmitting personal information, or impairing the security of a computer, with intent to defraud, injure, or damage a user’s computer.49 This Act would also preempt State law, unlike the Computer Fraud and Abuse Act.50 However, the Act makes no changes to the existing private right of action under the existing Computer Fraud and Abuse Act.

Finally, the Congress is also considering the Anti-Phishing Consumer Protection Act.51 This Act would add offenses directed specifically to phishing, cybersquatting, and deceptive or misleading domain names.52 A state agency, attorney general, or other official may bring a civil action “as parens patriae” on behalf of its citizens, but there is no private right of action.53 The FTC, affected ISPs and trademark holders, the SEC, and certain federal reserve banks, providers of State insurance, and the Secretaries of Transportation and Agriculture could also bring suit in various situations.54 This Act would also preempt state law.55




III. SPYWARE: FEDERAL REGULATORY ACTIONS

The Federal Trade Commission and the United States Department of Justice argue that a federal anti-spyware statute is not warranted because current statutes, such as the Federal Trade Commission Act (“FTC Act”)56 and the Computer Fraud and Abuse Act of 1984,57 provide federal law enforcement with sufficient authority to sue those who create, use, or distribute spyware. Currently, certain federal statutes have been used to prosecute persons and businesses who have used spyware to defraud consumers, surreptitiously obtain information from consumers, or to impair the performance of a consumer’s computer. This section will show how the Federal Trade Commission is using its authority under the Federal Trade Commission Act to prosecute those who use spyware to deceive consumers or to engage in unfair business practices. Additionally, this section will also show how the Department of Justice is using two statutes in particular to prosecute those using spyware for illegal purposes. Both of these agencies have been extremely aggressive in recent years in investigating and litigating spyware cases.


The FTC has applied the prohibitions articulated in Section 5 of the FTC Act not only to spyware, but also to adware, malware, and other unwanted software. There is a difference between the FTC deception and unfairness authority under the statute. The FTC has used both to combat spyware. Although the FTC has not requested additional laws to fight spyware, the FTC has recommended to Congress that it be granted civil penalty authority to fine spyware developers.
The FTC has used this statute to sue those who have created and distributed spyware for violations of the FTC Act. FTC v. Seismic Entertainment demonstrates the first principle that the resources of a consumer’s computer are his or her own, and Internet businesses cannot use these resources without the consumer’s permission.58 The FTC alleged that Seismic Entertainment exploited known vulnerabilities in Internet Explorer to download spyware to consumers’ computers without their knowledge.59 According to the FTC, the spyware, among other things, hijacked consumers’ home pages, caused the display of an incessant stream of pop-up ads, allowed the secret installation of additional software programs, and caused computers to severely slow down or crash. Additionally, the FTC alleged that defendants used “drive-by” tactics to download spyware in violation of Section 5 of the FTC Act. The FTC obtained a $4.1 million judgment; a final order that prohibits the Defendants from downloading software in the future without consumer authorization; and a $330,000 judgment against a second group of defendants who allegedly distributed the spyware. FTC v. Seismic Entertainment, Inc., No. 04-377-JD, 2004 U.S. Dist. LEXIS 22788 (D.N.H. Oct. 21, 2004).
In Seismic, the FTC sued, and obtained judgments against, not only the defendants who created the spyware but also the defendants who distributed the spyware to unwitting consumers. This highlights the breadth of the FTC Act and demonstrates how the FTC has used the FTC Act to pursue all those who have some responsibility in the creation and distribution of spyware. The FTC has also applied the FTC Act to instances other than the allegations described in Seismic. The FTC has sued companies that hire third parties who use adware in violation of the FTC Act.
In FTC v. Zango,60 the FTC alleges that Zango’s distributors – third-party affiliates who often contracted with numerous sub-affiliates – frequently offered consumers free content and software, such as screensavers, peer-to-peer file sharing software, games, and utilities, without disclosing that downloading them would result in installation of the adware.61 In other instances, Zango’s third-party distributors exploited security vulnerabilities in Web browsers to install the adware via “drive-by” downloads. As a result, millions of consumers received pop-up ads without knowing why, and had their Internet use monitored without their knowledge. The FTC charged that Zango’s failure to disclose that downloading the free content and software would result in installation of the adware was deceptive, and that its failure to provide consumers with a reasonable and effective means to identify, locate, and remove the adware from their computers was unfair, in violation of the FTC Act.
Second, the FTC has sued companies that have buried disclosures about spyware or critical information in the End User License Agreement for violating the well-established requirements for clear and conspicuous disclosures. The FTC sued Odysseus Marketing and its principal for advertising software that the company claimed would allow consumers to engage in peer-to-peer file sharing anonymously.62 According to the FTC’s complaint, the website’s claims of anonymity encouraged consumers to download their free software.63 The agency charged that the claims were bogus because the software did not make file-sharing anonymous and there actually was a cost to consumers because the “free” software was bundled with spyware. According to the Complaint, the spyware secretly downloaded dozens of other software programs, diminishing consumers’ computer performance and memory, and replaced or reformatted search engine results. The FTC alleged that Odysseus Marketing hid their disclosure in the middle of a two-page end-user licensing agreement buried in the “Terms and Conditions” section of their website and deliberately made their software difficult to detect and impossible to remove using standard software utilities.
In addition to the FTC’s ability to bring Section 5 cases like Seismic, the United States Department of Justice has statutory authority to prosecute distributors of spyware in cases where consumers’ privacy or security is compromised. The Computer Fraud and Abuse Act of 1984 prohibits the unauthorized acquisition of data from a protected computer that results in damage. 18 U.S.C. § 1030(a). The DOJ has been fairly successful in using the Computer Fraud and Abuse Act to go after the distributors of spyware. In United States v. Dinh, the DOJ alleged that the defendant violated the Computer Fraud and Abuse Act in two ways. First, defendant allegedly knowingly accessed a computer of another person without authorization by installing a series of keystroke-logging programs to remotely monitor the keystrokes of the computer user and identify computer accounts and passwords. Second, defendant violated the statute by allegedly engaging in a scheme to defraud an investor and committing mail and wire fraud. The defendant was sentenced to 13 months in prison.
In addition to this case, other cases illustrate that the DOJ has successfully used the Computer Fraud and Abuse Act to prosecute those who use keystroke loggers without the authorization of the computer user. In United States v. Jiang, the defendant was sentenced to 27 months in prison and ordered to pay approximately $200,000 in restitution for knowingly installing keystroke logging software to surreptitiously record the keystrokes on another person’s computer. Furthermore, United States v. Owusu involved a defendant who surreptitiously installed a keystroke logger program on public computers in order to record every keystroke made on those computers. According to the Department of Justice, the defendant used the data collected with the keystroke logger to gain unauthorized access to users’ online accounts and university management systems. The defendant was sentenced to four years in prison.
The DOJ also has authority, under a variety of statutes that regulate communications, to pursue actions against entities that acquire information fraudulently, such as through the use of a keystroke logger program. Fraud and Related Activity in Connection with Access Devices, 18 U.S.C. § 1029, Title III of the Omnibus Crime Control and Safe Streets Act of 1968, 18 U.S.C. §§ 2510-22, and Electronic Communications Privacy Act, 18 U.S.C. §§ 2701-11. To that end, the DOJ has used 18 U.S.C. § 2512 to prosecute those who create and market spyware programs.
In United States v. Perez-Melera, the federal government used § 2512 to prosecute a person who created a computer program that he could use to spy on others and monitor all activities on the computer; emails sent and received, web sites visited, and passwords entered were intercepted and collected.
In prosecuting these cases, federal law enforcement has used its resources to confront unfair and deceptive practices and illustrated that certain spyware behaviors are illegal under existing law. In particular, the FTC has established three principles to guide its spyware enforcement efforts:64
• A consumer’s computer belongs to him or her, not to the software distributor. This means that no software maker should be able to gain access to or use the resources of a consumer’s computer without the consumer’s consent.
• Buried disclosures do not work. Communicating material terms about the functioning of a software program deep within an EULA does not meet high enough standards for adequate disclosure.
• Consumers must be able to uninstall or disable software that they do not want. If a software distributor places an unwanted program on a consumer’s computer, there should be a reasonably straightforward way for that program to be removed.
Through active and aggressive enforcement, federal law enforcement has clarified some of the issues idiosyncratic to spyware. This clarification, as illustrated in the three above-referenced guidelines, has guided federal enforcement, and can possibly do the same for federal anti-spyware legislation. Although some states have anti-spyware laws, the law does not clarify the complex issues peculiar to spyware. “Some states have passed specific spyware statutes to help clarify these distinctions, but several of the states that have been most active in spyware enforcement have no such laws in place.”65
Federal officials at both the Federal Trade Commission and the Department of Justice believe that they have adequate authority under their existing criminal and civil statutes to take law enforcement action against those who disseminate spyware. Both the FTC and the DOJ have been active in their law enforcement against the creators and distributors of spyware by using the statutes that are at their disposal.


IV. SPYWARE: EXISTING STATE STATUTES

Starting in 2004, state legislatures began passing a variety of different kinds of anti-spyware legislation. Depending on how broadly “spyware” is defined, as many as 16 states now have laws that in some way address the problem.66 For the most part, these statutes approach the definition of “spyware” similarly. Rather than define spyware by what it is – i.e., a program placed on a protected computer without the computer owner’s knowledge – the statutes define spyware by what it does – i.e., a program that initiates any of a specific set of prohibited activities.67 This section provides an overview of those state laws and some of their significant features.


In 2004, California became one of the first states to pass a law specifically related to spyware.68 Since that time a number of states have passed laws that, with only minor variations, resemble California’s prohibition. Those states include Arizona, Arkansas, Georgia, Indiana, Iowa, Louisiana, New Hampshire, Rhode Island, Texas and Washington. In addition, a number of other states are currently considering bills that are modeled after the California spyware statute.
The California law and the many laws that have followed the California model focus on protecting consumers from spyware. They generally prohibit a person from causing computer software to be copied on to a computer without permission from or knowledge by an authorized user, if that software performs certain functions, including: (1) modifying certain settings, such as the browser’s home page, default search provider or bookmarks; (2) collecting personally identifying information, including information about websites the computer user visits, the user’s financial account numbers, passwords and the like; (3) preventing reasonable efforts to block the installations of software; (4) misrepresenting that software will be uninstalled or disabled by the computer user’s actions; (5) removing or disabling security, antispyware or antivirus software; or (6) taking control of a consumer’s computer by modifying security settings or causing damage to a computer.69 In addition to these prohibitions found in most of the state anti-spyware laws, some states have specifically outlawed other actions, such as denial of service attacks.70
Because of the way these laws define the prohibited conduct, the state legislatures following the California model have been forced to grapple with the fact that, read broadly, the prohibited conduct could restrict legitimate actions by Internet Service Providers (“ISPs”). Thus, the statutes expressly exclude from their purview certain activities such as interactions with a subscriber’s ISP for network or security purposes, diagnostic, technical support, repair updates and other, similar services.71
One of the other issues facing state legislatures is how these laws should be enforced. The California statute is silent as to whether it creates a private right of action. Some states expressly provide for a private right of action.72 Others only allow for prosecution by state prosecutors or state attorneys general.73 These prosecutions can be either for civil penalties74 or criminal.75 Some state legislatures also are grappling with the issue of how to measure damages in these cases – in some instances, allowing for treble damages or attorneys’ fees.76
Not all states with anti-spyware legislation have followed the California model. For example, Utah, which passed its law in 2004 – the same year as California – adopted a somewhat different approach.77 The Utah statute, along with a similar Alaska statute, not only protects consumers from spyware, but also expressly protects trademark holders by prohibiting software that makes certain types of unauthorized uses of another’s mark. Unlike the California statute, the Utah law defines spyware to include “software on the computer of a user who resides in the state that collects information about an Internet website at the time the Internet website is being viewed in the state, unless the Internet website is the Internet website of the person who provides the software; and uses the information collected contemporaneously to display a pop-up advertisement on the computer[.]”78 The Utah law prohibits causing pop-up advertisements to be shown on the computer screen by means of spyware, if the pop-up is displayed in response to a user accessing a specific mark or Internet address that is purchased or acquired by a person other than the mark owner or an authorized user of the mark. The statute also prohibits purchasing advertising that makes use of spyware, if the advertiser receives notice of the violation by the mark owner and fails to end its involvement.79
The Utah law has been the subject of interesting litigation. In 2004, an adware vendor sought a temporary restraining order and a preliminary injunction in Utah state court against the Utah law as unconstitutional under a principle of Constitutional law known as the “Dormant Commerce Clause.”80 The U.S. Constitution reserves to Congress the authority to “regulate Commerce with foreign Nations, and among the several States, and with the Indian Tribes.”81 That provision has been construed by courts to include “a further, negative command, known as the dormant commerce clause,”82 in areas where Congress has not affirmatively regulated, in order to “create an area of trade free from interference by the States.”83
State laws are subject to two levels of scrutiny under this doctrine. Strict scrutiny is triggered if the state law discriminates, on its face or in its effect, directly in favor of in-state commerce to the detriment of out-of-state commerce; such a law is generally struck down unless the state demonstrates a legitimate local purpose and an absence of nondiscriminatory alternatives.84 Conversely, “[w]here the statute regulates even-handedly to effectuate a legitimate local public interest, and its effects on interstate commerce are only incidental, it will be upheld unless the burden imposed on such commerce is clearly excessive in relation to the putative local benefits.”85
In the spyware challenge, the court granted a preliminary injunction, holding that the statute was likely unconstitutional. In response to that preliminary decision, the Utah legislature drafted amendments to the law in an effort to resolve the constitutional issue. To that end, the Utah and Alaska statutes expressly exclude pop-up advertisements if the software requests information about the user’s state of residence before displaying the pop-up, implements a reasonably reliable automated system to determine the geographic location of the user, does not encourage the user to indicate a residence outside of their states and does not display the pop-up to users in their respective states. The authors are unaware of any pop-up adware that would satisfy these statutory prescriptions, and the ability of these amendments to withstand similar Constitutional scrutiny remains untested.
Finally, other states have sought to address spyware not in a stand-alone spyware-specific statute, but within the context of larger computer crime laws. For example, Nevada’s computer crime statute now defines spyware as an unlawful “computer contaminant” which cannot be introduced into a computer, system or network.86 Virginia also expanded the definitions in its existing computer crimes statutes to include activity that could encompass the use of spyware.87


  1. CONCLUSION

In conclusion, the Subcommittee agrees that the following areas need to be brought to the attention of the Section for further discussion and analysis:




  • Comparison of need and efficacy of statutory prohibitions versus regulation.

  • Enforcement vs. private right of action - analysis of the motivations and effectiveness of enforcement by regulatory bodies versus private actions by affected citizens against offenders.

  • Analysis of varying remedies available and their effectiveness (injunction, civil damages, criminal penalties, etc).

  • State law issues:

o perceived need for uniformity through preemptive federal law versus desire to allow states to fashion their own different and more restrictive standards.

  • Definition of spyware:

o is the key element consent?

o does “spyware” actually have to “spy” (e.g., monitor or report on user activity), or does it include malware, fraudware, browser hijacks and the like?

UPDATE ON CREDIT SECURITY LEGISLATION SINCE 2007 REPORT


