2004 Cyberlaw Sample Answer

Eric Goldman




This was another tough exam, following on last year’s very tough exam.  I think this exam was a little easier than last year’s, and the performance reflected it.  There were fewer “total misses” than last year.  On the other hand, there were few “standout” papers, leaving most of you solidly in the middle, and the grading distribution reflects that.  There were 2 As, 2 ABs, 13Bs, 3 BCs and 2 Cs.


While this is a tough exam, I don’t think this exam was too hard to master.  Unlike prior years, I think students could have identified and discussed virtually all of the points in this sample answer.  Of course none of you did, but I’m interested in your reactions to this statement.  After you review this sample answer, let me know if you think any of the points were not realistically achievable by a student.


To my great delight, EVERYONE typed their exam, which made my life much easier, and 17 of you returned the exam by email.  This class sets a new benchmark for computer savviness!


QUESTION 1  (mean of 1,469 words; maximum of 2,246 and minimum of 384)


Contract Formation


Uploading Users


With respect to uploading users, BMN uses a strong contract formation process.  The uploader cannot submit any data without seeing the call to action, the call to action language is strong, and the requirement that uploaders check the box is an extra unambiguous manifestation of assent.  This is a quintessential mandatory non-leaky clickthrough, and this should work to form a contract with every uploader.


Some of you were concerned about the fact that the actual terms were hyperlinked instead of being displayed on the upload page.  Others parroted that BMN should use a mandatory-non-leaky clickthrough and then determined that the process didn’t qualify as such because the terms weren’t on the page.   While putting the terms on the page would be a nice touch, I don’t think their location at a hyperlink has any negative effect in this context.  The requirement is just that the terms be reasonably available for review.


Searching Users


In contrast, BMN does a very weak job forming a contract with the searching users, so weak that it probably fails in most or all cases.  BMN uses two principal ways to form a contract.


First, BMN has a “terms of use” link on every page.  This language is very weak—there’s no call to action.  Further, the presentation is inauspicious: at the bottom of the page, below the fold for some users, and in small lettering with non-descript coloring.  This is a lot like the Ticketmaster case where TM’s initial presentation of its user agreement did not work.  BMN could make an argument that the presentation was still enough that users would see the words “term of use,” and that language is enough to put them on inquiry notice, but I don’t think the precedents support that.


Second, the terms of use say that users agree to the terms by using the site.  We saw this type of language in the Specht case, and it failed because users don’t see it and there’s no unambiguous manifestation of assent.


Contract Amendment


The terms of use say that BMN can update at any time without notice and users should check back for changes.  As we discussed in class, I think few courts will tolerate this type of broad amendment process, especially without giving users meaningful notice.  Therefore, I think amendments made in reliance of this language have a high probability of failing.


Uploader Liability


Breach of Contract


Uploaders breach their contract with 1234, which says that they may not disclose/share their passwords—and that’s exactly what those users do by posting the U/P combo to BMN.  (Note this also creates an argument that uploaders misappropriate a trade secret from 1234, but I took that out of the question).  Uploaders also breach paragraphs 4 and 5(3) of the BMN contract.




On the surface, there’s an argument that uploaders traffic in devices that circumvent technological protection measures.  However, there was a recent case (we didn’t discuss in class) saying that passwords are not protected under the DMCA.


Contributory/Vicarious Copyright Infringement


An argument can be made that uploaders take legal responsibility for copyright infringement committed by searching users.  I’ll deal with this argument when I discuss BMN’s liability.


Searching User’s Liability


There is a key fact here that I wanted you to focus on: 1234’s user agreement says that users may not browse/access the website except as permitted by 1234’s agreement.  Let’s consider how that fact shapes our analysis.


Breach of Contract


In all likelihood, 1234 does not have a contract with the searching user.  The searching user, by definition, bypasses the contract formation process.  One might argue that under the Register.com apple analogy, those users might end up being subject to contract terms if they repeatedly visit and see the terms somewhere along the way.  However, absent such legal contortions, the searching user isn’t contractually bound to the 1234 contract limit on browsing/access.


CFAA and Trespass to Chattels


However, does this language have any consequence under the CFAA?  As we discussed in class, the standard for delimiting access under the CFAA is less than the standard for forming a contract.  In other words, while the searching user may not be bound to the language contractually, the language may still be enough to make the user’s access “unauthorized” for purposes of the CFAA. 


In particular, let’s focus on 1030(a)(5), which applies when a person intentionally accesses protected computer without authorization and causes damage.  With the language in 1234’s contract, we have an unauthorized access.  The intent seems pretty clear—it’s hard to argue around the reasons why BMN exists and why users use it.  So the user could be on the hook for a CFAA violation if 1234 can show “damage,” in this case losses of $5,000 per year.  Nominally, any single user isn’t likely to cause that much damage just by reading news on the site, although 1234 surely could find a way to gross up its damages to clear the threshold.


In contrast, 1234 would have a much harder time showing a trespass by chattels because of the damage requirement.  Under the Hamidi case, the language in 1234’s contract doesn’t seem particularly relevant; the key issue is whether the searching user causes damage to 1234’s computer system.  While theoretically possible, most users would not cause this damage just through ordinary browsing.  As a result, these facts may illustrate how a user can violate the CFAA without violating trespass to chattels.




Recall that I took the position that ordinary web browsing is a prima facie case of copyright infringement, but we don’t see much litigation over it because it is either fair use or subject to an implied license.  What about here?


Let’s assume that a browsing 1234 downloads copyrighted works to his or her RAM.  While news stories may be subject to thin copyrights because some of them are factual in nature, most news stories are protectable by some type of copyright. 


Notice that the 1234 contract destroys any argument that the searching user has an implied license to browse—it expressly states otherwise.  As a result, the searching user’s next best argument is fair use:


On balance, the fair use factors are (as usual) unpredictable.  However, we shouldn’t lose sight of the equitable nature of fair use, and courts aren’t going to be sympathetic to the anarchism implicit in a searching user’s bypass of 1234’s registration process.  As a result, there’s a non-trivial chance that searching users commit copyright infringement when they browse 1234’s site.




To the extent that password protection is a technological protection measure, then using an illegitimate password could constitute a 1201 circumvention.  (Note the recent case mentioned above didn’t buy this argument).


BMN’s Liability


For Uploader’s Breach of Contract


The basis of 1234’s breach of contract claim against an uploader is that the uploader publicly disseminated information.  Stated this way, BME should be insulated from liability under 47 USC 230.


Some of you didn’t use 47 USC 230 at all in your answer to Q1.  While this wasn’t fatal, I was definitely disappointed!


For Searching User’s CFAA/Trespass Violation


The CFAA has a criminal aspect to it, and federal criminal laws are not preempted by 230.  We believe that BMN must have some scienter to take joint responsibility for the user’s criminal violation of the CFAA, but we don’t know how much scienter or scienter of what.


Otherwise, it is tempting to dismiss BMN’s liability for the searching user’s CFAA/trespass on 47 USC 230.  However, these claims do not directly rest on BMN’s publication of content but instead rest on the user’s behavior based on content obtained from BMN.  So 47 USC 230 may not technically apply.  I’ll take the position that if 230 doesn’t apply, then it would be difficult to construct a chain of causation that puts BMN on the hook for the user’s behavior.  In other words, if 230 doesn’t preempt the claims, then the user may be so far outside the purview of BMN that BMN lacks the requisite degree of scienter/involvement for liability.


For Copyrights in U/P Combinations


It seems a little silly to think of usernames and passwords as being protected by copyright law, but recall that the Ticketmaster court had to consider if URLs are copyrightable.  Of course if the uploader creates the username and password combination, then the uploader can’t sue for copyright infringement after providing the combination to BMN (in an omitted portion of the BMN terms of use, BMN does get a license).  However, we can’t ignore the possibility that uploaders didn’t create the U/P combos themselves but instead stole them from somewhere else.  Under that situation, uploaders and BMN could be liable for copyright infringement if the U/P combo is copyrightable.


For Searching User’s Copyright Violation


Having established above that searching users may commit copyright infringement by browsing and that the standard defenses (implied license and fair use) may not apply, we can now turn to the question of whether BMN or an uploader has contributory or vicarious liability for the browsing.


Contributory Infringement


BMN represents the same kind of animal as Napster, Grokster and Aimster in that BMN knows that its users use it solely to engage in bad behavior.  BMN differs from the other three, however, because there may be no legitimate use of BMN, ever.  While BMN’s terms of use contemplate that the only people who will upload U/P combos are owners/authorized representatives of websites with registration processes, if those owners/representatives really didn’t care if users register, they would remove the registration.  In other words, we know that no websites are seeding the BMN database with U/P combos.  As a result, we know that all target websites should object to BMN, and there’s no legitimate use by a searching user of any U/P combo they find on the website.


Based on this, BMN warrants even less favorable equitable consideration than Napster and Aimster did.  In other words, we might be even less charitable about BMN’s knowledge.  Sure, BMN doesn’t “know” if a U/P combination is authorized or what searching users are going to do with the combinations, but BMN knows, and we know they know.  In Posner’s lingo, this is not a situation with mixed legitimate/illegitimate uses—this is pure 100% illegitimate, and BMN knows this.


However, BMN differs from Napster, Grokster and Aimster in the role it plays in the copyright infringement.  Recall that all three technologies were “end-to-end” solutions, consisting of software plus search lists.  BMN, on the other hand, is just a search list.  What users choose to do with the U/P combination after getting the information is completely out of BMN’s hands.  On this basis, we might argue that BMN resembles Grokster, in that if BMN shuts down, users can keep infringing with the U/P combos they got.  On the other hand, shutting down BMN would stop new infringements from occurring, while shutting down Grokster wouldn’t.


Also note the specific definition of contributory infringement includes “inducing” infringing activity.  Most of our discussion in class focused on “material contribution,” but perhaps BMN’s exhortations constitute an inducement irrespective of any contributing role BMN plays.


I think we are likely to be even less charitable to uploading users.  Do they know about infringing activity that takes place after they post their U/P combos?  I think it’s hard to argue otherwise.  What about material contribution?  At minimum we have “but for” causation, but we could argue their role is even more involved than that.


Vicarious Infringement


Direct Financial Benefit.  As far as I could tell, BMN derived no financial benefit from the website.  However, the passwords acted as a draw to customers, and perhaps that would suffice.  (However, note that in Napster that copyrighted works were the draw, not a proxy for copyrighted works like here).  As for uploading users, I can’t really construct a theory of how they derive any financial benefit from their submissions, so I think they drop out of vicarious infringement on that basis.


Right and Ability to Supervise Infringing Activities.  BMN can, in theory, control and patrol their premises, but the actual infringement takes place outside their system.  This again distinguishes BMN from end-to-end solutions like Napster/Aimster/Grokster.  It wouldn’t surprise me if the courts extended the locus of infringements to include the U/P combos (just like the Napster/Aimster courts extended the locus of infringement to include song title and IP address), but I think the more precise reading of vicarious copyright infringement would say that BMN cannot supervise the infringing activities.


Safe Harbors.


512(a) would be a complete defense, but it should not be available.  As we discussed in class, websites have an extremely difficult time qualifying for this safe harbor based on the narrow definition of “service provider” in the statute, which applies to IAPs and very few others.


512(c) should not apply because it covers hosting infringing content.  As we discussed, the U/P combos aren’t the infringing content; they are just the key to getting it.


512(d) could in theory apply, as it covers search engines and other information location tools.  However, because it excludes contributory and vicarious infringement, and there’s no way for referrers to be directly infringing, we think 512(d) covers a null set.


Conclusion on Copyright Infringement.


BMN is less in the chain of causation than Napster/Aimster/Grokster because its system never touches copyrighted works.  On the other hand, it is more noxious because we don’t believe there’s any possibility of legitimate uses.  As a result, I think BMN has a serious risk of contributory copyright infringement for inducing or facilitating bad browsing.  I think there’s also some risk of vicarious copyright infringement, although the doctrine fits less well.  In any case, I think the 512 safe harbors will not be helpful (surprise!).


Effect of BMN’s User Agreement


I think the user agreement is worthless as a risk management tool.  First, the likely plaintiffs—1234 or other target websites—are not bound to the contract and its exculpatory language.  This differs from the release in the Grace case, where the plaintiff had agreed to the contract containing the release.  Paragraph 2 is a classic statement of non-responsibility—this is a wish, not a release.  Paragraph 3 does contain a “waiver” (which I’ll interpret as a release) but only for searching users’ exposure to objectionable content.  Paragraph 4 gives BMN some rights to go after uploading users, but (1) it doesn’t know who they are, and (2) we all know that they are deadbeat anarchists.  Paragraph 5 basically revisits the same ground as paragraph 4, and doesn’t really add anything useful.


Conclusion on Question 1


In doing my research on this question, I came across a quote from one of the biggest brands in Cyberlaw opining that Bugmenot was perfectly legal.  I trust everyone in this class knows better.  Just based on the material we discussed in class, Bugmenot has significant legal risk.  The liability for trade secret misappropriation makes that risk even worse.  But ultimately Bugmenot has zero chance of surviving legal scrutiny based on the application of statutes I excluded from the question, such as 18 USC 1029, which specifically prohibit the distribution of passwords. 


So we know where this leaves us.  Bugmenot is a cute little site that is completely illegal.  The fact that it is still in existence offers us no useful insight about its legality.  You’ve heard me say it many times already: just because someone else is doing it doesn’t make it right.  I hope you’ve learned the legal principles to analyze this more rigorously than that.


QUESTION 2 (mean of 482 words; maximum of 747 words and minimum of 96 words)


This is an easy and a tough question.  It’s easy because it’s a middle-of-the-road fact pattern.  It’s tough because if you analyzed every applicable doctrine thoroughly, you’d run out of time and words.  So this question required you to keep your analysis high-level and to prioritize.


I spotted four possible plaintiffs: Cheney, Factcheck.org, Georgesoros.com, and the misdirected users. 




Cheney really doesn’t have any good claims here.  He could try to argue defamation, but NA doesn’t make any factual statements itself about Cheney.  Cheney could try to argue that Georgesoros.com makes defamatory statements about Cheney, but that claim should be easily preempted by 47 USC 230.  (The defamation claim might fail for other reasons too, such as truth, the First Amendment heightened scienter requirements, statements of opinion instead of fact, etc.).  Cheney might also try to argue that NA’s association of the factcheck.com domain with georgesoros.com puts him in a false light; again, assuming that he could make a plausible cause of action, it should be preempted by 47 USC 230.


I’ve been thinking for a while about recourse that Cheney could have for this situation, and I keep coming up dry.  Ultimately, I think he’s SOL.  Watch what you say on live TV.  Whoops!



Let’s assume that Factcheck.org has priority over NA.  If so, NA could be portrayed as a typosquatter on factcheck.org.  NA may have chose this name because searchers, like Cheney, unconsciously add .com instead of .org to domain names, giving NA a source of traffic to make money from.  Their profile as a typosquatting might be reinforced by the fact that they never built a real website at the domain but instead just created a place to deliver advertising.


Factcheck.org’s right to stop NA’s behavior depends on Factcheck.org’s trademark rights.  As a project of the University of Pennsylvania, it’s not clear that they have ever used factcheck.org to identify and distinguish goods and services in commerce.  Therefore, it’s possible factcheck.org is not a trademark, in which case factcheck.org has no rights to stop NA.


If factcheck.org has trademark rights in the term and has priority, then we would consider trademark infringement, dilution, ACPA and the UDRP.


Trademark Infringement


The domain names factcheck.com and factcheck.org could very well confuse consumers.  However, it’s less clear that the websites would confuse consumers: one is a rich non-partisan site, the other just provides lots of (presumably junky) ads.  While this is not an easy case for the standard multi-factor likelihood of consumer confusion test, it’s exactly the kind of situation that courts have punished under initial interest confusion.




Factcheck.org is a weak name—it’s descriptive, so it needs to develop secondary meaning before it’s protectable.  As a result, we would be reluctant to characterize it as a famous mark until it really reached a wide degree of notoriety.  My guess is that we can’t go that far yet.  If factcheck.org is famous, then factcheck.com probably dilutes: it is a commercial use in commerce and either blurs (by creating a new definition in consumers’ heads) or tarnishing (perhaps by providing inferior services).  I think the redirection to georgesoros.com reinforces the blurring and tarnishment, especially by undercutting the perceived non-partisan status of factcheck.org.




The ACPA and UDRP were targeted at people like typosquatters, so assuming that factcheck.org meets the threshold trademark requirements, we should not have any difficulty finding that factcheck.com engaged in bad faith intent to profit or bad faith, respectively.  I think the redirection to georgesoros.com actually undercuts the ACPA/UDRP claims some because it’s not a profit-driven motive and provides a more socially laudable use of the domain (for political speech instead of advertising).  On the other hand, at least under the UDRP, factcheck.com’s stated motivations—to offload costly charges and tweak someone—could still meet the bad faith standards even if not for profit.  Note also that the domain was registered before Cheney’s gaffe, another sign that the registrants weren’t trying to capitalize on an anomaly.






Factcheck.com redirected the domain to avoid costly traffic, effectively outsourcing this expense to georgesoros.com.  In all likelihood, georgesoros.com was delighted to get the free traffic, but they did incur expenses involuntarily.  If georgesoros.com didn’t want this traffic, they could argue that NA consumed georgesoros.com’s valuable server and bandwidth resources.


The most logical statute to apply is 18 USC 1030(a)(5)(A), which restricts knowingly transmitting a program/info/code/command and intentionally damaging a protected computer without authorization.  Factcheck.com didn’t transmit anything directly—it’s not like they browsed georgesoros.com or sent a robot to access their site—but they caused all of their visitors to do so.  Assuming $5,000 of damage in a year (depending on volume, it could cost that amount in one night!), we could try to establish causation.


The trespass to chattels analysis looks similar.  Once again, factcheck.com didn’t trespass directly, but no doubt caused the traffic to access georgesoros.com.  To get trespass to chattels, however, georgesoros.com would need to show damage to their computer systems.  If they didn’t crash from the traffic, the common law claim may fail.


Copyright Infringement


In a sense, factcheck.com links to georgesoros.com.  This implicates the “is linking infringement?” discussion we had in class.  If browsing georgesoros.com’s website is infringement, then linking could be contributory infringement.


Misdirected Users


The users who were misdirected seemed to suffer somehow, but I couldn’t come up with any cause of action that they could bring.  Caveat surfer.


Comments on Student Answers


Some of you missed the TM issues altogether.  This definitely capped your upside.  Others missed the CFAA/trespass issues altogether, and this hurt too.


A few of you tried to characterize the redirected traffic as spam under CAN-SPAM.  This simply doesn’t work under the statutory definition.  Analogous thinking doesn’t work so well when there’s a statutory definition on point.




If you use a case or statute name, please spell it correctly.  I got too many Sprechts, Grocksters, Promatecks and DCMAs to count.  You definitely won’t impress clients with misstated citations.


A few of you used the term “Internet service provider” despite my many admonitions on that term.  This term is inherently ambiguous.


Be thoughtful before just adding the word “contributory” in front of a cause of action.  I have no idea what constitutes “contributory contract breach” (although I do know claims like interference with contract).


If you are going to argue contributory or vicarious copyright (or trademark) infringement, make sure you’ve properly identified and analyzed the direct infringer.  For example, on Q1, a number of you thought that uploading users or BMN might be contributory or vicariously liable, but then did not identify any copyright liability on the part of the searching user.