"Sample
Answer"
Santa
Clara University School of Law/Cyberspace Law Spring 1998
Professor
Eric Goldman (ericgoldman@onebox.com)
This document describes some of the issues I was looking for in answers to this year’s final exam. This year, unlike others, this document contains a number of points that no one in the class raised, so this document was not used as a "checklist" to score exams. I gave 5 As, 10 Bs and no Cs.
GENERAL
There were 2 things that would have
improved answers generally.
First, this exam proved
particularly difficult to organize, especially the first question. With the
first question, many of you tried to distinguish between short-term and
long-term responses, but many of your short-term steps were often more
appropriate for the long-term steps, and vice versa. It would have been much
better to outline the answer upfront in a way that ensured you actually made
the points you wanted where you wanted. Better organization was generally the
difference between an A and a B on this exam.
Second, particularly on the first
question, many of you made assumptions about what OhBoy had or had not done
without making your assumptions explicit. It is crucial to state your
assumptions explicitly, especially when you need more information to make decisions.
QUESTION 1
This question was based on a real
life dispute between Onsale and eBay. See, e.g., http://www.microtimes.com/174/onsaleebay.html
and http://www.news.com/News/Item/0,4,16051,00.html.
There were numerous relevant pieces
of information missing here that would be helpful for an analysis of the
dispute. Among the things that we would want to know:
* Does OhBoy use a robot exclusion
header? Did the robot ignore this header?
* Does OhBoy use a user agreement?
Was it a mandatory click-through agreement or was it merely a link off the
homepage? What did the user agreement say? Did it have a contractual provision
that would have applied here? Did the robot "click" on this user
agreement? Did an AA employee at some point click on the agreement?
* Has OhBoy ever notified AA before
that its robots were not welcome?
* What was on the pages collected
by the robot—was it exclusively user content, or were there OhBoy proprietary
elements such as logos or other text that OhBoy could claim a copyright
interest in? Has OhBoy registered its copyright in one or more of these pages?
Short Term Issues
In the short run, OhBoy has some of
the following objectives:
* It wants to reinforce its
relationship with its customers
* It wants AA to stop using the
database of email addresses
* It wants to prevent AA from
sending further robot attacks
* It wants good PR
* It may—or may not—want to tweak
its competitor. Competitor-bashing is always a dicey affair, especially in
emerging Internet markets. If competitor-bashing causes potential customers to
be afraid of the entire Internet auction segment, OhBoy will actually lose
long-run value, even if it gains relative market share.
1. As
for reinforcing its relationship with customers, OhBoy needs to communicate
honestly and quickly. OhBoy will also want to describe the steps it is taking
to prevent future incidents.
2. As
for getting AA to stop using the database of email addresses, OhBoy will have
to negotiate with AA or cajole them. First, OhBoy can complain to AA’s ISP that
the ISP is harboring a spammer. AA’s spam may have breached its contract with
its ISP, and ISPs tend to be pretty responsive to complaints about spam. If
AA’s ISP is not responsive, it may be worth going to this company’s ISP or
further upstream—eventually, someone upstream will take a negative stand on
spam and apply pressure downstream.
In dealing with AA directly, OhBoy
can try to marshal evidence of its superior legal position.
A. Trespass. We do not have enough data to
know if OhBoy can assert that AA trespassed its computer resources. Under the CompuServe
v. Cyber Promo approach, we appear to have a facial claim that AA
trespassed on OhBoy’s server resources, presumably in ways that caused harm
(i.e., while the server was responding to AA’s robot, it was slower or unable
to respond to other legitimate requests). However, before trespass claim could
be brought, the CompuServe court suggested that a trespass plaintiff
must exercise reasonable self-help measures and provide notice that trespass
was not welcome. It is unclear whether or not OhBoy has done so. If in fact
OhBoy used robot exclusion headers that were ignored and OhBoy had clearly
announced anti-robot policies, it might be able to make a trespass claim now.
If not, it may need to initiate these steps as part of its long-term strategy
but cannot use trespass arguments very effectively against AA at the moment.
Note that the argument that all
robots are trespassing could have broad ramifications for the operation of the
Internet—especially since this is the way that most search engines build their
databases. Would this be good policy?
B. Copyright. We do not know what material
was copied by the robot’s operation, so we’re not sure if OhBoy or its users
are the likely plaintiffs. I assume for the moment that both OhBoy and user
content was copied, so both would have standing.
The email addresses are likely not
copyrightable (Feist), but the robot copied the entire page, not just
the email addresses. In fact, the robot may have effectively made a copy of the
entire OhBoy site, so we might be able to claim that all of our copyrighted
material on the site was copied.
It will be tough to prove damages
from the copyright infringement itself, but maybe the loss of server resources
is a recognizable damage under this claim, and if we have a registered
copyright on the website, we might be able to get statutory damages and
attorneys’ fees.
Of course, AA can argue that its
robot made only fair use or had an implied license. In some ways, the implied
license analysis is similar to the trespass analysis. AA will try to argue that
its robot did nothing different from what OhBoy’s ordinary users do when they
browse the site, but this argument becomes less plausible if the robot ignored
exclusion headers.
As for fair use, we had a
commercial use (against AA), published material (for AA), both fact and
non-fact (wash), 100% copying (against AA), and an uncertain effect on the
market (the copying itself did not diminish the market demand for OhBoy, but
the use of the uncopyrightable email addresses did have a negative effect on
market demand—a wash). So we’re not sure if the copyright claim is a strong
one.
Depending on how you feel about the
implied license/fair use argument, you might also assert that AA willfully
infringed OhBoy’s copyright, which would be a predicate condition for criminal copyright
claims.
C. Breach of Contract. We don’t have enough
facts on this claim, but AA’s behavior could be a breach of OhBoy’s user
agreement—either as entered into by an AA employee or as entered into by the
robot (if a robot can legally enter into a contract).
D. Computer Fraud and Abuse Act (18 USC
§1030). We didn’t discuss this much in class, but there are good arguments that
the robot violated this law, giving rise to both civil and criminal remedies.
E. Tortious Interference/Unfair
Competition. We didn’t discuss this in class, but you should note that there
are arguments that AA’s behavior constitutes tortious interference with
contract or interference with prospective economic advantage. There are
probably also colorable arguments under state unfair competition laws (which
are generally pretty easy to state a claim under).
F. Threaten a Class Action on Behalf of
OhBoy’s Users. While OhBoy will not have standing to enforce its users’ rights,
a class action—perhaps initiated by OhBoy—may be a meaningful threat. (Of
course, if OhBoy really wanted to tweak AA, it could encourage multiple OhBoy
users to bring suit individually throughout the country in their home
courts—which would be a big drain on AA’s legal resources). First, OhBoy’s
users could complain about copyright infringement, although this is likely to
be a weak claim. Second, OhBoy’s users or their ISPs could complain about
trespass of their resources. Third, AA may have violated one or more anti-spam
statutes (although at the moment none are effective, laws in Nevada and
Washington become effective this summer).
G. Trade Secret? Some of you thought there
may be a trade secret claim here, but the fact that the email addresses were
publicly available negates any trade secret claim OhBoy could make in its
customer email address lists.
H. Right of Privacy/Publicity? Some of you
claimed that users would have a right of privacy claim, and a couple of you
claimed they would have a right of publicity claim. Since users voluntarily
posted their emails on the web, there’s no basis to claim privacy in the
address. As for the right of publicity claim, it’s extremely weak to claim that
AA made a commercial use of a protected interest here.
3. To
prevent further robot attacks, AA must be on notice that its robots are not
welcome. A cease and desist letter ought to be sufficient to lay the groundwork
for a future trespass claim. Some of the self-help techniques described below
would also help.
4. As
for good PR, OhBoy can make press releases about its existing and perhaps news
and improved policies about spam, and it can couple the announcements with some
of the changes described below. If OhBoy wants to tweak its competitor, it will
likely get some press attention to do so as the reporters write up the press
releases.
Long Term
Among the steps that OhBoy could
take to make its future position stronger (under trespass, copyright or breach
of contract) or to technologically limit the chance of these events recurring:
* Use robot exclusion headers
* Block the IP address used by AA’s
robots. Of course, AA could merely use a different IP address in the future or
forge headers, but it would be a start.
* Use other anti-robot technology
(such as limiting the number of http pages that will be delivered to a single
IP address during a certain period of time).
* Send (automatically or manually)
a notice to every person who sends a robot to OhBoy’s site that robots are not
welcome.
* Place all pages containing email
addresses behind a password protected page and/or use usernames instead of
email addresses to identify people on the site. In fact, eBay did give people
usernames and then made the email addresses available in a password protected
searchable database (and then, only one address at a time). Not only does this
technologically limit the problem, it assures that all people trying to harvest
email addresses will be registered users who have clicked through the user
agreement.
* On all pages (both the home page
and others), provide a notice that says that robots are not welcome.
* In the user agreement, restrict
the use of robots and the use of other users’ email addresses.
* Ensure that each page of the site
contains OhBoy copyrightable material.
* Register the website with the copyright
office.
Some of you suggested putting the
entire site behind password protection. This is OK, but it’s not really
necessary if you are only trying to protect email addresses and it would
discourage new users.
Some of you suggested trying to
make the email addresses into a trade secret. Since the facts said that the
email addresses needed to be accessible to all users to permit user-to-user
communication, it is going to be difficult to assert trade secret protection in
email addresses when they are accessible to several hundred thousand of our
closest customers.
QUESTION 2
One of my hot button issues is that
there is a lot of bad information disseminated about cyberspace law. If you
pull up the full text of the article, you’ll see what I mean (sorry, I don’t
think it’s available on the web).
The first paragraph is absolutely
wrong. With respect to online libel liability for the AOLs of the world, the
distinction between "distributors" and "publishers" is not
pivotal—it’s IRRELEVANT! (Or, as one of your peers wittily observed: "It’s
passé, not pivotal!") As Zeran and Blumenthal clearly indicated,
publishers and distributors of third party defamatory content are treated
equally under 47 USC §230(c)—neither are liable for the defamation if they are
covered by the statute. The assertion that, if AOL was characterized as a
publisher, it would be legally responsible for third party defamatory content
is wrong—Zeran treated AOL as the publisher of the statements it, in its
editorial discretion, refused to remove, and still held AOL not liable.
The article snippets also raise a
related question—who are we talking about? The article uses, apparently
interchangeably, the terms "America Online", "Internet
providers" and "websites." In fact, 230(c) distinguishes between
"interactive computer services" and (presumably) everything else. The
article does not help us understand what is an ICS and whether or not
"Internet providers" or "websites" will be deemed ICSs like
AOL has been determined to be. This is just sloppy language on the reporter’s
part, but it makes a big legal difference.
The second paragraph is a bit of a
head scratcher. What is a "rigorous disclaimer"? Is it a part of the
user agreement, or is it non-legally binding notice just stuck somewhere on the
site? To the extent that it is the latter, why bother?
To the extent that the
"rigorous disclaimer" is part of a legally binding agreement, we need
to be clear about the purpose and benefit of such a "disclaimer." If
we are concerned about liability for defamation (note the article title!), such
a provision will be irrelevant—presumably the "Internet provider" is
not liable, regardless of the presence or absence of the disclaimer and
regardless of the degree of control over user content.
If we are concerned about other
types of liability for user-generated content, then it is OK to have a contract
provision that tells the user that we are taking the position of a passive
conduit of user information. But, let’s be honest, this is self-serving
language that will probably be ignored by a judge. The risk management strategy
must be carried through in practice in all of the sysop’s interactions with
user-generated content, so either the sysop behaves in practice like a passive
conduit or it does not. A "rigorous disclaimer" won’t persuade any
judge that the sysop behaved like a passive conduit if the facts are otherwise.
Therefore, with respect to the
third paragraph, it’s true that users may be liable for what they say—but is
this a useful observation that needs to be made to users, and does it change
CitySearch’s potential liability at all? And the statement that CitySearch is
"NOT" liable (presumably someone thinks the statement is more
effective because the "not" is capitalized) is not legally correct—in
certain circumstances CitySearch is liable for copyright and trademark
infringement and other non-speaker or publisher torts. So why bother with the
statement? And why did the article implicitly suggest that this statement is
part of cutting edge legal practices?
Some of you noted that I include
the following paragraph in my user agreements:
You are solely responsible for your information,
and we act as a passive conduit for your online distribution and publication of
your information. However, we reserve the right to take any action with respect
to such information we deem necessary or appropriate in our sole discretion if
we believe it may create liability for us or may cause us to lose (in whole or
in part) the services of our ISPs or other suppliers.
As I mentioned, the first sentence
is potentially self-serving, but if it is a correct statement of factually how
my client runs its business, it will be a helpful way to explain our risk
management policy to third parties. In particular, the first sentence is very
helpful in expediting the resolution of user-to-user disputes. The second
sentence sets out by contract a very narrow set of exceptions when the site
will not act as a passive conduit and will be removing user content from the
site. This proves very helpful to explain to users why the site is taking—or
not taking—action with user generated content. However, under no circumstances
do I advise my client to put this provision into their agreement and then stop
worrying about their risk management strategy, like the article suggests.
Indeed, consider if a site’s risk from user-generated content would increase if
we omitted my paragraph from the agreement altogether and were just silent on
these points.
Sysop liability analyses are very
complicated. Be wary of getting guidance from any source other than the
statutes and the cases.