With all the concern about online theft, why do we trust online merchants
      at all? For that matter, why do we trust people we've met on facebook,
      etc?
      
      Why we trust online sites:
    
    
      Overall, it seems that lack of bad past experience has the most to do with
      why we trust. (Also, it doesn't appear to take much experience for many
      people to feel comfortable with something.)
      
      What about personal sites? (Not necessarily dating, but those too.) How do
      we form online friendships (eg at discussion sites)? What about forming
      new friends on Facebook? What makes us think people aren't completely
      deceiving us? What about in face-to-face
      settings? Is that any different????
    
Some foreign governments have in the past expressed the concern that
      Windows must have some sort of
      back-door access mechanism accessible to the CIA. 
    
Trusting software: how do we do this? What responsibility do vendors have?
        
Should there be an obligation for software to work on our behalf?
Should there be some sort of "fiduciary obligation"?
How much can you count on trusting your email software, or trusting your browser?
      
      The organization Stopbadware.org is
      devoted to identifying (and defining) "badware" on your computer. One of
      their hardest jobs has been figuring out just what "badware" is. Here's
      an earlier definition:
    
What about DRM? What about Windows?
What about Android apps? Both free and paid?
In recent years, Stopbadware has shifted its emphasis from locally
      installed software to websites that download malware, through
      vulnerabilities involving javascript or the browser or some other
      component; in fact, they largely serve as a clearinghouse for information
      about bad sites.
    
The biggest problem stopbadware.org has is figuring out what qualifies. You'd think this would be easy.
    
 Most is spyware or viruses or some inappropriate "control" software (eg
      Sony's "rootkit", below)
      
      An older stopbadware.org definition:
1. If the application acts deceptively or irreversibly.
2. If the application engages in potentially objectionable behavior without:
    
Here is their current list, from http://stopbadware.org/guidelines/software, of things software must not do:
Stopbadware used to publish "alerts". RealPlayer (arguably a legitimate product) had been here (Spr 2008?)
Do these things make it badware?
KaZaa had been here in (Spr 2008?)
Spyware Striker Pro (Spring 2009) (ironically, this is NOT "fake" spyware-removal software!)
    
Compare all this with the modern phone app:
Can we trust apps to limit themselves to the data they actually need to function? The answer is a resounding NO.
    
      
      Technological issues & trust: can we at least trust that we're talking
      to the person we think we're
      talking to?
      
      Old-style PGP (Pretty Good Privacy) trust:
      You need to VERIFY people's public keys (that the key matches the person).
      Otherwise you can get a bad key, write to them using it, and be victim of
      a man-in-the-middle attack.
      
      (public key crypto: each person has a public key and a private key. If
      someone encrypts a message to you with your public key, you can decrypt it
      with your private key. Similarly, if you encrypt something with your
      private key, anyone can decrypt it with your public key, and
        in the process verify that it was encrypted with your private key.
      That last bit means that the message can act as your DIGITAL SIGNATURE.)
      
      How can we be able to TRUST our keys?
      
      Alice needs Bob's key.
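The key-verification step above, as an added illustration (not code from the original notes): Alice fetches "Bob's" key over a channel an attacker can tamper with, then compares its fingerprint against one Bob gave her out of band. The key blobs, the keyserver function and the use of SHA-256 over raw bytes are constructed stand-ins; real PGP fingerprints hash a specific packet encoding.

```python
import hashlib
import hmac

# Constructed stand-ins for public-key material. Real PGP keys are structured
# packets; for fingerprinting purposes any byte string serves here.
BOB_REAL_KEY = b"-----CONSTRUCTED SAMPLE: Bob's public key-----"
MALLORY_KEY = b"-----CONSTRUCTED SAMPLE: Mallory's substituted key-----"


def fingerprint(public_key: bytes) -> str:
    """Hex fingerprint of a key blob.

    Real PGP fingerprints hash a specific packet encoding (SHA-1 for v4 keys);
    plain SHA-256 over the bytes is used here for illustration only.
    """
    return hashlib.sha256(public_key).hexdigest()


def fetch_key_from_keyserver(mitm_active: bool) -> bytes:
    """Simulate retrieving 'Bob's' key over an untrusted channel
    (keyserver, email, web page). With a man-in-the-middle active, the
    attacker hands back a key whose private half the attacker holds."""
    return MALLORY_KEY if mitm_active else BOB_REAL_KEY


def verify_key(received_key: bytes, fingerprint_from_bob: str) -> bool:
    """Accept the key only if its fingerprint matches the one Alice obtained
    out of band (business card, phone call, key-signing party)."""
    return hmac.compare_digest(fingerprint(received_key), fingerprint_from_bob)


def alice_obtains_bob_key(mitm_active: bool) -> bool:
    """Alice's procedure: fetch, then verify BEFORE encrypting anything to the key."""
    out_of_band_fp = fingerprint(BOB_REAL_KEY)  # what Bob told Alice in person
    candidate = fetch_key_from_keyserver(mitm_active)
    return verify_key(candidate, out_of_band_fp)


if __name__ == "__main__":
    print("honest channel accepted:", alice_obtains_bob_key(mitm_active=False))  # True
    print("MITM channel accepted:  ", alice_obtains_bob_key(mitm_active=True))   # False
```

The point is where the fingerprint comes from: if Alice takes it from the same keyserver that delivered the key, the check proves nothing, since the attacker controls both. The web of trust extends this by letting Alice accept a key that someone she has already verified has signed.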
    
      SSL certificates (TLS certificates)
      SSL = secure socket layer, old name
      TLS = transport-layer security, new name
      
      Any pair of entities can negotiate a session key:
    
You're guaranteed a random key provided the other side does not see your bits before choosing theirs. There are protocols to enforce that (eg exchanging encrypted bits and then exchanging special keys to decrypt them)
 BUT: how do you know you're not about to give your credit card to a bad
      guy with whom you've just created a session key?
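The session-key negotiation just described, as an added worked example (not from the original notes): each side contributes random bits and the key is their XOR, so whoever chooses second could force the result unless both sides commit first. The "exchange encrypted bits, then the keys to decrypt them" step is replaced here by a SHA-256 hash commitment, a swapped-in but equivalent technique; the Party/Cheater classes are constructed for the demonstration. Note that the honest run still says nothing about WHO the peer is, which is exactly the "BUT" above.

```python
from __future__ import annotations

import hashlib
import hmac
import os


def commit(bits: bytes) -> tuple[bytes, bytes]:
    """Hide a bit string behind SHA-256(nonce || bits).

    The commitment is the locked box, the nonce is the key that opens it.
    """
    nonce = os.urandom(16)
    return hashlib.sha256(nonce + bits).digest(), nonce


def opening_is_valid(commitment: bytes, nonce: bytes, bits: bytes) -> bool:
    """Check that (nonce, bits) is really what was committed to earlier."""
    return hmac.compare_digest(hashlib.sha256(nonce + bits).digest(), commitment)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Party:
    """Honest participant: picks random bits and commits before seeing the peer's."""

    def __init__(self, bits: bytes | None = None):
        self.bits = bits if bits is not None else os.urandom(16)
        self.commitment, self.nonce = commit(self.bits)

    def reveal(self, peer_bits: bytes) -> tuple[bytes, bytes]:
        # The peer's bits are visible at reveal time; an honest party ignores them.
        return self.nonce, self.bits


class Cheater(Party):
    """Waits to see the peer's bits, then 'reveals' bits chosen to force the key."""

    def reveal(self, peer_bits: bytes) -> tuple[bytes, bytes]:
        return self.nonce, peer_bits  # peer XOR peer = all-zero key


def negotiate(alice: Party, bob: Party) -> bytes | None:
    """Two-phase contributory key agreement. Returns the key, or None if a
    party opened its commitment to bits other than those it committed to."""
    # Phase 1: exchange commitments; neither side learns anything about the other's bits.
    alice_commit, bob_commit = alice.commitment, bob.commitment
    # Phase 2: Alice opens first, so Bob sees her bits before opening his own.
    alice_nonce, alice_bits = alice.reveal(b"")
    bob_nonce, bob_bits = bob.reveal(alice_bits)
    # Each side checks the other's opening against the phase-1 commitment.
    if not opening_is_valid(alice_commit, alice_nonce, alice_bits):
        return None
    if not opening_is_valid(bob_commit, bob_nonce, bob_bits):
        return None
    return xor_bytes(alice_bits, bob_bits)


def negotiate_without_commitments(alice: Party, bob: Party) -> bytes:
    """The naive version: just swap bits. The second mover controls the result."""
    alice_bits = alice.bits
    _, bob_bits = bob.reveal(alice_bits)
    return xor_bytes(alice_bits, bob_bits)


if __name__ == "__main__":
    print("honest key:", negotiate(Party(), Party()).hex())
    print("cheater detected:", negotiate(Party(), Cheater()) is None)             # True
    print("naive protocol, cheater wins:", negotiate_without_commitments(Party(), Cheater()).hex())  # all zeros
```

With commitments the cheater's only options are to open honestly (random key) or to be caught; without them, the party that reveals second picks the key outright.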
      
    
      What does this have to do with TRUST?
      
      Do you trust the CAs listed in your browser? Huh? Have you even heard
      of any of them? 
      
      Firefox 2013: Edit => Preferences => Advanced => Encryption =>
      View Certs
 Of course, one of the real
      reasons we trust online commerce -- that we have relatively few bad
      experiences -- is related to all
      this encryption in that it makes it much harder for bad guys to eavesdrop.
      (The most likely location for bad guys, btw, is either in your house or on
      the servers at the other end.)
      
    
Note this is powerless against phishing attacks. Although the new Extended
      Validation SSL Certs might help. Might.
      
    
      Back to why we trust online vendors:
    
    
      Overall, it seems that lack of bad past experience has the most to do with
      why we trust. This seems to be the case
        with face-to-face and brick-and-mortar relationships just as much as
        with online situations. 
      
      What about personal sites? (Not necessarily dating, but those too.) How do
      we form online friendships (eg at discussion sites)? What makes us think
      people aren't completely deceiving us? What about in face-to-face
      settings? Is that any different????
    
Trusting software part 2: how do we do this? What responsibility do vendors have?
      
      
      We've seen that people form trust relationships based on a fairly limited
      set of positive experiences (though a limited set of negatives, as well).
      Sometimes it seems that software has a lot to live up to, in that we trust
      it because we don't see bad
      experiences, but it is so easy for software to take advantage of us.
    
 The images issue has been around for almost a decade; many email vendors
      (and many freemail providers) have been reluctant to support
      image-blocking until ~2006 or later. (There may be legitimate reasons for
      that: it may be perceived as a hard-to-understand option.)
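An added example of what mail-client image blocking does, written for these notes and not taken from any mail product; it assumes "the images issue" refers to remote images in HTML mail that report back to the sender's server when loaded. The sample message, the tracker/cdn host names and the data-blocked-src attribute are all constructed for the illustration.

```python
from __future__ import annotations

from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message: one tracking pixel, one inline (cid:) logo that is
# safe to show, and one scheme-relative remote image.
SAMPLE_MAIL = """<html><body>
<p>Hello &amp; welcome, valued customer</p>
<img src="https://tracker.example/pixel.gif?id=12345" width="1" height="1">
<img src="cid:logo@example" alt="company logo">
<img src="//cdn.example/banner.png"/>
</body></html>"""


def is_remote(url: str | None) -> bool:
    """True for URLs that would cause a network fetch when the mail is rendered."""
    parts = urlsplit(url or "")
    if parts.scheme.lower() in ("http", "https"):
        return True
    return parts.scheme == "" and parts.netloc != ""  # "//host/path" form


class RemoteImageBlocker(HTMLParser):
    """Re-serialize HTML, moving remote <img src> values into a data-blocked-src
    attribute so the client fetches nothing until the user opts in."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=False)
        self.out: list[str] = []
        self.blocked: list[str] = []

    def _tag(self, tag, attrs, self_closing):
        rebuilt = []
        for name, value in attrs:
            if tag.lower() == "img" and name.lower() == "src" and is_remote(value):
                self.blocked.append(value)
                name = "data-blocked-src"  # keep the URL for a later "show images" click
            rebuilt.append(name if value is None else f'{name}="{value}"')
        return "<" + " ".join([tag] + rebuilt) + ("/>" if self_closing else ">")

    def handle_starttag(self, tag, attrs): self.out.append(self._tag(tag, attrs, False))
    def handle_startendtag(self, tag, attrs): self.out.append(self._tag(tag, attrs, True))
    def handle_endtag(self, tag): self.out.append(f"</{tag}>")
    def handle_data(self, data): self.out.append(data)
    def handle_entityref(self, name): self.out.append(f"&{name};")
    def handle_charref(self, name): self.out.append(f"&#{name};")
    def handle_comment(self, data): self.out.append(f"<!--{data}-->")
    def handle_decl(self, decl): self.out.append(f"<!{decl}>")


def block_remote_images(html: str) -> tuple[str, list[str]]:
    """Return (rewritten HTML, list of remote image URLs that were blocked)."""
    p = RemoteImageBlocker()
    p.feed(html)
    p.close()
    return "".join(p.out), p.blocked


if __name__ == "__main__":
    rewritten, blocked = block_remote_images(SAMPLE_MAIL)
    print("blocked:", blocked)
    print(rewritten)
```

The per-recipient id on the pixel URL is what turns "loading an image" into "confirming that this address is live and was read at this time". A real client also has to cover CSS background images and other fetches, and should use a proper HTML sanitizer rather than this re-serializer, which does not re-escape attribute values.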
      
      Browsers: browsers do all sorts of identification of themselves when they
      connect. Some of that is important; some is questionable. Most browsers do
      not leak "private" information, though they do leak the browser and OS you
      are using. Furthermore, this is hard to change!
      
      Try http://www.jms1.net/ie.shtml,
      with internet explorer. (Actually, go to jms1.net,
      and you get redirected to the linked site if you're using IE. At one point
      there was a page on the site that would simply make IE die.)
    
IE's ActiveX security model is debatable; ActiveX is an approach to
      security where you trust any signed
      software. What signing authorities do you trust to look out for your
      interests here? Java, on the other hand, trusts any source, but runs the
      software in a "sandbox" where it supposedly can't damage your machine
      (though recently discovered vulnerabilities make it essential to upgrade
      your core Java regularly). Note that, in the real world, Java controls are
      rarely used; instead, websites run Javascript
      on your machine. While Javascript has some of the sandbox features of
      Java, it can still have a very negative effect on your browser.
    
 Many browser plugins do leak
      some degree of private information. When you register a plugin, you
      connect some personal information to that plugin. Also, some plugins
      contact the mothership at regular intervals.
      
      See http://spywareremove.com/remove-BrowserPlugins
      
      SEVERAL media players (plugin or otherwise) may do some checking of
      licenses or with the mothership before allowing play. Perhaps most players
      from media companies behave this way.
      
      
      What about compatibility lock-in?
      
    
      To what extent should your OS be required to act on your behalf?
      Palladium (aka Next-Generation Secure Computing Base): 
          locks you out of lots of things.
          Trusted side: can't be reached by debuggers or viruses
          Problem: machine now is autonomous; vendor has complete
      control. Do you trust your vendor?
          Software updates, file compatibility, 
    
From Windows Internals by Russinovich & Solomon:
    
In the Windows security model, any process running with a token containing the debug privilege (such as an administrator's account) can request any access right that it desires to any other process running on the machine...
This logical behavior (which helps ensure that administrators will always have full control of the running code on the system) clashes with the system behavior for digital rights management requirements imposed by the media industry on computer operating systems that need to support playback of advanced, high-quality digital content such as BluRay and HD-DVD media. To support reliable and protected playback of such content, Windows uses protected processes. These processes exist alongside normal Windows processes, but they add significant constraints to the access rights that other processes on the system (even when running with administrative privileges) can request.
Will all software vendors eventually request that their applications be
      protected? It would sure put a damper on reverse-engineering!
    
 The following Sony case has the rights of users front and center.
      Sony introduced their "XCP" music-CD copy-protection scheme in 2005. It
      installed a private CD driver AND a hidden "r00tkit" (so named by Mark
      Russinovich, then of sysinternals.com) that conceals itself and hides some
      registry keys.
      
      Is this legit?
      
      How does it compare with Palladium (secure-computing platform)?
      
      Users do click on a license
      agreement. Were they sufficiently warned? (The software was apparently
      installed before the EULA came
      up; and in any event clearly the EULA did not explain just what was going
      on.)
      
      Note from Mark Russinovich, via wikipedia:
    
     
      There is now a virus/worm out that takes advantage of the sony kit.
      
      Sony issued an uninstall utility that didn't actually uninstall the
      software, but did make it visible. However, users had to supply an email
      address, which by Sony's privacy policy was eligible for spamming.
      
      This or a later removal kit allegedly ADDED a bad ActiveX control.
Jurisdiction online
      
      Jurisdictional issues apply to both criminal and civil law. Oddly,
      criminal law is more ambiguous; we will start with civil law. For online
      shopping, one of the first questions is where did the sale take place?
      Here are some legal theories that have been applied (eg in the LICRA/Yahoo
      case):
 
      The following are the traditional three rules for a US court deciding it
      has "personal jurisdiction" in a lawsuit:
    
eHarmony lawsuits
The California dating/matching company eHarmony was sued for alleged discrimination against homosexuals:
    New Jersey lawsuit by Eric McKinley, 2005
    California lawsuit by Linda Carlson, 2007
      
      How does jurisdiction apply? Should it have applied in New Jersey?
      Is the fact that users must enter their address the deciding factor?
trademarks
      libel/defamation
      criminal law
      
    
      laws governing sales: the seller can sue in his home state. This is more
      or less universal.
          
      But in consumer disputes, it is more likely the buyer
      with the grievance. Should the buyer always be allowed to sue in his or
      her home state? This subjects the seller to a potential maze of legal
      regulations.
Does it matter if the seller is a major retailer or a private individual?
    
Trademark scope
The Blue Note Cafe was located in NYC.
The Blue Note, St Louis (actually Columbia, MO) was a club, sued for trademark infringement by Blue Note New York because they had a web site.
The case: Bensusan Restaurant Corp v King, 937 F. Supp. 295 (SDNY 1996)
      The case was brought in federal district court, which decided there was a
      lack of jurisdiction. Before that, however, note that the Missouri club
      began using the name in 1980, and the NYC club did not register the
      trademark until 1985. Note that, generally
        speaking, in this sort of situation the Missouri club retains the
      right to continue to use the name locally,
      while non-local use is reserved to the federal trademark-holder. 
    
The district court did look at the "long-arm statute" of the "forum
      state", that is, New York. The New York law provides that 
    
The State-court interpretation of this was that the act had to be
      committed in New York State, and
      the federal court deferred to this interpretation.
    
Another part of the NY state law did provide for jurisdiction when the
      other party was outside the state. However, the law also
    
The second circuit decided that Blue Note Missouri did not derive revenue from interstate commerce. End of case.
Blue Note St Louis had a mostly passive web site, although they did
      advertise tickets online, to performances at the club itself. These
      tickets had to be picked up at the
        Missouri box office; they were never mailed. Does
        this matter? Does it matter that the tickets were technically not
      sold over the internet, but instead you had to call a phone number?
      
      This case was decided on jurisdictional
      grounds: NY State did not have
      jurisdiction.
      The second-circuit appellate decision is at http://caselaw.lp.findlaw.com/cgi-bin/getcase.pl?court=2nd&navby=docket&no=969344.
This was a reasonable decision, but notice that it sure doesn't offer
      many guarantees that your website won't infringe on a trademark far far
      away.
                    
      
 Domain names
      
      Zippo v Zippo, 1997
    
See http://cyber.law.harvard.edu/metaschool/fisher/domain/dncases/zippo.htm
zippo lighters v zippo.com
trademark infringement was an issue under Pennsylvania state law, but the lawsuit was filed in federal district court.
PA "long arm" statute
          
      zippo.com was a news service. They had email customers in PA, and two ISP
      customers.
(1) the defendant must have sufficient "minimum contacts" with the forum state,
(2) the claim asserted against the defendant must arise out of those contacts, and
(3) the exercise of jurisdiction must be reasonable.
          
    
      The decision addressed the jurisdictional
      issue, plus others: Pennsylvania did
      have jurisdiction
      
      Note the gray area between a completely passive website, just an
      "electronic billboard", and "the knowing and repeated transmission of
      computer files over the Internet". Usually the latter means
      subscriber-specific information. 
    
But also consider whether zippo.com should expect to be hauled into court
      in every jurisdiction in which it has a customer, even
        for complaints unrelated to that customer. In this case, as the
      issue was the use of the trademarked name "Zippo", the jurisdiction based
      on other customers might be
      reasonable. 
    
The Zippo court developed the following three-part strategy for assessing
      long-arm internet jurisdiction:
    
The problem with this example is that nobody really knows what Case 2 should include.
What about google.com? Should Illinois courts have jurisdiction over
      issues involving google.com search? What about google+?
    
Internationally, we already looked at LICRA v Yahoo, filed in France (and won by LICRA) for Yahoo's selling of Nazi memorabilia on its auction site in the US. Yahoo had initially agreed to comply with the French order, and then later changed its mind, and filed suit in the US asking that the US court declare that the french court did not have jurisdiction. That case ended in a draw (specifically, in a declaration that the case was not "ripe").
Suppose your bank makes an error. Where do you sue them? What if their
      only presence in your state is online? Consider the case Soma
        Medical v Standard Chartered Bank. SCB is located in Hong Kong.
      Soma is in Utah. Soma did banking with SCB online. Some money disappeared.
      Soma lost their lawsuit in Utah, because the court ruled that the fact
      that SCB had a website accessible in Utah did not give the State of Utah
      personal jurisdiction. [Michael Shamos]
    
NTP v RIM: RIM's network hub was in Canada. RIM lost on that point, but there remain serious questions
      about whether US patent law extends to other countries. 
      
    
Butler v Beer Across America
      http://itlaw.wikia.com/wiki/Butler_v._Beer_Across_America
      BAA is an Illinois company selling beer over the internet. Butler's minor
      son ordered beer, and it was delivered to him despite rules that required
      an adult signature. Butler sued BAA under an Alabama law that makes it
      illegal to sell alcohol to minors. In this case, Butler lost her bid to
      get Alabama jurisdiction, though the case was transferred by the Alabama
      court to Illinois. 
    
    
      Cybersquatting
    
This is somewhat related to trademark disputes, but an essential component is the claim that one party doesn't really want the trademark, but just wants to "extort" money from the other side.
See http://www.networksolutions.com/legal/dispute-policy.jsp
    Uniform Domain Name Dispute Resolution Policy -- ICANN
      
    
      
    
      
      There is also the AntiCybersquatting Consumer Protection Act.
      
      Some form of bad faith is usually necessary. But not always, if the effect
      is to resemble a famous trademark and if you have good lawyers. Sometimes
      the only "bad faith" or "intent to profit" is the offer of the domain
      holder to settle the case by selling the domain to the plaintiff.
      
      All this is really about trademarks, not about jurisdiction. But the
      "flat" namespace of the web makes all trademark disputes national, or even
      global. 
      
      
vw.net: virtual works
    http://www.news.com/2100-1023-238287.html
          
Peculiarity: vw.net, a one-man company with James Anderson as principal, offered to sell the name to Volkswagen in 1998, and threatened to auction the name off if Volkswagen did not buy. This triggers a presumption of domain-name squatting.
          
    
    
      See http://vwx.com. Oops, I guess not; that
      site is now for sale. At one point, it was about Anderson's side of the
      case.
          
      A possibly important point was that virtual works never used the
      abbreviation "vw" except in the domain name.
          
      They (vw.net) lost.
    
Is this about cybersquatting? Or is it about the (lack of) rights of the
      Little Guy to use their trademark in good faith?
    
american.com: formerly owned by Cisco, later a private 'zine (the airline is aa.com), and now a more serious magazine, The American

gateway 2000 v gateway.com
    gateway.com was a computer consulting firm, run by Alan Clegg. There was absolutely no evidence that Clegg foresaw that in the year 2000 the name gateway2000.com would become obsolete, and reserved gateway.com in anticipation of a domain sale.

yahoo.com v yahooka.com [which see]
    Case was actually never filed
state-law libel and jurisdiction
      
      A state court in Clayton v. Farb, 1998 Del. Super. LEXIS 175 (Del. April
      23, 1998), found that Delaware's long arm statute did NOT reach the
      defendant, who posted allegedly libelous and slanderous false statements
      about the plaintiff on his Internet site. The statute provided for
      jurisdiction over tortious activity outside of Delaware ONLY if defendant
      regularly conducted business in the state. The court found that access in
      Delaware to defendant's Internet posting did not constitute sufficient
      contact to support the exercise of personal jurisdiction.
           
      This case was decided on JURISDICTIONAL grounds: Delaware did not
      have jurisdiction
      
      Laws governing libel:
      
      Truth is a defense, but can be expensive to prove. If you say something
      false about a public figure, they have to prove actual malice. If you say
      something false about anyone else, all they have to prove is that you were
      negligent.
      
      We've seen Batzel v Cremers.
      
      Cremers lost on the jurisdiction
      issue. Should he have?
      
      Furthermore, what if the legal climate in the Netherlands was different
      for libel lawsuits? What if in the Netherlands the burden of proof lay
      with the plaintiff to prove something false, and Cremers was sued in a
      jurisdiction (eg England, which still has pro-plaintiff libel laws) where
      the burden of proof lay with the defendant?
      
    
Is a link to a defamatory site a form of defamation?  (It probably
      depends on the context)
       
      Is a link to "illegal" software forbidden? 
The injunction that 2600 Magazine may not link to deCSS still stands today.
From Wikipedia (http://en.wikipedia.org/wiki/Universal_v._Reimerdes):
In particular the Second Circuit ruled that linking on the Internet happened so fast that it could be restrained in ways that might not be constitutional for traditional media.
Also, apparently the defendants more or less admitted that they were
      providing links to deCSS for the
        purpose of making illegal DVD copies. Things might have been
      different had they linked for the
        purpose of research. 
    
While we're at it, contemplate 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0. Is this a legal number?
      
Part of the issue with linking is that it can provide easy access to "forbidden" content such as circumvention software (deCSS) or copyrighted content (eg providing movie .torrents). For that part, providing the URL in "unlinked" form is probably also subject to regulation.
But the other part is conventional "deep links". These can be used to
      view a given page out of context, or to view a given page in a border
      provided by another page, or to avoid advertising. Should these kinds of
      links be subject to prohibition?
    
Is linking to a site a form of using that site without authorization?
      Possibly leading to a claim of trespass-of-chattels?
       
      What about linking to other sites? Here are some issues the other site
      might have:
Search engines do this kind of linking and framing constantly.
           
      For a while this was a serious issue, but it seems to be dying out. Lots
      of sites still have bizarre linking policies, though.
      
      http://dontlink.com; alas, active site
      work stopped in 2002.
      But see: http://www.americanexpress.com/shared/copyright/webrules.html,
      item 9, "Linked Internet Sites". Actually, this link is down as of Dec
      2009, but it still appears on the
        americanexpress.com page!!
    
Symantec has a different approach: http://www.symantec.com/about/profile/policies/legal.jsp#linking (2009)
      
Symantec permits anyone to link to
        Symantec's web site subject to the linker's compliance with the
        following terms and conditions: 
        A site that links to Symantec's web site:
Rules 1-8 are entirely reasonable.