Week 12: April 17
paper 4 / final

Technology & Trust
Jurisdiction
Trusting software

=======================================================================

Technological issues & trust:

Old-style PGP (Pretty Good Privacy) trust:

You need to verify people's public keys (that the key matches the person).
Otherwise you can get a bad key, write to them using it, and be victim of a
man-in-the-middle attack.

How to do this:

Alice needs Bob's key.

1. She can meet Bob at a key-signing party. Bob can give her his key hash.
2. She can ask Chuck. Chuck says Bob's online keyhash is legit.
3. She can decide NOT to trust Chuck, at least about Bob, and ask Dora
   instead. Dora has never met Bob, but got Bob's keyhash from Ernie, who has.
4. She can ask someone who has a large group of signed verifications of keys.
   Three of them are signed verifications of Bob's key.

SSL certificates (TLS certificates)

SSL = secure socket layer, old name
TLS = transport-layer security, new name

Any pair of entities can negotiate a session key:
* each gets the other's public key
* each chooses some bits at random, encrypts with the other's public key
* exchange these; other side decrypts
* now pick one key, or xor them, or concatenate them, or whatever.

BUT: how do you know you're not about to give your credit card to a bad guy
with whom you've just created a session key?

    ask landsend.com for cert
    get it. It includes signatures by well-known CAs.
    It also includes DNS name.
    CHECK it by using known public key from one of the CAs.
    These keys are preinstalled in your browser.

    prevents man-in-the-middle attacks
    won't help if router or DNS is hacked

    their SSL server uses public-key encryption to sign something with the
    current date/time; replay isn't feasible either.

What does this have to do with TRUST?
Do you trust the CAs listed in your browser? Huh?
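
Added example, not part of the original notes: the certificate check described above in runnable form, with a toy RSA (small fixed primes, not secure) standing in for real signatures. The CA names, host names and keys are constructed for the illustration.

```python
import hashlib, secrets

def make_key(p, q, e=65537):
    """Toy RSA key pair from two fixed primes (illustration only, not secure)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return {"pub": (n, e), "priv": (n, pow(e, -1, phi))}

def _digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data):
    return pow(_digest(data, priv[0]), priv[1], priv[0])

def verify(pub, data, sig):
    return pow(sig, pub[1], pub[0]) == _digest(data, pub[0])

def _tbs(dns_name, pub):  # bytes the CA signs: DNS name bound to the public key
    return f"{dns_name}|{pub[0]}|{pub[1]}".encode()

def issue(ca_name, ca_key, dns_name, subject_pub):
    return {"name": dns_name, "pub": subject_pub, "issuer": ca_name,
            "sig": sign(ca_key["priv"], _tbs(dns_name, subject_pub))}

def check_cert(cert, wanted_host, trust_store):
    """Browser-side check: known CA key, valid signature, matching DNS name."""
    ca_pub = trust_store.get(cert["issuer"])
    if ca_pub is None:
        return "reject: issuer not in trust store"
    if not verify(ca_pub, _tbs(cert["name"], cert["pub"]), cert["sig"]):
        return "reject: bad CA signature"
    if cert["name"] != wanted_host:
        return "reject: DNS name mismatch"
    return "ok"

# Constructed keys; Mersenne primes keep the toy deterministic.
M = {k: 2**k - 1 for k in (61, 89, 107, 127)}
ca_a, ca_b = make_key(M[89], M[107]), make_key(M[107], M[127])
server, other = make_key(M[61], M[127]), make_key(M[61], M[89])
TRUST_STORE = {"CA-A": ca_a["pub"], "CA-B": ca_b["pub"]}  # "preinstalled" CA keys

def scenarios(host="shop.example"):
    good = issue("CA-A", ca_a, host, server["pub"])
    swapped = dict(good, pub=other["pub"])              # key replaced in transit
    unknown = issue("CA-X", other, host, other["pub"])  # signer not in the store
    wrong_name = issue("CA-A", ca_a, "other.example", other["pub"])
    second_ca = issue("CA-B", ca_b, host, other["pub"]) # every listed CA counts
    certs = {"good": good, "swapped key": swapped, "unknown issuer": unknown,
             "wrong name": wrong_name, "second listed CA": second_ca}
    return {k: check_cert(c, host, TRUST_STORE) for k, c in certs.items()}

def send_secret(cert):
    """Client half of the key exchange: random bits encrypted to the certified key."""
    secret = secrets.randbits(128)
    return secret, pow(secret, cert["pub"][1], cert["pub"][0])

def recv_secret(priv, ciphertext):
    return pow(ciphertext, priv[1], priv[0])

if __name__ == "__main__":
    print(scenarios())
```

The last scenario is the trust question in the notes: the check passes for a certificate from any CA in the store, so it is only as strong as the least careful CA listed.
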
==================================================
Note this is powerless against phishing attacks
==================================================

=======================================================================
=======================================================================

Jurisdiction

online jurisdictional issues: where did the sale take place?
This one is big!

lawsuit jurisdiction

Traditional three rules:

* PURPOSEFUL AVAILMENT: did defendant receive any benefit from the laws of
  the jurisdiction? If you're in South Dakota and you sell to someone in
  California, the laws of California would protect you if the buyer tried
  to cheat you.
* where act was done
* whether the defendant has a reasonable expectation of being subject to
  that jurisdiction

==================

sales
trademarks
libel/defamation
criminal law

==================================

laws governing sale: seller can sue in his home state/country
This is more or less universal.

==================================

laws governing trademarks:

Trademark scope

blue note cafe: NYC
The Blue Note, St Louis

St Louis blue note won; NY agreed its court did NOT have jurisdiction.
St Louis club had a purely passive web site, although it did sell online
tickets.

****** Decided on JURISDICTIONAL grounds
       NY did *not* have jurisdiction

Domain names

zippo v zippo
zippo lighters v zippo.com
trademark infringement filed under PA *state* law
PA "long arm" statute

zippo.com had email customers in PA, and two ISP customers.

    (1) the defendant must have sufficient "minimum contacts" with the
        forum state,
    (2) the claim asserted against the defendant must arise out of those
        contacts, and
    (3) the exercise of jurisdiction must be reasonable.

    We find Dot Com's efforts to characterize its conduct as falling short
    of purposeful availment of doing business in Pennsylvania wholly
    unpersuasive. At oral argument, Defendant repeatedly characterized its
    actions as merely "operating a Web site" or "advertising."
    Dot Com also cites to a number of cases from this Circuit which, it
    claims, stand for the proposition that merely advertising in a forum,
    without more, is not a sufficient minimal contact. [FN7] This argument
    is misplaced. Dot Com has done more than advertise on the Internet in
    Pennsylvania. Defendant has sold passwords to approximately 3,000
    subscribers in Pennsylvania and entered into seven contracts with
    Internet access providers to furnish its services to their customers in
    Pennsylvania.

****** Decided JURISDICTIONAL issue, plus others
       PA had jurisdiction

==================================================

Cybersquatting:

See www.networksolutions.com/legal/dispute-policy.jsp

Uniform Domain Name Dispute Resolution Policy -- ICANN

    Evidence of Registration and Use in Bad Faith. For the purposes of
    Paragraph 4(a)(iii), the following circumstances, in particular but
    without limitation, if found by the Panel to be present, shall be
    evidence of the registration and use of a domain name in bad faith:

    (i) circumstances indicating that you have registered or you have
    acquired the domain name primarily for the purpose of selling, renting,
    or otherwise transferring the domain name registration to the
    complainant who is the owner of the trademark or service mark or to a
    competitor of that complainant, for valuable consideration in excess of
    your documented out-of-pocket costs directly related to the domain
    name; or

    (ii) you have registered the domain name in order to prevent the owner
    of the trademark or service mark from reflecting the mark in a
    corresponding domain name, provided that you have engaged in a pattern
    of such conduct; or

    (iii) you have registered the domain name primarily for the purpose of
    disrupting the business of a competitor; or

    (iv) by using the domain name, you have intentionally attempted to
    attract, for commercial gain, Internet users to your web site or other
    on-line location, by creating a likelihood of confusion with the
    complainant's mark as to
    the source, sponsorship, affiliation, or endorsement of your web site
    or location or of a product or service on your web site or location.

========

Also AntiCybersquatting Consumer Protection Act.

Some form of bad faith is usually necessary. But not always, if the effect
is to resemble a famous trademark and if you have good lawyers.

Sometimes the only "bad faith" or "intent to profit" is the offer of the
domain holder to settle the case by selling the domain to the plaintiff.

****** All this is really about trademarks, not about jurisdiction

vw.net: virtual works
http://www.news.com/2100-1023-238287.html

Peculiarity: vw.net offered to sell the name to volkswagen, and threatened
to auction the name off if volkswagen did not buy. This triggers a
presumption of domain-name squatting.

    "A federal appeals court in Virginia [2001] affirmed a lower court's
    ruling that online service provider Virtual Works Inc. violated the
    1999 Anticybersquatting Consumer Protection Act when it registered the
    domain vw.net with the intent to sell it to Volkswagen of America."

    "Grimes' deposition reveals that when registering vw.net, he and
    Anderson specifically acknowledged that vw.net might be confused with
    Volkswagen by some Internet users," Wilkinson wrote. "They nevertheless
    decided to register the address for their own use, but left open the
    possibility of one day selling the site to Volkswagen 'for a lot of
    money'."

See vwx.com

Also, virtual works never used the abbreviation "vw" except in the domain
name.

They (vw.net) lost.

american.com: cisco, now a private 'zine
(the airline is aa.com)

gateway 2000 v gateway.com
gateway.com was a computer consulting firm, run by Alan Clegg. There was
absolutely no evidence that Clegg foresaw that in the year 2000 the name
gateway2000.com would become obsolete, and reserved gateway.com in
anticipation of a domain sale.
yahoo.com v yahooka.com [which see]
Case was actually never filed

=================================================================

state-law libel

A state court in Clayton v. Farb, 1998 Del. Super. LEXIS 175 (Del. April 23,
1998), found that Delaware’s long arm statute did NOT reach the defendant,
who posted allegedly libelous and slanderous false statements about the
plaintiff on his Internet site. The statute provided for jurisdiction over
tortious activity outside of Delaware ONLY if defendant regularly conducted
business in the state. The court found that access in Delaware to
defendant’s Internet posting did not constitute sufficient contact to
support the exercise of personal jurisdiction.

****** Decided on JURISDICTIONAL grounds
       DE did *not* have jurisdiction

Laws governing libel:

Truth is a defense, but can be expensive to prove.
If you say something false about a public figure, they have to prove actual
malice.
If you say something false about anyone else, all they have to prove is
that you were negligent.

We've seen Batzel v Cremers. Cremers *lost* on the jurisdiction issue.

But what if the legal climate in the Netherlands was different for libel
lawsuits? What if in the Netherlands the burden of proof lay with the
plaintiff to prove something false, and Cremers was sued in a jurisdiction
(eg England, in the McLibel era) where the burden of proof lay with the
defendant?

========

There have been attacks on the Section 230 defense, but courts have been
unwilling to date to allow exceptions, or to restrict coverage to
"traditional ISPs" where there is no role in selection of the other
material being republished.

There is still some question though about what happens if you *do* select
the material. Cremers played a very limited editorial role. What if you go
looking for criticism of someone and simply quote all that? And what if
you're a respected blogger and the original sources were just Usenet
bigmouths?
EFF: One court has limited Section 230 immunity to situations in which the
originator "furnished it to the provider or user under circumstances in
which a reasonable person...would conclude that the information was
provided for publication on the Internet...."

Be wary, too, of editing that changes the meaning. Simply deleting some
statements that you thought were irrelevant but which the plaintiff thought
were mitigating could get you in trouble!

========

Another famous case: Gutnick v Dow Jones

WSJ (in Barrons) published something that Joseph Gutnick of Australia felt
was defamatory. He sued.

Australian High Court held that

    Existing principles of defamation law are that legal proceedings should
    be undertaken in the place where the communication is received, not
    where the communication is sent from. !

WSJ: Only five print copies of Barron's were distributed in Australia.
There were 1700 subscribers to the online version that had Australian
credit cards.

****** Decided on JURISDICTIONAL grounds, plus others

========

Zeran v AOL

Zeran appeals, arguing that § 230 leaves intact liability for interactive
computer service providers who possess *notice* of defamatory material
posted through their services.

Someone posted a fake ad for T-shirts with tasteless slogans related to the
Oklahoma City bombing, listing Zeran's home number. For a while Zeran was
getting hostile, threatening phone calls at the rate of 30 per hour.

Publisher liability: liability even without knowledge of defamatory
material's inclusion:
Distributor liability: liability for knowingly distributing defamatory
material

Zeran argued that AOL had distributor liability once he notified them of
the defamatory material.

Zeran lost. In part because he "fails to understand the *practical*
implications of notice liability in the interactive-computer-service
context"

****** Section 230 case: expands rules to include "distributor" liability.
============================

Still to be resolved: what if I quote other defamatory speakers on my blog
in order to "prove my point"? Batzel v Cremers doesn't entirely settle
this; it's pretty much agreed Cremers did not *intend* to defame Batzel.
There's also the distributor-liability issue left only partly settled in
Zeran.

Barrett v. Rosenthal, Nov. 20, 2006: california supreme court:

Rosenthal posted statements on Internet newsgroups about two doctors who
operated Web sites aimed at exposing fraud in alternative medicine. One of
the doctors was accused of "stalking".

From www.gannett.com/go/newswatch/2006/november/nw1130-3.htm

    In the case before the California Supreme Court, the doctor claimed
    that by warning Rosenthal that Bolen's article was defamatory, she
    "knew or had reason to know" that there was defamatory content in the
    publication. Under traditional distributor liability law, therefore,
    Rosenthal should therefore be responsible for the substance of Bolen's
    statements, the doctor claimed.

    The court rejected the doctor's interpretation, saying that the statute
    rejects the traditional distinction between publishers and
    distributors, and shields any provider or user who republishes
    information online. The court acknowledged that such "broad immunity
    for defamatory republications on the Internet has some troubling
    consequences," but it concluded that plaintiffs who allege "they were
    defamed in an Internet posting may only seek recovery from the original
    source of the statement."
See also wikipedia article en.wikipedia.org/wiki/Barrett_v._Rosenthal

****** Section 230 case: affirms core ruling

=================================================================================
=================================================================================
=================================================================================
=================================================================================

Criminal-related law (cases are all civil)

France (LICRA) v Yahoo

(This is a JURISDICTIONAL case that probably *should* be moved above,
except that it's not about libel.)

French courts decided they did have jurisdiction to hear the case. But
Yahoo has no assets in France.

Appellate US court, en banc, held that the US *might* have jurisdiction in
the reverse case against LICRA (and UEJF). BUT the case was directed to be
"dismissed without prejudice", as it's not yet ready to be decided.

Yahoo was asking a US court to assert that France had no authority. The 9th
circuit refused to do that. Yet.

Judge William Fletcher:

    Yahoo! is necessarily arguing that it has a First Amendment right to
    violate French criminal law and to facilitate the violation of French
    criminal law by others. As we indicated above, the extent -- indeed the
    very existence -- of such an extraterritorial right under the First
    Amendment is uncertain.

Part of the issue: Yahoo was not able to point to any speech of its own
that was "chilled" by the french decision. Yahoo *did* adopt an
anti-hate-speech policy.

The court did *not* address the notion that the only way to restrict access
in France would be to restrict access in the US.

These issues led to the declaration of non-ripeness.

****** JURISDICTIONAL case that was left undecided

========

Jane Doe v MySpace:

Jane Doe acting on behalf of Julie Doe, her minor daughter

She was 13 when she created a myspace page, 14 when she went on a date with
someone age 19 who then assaulted her.
On the face of it, Doe claims that the suit is about MySpace failing to
protect children, or for failing to do SOMETHING.

But the court held that it's really about lack of liability for Julie Doe's
posting. This isn't *libel* law at all. The court argued that:

    It is quite obvious that the underlying basis of Plaintiff's claims is
    that, through postings on MySpace, *** and Julie Doe met and exchanged
    personal information which eventually led to ... the sexual assault.

Therefore the case *is* about publication, and therefore MySpace is immune
under Section 230.

****** Section 230 case: applies to liability re physical harm, too.

========

Similar case (Doe v Bates): Yahoo was sued because someone posted child
pornography on a yahoo group. (Note that Yahoo here *is* a traditional
ISP).

==================================================

Click-wrap agreements (formerly shrink-wrap agreements)

==========================

Roger Grace v EBAY (2004)

liability for libel and violation of the unfair competition law

Court says

    "We conclude that section 230 provides no immunity against liability
    for a distributor of information who knew or had reason to know that
    the information was defamatory"

but that EBay's terms-of-service agreement was enforceable and relieved it
of liability.

Sellers feedback: eBay asks people NOT to use defamatory or inflammatory
language, but their policy is not to remove objectionable comments.

Actually, Grace was the *buyer*, and posted some negative feedback on a
seller, who responded with:

    "Complaint: SHOULD BE BANNED FROM EBAY!!!! DISHONEST ALL THE WAY!!!!"

eBay did eventually remove the comment.

The court DID accept some limitation on Section 230 immunity.
BUT the court dismissed the case because of the terms-of-service agreement,
agreeing not to hold eBay liable.

PS: eBay's provision for *buyer* reputation is a bit peculiar. Nobody is
asked to trust buyers.
Sellers are allowed to discriminate against buyers based on reputation,
which _de facto_ may mean against buyers who have had the temerity to
expose unscrupulous sellers and who were downrated as buyers as a result.

=============================================================

=================== UCITA ==================================

[UCITA is dead. Let's hope it stays that way.]

In late 1990's, everyone agreed that 50 state interpretations of
shrink-wrap licensing could be problematic. So, in keeping with past
history of the UNIFORM COMMERCIAL CODE, a group decided to draft uniform
legislation. They didn't involve many consumer representatives, which was a
problem.

UCITA and software license contracts:
UCITA gave them force, but allowed them to be arbitrary, exempted publisher
from liability PROVIDED the software wasn't open source [!]
(That is, by default a software publisher has unlimited liability, but a
click-wrap agreement (which the open-source people won't use) can be used
to eliminate that).

Ucita.org was bought by the opposition, but now even that's been abandoned.

The UCITA law was often perceived as anti-consumer.
Problem: no basic "bill of rights", no restrictions on terms that
click-wrap could bind you to.

UCITA allows remote-disabling of software, due to nonpayment or
noncompliance with terms. But disabling for non-payment was usually
considered in the context of software that required monthly payments.

Click-wrap agreements not to say anything critical of the software, or not
to publish anything about the software without consent of the vendor, are
not uncommon. (MS does this with .net)

Cute story:
http://www.infoworld.com/articles/op/xml/00/11/27/001127opfoster.html

But what *is* fair? What is it fair for users to have to agree to?

    won't make illegal copies?
    won't use on more than one machine?
    won't use Word to write articles critical of Bill Gates?
    won't write disparaging reviews of the software?
    will require reviews to be approved by vendor?
    won't use any ideas in any other software you develop?
    won't reverse-engineer?
    will allow spying?
    will allow "limited" spying?
    no liability for known defects?
    will allow remote disabling?
    won't allow use of software for life-support functions
    won't allow use of software for business purposes without business
    license?
    will tolerate "back door" access by vendor to users system?
    will the agreement allow you to sell/transfer your software?
    will the agreement allow terms to change?

Microsoft .net eula no longer has a gag rule.
See http://msdn2.microsoft.com/en-us/library/ms994405.aspx

XP HOME: from vowe.net/archives/007236.html

* If you share files or printers with other computers in your house, you
  are not allowed to share with more than 5 other computers.
* You agree that at any time, and at the request of “content providers”
  Microsoft may disable certain features on your computer, such as the
  ability to play your music or movie files.
* You agree that Microsoft can automatically and without your consent put
  new software on your computer.
* You do not have the right to do anything with Windows XP Home not covered
  by this EULA.
* Microsoft (and anyone else chosen by Microsoft) may collect information
  about your computer and may share it with other companies, but this
  should not include personal information about you.

==============================================================