Berkman Center for Internet & Society.

Using ICANN's UDRP Harvard Law School > Berkman Center > Open Education > E-Commerce: An Introduction


-





Discussion
Reference
Discussion
Discussion
Search

Session 2: Setting UP

Teaching Fellow: Matt Lovell

Guest Panelists:

Bret Fausett, Esq.
Hancock Rothert & Bunshoft, LLP
Los Angeles, California
www.hrblaw.com/atty_bio_248.htm
www.lextext.com

John Palfrey
Co-founder and Vice-President of Operations
Analine.com, Inc.
www.analine.com

Michael Fertik
President and Founder
TruExchange, Inc.
www.truexchange.com/

Laraine Morse Ward
In House Counsel
InfoSpace

David J. Loundy, Esq.
Co-Chair, Intellectual Property & Technology Practice Group
Masuda, Funai, Eifert & Mitchell, Ltd
Chicago, IL
www.masudafunai.com
www.Loundy.com

SETTING UP - TABLE OF CONTENTS

I. Introduction

II. Registering a Domain Name

III. Hosting

IV. ISP Liability

V. Website Development

VI. Marketing and Advertising

VII. Conclusion

VIII. References

IX. Additional Materials


I. Introduction

In today's wired age, it is common knowledge that setting up one's own web page is not a particularly difficult endeavor. Indeed, anyone who has run a broad-based search through one of the major search engines has likely come across myriad "homemade" pages created by individuals reflecting their personal interests or some life ambition. To set up a web site, one really only needs an Internet-connected computer, a web browser equipped with a basic text-editing application and an Internet service provider (ISP) that offers web hosting for its users. Such users are unlikely to seek legal advice, and the legal issues that arise in relation to such sites tend to be limited to copyright and trademark violations by the site creators.

E-commerce, however, presents a wholly different challenge for the site creator and the legal practitioner. The sophisticated nature of the technology required, the number of players involved in setting up a site and facilitating transactions, the privacy concerns of customers who may be giving the site information about themselves, and a host of other realities of online business make effective legal representation critical in this arena. In addition, e-commerce set-up often requires great speed due to the nature of the industry, therefore adding an additional layer of complexity that calls for even more vigilance and preparedness on the part of the legal practitioners in structuring transactions and advising clients. This section of the course will examine some general steps that most U.S. e-businesses will follow in establishing an e-commerce site and explore the necessity or possibility of legal representation at different critical junctures of the set-up process.

A handy keyword searchable glossary for e-commerce terminology is Internet.com's ECommerce Webopedia.

Back to TOC

II. Registering a Domain Name

In setting up a website, the first step usually undertaken is registering a domain name. A domain name is the unique address that guides a user's browser to the computer on which the website resides. It usually consists of two elements, the top-level domain (TLD) and the second-level domain (SLD - which some simply refer to as the "domain name"). The most recognizable example of a TLD is the familiar .com found at the end of many web addresses. In addition, there is another set of TLDs reserved for specific countries. These are known as the country code TLDs, or ccTLDs and include domains such as .jp for Japan, .fr for France, and the much-ballyhooed .tv for Tuvalu. The administration of these sites was given over to authorities in each nation, some of whom have restricted registration to residents of that nation while others (most notably Tuvalu) have opened registration to anyone willing to pay the price. Finally, ICANN, the Internet Corporation for Assigned Names and Numbers (Website)(ICANN1), recently selected seven new gTLDs from proposals submitted by private applicants, including a new .biz TLD for businesses and .pro TLD for lawyers, physicians, and accountants (Website)(ICANN2). Registration in the new gTLDs is not expected to begin before the Fall of 2001.

A. CHOOSING A TOP-LEVEL DOMAIN (TLD)

Choosing a TLD then is the first step in registering a domain name. There are many registry services for the three unrestricted gTLDs, with a variety of prices and service options available. One must closely review the terms of the registrar service agreement policies. The domain holder's rights in a gTLD domain name are very tenuous; most registrars reserve the right to revoke a domain registration at their own discretion. And courts have only just begun to explore the boundaries of domain names and property rights. In one of the few cases addressing domain names as property, a state court in Virginia ruled that a domain name is a form of intangible intellectual property subject to post-judgment creditor remedies (Website)(Umbro). The case was later reversed when the Virginia Supreme Court ruled that the domain names at issue could not be garnished, but that court left open the question of whether the domain names themselves could be considered property (Website)(Umbro II) However, a subsequent Federal court decision (Website)(Dorer), cast some doubt on property rights in domain names before the court ultimately disposed of the case without definitively answering the question.

In addition, all of the current open gTLDs (.com, .org and .net) must abide by a standard Uniform Domain Name Dispute Resolution Agreement under which the domain holder is subject to a mandatory resolution procedure if any trademark owner complains about the domain name. For more details about the UDRP, see the course section on Disputes. In the end, most commercial concerns usually register the same name in all three gTLDs just to avoid confusing customers.

B. CHOOSING A SECOND-LEVEL DOMAIN NAME (SLD)

The next step is to choose a second-level domain (SLD or 2LD), which is the part of the domain name preceding the TLD. Common examples of SLDs include the "Amazon" of Amazon.com and the "CNN" of CNN.com. Choosing an SLD is something particularly important for those involved in e-commerce as they think about branding and trademarks. This choice is best made with the advice of trademark counsel. As most common words and short phrases have already been registered as second-level domains in the unrestricted gTLDs, a business may have to look to an unrestricted ccTLD or one of the new TLDs to register a manageable and easily remembered name. To find out if a name is available in the gTLDs, an e-business should use the VeriSign global registry service Whois search (Website)(Whois). In addition, each ccTLD has its own "whois" database but many are searchable from Allwhois (Website)(Allwhois) and Uwhois (Website)(Uwhois).

One is safest when registering one's own trademark or tradename. If it has already been registered by another party, consult the UDRP or local law for possible grounds to force a transfer of the domain to you. If the other party has superior rights, or if you have not yet established any legal right in the name you wish to use, an important first step in registering a second level domain name is a trademark search. Due to the focus on trademarks in the ICANN UDRP - under which a domain name registrant may be forced to give up a domain name to its trademark holder - it is crucial to make sure the domain name being registered is not a registered trademark belonging to someone else. For a review of the ICANN dispute procedure, see Diane Cabell, Using ICANN's UDRP (2000) (Website)(Cabell).

See Conducting A Trademark Search for more information.

C. CHOOSING A REGISTRAR

Virtually all domain registrars have a very simple search process to see whether a name is available and many also have tools to help users find available domain names containing similar words if the original choice is unavailable. After finding an available domain name (top and second-level), most registrars give registrants a choice of options in terms of pricing and duration. Registrars may only grant domain names for fixed periods of time (Website)(ICANN3) - with an option to renew when the period lapses - and most registrars give options for different registration durations. Choosing a longer registration period has the advantage of locking the registrant into a registration at a price that will not rise, and some registrars offer discounts for registrations of longer duration.

Different registrars also may offer differing packages of services for additional fees. Network Solutions (Website)(NSI), for instance, offers hosting services for registrants. Some registrars do not offer hosting, instead requiring the registrant to provide them with domain name server (DNS) information before they will register the name. The easiest road for those not quite ready to set up their websites is to choose a registrar that offers free parking, which basically means that the registrar registers the name without requiring DNS information and "parks" the name on its server until the registrant is ready to use the name.

While many registrants simply choose the first registrar they come to, the above options considered in light of the user's needs will aid in choosing the best registrar. An equally important consideration that is often overlooked, however, is the Terms of Service (TOS) agreement, or the registration contract. Unfortunately, the registrars are often the guilty party in this oversight, as TOS agreements require the registrant to follow an often-subtle link; most registrars do not even require the TOS agreement page to be accessed before processing an order.

See Domain Name Registration Agreements for more information.

Back to TOC

III. Hosting

After registering a domain name, most businesses will need to arrange for hosting services. As hosting is a relatively new industry, the actual services offered in a web hosting agreement vary from provider to provider, making it difficult to generalize what, exactly, comprises hosting. In general, a host basically stores web pages for a client and operates a giant switchboard of sorts that connects web users' computers with requested pages from the hosted company. Hosts generally facilitate such storage and connections by operating hosting centers, large warehouse spaces that contain the computers on which clients' web pages are stored and connect them to the Internet via high-bandwidth fiber-optic lines.

A. ADVANTAGES OF UTILIZING A HOST

While some companies may have the hardware, office space, and personnel resources to create their own servers and host their own sites, utilizing a host and its hosting center provides some distinct advantages over managing one's own server. For one thing, outsourcing such services can save considerable money - hosting often runs about one quarter of the cost of running one's own site (Website)(Wooley) - in terms of the aforementioned resources. Utilizing a host may also decrease the chances of problems due to security breaches, power outages, and the like, if one selects a hosting center with round-the-clock security, back-up power generators, climate controlled storage space, and buildings created to withstand natural disasters. A final advantage of utilizing a host is speed - the proximity of the server to the user is a major factor in transaction speed, although other factors affecting speed such as bandwidth speed, server speed, and number of hops may lead to situations where the closest server is not necessarily the fastest. (Some European websites with primarily European visitors actually get faster and cheaper connections by hosting in the U.S.). As hosting centers give servers direct, high-capacity, and high-speed access to the Internet backbone, using a host obviates the need to rewire one's physical place of business for the necessary level of connectivity. Employing a host gives a client the advantage of faster connectivity to users/consumers who are located far from the headquarters of the company. Using a host also allows a business to set up a number of alternative servers in various locales in order to bring greater speed to a greater number of people.

B. LEGAL ISSUES IN HOSTING AGREEMENTS

While registering a domain name can and is often done without legal representation, the many legal issues arising in the context of a hosting agreement make the services of a transactional lawyer a necessity. This is especially important considering the somewhat vague definition of what is included in hosting, as the practitioner must make certain that all of the e-commerce client's needs are met when drafting a hosting agreement or making changes to boilerplate hosting agreements. There are several major areas that require special attention to detail when structuring such deals, including: equipment, maintenance, service stoppages, security, and allocation of risk. Part 3: Consumer Privacy reviews some of the issues concerning collection of personal data by hosts.

See Website Hosting Checklist for more information.

Back to TOC

IV. ISP Liability

A major issue in the Internet context is determining who can be held responsible for wrongful acts on the part of Internet users. Should only the user who actually commits the act be held liable, or should the Internet service provider or website operator be held liable for the wrongful acts of its users? These questions take on particular significance for an e-business when considering different options for a website. Offering consumers the ability to post reviews of products or participate in chat room or bulletin board discussions raises such issues of liability. When looking at hosting relationships as well, there is a question whether hosts can or should be held liable for wrongful acts of the parties it hosts. Courts have taken different approaches to address these issues, relying on common law principles, case law precedents, and statutory provisions.

The first major case to arise in the realm of ISP liability was Cubby v. CompuServe (Website)(Cubby). Cubby involved a situation where allegedly defamatory statements regarding the plaintiffs were published on a CompuServe bulletin board, resulting in suit against both the content developer and service provider (CompuServe). In granting summary judgment for CompuServe, the district court emphasized the fact that CompuServe had no editorial control over, or even knowledge of the contents of, the statements published and therefore acted as a mere distributor of the materials available on its message boards and other online fora. The court relied on general principles emanating from the First Amendment (as interpreted in analogous cases dealing with traditional media) to rule that a distributor cannot be held liable for distributed publications containing defamatory statements if it neither knows nor has reason to know of the allegedly defamatory statements. The rule established in Cubby thus provided an incentive for ISPs to remain ignorant of the actual contents of the publications on its network in order to be considered a distributor immune from liability.

The next major development in the realm of ISP liability came in the case of Stratton Oakmont, Inc. v. Prodigy Services Co. (Website)(Stratton). In that case, the court held that the Internet service provider Prodigy could be held liable for libelous statements posted on a bulletin board it operated by anonymous users, even though it was not aware of the statements. Key to the court's analysis was that the ISP in this case was more akin to a publisher than a distributor, and was therefore not entitled to special protection under the defamation law. The court further reasoned that because the ISP made representations to the public concerning its regulation and screening of content on its bulletin boards, it was exposed to greater liability than an ISP not making such representations. In the court's opinion, the fact that Prodigy screened only for indecent and obscene content and not defamation was of no consequence. This case could be reconciled with Cubby - and indeed, the court relied on Cubby to reach its outcome - due to the fact that the ISP here attempted to exercise editorial control. However, the reasoning led to the seemingly perverse result that service providers who actually made an effort to police their sites would be judged more harshly than those who chose to remain totally ignorant.

A. THE COMMUNICATIONS DECENCY ACT (1996)

Congress attempted to address the issue raised in the Stratton Oakmont case through the Communications Decency Act (CDA) (Website)(CDA) of the Telecommunications Act of 1996 (Website)(TelecomAct). Although the main thrust of the CDA, which attempted to regulate indecent content on the Internet, was eventually struck down as violative of the First Amendment (Website)(Reno), a safe harbor provision dealing with ISP liability was left intact. That provision, 47 U.S.C. §230(c) [Website)(§230(c)], was drafted to explicitly overrule decisions such as Stratton Oakmont by not subjecting those ISPs that made an effort to screen content to stricter liability than those who made no effort at all (Website)(Record). The provision, which is also known as the "Good Samaritan" defense, states: "No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider" [Website)(§230(c)(1)]. The subsection goes on to preclude civil liability for ISPs attempting to regulate or block access to offensive content [Website)(§230(c)(2)].

These surviving provisions of the CDA played a prominent role in the case of Zeran v. AOL (Website)(Zeran). In that case, a user pretending to be Mr. Zeran posted comments on an AOL message board, offering T-shirts with offensive and tasteless slogans regarding the Oklahoma City bombing, which had occurred just days earlier. The posting, which included Zeran's phone number, resulted in a large volume of angry phone calls, including death threats. While AOL personnel removed this original posting when Zeran notified them, they refused to publish a retraction, and subsequent postings offering merchandise with even more offensive slogans soon followed. The problem was exacerbated when an Oklahoma City radio station broadcast Zeran's phone number and encouraged listeners to call him and let him know what they thought about his offer.

Zeran's suit against AOL claimed that the ISP had failed in its "duty to remove the defamatory posting promptly, to notify its subscribers of the message's false nature, and to effectively screen future defamatory material" (Website)(Zeran,330 ). AOL relied on 47 U.S.C. §230 as an affirmative defense, and the trial court granted its motion to dismiss. In upholding the district court's ruling, the 4th Circuit explored Congress' intent in passing this section of the CDA:

The purpose of this statutory immunity is not difficult to discern. Congress recognized the threat that tort-based lawsuits pose to freedom of speech in the new and burgeoning Internet medium … Faced with potential liability for each message republished by their services, interactive computer service providers might choose to severely restrict the number and type of messages posted. Congress considered the weight of the speech interests implicated and chose to immunize service providers to avoid any such restrictive effect. (Website)(Zeran 330-331)

The court went on to suggest that §230 of the CDA was drafted to respond to and overrule Stratton Oakmont, seeking to remove the disincentives to self-regulation that resulted from that line of reasoning. Along these lines, the court also rejected Zeran's claim that the rules applying to a distributor, as opposed to a publisher, should apply to AOL in this case, arguing that such a conception would defeat the purpose of the statute. While the Zeran court thus recognized the broad sweep of ISP immunity under the CDA, it did stress that the Act allows an injured party to seek redress from the individual responsible for the injury. Zeran, however, was unable to identify the defamatory poster and therefore was left without an easy remedy.

See Additional CDA Cases for more information.

B. THE DIGITAL MILLENNIUM COPYRIGHT ACT (1998)

Congress again addressed the issue of ISP liability through legislation in the Digital Millennium Copyright Act (DMCA) of 1998 (Website)(DMCA), which revised portions of the existing federal copyright law and added new provisions. Title II, §202 of the DMCA, which was incorporated into the copyright code as 17 U.S.C. §512 (Website)(§512), addresses limitations on liability relating to copyrighted material online. Specifically, the provision grants an ISP immunity for possible copyright violations as a result of transitory digital network communications, system caching, storage of copyrighted materials by users in ISP storage space, and directing users to particular locations (through links, directories, or other tools). While the first two of these provisions attempt to address copyright issues that arise specifically due to technological processes (such as passively forwarding network traffic on the way to its ultimate destination), the second two touch more broadly on traditional issues of contributory or vicarious liability for copyright infringement that have closer analogues in the non-digital world.

The immunities granted in these DMCA provisions are subject to numerous conditions that make the law somewhat convoluted. The most basic and important of these conditions are that the ISP have no knowledge of the infringing conduct of its users (or infringing nature of its own links) and that, once an infringement is discovered, it take steps to expeditiously remove infringing material and suspend service to the infringing party. In this way, the DMCA offers a safe harbor to ISPs by withholding liability for infringement from ISPs that have no knowledge of an infringement. When infringement is discovered, the ISP can remain within the safe harbor and escape liability by promptly following the specified procedures for removal or diabling of access once it is notified of the infringement. While this safe harbor combines with the protections of the CDA to give a broad immunity to ISPs, the DMCA provisions may have the ancillary effect of impinging upon free speech by encouraging more stringent actions to be taken by ISPs against alleged infringers in an effort to remain within the safe harbor.

See Notice Provisions of the DMCA for more information.

C. ISP LIABILITY AND THE E-BUSINESS

What does all this mean for the e-business? First of all, an e-business that does not have its own fully self-sufficient infrastructure needs an ISP of some sort, and these case law precedents and statutory provisions will clearly effect e-business-ISP relations. Even the most self-sufficient e-businesses, usually utilize an upstream service provider of some sort. Furthermore, to the extent that an e-business takes on attributes of an ISP, these precedents and provisions may apply directly to the e-business as a service provider. For most e-businesses, the host will be the ISP and issues of ISP liability that arise may be incorporated into a hosting agreement. The default rule set forth by the CDA and the cases interpreting it in regards to defamatory or obscene content will immunize the host from liability for an e-business' wrongdoing in publishing such content. While a specific hosting agreement certainly may be drafted to reallocate the liability in these cases, there is little incentive for the host to do so and the e-business itself is clearly in the best position to regulate its content. These considerations make it likely that the default rule will be followed.

The DMCA safe harbor provision presents an opportunity for a practitioner to draft specific contractual provisions for a hosting arrangement to address the execution of the statutory processes. Because the DMCA safe harbor may give ISPs an incentive to overreact in shutting down sites that are allegedly infringing, an e-business may wish to modify a hosting agreement to allow recovery for damages due to improper termination of service (i.e. termination when there was no infringing content or other infringing activity). An e-business may also wish to draft contractual language concerning the processes by which a host ISP may shut down service. For instance, an agreement could require notice of pending termination to be given to the e-business and provide for a specific period of time to cure the allegedly infringing conduct prior to termination or suspension of service. Such contractual provisions regarding recovery for improper termination or the process of termination can be a powerful tool to blunt the blow upon content providers and other Internet users by the DMCA and its encouragement of vigilance on the part of ISPs. It should be noted however, that contractual provisions that work within the contours of the DMCA and attempt to reach agreement on the ambiguous interpretive junctions of specific statutory provisions will be more likely to withstand challenge, as the federal statute may be found to preempt any explicitly contrary contractual language in court proceedings. This is particularly important considering the rights of third parties (copyright holders) are involved in these types of cases.

The other main situation in which an e-business may be affected by issues of ISP liability is that in which the e-business itself takes on the attributes of an ISP, opening itself up to potential liability for the acts of its users. This process of an e-business taking on the characteristics of an ISP is common for those websites that offer users more interactive services. An e-business may find it advantageous to give its customers fora, such as chat rooms, to discuss products and other topics related to the e-business. Or it may wish to allow its customers to post product reviews that potential buyers can then access. These chat rooms or review areas may be used in a manner that injures third parties - ranging from the posting of defamatory content to copyright infringement (either direct posting of copyrighted material or contributory infringement by posting sites where copyrighted material can be illegally obtained).

Assessing whether an e-business can be held liable for such acts of its users depends on the construction of the statutes at issue. The courts have explored the contours of the CDA and DMCA and their applicability to websites in several major cases.

See Access Provider Liability for more information.

back to TOC

V. Website Development

A. IN-HOUSE DEVELOPMENT V. OUTSOURCING

Like hosting, web design and programming is something that can be developed by in-house personnel or can be outsourced. While most businesses take advantage of the benefits of outsourcing the hosting of servers, web design and, to a lesser extent, programming are often kept in house for several reasons.

Web design is the most crucial aspect of an e-commerce business. The website is where customers interact with the business and buy products; in some instances (as with purely content providers), the website itself is the product. Another reason many companies keep web design and programming in-house is because the Internet economy in general and e-business specifically often calls for rapid changes - both in the content and design of websites. In terms of content, it may often be the case that an e-business needs to add updated products or product information to its website, either as part of the regular course of business or in response to some particular event in the market. For design in general, it will often come to the attention of those running an e-business that a particular new web design or layout of the site would be more attractive to customers or make the site easier to use. It may also come to the attention of those running the business - often in the form of customer complaints - that there is some sort of problem with the functionality of the site or its general layout. Keeping an in-house team of programmers/designers allows the e-business to respond to these stimuli quickly and keep the business running smoothly, which may not be possible if the services are outsourced due to lack of personnel, time or urgency on the part of the contracted designers and programmers.

However, it is not always feasible for every business to keep a fully equipped in-house design and programming team. Some small businesses may not have the budget or the pressing business need to develop their own programmers. Large businesses may choose to outsource certain aspects of the design and programming services, such as graphic design, editing, and backend software development. Many of these oft-outsourced services have to do with design and programming aspects that are not site-specific. One reason for this is the idea that an outside party may not fully understand the vision and purpose of the e-business, so should work only on the more generic aspects of design and programming. In other cases, it may not be cost-effective to develop one's own designers/programmers for things that are not site-specific. For instance, a site in need of graphics for its website may hire an outside graphic designer to develop pictures and icons. Outside programmers are often hired to implement credit card verification systems, inventory and archiving systems, and internal search engines. The more mechanical an aspect of website functioning, the more likely it is to be outsourced. Thus, much programming outsourcing is geared towards backend functionality and internal aspects that keep a website running smoothly behind the scenes.

B. WEBSITE DEVELOPMENT AND INFRINGING CONDUCT/CONTENT

As with hosting, when programming and design services are outsourced, the e-business and its attorney must undertake an analysis regarding allocation of risk and responsibility through the services contract. Two main areas in which there can be problems are liability for copyright or trademark infringement and service disruptions or other problems due to malfunctioning programming. In terms of copyright, an e-business should communicate to a hired designer that all graphics, photographs, and text used on the website must be original or in the public domain. As most of the photographs and graphics currently used on websites and in print media are copyrighted, the e-business practitioner must diligently attempt to determine whether non-original graphics/photos used by an outside designer are truly in the public domain. The attorney should also be aware of the fair use doctrine (Website)(§107) as it may be useful in excerpting portions of texts (a favorable review of the business' website or products, for instance) or other copyrighted media - although it should be noted that use of copyrighted materials for commercial purposes enjoys less latitude in fair use analysis than non-commercial use (Website)(Sony).

While these copyright concerns apply equally to businesses that design their own websites, it is important to note that contracting the work out will not save the website publisher itself from escaping liability for any infringement, due to the basic tort concept of vicarious liability. One possible way around this is to create a contract that specifically puts the burden of noninfringement on the contracted designer and holds it liable for any infringement. This does not absolve the publisher from copyright infringement, however, and a business may be limited to seeking post-judgment contribution from the designer or may be left to satisfy a judgment if the designer is insolvent or otherwise judgment-proof. While such contractual language is still better than nothing, perhaps the best technique to employ is to carefully check a contracted designer's work or avoid using non-original content at all.

See Prof. William W. Fisher, Linking, Framing, Meta Tags, and Caching at http://cyber.law.harvard.edu/property00/metatags/main.html for more information.

C. PROGRAM MALFUNCTIONS

Programming malfunctions and other associated problems can also be handled through contracts between the e-business and its hired programmers. To the extent that any such problems adversely affect customers (as in overcharges on credit cards, failure to register sales and ship products, etc.), there are similarities to the copyright context regarding satisfaction of a wronged third party. This is a particularly grave concern when problems with programs result in security breaches, which may lead to anything from a hacker putting offensive material on a business' website to the release of personal information or credit card numbers. Once again, when drafting a contract between an e-business and outside programmers, an attorney should be aware of possible problems that may result from faulty or otherwise malfunctioning programs. Contracts should consider a mechanism to address unforeseeable problems should they arise and arrange for necessary modifications to remedy them, as well as remedies for substandard or negligent programming. When hiring outside programmers, e-businesses should inquire into past problems with the programmers' work and their general service records and customer satisfaction in order to make an informed judgment about the likelihood of problems and potential adverse effects on customers. However, it should be recognized that programming is an ever-changing field and therefore never free from errors; this should also lead the e-business to implement contingency plans for problems due to program malfunctions and have mechanisms in place to remedy such problems immediately.

See Security for more information about external threats to website integrity.

D. SOFTWARE LICENSING AND WORK-FOR-HIRE CONTRACTS

Another aspect of programming that warrants brief mention for its legal implications is programmers' use of software and software licensing. For instance, a website may wish to use automated software for matching users up with products, but the contracted programmer is unable to develop a program due to budgetary or technological constraints. In such a case, the e-business or its programmer may look into commercial software available to meet this need. As most software requires a license for each distinct use, an e-business should make certain to pay for the license for the use of such software by its hired programmers. While this will increase the cost of programming services, it is important to ensure the software is being used legally so as to eliminate any possible cause of action by the software rights holder. The cost of these licenses may be charged in the services agreement with the programmers or the e-business can exercise more caution and arrange to pay the software licensing fees directly to the software developers. The latter option would prevent the e-business from assuming any liability in the case of an unscrupulous programmer who charged for software licensing fees but did not pay the software developers. Of course, this is may not always be a concern, as many programmers use their own software and certain software is in the public domain. In drafting a programming arrangement, the diligent attorney should inquire into the software to be used and make sure any needed licenses are obtained.

In addition to respecting others' rights in their software, it is important for an e-business to take measures to protect the software and other materials (including the web page itself, databases, etc.) developed for the e-business itself. All free-lance and other contract work should be done on a "work-for-hire" basis which, when specified in advance by the parties in their written agreement, allows all copyrights in the contractor's work to vest automatically in the e-business. If such agreements are not executed in advance, then the material belongs to the contractor and the e-business must obtain a written license to use the work on the website, or preferably an outright assignment of all rights. The work-for-hire rights automatically accrue to employers when the creation of the website material is required as part of the employee's job duties.

See Website Development Checklist for more information.

back to TOC

VI. Marketing and Advertising

In order to be successful, an e-business must engage in advertising and marketing. These areas have more in common and substantial crossover with their counterparts in the traditional bricks and mortar business world than the more technology-specific concerns above. However, advertising and marketing in the online medium also raise considerable novel issues of which the e-commerce practitioner should be aware. This section will highlight some common modes of advertising and marketing online and examine some legal issues that may arise in those contexts. (Note: This section will not deal with advertising and marketing through traditional media such as television and radio, billboards, mass mailings, etc.).

A. ADVERTISING

Advertising one's e-business online usually takes one of two forms: 1) the purchasing of advertising space on another's website, or 2) swapping advertising space with another business or participating in an general advertising exchange program. Purchasing advertising on another website requires an e-business to determine its potential/desired customers and find an appropriate site through which to reach them. Advertising and marketing online offer e-businesses the advantage of reaching a well-defined target audience easily by buying space on websites whose visitors are in the same demographic as those sought as e-business customers. Websites are able to gather varying amounts of information about the types of visitors to their site (as will be discussed in Part 3: Consumer Privacy) with sites requiring registration or subscription particularly adept at gathering detailed information. This offers a distinct advantage over the types of data that can be gained from other media such as television and radio - instead of merely determining that a program is predominantly reaching the 18 to 25 year-old male demographic (a favorite group of television and movie executives), websites can give a more detailed breakdown of their audiences. This information can include age, sex, race, nationality, and other categories that make targeted advertising and marketing a reality - meaning less money is wasted going after groups to whom the e-business is not really catered. (Note: Gathering such information can raise significant privacy concerns; see the forthcoming course section on Privacy). Websites also can give potential advertisers information about the volume of traffic to their sites and therefore the size of the audience that will be reached by the advertisements.

A preliminary step in finding advertising space is thus determining what types of websites attract users who would be potential customers of the e-business. In some cases this may be easy - a golf news website would be a good fit for an online seller of golf equipment - while in other cases more research will need to be done to determine a good fit between advertiser and host. Most large websites have links to general advertising information and contact information for their advertising sales departments. Prospective advertisers can then make appropriate inquiries into the audience they would reach by advertising on a particular website, the costs of advertising, etc.. One other option is to go through a large-scale advertising service, such as DoubleClick (Website)(DoubleClick), that offers advertisers access to a network of partner websites in different categories. Such services act as middlemen, bringing together advertisers and those with advertising space in similar fields, eliminating many of the transaction costs associated with searching for individual advertising hosts. Utilizing such a service also will likely increase the audience the advertisement reaches by displaying a client's advertisement across a wider array of host sites, although this may come at the expense of reaching a more narrowly defined target audience.

Legal issues in renting advertising space mainly involve the agreements between advertiser and host. An e-business may have different options in structuring these agreements, such as choosing to pay a fixed price for advertising for a particular period of time, paying the host on a sliding scale depending on the amount of traffic to the host site or actual clicks through to the targeted (advertising) site, or paying the host a commission on sales made as a result of the ad. Issues concerning ad placement, number of views, viewership guarantees, ad tracking, and click-through fraud prevention should all be spelled out in the advertising agreement. As an e-business' advertising needs are sure to change over time, an agreement should also contain provisions regarding changing one's advertisements during the course of the contract; such a provision also allows changes to be made in response to consumer complaints/feedback. The advertising host likely will want to include in the agreement clauses indemnifying it in certain situations. These situations - which should also be kept in mind if the e-business itself decides to sell advertising space - include copyright and trademark infringement as well as cases involving fraud or misleading advertising.

Copyright and trademark infringement issues may arise as a result of infringement directly in the displayed advertisement itself or by linking through the advertisement to a site that contains infringing works. In the former case, the infringement itself is posted on the host site and the host is therefore potentially liable for copyright infringement (Website)(Fausett). The case of advertisements linking to a site that contains a copyright or trademark infringement may give rise to a claim of contributory or vicarious infringement against the linking party. Contributory copyright infringement results when "one who, with knowledge of the infringing activity, induces, causes, or materially contributes to the infringing conduct of another" (Gershwin). The U.S. Supreme Court has also acknowledged the doctrine of contributory copyright infringement (Website)(Sony, 435). To deal with these situations, the parties should agree upon which party will be held liable for such infringement, as well as create a plan of action in the case that a possible infringement is brought to the attention of the host or advertiser.

See Advertising Exchanges and Advertising Standards for more information.

B. DIRECT MARKETING

In addition to advertising, many e-businesses also reach potential customers via email. Contacting customers through email usually takes two forms: targeted emails directed at past customers or registered users of an e-business, or mass emails sent to a mailing list usually compiled by a third party. Many respected e-businesses use the first form of targeted emails to customers or registered users in order to keep these consumers apprised of new developments at the e-commerce site, such as new products, sales/promotions, or a new version of the website. When registering at a website (usually for the promise of greater access to information, products, etc.) or when purchasing a product, most e-businesses usually ask for a customer's email address and other basic information (more information is usually required when purchasing a product because of the need for shipping and credit card information). A common technique of many e-businesses is to have email offerings included in the options when a visitor signs up as a member of the website or purchases a product. Visitors are often given the option to receive regular newsletters from the e-business, emails regarding sales or promotions at the website, and a variety of other choices. These options are offered through a series of boxes that show a preference for the service offered when checked. A common ploy of websites to get visitors signed up for the services is to have all the boxes checked as the default, leaving the visitor to uncheck the boxes representing unwanted services. This is an example of an opt-out system - the consumer is required to take active steps to opt out of the plan of services; the passive consumer receives the emails as the default. The other option would be an opt-in plan, whereby the consumer who wished to receive emails would have to take active steps (i.e. checking the boxes) to get on the mailing list. In such an opt-in scheme, the passive consumer receives nothing as the default.

The question of whether to use an opt-in or opt-out scheme for targeted emails is a sensitive one that brings in questions of consumer expectations and privacy. An opt-out scheme may seem invasive to some consumers because they end up receiving emails for which they did not explicitly sign up. However, the user's feeling of inconvenience is probably less in this case than it is in the case where the user simply received unsolicited mail from a website or e-business with which he or she had no prior contact. This is largely because the consumer has already taken active steps to develop a relationship with the e-business, either by signing up as a registered member or by purchasing a product. Due to this relationship, the consumer has or should have more of an expectation that the e-business will contact him/her in the future and should not be put out by receiving emails from the e-business.

Of course, the e-business should use discretion and good business judgment in sending emails - consumers are a lot less likely to be rankled by a bi-weekly email than a daily newsletter or other persistent contact that may lead to annoyance. And an e-business should always make it clear in the email sent that the consumer has the option to opt out of the email service by sending a reply email to unsubscribe from the periodic mailings or by visiting the website to take an email address off the mailing list. Making it difficult to opt out of the mailings or not taking people off the list who wish to be removed may lead to people feeling harassed or invaded and result in a complaint against the offending website. Some e-businesses may make the decision that they wish to play it safe and not offend anyone, and therefore use a strict opt-in sign-up system for marketing emails. Most, however, will find it is worth losing a small percentage of upset customers for the ability to reach more users than they would be able to with an opt-in scheme. Even if most who receive the marketing emails simply delete them, it may be worth it to send them to reach those who do read them and to take a chance that a catchy subject line can get the deleters to read the messages from time to time. In the end, an opt-out scheme probably will lead to a greater audience for these marketing emails and will typically not be considered unduly invasive due to the consumer's pre-existing relationship with the e-business, but the business should make certain that recipients who do not wish to receive emails have a quick and easy method of unsubscribing from a mailing list or otherwise opting out of the service. An e-business should not take lightly the potential for a strong negative reaction on the part of consumers due to the receipt of unwanted email.

The other major type of email marketing involves sending unsolicited emails to mailing lists compiled by a third party or an e-business itself. Unsolicited emails such as these raise significant concerns that do not arise where the parties have a prior connection. This type of system goes beyond a mere opt-out system in pushing emails upon potentially unwilling recipients because the recipients have no pre-existing relationship with the entity sending the emails. Due to this lack of a relationship, the emails are more likely to be viewed as an invasion of a consumer's privacy or as a form of harassment. Such unsolicited emails, also known as spam, are generally considered a form of junk mail and are typically utilized by and associated with pornography websites, get-rich-quick schemes, and generally solicitous and invasive businesses. The annoyance to, and resulting outrage of, recipients, as well as the stigma of being associated with a certain type of business entity is enough to steer many e-businesses away from utilizing spam, but there are legal considerations that militate against such practices as well.

In the case of Intel Corp. v. Hamidi (Website)(Hamidi), a California Court issued an injunction against a former employee of Intel who was sending unsolicited emails to Intel employees regarding the company's employment policies. The court based its ruling on a trespass theory, suggesting that such emails were tying up the computing resources and time of Intel employees and therefore causing material loss to the corporation. While this case involved a somewhat different factual situation than one where an e-business spams a wide range of potential customers, it does show that certain forms of abuse will not be tolerated and that spamming can be illegal in certain circumstances.

While courts have thus relied on existing legal doctrines to find some spammers guilty of unlawful conduct, recent proposed legislation in the states and in the U.S. Congress would explicitly make certain actions involved with spamming illegal. Because many ISPs have anti-spam measures and take steps to block spam coming from particular addresses or computers, many spammers jump from account to account to avoid detection and being shut down. The new proposed bill, the "Anti-Spamming Act of 2001" (Website)(Anti-Spam ) provides for criminal penalties for Internet users who falsify their email addresses in this manner in order to send spam. The bill, whose sponsor views spam as a substantial burden on Internet users whose connections are adversely affected by the volume of commercial junk mail received, allows for monetary fines and damages awards against generators of spam. Several previous efforts to regulate spam by state lawmakers have been struck down on the theory that such measures, as state laws affecting interstate commerce, violate the Commerce Clause of the U.S. Constitution (Website)(Clause), which gives Congress sole power to regulate interstate commerce (Website)(Kaplan). As the new proposed legislation would be passed by the U.S. Congress, it does not suffer this Constitutional deficiency.

In addition to legal issues raised by reaching potential customers through unsolicited emails, there are other measures taken to prevent Internet users from receiving spam that may adversely affect an e-business attempting to utilize mass mailings.

See Anti-Spam Groups for more information.

In the end, the threat of an e-business' emails being blocked by a private service, triggering penalties under the proposed federal statute, or causing loss of business due to annoyance to potential customers leads to the conclusion that mass unsolicited mailings are an unwise (and potentially illegal) marketing method to be employed by an enterprise. Furthermore, promoting an e-business via spam may also constitute a breach of the company's ISP/host agreement and result in termination of service. The best way to reach customers therefore is through the aforementioned techniques of advertising or using targeted email directed at past customers or registered users of a website.

If an e-business wishes to reach a wider audience via email, the best way to do so may be to partner with another entity that sends targeted emails to customers and is willing to add an advertisement or link to the e-business' website, in exchange for similar concessions or some other consideration. If such a plan is followed, the businesses involved should make it clear to customers in the agreement to receive emails (the box checking form discussed previously) that their emails may contain information about its partners and affiliates. A decision to enter such an agreement should account for potential adverse customer reactions (depending on the level of perceived intrusion) and any implementation of the agreement should always offer the recipient to opt out of some or all of the services.

C. SEARCH ENGINES

Perhaps the most effective and cost-efficient means for an e-business to reach potential customers is through search engines, a method by which many consumers are matched up with businesses offering products or services they desire. There are two major types of search engines: web directories and engines utilizing spiders or web crawlers to catalog websites. Directories generally work by soliciting websites for inclusion in a web directory, which is then searched by users. In this sense, it is an active process that requires affirmative action on the part of an e-business in order to get listed in the directory. The most well known web directory is Yahoo! (Website)(Yahoo!), which accepts submissions from websites to be included in a particular category under the Yahoo! organization scheme (Website)(Suggest). Simply suggesting a site does not guarantee immediate inclusion in the Yahoo! directory, however, as Yahoo! must review the site prior to its inclusion to determine whether it is in the appropriate category and whether it is appropriate to include the website at all.

Search engines that utilize spiders or web crawling technologies to catalog websites operate in a very different manner than web directories. These engines use technological means (often called robots or spiders) to scour the web and then catalog the websites in their engines to be pulled up when matched with user search terms. An example of a popular search engine that utilizes such technology is Google (Website)(Google), which uses its Googlebot web crawler to explore the vast offering of web pages available on the Internet and index them for use in its search engine. This offers an advantage to e-commerce sites over directory services in the sense that no affirmative action is necessary to have one's website listed; the web crawlers automatically add all cataloged sites to the search engine's index. In addition, some robot-based engines, such as Google, offer submission of URLs for faster addition to their indexes (Website)(Submit).

See Search Engines and Directories for more information.

In contrast to the early days of search engines, the ability to purchase higher rankings on the top search engines no longer exists. Understanding the ranking systems of search engines, however, allows an e-business to take measures in several major areas to ensure higher placement. These areas include click popularity, stickiness, link popularity, and page-related factors such as tags and keywords.

Click popularity is a measure of the number of times search engine users click on a particular site when it is returned as a result of a search. The greater the number of users who choose a particular site, the higher ranking it will have. DirectHit (Website)(DirectHit), a search engine whose technology is used by a number of other major search engines (including Lycos at http://www.lycos.com, HotBot at http://www.hotbot.com, and MSN at http://www.search.msn.com), utilizes a unique ranking system that incorporates click popularity to match users up with the most popular sites in the search field. The DirectHit ranking scheme also incorporates the related concept of stickiness, which is a measure of the length of time users spend at a site once they click through to it from a search engine. The greater the stickiness, measured by the length of time between clicks on different results of an original search, the higher the ranking the engine gives the website. In order to achieve greater click popularity, an e-business should look to have a good, descriptive title that sets it apart from other sites. As users of search engines see only a title and brief description (either based on a submitted description or the first lines of text on the website) when results of a search are returned, the title and description should be tailored to entice viewers or otherwise set one's site apart from others' sites. As to stickiness, the layout of one's website and the overall design will be very important to users when determining how much time to spend at a site. The greater the extent to which an e-business can further draw users into its website, the greater the stickiness will be and the higher the ranking. When designing a site or overseeing the work of outside designers, an e-business should consider factors influencing stickiness, such as general layout, ease of navigability, functionality, and frequency of site updates. Self-audits measuring stickiness can often be performed by hosting services, from which an e-business can gain valuable information regarding its visitors and how long they stay, allowing tailoring of a website to increase stickiness by better meeting its visitors' preferences and computing needs.

Link popularity is very important in certain search engines' ranking schemes, particularly Google's. This metric basically measures the number of links to a website from other websites, giving higher rankings to sites with more links to them from other websites. In addition to measuring sheer numbers, certain ranking schemes (most notably Google) take into account the origin of the links, weighing links from more highly rated pages greater than those of lesser-ranked pages. Thus, a link to one's website from CNN.com is given more weight than a link from Joe Smith's News of Wichita. The effect of link popularity on ranking schemes thus may influence marketing plans when determining affiliate and partnership agreements with other websites, as well as different advertising strategies.

Page-related factors deal less with viewer's perceptions of a website and more with how a search engine reads the internal placement of keywords in the text of a website and use of meta-tags in web programming. In this sense, while the above factors more heavily influence the ranking or placement of a site on a results page, the page-related factors are the gatekeepers for whether a site is returned as a result in a search at all. An e-business website thus must reverse-engineer searches in a way, making a determination of how users will get to the site through a search engine or how it wishes these users to get to its site. The main way to ensure that users get to one's site is to create a set of keywords that describe the content and product offerings of the website.

See Keywords and Tags for more information.

Practitioners and e-businesses alike should be aware that a large number of cases have arisen involving meta-tags and trademark disputes. Many of these cases have involved situations where, in an effort to drive traffic to their sites (and away from competitors), web developers have used the trademarks of competitors in their meta-tags. One major case involving such a dispute was Playboy Enterprises, Inc. v. Welles (Website)(Playboy). The defendant in that case, a former Playboy model, used the plaintiff's trademarks such as "Playboy" and "Playmate of the Year" as keywords in her website's meta-tags. Playboy claimed that the use of these trademarks by her site, which was a competitor to Playboy's own website due to its adult content, constituted trademark infringement. The court, however, granted summary judgment for the defendant, ruling that, as a former Playboy model and Playmate of the Year, defendant was entitled to use the trademarks to identify herself as such under the fair use exception to the trademark doctrine (Website1, Website2)(§1115(b)(4) and 1125(c)(4)).

In other cases where a fair use defense has not been available, however, the competitor's use has been found to constitute an infringement. In Brookfield Communications, Inc. v. West Coast Entertainment Corp. (Website)(Brookfield1), the defendant used the plaintiff's trademark "MovieBuff" in both its domain name and meta-tags. The appellate court reversed the district's court denial of a preliminary injunction for the plaintiff, ruling that irreparable injury would likely result from the defendant's continued use of the trademark in the domain name and meta-tags. On the meta-tag issue, the court stated that while "West Coast can legitimately use an appropriate descriptive term in its metatags," plaintiff's trademark MovieBuff was "not such a descriptive term" (Website)(Brookfield2). Plaintiffs have prevailed on motions for preliminary injunctions in similar cases involving the use of plaintiffs' trademarks in defendant competitors' meta-tags (Website)(Roberts).

These cases sound a stern warning to e-businesses thinking about using competitors' trademarks in meta-tags. However, they should not prevent an e-business from using in its website text terms that may be trademarked but are used for descriptive purposes in accordance with trademark's fair use doctrine. To this end, an e-commerce practitioner should be familiar with the relevant sections of the trademark code dealing with fair use [Website1, Website2)(§1115(b)(4) and 1125(c)(4)] and run a trademark search (Website)(TESS) on any potential keywords that may be trademarked by a competitor. And to the extent that these issues will be encountered in website development, a web development agreement should incorporate an e-business' policies regarding tagging for search engine placement.

Back to TOC

VII. Conclusion

Like any business venture, developing an e-commerce website involves contributions by a wide variety of parties and engenders important legal considerations that have the potential to derail even the most well-intentioned entrepreneur. The above discussion of domain name registration, hosting, website development, security, and marketing and advertising is meant to highlight some of the major issues e-businesses will face in getting up and running. The list is by no means exhaustive and every e-business will encounter a different set of circumstances that may require additional issues to be addressed or the same issues to be addressed in different ways. The remainder of the course will take a more in-depth look at particular legal issues in the e-commerce context, including transactions, consumer privacy, and disputes.

back to TOC

VIII. References

ICANN, http://www.icann.org (back to text)

See ICANN, Seven New TLD Proposals Accepted, available at http://www.icann.org/tlds/ (back to text)

See Umbro Int'l, Inc. v. 3263851 Canada, Inc., 50 U.S.P.Q.2d (BNA) 1786 (Va. Cir. Ct. 1999), available at http://www.bc.edu/bc_org/avp/law/st_org/iptf/headlines/content/umbroadd.html (back to text)

See Network Solutions, Inc. v. Umbro Int'l Inc., 259 Va. 759, 770 (2000) ("[W]e do not believe that it is essential to the outcome of this case to decide whether the circuit court correctly characterized a domain name as a 'form of intellectual property.'"), available at http://www.gigalaw.com/library/nsi-umbro-2000-04-21-p1.html (back to text)

Dorer and Forrms, Inc. v. Arel, 60 F. Supp. 2d 558 (E.D. Va. 1999), available at http://lw.bna.com/lw/98266.htm (back to text)

Whois, http://www.crsnic.net/whois/ (back to text)

Allwhois, http://www.allwhois.com/home.html (back to text)

Uwhois, http://www.uwhois.com/ (back to text)

Diane Cabell, Using ICANN's UDRP (2000), available at http://cyber.law.harvard.edu/udrp/ (back to text)

See ICANN, ICANN Registrar Accreditation Agreement, available at http://www.icann.org/registrars/ra-agreement-12may99.htm (back to text)

Network Solutions, http://www.networksolutions.com (back to text)

See Scott Wooley, Goldmine or Glut?, FORBES GLOBAL, June 12, 2000, available at http://www.forbes.com/global/2000/0612/0312054a.html (back to text)

Cubby v. CompuServe, 776 F. Supp. 135 (S.D.N.Y. 1991), available at http://www.loundy.com/CASES/Cubby_v_Compuserve.html (back to text)

Stratton Oakmont, Inc. v. Prodigy Services Co., No. 31063/94, 1995 N.Y. Misc. LEXIS 229 (N.Y. Sup. Ct. May 24, 1995), available at http://www.jmls.edu/cyber/cases/strat1.html (back to text)

Communications Decency Act, Pub. L. No. 104-104, 110 Stat. 133 (1996) (codified as amended in scattered sections of 47 U.S.C.), available at http://www.epic.org/cda/cda.html (back to text)

Telecommunications Act of 1996, Pub. L. No. 104-104, 110 Stat. 56 (1996) (codified as amended in scattered sections of 15, 18, and 47 U.S.C.), available at http://thomas.loc.gov/cgi-bin/query/z?c104:S.652.ENR: (back to text)

See Reno v. ACLU, 521 U.S. 844 (1997), available at http://caselaw.lp.findlaw.com/scripts/getcase.pl?court=us&vol=000&invol=96-511 (back to text)

47 U.S.C. §230(c) (Supp. IV 1998), available at http://caselaw.lp.findlaw.com/casecode/uscodes/47/chapters/5/subchapters/i/sections/section_230.html (back to text)

See 141 CONG. REC. H8469-70 (1995) (statement of Rep. Cox.), available at http://frwebgate3.access.gpo.gov/cgi-bin/waisgate.cgi?WAISdocID=0554725202+0+0+0&WAISaction=retrieve (back to text)

47 U.S.C. §230(c)(1) (Supp. IV 1998), available at http://caselaw.lp.findlaw.com/casecode/uscodes/47/chapters/5/subchapters/i/sections/section_230.html (back to text)

See 47 U.S.C. §230(c)(2) (Supp. IV 1998), available at http://caselaw.lp.findlaw.com/casecode/uscodes/47/chapters/5/subchapters/i/sections/section_230.html (back to text)

Zeran v. AOL, 129 F.3d 327 (4th Cir. 1997), available at http://caselaw.lp.findlaw.com/scripts/getcase.pl?court=4th&navby=case&no=971523P (back to text)

Zeran at 330 (back to text)

Zeran at 330-31 (back to text)

Digital Millennium Copyright Act, Pub. L. No. 105-304, 112 Stat. 2860 (1998) (codified as amended in scattered sections of 17 U.S.C.), available at http://thomas.loc.gov/cgi-bin/query/z?c105:H.R.2281.ENR: (back to text)

17 U.S.C. §512 (Supp. V 1999), available at http://caselaw.lp.findlaw.com/casecode/uscodes/17/chapters/5/sections/section_512.html (back to text)

See 17 U.S.C. §107 (1994), available at http://caselaw.lp.findlaw.com/casecode/uscodes/17/chapters/1/sections/section_107.html (back to text)

See Sony Corp. v. Universal City Studios, Inc., 464 U.S. 417 (1984) (Discussing the importance of whether a use of copyrighted material was commercial or non-commercial in determining whether such use was fair), available at http://caselaw.lp.findlaw.com/scripts/getcase.pl?court=us&vol=464&invol=417 (back to text)

DoubleClick, http://www.doubleclick.com (back to text)

Bret A. Fausett, Linking Legalities, WEBTECHNIQUES (2001), available at http://www.webtechniques.com/archives/2001/02/legal/ (back to text)

Gershwin Publ'g. Corp. v. Columbia Artists Mgt., Inc., 433 F.2d 1159, 1162 (2d. Cir. 1971). (back to text)

See Sony at 435 ("[T]he concept of contributory infringement is merely a species of the broader problem of identifying the circumstances in which it is just to hold one accountable for the actions of another.") (back to text)

Intel Corp. v. Hamidi, 1999 WL 450944 (Cal. Super. Apr. 28, 1999) (unpublished case), available at http://www.faceintel.com/permanentinjunction.htm#Tentativeruling (back to text)

Anti-Spamming Act of 2001, H.R. 1017, 107th Cong. (2001), available at http://www.spamlaws.com/federal/hr1017.html (back to text)

See Carl S. Kaplan, In Spam Case, Another Defeat for State Internet Laws, NEW YORK TIMES CYBER LAW JOURNAL, Mar. 24, 2000, available at http://www.nytimes.com/library/tech/00/03/cyber/cyberlaw/24law.html (back to text)

U.S. CONST. art. I, §8, cl. 3, available at http://caselaw.lp.findlaw.com/data/constitution/article01/ (back to text)

Yahoo!, http://www.yahoo.com (back to text)

See Yahoo!, How to Suggest Your Site, available at http://docs.yahoo.com/info/suggest/ (back to text)

Google, http://www.google.com (back to text)

See Google, For Site Owners: Submit Your URL, available at http://www.google.com/addurl.html (back to text)

DirectHit, http://www.directhit.com (back to text)

Playboy Enterprises, Inc. v. Welles, 78 F. Supp. 2d 1066 (S.D. Cal. 1998), available at http://www.loundy.com/CASES/Playboy_v_Wells.html (back to text)

15 U.S.C. §§1115(b)(4), 1125(c)(4) (1994), available at http://caselaw.lp.findlaw.com/casecode/uscodes/15/chapters/22/subchapters/i/sections/section_1115.html, http://caselaw.lp.findlaw.com/casecode/uscodes/15/chapters/22/subchapters/i/sections/section_1125.html (back to text)

Brookfield Communications, Inc. v. West Coast Entertainment Corp., 174 F.3d 1036 (9th Cir. 1999), available at http://lw.bna.com/lw/19990504/9856918.htm (back to text)

Brookfield at 1066 (back to text)

See, e.g., Ken Roberts Co. v. Go-To.com, No. C99-4775-THE, 2000 U.S. Dist. LEXIS 6740 (N.D. Cal. May 10, 2000) (Judgment against defendants who used plaintiff's trademarks in meta-tags on basis of trademark law regarding false designation of origin and trademark dilution, as well as state law claims), summary available at http://www.finnegan.com/summ/cases/kenroberts.htm (back to text)

See 15 U.S.C. §§ 1115(b)(4), 1125(c)(4) (1994), available at http://caselaw.lp.findlaw.com/casecode/uscodes/15/chapters/22/subchapters/i/sections/section_1115.html, http://caselaw.lp.findlaw.com/casecode/uscodes/15/chapters/22/subchapters/i/sections/section_1125.html (back to text)

See USPTO, U.S. Trademark Electronic Search System (TESS), available at http://www.uspto.gov/web/menu/tm.html (back to text)

Back to TOC

IX. Additional Materials (Optional Reading)

A. CONDUCTING A TRADEMARK SEARCH

To determine whether a potential SLD is free or trademarked by another entity, one should run a trademark search. If the enterprise intends to do business on a global basis through its website, then it would be advisable to search for trademark conflicts on a global basis. Trademarks registered in Europe can be searched theough the Community Trademark Consultation Service (available at http://www.oami.eu.int/search/trademark/la/en_tm_search.cfm), while marks registered in Canada can be searched at the Canadian Trade-Marks Database (available at http://strategis.ic.gc.ca/cgi-bin/sc_consu/trade-marks/search_e.pl.). For U.S. federal marks, one can run a search for potential domain names through the U.S. Trademark Electronic Search System (TESS) (available at http://www.uspto.gov/web/menu/tm.html) of the United States Patent and Trademark Office (USPTO) (available at http://www.uspto.gov). This can then be supplemented with a quick nationwide business name search through an online yellow pages (available at http://www.yellowpages.com). Together, these searches will give the user a rough idea of any potential conflicts and exhibit a good faith effort to ferret them out, although such cursory searches do not guarantee the absence of conflicts or indemnification of the user. An exhaustive search would include state trademark registrations, other national registries and other business registries. For more information on searching, see Susan E. Gindin, Researching Trademarks (1998) at http://www.info-law.com/tmsearch.html. More comprehensive services along these lines are available through private trademark search services such as Trademark.com at http://www.trademark.com/new_tmdocs/index.shtml, Thomson & Thomson at http://www.thomson-thomson.com/, DialogWeb at www.DIALOGweb.com, Micropatent at http://www.micropatent.com, and Trademark Register at http://www.trademarkreg.com/.

Selection of a domain name for an online enterprise is as complex as the process for choosing a trademark name. Legal advice is strongly recommended to protect the value of the entrepreneur's investment in the name from claims of infringement. In the end, those wishing to take the most effective measures possible against potential conflict can take steps to register their trademarks through their local government (in the U.S., the USPTO). The USPTO website, for one, allows users to make an official registration filing online at http://www.uspto.gov/teas/index.html.

Back to TOC

B. DOMAIN NAME REGISTRATION AGREEMENTS

1. Terms

In addition to general contractual language concerning payment of fees and what constitutes breach, provisions concerning the following are common in gTLD registration terms of service agreements:

  • Dispute resolution under ICANN's UDRP
  • Registrar's rights to terminate or amend the registration
  • Conditions for transfer of name/registration to another registrar
  • Registrar's use of registrant's registration information (name, address, etc.) and penalties for giving false information
  • Registrant's responsibilities for acts of its agents and licensees
  • Limitation of registrar's liability in certain circumstances
  • Indemnification of registrar for acts of registrant
  • Representations and warranties of registrar and registrant
  • Governing law and forum selection

These boilerplate contracts/agreements are generally nonnegotiable due to transaction costs associated with the customization of contracts. Most registrants take substantially the same positions in their contracts, although some have additional provisions exceeding those above. One provision that often differs from registrar to registrar in its specifics are the governing law and forum selection clauses, as these tend to be tied to the registrar's place of business. In the end, very few users will take the time to look through such provisions and most of the disputes that arise will probably deal with the UDRP procedure and the cancellation or transfer of a domain name. Due to the fact that many e-commerce entrepreneurs will seek legal representation only at a later stage in the set-up process, practitioners should be aware of these agreements should any disputes arise at a later date or if the client wishes to modify the registration in some manner.

An example from the UDRP context shows the importance of awareness of the specifics of a TOS. Under the UDRP, a trademark owner who brings an action agrees to submit to one of two possible jurisdictions should the domain holder wish to appeal an adverse decision. The choice is between the jurisdiction of the domain holder or the jurisdiction of the registrar. The registrar's location may therefore be important to a domain registrant who has no prior legal rights in the domain name. The language of the registration agreement is the language in which the UDRP must be conducted, so this is another factor to consider in selecting one's registrar. For those registrants with the foresight to obtain representation prior to registering a domain name, the practitioner's comparison of the specifics of different registrars' TOS agreements can be helpful in advising the client as to which service to use.

2. Sample Agreements

  • eNic.cc Registration Agreement at http://www.ccnic.cc/policies/registration_agreement
  • Register.com, Services Agreement, available at http://www.register.com/service-agreement.cgi?1
  • 1stDomain.net, Terms + Conditions, available at https://www.sslsecureservice.net/cgi-bin/registrar/help.cgi?hfid=1stdomain&topic=domainterms
  • Network Solutions Inc, Service Agreement, available at https://www.networksolutions.com/en_US/legal/service-agreement.jhtml

Back to TOC

C. WEBSITE DEVELOPMENT CHECKLIST

For a good checklist of hosting issues, see Scott Austin, Fifteen Things You Need to Know to Advise Your Clients About Websites (Website).

The following issues should be addressed in a website development agreement:

  • Scope of work - initial development, updates, and changes
  • Transfer of work to the website owner's server
  • Functionality - performance standards and technical specifications for both Internet users and company personnel
  • Acceptance processes - testing, milestones, and final acceptance
  • Fees - fixed fees, sliding fees, and overall budget
  • Warranties - standards and remedies
  • Right of termination or withholding of fees for unacceptable work, consecutive failures, or failure to meet milestones
  • Training of e-business personnel by website developers
  • Schedule for work to be completed and procedures for changing schedules
  • Ownership of work - content, graphics, general design, and other intellectual property used or created
  • Placement of copyright notices on the website
  • Obtaining appropriate licenses, clearances, and permissions to use others' works and materials
  • Resources to be provided by each party - software, hardware, project management
  • Indemnities for violations of rights of the parties or third parties and limitation of liability
  • Confidentiality - e-business and developer confidentiality and user privacy
  • Standard contractual provisions - dispute resolution, governing law, and amendment of contract

Back to TOC

D. WEBSITE HOSTING CHECKLIST


The following issues in these general areas should be taken into consideration when drafting a hosting agreement:

Equipment:

  • Equipment ownership
  • Location of equipment - division between equipment stored at host facilities and the e-business offices
  • Equipment management and maintenance - performing back-up, fixing equipment problems, and updating equipment
  • The e-business' right of access to equipment at hosting facilities
  • Connectivity and performance issues - connection speed, maintenance of connections, and general standards of performance
  • Ownership/control of data stored in the equipment

Traffic and Maintenance Issues:

  • Uptime guarantees - percentage of time a website will be up
  • Response when the connection is lost and website is down or otherwise disrupted
  • Response to changes in traffic - necessary upgrades/updates to deal with greater influx of traffic
  • Maintenance performance and effect on connection

Service Agreements:

  • Services included in the agreement - standard services and custom services
  • Fee schedules - fixed costs for standard services and sliding costs for additional services
  • Warranties regarding level and quality of service
  • Acts/omissions constituting breach
  • Assignment of the services contract - host's and customer's obligations

Risk and Indemnification:

  • Responsibility for injuries to third parties resulting from security breaches and loss of service
  • Responsibility for ensuring compliance with laws of other nations where users are located
  • Disaster recovery plans and procedures - for both the host and website owner
  • Circumstances under which a site can be shut down - responsibility for resulting injuries
  • Actions to be taken upon breach

Back to TOC

E. ADDITIONAL CDA CASES

Blumenthal v. Drudge, 992 F. Supp. 44 (D.D.C. 1998) available at http://www.techlawjournal.com/courts/drudge/80423opin.htm

The defendant in this case had posted some allegedly defamatory statements regarding the plaintiff on his Internet news site. The plaintiff sued not only the generator of the content (Drudge), but also AOL, which had an exclusive agreement with Drudge to distribute his column to its subscribers. In granting AOL's motion to dismiss the charges against it, the court made the distinction between an ISP that actually develops content itself - which is not covered by the 47 U.S.C. §230 immunity - and one that merely posts or distributes the content of others. The court ruled that AOL fit in the latter category, which was protected by the statutory immunity. The court also found unavailing the plaintiffs' argument that this case should be decided differently than previous cases decided under the CDA because Drudge was not merely an anonymous poster to a chat room and AOL maintained a degree of editorial discretion over his content. While the court recognized that such a distinction seemed logical, it stressed that "Congress has made a different policy choice by providing immunity even where the interactive service provider has an active, even aggressive role in making available content prepared by others."

Gucci America, Inc. v. Hall & Assocs., No. 00 Civ. 549 (RMB), 2001 U.S. Dist. LEXIS 2627 (S.D.N.Y. Mar. 14, 2001), available at http://www.loundy.com/CASES/Gucci_v_Hall.html

Gucci America represents a departure from the trend towards a wide scope of immunity for ISPs, suggesting that courts might impose liability on ISPs in certain circumstances. The court in that case addressed the issue of ISP liability arising from a claim of trademark infringement by Gucci against Hall, whose e-commerce site containing allegedly infringing materials was hosted by Mindspring. Mindspring moved to dismiss Gucci's claim, arguing that it was immune from liability under §230(c)(1) of the CDA. The court rejected this claim, however, relying on §230(e)(2) of the CDA, which states: "Nothing in this section shall be construed to limit or expand any law pertaining to intellectual property." The court reasoned that because, "[u]nder existing intellectual property law, publishers may, under certain circumstances, be held liable for infringement," §230(e)(2) unambiguously constrained it from extending the §230(c)(1) immunity to Mindspring.

The court rejected Mindspring's argument that because the issues of trademark infringement had never arisen in the ISP context, there was no existing intellectual property law to trump the immunity. Furthermore, the court found unavailing Mindspring's reliance on Zeran, distinguishing that case on the basis that it construed the CDA on the grounds of tort immunity and not immunity from intellectual property claims. The fact that Congress had chosen to pass the Digital Millennium Copyright Act to address ISP liability in the area of intellectual property law further supported the court's interpretation of the CDA as limited to immunity from tort liability. The ISP was not entitled to rely on the Digital Millennium Copyright Act, however, because the court stressed that the Act applied only to copyright and not trademarks. While the procedural posture of the case and the novelty of the issue leave its precedential value open to question, it nevertheless serves as an important indication that there are limitations to an ISP's immunity under the CDA scheme.

Back to TOC

F. NOTICE PROVISIONS OF THE DMCA

The notification procedures of the DMCA have the potential to mute certain ancillary effects. Under 17 U.S.C 512(c)(3), a copyright holder must follow certain procedures in notifying a service provider of copyright violations in order to force the taking down of copyrighted materials. These notice requirements include, among others: identification of the copyrighted work claimed to have been infringed (or a representative list of such works), identification of the material that is claimed to be infringing and that is to be removed or disabled, and a statement that the complaining party has a good faith belief that use of the material in the manner complained of is not authorized by the copyright owner, its agent, or the law.

In the recent case of ALS Scan v. RemarQ Communities, 239 F.3d 619 (4th Cir. 2001), the court addressed the issue of the level of notice this DMCA provision required. The plaintiff in that case became aware of the existence of hundreds of its copyrighted images on the defendant service provider's newsgroups. When the plaintiff notified the defendant of these violations by identifying two newsgroups that were devoted to trading in the copyrighted images, the defendant refused to comply with the request to take down the images, asking instead for the plaintiff to identify each individual work being infringed with greater specificity. The plaintiff filed suit under the copyright code and DMCA, which the defendant sought to dismiss on the basis that the notice given was defective in that it did not follow the technical requirements of the DMCA.

In reversing the district court's dismissal of the case, the court of appeals stressed that 17 U.S.C. 512(c)(3)(A) requires only substantial compliance with its technical requirements and that identifying a representative list of infringed works was permissible when the identification of each individual work is impractical. The court responded to RemarQ's claim that the forced removal of the materials may encompass some noninfringing content by noting that "[t]o the extent that ALS Scan's claims about infringing materials prove to be false, RemarQ has remedies for any injury it suffers as a result of removing or disabling noninfringing material" (239 F.3d 619, 625) under 17 U.S.C. 512(f), (g). The court's accommodating interpretation of the DMCA's notification provision in this case suggests that service providers who attempt to hide behind technicalities will not be able to escape punishment under the DMCA for harboring infringing works or users. However, the ruling also has the potential to minimize some of the built-in safeguards the notification procedure may have otherwise had in protecting website operators and other users in borderline cases. (ALS Scan v. Remarq Communities is available at http:://www.loundy.com/CASES/ALS_v_RemarQ.html).

While the notice provisions may therefore seem to tip the scales in favor of the copyright holder, there are several provisions of the DMCA that allow a noninfringing website/user to take action to restore its content or recover damages for the removal of its content. The counter-notice provision, 17 U.S.C. 512(g)(3), allows for a website operator or other person whose content is removed to file a counter-notice with the service provider stating that he/she "has a good faith belief that the material was removed or disabled as a result of mistake or misidentification of the material to be removed or disabled" [17 U.S.C. 512(g)(3)(C)]. If such a counter-notice is given to the service provider, the service provider must replace the content or cease disabling access within 14 business days, unless it receives a court order from the original complainant (copyright holder) restraining the user from continuing infringement [17 U.S.C. 512(g)(2)(C)]. If the service provider does not follow these procedures, the provision immunizing the provider from liability for injuries to its users from removal/disabling access [17 U.S.C. 512(g)(1)] does not apply, allowing the user to recover for a wrongful "take-down" [17 U.S.C. 512(g)(2)]. The other main provision allowing a user to recover is 17 U.S.C. 512(f) concerning misrepresentations. That provision allows for an adversely affected user to recover damages (including attorney's fees) from anyone who "knowingly materially misrepresents that material or activity is infringing" [17 U.S.C. 512(f)(1)]. It should be noted that this provision cuts both ways, however, as there is also a provision [17 U.S.C. 512(f)(2)] allowing damages to be assessed against a user for his/her knowing misrepresentations in filing a counter-notice. To date, no published opinions have explored the contours and boundaries of the counter-notice and misrepresentation provisions.

Back to TOC

G. ACCESS PROVIDER LIABILITY

It should be noted that while hosts often play various roles other than strict access/service provider, courts are likely to grant them the wide immunity from liability under the CDA unless it can be clearly shown that the host was acting solely in another capacity in regards to the alleged wrongdoing. A recent case in which this issue arose is John Does v. Franco Productions. In that case, the court granted the defendant hosts' motion to dismiss, ruling that their "immunity or status as service providers under the CDA is not vitiated because of their web hosting activities, whether viewed in combination with their roles as service providers or in isolation." John Does v. Franco Productions, No. 99 C 7885, 2000 U.S. Dist. LEXIS 8645, 8645 (N.D. Ill. June 2, 2000), available at http://members.theglobe.com/ericgoldman/DoevFranco.html)

The CDA "Good Samaritan" provision applies to an "interactive computer service," which is defined as "any information service, system, or access software provider that provides or enables computer access by multiple users to a computer server." [47 U.S.C. §230(f)(2)] While determining whether an e-business fits into this definition may depend on a court's construction of terms such as "service," "system," and "server," it appears there could be a plausible claim for many e-businesses to status as an "interactive computer service," depending on the services offered.

Although most cases arising under the CDA have involved traditional ISPs, a recent Ohio case addressed the issue of whether a website operator offering interactive services fit under the statutory definition. In Sabbato v. Hardy, No. 2000-CA-00136, 2000 Ohio App. LEXIS 6154 (Ohio Ct. App. Dec. 18, 2000) available at http://legal.web.aol.com/decisions/dldefam/sabbato.html], the defendant ran a website called "Citizens for a Better Jackson Township" where users could register and post opinions on the website. The plaintiff sued when alleged defamatory content was posted on the site, but the district court dismissed her compliant on the basis of the CDA's Good Samaritan provision, 47 U.S.C. §230(c). While the appellate court remanded to the district court for a determination of whether the website operator himself was a generator of some of the defamatory content, it did not upset the trial court's ruling that his website qualified for protection under the CDA in its role as a distributor. Based on the language of the statute and the Ohio court's interpretation, it therefore appears that there can be a plausible claim for an e-business to immunity from liability under the CDA for acts of its users. Due to the uncertainties in this area, however, it may be in the best interests of an e-business to remain ignorant of the content of its chat or other discussion areas in an attempt to stay within the bounds of Cubby and Stratton should the CDA not apply. A policy of simply responding to user complaints regarding improper content rather than actual periodic policing of the site contents may stay within the bounds of these precedents. To this end, it is important to spell out one's policy in regards to termination of user rights and removal of content in the Terms of Service agreement, particularly when users are paying a fee for interactive services.

The DMCA safe harbor provision applies only to a "service provider," which is defined differently for different specific provisions of the statute. For the purposes of 17 U.S.C. §512(a), regarding transitory digital network communications, a service provider is defined as "an entity offering the transmission, routing, or providing of connections for digital online communications, between or among points specified by a user, of material of the user's choosing, without modification to the content of the material as sent or received" [17 U.S.C. §512(k)(1)(A)]. For the rest of the DMCA's provisions, a "service provider" is defined as "a provider of online services or network access, or the operator of facilities therefore, [including] an entity described in subparagraph (A)" [17 U.S.C. §512(k)(1)(B)]. The definition for purposes of §512(a) appears to have in mind hosts (and others) providing network infrastructure and possibly traditional ISPs, while the second provision seems to have more room for interpretation and might allow certain e-businesses to fall within the protection of the safe harbor.

These issues were addressed in the much-publicized Napster case. In that case, plaintiff record companies sued the defendant, a peer-to-peer file-sharing network enabling users to swap music files, for copyright infringement. In dismissing Napster's motion for summary judgment, the court rejected the application of the DMCA's safe harbor to Napster. In its opinion, the district court first addressed the issue of whether Napster qualified as a service provider under 17 U.S.C. §512(k)(1)(A) or (B). [A&M Records, Inc. v. Napster, Inc., No. C 99-05183 MHP, 2000 U.S. Dist. LEXIS 6243 (N.D. Cal. May 5, 2000) available at http://www.gigalaw.com/library/am-napster-2000-05-12.html]. Napster argued that it qualified as a service provider under §512(k)(1)(A), thus entitling it to protection under the §512(a) safe harbor for transitory digital network communications. The court expressed skepticism and opined that it was not entirely clear whether Napster qualified as such a service provider, but did not have to resolve the issue as the plaintiff conceded that Napster was a service provider under §512(k)(1)(A). The plaintiff instead argued that, even if Napster was a service provider, it failed to meet the other requirements of the safe harbor provisions. In the end, the court declined to grant Napster summary adjudication because Napster did not meet the requirement of the safe harbor in §512(a); specifically, it did not "transmit, route, or provide connections through its system" [2000 U.S. Dist. LEXIS 6243, at *25 (emphasis added)]. On Napster's appeal from the district court's subsequent injunction, the 9th Circuit Court of Appeals ruled that the plaintiff had raised significant questions that strongly supported an injunction, including "whether Napster is an Internet service provider as defined by [the DMCA]." A&M Records v. Napster, Inc., 239 F.3d 1004, 1025 (9th Cir. 2001) available at http://cyber.law.harvard.edu/~wseltzer/napster.html.

In the end, the Napster litigation did not definitively answer the question of whether a service such as Napster would qualify as a service provider under the DMCA, but signaled that the courts will likely construe the statute rather narrowly. Clearly, however, the §512(k)(1)(B) definition will be construed more broadly and may allow for certain e-business sites fall into the definition. See Elizabeth A. McNamara et al., Online Service Provider Liability Under the Digital Millennium Copyright Act, 17 Comm. Law. 5, 6 (1999) ("Less obvious is the fact that the definition is broad enough to potentially include employers that provide e-mail accounts to their employees and other entities-including newspapers, magazines, and other media companies-that simply host informational Web sites."), abbreviated version available at http://www.dwt.com/related_links/adv_bulletins/CMITFall1999ISPLiab.htm. Future cases may very well arise testing the statute and its application to other e-commerce networks that provide interactive services, such as Amazon and eBay, both of which are "service providers" with agents listed with the U.S. Copyright Office for notification of claims of infringement pursuant to the DMCA. Until there is settled case law on the matter, the uncertainty in the definitions of service provider should lead an e-business to take caution and proceed under the assumption that it will not be protected by the DMCA safe harbor provisions.

Back to TOC

H. SECURITY

Security is an area that is critical to the effective functioning of an e-business and has major implications for both hosting and development agreements. Breaches of security may lead to service interruptions and corresponding loss of business or, worse, may lead to the loss of sensitive business information or even customer information - ranging from email addresses to credit card numbers. Such dire consequences make it imperative that security is given high priority in setting up an e-commerce site and that an e-business make security a priority when arranging for hosting and programming services. This section will address some common concerns an e-business should consider when addressing security, including: access attacks, information theft, and damage to equipment and systems.

Access Attacks

Access attacks, also know as denial of service (DoS) attacks, are a relatively easy way to disable a website. Basically, those behind such attacks overwhelm the servers, routers, and other network infrastructure of a website by inundating the host with a deluge of information packets, effectively crippling the website and preventing access by customers. Such attacks have received a lot of attention recently, as major Internet presences such as Amazon, Yahoo, and CNN have had service disrupted for long periods of time by DoS attacks, costing the businesses millions of dollars in lost sales. Compounding the problem for the affected websites, the attackers in those cases used a technique that made it difficult to trace the source of the data flood and ferret out the perpetrators - making it difficult to both stop the flow as well as potentially seek any remuneration from or punishment of the attackers. Such episodes exhibit the potential deleterious effects of DoS attacks on e-businesses, where every minute of lost service may result in hundreds of lost sales and corresponding revenue.

As DoS attacks are not completely preventable and the motivations of attackers are unclear, every e-business should have an emergency plan incorporating: 1) countermeasures to be taken when such attacks occur (such as blocking packets from the originators of the attack or having a back-up hosting arrangement to switch to in case of an attack), 2) information-gathering techniques for determining the source of attacks after the fact, and 3) a public relations strategy aimed at customers, business partners, and investors addressing the loss of service and its consequences. If an e-business utilizes an outside host instead of hosting its own website, the countermeasure aspect of such an emergency plan is one that can take shape in the hosting services agreement. While it is impossible for hosts to fully prevent such attacks without seriously inhibiting the speed and efficiency of the network backbone, most hosts have some network security resources available to combat DoS attacks. [For one host's approach to service attacks and a more in-depth examination of the mechanics of such attacks, see Bill Hancock, The Exodus Network Backbone Environment and DoS/DDoS Attacks, Network Attacks: Denial of Service And Distributed Denial of Service, available at http://www.exodus.com/press_room/information/ddos/ddos_content.html.] When arranging for a host, an e-business should inquire into how the host typically handles DoS attacks and a client's options in minimizing the impact of or thwarting such attacks. An agreement between e-business and host can then incorporate a plan in the case of a DoS attack - what the parties' responsibilities are in handling the attack, any guarantees a host may make concerning its ability to reroute traffic and limit the scope/duration of an attack, and other issues relating to allocation of risk and responsibility (e.g., who will be held liable for injuries to third parties, such as customers).

Information Theft

Information theft can have even greater negative effects than an access attack. While DoS attacks may leave customers frustrated and cut into a day's revenues, the stealing of proprietary information can lead to loss of sensitive business information ranging from financial data to long-term corporate strategy. If customer information is stolen, such theft can also lead to the erosion of customers' trust in both a specific e-business as well as the general medium of online business transactions. In addition, such theft may result in a lawsuit directed at the e-business for not adequately safeguarding such information. Thus the loss of proprietary information can often have longer lasting effects than mere denial of service and resulting loss of sales.

While DoS attacks work by overwhelming one's network infrastructure, information theft is achieved by exploiting weaknesses in software and technological protections. Proprietary information may be stolen by hackers getting around or through a network's firewall, [FN: For a discussion of firewalls and their mechanics, see Matt Curtin and Marcus J. Ranum, What Is an Internet Firewall?, INTERNET FIREWALLS: FREQUENTLY ASKED QUESTIONS, available at <http://www.interhack.net/pubs/fwfaq/#SECTION00031000000000000000>] by unscrupulous programmers who leave a backdoor in software applications for their access at a later time, or by disgruntled employees with access to files who wish to personally profit from company information/resources. Dealing with employees who may have the motive and means to steal sensitive company information is largely an internal personnel and security matter for an e-business to address. Problems due to hackers penetrating a network or programming deficiencies allowing access to sensitive information, on the other hand, must be addressed when considering developing in-house programmers or outsourcing programming. If an e-business determines it is in its interest to outsource such services, potential partners should be vigorously screened and service agreements should be carefully drafted to ensure specific security standards as well as allocate responsibility for security breaches.

Damage to Equipment, Software or Data

A third and final type of security threat is damage to equipment, software, or data. Damage to equipment can be prevented in a relatively straightforward manner by assuring limited access to equipment and appropriate physical security. For those e-businesses housing their hardware at their offices, the nature of the business makes it imperative that a high priority is given to ensuring the physical security of system hardware. The level of physical security is also an important issue to consider when choosing a host, and is a consideration that should be explicitly addressed in any hosting agreement. Software and data can be corrupted or damaged by viruses that are permitted to enter a business' internal network or directly by those who gain access by penetrating a firewall or exploiting another weakness. The risk of damage by viruses can be minimized by adopting appropriate technological measures to screen incoming packets, while damage resulting from unauthorized access can be combated by taking the measures to minimize information theft discussed above. Even if these technological measures fail, an e-business can minimize the fallout from damage to software and data by periodically backing up data and applications to utilize in the event of damage or corruption. While the total loss of information through information theft can often cause irreparable damage, a well-prepared e-business can seriously minimize the negative impact of data/software damage through such periodic backups.

Minimizing Security Risks Through Audits and Contracts

An e-business can additionally minimize all these types of security risks by hiring a third-party security consultant to conduct periodic audits of the business network and/or physical premises for weaknesses in security. Such auditors can often detect hidden backdoors in programs, weaknesses in firewalls, as well as prior undetected security breaches. Some businesses may also wish to create a position for a chief security officer or make sure its systems administrator has expertise in security issues. As discussed above, however, many security concerns can be effectively dealt with through appropriate agreements with service providers (hosts, programmers, etc.). To this end, the e-commerce practitioner should be aware of the following security issues when drafting agreements for an e-business client: [Note: While the preceding discussion and following lists separate hosting and programming services, note that hosts often provide some programming as part of their package of services, particularly in areas such as firewalls.]

    Hosting Agreements:

  • How does the host generally handle DoS attacks? (What is its default position?)
  • What services does it offer to thwart/minimize the impact of DoS attacks? What security options does it recommend as a core package?
  • How will the proposed security measures affect network performance?
  • Can DoS attacks launched at other businesses hosted in the same facility affect the client e-business' own website?
  • Does the host have its own network security personnel or is such security work outsourced?
  • What is the level of physical security (access, alarms, guards, etc.) at the hosting facility?
  • What security problems/breaches have arisen in the past and what has been done to prevent their recurrence? (One may choose to draft an agreement incorporating certain types of risks as being the responsibility of one or another party; a list of past problems establishes the foreseeability of particular kinds of breaches.)
  • What guarantees is the host willing to make concerning both physical and technological security measures? Does it carry liability insurance? (Due to the great loss of money that may result from loss of service, an E-business should consider a contracting party's ability to pay should damages result from a security breach.)
  • Development agreements:

  • What level of technological security measures is available? What level is recommended? (As with most business decisions, choosing the level of security involves a cost-benefit analysis - the extra security from a more expensive technological protection may not be worth the cost.)
  • How do various levels of security affect the performance of software applications or the website as a whole?
  • Have other clients had security problems with any of the programmer's services/products? What was done to remedy such problems?
  • What guarantees is the programming service willing to make regarding the inviolability of its technological security protections? Does it carry liability insurance?

Back to TOC

I. ADVERTISING EXCHANGES


Another option for advertising is the use of advertising exchanges, which match-up websites looking for advertising. Such exchanges, like Microsoft's bCentral (available at http://adnetwork.bcentral.com/), work by trading advertising space on one website for space on another member's site. The advantage of such services is that they are free alternatives to seeking out high-priced advertising space on other websites. On the downside, it is more difficult to target advertising to a particular audience, and the viewing audience may be much smaller due to the fact that most high-traffic sites do not participate in such programs. Furthermore, there may be less control over what types of sites end up advertising on the websites of participating members. Some of these problems may be minimized by joining an exchange that offers a different package of services (often for a fee), such as more targeted advertising by linking members in similar fields, better tracking of visitors to advertisers' sites, etc.

Utilizing an advertising exchange service may pose problems regarding copyright or trademark infringement through linked advertising due to the fact that the individual advertisers do not come together to draft an advertising agreement. Most of the services include indemnification for the exchange providers themselves in the case of infringement or other wrongdoing, but this leaves open the possibility of causes of action against either an advertiser or a host. When signing up for such a service, an e-business should be aware of the terms and conditions of the exchange service itself, as well the exchange's policy regarding its members when instances of infringement or other wrongdoing arise. Due to potential problems in these areas, an e-business should be careful in choosing an advertising exchange provider by inquiring into whether past situations regarding infringement have arisen and how they were handled.

Back to TOC

J. ADVERTISING STANDARDS

A good example of default standards dealing with the legal issues surrounding online advertising arrangements is the "Standard Terms and Conditions for Internet Advertising" devised by the American Association of Advertising Agencies (AAAA) and the Internet Advertising Bureau (IAB). These standard terms, meant to cover agreements between an advertiser and advertising host (termed "Media Company" in the standards), address a variety of issues, including: insertion orders (orders concerning accounting of data related to advertising - number of clicks on an advertisement, the costs of the party making such calculations, etc.), ad placement and positioning, payment and payment liability, reporting, cancellation, ad materials, indemnification, and privacy. In regard to the aforementioned issues of copyright and trademark infringement and consumer loss, the standards set the default rule of indemnifying the host (media company) for "any loss relating to or arising out of Advertiser's product or the content of any Advertisement delivered accurately, including but not limited to materials that violate the right of a third party; materials that are defamatory or obscene; or materials that would constitute a criminal offense." [American Association of Advertising Agencies and Internet Advertising Bureau, Standard Terms and Conditions for Internet Advertising, Mar. 19, 2001 at 6, available at http://www.iab.net/news/content/T_CInternetAdv.doc]. Advertisers and hosts looking for a basic set of contractual provisions may choose to use these terms and conditions, which are totally voluntary and represent a standard default contract of those wishing to cut transaction costs. The standards also can be used to the extent they are practical, with the parties making changes to any of the provisions in order to tailor a more specific agreement or one on different terms. While advertising exchanges are not covered, the drafting organizations plan to meet in the future to discuss standards for advertisers utilizing third-party advertising servers.

Back to TOC

K. ANTI-SPAM GROUPS

The practice of ISPs blocking email from generators of unsolicited mail may prevent an e-business from reaching both unwilling and willing recipients of marketing emails. They also join in private "vigilante" groups that act to block email from spammers. One such effort is the Real-time Blackhole List (RBL) of the Mail Abuse Prevention System (MAPS) (accessible at http://mail-abuse.org/rbl/). The RBL works by identifying generators of spam and then "blackholing" the networks utilized by the spammers if the ISP used by the offending party refuses to take measures to prevent access by the spammer. This process involves rerouting mail sent by offending parties to an online "blackhole," which prevents all mail (both solicited and unsolicited) originating from a network on the RBL from being received by subscribers to the RBL. Another service that operates to block email generated by spammers is the Open Relay Behaviour-modification System (ORBS) (accessible at http://www.orbs.org/whatisthis.html) which operates in a slightly different manner than the MAPS RBL.

These private spam-blocking services and other similar services have an advantage over the proposed legislation because they block unsolicited emails before they are received rather than imposing penalties after the fact, and they also reach non-U.S. spam-generating entities, which the legislation may be powerless against. Such private services have drawn the ire of many bulk emailers, however, and several lawsuits have been threatened or initiated against such blocking services for interfering with the business of the email generators. Most of the cases have been dismissed by the courts, or settled as a result of the offending party amending its email policy. MAPS webpage reporting on the litigation at http://mail-abuse.org/pressreleases/. But see also Christopher Saunders, 24/7 Media Snags Restraining Order Against MAPS, INTERNET.COM (Nov. 17, 2000) available at http://www.internetnews.com/IAR/article/0,,12_514611,00.html.

Some useful articles about anti-spam groups include:

Back to TOC

L. SEARCH ENGINES AND DIRECTORIES

Problems with Robot-Based Search Engines

One problem with search engines that utilize web crawling robots, however, is that they may index portions of websites that an e-business does not wish users to link to directly from a search engine. For example, some websites may wish for all traffic to originate at its main homepage, either to maximize advertising revenues, make sure visitors are aware of the full range of services and products offered, or for other similarly compelling reasons. A search engine that links to internal pages discovered by robots may bypass such a main page in taking the searcher to the desired target. An additional problem with robot-utilizing engines is that valuable system resources might be consumed by robots crawling through and searching an entire website. For a discussion of legal issues involving the use of robots in a somewhat different context, see eBay, Inc. v. Bidder's Edge, Inc., 100 F. Supp. 2d 1058 (N.D. Cal. 2000), available at http://pub.bna.com/lw/21200.htm. These problems can often be remedied, however, by simply programming a web page to not accept web crawling robots and therefore exclude such pages from consideration in a search engine. Google, for one, offers website administrators tips on how to keep certain parts of its website off limits to its Googlebot. See How Do I Request Google to Not Crawl Parts or All of My Site?, GOOGLE SEARCH FREQUENTLY ASKED QUESTIONS, available at http://www.google.com/help/faq.html#nocrawl. This may pose a dilemma for e-businesses, though, as users who would otherwise be directed to a part of their website may not retrieve information about the website at all, and may even be led to a competitor's site. These considerations should be taken into account when determining whether certain portions of a website should remain robot-free. Regardless of the decision made, search engines utilizing "bots" are another important (and free) tool directing Internet users to an e-business website.

Basic Search Engine Ranking Schemes - Automated v. Human

When considering using either of the above types of search engines, an e-business should assess how the different search engines rank search results. The higher the ranking a search engine gives a website, the higher it appears on the list of sites returned after a search is conducted. Google utilizes its PageRank™ software to rank websites according to specified criteria, such as the number of links from other sites, importance of the website, relevance, and quality. These complex, automated techniques "make human tampering with [Google's] results extremely difficult" (Integrity, GOOGLE SEARCH TECHNOLOGY, available at http://www.google.com/technology/index.html) and Google does not sell placement within the results themselves. Yahoo! also does not sell higher rankings to those willing to pay, but does use a more subjective, human-oriented method of determining rankings than Google's automated approach. See Suggested Sites Help, YAHOO!, available at http://help.yahoo.com/help/us/url/url-10.html.

Keywords and Tags

For ComeStudyAbroad.com, for instance, the keywords "international," "study," and "students" would be a good start. When determining keywords, an e-business should also keep in mind to add common variations of the words used, such as capitalized versions and common misspellings or alternate spellings (such as U.K. English).

After an e-business determines the keywords to be used, it must go about the task of incorporating them into both the content of the website itself as well as the internal programming code used. When incorporating keywords into site content, the e-business should make sure to consider keyword prominence, proximity, and frequency. Keyword prominence is important for search engines that base their descriptions of websites on the first words found on a page. For such search engines, it is important to put keywords at the top of a page, so they most closely reflect what a site is about in the site description returned in a search. Keyword proximity is a factor used by some search engines when determining what pages to receive. If a user runs a search for "international" and "study," for instance, a page that contains the words in close proximity in its text (such as "The best international study resource guide on the Internet" or "Want to study in an international setting?") is more likely to be returned as a relevant search result. Keyword frequency simply measures the number of times a keyword appears in any given text. In theory, the higher the ratio of keywords to text, the greater likelihood the website will be returned as a result of a search for those keywords. In practice, some search engines look out for websites' attempts to manipulate search results and punish parties guilty of such altering tactics.

Keywords also play an important role in the source code for a website, which is generally unseen by the viewer. Some search engines use the tags found in a site's source code to determine the relevance of a particular site to a searcher's request. There are different types of tags used in web programming and read by search engines, including meta keyword tags, meta description tags, ALT tags, and comment tags. Keyword tags are basically lists of a website's keywords in the source code. As some search engines use meta keyword tags to determine whether a cataloged website is relevant to a particular search, utilizing the keyword tag in programming source code is an easy way to make sure a website is matched up with an appropriate target audience. The meta description tag is a description of a website's content in the source code. The meta description tag is used by some search engines as the basis for determining the relevance of a website to a search, the description of a site to be listed under search results, or both. Because some search engines use the meta description tag to determine the relevance of a website to a search, it is important to include appropriate keywords in this source code description as well. To the extent that some search engines will also use this tag as the description for search results, it is also important for the purposes of click frequency to make sure the tag entices the searcher to enter the site. ALT tags are used in source code to describe an image that appears on a page, while comment tags are internal notes used by source code programmers. While these do not have the importance of the keyword and description tags, some search engines that use spiders scan these tags, and adding keywords to them will increase keyword frequency and can therefore potentially increase the relevance of a website to a search. For more information on the use of tags and general tips for optimizing search engine results, see the guides at SearchEngines.com (available at http://www.searchengines.com/intro_optimize.html) and SearchEngineWatch.com (available at http://searchenginewatch.com/webmasters/index.html).

For legal issues surrounding use of keywords and meta tags, see Prof. William W. Fisher, Linking, Framing, Meta Tags, and Caching at http://cyber.law.harvard.edu/property00/metatags/main.html.

Back to TOC

 

-


Please send all inquiries to: Diane Cabell

Home | Introduction | Setting Up | Transactions | Privacy | Disputes | Reference | Search

The Berkman Center for Internet & Society

Design by: Robert Ditzion and Grethe Thilly