United States: Top 10 Internet Law Developments in 2001

Written by Stuart D. Levi, Rita A. Rodin & Kenneth M. Kaufman

The Internet industry went through some much-anticipated growing pains in 2001. Numerous dot-coms failed to make it through the year, and venture capital funding continued to be scarce. However, the industry also matured considerably, with an increasing number of "brick and mortar" industry leaders folding e-commerce and Web strategies into their business models. Internet law also matured as courts and legislators continued to strike a balance between regulating the Internet and allowing it to expand freely. Although there were a number of important legal developments, we have listed below the ten that we believe are most likely to shape the development of the Internet in the coming years. Like any top-10 list, what is included, and what isn’t, is subject to debate. We welcome your thoughts and comments.

The Year 2001 saw the introduction of two of the seven new global Top Level Domains ("TLDs") that were approved in order to expand the crowded domain name space currently dominated by .com and, to a lesser extent, .net and .org. This marked the first time since 1983 that new global TLDs were introduced to the Internet, and is likely only the first step toward the introduction of many new TLDs in the future. The first two new TLDs to launch were .info (in September) and .biz (in October); the remaining five - .name, .pro, .aero, .museum and .coop - are likely to launch in 2002.

With the exception of .info, each of the new TLDs is subject to different limitations, imposed by the TLD operator, as to who may register domain names in the TLD and, in some cases, to what use such domain names may be put. For example, while anyone may register a .biz domain name, the name must be put to a "bona fide commercial use." Domain names in the .name TLD must correspond to the registrant’s personal name or the name of a fictional character in which the registrant has trademark rights. The .pro, .museum, .aero and .coop TLDs are each limited to certain types of registrants and the organizations that service and support them (.pro is for accredited professionals, .museum is for museums, .aero is for the air transport industry, and .coop is for cooperative businesses).

The launch of these new TLDs raises two important issues that businesses must address: (i) how do these new TLDs fit into their on-line strategies, and (ii) what should trademark owners do to protect their marks from "cybersquatters" who try to register domain names corresponding to pre-existing trademarks in the hopes of reselling them to the mark owners.

In addressing the first issue, businesses must evaluate, among other factors: (a) the level of public acceptance of these new TLDs; (b) how they can use these TLDs to improve their communication with the public; and (c) how the availability of new types of domain names will affect their branding strategies.

In addressing the second issue, trademark owners may have to reevaluate their trademark protection strategies. When .com, .net and .org dominated the domain name space, some trademark owners aggressively sought to protect their marks by registering them as domain names in every TLD available. Some took this further and sought to register variations on their marks as well (such as common misspellings of their marks, or their marks plus common prefixes and suffixes).

As more TLDs launch, however, such an approach could easily become cost-prohibitive. Thus, some trademark owners have decided to be less aggressive, registering only their most important marks in the new TLDs and relying on other available remedies to protect their rights such as: (i) the United States Anticybersquatting Consumer Protection Act; (ii) local trademark and related laws; and (iii) the Uniform Domain Name Dispute Resolution Policy, which offers a relatively inexpensive and quick procedure for reclaiming domain names from cybersquatters and which will apply to all of the new TLDs.

U.S.-based Web sites have always been concerned that they could become subject to the laws of foreign countries because they could be accessed around the world. Two recent international cases suggest that these concerns are not unjustified, and a United States federal court decision further demonstrates that this issue remains unresolved.

The first case involved the offering of Nazi and Third Reich items on Yahoo!’s U.S. auction site. In May 2000, a French court held that since the auction site was accessible in France, Yahoo! Had violated a French law prohibiting the sale of Nazi objects. The French court ordered Yahoo! To eliminate access to the prohibited material, to post warnings that any search on Yahoo.com may yield search results containing material prohibited by French law, and to remove index headings from browser directories and hyperlinks related to Nazi propaganda.

Yahoo! requested that the French court reconsider the terms of the order, arguing that compliance was not technologically feasible. In November 2000, the court rejected Yahoo!’s request, reaffirmed its order of May 22, and stated that Yahoo! had three months to comply with the order or face a penalty of 100,000 francs for each day of non-compliance. In response to both the order and public pressure, Yahoo! decided to ban hate-related items from its auction pages.

Although the issue seemed resolved, Yahoo! decided to challenge the French court’s order in U.S. federal court. Specifically, Yahoo! sought a declaratory judgment that the French court’s order was neither cognizable nor enforceable under U.S. laws. The U.S. district court agreed, and held that the French court’s order was unenforceable in the United States.¹ The court reasoned that the First Amendment protects content generated in the United States by American companies from being regulated by countries that have more restrictive laws. Although the court’s ruling will prevent enforcement of the French order in the United States, it will not prevent French authorities from enforcing the French court’s order against Yahoo!’s entity and assets in France.

The issue of international jurisdiction also arose in a recent ruling by the Supreme Court of Victoria, Australia. In Joseph Gutnick v. Dow Jones,² an Australian businessman sued Dow Jones for defamation based on the content of an article that was published on-line. Dow Jones argued that the court did not have jurisdiction because the article was published in New Jersey where its Web server is located, and that to hold contrary would result in a chilling effect for on-line publishers. On August 28, 2001, the court rejected Dow Jones’ arguments and determined that publication occurs in the location where a third party comprehends the matter. The practical effect of the ruling is that U.S.-based Web sites could be subject to the defamation laws of Australia if Australians have access to the sites. On September 21, 2001, Dow Jones filed an appeal.

The controversies in La Ligue and Gutnick demonstrate that there remains a great deal of uncertainty in the area of Internet jurisdiction. As a result, companies should take precautions to limit their exposure to these risks, such as by posting notices saying that access to their Web sites are limited to residents of certain specified jurisdictions.

In an attempt to bridge the gap between the interests of users in protecting their privacy and the interests of Web sites in operating efficiently, the World Wide Web Consortium has developed the Platform for Privacy Preferences Project ("P3P"). P3P is a protocol that can automatically com-pare a Web site’s privacy policy to a user’s stated privacy preferences and alert the user if the privacy policy does not meet the user’s requirements. This might be done with a pop-up window, a red P3P eye-shaped icon, or other similar warning notice.

To implement P3P on its Web site, a company must translate its privacy policy into a standard machine-readable format. This can be accomplished in-house or by utilizing one of several available P3P policy generators. The new coded privacy policy is then placed in a reference file on the company’s Web site, which can be accessed by P3P-enabled Web browsers.

Users express their privacy preferences by adjusting different settings within P3P-enabled Web browsers. For example, a user can specify what types of cookies they are willing to have placed on their computers by adjusting the cookie privacy setting from high (where all cookies are blocked) to low (where cookies are allowed) with various gradations in between.

The W3C released the most recent working draft of the P3P protocol in September 2001, and is currently seeking comments from those sites that have already implemented it. The W3C also released a P3P 1.0 Deployment Guide in May 2001, which was updated in November 2001. To date, only Microsoft’s recently released Internet Explorer 6 ("IE 6") supports the P3P protocol and allows users to select their privacy settings and, at present, only with respect to cookies. It is anticipated that other privacy settings will be enabled in the near future.

While it has been estimated that only about 15% of the top 100 Web sites are P3P-enabled, there are certain practical benefits to implementing P3P. First, as more users switch to P3P-enabled browsers, these users may avoid, or react negatively to, sites that are not P3P-enabled. Second, third-party privacy organizations may require that Web sites implement P3P as a prerequisite to being endorsed by such organizations. Finally, as a policy and public relations matter, a company that gives its users more control over the collection of their information through P3P may find that they attract and retain more users.

There were two important developments in the area of information security in 2001. On the domestic front, the United States enacted the USA Patriot Act, which addresses computer hacking, and government access to computer information and electronic communications. On the international front, the Council of Europe’s Committee of Ministers adopted a Convention on Cybercrime to harmonize the substantive and procedural laws related to the international investigation and prosecution of computer crime.

On October 26, 2001, President Bush signed into law an act that, among other things, modifies the legal standards and procedures relating to government access to stored computer information and electronic communications (including e-mail and voice mail) and strengthens the scope of federal laws against computer hacking - the "Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001" ("USA Patriot Act" or "the Act").³

Among other things, the Act provides the government with easier access to electronic communications or stored computer data held by companies on behalf of subscribers. Many of these changes modify the Electronic Communications Privacy Act of 1986 ("ECPA"), which established a framework for such access.

The Act also strengthens federal laws relating to hacking in a number of ways. For example, the Act expands federal law to cover (a) computers located outside the United States that affect inter-state or foreign commerce or communication; and (b) any computer system used by or for a government entity in furtherance of national defense, national security or the administration of justice, regardless of whether it is owned or operated by a government entity. Attacks on these computerscan now be addressed through both criminal and civil actions.

These changes complement the existing federal and state information security laws that provide criminal and civil remedies for unauthorized access to or damage to computer systems, theft of trade secrets, or copyright infringement. Companies that suffer violations of their information security should be aware of these additional avenues of recourse.

On November 8, 2001, the Council of Europe’s Committee of Ministers adopted a Convention on Cybercrime ("the Convention"). This is the first multilateral agreement drafted specifically to address the problems posed by the international nature of computer crime. It helps to harmonize both the substantive and procedural laws related to computer crime, and its adoption should remove or minimize many of the obstacles that can delay or endanger international investigation and prosecution of these cases. On November 23, 2001, the Convention was opened for signature by the member states of the Council of Europe and non-member states - including the United States - that participated in its creation.

The Convention focuses on three subjects: substantive law; procedural law; and international-cooperation. With respect to substantive law, signatory parties are committed to adopting legislation classifying a number of acts as criminal offenses when such acts are committed intentionally and where classical legal defenses (such as consent) are not available. The procedural provisions require that local officials be authorized to obtain certain orders and to undertake certain investigation activities. Finally, the Convention provides an extensive set of provisions to foster international cooperation with respect to investigating and prosecuting computer crimes.

Although in 2001 there were few substantive developments in the enactment of an omnibus on-line privacy statute, certain industry sectors moved forward with privacy regulations that govern specific types of personal information. Perhaps the best example of this is the protection now afforded medical data.

Under the Health Insurance Portability and Accountability Act of 1996, the Department of Health and Human Services was required to develop and publish standards and guidelines to protect medical data.⁴ These guidelines, The Standards for Privacy of Individually Identifiable Health Information (the "Health Privacy Standards") went into effect on April 14, 2001, and grant patients certain control over their personal medical information.⁵ The Health Privacy Standards create six federal patient rights and impose administrative obligations on health plans, health care providers and other entities that process or facilitate the processing of health information to protect these rights. The six patient’s rights that are protected are: (1) the right of access to inspect and copy one’s own medical records; (2) the right to amend one’s own medical records to correct inaccuracies; (3) the right to require the health care provider to account for any disclosures of medical data, and to allow patient inspection of any such disclosures; (4) the right to restrict the disclosure of one’s medical data; (5) the right to provide written consent before the provider can use and disclose the patient’s health information for treatment, payment and healthcare operations; and (6) the right to receive notice of these six rights when providing consent.

Most health plans, health care providers and data processors have until April 14, 2003 to comply with the new Health Privacy Standards; small health plans have an additional year. The Department of Health and Human Services’ Office of Civil Rights ("OCR") is responsible for enforcing the Health Privacy Standards and, upon receipt of a complaint, may initiate an investigation, impose civil fines for non-compliance, and/or refer the matter to the Department of Justice if there appears to have been any criminal activity. OCR may also conduct compliance reviews even absent a specific complaint if it has reason to believe that an entity may be in breach of its obligations under the Health Privacy Standards.

The Department of Health and Human Services has estimated that the cost of implementing the Health Privacy Standards will be $17.6 billion over 10 years. Much of the actual cost of implementation for specific providers will depend upon the extent to which their existing information technology systems need to be modified or replaced to comply with the new administrative obligations.

The Year 2001 yielded some important case decisions on the scope of the statutory protection provided by the Digital Millennium Copyright Act of 1998 ("DMCA"). ⁶ and the Communications Decency Act of 1996 ("CDA").⁷

Although the DMCA was enacted in order to protect copyrighted works as they are exploited in a digital environment, it also creates a safe harbor that protects "service providers" (such as online services) from liability in certain cases when they innocently allow users to post infringing material. If the service provider complies with the safe harbor requirements, such as by removing infringing material when it has received proper notice of the infringement, a plaintiff cannot recover monetary damages and its ability to obtain an injunction is significantly impaired.

eBay relied on these safe harbor provisions in order to defend against a claim of copyright infringement. In Hendrickson v. eBay, Inc., ⁸ eBay had received a cease-and-desist letter from Hendrickson, in which he claimed to own the copyright in a documentary that was listed for sale on eBay. eBay requested that Hendrickson submit a notice that met the procedural notice requirements of the DMCA. For example, a proper notice under the DMCA must be made under penalty of perjury, identify the copyrighted work at issue, and specify where the infringing material can be found. Hendrickson ignored eBay’s request, and instead filed a lawsuit claiming that eBay had violated the DMCA. The Court agreed with eBay and granted its summary judgment motion. The ruling in Hendrickson suggests that service providers will be protected under the DMCA safe harbor provision if the notice of infringement that they receive - even if in the form of a cease-and-desist letter - does not comply with the DMCA.

The DMCA was also invoked to stop the distribution of DeCSS - source code that can decrypt DVDs and provide the decrypter with access to the underlying copyrighted work.⁹ In Universal City Studios v. Reimerdes,¹⁰ several movie studios sued Eric Corley claiming that by distributing DeCSS he violated provisions of the DMCA that prohibit the distribution of anti-encryption software. Corley defended his actions by challenging the constitutionality of the DMCA, and claiming that DeCSS was "pure speech" protected by the First Amendment.

The district court enjoined Corley from distributing DeCSS on the grounds that source code is speech and that it "embodies an expressive" element, but found that it is "fundamentally [a] utilitarian construct" that is not protected by the First Amendment. On appeal, the Second Circuit agreed, holding that while computer code may indeed be considered "speech," DeCSS is not the type of speech that is protected by the First Amendment since it does not involve the conveyance of information to another human.¹¹

In 2001, Internet service providers also found protection under the CDA. In Doe v. America Online,¹² an individual was selling child pornography over the AOL network. The parents of the Florida child who was the subject of some of the offensive materials sued, claiming that AOL had knowingly or negligently published and distributed the child pornography in violation of Florida law. AOL argued that it was protected under the CDA, which states that an ISP cannot be treated "as the publisher or speaker of any information provided by another information content provider." The plaintiff asserted, however, that because the CDA used the phrase "publisher," it did not protect "distributors" like AOL. The court rejected this argument, holding that the clear objective of the CDA was to encourage technological solutions and parental involvement to block offensive and illegal materials found on the Internet. To draw a distinction between "publish" and "distribute" would frustrate this purpose, the court concluded.

As these cases illustrate, both the DMCA and the CDA can shelter ISPs, Web sites and other service providers from liability in connection with third-party content. However, these protections are not absolute. Internet service providers should pay close attention to the knowledge requirements, notice provisions and other similar prerequisites of the DMCA and CDA to secure shelter from liability.

The scope of infringement for distributing copyrighted material on-line continued to be defined by the world of music in 2001. In July, Napster - the popular music file-sharing service - was effectively shut down when a federal court ruled that Napster could be held liable for the infringing activities of its users, even though it did not itself illegally copy any material available through the use of its service. The court held that Napster’s knowledge of the availability of infringing material through the use of its service, and the fact that it facilitated infringing activity, exposed it to "contributory" liability. The court also found that Napster could be held "vicariously" liable for the infringing activities of its users because it derived a financial benefit from, and could have blocked, the infringing activity.¹³

Napster and the Recording Industry Association of America ("RIAA") are still in court arguing about Napster’s obligations under the injunction to "block" infringing music files from its service. The argument centers on whether it is technically feasible for Napster to comply with the terms of the injunction given that, for example, a misspelled song title or file name may not be picked up and blocked by its technology.

The end of Napster did not, however, end the controversy over on-line music distribution. The RIAA and others are now targeting the next generation of song swapping services such as MusicCity and Kazaa. Unlike Napster, these new peer-to-peer services do not run a central indexing server and the file exchanges they facilitate do not flow through a central point. Rather, once users have installed the software on their own computers, they can directly exchange digital files with other users without the need for any central server. This structure could make it difficult for copyright holders to shut down these peer-to-peer services since there is no central node to attack.

There were several important decisions in 2001 interpreting the scope of a licensee’s rights to use a copyrighted work in an electronic format where the original license grant was silent as to such rights. In each case, the court has been required to classify the electronic work under the U.S. Copyright Act as either a permissible "revision" to a collective work or a "new work" requiring an additional grant of rights from the licensor.

On June 25, 2001 in New York Times v. Tasini¹⁴ the United States Supreme Court ruled (7-2) that the rights granted by freelance authors to publish their articles in print form did not extend to including those same articles in electronic databases. The Supreme Court stated that because database users could search for and download the individual articles themselves without seeing the entire publication, the articles were being used as "new works" and not "revisions" of the original collective work.

On July 11, 2001, a New York district court also ruled in favor of freelance authors’ rights in Random House, Inc. v. Rosetta Books LLC.¹⁵ In that case, certain authors had granted Random House an exclusive license to print and publish their works in "book" form, without defining what was meant by a "book." The court held that publication of these works in a digital medium such as electronic books was a "new use" that was not covered by the language of the contracts in question.

Following Tasini, on October 9, 2001, the Supreme Court denied certiorari to the Eleventh Circuit’s ruling in National Geographic v. Greenberg.¹⁶ This case involved National Geographic’s creation of a CD-ROM set that included every issue of the magazine from 1888 through 1996.

Greenberg, a freelance artist, had licensed some of his pictures to National Geographic before the CD-ROM set was envisioned. National Geographic incorporated Greenberg’s pictures in the CD-ROM without his permission, and Greenberg sued for their unauthorized use. The Eleventh Circuit held that by compiling all the magazines together in one CD-ROM, National Geographic had created a new work, and not a permissible revision.

In the wake of Tasini, Rosetta Books, and National Geographic, and as the electronic medium becomes increasingly important and lucrative, publishers need to address explicitly the issue of electronic rights in their contracts with freelance contributors, and include not only CD-ROMs, databases and e-books, but also wireless, broadband and other media that may be developed in the future.

A federal court decision in 2001 helped clarify the types of on-line agreements that are enforceable. In Specht v. Netscape Communications Corp.,¹⁷ Netscape sought to enforce a "browse wrap" agreement on its Web site that governed the downloading of Netscape software. "Browse wrap" agreements are posted on Web sites for users to review, but do not require users to take any affirmative action - such as clicking an "I agree" button - to manifest assent.

The United States District Court for the Southern District of New York, applying California contract law, found the Netscape agreement to be unenforceable. In its opinion, the court focused on three factors, each a frequent Web site practice. First, the court found that the agreement itself was not obvious to the user because it was accessible only by clicking on a link that appeared below-the-fold on the Web site’s download page. Second, adherence to the license agreement did not appear to be mandatory because users were merely invited (by virtue of another below-the-fold reference) to "review and agree to the terms of the . . . agreement before downloading and using the software." Third, a user could download the software without indicating his or her assent to the agreement, or even viewing the agreement. Thus, users could receive the benefit of the agreement "without taking any action that plainly manifests assent to the terms of the associated license or indicates an understanding that a contract is being formed." The court’s decision is consistent with an earlier finding by a federal district court in California that merely posting terms of use on a Web site below-the-fold is not enough to create an enforceable contract.¹⁸

Despite the ruling in Specht, sites do not necessarily need to have users click on an "I agree" button to establish consent. For example, in Register.com, Inc. v. Verio Inc,¹⁹ Register.com’s terms of use, which appeared on the homepage of its Web site, advised users that "[b]y submitting [a domain name] query, you agree to abide by these terms." The United States District Court for the Southern District of New York, applying New York contract law, found that the terms of use were enforceable because they were clearly posted on Register.com’s Web site, and that users manifested assent to these terms when they submitted a query. State appeals courts in California and Florida similarly suggested in 2001 that on-line agreements will be enforceable if a user has a meaningful opportunity to manifest his or her assent to the terms.²⁰

On November 28, 2001, President Bush signed into law the Internet Tax Nondiscrimination Act (the "Act"), thereby extending until November 1, 2003, the Internet tax moratorium that has been in place since 1998.²¹

The Act prevents states from imposing taxes on access to the Internet (e.g., as provided by ISPs), other than any access taxes imposed and actually enforced prior to October 1, 1998. The Act generally does not affect the imposition of traditional sales taxes in connection with the sale of tangible personal property over the Internet, but it does prohibit states from imposing multiple and discriminatory taxes on Internet-related activity. Accordingly, the "significant physical presence" or "nexus" test remains the law. Under this test, states are barred from forcing out-of-state sellers to collect sales taxes in the absence of the seller having a significant physical presence in the buyer’s state. The Act suggests that the mere presence of a server in a state is not sufficient to establish such "nexus" for sales tax purposes. Since most e-commerce merchants do not have any nexus in most of the states in which they do business, these states cannot force the merchants to collect a sales tax.

Where the seller does not have any "nexus" in the buyer’s state, the state cannot collect sales taxes on Internet purchases unless the buyers themselves calculate and remit the tax, as is often required by state law (i.e., a "use" tax). The reality, however, is that most buyers fail to do so, and this requirement has been difficult, if not impossible, to enforce.

The amount of the sales tax loss to the states, in the aggregate, may be quite significant. For example, a recent report from the Institute for State Studies ("ISS") estimated that for on-line purchases the sales tax loss amounted to over $13 billion in 2001 alone. The ISS estimates the sales tax loss will increase to $55 billion yearly by 2011.