On Friday, November 25, 2011, the Department of Justice (DOJ), working with Immigration and Customs Enforcement (ICE), seized 130 domains operated by alleged counterfeiters. The seizures seem to be a continuation of last year’s “Operation In Our Sites v. 2.0,” an initiative designed to crack down on online piracy and counterfeiting by seizing the domain names under which they operate. In last year’s seizures over 82 domains were seized.
The seizure seems to have been timed to anticipate “Cybermonday,” the follow-up to “Black Friday” when consumers are encouraged to shop on-line. The domains seized include clothing resellers such as 100jerseys.com, purse and bag resellers such as Louisvuiton-bags-forcheap.com, shoe resellers such as Reeboksite.com and even an auto software site, autocd.com. Attempts to log into the sites result in a message which states:
Such seizures have been criticized in the past by consumer advocates as excessive and violations of first amendment rights. At least one senator has expressed his displeasure with these tactics in the past. Senator Ron Wyden (D-OR) wrote to ICE and stated:
In contrast to ordinary copyright litigation, the domain name seizure process does not appear to give targeted websites an opportunity to defend themselves before sanctions are imposed. As you know, there is an active and contentious legal debate about when a website may be held liable for infringing activities by its users. I worry that domain name seizures could function as a means for end-running the normal legal process in order to target websites that may prevail in full court. The new enforcement approach used by Operation In Our Sites is alarmingly unprecedented in the breadth of its potential reach…
For the Administration’s efforts to be seen as legitimate, it should be able to defend its use of the forfeiture laws by prosecuting operators of domain names and provide a means to ensure due process. If the federal government is going to take property and risk stifling speech, it must be able to defend those actions not only behind closed doors but also in a court of law.
The Senator’s letter also focused on the scant evidence and investigation required to obtain the seizure warrants and how they resulted in wrongful seizure in at least one case.
Aside from their legality, the effectiveness of such seizures has also been questioned. Also, popular web browser Firefox has a plug-in which allows users to find the website despite the domain seizure. Nevertheless, for the average consumer who is not technically sophisticated, the domain seizures provide an effective means for sending a message against the purchase of counterfeit goods. No press release has been issued by ICE regarding the new seizures.
On Thursday the European Court of Justice (“ECJ”) ruled that an Internet Service Provider (“ISP”) cannot be forced to filter all Internet traffic in order to stop the sharing of copyright infringing content. This opinion is the culmination of a seven-year-old legal battle in the case of Sabam v. Scarlet.
In 2004 a Belgian royalty collection agency, Sabam, brought legal action against Scarlet, a Belgian ISP, seeking an injunction ordering the ISP to put in place a mechanism to prevent its users from downloading copyrighted works via peer-to-peer (P2P) networks without permission from the copyright owner. In 2007 the Brussels Court of First Instance ordered Scarlet to take measures to stop the downloading of copyrighted works without the authority of the copyright owner or face fines of €2,500 per day. This decision ignored testimony from experts that no reasonable electronic measure existed for adequately stopping the downloading of copyrighted content.
Scarlet appealed the decision. In January of 2010, the Brussels Court of Appeal referred the following two questions to the European Court of Justice:
- [Do European directives on Intellectual Property rights construed in light of personal freedoms guaranteed by law] permit … a national court…to order an [ISP] to install, for all its customers, in abstract and as a preventive measure, exclusively at the cost of that ISP and for an unlimited period, a system for filtering all electronic communications, both incoming and outgoing, passing via its services, in particular those involving the use of peer-to-peer software, in order to identify on its network the movement of electronic files containing a musical, cinematographic or audio-visual work in respect of which the applicant claims to hold rights, and subsequently to block the transfer of such files, either at the point at which they are requested or at which they are sent?
- [If the answer to the first question is yes then can the court] apply the principle of proportionality when deciding on the effectiveness and dissuasive effect of the measure sought?
Effectively what the Court of Appeals was asking was, do we have the authority to order an ISP to engage in broad filtering of all content in order to identify some offending content and, if so, can we apply a proportionality, cost and benefit, analysis in granting or denying such relief? Clearly the Court felt uncomfortable with the scope of relief which Sabam claimed that it was entitled to under the existing Directives.
On Thursday, November 24, 2011, the ECJ ruled that European law precludes an injunction of the kind under review which would require monitoring of all internet user communications as a preventive measure at the ISP’s expense and for an unlimited period of time for the purpose of stopping copyright infringing content.
In its ruling the ECJ focused on the rights to privacy of Internet users. It stated that the general monitoring of all communications that would be required to accomplish the requirements of the injunction would itself violate European privacy directives. The ECJ went on to say that in granting relief to copyright owners, “courts must strike a fair balance between the protection of copyright and the protection of the fundamental rights of individuals who are affected by such measures.” Moreover, the “injunction could potentially undermine freedom of information since that system might not distinguish adequately between unlawful content and lawful content, with the result that its introduction could lead to the blocking of lawful communications.”
The ECJ was also sensitive to the business impact on the ISP. It stated that courts must also “strike a fair balance between the protection of the intellectual property right enjoyed by copyright holders and that of the freedom to conduct a business enjoyed by operators such as ISPs.” The expensive monitoring system requested by Sabam would “result in a serious infringement of the freedom of the ISP concerned to conduct its business since it would require that ISP to install a complicated, costly, permanent computer system at its own expense.”
While this ruling forbids broad monitoring it does not prevent blacklisting of websites, a tactic affirmed by the British High Court last year in a case against British Telecom and currently under consideration in at least one bill pending before Congress. Nevertheless, privacy advocates were pleased with this decision.
It was big news last month when Dropbox, the popular cloud storage provider, announced that it was offering new multiuser business accounts at a competitive price. The business, which initially launched as a consumer service, announced that it would now be offering its new service to small and medium size corporate clients. Corporate users would be able to create virtual disk folders on their computers which would be mirrored on the cloud and would be available anywhere.
The promotional information for the new service promoted its high level of security which includes password protection and user side encryption. What Dropbox did not easily disclose in its promotional materials was that the service does not meet the requirements of Payment Card Industry (PCI), the Health Insurance Portability and Accountability Act (HIPAA) or the Sarbanes-Oxley law. Use of the service by a corporation subject to these acts could result in substantial fines and penalties.
Although many similar services also do not meet these requirements, Dropbox’s new service is directed not at the home user but at corporate customers in industries likely to be governed by these regulations. Dropbox’s explanation for not emphasizing this shortcoming in its promotional literature was that its customers were more concerned with collaborative ease than with regulatory compliance.
Ultimately, this is an example of the basic rule of all cloud computing – user beware. A corporation in a regulated industry needs to be proactive in confirming that a service which it intends to use fulfills its regulatory requirements. Furthermore, corporations need to create, promote and enforce internal guidelines to avoid use of cloud based services which could result in regulatory violations. For such guidelines to be effective, the company’s employees need to be educated to avoid using such services for company information without prior company approval.
Three controversial new laws are on the horizon which, if enacted, could have a significant impact on the Internet in the United States. Imagine if your business is accused by a competitor of distributing infringing content and your site is taken off the Internet before you have a chance to defend. Imagine search engines refusing to show your site on search results. Imagine being banned from using the Internet. Imagine your music player or laptop searched at the border for infringing content. All of this and more could come true under these pending laws.
Protect IP Act
Sponsors of the “Protect IP Act” (S. 968) claim that the law is intended to fight piracy and copyright infringement. It is a law that is strongly supported by the large media companies who face serious problems with content infringement. However, the bill has attracted broad criticism from small business and civil liberties groups. The bill, if passed into law, would give the Justice Department the ability to seek court orders seizing the sites’ domain names and requiring search engines, payment processing companies and advertising networks to blackball web sites deemed to promote infringing content. The problem is that the bill does not provide a clear definition of what constitutes an infringement-promoting site, therefore leaving the door open to commerce-chilling threats of web site shutdowns. Separately, including a private right of action means that any rights holder can tie up a service provider in costly legal action, even if the claims eventually turn out not to be valid. For a small business or startup this makes them very vulnerable to the well-established media companies. The bill has been put on hold by Senator Ron Wyden (D-OR).
Stop Online Piracy Act
A successor to the Protect IP Act is the “Stop Online Piracy Act” (H.R. 321) which was introduced last month by a bipartisan group of senators. The House Judiciary Committee will hold a hearing on the act November 16, 2011. As with the stalled Protect IP Act, H.R.321 allows copyright owners to require search engines to block accused websites from showing up on search results. Internet service providers such as AT&T or Comcast can be required to block accused websites from their customers. Payment companies such as PayPal, Visa or MasterCard can stop all payment processing for any website that they suspect may be posting copyrighted work without permission. The bill has been criticized for its “shoot first ask questions later” approach and the economic damage that it could cause falsely accused sites.
The Anti-Counterfeiting Trade Agreement
The last of these three new potential laws is part of a new international copyright protection treaty. The Anti-Counterfeiting Trade Agreement (ACTA) is a multilateral agreement which would create a new international network of laws and regulations governing copyrighted content. Several factors have made ACTA controversial. First, it has been negotiated amongst the parties outside of established multinational organizations in order to keep its terms secret. This secrecy has been justified by the US and Japan as matters of national security. Repeated leaks have raised concerns about elements of the treaty that call for border searches of laptops, mandatory banning of users from the Internet, enhanced fines and criminal penalties. Another controversial factor in the treaty is that ACTA negotiations have excluded infringement producing countries such as China, India, Russia and Pakistan. The penalties and rules are therefore targeted at punishing users in content producing countries in order to dry up demand (parallels could be made to the drug war strategy). Finally, numerous concerns have been raised about surveillance and human rights.
A signing ceremony was held on October 1, 2011 in Tokyo, at which the United States, Canada, Australia, Japan, New Zealand, Morocco, Singapore, and South Korea signed the treaty. The European Union, Mexico, and Switzerland did not sign the treaty, but attended the ceremony and indicated their intent to sign the treaty in the near future.
Consistent with the history of the treaty, its ratification into US law is now clouded in controversy. The USTR has claimed that ACTA is consistent with current U.S. copyright, patent, and trademark laws, and therefore it “does not require the enactment of implementing legislation.” The USTR further stated that “The United States may therefore enter into and carry out the requirements of the Agreement under existing legal authority, just as it has done with other trade agreements.” This claim that the Act does not require ratification has not been well received. Critics have voiced concerns that the ACTA is not consistent with U.S. law and that the president does not have the proper authority to bind the U.S. to the agreement without congressional ratification. Senator Ron Wyden (D-Ore.) has stated that “if the USTR ratifies ACTA without Congress’ consent it may be circumventing Congress’s Constitutional authority to regulate international commerce and protect intellectual property.” Time will tell what will happen.
The 9th Circuit has ruled in Suzlon Energy Ltd v. Microsoft Corporation, that emails belonging to a non-US national which are hosted on US based servers by a US Cloud provider. The Electronic Communications Privacy Act of 1986 (ECPA) provides that “a person or entity providing an electronic communication service to the public shall not knowingly divulge to any person or entity the contents of a communication while in electronic storage by that service.”
In this case Suzlon sought emails under to use in a civil fraud proceeding pending against Rajogopalan Sridhar and others in the Federal Court of Australia (the “Australian Proceedings”). Although Sridhar is a citizen of India and is imprisoned abroad, the relevant emails are stored on a US server by a domestic corporation, Microsoft. The district court initially granted Suzlon’s petition for production of documents. In response, Microsoft filed objections that the district court deemed to be a motion to quash.
The Court construed the term person as defined in the Act to extend to “any person” regardless of nationality. Thereby the court expands the application of the ECPA to foreign nationals. This reading is consistent with other decisions that have interpreted similar laws such as the Freedom of Information Act.
On Friday the Obama administration released the second draft version of the National Strategy for Trusted Identities in Cyberspace (“NSTIC”). The trusted ID plan is part of the Obama administration’s Cyberspace Policy Review, released in May 2009. This new draft focuses the effort to create an online identification system on the private sector with the government serving in a coordinating capacity.
The press release emphasizes the importance of the Internet to commerce but also its “online fraud and identity theft, that harm consumers and cost billions of dollars each year.” By making online transactions trustworthy “we will prevent costly crime, we will give businesses and consumers new confidence, and we will foster growth and untold innovation.”
Key elements of the trusted identification systems suggested by the strategy include the ability to opt into the system, different types of credential for different categories of access and preservation of an anonymous option. The strategy promises benefits such as faster transaction processing, age restriction for content, easier smartphone transactions and enhanced public safety.
Much criticism of the strategy has come from privacy advocates. This latest draft emphasizes that identification systems will be optional and will not abolish anonymity. At the announcement of the latest draft Commerce Secretary Gary Locke dismissed such worries as conspiracy theories.
In negotiating a cloud based services contract a company is going to have to consider many unique and individualized needs. Many of these needs will depend on the corporation’s industry and its likely use of the cloud service for the transfer or storage of privileged, regulated or restricted information. While no single list can possibly cover all points, the following should provide a good starting checklist for most companies.
1. Does the cloud provider own all storage and transfer sites for static and dynamic data which will be put on the service?
2. If not, who are the subcontractors?
3. Will the subcontractors be bound to the terms of your contract?
4. Will you have a direct right of action against the subcontractors?
5. If work is subsequently transferred to subcontractors will you be notified in advance to allow you to re-evaluate service? Will identity of intended subcontractors be disclosed in advance?
6. Where are the storage servers located–where will your data reside?
7. If in a foreign state or country, are you comfortable with the foreign law? You may want to restrict the cloud provider to only using local sites or a specific site.
8. Do you need and will the cloud service provide customization? Remember that customization may keep you from benefiting from regular site upgrades.
9. Do you need up time guarantees? Get a representation as to their prior year’s downtime record.
10. Lock down the provider’s maintenance schedule and its impact on the service.
11. Lock down security guaranties. Are they providing encryption? Who has access to the servers? Other legal security and segregation requirements (e.g., HIPAA, European Union, Gramm-Leach-Bliley, and state information privacy laws such as those in Massachusetts).
12. If your company has environmental guidelines, does the provider comply? One online provider, for example, uses only wind power for their servers.
13. Will the provider agree to certain deletion standards if the contract is terminated?
14. Will the provider agree to procure SAS 70 Type II audits or are they ISO 27001 certified for security?
15. Will they notify you in the event of a breach of security? How and how quickly? What level of detail? This may be necessary for certain regulated information. (e.g. HIPAA, HITECH)
16. Will they notify you in the event of insolvency? Advance notice of termination?
17. Will they provide you with different format options to recover or transfer your data upon termination of the relationship?
18. What happens to your data in the event of a dispute with the provider? You don’t want to be held hostage.
19. Are damages caps acceptable for the type of data stored? Are intentional or grossly negligent acts exempted?
20. What privacy standards and laws apply?
21. What jurisdiction for a dispute?