
June 08, 2007

Study: Privacy Affects Behavior When Meaningfully Presented

A study presented today at Carnegie Mellon University's Workshop on the Economics of Information Security suggests that Web users are more willing to purchase from online businesses that offer strong privacy protections and that they are willing to pay a premium for privacy protection.

These findings challenge the conventional wisdom that Web users do not make buying decisions based on privacy concerns and, in fact, that Web users willingly surrender personal information in exchange for very little in return.

According to the authors of The Effect of Online Privacy Information in Purchasing Behavior: An Experimental Study, Web users seem not to value privacy because Web site privacy information is not being conveyed to them in a meaningful way. Privacy policies, the study's authors contend, are "invisible" to Web users: they are rarely read, they are difficult to comprehend when read, and most users mistakenly believe that the presence of a privacy policy means that their personal information is protected.

The study put privacy information front-and-center through the use of a technology called PrivacyFinder, a tool that processes a Web site's Platform for Privacy Preferences (P3P) information and presents the information in an easy-to-read "privacy meter" graphic. Survey participants, when presented with privacy information in this format, "tend[ed] to purchase from online retailers who better protect their privacy."

Council of Europe Prods Tardy Cybercrime Treaty Signers

A significant number of important countries have yet to ratify the Council of Europe's Convention on Cybercrime, a treaty intended to strengthen law enforcement's hand against computer crimes.

Of the 43 countries that signed the treaty back in 2001, 21 -- not quite half -- have ratified it to date. Among the European holdouts are Germany, Spain, the United Kingdom, Ireland and Italy. Important non-CoE member signatories who have yet to ratify are Canada, Japan, Mexico and South Africa.

Next week in Strasbourg the CoE is holding a two-day conference to help revive sagging momentum in the ratification process. Conference sponsors say the event is "aimed at encouraging as many countries as possible" to ratify the treaty.

June 07, 2007

Marketers Begin Eroding Support for SPY Act

The House of Representatives yesterday voted 368-48 to approve the SPY Act (H.R. 964). On the surface, the vote was a resounding victory for consumers who would like to know what kinds of information are being collected online and by whom. But on closer inspection we see that over three dozen legislators walked away from the SPY Act yesterday, even though they had voted for tougher versions of the same bill in prior Congresses.

As Winston Churchill might have put it, the vote was not the beginning of the end for spyware but the end of the beginning in the marketing lobby's war against the war on spyware.

In 2004, the SPY Act (H.R. 2929) passed the House 399-1. The next year, the House voted 393-4 to approve the SPY Act (H.R. 29). Marketers, who apparently have little to fear from the Senate, had been working hard to improve their fortunes in the House this time around. A strongly worded letter, signed by the U.S. Chamber of Commerce, the Direct Marketing Association, the American Bankers Association, Acxiom Corp., Experian, and other leading representatives of the business community, circulated in advance of the vote. Signers charged that H.R. 964 is bad for business. The measure "cuts to the heart of the information economy," they wrote.

The problem with H.R. 964 was that it is privacy legislation, an idea whose time has apparently not yet come. Section 3 creates a notice-and-consent scheme for the online collection of personal information. Lobbyists working Congress on the eve of the vote said they could not support any spyware legislation that contained a notice-and-consent mechanism. Giving consumers notice of online information collection technologies, they said, "would limit the seamless Internet experience that is responsible for the widespread adoption of the Internet by consumers."

This argument resonated with the following legislators, all of whom had once cast votes in favor of the SPY Act:

  1. Rep. Robert B. Aderholt (R-Ala.)
  2. Rep. W. Todd Akin (R-Mo.)
  3. Rep. J. Gresham Barrett (R-S.C.)
  4. Rep. Judy Biggert (R-Ill.)
  5. Rep. Rob Bishop (R-Utah)
  6. Rep. Roy Blunt (R-Mo.)
  7. Rep. Jo Bonner (R-Ala.)
  8. Rep. Kevin Brady (R-Texas)
  9. Rep. Chris Cannon (R-Utah)
  10. Rep. John R. Carter (R-Texas)
  11. Rep. K. Michael Conaway (R-Texas)
  12. Rep. Geoff Davis (R-Ky.)
  13. Rep. Tom Davis (R-Va.)
  14. Rep. Tom Feeney (R-Fl.)
  15. Rep. Jeff Flake (R-Az.)
  16. Rep. Virginia Foxx (R-N.C.)
  17. Rep. Phil Gingrey (R-Ga.)
  18. Rep. Bob Goodlatte (R-Va.)
  19. Rep. Alcee L. Hastings (D-Fl.)
  20. Rep. Peter Hoekstra (R-Mich.)
  21. Rep. Michael M. Honda (D-Calif.)
  22. Rep. Bob Inglis (R-S.C.)
  23. Rep. Sam Johnson (R-Texas)
  24. Rep. Jack Kingston (R-Ga.)
  25. Rep. Tom Latham (R-Iowa)
  26. Rep. Zoe Lofgren (D-Calif.)
  27. Rep. Daniel E. Lungren (R-Calif.)
  28. Rep. Donald A. Manzullo (R-Ill.)
  29. Rep. Jerry Moran (R-Ks.)
  30. Rep. Devin Nunes (R-Calif.)
  31. Rep. Stevan Pearce (R-N.M.)
  32. Rep. Tom Price (R-Ga.)
  33. Rep. Pete Sessions (R-Texas)
  34. Rep. Mac Thornberry (R-Texas)
  35. Rep. Todd Tiahrt (R-Ks.)
  36. Rep. Lynn A. Westmoreland (R-Ga.)
  37. Rep. Joe Wilson (R-S.C.)

Most of these legislators voted not once but twice in favor of earlier versions of the SPY Act. Tougher versions of the measure didn't attract much interest in the Senate two years ago. It is hard to imagine it will do better this time around.

June 06, 2007

Another Day, Another State Claim Preempted by CAN-SPAM

E-mail marketers, who frankly have had little to smile about the past few years, can at least take comfort in the gradual accumulation of cases giving a broad reading to the CAN-SPAM Act's state-law preemption provision. If this trend continues, state legislatures will have almost no room to regulate beyond the modest set of e-mail restrictions negotiated by direct marketers in the process leading up to the CAN-SPAM Act.

The Fourth Circuit's ruling in Omega World Travel Inc. v. Mummagraphics Inc., No. 05-2080 (4th Cir., Nov. 17, 2006) (state cause of action for "immaterial" errors in header information preempted by CAN-SPAM), was followed recently by Gordon v. Virtumundo Inc., No. 06-204 (W.D. Wash., May 15, 2007) (to extent that marketer's use of vm-mail.com as "from" address was materially misleading under state law, law was preempted by CAN-SPAM).

A third case recently came down, holding that a state-law challenge to an e-mail marketer's tactic of launching messages from multiple domain names is preempted by the federal CAN-SPAM Act. The case is Kleffman v. Vonage Holdings Corp., No. 07-2406 (C.D. Cal., May 22, 2007).

California law gives anyone a cause of action to sue marketers whose messages are "accompanied by falsified, misrepresented, or forged header information." Cal. Business & Professions Code 17529.5. According to Kleffman, Vonage employed numerous e-mail addresses to originate its messages in order to evade spam filters. Kleffman contended that this tactic was misleading under California law.

The Kleffman court ruled that the plain language of the California statute would not support the plaintiff's novel theory, but, assuming that California law did outlaw Vonage's tactic, the law would be preempted by CAN-SPAM. The court remarked that CAN-SPAM's preemption provision "left states room only to extend their traditional fraud prohibitions to the realm of commercial emails because it was confident that legitimate businesses would not unwittingly transgress such well-established prohibitions."

The court ascribed to Congress a sensitivity to the needs of e-mail marketers, stating that Congress did not want them to have to guess at the meaning of state e-mail restrictions. Theories like the one advanced by the plaintiff -- e.g., the use of multiple but accurate "from" addresses is unlawful because it diminishes the effectiveness of spam filters -- seemed to the court to be the kind of claim Congress did not want marketers to have to beat back on a state-by-state basis.

Before parting, the court, in a footnote, challenged the reasoning of a pair of early cases rejecting CAN-SPAM preemption arguments. These cases, the court said, "merely compared the language of the statutes at issue to the savings clause, as opposed to examining the nature of the plaintiffs' theory of liability. See Gordon v. Impulse Mktg. Group, 375 F. Supp.2d 1040, 1045-46 (E.D. Wash. 2005); Beyond Sys. v. Keynetics Inc., 422 F. Supp.2d 523, 535 (D. Md. 2005). The Supreme Court has indicated that this method is improper. See Cipollone v. Liggett Group, 505 U.S. 504, 523-24 (1992)."

June 02, 2007

Arbitration Clause in Second Life TOS Found Unconscionable

Linden Research, creator and operator of the Second Life virtual world, suffered a tough loss in federal court the other day. The trial court, in a case where a Pennsylvania plaintiff alleged that Linden Research unlawfully confiscated his "virtual property" when it terminated his right to keep playing the game, held that California-based Linden Research and its CEO were both subject to suit in Pennsylvania.

And matters went downhill from there. The court denied Linden Research's motion to compel arbitration, holding that the Second Life terms of service agreement -- which called for arbitration -- was procedurally and substantively unconscionable.

Essentially, Judge Eduardo C. Robreno rolled up the court's opinion in Comb v. Paypal Inc., 218 F. Supp.2d (N.D. Cal. 2002), and proceeded to beat Linden Research over the head with it for about a dozen pages.

The Second Life TOS was a take-it-or-leave-it clickwrap deal. The site operator had superior bargaining power over the plaintiff and, Judge Robreno found, there were no reasonable available market alternatives to Second Life. Of all the virtual worlds out there, only Second Life granted its users property rights in virtual land. Judge Robreno also faulted Linden Research for putting the arbitration provision in a "lengthy paragraph under the benign heading `GENERAL PROVISIONS.' "

Linden Research fared no better on the substantive unconscionability inquiry. Judge Robreno faulted the Second Life TOS on numerous grounds:

  • lack of mutuality. The TOS gave Linden Research the right to terminate users "for any reason or no reason," the right to invoke several one-sided remedies to protect its own rights, and the right to modify the TOS at any time, including the arbitration provision.
  • excessive arbitration costs. Up-front costs for arbitration were significantly greater than the costs of filing a federal court action.
  • venue in California. The TOS unreasonably demanded that Second Life users travel to California to arbitrate claims commonly involving minimal sums.
  • confidentiality agreement. The gag order on arbitration proceedings called for by the TOS allows Linden Research to accumulate knowledge about arbitrations involving the TOS, while individual plaintiffs must begin from scratch in every case.
  • business realities. Judge Robreno said that Linden Research made no showing that such a one-sided agreement was necessary to conduct its business.

On balance, the court concluded, the Second Life TOS seeks to impose a one-sided dispute resolution scheme that tilts unfairly, "in almost all situations," in Second Life's favor.

The upshot of all this is that a federal court, not an arbitration panel, will decide in an open court the novel cyberlaw issues present in this case. That's a positive outcome, regardless of where the court ultimately comes down.

The case also contains lessons for attorneys drafting online terms of service agreements. A fair reading of this case and Comb should lead counsel to rein in their natural impulse to write every single deal point in favor of their client and against the user.

The case is Bragg v. Linden Research Inc., No. 06-4925 (E.D. Pa. May 30, 2007).

June 01, 2007

MySpace Ruling Widens Reach of CAN-SPAM Act

MySpace.com and two of its litigation counsel, Ian C. Ballon and Wendy M. Mantell, at Greenberg Traurig, appear to have found a winning recipe for keeping spammers off MySpace.com's social network: Start with a creative interpretation of federal and state anti-spam provisions, top off with an aggressive terms of service agreement that demands liquidated damages for violations.

MySpace.com yesterday announced it had reached a settlement with The Globe.com, an outfit MySpace.com said was using MySpace accounts to send unsolicited commercial "MySpace e-messages" to other users. Over 400,000 such messages were sent from 95 dummy MySpace.com accounts. The seeds of the settlement were sown on Feb. 27, 2007, when Judge R. Gary Klausner ruled, in an unpublished opinion:

  • MySpace e-messages meet the CAN-SPAM Act's definition of electronic mail, despite the fact that MySpace e-message addresses do not have a traditional domain name component and the messages never leave the MySpace.com network during transmission.
  • MySpace.com qualifies as an "Internet access service" eligible to invoke CAN-SPAM's civil remedies. The court rejected the defendant's contention that the CAN-SPAM Act protects only "traditional ISPs," an argument that succeeded recently in Gordon v. Virtumundo Inc., No. 06-204 (W.D. Wash. May 15, 2007).
  • Header information accompanying the e-messages was "false and misleading" in violation of CAN-SPAM even though literally accurate, because the MySpace accounts were opened using fictitious information that did not identify The Globe.com as the message sender.
  • The Globe.com was liable under the California anti-spam statute, Cal. Bus. Code 17529.5, which provides a cause of action against senders of e-mail messages containing false or misleading headers or subject lines, provided the message is transmitted to or from a California e-mail address.
  • The Globe.com was liable for breaching MySpace.com's terms of service agreement. The court ruled that the TOS was enforceable and that its liquidated damages provision calling for a penalty of $50 per forbidden message was reasonable. (CAN-SPAM sets statutory damages in a range between $25-$300 per message.)

The damage calculations derived from the court's order placed The Globe.com's liability at $5.5 million, a strong impetus toward settlement one would think. The terms of the May 31 settlement were not disclosed.

The case is MySpace Inc. v. The Globe.com Inc., No. 06-3391 (C.D. Cal. Feb. 27, 2007).

Federal Workers Ask, "What's a Fisma?"

The federal government spent over $74 million on information security training in 2006, prodded by the 2002 Federal Information Security Management Act, 44 U.S.C. 3541.

Despite this expenditure, many federal agencies score poorly on the dreaded Federal Computer Security Report Card, which is derived from annual FISMA audit information. The most recent report card, dated April 12, 2007, gave the Department of Defense an F, the U.S. Treasury an F, and the Department of Homeland Security a D. The Department of Veterans Affairs, which accidentally released personal information on 26.5 million active and retired military personnel in 2006, did not bother to file a FISMA report.

SecureInfo Corp. thinks it may have uncovered one explanation for the government's poor performance. According to a May 2007 study by the McLean, Va., consulting firm, 65 percent of federal workers surveyed had not even heard of FISMA. Of those who had heard of FISMA, 40 thought it was a "compliance headache."

Notice to Subscribers