
UPDATE: SOPA’s Manager’s Amendment and Digital Distribution

In my previous article on Section 103 of SOPA, I discussed concerns relating to the Act as it was first presented to the House. The Act, however, has undergone a Manager’s Amendment and as a result some of the language cited in the previous article has been removed. Many of the issues discussed in the earlier article have also been addressed.

Some of the salient points of the Amendment:

  • Language such as “website or any portion thereof” has been replaced with simply website or site;
  • Notification procedures by private parties to payment vendors and advertising providers have been removed and replaced by court order procedure;
  • Private parties under Section 103 of the Manager’s Amendment must now seek a temporary restraining order, preliminary injunction, or injunction against the defendant prior to sending notice to payment vendors and advertising providers for service suspension;
  • The definition for “Sites dedicated to theft of U.S. Property” has been revised in a few ways:
    • It now only applies to foreign sites;
    • the “engages in, enables, or facilitates” language has been removed, and the following definition applies: “… the site is primarily designed or operated for the purpose of, has only limited purpose or use other than, or is marketed by its operator or another acting in concert with that operator primarily for use in, offering goods or services in violation of…” copyright infringement for commercial purposes or for private financial gain, or trademark infringement;
    • the problematic monitoring language (“is taking, or has taken, deliberate actions to avoid confirming a high probability of the use of the U.S. Directed site to carry out acts” that constitute copyright infringement) has been replaced with “the operator of the site operates the site with the object of promoting, or has promoted its use to carry out acts that constitute  a violation of section 501 or 1201 of Title 17, United States Code, as shown by clear expression or other affirmative steps taken to foster such violation.”
  • Section 104 provides that in cases where the alleged violations only occur on a portion of a website, payment vendors and advertising providers are only required to blacklist that portion.
  • Section 105 has expanded the scope of its limitation of liability in two ways: (1) the types of entities protected by the limitation of liability have increased to include credit unions and banking institutions; and (2) the limitation on liability, which was once limited to protecting the entities’ preemptive removal of sites posing a threat to public health, has increased to include the blacklisting of “foreign infringing sites” and “Internet sites dedicated to theft of U.S. Property”.

The changes in the Manager’s Amendment seem to be a step in the right direction; however, a number of risks still exist and the vague, inadequately defined language used in the amendment creates a multitude of interpretations and loopholes. Taken one by one, the changes seem problematic for the following reasons:

  • Although “any portion thereof” has been removed, there is nothing to say that a website or site couldn’t be limited to a single web address—for instance, the web address for page two of a forum, or in the example referred to in my previous post, a page dedicated to the sale of a single product. The obligation restrictions provided for in Section 104 seem to support this presumption.
  • While section 104 would arguably permit payment vendors and advertising providers to limit enforcement to that single page, the option may not always be technically reasonable depending on how the payment system is structured. Furthermore, this is simply an option for payment vendors and advertising providers—they may still decide to blacklist the entire website.
  • The increased scope of Section 105 is one of the more deceptive aspects of the amendment, and potentially creates a back door approach to the revisions made to section 103. As Logan Margulies, attorney for Riot Games, pointed out in his IAmA on Reddit, the immunity offered, which is based on proactive blacklisting of allegedly infringing sites, presents a Hobson’s choice to payment vendors, advertising providers, search engines, domain name registries and domain name registrars: if a private party notifies those entities of an alleged infringement on a site and threatens to sue under SOPA, the entity has the option of either a) blacklisting the site and guaranteeing immunity based on a “good faith, credible” belief that the content is infringing (this is approximately the same standard a plaintiff needs to send a take down notice under the DMCA– in other words and based on historical reference, not much); or b) fight the good fight alongside the website owner and potentially lose that liability. As Mr. Margulies points out, that isn’t much of a choice for any business.
  • Although the notification procedure is removed and private parties can no longer submit baseless notifications to payment vendors and advertising providers, the Act now gives plaintiffs immediate access to the courts—once again bypassing the exhaustion of remedies under the DMCA Safe Harbors and other legal channels. And while this change may prohibit individuals with shallow pockets from throwing a website onto the blacklist, it certainly doesn’t prohibit deep pockets that would use those court orders to defeat competitors. As stated before, take down notifications by businesses to drive out competitors constituted more than 50% of the take down notices received by Google. It is very likely that this amendment will be treated in the same manner by companies with the financial backing to drive out foreign digital distributors from the U.S. market, even if (and possibly because) they offer customers better service;
  • While the definition of “Site dedicated to theft of U.S. property” has changed significantly, problems still exist. When we’re talking about user generated content or pages dedicated to content uploaded by a user when that content is potentially infringing, that page or “site” is arguably operated for the purpose of that infringement. Although the website owner is not a direct infringer, the website owner would still ostensibly be on the hook for that infringement, and would still be subject to injunctive relief by court order;
  • The addition of legally vague standards like those provided for in 103(a)(I)(C)(ii) of the Manager’s Amendment (“as shown by clear expression or other affirmative steps taken to foster such violation,”) may not actually make any difference as far as removing the obligation to monitor created in the original draft. A plaintiff could argue that an “affirmative step” includes asserting a policy of not monitoring or moderating content except as necessary to comply with DMCA safe harbors or their own country’s laws. Other “affirmative steps” may include permitting a forum to exist, or if we look at the example provided in my earlier article, having an infrastructure that permits users to create their own “sites”.

While the hypothetical mentioned in my original article may change in light of these revisions, the Act at its core threatens legitimate digital distribution channels with both criminal and civil penalties. The threat of an injunction and the removal of financial support by private parties is still a prominent part of the Act even if the easily-exploited notification procedures are removed. Under this legislation any large business can easily petition for court orders for the sole purpose of driving out foreign competitors, thus providing customers and content creators alike with fewer options for digital distribution. And the revisions to section 105 arguably make the court order approach unnecessary: entities granted a promise of immunity have a greater stake in protecting that immunity, legally and financially speaking, than protecting foreign sites that may only offer incremental income.

Living in a global market facilitates competition and growth. Digital distribution channels are the living example of that growth and are vital for independent game developers. The U.S. marketplace does not exist in a vacuum, and it makes little difference where a site’s owner is located. U.S. consumers still have a right to enjoy those distribution channels without the threat of those channels being blacklisted to the sole benefit of U.S. competitors.

This Act doesn’t just threaten digital distribution. It threatens every facet of the Internet and particularly online communities. At this time the markup of the Act has been delayed; other changes may be implemented that either reduce the risks presented or reintroduce earlier regulations and procedures. However, there is nothing to suggest that the core drive behind the legislation will change in any way.

Understanding DMCA Safe Harbors

I briefly discussed the DMCA safe harbors in a previous post. However, considering the complexity of the safe harbors (and at the behest of Washu over at Gamedev.net) some elaboration is necessary.

What are the safe harbors?

Simply put, the safe harbors limit the liability of certain online service providers from copyright infringement claims. Protected service providers include ISPs, carriers, and websites that transmit or store user content. For instance, a website like youtube.com, which hosts user-generated video content, almost certainly falls under the DMCA safe harbor. Similarly your ISP or internet carrier, be it Comcast, Qwest, or Time Warner, would theoretically be protected under the safe harbor. The limitation of liability does not mean that absolutely no liability exists, but it does provide certain protections to those providers who exercise limited control over user content and the use of their services.

The History

Congress recognized the need for safe harbors years before the advent of the DMCA. As demonstrated in the passing of the "passive carrier" section of the 1976 Copyright Act (17 U.S.C. 111(a)(3)), Congress realized that services like telephones and cable providers could potentially be held liable for copyright infringement to the extent that their services were used to relay infringing content. The Internet further demonstrated the need for these protections because of the sheer quantity of content that could be transmitted through those same cable and phone lines. Both the courts and Congress decided that a line needed to be drawn in the case of internet websites, Usenet, and other automated systems by which content could be automatically reproduced and distributed without control or action by the original website or Usenet creator.

Thus under the umbrella of the DMCA, the Online Copyright Infringement Liability Limitation Act was enacted. The act created safe harbors for four "types" of services providers: (1) the ISPs and infrastructure providers who transmitted packets of information; (2) the carriers that cached content to speed up transmission; (3) the websites and service providers that allowed users to upload their own content; and (4) search engines that host links and thumbnails to content.

The Four Types

Transmission. The first exception applies to internet carriers that transmit and in some cases temporarily store and/or copy packets of information for the purpose of allowing users to connect through the network to websites, FTP hosts, and the like. Essentially the first safe harbor applies to the network infrastructure provider that allows your computer or console to connect to whatever it is you're trying to connect to. Without this safe harbor ISPs would be potentially liable for any infringement that occurred on their system depending on the method of transmission.

Caching. Similarly ISPs who cache (e.g. store and save) data on their systems so that previously visited websites load faster for a user are granted limited liability. Certain requirements must be met for this safe harbor to apply, which will be discussed below.

User Generated Content. The third exception, and the one that generally receives the most attention, applies to websites and service providers that permit users to automatically store content on the website/service provider's server or system. In this case even more requirements must be met, including the registration of a DMCA agent with the Copyright office.

Search Engines. The last exception applies to search engines, directories, indexes, references, and other internet tools that link to websites or online data containing infringing content.

Qualifying for Safe Harbor Protection

As a Transmission service provider. It's unlikely that this will apply to anyone reading this blog, but people may still be interested in learning how their ISP can limit their copyright infringement liability:

  • The service provider can't initiate the transmission—this should be obvious. If the provider is the one transmitting infringing content, they're direct infringers.
  • The transmission must be an automated technical process that doesn't filter or select material. If the ISP engages in a selection or editing process in the course of transmission they may lose their limited liability (which raises some truly fascinating questions in the Net Neutrality argument).
  • The ISP can't choose who receives the material—the process must be automatic and it must be in response to a request from an end user.
  • The next qualification has two parts: first, transmitted information on the system can't be stored in a manner that would normally allow accessibility to the content by anyone other than the requesting end user; second, the information can't be stored for longer than is necessary for the transmission to the requesting end user.
  • ISPs can't modify the content in the course of transmission.

If you're caching data and content. Caching can occur at any point between request and transmission, so it's necessary to break down the players in the caching game: (1) content providers; (2) service providers; and (3) end users. It's necessary to note here that a service provider can include any site that caches user data to make logging in or other preferences readily available to the user, including sites like eBay and Amazon. Unfortunately this safe harbor is a bit convoluted, but I'll try to clarify the key points:

  • Content must be provided by someone other than the service provider. This is nothing new and is identical to the first requirement for the transmission safe harbor.
  • The system in place must be fully automated for the purpose of making material available to system users/end users.
  • The service provider can't modify the content stored on its system.
  • This is where things get tricky: the service provider must also comply with rules concerning the "refreshing, reloading, or other updating of the material when specified by the person making the material available". Ordinarily this could be exploited—for instance, an infringing content provider could establish rules that require a page to refresh every millisecond so as to make caching useless. There is fortunately a limitation to unreasonable rules. If the rules unreasonably limit or impair intermediate storage they will not interfere with the limited liability of the caching service provider.
  • Provided that the technology associated with the content doesn't (1) unreasonably impair caching, (2) go against industry standards, or (3) phish or extract data from the service provider's system (except already available information), a service provider who caches that content can't interfere with or alter the functionality of the technology associated with the content.
  • The service provider must comply with the content provider's access conditions with respect to individual users. For instance, the content provider may require a password or fee before cached information can be received by the end user.
  • If the content provider is himself infringing, the service provider must respond promptly to notification of infringement and remove or disable the infringing material. However, because caching must be automatic, this requirement is only necessary if (1) the infringing content has been removed from the originating site and (2) the notifying party (e.g., the copyright owner) includes in the notification a statement concerning removal of infringing content on the originating site.

If users can upload and store content. This is where sites like Veoh, YouTube, and other services that permit users to upload their own content come into play. It also includes webhosts like geocities, and blog hosts like WordPress and TypePad, that enable users to store and share content on their servers. It can even apply to forums, chat rooms, and anywhere else where users designate what is uploaded or stored on the service provider's system. This safe harbor has three major requirements:

  • The service provider cannot have knowledge of the infringement. The actual knowledge requirement provides a significant safe guard to service providers—simply being told that certain content may be infringing is rarely sufficient, and those providing notification of infringement may be required to provide appropriate available evidence in support of an infringement claim.
  • The next requirement has two parts: (1) the service provider cannot receive any direct financial benefit from the infringement, and (2) the service provider cannot have any right or ability to control infringing activity. Both parts require some elaboration. In terms of direct financial benefit, a service provider may, for example, obtain a one-time registration fee or a monthly subscription fee from an infringing user without running afoul of the safe harbor. Courts generally take a common sense approach to the financial benefit requirement and have ruled that the benefit must result directly from the infringing activity, and not generally from the user's access to the service. In terms of control, it typically must exceed the ability to block or disable content—this is common sense in light of take down notifications, discussed below. Courts have gone so far as to hold that the voluntary practice of limited monitoring to screen obvious infringements doesn't amount to control. However, the question of "control" can become a slippery slope, so monitor at your own risk.
  • As with caching, if the service provider receives adequate notification of infringement (including infringement that is patently obvious, regardless of whether the copyright owner has given notification), the service provider must take down the infringing content to qualify for limited liability. Although a service provider may refuse to take down content in response to a take down notice if it is clear to the service provider that the content is not infringing, the service provider loses protection under the safe harbor and must avail itself of the defenses that would cause the content to be non-infringing.

Linking to infringing content. This is in some ways the easiest safe harbor to understand. The infringing activity doesn't occur on any server, host, or system created by the service provider. Instead, the service provider provides an HTML link to content that is not hosted by the service provider. The qualifications are thus fairly straightforward:

  • The service provider must lack knowledge of the infringement. Even if the service provider lacks actual knowledge of the infringement it may still lose its safe harbor protection if the service provider is aware of facts or circumstances that make infringement obvious. If the service provider receives knowledge of infringement, it must disable or block the link.
  • The service provider cannot receive a direct financial benefit from the infringement. However, this requirement is only applicable if the service provider has the right or ability to control infringing activity.
  • If the service provider receives notice of infringement, they must promptly remove the link.

Notification Requirements

What must a web site do when requiring notification? Below is a very rough outline of what the DMCA Notification portion of your Terms of Service should look like if you own or operate a web site that contains a forum or other mechanism that permits users to upload content:

  • Formalities: The notification must include (1) the signature of the copyright owner or a person authorized to act on behalf of the owner; (2) the notification must state that the complaining individual is authorized to do so; (3) the complaining individual must make a statement asserting that they believe in good faith that the content is infringing;
  • Identification of the copyrighted work and infringing material: The notification must link to or include copies of the copyrighted work, or otherwise appropriately describe the content. The complaining party must also link to or otherwise direct the DMCA agent to the content that infringes on the copyrighted work in question. Note that in both of these cases, the material provided must be enough for the DMCA agent to identify and locate the content.
  • Service on a designated agent: The web site MUST have a designated agent registered with the Copyright Office, and must provide the contact information for that agent.

Exercising Caution When Sending Notifications

One important aspect of the notification requirement is a "good faith" belief that the material is infringing. Courts have found that this includes taking into account valid fair use defenses before submitting the notification. 17 U.S.C. 512(f)(2) holds complainants liable when they misrepresent an infringement. In those cases the complainant is accountable for damages, costs, and attorneys' fees.


Privacy Policies and Consumer Protection

    With more and more games being provided online and through websites as opposed to the old brick and mortar model, consumer privacy protection is an ever evolving issue. When you develop a game or product that derives data from the user it is important to take that user's privacy into consideration. To that end, you may ask yourself whether you need a privacy policy and what you need to do to comply with consumer protection laws or industry standards. In this entry I'll cover some of the legal issues that are relevant to user privacy and your obligations as a developer or website designer.

     Consumer Protection and Privacy

    In the U.S. consumer privacy is protected and enforced by the Federal Trade Commission (FTC). To protect consumer privacy the FTC relies on specific legislation such as COPPA and the Gramm-Leach-Bliley Act as well as legislation governing false advertising and deceptive trade practices under Section 5 of the FTC Act. Most businesses are not legally obligated to protect user privacy unless they promise to do so (via a Privacy Policy). There are exceptions: financial institutions, websites and businesses that collect medical data subject to HIPAA regulations, and websites, games or businesses that collect personal information from individuals under the age of 13 must comply with federal regulations by providing notice and complying with specific requirements under the law. In those cases notice in the form of a privacy policy is required. For the purpose of game development, perhaps the most relevant regulation falls under COPPA, which concerns data collection from children under the age of 13.

    The U.S. is more lax about consumer privacy and data collection than the EU. Under the EU Data Privacy Directive of 1995 EU signatories were required to implement laws and regulations in compliance with the directive. The Directive contains strict guidelines for consumer data collection. It also requires the registration of consumer databases with government agencies. If you live in the EU it is very likely that as a business you are required to handle user data in accordance with the Directive. You can find the full text here.
The EU Directive can apply to American companies that operate in the EU or exchange user information with EU companies—to that end, use of a privacy policy is required to be protected under the Directive's Safe Harbor for US companies.

    Do I Need a Privacy Policy?

    A privacy policy is a form of notice. It lets users know how their information will be used, exchanged, and stored and protected. While legally you may not be required to have a privacy policy, many businesses choose to use a privacy policy for ethical or business reasons. Certification programs like eTrust are widely recognized and many consumers won't share their personal or financial information without some kind of assurance that their privacy will be protected. This is especially true if you collect credit card or other financial information. From a business standpoint, a privacy policy may be conspicuous in its absence. While consumers may not read every line and verse of a privacy policy, they still expect to see one.

    What Does my Privacy Policy Need to Include?

    The most dangerous thing you can do when creating a privacy policy? Make a promise you don't intend or aren't able to keep. While you may not be required to protect user privacy by law, you are absolutely required to comply with your own privacy policy. Failing to do so will expose you to liability under the FTC's deceptive practices regulation. This is incidentally how most companies get into trouble—they promise to protect user data but then engage in data management that doesn't fulfill the promise made in the policy. For this same reason, it's important to keep your policy up to date.

    Bearing that in mind, below is what a functional privacy policy will include:

    1. Introduction—this includes the company name, the business you're engaged in, and special instructions (e.g. parental verification)

    2. Description of what information is being collected—having a user fill out a form and stating the information collected from that form should be obvious. However, this also includes the personal information that is passively collected such as information logged by your server or collected by a third party program that is integrated in your site or game.

    3. Method of Collection—Explain how you're getting the information from the user, whether it be automated, passive, or via form.

    4. Description of the use of the information—how do you plan on using the information? Who has access to the information? Do you need to share this information with third parties, and if so, who? Are you going to sell this information to marketing or advertising firms? Honesty is the only policy here. If you need or want to share user information with third parties for any reason, you need to say so.

    5. Storage/Protection—this is another area where honesty is the only policy. If you decide to describe the technology by which you plan to store and protect user privacy, make sure you a) accurately describe that technology and b) update your policy whenever you change that method.

    6. Contact information—Give several options and make sure users are able to contact you to discuss their privacy. This includes e-mail, a phone number, etc.

    7. Compliance with regulations—you may be required to comply with federal or international regulations. If that's the case, you have to include everything those regulations require.

    Regulations and Regulation Compliance

    The Children's Online Privacy Protection Act

    COPPA pertains to websites and businesses directed to children that collect data from children under the age of 13. If your audience includes minors 13 or younger and you're collecting their e-mail, address, or other personal info, here's what you need to know:

    1. You must have a privacy policy. The policy must state a) what information is being collected, b) how that information will be used, and c) who will have access to that information (disclosure policy).

    2. You need a way to obtain verifiable parental consent. You have some options here:

        a) Provide a form that the parent can fill out and send;

        b) Require the parent to use a credit card in connection with a transaction;

        c) Provide a phone number where parents can call in their consent;

        d) Get consent via e-mail from the parent, provided the e-mail contains a digital signature.

    3. You need to provide a method by which parents can make requests concerning the child's personal information—this includes destroying that information or refraining from selling or sharing that information.

    You should carefully review the COPPA FAQ. Not only can it provide specific guidelines for compliance, but you may also be eligible for certain exceptions.

    State Laws That Require Privacy Policies    

    California law requires that any website or operator who collects private information from California residents must provide a privacy policy if the user data is being sold or shared with third parties. The policy must also provide a method for opting out or full disclosure—i.e., something the consumer can send in to request that the information not be shared or, in the alternative, receive a list of the third parties who have purchased or received that consumer's personal info.

    The FTC provides a comprehensive guide for managing user data. This information will help you organize your own policies and best practices for consumer and employee data management.