Computer and Internet Law

I had an IM (instant-messaging) discussion with a photographer friend last night concerning her practice of posting photographs on various wallpaper websites for free, non-commercial use. Among other things, we discussed legal protections for those photographs, and the difficulties of maintaining identification and copyright information associated with them – especially given the speed and ease with which data is distributed over the Internet, and with which attribution and licensing information may be lost or discarded.

During the discussion, I took another look at the Orphan Works bills currently pending before the United States Senate (S. 2913) and House of Representatives (H.R. 5889) – which she, and apparently many of her photographer colleagues, had not heard of. Both bills were introduced on April 24, 2008. The Senate version has been considered and revised in committee, and recommended for the entire Senate. However, the revisions do not appear to address all of the issues and concerns raised by the various photography and visual artist trade groups. (See, e.g., the Stock Artists Alliance Orphan Works Blog.)

While I will reserve my own judgment of the Act until it is enacted in its final form, I did recommend to my friend that she avoid letting her works become ‘orphans’ in the first place by embedding her identification and copyright information directly into her photographs as prominent watermarks. Up until now, she had simply included her contact information and licensing restrictions as separate text or meta-data.

While my recommendation would certainly decrease the visual appeal and popularity of her photographs, it may be the best preemptive measure in light of this pending legislation. Few downloaders will go through the trouble of separately copying unattached text for their records. Meta-tags do not guarantee the same level of ‘permanence,’ especially given the ease with which meta-tags may be inadvertently or intentionally removed by others. Of course, watermarks may also be removed with sufficient application of time and photo-editing expertise. However, that may require much more effort than most downloaders are willing to expend.

On July 22, 2008, Robert Soloway was sentenced to 47 months in federal prison for violation of the federal CAN-SPAM Act of 2003. [Article] This sentence follows two civil judgments in 2005 against Mr. Soloway related to the sending of spam mail – one in favor of Microsoft for over $7 million dollars, and a second in favor of an Oklahoma internet service provider for over $10 million. [Article]

Mr. Soloway is not the first person to fall afoul to the CAN-SPAM Act, nor will he be the last. Since the CAN-SPAM Act may serve as a basis for both civil and criminal liability, it is important that all business owners advertising via e-mail, either directly or through an ‘affiliate’ program or third-party advertiser, understand its provisions.

The CAN-SPAM Act (Controlling the Assault of Non-Solicited Pornography And Marketing Act of 2003, 15 U.S.C. § 7701 et seq.) restricts, but does not prohibit, the sending of unsolicited commercial electronic mail messages. A commercial electronic mail message is defined as “any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service (including content on an Internet website operated for a commercial purpose).” (15 U.S.C. § 7702.) Unsolicited commercial electronic mail messages must comply with certain requirements, including, but not limited to: accurate e-mail header information; non-deceptive subject lines; clear and conspicuous identification of the e-mail as an advertisement or solicitation, or as containing adult materials, if appropriate; provision of a valid unsubscribe or opt-out mechanism; and the inclusion of the sender’s postal address. (15 U.S.C. § 7704.) Furthermore, the sender must comply with opt-out requests within a certain short period of time.

It is also important to note that the CAN-SPAM Act does not only apply to the e-mail sender. Instead, a person or business whose products are being promoted by the e-mails may also be liable under the CAN-SPAM Act if the person or business: knew, or should have known, that the products were being promoted in the e-mails; received, or expected to receive, an economic benefit from the promotion; and took no reasonable action to prevent the transmission, or detect the transmission and report it to the FTC. (15 U.S.C. § 7705.)

Finally, while the CAN-SPAM Act expressly supersedes many state laws that regulate commercial e-mail messages (see 15 U.S.C. § 7707), it permits states to maintain laws governing false or deceptive commercial e-mail messages, laws not specific to e-mail, and laws related to fraud and computer crime. Furthermore, other states have enacted statutes to protect the privacy rights of children, Internet users, etc.

[Note: The FTC occasionally updates the CAN-SPAM Act. Its most recent update (16 C.F.R. § 316, effective July 7, 2008) supplements several definitions and clarifies some ambiguities - and perhaps most importantly, bars an e-mail sender from imposing opt-out fees, and limits the number of steps that the recipient must undertake in order to opt out of future e-mails.]

Over the next few weeks, I will discuss recent, noteworthy legal developments that occurred prior to the launch of this blog. The first development pertains to the Ninth Circuit’s decision in Quon et al. v. Arch Wireless Operating Co. Inc. et al., 529 F.3d 892 (9th Cir. 2008), filed on June 18, 2008. [Decision]

In Quon, the City of Ontario had a Computer Usage, Internet and E-Mail Policy, which Quon acknowledged, and agreed to comply with, as part of his employment. However, the City failed to enforce the policy. In fact, the City acted contrary to the policy by allowing its employees to avoid audits of their cell phone usage so long as they reimbursed the City for overage charges, which Quon did.

When the City subsequently enforced the Policy, the plaintiffs sued the City, wireless provider and other defendants for invasion of privacy. The Court noted that the Policy may have been enforceable if the City had complied with it. However, the Court found that the plaintiffs enjoyed a reasonable expectation of privacy in their cell phone text messages – notwithstanding Quon’s prior agreement to the Computer Usage, Internet and E-Mail Policy – due to the City’s inconsistent and contrary conduct (the “operational reality”) with respect to that Policy.

This decision ultimately serves as a strong reminder that employers may inadvertently undermine their computer, Internet and e-mail policies by acting inconsistently with those policies. Employers should take special care not to do so, and emphasize such care to their supervisors and managers, especially given the importance of computer, Internet and e-mail data in discovering instances of employee misconduct.

CNN posted an article yesterday concerning charges brought against a former TV anchor for accessing a colleague’s e-mail accounts and releasing details of her personal life. [Article] The charges arise from the Computer Fraud and Abuse Act (18 U.S.C. § 1030), which was passed in 1986 to address the hacking of computer systems.

While the charges brought against the former TV anchor are of a criminal nature, many employers and attorneys do not realize that the Computer Fraud and Abuse Act may also be used in civil litigation, particularly against any wrongful conduct perpetuated by competitors, former employees, etc. Specifically, a civil claim under the Computer Fraud and Abuse Act may be brought against any person who:

knowingly causes the transmission of a program, information, code or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;

intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or

intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage;

provided that the conduct (or attempted conduct, if it had been successful) causes, or would have caused, a loss of at least $5,000.00 in value during a one year period.

The Computer Fraud and Abuse Act also provides a claim against those who knowingly, and with intent to defraud, traffic in computer passwords or any other information that would allow a computer to be accessed without authorization, provided that such trafficking affects interstate or foreign commerce.