Fall 2003 Cyberlaw Sample Answer by Eric Goldman

Fall 2003 Cyberlaw Sample Answer
by Eric Goldman

Introduction

This exam went way off course.  I’m not sure how things went so far wrong, but I’ve never had a set of exams that were so far removed from what I was looking for.  So if this sample answer does not look like yours, you are not alone!

I’ve been thinking carefully about what happened and I’ve come up with at least five hypotheses to explain this unexpected development:

  • the exam was too hard.  This was a hard exam, but I had hoped it was not so far beyond the skill level of the class.  I designed it as more of a thinking exam than past ones in light of the changes I made to the course.  Perhaps I went too far.
  • I did a poor job teaching the course.  I did change the course around to focus on less cases and rules but to do so in more depth.  I made these changes based on feedback from prior classes, and I personally thought it worked pretty well.  However, the number of gross misstatements of the law, and misapplications of the laws to the facts, makes me question how good a job I did.
  • students didn’t adequately prepare for the exam.  This may just be my paranoia, but I worry that students did not adequately prepare based on the combination of having the class notes and the open book exam.  Conspicuously, I got exactly one question about course material between the last class and the exam.
  • students are overrelying on old exams.  I change the course around pretty significantly from year-to-year, in part to reflect changes in the law, so the prior exams and sample answers may end up looking easy because of the changes in the law or to the course.  The old exams are great for showing the style of questions I ask, but I can assure you that none of them were particularly easy when given.  This is a primary reason why I don’t think this exam was that much harder than previous years’ exams.
  • students didn’t spend enough time thinking about the questions and getting their hands dirty with the facts and the cases we discussed.  I got an unprecedented number of answers where the students knew that they had to discuss a legal doctrine but appeared to have no idea what facts implicated the doctrine.  As a result, many answers accurately discussed the rules reasonably correctly but could not tie the rules to the facts.  Perhaps deeper thinking about the problem would have helped with issue-spotting.

Whatever the case, the wide range of answers created a grading problem for me.  After I got over my initial shock of how “off” the exams were, I decided to read all of the exams before grading any of them.  From that, I developed a baseline of what students were able to do on this exam and tried to adjust my expectations against the baseline.  Even so, there were several exams that had such significant issues (even when compared to the peer group)—misstatements of the law, misanalysis of the facts, missed issue spotting—that I could not in good conscience extend the B range far enough to cover them.  There were 2 As, 2 ABs, 10 Bs, 5 BCs and 1 C.

A note about the computer usage.  13 of you typed your exams and 7 wrote bluebooks.  7 of you downloaded the exam electronically and 8 of you returned the exam by email.  Some stats about word counts:

Q1

Q2

Total

Cap

2400

600

Average

1410

398

1808

Median

1385

427

1869

High

1901

553

2454

Low

745

174

919

Question 1

Fundamentally, this question requires you to identify that Google and Tripod each serve third party content and to discuss their risks for intermediary liability both for the content they serve and that their advertising partner serves. Thus, I would divide the analysis into two categories: liability for the ads and liability for Tripod-served content.

Liability for the Ads

Copyright

 

The Google-served ads could contain infringing copyrighted material.  The facts don’t explain the exact process the ads are created.  It could be that the advertisers deliver the ads to Google, that Google prepares the ads on an automated basis, or that Google manually prepares the ads for each advertiser.  Let’s assume for the moment that the advertiser prepares the ads and delivers them to Google for serving.  The advertiser could intentionally or unintentionally infringe third party copyrights when preparing the ad content.

Because the ad content is so brief (maybe 10 words?), it seems unlikely that many ads will contain enough content to constitute copyrightable expression above and beyond the facts and ideas being expressed.  If anything, the ads look a lot like uncopyrightable slogans.  However, copyright can be found in surprisingly small increments of content, so it remains a risk.  The thin layer of copyright protection suggests that fair use might excuse any infringement, but we would need to apply the factors to a particular situation to know.

Let’s assume that an advertiser’s content infringes and is not fair use.  Because Google serves the ad, it will be reproducing and distributing the content.  On this basis, Google could be liable for direct copyright infringement.  If Google manually prepared the ad, this claim is clearly supportable.  However, if advertisers upload the content to Google on an automated basis for Google’s serving, Google is acting just like a web host.  Some case law has rejected direct copyright infringement for web hosts, and Google can also insulate itself from direct copyright infringement liability for hosting and serving the infringing content using 17 USC 512(c).

Google has a more serious risk of contributory copyright infringement.  They could be considered to materially contribute to the infringement merely by hosting and serving the infringing content.  If so, that raises the issue of scienter.  We had initially thought a 512(c)(3) notice was required to trigger knowledge, but the courts have not been requiring that.  Instead, Napster used a very loose standard of knowledge, although in that case the record companies still had to send some form of notice.  Grokster applied a more rigorous standard for knowledge.  Where would Google fall?  It does have some “knowledge” about the ads—at minimum, what words are associated with each ad—but we’d like to think that knowledge about the keywords, without more, is insufficient to meet the contributory infringement test.

Google also has some risk of vicarious copyright infringement.  Even under a rigorous standard for “direct financial interest,” Google’s profit-making for each delivery of an ad would qualify.  What about its “right and ability to supervise”?  We don’t know what’s in the advertising agreement between Google and the advertisers—it seems likely that Google has placed a “we can do whatever we want” clause in the contract just like every other online entity, but we don’t for sure—but we do know that Google’s system automatically associates ads with keywords.  Is this enough to say that Google can “supervise” those ads?  I could certainly make an argument that it does.

The DMCA 512(c) safe harbor theoretically was intended to provide Google a safe harbor from the risks of contributory and vicarious infringement, although we haven’t seen it actually help in practice.

Let’s now look at Tripod’s risk of liability for copyright infringement due to the ads’ content (assuming again that the content infringes and is not fair use).  Tripod does not host the ad, so I can’t think of a principled way to put Tripod on the hook for direct infringement.  Instead, Tripod implicitly “in-line links” the ad by pulling each ad into its page, so I would analyze Tripod’s risk for in-line linking to infringing content.

I still have problems articulating the prima facie case of how linking to infringing content is contributory infringement, but we have plenty of cases suggesting that linking can constitute infringement (Napster, Aimster and Grokster are all recent examples).  But under the Grokster standard, does Tripod know the ad infringes at a time when it can do something about it?  Unlike Google, Tripod has no knowledge about what ad will be served, since Google dynamically makes the association between the Tripod-passed keyword and the particular ads that will be served.  Tripod can stop passing keywords if they will invariably lead to infringing ads, but Tripod has to have some basis to know that.  At minimum, I think this reduces or eliminates Tripod’s risk of contributory infringement prior to receiving an adequate level of knowledge of infringement.  A 512(c)(3) notice should be sufficient to require Tripod to do something, although I’m not sure what they would do other than inform Google.

I have similar problems finding vicarious infringement by Tripod.  It’s fair to assume that Tripod has direct financial interest in the infringement based on whatever compensation is paid via the Tripod/Google agreement.  However, I have difficulties thinking of how Tripod has the right and ability to supervise the infringing activity.  Maybe a “we can do whatever we want” clause in the Tripod/Google agreement would enable that argument.  Otherwise, Tripod doesn’t know what ads will be served until Google serves them, so I’m not sure how we can find a supervisory capacity.

In theory, 512(d) could provide a safe harbor for linking to infringing content, but we have yet to see that safe harbor provision work.

In summary, I think Google has a meaningful risk of being contributorily or vicariously liable for any ad content that infringes a third party’s copyright and is not fair use.  However, I don’t think Tripod has a particularly significant risk of copyright infringement for the ads.

Trademark

The ads could also infringe third party trademarks in at least two ways: (1) the ad content, and (2) the process of associating ads with keywords.

We don’t have a lot of facts to analyze the former situation, so I’m going to focus on the latter.  In that situation, Tripod could pass to Google a third party trademark as the keyword.  Google could have sold that trademark as a keyword to advertisers—competitive or otherwise—resulting in an ad being displayed for the sole reason that the third party trademark appears in the content of the web page (or, more unlikely, that Tripod makes an association with a third party trademark even though it is not used on the web page at all).

An argument can be made that the appearance of such an ad can create consumer confusion.  If the ad content creates the confusion, then this situation merges with the first scenario and the keyword association is not the problem.  Alternatively, the appearance of the ad on a page could cause initial interest confusion, especially if the ad is for a competitor.  Under those situations, the competitor is getting access to consumers who might be interested in the trademark and, in theory, trying to divert them.

There has been a little litigation over the use of keywords as triggers for ad content, but it’s been irresolute.  Although I generally disfavor initial interest confusion as a doctrine, in this context I find any claim particularly uncompelling.  The ad’s layout and combination with other ads does not seem especially “diverting” to me.  Further, under Welles, a good argument could be made that the keyword usage constitutes nominative fair use.  However, under Promatek, we probably have a prima facie case of initial interest confusion.

Let’s assume for a moment that the process of associating an ad with a third party trademark violates trademark law.  Could Tripod or Google be liable for direct trademark infringement?  The multi-factor likelihood of confusion test is impossible to apply to this scenario, and the nebulous standards for initial interest confusion would seem to point towards the advertiser as the direct infringer.

Assuming the advertiser is directly infringing trademarks through the purchase of a keyword that’s a third party trademark, can we find contributory liability?  The test for contributory trademark infringement is continuing to supply the product knowing it’s being used to infringe, but the Lockheed case has modified that in the services context to look at the degree of control the service provider has over the means used to infringe.  Google would try to argue that it, like NSI, provides rote translation services—the advertisers pick the keywords they want, Tripod passes the keywords, and Google merely makes the match.  However, we know that Google does more: first, I would be surprised if they don’t play a non-passive role in determining which keywords are available for sale and at what price, and second, Google hosts the ads.  Thus, I think a credible argument can be made that Google has more control over ads than NSI had over web content at domain names.  Thus, Google does have some risk of contributory infringement.

I feel less comfortable about Tripod’s liability.  True, Tripod is picking what keywords to pass to Google, but Tripod has no idea what ads Google will select in response.  For example, if Tripod passes a third party trademark to Google, Google may very well only serve up ads from the third party trademark owner.  Thus, it seems that Tripod has far less control over the infringement than Google does.

In either case, Google and Tripod could try to argue that they are innocent printers/publishers under 15 USC 1114, which if established would remove damages from the equation.

Other Content-Based Liability

The ad content could violate other laws: false advertising, obscenity (it seems hard for just text to be obscene, but hypothetically it could), defamation, etc.  Here, 230 casts a long shadow.  Both Tripod and Google would claim to be interactive computer services, claims that appear to be supportable based on the case law interpretations of the term.

Tripod and Google would also claim that the ad content constitutes information provided by another information content provider (the advertiser).  For Google to make this claim, we need more information about exactly how the ads are prepared.  If Google manually writes the ads for advertisers, then I think it would be responsible, at least in part, for the development of the content, and 230 would not be available.  But even if Google creates the ad content in an automated fashion (such as by scraping the advertiser’s site), I think it can claim that the ad content is provided by a third party so long as the advertiser writes the scraped content.  In all cases, Tripod should have no problems claiming that the ad content is provided by a third party (whether Google or the advertiser).

If Google and Tripod can claim 230, then the liability for the ad content is virtually nil.  The ECPA remains a claim, but I cannot in any way think of how the ECPA would apply to ad content (more on the ECPA in a moment).  Federal criminal law could also apply, but I think that scienter will be a prerequisite for liability, which in this case should necessitate at least some form of notification from the government.

Privacy

I was hoping that you would spot the similarities between this fact pattern and the Pharmatrak case.  In each case, a third party uses a web bug and captures information about page contents.  In Pharmatrak’s case, that opened the door to ECPA liability.  What about here?

There are, of course, differences between this fact pattern and Pharmatrak’s.  Let me identify at least two crucial ones.  First, Google interacts more with the web visitor than Pharmatrak did.  While Pharmatrak merely reported information back to the website operators, Google uses the information to serve an ad to the web visitor.  Second, Google does not gather information directly from its web bug.  Instead, Tripod passes the information to Google.

I think the latter fact is fatal to an ECPA claim.  Google is not “listening in” to the transmission between the website and the web visitor in real time; instead, it is acting on the information provided to it by Tripod.  We also have issues about whether there is a private communication.  Certainly when I publish my web pages to the world, I can’t claim those are my private communications.  However, I think Tripod could end up serving ads on pages that have some potential claims for privacy—consider, for example, if I were to build a web page with a “private” URL that I provide only to one person and never publish publicly, the content on that web page might very well constitute a private communication.  Tripod may also be able to reduce or eliminate the ECPA risk through its user agreement.

However, I don’t think the privacy issues are limited to the ECPA.  Tripod is reporting information about its web users to a third party (Google).  If Tripod claims in its privacy policy that it never provides information about its web users to a third party, this would be a violation.  We could potentially find a technical violation even if Tripod says it will never provide personal information to third parties.  I can imagine pages where Tripod’s automated processes would capture personal information (email, phone number, name) as a keyword to pass.

Liability for Tripod-Hosted Content

I also wanted you to consider if this process changed Tripod’s risk of liability for content it hosts and serves, and if Google may become liable for the Tripod-hosted content.

With respect to Tripod, the process of automatically scanning each page and distilling the content into keywords gives Tripod some additional insights into the page, perhaps enough to constitute more “knowledge” for scienter purposes.  With that additional “knowledge,” one could further argue that it has more control over the contents or more right and ability to supervise the content.

This additional insight/knowledge/control is irrelevant for 230 purposes.  However, for copyright and trademark infringement purposes, this could further increase the risks that Tripod is liable for the content that it hosts.  If I’m plaintiff’s counsel and Tripod tries to argue that it is a passive host of content that the user solely controls and that it has no idea what’s going on with those pages, I’m going to argue that this program belies those statements.

Also, to the extent it matters, this program should confirm that Tripod has a direct financial interest in any infringing content it hosts.

As for Google, there’s a strong argument that it has a direct financial interest in the Tripod-hosted content as well.  However, I think it would be tough to show that Google has any control or supervisory ability over that content.  Google might get knowledge of infringement through other means (e.g., a 512(c)(3) notice) but this program doesn’t really change that.

Comments on Student Answers

A number of you wrote about trespass.  There is a very minor trespass issue here arising from Google’s serving of the ad to a user’s computer.  In theory, the user could try to argue that Google is trespassing the user’s computer.  I think it’s a very hard claim to support, but it was OK to mention in passing.

However, a number of you argued, in various forms, that Tripod was either (a) trespassing its own servers, which is a logical impossibility (they own the chattel), or (b) trespassing the intangible contents of my website, which is also logically impossible (trespass applies to chattels, and you have to make very aggressive arguments to treat intangibles as chattel).

A few of you also argued that Google was trespassing the advertisers by scraping their sites.  While Google could theoretically scrape an advertiser’s site to build ad content, you have to make a lot of aggressive assumptions for that conduct to reach trespass (the most obvious assumption being that although the advertiser has voluntarily chosen to advertise through Google, they don’t want Google to scrape ad content).

As you can see, most trespass arguments were not very convincing and thus were usually detrimental to your score.

Some of you discussed Tripod’s responsibilities under COPPA.  There were no facts to support the discussion.  A COPPA claim requires that Tripod’s privacy policy says it won’t pass data, and then Tripod must breach the privacy policy.  In other words, I don’t think there’s anything unusual or different about Tripod’s obligations here under COPPA compared to general privacy/contract law.

Some of you discussed Tripod’s liability for copyright infringement for passing the keyword to Google, arguing that the keyword was protected by copyright and Tripod infringes by copying the keyword to Google.  Although copyright protection has been found in very small units of expression, it strains credibility to argue that a single word can infringe copyright.  Even if Tripod passes a multi-word keyword, this argument is very aggressive.

Some of you discussed the risk that Tripod might mislabel a website (for example, pick a pornographic keyword for a site that is not pornographic in nature).  If Tripod did this, and if this met the standards for defamation, note that 230 would not protect Tripod from liability because Tripod (instead of a third party) is doing the labeling itself.

Several of you argued that Tripod (and in some cases Google) would qualify for the 512(a) safe harbor.  I know that’s not the intent of the subsection, although on a textual basis the topic seems open for discussion.  However, under the definitions in 512(k), the safe harbor in 512(a) is available only for “an entity offering the transmission, routing, or providing of connections for digital online communications, between or among points specified by a user, of material of the user’s choosing, without modification to the content of the material as sent or received.”  I think this definition poses a number of problems to the 512(a) argument, most noticeably that the service provider is routing or providing connections for “material of the user’s choosing.”  This could apply to the Tripod-hosted content but I have a harder time applying this to the Google-served ads (unless Tripod takes the position that Google is the “user,” or unless Google takes the position that the advertiser is the “user”).

Question 2

I had thought this was an easy question: 30 minutes, a couple of issues, no problems.  I didn’t expect so many of you seemed to take the advertising content at its face without questioning its veracity.  If you accepted the statements on their face, you were likely to miss everything.  This particularly surprised me because the email is internally contradictory (how it tries to describe how it got my email address).  You need to be a healthy skeptic of what people say!

There are four major claims to consider: violation of anti-spam laws, trespass/CFAA, breach of contract/privacy policies and false advertising.

I think the best way to analyze the issue is to consider the different ways that the sender got my email address:

  • I sent articles through their website.  Many sites now have “email-this-article-to-a-friend” functionality.  But did they tell me that they were collecting my email address?  Did they say they were not?
  • I received articles from someone else that were sent through a “send-this-article-to-a-friend” function.  If this occurred, I never gave my permission for anything (if anyone gave “consent,” my “friend” did).  For that matter, I never voluntarily formed any relationship with the site at all.
  • I contacted the site with a question or comment.  If this is true, what was the nature of the contact?  Was I asking for technical support?  Was I asking them to remove my email address from their database?  Or did I have an ongoing relationship with them and my question or comment was part of that?
  • None of the above, and they lied.

With this framework, let’s look at the causes of action:

Breach of Contract/Privacy Policy

To support this claim, we would need to find evidence that the website promised not to email me and breached the promise.  So we would like to find the contract or privacy policy that was displayed to me when I interacted with the site.  What did those terms say?  Also, we would like to see if the contract was properly formed.  Where were the terms displayed, and how did I manifest assent?

Anti-Spam Laws

The various state anti-spam laws are recently mooted by CAN-SPAM, but they were relevant for purposes of this class and exam.  To identify the potential risks, we would need to know which state’s laws applied, what they restricted and who could enforce them.  Some of the core questions that seem likely to arise: was there actually a previous existing business relationship?  How was the spam labeled? Was the subject line accurate?  Was the routing information accurate?  Did the spam give me a chance to opt-out?  (Notice they claim that this is a one-time mailing—does that actually comply with the law?  And do we believe them?).

False Advertising

If the statements made in the email were false (i.e., I never contacted them as they claimed), that could potentially support a claim for false advertising.

Trespass/CFAA

Like any unwanted bits using my computer resources, the email can support a trespass to chattels claim.  But to determine if there’s an actual claim, we need to know more information.  If the common law applies, did I remove any actual or implied consent to the email, such as through notice or technological self-help?  If the Intel v. Hamidi rule applies, did I actually experience harm to my chattel, such as a computer crash due to this email?  Note that despite language in the opinion to the contrary, under the Intel case, a single email could theoretically cause sufficient damage to the chattel to support a claim.  So we would want to look for evidence of damage to my computer.  Without such damage, I believe that the trespass to chattels claim will fail.

Whenever you see trespass to chattels, you also want to consider the Computer Fraud & Abuse Act.  The critical prerequisite here will be $5,000 of damage.  Although the definition of damage is more inclusive under the CFAA than Intel, I still have a hard time thinking how I could claim $5,000 from damage to my personal computer.

Visit Full Blog