The issue in New York arose when Netscape Communications Corp. was the defendant in three related actions for alleged violations of the Electronic Communications Privacy Act and the Computer Fraud and Abuse Act. Netscape tried to enforce a provision of an online licensing agreement to compel arbitration in these cases.
In this case, Netscape provided a free software program called "SmartDownload." To obtain this software, users could go to a Web page with a button labeled "Download." At the bottom of that page was the statement "[p]lease review and agree to the terms of the Netscape SmartDownload software license agreement before downloading and using the software." When the agreement itself was opened by clicking on the provided hyperlink, the agreement read that by installing or using the software, the individual or entity consented to be bound by the terms of that agreement. The court, however, found that under California law, affirmative assent is required for an agreement to be binding, stating "…downloading is hardly an unambiguous indication of assent. The primary purpose of downloading is to obtain a product, not to assent to an agreement."
Promises become binding when there is a meeting of the minds and consideration is exchanged. So it was at King’s Bench in common law England; so it was under the common law in the American colonies; so it was through more than two centuries of jurisprudence in this country; and so it is today.
New European Commission Personal Data Transfer Safe Harbor
In 1998, the European Commission (EC) issued a Directive on Data Protection. This directive restricted the flow of information from organizations in European countries to organizations in countries that the EC deemed to have inadequate privacy protections. Because the United States chose a self-regulating model for privacy on the Web, it was deemed to have inadequate privacy protections, so exporters (from Europe) and importers (in the United States) of data (including related company transfers) could be subject to sanctions, as well as liability to any individual whose privacy was violated, for any violations of the directive.
Any U.S. entity receiving data from an entity in the European Union is governed by these rules, whether the transfer occurs as part of an acquisition, licensing arrangement or database-sharing arrangement. The restrictions even apply to exchanges of data within a multinational corporation, such as a transfer of personnel records, although the International Chamber or Commerce in Paris is negotiating with the EC to obtain a safe harbor for such internal transfers in the future.
In September of 2000, the European Union and the United States derived the "E.U. U.S. Safe Harbor" in an effort to develop a standard that would protect U.S. companies from being sanctioned or sued based on the directive. To qualify for the safe harbor, a company must apply to the U.S. Federal Trade Commission (FTC) with certain representations and audit requirements. All companies accepted into the safe harbor program are deemed to have adequate privacy protections for purposes of complying with the directive. To date, very few companies have even applied for the safe harbor, in large part because the application must go through the FTC, is public, and puts the EC on notice that one is transferring data between the EC and the U.S. For these reasons and others beyond the scope of this article, the safe harbor program has largely been a failure.
In 2002, however, a new safe harbor alternative became available for U.S. companies to comply with the directive. U.S. parties can qualify for this new safe harbor by including certain specific clauses in contracts with the European companies who send them data. Such clauses include the obligations to process the data only on behalf of the data exporter; to implement certain security measures before processing the data; to permit audits of the data processing facilities; and to notify the exporter of any demands by law enforcement agencies to view such data, of unauthorized accesses, and of requests from data subjects.
‘Spiders’ and ‘Bots’ Can Bite Their Owners
Companies use a variety of techniques to mine data from their competitors on the Internet. The most common tools to do this are data mining software programs commonly known as "bots" or "spiders." While this is a still-developing area of the law, a number of potential categories of causes of action can be brought against companies that employ "bots" or "spiders" for data mining on the Web:
1) breach of contract2) trespass to chattels3) intellectual property infringement4) breach of the Computer Fraud and Abuse Act5) common law claims related to business interference which vary state to state (i.e., misappropriation, interference with prospective economic advantage, unfair competition, unjust enrichment etc.).
To date, only two cases have directly examined these issues. Both were cases for injunctive relief in the commercial context and in both cases relief was granted, preventing the defendant from continuing to use its "bot" or "spider." The two cases were eBay, Inc. v. Bidder’s Edge, Inc., 100 F. Supp. 2d 1058, 54 U.S.P.Q.2d 1798 (N.D.Cal. May 24, 2000) (No. C-99-21200 RMW) and Register.com, Inc. v. Verio, Inc., 126 F. Supp. 2d 238 (S.D.N.Y, December 8, 2000) (No. 00 CIV 5747 (BSJ)).
The eBay case concerned Bidder’s Edge (an auction aggregation site) and its use of bots to obtain pricing information from eBay. Bidder’s Edge would permit its users to run a search on an item and Bidder’s Edge would supply the prices at various auction sites, saving the user from having to check each site independently. Ebay sued Bidder’s Edge alleging 1) trespass to chattels, 2) false advertising under the Lanham Act, 3) federal and state trademark dilution, 4) violation of the Computer Fraud and Abuse Act, 5) unfair competition, 6) misappropriation, 7) interference with a prospective business advantage and 8) unjust enrichment. The court upheld a number of these causes of action in granting eBay an injunction restraining Bidder’s Edge. While the injunction was on appeal in the 9th Circuit Court of Appeals, 28 well-known law professors from around the country filed an amicus brief on behalf of Bidder’s Edge, detailing why they felt the decision was incorrect and bad public policy. Unfortunately, Bidder’s Edge subsequently went bankrupt and settled the claims out of court. Today, eBay permits auction aggregators to access its site for a fee. Because this fee is smaller than the cost of litigation and still permits auction aggregators to maximize their market opportunity, it does not appear that these practices will result in another challenge in the near future.
The Register.com case concerned Verio (a Web hosting site) and its use of bots to gather contact information for parties who purchased a domain name through Register.com. Overnight, the Verio bots would gather the contact information for all new registrants through Register.com and Verio would then contact these registrants the following day to try to sell them its hosting services. Register.com sued Verio alleging breach of contract, trespass to chattels, breach of the Computer Fraud and Abuse Act and violations of the Lanham Act. The court granted the injunction and Verio is currently appealing the decision to the U.S. Court of Appeals for the 2nd Circuit.
Since these cases were injunction cases, the courts considered only whether there was a reasonable likelihood that the causes of action would succeed on their merits. No final decision on the merits of these causes of action, nor any ruling regarding damages, was rendered in either case.
Admittedly, awards of damages against users of bots or spiders are speculative and may end up being quite small. The Verio court acknowledged that determining an amount of damages under trespass recovery theories could be extremely difficult. The allegations concerning the amount of lost system usage due to the data mining were very controversial, speculative and were never resolved in these cases. It is difficult to ascertain what the damages would be even if these causes of action were accepted and decisions were made against the defendants. Ultimately, however, there are more than enough indications that entities may be liable for using these technologies and companies should consider obtaining the consent of Web site owners before sending in their bots or reconsider using such technology at all.
Sharon R. Klein and Neil Boyden Tanner