Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.



Published on

  • Be the first to comment

  • Be the first to like this


  1. 1. E- enterprise Liability <ul><li>Liability Requirements (how to incur liability): </li></ul><ul><ul><li>By law </li></ul></ul><ul><ul><li>By contract </li></ul></ul><ul><ul><ul><li>Promise of a duty to perform </li></ul></ul></ul><ul><ul><ul><li>Implied promise of a duty to perform </li></ul></ul></ul><ul><ul><li>By Tort </li></ul></ul><ul><ul><ul><li>intentional (libel and slander) </li></ul></ul></ul><ul><ul><ul><li>negligent (lack of reasonable care in handling information) </li></ul></ul></ul><ul><ul><ul><li>strict liability (limited to statutory acts, such as blasting) </li></ul></ul></ul><ul><ul><li>By Relationship </li></ul></ul><ul><ul><ul><li>Husband-to-wife, parents-to-children, guardians-to-children </li></ul></ul></ul><ul><ul><ul><li>Business relationship: master/servant, principal/agent </li></ul></ul></ul>
  2. 2. E- enterprise Liability <ul><li>Duties of Internet Services Providers: </li></ul><ul><ul><li>Protect Lawful Copyright Holders </li></ul></ul><ul><ul><ul><li>Against infringement by subscribers who post material to ISP site. </li></ul></ul></ul><ul><ul><ul><li>Millennium Act: holds ISPs liable for copyright infringement jointly with subscriber if: </li></ul></ul></ul><ul><ul><ul><ul><li>ISP is informed by the copyright holder of the infringement, and (1) does not inform the subscriber of the complaint, or (2) does not remove the infringing material from the web within a reasonable time. </li></ul></ul></ul></ul><ul><ul><ul><ul><li>ISP not liable if the subscriber refutes the copyright holder’s claim, and the copyright holder does not sue subscriber. </li></ul></ul></ul></ul>
  3. 3. E- enterprise Liability <ul><ul><li>Protect the Public at Large </li></ul></ul><ul><ul><ul><li>Against libel: libel is a method of defamation expressed by print, writing, pictures or signs. Defamation is an intentional false communication, either published or publicly spoken, that injures another’s reputation or good name. </li></ul></ul></ul><ul><ul><ul><li>Against slander:the speaking of base and defamatory words tending to prejudice another in his reputation, community standing, office, trade, business, or means of livelihood. </li></ul></ul></ul><ul><ul><ul><li>If an ISP allows a subscriber to defame someone using the ISP’s bulletin board: </li></ul></ul></ul><ul><ul><ul><ul><li>Is it libel or slander? </li></ul></ul></ul></ul><ul><ul><ul><ul><li>Is the ISP liable, jointly with the subscriber? </li></ul></ul></ul></ul>
  4. 4. E- enterprise Liability <ul><li>Duties of Internet Services Providers (continued): </li></ul><ul><ul><li>Protect the privacy of subscribers: </li></ul></ul><ul><ul><ul><li>Against discovery? </li></ul></ul></ul><ul><ul><ul><li>Against spam? </li></ul></ul></ul><ul><ul><ul><li>Against disclosure of subscriber account information? </li></ul></ul></ul><ul><ul><li>Protect the information of subscribers: </li></ul></ul><ul><ul><ul><li>Against uses not authorized by subscribers, by employees </li></ul></ul></ul><ul><ul><ul><li>Against uses not authorized by subscribers, by hackers </li></ul></ul></ul>
  5. 5. E- enterprise Liability <ul><li>Duties of Internet Services Providers (continued) </li></ul><ul><ul><li>Publisher (Prodigy model) </li></ul></ul><ul><ul><ul><li>Prodigy opted to establish and enforce rules regarding what content may be posted by subscribers, to its bulletin boards. </li></ul></ul></ul><ul><ul><ul><li>A subscriber posted libelous information, and Prodigy was held liable jointly with the subscriber, for failing to exercise a reasonable duty to enforce its own content policy. </li></ul></ul></ul><ul><ul><li>Distributor (Compuserve model) </li></ul></ul><ul><ul><ul><li>Compuserve opted to establish and enforce no rules regarding what content may be posted by subscribers to its bulletin boards. </li></ul></ul></ul><ul><ul><ul><li>A subscriber posted libelous information, and Compuserve was not held liable jointly with the subscriber, because the court found that Compuserve had no duty to police its bulletin board. </li></ul></ul></ul>
  6. 6. E- enterprise Liability Customer Information Protection <ul><li>Duties of Website and Portal Providers </li></ul><ul><ul><li>Gramm-Leach-Bliley Act, 15 USC §§ 6801-6810, Protection of Nonpublic Personal Information </li></ul></ul><ul><ul><ul><li>Establishes duties for financial institutions to “respect the privacy of its customers and to protect the security and confidentiality of those customers’ nonpublic personal information. Duties include: </li></ul></ul></ul><ul><ul><ul><ul><li>to insure the security and confidentiality of customer records and information </li></ul></ul></ul></ul><ul><ul><ul><ul><li>to protect against any anticipated threats or hazards to the security or integrity of such records </li></ul></ul></ul></ul><ul><ul><ul><ul><li>to protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer. </li></ul></ul></ul></ul>
  7. 7. E- enterprise Liability Customer Information Protection <ul><li>Duties of website and portals providers (continued) </li></ul><ul><ul><li>In general, a financial institution may not disclose nonpublic personal information to a nonaffiliated third party unless: </li></ul></ul><ul><ul><ul><li>such institution clearly and conspicuously discloses to the consumer, in writing or in electronic form or other form permitted by the regulations prescribed under section 6804 of this title, that such information may be disclosed to such third party; </li></ul></ul></ul><ul><ul><ul><li>the consumer is given the opportunity, before the time that such information is initially disclosed, to direct that such information not be disclosed to such third party; and </li></ul></ul></ul><ul><ul><ul><li>the consumer is given an explanation of how the consumer can exercise that nondisclosure option. </li></ul></ul></ul><ul><ul><li>For the consumer, then: </li></ul></ul><ul><ul><ul><li>If the consumer arranges in advance for no disclosure, can a website disclose even if it follows the above notice requirements? </li></ul></ul></ul><ul><ul><ul><li>What if the consumer arranges nothing in advance, and does not respond? </li></ul></ul></ul>
  8. 8. E- enterprise Liability Customer Information Protection <ul><li>Duties of websites and portal sites, continued: </li></ul><ul><ul><li>Five FTC Enforcement Actions since the Act’s effective date in 1998: </li></ul></ul><ul><ul><ul><li>FTC v. GeoCities: settled FTC charges that it misrepresented the purposes for which it was collecting indentifying information from adults and children; Geocities agreed to post on its site in a clear and prominent Privacy Notice, a message to consumers about what information is being collected and for what purpose, to whom it will be disclosed, and how consumers can access and remove the information. To ensure parental control, Geocities would have to obtain parental consent before collecting information from children ages 12 and under. </li></ul></ul></ul>
  9. 9. E- enterprise Liability Customer Information Protection <ul><li>Duties of web and portal sites, continued: </li></ul><ul><ul><li>FTC v., Inc., settled charges that it violated consumers’ privacy by harvesting consumers’ personal information from a competitor’s site (eBay) and then sent deceptive spam to those consumers to solicit their business. </li></ul></ul><ul><ul><ul><li>Settlement bars defendant from engaging in such unlawful practices in the future. </li></ul></ul></ul><ul><ul><ul><li>Defendant must delete the personal information of consumers who received spam but declined to register with defendant, and to give those who did register notice of the FTC charges and an opportunity to cancel their registrations and have their personal information deleted from defendant’s database. </li></ul></ul></ul>
  10. 10. E- enterprise Liability Customer Information Protection <ul><li>Duties of web and portal sites, continued: </li></ul><ul><ul><li>FTC v. Rennert, et al: Operators of a group of online pharmacies that promoted themselves touting medical and pharmaceutical facilities they didn’t actually have and making privacy and confidentiality assurances they didn’t keep, settled with FTC </li></ul></ul><ul><ul><ul><li>Settlement prohibits the deceptive claims and requires disclosures about medical and pharmaceutical relationships </li></ul></ul></ul><ul><ul><ul><li>Defendants barred from billing charge cards without proper consumer authorization and prohibited from disclosing information collected from consumers without the consumer’s authorization </li></ul></ul></ul><ul><ul><ul><li>Defendants required to notify consumers of their practices regarding the collection and use of consumers’ personal identifying information. </li></ul></ul></ul>
  11. 11. E- enterprise Liability Customer Information Protection <ul><li>Duties of web and portal sites, continued: </li></ul><ul><ul><li>FTC v. defendant misrepresented to consumers that personal information would never be shared with third parties, and then as part of a bankruptcy settlement, disclosed, sold, or offered that information for sale in violation of the company’s own privacy statement. </li></ul></ul><ul><ul><li>Agreement forbids the sale of this consumer information except under very limited circumstances </li></ul></ul><ul><ul><ul><li>Defendant only allowed to sell such lists as a package which includes the entire web site, and only to a qualified buyer, or one that is in a related market and that expressly agrees to be defendant’s “successor in interest” as to the customer information. </li></ul></ul></ul>
  12. 12. Enforcing the Law and Regulations in the Conduct of E-Business: Who is Responsible? <ul><li>Respondeat Superior and Negligence Doctrine, and the “law of the deep pocket” </li></ul><ul><ul><li>“ Let the Master Answer” </li></ul></ul><ul><ul><li>The employer should have known. . . </li></ul></ul><ul><ul><li>Sue the one who has money </li></ul></ul><ul><li>Can an employer be held liable for fraud perpetrated by an employee, when the employee uses the employer’s e-mail? </li></ul><ul><ul><li>The agency concept </li></ul></ul><ul><ul><li>The “scope of employment” concept </li></ul></ul>
  13. 13. Enforcing the Law and Regulations in the Conduct of E-Business: Who is Responsible? Agency Law <ul><li>Conduct of a servant is within the scope of employment if, but only if: </li></ul><ul><ul><li>it is of the kind he is employed to perform </li></ul></ul><ul><ul><li>it occurs substantially within the authorized time and space limits </li></ul></ul><ul><ul><li>it is actuated, at least in part, by a purpose to serve the master, and </li></ul></ul><ul><ul><li>if force is intentionally used by the servant against another, the use of force is not expectable by the master. </li></ul></ul><ul><li>Conduct of a servant is not within the scope of employment if: </li></ul><ul><ul><li>it is different in kind from that authorized, far beyond the authorized time of space limits, or too little actuated by a purpose to serve the master. </li></ul></ul>
  14. 14. Enforcing the Law and Regulations in the Conduct of E-Business: Who is Responsible? <ul><li>Employee misconduct on the Internet in Agency Law: </li></ul><ul><ul><li>Extensive case law confirms that courts traditionally do not use respondeat superior as a basis for expanding an employer’s liability when the employee commits wrongful acts so attenuated or outrageous that they fall outside the scope of employment. </li></ul></ul><ul><li>Employee misconduct on the Internet in Negligence Law: </li></ul><ul><ul><li>Negligent retention or supervision: the employer allowed the wrong to occur because the employer failed to take reasonable care in supervising or retaining the employee-perpetrator. </li></ul></ul><ul><ul><li>Notice of an employee who is a bad actor, actual or implied: obligation to use “proper diligence” to discover bad behavior by employees, and proactively investigate workplace incidents. </li></ul></ul>
  15. 15. Enforcing the Law and Regulations in the Conduct of E-Business: Who is Responsible? <ul><li>Foreseeability of Perpetrator-Employee conduct: </li></ul><ul><ul><li>The employer’s liability will depend upon the scope of the original foreseeable risk tht the employee created through his acts. </li></ul></ul><ul><ul><li>If the intervening cause is one which in ordinary human experience is reasonably to be anticipated, or one which the defendant employer has reason to anticipate under the particular circumstances, the defendant employer may be negligent, among other reasons, for failing to guard against it. </li></ul></ul><ul><ul><li>Issue for the court: “how was employer put on notice about employee’s misconduct? </li></ul></ul>
  16. 16. Enforcing the Law and Regulations in the Conduct of E-Business: Who is Responsible? <ul><li>The Duty to Spot Criminal Conduct by Employees in the Online Worklplace </li></ul><ul><ul><li>Is there a duty? </li></ul></ul><ul><ul><li>E-mail notwithstanding, are companies held liable routinely for criminal use of their telephone and FAX systems by employee-perpetrators? </li></ul></ul><ul><li>Will a Company policy proscribing illegal uses of its E-business systems shield it from liability? </li></ul><ul><ul><li>Well-drafted policy can show that the employer is not negligent </li></ul></ul><ul><ul><li>Published policy should also deter abuse of employer e-business systems. </li></ul></ul>
  17. 17. Spies and Saboteurs <ul><li>Trade Theft in Cyberspace: Economic Espionage Act of 1996 (EEA): </li></ul><ul><ul><li>The following is a summary of the Act’s criminal provisions: </li></ul></ul><ul><ul><ul><li>Imposes up to a $500,000 fine and a 15-year prison sentence on any person that steals or misappropriates a trade secret in order to advantage a foreign government, instrumentality, or agent. </li></ul></ul></ul><ul><ul><ul><li>Imposes up to a $10 million fine on any organization that commits an offense described in the previous provision. </li></ul></ul></ul><ul><ul><ul><li>Imposes a fine and up to a 10-year prison sentence on any person who steals a trade secret in order to benefit any party, including a foreign corporation, other than the owner. </li></ul></ul></ul><ul><ul><ul><li>Imposes up to a $5 million fine on any organization that commits an offense described in the previous provision. </li></ul></ul></ul>
  18. 18. Spies and Saboteurs <ul><li>Trade Theft in Cyberspace: Economic Espionage Act of 1996 (EEA) - in practice: </li></ul><ul><ul><li>Labwerks (1998) </li></ul></ul><ul><ul><ul><li>A state court judge ordered Sladecutter, Inc., a web design firm, to stop hacking into the computer systems of Labwerks. </li></ul></ul></ul><ul><ul><ul><li>Court order was the result of a legal wiretap against Sladecutter. </li></ul></ul></ul><ul><ul><li>Peoplesoft v. Harris Group (civil case - 1998) </li></ul></ul><ul><ul><ul><li>Harris sued for hacking into Peoplesoft’s database and obtaining secrets about job seeking client’s salaries and employers. Settled. </li></ul></ul></ul>
  19. 19. Spies and Saboteurs <ul><li>Trade Theft in Cyberspace: Economic Espionage Act of 1996 (EEA) in practice (continued): </li></ul><ul><ul><li>Cisco theft: </li></ul></ul><ul><ul><ul><li>May, 2000, David Hawkins was convicted of stealing information about a new CISCO product worth billions, which he used to set up his own company that would manufacture a competing product. </li></ul></ul></ul><ul><ul><ul><li>Hawkins received a 3-year prison sentence. </li></ul></ul></ul>
  20. 20. EEA Compliance Advice <ul><li>Compliance standards and procedures: </li></ul><ul><ul><li>The organization must have established compliance standards and procedures to be followed by its employees and other agents that are reasonably capable of reducing the prospect of criminal conduct. </li></ul></ul><ul><li>Responsibility to oversee compliance: </li></ul><ul><ul><li>Specific individuals within high-level personnel of the organization must have been assigned overall responsibility to oversee compliance with such standards and procedures. </li></ul></ul>
  21. 21. EEA Compliance Advice <ul><li>Delegation of discretion: </li></ul><ul><ul><li>The organization must have used due care not to delegate substantial discretionary authority to individuals whom the organization know or should have known through the exercise of due diligence had a propensity to engage in illegal activities. </li></ul></ul><ul><li>Communications and training: </li></ul><ul><ul><li>The organization must have taken steps to communicate effectively its standards and procedures to all employees and other agents, e.g., by requiring participation in training programs or by disseminating publications that explain in a practical manner what is required. </li></ul></ul>
  22. 22. EEA Compliance Advice <ul><li>Monitoring and reporting: </li></ul><ul><ul><li>Reasonable steps to achieve compliance with its standards by utilizing, monitoring, and auditing systems designed to detect criminal conduct by its employees and other agents and by having in place and publicizing a reporting system whereby employees and other agents could report criminal conduct by others within the organization without fear. </li></ul></ul><ul><li>Enforcement and discipline: </li></ul><ul><ul><li>Standards must have been consistently enforced, through appropriate disciplinary mechanisms, including, as appropriate, discipline of individuals responsible for the failure to detect an offense. </li></ul></ul>
  23. 23. EEA Compliance Advice <ul><li>Enforcement and discipline (continued): </li></ul><ul><ul><li>Adequate discipline of individuals responsible for an offense is a necessary component of enforcement; however, the form of discipline that will be appropriate will be case-specific. </li></ul></ul><ul><li>Continuous improvement: </li></ul><ul><ul><li>After an offense has been detected, the organization must have taken all reasonable steps to respond appropriately to the offense and to prevent further similar offenses including any necessary modification to its program to prevent and detect violations of the law. </li></ul></ul>
  24. 24. Information Warfare (IW) <ul><li>“ Moonlight Maze” and “Electronic Pearl Harbor” </li></ul><ul><li>What is it? </li></ul><ul><ul><li>“ Coming to grips with information warfare is like the effort of the blind men to discover the nature of the elephant: the one who touched its leg called it a tree, another who touched its tail called it a rope, and so on. Is a good definition possible? Does having one matter? Perhaps there is no elephant: only trees and ropes that aspire to become one. One aspect of information warfare, perhaps, championed by a single constituency, assumes the role of the entire concept, thus becoming grossly inflated in importance.” Martin Libicki of the National Defense University. </li></ul></ul><ul><li>“ National Security” and “Bogeyman” varieties of IW </li></ul>
  25. 25. Information Warfare (IW) <ul><li>IW Forms: </li></ul><ul><ul><li>C2W: command and control systems warfare </li></ul></ul><ul><ul><li>IBW: Intercontinental Ballistic Warfare </li></ul></ul><ul><ul><li>EW: Electronic Warfare (antiradar, anticomms, cryptography) </li></ul></ul><ul><ul><li>PSYOPS: Psychological warfare (propaganda, deception) </li></ul></ul><ul><ul><li>Hacker Warfare </li></ul></ul><ul><ul><li>Economic information warfare (“economic blockade”). </li></ul></ul><ul><ul><li>Cyberwarfare: </li></ul></ul><ul><ul><ul><li>techno imperialism  simula-warfare </li></ul></ul></ul><ul><ul><ul><li>Info terrorism  Gibson warfare (scifi) </li></ul></ul></ul><ul><ul><ul><li>Semantic </li></ul></ul></ul>
  26. 26. Information Warfare (IW) <ul><li>Chinaspam </li></ul><ul><ul><li>Red China’s embassy in Belgrade was bombed by NATO warplanes during May, 1999. </li></ul></ul><ul><ul><li>Although an accident, Red China began an IW blitz against U.S. targets world wide. 72,000 attacks in August, 1999. </li></ul></ul><ul><ul><li>Similar attacks commenced after the U.S. P2 was downed after a mid-air collision with a Red Chinese Mig. </li></ul></ul><ul><li>Yugospam </li></ul><ul><ul><li>Yugoslavia attempted to blitz NATO with IW. </li></ul></ul><ul><li>Code war v. Cold war: </li></ul><ul><ul><li>Tamil “internet black tigers”; Aum Shinri Kyo cult. </li></ul></ul>
  27. 27. Information Warfare (IW) <ul><li>Digital Dirty Tricks and Cyber Plumbers </li></ul><ul><ul><li>“ Australian Underground”- “we have declared infowar on you” </li></ul></ul><ul><ul><ul><li>Within 20 minutes, the rival political group’s office had its call center disabled, e-mail jammed, and computer system shut down. </li></ul></ul></ul><ul><ul><li> diverted internet traffic to the other side. </li></ul></ul><ul><ul><li> cybersquatter that satirized a Presidential candidate. </li></ul></ul><ul><ul><li>“ blackfax:” </li></ul></ul><ul><ul><ul><li>A tactic in which the sender repeatedly faxes an all-black piece of paper in a deliberate attempt to break the recipient’s machine. </li></ul></ul></ul><ul><ul><ul><li>Backlash from the Rep. Hyde scandal. </li></ul></ul></ul>
  28. 28. Information Warfare (IW) <ul><li>Defensive Information Warfare - Recommendations </li></ul><ul><ul><li>Contact law enforcement when attacks are detected. </li></ul></ul><ul><ul><li>Turn on audit trails and logs. </li></ul></ul><ul><ul><li>Use keystroke monitoring. </li></ul></ul><ul><ul><li>Designate an incident management team. </li></ul></ul><ul><ul><li>Designate evidence custodian. </li></ul></ul><ul><ul><li>Record dollar losses associated with the incident. </li></ul></ul><ul><ul><li>Make back-ups, print out logs. </li></ul></ul><ul><ul><li>Document activity </li></ul></ul><ul><ul><li>“ Theorize” - law enforcement will need to know where to start, they will ask how the hacker got in, etc. </li></ul></ul>
  29. 29. The First Amendment and the Internet <ul><li>The Communications Decency Act of 1996 </li></ul><ul><ul><li>Part of the Telecommunications Act of 1996 </li></ul></ul><ul><ul><li>Struck Down by the Federal Court </li></ul></ul><ul><li>Judicial Review of 1st Amendment Restrictions Imposed by the Communications Decency Act </li></ul><ul><ul><li>Strict Scrutiny: Court found that the CDA’s premises were not proven. </li></ul></ul><ul><ul><li>Were the statutory requirements the least intrusive? </li></ul></ul><ul><ul><ul><li>Technical means to achieve the CDA’s objectives </li></ul></ul></ul><ul><ul><ul><li>Parental Controls such as the V-chip </li></ul></ul></ul><ul><ul><ul><li>Industry-standard ratings for violence, sex, foul language, etc. </li></ul></ul></ul>
  30. 30. After CDA: The Children’s Online Protection Act (COPA) <ul><li>Addresses the two CDA provisions that were found to be unconstitutional: </li></ul><ul><ul><li>Cannot transmit any “communications which is obscene or indecent, knowing that the recipient of the communication is under 18 years of age.” </li></ul></ul><ul><ul><li>No transmission to someone under 18 “communication that, in the context, depicts or describes, in terms patently offensive as measured by contemporary community standards, sexual or excretory activities or organs.” </li></ul></ul><ul><li>Supreme Court holding in CDA case: </li></ul><ul><ul><li>Compelling state interest, but. . . </li></ul></ul><ul><ul><li>No reason for unnecessarily broad suppression of speech to adults </li></ul></ul>
  31. 31. After CDA: The Children’s Online Protection Act (COPA) <ul><li>COPA </li></ul><ul><ul><li>Prohibits “knowingly and with knowledge of the character of the material. . .by means of the world wide web, making or communication for commercial purposes. . .available to any minor. . .that includes any material that is harmful to minors.” </li></ul></ul><ul><ul><ul><li>Only applies to web communications </li></ul></ul></ul><ul><ul><ul><li>Only commercial communications are affected </li></ul></ul></ul><ul><ul><ul><li>Only applies to communication that is harmful to minors </li></ul></ul></ul><ul><ul><li>Non-compliance with the COPA results in criminal and civil penalties, including fines and imprisonment. </li></ul></ul><ul><ul><li>Allows for good faith defenses, including credit/debit cards, adult access code, or adult PIN, digital certificate that verifies age, etc. </li></ul></ul>
  32. 32. After CDA: The Children’s Online Protection Act (COPA) <ul><li>COPA Challenged: </li></ul><ul><ul><li>Did not fix the CDA problems </li></ul></ul><ul><ul><li>Congress attempted to use internet technology to verify age and distinguish minors from adults, as an attempt to fix the CDA problems of “too burdensome.” </li></ul></ul><ul><ul><li>District Court stayed COPA, after finding that the Constitutional issues raised by plaintiffs (ACLU and others) have a good chance at succeeding when the case makes it to the Supreme Court. </li></ul></ul><ul><ul><li>Is it possible to craft a statute that protects children online from indecent communication? </li></ul></ul>
  33. 33. FIRST AMENDMENT RIGHTS V. THE NEED TO PROTECT CHILDREN <ul><li>Methods used by websites to obtain info from kids: </li></ul><ul><ul><li>Info needed to chat with fictitious cartoon characters </li></ul></ul><ul><ul><li>Info needed to play games, enter contests and enter chat rooms </li></ul></ul><ul><li>1996 FTC Workshop Conclusions: </li></ul><ul><ul><li>Children are a special online audience </li></ul></ul><ul><ul><li>Information collection from children raises special concerns </li></ul></ul><ul><ul><li>A need to notify parents of web site information practices </li></ul></ul><ul><ul><li>A need to provide parental control over info collected from kids </li></ul></ul>
  34. 34. FIRST AMENDMENT RIGHTS V. THE NEED TO PROTECT CHILDREN <ul><li>DOJ/FBI Staff Report: </li></ul><ul><ul><li>Child chat rooms are used by adult predators of children </li></ul></ul><ul><ul><li>A reporter, posing as a known child murderer, obtained a list of 5,000 children living in various neighborhoods </li></ul></ul>
  35. 35. The FTC’s “Son of COPA” <ul><li>The FTC’s Child Online Privacy Protection Rule (4/2000) </li></ul><ul><ul><li>Supplements COPA </li></ul></ul><ul><ul><ul><li>Definitions follow COPA, but account for developing technology </li></ul></ul></ul><ul><ul><ul><li>Notice is further required at each site, and specified </li></ul></ul></ul><ul><ul><ul><li>Operator prohibited from conditioning child participation on personal information disclosure </li></ul></ul></ul><ul><ul><li>Added procedural sense to COPA </li></ul></ul><ul><ul><ul><li>Operators must make a good faith effort to obtain “verifiable parental consent” before information can be taken and stored from children </li></ul></ul></ul><ul><ul><ul><li>Reasonable exceptions, triggered by good faith efforts on the part of operators, remove the objectionable aspects of COPA </li></ul></ul></ul><ul><ul><ul><li>FTC rules received positive acclaim from the privacy lobby as a reasonable compromise to COPA’s draconian measures. </li></ul></ul></ul>
  36. 36. FBI Crackdown on Predators of Children, and Child Pornography <ul><li>FBI “Innocent Images” Program </li></ul><ul><ul><li>Launched in 1994, the FBI discovered that pedophiles frequently share child pornographic materials through elaborate encryption schemes. Also, packs of predators would hunt children online. </li></ul></ul><ul><ul><li>FBI agents, posing as children, conducted online sting operations </li></ul></ul><ul><li>Results (1997 numbers): </li></ul><ul><ul><li>200 search warrants </li></ul></ul><ul><ul><li>40 consensual searches </li></ul></ul><ul><ul><li>91 arrests </li></ul></ul><ul><ul><li>83 felony convictions </li></ul></ul><ul><ul><li>By 1999, 1,497 cases were opened, yielding 532 arrests. </li></ul></ul>
  37. 37. The Effectiveness of Protecting Our Children’s Privacy Online <ul><li>CDA, COPA: Wrapped up in Court Challenges </li></ul><ul><li>FTC’s Rules: </li></ul><ul><ul><li>Violators don’t take rules seriously: estimated 88% of the most popular children’s sites still collect personal information from children without parental consent. </li></ul></ul><ul><ul><li>Systematic detection is not technically feasible right now. </li></ul></ul><ul><li>Self-regulation? </li></ul><ul><ul><li>TrustE and BBB guidelines work well, but parents and children must be diligent to allow kids to use websites that contain those service marks, exclusively. </li></ul></ul><ul><ul><li>If parents were diligent in the first place, would COPA and the FTC regulations be necessary? </li></ul></ul>
  38. 38. GOVERNMENT ENFORCEMENT <ul><li>Federal </li></ul><ul><ul><li>FTC, FCC, DOJ, BATF, Dept. of Commerce </li></ul></ul><ul><li>State: </li></ul><ul><ul><li>Consumer protection laws, tax laws </li></ul></ul><ul><li>Local </li></ul><ul><ul><li>Courts (enforce contracts0 </li></ul></ul><ul><li>International: </li></ul><ul><ul><li>Treaties (e.g., WTO/World Court) </li></ul></ul>
  39. 39. Criminal Liability <ul><li>Laws to Combat Internet Crimes: </li></ul><ul><li>Hacking Cracking: </li></ul><ul><ul><li>Counterfeit Access Device and Computer Fraud and Abuse Law fo 1984; Computer Fraud and Abuse Act of 1986 </li></ul></ul><ul><ul><li>National Information Infrastructure Protection Act of 1996: </li></ul></ul><ul><ul><ul><li>Applies to computers and computers attached to the internet in one or multiple states. Codified at 18 USC §1030 et seq . </li></ul></ul></ul><ul><ul><ul><li>Prohibits computer espionage and theft of financial information. </li></ul></ul></ul><ul><ul><ul><li>Prohibits theft of U.S. government information and information from protected computers and hacking. </li></ul></ul></ul><ul><ul><ul><li>Makes computer fraud and trespass illegal. </li></ul></ul></ul><ul><ul><ul><li>Outlaws password trafficking and computer extortion. </li></ul></ul></ul>
  40. 40. Criminal Liability <ul><li>National Stolen Property Act </li></ul><ul><ul><li>Covers illegal fund transfers and software transmission. </li></ul></ul><ul><li>Electronic Communications Privacy Act of 1986 (ECPA) </li></ul><ul><ul><li>Bars illegal surveillance and unauthorized access to data. </li></ul></ul><ul><li>Fraud (statutes): </li></ul><ul><ul><li>Federal Trade Commission Act </li></ul></ul><ul><ul><li>Clayton Act </li></ul></ul><ul><ul><li>Truth in Lending Act </li></ul></ul><ul><ul><li>Fair Credit Billing Act </li></ul></ul><ul><ul><li>Fair Credit Reporting Act </li></ul></ul><ul><ul><li>Telephone Disclosure and Dispute Resolutions Act </li></ul></ul>
  41. 41. Criminal Liability <ul><li>Fraud (400 FTC regulations covering specific transactions) for example: </li></ul><ul><ul><li>Used car rule </li></ul></ul><ul><ul><li>Franchise rule </li></ul></ul><ul><ul><li>Telemarketing sales rule </li></ul></ul><ul><ul><li>The “Ten dot.cons” </li></ul></ul><ul><li>Cyberstalking: </li></ul><ul><ul><li>Executive Order 13133, Unlawful Conduct Using the Internet </li></ul></ul><ul><li>Theft of Intellectual Property </li></ul><ul><ul><li>No Electronic Theft Act </li></ul></ul><ul><ul><li>Economic Espionage Act </li></ul></ul><ul><ul><li>Copyright Felony Act </li></ul></ul>
  42. 42. INTERNET FRAUD FTC’s Disclosures: Information about Online Advertising <ul><li>The same consumer protection laws that apply to commercial activities in other media apply online </li></ul><ul><ul><li>No “unfair or deceptive acts or practices” </li></ul></ul><ul><ul><li>FTC issues rules and guides for specific industries and subject areas, e.g., telemarketing, vitamin supplements and travel agencies. </li></ul></ul><ul><ul><li>The “Plain Language” rule </li></ul></ul><ul><ul><li>“ Clear and conspicuous disclosure” rule </li></ul></ul><ul><ul><li>Duty to communicate with customers can be satisfied online: ship goods when promised or otherwise within 30 days, negative option communications, written warranty obligations </li></ul></ul>
  43. 43. INTERNET FRAUD FTC’s Disclosures: Information about Online Advertising <ul><li>To Guaranty that disclosures are not misleading, advertisers should consider: </li></ul><ul><ul><li>The Placement of the disclosure in an ad and its proximity to the relevant claim. </li></ul></ul><ul><ul><li>The Prominence of the disclosure </li></ul></ul><ul><ul><li>Whether items in other parts of the ad distract attention from the disclosure </li></ul></ul><ul><ul><li>Whether the ad is so lengthy that the disclosure needs to be repeated </li></ul></ul><ul><ul><li>Audio disclosures are in appropriate volume and cadence </li></ul></ul><ul><ul><li>Visual disclosures are of sufficient duration </li></ul></ul>
  44. 44. INTERNET FRAUD FTC’s Disclosures: Information about Online Advertising <ul><li>To make a disclosure clear and conspicuous, advertisers should: </li></ul><ul><ul><li>Place disclosures near, and when possible, on the same screen as the triggering claim </li></ul></ul><ul><ul><li>Use text or visual cues to encourage consumers to scroll down a Web page when it is necessary to view a disclosure </li></ul></ul><ul><ul><li>When using hyperlinks to view a disclosure: </li></ul></ul><ul><ul><ul><li>Make the link obvious * Label the hyperlink appropriately </li></ul></ul></ul><ul><ul><ul><li>Use consistent styles so the customer knows they are there </li></ul></ul></ul><ul><ul><ul><li>Place the hyperlink near relevant info * Make it noticeable </li></ul></ul></ul><ul><ul><ul><li>Take consumers directly to the disclosure on the click-thru page </li></ul></ul></ul><ul><ul><ul><li>Assess effectiveness - monitor click-thru rates and change if needed </li></ul></ul></ul>
  45. 45. INTERNET FRAUD FTC’s Disclosures: Information about Online Advertising <ul><li>To make a disclosure is clear and conspicuous, advertisers should (continued): </li></ul><ul><ul><li>Recognize and respond to any technological limitation or unique disclosure techniques, such as frames or pop-ups </li></ul></ul><ul><ul><li>Display disclosures prior to purchase, and don’t necessarily restrict them to the order page </li></ul></ul><ul><ul><li>Creatively incorporate disclosures in banner ads or disclose them clearly and conspicuously on the page the banner ad links to. </li></ul></ul><ul><ul><li>Prominently display disclosures so they are noticeable by consumers, and evaluate their size, color, and graphic treatment </li></ul></ul><ul><ul><li>Ensure that the text, graphics, hyperlinks, or sound do not distract consumers’ attention from the disclosure. </li></ul></ul>
  46. 46. INTERNET FRAUD FTC’s Disclosures: Information about Online Advertising <ul><li>To make sure that disclosures are clear and conspicuous, advertisers should (continued): </li></ul><ul><ul><li>Repeat disclosures as needed on lengthy websites and in connection with repeated claims. </li></ul></ul><ul><ul><li>Use audio disclosures when making audio claims, and present them in a volume and a cadence so that consumers can hear and understand them </li></ul></ul><ul><ul><li>Display visual disclosures long enough for consumers to notice, read, and understand them. </li></ul></ul><ul><ul><li>Use clear language and syntax so that consumers understand the disclosures. </li></ul></ul>
  47. 47. INTERNET FRAUD FTC’s Disclosures: Information about Online Advertising <ul><li>FTC rules and guides that use specific terms: “written,” “writing,” “printed” or “direct mail” are adaptable to the internet </li></ul><ul><ul><li>Rules and guides that apply to written ads or printed materials also apply to visual text displayed on the Internet. </li></ul></ul><ul><ul><li>If a seller uses email to comply with Commission rule or guide notice requirements, the seller should ensure that consumers understand that they will receive such information by email and provide it in a form that consumers can retain. </li></ul></ul><ul><ul><li>“ Direct Mail” solicitations include e-mail. If an email invites consumers to call the sender to purchase goods or services, that telephone call and subsequent sale must comply with the Telemarketing Sales rule requirement. </li></ul></ul>
  48. 48. Spies and Saboteurs <ul><li>Insiders - the Disgruntled Employee </li></ul><ul><ul><li>“ Adelyn loves Larry,” so Larry fires Adelyn </li></ul></ul><ul><ul><ul><li>Larry Ellison, Oracle’s CEO had an alleged affair with an employee, Adelyn Lee. After an unsuccessful date, Larry has Adelyn fired. </li></ul></ul></ul><ul><ul><ul><li>Adelyn sues Oracle for wrongful dismissal, after producing numerous e-mail messages between them and between Larry and the guy he ordered to fire Adelyn. She wins $100k. </li></ul></ul></ul><ul><ul><ul><li>County prosecutors found evidence, however, that Adelyn herself created those incriminating e-mails. She was found guilty of felony perjury, had to give the $100K back, and spent a few months in jail. </li></ul></ul></ul>
  49. 49. Spies and Saboteurs <ul><li>The Disgruntled Employee </li></ul><ul><ul><li>“ Omega Man,” Tim Allen Lloyd </li></ul></ul><ul><ul><ul><li>Omega Engineering Corp. serves NASA and the USN; lost $10 million due to Lloyd’s software “time bomb” that “exploded” two weeks after Lloyd was terminated by Omega. </li></ul></ul></ul><ul><ul><ul><li>Lloyd went from “hero to zero,” lashing out at his colleagues both physically and verbally; bottlenecked projects that he wasn’t placed in charge of, and even knowingly loaded faulty programs to make co-workers look bad. He was written up twice, demoted, and terminated. </li></ul></ul></ul><ul><ul><ul><li>Lloyd was convicted and sent to jail. </li></ul></ul></ul>
  50. 50. Cyber Muggers and Molesters <ul><li>Identity Theft </li></ul><ul><ul><li>Adelaide Andrews </li></ul></ul><ul><ul><ul><li>Investment researcher began receiving disturbing phone calls from money lenders and collection agencies looking for payments she had no idea that she owed. Situation grew worse: her application for refinancing her home mortgage was rejected, because the bank said she was a bad credit risk. IRS informed her she owed taxes on income she never earned. There was even a Nevada arrest warrant for domestic battery issued against her. </li></ul></ul></ul><ul><ul><ul><li>Someone used her identity to establish credit lines of up to $100k, rented apartments, set up utilities, and took in income. </li></ul></ul></ul><ul><ul><ul><li>Adelaide hired a PI to track down the identity thief, whom she suspected. </li></ul></ul></ul>
  51. 51. Criminal Liability <ul><li>The Identity Theft Epidemic </li></ul><ul><ul><li>Trans Union consumer complaints rose from 35,236 in 1992 to 522,922 in 1997. </li></ul></ul><ul><ul><li>Techniques: </li></ul></ul><ul><ul><ul><li>Chinese method: hack into databases to compromise credit cards and identity details (Social Security Numbers are biggest prize). </li></ul></ul></ul><ul><ul><ul><li>Nigerian method: bribe bank officials to obtain customer information. </li></ul></ul></ul><ul><li>How to Prevent Identity Theft: </li></ul><ul><ul><li>Call 888.567.8688 and request that your name be removed from marketing lists to reduce the number of pre-approved credit card applications that you receive via snail mail. </li></ul></ul><ul><ul><li>Protect your SSN and check your credit reports annually. </li></ul></ul>
  52. 52. Criminal Liability <ul><li>How to Prevent Identity Theft (continued): </li></ul><ul><ul><li>Credit reporters that need to be checked annually: </li></ul></ul><ul><ul><ul><li>Equifax <>, fraud line 800.997.2493 </li></ul></ul></ul><ul><ul><ul><li>Experian <>, 888.397.3742 </li></ul></ul></ul><ul><ul><ul><li>Trans Union: <>, fraud line 800.680.7289 </li></ul></ul></ul><ul><li>What to do if you become a victim: </li></ul><ul><ul><li>Secret Service’s tips (<>): </li></ul></ul><ul><ul><ul><li>Report the crime to your local police immediately, and obtain a case number that banks and financial outfits will ask for, later. </li></ul></ul></ul><ul><ul><ul><li>Contact immediately your credit card issuers, and get replacement cards with new account numbers; close out existing accounts “by customer request. Follow up these requests in writing. </li></ul></ul></ul><ul><ul><ul><li>Report theft to the credit reporters above, and have accounts flagged. </li></ul></ul></ul>
  53. 53. Criminal Liability <ul><li>What to do if you become an Identity Fraud Victim(cont’d) </li></ul><ul><ul><li>File a complaint with the FTC: </li></ul></ul><ul><ul><ul><li>The FTC has no statutory authority to bring a criminal case against an identity thief, but it has vast resources to investigate theft and gather evidence against identity thieves. It can also refer your complaint and the evidence to the FBI, Secret Service, and others. </li></ul></ul></ul><ul><ul><ul><li>Consumer Response Center, Federal Trade Commission, 600 Pennsylvania Avenue, N.W., Washington, D.C. 20580. </li></ul></ul></ul><ul><ul><ul><li><> </li></ul></ul></ul><ul><ul><ul><li>877.382.4357 </li></ul></ul></ul>