Tapped Out: Controlling the internet via selective authorization

Craigslist, Inc. v 3Taps Inc., No. CV 12-03816 CRB. (N.D. Ca. August 16, 2013) is another case in a now long line of cases that establish that in most situations access to even an otherwise publicly accessible website can be controlled via selective authorization.

The 3Taps case is very straightforward.  3Taps scraped Craigslist’s website, and replicated it.  Craigslist sent them a letter revoking all permissions to access the Craigslist site, but 3Taps ignored that and circumvented IP filters and continued accessing the website, and replicating it.  In other words, Craigslist “singled out” 3Taps and told them that they could not access the Craigslist website.  3Taps was singled out because it was copying the entire Craigslist site, in apparent competition with Craigslist.

Note that unlike the Digital Millenium Copyright Act, which requires there to be sufficient technological measures to protect copyrighted content before there would be a finding of circumvention, under the CFAA, no such technological measures are required. 3Taps sought to dismiss the complaint filed by Craigslist, which complaint asserted that 3Taps violated the Computer Fraud and Abuse Act (“CFAA”) which generally prohibits a person from “intentionally accesses[ing] a computer without authorization or exceed[ing] authorized access, and thereby obtain[ing] . . . information from any protected computer.”  The essence of 3Taps’ argument was that because the Craigslist website is publicly available, the CFAA does not apply, and therefore, just as anyone else had “authorization” to access and use the website, so did 3Taps.  [Note: this decision did not address copyright issues with 3Taps’ conduct.]

A long line of cases enforce “terms of service ”  either under contract law, under the CFAA, or both – that is, if terms of service authorize access to information on certain conditions, and those conditions are not met, then the access to that information is not authorized and is a violation of the contract and often, the CFAA.  See Register. com, Inc. v. Verio, Inc., 126 F. Supp. 2d 238 (S.D.N.Y. 2000), affirmed on other grounds356 F. 3d 393 (2nd Cir. 2004) and their progeny.

You can now add this case to that list.  This case even more bluntly stands for the proposition that a website owner can, with only the typical “protected class” exceptions, discriminate against a particular user and revoke authorization, while at the same time generally authorize the public to access and use the website.   This right, moreover, does not make the website operator a so-called common carrier, and the website operator does not give up its other important immunities, such as the immunity under the Communications Decency Act (47 USC 230). There may be other limitations on a website’s right to discriminate – for example, there may be first amendment interests in the data being accessed, or there might be an argument that certain provisions in a contract limitation constitute a copyright misuse (and hence might make enforcement of the contract, even under the CFAA, problematic).  However, in the majority of private interest cases like Craigslist (or Twitter, or Facebook or virtually any other social media provider) – the owner of the data is going to have a pretty broad right in the U.S. and under U.S. law to protect access to that data via restrictions either in a terms of service, or more directly as was done in the 3Taps case.

Congress is considering an amendment to the CFAA (Aaron’s law – for background, see this Techdirt article the EFF pages, and what I believe is the current draft here)  that might limit a website platform operator’s use of the CFAA to control its content . . . but that issue has come up in various contexts before and Congress has not seemed to have much appetite for monkeying with the CFAA.  Also, that would not eliminate the breach of contract claim (see the Verio case above).

The 3Taps case has been cited in some online commentary for the proposition that IP proxies or anonymization systems (like Tor) are “illegal.”  That is not what the court held.  There are many legal and pro-privacy reasons to use such systems that would not violate the CFAA.  The simplest example would be use of such a system to avoid being tracked while browsing the web.  In these cases you are not accessing a protected computer without authorization, you are simply sending a false identifier to a computer that is collecting the data on its own volition.  CFAA punishes unauthorized access, not access gained by presenting false location or identification data.  However, under the 3Taps case, apparently a terms of service agreement could be written to withdraw consent to any access of the site if a person is using a location or tracking anonymizer/IP spoofer, and hence, a person using such a service and accessing the site could then be in violation of the CFAA.  That question, however, also raises substantial 1st Amendment issues (right to anonymous speech), which were not present in 3Taps.  Thus, it is not clear at all that a court would hold that the CFAA claim would survive in that instance.

Until Congress modifies the CFAA internet users should be cautious about use of “publicly available” but privately owned information on a website, RSS feed, social media firehose, or other resource, and be careful to read and comply with the terms of service.   [Note:  this blog entry does not address governmental or public information, FOIA or the right (or lack of a right) under a contract or CFAA to “privatize” governmental public data]

For more information contact Mike Oliver

(unless specifically attributed, all links on this page are provided for information purposes only and have not been vetted by, and do not necessarily represent the views of, the author)

Our new firm has a home!

Kim, Pamela, Tina, Larry and I opened our firm’s principal office today at 502 Washington Ave, Suite 605, Towson Maryland.  While we started business on May 1, 2013 it was not really until today that we felt like a complete firm in our own place.  So, we think of today as our first real day in business.   The first 90 days of a new business are brutal – trying to balance client demands, administrative matters, and the variety of oddbird things that you just cannot anticipate.  Many things went right, some went wrong, some were unexpected.  I hope to chronicle some of what we went through in future posts – as a teaser, we started inauspiciously – after engaging a tenant rep (see below) we set off to review space for leasing – and the first two buildings we visited had power out-tages just as we arrived to view the property! Needless to say, we were a little worried that was a bad omen ;-).

Power-outages notwithstanding, today we poured a little champagne in plastic cups, and toasted our office opening to a hoped for success in the future, for us and our clients.  More pictures will come as we get fully up and running (our main lobby sign is not done yet, and the walls are pretty bare).

I cannot possibly fully express my thanks to the three young ladies pictured here (left to right, Kim Grimsley, Tina Neuman and Pamela Riewerts) and Larry Guffey, for taking a real big leap with me on this firm.  I could not be practicing law with better lawyers, or with people that I enjoy working with more.  I am sure we face some challenges ahead, but we are all very focused on client service, upholding high ethical standards, having a fun work environment (a little more on that below), and providing the best legal services we can at a fair and reasonable fee.

That brings me to another thank you – to the clients, service providers, landlords, and friends who have offered advice or just a “good luck” wish at an opportune time.  At the risk of forgetting some, and the risk of the proverbial academy awards music playing to stop the speech, here goes:

First, to the clients that followed us from our prior firm (for privacy reasons we do not list here individuals): Chesapeake System Solutions, Inc. (thanks Peter and Jim), Talascend, Inc. (Thanks Ron, Jason and Bruce), Key Technologies, Inc. (Thanks Brian, Jenny, Keith and Scott), Delmar Brewing Company, LLC (thanks John), Digital Innovation, Inc. (thanks John and Tim), Woofound, Inc. (thank you Dan, Josh, Ken and whole gang there), Calvert Education Services, LLC (thanks Brady), OmniTI Computer Consulting, Inc. (thanks Jim and Theo), Reportsee, Inc./SpotCrime (thanks Coli), Better Business Bureau of Greater MD (thanks Angie and Jody), BJQ Sales & Service, LLC (thanks Tom), Trigger Agency, LLC (thanks Greg), Merritt Properties, LLC (thanks Melissa), Message Systems, Inc. (thanks to Joal, James, George and Alec, and all the staff), Intersect Healthcare, Inc. (thanks Brian and Bob), Celebree Learning Center (thanks Lisa), eCoast Sales Solutions, Ltd. (thanks Chris, Allen and Erik), TenantRex, LLC (thanks Adrian, Sammy and Zach), Art With a Heart, Inc. (thanks Randi), CCL Biomedical, Inc. (thanks Nina and Judy), Bloomery Plantation Distillery, LLC (thanks Linda), Baltimore Technology Group, LLC (thanks James), Barcoding, Inc. (thanks Jay), Mario Armstrong Media, LLC (thanks Mario and Nicole), Founders Financial Securities, LLC (thanks Brad, Kurt, Mike and the whole team there), Maryland Speed, LLC (thanks Branden), Business Stress Management Services, Inc. (thanks Adam), WePassed, LLC (thanks David), Enterprise Insurance Training, Inc. (thanks Tom), American Society for Colposcopy and Cervical Pathology (thanks Kerry), Blackbee Media, LLC (thanks Allison), CAM Technologies, Inc. (thanks Chris), Early Morning Software, Inc. (thanks Cecil and Donna), East-Coast Equipment, LLC (thanks Shad), Finding Definitions, LLC (thanks Mia), Figure 53, LLC (thanks Christopher), HackSurfer, LLC (thanks Jason and Rebekah), MsgWorx (thanks Rick and Sallie), Liaison Group, LLC (thanks Lou), Hertzbach & Company, P.A. (thanks Don), Workuments, LLC (thanks Joe), Randall Point Enterprises (thanks Anthony), OTB Consulting, LLC (thanks Bob and Tom), Mansbach Health Tools, LLC (thanks Bill), Icon Logic, Inc. (thanks Kevin), Sonex Research, Inc. (thanks George), Securities Pricing & Research, Inc. (thanks Brad), Reed Street Productions, LLC (thanks Ryan), South River Technologies, Inc. (thanks Mike and Tracy), Stanton Communications, Inc. (thanks Peter), Star Management Services, Inc. (thanks Eric), R. Boutique LLC (thanks Robert), Impresst Business Solutions, Inc. (thanks Steve), Nut House, LLC (thanks Joanna), Algiatry, LLC (thanks Paul), White Horse Consulting (thanks Dave), Spread Concepts (thanks Michal), Genesic Semiconductors (thanks Ranbir), RevMax Hospitality Management, LLC (thanks Sonny), Smartlegal Forms (thanks Richard), Seven Swells, LLC (thanks Tyler), Sobosoft, LLC (thanks Brian), SOEP Networking & Comm. Solutions, LLC (thanks Daryl), Sweet Satisfaction, LLC (thanks Kathy), The Prosperity Consulting Group, LLC (thanks Don), The Sandy Bottom Enterprise, LLC (thanks Sandy), Tonar, Inc (thanks Asgerdur), W. L. Gore & Associates, Inc. (thanks Laura).

It goes without saying, without clients, we would not have a firm.  Thank you for bearing with us when we could not quite manage the turnaround times you might have been used to.

Next, we thank the lawyers, accountants and others that place their trust in us and continue to refer their clients to us for legal services in our practice area.  When we can, we will return the favor of referrals.

Next, to some folks who helped us out at the beginning – Elliott Wagonheim – thanks Elliott for meeting with us and helping us on some of our own legal issues; Stephanie Cereijo at Towson Executive Offices – for renting us temporary space, and her staff for being absolutely fantastic to work with; Chris Murray, Gates Blair and Natalie Meconi at Mid Atlantic Properties, our new landlord – they have been utterly fantastic to deal with, soup to nuts; and Matt Mueller at Mackenzie Properties, who worked with us as a tenant rep and told us the staff at Midap were great to work with.

Next to our new clients who are taking a risk on a new firm – and that somehow found us even though we have done absolutely no marketing of any kind – we have just not had the time.

Finally, but not in the least, to our spouses, children, and extended families for putting up with us.  We have been working essentially non stop the last 90 days (and even before that) and that puts a lot of stress on our loved ones.

As we get going and find the time, we hope to begin posting spotlights of some of our clients and referring parties.

We are incredibly lucky to have a viable business and as soon as we fully get our feet on the ground and find some free time (what small business owner has any of that!), we want to give some back as well – and help someone the way all of the above named and unnamed people have helped us or if we can, provide pro bono services.

And now to that teaser about a fun place to work – two of us are trekkies (mostly closet trekkies), so we got this little device – Star Trek Electronic Door Chime – so when you come into my office or Tina’s, if we have it on, you hear that turbolift sound.

More later.  Best regards to all, Mike

Cybercrime Series – What is Cybercrime?

This column starts my foray into working with Hacksurfer (a client here) in explaining the legal side of cybercrime.  These articles are first published at the Hacksurfer site, which is a very good resource for this issue.  This article was published there about 3 months ago; more current articles are located there.  In the coming articles I am going to start from ground zero, introduce basic legal constructs and concepts, go through primarily federal criminal statutes, and then start working through major cases.  If I am successful and you manage to stay awake through it, you will have a deep understanding of the major aspects of cybercrime law.  I will throw in a little procedure as well, but criminal procedure is tedious, heavily constitutional, and frankly, more relevant to prosecutors and defense counsel than the average reader here.  I will also be reviewing all of the computer security laws that impact regular businesses, and going over common pitfalls, errors and issues that businesses face trying to navigate through the mass of computer security laws, rules, regulations and orders.

Just a real quick background on me – I grew up in the early 70’s and worked on every computer I could get my hands on – and learned any programming language I could when I was young.  Back then there were no remotely affordable hard drives – I learned on old IBM punch card decks, mainframes and low level consumer computers like the “Trash” 80, Commodore 64 and similar products.  There was no internet as we know it today, no email, and really, no electronic communications like electronic mail, short message service or instant messaging that someone not inside of ARPANET could get their hands on.  To me, “hacking” always meant “hacking code” that is, trying to make the code more efficient  elegant, robust, and resilient.  After a few movies popularizing unauthorized acces to computers, which labeled that activity “hacking” – the term has become more criminal sounding than programming sounding.  In these articles I will usually use “cracking” to describe the efforts to gain unauthorized access to a computer, and “hacking” to refer to source code development – i.e. “code hacking.”

Also a brief word about citations.  I will cite to both primary source materials (i.e. the actual code, case etc) and to secondary sources, such as Wkipedia.  My articles are not intended to be scholarly, so I have not verified any source or statement.  I merely provide the user with additional points of reference if they are interested.   Note that I am also not treating the telephone system as a general purpose computer, and for the purposes of these articles, excluding unauthorized access to non digital telephone networks.

So, let’s start at the beginning.  The first real digital computer, the ENIAC, was invented in 1945, and began operations in 1946.  [Ref]  That computer, and all digital computers after it, until a digital transmission network was reliably established (the first true digital communication packet was transmitted on October 29, 1969 via ARPANET) had one important common feature – they were accessible only from a standard input terminal and had physical limitations, that is, they were generally not accesible remotely.

While these computers could be accessed without authorization, early computers had extremely proprietary software interfaces, it was very hard to gain physical access to them, and they tended to be operated for military or other government activity and hence were very secure.  The number of reported computer crimes against these early computers is very low, and tended to be committed by employees or other persons who had physical access to the computer  – true computer crime was likely related to spying.  See generally, Kabay, M.E.,  A Brief History of Computer Crime: An Introduction for Students, at p. 5 (2008).

So before there was “cyber crime” there was “computer crime” – and conceptually this is quite a distinct crime.  Computer crime was more akin to breaking and entering, or vandalism, because it tended to be destruction of the computer itself.  Cybercrime as we know it today involves unauthorized access to, or exceeding authorized access in respect of, a protected computer.  The key to most current cybercrime statutes is this concept of a protected computer.  A protected computer is defined as “a computer— (A) exclusively for the use of a financial institution or the United States Government, or, in the case of a computer not exclusively for such use, used by or for a financial institution or the United States Government and the conduct constituting the offense affects that use by or for the financial institution or the Government; or (B) which is used in or affecting interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States”  See 18 USC Sec 1030(e)(2). (emphasis added).

The emphasized language is the first step into the green is blue world of law, and your first introduction to legal terms of art.  A term of art in law is a word or phrase that has a common english meaning, but has a very technical specific meaning in the legal context.  In this particular case, “used in or affecting interstate commerce” essentially means any computer connected to the internet.

More on how we get there in the next installment, where we will discover how the law impacts a person accessing a protected computer.  (consider momentarily you and your spouse are separating, and you want to view your spouses emails for infidelity . . . how does this concept of “protected computer” impact what you can do without committing  a  felony?)  We will see . . .

Best – mike oliver

Trademark Symbols – The Difference Between the ™ and ® Symbols and When Is A Trademark Owner Permitted Use of The Symbols

Trademark Symbols – The Difference Between the ™ and ® Symbols and When Is A Trademark Owner Permitted Use of The Symbols 

A common question among trademark owners is what’s the difference between the ™ symbol and the ® symbol and when can I use them on my trademarks.  It is also a common misconception that you have to obtain a federal trademark registration on your trademark before you can use the ™ symbol.  That is not the case.

You may use the ™ symbol on a trademark even though the trademark is not registered (or even applied for). Thus, whether you have a trademark application pending at the United States Patent and Trademark Office, but it has not reached registration yet, or you have yet to file a trademark application, you may use the ™ symbol on your trademark.  The ™ symbol is notice to others that you are using a word, phrase or logo as a trademark.  It also potentially wards off third parties from using the same or similar mark.  Thus, once you begin using a trademark on a good or service you are providing, you may use the ™ symbol on the mark (or the ℠ symbol if you prefer to distinguish a service mark although ™ may be used on trademarks used in connection with goods or services).  Note – although this is a whole new topic for another article, you should make sure that another party is not already using the same or similar trademark in the same, similar or related area before you begin using the trademark.

As for the ® symbol, you may use that once the U.S. Patent and Trademark office issues a registration for your trademark.  You should not to use the ® symbol on your trademark prior to obtaining a federal registration – such use is considered a misrepresentation to the public that you have a federally registered mark.  Upon registration, you may (and should) use the ® symbol on the trademark.

This ® symbol provides notice to others that you have a federal registration. It is important to note that the failure to include the ® symbol can potentially result in a limitation in damages that you would have been entitled to in a trademark infringement action as your damages could potentially run later. Thus, it is beneficial to include the ® registration symbol once the U.S. Patent & Trademark Office issues the registration to you.

For additional information, please contact Kim Grimsley at kim@olivergrimsley.com.

Delaware or Maryland when starting a business?

We often are asked whether to file a Maryland or a Delaware corporation or limited liability company.  The chart below explains some of the factors that can affect this decision.  We do not believe that there is any material difference if you are forming a single member LLC or sole stockholder entity and you are a maryland resident and the property and business is located in MD – in these cases it is just easier to register in MD.  In any other case, this issue should be considered fully.

[table caption=”Delaware vs Maryland” width=”500″ colwidth=”100|200|200″ colalign=”left|left|left”]
Court System^Advantage Delaware:  Delaware has the Court of Chancery, which is a pre-eminent court system, and a significant body of case law that allows lawyers to give fairly accurate advice regarding outcomes in disputes^Maryland has a Technology Track in its circuit court, but many fewer decisions, so it is harder to predict how a particular issue might be resolved

Informal actions^Delaware has a very flexible law for approving informal actions – they can be approved with just the number of persons necessary to take the action, unanimous approval is  not generally necessary^Maryland law requires most informal actions to be unanimous, so as the number of members increases, this becomes inconvenient

Number of Members^As the number of members / stockholders increase, the harder it is to maintain a contractual stockholder agreement (this factor is about even for LLC’s), so the more you have to rely on applicable law.  Delaware law is more fully developed than Maryland law^As noted above Maryland law does not allow for easy informal actions, so as the number of members / owners increase, it is harder to maintain control over the minority members.

Taxation^Delaware has no state income tax so non resident members are not taxed on passthrough income (at the state level)^There is no material difference for pass throughs as long as all members are MD residents- however, for non resident members who own a Maryland pass through entity, there is a tax withholding requirement for the Maryland LLC.

Conversions^Delaware law has a form entry for entity conversions (i.e. LLC to Corp or Corp to LLC)^Maryland law does not provide for a simple conversion process – you must fully document a merger transaction (which makes such conversion transactionally more expensive)

Garnishment^Bank accounts in Delaware are not subject to garnishment^Bank accounts in Maryland are subject to garnishment, however, a Maryland entity may own accounts in Delaware, so this is more a matter of convenience


More countries join Madrid Protocol – Next Up India

More Countries Join the Madrid Protocol – Next Up: India

Effective July 8, 2013, India will join the Madrid Protocol – the international registration trademark system.  This is on the heels of Colombia, Mexico, New Zealand and Philippines, which have all joined the Madrid Protocol within the past 12 months.

The Madrid Protocol is one of the two treatises of the Madrid System (or the International Trademark System), which allows a trademark owner to seek international registration with one filing.  Businesses are growing worldwide today and as such, more and more businesses are finding they need international protection.  Under the Madrid Protocol, international registration is a more simplistic and cost-effective means of providing trademark owners with the ability to obtain trademark protection in up to 90 designated countries with only one trademark application filing. Registration under the Madrid Protocol is beneficial from a management standpoint as well as the international trademark registration can be managed more easily since only one step will serve to record any changes in the trademark registration, such as a change in ownership or even the address of the owner.

Thus, if your company wants to obtain trademark protection in fifteen15 countries, rather than having to file, pay for and manage 15 trademark filings in various countries, a trademark owner can obtain trademark protection in 15 countries with simply one application filing.  Not only is this cost effective in filing fees, but also it is also cost-effective in the time spent in preparing and filing the trademark application.  Although filing under Madrid Protocol is beneficial to all trademark owners no matter how small or large the company may be, smaller businesses that once thought international trademark protection was just not feasible from a cost perspective can now realistically move toward international trademark registration and protection on a global basis under the Madrid Protocol.

For more information, please contact Kim Grimsley at kim@olivergrimsley.com.