1998 Cyberspace Law Sample Answer — Eric Goldman

“Sample Answer”
Santa Clara University School of Law/Cyberspace Law Spring 1998
Professor Eric Goldman (ericgoldman@onebox.com)

This document describes some of the issues I was looking for in answers to this year’s final exam. This year, unlike others, this document contains a number of points that no one in the class raised, so this document was not used as a “checklist” to score exams. I gave 5 As, 10 Bs and no Cs.


There were 2 things that would have improved answers generally.

First, this exam proved particularly difficult to organize, especially the first question. With the first question, many of you tried to distinguish between short-term and long-term responses, but many of your short-term steps were often more appropriate for the long-term steps, and vice versa. It would have been much better to outline the answer upfront in a way that ensured you actually made the points you wanted where you wanted. Better organization was generally the difference between an A and a B on this exam.

Second, particularly on the first question, many of you made assumptions about what OhBoy had or had not done without making your assumptions explicit. It is crucial to state your assumptions explicitly, especially when you need more information to make decisions.


This question was based on a real life dispute between Onsale and eBay. See, e.g., http://www.microtimes.com/174/onsaleebay.html and http://www.news.com/News/Item/0,4,16051,00.html.

There were numerous relevant pieces of information missing here that would be helpful for an analysis of the dispute. Among the things that we would want to know:

* Does OhBoy use a robot exclusion header? Did the robot ignore this header?

* Does OhBoy use a user agreement? Was it a mandatory click-through agreement or was it merely a link off the homepage? What did the user agreement say? Did it have a contractual provision that would have applied here? Did the robot “click” on this user agreement? Did an AA employee at some point click on the agreement?

* Has OhBoy ever notified AA before that its robots were not welcome?

* What was on the pages collected by the robot—was it exclusively user content, or were there OhBoy proprietary elements such as logos or other text that OhBoy could claim a copyright interest in? Has OhBoy registered its copyright in one or more of these pages?

Short Term Issues

In the short run, OhBoy has some of the following objectives:

* It wants to reinforce its relationship with its customers

* It wants AA to stop using the database of email addresses

* It wants to prevent AA from sending further robot attacks

* It wants good PR

* It may—or may not—want to tweak its competitor. Competitor-bashing is always a dicey affair, especially in emerging Internet markets. If competitor-bashing causes potential customers to be afraid of the entire Internet auction segment, OhBoy will actually lose long-run value, even if it gains relative market share.

1.         As for reinforcing its relationship with customers, OhBoy needs to communicate honestly and quickly. OhBoy will also want to describe the steps it is taking to prevent future incidents.

2.         As for getting AA to stop using the database of email addresses, OhBoy will have to negotiate with AA or cajole them. First, OhBoy can complain to AA’s ISP that the ISP is harboring a spammer. AA’s spam may have breached its contract with its ISP, and ISPs tend to be pretty responsive to complaints about spam. If AA’s ISP is not responsive, it may be worth going to this company’s ISP or further upstream—eventually, someone upstream will take a negative stand on spam and apply pressure downstream.

In dealing with AA directly, OhBoy can try to marshal evidence of its superior legal position.

A.        Trespass. We do not have enough data to know if OhBoy can assert that AA trespassed its computer resources. Under the CompuServe v. Cyber Promo approach, we appear to have a facial claim that AA trespassed on OhBoy’s server resources, presumably in ways that caused harm (i.e., while the server was responding to AA’s robot, it was slower or unable to respond to other legitimate requests). However, before trespass claim could be brought, the CompuServe court suggested that a trespass plaintiff must exercise reasonable self-help measures and provide notice that trespass was not welcome. It is unclear whether or not OhBoy has done so. If in fact OhBoy used robot exclusion headers that were ignored and OhBoy had clearly announced anti-robot policies, it might be able to make a trespass claim now. If not, it may need to initiate these steps as part of its long-term strategy but cannot use trespass arguments very effectively against AA at the moment.

Note that the argument that all robots are trespassing could have broad ramifications for the operation of the Internet—especially since this is the way that most search engines build their databases. Would this be good policy?

B.         Copyright. We do not know what material was copied by the robot’s operation, so we’re not sure if OhBoy or its users are the likely plaintiffs. I assume for the moment that both OhBoy and user content was copied, so both would have standing.

The email addresses are likely not copyrightable (Feist), but the robot copied the entire page, not just the email addresses. In fact, the robot may have effectively made a copy of the entire OhBoy site, so we might be able to claim that all of our copyrighted material on the site was copied.

It will be tough to prove damages from the copyright infringement itself, but maybe the loss of server resources is a recognizable damage under this claim, and if we have a registered copyright on the website, we might be able to get statutory damages and attorneys’ fees.

Of course, AA can argue that its robot made only fair use or had an implied license. In some ways, the implied license analysis is similar to the trespass analysis. AA will try to argue that its robot did nothing different from what OhBoy’s ordinary users do when they browse the site, but this argument becomes less plausible if the robot ignored exclusion headers.

As for fair use, we had a commercial use (against AA), published material (for AA), both fact and non-fact (wash), 100% copying (against AA), and an uncertain effect on the market (the copying itself did not diminish the market demand for OhBoy, but the use of the uncopyrightable email addresses did have a negative effect on market demand—a wash). So we’re not sure if the copyright claim is a strong one.

Depending on how you feel about the implied license/fair use argument, you might also assert that AA willfully infringed OhBoy’s copyright, which would be a predicate condition for criminal copyright claims.

C.        Breach of Contract. We don’t have enough facts on this claim, but AA’s behavior could be a breach of OhBoy’s user agreement—either as entered into by an AA employee or as entered into by the robot (if a robot can legally enter into a contract).

D.        Computer Fraud and Abuse Act (18 USC §1030). We didn’t discuss this much in class, but there are good arguments that the robot violated this law, giving rise to both civil and criminal remedies.

E.         Tortious Interference/Unfair Competition. We didn’t discuss this in class, but you should note that there are arguments that AA’s behavior constitutes tortious interference with contract or interference with prospective economic advantage. There are probably also colorable arguments under state unfair competition laws (which are generally pretty easy to state a claim under).

F.         Threaten a Class Action on Behalf of OhBoy’s Users. While OhBoy will not have standing to enforce its users’ rights, a class action—perhaps initiated by OhBoy—may be a meaningful threat. (Of course, if OhBoy really wanted to tweak AA, it could encourage multiple OhBoy users to bring suit individually throughout the country in their home courts—which would be a big drain on AA’s legal resources). First, OhBoy’s users could complain about copyright infringement, although this is likely to be a weak claim. Second, OhBoy’s users or their ISPs could complain about trespass of their resources. Third, AA may have violated one or more anti-spam statutes (although at the moment none are effective, laws in Nevada and Washington become effective this summer).

G.        Trade Secret? Some of you thought there may be a trade secret claim here, but the fact that the email addresses were publicly available negates any trade secret claim OhBoy could make in its customer email address lists.

H.        Right of Privacy/Publicity? Some of you claimed that users would have a right of privacy claim, and a couple of you claimed they would have a right of publicity claim. Since users voluntarily posted their emails on the web, there’s no basis to claim privacy in the address. As for the right of publicity claim, it’s extremely weak to claim that AA made a commercial use of a protected interest here.

3.         To prevent further robot attacks, AA must be on notice that its robots are not welcome. A cease and desist letter ought to be sufficient to lay the groundwork for a future trespass claim. Some of the self-help techniques described below would also help.

4.         As for good PR, OhBoy can make press releases about its existing and perhaps news and improved policies about spam, and it can couple the announcements with some of the changes described below. If OhBoy wants to tweak its competitor, it will likely get some press attention to do so as the reporters write up the press releases.

Long Term

Among the steps that OhBoy could take to make its future position stronger (under trespass, copyright or breach of contract) or to technologically limit the chance of these events recurring:

* Use robot exclusion headers

* Block the IP address used by AA’s robots. Of course, AA could merely use a different IP address in the future or forge headers, but it would be a start.

* Use other anti-robot technology (such as limiting the number of http pages that will be delivered to a single IP address during a certain period of time).

* Send (automatically or manually) a notice to every person who sends a robot to OhBoy’s site that robots are not welcome.

* Place all pages containing email addresses behind a password protected page and/or use usernames instead of email addresses to identify people on the site. In fact, eBay did give people usernames and then made the email addresses available in a password protected searchable database (and then, only one address at a time). Not only does this technologically limit the problem, it assures that all people trying to harvest email addresses will be registered users who have clicked through the user agreement.

* On all pages (both the home page and others), provide a notice that says that robots are not welcome.

* In the user agreement, restrict the use of robots and the use of other users’ email addresses.

* Ensure that each page of the site contains OhBoy copyrightable material.

* Register the website with the copyright office.

Some of you suggested putting the entire site behind password protection. This is OK, but it’s not really necessary if you are only trying to protect email addresses and it would discourage new users.

Some of you suggested trying to make the email addresses into a trade secret. Since the facts said that the email addresses needed to be accessible to all users to permit user-to-user communication, it is going to be difficult to assert trade secret protection in email addresses when they are accessible to several hundred thousand of our closest customers.


One of my hot button issues is that there is a lot of bad information disseminated about cyberspace law. If you pull up the full text of the article, you’ll see what I mean (sorry, I don’t think it’s available on the web).

The first paragraph is absolutely wrong. With respect to online libel liability for the AOLs of the world, the distinction between “distributors” and “publishers” is not pivotal—it’s IRRELEVANT! (Or, as one of your peers wittily observed: “It’s passé, not pivotal!”) As Zeran and Blumenthal clearly indicated, publishers and distributors of third party defamatory content are treated equally under 47 USC §230(c)—neither are liable for the defamation if they are covered by the statute. The assertion that, if AOL was characterized as a publisher, it would be legally responsible for third party defamatory content is wrong—Zeran treated AOL as the publisher of the statements it, in its editorial discretion, refused to remove, and still held AOL not liable.

The article snippets also raise a related question—who are we talking about? The article uses, apparently interchangeably, the terms “America Online”, “Internet providers” and “websites.” In fact, 230(c) distinguishes between “interactive computer services” and (presumably) everything else. The article does not help us understand what is an ICS and whether or not “Internet providers” or “websites” will be deemed ICSs like AOL has been determined to be. This is just sloppy language on the reporter’s part, but it makes a big legal difference.

The second paragraph is a bit of a head scratcher. What is a “rigorous disclaimer”? Is it a part of the user agreement, or is it non-legally binding notice just stuck somewhere on the site? To the extent that it is the latter, why bother?

To the extent that the “rigorous disclaimer” is part of a legally binding agreement, we need to be clear about the purpose and benefit of such a “disclaimer.” If we are concerned about liability for defamation (note the article title!), such a provision will be irrelevant—presumably the “Internet provider” is not liable, regardless of the presence or absence of the disclaimer and regardless of the degree of control over user content.

If we are concerned about other types of liability for user-generated content, then it is OK to have a contract provision that tells the user that we are taking the position of a passive conduit of user information. But, let’s be honest, this is self-serving language that will probably be ignored by a judge. The risk management strategy must be carried through in practice in all of the sysop’s interactions with user-generated content, so either the sysop behaves in practice like a passive conduit or it does not. A “rigorous disclaimer” won’t persuade any judge that the sysop behaved like a passive conduit if the facts are otherwise.

Therefore, with respect to the third paragraph, it’s true that users may be liable for what they say—but is this a useful observation that needs to be made to users, and does it change CitySearch’s potential liability at all? And the statement that CitySearch is “NOT” liable (presumably someone thinks the statement is more effective because the “not” is capitalized) is not legally correct—in certain circumstances CitySearch is liable for copyright and trademark infringement and other non-speaker or publisher torts. So why bother with the statement? And why did the article implicitly suggest that this statement is part of cutting edge legal practices?

Some of you noted that I include the following paragraph in my user agreements:

You are solely responsible for your information, and we act as a passive conduit for your online distribution and publication of your information. However, we reserve the right to take any action with respect to such information we deem necessary or appropriate in our sole discretion if we believe it may create liability for us or may cause us to lose (in whole or in part) the services of our ISPs or other suppliers.

As I mentioned, the first sentence is potentially self-serving, but if it is a correct statement of factually how my client runs its business, it will be a helpful way to explain our risk management policy to third parties. In particular, the first sentence is very helpful in expediting the resolution of user-to-user disputes. The second sentence sets out by contract a very narrow set of exceptions when the site will not act as a passive conduit and will be removing user content from the site. This proves very helpful to explain to users why the site is taking—or not taking—action with user generated content. However, under no circumstances do I advise my client to put this provision into their agreement and then stop worrying about their risk management strategy, like the article suggests. Indeed, consider if a site’s risk from user-generated content would increase if we omitted my paragraph from the agreement altogether and were just silent on these points.

Sysop liability analyses are very complicated. Be wary of getting guidance from any source other than the statutes and the cases.