1997 Cyberspace Law Sample Final Exam Answer — Eric Goldman

Santa Clara University School of Law/Cyberspace Law Spring 1997
Professor Eric Schlachter (ericgoldman@onebox.com)

This document describes some of the points that I was looking for in this year’s exam answers. There was no “right” answer to the questions, and I saw many high scoring answers that took alternative paths to success. I gave 13 As, 23 Bs and 2 Cs.


There are two easy steps towards improved scores on this exam:

* Answer the call of the question. Many of you lost points unnecessarily by failing to answer the question asked. On question 1, many of you listed all of the causes of actions that could be brought against Wort instead of figuring out a plan to resolve the situation. (Many of you must not have picked up on my belief that litigation is rarely a good resolution to a Net problem). On question 3, many of you critiqued gambling on the Net instead of describing the difficulties in using contracts to control the risks.

* Organization. In both questions 1 and 2, a number of you were able to significantly improve your score through superior organization. On the flip side, a lot of you lost points unnecessarily through weak organization. Although there are many ways to organize answers to the questions, consider the organization I use below.


Question 1

This question was based on a real life situation I faced in my practice. Despite the similarity to Zeran, this situation occurred before the Zeran case was decided. The story goes as follows: our client (Crumb Corp.) entered into a $60 million merger agreement with BoBo. When the signing of the merger was announced, there was significant discussion about Crumb Corp. at the BoBo forum on a website that specializes in discussions about various high technology stocks. Wort launched a series of attack messages against the president of Crumb Corp., Saber. (The messages were paraphrased pretty faithfully in the exam.) The partner on the Crumb Corp. account forwarded to me a message from Saber and told me to take care of the problem. I had never spoken to Saber, had not worked on the merger, and basically had no context. This is a classic cyberspace law practice problem.

The dilemma, then, is figuring out where to go from there. Here is one possible process:

1. Talk to Saber About What He Wants to Do.

Saber is our client and the first step is to figure out what he wants to do. (I was surprised at how many of you skipped over this step!!) Here are some of Saber’s options:

* He can seek to eliminate all lingering offending messages. Note that Saber already complained to the sysop and appears to have succeeded in removing at least 3 of the messages. While everyone assumed that the fourth one was still on the system, in practice it is possible that this one was also removed but cached downstream. It’s truly a case of seeing is not believing. Note also that Saber said “still no action,” implying he does not realize that some of the messages are already down. This is probably because these messages have been cached on his system, and he needs to flush his cache. Believe it or not, in real life the client’s local computer had cached the messages on his hard drive, so he always thought he was being ignored! If you are thinking this issue was too subtle, you’re right—no one got it.

* He can post his own reply. This is a powerful Net-savvy option. In particular, a topic-specific forum such as the BoBo forum is a level playing field where the readers are interested in accurate information and getting to the truth. In real life, unfortunately, the client decided to post a response without consulting us, and he posted a profanity-laced reply that caused the forum to go into a tailspin. Our client’s messages were so bad that the sysop removed his messages along with Wort’s.

* He can try to get Wort to cease posting messages. We’ll talk about this below.

* He can sue. This is definitely the weakest option. We’ll talk about why suits against CompuServe and smallinvestor.com are likely to fail, so his only recourse is against Wort. This is likely to be unsatisfying because (a) we may not be able to find the bad actor, (b) the bad actor is likely to be judgment proof, and (c) while some people claim that there is no such thing as bad press, expanding the press coverage given to this issue while a merger is pending poses significant risks. In this case, a private resolution is likely to be more desirable even if we have legal or moral right on our side.

For purposes of the rest of the question, we’ll assume Saber wants us to pursue all of these.

2. Try to Find the Bad Actor.

We have limited information about the bad actor. While the messages have been from 98765.4321@compuserve.com, an account registered to Lew Wort, we cannot assume this information is true:

* At many sites, people can register under aliases. Therefore, the bad actor may have registered using bogus information. See Zeran v. AOL.

* It is easy to forge headers. The bad actor could make it appear that he was posting from someone else’s real account by forging.

* The account holder may have lost control over his or her account. This is what happened in Stratton Oakmont v. Prodigy, where the emails were posted by a person who hacked into a former employee’s inactive account. In real life, when we finally traced down the owner of the account, we learned that it was an inactive general corporate account held by Emerald, a competitor/customer of Crumb Corp. It actually became somewhat easy to seek a resolution when they realized their account was being abused.

The lesson here is clear: many of you were prepared to send nasty-grams and flame mail at the account holder. This is likely to be a misstep. At maximum, the account holder should be approached with a light touch. You never know if they are foe or friend. Also, remember my “wild animal” analogy—you never know when or how these people will strike next.

3. Approach CompuServe for Help.

Our goal is to get CompuServe’s help in (a) finding out more information about 98765.4321 and (b) ceasing the postings from this account. Since it is possible that the email headers are being forged or the account is an alias, we should not assume CompuServe has any control over the situation. However, they may prove to be helpful even if the headers are being forged, since the poster’s actions reflect on CompuServe.

As a number of you pointed out, CompuServe is unlikely to tell us anything about 98765.4321 because of privacy concerns. Short of seeking a court order or getting discovery, there is no legal basis for disgorging this information from CompuServe. However, I was able to convince CompuServe to contact 98765.4321 and notify them of our concerns, which led to our discovery that Emerald was involved.

As a number of you also pointed out, unless there is a forged header/alias problem, the behavior of 98765.4321 likely is a violation of its agreement with CompuServe. While it is doubtful Saber would be a third party beneficiary of that agreement, it is relatively easy to convince CompuServe to terminate the account.

As we saw in Zeran, terminating the account does not do much, but it is a good start.

As for CompuServe’s legal liability, we are likely to find that its liability is preempted by CDA Section 509 and Zeran. CompuServe is an interactive computer service, and as we saw in Zeran, the I.C.S. is likely to be able to absolve itself of legal liability for the actions of its users.

4. Approach the Sysop of smallinvestor.com.

The single biggest point of confusion on Question 1 was the identity of the sysop of smallinvestor.com. Some of you assumed that smallinvestor.com was part of CompuServe; a few of you thought it was sponsored or run by BoBo. Although I thought the facts were clear, about ½ of you were confused about this, so I tried not to penalize people for this confusion (unless the confusion extended to the rest of the analysis). I had intended smallinvestor.com to be an independent website.

Our objectives in approaching the sysop are (a) obtain more information about 98765.4321, (b) remove any remaining messages, (c) seek to have the sysop help us prevent further attacks, and (d) perhaps have the sysop post some sort of retraction. Ultimately we may need to bring suit against the sysop, but our first approach needs to be friendly.

As with CompuServe, the sysop may be reticent about disclosing information. A perusal of the site might yield some information, however.

The sysop should be responsive to removing other messages if they have already removed some of the messages. A discussion should reveal why only 3 messages were taken down—maybe it was an error, maybe our client had not complained about the fourth, or maybe there was some reason why the sysop chose to keep it. (I changed the fact pattern from the real life situation. There, a different message than 178 had stayed up because it had not contained any offensive material in the sysop’s eyes; when I complained, the sysop agreed to take it down anyway). We’ll talk about the legal liability issue below.

The sysop may also be responsive to preventing the user from further postings. As with CompuServe, this may be of dubious efficacy. However, note that since 98765.4321 appears to be a frequent poster, locking them out (even if it forces them to reregister under a different name) would destroy some of the reputational interest they have built. We’ll talk about the legal liability issue below.

Finally, we might need to ask the sysop to post a retraction to preserve legal rights, despite the holding of It’s In the Cards. As a matter of practice, it would probably be better for our client to post a reply than to get the sysop to post a retraction.

As for the sysop’s liability, we could assert that the sysop is the publisher or speaker of the messages posted and therefore should be liable for their contents. We can support this argument by their implicit editing of the content by leaving one of the messages up (which perhaps they “selected” to stay) or by republishing it after notice from Saber. Of course, it is likely that any such argument will be preempted by the CDA Section 509 and Zeran. However, there are a few outstanding issues here:

* is a website an I.C.S.?

* will Section 509 preempt liability for all of the types of harm caused by 98765.4321? We know it preempts defamation and other “publisher or speaker” torts. Are all of the torts committed by 98765.4321 such torts?

* Will other courts follow Zeran? Or will other courts follow footnote 20 of Zeran and say that the sysop’s actions made them a “provider”?

5. Approach the Bad Actor.

Here we must be clearest about our objectives. As I have indicated, the bad actor may be hard to find, and bad actors as a general rule are unpredictable. We need to plan for other things that the bad actor might do. These could include further attacks on electronic forums, other sorts of attacks (attacks on our website, mail bombs, etc.), bringing the issue to the mass media’s attention and perhaps even physical attacks. As a result, the LAST thing I would do is send flame mail to 98765.4321 without knowing that the bad actor is there and knowing other information about their identity so that we can act quickly in the event of further misbehavior.

Perhaps we can induce the bad actor to post his or her own retraction. This would probably be a great result for our client.

*IF* we choose to approach the bad actor, Saber has numerous potential claims:

* defamation (messages 172, 178 and 179). We have per se defamation. There are some issues here about public figure/public concern, although I doubt we’ll have

a problem with malice. The most problematic defense is truth.

* harassment/intentional or negligent infliction of emotional distress. We don’t need to discuss all of the ways in which these claims might or might not succeed.

* threats (message 182). Note that this message is probably too “soft” to qualify for a prosecution under 18 USC 875(c) (i.e., the statute at issue in U.S v. Baker).

But it may be enough to get a restraining order under state law (see Internet America v. Massey by way of example).

* interference with contract/interference with prospective economic advantage (message 178) for potentially interfering with the merger.

* rights of privacy (unlikely).

There are other potential third party claims that could be brought against the bad actor. Since this does little to “resolve the matter,” they did not warrant much time on your exam except perhaps as they might have supported your leverage against the bad actor. These other claims include:

* stock fraud (especially 178). The SEC might be interested in this.

* negligent misrepresentation. The potential plaintiffs would be all of those who detrimentally relied (i.e., people who sold based on allegedly bogus information). Except in the case of a class action, this cause of action is likely to be too diffuse to be of much good. In addition, under Daniel v. Dow Jones, it is unlikely these plaintiffs will be able to assert a special relationship.

* group libel (unlikely)

* trade libel/interference with contract claims that could be brought by Crumb Corp. or even BoBo.

Note that Saber might try to get others involved to assist him to resolve the matter, such as the SEC, the FBI, the local police, or BoBo’s attorneys. This might deflect further attacks being levied against Saber, and it might help defray the costs.

In conclusion, you did not have enough time to address all of these points. However, many of you ran into a time crunch by doing extensive legal analyses of all of the ways to smack the bad actor instead of focusing on the process of resolving the matter.


Question 2

Question 2 is also a real life question. I got a call from another attorney trying to prepare for a call with his client who was proposing this scheme. The attorney thought there might be some issues. Was he right?!

1. Copyright.

As many of you discerned, our client is doing something like caching. Technically, I would consider this to be mirroring.

As many of you pointed out, a number of copyright rights are implicated by Foreignews actions, including reproduction, distribution, creation of derivative works (in the form of compilations), public display (possibly), and public/digital performance (possibly).

Foreignews could assert the fair use defense:

* purpose and character of use. The use is pretty clearly commercial.

* nature of copyrighted work. Some of you rightly pointed out that it is likely to be more like fact than fiction and the works are clearly published.

* amount taken. 100% of each article.

* effect on the market. Some of you tried to argue that, since the periodicals were directed at South America, there was no loss in the market. In my mind, the Internet collapses geographic markets. So, for example, if these foreign periodicals were charging per page impression, they will lose these impressions. I think courts would likely find a detrimental effect on the market.

All told, it looks like our client probably loses on fair use.

Our client could also assert the implied license defense. I have always approached this defense gingerly, and I certainly would not approve of it as the basis of our client’s business here.

In fact, if anything, I think our client could be liable for criminal copyright infringement. The elements of criminal copyright infringement are willful infringement plus direct financial benefit, or willful infringement plus losses of $5,000. Under either test, I think we could have a prima facie case.

Inexplicably, some of you asserted that, while Foreignews’ business model as described was defective, our client could remedy the situation by caching. Huh? Please review my Cache 22 article.

As many of you concluded, the best we can do is recommend our client use hypertext links instead of mirroring. Even this is not free from peril (see Shetland Times case, plus the more recent cases involving Totalnews and Ticketmaster). However, it does make the risk more manageable. As a number of you pointed out, obtaining a license would also solve the problem, but this is likely to be significantly more costly.

2. Liability for Content.

Since the robot is picking up content without any review, it is possible (likely?) that the content could contain liability-creating material, such as defamatory material, material which our foreign counterpart loaded in violation of copyright, obscene material, etc. In this circumstance, we reach the anomalous result that Foreignews is likely protected by CDA Section 509. Of course, there are still some limits to this:

* is a website an I.C.S.?

* would any court extend Section 509 protections to a party that has itself engaged in such blatant (and possibly criminal) infringement?

* will a court uphold a dichotomy in liability incurred by an online periodical versus a print periodical?

* 509 will not protect Foreignews for being a further infringer of intellectual property.

3. Jurisdiction.

Foreignews presumably will find itself liable in these foreign jurisdictions to the extent that they can reach Foreignews.

4. Trademarks.

Depending on the way in which Foreignews uses the trademarks of the other periodicals it is copying, it might be liable for trademark infringement.

5. Business Model.

As some of you pointed out, the banner ad business model has weaknesses. A few of you asserted that the audience might be too narrow; I found this perplexing, since the Internet is best at narrowcasting.


Question 3

This question was deceptively simple. I had written this question to cover a real life client situation, but that situation got murky in light of Zeran. So I tried to alter the question to make sure the sysop was liable for its own activity—hence, gambling. Many of you were excited to tell me all of the problems with gambling on the Net—but that was last year’s question! This year’s question was really intended to enumerate all of the reasons why clickthrough agreements may not achieve their desired results:

* leaky clickthrough agreements: to ensure maximum enforceability, they must be structured so that no one can access the site without clicking through. If technically someone can enter the site without clicking on the page, then they can assert they never had notice of the terms

* illegality: no matter what the sysop tries to do in the agreement, the sysop will still be liable for engaging in illegal conduct where ever its conduct is illegal. Since the site probably violates both federal and state laws, there is little we can do in the agreement to prevent a criminal action from being brought. I believe this to be true even if the agreement contains disclaimers (i.e., you are not welcome if you are from specified verboten states) or a representation or warranty that the user is not from verboten states.

Even advertising the website could be sufficient to violate state laws (see Minnesota v. Granite Gate Resorts). Again, this risk cannot easily be eliminated by contract.

* jurisdiction. Although we presumably can have a binding governing law, jurisdiction and venue clause in our agreement with end users, this clause will be ineffective against third party plaintiffs (i.e., the government).

* Unenforceability. There are multiple reasons why the agreement might be unenforceable:

– Illegality. To the extent that the agreement is for illegal purposes, we will not be able to enforce it against the users. Some of the terms of the agreement might also be “preempted” by local law.

– language. We are unlikely to be able to enforce the agreement against people who do not understand English.

– minor. Unless we verify age, there is no way to enforce the agreement against minors.

– other incapacities, such as intoxication or insanity. There is no way to know if a user clicking through is afflicted with these conditions.

– unconscionability. The more aggressively we try to protect ourselves, the more likely the agreement could be deemed unconscionable.

Some of you asserted that there must be a refund option to have an enforceable agreement. I do not think this is a natural reading of ProCD; if anything, Easterbrook seemed to assume that agreements for services were enforceable even if the terms were disclosed later (i.e., on the back of a ticket) and without any stated refund policy.