2001 Final Exam Sample Answer–Eric Goldman and Chuck Schwab

Santa Clara University School of Law
Cyberspace Law – Spring 2001
Sample Answer
By Eric Goldman and Chuck Schwab

This document discusses our Spring 2001 Cyberspace Law final.  There were 19 As, 39 Bs, and 3 Cs.

Question No. 1 (by Chuck)

This question presented fairly straightforward issues of statutory interpretation.  So thoughtful discussion of the facts was more important than “issue spotting.”  Keep in mind that the sample answer below is much longer than expected from any student answer.

A.        Potential Claims

Traditionally, a publisher may be held liable for the material it publishes.  For example, the NY Times may have liability for printing a defamatory letter to the editor even though a Times reader wrote the letter.

Before turning to any statutes that vary this general traditional rule, it is important to describe the different theories of liability that may arise from the content provided by the teens.  Although the general scenario here is common enough, the fact pattern specifically notes that teens may plagiarize articles.  Thus, there is a risk of copyright infringement by such submitted material.  In addition, material submitted by teens may give rise to traditionally state-based tort claims such as defamation (libel), right of publicity, invasion of privacy and others.

1.  Copyright

Direct Infringement.

If a teen user copies a third party’s work and it is made available on the Gozzel website, a number of the exclusive copyright rights may be infringed.  Because Gozzel’s servers are reproducing and distributing the works, an argument can be made that Gozzel is committing direct copyright infringement of the user-submitted infringing works.  Prior to the DMCA, case law was split on this, and it remains an open question today whether or not direct liability attaches in this situation.

Contributory Infringement.

Since Gozzel’s editors develop the article topics, Gozzel knows that its teen reporters sometimes plagiarize articles, and the editors substantively review the articles before posting them, an argument can be made that Gozzel knew of infringing activity and contributed to it by choosing to display the articles.  Gozzel would counterargue that it did not know that a specific article was infringing and thus lacked sufficient knowledge, but this counterargument didn’t go far with the Napster court.

Gozzel can lower its liability exposure by not assigning specific topics or reviewing submitted articles.  These techniques, however, are not foolproof.

Vicarious Infringement.

Gozzel has the right and ability to control the acts because it reviews articles before it posts them.  (Note this case differs from other user-generated content situations because of its substantive pre-review.)  Gozzel presumably generates revenues through the site which is driven by the site content (whether infringing or not)—and in Napster’s case, even tangential revenue generation constitutes “direct financial benefit.”

To minimize this liability risk, Gozzel needs to attack the right and ability to control prong—which isn’t possible unless it eliminates the pre-review.

Therefore, under its current plans and failing a defense, Gozzel likely has copyright liability for infringing articles provided by its teen users.

2.  State Law Torts

The formulations of the various state tort law causes of action vary significantly from state to state.  However, defamation is one tort that is fairly uniform.  It requires the defendant’s publication of a false and damaging statement of fact to another party.  In Gozzel’s situation, any content posted on the website is published to another party (as long as it’s downloaded at least once).  The content provided by teens may or may not be considered statements of fact rather than opinion.  The answers to the questions of fact vs. opinion and veracity are highly fact-specific and would have to be determined on a case by case basis.  For these reasons, it could be prohibitively expensive for Gozzel to accurately vet all submitted content prior to posting it.  If an employee reviews every submission, the employee must first be trained to identify defamatory or other tortious statements and potentially determine veracity as well.

Other potential liabilities include violations of federal obscenity and child pornography laws.  If Gozzel is pre-reviewing the content, its editors should have little problem screening out content that might violate these laws.  Note that this risk could increase if Gozzel loosens its control of the site to take advantage of safe harbors discussed below.

B.        Potential Safe Harbors

Gozzel may be able to take advantage of the safe harbors of section 512c of the Digital Millennium Copyright Act of 1998 (DMCA) for copyright claims and section 230 of the Communications Decency Act of 1995 (CDA) for the state law tort claims discussed above.

1.  Third party content?

There is a threshold question to analyze the safe harbors: is the content really “third party content”?  Specifically, under the CDA, is the “information provided by another information content provider”; and under the DMCA, is the content “stored at the direction of users”?

2. CDA

The courts have applied CDA sec. 230 to a broad range of claims, including defamation, associated negligence claims (Zeran, Doe), inaccurate information (Ben Ezra), privacy rights/public nuisance (Franco), CA B&P 17200 based on bootleg recordings (Stoner), and distribution of fake sports autographs (eBay).  Thus, most state-law tort concerns discussed above, as well as any state-law obscenity claims, should be covered by the sec. 230 safe harbor.

In addition, courts have assumed, without much discussion, that information at issue is “provided by another information content provider.”  The most promising case was Blumenthal v. Drudge, in which AOL was dismissed from the suit because the information was provided by another ICP even though Drudge received a salary rather than being paid by the story and AOL retained the right to edit the content.  However, this issue was assumed away by the court.

Here, teens do not receive a regular salary for articles (they are paid by the article).  However, Gozzel develops ‘assignments’ and specifies what is to be written and takes the articles and revises them substantively.  As Stoner v. eBay dicta points out, at some point Gozzel may be considered a “joint provider” or Gozzel’s actions make the articles Gozzel’s content.  Gozzel’s plans – especially the actual editing rather than just the right to edit as in Blumenthal – may exceed the limit courts are willing to stretch sec. 230.

To improve the odds that the CDA will protect it, Gozzel should not edit the articles substantively and should limit its involvement to formal changes like spelling corrections.  Also, Gozzel should avoid making assignments to specific teens, perhaps by using a volunteer page where it posts suggested subjects that teens can choose from.


Section 512(c) provides protection from copyright infringement liability if the party claiming such protection meets the specified requirements.  Again, the principal question is whether Gozzel is “storing material at the user’s direction.”  Arguably, the answer is no if Gozzel requests articles on certain topics, receives articles, and places them where it chooses.

Therefore, in order to claim the safe harbor, Gozzel must exercise less control over how and where the content is posted, allowing teens to post the content where they want to.  Gozzel should minimize reviewing content submitted by teens to avoid knowledge of any infringing works.  In addition, in its user agreement, Gozzel need not reserve the right to delete any content in its discretion.  Gozzel should limit this power only to copyright infringements and other liability-driven reasons.

To perfect its ability to claim the DMCA safe harbor, Gozzel must meet the other statutory preconditions, such as filing a notice with the Copyright Office and posting the information on its website, responding to DMCA-compliant notices, terminating repeat infringers, and not interfering with standard technical measures.  Although 512c provides that Gozzel need not take down the allegedly infringing content unless the notice substantially conforms to the statutory requirements, the ALS Scan case substantially loosens what qualifies as a DMCA-compliant notice.

Although Gozzel will also try to claim fair use as a defense, this is a last ditch defense with little hope of succeeding.

C.        Closing

To avoid liability for its teen user’s content, Gozzel should significantly reduce its involvement in its creation and posting.  The most important liability to be concerned about is copyright infringement because of the expansiveness of the liability, the difficulty in properly assessing the risk upfront, and the high damages awards.

However, if Gozzel wants to maintain significant involvement with the content, Gozzel should (1) consider insurance for these types of claims (which can be very expensive), or (2) educate its editors to spot copyright infringing and tortious materials before they are posted on the site.

D.        General Comments in Response to Student Answers

There were two main legal issues, CDA and DMCA and the liability from which these safe harbors may offer protection.  A good answer really needed to discuss both issues.  Although the detail of the above sample was not required to earn a high grade, addressing most of the general concepts were integral to high scoring answers.

Perhaps because it is difficult to think creatively at test time, students generally did not do well in suggesting changes to the service, so that aspect figured only minimally in evaluating answers.

Some comments about student answers that were less helpful or unhelpful:

E.         Less Helpful Answers

Concluding that the CDA does not apply and providing no analysis for it.

Suggesting DMCA sec. 512 safe harbor but providing no analysis of how it may help Gozzel.

Concluding that DMCA sec. 512c precludes contributory and vicarious copyright liability.  Although this argument has been made by some, it appears to have been rejected in Napster and ALS Scan.

Spending time on DMCA 512(a) or (b).  These aren’t really relevant ((a) deals with transitory network transmissions and (b) deals with proxy caching); 512(c) is far more relevant as a safe harbor.

Trademark discussion.  Trademarks may have a tangential impact on teen content, but it is hard to see how Gozzel is using any marks on competing products.

DMCA sec. 1202 (copyright management information).  Liability under this section is likely to occur only in a subset of the situations where Gozzel will be liable for standard copyright infringement.

Criminal copyright infringement.  Weakly relevant.

F.         Unhelpful Answers

Under-13 issues.  This is relevant only to COPPA or contracts; see the call of the question.

Infringement by Gozzel of copyright material owned by teen users.  Based on the circumstances, Gozzel has at least an implied license to use it.  However, the user agreement would undoubtedly include an express license for Gozzel.

Hot news/misappropriation/trespass.  Hot news is a stretch based on the types of content at issue.  Misappropriation is likely preempted by copyright.  A trespass claim protects the servers and equipment hosting the content, not the content itself; so there is no trespass issue here.

Contracting.  See the call of the question: don’t discuss contract formation.

ACPA (Anti Cybersquatting Protection Act).  ACPA applies only to domain names and thus is irrelevant to this question.

Framing.  Gozzel is not framing content; it is publishing the content from its servers.

Question No. 2 (by Eric)

This was a very difficult question, but many of you handled it impressively.  As usual, this scenario was based on a real life situation.  A vendor, who shall remain nameless, offered to track users who left Epinions.com to visit merchants.  This information would be very valuable to Epinions, so Fliar made it through several layers of business and technical diligence before I finally kyboshed the deal.

Note that I did the most difficult part for you.  Fliar was able to evade many questions from the businesspeople with ambiguous and in some cases misleading answers.  Finally, when I drilled down on exactly how Fliar worked with SSL, all of the other issues became apparent.  However, no one else at Epinions raised—or even recognized—the SSL issue.  This shows how important it is for lawyers to understand the technical and business issues surrounding the legal context; often, the answer lies at the interaction of the legal issues with the technical and business ones.

In analyzing the exam question, there are 4 potential plaintiffs to consider: merchants, users, the government, and the publishers.

1.                  Merchants.

The merchants suffer the following harms: their privacy policies are contravened, their users are spooked and thus the merchants lose goodwill, the page serving times may be lengthened due to the additional processing steps, and they lose control over their valuable business information.  These harms support the following claims:

  • Computer Fraud and Abuse Act (CFAA).  The application of this statute depends on whether or not Fliar would be deemed to be “accessing” the merchants’ servers.  Although case law has not specifically addressed this point, I think the trend supports this conclusion.
  • Electronic Communications Privacy Act (ECPA).  The application of this statute depends on whether or not merchant/user communications would be deemed “private communications.”  A good argument could be made that they are, given the expectations set by merchant privacy policies and SSL.
  • Trespass.  Unwanted links arguably could constitute a trespass to third party servers because  the unwanted links directly result in server use.  On the other hand, the linking site is not directly intermeddling with the server—the linked users are.  So it’s an open question whether or not the Fliar links should constitute a trespass.  If unwanted linking is intermeddling, we have the other trespass elements: the harm is any of the harms described above, and I would argue that SSL constitutes both notice and self-help.
  • Copyright Infringement.  To the extent that browsing is infringement, we could have an infringement here.  However, does Fliar really do anything different than any other Internet access provider? 512(a) might also help Fliar if it needs it.

In addition, we have a frame on top of the merchant pages.  Merchants could argue that this constitutes an unauthorized derivative work, although there really isn’t much additional copyrightable material displayed by Fliar.  However, under the more inclusive Ninth Circuit rulings, even a non-substantive frame could create a derivative work.

  • Anti-Circumvention.  Although it’s never been applied in this context, an argument could be made that Fliar’s scheme violates Section 1201(a)(1).  The central question is whether SSL protects access to a copyrighted work.  I think a good argument could be made that the merchant pages are copyrightable and SSL does protect access to the pages.  To the extent that Fliar offers its service to third parties, an argument could also be made that they are “distributing” or trafficking in the technology; this is a weaker argument.
  • Merchant’s Breach of Privacy Policy.  It’s not clear that merchants would be liable for breaching their privacy policies, as they are not taking any actions that violate their privacy policies.  I believe the contravention of privacy policy is just a harm/damage that supports other causes of action.  However, an argument could be made that any Fliar-caused breach of the privacy policy constitutes a tortious interference with contract.
  • Misappropriation/Unfair Competition/Unfair Business Practices.  There are a wide variety of “soft” torts that could be claimed.

Other merchant claims that I didn’t want you to discuss but could apply:

  • Passing Off/Trademark Infringement.  The framing/domain name usurpation could support these claims.
  • Trade Secret Misappropriation.  A trade secret is information that is valuable and for which reasonable efforts are used to keep secret.  Customer lists are often considered a trade secret.  Here, Fliar arguably misappropriates customer information that could be considered a trade secret.  Certainly a merchant’s use of SSL would constitute reasonable efforts to keep the information secret.

2.                  Users.  Users could make the following claims:

  • CFAA
  • ECPA
  • Fliar’s breach of its own privacy policy.  We didn’t have any information about Fliar’s privacy policy, but any claim that Fliar honors SSL could be misleading.

3.                  Government.  The government could make the following claims:

  • CFAA
  • ECPA
  • FTCA for causing merchants to violate their privacy policy
  • FTCA for Flair violating its own privacy policy (if it does)
  • Criminal copyright infringement (doubtful)

4.                  Publishers.  The Fliar/publisher contract governs any liability to the publishers.  Publishers will likely demand an indemnity that insulates them from liabilities they may incur directly.  However, some liability, like criminal violations of the CFAA and ECPA, cannot be shifted by contractual indemnity, so publishers will remain skittish.  Ironically, Fliar’s form service contract tried to shift almost all of the risk to Epinions.

5.                  Fliar’s Sustainability.  My rule of thumb is that if merchants could potentially make 9 different claims against Fliar, at least one would stick.  I think most judges would apply a common sense rule—this doesn’t make sense—and then find one or more claims to back them up.  So the law isn’t Fliar’s friend.  However, Fliar’s business isn’t sustainable for other reasons as well:

  • Merchants could IP address block Fliar.  One merchant wouldn’t be a problem; massive blocking puts Fliar out of business.  The only challenge is determining Fliar’s IP addresses—it may be able to “hide” behind publishers’ IP addresses, making blocking more difficult.
  • Merchants could cut off contracts with publishers who use Fliar.
  • Publicity could kill this business.  See http://news.cnet.com/news/0-1007-200-2520471.html.   Even though users are tracked surreptitiously multiple ways every time they use the Internet, this feels especially invasive for some reason.
  • As discussed below, properly deploying Fliar would require both merchants and publishers to make disclosures to users.  Neither of them will want to make these disclosures:

–         merchants have no incentive to change their privacy policies

–         publishers will not want to make the disclosure because it will scare their users from using the links.  Indeed, many publishers probably already make contrary disclosures in their existing privacy policies that they don’t track users or collect information about their users.  See http://www.revenews.com/advice/news/080300a.html.

6.                  Mitigating Measures.  Disclosure to users will eliminate user complaints and negate any related complaints from merchants.  (Note “contractual” consent is not necessarily required; notice may be sufficient).  However, nothing short of disclosure to users and consent from merchants will make this system workable.  Thus, mitigating steps include:

  • Get merchants to disclose the use of Fliar to users.
  • Get publishers to disclose the use of Fliar to users.
  • Become more visible in the process and make its own disclosures to users.  This could be accomplished through an interstitial (which is a bad user/product experience) or by legending the merchant pages (which could make the derivative work claim worse).
  • Put the onus on publishers to get merchant consent.  Interestingly, Fliar took this approach.  Ludicrously, it argued that Fliar was permitted by merchants through the “audit” section of publisher/merchant agreements (trust me, this argument doesn’t pass the laugh test).

7.                  Other Discussion.  Some points made in your exams that warrant commentary:

  • COPPA is a minor issue.  Because kids under 13 have minimal capacity to transact online, the chances of COPPA violations are very small.  However, Fliar should make sure that no included merchants collect age information.
  • Caching was really not an issue.  It’s not clear that any copyrightable material is cached.
  • Derivative liability and 47 USC 230(c)/17 USC 512(c) and (d) was effectively irrelevant.  The risk of Fliar being liable for bad merchant content is not worth worrying about.
  • Unjust enrichment is not really a claim on its own—it’s a remedy for damages.
  • As mentioned above, non-consenting merchants probably are not violating their privacy policies and thus won’t be liable under the FTCA.
  • A few of you thought another plaintiff would be the “SSL technology provider.”  Good try, but no such thing exists.
  • Intangible information can’t be trespassed.