Supporting Abuse Desks
IT Group Presentation/June 23, 1999
by Eric Goldman
1. SOURCE MATERIALS. To support an abuse desk, you need a copy of the user agreement and privacy policy. You also need to understand the site’s risk management procedures for reducing liability from third party content.
2. LIABILITY CLAIMS.
2.1 Philosophy.
(a) Some sites tend towards restricting user content; others tend to be more permissive. Understand your client’s philosophy.
(b) CSRs act like private judges. Users want CSRs to be reasonable and consistent across similar situations (increases predictability). In contrast, CSRs are often capricious and arbitrary. This can quickly result in user confusion.
(c) Some sites are considering outsourcing certain decisions to neutral third parties and abiding by their decisions. This can include independent contractors or ADR.
2.2 Defamation. Working belief is that a website is not liable for third party defamatory content. 47 USC 230(c)(1). So the site can leave material up or take it down without any legal liability.
2.3 Copyright. The DMCA (17 USC 512(c)) set up safe harbors for direct copyright infringement attributable to third party infringing content—thus not affecting contributory and vicarious infringement liability theories.
Since vicarious infringement is a strict liability offense, if it can be confirmed that the material is infringing, the website’s best course of action is to take down the material ASAP to minimize damages.
With respect to contributory infringement, the DMCA’s description of “adequate notice” may be persuasive even if the DMCA does not apply. A DMCA-compliant notice requires: (a) physical/electronic signature of a person authorized to act on copyright owner’s behalf, (b) identification of the infringed work (or representative sample), (c) identification of the infringing copies with information reasonably sufficient to permit the website to locate the material, (d) contact information for the complainer, (e) a statement that complainant has a good faith belief that the material is not authorized for this use, and (f) a statement that the information in the complaint is accurate and, under penalty of perjury, the complainant is authorized to act on the owner’s behalf. A deficient notice means that the website lacks actual knowledge or awareness of circumstances of infringement. However, if a notice contains (b)-(d) but is otherwise defective, the website has to ask for the other info to claim the safe harbor.
If a CSR receives a non-DMCA compliant notice, currently we advise the CSR to notify the complainant of the requirements of the DMCA and not to take any action until a compliant notice is submitted. THIS RISKS THAT A COURT WILL DEEM THE STANDARD FOR KNOWLEDGE (UNDER CONTRIBUTORY INFRINGEMENT DOCTRINE) AS BEING SOMETHING LESS THAN A DMCA-COMPLIANT NOTICE.
If the website wants to try to preserve the DMCA safe harbor for direct infringement, the website must: (w) act when it receives notice, (x) file a notice with the copyright office designating someone to receive complaints of infringement, and post this notice on their website, (y) notify users in their user agreement and follow a policy to terminate repeat infringers, and (z) accommodate and not interfere with “standard technical measures.”
2.4 Trademark. No clear precedent in this area. The danger is contributory infringement, but we don’t have clear standards on what constitutes sufficient notice of trademark infringement. Working theory is to err on the conservative side when notice is received.
2.5 Obscenity/Child Porn/Porn. Scienter is probably required before a site can be liable for obscenity/child porn. If a site gets sufficient notice, however, it may be liable. Working policy is to assume that the most restrictive statutory definition will apply.
Some sites prohibit non-illegal pornography. In this situation, is no good answer about when a picture should stay up or come down. Usually this ends up being a situation where the CSR will leave the content up or take it down using arbitrary/capricious standards.
2.6 Spam/Spamvertising. Spam might be illegal, but usually the best the service provider can do is kick the user off the system. With respect to spamvertising, the Realtime Blackhole List demands that the advertised website be taken down. Usually this is the most expeditious course of action, but it begs the question of whether liability attaches from following this course of action.
2.7 What If a CSR “Stumbles Across” Problematic Content? CSRs often stumble across bad content without having received a third party complaint. Per our standard risk management procedures, we recommend that CSRs don’t monitor. If in fact CSRs are monitoring, there is no good answer for what to do then. If they are not monitoring but incidentally see bad content, assume they have the requisite scienter for liability.
3. REQUESTS FOR DISCLOSURES.
3.1 Private Requests.
(a) Plaintiff v. Doe. This leads to a subpoena or court-ordered request for documents. See memo 163086/SD for a more thorough discussion.
(b) If the request is for voluntary disclosure of information, need to check your privacy policy! Also, the ECPA restricts the disclosure of the contents of private or stored communications to private parties.
(c) DMCA-Compelled Disclosures. 17 USC 512(h). Copyright owner may request a subpoena requesting the identity of an alleged infringer from the clerk of a federal district court by submitting (a) a copy of the DMCA-compliant notice already submitted to the website, (b) a proposed subpoena ordering the website to disclose information sufficient to identify the alleged infringer to the extent the website has such information, and (c) a sworn declaration that the identity info will be used only to protect copyright interests. The clerk is required to issue a subpoena if it receives such a request. Upon the subpoena’s submission to the website, the website is supposed to expeditiously disclose the information required by the subpoena.
3.2 Government Requests.
(a) Assume the government is lying to you, ESPECIALLY if they say their request complies with the ECPA.
(b) Electronic Communications Privacy Act. Most websites want to cooperate with the government to avoid becoming a target of the investigation. However, a website’s violation of the ECPA can lead to civil and in some cases criminal penalties. Tread cautiously!
- Private/Stored Communications. Any disclosure of this info requires at least a government subpoena (but more may be required). If you are evaluating a request for this info, you must review 18 USC 2702(b) and 2703.
- User Information. With a government subpoena, the government can obtain ONLY the name, address, telephone records, telephone number, other user number or identity, length of service and types of service used. Other disclosures of user information (NOT user content) require a civil subpoena, criminal defendant subpoena, criminal warrant, federal court order or subscriber consent.
- Publicly Available Content/Information. This is a silly request, since the government can obtain this information merely by accessing the site. Ironically, the ECPA is opaque on this point, and it might be an ECPA violation to give this information to the government without the requisite subpoena/warrant/court order. Conservative approach is to make the government get the info off the site itself.