Many Web sites contain a link to a Terms of Service (“TOS”), Terms and Conditions of Use, or similarly titled Web page. What are these? Essentially, these pages are the site owner’s contract or license agreement with users who simply browse or use the services offered by the site owner. TOS are important to Web site owners for various reasons such as limiting stresses placed on the host network from unreasonable use, protecting intellectual property, and protecting against inappropriate use of the site.

Indeed, Facebook, the popular social networking site that claims 175 million users, recently had a backlash from users when Facebook changed its terms of use to grant Facebook what protesters claimed was greater control over user content. Facebook reverted to its former terms of use while it studies the situation.

Are a Web site’s Terms of Service enforceable? As with most legal issues, the qualified answer is “it depends.” Most sites’ TOS can be lumped into one of two types of agreements: “click wrap” and “browse wrap” agreements. There are generally no negotiations on the Internet and a contract or license requires consent. The type of consent – explicit or implicit – is the differentiator between click wrap and browser wrap agreements.

A click wrap agreement requires users to click an “I Agree” button or manifest assent by checking a checkbox. Click wrap agreements are used particularly by online social networking, membership and commercial online sellers, where the site owners usually also require additional personal information. This agreement is typically a prerequisite to viewing the site or unlocking members-only content or functionality. Of course, premium content paid sites and software as a service sites (“SaaS” and formerly referred to as an application service provider or “ASP”) also require electronic payment information and assent to payment terms.

Unlike the click wrap agreement, a browse wrap agreement is used passively on a site and is either contained on the site’s homepage or on a Web page accessed via a link to a page containing the site’s TOS. A user is deemed to consent to the TOS by using the site. Thus, a browse wrap agreement does not require any clear user agreement with the TOS. Courts interpreting browse wrap agreements have been mixed as to their validity. As a general rule, the enforceability of the browse wrap TOS has turned on whether the user has actual or constructive notice that the TOS applies.

All Web sites should have a Terms of Service page. The TOS itself will vary depending on the site itself. Short of requiring each user to agree to the TOS via an intrusive click wrap agreement, a site owner can increase the likelihood that users have constructive notice of the TOS. For example, the Web site owner can make the TOS more prominent by using noticeable icons or hyperlink to the TOS with distinguishable font types, font size, capitalizations or emphasis. Moreover, a header or footer containing language to the effect that use of the site is governed by the TOS would be more effective.

Labels: terms of service, TOS

In 1984 Congress enacted the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030, to protect against hacking into U.S. government and financial institution computers. With the expansion of computer use, the explosion of the Internet and the adaption of crime to these expanding technologies, Congress broadened the CFFA to include almost any computer. Moreover, a 1994 amendment added a civil cause of action to the criminal statute.

The CFAA prohibits seven acts briefly summarized as:

1. trespassing a computer to commit espionage;
2. trespassing a computer and obtaining specified financial, credit, governmental or commercial information;
3. trespassing a government computer;
4. trespassing a computer to commit fraud;
5. damaging a computer;
6. trafficking in computer passwords; and
7. threatening to damage a computer.

The CFAA contains several definitions that apply the statute broadly. For example, the CFAA applies to “protected computers.” This includes computers owned by the U.S. government, financial institutions and those “used in or affecting interstate or foreign commerce or communication.” Thus, the CFAA applies to virtually all computers.

As abbreviated above, trespassing includes accessing a computer “without authorization” or “exceeding authorized access.” A Computer Fraud and Abuse Act violator could have authorized computer access such as a log-in ID and password, but later access data that was not within that user’s authorized scope. By way of example, a bank employee may have authorization to access and modify data in the ordinary course of business, but if the bank employee violates computer use policies by viewing an acquaintance’s account records with no business need to do so, the CFAA is violated by exceeding authorized access.

Federal courts have creatively interpreted the terms “without authorization” and “exceeding authorized access.” In Shureguard Storage Centers, Inc. v. Safeguard Self Storage, Inc., 119 F. Supp. 2d 1121 (W.D. Wash. 2000), a federal court in Seattle held that a former employee lost “authorized access” when he became an agent of a competitor by e-mailing the competitor trade secrets and proprietary information belonging to the former employer while still employed there. The court did not rely on a non-disclosure agreement, but rather on an agency common law principle where the employee’s authority terminates when the employee “acquires adverse interests or if he is otherwise guilty of a serious breach of loyalty” to the employer. While some courts have disagreed with this ruling, see, e.g., Shamrock Foods Co. v. Gast, 535 F. Supp. 2d 962 (D. Ariz. 2008) others have followed this line of reasoning.

In another case involving a former employee who used confidential information obtained from the former employer to benefit a new competitor, the court focused on the use of “Confidential or Proprietary Information” and the existence of a confidentiality agreement. EF Cultural Travel BV. v. Explorica, Inc., 274 F.3d 577 (1st Cir. 2001). There, plaintiff was in the business of providing global tours for high school students. Former executive had confidential information of tour codes and data structure of proprietary information of former employer and was bound by a confidentiality agreement (“NDA”). The former executive assisted competitor’s Internet consultant in designing a “scraper” program to extract pricing information from former employer’s Web site. The competitor then used this data to undercut former employer’s prices. The First Circuit Court of Appeals did not reach the question of whether the competitor was authorized to navigate plaintiff’s Web site to obtain competitive data. Rather, the court held that defendant former executive exceeded that authorization “by providing proprietary information and know-how” to the Internet consultant to create the scraper program for the competitor.

The CFAA has also been invoked by Web site operators where the user had violated the Web site’s Terms of Service (“TOS”). America Online, Inc. v. LCGM, Inc., 46 F. Supp. 2d 444 (E. D. Virginia 1998), involved an AOL member who harvested AOL members e-mail addresses for sending unsolicited bulk e-mails (“spam”) via AOL’s network in breach of AOL’s Unsolicited Bulk E-Mail Policy and its TOS. While the case involved other serious issues such as trademark violations for “spoofing” the spam e-mail messages as being from the “aol.com” domain, the trial court held that the TOS violations rendered defendants’ access as unauthorized and in violation of the CFAA for computer trespassing and gaining commercial information.

While the AOL case involved a member TOS agreement, Southwest Airlines Co. v. Farechase, Inc., 318 F. Supp. 2d 435 (N.D. Texas 2004), involved Southwest Airline’s Web site’s TOS and directly warning defendants about prohibited activities on its Web site. Defendant software company created and licensed software that could “scrape” Southwest’s Web site to obtain data by “sending out a robot, spider, or other automated scraping device across the Internet.” Another defendant licensed the software to use in a product for corporate travelers to search airline fare information. Southwest sued under various theories, including violation of the CFAA. Defendants argued that Southwest’s Use Agreement (“TOS”) was an unenforceable contract. The court reserved that fact question as inappropriate in a motion to dismiss. Rather, the court relied on Southwest’s direct communication to one of the defendants that Southwest prohibited the use of “any deep-link, page-scrape, robot, spider or other automatic device, program, algorithm or methodology which does the same things.” Thus, Southwest directly informed one defendant that its access was authorized, giving the court grounds to deny defendants’ motion to dismiss this claim.

While the CFAA is a criminal statute, there is a private right of action. Generally, the prospective plaintiff needs to prove damage to the computer, or “loss” exceeding $5,000. Losses are defined as “any reasonable costs to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system or information to its condition prior to the offense, and any revenue lost, cost incurred, or consequential damages incurred because of interruption of service.” Proving the statutory minimum loss to institute a civil lawsuit for injunctive and/or monetary damages can be easily met with costs of investigation and plugging security holes. The fair value of in-house IT staff has been allowed in the calculation of “loss.”

The CFAA will likely be increasingly used in employment, trade secret and unfair competition cases. The key takeaways with respect to the CFAA include:

· Maintain network security;
· For employees and other “insiders,” require non-disclosure agreements (“NDAs”) and provide clear limits on data access, modification and deletion through a comprehensive IT or computer use policy;
· For Web sites, provide clear Terms of Use (“TOS”) and monitor traffic to determine whether there may be a violation of TOS and serve cease and desist letters on identifiable violators.

Labels: computer fraud, computer law, terms of service