Domingo Rivera Cyber Lawyer Blog

Internet lawyer Domingo Rivera blog on cyber law topics

Your website’s Privacy Policy: Draft carefully and always abide by it.

Almost every e-Commerce website collects personal identifiable information from its users.  Personal identifiable information includes name, address, e-mail address, phone number, social security number, date of birth, age, gender, income, occupation, browsing patterns, etc.  Many websites have a posted privacy policy explaining what information is collected from the users of the website and how the information is used. 

Once a company posts a privacy policy on its website, it will be held legally liable for its failure to abide by the policy.  For example, Geocities’ website contained the statement “we will never give your information to anyone without your permission.” However, when it appeared that Geocities sold and disclosed the information to others, the FTC accused Geocities of misrepresenting its reasons for collecting information from adults and children.  The matter eventually settled.

So with such a big risk, why should companies even post a privacy policy at all?  After all, it is impossible to violate a privacy policy that does not exist.  However, some jurisdictions require websites to have posted privacy policies. 

For example, the California Online Privacy Protection Act requires websites to 1) identify the categories of information collected and with whom the information may be shared; 2) describe how to review and change the personally identifiable information; 3) explain how to find out about changes to the privacy policy; and 4) indicate the effective date of the privacy policy.  Additionally, websites that collect information from children are subject to the requirements of the Children’s Online Privacy Protection Act (COPPA).  The European Union also imposes privacy protection requirements for websites who operate in or have customers in the European Union. 

Therefore, if your website obtains business from California residents, children, or the European Union, you must have a carefully drafted privacy policy and must abide by it.  

Cyber Lawyer, Domingo J. Rivera, is an attorney specialized in Internet Law, handling cases throughout the United States. 

  403 Hits

Cybercrime basics...

The term Cybercrime is broadly defined to include any criminal activity committed on the internet.  Almost everyone has at least a basic understanding about online identity theft, probably the most common cybercrime.  However, there appears to be considerable confusion regarding some of the other basic cybercrimes and their definitions.  I recently visited the website of a firm where the terms phishing and spoofing were incorrectly used interchangeably! 

Some of the most common cybercrimes are: 

Email spoofing – The forgery of an e-mail header in a manner that the message appears to have originated from somewhere other than the actual source.   Widely used by spammers, a spoofed e-mail may appear to be from a legitimate source asking for personal information, passwords, credit card numbers, etc. 

Phishing – The sending of an email to a recipient in an attempt to scam the recipient into revealing private information. The email contains a link to what appears the website of a legitimate enterprise but is only a fake version of the organization’s website.  When the recipient visits the fake website, the recipient is asked to update personal information, such as passwords and credit card, social security, and bank account numbers that the legitimate organization already has.

Cookie Poisoning – Some websites store cookies on your computer's hard drive to authenticate your identity, speed up your transactions, monitor your behavior, and personalize your website experience. Cookie poisoning is the modification of a cookie by an attacker to gain unauthorized access to private information about the user.  The attacker may use this private information for identity theft and to gain access to the user's existing accounts.

Continue reading
  381 Hits

CAN-SPAM Act: Non-compliance is a crime… and overzealous ISPs may refuse to deliver legally compliant email messages

On May 31, 2007, the BBC reported “U.S. Arrests Internet spam king” Robert Soloway.   (A copy of the Article can be found at:  

Mr. Soloway is accused of being “responsible for tens of millions of unsolicited e-mails promoting his own company between November 2003 and May 2007” in violation of the Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act of 2003.

The CAN-SPAM Act is codified under 15 U.S.C. § 7701-7713.  Contrary to the belief of many, the CAN-SPAM Act does not prohibit sending spam emails.  Instead, it imposes certain requirements.  These mandatory requirements include, inter alia, the use of accurate email subject lines and transmission information, opt-out procedures where recipients can elect not to receive additional emails fom the sender, mandatory timeframes for the removal of users who elect to opt-out, and a prohibition of improper email harvesting. 

But, what happens when a sender complies with all the requirements of CAN-SPAM?  Can an ISP still refuse to deliver compliant email messages to the intended recipients?

In White Buffalo Ventures, LLC v. University of Texas, 420 F.3d 366 (5th Cir. 2005), the Plaintiff, White Buffalo, was an online dating service operating several online dating websites, including one that targeted students of the University of Texas (UT).  White Buffalo obtained the "non-confidential, non-exempt email addresses" held by UT through a Public Information Act request. 

White Buffalo used these email addresses to send CAN-SPAN compliant commercial emails to members of the UT community. UT issued a cease and desist letter but White Buffalo refused to comply.  As a result, UT blocked all emails originating from White Buffalo’s IP address.

White Buffalo sued UT, arguing that the First Amendment and the CAN-SPAM Act precluded UT’s actions.  The Court disagreed and held that the CAN-SPAM Act does not prevent Internet Service Providers (ISPs), in this case UT, from filtering CAN-SPAM compliant commercial emails.

Continue reading
  288 Hits

Are domain names property or contractual rights, and why do we care?

Some courts have held that that domain names are property.  In Kremen v. Cohen, 337 F.3d 1024 (9th Cir. 2003), the plaintiff registered the domain name  The registrar transferred the name to a different individual on the basis of a forged letter.  The Court reversed the district court’s holding that domain names were intangibles not subject to conversion.  The Court held that the registrar was subject to liability “for giving away someone else's property.”  Id. at 1035.

Other courts, however, have concluded that "a domain name registration is the product of a contract for services between the registrar and registrant.”  Network Solutions, Inc. v. Umbro Int'l, Inc., 259 Va. 759, 770 (2000) (citing Dorer v. Arel, 60 F. Supp. 2d 558, 561 (E.D. Va. 1999)). 

If considered property rights, domain names would be subject to state property laws and state property causes of action, such as conversion, would be applicable.  However, if domain names confer only contractual rights, the nature of the protection afforded to the registrant would be quite different. 

Under ICANN rules, a domain name owner must intervene within five days to stop an inter-registry transfer request.  Therefore, whether a domain name is treated as property or as a contractual right can make a huge difference in the remedies available to victims of domain name hijacking who do not intervene within the five-day period prescribed by ICANN.

  318 Hits

The Digital Millennium Copyright Act: Protecting the ISPs and bogging down technology

The Digital Millennium Copyright Act (DMCA), codified in 17 U.S.C. § 512, amended the U.S. Copyright Act of 1976.  The DMCA provides for severe criminal penalties for circumventing technical measures protecting copyrighted works. 

The DMCA protects Internet Service Providers (ISPs) from liability arising from acts by the ISP’s customers.  However, there are certain conditions that an ISP must meet in order to qualify for the Act’s safe harbor provisions.  To enjoy safe harbor protection, an ISP must:  

1. Implement a policy to terminate infringers;
2. Designate a service provider agent for notification of claims of infringement.  (The list of designated service provider agents is located at:
3. Provide means to receive notice of infringement and upon obtaining notice act expeditiously to remove, or disable access to the infringing material; and
4. Have no actual knowledge of the infringing activity.

Arguably, the DMCA has bogged down the development of technology.  For example, in Sony Corp. v. Universal City Studios, Inc., 464 U.S. 417 (1984), a case decided prior to the passage of the DMCA, the U.S. Supreme Court held that a manufacturer of video tape recorders could not be held liable for contributory copyright infringement.  The Court found that although video tape recorders could be used to copy copyrighted television shows, there were commercially significant non-infringing uses for the device.  This decision facilitated the commercial widespread of video tape recording devices such as Betamax and VCRs.

In Universal City Studios v. Reimerdes, 111 F. Supp. 2d 294 (2000), a case decided after the passage of the DMCA, motion picture studios brought action under the DMCA to enjoin Internet website owners from posting or downloading software that decrypted digitally encrypted movies on DVDs.  The United States District Court for the Southern District of New York granted the injunction under the authority of the DMCA. 

Despite the obvious differences between the distribution of a machine that records unencrypted television shows and the distribution of code that allows the copying of encrypted DVDs, had the DMCA existed in 1984, what would have happened to the development of the home video recording industry?

  292 Hits

FTC Opens preliminary antitrust investigation into Google’s acquisition of DoubleClick

Today Google owns the Internet search engine market and DoubleClick owns the Internet banner advertisement market.  Now Google is bidding $3.1 billion to dominate the search engine market, the banner advertisement market… and a lot of data.  

DoubleClick has the ability to track what sites people visit and Google has the ability to collect search histories.  Unfettered exclusive access to all this information could potentially allow Google, not the market, to set the prices for Internet advertisement.  We will be waiting for the Federal Trade Commission’s report.

A related news article can be found at:

  287 Hits

KSR International Co. v. Teleflex, Inc - Obvious non-obviousness?

Teleflex International Co. held a patent titled “Adjustable Pedal Assembly With Electronic Throttle Control.”  One of the claims of the patent describes a mechanism where an electronic sensor is combined with an adjustable pedal to control the throttle in an automobile.  KSR International Co. added an electronic sensor to its previous automobile pedal design and Teleflex obviously sued for patent infringement. 

The District Court dismissed the case, holding that the claim contained in Teleflex's patent was obvious.  The Federal Circuit reversed, applying its "Teaching, Suggestion, Motivation" test.  Under this test, the combination of existing processes to create new processes is not obvious when there is no prior art that explicitly or implicitly teaches, suggests, or motivates the combination.  

The Supreme Court reversed, holding that the Federal Circuit's application of the test need not become “rigid and mandatory formulas” and finding that “any need or problem” can provide the patentee with a reason for combing processes.   The Supreme Court's new obviousness standard will probably increase litigation on obviousness grounds (the Verizon v. Vonage appeal comes to mind)... However, the full impact of the new obviousness standard is certainly non-obvious.

The full text of the opinion may be found at:

  312 Hits

Site Pro-1 Inc. v. Better Metal LLC: a better approach for deciding trademark infringement claims resulting from competitive metatag usage and keyword advertising?

This was a trademark infringement lawsuit filed by Site Pro-1, Inc, the owner of the registered trademark SITE PRO 1®, against Better Metal, LLC.  Better Metal is a competitor of Site Pro-1. 

Better Metal purchased a "sponsored search" from Yahoo! that caused its website to be included among the results listed when a Yahoo! search user searched for some combination of the terms "1", "pro", and "Site."  The SITE PRO 1® mark was not displayed in the sponsored search result linking to Better Metal's website.

The Court stated:

The key question is whether the defendant placed plaintiff’s trademark on any goods, displays, containers, or advertisements, or used plaintiff’s trademark in any way that indicates source or origin. Here, there is no allegation that Better Metal did so, and therefore no Lanham Act “use” has been alleged. Indeed, the search results submitted as an exhibit to the complaint make clear that Better Metal did not place plaintiff’s SITE PRO 1® trademark on any of its goods, or any advertisements or displays associated with the sale of its goods. Complaint, Ex. B. Neither the link to Better Metal’s website nor the surrounding text mentions SitePro1 or the SITE PRO 1® trademark. The same is true with respect to Better Metal’s metadata, which is not displayed to consumers.

The Court's approach seems to be inline with the Second Circuit's position regarding competitive metatag usage and keyword advertising.  Most courts do not share this approach. Under similar facts, Courts in Virginia, California, Pennsylvania, Minnesota, and many others, have reached contrary results.  

So which court has the better approach for deciding trademark infringement claims resulting from competitive metatag usage and keyword advertising?  The debate continues... 

The text of the opinion may be found at:

  295 Hits

Email privacy at work: Your employer can lie to you about reading your emails… and then fire you for relying on these lies!

Most employees probably know that the emails sent from their work email accounts are probably being monitored.  However, what if your employer repeatedly assures you that all e-mail communications would remain confidential and privileged?  What if your employer further tells you that e-mail communications could not be intercepted and used by against you as grounds for termination or reprimand?  Can your employer still intercept your emails, read them, and then fire you for the contents…?  YOU BET!!

In Smyth v. Pillsbury Co., 914 F. Supp. 97 (1996), Pillsbury maintained a company e-mail system which the employees used to communicate among themselves.  Mr. Smyth was an employee of Pillsbury. Pillsbury assured Mr. Smyth as well as the other employees that all e-mail communications would remain confidential and privileged and that the e-mail communications could not be intercepted and used against the employees as grounds for termination or reprimand. 

The U.S. District Court for the Eastern District of Pennsylvania surprisingly held that despite the assurances made by Pillsbury, its employees did not have a “reasonable expectation of privacy in e-mail communications voluntarily made by an employee to his supervisor over the company e-mail system.”  The Court went on to hold that no “reasonable person would consider the . . . interception of these communications to be a substantial and highly offensive invasion of his privacy.” 

The Pillsbury case, although decided under Pennsylvania law and dating back to 1996, has been cited with approval by courts in other states, including Massachusetts, Rhode Island, New York, Oregon, and Texas.

So, what should this mean to you?

Continue reading
  298 Hits