Articles Posted in E-commerce

Net Neutrality is the principle that Internet Service Providers (ISP) and the government should treat all web-related traffic equally regardless of the source. If there were no net neutrality, companies would have the ability to purchase priority access to the ISP customers. Larger and wealthier companies (e.g., Google) would be able to pay the ISPs to provide customers more reliable access to their websites instead of to competitors’ websites. This would negatively impact any new start-up service that would not be able to purchase priority access.

On February 26, 2015, the Federal Communications Commission (FCC) voted to enact the “strongest net neutrality rules in history.” Millions of Americans contacted the FCC, called their Congress members, and wrote to the White House to express their support. Although this decision was a bold move in favor of net neutrality, more changes may be coming soon. This 2015 Rule meant that ISPs cannot block access to any websites and they cannot interfere with website loading speeds. This rule also banned paid prioritization, which means that ISPs are not able to give preferential treatment to websites that pay an additional fee.

On January 23, 2017, President Trump selected Ajit Pai to lead the FCC as the new Chairman. This Chairman has a record of previously promising to undo the 2015 landmark decision. Then on May 18, 2017, the FCC, led by Chairman Ajit Pai, voted to propose a review of the 2015 rules. Mr. Pai holds the opinion that the 2015 FCC rules are a “bureaucratic straitjacket” on the ISPs. The new FCC proposal, which is called “Restoring Internet Freedom,” contemplates whether to undo the legal approach that enforced those rules and whether there was anything that warranted the rules in the first place.

After this month’s discussion on the statutes that prohibit the unauthorized access of email accounts and digital assets, one might wonder how these statutes may apply in a case. However, in the lengthy saga of Facebook v. Power Ventures, the Ninth Circuit issued a determination giving a bright line example of what would not be permissible under the law. So, how did Power Ventures violate these unlawful access laws? How did they attempt to move around the laws? What was Facebook’s argument that has thus far prevailed in the courts?

Case History

This case focuses on Power’s use of Facebook through the actions of other users. Power, a type of social media aggregator, would allow users to “link” Facebook, Twitter, and other social media accounts to permit control from a single website. From there, Power would “scrape” data under the permission of the Facebook users. However, this was against Facebook’s terms and conditions. Power would also invite users to invite others in spam-like messages, as well as deploy bots. This ultimately resulted in an IP-based ban against Power. Yet, Power evaded those bans and defied a cease and desist letter, prompting Facebook to sue based on CAN-SPAM, Penal Code 502, and CFAA.

In our last blog post, we mentioned eBay, Inc. v. Bidder’s Edge, Inc. While the case wasn’t related directly to ransomware, it creates an important precedent for tort liability. Specifically, it supports the idea that common law torts can be carried out and applied in the digital world.  So, what does eBay give us as a legal theory? How might it get applied to ransomware in a hypothetical case? What is the likelihood of succeeding on such a case?

Case Analysis: eBay, Inc. v. Bidder’s Edge, Inc.

In this case, eBay sued Bidder’s Edge for the use of a type of program known as a “spider” or “bot.” These programs would automatically go to eBay, search for information, and repost it on Bidder’s Edge. The purpose of this was to allow others to get better ideas of what to bid on items by searching multiple auction sites. While there were negotiations to allow Bidder’s Edge to access eBay, the negotiations broke down and ultimately prompted the lawsuit.

So, where do we go from here? After the Internet of Things was effectively used as a way to crash various online stores and services, we are left with the question of how we can fix this gaping hole in our security so that this new technology can continue to exist without causing further risk. As mentioned last week, the most likely solutions are either in the private sector, through consumer choice and manufacturer investment, or through government action. What actions should individuals take? What is the government doing now? What might the government do in the future?

What is the private sector currently doing?

The private sector is not doing much at this time. While consumers could demand more secure smart devices, the focus of the demand for these devices tends to be towards their functioning.  In general, less sophisticated consumers buy smart devices for the sake of convenience, with security being a distant thought when compared to the more sophisticated consumers.  These smart devices, like any other internet-connected device, occasionally need security updates to remain resistant to online bugs (i.e., malware).  So, as the world becomes smarter, this technology will need to adapt and advance, accordingly, in order to mitigate the risks. Yet, without some motive to do so, it’s less likely that resistance to the botnet will emerge, and it may be due to the government’s intervention.

In recent years, we have all heard the expression before, but how does someone really “break the Internet?” Recently, an incident arose where a large network of electronic devices joined together, resulting in a major interference with online businesses and services. Amazon, Netflix, and Yahoo were hobbled temporarily due to various flaws in the Internet of Things. These flaws allowed individuals to create what’s known as a botnet to launch a massive DDoS attack and effectively shut down services. So, how would we prevent a similar incident from occurring? Should you be concerned about your smart devices? What about your websites and online services?

How did the Internet of Things become weaponized?

As it stands, the Internet of Things, which consists of smart devices that connect online for the convenience of individuals, became weaponized against service providers, and created a “botnet.” Effectively, some type of malware was downloaded onto these smart devices, prompting them to send requests to certain websites. When these websites became overwhelmed by the requests, they crashed or became generally unavailable to the users. Here, one might wonder how, but the real answer was a lack of knowledge, training, and security. Unlike regular computers, tablets, and cellphones, smart devices do not always have the capability for security updates. With this, even for those devices that might be on a more secure network, the Internet of Things still entails those devices being connected online. This makes them vulnerable to more pinpointed attacks. From there, the controller of the botnet can use the Internet of Things to launch the DDoS attack and crash a network.

As it stands, the Internet of Things can be a dangerous proposition. Due to various hacking techniques, like rubber ducks, pineapples, and pivoting, one must wonder whether it can be hacked into and, if so, what we can do about it. What about cars, planes, trains, and power plants? To this point, the U.S. Government has launched the Cybersecurity National Action Plan or CNAP. The idea is to add more information and resources into the system, increasing the amount of resources to help build up cybersecurity and investing resources into security measures. So, what is the government doing with CNAP? How might this help a business? How might this help individuals?

What does CNAP do?

It’s a set of guidelines and goals that the Obama Administration has implemented to help build the cybersecurity network, protect against attacks on the Internet of Things, and the general national network as a whole. The first, and easiest way it plans to do this is through the 2017 budget, allocating approximately 19 billion dollars for cybersecurity, up by 35% from the previous year’s budget.  It also incorporates and promotes other existing goals and changes, such as the BuySecure Initiative requiring credit cards to incorporate smartchips, and making large businesses use the smartchip option rather than the traditional magnetic strip.  CNAP also incorporates other ideas, such as multifactor authentication, identity for Federal Government digital services, training for small businesses, and relaunching  Therefore, it is less of a new initiative, but rather a continuation of previous actions.

Nowadays, we’re using the web for numerous purposes, including, but not limited to, online banking.  So, we should be able to protect our financial information. There are many options for hackers to gain access to financial information, and without the prerequisite security, financial information can be accessed by hackers.  The law outlines the rules for financial institutions, such as data protection, data sharing, data preservation, security breach notification, or insurance requirements.  Also, there are different standards when it comes to consumer and business bank accounts.  For example, businesses face different prerequisites that must be fulfilled prior to submitting a claim towards a financial institution.

How might hackers commit banking fraud?

Looking at how hackers may even access your financial information, there are a few tools that need to be highlighted. Among them are Pivoting, Rubber ducks, and Pineapples. While this perhaps sounds odd, the way they can work is terrifying. Pivoting is a process hackers can use to break into a computer system by accessing it through an already-compromised device. For example, a hacker may access a web server by gaining access to an email server within the same network. These discrepancies can also occur between smart devices, which indicates a downside to the Internet of Things. Rubber ducks are special USB drives with small processors. They act as a “Trojan Horse” by downloading and re-uploading information quickly and autonomously without causing alerts. Pineapples, in comparison, are more likely to be encountered, but more difficult to avoid. These are devices that “clone” Wi-Fi networks. They will function in the same way, allowing individuals to connect and access the web, but can also be used to access and hack data after someone is connected. Pineapples and Rubber ducks are dangerous because they can download “keyloggers” onto computers, which would record and transfer confidential information (e.g., passwords, financial data) to the hacker’s computer.

We know that the JOBS Act has been officially confirmed by the government. We have written about the JOBS Act in the past, and Title III has provided various new rules regarding equity crowdfunding, specifically on who can donate, and where the participating entities can receive funds. Yet, even with these developments, a few issues have emerged with various blind spots in the law, prompting new efforts to patch them to make crowdfunding viable for startups. So, what are the new rules? What are the blind spots? How are they being addressed by lawmakers?

What’s Title III?

As it stands, Title III allows entities to raise money for their projects, or business in general, through an equity format. This would differentiate itself from the more prominent crowdfunding platforms, like Kickstarter, which have projects that would not give an investor any stake in the company, instead selling copies of the product, akin to an advanced order. Instead, under Title III, unaccredited investors can invest over $2,000, or 5% of their annual income or net worth—whichever is higher—if they have an income under $100,000, or 10% of an individual’s net worth or income if they make $100,000 annually. However, this is capped at $100,000 per investor, per year, with a larger cap of $1,000,000 in fundraising for the entity. In addition, the money must be gathered through a fundraising portal, such as Crowdfunder, and those portals are not currently exempt from liability. Unfortunately, while this law has been a positive step towards fundraising, it has fallen short on certain issues. For example, there are issues with the fundraising caps, as well as the responsibilities and liabilities of the portals. In capping the investments, investors are limited in the aggregate to how many projects or entities they may wish to support, while an entity may need to undertake various crowdfunding efforts for larger projects costing over one million dollars.

In the current business world, parties may be separated by great distances and may never meet face-to-face. During the course of their interactions, their communications may only be online, leading to a constant trade of contracts over e-mail. So, when it comes time to sign the contracts, a meeting may not be feasible, and instead, an electronic signature may be needed to finalize the transaction. Electronic signatures or “e-signatures” are those substitutes for a traditional “wet signature.” We have mentioned in passing some ways these signatures can be formed, but it leaves the question of what exactly can be an e-signature? To what extent can it be used? What are the benefits of using an electronic signature, and how might it be detrimental to your business arrangements?

What can be used as an electronic signature?

An electronic signature can be any sufficient substitution for a wet signature. This ranges from typing the individual’s name in a signature box, to signatures placed onto the electronic document through some sort of tablet device, or a checkbox in a click-wrap agreement stating: “I Agree.” There are even some cases where biometric data is being used as an electronic signature, such as a fingerprint or facial image. Furthermore, while these could be used as electronic signatures, digital signatures differ, as they rely on a form of encryption to validate the authenticity of a document. These are then affixed to electronic documents, again, like a click-wrap agreement, or a contract that has been transmitted electronically. There are business services that facilitate and authenticate these signatures, e.g., DocuSign, which allows the tagging of the signature pages in the document. However, there are some limitations on what can be an electronic signature. As part of ESIGN (United States Electronic Signatures in Global and National Commerce Act), voice recordings for an oral agreement do not work as electronic signatures.

Following from last week, there is another counterpart to clickwrap agreements, known as a browsewrap. These are ultimately agreements that are harder to enforce than a clickwrap because instead of an action to assent to the agreement, a contract is formed, in part, by the individual continuing to browse the website. This would be akin to the terms of use that a website may have listed for users. This could be implemented to bind users, much like click-wrap, and for the same purposes. However, what are the limits to a browsewrap agreement? What is required to enforce a browsewrap agreement? What are some of the things that could ultimately dismantle a browsewrap agreement and how can you avoid them?

What is required for a valid browsewrap agreement?

A valid browsewrap agreement requires that the agreement be available on the website, via a hyperlink, and can be clicked on for the visitor to read.  However, this is generally harder for an individual to enforce, as there’s no “affirmative statement” like in clickwrap agreements. Instead, the affirmative statement is determined by the continued use of the website as specified in the terms. Yet, the way that this is compensated for is to demonstrate that the individual is aware that the agreement exists, and generally aware of its terms. In essence, if an agreement is present, and the visitor is aware that there are terms, the browsewrap agreement is more likely to be held as valid.