Controlling Risks in Gathering Information from Websites

Question

You are an up-and-coming associate at a prestigious law firm. Your hypo_clients brings to you the problem found at http://cyber.law.harvard.edu/globaleconomy/hypo.pdf. The senior partners have divided your class of associates into small teams to parse the many Internet-related legal and business issues presented by this problem. Please draft a short memo to the hypo_clients that highlights a single issue within your assigned topic area. Your memo should also provide initial advice as to how the hypo_clients should address this issue, whether through legal, business-modeling, technical, or other means. You should not seek to address all the possible issues lurking in your topic area. Team members should each write their own memo to the hypo_clients. Please be prepared to summarize your findings and to defend your advice in a meeting of the legal team working on this issue on December 3, 2003. (The assignment is also described at http://cyber.law.harvard.edu/globaleconomy/admin.html).

Controlling Risks in Gathering Information from Websites From: Harry Zhu

Your proposed business model suggests to search and cache websites irrespective of the type of content and access control mechanisms in place. This, together with the for-profit purpose of the service, puts your business under risks concerning information gathering on the web. In what follows, I summarize these risks and provide suggestions for controlling them.

1. Legal Risks

1.1 Risks of Breaking In

Many websites deploy access control mechanisms such as passwords. Accessing protected sites without authorization may cause actions under section 1030 of the Computer Fraud and Abuse Act (CFAA) in the US, so long as damage caused by this unauthorized access exceeds $5000. If your search bot does not respect these access controls, your business runs into this risk because your subscription service essentially sells unlawfully obtained content, thus encroaches owner’s market to the degree that exceeds the limit set in CFAA.

You are also under the risk of section 1201 of DMCA in the US and similar provisions in implementations of WIPO treaty in other countries. Your service not only circumvents access controls, it potentially also circumvents technical protection of copyright holder’s rights as defined in Title 17 of Copyright law because your subscription service redistributes content to subscribers.

1.2 Risks of Gathering

If the gathered web contents are copyrighted, you run the risks of copyright infringement because your for-profit service disqualifies any fair use defense. If the contents are non-copyrightable facts, you still have risks in countries that implement the EU Database Directive. This law creates a new right in collections of facts, defined, for example in the UK implementation, as “property right … in a database if there has been a substantial investment in obtaining, verifying or presenting the contents of the database”. This right will be infringed when someone extracts all or a substantial part of, or repeatedly and systematically extracts insignificant amount of, the database without consent of right holder. Recent cases, such as British Horsing Board (BHB) v. William Hill (extracting forthcoming horse racing events) in the UK and UNMS v. Belpharma Communication (copying a small list of self-helping groups) in Belgium, have shown that the thresholds for both the required investment level and the amount of data being extracted are very low. Caching websites in countries affected by the law will be viewed as systematic extraction of data, thus amounts to infringement of database right.

Risks exist even in countries that have not created database right. Several cases in the US, such as eBay v. Bidder’s Edge and Ticketmaster v. Tickets.com, show that website owners can very likely win when they resort to tort law, such as trespass to chattels.

2. Controlling Risks

Although both the circumvention provisions in DMCA and the entire EU Database Directive are controversial, the risks outlined above are real. I make the following suggestions to reduce and control those risks.

It is necessary to negotiate licensing agreements with websites that have access controls or exercise their database rights. Given the large number of sites that fall under this category, the transaction costs of obtaining a large number of licenses will be prohibitively high for you to become profitable. I suggest solving this dilemma by specializing your searches, i.e.., instead of searching all contents on the web, you search only a few categories. In this case, the number of licenses you need to negotiate will be small enough to cope with. It also works well with your marketing strategy, i.e., you will market your service to a few selected user groups who have interest in the contents of those chosen categories. As your business progresses, you can expand the categories and the corresponding user groups. Being a specialized search engine also lets you avoid fierce competition with well established generic search engines like Google. This divide-and-conquer strategy not only saves upfront costs, but also minimizes and contains legal risks.

Another alternative is to use micro-payment instead of subscription for your revenue model. Recent advancement has drastically reduced the cost of micro-payment systems (see article in December 2003 issue of Technology Review). Your search engine can become an information broker between websites and users, charging a small brokering fee from websites and a small use fee from users. Websites can also change the user a very small fee for the content. In this business model, you are free from those legal risks because you are enabling a transaction that lets website owners enjoy their rights. You can still use the divide-and-conquer strategy when you deploy this model.