Archive for: computer law

E-commerce law, case C-298/07

October 20th, 2008, Tomasz Rychlicki

The Court of Justice of the European Communities in its judgment of 16 October 2008 in case C-298/07, deutsche internet versicherung, held that Article 5(1)(c) of Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the internal market (‘Directive on electronic commerce’) must be interpreted as meaning that a service provider is required to supply to recipients of the service, before the conclusion of a contract with them, in addition to its electronic mail address, other information which allows the service provider to be contacted rapidly and communicated with in a direct and effective manner. That information does not necessarily have to be a telephone number. That information may be in the form of an electronic enquiry template through which the recipients of the service can contact the service provider via the internet, to whom the service provider replies by electronic mail except in situations where a recipient of the service, who, after contacting the service provider electronically, finds himself without access to the electronic network, requests the latter to provide access to another, non-electronic, means of communication.

Computer crimes, case VI K 849/07

October 6th, 2008, Tomasz Rychlicki

On August 11, 2008, the District Court in Głogów (VI Wydział Grodzki) issued an important ruling, case file VI K 849/07, regarding a man accused by the prosecutor of using computers to breach the electronic security of a company server and database, which allowed him to obtain information not intended for him (personal data), thereby acting to the detriment of the business. Mateusz M. was accused by the prosecutor on the basis of Article 267 §1 of the Polish Penal Code.

Chapter XXXIII. Crimes against protection of information
(…)
Article 267.
§ 1. Whoever, without being authorised to do so, acquires information not destined for him, by opening a sealed letter, or connecting to a wire that transmits information or by breaching electronic, magnetic or other special protection for that information shall be subject to a fine, the penalty of restriction of liberty or the penalty of deprivation of liberty for up to 2 years.
§ 2. The same punishment shall be imposed on anyone, who, in order to acquire information to which he is not authorised to access, installs or uses tapping, visual detection or other special equipment.
§ 3. The same punishment shall be imposed on anyone, who imparts to another person the information obtained in the manner specified in § 1 or 2.
§ 4. The prosecution of the offence specified in § 1 – 3 shall occur on a motion of the injured person.

Mateusz M. had browsed through an internet company website and found that the service contained serious programming errors. He entered the following string of characters into the login form: “' or 1 = 1” (and repeated this operation in the password field), which resulted in him being logged into a random user account and allowed him to gain access to several user accounts and their personal data. Mateusz M. decided to exploit this opportunity and made contact with the company’s representatives. He informed them that he had detected a gap in their website security which allowed him entry to the marketing database of firms owned by or connected with the company which operated this online database. In the meantime, Mateusz M. checked other websites and online services created by the authors of the first website. He also found that all of them contained the same programming errors, because all these websites were built using the same content management system (CMS). Mateusz M. was invited by the company to sign a contract to remove these programming errors. He was also presented with a non-disclosure agreement (NDA), which he signed. However, the NDA’s date was set prior to the date he had detected the programming errors, and this was used by the company to enable the police, who were co-operating with the company, to arrest Mateusz M.

During the pre-trial proceedings the court’s expert in the field of information technology stated that in his opinion Mateusz M. had used “a form of attack on the company’s database called SQL Injection”; the aim of such an attack is “to extract confidential information from the database and to disrupt its operation”. In the course of the proceedings before the court, the District Court in Głogów allowed the counsel for the defence to admit evidence of another expert.

The second expert provided the court with an opinion that by introducing the string “' or 1 = 1” Mateusz M. had not made any breach of the database, he did not crack any password allowing for access to the database, he did not type or insert any software code and Mateusz M. had not affected the functioning of the database in any way. According to the second expert, Mateusz M. had not removed the database security, and he had not changed the password access, nor did he create any new accounts in the database. In this expert’s opinion, the introduction of the said string by Mateusz M. should be considered as an “SQL Injection” method that was used to circumvent the protection of a database, but that it was permitted by the improper and inadequate protection scheme applied to the database by its creators. The “Sign in” form of the database was designed in such a way that merely typing any string of characters was permitted as an input of data for this type of form. The database authors had not implemented any solutions to verify whether the database stored a user name or password attached to such a string, and as it had not, the database did not generate a proper error message.
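An added example, not code from the site in the case or from the original post: a sign-in lookup that pastes the form value into the SQL text, beside one that binds it as a parameter and checks a stored password hash, both run against the string quoted above. The site's real query is not on the page, so the table, accounts and function names are assumptions; with this constructed query SQLite rejects the altered statement rather than returning a row.

```python
import hashlib
import hmac
import sqlite3

REPORTED_INPUT = "' or 1 = 1"  # the string quoted in the case report above


def pw_hash(password: str, salt: bytes) -> bytes:
    """Salted, slow password hash (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def make_db() -> sqlite3.Connection:
    """In-memory table with two constructed accounts (not data from the case)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw BLOB)")
    accounts = [("alice", "correct horse", b"salt-a"),
                ("O'Brien", "battery staple", b"salt-b")]
    for name, password, salt in accounts:
        conn.execute("INSERT INTO users VALUES (?, ?, ?)",
                     (name, salt, pw_hash(password, salt)))
    return conn


def lookup_concat(conn, username):
    """Weak pattern: the form value is pasted into the SQL text."""
    sql = "SELECT salt, pw FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchone()


def lookup_bound(conn, username):
    """Corrected pattern: the form value is bound as data, never parsed as SQL."""
    sql = "SELECT salt, pw FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchone()


def sign_in(conn, lookup, username, password) -> str:
    """Return 'granted', 'denied' or 'sql_error' for one sign-in attempt."""
    try:
        row = lookup(conn, username)
    except sqlite3.Error:
        # The form text changed the statement itself: log it as an injection signal.
        return "sql_error"
    if row is None:
        # Unknown user: do the same hashing work and give the same answer.
        pw_hash(password, b"no-such-user")
        return "denied"
    salt, stored = row
    ok = hmac.compare_digest(pw_hash(password, salt), stored)
    return "granted" if ok else "denied"


def demo() -> dict:
    """Run each attempt through both lookups; values are (concat, bound)."""
    conn = make_db()
    attempts = {
        "valid": ("alice", "correct horse"),
        "wrong_pw": ("alice", "guess"),
        "reported": (REPORTED_INPUT, REPORTED_INPUT),
        "apostrophe": ("O'Brien", "battery staple"),
    }
    return {name: (sign_in(conn, lookup_concat, u, p),
                   sign_in(conn, lookup_bound, u, p))
            for name, (u, p) in attempts.items()}


if __name__ == "__main__":
    for name, (weak, fixed) in demo().items():
        print(f"{name:10} concat={weak:9} bound={fixed}")
```

The apostrophe case shows the same defect breaking sign-in for a legitimate name, which is often how the flaw first surfaces in testing.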

The court held that the action of the accused failed to comply with the statutory elements of Article 267. In the court’s opinion, breaching security occurs when the offender destroys or removes the security, or when the impact of the offender’s action on the security temporarily removes its protective function. Thus a person who gains access to sensitive information without breaking any security measures is not criminally responsible.

The court ruling acquitted the accused of all the charges based on Article 632(2) of the Polish Criminal Proceedings Code, and the court held that the costs of wrongful prosecution were to be covered by the state. This decision was final and consequently there are pending amendments to the Polish Criminal Code relating to the aforementioned regulations.

US case law on computers and IT

February 28th, 2008, Tomasz Rychlicki

Last updated on 16 January 2010.

This short compilation of US computer (IT, Internet, cyberlaw, telecommunication) case law will also be available, and under later development, on my new Wiki system.

I. Jurisdiction
II. Contracts
III. Trespass to chattels
IV. Intellectual Property
V. Regulating content and speech
VI. Privacy
VII. Computer and Internet crimes
VIII. E-government
IX. Litigation

I. JURISDICTION

A. Specific jurisdiction.

B. General jurisdiction

C. Criminal analogy

D. Enforcement

  • Louis Feraud Int’l S.A.R.L. v. Viewfinder Inc., 406 F. Supp. 2d 274 (S.D.N.Y. 2005).

II. CONTRACTS

A. Browserwrap licenses

  • Pollstar v. Gigmania Ltd., 170 F. Supp. 2d 974 (D. Cal. 2000).
  • Specht v. Netscape Communs. Corp., 150 F. Supp. 2d 585 (S.D.N.Y. 2001).
  • Ticketmaster Corp. v. Tickets.Com, Inc., 2000 U.S. Dist. LEXIS 12987 (D. Cal. 2000).
  • Register.com, Inc. v. Verio, Inc., 126 F. Supp. 2d 238 (S.D.N.Y. 2000).
  • Comb v. Paypal, Inc., 218 F. Supp. 2d 1165 (D. Cal. 2002).
  • Cairo, Inc. v. Crossmedia Servs., 2005 U.S. Dist. LEXIS 8450 (D. Cal. 2005).

B. Shrinkwrap and clickwrap licenses

C. Terms Of Service

  • Oestreicher v. Alienware Corp., 502 F. Supp. 2d 1061 (D. Cal. 2007)

D. Software licenses

E. FLOSS licenses

  • Computer Assocs. Int’l v. Quest Software, Inc., 333 F. Supp. 2d 688 (D. Ill. 2004).
  • Planetary Motion, Inc. v. Techsplosion, Inc., 261 F.3d 1188 (11th Cir. 2001).
  • Progress Software Corp. v. MySQL AB, 195 F. Supp. 2d 328 (D. Mass. 2002).
  • SCO Group, Inc. v. International Business Machines Corp., Not Reported in F.Supp.2d, 2005 WL 318784 (D.Utah, 2005).
  • Wallace v. Free Software Found., Inc., 2006 U.S. Dist. LEXIS 53003 (D. Ind. 2006).
  • Wallace v. IBM, 467 F.3d 1104 (7th Cir. 2006).

F. Contractual and statutory liability for defective software

  • Kaczmarek v. Microsoft Corp., 39 F. Supp. 2d 974 (N.D. Ill. 1999).
  • In re AOL, Inc. Version 5.0 Software Litig., 168 F. Supp. 2d 1359 (S.D. Fla. 2001).
  • In re SONY BMG CD Technologies Litigation, 2005 U.S. Dist. Ct. Motions 9575, 2006 U.S. Dist. Ct. Motions LEXIS 9329, (S.D.N.Y. 2006).

G. Auction sites and contracts

  • Perez v. Hung Kien Luu, 2007 Tex. App. LEXIS 8670 (Tex. App. 2007)

III. TRESPASS TO CHATTELS

A. Trespass involving spam

  • Compuserve Inc. v. Cyber Promotions, 962 F. Supp. 1015 (D. Ohio 1997).
  • America Online v. LCGM, Inc., 46 F. Supp. 2d 444 (D. Va. 1998).

B. Trespass to online databases

IV. INTELLECTUAL PROPERTY

A. Copyright
1. Protection of computer software

2. Reverse engineering, technological protection measures, anti-circumventions (17 U.S.C. §§ 1201-1204)

3. Different copyright infringement issues (civil actions, DMCA, websites)

  • L.A.Times v. Free Republic, 54 U.S.P.Q.2D (BNA) 1453, 2000 U.S. Dist. LEXIS 5669 (D. Cal. 2000).
  • Umg Recordings v. Mp3.com, Inc., 92 F. Supp. 2d 349 (S.D.N.Y. 2000).
  • A&M Records v. Napster, 239 F.3d 1004 (9th Cir. 2001).
  • MGM Studios, Inc. v. Grokster, Ltd., 545 U.S. 913 (2005).
  • Tur v. Youtube, Inc., 2007 U.S. Dist. LEXIS 50254 (D. Cal. 2007).
  • Biosafe-One, Inc. v. Hawks, 524 F. Supp. 2d 452 (D.N.Y. 2007).

4. Derivative Works issues (framing, deep links)

  • Futuredontics, Inc. v. Applied Anagramics, 45 U.S.P.Q.2D (BNA) 2005, 1998 U.S. Dist. LEXIS 2265 (C.D. Cal. 1998).
  • Ticketmaster Corp. v. Tickets.com, Inc., 54 U.S.P.Q.2D (BNA) 1344, 2000 U.S. Dist. LEXIS 4553 (C.D. Cal. 2000).
  • Intellectual Reserve, Inc. v. Utah Lighthouse Ministry, Inc., 75 F. Supp. 2d 1290 (D. Utah 1999).
  • Digital Equip. Corp. v. AltaVista Tech., 960 F. Supp. 456 (D. Mass. 1997).
  • Nissan Motor Co. v. Nissan Computer Corp., 2000 U.S. App. LEXIS 33937 (9th Cir. 2000).

5. Communication Act, satellite programming

B. Trademarks (domain names and unfair competition, search engines and trademarks, keywords)
1. Domain names as trademarks

2. Cybersquatting

3. Free speech and fair use of trademarks in domain names

C. Databases

D. Patents (software patents and business models patents)

E. Trade secrets

V. REGULATING CONTENT AND COMMUNICATION

A. Pornography

B. Defamation and information torts

C. Spam

D. Liability of internet service providers

VI. PRIVACY (cookies, adware, spyware)

A. Cookies, adware

  • In re Doubleclick Privacy Litig., 154 F. Supp. 2d 497 (S.D.N.Y. 2001).
  • In re Intuit Privacy Litig., 138 F. Supp. 2d 1272 (C.D. Cal. 2001).
  • Directv, Inc. v. Jae Sun Chin, 2003 U.S. Dist. LEXIS 15815 (W.D. Tex. 2003).

B. Spyware

  • Specht v. Netscape Communs. Corp., 150 F. Supp. 2d 585 (S.D.N.Y. 2001).
  • Specht v. Netscape Communs. Corp., 306 F.3d 17 (2d Cir. 2002).
  • Sotelo v. DirectRevenue, LLC, 384 F. Supp. 2d 1219 (N.D. Ill. 2005).

C. Other issues
1. Posting different types of information

  • Michaels v. Internet Entertainment Group, 5 F. Supp. 2d 823 (D. Cal. 1998).
  • In the Matter of Geocities, 127 F.T.C. 94 (F.T.C 1999).
  • Remsburg v. Docusearch, Inc., 149 N.H. 148 (N.H. 2003).
  • Topheavy Studios, Inc. v. Doe, 2005 Tex. App. LEXIS 6462 (Tex. App. 2005).
  • John Doe No. 1 v. Cahill, 884 A.2d 451 (Del. 2005).
  • Federal Trade Commission, Gateway Learning Corporation; Analysis to Aid Public Comment, 69 Fed. Reg. 42176, (July 14, 2004).
  • Lambert v. Hartman, 2008 U.S. App. LEXIS 4019 (6th Cir. 2008).

2. Data retention and interception (administrative, civil and criminal aspects)

VII. COMPUTER AND INTERNET CRIMES

A. Hacking (system breach and/or data manipulation, etc.)

  • State v. McGraw, 480 N.E.2d 552 (Ind. 1985).
  • State v. Riley, 121 Wn.2d 22 (Wash. 1993).
  • Thrifty-Tel, Inc. v. Bezenek, 46 Cal. App. 4th 1559 (Cal. Ct. App. 1996).
  • United States v. Sablan, 92 F.3d 865 (9th Cir. 1996).
  • Sherman & Co. v. Salton Maxim Housewares, Inc., 94 F. Supp. 2d 817 (E.D. Mich. 2000).
  • Thurmond v. Compaq Computer Corp., 171 F. Supp. 2d 667 (D. Tex. 2001).
  • United States v. Ivanov, 175 F. Supp. 2d 367 (D. Conn. 2001).
  • Guin v. Brazos Higher Educ. Serv. Corp., 2006 U.S. Dist. LEXIS 4846 (D. Minn. 2006).
  • In the Matter of BJ’S Wholesale Club, Inc., 2005 FTC LEXIS 134 (F.T.C 2005).
  • United States v. Heckenkamp, 482 F.3d 1142 (9th Cir. 2007).

B. DoS, DDoS, botnets

  • Tyco Int’l (US) Inc. v. Doe, 2003 U.S. Dist. LEXIS 25136 (S.D.N.Y. 2003).
  • United States v. Ancheta, case No.2:05CR01060, unpublished (C.D. Cal. 2006).

C. Viruses, worms, trojans, timebombs

D. IP crimes

  • United States v. Lambert, 446 F. Supp. 890 (D. Conn. 1978).
  • United States v. LaMacchia, 871 F. Supp. 535 (D. Mass. 1994).
  • Arista Records, Inc. v. MP3Board, Inc., 2003 U.S. Dist. LEXIS 11392, Copy. L. Rep. (CCH) P28,658 (S.D.N.Y. 2003).
  • United States v. Hsu, 40 F. Supp. 2d 623 (D. Pa. 1999).

E. Digital espionage, carding, e-banking robbery, online wars

F. Pornography

G. Other

  • People v. Fernino, 2008 NY Slip Op 28044, 1 (N.Y. Misc. 2008).

VIII. E-government (e-administration, e-voting, technological neutrality of the state, open standards) issues

  • Online Policy Group v. Diebold, Inc., 337 F. Supp. 2d 1195 (D. Cal. 2004).

IX. Litigation (e-evidences etc.)

  • Bakhtiari v. Lutz, 507 F.3d 1132 (8th Cir. 2007).

C-275/06, Promusicae

January 29th, 2008, Tomasz Rychlicki

Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market (‘Directive on electronic commerce’), Directive 2001/29/EC of the European Parliament and of the Council of 22 May 2001 on the harmonisation of certain aspects of copyright and related rights in the information society, Directive 2004/48/EC of the European Parliament and of the Council of 29 April 2004 on the enforcement of intellectual property rights, and Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) do not require the Member States to lay down, in a situation such as that in the main proceedings, an obligation to communicate personal data in order to ensure effective protection of copyright in the context of civil proceedings. However, Community law requires that, when transposing those directives, the Member States take care to rely on an interpretation of them which allows a fair balance to be struck between the various fundamental rights protected by the Community legal order. Further, when implementing the measures transposing those directives, the authorities and courts of the Member States must not only interpret their national law in a manner consistent with those directives but also make sure that they do not rely on an interpretation of them which would be in conflict with those fundamental rights or with the other general principles of Community law, such as the principle of proportionality.

Details about this case in the judgment C-275/06, Promusicae.

Internet domains and trade mark law, case I ACa 1228/05

June 14th, 2007, Tomasz Rychlicki

The Appellate Court in Poznań in its judgment of 26 April 2006, case file I ACa 1228/05, published in electronic database LEX no. 214296, ruled that in the case of a trade mark in the form of a particular word, it is the word representing the sign that is important, so long as it has distinctive character and makes it possible to distinguish the goods supplied or manufactured by a company from the products of another company. The appearance of a sign that may be represented by letters written in different fonts was less important in the described case. The conclusion that only the graphic/figurative similarity between the two marks would give a plaintiff the right to assert claims arising from article 296 of the Polish Act of 30 June 2000 on Industrial Property Law – IPL – (in Polish: ustawa Prawo własności przemysłowej), published in Journal of Laws (Dziennik Ustaw) of 2001 No 49, item 508, consolidated text of 13 June 2003, Journal of Laws (Dziennik Ustaw) No 119, item 1117, with later amendments, would render the protection resulting from this provision purely illusory and would wreck the sense of norms arising from this article.

Article 296
1. Any person whose right of protection for a trademark has been infringed or any person who is permitted by law to do so, may demand the infringing party to cease the infringement, to surrender the unlawfully obtained profits and in case of infringement caused by fault also to redress the damage:
(i) in accordance with the general principles of law,
(ii) by the payment of a sum of money at the amount corresponding to the license fee or of other reasonable compensation, which while being vindicated would have been due on account of consent given by the holder to exploit his trademark.

1a. To the claims referred to in paragraph (1) the provisions of Article 287(2) and (3) shall apply accordingly.

2. Infringement of the right of protection for a trademark consists of unlawful use in the course of trade of:
(i) a trademark identical to a trademark registered in respect of identical goods,
(ii) a trademark identical or similar to a trademark registered in respect of identical or similar goods, if a likelihood of misleading the public, including in particular a risk of associating the trademark with a registered trademark, exists;
(iii) a trademark identical or similar to a renowned trademark registered for any kind of goods, if such use without due cause would bring unfair advantage to the user or be detrimental to the distinctive character or the repute of the earlier trademark.

3. The claims referred to in paragraph (1) shall also be enforceable against a person who only puts on the market the goods already bearing that trademark, provided that the goods do not originate from the right holder or from a party authorised by him to use the trademark.

4. When invoking the right of protection conferred by his trademark, the licensor may enforce the claims referred to in paragraph (1) against a licensee who breaches any provision in his licensing contract with regard to its duration and territory covered by the contract, the form covered by the contract in which the trademark may be used, as well as the scope of the goods for which the trademark may be used or the quality of the goods. This shall apply accordingly to the sub-license.

5. A holder of a right of protection for a trademark may enforce the claims referred to in paragraph (1) against a licensee or a sub-licensee in case where the provisions of the sub-license contract, referred to in paragraph (4) have been breached, as well as in the case, where the contract has been concluded in breach of Article 163(2).

The Court also held that registering a web site under a given domain name address, conducting a business activity through it, and advertising it fulfil the condition of “trade mark use”.

See also “Polish case law on domain names”.

Access to public information, case OSK 600/04

September 12th, 2006, Tomasz Rychlicki

ISOC Poland requested the President of the Social Insurance Institution – ZUS – (in Polish: Zakład Ubezpieczeń Społecznych) to make available public information concerning the technical specification of the KSI MAIL format that is used in the Płatnik software. The Płatnik computer program is free but not open source software used to fill in and send statements of payment declarations to the Social Insurance Institution. It works only with MS Windows.

The President of ZUS ruled that the Polish Act of 13 October 1998 on the Social Insurance System, consolidated text published in Journal of Laws (Dziennik Ustaw) of 2007 No. 11, item 74 as amended, obliges payers of social insurance to prepare documents including inter alia protected data, for instance sensitive data concerning health, in electronic format and to transmit such documents from Płatnik to ZUS. These data are personal data protected by law. Making them available could result in significant disruption in the supply of the KSI MAIL system, expose ZUS to a breach of professional secrecy and undermine the statutory exclusivity of the software provided by ZUS. Regardless of the abovementioned arguments, ZUS stated that the KSI MAIL module is subject to business confidentiality and trade secrets due to the agreement concluded between ZUS and Prokom Software S.A. on the design and implementation of a comprehensive system for social security. The agreement obliged ZUS to keep confidential all information relating to the transferred technology and solutions contained in KSI MAIL. ZUS based its final decision on article 5 of the Polish Act of 6 September 2001 on access to public information – API – (in Polish: Ustawa o dostępie do informacji publicznej) Journal of Laws (Dziennik Ustaw) No. 112, item 1198, with subsequent amendments.

Article 5. 1. The right to public information is subject to limitation to the extent and on the principles defined in the provisions on the protection of confidential information and on the protection of other secrets being statutorily protected.
2. The right to public information is subject to limitation in relation to privacy of a natural person or the secret of an entrepreneur. The limitation does not relate to the information on persons performing public functions, being connected with performing these functions, including the conditions of entrusting and performing these functions and in the event when a natural person or entrepreneur resigns from the right to which he was entitled to.
3. The access to public information on matters resolved before the state authorities, in particular in the administrative, criminal or civil proceedings cannot be limited, with the stipulation of it. 1 and 2, with respect to protection of the party’s interest, if the proceedings concern the public authorities or other entities performing public functions or persons performing public functions – in the scope of these functions or tasks.
4. The limitations of access to information on cases, defined in it. 3, do not breach the right to information on organisation and work of the bodies conducting proceedings, in particular on time, mode and place and the order of investigating cases.

ISOC filed a complaint before the Voivodeship Administrative Court in Warsaw. It emphasized that the technical specification of KSI MAIL is public information. Its publication broadens the possibilities of fulfilling their duties for citizens who do not wish to invest in MS Windows. ISOC further argued that ZUS cannot rely on contractual provisions, as they were contrary to the mandatory provisions of the API and are invalid. Also, ZUS erroneously interpreted the law in relying on business secrets and trade secrets, because ISOC did not request the source code of the program, or other works protected by copyright or industrial property rights/patents.

The Voivodeship Administrative Court in its order of 30 January 2004, case file II SA 3732/03, held that this request concerns matters that are not subject to administrative jurisdiction but to that of the civil courts, in accordance with the provisions of article 22(1) of the API.

Article 22.
1. The entity, which was denied the access to the public information in respect to its exclusion of its openness when quoting the protection of personal data, the right to privacy and the secret other than state, official, treasury or statistical secret, is entitled to put an action to the court for making such information available.
2. The entity, to which the exclusion of public information is related, has a legal interest in commencing as an accidental intervener on the defendant’s side.
3. The competent court for resolving the cases, defined in it. 1, is the district court with respect to the seat of the entity, which refused to make the public information available.

The Supreme Administrative Court in its judgment of 3 March 2004, case file OSK 600/04, stated that the cassation complaint was unfounded and declared that the term “when quoting”, as used in article 22(1) of the API, means that it is sufficient for the entity that possesses the requested information to invoke the object of protection mentioned in this provision in order to exclude the possibility of control by an administrative court. In this case the administrative court cannot control the legality of the decision or investigate whether the indicated condition actually occurred.