I. INTRODUCTION
Recent news articles and publications by experts seem to predict
that courts will not be lenient toward Internet service providers
("ISPs") (1) who fail to protect against semantic attacks. (2)
A semantic attack targets the meaning assigned to content, for example
by posting false information on message boards. (3)
The recent decision in Hart v. Internet Wire, Inc. addressed the
liability of an Internet service provider against such a semantic
attack. (4) In Hart, Mark Simeon Jakob ("Jakob") was employed
by Internet Wire, a news wire service which distributes corporate news
to the public. (5) Jakob bought short (6) positions on 3,000 shares of
Emulex stock, expecting the price of the shares to drop. (7) Jakob faced
a loss of almost $97,000 when the price of the stock started to climb.
(8) Using his knowledge of the internal methods with which press
releases are submitted to and published on Internet Wire, he then
schemed to drive down the price by publishing a false press release. (9)
Jakob posed as an Emulex public relations executive and sent an
e-mail to Internet Wire, requesting that the press release be published.
(10) The Internet Wire staff treated the press release as authentic.
(11) The press release described various problems at Emulex, including
the restatement of earnings, the resignation of the company's CEO,
and a SEC investigation into the company's practices. (12) Internet
Wire published the press release the next morning. (13) Bloomberg, the
worldwide news organization, picked up the story from Internet Wire and
issued the statement. (14) Bloomberg did not investigate the veracity of
the press release. (15) Within sixteen minutes of the Bloomberg
headline, the Emulex share price dropped by sixty dollars. (16) NASDAQ
halted trading and Emulex exposed the fraudulent release. (17) Bloomberg
then reported that the press release had been false, and the stock price
climbed back to the price at which it normally traded. (18)
During those sixteen minutes, Jakob was able to cover his position
at a profit. (19) And despite a recovery of the stock price, the
fraudulent press release caused an "estimated $2.2 billion lost
market capitalization and $1.10 million in loss to investors in Emulex
securities." (20) A class action suit for securities fraud was
filed on behalf of those persons who had sold common stock or call
options or who had purchased put options in Emulex after the market
opened until trading halted. (21) The court determined that the
plaintiffs had failed to adequately plead scienter and the case was
dismissed with leave to replead. (22)
Another type of attack that can cause severe economic losses is
what Margaret Jane Radin, Professor of Law at Stanford Law School, aptly
names "netjacking." (23) A Distributed Denial of Service
("DDoS") attack is a severe form of netjacking. (24) Rather than
break into a system to steal data, a hacker attempts to prevent users
from accessing their own network for reasons known only to the hacker,
such as "revenge, economical or political gain, or just plain
nastiness." (25) A DDoS attack may be deliberate or accidental, but
it is "considered to take place only when access to a computer or
network is intentionally blocked as a result of some malicious
action." (26)
The Computer Security Institute, based in San Francisco, released
its 2001 Computer Crime and Security Survey in which 186 of 538 total
respondents collectively reported approximately $378 million in
financial losses in the past year due to computer security breaches.
(27) Other statistics included a report of 85 percent of respondents
experiencing breaches of their computer security systems, 70 percent
pointing to their Internet connections as a frequent point of attack,
and 31 percent stating that their internal systems were targeted for
attack. (28) Denial of service attacks
resulted in a reported loss of millions of dollars to Yahoo!,
Amazon.com, and Ebay in February 2000 alone. (29)
Radin provides this helpful chart of the DDoS chain of actors and
vulnerabilities: (30)
DDOS PARTICIPANT                    KEY VULNERABILITIES

Individual computer users           Open operating system architecture,
                                    high bandwidth connections.

Portals and commerce sites          Lack of awareness; lack of
                                    personnel, technology

Corporations/online business        Attack modes keep changing,
sites                               distributed attacks hard to trace
                                    in real time

Network infrastructure and          Unwitting conduit for malicious
service providers                   packets
If an ISP were subject to a DDoS attack, would it be liable for the
financial losses incurred by the users of its site? If the plaintiffs
had adequately pled their case, could Internet Wire and Bloomberg have
defended themselves with defenses normally used in securities fraud
cases? Would they be subject to any other causes of action or have any
other defenses? Some ISPs have improved their detection of viruses,
worms, and other threats. Therefore, by engaging in semantic attacks or
assaults on meaning, hackers are finding different, subtle ways to
attack and spread misinformation, especially now that the Internet has
become a popular medium for obtaining news. Would a court expect
defendants to safeguard against such semantic attacks?
Part II of this Note examines possible claims against an ISP. Part
III analyzes the strengths and weaknesses of possible defenses an ISP
could utilize in the event it is charged with failure to protect against
a semantic attack. Finally, Part IV examines the future implications of
this topic in an environment now focused on preventing new forms of
cyber terrorism.
II. CLAIMS
A. Federal Statutes
Congress addressed hacker liability in the Electronic
Communications Privacy Act (31) and the Computer Fraud and Abuse Act.
(32) This current law, however, "is not clear[] ... regarding a
company's duty to protect its computer network from third-party
glitches within its own system." (33) The Gramm-Leach-Bliley Act
(34) guidelines "suggest a number of security measures that banks,
credit unions, and other financial institutions should implement to
protect their computer databases." (35) Every state, with the
exception of Vermont, has enacted computer crime legislation. (36)
Nevertheless, a statute addressing the liability of private
companies does not currently exist. Therefore, whether courts would hold
Internet sites (37) liable for security breaches of their databases that
contain customers' private information is unclear. (38)
B. Breach of Contract
Raul suggests that the contract model "might apply in the
context of parties who have contracted to provide and receive data
storage or processing services, but would not generally apply in the
case of security breaches affecting individuals or other third
parties." (39) In contrast, Radin argues that contractual
disclaimers are "legally efficacious in some contexts, but not
always." (40) While she concedes that "contractual disclaimers
are not binding on third parties who are not parties to the
contract," (41) Radin notes that "not all contracts are valid
and enforceable." (42) If a contract is of invalid formation or of
invalid content, it could be unenforceable. (43) Radin believes that a
court will scrutinize terms of service for overreaching, especially to
determine whether there was unequal bargaining power between an ISP and
an individual consumer. (44)
Courts in various jurisdictions differ as to whether they would
allow an ISP to shift its own negligence to the other party in its
contract. (45) Radin uses the AOL contractual disclaimer as an example
of an attempt to shield itself from a DDoS attack:
UNDER NO CIRCUMSTANCES SHALL
AMERICA ONLINE, ITS SUBSIDIARIES, OR
ITS LICENSORS BE LIABLE FOR ANY
DIRECT, INDIRECT, PUNITIVE,
INCIDENTAL, SPECIAL, OR
CONSEQUENTIAL DAMAGES THAT RESULT
FROM THE USE OF, OR INABILITY TO USE,
THIS SITE. THIS LIMITATION APPLIES
WHETHER THE ALLEGED LIABILITY IS BASED
ON CONTRACT, TORT, NEGLIGENCE, STRICT
LIABILITY, OR ANY OTHER BASIS, EVEN IF
AMERICA ONLINE HAS BEEN ADVISED OF
THE POSSIBILITY OF SUCH DAMAGE.
BECAUSE SOME JURISDICTIONS DO NOT
ALLOW THE EXCLUSION OR LIMITATION
OF INCIDENTAL OR CONSEQUENTIAL
DAMAGES, AMERICA ONLINE'S LIABILITY
IN SUCH JURISDICTIONS SHALL BE
LIMITED TO THE EXTENT PERMITTED BY
LAW. (46)
Whether a court would find this disclaimer valid and enforceable
depends on such factors as the choice of law, choice of forum, and
whether courts in those jurisdictions approve of contracts of adhesion.
(47)
C. Tort Liability
Another available claim appears under the tort model. Applying this
theory, victims of security breaches would need to prove the following
elements to recover for damages: "(1) a reasonable duty of care
necessary to prevent security breaches, (2) a breach of that duty, (3) a
proximate relationship between the breach of the duty and the injury,
and (4) actual loss or damage sustained as a result of the breach."
(48) Nevertheless, establishing a standard duty of care for all Internet
service providers is difficult, unwieldy, and may even promote hacking.
(49) In the Hart case, Jakob was an employee of Internet Wire; (50)
therefore, the plaintiffs could have also pursued a vicarious liability
claim under the theory of respondeat superior. (51)
D. Securities Fraud and 10b-5 Claims
A securities fraud claim can arise under section 10b-5 of the
Securities Exchange Act of 1934. (52) This was the claim used by the
class action plaintiffs in Hart v. Internet Wire. (53) In Hart, the
court noted that to "satisfy the scienter element of Section 10(b),
a complaint must allege facts giving rise to a strong inference that the
defendant acted with 'intent to deceive, manipulate, or
defraud,'" (54) and that "[f]ailure to plead this basic
element is grounds for dismissal of a Section 10(b) claim." (55)
Nevertheless, given the monetary and reputation losses that ISPs
suffer in the wake of a semantic attack, plaintiffs will have difficulty
alleging that an ISP willfully intended to "deceive, manipulate, or
defraud" (56) itself or its customers by allowing a hacker to
invade its website. While the securities fraud claim that the Hart
plaintiffs alleged was in the context of a false press release published
by an Internet news wire service, the same difficulty exists in other
types of semantic attacks. As a provider of Internet news, Internet Wire
wants to maintain a reputation as a publisher of truthful information.
Since publishing a false press release would undermine this goal, the
company lacks the requisite willful intent. Additionally, claims of
misrepresentation and intent to defraud may fail because they are often
elements of a 10b-5 claim, and if the elements cannot be proven as part
of a whole case, proving each element as a separate case will be
difficult.
Commentator Robert Prentice believes that a 10b-5 claim can
succeed. (57) He describes a hypothetical "[e]mployee[] with
[l]oose [l]ips." (58) Such a situation arises when a company's
insider uses an alias to post a rumor promoting the stock either to help
the company, raise the stock price, or sell personal holdings. (59)
Prentice asserts that "such anonymous postings violate the
manipulation provisions of § 10(b) and are actionable.... The
individual actors are liable, and the company is probably liable as well
on a respondeat superior basis." (60) Employees participating in
news groups or chat rooms would also be liable under 10b-5. (61)
Prentice argues that such participation is similar "to an
employee's appearing and speaking at the meeting of an investment
club." (62) The investment club might believe that the employee is
authorized to speak on his company's behalf, even though the
company believes otherwise. (63) Thus, "[any] statements could be
treated as disclosures by the company. Any inaccuracies could lead to
firm liability for misrepresentation under Rule 10b-5." Prentice further
postulates that "even accurate disclosures could be viewed as
illicitly 'selective' and invite insider trading
liability...." (64)
III. DEFENSES
A. Procedural
The first line of defense should be procedural. A 12(b)(6) (65)
motion to dismiss should be the initial response. The plaintiff will
have difficulty meeting his burden of persuasion when the ISP claims
lack of awareness or lack of the requisite intent. (66) For example, the
plaintiffs in Hart failed to adequately plead that the defendants either
knew that the press release was false or doubted its validity at the
time of its publication. (67) Since the plaintiffs did not allege this
element of their § 10b-5 claim, the defendants prevailed on
their 12(b)(6) motion. (68)
B. Constitutional Claims
In general, ISPs have managed to avoid liability for hate speech
and defamatory messages posted online and in chat rooms. (69) Hate
speech online is distinguishable from semantic attacks. Posters of hate
speech online use the ISP as a forum to disseminate speeches and
writings. A semantic attack wreaks havoc by taking advantage of the
breaches in computer security; it changes the content of information
online or disrupts service, thereby causing dissemination of false
information and economic loss.
In Zeran v. America Online, Inc., the plaintiff Zeran sued America
Online ("AOL") for an unreasonable delay in removing
defamatory messages posted by an unidentified third party, for not
posting a retraction of those messages, and for failing to screen for
subsequent similar postings. (70) Zeran argued on appeal that §
230 of the Communications Decency Act of 1996 (the "CDA")
rendered interactive computer service providers, like AOL, liable for
"possess[ing] notice of defamatory material posted through their
services." (71) He also asserted that § 230 did not apply
to him because his claim for AOL's negligence arose before the CDA
was enacted. (72)
The issue was whether AOL could be held liable for defamatory
speech initiated by a third party. (73) Section 230 provides, in
relevant part, that "[n]o provider or user of an interactive
computer service shall be treated as the publisher or speaker of any
information provided by another information content provider." (74)
The court explained that the plain language of § 230
"creates a federal immunity to any cause of action that would make
service providers liable for information originating with a third-party
user of the service." (75) This section also "precludes courts
from entertaining claims that would place a computer service provider in
a publisher's role. Thus, lawsuits seeking to hold a service
provider liable for its exercise of a publisher's traditional
editorial functions--such as its decision to publish, withdraw, postpone
or alter content--are barred." (76) The congressional public policy
rationale was to prevent "deter[rence of] harmful online speech
through the separate route of imposing tort liability on companies that
serve as intermediaries for other parties' potentially injurious
messages." (77)
Zeran next argued that knowledge of the defamatory language was
sufficient to impose notice liability on AOL. (78) The court rejected
this argument, stating that notice liability would defeat the purpose of
§ 230 and "reinforce[] service providers' incentives
to restrict speech and abstain from self-regulation." (79) The
court continued:
If computer service providers were subject to
distributor liability, they would face potential
liability each time they receive notice of a
potentially defamatory statement--from any party,
concerning any message. Each notification would
require a careful yet rapid investigation of the
circumstances surrounding the posted information,
a legal judgment concerning the information's
defamatory character, and an on-the-spot editorial
decision whether to risk liability by allowing the
continued publication of that information....
Because service providers would be subject to
liability only for the publication of information,
and not for its removal, they would have a natural
incentive simply to remove messages upon
notification, whether the contents were defamatory
or not.... Thus, like strict liability, liability upon
notice has a chilling effect on the freedom of
Internet speech. (80)
Zeran also argued the legal distinction between the terms
"distributor" and "publisher," since a different
standard of liability attaches to each in the context of defamatory
messages. (81) The court dismissed this claim as well, stating that
notice does not transform an original publisher into a distributor. (82)
Rather, the contrary is true. When an ISP receives notice of a
defamatory posting, it becomes a publisher. (83) At that point,
"[t]he computer service provider must decide whether to publish,
edit, or withdraw the posting. In this respect, Zeran seeks to impose
liability on AOL for assuming the role for which § 230
specifically proscribes liability--the publisher role." (84)
The Zeran court decided that AOL was not liable in its role as a
publisher for the defamatory messages posted on its service. (85) In
addition, the third party's identity was unknown. (86) The Hart
defendants could analogize the Zeran court's no-liability decision
to their position if the article that Jakob posted contained defamatory
information about Emulex. According to the Zeran court, the inclusion of
such defamatory information would provide greater protection, and
Internet Wire and Bloomberg could have a defense against their failure
to investigate the accuracy of the statements in the article. If the
story, however, contained no defamatory messages, this argument could
lose some of its strength.
C. Contract
A possible defense for an ISP exists under a contract theory.
"Most courts will adhere to the traditional privity of contract
requirement, which restricts liability for injuries to those arising
from the exchange of goods or services between the parties to a
contract." (87) Therefore, "under a contract theory, a victim
of a hacker attack launched via a third party's unsecure computer
system would have no claim against the third party, because of the
absence of a contractual relationship with the victim." (88)
D. Tort
A significant obstacle in recovering under a tort theory is the
economic loss rule. (89) This rule is traditionally invoked to deny
plaintiffs recovery for economic losses in the absence of physical
damages. (90) Using this rule could deny the victim plaintiffs damages
in a computer security breach case. A possible exception could exist by
applying the rule from People Express Airlines v. Consolidated Railway.
(91) If the victim is foreseeable, a court may award damages, despite an
absence of physical harm. (92) Radin notes that courts have sometimes
rejected liability of third-party defendants where the level of risk or
ability to anticipate the risk exposure was disproportionate to the
party's role. (93) ISPs also could argue that victim plaintiffs
assumed the risk of providing information on the website with knowledge
that a breach of security could occur.
E. Corporate
A plaintiff might argue that a type of agency relationship exists
between the ISP and the hacker who attacks its website. In corporate
law, prior acts by an agent do not bind the principal since the agent
does not have actual, apparent, or inherent authority. (94) If the
principal, however, agrees with the prior acts and ratifies the prior
acts as if originally authorized by the principal, then the agent acts
with actual authority. (95) For example, if Agent lacks actual authority
to tell third party Buyer that Buyer can have a discount, but
subsequently Principal tells Agent that Principal thinks the discount is
a good idea, Agent's prior act of giving the discount is ratified
and it is as if Agent did act with actual authority. (96)
A major limitation is that the principal must have the capacity to
ratify both when the original act was effected by the agent and at the
time the principal seeks to ratify.
Silence does not equal ratification. Since the purpose in creating a
website is conceivably not to create a host for the hacker, establishing
an agency relationship will be difficult. Therefore, the claim that a
website's failure to implement security measures to protect against
semantic attacks creates a host for the hacker, implicitly linking
both, will probably fail.
Nevertheless, a plaintiff can argue that an agency relationship is
established by the type of attack, such as one in which a hacker gains
entry into a network by undermining its security measures. This can be
accomplished "by setting up programs that try millions of passwords
until one is accepted." (97) For instance, "[a] hacker may set
up 'sniffers,' programs that check data to find encrypted or
sensitive information. Once [the sniffers] gather the information they
can decode it, or if unencrypted, use it directly to find out more about
a network and penetrate it more easily." (98) If an ISP knows that
its security is being undermined, but it takes no preventive measures to
protect against future attacks, and a future attack does occur, a
plaintiff's argument may be bolstered.
Another possible argument by a plaintiff is that, like the
fiduciary duty that runs from a corporation's directors to that
corporation's shareholders, a similar duty should be created
between an ISP and the user of its website. One type of duty usually
referenced is a duty of care. (99) Under the duty of care standard,
directors occupy a fiduciary relationship to the corporation and must
exercise the care of ordinarily prudent and diligent persons in like
positions under similar circumstances. (100) The basic objective
standard is that a director shall perform in good faith in a manner he
reasonably believes to be in the best interest of the corporation. (101)
The duty of care standard is shielded by the business judgment rule
("BJR"). (102) The BJR protects the decisions of directors
regarding management of the corporation from shareholders who disagree
with that decision. (103) Courts generally defer to the decision of
directors and the BJR and will not review a director's decision
even if it is a wrong or poor decision. (104) The courts acknowledge
that they have neither the expertise required nor the proper role to
make business decisions. (105)
The policy rationale underlying such deference is to allow
directors to implement business decisions without fear of a lawsuit in
order to realize the shareholders' goal of wanting directors to
take risks to produce profit even though mistakes may be costly. (106)
The effect of judicial review on such business decisions, which thereby
possibly could create liability for directors, "could make
directors overly cautious, resulting in reduced shareholder value."
(107) Directors of an ISP could argue that the decision of whether to
implement security software falls within the ambit of the BJR.
Directors could cite such things as cost, time, and efficiency as
reasons for not wanting to implement security measures. (108)
A potential counterclaim is that an Internet company's assets
are, generally speaking, limited to its website's content and the
team of individuals behind that website. Therefore, the website's
managers owe a duty to protect the investment that comprises the main
value of a shareholder's ownership of stock. In an agency
relationship, the principal tends to be the least cost avoider. (109) In
an Internet company, however, the assets are limited to the content and
human capital, so it may not be the "deep pocket" that
shareholders expect.
Some insurance providers sell professional liability or anti-hacker
insurance policies to companies at risk of an information security
breach. (110) If insurance companies provide coverage, defenses of ISPs
may be weakened since now it is the insurance company with the deep
pockets. (111)
F. Blaming Others
ISPs may be able to escape liability by blaming network service
providers. Radin argues:
Legal liability is sensitive to the state of the art
on cost-effective precautions, both technology and
practices. Right now, Web sites and network
service providers are trying to fight attacks on a
"retail" basis, site by site, attack program by attack
program. Technologies are emerging, however,
that tackle the problem "wholesale," on a network
basis, by enabling backbone service providers and
network intermediaries to analyze and screen
attack traffic. When wholesale prevention becomes
practical, courts will have reason to place the
liability on network entities, because it will give
these entities the incentive to implement the most
efficient protective strategy. (112)
Nevertheless, it can be argued that the same defenses available to
ISPs will be available to network entities. Radin provides the following
diagram on who can best shoulder the blame:
POTENTIAL LIABILITY VS. ABILITY TO TAKE COST-EFFECTIVE
PRECAUTIONS (113)

DDOS PARTICIPANT          POTENTIAL       ABILITY TO TAKE
                          LIABILITY       COST-EFFECTIVE
                                          PRECAUTIONS

Individual computer       Negligible      None
users

Portals and               Moderate        Can implement security
commerce sites                            practices, but detection
                                          in real time remains
                                          difficult

Corporations/online       Moderate        Can implement security
business sites                            practices, but detection
                                          in real time remains
                                          difficult

Network                   Moderate to     Can implement
infrastructure and        high            network-wide wholesale
service providers                         filtering technology
Radin dismisses the defenses in this next figure: (114)
CURRENT LEGAL ANALOGIES FOR DDOS LIABILITY

Traditional Common Carrier        Not applicable to ISPs and
Law                               network infrastructure
                                  providers--their services are not
                                  open to all

Communications Decency Act *      Not applicable: limits ISP
                                  liability for passing through
                                  defamatory or other
                                  objectionable content

Digital Millennium Copyright      Not applicable; limits ISP
Act                               liability for hosting or
                                  transmitting copyrighted content

* Section of Telecommunications Act of 1996
G. Risk Management
If an ISP does take steps to safeguard against a semantic attack,
will this be enough to escape liability? Arguably, it should be since
the nature of hackers is to find a weakness and every system is likely
to have one bug that has escaped testing. For example, Windows XP, a
product of Microsoft, a software provider rather than an ISP, was at
the center of controversy when the FBI's National Infrastructure
Protection Center issued an alert that the universal plug and play
feature contained a glitch that could result in a severe security
breach. (115) Microsoft "acknowledged that Windows XP suffers from
serious problems that allow hackers to steal or destroy a victim's
data files across the Internet or implant rogue computer software."
(116) The FBI was prompted to release the warning since "[t]he
glitches were unusually serious because they allow hackers to seize
control of all Windows XP operating system software without requiring a
computer user to do anything except connect to the Internet." (117)
IV. FUTURE IMPLICATIONS
Criminal liability for hackers is impossible to escape, and the
government is taking extra steps to prevent and punish those that engage
in this conduct. (118) Civil liability may continue to stand still as the
Federal Trade Commission ("FTC") recently announced that it
will not seek new laws but will focus on strengthening existing privacy
laws. (119) Higher level courts may be unwilling to decide on these
types of cases until public policy becomes more resolute towards a
particular course of action.
The situation could become ripe in the coming year, especially in
the aftermath of the recent terrorist attacks. Government officials warn
that cyberspace could be the next battleground. (120) Despite the
prognostication that "'[i]t is only a matter of time before the
convergence of bad guys and good stuff occurs,'" (121)
cyberthreats are still considered "weapons of mass disruption"
rather than "weapons of mass destruction." (122) Some computer
security experts believe the DDoS attack to be "evidence of
increasingly potent attacks by hackers, [o]ne of the forms of computer
attack that is hardest to defend against, ... becoming more common and
more disruptive, and 'causing greater collateral damage.'"
(123) Cyberterrorism advisor Richard Clarke believes an industry
attitude change has occurred and that "high-technology executives
are more willing to talk about building and buying more secure
technologies." (124)
Congress also recognizes this commentary by experts. One expert
testified on September 26, 2001 that "politically motivated web
site defacements will likely continue to escalate during the war on
terrorism." (125) He went on to cite semantic attacks as the
"most serious consequence[] of web site defacement[]" (126)
since they involve a subtle change in a web page's content, which
would then disseminate false information. He stated that "[a]
semantic attack on a news site or government agency site, causing its
web servers to provide false information at a critical juncture in the
war on terrorism, could have a significant impact on the American
population." (127)
The federal government and the private sector are now making
substantial investments in cyber security technologies. However, neither
the private nor public sectors are adequately elucidating the
fundamental principles that underlie complex, interconnected
infrastructures, or developing key technologies or analytical
methodologies crucial to protecting the information infrastructure.
Therefore, the government becomes the only realistic underwriter to
ensure that these technologies are developed. (128) If Congress follows
this advice, it could enact legislation that either allocates funds to
develop the technologies to protect the information infrastructure or
limits the ISPs' liability as it did in the Digital Millennium
Copyright Act. (129)
V. CONCLUSION
Semantic attacks are dangerous. False press releases can raise or
lower the price of stocks; inaccurate news stories can lead to
defamation; pictures can be doctored (130) and accepted as real; and
information can literally be disseminated by just one click of the
mouse, sending the information around the world and back again before a
user even leaves his computer. Although public policy would dictate that
ISPs take precautions to prevent and protect against semantic attacks,
the possible claims of injured plaintiffs are still vague. The defenses
available to ISPs, derived from aspects of constitutional, procedural,
contract, tort, and corporate law provide some basis for proceeding with
and potentially succeeding against such claims.
(1.) "[T]he term 'service provider' means an entity
offering the transmission, routing, or providing of connections for
digital online communications, between or among points specified by a
user, of material of the user's choosing, without modification to
the content of the material as sent or received." 17 U.S.C.
§ 512(k)(1)(A) (Supp. V 1999) (emphasis added). The term can
also mean "a provider of online services or network access, or the
operator of facilities therefor ...." Id. § 512(k)(1)(B).
Examples of Internet service providers include America Online
("AOL") and CompuServe. In addition, websites may qualify as
service providers, as a court found the website Ebay to fit within the
"broad definition of [§ 512(k)(1)(B)] online 'service
provider [OSP].'" Hendrickson v. Ebay, Inc., 165 F. Supp. 2d
1082, 1088 (C.D. Cal. 2001). "The term 'Internet access
provider' [IAP] means a person engaged in the business of providing
a computer and communications facility through which a customer may
obtain access to the Internet, but does not include a common carrier to
the extent that it provides only telecommunications services." 47
U.S.C. § 151 (f)(2)(A) (1994). For the purposes of this Note,
the terms ISP, IAP, and OSP will be used interchangeably. For a
comprehensive judicial review of the nuanced distinctions between these
terms, see ACLU v. Reno, 929 F. Supp. 824 (E.D. Pa. 1996).
(2.) See Sarah Faulkner, Invasion of the Information Snatchers:
Creating Liability for Corporations with Vulnerable Computer Networks,
18 J. MARSHALL J. COMPUTER & INFO. L. 1019 (2000); Jeff Nemerofsky,
The Crime of "Interruption of Computer Services to Authorized
Users" Have You Ever Heard of It?, 6 RICH. J.L. & TECH. 23
(Spring 2000), at http://www.law.richmond.edu/jolt/v6i5/article2.html
(last visited Jan. 22, 2003) (on file with the Rutgers Computer &
Technology Law Journal); Margaret Jane Radin, Distributed Denial of
Service Attacks: Who Pays?, at
http://www.mazunetworks.com/radin-print.html (last visited Jan. 22,
2003) (on file with the Rutgers Computer & Technology Law Journal); Alan
Charles Raul, et al., Liability for Computer Glitches and Online
Security Lapses, Sidley Austin Brown & Wood (Aug. 2001), at
http://www.sidley.com/cyberlaw/features/liability.asp (last visited Jan.
22, 2003) (on file with the Rutgers Computer & Technology Law
Journal); Carl S. Kaplan, Can Hacking Victims Be Held Legally Liable?,
N.Y. TIMES, Aug. 24, 2001, available at
http://www.nytimes.com/2001/08/24/technology/24CYBERLAW.html (last
visited Jan. 22, 2003) (on file with the Rutgers Computer &
Technology Law Journal).
(3.) See Vatis Statement, infra note 125. Bruce Schneier, CTO of
Counterpane Internet Security, believes that there are three waves of
network attacks. The first is physical, such as attacking computers,
wires, and electronics. He believes this wave is easy to solve simply by
reducing the dependencies on any one computer. Bruce Schneier, Semantic
Network Attacks: Industry Trend or Event, 43 COMM. OF THE ASSOC. FOR
COMPUTING MACHINERY [ACM] 168, 168 (2000). The second wave is syntactic,
which is attacking vulnerabilities in software products, for example.
Id. Although the solution is not easy, at least the security problem has
been recognized. Id. Schneier believes the third wave of semantic
attacks to be the most devastating. He warns against believing
everything you read:
How often have you needed the answer to a question and
searched for it on the Web? How often have you taken the
time to corroborate the veracity of that information, by
examining the credentials of the site, finding alternate
opinions, and so on? Even if you did, how often do you think
writers make things up, blindly accept "facts" from other
writers, or make mistakes in translation? On the political
scene, we've seen many examples of false information being
reported, getting amplified by other reporters, and eventually
being believed as true. Someone with malicious intent can do
the same thing.
Id.
(4.) 145 F. Supp. 2d 360 (S.D.N.Y. 2001).
(5.) Id. at 362.
(6.) A short sale is "[s]elling a security that the seller
does not own but is committed to repurchasing eventually. It is used to
capitalize on an expected decline in the security's price."
Yahoo! Finance, at http://finance.yahoo.com/ (selecting
"Glossary" link and then letter "s") (last visited
Jan. 22, 2003) (on file with the Rutgers Computer & Technology Law
Journal).
(7.) Hart, 145 F. Supp. 2d at 362.
(8.) Id. at 363.
(9.) Id.
(10.) Id.
(11.) Id.
(12.) Id.
(13.) Id.
(14.) Id.
(15.) Id.
(16.) Id. at 363-64.
(17.) Id. at 364.
(18.) Id.
(19.) Id. at 363.
(20.) Id. Schneier argues that semantic attacks are serious because
"[c]omputer processes are rigid in the type of inputs they
accept," much less than a human. Schneier, supra note 3, at 168.
Computers do not demand corroborating evidence, know what it is, or even
how to use it. As a result, "[t]he people who lost the most in the
Emulex hoax were the ones with preprogrammed sell orders." Id.
(21.) A call option is "[a]n option contract that gives its
holder the right (but not the obligation) to purchase a specified number
of shares of the underlying stock at the given strike price, on or
before the expiration date of the contract." Yahoo! Finance, at
http://finance.yahoo.com/ (selecting "Glossary" link and then
letter "c") (last visited Jan. 22, 2003) (on file with the
Rutgers Computer & Technology Law Journal). A put option is a
"security [that] gives investors the right to sell (or put) a fixed
number of shares at a fixed price within a given period. An investor,
for example, might wish to have the right to sell shares of a stock at a
certain price by a certain time in order to protect, or hedge, an
existing investment." Id. at http://finance.yahoo.com/ (selecting
"Glossary" link and then letter "p") (last visited
Jan. 22, 2003) (on file with the Rutgers Computer & Technology Law
Journal). A put option is the opposite of a call option. See id.
(22.) Hart, 145 F. Supp. 2d at 366, 371. The plaintiffs did file an
amended complaint, which the court dismissed with prejudice because
"to state a claim, a complaint to be sufficient must allege that
defendants acted with the required state of mind, viz., scienter, which
is 'intent to deceive, manipulate, or defraud'" and the
plaintiffs' complaint did not qualify. Hart v. Internet Wire, Inc.,
163 F. Supp. 2d 316, 321 (S.D.N.Y. 2001) (citing Lanza v. Drexel &
Co., 479 F.2d 1277, 1301 (2d Cir. 1973)).
(23.) Radin, supra note 2. She defines "netjacking" as
"the Internet's susceptibility to manipulation and attack by
mischievous or malicious intruders." Id.
(24.) Radin describes a DDoS attack as follows:
In a DDoS attack, intruders commandeer unsuspecting users'
computers and use these distributed "zombies" to flood a
target site or service with junk messages. The junk messages
overwhelm the servers of the victim and cause that site to
experience a period of "denial of service" to its legitimate
customers. The success of typical DDoS attacks involves the
"cooperation" of a number of players, or a chain of actors.
The chain consists of (1) computer use