This is page 2 of:

The Legal Quicksand Of Giving Online Stuff Away For Free

January 16th, 2013

So what does this mean for retailers?

We are back to my See’s Candies problem. Whenever any content is made available or accessible online, we create a “right” to access, download, view and use that data. Under copyright law, we have created an implied license. That means we give up a tiny bit of our copyright rights. Apart from copyright law, we have created an implied right to access our computers (Web servers) and view (download) content. But for what purposes? What rights have we granted? Just like in the See’s Candies case, we want online viewers to act responsibly—to use the content properly and to not abuse it. But once the content is up there, what actually prevents or limits abuse—both technologically and legally?

The key here is to have an appropriate balance between law, enforcement, monitoring and technology commensurate with the business model retailers intend to operate. This means having more detailed and robust terms of use and terms of service that set out exactly what you, as a retailer, are giving up and what you are not giving up. It means telling users with some degree of specificity what they can and cannot do. Remember, though, that you will never be able to think of all the various forms of abuse and misuse people can engage in. So retailers should reserve the right to terminate or restrict access to anyone they believe is acting in a manner that is abusive or improper.

Retailers should also state that circumvention or attempted circumvention of access controls or limitations on access or use constitutes either unauthorized access, attempted unauthorized access or exceeding authorized access to their systems or data. In addition, retailers should include some copyright language that restricts republishing or reuse of copyrighted data. All of this gives retailers the legal ability to enforce some restrictions. It’s like putting up a sign that says, “One lollipop per customer.” It’s not perfect, but it’s a start.

Next, of course, is to have a robust abuse monitoring program. Whether retailers are operating a Web site or a full-on E-Commerce server, they need to keep tabs on the system and take appropriate action when abuse occurs. The Swartz case illustrates that people who want to abuse your network will take actions—sometimes extraordinary actions—to hide what they are doing. Indeed, if you wanted to re-create the entire JSTOR database in a way that would elude detection, you would simply add a browser plug-in to all JSTOR users’ computers that would take any document those users looked at (lawfully) and copy it into a new database.

Such a plug-in, called RECAP, already exists for users of Firefox who access the PACER system. Over time, all of the protected files are copied into an unprotected database, with activity that simply looks like normal activity. So instead of visiting the See’s Candies stand a thousand times, I get a thousand people to visit once each and then give me the lollipops. I quickly get my free boxes of lollipops.

Finally, online retailers must have a robust incident response plan or program. So, now that I see abuse, what do I do? How do I circumvent those who are trying to circumvent my access controls? Do I call the police? MIT itself is under withering criticism for the way the university attempted to protect its own networks and for the fact that it was cooperating with the FBI and the local U.S. Attorney’s Office. Responding properly to such an “incident” is a combination of law, technology, reputation management and uncommon sense.

Abuses will continue to occur. The key here is to detect and manage such abuse. And, oh, haven’t you already had three mocha lollipops?

If you disagree with me, I’ll see you in court, buddy. If you agree with me, however, I would love to hear from you.

