Evan Schuman's StorefrontBacktalk

So what does this mean for retailers?

We are back to my See’s Candies problem. Whenever any content is made available or accessible online, we create a “right” to access, download, view and use that data. Under copyright law, we have created an implied license. That means we give up a tiny bit of our copyright rights. Apart from copyright law, we have created an implied right to access our computers (Web servers) and view (download) content. But for what purposes? What rights have we granted? Just like in the See’s Candies case, we want online viewers to act responsibly—to use the content properly and to not abuse it. But once the content is up there, what actually prevents or limits abuse—both technologically and legally?

The key here is to have an appropriate balance between law, enforcement, monitoring and technology commensurate with the business model retailers intend to operate. This means having more detailed and robust terms of use and terms of service that set out exactly what you, as a retailer, are giving up and what you are not giving up. It means telling users with some degree of specificity what they can and cannot do. Remember, though, that you will never be able to think of all the various forms of abuse and misuse people can engage in. So retailers should reserve the right to terminate or restrict access to anyone they believe is acting in a manner that is abusive or improper.

Retailers should also state that circumvention or attempted circumvention of access controls or limitations on access or use constitute either unauthorized access, attempted unauthorized access or exceeding authorized access to their systems or data. In addition, retailers should include some copyright language that restricts republishing or reuse of copyrighted data. All of this gives retailers the legal ability to enforce some restrictions. It’s like putting up a sign that says, “One lollipop per customer.” It’s not perfect, but it’s a start.

Next, of course, is to have a robust abuse monitoring program. Whether retailers are operating a Web site or a full on E-Commerce server, they need to keep tabs on the system and take appropriate action when abuse occurs. The Swartz case illustrates that people who want to abuse your network will take actions—sometimes extraordinary actions—to hide what they are doing. Indeed, if you wanted to re-create the entire JSTOR database in a way that would elude detection, you would simply add a browser plug-in to all JSTOR users’ computers that would take any document those users looked at (lawfully) and copy it into a new database.

Such a plug-in, called RECAP, already exists for users of Firefox who access the PACER system. Over time, all of the protected files are copied into an unprotected database, with activity that simply looks like normal activity. So instead of visiting the See’s Candies stand a thousand times, I get a thousand people to visit once each and then give me the lollipops. I quickly get my free boxes of lollipops.

Finally, online retailers must have a robust incident response plan or program. So, now that I see abuse, what do I do? How do I circumvent those who are trying to circumvent my access controls? Do I call the police? MIT itself is under withering criticism for the way the university attempted to protect its own networks and for the fact that it was cooperating with the FBI and the local U.S. Attorney’s Office. Responding properly to such an “incident” is a combination of law, technology, reputation management and uncommon sense.

Abuses will continue to occur. The key here is to detect and manage such abuse. And, oh, haven’t you already had three mocha lollipops?

If you disagree with me, I’ll see you in court, buddy. If you agree with me, however, I would love to hear from you.