Friday, October 27, 2017

Brief Survey of Blockchain Related Lawsuits

As noted in the article, we have yet to see much in the way of actual disputes over the technology itself, but instead we find your more run of the mill contract disputes wherein the contract was related to Blockchain (or, more likely, Bitcoin) performance.

While there isn't a lot here on the Smart Contract side of things, it is interesting to see how the public nature of blockchain based databases, as well as the strong consensus as to the veracity of the records, did come up in quite a few of the cases. 

If nothing else, hopefully blockchain will be able to lift the fog of fear surrounding electronic contracting and business. If we were dealing with standard hard currency, a victim of a fraudulent transfer will never be able to know where the money actually went and has almost no chance of recovery. In cases involving bitcoin, there is at least a public ledger that clearly documents the fraudulent transfer.

Thursday, April 20, 2017

Blockchain and Notarization

BTC Manager ran this terrible headline recently: Be Your own Notary with the new Blockchain Plugin for Microsoft 10. As someone who participates in the e-notary business and who finds blockchain an interesting new technology, I was pretty excited by this headline.

Well, it turns out this headline is pure clickbait and neither Microsoft nor any sort of blockchain based technology will allow you to be your own notary.

First and foremost, notarization isn't, in nearly all jurisdictions, something you can do for yourself. Generally, a notary is not allowed to notarize their own documents, they can only perform the service for someone else. Secondly, most states require a witness for the notarization. The article doesn't even come close to addressing either of these issues, and instead talks in the most general terms about forgery and authenticity.

Proving the authenticity of documents in court is actually easier than this article would have you believe. Documents are presumed authentic unless challenged, and usually such a challenge is based on the other party of the case presenting a competing document. Generally, though, simply walking into court with a piece of paper is all that is necessary, rather than worrying about whether your hashes match.

Sometimes, however, the actual original copy of the document does matter. In those cases, notarization often isn't even the way you prove an original - notarization is the way you prove that the signature is valid.

I'm not exactly sure what the real value is in using blockchain as an e-notary service, but I do think blockchain has a lot of potential for tracking authenticated original documents.

Friday, February 10, 2017

Arizona Bill Enabling Smart Contracts

This came up through CoinDesk (an excellent source which everyone reading this should also be reading) and interestingly uses very similar language to that of electronic signatures (a signature may not be deemed invalid simply because it is electronic).

Unpacking a little bit further, we see that a contract cannot be denied enforceability merely because it includes a smart contract term. Further down in the bill, the term Smart Contract is defined as "Smart Contract means an event-driven program, with state, that runs on a distributed, decentralized, shared and replicated ledger and that can take custody over and instruct transfer of assets on that ledger."

I like that we are starting to define Smart Contracts as they are (automated computer code) and getting away from the goofy notion that they are knowing beings that will put attorneys out of business. I'm a little more confused, though, by the use of the language "take custody over" in conjunction with "instruct transfer of assets on that ledger." One could argue that each time I enter into a casino I do the same - I can put my money in a machine, and agree that depending on the outcome of an event, my assets will be transfered accordingly with no further input or recourse by myself or the house. The main difference is that no slot machine is run by distributed ledger (that I'm aware of) and interestingly the slot machine generates its own outcome data, theoretically the blockchain does not.

For my part, I'll enjoy following this one as it moves through the legislative process and seeing what commentary arises. The full text of the bill is available through Scribd here.

Saturday, December 10, 2016

China to Require Companies to Publish Random Drop Rate Odds

A story has been circulating about China's recent move to begin regulating the way games display information about the drop rates of random loot. This PC Gamer article is a solid source of a summary, and if you want to read the original text it is available here.

I haven't been able to locate a full translation myself but the Google machine translation, plus the chatter floating around the internet, seems to make it clear that a blind box with random items that is available for a virtual currency must display the odds of the player obtaining each of the possible outcomes.

One interesting piece that I picked out is that this will require companies to record and provide actual data to show that the odds are the same as posted.

It will be interesting to see how granular the data must be. If cards are ranked common, rare, epic, and legendary, is displaying those percentages enough? How will the values be assessed? What is stopping a company from making a pool of 10,000 common cards, one of which is essential, and then saying you pull a common 50% of the time? Those odds sound good but really you are looking for the 1 in 10,000 from that 50%.

I'm also curious to see how the tension between virtual and real currency, as well as player selected vs. skill based awards plays out under this regulation. From what I can see from the machine translations, this is looking at cases where a player purchases a virtual currency with real currency and then is able to use that virtual currency to obtain items. But what if that virtual currency is available from in game actions? Additionally, will the extend to things like drop rates from monster kills? What if a game charges you $5 to fight a battle, and the monster can drop one of three possible items on defeat - does this require full explanation under this regulation?

Friday, August 12, 2016

Academic Approach to Smart Contract Language

Barclays and the University College London recently published this linked academic paper on Smart Contracts and the need for formalized language. Interestingly enough, it is a good step in the right direction, as it seeks to normalize the current tension between Smart Contracts as automated computer code with the legal notion of a Contract as a formal agreement. It is a tough read but worthwhile for anyone interested in the topic.

I'm still digesting it, but one thing that stands out is the call (which I have seen repeated elsewhere) for a standardization of "Smart Contract" language (in both code and the legal meaning) as a way forward. While this is great in theory, I think it also is a red herring in turning "Smart Contracts" into an everyday form of business.

In a traditional paper and ink world, contract terms have a level of standardization that has arisen out of practice, however much is also open to interpretation. Additionally, under U.S. law there is a significant body of case law surrounding the various negotiation power of a contract. Does each side have equal power to negotiate? Who drafted the actual words, even if both approved in the end? Is this a take it or leave it contract, or can the terms be negotiated?

This is where the movement to standardize Smart Contract terms breaks down - even if a group were to come up with defined, standardized terms to be used in all Smart Contracts, it would still be conditioned upon both parties agreeing to use those pre-defined terms and not either a) a different set of pre-defined terms or b) negotiating the terms from scratch. Right away, you have opened yourself up to potential litigation on the terms.

This in and of itself shouldn't be a roadblock to further development, but a good, readily available analogy is to compare this to website terms and conditions. A "Smart Contract" for trading crypto currency based on other pre-defined values could use the standardized Smart Contract terms promulgated by a party, but this is no different than agreeing to the jurisdiction under which the contract terms are interpreted. Essentially, you have layered an additional jurisdictional requirement over the contract.

It is refreshing to see experts working to solve some of the fundamental problems, and taking a somewhat academic approach to do so, but it is clear that issues still exist and Smart Contracts remain in the realm of Automated Computer Code.

Tuesday, July 12, 2016

Another Lawyer's Perspective on Smart Contracts (article and analysis)

Finally! An attorney who understands that "Smart Contract" is a terrible misnomer. This article about Smart Contracts by Selachii attorney Richard Howlett was refreshing to read, as I see so much written and discussed about Smart Contracts and how a few lines of computer code will revolutionize the world. Howlett makes insightful points regarding the difficulties faced with both complexity and grey areas in contracting. Complexity seems entirely solvable to me, it will just take time and effort to get there. I have no doubt that if Grand Theft Auto 5 can be coaxed into existence, someone can write a computer program that meets the complex needs of a contract.

The second issue, though, stems from what could be called the worst part of contracting - those grey areas. Howlett describes it as the "creativity and flexibility that can come only from real-life experience." This is true - contracts often are matters of interpretation and situational developments, and what works for one situation may not work for others. Ideally, though, a contract leaves no room for interpretation and has a definite answer for every situation. Whether this is possible or practical for human use, is another question, and strikes at why Smart Contracts as automated computer code leave some gaps between written agreements.

One area where I do disagree (at least slightly) with Howlett is in his objection surrounding the jurisdictional issues. He notes that there is no international internet law (a point I would somewhat dispute but that is a much larger discussion for another day) as well as the difficulties in selecting and determining the jurisdiction under which the contract will be interpreted. This is a standard clause (at least under an American legal theory) in every contract, and such a provision in contained in every click-thru license agreement. Jurisdictional provisions are in the terms associated with any payment processor, any online commercial transaction, and within the terms and conditions or acceptable use policies on any website. Why Howlett cannot imagine that a Smart Contract or Automated Computer Code couldn't (and wouldn't!) contain the same language is beyond me.

I'll grant him that even with jurisdictional language included, there remain significant legal challenges regarding choice of law, venue, interpretation, and enforcement.

Interestingly, he doesn't hit on my biggest concern regarding so called Smart Contracts or Automated Computer Code - the fact that they aren't in fact smart. A fundamental tenet of Contracts practice is that you do not waive your remedies in advance or by your failure to take a certain action. A smart contract, as commonly envisioned, does just this. A favorite example is for car rental - the idea being you use your blockchain identity to walk up to car, verify your identity, and then the "Smart Contract" automatically enables you to drive the car while charging you in accordance with the terms and conditions. In this scenario, let's say your payment method fails and the Smart Contract is set to revoke access to the car. Rather than the car rental agency having to send a breach notification, give you a time to cure, and then moving to restrict your further access without payment, instead the "Smart Contract" simply deducts what money it can from your account, stops the car, and says Have a Nice Day.

No where in this process can you challenge this under any circumstances until after the fact. There is no room for necessity (a chance to say, not be stranded in the middle of desert!), there is no chance to cure (by say, providing access to alternative forms of payment), there is no place for administrative errors to be corrected. In my view, this is a glaring oversight to calling automated computer code based on the blockchain Smart Contracts.

Sunday, April 15, 2012

.XXX Owner Attempting to Add .SEX, .PORN, and .ADULT to its Portfolio

Although this in and of itself is not a huge news story, I thought it provided some interesting commentary on possible uses of new gTLDs and business strategies. ICM, the registrar of .XXX, has announced bids for .ADULT, .SEX, and .PORN gTLDs, and presumably filed applications. (PCMag article here and marketwatch article here).

It remains to be seen whether or not they are able to obtain these registrations, as obvious adult related gTLDs will likely be seen as a potential opportunity for several potential registrars. More interesting is perhaps ICM's proposed use. ICM has stated that they will offer package deals for registering websites across all four adult domains, including the opportunity for other rights holders to block registrations across each with one fee and filing.

The first question is whether or not this is wise. The .XXX registrations have yet to set the internet aflame as adoption remains slow. Anecdotal evidence suggests the most profitable use has been blocking registrations by non-adult rights holders. Perhaps ICM simply believes that by obtaining as many top level domains that a rights holder would want to block is the most profitable approach, and thus the 'package deal' is simply to avoid the wrath of rights holders.

This registration also highlights another problem inherent in the gTLD process. ICM, one registrar, will potentially own four competing domain names. What, therefore, will ICM's liability be to trademark holders if it offers infringing registrations across its own holdings? Will the current safe harbor provisions be enough if the same company registers to the Hefner media empire, and then gives to a start-up competitor and to a cyber squatter?

Furthermore, one begins to wonder why so many top level domain names are needed, unless it is decided that each one represents a separate market. Although there are grandfathered exceptions, generally a registration of a trademark on .com is enough to prohibit a non-rights holder from registering it on .biz. Therefore, will each new gTLD simply be pre-filled with the same famous names that already exist?

These also have the potential to fully test the dispute procedures. These adult oriented names are likely to be applied for by others. Will ICM's current status as .XXX registrar help or hinder their chances? They can surely prove that they have the technical ability to operate a top level domain, but will they have to worry about antitrust regulators with their power over the adult domain name market?

Only time will tell on this one. It seems somehow fitting that, as per usual, a momentous development in the history of the Internet will be worked out by porn companies.

Thursday, April 5, 2012

In the Matter of Facebook, Inc.

In the Matter of Facebook, Inc. 2011 WL 6092532

Mark Zuckerberg sweating through that interview, pre FTC privacy case.
Facebook's privacy practices have been in the public's collective consciousness with  regularity after it was discovered that personal information was being shared with advertisers and other third parties. Compounding this was Facebook's then Byzantine privacy settings, which in theory provided users with control, but in practice either were ignored or used incorrectly.

Eventually the FTC investigated Facebook, and the two entered into a consent order late in 2011.

First, the Facebook agreed to not misrepresent any information concerning privacy or security settings of users, including a) the collection of information, b) the extent to which a consumer could control that information, c) the extent that information was sold to third parties, d) the steps Facebook had taken to verify the security of third parties with access to the information, e) the extent to which the information was available after an account was deleted and f) the extent to which Facebook complied with various government issued privacy guidelines.

Facebook was ordered to clearly state in a separate user agreement the privacy and information collection settings, and obtain users express consent before collecting any private information. Like the Twitter case, Facebook also was required to designate an employee and set up a monitoring and auditing program to assess the new privacy controls and features. Facebook is also required to submit reports to the FTC discussing the implementation and success of such a program.

Yet perhaps the most interesting is that Facebook was given 60 days to implement systems that would ensure private information could not be accessed by any third parties within 30 days of a user deleted his or her account. Facebook, as well as other websites that accept user submitted content, have always warned that deleted information may remain on their servers for sometime. This has to do with the way the data is stored across multiple servers. Even Facebook was upfront about this when they first began introducing photo sharing. Even if the link on a Facebook page is deleted, users can still access photos by entering the direct address until Facebook's servers purge the information. It stands to reason that a third party could do the same.

Since Facebook agreed to this consent order, they must have a method for implementing this requirement. This is good news for users who decide to remove information. Ideally, it would instantly be inaccessible to a third party, but even within the 30 day time limit is an extra level of assurance. It should still be noted that this doesn't necessarily mean Facebook cannot access the information, but it is a step in the right direction.

Saturday, March 31, 2012

Point-Counterpoint: gTLDs Will NOT Become a Haven for Cybersquatters

Since first learning of the new gTLD program, I have been trying to determine a way for cybersquatting a gTLD to make sense. This is of course the first reaction of every commentator (check IPwatchdog’s coverage here for an example). ICANN comes back with mentions of steps to address this, but they generally ring hollow as descriptions of procedural steps that most do not trust the company to fairly or accurately enforce.

My take, from the beginning, has been that cybersquatting will not be a major issue in the new gTLD period.

1. The cost alone is prohibitive

ICANN requires a $185,000 application fee. This alone should deter almost any cybersquatter. Even at the height of the domain name speculation frenzy, I cannot recall transfers going for such high amounts. A cybersquatter would need to know that she could either generate this in sales through further registrations, or generate a lot of ad revenue.

The $185,000, however, is not the full cost. Operation of a gTLD will cost a minimum of $25,000 per year, although ICANN urges potential registrants to expect close to $100,000. For most, it will require a subcontractor to administer the domain. Cybersquatters tend to be opportunistic, looking for possible typos or search engine friendly variants that can be cheaply registered, monetized for a few months, and then cheaply dumped when the rights holder takes action.

2. The objection procedures are adequate

ICANN has developed some objection procedures (see my coverage here) to address potential cybersquatting (or other misuse). The legal rights objection follows basic trademark and UDRP theories for preventing potential cybersquatting dispute. The application period requires a background check into previous domain name registrations for evidence of cybersquatting. The registrations can only be pursued by individuals or companies in good standing.

On their own, these procedures might not be enough. Coupled with the high barriers to entry, I think they will generally prove adequate.

The biggest concerns with the objection procedures are the inherent and existing problems with UDRP proceedings. Reviews of cases have shown evidence of copying and pasting decisions (including in egregious examples the wrong domains!), the inherent bias in that the objector brings the proceeding, and therefore the fee, the inadequacy in number and training of the expert panelists, and the brevity of the proceedings. A company which has invested $185,000 plus could lose their entire application (and fee) over a proceeding where the entire filing needed to be less than 5,000 words or 20 pages.

3. History indicates this will not lead to a dramatic increase in cybersquatting

If nothing else, the gTLD period is highly unlikely to suddenly diverge from the history of adding top level domains and create an explosion of cybersquatting. Top level domains are added from time to time in the regular course of ICANN’s business, and each time there is potential cybersquatting issues. .xxx was recently heralded as the beginning of a long fight for legitimate interests to root out their porn cybersquatters. Instead, most pre-registered their domains and simply redirected them, otherwise the problems seem to mostly be between various companies fighting within the .xxx space. When Tuvalu was granted its own ccTLD of .TV, there was promise of a great new webspace for televisions websites. And yet today, .TV is almost unheard of.

Even if a cybersquatter is able to grab a .brand gTLD, it will still require users to actually type that address into their browser. All signs point to .com continuing as the default. Thus, cybersquatters will be forced to pay for advertising on top of the other fees to make a profit.

Next post, I will do a counter-point with the potential ways a cybersquatter COULD take advantage of a gTLD.

Tuesday, March 27, 2012

Behind the Headlines: Can Facebook Trademark "Book" in the User Agreement?

Recently, there has been a series of headlines proclaiming that Facebook is attempting to trademark the word “book” by placing it in the Statement of Rights and Responsibilities (pretty much the Terms of Service). The exact language reads as follows:
“You will not use our copyrights or trademarks (including Facebook, the Facebook and F Logos, FB, Face, Poke, Book and Wall), or any confusingly similar marks, except as expressly permitted by our Brand Usage Guidelines or with our prior written permission.”
As pointed out by Wired and the other sources covering this, there really is no way to use Facebook without accepting these terms. Therefore, the articles posit, Facebook must be gaining control over the word book! Wired even quotes a University of Minnesota Law Professor stating that trademark rights are about use, not registration.
While this is all true, the actual way this functions is much more complex. True, trademark rights are built around use. Facebook controls some of this, by using the same logos and phrases they become associated with the product, and thus trademarks. However, obviously letting a company gain trademark rights simply through use is self-serving. The other piece is that a trademark gains strength through secondary meaning, or when the public at large begins to associate the mark with the company.
Thus, as some of the articles hint at, by making users agree that “book” is a trademark of Facebook, it does strengthen Facebook’s rights. Trademark disputes almost always contain evidence of “fame” which literally means how famous or well known a mark is. This can be demonstrated through sales, advertising, and often simply market research consumer surveys. Theoretically, Facebook could argue in the future, everyone who uses our site (in other words almost everyone who has internet access) agrees that book is our trademark.
The problem, however, is that it is unlikely that a term buried in the agreement will make much of an impression on consumers. You could probably ask 100 consumers what Facebook protects in their Rights and Responsibilities, and it is likely that none of them will be very accurate. Simply placing this language in the Terms is not going to get Facebook a trademark.
The real strength is slightly more sinister. When news outlets, including Wired and NBC, ZDnet, and Entertainment Weekly cover it, more and more people become aware of it. In fact, even non-Facebook users are probably aware of this, simply from reading the headline. Worse still, it could be possible for many readers to see the headline “Facebook making trademark claim on word ‘book’” (direct quote from Entertainment Weekly). Now, if we go back to that hypothetical survey of the general public, when asked what Facebook’s trademark terms are, users may say “Oh, book!” thinking back on these articles. Evidence which Facebook could then assert against others, and which may have some weight.
And that, my friends, is the true genius behind this move. Facebook knows that people watch its legal terms for evidence of privacy abuses or other sliminess, and also that the traditional arguments for a trademark of the term “book” are incredibly difficult. Instead, Facebook has taken advantage of this, and used it to their advantage.

Saturday, March 24, 2012

NYC to Register .NYC gTLD

New York City has formally stepped forward and announced their intention to register a .nyc gTLD with ICANN. (Read articles here and here.) Although the official confirmation is welcome, this cannot be called a complete surprise.

New York has wisely decided to use an existing registry operator to administer the domain. This is also a predictable step. The costs, both financial and technical, with administering a gTLD are considerable. In fact, I would fathom that there is no way New York could muster the technical strength during the application period without sub contracting to an existing registry operator.

New York City has also given some guidance on what they plan to do with their gTLD, stating that businesses and users will have to show “a substantial and lawful connection” with the city or (according to an unquoted article) a “nexus” to the city.

Obviously, the difficulty then becomes how to define such a connection. Lawful seems clearly designed as an excuse to root out cybersquatters (and I suppose operators of unlawful, but New York City based businesses. We will have to wait for, but what is “substantial?” Does it mean a physical address? Within the five boroughs?  What if I am just outside the city limits? Also, isn’t requiring a physical address counter-intuitive to an internet based initiative? If I want to have, am I forced to surrender it when I have children and move to the suburbs?

The second issue is even more interesting (at least to me): under what scheme will these rights be handled? A web address is almost a property right, a location over which the owner has the right to exclude others from. Will New York City use existing real property law? Will registry operator Neustar get to decide? Will New York City set up an administrative code to decide?

The obvious answer is to simply let current law, including WIPO and UDRP procedures, control. The danger with this path is that it does not clearly provide authorization for domain name seizures.

This announcement is not all doom and gloom, however. Imagine if the city undertook an initiative to give resident’s virtual addresses corresponding to their physical address. I could have an email address that was the same as my mailing address, reducing reliance on the slower and more costly physical mail systems. There are some interesting possibilities. Will advertising be equally expensive on as it is at the real location?

Wednesday, March 21, 2012

What Happens to Companies that Get Hacked?

As our world continues to grow more connected and more of our services move online, a host of new problems have developed. One such problem is hacking, or compromising otherwise secure networks. Interestingly, hacking can take several forms. It may have a criminal elements, such as attempting to gain access to financial records, or hacking to disrupt essential computer systems. It may be designed to embarrass and humiliate, such as hacking social networks for private photos or to send inappropriate messages from a user's account. It may also be used as a form of guerrilla protest, or an attempt to vandalise.

Hacking now receives significant media coverage, as mainstream networks have covered the "lulzsec" and "anon" activities. Even the Sony PlayStation Network scandal was well publicized, even though it was contained within the PS3 network. The coverage drops, however, once the system has been restored, but what actually happens to the users who are hacked?

One possible remedy is an FTC case. According to the stipulated facts, on January 4, 2009, a brute force password guessing program was able to break into a Twitter users administrative account. Once accomplished, the hacker had access to every Twitter users profile, account settings, and both protected and public Tweets. This user, among other things, sent messages from Barack Obama's account offering free gasoline cards.

Disabling webcams doesn't have the same criminal panache as a good ol' fashioned ski mask.
On April 27, 2009, it happened again, when a hacker was able to break into a Twitter users personal email account (Twitter had a policy of not providing employees with work email accounts, and instead encouraged them to use a personal one). This time, the hacker went a reset the passwords of several users, and accessed private accounts.

The FTC challenged Twitter on two counts, the first that Twitter represented that it had taken reasonable security steps to protect information when it had in fact not, and that it represented to users that it would honor the privacy of a users settings.

The FTC entered into a consented order with Twitter to resolve the case (as expected). The settlement included several very specific steps Twitter must take to ensure compliance.

The first was to designate an employee or employees to be responsible for Twitter's information security plan.

The second was to identify reasonably foreseeable risks, both internal and external, that could create risk of intrusion. These risks included the areas of employee training and management, information systems including network and software design, and prevention, detection, and response to attacks. Twitter was also required to design and implement a plan to address these risks.

There also was a separate sub paragraph directing Twitter to maintain the privacy of user information, not just from outside sources but also internally. The FTC gave an outline of possible sources of verification and testing of the security and correctness of these implementations.

This agreement gave Twitter 60 days to implement the agreement, which was slated to last for 20 years.

There are a few takeaways from this case. First, you clearly do not want to FTC to have reason to issue such a complaint against your company. As a part of this agreement, Twitter does have some strict and onerous requirements. However, the order also makes it clear that Twitter had incredibly lax security policies. The cracked password was a short, all lowercase, dictionary word that was guessed by a brute force program, that simply guessed basic words, submitted them, and then tried again. The FTC noted also that Twitter did not have a policy of expiring passwords, of assessing password strength, or even of locking out users from repeatedly guessing.

Secondly, it appears that Twitter opened itself up to some liability in the realm of privacy. The FTC noted that Twitter repeatedly asserted that direct messages and protected tweets were private, when in fact every single Twitter employee had access to them. Although not explicitly stated, it does appear that if Twitter had disclosed that employees could access private user content, there would have not been a case.

Tuesday, March 20, 2012

gTLDs and Property Rights: Legal Rights Objection

With the opening of the top level domain space, ICANN and the Internet community face a potential wave of new infringers and cybersquatters. ICANN has openly discussed the possible issues, and has put forth a procedure for addressing them. The gTLD Applicant Handbook describes the “Legal Rights Objection” as the best remedy for a proposed gTLD that infringes an existing legal right.

ICANN contemplates several possible standards that are very similar to trademark law. The applied for string may not take “unfair advantage of the distinctive character or the reputation” of an established mark. A second impermissible use is one that “unjustifiably impairs the distinctive character or the reputation” of the existing mark or name. Finally, the proposed string must not “otherwise create[] an impermissible likelihood of confusion” between the applied for string and the existing mark.

The existing legal right is proposed to exist in either a registered or unregistered service mark. Despite using language generally consistent with trademark principles, there are other legal rights contemplated. For example, very specific language describes the possibility of an IGO organization’s name or acronym as an existing legal right which new gTLDs must stay clear of. Although generally an IGO should register for rights in the various locations that it operates, ICANN specifically calls them out. Perhaps this is ICANN’s attempt to recognize the completely international nature of the internet domain space.

Interestingly, ICANN describes separate standards for evaluating a legal rights objection based on trademark rights or an existing IGO. There are eight non-exclusive factors for evaluating an objection based on trademark rights.

The first is whether the applied-for gTLD is identical or similar to the legal rights objector’s mark. This can include in appearance, phonetic sound, or meaning.

The second is whether the objector’s acquisition and use of rights in the mark has been bona fide. This rule seems to be contemplating the possibility of a “reverse troll,” that is a case where the applicant is a bona fide user, and the objector is a holder of a trademark for reasons other than legitimate use. An interesting issue that may arise are situations where both the objector and the applicant lack bona fide rights to the particular mark.

The third factor is a single lengthy sentence; “Whether and to what extent there is recognition in the relevant sector of the public of the sign corresponding to the gTLD, as the mark of the objector, of the applicant or of a third party.”  The “public recognition” may be a fame or secondary meaning analysis; however it is important to note that the “relevant sector” of the public must be considered. It is unclear if this is similar to a “channels of trade” determination or if there are other divisions. Could a trademark holder without a significant online presence be blocked from challenging an otherwise infringing gTLD string because the “relevant sector” includes only internet users?

The fourth factor considers the applicant’s intent in pursuing the registration. This is further defined by sub-factors. The first is whether the applicant had knowledge of, or “could not have been reasonably unaware of,” the objectors existing mark. The second is whether the applicant has previously engaged in registering or operating confusingly similar domain names. ICANN has clearly considered the possibility of various opportunistic possible registrations, including those that are fundamentally infringing or in bad faith. However, ICANN has also chosen to include a knowledge requirement.

ICANN has instructed dispute resolution providers to consider the extent the applicant has prior use with the mark, which can also be proven through “demonstrable preparation to use” the mark with goods or services “in a way that does not interfere with the legitimate exercise by the objector.” This factor would give weight to co-existing marks or previous settlement agreements. However, this could spell trouble for licensors who have given licensees permissions to use the licensor’s mark.

The sixth factor is to consider the applicant’s other intellectual property rights in the same sign or mark, and again, if those rights were acquired bona fide. This inquiry should extend to one question further, however, and also consider whether the use of the gTLD will be consistent with the applicant’s other intellectual property rights in the mark.

The seventh factor succinctly asks “to what extent the applicant has been commonly known by the sigh corresponding to the gTLD” and if the planned use of the gTLD will be consistent with this prior use.

The eighth and final factor asks if the applicant’s “intended use of the gTLD would create a likelihood of confusion with the objector’s mark as to the source, sponsorship, affiliation, or endorsement of the gTLD.” This has the potential to be a powerful tool for objectors who desire to block a similar gTLD registration. The applicant could have full rights to the mark, be using the mark in bona fide good faith, and could otherwise not be infringing in any way on the objector’s mark, but the objector could still make a strong case for the disallowance of the gTLD.

It is important to remember that the legal rights objection process has an important distinction from the string contention process. String contention (covered here) is designed to resolve disputes between competing interests where each party is attempting to register a gTLD. With the legal dispute process, an objector would be likely attempting to block a gTLD registration without filing their own or filing their own but under a different mark.

This perhaps may be the best evidence of ICANN’s good faith in opening the gTLD space for registration. While each new gTLD operator will provide significant financial compensation for ICANN, as well as furthering ICANN’s stated goals of access and openness, the legal rights objection could actually stop both of these from occurring. A strong objector could theoretically close down a variety of potential gTLDs if they already had a strong enough mark.

Sunday, March 18, 2012

Are Google Keywords Protectable?

Mary Kay, Inc., v. Amy L. Weber
601 F.Supp.2d 839

This case answers the age old question, “When is a touch of pink a touch too much?”

Mary Kay is a distributor and wholesaler of cosmetics. Mary Kay relies primarily on a network of independent sales representatives to sell the products to consumers. In Mary Kay parlance, they are Independent Beauty Consultants (“IBCs”) and the top one each year gets a special pink Cadillac as a reward (Fun fact: This is the only example of a custom color created by Cadillac). At the time Defendant Ms. Weber was involved, Mary Kay simply sold the products to the IBC, who then disbursed with them as she saw fit. Mary Kay had no influence over the price or methods, but did require each IBC to order at least $200 worth of product each month.

Ms. Weber appears to have done this for some time, but eventually stopped placing orders. To dispose of her leftovers, she began selling on eBay. Ms. Weber found a ready market, and began buying and selling Mary Kay products through eBay, eventually setting up her own eBay store, “marykay1stop.” When marykay1stop came to the attention of Mary Kay, legal letters were exchanged, culminating in a conversation with a paralegal at Mary Kay. As a result, Ms. Weber changed the name of her store to Touch of Pink and registered

Doubt Ms. Weber will be driving one of these anytime soon.
Ms. Weber asserted fair use as an affirmative defense. After a look at the relevant case law, the court found that using a trademarked name to attract search results is protected through fair use. The court noted, citing a law review article, that Internet search engines would be rendered useless if sellers were not allowed to include trademark names as search terms. Fairly describing a cosmetic as Mary Kay brand is an accurate description that enables users to find what they are looking for. This was held despite the fact that Ms. Weber had purchased 79 Google keywords relating to Mary Kay at a cost of $20,000 per month.

The court did note that even if the fair use defense was available to the defendants, there was still a likelihood of confusion analysis. The court used the “digits of confusion” test, including the following seven factors, reviewed in turn.

1) The type of the mark allegedly infringed and 2) the similarity of the two marks: The court found these to be nearly identical.

3)The similarity of the products or services: Again, they are nearly identical.

4)The identity of the retail outlets and purchasers: Neither had retail outlets, but both sold to individuals interested in Mary Kay cosmetics. Although Mary Kay sells through IBCs, they also make products available directly through their website.

5)The identity of the advertising media used: Both use Internet based advertising, including Google.

6)The defendant’s intent: The court looked to the disclaimer stating that there was no relationship between the Weber site and Mary Kay. The court noted that it was hidden on the bottom of the About page, and furthermore that such disclaimers do not carry evidentiary weight if they are confusing or not prominently displayed. Overall, the court found this factor to weigh neither for nor against confusion.

7) Any evidence of actual confusion: There was evidence of at least one customer of Ms. Weber contacting Mary Kay customer service, as well as a market research survey conducted by Mark Kay. There were evidentiary issues which mostly discounted the survey, but overall the court found evidence weighing in favor of confusion.

Weighing these seven factors, the court found that there was a genuine issue of material fact as to confusion, and based on this, denied summary judgment for defendant Weber.

This case contained a careful analysis of Internet business principles. The court was able to draw distinctions between print and online advertising, and also thoughtfully understood the use of trade names as search engine identifiers. It appears that this was the last time this case was before a judge, so we unfortunately do not get to read the dramatic conclusion.

Thursday, March 15, 2012

Subpoenas Issued for Twitter Accounts

Apparently New York prosecutors are issuing subpoenas for the Twitter accounts of Occupy Wall Street protestors. Although this is generally outside the scope of this blog, it is interesting to note the new role of the Internet in legal proceedings. It appears that prosecutors are looking towards the tweets as evidence of knowledge of the illegality of the protestor's actions.

The protester mentions in the article that all of his tweets are public, and still posted. He suggests that this negates the need for a subpoena. However, courts have previously held that publicly available information  that tends to suggest the possible existence of private information is discoverable in civil cases.

Wednesday, March 14, 2012

gTLDs and Property Rights: String Confusion

ICANN's Applicant Guidebook (Jan. 2012 revision available here) lists several objections to proposed gTLD domain names. One such possible objection is string confusion. The string confusion objection is designed to prevent similar top level domains from registering, resulting in confusion. ICANN has established that “string confusion exists where a string so closely resembles another that it is likely to deceive or cause confusion” and that “it must be probable, not merely possible that confusion will arise in the mind of the average, reasonable Internet user.” ICANN's Applicant Guidebook, 3-18. ICANN further clarifies, “Mere association, in the sense that the string brings another string to mind, is insufficient to find a likelihood of confusion.” Id.

Despite using language similar to the likelihood of confusion standard from trademark law, the string confusion objection as contemplated by ICANN is designed to protect against a uniquely Internet issue. Computers can read any variation in domains as unique, but humans are more likely to confuse them if they share similarities in pronunciation or appearance. Therefore, while the website "www.lawschoolrulez.adobodobanana" is located at a completely distinct and separate address as "www.lawschoolrulez.adododobanana," most users (read: humans) would struggle mightily with even appreciating the distinctions.

ICANN further notes that “mere association” between two proposed strings, or a string which “brings another string to mind,” are both insufficient grounds for a string confusion objection. Applicant Guidebook, 3-18. Again, this is because a string confusion objection is not a trademark remedy. It is uniquely related to our own inability to perceive small variations in complicated, unfamiliar character strings.

In the far flung future, when our machine overlords download their history into their mechanical offspring, I hope they cite this article as evidence of our inferiority.