There was some timely and topical information in the iTechLaw session on Current Issues in Online Marketing, and my notes follow. I'm just capturing the highlights here, and have inserted an aside or two in brackets.

David Bender, Online Marketing and Privacy

Privacy can be a strong marketing issue. Recommends an article by Martha Rogers and Don Peppers, called Return on Customer. Privacy is an important means to build customer trust and cut down customer "churn." Also references an article from the Ponemon Institute. Purpose of the survey was to determine the perceptions of people who received security breach notices, occasioned by losses of data or network security holes. The survey sought the reactions of those who learn their data may have been compromised. The survey revealed that 19% of recipients had or would terminate their relationship with the company, 40% were considering termination, 58% lost confidence in the company. 52% thought the notice was confusing/ineffective (email, customers assumed it was spam; phone, assumed it was telemarketing; mail, assumed it was junk). 36% thought the potential injury wasn't properly explained, 41% believed the company was holding back information, 5% had retained lawyers to seek recourse. Emphasizes the importance of avoiding these situations through proper security. If one of these situations does somehow nevertheless come up, you have to make the communications timely. Only one good reason for any delay: you may be required to wait by a law enforcement agency in order to investigate the facts. The communication has to get across the fact it's an important message and not junk mail. You have to consider how much it is worth to you as a business to retain your customers when choosing the means of communication. Companies who used a form letter/email were more than 3 times as likely to lose the customer than those who drafted personal messages. It has to be comprehensible. It has to explain what types of information has been compromised, to whom, and what kind of injury is likely to result. Think about providing extras, such as free credit monitoring and a toll-free hotline. Key point: 12% of respondents to the survey said their confidence in the organization increased when their perception was the situation had been handled properly.

Better to prevent something from happening, but there are good ways and bad ways to deal with the situation and it can make a big difference in what a company's customer base will look like after the event.

Jay T. Westermeier on Liabilities of Search Engines in Key Word Advertising

Jay thinks this is one of the more exciting topics addressed at the conference. The whole field of Internet advertising is balooning; by 2010 it's expected that $55 billion will be spent on online advertising worldwide. Keyword advertising is the biggest component. The legal battle with respect to the use of trademarks as keyword triggers is one of the major issues in the law today. To review, keyword advertising = the ability to link ads to particular search terms. Adword programs are a little different, but still based on context and trigger terms, and potentially trademarks as trigger terms. Jay did some sample Google searches for Motorola, Dell, and Microsoft, demonstrated how advertisers are using the search term/trademarks to link ads to searches. Google and Yahoo have different policies concerning trademarks as search terms.

Playboy v. Netscape involved Netscape's and Excite's use of "Playboy" as keywords triggering delivery of ads. Court (9th Circuit) found there was enough evidence of initial interest confusion to grant a preliminary judgment. The evidence was focused on the ads, that were not well marked and it was difficult to tell the ads weren't actually associated with Playboy. We never got a precedential decision out of this; the case settled.

In the 2nd Circuit, SaveNow software used the "1-800 Contacts" mark, and there were pop-up ads related to user activities. But the ads weren't publicly available (displayed only in client software), so no confusion.

Geico v. Google: Geico failed to meet its burden on likelihood of confusion. Recent Merck case involved ZOCOR mark, and in Edina Realty case, use of the search term was a use in commerce and violation of Lanham act. Wells Fargo and WhenU cases (earlier); no infringement. Pure machine linking function. Laptraveler case: postdomain use of mark not infringement (i.e., something.com/laptraveler).

Yahoo no longer allows bidding on keywords containing competitor trademarks. Implementation will be interesting/a challenge. This issue is a dilemma and cries out for trying to reach a balance between trademark owners and advertisers. Have to retain goodwill and quality associates with the mark, have to also let the business of Web search and the enormous and growing advertising economic market go forward.

Matt Gold of the FTC, on the Role of the FTC in Online Marketing

Views expressed here are his own, not the FTC's. FTC receives about 200,000 online fraud complaints/year. Largely involve offline problems that have just migrated online. "Old wine in a new bottle." In 1997, FTC concluded that the problems of the Internet were the same problems seen in the offline world, though the Internet could amplify the problems (pyramid schemes, etc.). Those conclusions still bear out today. Recent cases have involved miracle cures and online opportunities, for example. In the late '90s though, other sorts of problems started cropping up, started seeing new things unique to the online world such as modem hijacking (long distance calls), pagejacking (tricking visitors onto sites they didn't intend to visit), and mousetrapping (disabling the back button, not letting a visitor out).

The FTC has an Internet lab in Washington, D.C., set up apart from its computer network. They also have "virgin" computers there, can test programs suspected of spreading spyware or other wrongdoing. The FTC does education by participating in consumer.gov, enabling people to find information from various government agencies based on subject matter. Dot Com Disclosures is relevant info for companies. The FTC also has created about a dozen fake ads online. One is for a phony product called NordiCaLite. The person who clicks through learns, courtesy of the FTC, they could get scammed by responding to an ad like this. [Someone must have found and aggregated all these, yes?]

Spyware: slippery definitional issues, but it has to be something that installs without consent and can cause harm (changing home page; degrading performance; loss of Internet access, modification of system files, etc.) The FTC uses its Section 5 (general) authority to regulate, which means they must prove it unfair or deceptive. Generally the FTC uses the unfairness prong. FTC v. Seismic Entertainment Productions, Inc. is an example. Changed default search engine, installed adware, both charged as unfair practices by the FTC. Spyware also generated ads for a product that allegedly would remove the spyware (but of course didn't work). Case filed in New Hampshire, ongoing.

FTC v. Odysseus Marketing Inc. Kazanon installs additional programs (in addition to itself). There was a disclosure, "the typical EULA, very very long," and the FTC asserted this did not constitute adequate disclosure. Showed screen shots of comparative Google searches, Kazanon kept the look and feel, but changed all the sponsored links that displayed.

Françoise Gilbert on SPAM and Compliance Issues

Marketing channels take many facets, need to consider mail, fax, mail, wireless, as well as email spam. [Let's not forget doorknob spam.] CAN SPAM Act: focuses more on commercial email, the primary purpose of the message dictates whether it's commercial. If so, it can contain no false or misleading messages, there must be an opt-out, the opt-out must work and be implemented within 10 days. There can be aggravated violations of the Act by using tricks such as creating multiple email accounts or harvesting addresses. Enforced by FTC and state attorneys general. Recent cases have focused on people negligent in their implementation of the Act, basic requirements not satisfied. The size of the penalties have been large: Jumpstart $900,000, Optin: $2.4 million. Much bigger than the penalties imposed under earlier laws. Important to get across to companies that the risks associated with violations is very high.

Compliance: it's important to implement procedures. There should be a CAN-SPAM compliant email marketing policy, privacy policies, document retention policies. Policies should be simple and easy to implement, but should take into account there are a number of gray areas where decisions should be left to legal rather than an aggressive marketing staff. There's a provision in the CAN SPAM act allowing for opt-out to be more granular and have a menu of options; this can be an affirmative marketing tool and should not be ignored.

Datran Media LLC case, prosecuted by the NY state attorney general's office. Datran purchased address lists but didn't do proper due diligence as to origins, addresses came from sites who had told customers their information would not be sold. Holding: a written warranty or representation can't be relied on, the purchaser of such lists must independently review, investigate, and confirm the information was legally obtained.

Subcontractors: companies who delegate their advertising and outreach to third parties should have provisions in their service agreement about proper due diligence and compliance with anti-spam laws.

Must consider consequences of anti-spam compliance in connection with M & A as well. Need to consider whether transferring customer databases is prohibited by CAN SPAM, for example. There's an exception for customers who provided affirmative consent to transfer when originally supplying the information. Past violations may accrue to acquiring company and should be taken into account. Think too about consequences of merging databases and differences in policies toward interacting with customers: can policies of a small company be required to alter the policies of a large/global acquiring company? It's possible.

David Schellhase (Senior VP and GC, salesforce.com) on Legal Issues in the Online Service Subscription Model

Comments are David's views and not those of salesforce. Also, he's not aware of any reported decisions significantly related to this new and still developing business model (i.e., selling software as a service). There are both legal and commercial issues around software as a service, and commercial issues that are disguised as legal issues. Salesforce does software on demand and Web delivery. The identity of the entity delivering your applications and functionality is the primary difference from old software delivery models. Companies outsource and/or supplement their IT departments by using salesforce. Subscription terms can be long or short term. Again, old wine in a new bottle. The kind of agreement you sign looks a lot like a traditional enterprise software license, with some new twists. The issues that come up in customer negotiations are mostly commercial, not legal. But there are legal issues such as privacy and data protection, limitation of liability, warranty, policing behavior of customers and users (indemnities sometimes important). Privacy and data protection: the data on salesforce's service comes from all over the world, and winds up replicating data of international companies on servers in the U.S. EU privacy considerations, customers concerned about privacy concerns and exposure of data to U.S. government, potentially. Salesforce tells customers it will comply with properly issued subpenas, so they're on notice. Limitation of liability: salesforce does this by contract, has customers indemnify against third party claims. The customer has a similar problem going in salesforce's direction (gives up control of data management, etc.) Limit salesforce uses is 1.5 times a customer's annual fee. Warranties: look like most enterprise software warranties, the service will work in accordance with the documentation. What gets warranted though is a moving target. Policing customer behavior: there is some element of monitoring that goes on. Salesforce monitors a customer's use of the system, but not the data itself. User identity issues: is a user on the U.S. denied parties list? From an embargoed country? Difficult points in the customer agreement are indemnities, confidentiality. Service level agreements: online software providers frequently asked to give assurances that the service will be available for some limited number of hours daily or monthly. Oracle learned six years ago that just offering money back if not delighted is not enough. Disaster recovery: industry is still evolving standards as to what constitutes an acceptable amount of downtime and when a customer is brought back up. Getting data out at the end of the relationship must be dealt with. Future directions: there's no much regulation here yet, but David anticipates there will be. Salesforce anticipates it will do $450 million this year. Thinks that service level agreements will slowly go away and service providers will be perceived as a utility with similar expectations on the parts of all involved. [See Google: gmail, calendar, gtalk, etc.]

[Technorati tags: itechlaw, online marketing]

(Continued blogging of the iTechLaw Open Source Software panel, after a mid-morning break). Chris Nadan (Director, Software Legal/Associate GC, Sun) is up next. Impossible to know what will exactly will constitute a "distribution" under the GPL. The Free Software Foundation has a broad reading of the term; there's no guarantee that just because you're an end user you're not engaged in some form of "distribution" as the term is used in the license; words like "distribute" and "derived from" as used by lay developers should be interpreted consistently with the way they have been under copyright law, but there's no way to know for certain that they will be. (This is relevant because if you're "distributing" the licensed work in some way, you also have to make the source available under GPL.) Nadan says it's a myth that the GPL only affects "derivative" works. Professor Nimmer thinks of the derivative work as the work that has both the new (GPL) and old code in it. There's alot of case law that says just because software is copyrightable doesn't mean every line of code is copyrightable expression. Stephen Davidson adds that if you add the right two lines of GPL code to a much larger thing, the whole thing may become derivative.

Steve Mutkoski had an aside about the collision of mindsets between engineers, for whom ones and ones and zeros are zeros, and lawyers, whose definition of one can change to zero at any time and vice versa.

Sherman Chu (Director, Technology Licensing, Cisco) spoke next on developer best practices. It's best to think about open source as a software quality issue. In connection with acquisitions, though you might require representations and warranties of a company being acquired, as a practical matter they don't do much for you. Case study: Cisco and Linksys. Linksys acquired about three years ago by Cisco. Some Linksys products were OEMed from a company in Taiwan, and there was yet another level of derivation; Cisco was three levels removed. Yet, there was "open source contamination" in the code, and as a result Cisco was demanded to release the source code; didn't even have the source code. Because of the relative unimportance of the particular product, it wound up not being a big IP issue for Cisco, but the situation might have been otherwise and this is a cautionary tale. Even so, it was a bad PR and an unnecessary distraction. Sherman and Cisco follow a similar due diligence process in hope of avoiding these kinds of situations as the one Steve Mutkoski described for Microsoft. Due to the slippery nature of the issues involved, training becomes key; the message has to be broadly communicated. You also have to build processes to scale. Engineers just aren't going to come to a lawyer on open source issues if they think it'll take two weeks to get an answer. Cisco automates the approval process. Another tip is to get to know your organization's open source gurus, they're an invaluable resource as to how the community is likely to respond. Along these lines, it not just about the law. Community norms and actions can have just as big an impact (or bigger) than legal actions.

Closing out the session was Todd Nelson (Vice President of Legal and General Counsel for Fortinet) on the draft, in process v3.0 of the GPL. Trick is to keep proprietary bits proprietary and open bits open. The Free Software Foundation take on v3.0 is that it's not really a change but really the appropriate interpretation of v2.0, so the draft out for comment is at minimum instructive on the Foundation's take on 2.0. Discussion of the very different views of the GPL adopted by Richard Stallman and Linus Torvalds (who released Linux under 2.0 but has said he's unwilling to release it under 3.0). Key new thinks in 3.0 are the DRM exclusion and patent retaliation provision. Steve Mutkoski observes that 3.0 seems to be routing around the dispute about what's a derivative work. Todd Nelson responds that what 3.0 does is take a sledgehammer approach with a very broad definition. Under 3.0, DRM refers to anything that restricts your use, not just copy restrictions. Anything used to enforcde pre-defined policies controlling access. Upshot is that if anything contains GPL licensed materials all the DRM keys (as DRM just defined) must be provided. Todd had to unfortunately rush through alot of his material because they ran over time, and with that, we're breaking for lunch.

[Technorati tags: itechlaw, open source]

I'm here at iTechLaw, speaking later today on blogs+ip, sitting in now on the Open Source Software panel, and hey! There's Professor Nimmer who spoke a couple of weeks ago at the Blog Law and Blogging for Lawyers conferece. Moderating is Stephen Davidson, and rounding out the panel are Steve Mutkoski (Senior Attorney, IP & licensing, Microsoft), Chris Nadan (Director, Software Legal/Associate GC, Sun), Sherman Chu (Director, Technology Licensing, Cisco), and Todd Nelson (Vice President of Legal and General Counsel for Fortinet). I'm not going to attempt to blog this in any verbatim way but instead am posting highlights. (Some anecdotal ambient observations: good wifi; no powerstrips, have to negotiate for wall jacks; hardly any Macs, low laptop:attendee ratio overall; of the roughly 80 people in this room, maybe 5 are women. Lotsa suits; the panelists are among the most dressed down people in the room.)

The group as a whole discussed general open source licensing considerations to kick things off, mostly focusing on how many different kinds of "open" licenses are now out there. There are at least 400 varieties, and it's an instant political misstep to call something "open source" that is open in many ways but does not allow unlimited modification of the work.

Professor Nimmer spoke next about whether and when licenses become contracts. Points out that licenses are just pieces of paper (or other forms of text...). A contract doesn't form until it becomes a bilateral arrangement with accompanying obligations. Whether a license becomes a contract will have much to do with whether it will be enforceable and durable. Context becomes key in determining whether a license forms a contract. If it's not a contract, is it effective? Just putting something in a file online doesn't control absolutely, other conduct will be relevant too. [This is not something Professor Nimmer is addressing, but consider that last comment in the context of the discussion over implied licenses and RSS.] The point is just to recognize this is an issue; the question of enforceability cannot be answered in general terms, only in specific cases. Important point: a license cannot abridge your rights over other circumstances (unless it's a contract), it can only expand them. Interesting point: open source software license case law is incredibly sparse; there are some 35 reported instances of one being enforced, and then only the GPL. Professor Nimmer observes that's probably a function of the fact that most people applying the over 400 different varieties of licenses to their work are more concerned with giving away and collaboration than with enforcement.

Next up was Microsoft's Steve Mutkoski. Open source diligence is an extension of traditional IP diligence related to company acquisitions, but complicated by the unique restrictions that open source licenses routinely include: noncommercial use, share alike, etc. Microsoft has been tripped up by this enough it now has a four step approach when it's considering an acquisition: it requests disclosure (tell us what you're using), it scans the code (let our consultants go over your source code), it analyzes the results (tell us why this particular module or file is present), and , if there's an issue or a potential one, request remediation (can this potential problem file be removed or replaced?). Steve's experience is all this is still very new and unfamiliar to most people involved in the process.

There's a break now, I'll pick this up when we return.

[Technorati tags: itechlaw, blogs ip, open source]

The OnHollywood Webcast starts in about 20 minutes.

Declan McCullagh and Ann Broache, Net neutrality missing from sweeping telecom bill: "The U.S. Senate took the first serious step on Monday toward rewriting the nation's telecommunications laws, a move that raises politically sensitive questions about digital copyright and Net neutrality and that could take years to complete..."

Wikipedia on network neutrality; CNET tag re same; Doc Searls, Saving the Net.

[Technorati tag: network neutrality]