Digital Technology Law Journal
The Spider’s Stratagem on the Web: Hunting and Collecting Web Users
Morris Averill*
Visiting Lecturer, University of Western Sydney
This article discusses the traps for consumers browsing the World Wide Web or engaging in electronic commerce (e-commerce), including the privacy implications of being on the Web. It considers the possible legal responses available to Web users or government regulators, as well as to Web site operators who consider that some Web techniques are damaging to their business.
Introduction
1. The so-called ‘tech-wreck’ of April 2000 (the ‘correction’ in share values of technology companies listed on the NASDAQ and other stock exchanges) can be attributed to investors realising that profitable e-commerce would be more difficult than many had imagined. Several commentators have suggested that e-commerce business models based on the premise ‘build the Web site and users will come’ were little more than a modern day cargo cult mentality.[1] The difficulty of attracting visitors to Web sites has resulted in World Wide Web technology evolving sophisticated techniques of attracting, even capturing, Web users.[2]
2. The development of sophisticated Web site design techniques may have been pioneered by the developers of adult content and gambling sites; however, mainstream e-commerce sites are adopting the techniques. At the benign end of the spectrum (but still irritating for some Web users) is the use of ‘pop-up ads’. At the more aggressive end of the spectrum is the use of ‘spawning’ and ‘mouse-trapping’ to capture Web users at a Web site.
3. Some techniques are criminally motivated scams to extract money from unsuspecting Web users, either by causing the Web user to incur an astronomically high telephone bill by re-routing their connection to an Internet Service Provider (ISP) via an international call rather than a local call, or by sending computer programs to the user’s computer in order to search for credit card and other banking information.
4. The legal implications of the exchange of data between the computers of the Web users and Web sites are considered in this article, in particular the consumer privacy implications of the exchange of data between a Web user and a Web site.[3] The difference between ‘data’ and ‘personal information’ should be acknowledged when considering the exchange between the computer of a Web user and a Web site.
5. “Data” is defined as “information output by a sensing device or organ that includes both useful and irrelevant or redundant information and must be processed to be meaningful.”[4] In the context of an exchange between the computer of a Web user and a Web site, there is an exchange of digital data which is processed by the computer programs operating each computer resulting in the presentation of Web pages and interactive changes to screen display on the Web user’s computer as the user navigates through the Web site.
6. “Personal information”, as defined in the Privacy Act 1988 (Cth),[5] is information or opinion that can identify a person. The exchange of data between the computer of the Web user and a Web site may not, of itself, identify an individual. However, the Web has created the ability for Web sites to track users and profile their browsing behaviour.
7. In the study by Cyveillance, Inc[6] dated December 2001, many of the techniques listed above are described in their list of 10 objectionable Web techniques.
1. Spawning & Mouse Trapping
8. ‘Spawning’ is a way of programming a Web site so that new browser windows are automatically launched, faster than the user can close them, when a user attempts to exit a site.[7]
9. Poor Web design and coding can result in a re-directed page entering the browser history,[8] resulting in the user being unable to retrace their recent browsing history. However, ‘mouse trapping’ is a deliberate choice of the programmer. ‘Mouse trapping’ is a way of programming a Web site so that the ‘Go To’ command shows only the URL of that site and every click on the ‘Back’ button and ‘Close’ command still leaves the Web user at the same site.[9] The consequence is that the Web user is trapped at the Web site. The usual buttons to escape from a Web site do not function, so that the Web user is prevented from leaving – except by shutting down the connection to the Internet.
10. ‘Spawning’ and ‘mouse trapping’ can be combined with the launch of advertisements that do not have visible controls so that the only way to exit, apart from shutting down the computer, is to click on the advertisement. These techniques are often associated with ‘page jacking’ and are a product of the online pornography industry.[10]
11. In 2001 the US Federal Trade Commission (FTC) obtained injunctions against John Zuccarini[11] in respect of his practice of ‘domain name mimicry’ (obtaining domain name registrations for misspellings of well known names) and setting up Web sites using those domain names which used ‘mouse trapping’ to force viewers to see endless ad pages. The basis of the injunction was that the practices of John Zuccarini amounted to unfair competition and unfair business practices under the Federal Trade Commission Act (US).[12]
2. Page-Jacking, Redirecting & Spoofing Pages
12. ‘Page-jacking’ results in users of World Wide Web sites being re-directed to other sites chosen by the page-jacker.[13] The reason ‘page-jacking’ is carried out is to increase the number of Web users ‘hitting’ the site to which the Web users are re-directed. This will have the effect of artificially inflating the number of ‘hits’ on the site with advertising being sold at a higher rate based on the false perception that the Web site attracts a high number of voluntary users. Web site owners may pay the page-jacker a fee for re-directing Web users to a Web site.
13. The page-jacker copies pages from a popular site and posts the copied pages on their own computer server. The copied pages are re-programmed to re-direct Web users to specific sites. The copied pages continue to be indexed on search engines using the same key words as used in the original site. A Web user making a search will have the fake site displayed in the search results. When the Web user ‘clicks’ to that site they are re-directed to the site chosen by the page-jacker.
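From the position of the owner of the legitimate site, a saved copy of a suspected page-jacked page can be checked for the re-programming described above. The following is an added example, not part of the original article: the names `RedirectFinder` and `offsite_redirects` and the sample hosts are hypothetical, and the check covers only meta-refresh tags and script redirects written as literal strings, not server-side or obfuscated redirects.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Literal-string script navigation: location = "...", location.replace("...")
JS_REDIRECT = re.compile(
    r"""location(?:\.href)?\s*=\s*["']([^"']+)["']"""
    r"""|location\.(?:replace|assign)\(\s*["']([^"']+)["']""", re.I)
META_URL = re.compile(r"""url\s*=\s*['"]?([^'";]+)""", re.I)

class RedirectFinder(HTMLParser):
    """Collects automatic redirect instructions found in one HTML page."""
    def __init__(self):
        super().__init__()
        self.targets = []          # (mechanism, raw URL as written in the page)
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "script":
            self._in_script = True
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = META_URL.search(a.get("content", ""))  # e.g. "0; url=http://..."
            if m:
                self.targets.append(("meta-refresh", m.group(1).strip()))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            for m in JS_REDIRECT.finditer(data):
                self.targets.append(("script", m.group(1) or m.group(2)))

def offsite_redirects(html, page_url):
    """Return (mechanism, destination) pairs that leave the host of page_url."""
    finder = RedirectFinder()
    finder.feed(html)
    host = urlparse(page_url).hostname
    resolved = [(how, urljoin(page_url, raw)) for how, raw in finder.targets]
    return [(how, dest) for how, dest in resolved if urlparse(dest).hostname != host]

# Constructed sample: a copied page with redirects added (placeholder hosts).
SAMPLE = """<html><head><title>Popular Shop</title>
<meta http-equiv="refresh" content="0; url=http://ads.example.net/landing">
<script>window.location.href = "/local/page.html";
window.location.replace('http://other.example.org/x');</script></head></html>"""
SAMPLE_URL = "http://copy.example.com/shop/index.html"
```

Calling `offsite_redirects(SAMPLE, SAMPLE_URL)` reports the two redirects that leave the copying host and ignores the same-host navigation.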
14. The consequence of ‘page-jacking’ is that the owner of the legitimate site loses the potential customers and their reputation suffers as the kidnapped Web user assumes the content at the re-directed site is that of the owner of the legitimate site.
15. ‘Page jacking’ is a technique primarily used to increase traffic to the Web site to which the Web users are redirected. However, more sophisticated Web design techniques have been developed with the use of ‘spoof pages’, which are ‘seeded’ with trade marks (‘metatagging’) for the purpose of maximising the likelihood that the ‘spoof page’ will appear high on a search engine’s list of results.[14] The ‘spoof page’ is combined with the use of ‘doorway’ or ‘re-direct’ techniques to take the user to some other site, often a pornographic site.[15]
16. The FTC, together with the Australian Competition and Consumer Commission (ACCC),[16] has taken action against persons involved in ‘page jacking’ in FTC v Carlos Periera d/b/a/ atariz.com.[17] Final settlement with one defendant, and default judgments against two others, were obtained on 12 February 2000.[18]
17. Techniques related to ‘page-jacking’ can be used to make a political statement; an example is the report by Robert Lemos[19] that Mr. Racine, the defendant, admitted to tricking VeriSign subsidiary Network Solutions into giving him ownership of the aljazeera.net domain. Racine then redirected visitors from that Internet address to another site. Through what is technically known as a ‘redirect’, Web users who wanted to go to www.aljazeera.net - as well as the English-language site, english.aljazeera.net - were redirected to the content hosted on NetWorld's servers, where the US flag was displayed.
3. Misleading Links
18. Mislabelling links is the false labelling of hyper links that send the Web user to an unintended destination.[20] A misleading link may be the result of poor Web design and coding. However if the mislabelling is intentional, liability may arise under s 52 of the Trade Practices Act 1974 (Cth) for ‘misleading or deceptive’ conduct or under fair trading legislation.
4. Home-jacking - Changing Home Pages or Favourites List
19. ‘Home-jacking’ is the result of Web design techniques which allow the unauthorised substitution of the ‘home page’ so that when the user next launches their browser, instead of the user’s selected home page coming up on screen, the selected Web site appears.[21] A digital file can also be inserted into the user’s computer so that the selected Web page appears in the ‘favourites’ list in the Web browser program.[22]
20. The unauthorised inserting of data may be a criminal offence under sections 477 (1) or (2) of the Cybercrime Act 2001 (Cth)[23] or under section 308D of the Crimes Act 1900 (NSW).[24] That is, provided there is no consent of the Web user so that the insertion of the data which changes the ‘home page’ or ‘favourites’ is clearly unauthorised, with the necessary intention or recklessness as to the impairment of the functioning of the Web user’s computer browser software.
Some Web sites overtly ask the Web user if they wish to change their home page; if this option is selected, the user is clearly consenting to the change. However, with a covert change it can be argued that the unauthorised inserting of a digital file into the Web user’s computer is a criminal act.
21. However, the level of ‘impairment’ of functioning of the computer may be disputed, with a de minimis argument that changes to the ‘home page’ or ‘favourites’ fall below what could be considered to be damage to the functioning of the computer.
22. The need of the Web user to replace the ‘home page’ setting or remove files inserted into the ‘favourites’ file can be argued to be ‘damage’ to the computer. Causing damage when computer programs are removed from a computer or interfered with has been considered in Cox v Riley[25] & R v Whitley.[26] R v Whitley involves the prosecution of a ‘hacker’ under the Criminal Damage Act 1971 (UK). The prosecution had to establish that the defendant had caused damage to tangible property contained on the computer disc. Counsel for the defendant argued that there was no damage to tangible property. However, in considering that argument, Lord Lane CJ stated that it contained a basic fallacy:
“What the Act requires to be proved is that tangible property has been damaged, not necessarily that the damage itself ‘should be tangible’… The fact that the alteration [to the metallic particles on the disk] could only be perceived by operating the computer did not make the alterations any the less real, or the damage, if the alteration amounted to damage, any the less within the ambit of the Act.”
5. Spyware - unauthorised, or unknown, software downloads
23. The development of ‘parasite’ business models[27] results in software programs being supplied as an ‘add on’ or ‘plug-in’ to a primary software program.[28] The developer of the primary software program (usually made available to the user without cost) has a business model of generating money from parasite software or generating income from advertising revenue from ‘pop-up ads’. The users of such a business model would naturally choose other descriptive phrases to describe their technology and may be aggrieved at the use of pejorative terms to describe their technology. The Gator Corporation, a developer of ‘pop-up’ window technology,[29] has alleged trade libel, false advertising and tortious interference claims against others using the term "spyware" to describe the Gator technology.[30] The Gator Corporation prefer to describe their technology as providing “contextually relevant advertisement[s]”.
24. Legislatures are beginning to respond to public concern about intrusive Web techniques, with commentators suggesting that the legislatures are also responding to the conflicting results of litigation in US federal courts over whether Web techniques, such as ‘pop-up ad’ software, infringe intellectual property rights or unfair trade practice legislation.[31]
25. The State of Utah enacted the Spyware Control Act (2004) which, as stated in the general description of the statute:
Prohibits spyware from delivering advertisements to a computer under certain circumstances;
Requires spyware to provide removal procedures;
Allows a website, trademark, or copyright owner to bring an action to enforce the requirements.
26. The Spyware Control Act[32] defines ‘spyware’ in Subsection 4, which begins an extensive definition describing the ambit of the software techniques that are being regulated: monitoring software[33] that reports back to a remote computer or delivers obtrusive ‘pop-up ads’ (without making appropriate disclosure to the Web user):
“Except as provided in Subsection (5), "spyware" means software residing on a computer that: (a) monitors the computer's usage; (b) (i) sends information about the computer's usage to a remote computer or server; or (ii) displays or causes to be displayed an advertisement in response to the computer's usage if the advertisement: (A) does not clearly identify the full legal name of the entity responsible for delivering the advertisement; (B) uses a federally registered trademark as a trigger for the display of the advertisement by a person other than: (I) the trademark owner; (II) an authorized agent or licensee of the trademark owner; or (III) a recognized Internet search engine; (C) uses a triggering mechanism to display the advertisement according to the Internet websites accessed by a user; or (D) uses a context based triggering mechanism to display the advertisement that partially or wholly covers or obscures paid advertising or other content on an Internet website in a way that interferes with a user's ability to view the Internet website”
read much more @ http://www.austlii.edu.au/au/journals/DTLJ/2004/1.html