Editor's note: The New York Attorney General, Eliot Spitzer, is often at the forefront of legal issues relating to technology, marketing and the internet. Just in 2006, Spitzer's office has initiated several high-profile investigations into the practices of adware companies, email marketers and others in the online media space, resulting in settlements and lawsuits.
As head of the Internet Bureau of the NY Attorney General's office, Ken Dreifach has been deeply involved in these issues for several years. He has recently ended his tenure with Mr. Spitzer's office and is joining Sonnenschein Nath & Rosenthal in May as a partner in the firm's Information Security and Internet Enforcement Group. In his last days working for Mr. Spitzer, Dreifach sat down with Alan Chapell to discuss the legal issues facing the online media world.
Their discussion began with the broad idea of "agency," as Dreifach describes how advertisers, email marketers and others in the online space might be held accountable for the actions of their business partners. Touching upon adware, email and affiliate networks, Chapell and Dreifach muse on policing agents, how online marketing will develop and grow, and the costs of developing the necessary infrastructure. They also discuss digital rights management (DRM) and best practices for disclosing the "essence of the bargain" to consumers in a clear and concise way.
Alan Chapell: In several of your recent presentations you've referred to the "agency theory"-- the concept that one company may be held accountable for the actions of its business partners. Can you explain to the iMedia readers what you mean by that?
Ken Dreifach: Sure. Well, principals -- who can essentially be anyone in the iMedia audience -- are generally responsible for the acts of their agents. And whether someone is your agent is generally fact-based. So you can't make broad assumptions about who can or cannot be your agent-- but the general test is if someone is acting under your control or under your direction. A common misperception about agents, at least in cases involving consumer fraud or misdirection, is that if the principal didn't specifically direct the agent to make deceptive statements or commit acts, then the agent was acting beyond the scope of agency.
But that's not actually the legal test. The legal test, for instance in reference to a deceptive statement, is that if your agent -- assuming that the person is your agent in some capacity -- makes a statement that if true would be within the scope of agency, then the fact that it's false does not take that act outside of the scope of agency. In other words, if the agent is doing something that is more or less in the realm of what you gave them authority to do, you're going to be liable for any ill-effect of that act.
Chapell: I think many people are comfortable with the concept of setting up certain quality controls around their immediate business partners. But the very nature of many online media buys can involve multiple intermediaries. How far downstream should, say, an advertiser be looking in order to stay in the right?
Dreifach: Well, it gets a little bit murky when an advertiser puts itself in the position of not having control over advertisements that are being sent on its behalf. Certainly a better, not only legal practice but business practice, is to have some auditable and discernable chain of control. Because let's face it: You really want to know how your advertisements are being sent and what statements are being made. If you don't, and someone is making statements that shouldn't be made, or sending your advertisements through some deceptive medium, your consumers, and the general public, are going to be fairly upset with you. And potentially, regulators are more likely to become involved.
So rule one is not to get yourself in this situation where down the line you say, "Gee, there were six intermediaries between us and this wrong-doer -- whether it's a deceptive spammer or a deceptive spyware company -- and therefore we really didn't or shouldn't know what was going on."
As a practical matter of legal liability, there are a number of reasons, depending on the exact set of facts, why, even though there may be two, or say, six, levels of intermediaries you may nonetheless face allegations that you had constructive or actual knowledge of the wrongdoing. For example, you may have had notice from consumers or recipients of ads -- from deceptive spam or spyware ads -- where consumers may have gotten in touch with your marketing people and complained. For example, to the extent a company receives numerous complaints about the conduct of intermediaries, a company may have fewer defenses against liability for the intermediary's conduct if the company takes no action to rectify the problem after receiving notice. You want to make sure that any complaints are getting funneled to the arm of your organization that is actually hiring and hopefully monitoring your intermediaries.
So the answer is to do your due diligence: to do audits of anyone who has your information or advertisements, to do due diligence to investigate exactly how your ads are being seen. If you're talking about adware, how the underlying piece of software is being downloaded. If you're talking about spam, determining any potentially deceptive methods (such as under the CAN-SPAM act) that might be used to send messages on your behalf. And the way to do this is to seed your email lists so that anything that is going out on your behalf is coming back to people in your organization who can see if there are phony headers, or spam sent through false proxies, or false subject lines.
Chapell: It seems like in other industries -- in the magazine industry for example -- there are all kinds of compliance tools, whether you're talking about audits or contractual obligations, that allow an advertiser to exercise controls over where its ads are appearing. And recognizing that the online space tends to be a lot more complex than the magazine space, it seems that the underlying message here is that the level of complexity does not necessarily relieve businesses of the responsibility for assuring that this level of quality or vetting your business partners…
Dreifach: Yeah, I think that's right. If I were advising a company in this space, I would say that you want to have the ability to know anything that regulators or potential plaintiff class action lawyers know.
Given the ephemeral nature of pop-up ads and sometimes even downloadable software (certainly of spam), you could very well find yourself in a position where someone who has been monitoring wrong-doing -- connected to you directly or indirectly -- may hold all the evidence or all the cards, and that's an awful position to be in, because you're relying on the authenticity and completeness of someone else's record of very ephemeral data.
So looking at it as an auditor or as a regulator, you certainly want to advise clients to have more information, rather than less, about these processes.
Chapell: I couldn't agree more. Bringing it back to my original point, implicit in that statement, once you set up these audits and methods around ensuring some level of compliance around your business partners, you're going to discover that business partner A costs you one amount to ensure compliance, and business partner B costs a higher amount. As part of the maturation, you need to make a decision as to whether partner B is worth that cost. I think historically in the online space that hasn't always happened.
Similarly, in the context of digital rights management -- and I'm not talking necessarily about the Sony root kit issue (Editor's note: the "Sony root kit issue" refers to the record label's inclusion of a "root kit" on new CDs in order to restrict consumers' ability to copy the CD. By doing so, they inadvertently created a security risk, and have since discontinued the practice. See DRM This, Sony! for more information) -- I can certainly appreciate the right of any company to protect its intellectual property. But what seems to be happening, at least in some cases, is that companies are changing the essence of the bargain in mid-stream. For example, if I download music at a legitimate, paid music site, and as part of the deal I'm told I can copy my music onto five other devices, and later the company changes that number from five to three, I'm going to feel a bit cheated. Has your office looked into DRM?
Dreifach: The terms that are on the site at the time of purchase are the ones that control the data. The best practice is to have a grace period before the new policy is put into effect. It'd be tough to make the case that the policy that was on the site last year applies to this year's download.
Overall, you've got a broader policy question about what the fair default should be-- which has to balance protection of digital rights on one hand, with potential fair use rights on the other.
Dreifach: That's a good point; it goes to the material aspect of what consumers expect they are getting. But there is a spectrum here: when you're talking about what is very material and what is perhaps arguably material, as opposed to generally not material. It's just something you carry around in your gut, and it's kind of a quasi-legal, quasi-business decision. It'll be interesting to see -- talking about DRM issues -- how various industries define what the reasonable default setting should be.
In Europe, there are even laws that say you are allowed, absolutely, to make a personal copy. I think fair use in the United States would say the same thing. I think most EULAs incorporate that. Then the question becomes: Should you be able to make three copies? Should you be able to make five copies? And it also depends on what product you're talking about. If you're talking about the latest Celine Dion CD, should the reasonable consumer expect to be able to make 50 copies of that CD?
That's a different question than if you're talking about educational programming. One of the big questions with the broadcast flag is if libraries and educators will have their fair use protected. You're seeing this conversation going on every day and week in testimony, back and forth.
Chapell: Not too long ago, your office worked in conjunction with the Nebraska AG's office to establish some "controls over categories of chat rooms that are likely to be frequented by child predators." How do you take the good ideas coming from an AG office in New York or California and take them national? Do you see this as becoming more commonplace, and perhaps working towards the establishment of national standards?
Dreifach: It's interesting. Common law is very similar in all 50 states. And the common law has served us pretty well for a long time. The greatest judges in American history were folks like Oliver Wendell Holmes or Cardozo or Learned Hand, who really mastered the common law, and mastered setting a balance in terms of who should bear certain burdens, and just figuring out what types of burdens you should bear and what types of precautions you should take, simply because they're reasonable, and simply because certain harms are foreseeable.
You see this being applied now in the privacy and security debate. Aspects of the common law can also be applied, and we've applied them, to spam and adware. I think the answer is that, whether people know it or not, there is a largely national standard based on the common law, which says: You have to guard against foreseeable harms arising out of your acts or your products. That says you have to give the recipient of your service or product a reasonable description of the product they're getting, and if you're doing something to someone's property that has a material effect, you have to get permission. These principles are not new-- they're decades or centuries old. It's something that unifies regulators and state attorney generals across the country.
I'm sometimes skeptical when people say we need a national standard, because I think there often already is a national standard. As the FTC has pointed out in reference to spyware, they already have Section 5 jurisdiction to curtail the harmful act. You can go them one further: If you analyze some of these supposedly unifying acts, like the spyware bills, they necessarily require you, by referring to terms like "affirmative consent," to look to some body of law, to determine what "consent" is. And that body of law is, again, state common law.
We've got a lot of arrows in our quiver right now. It's just a matter of understanding the facts and applying the law to the facts. We're very comfortable with the laws we have under New York State common law.
Chapell: Any final thoughts?
Dreifach: Every year or two, there's a new scam or new questionable way of making money by piggybacking on technological loopholes -- ActiveX technology or open proxies, for example -- I think that's the nature of the beast.
Evaluating each of these business practices, you come down to the same question: Is there something deceptive and a little bit off about the way the business practices are being done? It's the same dynamic, and as new technology comes along, there will be new ways to subvert the technology.
Chapell: Some business models in the online world have historically been notoriously difficult to rein in. So as I listen to what you're saying -- although I don't want to put words in your mouth -- is the implicit message here that any business model that involves a low level of transparency and control might not be able to survive what I would loosely describe as the maturation of the internet economy?
Dreifach: Not having given the question that much thought, my inclination is to say that, in most cases, it's not the case that a particular medium or technology is itself not transparent. It almost seems like a cop-out to write off a particular technology as inherently not transparent or not capable of giving the consumer proper or even robust notice.
If you look at technology itself, it's inherently neutral. Across the board we've been agnostic as to whether a particular technology is good or bad. There are a lot of people who will say that pop-up ads are just bad. Certainly trademark holders and operators of websites would tell you that the product now known as adware is simply, across the board, bad, because it interferes with what they see as their control of their websites. Folks in the "open commons community" and elsewhere would take the position that this is just not the case-- and the 2nd Circuit has held this is not the case, in the case brought against WhenU recently.
So I think the answer is, if you're talking about a technology such as adware, it can be employed in a perfectly transparent and legal way, and there are certainly companies that are making a go with that model. There are other companies -- as our cases have shown -- who do not incorporate that transparency into their model.
I would disagree with the underlying premise that there are certain technologies that give way to a lack of transparency in and of themselves.
Chapell: What I’m thinking of is-- you've seen certain businesses in the online space announce that they just don't work with certain affiliate networks or even media networks, because they feel like they are inherently problematic.
Dreifach: I think this dovetails with the bigger question… you're talking about adware, more or less…
Chapell: Not necessarily. There are even advertisers now who are reluctant to work with certain media or affiliate networks, because, for example, they don't want their ads showing up next to a blog with political content which they're uncomfortable with.
Dreifach: It's probably an instance where the ground-level technology is a couple of paces beyond what the large corporations that are making use of that technology are familiar with. As a result they have relied on ad networks who they perhaps regarded as knowing more about the technology instead of getting up to speed on it themselves.
To some extent, there's a market correcting force out there, where as the bad actors get weeded out, there's greater trust, and maybe in the future, if you're dealing with a smaller set of well known, above board, transparent and credible actors, then the affiliate networks gain some more trust. But absent that, you're going to keep seeing regulatory action, you're going to keep seeing a call for legislation and you're going to keep seeing consumer class action lawsuits-- and that's going to chip away at the credibility of the entire industry. And that's a bad thing.
I think our lawsuits are a good thing-- they serve as a warning to not only the top-tier advertisers but also the affiliate networks for what they should be on the alert for. It's still an unanswered question as to what pressures we're going to see on the industry internally to correct itself. That's what's going to determine if the affiliate networks survive and prosper -- or don't -- because there's a continued low level of trust in the industry.
Chapell: One of the overall benefits to the industry by the actions taken by your office, the FTC, or some other organizations like the Center for Democracy and Technology, is that increasingly the online media world is starting to ask questions. It's starting to say "Hey, do we really know what's going on beyond our organizational walls?" It's like the old saying, that necessity is the mother of invention. We're already seeing-- I don't think it has developed nearly where it needs to be, but it's starting to go in the right direction-- organizations out there that are able to provide a pretty thorough audit of where advertisers' ads show up. And that's kind of the first step. It's not easy to do this, but the minute you're able to provide a reliable audit trail, you're able to move down the chain, where you can start selling these affiliate networks and large media networks on the premise, and really get a sense of where your ads are likely to appear.
Dreifach: Anything that hasn't been done before is generally labeled as "too difficult." Part of our investigation has been to look at companies that are using these services. What you see is a general unfamiliarity with the advertisers and adware companies and with their practices. Even if you're talking about a large organization, you only need one skilled compliance person-- and if not in house, you can hire another firm to do it. You're not talking about the most complicated type of audit in the world. It's very doable. I think we'll start to see that.
Chapell: We're used to, in this space, low infrastructure costs. So relative to other industries, the cost of actually facilitating a transaction is pennies on the dollar. As part of the maturation process of online, you need to recognize that there are going to be additional costs and the business model will need to take this into account.
Dreifach: You look at email, or online advertising-- it's an industry that's truly in its infancy. I don't think it has gotten that far down the road as far as the potential that I think we're going to see.
You can talk about the economies of scale and the extraordinary savings and efficiency of being able to advertise digitally. Think about the differences of sending out a catalogue to someone, with the paper and postage and compare it to email-- it's off the charts. The downside of digital media is that it's incredibly easy to transfer across systems. And since it's incredibly easy to transfer it's that much harder to monitor. Overall the benefits of the industry -- the potential of the industry -- in terms of the savings of the industry, outweigh that extra level of expertise and compliance that you have to undergo to make sure that bits and bytes are being served in the right way to the right people at the right place.