All RSS Feeds
TARGETING
Published: April 26, 2006
Exclusive Q&A with the NY AG's Office
By Alan Chapell
More by this Author
Contact Author
 
PRINT

Ken Dreifach, chief of the Internet Bureau in the Office of New York Attorney General Eliot Spitzer, talks about legal issues facing the online media world.

Editor's note: The New York Attorney General, Eliot Spitzer, is often at the forefront of legal issues relating to technology, marketing and the internet. Just in 2006, Spitzer's office has initiated several high profile investigations into the practices of adware companies, email marketers and others in the online media space-- resulting in settlements and lawsuits.

As head of the Internet Bureau of the NY Attorney General's office, Ken Dreifach has been deeply involved in these issues for several years. He has recently ended his tenure with Mr. Spitzer's office and is joining Sonnenschein Nath & Rosenthal in May as a partner in the firm's Information Security and Internet Enforcement Group. In his last days working for Mr. Spitzer, Dreifach sat down with Alan Chapell to discuss the legal issues facing the online media world.

Their discussion began with the broad idea of "agency," as Dreifach describes how advertisers, email marketers and others in the online space might be held accountable for the actions of their business partners. Touching upon adware, email and affiliate networks, Chapell and Dreifach muse on policing agents, how online marketing will develop and grow, and the costs of developing the necessary infrastructure. They also discuss digital rights management (DRM) and best practices for disclosing the "essence of the bargain" to consumers in a clear and concise way."

Alan Chapell: In several of your recent presentations you've referred to the "agency theory"-- the concept that one company may be held accountable for the actions of its business partners. Can you explain to the iMedia readers what you mean by that?

Ken Dreifach: Sure. Well, principals -- who can essentially be anyone in the iMedia audience -- are generally responsible for the acts of their agents. And whether someone is your agent is generally fact-based. So you can't make broad assumptions about who can or cannot be your agent-- but the general test is if someone is acting under your control or under your direction. A common misperception about agents, at least in cases involving consumer fraud or misdirection, is that if the principal didn't specifically direct the agent to make deceptive statements or commit acts, then the agent was acting beyond the scope of agency.

But that's not actually the legal test. The legal test, for instance in reference to a deceptive statement, is that if your agent -- assuming that the person is your agent in some capacity -- makes a statement that if true would be within the scope of agency, then the fact that it's false does not take that act outside of the scope of agency. In other words, if the agent is doing something that is more or less in the realm of what you gave them authority to do, you're going to be liable for any ill-effect of that act.

Chapell: I think many people are comfortable with the concept of setting up certain quality controls around their immediate business partners. But the very nature of many online media buys can involve multiple intermediaries. How far downstream should, say, an advertiser be looking in order to stay in the right?

Dreifach: Well, it gets a little bit murky when an advertiser puts itself in the position of not having control over advertisements that are being sent on its behalf. Certainly a better, not only legal practice but business practice, is to have some auditable and discernable chain of control. Because let's face it: You really want to know how your advertisements are being sent and what statements are being made. If you don't, and someone is making statements that shouldn't be made, or sending your advertisements through some deceptive medium, your consumers, and the general public, are going to be fairly upset with you. And potentially, regulators are more likely to become involved.

So rule one is not to get yourself in this situation where down the line you say, "Gee, there were six intermediaries between us and this wrong-doer -- whether it's a deceptive spammer or a deceptive spyware company -- and therefore we really didn't or shouldn't know what was going on."

As a practical matter of legal liability, there are a number of reasons, depending on the exact set of facts, why, even though there may be two, or say, six, levels of intermediaries you may nonetheless face allegations that you had constructive or actual knowledge of the wrongdoing. For example, you may have had notice from consumers or recipients of ads -- from deceptive spam or spyware ads -- where consumers may have gotten in touch with your marketing people and complained. For example, to the extent a company receives numerous complaints about the conduct of intermediaries; a company may have fewer defenses against liability for the intermediary's conduct if the company takes no action to rectify the problem after receiving notice. You want to make sure that any complaints are getting funneled to the arm of your organization that is actually hiring and hopefully monitoring your intermediaries.

So the answer is to do your due diligence: to do audits of anyone who has your information or advertisements, to do due diligence to investigate exactly how your ads are being seen. If you're talking about adware, how the underlying piece of software is being downloaded. If you're talking about spam, determining any potentially deceptive methods (such as under the CAN-SPAM act) that might be used to send messages on your behalf. And the way to do this is to seed your email lists so that anything that is going out on your behalf is coming back to people in your organization who can see if there are phony headers, or spam sent through false proxies, or false subject lines.

Chapell: It seems like in other industries -- in the magazine industry for example -- there are all kinds of compliance tools, whether you're talking about audits or contractual obligations, that allow an advertiser to exercise controls over where its ads are appearing. And recognizing that the online space tends to be a lot more complex than the magazine space, it seems that the underlying message here is that the level of complexity does not necessarily relieve businesses of the responsibility for assuring that this level of quality or vetting your business partners…

Dreifach: Yeah, I think that's right. If I were advising a company in this space, I would say that you want to have the ability to know anything that regulators or potential plaintiff class action lawyers know. 

Given the ephemeral nature of pop-up ads and sometimes even downloadable software (certainly of spam), you could very well find yourself in a position where someone who has been monitoring wrong-doing -- connected to you directly or indirectly -- may hold all the evidence or all the cards, and that's an awful position to be in, because you're relying on the authenticity and completeness of someone else's record of very ephemeral data. 

So looking at it as an auditor or as a regulator, you certainly want to advise clients to have more information, rather than less, about these processes.

Next: Ken Dreifach addresses technology transparency and audits.