Internet Governance – The Cybersecurity Lawyer

Legal Distortion: How ADA Web Lawsuits Mimic Cybercrime – Part Two

By: Marque N. Staneluis, Esq.

This is the second installment in this series that addresses the ADA website complaints that have a significant cybersecurity and cybercrime dimension. In this installment we look at a case through the lens of the Robles claim. You can find the first part here.

If you are up to speed on part one, then proceed and look at a case that is an extreme illustration, but one that was filed in the U.S. District Court, Southern District of New York and requires the business and therefore website owner to expend time and money to address.

Primitivo Robles v. The Other Side Dispensary, LLC

The nascent legal cannabis industry in New York and New Jersey has faced a number of challenges, from a slower-than-expected roll-out of dispensaries to a plethora of unlicensed dispensaries, which created unfair competition as well as confusion. Now they face a new problem, ADA Title III lawsuits against their internet presence, i.e. their website. One such example is Primitivo Robles v. The Other Side Dispensary, LLC.

A plaintiff, Primitivo Robles, who is a citizen of Bronx Country in New York, and his representation Joseph & Norisberg, LLC, have filed, at the time of this writing, twenty separate class action lawsuits against cannabis dispensaries claiming that he, and others like him, have been “denied the full use and enjoyment of the facilities, goods and services offered to the general public, on Defendant’s Website in Bronx County.” These claims have been filed in the Federal Court of the Southern District of New York seeking both injunctive relief and compensation for “himself and all others similarly situated, seeks to certify a nationwide class.” Of the businesses targeted, four are based and sell cannabis in New Jersey.

This case exemplifies the abuse of ADA litigation. Filed on October 11, 2024 (24-cv-7729), the complaint alleges that the defendant’s website is inaccessible to individuals with visual impairments, violating Title III of the ADA. However, closer scrutiny reveals serious legal deficiencies:

The Claims

On behalf of Mr. Robles, Joseph & Norinsberg, LLC have filed 20 nearly identical claims, with only slight variations for the defendant’s name and website, a few of the product names, the date of first access, and the particular accessibility audit tool used to validate the website. The claim that jumped out at me was the one filed on Friday, October 10, 2024, 1:24-cv-07729-VSB, Robles v. The Other Side Dispensary, LLC.

As is standard in an ADA Title III claim, there is an assertion of subject-matter jurisdiction, venue, and personal jurisdiction over the Defendant. It asserts that venue is proper since “Defendant conducts and continues to conduct a substantial and significant amount of business in [the] District via the Internet and a substantiation portion of the conduct complained [of] …because Plaintiff attempted to utilizes, on a number of occasion, the subject Website within this judicial District.” For personal jurisdiction, it claims the SDNY is proper since “Defendant purposefully targets and otherwise solicits business from New York State residents through its website.

It states the Nature of the Action and then addresses Standing. During the argument for standing the claim asserts that Mr. Robles suffers from Retinitis Pigmentosa that resulted in his loss of vision. His blindness was diagnosed legally blind on March 10, 2024. Because he was worried about the dangers of dependency on his prescription medication, he discovered that a particular strain of marijuana provided particular pain relief. According to the claim, the “specific strains of marijuana (and related products) could also provide significant pain relief and is 100% legal and can be shipped anywhere in the United States, including New York.” and that “Plaintiff intends to utilize the services of Defendant and their Website, www.tosdispensary.com, because he has in the past utilized similar websites that took advantage of his physical condition by failing to send the ordered products…”

The claim then makes a very interesting assertion about how Mr. Robles has had to shop from “numerous providers, many of which operate in the legal gray area, operating without regard for the law or well-being of their customers.” A few paragraphs later he indicates he accessed the website and felt the “user reviews and rating on the website further added to their credibility, offering real-world experiences of other customers.” As the Standing assertion continues, there is an itemized list of issues that the auditing tool revealed. This includes “Broken Links,” “Empty Aria Elements Absent Accessible Names,” “Links without Accessible Names,” “Empty Buttons,” “Redundant Alternative text,” and “Skipped Heading Levels.” The claim continues explaining how WCAG 2.1 Guidelines would provide equal access and that the Defendant is engaging “in acts of intentional discrimination.” The claim provides the appropriate language for why the federal court has subject matter jurisdiction over a federal case; it also has the appropriate language to explain how the court also has supplemental jurisdiction under the New York State Human Rights Law, New York City Human Rights Law, and New York City Civil Rights Law; it also provides the appropriate argument for why venue is proper. The claim then argues that “Defendant purposefully targets and otherwise solicits business from New York State residents through its highly interactive Website,” as well as “Plaintiff has been denied the full use and enjoyment of the facilities, goods and services offered to the general public, on Defendant’s Website in Bronx County” as justification for why this court has personal jurisdiction over the defendant.

When you compare the language between this claim and the 20 other submitted by Mr. Robles and his counsel, there is a striking similarity. The Defendant names, products, and method used to verify, and a few other elements, all of which are bolded, are changed but everything else remains the same.

Jurisdiction

Personal Jurisdiction is the court’s authority to adjudicate the rights and liability of the defendant. According to interpretations of the U.S. Constitution it requires that the defendant has certain minimum contacts with the forum in which the court sits. Minimum contacts are a nonresident civil defendant’s connections with the forum state (i.e., the state where the lawsuit is brought) that are sufficient for the forum state to assert personal jurisdiction over that defendant. Lack of minimum contacts violates the nonresident defendant’s constitutional right to due process and “offends traditional notions of fair play and substantial justice” (International Shoe Co. v. Washington, 326 U.S. 310 (1945)). Defendants’ minimum contacts can take the form of general jurisdiction or specific jurisdiction. Some examples of minimum contacts include conducting business within the state, incorporating in the state, and visiting the state. The courts will even find that a business has contact if the defendant must make an effort to market in the forum state or otherwise purposefully avail himself of the resources of that state. In New York state, the courts have ruled that the contacts must be the defendant’s own choice and not ‘random, isolated, or fortuitous’ In order for the Federal Court in the Southern District of New York, which would then not only allow it to adjudicate the federal ADA claims, but it would also have supplemental jurisdiction for the city and state specific claims. It is a ruling under these claims that would result in significant monetary damages.

Mr. Robles filed the claim on behalf of him and others seeking to certify a New York City Subclass of legally blind individuals who have attempted to access The Other Side Dispensary’s website and are denied equal enjoyment of goods and services from Defendant’s website. The claim asserts that this dispensary purposefully targets and otherwise solicits business from New York State residents through its highly interactive Website, www.tosdispensary.com. So, the jurisdictional argument is made because a cannabis dispensary, which operates legally in New Jersey under New Jersey’s CREAMMA law, which permits it to only sell cannabis products to people who visit its store in New Jersey, has contacts in New York.

This is a farcical argument. Despite his claims that “specific strains of marijuana (and related products) … is 100% legal and can be shipped anywhere in the United States, including New York,” even a first year associate would be aware that this would constitute a deferral crime. The Other Side Dispensary does not reside in New York state nor will it engage in a federal crime by shipping cannabis products across state lines to Mr. Robles in the Bronx. The argument may be made that Mr. Robles was planning on visiting the dispensary and engaging in adult-use in New Jersey, but this does not mean that the dispensary itself had significant contacts in New York. There is no advertising on billboards, radio, or television. In fact, by his own claim, Mr. Robles found the website as “a result of a recommendation by a close friend.” This defendant, and the three others defendant;s that Mr. Robles has filed claims against, that operate solely in New Jersey, cannot and should not be subject to or have to defend in the Second Circuit or against New York specific laws.

Standing

Standing, or locus standi, is the capacity of a party to bring a lawsuit in court. To have standing, a party must demonstrate a sufficient connection to and harm from the law or action being challenged. At the federal level, legal actions cannot be brought simply because an individual or group is displeased with a government action or law. In Lujan v. Defenders of Wildlife (90-1424), 504 U.S. 555 (1992), the Supreme Court created a three-part test to determine whether a party has standing to sue:

Injury in Fact: The plaintiff must have suffered an “injury in fact,” meaning that the injury is of a legally protected interest which is (a) concrete and particularized and (b) actual or imminent.
Causal Connection: There must be a causal connection between the injury and the conduct brought before the court.
Redressability: It must be likely, rather than speculative, that a favorable decision by the court will redress the injury.

More recently, the Supreme Court’s decision in TransUnion LLC v. Ramirez (2021) noted that the injury-in-fact prong of Article III could be reduced to “no concrete harm, no standing.” Of note, the Transunion court also noted that “Article III grants federal courts the power to redress harms that defendants cause plaintiffs, not a freewheeling power to hold defendants accountable for legal infractions.”

Mr. Robles attempted to access the The Other Side Dispensary’s website on October 4, 2024 and October 5, 2024 He was looking for a “specific strains of marijuana” that could be “shipped” to him. No where in his claim is there any indication that he was planning on traveling to another state to both purchase and consume this cannabis. As stated earlier, The Other Side Dispensary will allow customers to reserve products and schedule a time to pay for it with cash or debit cards and pick it up; it is not, however, prepared to violate federal drug-trafficking laws.

In addition, since the most recent ruling in New York Federal court requires there be a nexus to a place of public accommodation and not just a website. Although Mr. Robles was persuaded by “the real-world experiences of other customers,” that would have been very hard to do considering that The Other Side Dispensary had not even opened its doors. When he claimed to visit the website as well as when he filed his claim on October 10, 2024, the website at the time clearly indicated on the front page that opening would be on October 14, 2024. Mr. Robles did not suffer any harm and therefore has no standing. First, nothing in his claim indicates that he was planning on traveling to New Jersey and remaining there. What he was apparently willing to do, and admitted to doing, was participating in the illegal interstate trafficking of a Schedule I drug. Therefore, he suffered no harm to be redressed. Secondly, since The Other Side Dispensary was not even operational at the time the suit was filed, it cannot be a place of public accommodation, and, therefore, ADA Title III does not apply.

Interesting, isn’t it? These are not just nit-picks at minor procedural points, these are grievous errors that call into question the validity of the entire claim. I have one more, very interesting question to pose and some recommendations in the next, and last section coming soon. Stay Tuned!

Legal Distortion: How ADA Web Lawsuits Mimic Cybercrime – Part One

By: Marque N. Staneluis, Esq.

Introduction

In recent years, a surge of Americans with Disabilities Act of 1990 (“ADA”) Title III website accessibility complaints has flooded the federal court system. While the ADA is a critical tool for ensuring equitable access, many of these cases lack genuine merit. Instead, they exploit legal ambiguities, overwhelming small businesses, as well as the federal courts, with predatory lawsuits. A prime example of this is Primitivo Robles v. The Other Side Dispensary, LLC, a case emblematic of the broader issue of invalid ADA website complaints. This paper explores this case to highlight how these lawsuits pose a threat not only to legitimate accessibility advocacy but also to emerging industries like cannabis in New York and New Jersey. Further, it argues that ADA website complaints have a significant cybersecurity and cybercrime dimension. This paper is broken down into three sections which (a) explains what and how a website should be accessible and what does it mean not to be, (b) looks at a case through the lens of the Robles claim, and finally (c) concludes with one of several recommendations to resolve the cybersecurity loophole.

ADA Title III

The ADA was enacted to prohibit discrimination against individuals based on their disabilities. The ADA defines disability as “a physical or mental impairment that substantially limits one or more major life activities.” Some of those major life activities are seeing, hearing, speaking, learning, communicating, and walking. While enacting this legislation, Congress declared that “physical or mental disabilities in no way diminish a person’s right to fully participate in all aspects of society, yet many people with physical or mental disabilities have been precluded from doing so because of discrimination.” In the physical world this is bathroom stalls that are not wheelchair accessible or a lack of handicap parking. In the virtual world, From the ratification of the ADA until 2017, Title III offenses were limited to physical structures and to the limited list of private entities whose operations affect commerce that are classified by one of its twelve definitions. Each definition encompasses a number of business types that provide similar services, such as “(B) a restaurant, bar, or other establishment serving food or drink;” “(E) a bakery, grocery store, clothing store, hardware store, shopping center, or other sales or rental establishment;” or even “(F) a laundromat, dry-cleaner, bank, barber shop, beauty shop, travel service, shoe repair service, funeral parlor, gas station, office of an accountant or lawyer, pharmacy, insurance office, professional office of a healthcare provider, hospital, or other service establishment.” Examples of (B) would be Five Guys, Hooters, Domino’s Pizza, or a local diner. Examples of (E) would be a Winn-Dixie, Hobby Lobby, or local flower shop. Examples of (F) Winn-Dixie’s Pharmacy, Metropolitan Life Insurance, or any lawyer’s office. To state a claim for relief under Title III of the ADA, a plaintiff “must allege (1) that [he] is disabled within the meaning of the ADA; (2) that defendants own, lease, or operate a place of public accommodation; and (3) that defendants discriminated against [him] by denying [him] a full and equal opportunity to enjoy the services defendants provide.”

Appellate courts are split as to whether the provisions of the ADA, mainly those involving places of public accommodation under Title III, apply to online technology such as websites. The Third, Sixth, Ninth, and Eleventh Circuits follow the approach that Title III applies to the services of a place of public accommodation and not limited to services only in the place of accommodation. In other words, Title III applies if there is sufficient nexus between the website and the physical location. However, if the physical location is not a place of public accommodation, then neither need be its website. This is in contrast to the First and Seventh Circuit which broadly applies the ADA and does not limit its interpretation to a physical structure. The United States District Court, Southern District of New York, has started leaning toward following the First Circuit, but in the September, 2024 decision handed down by Laura Taylor Swain, Chief United States District Judge, in Meija v. HIgh Brew Coffee, Inc, this trend has been restrained. In her decision, Judge Swain stated the “Second Circuit has not squarely addressed the question of whether a website, absent a connection to a physical location, constitutes a place of public accommodation.” She then ruled “the Court finds that a stand-alone website is not a place of public accommodation under Title III of the ADA. Plaintiff thus fails to state a claim on which relief may be granted under the ADA. Because Plaintiff fails to state a claim under the ADA, Count III’s request for declaratory relief is also dismissed.” This is the latest precedent in New York federal courts, and although not controlling is strongly influential in what circumstances must a website be considered a place of public accommodation in New York.

ADA website litigation has evolved into a form of legal and financial exploitation that parallels cybercrime. These cases are frequently initiated by high-volume plaintiffs or law firms relying on automated tools to identify “violations.” This strategy mirrors the methodology of cybercriminals, who deploy bots to find vulnerabilities in software or systems.

Just as cybercriminals exploit software loopholes, opportunistic litigants exploit the lack of detailed federal regulations on website accessibility standards under the ADA. ADA Title III website accessibility claims have grown exponentially with over 4,000/year since 2021, and New York eclipsing all other states. In September 2024, there were 342 Lawsuits filed, with 65% of them filed in New York. More importantly, these claims are filed by a handful of plaintiffs and firms. A small group of plaintiffs is responsible for a significant portion of lawsuits filed under the Americans with Disabilities Act (ADA), 31 Plaintiff Firms File 50% of ADA Website Accessibility Lawsuits. Many ADA lawsuits are resolved through settlements because defending these cases can cost small businesses tens of thousands of dollars. This “settle or go bankrupt” dynamic is akin to ransomware attacks. Emerging markets, such as the cannabis industry in NY and NJ, are disproportionately affected due to their limited resources and regulatory challenges. These businesses already navigate complex state and federal laws, making them prime targets for predatory litigation. Even with settlements under $25,000, that would still mean that these cases will cost approximately $100 million. Although small compared to the $42 billion from ransomware attacks in the United States, it is yet another potential cyber attack vector that businesses and their IT staff has to worry about.

As I outlined in my 2021 paper “The ADA and website accessibility: a technical problem without a technical understanding,” website accessibility cases are rarely decided on the merits of the claim. The courts have consistently taken the position as was indicated in the Winn-Dixie 2017 court, stating that “[r]emediation measures in conformity with the WCAG 2.0 Guidelines will provide Gil and other visually impaired consumers the ability to access Winn-Dixie’s website and permit full and equal enjoyment of the services, facilities, privileges, advantages, and accommodations provided through Winn-Dixie’s website.”

WCAG

Web Content Accessibility Guidelines (“WCAG”) 2 is developed through the World Wide Web Consortium (“W3C”) in cooperation with individuals and organizations around the world, with a goal of providing a single shared standard for web content accessibility that meets the needs of individuals, organizations, and governments internationally. The guidelines are a set of internationally recognized standards developed through the Web Accessibility Initiative (“WAI”). WCAG provides guidelines for making web content more accessible to people with disabilities, including those with visual, auditory, cognitive, and motor impairments. WCAG is often referenced in legal frameworks, including: (a)

Americans with Disabilities Act (“ADA”) in the U.S. (as applied to websites via case law), (b) Section 508 of the Rehabilitation Act (this applies to U.S. federal agencies and contractors), (c) European Accessibility Act (EAA) and EN 301 549 (European Union), and (d) other national and regional accessibility laws worldwide.

Key aspects of WCAG focus on being (a) perceivable, (b) operable, (c) understandable, and (d) robust.

Perceivable – Content must be presented in a way that users can perceive, including alternatives for non-text content (e.g., captions for videos, text descriptions for images).
Operable – Users must be able to interact with and navigate the content, ensuring functionality via a keyboard and providing sufficient time for interactions.
Understandable – Information and user interface components must be clear and predictable.
Robust – Content must be accessible across various technologies, including assistive devices.

Despite these guidelines, there is no set standard for how compatible a website has to be in order to be ADA compliant. What appears in complaints are elements or attributes that are missing or incomplete. In some cases, the lack of these elements or attributes are very detrimental to a disabled person’s use of a site because their screen readers cannot extract conveyable information without these values. An example of this is a picture (“image” in HTML) that does not contain the title attribute. This attribute contains the text description of the picture that appears when a visual user mouses over the image, it is lao what screen readers use to describe the picture in audio. However, there are also many references to elements or attributes missing that may or may not create issues for the screen readers. One such HTML construct is the ARIA attributes. Accessible Rich Internet Applications (ARIA) is a set of roles and attributes that define ways to make web content and web applications (especially those developed with JavaScript) more accessible to people with disabilities. Based on this definition, it should be obvious that it should be used without fail, and many website accessibility evaluation services like Google Lighthouse and WAVE will report on these when missing. Ironically, the first rule of ARIA use is “If you can use a native HTML element or attribute with the semantics and behavior you require already built in, instead of re-purposing an element and adding an ARIA role, state or property to make it accessible, then do so.”

These claims do contain accessibility evaluation reports that reflect the count of missing parts in order to support the claim that the site is not accessible to their plaintiff on the day in question. This is a step forward in making the claims more substantive, but it does not actually prove the site was not accessible as the plaintiff claims. The real world equivalent would be similar to indicating that NOT ALL of the parking spots are handicap accessible. In the real world, with the rare exception of less than 10 spots, the number of accessible spots does not exceed 10%. So to indicate that certain elements and attributes are not present is equivalent to pointing out the non-accessible spots with no regard to the number or nearness of the accessible ones.

Come back soon to read Part Two

Bot Code, Norms, and Law

There’s a good post on Dark Reading by Ido Safruti about norms and etiquette for bot code. According to Imperva’s most recent bot traffic report, bots comprise the majority of Internet traffic. May bots are intentionally disruptive or misleading — for example, bots that create comment link spam on blogs. Others are useful — for example, they, allow a search engine to index web pages. Even useful bots can be disruptive, such as by using up site capacity, and the robots.txt standard has been developed so that site owners can limit or exclude bot traffic.

Safruti provides the following guidelines for ethical bot code:

1. Declare who you are;
2. Provide a method to accurately identify your bot;
3. Follow robots.txt;
4. Don’t be too aggressive.

These are sound guidelines, but my lawyer Spidey sense wonders how they might translate into legal norms, or whether they should become legal norms. The most immediate way in which guidelines like this can become part of legal norms is through a contractual terms of use. I’m not sure a terms of use would be enforceable either as a legal or practical matter against unwanted bots, not least because the measure of contractual damages would be unclear. There’s an interesting 2001 case in the First Circuit finding a Computer Fraud and Abuse Act violation for bot use, but the facts are quirky and it seems to me perhaps wrongly decided. Perhaps guidelines like Safruti’s provide a standard of care for a tort claim if an unwanted bot causes a business interruption, though in states where the economic loss doctrine applies this would produce an difficult question about whether slowing a website is a kind of compensable property damage. Guidelines like this could also be incorporated into a regulatory regime, which the Internet community as a whole might not find palatable.

Microsoft and the Law of the Cloud

Microsoft is waging a multi-front legal war over control of the “cloud.” The Second Circuit recently handed Microsoft a battlefield victory in a case captioned In the Matter of a Warrant to Search a Certain E-Mail Account Controlled and Maintained by Microsoft Corporation, — F.3d —, 2016 WL 3770056 (2^nd Cir. 2016).

The case concerns the Stored Communications Act (SCA), which is part of the Electronic Communications Privacy Act (ECPA), 18 U.S.C. §§ 2510 et seq., 18 U.S.C. §§ 2701 et seq., and 18 U.S.C. §§ 3121 et seq. The SCA was enacted in 1986. Microsoft Corp., 2016 WL 3770056 at *6. The SCA limits the circumstances under which a service provider can disclose to third parties, including the government, information about an electronic communication or the contents of an electronic communication. See id. at 7. The government can obtain non-content information about a communication, such as subscriber and transactional information, through an administrative subpoena or court order on a showing lower than probable cause. See id. at *7 (citing 18 U.S.C. §§ 2703(c)(2), (d)). For content information, the government must obtain a warrant on probable cause or, under some circumstances, under a court order with notice to the subscriber. See id. (citing 18 U.S.C. §§ 2703(a), (b)(1)(A)). When a warrant is required, the SCA states that the warrant must be issued “using the procedures described in the Federal Rules of Criminal Procedure (or, in the case of a State court, issued using State warrant procedures) by a court of competent jurisdiction.” See id. (citing 18 U.S.C. §2703(a)).

The dispute in this case arose when Microsoft moved to quash an SCA warrant served on Microsoft in Washington for the contents of customer emails stored on a Microsoft Outlook server located in Ireland. Outlook is part of Microsoft’s “’enterprise cloud service offerings.’” See id. at *2. Emails sent and received through Outlook are stored on servers located in one or more of over 100 data centers owned or leased by Microsoft in over 40 countries. See id. The “cloud” is simply a network of dispersed data centers such as Microsoft’s Outlook server network. Microsoft explained to the court that a customer’s emails usually are stored in a data center located in the country of residence given by the customer. Id.

In its motion to quash, Microsoft argued that a search warrant cannot have extraterritorial effect. Microsoft admitted, however, that it can access and collect email content from any of its data centers using a database management program in the U.S. See id. at *3. The Magistrate denied the motion to quash, and the District Court affirmed. Id. at 4. The Second Circuit reversed.

As the Second Circuit noted, the “Internet” barely existed in 1986, and the World Wide Web was not created until 1990. Id. The SCA therefore was adopted in a very different technological context than today’s networked world. In particular, there was no universally accessible email, and what we today call the “cloud” was only a gleam in the eyes of some science fiction writers thirty years ago. The court noted that there is a presumption against extraterritorial application of statutes. Id. at *9. Since the SCA specifically referred to search warrants under the Federal Rules of Criminal Procedure, the court held, the territorial limits on such search warrants should apply to warrants under the SCA. Id. at *11-12. Although a “subpoena” can have greater extraterritorial reach than a “warrant,” the Second Circuit rejected the government’s argument that a “warrant” under the SCA is more like an administrative subpoena than a search warrant. Id. at *12-14.

Judge Gerard Lynch wrote a separate opinion concurring in the judgment. Judge Lynch believed “the government’s arguments are stronger than the Court’s opinion acknowledges” and further wished “to emphasize the need for congressional action to revise a badly outdated statute.” Id. at *19. Judge Lynch noted that there was no dispute about the government’s showing of probable cause or about Microsoft’s ability to access the records in the U.S. Id. at *20. He also was concerned that the choice of data center location was based on the customer’s self-reported location, which could be inaccurate or even intentionally misleading to evade law enforcement. Id. Contrary to some of Microsoft’s arguments, Judge Lynch did not believe the case presented any substantive privacy issue because the “’records’ are electronic zeros and ones that can be moved around the world in seconds, and will be so moved whenever it suits the convenience or commercial purposes of the company.” Id. at 21. Nevertheless, Judge Lynch felt bound to agree with that court’s statutory interpretation in light of the presumption against extraterritoriality. Id. He concluded by suggesting that Congress can and should amend the SCA to extend the reach of SCA warrants to data accessible to U.S. companies in the U.S. even if stored in cloud servers located outside the U.S. Id. at 26.

Microsoft is presently litigating a separate case in the District of Washington, joined by the American Civil Liberties Union, challenging the constitutionality of parts of the SCA that allow the government to obtain subscriber and content information from Microsoft without notice to Microsoft’s customer. See Microsoft v. U.S. Dep’t of Justice, No. 2:16-cv-00538-JLR (D. Wash.), filed April 14, 2016. In its Complaint in that case, Microsoft states that “Cloud computing has spurred [a] profound change in the storage of private information” and that the government, using the SCA, “has exploited the transition to cloud computing as a means of expanding its power to conduct secret investigations.” Id., Complaint for Declaratory Judgment, ¶ ¶ 2-3. For Microsoft, and some other Silicon Valley companies, the cloud should become a domain in which service providers have a kind of jurisdiction to safeguard consumer privacy against governments. But governments, including the U.S., argue that individuals who store their data with commercial cloud providers have already given up their privacy and that a handful of large information service providers cannot dictate national policy about criminal investigations and terrorism prevention. This dispute will undoubtedly continue to work its way through the courts and Congress in coming years.

[google-drive-embed url=”https://drive.google.com/file/d/0BzS0leqU862xbHlmR2pJa2dra0U/preview?usp=drivesdk” title=”microsoftcertified.pdf” icon=”https://ssl.gstatic.com/docs/doclist/images/icon_12_pdf_list.png” width=”100%” height=”400″ style=”embed”]

[google-drive-embed url=”https://drive.google.com/file/d/0BzS0leqU862xQUs4S3Z6dkg5SEk/preview?usp=drivesdk” title=”microsftdj.pdf” icon=”https://ssl.gstatic.com/docs/doclist/images/icon_12_pdf_list.png” width=”100%” height=”400″ style=”embed”]

Internet Law and Governance: Some Materials

I’m teaching a module on Internet Law and Governance at Seton Hall Law School again this semester. Here is some of the introductory material for this week, including a video lecture I created:

For our first class, we will discuss some basic principles of Internet “governance.” I put “governance” in quotes here because, as you will see, there is no single source of legal norms for the Internet. Much of the “law” of the Internet is what we call “soft law” — that is, a relatively loose collection of principles and standards held together mostly by contractual relationships.

My experience teaching this material to law students over the past few years has shown that it can be a bit frustrating for you to get a handle on what you are supposed to be learning. By now, you are used to areas of law governed by a somewhat coherent set of Constitutional, common law, and/or statutory and regulatory principles, from which you can derive legal tests for liability or compliance that can be applied by courts. That is not, usually, how Internet governance works. Internet governance is fuzzy. If you continue on and take any of the other modules in our “Cybersecurity” or “New Media” sequence, however, you’ll see that having a sense of the contours of this fuzziness is important to the more specific legal issues arising from things like copyright in YouTube videos or government e-mail surveillance. So, for now, enjoy the ride.

ICANN’s Transition Proposal

You may have heard of “ICANN” in connection with procedures for resolving domain name disputes. What you may not realize is that ICANN is at the heart of “Internet governance,” and that even today there is a heated dispute about whether the United States government should retain any ongoing oversight of ICANN’s functions.

“ICANN” stands for the Internet Corporation for Assigned Names and Numbers. Every device connected to the Internet is assigned a unique Internet Protocol (“IP”) address. Under a standard first developed in 1983 (called the Internet Protocol Version 4, or IPv4), long before the Internet was commercially available and long before there was a World Wide Web, an IP address consists of a 32-bit (4-byte) number comprised of four blocks (1 byte per block). Because the available number space was becoming exhausted, a newer standard, IPv6, was adopted, which increased the address to 128 bits comprised of 16 blocks, but IPv4 is still the most widely used protocol.

The following graphic shows a typical IPv4 address, with both binary and dotted-decimal notation:

(Graphic source: Wikimedia Commons). In general, the first two blocks specify a network (the network identifier) and the last two blocks specify a host or machine (the host identifier). In the example above, the network identifier 172.16 would indicate a private network such as an intranet, and the host identifier 254.1 would identify a computer or device connected to that local network. If you have ever had to fiddle with your home or office computer network, you have probably seen IP addresses in the dotted-decimal notation representing the addresses of your printers and other devices.

Numeric addresses are difficult for most humans to remember. This is not a problem for things like the printer on your home network — you simply configure the network server to remember such things for you. It is a problem on the World Wide Web, if we want to remember, or conduct searches for, the content that interests us. This is where the where “domain names” come into play. The Domain Name System, or DNS, establishes the hierarchy of words and symbols that relate to numeric IP addresses. For example, the domain name “Google.com” brings you to Google’s home page. It is much easier to remember “Google.com” than the site’s IP address (172.217.1.206, as identified through a “Whois” IP lookup). Obviously, if “Google.com” does not consistently resolve to the IP address 172.217.1.206, the web will cease to function. The DNS is a vital part of how people and organizations identify their “space” in cyberspace.

With over one billion pages on the web today (according to http://www.internetlivestats.com/total-number-of-websites/), the administration and security of the system for registering, recording, transferring and protecting domain names obviously is complex. The question of whether to approve new “Top Level Domains (TLDs)” – that is, the part of a domain name to the right of the last dot, such as .com or .gov – can be contentious because such domains can be used to stake out a new “location” in cyberspace. Until 2012, ICANN strictly restricted the issuance of new “generic” top level domains (gTLDs), but under ICANN’s present rules new gTLDs are much easier to obtain, with about 1,300 new gTLDs now approved and more to come. Here is an amusing ICANN video describing this process:

These administrative and oversight functions are ICANN’s role. It is fair to say, then, that ICANN oversees a core system of protocols that makes the Internet possible. The global information and communication system that underpins every aspect of our global society depends on the governance functions ICANN performs.

But ICANN is not an agency of any national government or international treaty body. ICANN is not an arm of the United Nations, the World Trade Organization, the World Intellectual Property Organization, or any other transnational organization established by agreement of various nation-states. Instead, ICANN is a California non-profit corporation first established in 1998. It operates under a “multi-stakeholder” model that includes input from volunteers serving on numerous working groups, overseen by a Board of Directors comprised of 16 individual voting members. See “A Quick Look at ICANN.”

Why is this vital Internet governance function run by a California non-profit corporation? The name and number functions we have been discussing (referred to as the Internet Assigned Numbers Authority, or IANA, functions) originally were managed by a single individual, John Postel, who was a computer science researcher at UCLA and USC. Postel helped create an early packet switching network, the Advanced Research Projects Agency Network, or ARPANET, funded by the U.S. Defense Department, which was a forerunner to today’s Internet. ARPANET may have been funded by the DOD in part over concerns about maintaining military communications in the event of nuclear war. Although the connection to fears of nuclear war are debated, there is no doubt that the ARPANET was a cold-war era defense project. The U.S. federal government therefore had a vital role in the early development of the Internet.

When Postel decided he could no longer handle the domain name functions himself, the U.S. Department of Commerce’s National Telecommunications and Information Administration (NTIA) instituted a rulemaking for this function that led to the creation of ICANN. From its inception, ICANN operated under a contractual arrangement with the U.S. Department of Commerce. ICANN therefore derives its legal authority from California corporate law and its contract with the U.S. Department of Commerce.

To many participants, particularly outside the U.S., this historical arrangement suggests that ultimately the U.S. government holds too much power over the DNS without adequate checks and balances. In response to these concerns, the Obama administration announced in March, 2014 that it would relinquish control of the DNS to the global multi-stakeholder Internet community. A plan for this transition was developed by ICANN and was submitted to the NTIA on March 10, 2016.

The planning process was coordinated by a group “comprised of 30 individuals representing 13 communities.” Id., ¶ X002. That should be an astonishing statement: 30 people were in charge of planning this core function of Internet governance! This group included executives from companies such as Oracle, Cisco, Verisign and GoDaddy, academics, entrepreneurs, and representatives of country domain registries. Id., n. 2 and http://www.ianacg.org/coordination-group/icg-members/.

The ICAAN plan runs to 210 pages of single-spaced type and 3,115 numbered paragraphs, with an Executive Summary that loosely ties together separately drafted proposals from the “Domain Names Community,” the “Internet Number Community,” and the “Protocol Parameters Registry Community.” It contains many paragraphs that read like this: “Following exhaustion of the foregoing escalation mechanisms, the ccNSO and GNSO will be responsible for determining whether or not a Special IFR is necessary.” See ICANN Plan, ¶ 1303. If all of these sounds like a proposal put together by engineers rather than lawyers – it is. Perhaps that is a good thing, but many questions about representation and accountability remain.

The ICAAN Plan did include some new accountability mechanisms to address concerns about the openness of ICANN’s processes. For example, paragraph 1106 of the Domain Names Community’s part of the proposal states that the mutistakeholder community would have the ability to appoint and remove ICANN Board members, to oversee key Board decisions, and to approve amendments to ICANN’s fundamental bylaws. This part of the proposal was consistent with an Accountability Report released by a different ICANN working group in February, 2016. But, of course, none of this is analogous to a citizen’s rights in a constitutional government. It is more analogous to how shareholders might have some say in the governance of a private membership organization. The ICAAN proposal does not contemplate that any governmental or inter-governmental organization will take on the role previously played by the U.S. Commerce Department. See ICANN Plan, ¶ X028.

On June 9, 2016, the NTIA released an Assessment Report finding that the ICANN plan met the NTIA’s criteria for a working transition plan. In particular, the NTIA Assessment found that the transition plan would satisfy the following requirements:

Support and enhance the multi-stakeholder model;

Maintain the security, stability, and resiliency of the Internet DNS;

Meet the needs and expectations of the global customers and partners of the IANA services; and

Maintain the openness of the Internet.

Most technology industry players also support ICANN’s plan. At the same time, some commentators and U.S. lawmakers are not as willing as President Obama or the NTIA to cede U.S. control over the DNS. On June 8, 2016, Representative Sean Duffy (R-WI) and Senator Ted Cruz (R-TX) introduced the “Protecting Internet Freedom Act,” which would prohibit the NTIA from allowing its contract with ICANN to expire. See S. 3034 and H.R. 5418, 114th Cong., 2d Sess., June 8, 2016. This bill would also require the Commerce Department to secure permanent U.S. ownership of the .gov and .mil domain top-level domains. Id., sec 4. This Bill echoes concerns by commentators such as Kristian Stout, Associate Director for Innovation Policy with the International Center for Law and Economics, stated that under the ICANN plan, “several fundamental governance issues remain outstanding, including ICANN’s ability to thwart threats of foreign government intrusion, its willingness and ability to ensure a basic level of contractual compliance and respect for property rights among registrars and registries, and its avoidance of antitrust risk.” S

Unless some legislative or Executive action is taken, which seems unlikely, the NTIA contract with ICAAN will expire according to its own terms on September 30, 2016. This will mark another milestone, for better or worse, along the path towards the creation of a global critical infrastructure resource that is managed primarily by consensus (social norms) and contracts (private law) rather than by national and international public law.

Sikhs for Justice v. Facebook: Site Blocking

The ability of an ISP or social media site to block access to controversial or inflammatory content is a difficult issue at the intersection of cybersecurity and Internet governance. In a case just decided by Judge Lucy Koh in the Northern District of California, Facebook won dismissal on the pleadings of Sikhs for Justice’s (“SFJ”) claim that Facebook blocked access to SFJ’s page in India.

SJF’s claim was based on Title II of the Civil Rights Act of 1964, 42 U.S.C. § 2000a, which provides that “[a]ll persons shall be entitled to the full and equal enjoyment of the goods, services, facilities, privileges, advantages, and accommodations of any place of public accommodation . . . without discrimination or segregation on the ground of race, color, religion, or national origin.”

The court held that SJF’s Title II claim is barred by the Communications Decency Act (“CDA”), 47 U.S.C. § 230. This holding was consistent with other cases holding that ISPs are publishers entitled to CDA immunity.

Cases like this are important for Internet governance because of the gate keeping role played by large ISPs, search providers, and social media sites such as Facebook. If these gate keepers can arbitrarily block access to sites a government finds objectionable, traditional political sovereigns can exercise significant control over the Internet. On the other hand, if these gate keepers cannot accede to the wishes of governments in territories where they have users without threat of liability elsewhere, users in one country (such as the U.S.) could use local law to thwart the policies of another country (such as India).

[google-drive-embed url=”https://drive.google.com/file/d/0BzS0leqU862xdUhxTWdzYzNjWHc/preview?usp=drivesdk” title=”sikhsforjustice.pdf” icon=”https://ssl.gstatic.com/docs/doclist/images/icon_12_pdf_list.png” width=”100%” height=”400″ style=”embed”]