Legal Distortion: How ADA Web Lawsuits Mimic Cybercrime – Part One

Introduction

In recent years, a surge of Americans with Disabilities Act of 1990 (“ADA”) Title III website accessibility complaints has flooded the federal court system. While the ADA is a critical tool for ensuring equitable access, many of these cases lack genuine merit. Instead, they exploit legal ambiguities, overwhelming small businesses, as well as the federal courts, with predatory lawsuits. A prime example of this is Primitivo Robles v. The Other Side Dispensary, LLC, a case emblematic of the broader issue of invalid ADA website complaints. This paper explores this case to highlight how these lawsuits pose a threat not only to legitimate accessibility advocacy but also to emerging industries like cannabis in New York and New Jersey. Further, it argues that ADA website complaints have a significant cybersecurity and cybercrime dimension.  This paper is broken down into three sections which (a) explains what and how a website should be accessible and what does it mean not to be, (b) looks at a case through the lens of the Robles claim, and finally (c) concludes with one of several recommendations to resolve the cybersecurity loophole.  

ADA Title III 

The ADA was enacted to prohibit discrimination against individuals based on their disabilities. The ADA defines disability as “a physical or mental impairment that substantially limits one or more major life activities.” Some of those major life activities are seeing, hearing, speaking, learning, communicating, and walking. While enacting this legislation, Congress declared that “physical or mental disabilities in no way diminish a person’s right to fully participate in all aspects of society, yet many people with physical or mental disabilities have been precluded from doing so because of discrimination.” In the physical world this is bathroom stalls that are not wheelchair accessible or a lack of handicap parking.  In the virtual world, From the ratification of the ADA until 2017, Title III offenses were limited to physical structures and to the limited list of private entities whose operations affect commerce that are classified by one of its twelve definitions.  Each definition encompasses a number of business types that provide similar services, such as “(B) a restaurant, bar, or other establishment serving food or drink; “(E) a bakery, grocery store, clothing store, hardware store, shopping center, or other sales or rental establishment;” or even “(F) a laundromat, dry-cleaner, bank, barber shop, beauty shop, travel service, shoe repair service, funeral parlor, gas station, office of an accountant or lawyer, pharmacy, insurance office, professional office of a healthcare provider, hospital, or other service establishment.  Examples of (B) would be Five Guys, Hooters, Domino’s Pizza, or a local diner.  Examples of (E) would be a Winn-Dixie, Hobby Lobby, or local flower shop.  Examples of (F) Winn-Dixie’s Pharmacy,  Metropolitan Life Insurance, or any lawyer’s office.  To state a claim for relief under Title III of the ADA, a plaintiff “must allege (1) that [he] is disabled within the meaning of the ADA; (2) that defendants own, lease, or operate a place of public accommodation; and (3) that defendants discriminated against [him] by denying [him] a full and equal opportunity to enjoy the services defendants provide.”

Appellate courts are split as to whether the provisions of the ADA, mainly those involving places of public accommodation under Title III, apply to online technology such as websites.  The Third, Sixth, Ninth, and Eleventh Circuits follow the approach that Title III applies to the services of a place of public accommodation and not limited to services only in the place of accommodation. In other words, Title III applies if there is sufficient nexus between the website and the physical location. However, if the physical location is not a place of public accommodation, then neither need be its website.  This is in contrast to the First and Seventh Circuit which broadly applies the ADA and does not limit its interpretation to a physical structure. The United States District Court, Southern District of New York, has started leaning toward following the First Circuit, but in the September, 2024 decision handed down by Laura Taylor Swain, Chief United States District Judge, in Meija v. HIgh Brew Coffee, Inc, this trend has been restrained.  In her decision, Judge Swain stated the “Second Circuit has not squarely addressed the question of whether a website, absent a connection to a physical location, constitutes a place of public accommodation.” She then ruled “the Court finds that a stand-alone website is not a place of public accommodation under Title III of the ADA. Plaintiff thus fails to state a claim on which relief may be granted under the ADA. Because Plaintiff fails to state a claim under the ADA, Count III’s request for declaratory relief is also dismissed.”  This is the latest precedent in New York federal courts, and although not controlling is strongly influential in what circumstances must a website be considered a place of public accommodation in New York.

ADA website litigation has evolved into a form of legal and financial exploitation that parallels cybercrime. These cases are frequently initiated by high-volume plaintiffs or law firms relying on automated tools to identify “violations.” This strategy mirrors the methodology of cybercriminals, who deploy bots to find vulnerabilities in software or systems.  

Just as cybercriminals exploit software loopholes, opportunistic litigants exploit the lack of detailed federal regulations on website accessibility standards under the ADA.  ADA Title III website accessibility claims have grown exponentially with over 4,000/year since 2021, and New York eclipsing all other states.  In September 2024, there were 342 Lawsuits filed, with 65% of them filed in New York.  More importantly, these claims are filed by a handful of plaintiffs and firms. A small group of plaintiffs is responsible for a significant portion of lawsuits filed under the Americans with Disabilities Act (ADA), 31 Plaintiff Firms File 50% of ADA Website Accessibility Lawsuits.  Many ADA lawsuits are resolved through settlements because defending these cases can cost small businesses tens of thousands of dollars. This “settle or go bankrupt” dynamic is akin to ransomware attacks. Emerging markets, such as the cannabis industry in NY and NJ, are disproportionately affected due to their limited resources and regulatory challenges. These businesses already navigate complex state and federal laws, making them prime targets for predatory litigation.  Even with settlements under $25,000, that would still mean that these cases will cost approximately $100 million. Although small compared to the $42 billion from ransomware attacks in the United States, it is yet another potential cyber attack vector that businesses and their IT staff has to worry about.

As I outlined in my 2021 paper “The ADA and website accessibility: a technical problem without a technical understanding,” website accessibility  cases are rarely decided on the merits of the claim.  The courts have consistently taken the position as was indicated in the Winn-Dixie 2017 court, stating that “[r]emediation measures in conformity with the WCAG 2.0 Guidelines will provide Gil and other visually impaired consumers the ability to access Winn-Dixie’s website and permit full and equal enjoyment of the services, facilities, privileges, advantages, and accommodations provided through Winn-Dixie’s website.”

WCAG

Web Content Accessibility Guidelines (“WCAG”) 2 is developed through the World Wide Web Consortium (“W3C”) in cooperation with individuals and organizations around the world, with a goal of providing a single shared standard for web content accessibility that meets the needs of individuals, organizations, and governments internationally.  The guidelines are a set of internationally recognized standards developed through the Web Accessibility Initiative (“WAI”). WCAG provides guidelines for making web content more accessible to people with disabilities, including those with visual, auditory, cognitive, and motor impairments. WCAG is often referenced in legal frameworks, including: (a) 

Americans with Disabilities Act (“ADA”) in the U.S. (as applied to websites via case law), (b) Section 508 of the Rehabilitation Act (this applies to U.S. federal agencies and contractors), (c) European Accessibility Act (EAA) and EN 301 549 (European Union), and (d) other national and regional accessibility laws worldwide.

Key aspects of WCAG focus on being (a) perceivable, (b) operable, (c) understandable, and (d) robust.

  • Perceivable – Content must be presented in a way that users can perceive, including alternatives for non-text content (e.g., captions for videos, text descriptions for images).
  • Operable – Users must be able to interact with and navigate the content, ensuring functionality via a keyboard and providing sufficient time for interactions.
  • Understandable – Information and user interface components must be clear and predictable.
  • Robust – Content must be accessible across various technologies, including assistive devices.

Despite these guidelines, there is no set standard for how compatible a website has to be in order to be ADA compliant.  What appears in complaints are elements or attributes that are missing or incomplete.  In some cases, the lack of these elements or attributes are very detrimental to a disabled person’s use of a site because their screen readers cannot extract conveyable information without these values. An example of this is a picture (“image” in HTML) that does not contain the title attribute. This attribute contains the text description of the picture that appears when a visual user mouses over the image, it is lao what screen readers use to describe the picture in audio.  However, there are also many references to elements or attributes missing that may or may not create issues for the screen readers.  One such HTML construct is the ARIA attributes.  Accessible Rich Internet Applications (ARIA) is a set of roles and attributes that define ways to make web content and web applications (especially those developed with JavaScript) more accessible to people with disabilities.  Based on this definition, it should be obvious that it should be used without fail, and many website accessibility evaluation services like Google Lighthouse and WAVE will report on these when missing.  Ironically, the first rule of ARIA use is “If you can use a native HTML element or attribute with the semantics and behavior you require already built in, instead of re-purposing an element and adding an ARIA role, state or property to make it accessible, then do so.”  

These claims do contain accessibility evaluation reports that reflect the count of missing parts in order to support the claim that the site is not accessible to their plaintiff on the day in question. This is a step forward in making the claims more substantive, but it does not actually prove the site was not accessible as the plaintiff claims.  The real world equivalent would be similar to indicating that NOT ALL of the parking spots are handicap accessible. In the real world, with the rare exception of less than 10 spots, the number of accessible spots does not exceed 10%.  So to indicate that certain elements and attributes are not present is equivalent to pointing out the non-accessible spots with no regard to the number or nearness of the accessible ones.

Come back soon to read Part Two

Bot Code, Norms, and Law

There’s a good post on Dark Reading by Ido Safruti about norms and etiquette for bot code.  According to Imperva’s most recent bot traffic report, bots comprise the majority of Internet traffic.  May bots are intentionally disruptive or misleading — for example, bots that create comment link spam on blogs.  Others are useful — for example, they, allow a search engine to index web pages.  Even useful bots can be disruptive, such as by using up site capacity,  and the robots.txt standard has been developed so that site owners can limit or exclude bot traffic.

Safruti provides the following guidelines for ethical bot code:

1.  Declare who you are;
2. Provide a method to accurately identify your bot;
3.  Follow robots.txt;
4.  Don’t be too aggressive.  

These are sound guidelines, but my lawyer Spidey sense wonders how they might translate into legal norms, or whether they should become legal norms.  The most immediate way in which guidelines like this can become part of legal norms is through a contractual terms of use.  I’m not sure a terms of use would be enforceable either as a legal or practical matter against unwanted bots, not least because the measure of contractual damages would be unclear.  There’s an interesting 2001 case in the First Circuit finding a Computer Fraud and Abuse Act violation for bot use, but the facts are quirky and it seems to me perhaps wrongly decided.  Perhaps guidelines like Safruti’s provide a standard of care for a tort claim if an unwanted bot causes a business interruption, though in states where the economic loss doctrine applies this would produce an difficult question about whether slowing a website is a kind of compensable property damage.  Guidelines like this could also be incorporated into a regulatory regime, which the Internet community as a whole might not find palatable.

 

Microsoft and the Law of the Cloud

Microsoft is waging a multi-front legal war over control of the “cloud.”  The Second Circuit recently handed Microsoft a battlefield victory in a case captioned In the Matter of a Warrant to Search a Certain E-Mail Account Controlled and Maintained by Microsoft Corporation, — F.3d —, 2016 WL 3770056 (2nd Cir. 2016).

The case concerns the Stored Communications Act (SCA), which is part of the Electronic Communications Privacy Act (ECPA), 18 U.S.C. §§ 2510 et seq., 18 U.S.C. §§ 2701 et seq., and 18 U.S.C. §§ 3121 et seq.  The SCA was enacted in 1986.  Microsoft Corp., 2016 WL 3770056 at *6.  The SCA limits the circumstances under which a service provider can disclose to third parties, including the government, information about an electronic communication or the contents of an electronic communication.  See id. at 7.  The government can obtain non-content information about a communication, such as subscriber and transactional information, through an administrative subpoena or court order on a showing lower than probable cause.  See id. at *7 (citing 18 U.S.C. §§ 2703(c)(2), (d)).  For content information, the government must obtain a warrant on probable cause or, under some circumstances, under a court order with notice to the subscriber.  See id. (citing 18 U.S.C. §§ 2703(a), (b)(1)(A)).  When a warrant is required, the SCA states that the warrant must be issued “using the procedures described in the Federal Rules of Criminal Procedure (or, in the case of a State court, issued using State warrant procedures) by a court of competent jurisdiction.”  See id. (citing 18 U.S.C. §2703(a)).

The dispute in this case arose when Microsoft moved to quash an SCA warrant served on Microsoft in Washington for the contents of customer emails stored on a Microsoft Outlook server located in Ireland.  Outlook is part of Microsoft’s “’enterprise cloud service offerings.’”  See id. at *2.  Emails sent and received through Outlook are stored on servers located in one or more of over 100 data centers owned or leased by Microsoft in over 40 countries.  See id.  The “cloud” is simply a network of dispersed data centers such as Microsoft’s Outlook server network.  Microsoft explained to the court that a customer’s emails usually are stored in a data center located in the country of residence given by the customer.  Id. 

In its motion to quash, Microsoft argued that a search warrant cannot have extraterritorial effect.  Microsoft admitted, however, that it can access and collect email content from any of its data centers using a database management program in the U.S.  See id. at *3.  The Magistrate denied the motion to quash, and the District Court affirmed.  Id. at 4.  The Second Circuit reversed.

As the Second Circuit noted, the “Internet” barely existed in 1986, and the World Wide Web was not created until 1990.  Id.  The SCA therefore was adopted in a very different technological context than today’s networked world.  In particular, there was no universally accessible email, and what we today call the “cloud” was only a gleam in the eyes of some science fiction writers thirty years ago.  The court noted that there is a presumption against extraterritorial application of statutes.  Id. at *9.  Since the SCA specifically referred to search warrants under the Federal Rules of Criminal Procedure, the court held, the territorial limits on such search warrants should apply to warrants under the SCA.  Id. at *11-12.  Although a “subpoena” can have greater extraterritorial reach than a “warrant,” the Second Circuit rejected the government’s argument that a “warrant” under the SCA is more like an administrative subpoena than a search warrant.  Id. at *12-14.

Judge Gerard Lynch wrote a separate opinion concurring in the judgment.  Judge Lynch believed “the government’s arguments are stronger than the Court’s opinion acknowledges” and further wished “to emphasize the need for congressional action to revise a badly outdated statute.”  Id. at *19.  Judge Lynch noted that there was no dispute about the government’s showing of probable cause or about Microsoft’s ability to access the records in the U.S.  Id. at *20.  He also was concerned that the choice of data center location was based on the customer’s self-reported location, which could be inaccurate or even intentionally misleading to evade law enforcement.  Id.  Contrary to some of Microsoft’s arguments, Judge Lynch did not believe the case presented any substantive privacy issue because the “’records’ are electronic zeros and ones that can be moved around the world in seconds, and will be so moved whenever it suits the convenience or commercial purposes of the company.”  Id. at 21.  Nevertheless, Judge Lynch felt bound to agree with that court’s statutory interpretation in light of the presumption against extraterritoriality.  Id.  He concluded by suggesting that Congress can and should amend the SCA to extend the reach of SCA warrants to data accessible to U.S. companies in the U.S. even if stored in cloud servers located outside the U.S.  Id. at 26.

Microsoft is presently litigating a separate case in the District of Washington, joined by the American Civil Liberties Union, challenging the constitutionality of parts of the SCA that allow the government to obtain subscriber and content information from Microsoft without notice to Microsoft’s customer.  See Microsoft v. U.S. Dep’t of Justice, No. 2:16-cv-00538-JLR (D. Wash.), filed April 14, 2016.  In its Complaint in that case, Microsoft states that “Cloud computing has spurred [a] profound change in the storage of private information” and that the government, using the SCA, “has exploited the transition to cloud computing as a means of expanding its power to conduct secret investigations.”  Id., Complaint for Declaratory Judgment, ¶ ¶  2-3.  For Microsoft, and some other Silicon Valley companies, the cloud should become a domain in which service providers have a kind of jurisdiction to safeguard consumer privacy against governments.  But governments, including the U.S., argue that individuals who store their data with commercial cloud providers have already given up their privacy and that a handful of large information service providers cannot dictate national policy about criminal investigations and terrorism prevention.  This dispute will undoubtedly continue to work its way through the courts and Congress in coming years.

[google-drive-embed url=”https://drive.google.com/file/d/0BzS0leqU862xbHlmR2pJa2dra0U/preview?usp=drivesdk” title=”microsoftcertified.pdf” icon=”https://ssl.gstatic.com/docs/doclist/images/icon_12_pdf_list.png” width=”100%” height=”400″ style=”embed”]

 

[google-drive-embed url=”https://drive.google.com/file/d/0BzS0leqU862xQUs4S3Z6dkg5SEk/preview?usp=drivesdk” title=”microsftdj.pdf” icon=”https://ssl.gstatic.com/docs/doclist/images/icon_12_pdf_list.png” width=”100%” height=”400″ style=”embed”]

Internet Law and Governance: Some Materials

I’m teaching a module on Internet Law and Governance at Seton Hall Law School again this semester.  Here is some of the introductory material for this week, including a video lecture I created:

For our first class, we will discuss some basic principles of Internet “governance.”  I put “governance” in quotes here because, as you will see, there is no single source of legal norms for the Internet.  Much of the “law” of the Internet is what we call “soft law” — that is, a relatively loose collection of principles and standards held together mostly by contractual relationships.

My experience teaching this material to law students over the past few years has shown that it can be a bit frustrating for you to get a handle on what you are supposed to be learning.  By now, you are used to areas of law governed by a somewhat coherent set of Constitutional, common law, and/or statutory and regulatory principles, from which you can derive legal tests for liability or compliance that can be applied by courts.  That is not, usually, how Internet governance works.  Internet governance is fuzzy.  If you continue on and take any of the other modules in our “Cybersecurity” or “New Media” sequence, however, you’ll see that having a sense of the contours of this fuzziness is important to the more specific legal issues arising from things like copyright in YouTube videos or government e-mail surveillance.  So, for now, enjoy the ride.

ICANN’s Transition Proposal

By Source, Fair use, https://en.wikipedia.org/w/index.php?curid=28871298You may have heard of “ICANN” in connection with procedures for resolving domain name disputes.  What you may not realize is that ICANN is at the heart of “Internet governance,” and that even today there is a heated dispute about whether the United States government should retain any ongoing oversight of ICANN’s functions.

“ICANN” stands for the Internet Corporation for Assigned Names and Numbers.  Every device connected to the Internet is assigned a unique Internet Protocol (“IP”) address.  Under a standard first developed in 1983 (called the Internet Protocol Version 4, or IPv4), long before the Internet was commercially available and long before there was a World Wide Web, an IP address consists of a 32-bit (4-byte) number comprised of four blocks (1 byte per block).   Because the available number space was becoming exhausted, a newer standard, IPv6, was adopted, which increased the address to 128 bits comprised of 16 blocks, but IPv4 is still the most widely used protocol.

The following graphic shows a typical IPv4 address, with both binary and dotted-decimal notation:

(Graphic source:  Wikimedia Commons).  In general, the first two blocks specify a network (the network identifier) and the last two blocks specify a host or machine (the host identifier).  In the example above, the network identifier 172.16 would indicate a private network such as an intranet, and the host identifier 254.1 would identify a computer or device connected to that local network.  If you have ever had to fiddle with your home or office computer network, you have probably seen IP addresses in the dotted-decimal notation representing the addresses of your printers and other devices.

Numeric addresses are difficult for most humans to remember.  This is not a problem for things like the printer on your home network — you simply configure the network server to remember such things for you.  It is a problem on the World Wide Web, if we want to remember, or conduct searches for, the content that interests us.  This is where the where “domain names” come into play.  The Domain Name System, or DNS, establishes the hierarchy of words and symbols that relate to numeric IP addresses.  For example, the domain name “Google.com” brings you to Google’s home page.  It is much easier to remember “Google.com” than the site’s IP address  (172.217.1.206, as identified through a “Whois” IP lookup).  Obviously, if “Google.com” does not consistently resolve to the IP address 172.217.1.206, the web will cease to function.  The DNS is a vital part of how people and organizations identify their “space” in cyberspace.

With over one billion pages on the web today (according to http://www.internetlivestats.com/total-number-of-websites/), the administration and security of the system for registering, recording, transferring and protecting domain names obviously is complex.  The question of whether to approve new “Top Level Domains (TLDs)” – that is, the part of a domain name to the right of the last dot, such as .com or .gov – can be contentious because such domains can be used to stake out a new “location” in cyberspace.  Until 2012, ICANN strictly restricted the issuance of new “generic” top level domains (gTLDs), but under ICANN’s present rules new gTLDs are much easier to obtain, with about 1,300 new gTLDs now approved and more to come.  Here is an amusing ICANN video describing this process:

These administrative and oversight functions are ICANN’s role.  It is fair to say, then, that ICANN oversees a core system of protocols that makes the Internet possible.  The global information and communication system that underpins every aspect of our global society depends on the governance functions ICANN performs.

But ICANN is not an agency of any national government or international treaty body.  ICANN is not an arm of the United Nations, the World Trade Organization, the World Intellectual Property Organization, or any other transnational organization established by agreement of various nation-states.  Instead, ICANN is a California non-profit corporation first established in 1998.  It operates under a “multi-stakeholder” model that includes input from volunteers serving on numerous working groups, overseen by a Board of Directors comprised of 16 individual voting members.  See A Quick Look at ICANN.”

Why is this vital Internet governance function run by a California non-profit corporation?  The name and number functions we have been discussing (referred to as the Internet Assigned Numbers Authority, or IANA, functions) originally were managed by a single individual, John Postel, who was a computer science researcher at UCLA and USC.  Postel helped create an early packet switching network, the Advanced Research Projects Agency Network, or ARPANET, funded by the U.S. Defense Department, which was a forerunner to today’s Internet.  ARPANET may have been funded by the DOD in part over concerns about maintaining military communications in the event of nuclear war.  Although the connection to fears of nuclear war are debated, there is no doubt that the ARPANET was a cold-war era defense project.  The U.S. federal government therefore had a vital role in the early development of the Internet.

When Postel decided he could no longer handle the domain name functions himself, the U.S. Department of Commerce’s National Telecommunications and Information Administration (NTIA) instituted a rulemaking for this function that led to the creation of ICANN.  From its inception, ICANN operated under a contractual arrangement with the U.S. Department of Commerce.  ICANN therefore derives its legal authority from California corporate law and its contract with the U.S. Department of Commerce.

To many participants, particularly outside the U.S., this historical arrangement suggests that ultimately the U.S. government holds too much power over the DNS without adequate checks and balances.  In response to these concerns, the Obama administration announced in March, 2014 that it would relinquish control of the DNS to the global multi-stakeholder Internet community.  A plan for this transition was developed by ICANN and was submitted to the NTIA on March 10, 2016.

The planning process was coordinated by a group “comprised of 30 individuals representing 13 communities.”  Id., ¶ X002.  That should be an astonishing statement:  30 people were in charge of planning this core function of Internet governance!  This group included executives from companies such as Oracle, Cisco, Verisign and GoDaddy, academics, entrepreneurs, and representatives of country domain registries.  Id., n. 2 and http://www.ianacg.org/coordination-group/icg-members/.

The ICAAN plan runs to 210 pages of single-spaced type and 3,115 numbered paragraphs, with an Executive Summary that loosely ties together separately drafted proposals from the “Domain Names Community,”  the “Internet Number Community,” and the “Protocol Parameters Registry Community.”   It contains many paragraphs that read like this:  “Following exhaustion of the foregoing escalation mechanisms, the ccNSO and GNSO will be responsible for determining whether or not a Special IFR is necessary.”  See ICANN Plan, ¶ 1303.   If all of these sounds like a proposal put together by engineers rather than lawyers – it is.  Perhaps that is a good thing, but many questions about representation and accountability remain.

The ICAAN Plan did include some new accountability mechanisms to address concerns about the openness of ICANN’s processes.  For example, paragraph 1106 of the Domain Names Community’s part of the proposal states that the mutistakeholder community would have the ability to appoint and remove ICANN Board members, to oversee key Board decisions, and to approve amendments to ICANN’s fundamental bylaws.  This part of the proposal was consistent with an Accountability Report released by a different ICANN working group in February, 2016.  But, of course, none of this is analogous to a citizen’s rights in a constitutional government.  It is more analogous to how shareholders might have some say in the governance of a private membership organization.  The ICAAN proposal does not contemplate that any governmental or inter-governmental organization will take on the role previously played by the U.S. Commerce Department.  See ICANN Plan, ¶ X028.

On June 9, 2016, the NTIA released an Assessment Report finding that the ICANN plan met the NTIA’s criteria for a working transition plan.  In particular, the NTIA Assessment found that the transition plan would satisfy the following requirements:

  1. Support and enhance the multi-stakeholder model;
  2. Maintain the security, stability, and resiliency of the Internet DNS;
  3. Meet the needs and expectations of the global customers and partners of the IANA services; and
  4. Maintain the openness of the Internet.

Most technology industry players also support ICANN’s plan.  At the same time, some commentators and U.S. lawmakers are not as willing as President Obama or the NTIA to cede U.S. control over the DNS. On June 8, 2016, Representative Sean Duffy (R-WI) and Senator Ted Cruz (R-TX) introduced the “Protecting Internet Freedom Act,” which would prohibit the NTIA from allowing its contract with ICANN to expire.  See S. 3034 and H.R. 5418, 114th Cong., 2d Sess., June 8, 2016.  This bill would also require the Commerce Department to secure permanent U.S. ownership of the .gov and .mil domain top-level domains.  Id., sec 4.  This Bill echoes concerns by commentators such as Kristian Stout, Associate Director for Innovation Policy with the International Center for Law and Economics, stated that under the ICANN plan, “several fundamental governance issues remain outstanding, including ICANN’s ability to thwart threats of foreign government intrusion, its willingness and ability to ensure a basic level of contractual compliance and respect for property rights among registrars and registries, and its avoidance of antitrust risk.”  S

Unless some legislative or Executive action is taken, which seems unlikely, the NTIA contract with ICAAN will expire according to its own terms on September 30, 2016.  This will mark another milestone, for better or worse, along the path towards the creation of a global critical infrastructure resource that is managed primarily by consensus (social norms) and contracts (private law) rather than by national and international public law.

Sikhs for Justice v. Facebook: Site Blocking

The ability of an ISP or social media site to block access to controversial or inflammatory content is a difficult issue at the intersection of cybersecurity and Internet governance.  In a case just decided by Judge Lucy Koh in the Northern District of California, Facebook won dismissal on the pleadings of Sikhs for Justice’s (“SFJ”) claim that Facebook blocked access to  SFJ’s page in India.

SJF’s claim was based on Title II of the Civil Rights Act of 1964, 42 U.S.C. § 2000a, which provides that “[a]ll persons shall be entitled to the full and equal enjoyment of the goods, services, facilities, privileges, advantages, and accommodations of any place of public accommodation . . . without discrimination or segregation on the ground of race, color, religion, or national origin.”

The court held that SJF’s Title II claim is barred by the Communications Decency Act (“CDA”), 47 U.S.C. § 230.  This holding was consistent with other cases holding that ISPs are publishers entitled to CDA immunity.

Cases like this are important for Internet governance because of the gate keeping role played by large ISPs, search providers, and social media sites such as Facebook.  If these gate keepers can arbitrarily block access to sites a government finds objectionable, traditional political sovereigns can exercise significant control over the Internet.  On the other hand, if these gate keepers cannot accede to the wishes of governments in territories where they have users without threat of liability elsewhere, users in one country (such as the U.S.) could use local law to thwart the policies of another country (such as India).

[google-drive-embed url=”https://drive.google.com/file/d/0BzS0leqU862xdUhxTWdzYzNjWHc/preview?usp=drivesdk” title=”sikhsforjustice.pdf” icon=”https://ssl.gstatic.com/docs/doclist/images/icon_12_pdf_list.png” width=”100%” height=”400″ style=”embed”]