J.A. Graham

An Introduction into E-commerce, Cyberbanking and Law,

2d Update, 1/12/01

Ed. Bauler, 2000

in collaboration with


/

1.2.1 Domain names

The question of whether a domain name is a “property right” has been considered by some American courts. Even if case law proclaims that “ a domain name that is not a trademark arguably entails only contract, not property rights” and thus “ a domain name registration is the product of a contract for services between the registrar and registrant”[1], I do think that the debate is not closed. First of all, case law emphasizes that in the ruled cases the involved domain names were not trademarks. Does this mean, that if it were trademarks, domain names should be treated like “property”? We have also to think about bankruptcy; would it not be in the interest of the creditors of the bankrupted firm to have the possibility to engage its domain name, knowing that the value of some of them are about millions of dollars?

3.5 New virtual contracts

In regards to browse-wrap contracts, one has to cite above all the precited Ticketmaster case[2], where the plaintiff argued that its disclaimer was in fact a shrink-wrap agreement. However, the ruling judge did very pertinently observe that a disclaimer is not the same than a shrink-wrap license, because the latter is “open and obvious and in fact hard to miss”. It does not matter that the disclaimer is designated as “terms and conditions”, as “many Web sites make you click on “I Agree” to the terms and conditions before going on, but Ticketmaster does not. Further, the terms and conditions are set forth so that the customer needs to scroll down the home page to proceed to find and read them”. Contracts do only exist if there is a clear consent, which is not the case for disclaimers. In fact, they have no value. If a Webmaster wishes that its visitors accepts the conditions of an agreement, he must, as the judgment points it out, make them agree before letting them visiting the site. However, the fact to proceed to submit a search query, after having must crossed a Web page that indicates clearly the terms of use equivales a manifestation of assent to be bound by the terms, even if the user is not asked to click on an icon indicating that he accepts the latter[3]. Browse-wrap are so not enforceable, at least whereas there is no real positive action of the net-user to express its assent[4].

5.3 Legal frame

There can be from a theoretical point of view a whole new form of money – virtual money, which would be a total privatized money. As there does not exist any legal or uniform definition of money, legal scholars nonetheless agree broadly on two definitions. The first one, called the legal definition, implies that the jura cudendae monetae only belongs to the State, excluding so any possibility for “private” money. However, some do consider, in a functional approach, that money defines itself essentially through its function: it is an instrumentum that detains an unconditional full discharge, a forced currency and that is fungible, neutral and liquid. If we retain the last definition, it does not matter who is the issuer of the money, as long as it detain the above-mentioned qualities. In this sense, a system like Payword could be qualified as a new virtual money, escaping thus the banking regulation[5], especially the E-money directive as it previews its application only for e-money “considered as an electronic surrogate for coins and banknotes, which is stored on an electronic device such as a chip card or computer memory and which is generally intended for the purpose of effecting electronic payments of limited amounts”[6]. In the hypothesis of virtual money, we do not have e–money surrogating for coins and banknotes, but a new money, which is exchanged for national money like a foreign currency – especially if we do consider that this money circulates in an international space[7]. This would imply that such institutions should be treated like currency brokers and neither like e-money issuers nor financial institutions.

6.3.2 The Council of Europe’s Convention on Cybercrime[8]

The Convention principally aims at harmonizing the domestic criminal substantive law elements of offences and connected provisions in the area of cyber-crime providing for domestic criminal procedural law powers necessary for the investigation and prosecution of such offences as well as other offences committed by means of a computer system or evidence in relation to which is in electronic form setting up a fast and effective regime of international co-operation. Jurisdiction is established when the offence is committed:

a. in its territory; or

b. on board of a ship flying its flag; or

c. on board of an aircraft registered under its laws; or

d. by one of its nationals, if the offence is punishable under criminal law where it was committed or if the offence is committed outside the territorial jurisdiction of any State.

Following the outline of the Convention, I will distinguish between substantive criminal law and procedural criminal law. However, I will not undertake a detailed analyse as, for one part, the convention is a very long and complicated text, and, for other part, I have to remind that we are in presence of a draft text and the great opposition that encounters the convention may predict that perhaps this text will never enter into force.

A – Substantive criminal law

First, will be established as criminal offences the access to the whole or any part of a computer system without right[9]. Application of specific technical tools may result in an access as defined by the convention, such as the access of a web page, directly or through hypertext links, including deep-links or the application of ‘cookies’ or ‘bots’ to locate and retrieve information on behalf of communication. The application of such tools per se is not ‘without right’. The maintenance of a public website implies consent by the website-owner that it can be accessed by any other web-user. The application of standard tools provided for in the commonly applied communication protocols and programs, is not in itself ‘without right’, in particular where the rightholder of the accessed system can be considered to have accepted its application, e.g. in the case of ‘cookies’ by not rejecting the initial installment or not removing it.

That’s why municipal law may require that the offence ought to be committed by infringing security measures, with the intent of obtaining computer data or other dishonest intent, or in relation to a computer system that is connected to another computer system. In the same way, illegal interception, meaning when committed intentionally, the interception without right, made by technical means, of non-public transmissions of computer data to, from or within a computer system, including electromagnetic emissions from a computer system carrying such computer data. Nonetheless, a State may require that the offence be committed with dishonest intent, or in relation to a computer system that is connected to another computer system.

Should be a criminal offence, when committed intentionally, the damaging, deletion, deterioration, alteration or suppression of computer data without right, as the serious hindering without right of the functioning of a computer system by inputting, transmitting, damaging, deleting, deteriorating, altering or suppressing computer data.

The Convention foresees also the misuse of devices including:

(a)the production, sale, procurement for use, import, distribution or otherwise making available of:

  1. a device, including a computer program, designed or adapted primarily for the purpose of committing any of the foreseen offences;
  2. a computer password, access code, or similar data by which the whole or any part of a computer system is capable of being accessed with intent that it be used for the purpose of committing any of the previewed offences; and

(b)the possession of such an item referred with intent that it be used for the purpose of committing any of the established offences in the convention.

However, it is not a criminal offence when such items are used for the authorized testing or protection of a computer system.

In regard to computer-related offences, the Convention indicts forgery defined as the intentional input, alteration, deletion, or suppression of computer data, resulting in inauthentic data with the intent that it be considered or acted upon for legal purposes as if it were authentic, regardless whether or not the data is directly readable and intelligible. This provision covers data, which is the equivalent of a public or private document having legal effects. The unauthorized "input" of correct or incorrect data brings about a situation that corresponds to the making of a false document. Subsequent alterations (modifications, variations, partial changes), deletions (removal of data from a data medium) and suppression (holding back, concealment of data) correspond in general to the falsification of a genuine document. State legislation may require an intent to defraud, or similar dishonest intent, before criminal liability attaches.

Art. 8 renders as illegal intentional causing of a loss of property to another by:

a)any input, alteration, deletion or suppression of computer data,

b)any interference with the functioning of a computer system, with fraudulent or dishonest intent of procuring, without right, an economic benefit for oneself or for another.

Computer fraud manipulations are criminalized if they produce a direct economic or possessory loss of another person's property and the perpetrator acted with the intent of procuring an unlawful economic gain for himself or for another person. The term 'loss of property', being a broad notion, includes loss of money, tangibles and intangibles with an economic value.

Beneath child pornography, the Convention also invites States to sue Intellectual Properties rights infringements as defined under municipal law pursuant to the obligations the State has undertaken under the Paris Act of 24 July 1971 of the Bern Convention for the Protection of Literary and Artistic Works, the Agreement on Trade-Related Aspects of Intellectual Property Rights and the WIPO Copyright Treaty, the International Convention for the Protection of Performers, Producers of Phonograms and Broadcasting Organizations done in Rome (Rome Convention), the Agreement on Trade-Related Aspects of Intellectual Property Rights and the WIPO Performances and Phonograms Treaty, with the exception of any moral rights conferred by such Conventions, where such acts are committed willfully, on a commercial scale and by means of a computer system.

Art. 11, paragraph 1 requires Parties to establish as criminal offences aiding or abetting commission of any of the offences under the foreseen provisions. Liability arises for aiding or abetting where the person who commits a crime established in the Convention is aided by another person who also intends that the crime be committed. For example, though the transmission of harmful content data or malicious code through the Internet requires the assistance of service providers as a conduit, a service provider who does not have any criminal intent cannot incur liability under this section. Thus, there is no duty on a service provider to actively monitor content to avoid criminal liability[10].

A major improvement of the Convention is Art.12 that forces ratifying States to ensure that a legal person can be held liable for a criminal offence established in accordance with this Convention, committed for its benefit by any natural person, acting either individually or as part of an organ of the legal person, who has a leading position within the legal person, based on:

a. a power of representation of the legal person;

b. an authority to take decisions on behalf of the legal person;

c. an authority to exercise control within the legal person.

B – Procedural Criminal Law

Without entering into details, one may say that the Convention foresees a positive obligation upon providers to collect data, to keep them and to transmit them to the territorial authorities on the base of a court order. However, each measure is subject to conditions and safeguards provided by applicable international human rights instruments.

Each State Party has to adopt measures to enable its competent authorities to order or similarly obtain the expeditious preservation of specified computer data, regardless of whether one or more service providers were involved in the transmission of that communication, including traffic data, that has been stored by means of a computer system, in particular where there are grounds to believe that the computer data is particularly vulnerable to loss or modification. It is to oblige that person to preserve and maintain the integrity of that computer data for a period of time as long as necessary, up to a maximum of 90 days, however, renewable if so provided by law, to enable the competent authorities to seek its disclosure. The custodian or other person who is to preserve the computer data may be obliged to keep confidential the undertaking of such procedures for the period of time provided for by its domestic law.

Service providers offering their services in the State’s territory are, in case of injunction, to submit subscriber information relating to such services in that service provider’s possession or control; "subscriber information" meaning any information, contained in the form of computer data or any other form, that is held by a service provider, relating to subscribers of its services, other than traffic or content data, by which can be established:

a. the type of the communication service used, the technical provisions taken thereto and the period of service;

b. the subscriber’s identity, postal or geographic address, telephone and other access number, billing and payment information, available on the basis of the service agreement or arrangement;

c. any other information on the site of the installation of communication equipment available on the basis of the service agreement or arrangement.

Service providers may also be compelled to undertake real-time collection of traffic data.

Extradition and mutual assistance principles are also previewed in order to reinforce the international cooperation.

7.1.2 Brussels Convention

Regulation 44/2001 took into account the objections of the European Working Group and provides that the place of performance of the obligation in question is in the case of the sale of goods, the place in a Member State where, under the contract, the goods were delivered or should have been delivered, and in the case of the provision of services, the place in a Member State where, under the contract, the services were provided or should have been provided. The real difficulty is once again the requirement of the conclusion in the consumer's State. Technically speaking, the contract is not concluded on the consumer's Pc; it's concluded on the seller's server. Consequently, the consumer can never benefit from his protection.

That's why, the Commission in its proposal of regulation has eliminated the second requirement and replaced the wording of the first one by “directed to a member State”. Unfortunately, during the Commission's public hearing in Brussels, it were surprising how the new draft was misinterpreted by the representatives of industry who consider that the simple fact of having a Web site fulfills the new requirement, though I defended in time that the proposed provision went in the right direction. In fact, activities should be considered as directed to a Member State if the site is “targeting” in a special manner the local consumers (the site is registered in a European cctld, the pages are in a national language, the prices are in euros, etc). Fortunately, Regulation 44/2001 took over the Commission’s proposal in its Art. 15.

[1] Dorer v. Arel, 60 F.Supp. 2d 558, 561 (E.D. Va 1999). See also: Network Solutions, Inc, v. Umbro International, Inc, 529 S.E.2d 80 (Va 2000); Zukarov v. Register Com, # 600703/01 (SCNY, 2001).

[2]Supra 1.2.4.

[3]Register.com v. Verio (S.D.N.Y, 2000),

[4]Pollstar v. Gigmania Ltd, CIV-F-00-5671 (EDCA, 2000); Specht & alii v. Netscape & AOL, 00Civ4871 (SDNY, 2001).

[5] For a detailed development of such a theory through the example of Payword: Graham & Praicheux, Essai sur la monnaie virtuelle, REDI, July 2001,

[6] Considering (3).

[7] Why should Cyberspace, considered by me as an international space, do not have its own currency?

[8]

[9]"Without right" means that “it reflects the insight that the conduct described is not always punishable per se, but may be legal or justified not only in cases where classical legal defenses are applicable, like consent, self defense or necessity, but where other principles or interests lead to the exclusion of criminal liability. The expression ‘without right’ derives its meaning from the context in which it is used. Thus, without restricting how Parties may implement the concept in their domestic law, it may refer to conduct undertaken without authority (whether legislative, executive, administrative, judicial, contractual or consensual) or conduct that is otherwise not covered by established legal defenses, excuses, justifications or relevant principles under domestic law. The Convention, therefore, leaves unaffected conduct undertaken pursuant to lawful government authority (for example, where the Party’s government acts to maintain public order, protect national security or investigate criminal offences). Furthermore, legitimate and common activities inherent in the design of networks, or legitimate and common operating or commercial practices should not be criminalized. [It] is left to the Parties to determine how such exemptions are implemented within their domestic legal systems (under criminal law or otherwise) (Final Draft Explanatory Report, p.7, #38).

All the offences contained in the Convention must be committed "intentionally" for.

[10]Final Draft Explanatory Report, p.16, #119.