In our early days of insuring internet risks, perhaps a decade ago, some London reinsurers were quick to ask about the risks we expected to encounter in cyberspace. Some risk-influencing factors were easy to see, such as: speed of publication, breadth of dissemination, jurisdictional issues in lawsuits and the ease of copying and transmitting content. Torts already existing under the law could accommodate, or be tweaked to handle, those risks, we answered. Old laws would be applied in new contexts.
What we weren’t as adept at foreseeing was the multitude of ways that new technologies would test old laws. The URL wars with cybersquatters, framing and linking, trademark uses and abuses in metatags and search engine ads are a few examples.
Another example is evident in a new case filed in an Illinois state court. It becomes one of a growing number to use a trespass claim as a weapon in cyberspace, this time against defendants who allegedly place software code onto the computers of others without the computer owner/user’s consent. The case against Direct Revenue, LLC, a company accused by some of being a major distributor of so-called spyware, aims to stop surreptitious placement of spyware on computers.
Direct Revenue reportedly boasts that its software resides on 12 million computers in the United States , and the case alleges that the software was deceptively placed on many of them. It says the spyware is bundled with other software that can be downloaded free, such as game software, and that through various means Direct Revenue fails to inform the user or gain their consent to place spyware on their machine.
The software tracks and profiles a user’s internet browsing and generates pop-up ads tailored to the user’s interest areas. The complaint alleges the spyware destroys other software programs on a computer, causes the machine to slow down, uses computer memory, causes other problems and is difficult to locate and delete from a computer.
While the complaint alleges unfair and deceptive practices, unjust enrichment, negligence and computer tampering, we find the trespass claim perhaps the one of greatest interest. Cyberspace trespass claims have been appearing more frequently in recent years as plaintiffs try to stop others from what plaintiffs see as improper use of their computer resources or placement of unwanted computer code into their systems.
Unlike the illicit creation and release of viruses, internet advertising is done via a range of delivery vehicles, many of which are used by legitimate advertisers. While trespass allegations might not affect illicit actors because they’re hiding their tracks or operating out of a distant jurisdiction, businesses that are more in the mainstream could be affected if they advertise through companies using spyware and if this kind of case is successful. The Direct Revenue case is pled as a class action.
The allegations in the Direct Revenue lawsuit sound similar to some of the allegations made this week by New York Attorney General Eliot Spitzer in a different suit his office filed. In his case against Intermix Media, Inc., the New York attorney general also chose to rely on the law relating to trespass to chattels, as well as New York laws prohibiting deceptive acts and false advertising.
With Spitzer adding the weight of his office to the assault against certain online advertising techniques, it appears more likely that fundamental changes will be taking place with some kinds of online advertising.
Unlike Spitzer’s case which is aimed solely at Intermix Media, the advertising services company, the plaintiffs in the Direct Revenue case also appear to be suing two advertisers, and thus may have a more direct impact on mainstream companies advertising on the internet.
Companies may also discover they have other potential cyber trespass exposures. Spam and other unwanted e-mail is viewed by some people as a type of trespass in cyberspace. In an e-mail case decided in 2003, the California Supreme Court said that companies could sue for trespass based on unwanted e-mail if the messages caused actual damages to equipment or property. But in a close vote the plaintiff in Intel v. Hamidi lost that case because the court ruled Intel had not shown that its system was actually slowed or otherwise impaired by the burden of bulk e-mails to thousands of Intel employees by a disgruntled former employee. Cyberspace trespass claims are more likely to succeed against spammers generating volumes of e-mail that demonstrably affect a company’s systems.
Some advocates of a broader cyber trespass cause of action would like for mere entry into or use of a computer system to qualify as a trespass, regardless of whether the property trespassed upon is harmed in some way. They liken it to a claim against someone trespassing upon land without permission, regardless of whether the property is harmed. The California court declined to go that far.
Instead, the court followed general law of trespass to chattels (personal property), which requires that to successfully sue:
- the possessor of the chattel must be dispossessed or deprived of its use for a substantial period of time,
- the chattel must have been impaired in condition, quality or value,
- bodily harm must have been caused to the possessor or
- harm must have been caused to something in which the possessor has a legally protected interest.
The owners of software robots, or “bots” that scour websites for information have on occasion been accused of trespassing in cyberspace. Such accusations have been made, for example, when the bot gathers information from one or more competitors and incorporates it into the bot owner’s own site. Examples of such cases include Ticketmaster Corp. v. Tickets.com, eBay, Inc. v. Bidder’s Edge, Inc. Oyster Software v. Forms Processing and American Airlines, Inc. v. Farechase, Inc. Decisions in such cases have been mixed, but courts generally appear to be willing to protect content on websites in such cases but differ on what kinds and levels of intrusion warrant legal redress.
Sometimes insurers and insureds know very well the risks for which insurance coverage is needed or appropriate. But sometimes risks aren’t as readily foreseen, and that has happened more frequently in the relatively new and quickly evolving field of cyberspace liability. It’s an area where a good policy can provide a measure of protection for risks that may not be anticipated.