J.A. Graham
An Introduction into E-commerce, Cyberbanking and Law,
2d Update, 1/12/01
Ed. Bauler, 2000
in collaboration with
www.cyberbanking-law.de
www.jagadvocate.com
1.2.1 Domain names
The question of whether a domain name is a “property right” has been considered by some American
courts. Even if case law proclaims that “ a domain name that is not a trademark arguably entails only
contract, not property rights” and thus “ a domain name registration is the product of a contract for services
between the registrar and registrant” 1, I do think that the debate is not closed. First of all, case law
emphasizes that in the ruled cases the involved domain names were not trademarks. Does this mean, that if
it were trademarks, domain names should be treated like “property”? We have also to think about
bankruptcy; would it not be in the interest of the creditors of the bankrupted firm to have the possibility to
engage its domain name, knowing that the value of some of them are about millions of dollars?
3.5 New virtual contracts
In regards to browse-wrap contracts, one has to cite above all the precited Ticketmaster case2,
where the plaintiff argued that its disclaimer was in fact a shrink-wrap agreement. However, the ruling
judge did very pertinently observe that a disclaimer is not the same than a shrink-wrap license, because the
latter is “open and obvious and in fact hard to miss”. It does not matter that the disclaimer is designated as
“terms and conditions”, as “many Web sites make you click on “I Agree” to the terms and conditions
before going on, but Ticketmaster does not. Further, the terms and conditions are set forth so that the
customer needs to scroll down the home page to proceed to find and read them”. Contracts do only exist if
there is a clear consent, which is not the case for disclaimers. In fact, they have no value. If a Webmaster
wishes that its visitors accepts the conditions of an agreement, he must, as the judgment points it out, make
them agree before letting them visiting the site. However, the fact to proceed to submit a search query, after
1
2
Dorer v. Arel, 60 F.Supp. 2d 558, 561 (E.D. Va 1999). See also: Network Solutions, Inc, v. Umbro
International, Inc, 529 S.E.2d 80 (Va 2000); Zukarov v. Register Com, # 600703/01 (SCNY, 2001).
Supra 1.2.4.
having must crossed a Web page that indicates clearly the terms of use equivales a manifestation of assent
to be bound by the terms, even if the user is not asked to click on an icon indicating that he accepts the
latter3. Browse-wrap are so not enforceable, at least whereas there is no real positive action of the net-user
to express its assent4.
5.3 Legal frame
There can be from a theoretical point of view a whole new form of money – virtual money, which would be
a total privatized money. As there does not exist any legal or uniform definition of money, legal scholars
nonetheless agree broadly on two definitions. The first one, called the legal definition, implies that the jura
cudendae monetae only belongs to the State, excluding so any possibility for “private” money. However,
some do consider, in a functional approach, that money defines itself essentially through its function: it is
an instrumentum that detains an unconditional full discharge, a forced currency and that is fungible, neutral
and liquid. If we retain the last definition, it does not matter who is the issuer of the money, as long as it
detain the above-mentioned qualities. In this sense, a system like Payword could be qualified as a new
virtual money, escaping thus the banking regulation 5, especially the E-money directive as it previews its
application only for e-money “considered as an electronic surrogate for coins and banknotes, which is
stored on an electronic device such as a chip card or computer memory and which is generally intended for
the purpose of effecting electronic payments of limited amounts” 6. In the hypothesis of virtual money, we
do not have e–money surrogating for coins and banknotes, but a new money, which is exchanged for
national money like a foreign currency – especially if we do consider that this money circulates in an
international space7. This would imply that such institutions should be treated like currency brokers and
neither like e-money issuers nor financial institutions.
6.3.2 The Council of Europe’s Convention on Cybercrime8
The Convention principally aims at harmonizing the domestic criminal substantive law elements
of offences and connected provisions in the area of cyber-crime providing for domestic criminal procedural
law powers necessary for the investigation and prosecution of such offences as well as other offences
committed by means of a computer system or evidence in relation to which is in electronic form setting up
a fast and effective regime of international co-operation. Jurisdiction is established when the offence is
committed:
a. in its territory; or
b. on board of a ship flying its flag; or
c. on board of an aircraft registered under its laws; or
d. by one of its nationals, if the offence is punishable under criminal law where it was committed
or if the offence is committed outside the territorial jurisdiction of any State.
Following the outline of the Convention, I will distinguish between substantive criminal law and
procedural criminal law. However, I will not undertake a detailed analyse as, for one part, the convention is
a very long and complicated text, and, for other part, I have to remind that we are in presence of a draft text
and the great opposition that encounters the convention may predict that perhaps this text will never enter
Register.com v. Verio (S.D.N.Y, 2000), www.icann.org/registrars/register.com-verio/order08dec00.htm.
4
Pollstar v. Gigmania Ltd, CIV-F-00-5671 (EDCA, 2000); Specht & alii v. Netscape & AOL, 00Civ4871
(SDNY, 2001).
5
For a detailed development of such a theory through the example of Payword: Graham & Praicheux, Essai
sur la monnaie virtuelle, REDI, July 2001, www.alfa-redi.org.
6
Considering (3).
7
Why should Cyberspace, considered by me as an international space, do not have its own currency?
8
http://conventions.coe.int/Treaty/EN/projets/FinalCybercrime.htm.
3
into force.
A – Substantive criminal law
First, will be established as criminal offences the access to the whole or any part of a computer
system without right9. Application of specific technical tools may result in an access as defined by the
convention, such as the access of a web page, directly or through hypertext links, including deep-links or
the application of ‘cookies’ or ‘bots’ to locate and retrieve information on behalf of communication. The
application of such tools per se is not ‘without right’. The maintenance of a public website implies consent
by the website-owner that it can be accessed by any other web-user. The application of standard tools
provided for in the commonly applied communication protocols and programs, is not in itself ‘without
right’, in particular where the rightholder of the accessed system can be considered to have accepted its
application, e.g. in the case of ‘cookies’ by not rejecting the initial installment or not removing it.
That’s why municipal law may require that the offence ought to be committed by infringing
security measures, with the intent of obtaining computer data or other dishonest intent, or in relation to a
computer system that is connected to another computer system. In the same way, illegal interception,
meaning when committed intentionally, the interception without right, made by technical means, of nonpublic transmissions of computer data to, from or within a computer system, including electromagnetic
emissions from a computer system carrying such computer data. Nonetheless, a State may require that the
offence be committed with dishonest intent, or in relation to a computer system that is connected to another
computer system.
Should be a criminal offence, when committed intentionally, the damaging, deletion, deterioration,
alteration or suppression of computer data without right, as the serious hindering without right of the
functioning of a computer system by inputting, transmitting, damaging, deleting, deteriorating, altering or
suppressing computer data.
The Convention foresees also the misuse of devices including:
(a) the production, sale, procurement for use, import, distribution or otherwise making available of:
1.
2.
9
a device, including a computer program, designed or adapted primarily
for the purpose of committing any of the foreseen offences;
a computer password, access code, or similar data by which the whole
or any part of a computer system is capable of being accessed with
intent that it be used for the purpose of committing any of the
previewed offences; and
"Without right" means that “it reflects the insight that the conduct described is not always punishable per
se, but may be legal or justified not only in cases where classical legal defenses are applicable, like
consent, self defense or necessity, but where other principles or interests lead to the exclusion of
criminal liability. The expression ‘without right’ derives its meaning from the context in which it is
used. Thus, without restricting how Parties may implement the concept in their domestic law, it may
refer to conduct undertaken without authority (whether legislative, executive, administrative, judicial,
contractual or consensual) or conduct that is otherwise not covered by established legal defenses,
excuses, justifications or relevant principles under domestic law. The Convention, therefore, leaves
unaffected conduct undertaken pursuant to lawful government authority (for example, where the Party’s
government acts to maintain public order, protect national security or investigate criminal offences).
Furthermore, legitimate and common activities inherent in the design of networks, or legitimate and
common operating or commercial practices should not be criminalized. [It] is left to the Parties to
determine how such exemptions are implemented within their domestic legal systems (under criminal
law or otherwise) (Final Draft Explanatory Report, p.7, #38).
All the offences contained in the Convention must be committed "intentionally" for.
(b) the possession of such an item referred with intent that it be used for the purpose of committing
any of the established offences in the convention.
However, it is not a criminal offence when such items are used for the authorized testing or protection of a
computer system.
In regard to computer-related offences, the Convention indicts forgery defined as the intentional
input, alteration, deletion, or suppression of computer data, resulting in inauthentic data with the intent that
it be considered or acted upon for legal purposes as if it were authentic, regardless whether or not the data
is directly readable and intelligible. This provision covers data, which is the equivalent of a public or
private document having legal effects. The unauthorized "input" of correct or incorrect data brings about a
situation that corresponds to the making of a false document. Subsequent alterations (modifications,
variations, partial changes), deletions (removal of data from a data medium) and suppression (holding back,
concealment of data) correspond in general to the falsification of a genuine document. State legislation may
require an intent to defraud, or similar dishonest intent, before criminal liability attaches.
Art. 8 renders as illegal intentional causing of a loss of property to another by:
a) any input, alteration, deletion or suppression of computer data,
b) any interference with the functioning of a computer system, with fraudulent or
dishonest intent of procuring, without right, an economic benefit for oneself or
for another.
Computer fraud manipulations are criminalized if they produce a direct economic or possessory loss of
another person's property and the perpetrator acted with the intent of procuring an unlawful economic gain
for himself or for another person. The term 'loss of property', being a broad notion, includes loss of money,
tangibles and intangibles with an economic value.
Beneath child pornography, the Convention also invites States to sue Intellectual Properties rights
infringements as defined under municipal law pursuant to the obligations the State has undertaken under
the Paris Act of 24 July 1971 of the Bern Convention for the Protection of Literary and Artistic Works, the
Agreement on Trade-Related Aspects of Intellectual Property Rights and the WIPO Copyright Treaty, the
International Convention for the Protection of Performers, Producers of Phonograms and Broadcasting
Organizations done in Rome (Rome Convention), the Agreement on Trade-Related Aspects of Intellectual
Property Rights and the WIPO Performances and Phonograms Treaty, with the exception of any moral
rights conferred by such Conventions, where such acts are committed willfully, on a commercial scale and
by means of a computer system.
Art. 11, paragraph 1 requires Parties to establish as criminal offences aiding or abetting commission
of any of the offences under the foreseen provisions. Liability arises for aiding or abetting where the person
who commits a crime established in the Convention is aided by another person who also intends that the
crime be committed. For example, though the transmission of harmful content data or malicious code
through the Internet requires the assistance of service providers as a conduit, a service provider who does
not have any criminal intent cannot incur liability under this section. Thus, there is no duty on a service
provider to actively monitor content to avoid criminal liability10.
A major improvement of the Convention is Art.12 that forces ratifying States to ensure that a legal
person can be held liable for a criminal offence established in accordance with this Convention, committed
for its benefit by any natural person, acting either individually or as part of an organ of the legal person,
who has a leading position within the legal person, based on:
a. a power of representation of the legal person;
b. an authority to take decisions on behalf of the legal person;
c. an authority to exercise control within the legal person.
10
Final Draft Explanatory Report, p.16, #119.
B – Procedural Criminal Law
Without entering into details, one may say that the Convention foresees a positive obligation upon
providers to collect data, to keep them and to transmit them to the territorial authorities on the base of a
court order. However, each measure is subject to conditions and safeguards provided by applicable
international human rights instruments.
Each State Party has to adopt measures to enable its competent authorities to order or similarly
obtain the expeditious preservation of specified computer data, regardless of whether one or more service
providers were involved in the transmission of that communication, including traffic data, that has been
stored by means of a computer system, in particular where there are grounds to believe that the computer
data is particularly vulnerable to loss or modification. It is to oblige that person to preserve and maintain
the integrity of that computer data for a period of time as long as necessary, up to a maximum of 90 days,
however, renewable if so provided by law, to enable the competent authorities to seek its disclosure. The
custodian or other person who is to preserve the computer data may be obliged to keep confidential the
undertaking of such procedures for the period of time provided for by its domestic law.
Service providers offering their services in the State’s territory are, in case of injunction, to submit
subscriber information relating to such services in that service provider’s possession or control; "subscriber
information" meaning any information, contained in the form of computer data or any other form, that is
held by a service provider, relating to subscribers of its services, other than traffic or content data, by which
can be established:
a. the type of the communication service used, the technical provisions taken thereto and the
period of service;
b. the subscriber’s identity, postal or geographic address, telephone and other access number,
billing and payment information, available on the basis of the service agreement or arrangement;
c. any other information on the site of the installation of communication equipment available on
the basis of the service agreement or arrangement.
Service providers may also be compelled to undertake real-time collection of traffic data.
Extradition and mutual assistance principles are also previewed in order to reinforce the
international cooperation.
7.1.2 Brussels Convention
Regulation 44/2001 took into account the objections of the European Working Group and provides
that the place of performance of the obligation in question is in the case of the sale of goods, the place in a
Member State where, under the contract, the goods were delivered or should have been delivered, and in
the case of the provision of services, the place in a Member State where, under the contract, the services
were provided or should have been provided. The real difficulty is once again the requirement of the
conclusion in the consumer's State. Technically speaking, the contract is not concluded on the consumer's
Pc; it's concluded on the seller's server. Consequently, the consumer can never benefit from his protection.
That's why, the Commission in its proposal of regulation has eliminated the second requirement
and replaced the wording of the first one by “directed to a member State”. Unfortunately, during the
Commission's public hearing in Brussels, it were surprising how the new draft was misinterpreted by the
representatives of industry who consider that the simple fact of having a Web site fulfills the new
requirement, though I defended in time that the proposed provision went in the right direction. In fact,
activities should be considered as directed to a Member State if the site is “targeting” in a special manner
the local consumers (the site is registered in a European cctld, the pages are in a national language, the
prices are in euros, etc). Fortunately, Regulation 44/2001 took over the Commission’s proposal in its Art.
15.