The Legal Quicksand Of Giving Online Stuff Away For Free

Attorney Mark D. Rasch is the former head of the U.S. Justice Department's computer crime unit and today serves as Director of Cybersecurity and Privacy Consulting at CSC in Virginia.

We all love to get stuff for free. Whether it is a coupon, a sample or a trial, if it's free, it's good. For retailers, offering a freebie can get customers used to using their products or services, may engender goodwill and may be a smart business decision. But if those retailers fail to adequately define the terms of the free trial, they may be setting themselves up for a disaster. The recent suicide of online activist Aaron Swartz, who was under indictment for breaking into MIT's computers to "steal" information from an online resource, raises many issues about criminal law, prosecutorial discretion and the open nature of information. But for retailers, it raises questions about the terms and conditions under which they can control the distribution of digital access and digital information.

This holiday season, I was walking through the mall seeking out the See's Candies ladies with their free samples. I would gladly take a chocolate lollipop or a toffee square, circle the mall and come back for another. The free sample came with no terms or conditions and no obvious limitations on access or use. Could I then argue that, because See's was giving away chocolate lollipops, these items were "free" and that I was, therefore, lawfully entitled to take six or seven boxes from behind the counter without paying for them? Absurd. But why? Because in the real world, we have loosely formed social conventions and a system of shaming to enforce them. I can have one or two chicken teriyaki samples on a toothpick but can't make that my dinner for a month. The enforcement tends to be of the type, "Hey, haven't you been here before?" Although there are some abuses, for the most part, the system does what it is supposed to do.

Online may be different. I say may, because although the normal conventions for what is "acceptable" and what is not may still apply online (or new comparable conventions may exist), the ability to quickly and efficiently thwart such conventions may create new legal and technological problems for anyone with an online presence. To understand this, we must first understand what Aaron Swartz did that got him into legal hot water.

In a nutshell, Swartz—by all accounts a brilliant programmer and online activist—initially obtained a free trial to the U.S. Government's PACER system of electronic court records by visiting the federal courthouse in Chicago. Virtually all filings in the federal courts, pleadings, motions and court opinions are stored on PACER, which charges a per-document fee for access. Because these are government documents (well, many of them are not, but we'll put that aside for now), the government does not obtain an enforceable copyright in its works. Swartz then used his free trial and a bit of technology (a PERL script) to attempt to download the entire PACER database, which he was going to make available for free on a cloud server. He downloaded more than 19 million documents, for which PACER would have charged $0.08 each, or a potential "theft" of more than $1.5 million from the federal government. Certainly not what PACER envisioned when it gave Swartz a free trial. But because neither the PACER Terms of Service nor free trial terms appeared to prohibit this, and because the works taken were not obviously subject to copyright (at least those created by the government), the FBI investigated but did not prosecute these actions.

In the second case, Swartz accessed the open networks at MIT and obtained a free wireless MIT account, using it to access the MIT library's JSTOR access account. JSTOR is a repository of academic and technical journals that charges a fee of up to $50,000 a year to academic institutions for access. These institutions then make access to these journals available to their communities. Ordinary users must obtain a user ID and password from JSTOR and pay for access to individual articles. But Swartz accessed the MIT Wi-Fi network, created a guest account and wrote a program called "keepgrabbing" to get around JSTOR's limits on downloading. When MIT and JSTOR blocked this access, he changed his IP address, got a different computer and, eventually, just went into an MIT wiring closet and hardwired a computer into the network to keep downloading JSTOR documents. Swartz planned to make the JSTOR documents available on P2P networks. This time, he was indicted for hacking, and those charges may ultimately have lead to his suicide.

So what does this mean for retailers?So what does this mean for retailers?

We are back to my See's Candies problem. Whenever any content is made available or accessible online, we create a "right" to access, download, view and use that data. Under copyright law, we have created an implied license. That means we give up a tiny bit of our copyright rights. Apart from copyright law, we have created an implied right to access our computers (Web servers) and view (download) content. But for what purposes? What rights have we granted? Just like in the See's Candies case, we want online viewers to act responsibly—to use the content properly and to not abuse it. But once the content is up there, what actually prevents or limits abuse—both technologically and legally?

The key here is to have an appropriate balance between law, enforcement, monitoring and technology commensurate with the business model retailers intend to operate. This means having more detailed and robust terms of use and terms of service that set out exactly what you, as a retailer, are giving up and what you are not giving up. It means telling users with some degree of specificity what they can and cannot do. Remember, though, that you will never be able to think of all the various forms of abuse and misuse people can engage in. So retailers should reserve the right to terminate or restrict access to anyone they believe is acting in a manner that is abusive or improper.

Retailers should also state that circumvention or attempted circumvention of access controls or limitations on access or use constitute either unauthorized access, attempted unauthorized access or exceeding authorized access to their systems or data. In addition, retailers should include some copyright language that restricts republishing or reuse of copyrighted data. All of this gives retailers the legal ability to enforce some restrictions. It's like putting up a sign that says, "One lollipop per customer." It's not perfect, but it's a start.

Next, of course, is to have a robust abuse monitoring program. Whether retailers are operating a Web site or a full on E-Commerce server, they need to keep tabs on the system and take appropriate action when abuse occurs. The Swartz case illustrates that people who want to abuse your network will take actions—sometimes extraordinary actions—to hide what they are doing. Indeed, if you wanted to re-create the entire JSTOR database in a way that would elude detection, you would simply add a browser plug-in to all JSTOR users' computers that would take any document those users looked at (lawfully) and copy it into a new database.

Such a plug-in, called RECAP, already exists for users of Firefox who access the PACER system. Over time, all of the protected files are copied into an unprotected database, with activity that simply looks like normal activity. So instead of visiting the See's Candies stand a thousand times, I get a thousand people to visit once each and then give me the lollipops. I quickly get my free boxes of lollipops.

Finally, online retailers must have a robust incident response plan or program. So, now that I see abuse, what do I do? How do I circumvent those who are trying to circumvent my access controls? Do I call the police? MIT itself is under withering criticism for the way the university attempted to protect its own networks and for the fact that it was cooperating with the FBI and the local U.S. Attorney’s Office. Responding properly to such an "incident" is a combination of law, technology, reputation management and uncommon sense.

Abuses will continue to occur. The key here is to detect and manage such abuse. And, oh, haven't you already had three mocha lollipops?

If you disagree with me, I'll see you in court, buddy. If you agree with me, however, I would love to hear from you.