E-Commerce Law Week, Issue 404

Big Brother's Growing Family
The Bush Administration has revealed precious few details about the National Security Agency's (NSA) warrantless wiretapping program since it was revealed by the New York Times in December 2005. Pretty much all it has said is that the program involves only phone calls and emails between the U.S. and abroad, not strictly domestic communications, and that it targets the communications of terrorists, not "ordinary Americans."  On May 11, however, USA Today reported that AT&T, Verizon, and BellSouth have provided NSA with the phone records of "tens of millions of Americans" with no suspected connection to terrorism so that NSA can analyze call patterns in an effort to "detect terrorist activity." While members of Congress are suddenly, like Captain Renault in Casablanca, "shocked, shocked" to learn that innocent Americans' phone records are being run through the NSA grist mill, Congress itself provided the legal authority for obtaining huge troves of non-content "call detail records" (i.e., information about who calls whom, and when) when it drastically expanded the government's National Security Letter (NSL) authority in the USA PATRIOT Act. According to press reports, though, it seems that the companies may not have even required NSLs from the government, but provided the information to NSA voluntarily, raising the question whether they violated statutes protecting the privacy of call records (e.g., 47 U.S.C. § 222 and 18 U.S.C. § 2702 ). Several class actions have already been filed against the telcos in New York and Washington, D.C.  And all three have denied at least some of the USA Today allegations. The two big legal questions for telecommunications carriers (and any other company that might have similarly cooperated with government data collection efforts) are: (1) what was the legal basis for providing the call record information, and (2) will the government attempt to short-circuit the mounting lawsuits by dropping the "state secrets" bomb, as it did in the class action over warrantless wiretapping?

ICANN Says "ICANN'T" To .XXX Domain
When a coalition is diverse enough to include social conservatives and porn website operators, it tends to get what it wants. And in this case, what it wanted was rejection of the proposed .xxx domain by the Internet Corporation for Assigned Names and Numbers (ICANN). On May 10, ICANN's Board of Directors complied, voting 9-5 to scrap the proposal, which would have created a virtual black curtain for segregating "adult" web content -- the Internet's version of the adult section in the back room of a video store. But the death of .xxx hasn't ended the controversy. There's still no clear consensus about how to deal with sexually explicit content on the web. Some believe that creating an Internet red-light district would be an effective way to shield innocent Internet surfers -- especially children -- from sexual content. Others believe the domain would actually encourage more porn, especially because registration for .xxx would have been purely voluntary and would not have done away with porn available through .com sites. The point may be moot for now, but the issues that gave birth to the .xxx idea clearly haven't gone away.

FCC Finally Publishes Second CALEA Order, While Judge Calls Defense of First Order "Gobbledygook"
Last August, the Federal Communications Commission (FCC) adopted an order extending the scope of the Communications Assistance for Law Enforcement Act (CALEA) to cover broadband Internet access service providers and "interconnected VoIP service" providers. The order did no more than (1) specify which entities CALEA now covers and (2) require covered providers to come into compliance within 18 months of the effective date of the order. Other issues -- such as enforcement, compliance extensions, and cost recovery -- were left to be dealt with in a second order to be issued "in the coming months."  On May 12, roughly nine months later, the FCC has finally gotten around to issuing that second order, while leaving the compliance deadline unchanged. But this order is certainly not the last word on this issue. A week earlier, the D.C. Circuit heard hearings on a challenge to the first order and expressed serious misgivings about the extension of CALEA to broadband access providers.  So providers are left with a short time to comply with an order that seems likely to be struck down at least in part.

Congress Can't COPE With Cable, So the Nutmeg State Spices Things Up
As H.R. 5252, the "Communications Opportunity, Promotion, and Enhancement Act of 2006," or COPE Act, works its way through Congress, debate continues over whether Internet service providers that deploy new Internet Protocol-based video ("IPTV") technologies should be subject to the same regulatory framework as traditional cable TV providers. A key point of contention among lawmakers and regulators has been whether such new technologies should be regulated based on "function" or "design." In its current wording, the COPE Act sides with the "functionalists," amending the definitions of "cable operator" and "cable service" given in Section 602 of the Communications Act of 1934 to include "the transmission to subscribers of video programming -- without regard to delivery technology, including Internet protocol technology," even in cases where the video programming is provided in combination with "a telecommunications service or information service." This would mean that IPTV would be regulated like traditional cable TV. But the COPE is still a long way from passage. And while the federal government continues to debate, states are beginning to move ahead on their own, which could result in ISPs' confronting a "crazy quilt" of differing approaches across the country. Connecticut is one of the first, and it has taken the opposite approach from the COPE Act. The Nutmeg State recently announced in a draft decision that IPTV "is merely another form of data stream transmitted ... over the Internet, and as such is not subject to legacy cable franchising requirements."

"Economic Loss" Rule Bars Negligence Claim in Breach Lawsuit, Court Rules
The difficulty of proving damages can sometimes make it tricky to bring negligence lawsuits against companies that have suffered computer security breaches. And even if damages can be proven, certain damages just don't count. That's the gist of the common law "economic loss" rule, which bars recovery on a negligence claim for purely economic losses. According to this rule, plaintiffs must prove something more, such as physical injury or damage to personal property. And this rule applies not just to suits by individuals, but also to suits brought by plaintiff companies, according to recent federal court decisions involving suits by banks against BJ's Wholesale Club, Inc. See Sovereign Bank v. B.J.'s Wholesale Club, Inc., and Banknorth, N.A., v. B.J.'s Wholesale Club, Inc. So while banks and other companies stand to benefit from this rule when they're the defendants in a breach case, they could suffer from it when they're the plaintiffs and are trying to recover for losses caused by someone else's bad security. It remains to be seen whether the economic loss doctrine is consistently applied in the relatively new area of breach lawsuits, or whether courts begin to develop ways to allow plaintiffs to get around it.

Questions and comments about E-Commerce Law Week are always welcome. Please send your feedback to Sally Albertazzie.