The blame game: can Internet service providers escape liability for semantic attacks?

Author: Vir, Monica
  1. INTRODUCTION

    Recent news articles and publications by experts seem to predict that courts will not be lenient toward Internet service providers ("ISPs") (1) who fail to protect against semantic attacks. (2) A semantic attack targets the meaning assigned to content, for example by posting false information on message boards. (3)

    The recent decision in Hart v. Internet Wire, Inc. addressed the liability of an Internet service provider against such a semantic attack. (4) In Hart, Mark Simeon Jakob ("Jakob") was employed by Internet Wire, a news wire service which distributes corporate news to the public. (5) Jakob bought short (6) positions on 3,000 shares of Emulex stock, expecting the price of the shares to drop. (7) Jakob faced a loss of almost $97,000 when the price of the stock started to climb. (8) Using his knowledge of the internal methods with which press releases are submitted to and published on Internet Wire, he then schemed to drive down the price by publishing a false press release. (9)

    Jakob posed as an Emulex public relations executive and sent an e-mail to Internet Wire, requesting that the press release be published. (10) The Internet Wire staff treated the press release as authentic. (11) The press release described various problems at Emulex, including the restatement of earnings, the resignation of the company's CEO, and a SEC investigation into the company's practices. (12) Internet Wire published the press release the next morning. (13) Bloomberg, the worldwide news organization, picked up the story from Internet Wire and issued the statement. (14) Bloomberg did not investigate the veracity of the press release. (15) Within sixteen minutes of the Bloomberg headline, the Emulex share price dropped by sixty dollars. (16) NASDAQ halted trading and Emulex exposed the fraudulent release. (17) Bloomberg then reported that the press release had been false, and the stock price climbed back to the price at which it normally traded. (18)

    During those sixteen minutes, Jakob was able to cover his position at a profit. (19) And despite a recovery of the stock price, the fraudulent press release caused an "estimated $2.2 billion lost market capitalization and $1.10 million in loss to investors in Emulex securities." (20) A class action suit for securities fraud was filed on behalf of those persons who had sold common stock or call options or who had purchased put options in Emulex after the market opened until trading halted. (21) The court determined that the plaintiffs had failed to adequately plead scienter and the case was dismissed with leave to replead. (22)

    Another type of attack that can cause severe economic losses is what Margaret Jane Radin, Professor of Law at Stanford Law School, aptly names "netjacking." (23) A Distributed Denial of Service ("DDoS") attack is a severe form of netjacking. (24) Rather than break into a system to steal data, a hacker attempts to prevent users from accessing their own network for reasons known only to the hacker, such as "revenge, economical or political gain, or just plain nastiness." (25) A DDoS attack may be deliberate or accidental, but it is "considered to take place only when access to a computer or network is intentionally blocked as a result of some malicious action." (26)

    The Computer Security Institute, based in San Francisco, released its 2001 Computer Crime and Security Survey in which 186 of 538 total respondents collectively reported approximately $378 million in financial losses in the past year due to computer security breaches. (27) Other statistics included a report of 85 percent of respondents experiencing breaches of their computer security systems, 70 percent pointing to their Internet connections as a frequent point of attack, and 31 percent stating that their internal systems were targeted for attack. (28) Denial of service attacks resulted in a reported loss of millions of dollars to Yahoo!, Amazon.com, and Ebay in February 2000 alone. (29)

    Radin provides this helpful chart of the DDoS chain of actors and vulnerabilities: (30)

    DDOS PARTICIPANT                               KEY VULNERABILITIES
    Individual computer users                      Open operating system architecture, high bandwidth connections.
    Portals and commerce sites                     Lack of awareness; lack of personnel, technology
    Corporations/online business sites             Attack modes keep changing, distributed attacks hard to trace in real time
    Network infrastructure and service providers   Unwitting conduit for malicious packets

    If an ISP were subject to a DDoS attack, would it be liable for the financial losses incurred to the users of its site? If the plaintiffs had adequately pled their case, could Internet Wire and Bloomberg have defended themselves with defenses normally used in securities fraud cases? Would they be subject to any other causes of action or have any other defenses? Some ISPs have improved their detection of viruses, worms, and other threats. Therefore, by engaging in semantic attacks or assaults on meaning, hackers are finding different, subtle ways to attack and spread misinformation, especially now that the Internet has become a popular medium for obtaining news. Would a court expect defendants to safeguard against such semantic attacks?

    Part II of this Note examines possible claims against an ISP. Part III analyzes the strengths and weaknesses of possible defenses an ISP could utilize in the event it is charged with failure to protect against a semantic attack. Finally, Part IV examines the future implications of this topic in an environment now focused on preventing new forms of cyber terrorism.

  2. CLAIMS

    1. Federal Statutes

      Congress addressed hacker liability in the Electronic Communications Privacy Act (31) and the Computer Fraud and Abuse Act. (32) This current law, however, "is not clear[] ... regarding a company's duty to protect its computer network from third-party glitches within its own system." (33) The Gramm-Leach-Bliley Act (34) guidelines "suggest a number of security measures that banks, credit unions, and other financial institutions should implement to protect their computer databases." (35) Every state, with the exception of Vermont, has enacted computer crime legislation. (36)

      Nevertheless, a statute addressing the liability of private companies does not currently exist. Therefore, whether courts would hold Internet sites (37) liable for security breaches of their databases that contain customers' private information is unclear. (38)

    2. Breach of Contract

      Raul suggests that the contract model "might apply in the context of parties who have contracted to provide and receive data storage or processing services, but would not generally apply in the case of security breaches affecting individuals or other third parties." (39) In contrast, Radin argues that contractual disclaimers are "legally efficacious in some contexts, but not always." (40) While she concedes that "contractual disclaimers are not binding on third parties who are not parties to the contract," (41) Radin notes that "not all contracts are valid and enforceable." (42) If a contract is of invalid formation or of invalid content, it could be unenforceable. (43) Radin believes that a court will scrutinize terms of service for overreaching, especially to determine whether there was unequal bargaining power between an ISP and an individual consumer. (44)

      Courts in various jurisdictions differ as to whether they would allow an ISP to shift its own negligence to the other party in its contract. (45) Radin uses the AOL contractual disclaimer as an example of an attempt to shield itself from a DDoS attack:

      UNDER NO CIRCUMSTANCES SHALL AMERICA ONLINE, ITS SUBSIDIARIES, OR ITS LICENSORS BE LIABLE FOR ANY DIRECT, INDIRECT, PUNITIVE, INCIDENTAL, SPECIAL, OR CONSEQUENTIAL DAMAGES THAT RESULT FROM THE USE OF, OR INABILITY TO USE, THIS SITE. THIS LIMITATION APPLIES WHETHER THE ALLEGED LIABILITY IS BASED ON CONTRACT, TORT, NEGLIGENCE, STRICT LIABILITY, OR ANY OTHER BASIS, EVEN IF AMERICA ONLINE HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. BECAUSE SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, AMERICA ONLINE'S LIABILITY IN SUCH JURISDICTIONS SHALL BE LIMITED TO THE EXTENT PERMITTED BY LAW. (46)

      Whether a court would find this disclaimer valid and enforceable depends on such factors as the choice of law, choice of forum, and whether courts in those jurisdictions approve of contracts of adhesion. (47)

    3. Tort Liability

      Another available claim appears under the tort model. Applying this theory, victims of security breaches would need to prove the following elements to recover for damages: "(1) a reasonable duty of care necessary to prevent security breaches, (2) a breach of that duty, (3) a proximate relationship between the breach of the duty and the injury, and (4) actual loss or damage sustained as a result of the breach." (48) Nevertheless, establishing a standard duty of care for all Internet service providers is difficult, unwieldy, and may even promote hacking. (49) In the Hart case, Jakob was an employee of Internet Wire; (50) therefore, the plaintiffs could have also pursued a vicarious liability claim under the theory of respondeat superior. (51)

    4. Securities Fraud and 10b-5 Claims

      A securities fraud claim can arise under section 10b-5 of the Securities Exchange Act of 1934. (52) This was the claim used by the class action plaintiffs in Hart v. Internet Wire. (53) In Hart, the court noted that to "satisfy the scienter element of Section 10(b), a complaint must allege facts giving rise to a strong inference that the defendant acted with 'intent to deceive, manipulate, or defraud,'" (54) and that "[f]ailure to plead this basic element is grounds for dismissal of a Section 10(b) claim." (55)

      Nevertheless, given the monetary and reputation losses that ISPs suffer in the wake of a semantic attack, plaintiffs will have difficulty alleging that an ISP willfully intended to "deceive, manipulate, or...
