Forwarded From: phreak moi <hackerelitet_private> http://www.news.com/News/Item/0,4,27374,00.html?st.ne.fd.gif.d Hotmail frames raise legal fire By Paul Festa Staff Writer, CNET News.com October 9, 1998, 1:15 p.m. PT While security experts frequently talk about the universal tradeoff between convenience and security, Microsoft's Hotmail may find itself poised between security and legality. In an attempt to protect users from potential password-stealing schemes, Hotmail recently started framing sites that users access from hotlinked URLs included in incoming email. If a Hotmail user receives a URL in an email message and clicks on it, the new site appears under a banner with the Hotmail logo and the text, "You are visiting a site outside of Hotmail. Close this new browser window to return to Hotmail." The banner persists as long as the user continues to surf within that window unless he or she manually types in a new URL. The new warning banner does not appear when users click on banners for Hotmail advertisers. Hotmail initiated the framing procedure to thwart potential "Trojan horse" attacks designed to steal user names and passwords. While no actual attacks were reported against Hotmail users, security-minded programmers posted a series of demonstrations illustrating how attackers could spoof Hotmail log-in pages and trick users into handing over control of their accounts. But the warning is not universally effective in tipping off users to spoofed log-in pages. The most recent exploit demonstration, posted by Specialty Installations Web programmer Tom Cervenka and dubbed "Attackments," still works and eludes the Hotmail warning. Hotmail notes that it never claimed to have solved the security problem associated with attachments, apart from advising users not to download attachments except from trusted sources. Framing, or the process of linking to a site and then presenting it in a frame within one's own site, has been the source of several legal confrontations. In one high-profile case, the news aggregator TotalNews settled with news publishers that had sued the company for presenting their stories within TotalNews frames and with TotalNews banner advertising. Hotmail was quick to point out differences between its framing practices and those of TotalNews. "This is really just a navigation tool," said Hotmail spokesperson Robin Foster. "What TotalNews got dinged on was because they were profiting from putting other's people's content within their own frame. We're not profiting in any way, and we don't want to profit. We just want to warn our users." Attorneys specializing in trademark and copyright law said Hotmail was legally on fairly solid ground, but not bedrock. As far as trademark law is concerned, a litigant would have to claim that by framing its content, Hotmail had created confusion about the origin of the content, according to attorney Brent Britton of Britton Silberman & Cervantes. But the very text of the banner, informing users that they have left Hotmail, answers that claim, Britton said. On the copyright issue, however, Hotmail may have crossed a line by creating what the law considers a "derivative work," combining its own content--the banner--with the content of the site linked to from within Hotmail. "Technically, Hotmail doesn't have permission to do that," Britton said. "Creating a derivative work is one of the exclusive rights that belong to the copyright holder. By tucking your entire Web page into my Web page, there's technically a copyright infringement." But Britton said the harm caused by such an infringement was probably so minimal, and so difficult to prove, that Hotmail would be an elusive legal target. Additionally, in part because the TotalNews case was settled out of court, there is little legal precedent to rely on in the area of framing and copyright law. One case currently pending, however, may clarify the question of whether framing a site amounts to illegally creating a derivative work. That case, Futuredontics, vs. Applied Anagramics, has seen two rulings so far, one in November 1997 refusing to grant a preliminary injunction, and the other in January of this year refusing to dismiss the claim of copyright infringement. Those two rulings indicate that the judge in the case sees the "derivative work" claim as neither unreasonable nor obviously valid, according to Cooley Godward attorney Eric Goldman. Central to the "derivative work" copyright infringement argument is the alteration of the framed site's "look and feel," Goldman said. By that token, certain sites may object to being framed. Because Hotmail specifies a margin height within its frame, some sites may find their design altered (News.com is one such example). Other sites may have trouble identifying users with subscriptions. "When a site gets framed, it loses control of its look and feel," said Forrester Research senior analyst Jim Nail. "Look and feel is crucial to the user experience, and that is absolutely critical to maintaining loyalty. Anything that removes a level of control over the user experience, the sites are going to fight, and they should. They run the risk of losing users, and losing advertising inventory to sell, and they wind up losing opportunity to create revenue." In addition to the risk of changing the look and feel of a site, framing also may impact how sites measure their visitors. While framing does not affect the hit counts, or records of how many pages or files are accessed from a particular site, it does skew the information regarding the provenance of those requests. In this case, sites accessed from within Hotmail will appear to have originated from Hotmail servers, rather than the personal computers of individual users. Some sites have found a technological way to prevent themselves from being framed. CNN Interactive, for example, refreshes itself and essentially jumps out of the Hotmail frame a few seconds after loading. While Hotmail may have a solid legal argument that its banner eliminates branding confusion that would make it guilty of a trademark violation, the framing practice may cause confusion nonetheless. "It sounds to me like you could very easily confuse the user," Nail said. "First I'm in Hotmail, then it says I'm not in Hotmail--but am I actually still in Hotmail? Less sophisticated users are confused enough--they can't even understand the 'back' and 'forward' buttons. It's not so much a matter of confusing users over whether it is Hotmail vs. non-Hotmail content, but the whole navigation issue that's going to potentially alienate users." Whatever is at stake for sites and users, the legal picture for Hotmail looks fairly clear. "Is what Hotmail is doing illegal, or just annoying?" asked Britton rhetorically. "I think it's probably just annoying." -o- Subscribe: mail majordomot_private with "subscribe isn". Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:07:05 PDT