[ISN] Hotmail frames raise legal fire

From: mea culpa (jerichot_private)
Date: Sat Oct 10 1998 - 03:50:00 PDT


    Forwarded From: phreak moi <hackerelitet_private>
    
    http://www.news.com/News/Item/0,4,27374,00.html?st.ne.fd.gif.d
    Hotmail frames raise legal fire
    By Paul Festa
    Staff Writer, CNET News.com
    October 9, 1998, 1:15 p.m. PT
    
    While security experts frequently talk about the universal tradeoff
    between convenience and security, Microsoft's Hotmail may find itself
    poised between security and legality. 
    
    In an attempt to protect users from potential password-stealing schemes,
    Hotmail recently started framing sites that users access from hotlinked
    URLs included in incoming email. 
    
    If a Hotmail user receives a URL in an email message and clicks on it, the
    new site appears under a banner with the Hotmail logo and the text, "You
    are visiting a site outside of Hotmail. Close this new browser window to
    return to Hotmail." 
    
    The banner persists as long as the user continues to surf within that
    window unless he or she manually types in a new URL. 
    
    The new warning banner does not appear when users click on banners for
    Hotmail advertisers. 
    
    Hotmail initiated the framing procedure to thwart potential "Trojan horse"
    attacks designed to steal user names and passwords. While no actual
    attacks were reported against Hotmail users, security-minded programmers
    posted a series of demonstrations illustrating how attackers could spoof
    Hotmail log-in pages and trick users into handing over control of their
    accounts. 
    
    But the warning is not universally effective in tipping off users to
    spoofed log-in pages. The most recent exploit demonstration, posted by
    Specialty Installations Web programmer Tom Cervenka and dubbed
    "Attackments," still works and eludes the Hotmail warning. 
    
    Hotmail notes that it never claimed to have solved the security problem
    associated with attachments, apart from advising users not to download
    attachments except from trusted sources. 
    
    Framing, or the process of linking to a site and then presenting it in a
    frame within one's own site, has been the source of several legal
    confrontations. In one high-profile case, the news aggregator TotalNews
    settled with news publishers that had sued the company for presenting
    their stories within TotalNews frames and with TotalNews banner
    advertising. 
    
    Hotmail was quick to point out differences between its framing practices
    and those of TotalNews. 
    
    "This is really just a navigation tool," said Hotmail spokesperson Robin
    Foster. "What TotalNews got dinged on was because they were profiting from
    putting other people's content within their own frame. We're not
    profiting in any way, and we don't want to profit. We just want to warn
    our users." 
    
    Attorneys specializing in trademark and copyright law said Hotmail was
    legally on fairly solid ground, but not bedrock. 
    
    As far as trademark law is concerned, a litigant would have to claim that
    by framing its content, Hotmail had created confusion about the origin of
    the content, according to attorney Brent Britton of Britton Silberman &
    Cervantes. But the very text of the banner, informing users that they have
    left Hotmail, answers that claim, Britton said. 
    
    On the copyright issue, however, Hotmail may have crossed a line by
    creating what the law considers a "derivative work," combining its own
    content--the banner--with the content of the site linked to from within
    Hotmail. 
    
    "Technically, Hotmail doesn't have permission to do that," Britton said.
    "Creating a derivative work is one of the exclusive rights that belong to
    the copyright holder. By tucking your entire Web page into my Web page,
    there's technically a copyright infringement." 
    
    But Britton said the harm caused by such an infringement was probably so
    minimal, and so difficult to prove, that Hotmail would be an elusive legal
    target. Additionally, in part because the TotalNews case was settled out
    of court, there is little legal precedent to rely on in the area of
    framing and copyright law. 
    
    One case currently pending, however, may clarify the question of whether
    framing a site amounts to illegally creating a derivative work. 
    
    That case, Futuredontics, vs. Applied Anagramics, has seen two rulings so
    far, one in November 1997 refusing to grant a preliminary injunction, and
    the other in January of this year refusing to dismiss the claim of
    copyright infringement. Those two rulings indicate that the judge in the
    case sees the "derivative work" claim as neither unreasonable nor
    obviously valid, according to Cooley Godward attorney Eric Goldman. 
    
    Central to the "derivative work" copyright infringement argument is the
    alteration of the framed site's "look and feel," Goldman said. 
    
    By that token, certain sites may object to being framed. Because Hotmail
    specifies a margin height within its frame, some sites may find their
    design altered (News.com is one such example). Other sites may have
    trouble identifying users with subscriptions. 
    
    "When a site gets framed, it loses control of its look and feel," said
    Forrester Research senior analyst Jim Nail. "Look and feel is crucial to
    the user experience, and that is absolutely critical to maintaining
    loyalty. Anything that removes a level of control over the user
    experience, the sites are going to fight, and they should. They run the
    risk of losing users, and losing advertising inventory to sell, and they
    wind up losing opportunity to create revenue." 
    
    In addition to the risk of changing the look and feel of a site, framing
    also may impact how sites measure their visitors. While framing does not
    affect the hit counts, or records of how many pages or files are accessed
    from a particular site, it does skew the information regarding the
    provenance of those requests. 
    
    In this case, sites accessed from within Hotmail will appear to have
    originated from Hotmail servers, rather than the personal computers of
    individual users. 
    
    Some sites have found a technological way to prevent themselves from being
    framed. CNN Interactive, for example, refreshes itself and essentially
    jumps out of the Hotmail frame a few seconds after loading. 
    
    While Hotmail may have a solid legal argument that its banner eliminates
    branding confusion that would make it guilty of a trademark violation, the
    framing practice may cause confusion nonetheless. 
    
    "It sounds to me like you could very easily confuse the user," Nail said.
    "First I'm in Hotmail, then it says I'm not in Hotmail--but am I actually
    still in Hotmail? Less sophisticated users are confused enough--they can't
    even understand the 'back' and 'forward' buttons. It's not so much a
    matter of confusing users over whether it is Hotmail vs. non-Hotmail
    content, but the whole navigation issue that's going to potentially
    alienate users." 
    
    Whatever is at stake for sites and users, the legal picture for Hotmail
    looks fairly clear. 
    
    "Is what Hotmail is doing illegal, or just annoying?" asked Britton
    rhetorically. "I think it's probably just annoying." 
    
    -o-
    Subscribe: mail majordomot_private with "subscribe isn".
    Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
    


