Hot Topics in Cyberspace Law: 2006 Edition
American Bar Association, Business Law Section
Cyberspace Law Committee
Spring Meeting, April 7, 2006
Sony’s DRM Experience: When Copyright Protection Attacks
Who is Right About WHOIS Privacy?
Kristine F. Dorrain
Internet Legal Counsel
National Arbitration Forum
“So, That’s The End of It, Right?” – Lawyers’ Obligations arising from Gramm-Leach-Bliley
since ABA v. FTC
Larkin Hoffman Daly & Lindgren Ltd.
Is Google the Center of Cyberspace or Just the Center of Attention?
Prof. Sharon K. Sandeen
Associate Professor of Law
Hamline University School of Law
St. Paul, MN
Michael Fleming practices with the firm of Larkin, Hoffman, Daly & Lindgren Ltd in the
Twin Cities of Minnesota. Michael’s practice areas include technology transactions,
including licensing of software and other IP assets, electronic commerce, data privacy
and security, marketing and advertising, and general commercial transactions. He is a
1992 graduate of William Mitchell College of Law, and lives in the Twin Cities with his
wife, a reformed attorney, and four-year old daughter, who is already acting dangerously
like a lawyer. Michael can be reached at email@example.com.
Eran Kahana is a corporate attorney for DataCard Corporation, an international hardware
and software company with offices in 10 major cities around the world. He has nearly 10
years of experience negotiating and drafting a wide variety of commercial agreements,
including software licensing agreements. Eran is a frequent speaker at Minnesota CLE
and other nationwide legal events on issues such as e-commerce, contract law,
intellectual property, privacy and security, and has authored law review and Business Law
Today articles on topics ranging from business law to cyber law and entrepreneurial issues.
Eran is also Co-Chair of the Malware Subcommittee, American Bar Association
Cyberspace Law Committee.
Prof. Sharon K. Sandeen
Sharon K. Sandeen is an Associate Professor of Law at Hamline University School of
Law in St. Paul, Minnesota. She received an LL.M. from the University of California
Berkeley, Boalt Hall School of Law, a J.D. from the University of Pacific, McGeorge
School of Law, and a B.A. in political science from University of California Berkeley.
Prior to beginning her teaching career in 2002, Professor Sandeen practiced law for over
fifteen years in Sacramento, California.
KRISTINE F. DORRAIN, Esq.
Internet Legal Counsel
Kristine Dorrain serves as Internet Legal Counsel for the
National Arbitration Forum (NAF). Ms. Dorrain oversees NAF’s
intellectual property (IP) dispute resolution programs, including
NAF’s internationally recognized domain dispute program. She
also manages the recruitment and organization of NAF’s
intellectual property panels.
At NAF, Ms. Dorrain’s work focuses on providing legal counsel
for the domain dispute arbitration program. She counsels NAF case management staff
as well as ensures that NAF arbitration panelists are adhering to NAF’s Code of
Procedure, where applicable, and other relevant domain name dispute rule sets.
Additionally, Ms. Dorrain oversees the strategic development of NAF’s premium IP
Arbitration and Mediation panel. She ensures that NAF’s IP Panel includes the most
well-trained and experienced IP arbitrators and mediators in the business. Ms. Dorrain
also plays a significant role in marketing NAF’s overall IP ADR services.
Prior to joining NAF, Ms. Dorrain was an Intellectual Property Assets Manager for
Samsung Electronics. While at Samsung, she managed patent prosecution and an
extensive patent case portfolio. She was responsible for preparing and evaluating
invention disclosures, writing patent applications and managing research on prior art.
Ms. Dorrain obtained her Juris Doctorate from William Mitchell College of Law and her
undergraduate degree from Saint Cloud State University, Saint Cloud, Minnesota. She is
a member of the American Intellectual Property Law Association (AIPLA) and actively
serves on the Trademark Internet and Cyberspace Committee. She is also a member of
the American Bar Association’s (ABA) Special Committee on Online Trademark Issues
and the Cyberspace Law Committee. Currently, she is serving as a Competition Coach
to the William Mitchell College of Law’s Saul Lefkowitz Moot Court Competition teams.
In addition to her work at NAF, Ms. Dorrain spends most of her free time caring for and
working with her four horses, which has been a lifelong hobby of hers. She is recently
married to her husband Mike, and they live in St. Paul, Minnesota together.
Sony’s DRM Experience: When Copyright Protection Attacks
a. Sony BMG’s (“Sony”) copyright protection methods caused it a significant public
relations nightmare, in addition to (at least) three class action lawsuits, two in
California, one in New York, and an investigation by Florida’s Attorney General. This
controversy highlights the diverging interests the protagonists hold in the battle against
DRM, the definition of malware, and the seemingly Sisyphean efforts by copyright
holders to stamp out piracy.
b. Sony’s use of the controversial DRM began in mid-2004 and involves 52 titles
featuring popular artists such as Frank Sinatra, Celine Dion and Louis Armstrong. It
wasn’t until more than a year later that computer security experts, most notably Mark
Russinovich, found rootkits on their system and began blogging about it. The media
frenzy that ensued fanned the proverbial fires causing Sony to suffer a number of
“black eyes” as it scrambled to contain the damage.
c. This case involves the use of technology that some have called “malware”. Others
have resisted this arguably expansive use of the term, preferring instead to label it
“ineptware.” The difference between these two labels appears to rest mainly on
labeling the developer’s intent, rendering the former to an equivalent of causing willful
damage, and the latter to a more benign damage by negligence.
d. This presentation wraps together the definitions, technology and legal actions and aims
to provide practitioners with an understanding and update on what this controversy
a. A “rootkit” is a set of software tools that conceals a variety of running processes that
abuse the host computer, which once infected is known as a “rooted computer”.
Rootkits are usually employed by malware designers who depend for their success on
their activities to remain hidden from the user.
b. Digital Rights Management (“DRM”) refers to technology that controls access to
digital data, such as music and movies.
a. The technology:
i. Sony distributed music CDs that covertly installed a rootkit on the user’s
computer. (It is alleged that the CD package did not alert buyers to the fact an
application would even be installed. That disclosure was made in the EULA,
which is discussed in more detail below.)
ii. The rootkit masked the installation of one of two DRMs, one, known as
Extended Copy Protection (“XCP”), which was developed by a company called
First4Internet (F4I), and the second one, known as MediaMax, developed by
SunnComm. The XCP was cloaked by the installation of Aries.sys. 1
iii. The rootkit transmitted user information back to Sony and, according to some
accounts, could not be removed without damaging the Windows OS.
iv. Early on Sony exhibited an inexplicable arrogance, in terms of both business and
common sense, as illustrated in a comment made by its president of global
digital business: “Most people don't even know what a rootkit is, so why
should they care about it?” 2
v. Is there a legitimate use for a rootkit?
1. While there’s no question that Sony has a legitimate interest in
protecting its copyright, the question is, however, how far does this
right go? 3
2. The XCP’s cloaking was designed to make it difficult for the user to
hack the content protection. But was the necessary tradeoff a
“surreptitious” installation of a rootkit?
3. Rootkits can also be used to prevent DRM software from enforcing
copyrights and are employed by several CD burning and disc emulation
vi. What is the future of DRM? Is employing it a losing battle? Some critics note
that DRM has stopped short of proving to be the panacea to the issue of
piracy. Those intent on circumventing it will find a way to do so, much in the
same way that hackers penetrate even the most “secure” websites; much in the
same way drug smugglers always seem to find a way to bring in drugs and so
on. This line of reasoning can lead to the conclusion that it makes little sense
to install this arguably quasi-malware and risk consumer rage and lawsuits.
vii. How widespread this rootkit phenomenon is (or how severe the problem
appears to be, depending on your view point) is illustrated by initial estimates
that half a million computers around the world are infected by this rootkit.
viii. The complaint filed by the Electronic Frontier Foundation (“EFF”) alleges
Sony sold 20 million CDs containing the XCP, which suggests that this is
perhaps more widespread than some observers think. Those arguing that the
rootkit is malware point to the brand power associated with Sony and how this
violation injures consumer trust, not only as it relates to Sony but other well-
known brands in which trust might now be diluted.
1 The Texas complaint, discussed in greater detail below, alleges that renaming or deleting the Aries.sys file uncloaks the
XCP without affecting the functionality of the CD.
2 It is interesting to draw the relationship between CAN-SPAM’s requirement that an e-mail contain a valid
“unsubscribe” link and Sony’s failure to initially provide a “valid” method to remove the XCP/MediaMax. Adopting
rationale from the former, Sony could be found to have installed malware. It will be interesting to see if this similarity is
drawn and expanded upon.
3 As in-house counsel I am intrigued by the question of what Sony’s in-house lawyers had to say about employing a
rootkit. It is entirely possible they didn’t even know about it.
ix. Observers point to the fact that virus removal software did not catch the
rootkit’s installation and have difficulty removing it entirely. This is hardly
surprising since an F4I employee shared with reporters that his company
worked with anti-virus companies in developing it. Query whether this
collaboration was meant to ensure the anti-virus software would not detect the
rootkit or whether the collaboration was necessary in order to prevent any more
b. The EULA
i. Did Sony’s EULA adequately obtain consent to install the software?
1. The tension between freedom to contract and (arguably) overreaching
terms is clearly visible in this debate.
2. Click-through agreements are enforceable and it is equally well
established that a user need not have read or even understood a EULA
to be bound to it, only that he/she had an opportunity to read it. The
question remains, however, whether the user’s consent was valid and
that ties into whether or not the opportunity to read the EULA was
3. The opportunity to read the EULA, or the lack thereof, begins with the
fact that Sony did not disclose on the CD’s packaging that anything will
be installed on the consumer’s computer. Had it done so, consumers
would have had more information and could have made a more
informed purchase decision. 4
4. There is also no indication that the user had an opportunity to read the
EULA anywhere else before opening or installing the CD.
Furthermore, the EULA does not explicitly or implicitly provide that
the user may return the CD and receive a refund if he/she does not agree
to its terms and conditions. 5
5. The EULA contains a number of interesting items, as highlighted by the
a. Restrictions on the user’s ability to use the digital content on the
CD in the event that that consumer chooses to leave the United
b. Restrictions on resale and transfer of the digital content on the
c. Restrictions on user’s ability to use the digital content on the
CDs at work;
d. Restrictions on user’s ability to use and retain lawfully-made
copies of the digital content on the CDs in the event that the
original CD is stolen or lost;
4 A disclosure akin to “Contains Explicit Lyrics” would have served Sony well.
5 This suggests that if the user disagrees all he/she will be able to use the CD for is a coaster.
e. Restrictions on user’s ability to use the digital content on the
CDs following a bankruptcy;
f. Conditioning the user’s continued use of the digital content on
the CDs on acceptance of all Sony BMG software updates;
g. A purported $5.00 limit on Sony BMG’s entire liability to the
purchaser of the CDs;
h. Restrictions on user’s ability to examine and test his or her
computer to understand and attempt to prevent the damage caused
by the rootkit;
i. A reservation of rights by Sony BMG to use technological “self-
help” measures against the computers of users who desire to
make use of the digital content on the CDs “at any time, without
j. Restrictions on the user’s ability to seek redress in California
courts, under California law, and the purchaser’s ability to seek
a trial by jury;
k. A disclaimer of all warranties, including implied warranties of
merchantability, satisfactory quality, noninfringement, and
fitness for any particular purpose.
c. Is this malware?
i. A universal definition of malware is elusive and divisive, but if the normative
framework for the definition is the user’s perception of what this rootkit did
and how difficult and precarious removing it initially was then (similar to
Justice Potter Stewart’s I-know-it-when-I-see-it) it is likely to fall within that
ii. Sony doesn’t think so. In its FAQ page at http://cp.sonybmg.com Sony is
asked if this software is considered malware. Their answer is “Of course not.
The protection software simply acts to prevent unlimited copying and ripping
from discs featuring this protection solution. It is otherwise inactive. The
software does not collect any personal information nor is it designed to be
intrusive to your computer system.”
iii. Microsoft apparently thinks Sony’s rootkit is malware. Microsoft is adding
Sony’s rootkit to the worms, Trojans, and viruses its Windows Malicious
Software Removal Tool detects and deletes.
iv. The definition of malware may be more fitting if the analysis centers on the
inability of users, even savvy users, to first detect and then remove the XCP.
But even if this is malware, it does not necessarily change the analysis if the
user validly assented.
d. The Texas complaint.
i. Filed on November 21, 2005. Seeks civil penalties of $100,000 for each
violation of the law, attorneys’ fees and investigative costs.
ii. Alleges Sony violated the Texas Consumer Protection Against Computer
Spyware Act (“CPACSA”) of 2005.
1. According to the complaint, the CPACSA prohibits, among other
things, changing “the name, location or other designation of computer
software to prevent the owner from locating and removing the
software…and [c]reate randomized or intentionally deceptive file
names or random or intentionally deceptive directory folders, formats,
or registry entries to avoid detection and prevent the owner from
removing computer software.”
e. There are 3 class action suits filed.
i. Two were filed in California
1. Filed by EFF and others on November 21, 2005 in the LA County
Superior Court, California. The suit alleges Sony:
a. Violated the Consumer Legal Remedies Act.
b. Violated the California Business and Professions Code § 17200.
c. Breached the Implied Covenant of Good Faith and Fair Dealing.
d. Made false or misleading Statements.
2. Another one filed by EFF and others on December 8, 2005 in the
Northern District of California. The suit alleges Sony:
a. Violated the Computer Fraud and Abuse Act (“CFAA”).
b. Violated the Consumer Legal Remedies Act.
c. Violated the California Business and Professions Code § 17200.
d. Breached the Implied Covenant of Good Faith and Fair Dealing.
e. Made false or misleading Statements.
ii. A third was filed in New York by EFF and others on December 2, 2005.
1. The suit alleges Sony violated:
b. New York General Business Law § 349 et seq. Deceptive Acts
c. New York General Business Law § 350 et seq. False
d. Breached the Implied Covenant of Good Faith and Fair Dealing.
iii. The S.D.N.Y. hearing order.
1. On January 6, 2006 Judge Naomi Buchwald entered a hearing order.
2. The order instructed Sony, among other things, to release its settlement
offer before February 15, 2006; provide a link to the settlement offer
which will be displayed each time a user inserts an XCP or MediaMax
CD into their computer (the software queries Sony’s website); and work
with search engines to ensure the notice is displayed prominently when
users search for “XCP”, “MediaMax” and Sony BMG Settlement. It also
contains an injunction preventing any recipient of the notice who does
not exclude themselves from the class before May 1, 2006 from
pursuing independent action.
3. A notice of appeal to the injunction entered by the hearing order was
filed in New York on January 27, 2006 by Frederick D. Cooke, Jr.
iv. An investigation has been opened by the Florida Attorney General’s Economic
Crimes Division office.
v. There are reports Sony is facing six more class action lawsuits.
vi. The Proposed Settlement
1. A proposed class action settlement was released by Sony on February
2. Sony is offering to compensate users by:
a. A replacement CD.
b. A cash benefit of $7.50.
c. Free downloads of the music on the CD.
d. Up to 3 additional free album downloads.
e. Software updates to fix known security vulnerabilities.
3. The proposed settlement “requires SONY BMG…[and the other
defendants] to update their content protection software on SONY BMG
CDs for security vulnerabilities discovered in the future. The
Defendants also will ensure that, until 2008, any future content
protection software will be fully and accurately disclosed,
independently tested, and readily uninstalled.”
a. What is clear is that Sony’s rootkit opened a back door for undisputed malware to
come in and damage a user’s computer. But it is not clear that their software fits neatly
in the malware category.
b. If nothing else, other companies seeking to protect copyrights and others who have
designs on installing similar copyright protection mechanisms will have (hopefully)
closely followed Sony’s saga and arrived at appropriate conclusions that would include
(i) avoid the temptation to use a rootkit and if you really can’t then (ii) provide a clear
and conspicuous disclosure on the packaging and (iii) provide an easy and workable
detection and removal process (akin to the “unsubscribe” link mentioned earlier).
WHO IS RIGHT ABOUT WHOIS PRIVACY?
by Kristine F. Dorrain, Esq.
What is WHOIS?
Although the many definitions of WHOIS vary widely in terms of detail, 1
WHOIS is most simply a database of domain name owners. Launched with the purpose
of allowing those “techies” who were savvy enough to register domain names in the early
and mid-‘90s to easily contact one another with questions or access problems, WHOIS
has morphed into a repository of personal information accessible via a few mouse clicks
to all with a modem.
With millions of domain names registered, 2 the WHOIS database is a repository
of personal and corporate names and addresses, most of which are correct. The Internet
Corporation for Assigned Names and Numbers (“ICANN”), the organization
commissioned under a Memorandum of Understanding with the United States
Department of Commerce, is responsible for administering the domain name system
Domain names must be registered through accredited registrars. For domain
names ending in the ubiquitous “.com,” each domain name registrant, or owner, agrees to
contractual terms when registering a domain name. One of those terms is a promise to
keep the WHOIS database current with the registrant’s contact information. 3 This
contact information includes a full name, an address, an email address, a phone number,
and a fax number for the registrant, an administrative contact, a technical contact, and a
billing contact. Often, in cases where the domain name owner is not a corporation, the
four contacts are the same individual.
How does WHOIS work?
Each registrar keeps its own WHOIS database; this database is available on the
registrar’s website. Some of this information is also fed into the other WHOIS databases
such as the WHOIS database maintained by Network Solutions Inc., the original
1 For a very detailed definition, see http://en.wikipedia.org/wiki/whois; for a more technical definition,
search “whois” at www.dictionary.com.
2 Verisign, the corporation responsible for administering “.com” and “.net” domain names, has reported in
excess of 40 million domain names registered. See http://www.verisign.com/information-services/naming-
services/index.html (last visited February 13, 2006).
3 The Registrar agrees to keep the WHOIS correct pursuant to an agreement with ICANN (see
http://www.icann.org/registrars/ra-agreement-17may01.htm#2 (last visited February 13, 2006) for an
example of the terms of the Registrar accreditation agreement). This obligation is passed on to registrants
(an example of a registration agreement used by one prominent registrar may be found at
visited February 13, 2006)).
“Thick” WHOIS vs. “Thin” WHOIS
Some WHOIS databases maintain all records for all or a subset of domain name
registrants for a particular top-level domain, such as “.com.” This type of information is
typically maintained by each registrar for the domain names registered through it. This is
called a “thick” database because it contains all of the relevant information.
Some databases harvest minimal identifying information from the individual
registrar databases, such as registrar name, name server, and the expiry date of the
domain name. These databases are “thin” databases, and to get more information, the
user typically has to check the “thick” database of the registrar for the particular domain
Conducting the WHOIS query
Although there are many sophisticated means of searching WHOIS databases, most
registrars now have a simple Web interface that allows a user to simply type the domain
name about which they are inquiring into a search box. The search results are displayed
and formatted on a new webpage for easy viewing. 4
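The two-step lookup described above (a “thin” record that names the registrar, then the registrar’s “thick” record with the four contacts) can be sketched as follows. This is an added example, not code from the original paper; the server names, field labels and sample records are constructed for illustration, and real registrars format their output differently.

```python
import re
import socket

ROLES = ("registrant", "administrative", "technical", "billing")
CONTACT_FIELDS = ("name", "address", "email", "phone", "fax")
# The referral target comes from an untrusted response: accept DNS hostnames only.
_HOSTNAME = re.compile(
    r"(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}", re.I)


def whois_query(server, query, port=43, timeout=10):
    """Live transport: send the query plus CRLF on TCP port 43, read until close."""
    with socket.create_connection((server, port), timeout=timeout) as sock:
        sock.sendall(query.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def parse_fields(text):
    """Collect 'Label: value' lines as {label: [values]}; repeated labels are kept."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(("%", "#")):
            continue  # server comment or legal-notice lines
        label, sep, value = line.partition(":")
        if sep and label.strip() and value.strip():
            fields.setdefault(label.strip().lower(), []).append(value.strip())
    return fields


def _first(fields, label):
    values = fields.get(label)
    return values[0] if values else None


def lookup(domain, transport=whois_query, registry="whois.registry.test"):
    """Query the thin registry record, then follow its referral to the thick one.

    `registry` is a placeholder name; pass the TLD registry's real WHOIS server.
    Returns None when the registry reports no such domain.
    """
    thin = parse_fields(transport(registry, domain))
    if "domain name" not in thin:
        return None
    result = {
        "domain": thin["domain name"][0].lower(),
        "registrar": _first(thin, "registrar"),
        "name_servers": [ns.lower() for ns in thin.get("name server", [])],
        "expires": _first(thin, "expiration date"),
        "contacts": {},
        "source": "thin",
    }
    referral = _first(thin, "whois server")
    # Only follow the referral if it is a plain hostname (no IP literal, port or path).
    if referral and _HOSTNAME.fullmatch(referral):
        thick = parse_fields(transport(referral, domain))
        for role in ROLES:
            contact = {f: _first(thick, f"{role} {f}") for f in CONTACT_FIELDS}
            contact = {k: v for k, v in contact.items() if v}
            if contact:
                result["contacts"][role] = contact
        result["source"] = "thick"
    contacts = result["contacts"]
    # True when all four roles are present and list identical details.
    result["all_same"] = (len(contacts) == len(ROLES) and
                          len({tuple(sorted(c.items())) for c in contacts.values()}) == 1)
    return result


# --- Constructed sample data so the example runs offline -------------------
_THIN = """\
   Domain Name: EXAMPLE.TEST
   Registrar: EXAMPLE REGISTRAR, INC.
   Whois Server: whois.example-registrar.test
   Name Server: NS1.EXAMPLE.TEST
   Name Server: NS2.EXAMPLE.TEST
   Expiration Date: 01-jan-2007
"""
_PERSON = {"name": "Pat Example", "address": "1 Sample Street, Anytown",
           "email": "owner@example.test", "phone": "+1.5555550100",
           "fax": "+1.5555550101"}
_THICK = "\n".join(f"{role.title()} {field.title()}: {value}"
                   for role in ROLES for field, value in _PERSON.items())
_SAMPLE = {("whois.registry.test", "example.test"): _THIN,
           ("whois.example-registrar.test", "example.test"): _THICK}


def sample_transport(server, query):
    """Stand-in for whois_query() that serves the constructed records above."""
    return _SAMPLE.get((server, query.lower()), "No match for domain.\n")


if __name__ == "__main__":
    print(lookup("example.test", transport=sample_transport))
```
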
What is the purpose of WHOIS?
The purpose of the WHOIS database varies according to the interested group surveyed.
Recently, several of ICANN’s constituencies weighed in with their opinions on this
heated topic. 5 Not only did the answer to the question differ from group to group, but the
rationales for WHY the answers were different were all quite compelling. Some of the
“purposes” for the WHOIS database range from allowing anyone interested to contact
any domain name registrant for any legitimate reason, all the way to the provision of
basic information to put one in touch with someone who can solve a technical problem
with the domain.
What are the benefits of unrestricted public access to WHOIS data?
Protection of Intellectual Property
The proponents of a regulation requiring domain name registrants to publish their
true and correct contact information on publicly accessible WHOIS pages offer several
reasons for their point of view. Probably the most predominant reason is so that nefarious
“cybersquatters” (those who register domain names that reflect the trademarks of others
in an attempt to siphon off business and/or goodwill) are more easily tracked. Correct
information ensures that the domain name registrant is highly likely to receive a cease
and desist letter, a UDRP 6 complaint, or service of a lawsuit.
4 Visit http://en.wikipedia.org/wiki/whois for details on different ways to query WHOIS servers (last visited
February 13, 2006).
5 See Preliminary task force report on the purpose of WHOIS and of the WHOIS contacts, published at
http://gnso.icann.org/issues/whois-privacy/prelim-tf-rpt-18jan06.htm on January 18, 2006 (last visited
February 13, 2006).
6 Uniform Domain Name Dispute Resolution Policy, found at http://www.icann.org/dndr/udrp/policy.htm,
often also used in a generic sense for any dispute resolution policy most TLDs require registrants to agree
to. Most dispute resolution policies are based on the UDRP.
Business usage, technical support
Others use, or wish to use, correct, complete WHOIS information to make offers
to buy a domain name, to commend or quarrel with a registrant on website content, 7 or
even to market to those listed in the database. The most basic reason to publish correct
and complete WHOIS data is simply to allow access to the technical support staff of a
website, in case the website is malfunctioning or there is some other error. In all cases,
the amount of information needed for each purpose will vary.
False WHOIS data
Of course, though the registration agreements require correct WHOIS
information, not all domain name registrants provide that information as requested. As a
result, an unusually high number of domain names are registered to “Mickey Mouse,”
“Barney Fife in Mayberry,” or “This domain for sale.” Having unrestricted access to this
kind of information is not helpful for anyone.
What are the problems with unrestricted public access to WHOIS data?
With so much personal contact information at the fingertips of anyone who asks,
there are bound to be problems. Probably the biggest complaint of domain name
registrants is the use of “bots” 8 to harvest email addresses and send millions of “spam” 9
emails each day. Not only are email addresses used, but bots can harvest home
addresses, fax numbers, and phone numbers, all for the purposes of hawking cheap
medications, personal physical enhancements, or pornography.
Another significant problem with having all of a person’s contact information
accessible by anyone is the increased likelihood of identity theft. In some cases
someone’s identity may be stolen to gain access to their finances or other assets. In other
cases, a person’s identity may simply be used for the purpose of registering domain
names, so that it appears the individual whose identity was stolen owns a particular
domain name, when in fact, they have no control of the name.
Many people use the Internet as a “soapbox” from which they can quickly and
easily pass along political, moral, or other messages to anyone who searches for it, or
actively stumbles across it. Yet, for every point of view, there is nearly always a
counterpoint. This concept of free speech is a major tenet of United States ideology and
the ideologies of most of the free world. 10 Sometimes the “speech” broadcast over the
Internet, while being protected, is inflammatory or offensive, inciting persons having an
opposing viewpoint to react. Often, the ability of a person or group to “speak” while
hiding behind a shield of anonymity is paramount to the cause. Forcing domain name
registrants who would like to use the anonymity of the Internet to speak freely
to publish their contact information removes the mechanism that protects their privacy.
7 Some examples of this might include commenting on a person’s political speech or criticizing someone
for a moral or ethical position they have espoused on a website.
8 A “bot” is a software “robot” that searches the web for email addresses, collecting them for use in email
9 “Spam” refers to unwanted email, such as marketing or solicitation emails, usually sent to hundreds,
thousands, or millions of people at a time.
Very closely related to anonymity is privacy. While the anonymous user does not
ever want her speech traced back to her, the private user simply does not want her
information available to all. In many cases, the private user may already be a victim of a
crime such as stalking or identity theft. For this person, having their personal details
available for easy searching is an open invitation for the crime’s perpetrator to strike
Some individuals are so perverse as to actually take advantage of the WHOIS
database and use the mined data to send malware 11 to unknowing recipients. Malware
sent to people whose contact information is readily available can range from spyware 12 to
viruses 13 to phishing 14 attempts.
What is being done?
United States Department of Commerce
The Department of Commerce, which regulates the “.us” TLD domain space,
recently “clarified” its policy regarding WHOIS information for “.us” domain name
registrants. 15 As of January 26, 2006, all registrants of “.us” domain names had to update
the WHOIS records for their domain names or risk losing their names. Services
purchased to shield a domain name owner’s contact information from public view were
to be disabled. Some constituencies that advocate this approach are encouraging ICANN
to adopt a similar stance on the WHOIS data for generic TLDs.
10 See Doe v. 2themart.com, Inc., 140 F.Supp.2d 1088, 1092 (W.D.Wash. 2001) for a discussion of the
freedom of anonymity on the Internet; see also Columbia Ins. Co. v. seescandy.com, 185 F.R.D. 573, 578
11 Malware is a term coined for malicious software, generally.
12 Spyware is software that is installed on the computer of an unknowing victim that “watches” his/her
computer usage; in many cases, the software actually takes full or partial control of the host computer. See
http://en.wikipedia.org/wiki/Spyware for more information.
13 “A virus is a self-replicating program that spreads by inserting copies of itself into other executable code
or documents.” http://en.wikipedia.org/wiki/Computer_virus (last visited, February 14, 2006).
14 Phishing is “characterized by attempts to fraudulently acquire sensitive information, such as passwords
and credit card details, by masquerading as a trustworthy person or business in an apparently official
electronic communication, such as an email or an instant message.” http://en.wikipedia.org/wiki/Phishing
(last visited, February 14, 2006).
15 One source that reported this update was http://www.wired.com/news/privacy/0,1848,66787,00.html (last
visited, February 14, 2006).
Canada and Europe
In other parts of the world, the privacy and security of personally identifiable
information is of utmost importance. 16 The European Union 17 and Canada 18 are both
actively passing data privacy laws that restrict the types of information companies may
maintain and what information is allowed to be publicly accessible, and that set strict procedures for
instances of “accidental divulsion” of sensitive data. In many cases, these laws are in
direct conflict with a WHOIS policy of full and complete public information. Both
Europe and Canada have applied pressure to ICANN to require a “bend” in the policy so
that their citizens can register “.com” and “.org” domain names, for example, without
violating their privacy rights.
To date, ICANN has called for its constituencies to define the purpose of the
WHOIS database and what information should be included. This information has been
compiled in the “Preliminary Task Force Report on the Purpose of WHOIS and of the
WHOIS contacts.” 19 The public comment period ended February 8, 2006. 20 Interested
parties will be following the next steps closely as no resolution has been reached.
What solutions have been proposed?
Follow the EU and Canadian model
The “.eu” and “.ca” ccTLD 21 registration authorities, while gathering the data
necessary to track down a registrant, should the need arise, are choosing to publish (or to
recommend publishing) only limited information for each registrant on a publicly
accessible database. The full information is available on an as-needed basis to those who
have demonstrated a need to know.
This solution offers the greatest measure of privacy protection and offers the
greatest level of difficulty of access for intellectual property interest holders.
Presumably, law enforcement would have the access necessary to track down Internet
16 One website that tracks and compares the privacy law progression of the world is
http://www.privacy.org/pi/issues/compliance/index.html (last visited February 14, 2006).
17 The European Union’s Privacy Directive is a template or model for the individual EU member states to
follow when passing their own privacy laws and can be found at
http://www.cdt.org/privacy/eudirective/EU_Directive_.html (last visited February 14, 2006).
18 Canada has a privacy law that affects many businesses that retain personal information
(http://www.privcom.gc.ca/ekit/index_01_e.asp#000). Canada has also proposed a more restrictive
WHOIS policy that will permit the Internet Registration Authority to collect registrant data, but to limit the
data available to the public. One version of this new policy can be viewed at
http://www.cira.ca/en/Whois/whois_privacy-policy.html. (Both pages last visited February 14, 2006).
19 See note 5, supra.
20 Commentary on the task force report can be found at http://forum.icann.org/lists/whois-comments/ (last
visited February 15, 2006).
21 ccTLD stands for “country-code top-level domain.” The “.eu” ccTLD stands for the European Union; the
“.ca” ccTLD is for Canadian domain names.
Utilize a tiered system
Some creative thinkers have proposed a tiered accessibility system, 22 where
certain groups of individuals can purchase or simply have more access than others. In
some proposed systems, the “average” user accessing a WHOIS database would see
minimal contact information, perhaps only a shielded email address or link. In some
systems, people who have been previously screened as requiring “extra” access, such as
law firms or intellectual property interest holders, can use passwords to access more
contact information. Finally, law enforcement would have all access for the purpose of
tracking down crime.
Some problems with this suggested approach include: delegation of the operation
of a complex, tiered system; determination as to who should get increased access and for
what purpose; and ability to abuse the system.
Utilize graphics and/or verify the requestor
One private registrar, Name Intelligence, runs a complex WHOIS system at
www.whois.sc. This search engine has several protective features: 1.) complex software
filters out most bot and automated queries, 2.) multiple queries from one IP address are
subject to authentication of the user, 3.) WHOIS records are displayed with the
registrant’s email address displayed as a graphic file so that it cannot be read by bots, and
4.) some advanced search services are available only to registered users.
While this approach is a very advanced, highly technical, and effective solution to
spam problems, it doesn’t address Internet anonymity concerns or the needs of some
individuals to remain private.
Permit/require identity shields
An approach currently offered by many domain name registrars is, upon payment
of a fee, to substitute their own contact information in the WHOIS record for a domain
name. 23 This information often will also include a unique identifier, either the domain
name itself, or another string of characters that links the domain name back to the
registrant’s true identity. Upon a request from a court, law enforcement, or an arbitration
provider, some registrars will disclose the registrant’s information to the party authorized
to receive it. Some registrars have chosen to simply pass along communication to the
registrant, maintaining the privacy shield while passing along relevant communication.
In either case, the necessary contact is made, and the identity of the registrant is private
until such a time as it needs to be disclosed.
One drawback to this particular approach is that intellectual property owners do
not typically get access to the registrant information in this scenario. This can present a
problem when attempting to name defendants in lawsuits or arbitration complaints and
can frustrate service of process.
22 One public forum outlining a tiered plan can be found at
http://www.thepublicvoice.org/news/tf2suggestions.html (last visited February 15, 2006).
23 One such registrar, GoDaddy.com, offers this service for a nominal fee. See
https://www.godaddy.com/gdshop/dbp/landing.asp?se=%2B&ci=257 (last visited February 15, 2006).
The question “Who is right about WHOIS privacy?” has no easy answer. It
seems that those with the intent to use the Internet for harassment or harm stay just ahead
of the developments needed to impede their progress. The proposals presented each
provide solutions to some of the problems, but it seems that no solution provides a
satisfactory answer to all. It is likely that ICANN will eventually come under enough
pressure to accommodate the strict data privacy laws of the European Union and Canada,
requiring trademark holders and law enforcement to seek new and creative ways to
access the information they need.
“So, That’s The End of It, Right?”
Lawyers’ Obligations arising from Gramm-Leach-Bliley since ABA v. FTC
Michael Fleming ∗
In 2005, the American Bar Association achieved an important victory on behalf of its members
by pursuing action against the Federal Trade Commission’s attempts to directly regulate lawyers
subject to the privacy and data safeguarding edicts of the Gramm-Leach-Bliley Act. But, some
argue that the celebrations should be tempered because many of the same obligations that have
been averted at the front door will sneak into the profession through the regulatory back door –
the obligations of covered entities to obtain contractual undertakings from their ‘service
After a short discussion of the ABA v. FTC litigation, this paper will review some of the GLBA
regulatory framework regarding service providers and how it might require covered entities (i.e.,
financial institutions) to get contracts from their lawyers.
The FTC, one of the four federal regulatory agencies charged with regulating and enforcing both
the privacy and data safeguard provisions of the GLBA, announced in a letter to certain bar
associations including the ABA that the FTC would consider a law firm as a regulated entity – a
‘financial institution’ – under the GLBA. Such an interpretation, if enforceable, would have
required lawyers and/or law firms to each follow the privacy and opt-in/out regime specified in
the FTC’s privacy rule (see 16 CFR Part 313), and subsequently to the FTC’s later-issued data
safeguarding rule (see 16 CFR Part 314). The bar associations took issue with this interpretation,
and after a period of fruitless negotiation, litigation followed.
In American Bar Association v. Federal Trade Commission, 430 F.3d 457 (CADC 2005) (a copy
of the decision follows this paper), the court rejected the FTC’s attempts to claim jurisdiction
over lawyers for purposes of GLBA regulation. The rejection was hardly subtle: “To find this
interpretation deference-worthy [under Chevron], we would have to conclude that Congress not
only had hidden a rather large elephant in a rather obscure mousehole, but had buried the
ambiguity in which the pachyderm lurks beneath an incredibly deep mound of specificity, none
of which bears the footprints of the beast or any indication that Congress even suspected its
presence.” ABA, 430 F.3d 457 at 469. It further found that given the age-old understandings that
the practice of law was the purview of the states, Congress would need to be especially clear in
its statement that it was taking over the regulation of the practice of law before the agency would
be found to have obtained the authority. Id. at 472. In short, the court had little trouble in
finding that the FTC had overstepped its authority to directly regulate the practice of law, and the
ABA’s request for a declaratory judgment was granted – lawyers are not, in and of themselves,
financial institutions subject to regulation under the GLBA.
And, that’s the end of it. Right?
Well, not so fast.
Obviously, the FTC, as well as its partner banking-regulation agencies (the Federal Reserve, the
Office of the Comptroller of the Currency and the Office of Thrift Supervision) each continue to
regulate their respective groups of financial institutions – banks, savings and loans, credit unions,
mortgage companies – the list of business types is quite long. See 12 C.F.R. § 225.28 (2000),
commonly known as ‘Regulation Y,’ for the lengthy list of institutions that conceivably fall
within the scope of the GLBA. The three banking agencies have a rather objective definition of
which institutions they are charged with regulating, but the FTC’s authority was granted to all of
the other institutions that are ‘financial institutions’ that are not covered by the other three
The statute itself was rather brief (at least with regard to this issue), but it created the framework
of the two side-by-side pillars of GLBA regulation – privacy and security/safeguard. “It is the
policy of the Congress that each financial institution has an affirmative and continuing obligation
to respect the privacy of its customers and to protect the security and confidentiality of those
customers’ nonpublic personal information.” 15 U.S.C. § 6801(a). The regulating agencies
generally followed that same bifurcation, regulating privacy and security through two separate
(but related) rules. The three traditional banking agencies actually all worked together to issue
common documents for their two parts, while the FTC acted alone. Although FTC’s rules were
issued separately, and tended to use significantly different structures and language, the end
results were quite similar in terms of the regulated entities’ actual obligations – particularly with
regard to the security/safeguard rules.
Since the statute’s only edict was that the agencies should draft rules regarding financial
institutions’ “continuing obligation … to protect the security and confidentiality of those
customers’ nonpublic personal information,” the agencies were left with a relatively open slate.
Amongst the many concepts that all four agencies ultimately embraced, one found in common
among all four agencies’ schemes is that of the ‘service provider.’ Unlike the scope of what may
be directly regulated through the statute – financial institutions – there is no such limitation on
the scope of what may be a service provider. The FTC’s definition is “any person or entity that
receives, maintains, processes, or otherwise is permitted access to customer information through
its provision of services directly to a financial institution that is subject to this part.” 16 CFR
§ 314.2(d). The Federal Reserve’s definition is “any person or entity that maintains, processes,
or otherwise is permitted access to customer information through its provision of services
directly to the bank.” 12 CFR Part 208 at Appendix D–2—Interagency Guidelines Establishing
Standards For Safeguarding Customer Information (hence “Federal Reserve Guidelines”), at
Section I(C)(2)(e). The other two banking agencies more or less parrot the Federal Reserve’s
Arguably, lawyers could fall within both of those definitions, at least vis-à-vis particular clients,
to the extent they are (a) providing services to a financial institution, and (b) their services to that
institution permit the lawyers access to GLBA-protected data held by the institution. There is
nothing in either rule to suggest that legal services are not ‘services’ for purposes of the
definition. So, it is arguably true that the practice of law is the act of being a ‘service provider’ –
and therefore the regulated financial institution might have some additional obligations with
regard to its lawyers-cum-service providers.
And so they do. For FTC-regulated entities, the institution must:
(d) Oversee service providers, by:
(1) Taking reasonable steps to select and retain service providers
that are capable of maintaining appropriate safeguards for the
customer information at issue; and
(2) Requiring your service providers by contract to implement and
maintain such safeguards.
16 CFR 314.4(d) (emphasis added).
Similarly, for Federal Reserve-regulated banks, the institution must:
1. Exercise appropriate due diligence in selecting its service
2. Require its service providers by contract to implement
appropriate measures designed to meet the objectives of these
3. Where indicated by the bank’s risk assessment, monitor its
service providers to confirm that they have satisfied their
obligations as required by paragraph D.2. As part of this
monitoring, a bank should review audits, summaries of test results,
or other equivalent evaluations of its service providers.
Federal Reserve Guidelines at Section II(D)(emphasis added).
The banking agencies have specifically acknowledged their intention to treat attorneys as service
providers. “One commenter urged the Agencies to modify this definition so that it would not
include a financial institution’s attorneys, accountants, and appraisers. . . . In order to protect
against these risks, a financial institution must take appropriate steps to protect information that
it provides to a service provider, regardless of who the service provider is or how the service
provider obtains access. The fact that an entity obtains access to customer information through,
for instance, providing professional services does not obviate the need for the financial
institution to take appropriate steps to protect the information. Accordingly, the Agencies have
determined that, in general, the term ‘‘service provider’’ should be broadly defined to encompass
a variety of individuals or companies that provide services to the institution.” Commentary to
Interagency Guideline Issuance, 66 Federal Register 8619 (Feb. 1, 2001). The FTC has similarly
come down favoring a broad definition, first noting that the banking agencies had specifically
declined to create exemptions for professionals (and therefore seeking homogeneity between the
four regulations). FTC also noted that “In addition, no commenters demonstrated that the
confidentiality requirements that apply to auditors and accountants (or other professionals)
would address unauthorized access to information by third parties, fraud, or any other security
issues contemplated by the Rule. Further, given the Rule's flexibility, the Commission is aware
of no duplicative burdens that will result from application of the Rule to auditors, accountants, or
other professionals, or to service providers to, or affiliates of, banks.” Comments to Issuance of
Safeguards Rules, 67 Federal Register 36488 (May 23, 2002).
In short, tough luck, lawyers – at least until the next litigation. If we choose to practice for
GLBA regulated institutions, and we are given access to protected data as part of that practice,
our clients are obligated to get contractual promises from us that we will implement and maintain
appropriate safeguards for that data. Presumably, if we refuse to enter into those contracts
(which is clearly always the lawyer’s prerogative), the client would be obligated to stop using the
service provider – in this case the lawyer.
Of course, there are some bright spots in that statement. First off, it is entirely possible that
many lawyers could be providing services to a financial institution but not have access to the
institution’s protected data. While in the past the lawyer might not have thought of creating such
a distinction, there are now incentives to clearly state in a retention letter (for example) that the
legal services will not require access to non-public personal information held by the client that
may be protected by the Gramm-Leach-Bliley Act and its implementing regulations. Of course,
words are meaningless if not backed up by the facts, so that trick might not work for all
circumstances. Still, consider that as one option.
Second, all of the agencies have specifically stated that they do not intend for the service
providers to necessarily have to implement the entire range of the data safeguard rules. The
Federal Reserve requires “appropriate safeguards” without defining what those might mean.
“Instead, by stating that a service provider’s security measures need only achieve the objectives
of these Guidelines, the Guidelines provide flexibility for a service provider’s information
security measures to differ from the program that a financial institution implements.” 66 FR
8624. It also mitigates the express duty to monitor a service provider by acknowledging that
many service providers come from professions that traditionally respect confidentiality. “[A]
financial institution’s oversight responsibilities will be shaped by the institution’s analysis of the
risks posed by a given service provider. If a service provider is subject to a code of conduct that
imposes a duty to protect customer information consistent with the objectives of these
Guidelines, a financial institution may take that duty into account when deciding what level of
oversight it should provide.” 66 FR 8619. The FTC suggested that it encouraged flexibility in
the contractual obligations in specifically declining to provide sample clauses. 67 FR 36490.
None of that suggests that a lawyer can get a pass out of having to enter into a contractual
arrangement, but it does suggest that the actual contract, and the subsequent duties to perform,
may be rather inconsequential given the existing data security practices of most law firms.
Finally, note that the service provider rules discussed here are only applicable to the
safeguard/security rules. See 67 FR 36488 (“Finally, the [Federal Trade] Commission has
determined that the [Safeguard] Rule should apply to all service providers, even those that the
Privacy Rule does not require to enter into agreements concerning reuse and redisclosure of the
relevant information.”). Thus, the regime of privacy notices, opt-in and opt-out requirements,
and the many other aspects of the privacy pillar of GLBA are not generally implicated by an
obligation to maintain data security and safeguards. This alone should give some comfort to law
firms who were interested in the ABA litigation largely to avoid that obligation (since the ABA
litigation actually arose out of the FTC’s Privacy Rule, not the later Safeguard Rule).
Law firms and attorneys should not be surprised to see demands from their financial institution
clientele to have contractually binding obligations on the part of the law firm to implement and
maintain data safeguards, particularly where the lawyer’s work will actually touch upon the
institution’s data troves. (Similar demands may also arise out of the HIPAA Act, potentially
from state law, and potentially from non-USA law for clientele located out of the country.) Any
law firm that faces the decision of signing versus not signing may well be facing the decision of
‘keep or not keep’ that client. And, signing such an obligation should only be done if the law
firm is actually in a position to comply with the concepts – something that all law firms should
be doing in any event, but which still remained a somewhat murky practice in many firms.
Still, if a firm is doing what it should be in the first place under existing ethical rules as well as
under the good practices that its malpractice carriers will certainly demand, hopefully complying
with the contractual obligations to implement and maintain reasonable safeguards should be a
relatively low-cost proposition. It might also be fair to resist an overly cumbersome contract
(deep audits, on-site inspections, or the like), particularly given the comments from each of the
agencies suggesting that attorneys and similar professionals should be less of an issue given their
So, while ABA v. FTC was probably not the whole end of it, the second coming of the GLBA
into law firms should be less of an issue than might have first appeared.
United States Court of Appeals,
District of Columbia Circuit.
AMERICAN BAR ASSOCIATION, Appellee
v.
FEDERAL TRADE COMMISSION, Appellant.
430 F.3d 457
Argued May 5, 2005.
Decided Dec. 6, 2005.
Before: GINSBURG, Chief Judge, and SENTELLE and ROBERTS, Circuit Judges.
Opinion for the Court filed by Circuit Judge SENTELLE.
SENTELLE, Circuit Judge.
The Federal Trade Commission ("FTC" or "the Commission") appeals from an order of the District Court granting
summary judgment in consolidated cases brought by the appellees American Bar Association and the New York
State Bar Association (collectively, "ABA" or "the Bar Associations"). The Bar Associations sought a declaratory
judgment that the FTC's decision that attorneys engaged in the practice of law are covered by the Gramm-Leach-Bliley
Act ("GLBA" or "the Act") exceeded the statutory authority of the Commission and was therefore invalid as a
matter of law. Because we agree with the District Court that the Commission's attempt to regulate the practice of
law under the Act fell outside its statutory authority, we affirm the judgment under review.
A. Statutory Framework
Effective November 12, 1999, Congress enacted the Gramm-Leach-Bliley Financial Modernization Act, Pub.L. No.
106-102, 113 Stat. 1338. The Act declared it to be "the policy of the Congress that each financial institution has an
affirmative and continuing obligation to respect the privacy of its customers and to protect the security and
confidentiality of those customers' nonpublic personal information." 15 U.S.C. § 6801(a). To further that goal,
Congress enacted broad privacy protective provisions, described by one Member of the House of Representatives as
"represent[ing] the most comprehensive federal privacy protections ever enacted by Congress." 145 Cong. Rec.
H11,544 (daily ed. Nov. 4, 1999) (statement of Rep. Sandlin).
The privacy provisions empowered the Federal Trade Commission, along with other federal regulatory agencies, to
"prescribe ... such regulations as may be necessary to carry out the purposes of this subchapter with respect to the
financial institutions subject to their jurisdiction under section 6805 of this title." 15 U.S.C. § 6804(a)(1). The cited
section, 6805, outlines the institutions and persons subject to the jurisdiction of "Federal functional regulators," and
in section 6805(a)(7) assigns enforcement "[u]nder the Federal Trade Commission Act ... [to] the Federal Trade
Commission for any other financial institution or other person that is not subject to the jurisdiction of any agency or
authority under" the preceding paragraphs of the subsection. The definitional section of the statute, section 6809,
defines "financial institution" as "any institution the business of which is engaging in financial activities as described
in section 1843(k) of Title 12." Id. § 6809(3)(A). Other subsections of section 6809 create exceptions and
modifications to the general definition of "financial institution." See id. § 6809(3)(B)-(D).
Title 12 U.S.C. § 1843(k), referenced in section 6809(a), is a part of the Bank Holding Company Act of 1956,
Pub.L. No. 109-41, 70 Stat. 133 (codified as amended at 12 U.S.C. § § 1971-1978, 1841-1850) ("BHCA"). The
BHCA, in section 1843, limits the ability of the bank holding companies regulated under that statutory scheme to
hold interests in nonbanking organizations. Specifically, section 1843(a) provides that
[e]xcept as otherwise provided in this chapter, no bank holding company shall ... retain direct or indirect
ownership or control of any voting shares of any company which is not a bank or bank holding company or
engage in any activities other than (A) those of banking or of managing or controlling banks and other
subsidiaries authorized under this chapter or of furnishing services to or performing services for its
subsidiaries, and (B) those permitted under [other subsections of the statute]. .
12 U.S.C. § 1843(a). However, section 1843(k) limits the effect of the general prohibition created by section
1843(a) by providing that
[n]otwithstanding subsection (a) of this section, a financial holding company may engage in any activity,
and may acquire and retain the shares of any company engaged in any activity, that the [Federal Reserve]
Board ... determines (by regulation or order)--(A) to be financial in nature or incidental to such financial
activity; or (B) is complementary to a financial activity and does not pose a substantial risk to the safety or
soundness of depository institutions or the financial system generally.
Id. § 1843(k)(1).
The BHCA declares to be financial in nature activities listed in section 1843(k)(4), to wit:
(A) Lending, exchanging, transferring, investing for others, or safeguarding money or securities.
(B) Insuring, guaranteeing, or indemnifying against loss, harm, damage, illness, disability, or death, or
providing and issuing annuities, and acting as principal, agent, or broker for purposes of the foregoing, in
(C) Providing financial, investment, or economic advisory services, including advising an investment
company (as defined in [section 80a-3 of Title 15] ).
(D) Issuing or selling instruments representing interests in pools of assets permissible for a bank to hold
(E) Underwriting, dealing in, or making a market in securities.
Id. § 1843(k)(4).
Following the list of activities that "shall be considered" financial in nature, the BHCA enacted the following
category of activity, which is most pertinent to the current case:
(F) Engaging in any activity that the Board has determined, by order or regulation that is in effect on
November 12, 1999, to be so closely related to banking or managing or controlling banks as to be a proper
incident thereto (subject to the same terms and conditions contained in such order or regulation, unless
modified by the [Federal Reserve] Board).
The phrase "order or regulation that is in effect on November 12, 1999" adopts a Federal Reserve Board ("Board")
regulation published at 12 C.F.R. § 225.28 (2000), commonly known as Regulation Y. Regulation Y, as is to be
expected, deals with the subject matter of section 1843(k), that is, "nonbanking activities and acquisitions by bank
holding companies": It lists "permissible nonbanking activities." That list is described in the regulation as activities
(a) Closely related nonbanking activities. The activities listed in paragraph (b) of this section are so closely
related to banking or managing or controlling banks as to be a proper incident thereto, and may be engaged
in by a bank holding company or its subsidiary in accordance with the requirements of this regulation.
12 C.F.R. § 225.28(a). We set forth the entire text of the relevant subsection in the footnote below not because it
is all in itself relevant, but in order to demonstrate the depths plumbed by the Commission in order to find authority
to undertake the regulation of the practice of law, which we will discuss further, infra.
To recapitulate: The GLBA contains extensive privacy protection provisions that apply to "financial institutions."
In section 6809, the Act defines "financial institution" as "any institution the business of which is engaging in
financial activities as described in section 1843(k) of Title 12." The referenced section of Title 12 is contained in
the BHCA. Specifically, that section identifies institutions engaged in nonbanking activities that are financial in
nature, such that bank holding companies may retain ownership interests in institutions engaged in their pursuit.
The section of the BHCA defining those activities incorporates by reference Regulation Y, which offers an extensive
list of examples of such "financial activities" so closely related to banking as to be permissible.
B. The Commission's Interpretation
Upon the passage of the Act, the FTC, pursuant to the authority granted it in 15 U.S.C. § 6805(a)(7), undertook a
rulemaking. In May 2000, the FTC concluded the rulemaking and issued regulations published at 65 Fed.Reg.
33,646 (codified at 16 C.F.R. pt. 313). Although the FTC relied in the first instance on Congress's definition of
"financial institution" as "an institution the business of which is engaging in financial activities," the Commission
restated the definition: "An institution that is significantly engaged in financial activities is a financial institution."
16 C.F.R. § 313.3(k)(1).
Like the statute, the regulations at no point describe the statutory or regulatory scheme as governing the practice of
law as such. Indeed, the phrase "practice of law" never appears in part 313, and the word "attorneys," while present
in two places, appears in the context of describing persons to whom financial institutions can make release of
customer information, if authorized, not in the context of defining "financial institutions" as including attorneys.
Nonetheless, the breadth of the FTC's regulation, apparently taken in conjunction with statements to or by news
media, caused concern among representatives of the bar. Therefore, various bar associations, including the
American Bar Association, made inquiry of the Commission as to whether the Commission was taking a position
that privacy provisions of the GLBA and the regulations made pursuant thereto governed attorneys engaged in the
practice of law.
On April 8, 2002, the Director of the Bureau of Consumer Protection at the Commission sent a letter to the
President and the Director of Governmental Affairs of the ABA "in response to your correspondence regarding the
application of Title V, Subtitle A, of the Gramm-Leach-Bliley Act, 15 U.S.C. 6801 et seq.... and the Federal Trade
Commission's Rule, Privacy of Consumer Financial Information ... to attorneys at law." (Citations omitted.) As part
of the inquiry, the ABA had also requested exemption from the Act if the Commission purported to regulate the
practice of law under the Act. That position has been abandoned by the bar associations during the course of this
litigation, but was still a live question between the parties at the time of the FTC's communication to the ABA.
Although recognizing that the bar associations' letters had "question[ed] the appropriateness and utility of applying
the GLB Act's privacy provisions to attorneys engaged in the practice of law," the Director only directly addressed
the ABA's request for exemption. However, in rejecting that request, the Director made it plain that the Commission
was purporting to regulate attorneys engaged in the practice of their profession and asserted that "the GLB Act itself
states that entities engaged in 'financial activities' are subject to the Act." (emphasis supplied).
After some further negotiation, the bar associations brought the present litigation.
II. The Litigation
The New York State Bar Association and the American Bar Association separately filed actions for declaratory
judgment. While the prayers for relief in the two complaints are differently worded, the gist is the same, in that each
seeks, inter alia, a declaratory order that, in the words of the ABA complaint:
(a) Congress did not in the GLBA confer authority on the FTC to regulate the confidentiality, privacy and
security of information disclosed by clients to their attorneys;
(b) The FTC's decision that attorneys engaged in the practice of law are covered by the GLBA is unlawful
and hereby set aside; ....
Although the district judge never formally ordered the two actions consolidated, he dealt with them together and
ultimately disposed of them in a single opinion and order. The FTC moved to dismiss the actions under Federal
Rule of Civil Procedure 12(b)(6), on the theory that the complaints failed to state a claim for relief. The District
Court denied the motion. N.Y. State Bar Ass'n v. FTC, 276 F.Supp.2d 110 (D.D.C.2003). In that opinion, the court
reasoned that Congress did not intend GLBA's privacy provisions to apply to attorneys. Further, the court reasoned,
even if the GLBA were ambiguous on that point, the court should not defer to the FTC's interpretation applying the
Act to attorneys because the interpretation was not the product of notice and comment rulemaking, did not appear to
have been made with any degree of deliberation, and was supported only by post hoc rationalization. The court held
that the Commission's attempt to regulate attorneys under the privacy provisions of the GLBA was not only
inconsistent with the statute, but also arbitrary and capricious in violation of the Administrative Procedure Act.
After the denial of the motion to dismiss, the parties proceeded with cross-motions for summary judgment. The
District Court found no genuine issues as to any material fact and, incorporating its earlier decision on the motion to
dismiss, again held that Congress in 5 U.S.C. § 706(2)(C) did not intend the GLBA's privacy provisions to apply to
attorneys engaged in the practice of law.
The current appeal followed.
As we analyze the FTC's arguments for the proposition that Congress in the privacy provisions of the GLBA
enabled the Commission to regulate the practice of law, we are reminded repeatedly of a recent admonition from the
Supreme Court: "[Congress] does not ... hide elephants in mouseholes." Whitman v. Am. Trucking Ass'ns, 531
U.S. 457, 468, 121 S.Ct. 903, 149 L.Ed.2d 1 (2001). The FTC begins its defense of its attempted turf expansion in
the correct place, that is, by recognizing that "the starting point in any case involving the meaning of a statute[ ] is
the language of the statute itself." Group Life & Health Ins. Co. v. Royal Drug Co., 440 U.S. 205, 210, 99 S.Ct.
1067, 59 L.Ed.2d 261 (1979). The Commission argues, as it did before the District Court, that the language of the
statute evidences a congressional intent to empower the Commission to regulate attorneys engaged in certain types
of law practice as "financial institutions" under the privacy regulations promulgated pursuant to the GLBA privacy
provisions. More specifically, the Commission notes that the legislation defines "financial institution" quite broadly
as "any institution the business of which is engaging in financial activities as described in section 1843(k) of Title
12." The statute in turn deems as "financial in nature" various listed activities, together with those not expressly
listed but theretofore listed by the Federal Reserve Board in Regulation Y. Regulation Y, set forth at its staggering
full-length above, includes the activities "[p]roviding real estate settlement services," and "[p]roviding tax-planning
and tax-preparation services to any person." 12 C.F.R. § 225.28(b)(2)(viii), (b)(6)(vi) (2001). The Commission
then asserts, "[t]hus, under the terms of the statute, any institution that is in the business of engaging in a financial
activity listed in section 4(k) of the BHCA, including those set forth in Regulation Y, qualifies as a 'financial
institution.' " Appellant's Brief at 16. That statement by the Commission is unassailable: Indeed, it does no more
than restate the provisions of that statute. That is precisely the problem. The Commission's reasoning, doing no
more than restating the statute, leaves as open as ever the question of whether an attorney practicing law is an
"institution engaging in the business of financial activities."
The statute certainly does not so plainly grant the Commission the authority to regulate attorneys engaged in the
practice of law as to entitle the Commission to what is called a "Chevron One" disposition. That is, rather simply
we cannot hold that Congress has directly and plainly granted the Commission the authority to regulate practicing
attorneys as the Commission attempts. See Chevron U.S.A. Inc. v. Natural Res. Def. Council, Inc., 467 U.S. 837,
842-43, 104 S.Ct. 2778, 81 L.Ed.2d 694 (1984). Indeed, such professionals are subject to regulation under the
words of the statute only if they are "institutions" and if they are "engaged in the business of financial activity." It is
not plain at all to us that Congress has entered such a direct regulatory command by plain language of a statute, a
lengthy statute incorporated by reference, and an even more lengthy and detailed regulation incorporated by
reference in the second statute, none of which ever mentioned attorneys engaged in the practice of law. Therefore, if
the Commission is to prevail, it must do so under a deferential standard of review. That is, to uphold the
Commission's regulatory decision, we must conclude first that the words of the statute are ambiguous in such a way
as to make the Commission's decision worthy of deference under the second step of Chevron. Id. at 843, 104 S.Ct.
2778. If we so hold, we will then uphold the agency's interpretation of the ambiguous statute if that interpretation is
"permissible," that is, if it is "reasonable." Id. at 845, 104 S.Ct. 2778.
A. Chevron Step One
The first question, whether there is such an ambiguity, is for the court, and we owe the agency no deference on the
existence of ambiguity. Deference to the agency's interpretation under Chevron is warranted only where "Congress
has left a gap for the agency to fill pursuant to an express or implied 'delegation of authority to the agency.' " Ry.
Labor Exec. Ass'n v. Nat'l Mediation Bd., 29 F.3d 655, 671 (D.C.Cir.1994) (en banc) (internal citation omitted).
The Commission argues along the line suggested by the scant reasoning in the letter announcing its decision. The
opinion letter had directed its language principally toward the question of whether the Commission should "exempt
attorneys at law from the application of the Privacy Rule." True, the Bar Association had requested such an
exemption, but only as a conditional request if the Commission held in the first instance that the privacy provisions
of the GLBA covered attorneys engaged in the practice of law, a proposition that the association resisted. The
Commission's letter, while claiming that "[w]e have carefully considered your concerns, and recognize the issues
you have raised regarding the application of the GLB Act to attorneys at law," addressed only the "significant
questions as to the legal authority of the Commission to grant the exemption you request."
The Commission apparently assumed-without reasoning-that it could extend its regulatory authority over attorneys
engaged in the practice of law with no other basis than the observation that the Act did not provide for an
exemption. Before the District Court and before us, the Commission has persisted in this style of reasoning. While
there is limited post hoc rationalization in the Commission's brief addressing the inclusion of attorneys in the
definition of "financial institution," which we will discuss infra, the Commission repeatedly repairs to the position
that no language in the statute exempts attorneys from regulation. That is not the question. As we have often
cautioned, "[t]o suggest, as the [Commission] effectively does, that Chevron step two is implicated any time a
statute does not expressly negate the existence of a claimed administrative power ... is both flatly unfaithful to the
principles of administrative law ... and refuted by precedent." Ry. Labor Exec. Ass'n, 29 F.3d at 671 (emphasis in
original). Plainly, if we were "to presume a delegation of power" from the absence of "an express withholding of
such power, agencies would enjoy virtually limitless hegemony ...." Id. (emphasis in original). Therefore, if there is
the sort of ambiguity that supports an implicit congressional delegation of authority to the agency to make a
deference-worthy interpretation of the statute, we must look elsewhere than the failure to negate regulation of
attorneys. That failure does not advance the Commission's cause at all. Otherwise put, the question is not whether
the statute permits exemption from regulation for attorneys, but whether it supports such regulation at all. We will
defer to the agency's interpretation on that subject only if the statute "is silent or ambiguous with respect to the
specific issue." Barnhart v. Walton, 535 U.S. 212, 218, 122 S.Ct. 1265, 152 L.Ed.2d 330 (2002) (internal quotation
marks and citation omitted).
We further recognize that the existence of ambiguity is not enough per se to warrant deference to the agency's
interpretation. The ambiguity must be such as to make it appear that Congress either explicitly or implicitly
delegated authority to cure that ambiguity. "Mere ambiguity in a statute is not evidence of congressional delegation
of authority." Michigan v. EPA, 268 F.3d 1075, 1082 (D.C.Cir.2001) (citations omitted). The deference mandated
in Chevron "comes into play, of course, only as a consequence of statutory ambiguity, and then only if the reviewing
court finds an implicit delegation of authority to the agency." Sea-Land Serv., Inc. v. Dep't of Transp., 137 F.3d
640, 645 (D.C.Cir.1998) (emphasis added). When we examine a scheme of the length, detail, and intricacy of the
one before us, we find it difficult to believe that Congress, by any remaining ambiguity, intended to undertake the
regulation of the profession of law-a profession never before regulated by "federal functional regulators"-and never
mentioned in the statute. To find this interpretation deference-worthy, we would have to conclude that Congress not
only had hidden a rather large elephant in a rather obscure mousehole, but had buried the ambiguity in which the
pachyderm lurks beneath an incredibly deep mound of specificity, none of which bears the footprints of the beast or
any indication that Congress even suspected its presence. We therefore seriously doubt that Congress intended to
empower the Commission to undertake that regulation, and we are reluctant to even afford the regulation the
deference due agency action that survives the analysis at the first step of Chevron. See FDA v. Brown &
Williamson Tobacco Corp., 529 U.S. 120, 160-61, 120 S.Ct. 1291, 146 L.Ed.2d 121 (2000).
By way of comparison, in California Independent System Operator Corp. v. FERC, 372 F.3d 395 (D.C.Cir.2004)
("CAISO"), we reviewed an order of the Federal Energy Regulatory Commission ("FERC") purporting to replace
the governing board of a nonprofit, "public benefit" corporation created by the State of California pursuant to
statutes of that state. FERC claimed Chevron deference for its action, pointing specifically to the language of 16
U.S.C. § 824e(a), which empowered FERC, upon a finding that "any rule, regulation, practice, or contract affecting
[a] rate, charge, or classification is unjust, unreasonable, unduly discriminatory or preferential," to "determine the
just and reasonable rate, charge, classification, rule, regulation, practice, or contract to be thereafter observed and in
force ...." FERC construed the word "practice" to be sufficiently ambiguous to allow it, under the deferential formula
of Chevron, to set aside and replace the state-imposed method for selecting the corporation's board.
On review, we noted that the sort of ambiguity giving rise to Chevron deference " 'is a creature not of definitional
possibilities, but of statutory context.' " 372 F.3d at 400 (quoting Brown v. Gardner, 513 U.S. 115, 118, 115 S.Ct.
552, 130 L.Ed.2d 462 (1994)). In granting review and setting aside the FERC order, we concluded, inter alia, that
the intent of Congress in the statutory section before us was "actually quite plain: the grant of authority to regulate
rates, charges, classifications, and closely related matters." Id. We further concluded that it was "quite a leap to
move" from the context of transactional terms used in the statute to an implication that, by the ambiguity inherent in
the word "practice," Congress intended to grant to the Commission not merely the power "to effect a reformation of
some 'practice' in a more traditional sense," but also "to reform completely the governing structure of the utility ...."
We further held that such an extraordinary construction of "practice" in such a discrete regulatory context was a
"sufficiently poor fit with the apparent meaning of the statute that the statute is not ambiguous on the very question
before us," as would be necessary to afford Chevron deference at the first step of the two-step inquiry. Id. at 401.
We were instructed in our CAISO reasoning by the Supreme Court's decision in Brown v. Gardner, 513 U.S. 115,
115 S.Ct. 552, 130 L.Ed.2d 462 (1994). In Gardner, the Court considered an interpretation by the Veterans
Administration of statutory language requiring the VA to compensate for "an injury, or an aggravation of an injury,"
that occurs "as a result of" VA treatment. 38 U.S.C. § 1151(a) (1994) (amended 1996). The Veterans
Administration, in 38 C.F.R. § 3.358(c)(3), interpreted the compensation requirement as covering an injury only if it
resulted from negligent treatment by the VA or an accident occurring during treatment. The lower courts held that
the statute imposed no such fault-or-accident requirement and found the regulation invalid. The Supreme Court
affirmed and, in language followed by us in CAISO, noted the "poor fit of this language with any implicit
requirement of VA fault ...." 513 U.S. at 120, 115 S.Ct. 552. We find a similarly poor fit between the statutory
language and the Commission's interpretation in this case.
Lest it be forgotten, the basic language in which the Commission finds the ambiguity permitting it to regulate the
practice of law is that of § 6805 empowering the Federal Trade Commission and other "federal functional
regulators" to enforce the statute and regulations prescribed under it with respect to "financial institutions and other
persons subject to [the Commission's] jurisdiction ...." 15 U.S.C. § 6805(a). That language, even with-perhaps
especially with-the layers of incorporated statutory and regulatory language describing financial institutions makes
an exceptionally poor fit with the FTC's apparent decision that Congress, after centuries of not doing so, has
suddenly decided to regulate the practice of law. This fit is helped but little, if at all, by the congressional definition
of "financial institution" as "an institution the business of which is engaging in financial activity." 15 U.S.C. §
6809(3)(A). An attorney, or even a law firm, does not fit very neatly into the niche of a "financial institution." Even
if one concedes-and it is quite a concession-that Congress would have intended the word "institution" to include an
attorney, or even a law firm, it still requires quite a stretch to conclude that such an institution is a "financial
institution." It trims the stretch little, if at all, to read the entire statutory definition of "financial institution" as "any
institution the business of which is engaging in financial activities as described in section 1843(k) of Title 12" (set
forth above). Without reiterating the language of the incorporated statute, attorneys and law firms, even if viewed as
"institutions," are not institutions "the business of which is engaging in financial activities," as defined in the statute.
The Commission itself seems to recognize the improbability of Congress's having intended to include law firms
within the designation "institutions" in the letter under review, in which it conspicuously substituted the word
"entities" for "institutions." Such a dramatic rewriting of the statute is not mere interpretation. Even if we accept the
inclusion of "entities" such as law firms within the meaning of "institutions," the "business" of a law firm (if the
practice of a profession is properly viewed as business) is the practice of the profession of law.
The Commission distorts the definition slightly but improves the fit but little by its regulatory definition that a
financial institution is "an institution that is significantly engaged in financial activities," as opposed to requiring that
the institution must be one the business of which is engaging in financial activities. Building on this stretch, the
Commission, in its brief, supplies reasoning conspicuously lacking from the letter of determination that we review.
Although we cannot affirm an agency's actions based on the post hoc rationale of its litigating position, see, e.g.,
Motor Vehicle Mfrs. Ass'n v. State Farm Mut. Auto. Insurance Co., 463 U.S. 29, 50, 103 S.Ct. 2856, 77 L.Ed.2d
443 (1983), even if we charitably construe the letter to imply the reasoning, it is still inadequate.
The reasoning in the brief relies on the language of Regulation Y, the second tier incorporation. As noted above,
Regulation Y, in its original application, described the "closely related nonbanking activities" in which a bank
holding company or its subsidiaries might engage. Within that voluminous listing, the regulation included two
activities, "[p]roviding real estate settlement services," and "[p]roviding tax-planning and tax-preparation services,"
in which attorneys sometimes, and apparently in the view of the Commission, significantly engage. See 16 C.F.R. §
313.3(k)(1). Again, if Congress intended to empower a federal financial regulator to undertake regulation of the
practice of law, this seems a strangely unclear method of doing so. The statute after all defined a "financial
institution" as "an institution the business of which is engaging in financial activities." Congress did not adopt the
approach of the Commission by covering "an institution that is significantly engaged in financial activities."
Certainly it did not extend that definition to cover all "entities." In sum, Congress did not leave an ambiguity on the
question before us-that is, the power of the Commission to regulate the practice of law-sufficient to compel
deference to the Commission's determination to do so.
We further determine that even if we err in our conclusion that the regulation fails at Chevron Step One, we are
satisfied that the interpretation afforded by the Commission is not sufficiently reasonable to survive that deference at
B. Chevron Step Two
All the reasons set forth above for our determination that Congress did not intend to leave sufficient ambiguity to
support deferential review return to convince us that the interpretation is not reasonable even if we afford it
deference. But our analysis under Chevron Step Two need not end there. It is undisputed that the regulation of the
practice of law is traditionally the province of the states. Federal law "may not be interpreted to reach into areas of
State sovereignty unless the language of the federal law compels the intrusion." City of Abilene v. FCC, 164 F.3d
49, 52 (D.C.Cir.1999). Otherwise put, "if Congress intends to alter the 'usual constitutional balance between the
States and the Federal Government,' it must make its intention to do so 'unmistakably clear in the language of the
statute.' " Will v. Michigan Dep't of State Police, 491 U.S. 58, 65, 109 S.Ct. 2304, 105 L.Ed.2d 45 (1989) (quoting
Atascadero State Hospital v. Scanlon, 473 U.S. 234, 242, 105 S.Ct. 3142, 87 L.Ed.2d 171 (1985)). By now it should
be abundantly plain that Congress has not made an intention to regulate the practice of law "unmistakably clear" in
the language of the GLBA. In Gregory v. Ashcroft, 501 U.S. 452, 111 S.Ct. 2395, 115 L.Ed.2d 410 (1991), citing,
inter alia, Will and Atascadero State Hospital, the Supreme Court held that
[t]his plain statement rule is nothing more than an acknowledgment that the States retain substantial
sovereign powers under our constitutional scheme, powers with which Congress does not readily interfere.
501 U.S. at 461, 111 S.Ct. 2395.
The Commission contends that this plain statement rule of Gregory is not applicable, arguing that Gregory, which
concerns a determination of qualification for state officials, involved a "decision of the most fundamental sort for a
sovereign entity." Id. at 460, 111 S.Ct. 2395. According to the Commission, the present regulation, "by contrast ...
regulates the conduct of private entities or individuals; there is no regulation of States or state officials." Reply
Brief at 27. This response does not pass muster. Gregory itself quoted from Will the language in which the Supreme
Court rejected an argument that the plain statement rule applied only in an Eleventh Amendment context. "
'Atascadero was an Eleventh Amendment case, but a similar approach is applied in other contexts.' " Gregory, 501
U.S. at 461, 111 S.Ct. 2395 (quoting Will, 491 U.S. at 65, 109 S.Ct. 2304). We see no reason why the reasoning
should not apply in the present context. The states have regulated the practice of law throughout the history of the
country; the federal government has not. This is not to conclude that the federal government could not do so. We
simply conclude that it is not reasonable for an agency to decide that Congress has chosen such a course of action in
language that is, even charitably viewed, at most ambiguous.
Finally, the original context of the language of Regulation Y argues against the Commission's application in the
present context. That regulation sets out the "[c]losely related nonbanking activities," which "are so closely related
to banking or managing or controlling banks as to be a proper incident thereto." (emphasis added). The effect of the
regulation was to establish what activities "may be engaged in by a bank holding company or its subsidiary in
accordance with the requirements of this regulation." Granted, banks and bank holding companies may at times
engage in "providing real estate settlement services, and providing tax planning and tax preparation services." We
know of no instance in which banks or bank holding companies have engaged in the practice of law. We know of
no state in which state bar regulations would permit such practice. We know of no instances in which the
Commission has approved a bank holding company owning a law firm as its subsidiary. We are not prepared to
hold on the basis of the present record that it would be lawful for a bank or a bank holding company to do so;
nonetheless, that result would seem to flow from the holding the Commission seeks to have us enter today. We
cannot hold that an interpretation compelling that result is reasonable, even if the Commission's letter order survives
Chevron Step One and earns deference.
For the reasons set forth above, we hold that the Commission's interpretation is not entitled to Chevron deference.
We further hold that, even if we afford the interpretation deference, the Commission's interpretation is not a
reasonable one. We therefore conclude and hold that the judgment appealed from is affirmed.
IS GOOGLE THE CENTER OF CYBERSPACE
OR JUST THE CENTER OF ATTENTION?
By Sharon K. Sandeen
Associate Professor of Law
Hamline University School of Law
If you have read a newspaper or magazine in recent months you could not avoid stories about
Google. Whether it is news about Google’s stock value or its policies concerning the
confidentiality of search queries, Google has been at the center of a lot of attention. This is
not surprising given Google’s status as the most used search engine. When you are a large
and successful company, you are bound to draw the scrutiny of many. But something more
is going on. The attention that is being paid to Google is the result of the new business
models it is developing. Google, like other Internet pioneers such as eBay, Amazon, and
Yahoo, is using digital technology and the Internet in ways that disrupt the status quo and
make people uncomfortable.
When Google announced in December of 2004 that it was embarking on a project with
Stanford University and the University of Michigan (later extended to include the New York
Public Library, Oxford University and Harvard University) to have the contents of their
libraries scanned and made available online, the writing community got uncomfortable. So
uncomfortable, in fact, that a group of authors recently sued Google to challenge the practice.
The following is an overview of the Google Print project and the resulting lawsuit.
What is Google doing?
Although Google and others often refer to Google’s book scanning project as the Google
Print Library project or the Google Books project, the project includes several different
aspects that are referred to under different names. There is the Book Search function of
Google’s site, the Library Partners project and the Partners Program. As background for the
legal issues that arise under the Google Print project, the following is a description of each
aspect of the project as gleaned from Google’s website (as of February 14, 2006):
The Book Search Function: According to Google’s own characterization, the book search
function is “a book-finding tool, not a book-reading tool.” It allows users to search for a
book and view either a snippet of the book, a sample page from the book, or the full text of
the book. It also enables users of the system to learn where they can purchase or borrow
selected books. Google describes the snippet view as being “like a card catalogue.” The
sample page view is only provided if the author or publisher has given permission to Google.
The full text of a book is only available for books that are in the public domain.
The Google Books Partners Program: The Partners Program is described simply as a way
for publishers and authors to promote their books for free. Authors and publishers agree to
allow Google to make their writings available online in exchange for the opportunity to
promote them on one of the most visited sites on the Internet.
The Google Books Library Project: Google’s website contains mixed messages concerning
the Library Project. It states that it is “working with several major libraries to include their
collections. . . and, like a card catalog, show users information about the book plus a few
snippets – a few sentences of their search term in context.” In describing its vision, Google
says that it “sees a world where all books are online and searchable.” This, of course,
requires all books to be scanned and made available through an online service such as Google
Book Search. In further describing the Library Project, however, Google says that its aim is
“to make it easier for people to find relevant books – specifically books they wouldn’t find
any other way such as those that are out of print.” It pledges to work with publishers and
authors to “create a comprehensive, searchable, virtual card catalog of all books in all
languages that helps users discover new books and publishers discover new readers.”
What legal issues arise as a result of Google’s business model?
According to a class action lawsuit that has been filed against Google by the Authors Guild
and three individual authors, the Google Print project infringes the copyrights of the
plaintiffs because “Google has made and reproduced for its own commercial use” copies of
plaintiffs’ works. Thus, the first issue that the lawsuit raises is whether there has been a
copyright violation. With respect to works of authorship that are not yet in the public
domain, there appears to be little question that copies of the works have been (or will be)
made. Thus, one would anticipate that infringement will be conceded and that the focus of
the lawsuit will be on the question of whether Google’s actions constitute fair use. Indeed,
the frequent use of the word “commercial” in the complaint signals that the purpose of the
use is likely to be the focus of such inquiry.
Judging from Google’s public relations campaign, however, there is reason to believe that
Google will not necessarily concede that it has engaged in unauthorized copying. First,
Google notes that not all of the works that it is scanning are protected by copyright. Second,
with respect to works that are not yet in the public domain, Google is using its Partners
Program to secure as much authorization for copying as possible. Third, Google is providing
copyright owners with an opportunity to object to the scanning of their books. In essence,
they can “opt out” of the Google Print project. Fourth, there is the issue of copyright
ownership. Although it is the norm in the publishing industry for authors to retain their
copyrights, it is possible that the original authors of various works are no longer the owners
of the copyrights therein. They may have assigned their copyrights to others or they may
have died and their rights could have descended to unknown or unaware relatives.
Based upon the foregoing, the Google Print case will not only examine the basic copyright
infringement issue of whether one or more of the plaintiffs’ exclusive rights have been
violated but it will also test the boundaries and meaning of fair use. The plaintiffs will
emphasize the commercial nature of Google’s activities, while Google will attempt to paint
itself as the benevolent savior of lost or inaccessible texts. As a result of the opt-out
procedure, it may also challenge accepted notions about how consent to copy must be