Technology and Ecommerce Briefing 1
Metatags
Earlier this year, the Court of Appeal explored the issue of metatags and using words within a website which could potentially infringe a competitor’s registered trade mark. A metatag is an invisible mark which allows a search engine to identify and flag up a website when a certain word or phrase is keyed into the engine.
Reed Business Information are members of the Reed Elsevier publishing group and use the word “Reed” in relation to their website totaljobs.com, both as a metatag and by using the word as a banner advert keyword with a popular search engine. The Reed Employment Group who provide similar (but evidently not identical services) brought an action against Reed Elsevier for trademark infringement and passing off.
Interestingly, at first instance the judge upheld the allegations of passing off in relation to the use of Reed as a metatag. However, the Court of Appeal rejected this initial approach. It was argued that as the services provided by the two groups were similar but not identical, the action fell to be decided under the Trade Marks Act 1994 which insists that the claimant must prove “a likelihood of confusion”. It was held that the additional words on the end of the patented word “Reed” – in this case “Elsevier” and “Business Information” were successful in distinguishing the groups, did not cause the general public any confusion, and therefore did not constitute a trademark infringement or passing off. The case also touched on the use of surnames as trademarks. It was argued that the general public were alert to small differences in names - in the same way that “WH Smith” could be distinguished from “Smiths”.
This case is particularly interesting, as arguably many companies and organisations use certain words in metatags and banner adverts for the sole purpose of causing confusion and diverting search engines to their website. Although it was held in this case that the use of a trademark in a metatag did not constitute trademark infringement or passing off, it will be interesting to see if future cases before the courts pick up this point and explore it further.
Data Protection
A recent case which has caused quite a stir is Durant V FSA. This case has effectively turned on its head what was previously regarded as best practice concerning, in particular, the accessibility of manual filing systems. As a result, data controllers can breathe something of a sigh of relief regarding their obligations to respond to data subject access requests where the information is held in such systems.
The Data Protection Act outlines the type of information relating to personal matters which individuals can request from organisations. This case has set a precedent as to what can be expected from the courts, should they be asked to intervene.
Mr Durant requested documents from the FSA, which were being used in connection with a complaint he was lodging against Barclays Bank. The FSA gave only limited disclosure of computerised documents, and claimed that manual documents were not part of the “relevant filing system” and therefore did not fall within the ambit of the regulations.
The Court accepted the FSA’s arguments and refused Mr Durant’s application for disclosure, and the Court of Appeal confirmed the decision. The Court of Appeal considered various aspects of the Act, providing new guidance in what is proving to be a difficult area of law.
The Information Commissioner has now published his guidance notes on the Durant case and these should be read carefully when considering a response to a subject access request. It is hoped that the guidance notes may limit the Act’s media presence and ensure that it cannot be manipulated and used as an excuse for blatant errors - such as came to light during the Soham trial .
Spam
The US Federal government has taken steps to legislate against unsolicited emails. In December, the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (“CAN-SPAM ”) came into force in the USA providing guidance for commercial emails sent to US recipients.
Last month saw the first criminal prosecution under the new US spam laws. In this case, spammers were “spoofing” their identity by using third party addresses in the “reply to” and “from” fields. Furthermore, recipients were not given the option to opt out of such emails. The Federal Trade Commission issued a statement to the effect that the crack down by the courts on such illegal activities would send a strong message out to spammers.
It remains to be seen, however, whether the UK courts will send out a similar message to spammers under the UK legislation on Data Protection and the European Privacy and Electronic Communications Directive – (which were implemented in December 2003), but it is certainly worthwhile being careful and familiarising yourself with the legislation.
Outsourcing
Computer Weekly reported in November last year, that 41% of IT development activity is outsourced . This was an increase of 6% on the 2002 figures. Computer Weekly also reported that although India continued to be the preferred foreign destination, Russia, the Philippines, Israel and China were now also strong contenders.
Companies which insist outsourcing is the most productive move in today’s economy must, however, pay particular attention to the issue of data protection. The countries mentioned above, are not approved by the European Commission , therefore, information security must be taken very seriously. In particular, there are issues arising in relation to information security under the EU Data Protection Directive 95/46/EC and the trans-border data flow restrictions under the Directive.
Whether the company in question is merely acting as a computer bureau and processing personal data, without making any decisions in relation to that information or actually “making decisions” in relation to the personal data, then regard must be had to the Data Protection Act and in particular the provisions regarding the transfer of personal data to third parties.
India has, however, retaliated by saying that this area is to be reviewed and that data protection will be brought into line with UK regulations before the year end. Whether any arrangements brought in will be sufficient to satisfy the UK Information Commissioner that data may safely be exported to India remains to be seen. The long process regarding the ‘safe harbour’ arrangements with the US are a case in point.
Phishing
With the increased publicity surrounding internet fraud, it is unsurprising that large numbers (and perhaps a majority) of e-commerce transactions are cancelled at the final “confirm and purchase” stage. Although many of these aborted transactions may be the result of a change of mind, it is more likely that people have a general reluctance to divulge personal information and credit card details over the internet.
Internet users are most probably aware that the tiny closed-lock padlock at the bottom right hand corner of the screen indicates that you have now entered a secure site. In fact, the tiny padlock is there to show that the particular page on the site is secured using a Secure Socket Layer (SSL). The SSL’s function is twofold. Firstly, it authenticates the organisation’s identity and, secondly, it ensures that the information keyed in cannot at that time be interfered with or hacked into.
However, “phishing” is the newest form of internet fraud. This involves the mimicking of an established company web-site, and thus enticing visitors to divulge personal and financial information. Some of the biggest internet players have been victims of this new phenomenon, including E-bay , Amazon and NatWest and other major financial institutions. Spoof web-sites are virtually identical to their genuine counterparts except most addresses start with “the” at the beginning of the web address.
How can this fraud be combated?
-
First (and most obviously) by educating the general public never to respond to such requests for information as legitimate businesses would never ask for it in this way.
-
At the technical level, SSL private keys must be kept absolutely secret, by storing them and processing them in a secure hardware device or hardware security module (HSM).
-
Companies that utilise such security devices will be able to display a distinct “VeriSign Secure Site Seal” on their websites that will hopefully eventually lead to greater consumer confidence in internet shopping.
-
The challenge for security device developers is to create SSLs that go deeper into the web-site.
This is big business for the criminals and they will seek to adapt to any change in the security environment. Added to that the institutions and others who have been spoofed are generally reluctant to go public for fear of negative publicity. It will be interesting to see how this develops.
This briefing is for information purposes only. It is not intended to give detailed advice on particular situations and should not be acted upon.