[ISN] Hotmail frames raise legal fire

From: mea culpa <jericho_at_dimensional.com>
Date: Sat 10 Oct 1998 - 05:50:00 CDT
Forwarded From: phreak moi <hackerelite@deathsdoor.com>

http://www.news.com/News/Item/0,4,27374,00.html?st.ne.fd.gif.d
Hotmail frames raise legal fire
By Paul Festa
Staff Writer, CNET News.com
October 9, 1998, 1:15 p.m. PT

While security experts frequently talk about the universal tradeoff
between convenience and security, Microsoft's Hotmail may find itself
poised between security and legality. 

In an attempt to protect users from potential password-stealing schemes,
Hotmail recently started framing sites that users access from hotlinked
URLs included in incoming email. 

If a Hotmail user receives a URL in an email message and clicks on it, the
new site appears under a banner with the Hotmail logo and the text, "You
are visiting a site outside of Hotmail. Close this new browser window to
return to Hotmail." 

The banner persists as long as the user continues to surf within that
window unless he or she manually types in a new URL. 

The new warning banner does not appear when users click on banners for
Hotmail advertisers. 

Hotmail initiated the framing procedure to thwart potential "Trojan horse"
attacks designed to steal user names and passwords. While no actual
attacks were reported against Hotmail users, security-minded programmers
posted a series of demonstrations illustrating how attackers could spoof
Hotmail log-in pages and trick users into handing over control of their
accounts. 

But the warning is not universally effective in tipping off users to
spoofed log-in pages. The most recent exploit demonstration, posted by
Specialty Installations Web programmer Tom Cervenka and dubbed
"Attackments," still works and eludes the Hotmail warning. 

Hotmail notes that it never claimed to have solved the security problem
associated with attachments, apart from advising users not to download
attachments except from trusted sources. 

Framing, or the process of linking to a site and then presenting it in a
frame within one's own site, has been the source of several legal
confrontations. In one high-profile case, the news aggregator TotalNews
settled with news publishers that had sued the company for presenting
their stories within TotalNews frames and with TotalNews banner
advertising. 

Hotmail was quick to point out differences between its framing practices
and those of TotalNews. 

"This is really just a navigation tool," said Hotmail spokesperson Robin
Foster. "What TotalNews got dinged on was because they were profiting from
putting other people's content within their own frame. We're not
profiting in any way, and we don't want to profit. We just want to warn
our users." 

Attorneys specializing in trademark and copyright law said Hotmail was
legally on fairly solid ground, but not bedrock. 

As far as trademark law is concerned, a litigant would have to claim that
by framing its content, Hotmail had created confusion about the origin of
the content, according to attorney Brent Britton of Britton Silberman &
Cervantes. But the very text of the banner, informing users that they have
left Hotmail, answers that claim, Britton said. 

On the copyright issue, however, Hotmail may have crossed a line by
creating what the law considers a "derivative work," combining its own
content--the banner--with the content of the site linked to from within
Hotmail. 

"Technically, Hotmail doesn't have permission to do that," Britton said.
"Creating a derivative work is one of the exclusive rights that belong to
the copyright holder. By tucking your entire Web page into my Web page,
there's technically a copyright infringement." 

But Britton said the harm caused by such an infringement was probably so
minimal, and so difficult to prove, that Hotmail would be an elusive legal
target. Additionally, in part because the TotalNews case was settled out
of court, there is little legal precedent to rely on in the area of
framing and copyright law. 

One case currently pending, however, may clarify the question of whether
framing a site amounts to illegally creating a derivative work. 

That case, Futuredontics vs. Applied Anagramics, has seen two rulings so
far, one in November 1997 refusing to grant a preliminary injunction, and
the other in January of this year refusing to dismiss the claim of
copyright infringement. Those two rulings indicate that the judge in the
case sees the "derivative work" claim as neither unreasonable nor
obviously valid, according to Cooley Godward attorney Eric Goldman. 

Central to the "derivative work" copyright infringement argument is the
alteration of the framed site's "look and feel," Goldman said. 

By that token, certain sites may object to being framed. Because Hotmail
specifies a margin height within its frame, some sites may find their
design altered (News.com is one such example). Other sites may have
trouble identifying users with subscriptions. 

"When a site gets framed, it loses control of its look and feel," said
Forrester Research senior analyst Jim Nail. "Look and feel is crucial to
the user experience, and that is absolutely critical to maintaining
loyalty. Anything that removes a level of control over the user
experience, the sites are going to fight, and they should. They run the
risk of losing users, and losing advertising inventory to sell, and they
wind up losing opportunity to create revenue." 

In addition to the risk of changing the look and feel of a site, framing
also may impact how sites measure their visitors. While framing does not
affect the hit counts, or records of how many pages or files are accessed
from a particular site, it does skew the information regarding the
provenance of those requests. 

In this case, sites accessed from within Hotmail will appear to have
originated from Hotmail servers, rather than the personal computers of
individual users. 

Some sites have found a technological way to prevent themselves from being
framed. CNN Interactive, for example, refreshes itself and essentially
jumps out of the Hotmail frame a few seconds after loading. 

While Hotmail may have a solid legal argument that its banner eliminates
branding confusion that would make it guilty of a trademark violation, the
framing practice may cause confusion nonetheless. 

"It sounds to me like you could very easily confuse the user," Nail said.
"First I'm in Hotmail, then it says I'm not in Hotmail--but am I actually
still in Hotmail? Less sophisticated users are confused enough--they can't
even understand the 'back' and 'forward' buttons. It's not so much a
matter of confusing users over whether it is Hotmail vs. non-Hotmail
content, but the whole navigation issue that's going to potentially
alienate users." 

Whatever is at stake for sites and users, the legal picture for Hotmail
looks fairly clear. 

"Is what Hotmail is doing illegal, or just annoying?" asked Britton
rhetorically. "I think it's probably just annoying." 

-o-
Subscribe: mail majordomo@repsec.com with "subscribe isn".
Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
Received on Sat Oct 10 07:46:11 1998