Legal Security of Web Sites: Proposal for a Legal Audit Methodology and a Legal Risks Classification
Professor Jean-Paul Cailloux*
Professor Christophe Roquilly
*This paper is published in memory of Jean-Paul Cailloux, who sadly died on 29 April 2001. He was a marvellous teacher, a creative lawyer and a great gentleman. God Bless Him - Professor Christophe Roquilly
The need for legal security in our society is increasing. Paradoxically, web sites for electronic commerce or information sharing are often created and developed in an anarchic way from a legal point of view. Even if web site owners are aware of the widely publicised issues (such as domain name conflicts or personal data collection), most are unaware of the many risks involved in the complex legal environment in which their web sites operate. This ignorance creates a risky situation. Poor management of intellectual property rights in the original material made available online can lead to an expensive dispute for the web site owner. If the information given online to consumers is insufficient, the electronic contract may be cancelled. If contracts relating to advertising on (or for) the web site show a lack of security (for example deceptive advertisements or unfair comparisons), legal proceedings could ensue.
As they are usually more preoccupied with the economic picture than with the legal one, web site owners often forget to think clearly about legal risks in a global context. It is more a question of getting the organisation right than of explicitly understanding legal rules. The fear of legal risks must not paralyse the economic project. Some legal risks have marginal economic consequences, whilst others have a very low probability of arising. It is therefore essential to be able to identify the relevant legal risks and measure them rationally.
In this paper, we propose a legal audit methodology which details a process dedicated to the detection, analysis and treatment of legal risks relating to web site creation and development. This methodology has been used in many real cases, but still requires some further refinement.
Keywords: Electronic Commerce, E-Economy, Law and the Internet, Legal Audit, Legal Environment, Legal Methodology, Legal Risks.
This is a Refereed article published on 2 July 2001.
Citation: Cailloux JP and Roquilly C, 'Legal Security of Web Sites: Proposal for a Legal Audit Methodology and a Legal Risks Classification', Refereed article, 2001 (2) The Journal of Information, Law and Technology (JILT). <http://elj.warwick.ac.uk/jilt/01-2/cailloux.html/>. New citation as at 1/1/04: <http://www2.warwick.ac.uk/fac/soc/law/elj/jilt/2001_2/cailloux/>.
E-business and internet law have many particular characteristics. Two of them are of a particular interest to us: the relationship with time and the relationship with space.
Ten years ago, when a law professor spoke about a five-year-old judgement, he called it a 'recent' or 'new' judgement. Today, with internet law, a judgement just two years old is 'historic', and a new judicial decision is known (and may be copied in full) by anybody, anywhere in the world, within a day or two. One consequence among many is an intensity of commentaries, exchanges and discussions, with (in some cases) confusion between opinion and law, and a lack of discernment.
This speeding-up of the publishing and dissemination process must, however, be related to the high level (in both quantity and quality) of 'legal production' by judges and law makers. Thus, after the time of 'legal emptiness' and the time of 'doubt', we have now entered the time of 'legal demand'. The Web is no longer something strange, a 'techwonder' which frightens judges, law makers and, more generally, lawyers.
This understanding of the Internet phenomenon, and the resulting need for Internet law, are altering the sense of many legal questions. For instance, a French court has recently recognised (for the first time) a web site as a 'work' protected by intellectual property law; yet the question remains whether all web sites present sufficient originality to benefit from this legal protection.
Internet law operates without time barriers and across national boundaries, but this is not the point we wish to make here. We want to stress the internationalisation of legal issues. In the majority of cases, legal articles or papers refer only to national law or judgements, but with internet law, legal references become international and are shared by all lawyers. Although various differences remain between national legal systems, the most common problems are found everywhere and increasingly similar solutions are being adopted. These similarities have another consequence: a fundamental harmonisation of law (welcomed by companies which, by definition, work with the internet all over the world).
It is clear that the internet does not operate outside the law but entirely 'under the law', a law which changes constantly. Technology is a real limit on law enforcement, but it is also the only tool that can give law real effectiveness. Legal rules are also subject to many influences, for instance the influence of a community of consumers. This community indeed plays a role of checks and balances on judicial decisions.
A law 'in revolution', new and inventive practices by web site owners, and the evolution of technological tools are serious reasons to think about internet law in terms of legal risks. At the same time, web site owners, consumers and public authorities (for different reasons) want more legal security. This security is essential for the development of e-business.
This demand for legal security is also formulated in a rather surprising context. Infringement of new technology law (or infringement of the law using new technology) is not always regarded with moral disapproval. Hackers are often heroes! Young people who copy music or DVDs in violation of intellectual property rights generally have no desire to break the law.
To answer the demand for legal security in this global context, we decided to develop a legal audit methodology for web sites. The broad discussions and tasks we have carried out in companies with web sites demonstrated that awareness of the legal risks relating to web site development is generally poor. Apart from domain name, privacy and intellectual property rights issues, trials concerned with internet disputes are quite rare. Nevertheless, there are clear indications that the number of e-commerce/e-economy disputes and trials is likely to increase quite significantly. Consumers are paying increased attention to their rights, especially because of the huge media coverage of e-commerce issues. Competition is intense; only the more profitable and more legally secure web sites will survive. Our experience shows that web site owners do not know how to treat and effectively manage the relevant legal risks:
These questions usually do not receive appropriate handling within the company, and law firms do not have a global answer (or they propose services at a price which is often prohibitive for many companies).
Our experience in the field of legal risk treatment has led us to work on a methodology of legal audit which could be used to secure web sites legally. This research has not been developed against a strong theoretical background, because such a background does not currently exist: legal risk analysis has not really been studied by legal scholars. Nevertheless, it is clear that our methodology is operational only if the substantive rules (related to e-commerce, such as contract law, intellectual property law, competition law etc) are well known.
Our methodology is not complex. It is organised along the following lines:
1. Identify all the different kinds of legal risk related to the web site creation and development.
2. Classify all the risks in categories, within two broad bands:
3. Identify whether each legal risk is present or not.
4. Measure the level of tolerance for each specific legal risk.
Taking into account the level of tolerance, actions and procedures must be set up. In other words, which kinds of legal risk must be immediately and imperatively treated and covered by the company to avoid major difficulties for the web site and the company? A Risk Treatment Board is used for this purpose.
By treating the risks step by step (imperative risks first, and so on), the company may tend towards an optimal coverage of all the legal risks of the web site.
In Part 2, we develop the legal audit methodology (detection, evaluation and treatment of legal risks). In Part 3 we show how all legal risks can be classified, and we explain how these risks can be measured and plotted on a Legal Risk Graph. Part 4 is dedicated to a presentation of web site profiles from a legal risk point of view.
Several legal academics and practitioners refer to the notion of 'legal risk'. Many lawyers say that 'legal risks must be covered' or that 'this project (or action) is too risky from a legal perspective'. As the law and its constraints become more closely associated with the management decision process, the 'Legal Risk Approach' shows its usefulness. The density of legal rules and the increase in trials demonstrate that the need for legal security is growing. Bearing in mind the complex nature of electronic commerce or, more generally, the Internet, the level of legal insecurity around web site development must not be neglected. Meanwhile, it seems the speed of web site creation often overrides the importance of legal risk treatment. In the best case, just a few legal risks seem to have been identified, very often for marketing reasons: 'The web site that respects your privacy!'.
A proper treatment of legal risks, however, requires a rational methodology which goes beyond traditional empiricism. In the first section we develop the first and second steps of the methodology (identification of the web site and its legal risks). In the next section, we study the three remaining steps, dedicated to the evaluation of legal risks and to the procedures and actions which could be used to treat these risks.
Our methodology involves five different steps. For each of them, standard documents are used; indeed, a methodology only exists if it can be applied systematically to all web sites. The first and second steps are dedicated to the 'identification' process.
An identity card of the web site is created (Web Site Identity Card, WebSitIc). The WebSitIc contains the following information:
Our experience shows that, for some web sites, problems appear as soon as we try to fill in the WebSitIc criteria. Sometimes, no publisher's details and no ISP address appear on the home page. This is clearly not a good start.
This first level of identification is done entirely online. Its aim is to determine an a priori legal risk level. This a priori level must sometimes be confirmed by further analysis (see Step 5), which takes place offline. To enable this identification, some information is first established by putting questions to the web site. For each category of potential legal risk (see the Legal Risks Classification Board, Table 4), we use a specific list of key questions. The auditor fills in a 'Key Questions Board', as shown below in Table 1, which is an example used for assessing advertisements on a web site.
Table 1: A Key Questions Board for assessing advertisements on a web site
Some questions do not require further analysis: an answer can be given after a quick look at the web site (for instance, 'is there any hypertext link to commercial web sites?', or 'is there any commercial banner on the web site?'). Other questions need deeper analysis (for instance, 'is there any advertisement which could be considered deceptive?').
This search for clues of legal risk is repeated for each category of legal risks (see the Legal Risks Classification Board, Table 4).
After these identification steps, we have to evaluate the level of the legal risks, and then propose suitable procedures with the aim of eliminating, restricting or covering them. First of all, it is absolutely necessary to evaluate the legal risks which have been detected.
During the third step, the tolerance level of the identified legal risks must be assessed. Two postulates have guided the elaboration of our methodology. The first is that trying to cover every kind of legal risk associated with a web site is materially impossible and not very useful. In fact, some legal risks may be considered negligible, either because of their small economic consequences for the web site owner or because their chance of occurrence is close to zero. It is therefore necessary to determine which legal risks have to be immediately treated and covered. The second postulate is that risk analysis, whatever its nature, is always subject to the bounded rationality of people. There is necessarily a difference between the 'perceived' risk and the 'real' risk. When we measure a legal risk, we must therefore refer to criteria that increase our objectivity.
We measure legal risks according to two criteria: the first represents the degree of expectation, and the second the gravity of consequences.
By 'degree of expectation', we mean the likelihood that the risk becomes reality. On this first criterion, the risk is classified as described below:
Obviously, the point is to know what kind of key points may be used to classify a legal risk on this criterion. Some are obviously useful: the web site's notoriety; the number of hits on the web site; the repetition of the risk. For instance, we would usually assume that publishing a small number of celebrities' pictures without authorisation on a poorly known web site creates a very low probability of the risk arising. If, on the other hand, the pictures are totally original, the probability is higher. If the web site is well known, the probability should be very high.
The second criterion relates to the gravity of the consequences for the web site owner. This gravity is assessed in relation to the economic consequences which could follow from a judicial decision: for example, the amount of damages, the possible penalty, an order to cease the activity, the closing of the web site etc. Measuring this gravity requires legal expertise, with the appropriate skill to understand legal texts and precedents. On this second criterion, the risk is classified as described below:
Once the legal risk has been evaluated on both criteria, a 'Legal Risk Graph' (LRG) is worked out. We show an example of a completed LRG in Part 3.
Now the web site owner has to decide whether the legal risk is tolerable. The tolerance level depends on the intersection between the degree of expectation and the degree of gravity. For instance, a legal risk with slight consequences and a low expectation could be considered highly tolerable by the web site owner, meaning that this specific legal risk does not have to be treated immediately. This approach underscores two important points: there is no 'absolute legal risk', since it depends on both degrees; and lawyers must not make the economic decision in place of the web site owner. Their mission is to identify and evaluate both degrees of each legal risk, and then check with the web site owner where the tolerance level lies.
Five different levels are used:
Some key questions cannot be resolved by a simple online identification of the legal risk. In this case, the legal auditor has to use the most appropriate means to complete the 'Key Questions Board' (for instance, questions put to the main web site developer, to the marketing director, to the webmaster, and so forth). Another standard document is used to complete the online identification, as shown below in Table 2.
Table 2: Questions to be Verified Board for evaluating risks relating to advertisements
This check completes the legal risk identification done with the 'Key Questions Board'. After this check, the Key Questions Board is updated, and the a priori Legal Risk Graph (LRG) may be confirmed or modified. This final version of the LRG is the one taken into account for Step 5.
Once the Legal Risk Graph is updated, it is advisable to determine whether each legal risk must be treated or not, and how.
If we use again the example of 'Risks related to advertisements on the web site', let us assume that the 'Key Questions Board' and the 'Questions to be Verified Board' reveal some legal risks. For instance, hypertext links (and the comments attached to them) lead to web sites whose contents do not correspond to those comments. Moreover, some banners which appear on the web site concern regulated products; French law, for instance, lays down specific rules on advertising for such products.
Considering the number of hits on the web site and the economic consequences of the penalties which could be ordered by a court, the risk related to advertising on the web site has been rated as slightly tolerable. Therefore, procedures to treat this risk must be organised, using a 'Risk Treatment Board' as shown below (Table 3):
Table 3: The Risk Treatment Board
The Risk Treatment Board, which is a real reference document, must be shared within the company. In fact, the best way to anticipate and treat legal risks is the sharing of information and knowledge between all staff members.
In this second Part, we explain how we classify all the legal risks related to the development of a web site, and we show how the Legal Risk Graph can be worked out.
The legal audit of web sites requires a rigorous methodology, which must be applied to all the legal risks which could appear during the creation and growth of a web site. It is advisable to determine what kinds of risks need to be detected and, if necessary, treated. The question is how legal risks can be classified and organised sensibly.
One approach consists of classifying legal risks by domain of law (for instance, intellectual property law, consumer law, competition law, privacy etc). A second approach consists of classifying them by the cause of the legal risk: for instance, no check of advertisement contents, no check of the origin of the pictures and videos available on the web site, and so on.
The first approach has the advantage of being closer to lawyers' sensibilities and their usual reasoning, but the disadvantage of being further removed from the reality of a web site's 'life cycle' and the chronology of its creation and operation. The second approach has the opposite strengths and weaknesses.
We consider the most interesting direction to be a mix of both approaches. In other words, we adopt a legal risks classification with two entries: on the one hand, an entry based on the web site's 'life cycle' (its creation, development, address etc); and on the other hand, an entry based on fields of law such as intellectual property law, contract law, consumer law etc.
The following Legal Risks Classification Board (Table 4) shows a simplified version of how we organise legal risks. We actually work with a more complete and precise version.
Table 4: A simplified version of the Legal Risks Classification Board
For each category of legal risks, a Legal Risk Graph is worked out, taking into account all its sub-categories. For instance, for 'Risks related to the web site creation' (R1), the LRG could look like Figure 1:
Figure 1: How a Legal Risk Graph might look for 'Risks related to the web site creation' (R1)
This Graph dedicated to the 'risks related to the web site creation' shows that two sub-categories of risk seem to be only slightly tolerable: risks related to rights of personality and risks related to public order. This means that these risks must be treated as a matter of urgency.
Once each category of legal risks has been treated specifically, the final Legal Risk Graph (for the whole web site, taking each category into account) can be worked out, as shown in Figure 2:
Figure 2: How the Final Legal Risk Graph might look
In fact, the tolerance level for each category derives from the previous stage, specific to each category. For instance, if we look at the LRG for Risk 1 (related to the web site creation), we can see that the tolerance level may differ for each sub-category. To set up the final Legal Risk Graph, we take the riskiest tolerance level among the sub-categories (in this case, Level 4). This means that the category must be treated, with the appropriate Treatment Board. But the sub-categories with a 'good' tolerance level (for Risk 1, sub-category no 3, i.e. R-1-3) will not be treated immediately. Therefore, once the final Legal Risk Graph has been worked out, the legal auditor must return to the Graph of each specific category, check the relevant sub-categories, and then use the Risk Treatment Board.
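As an added worked example, not part of the original paper, the scoring and aggregation rules of Steps 3 to 5 above (expectation and gravity give a tolerance level; a category inherits the riskiest level of its sub-categories; only the sub-categories at a bad level go to the Risk Treatment Board) can be written out in Python. Because the paper's own scales are not reproduced on this page, the four-point scales, the tolerance matrix, the treatment threshold, the sample ratings, the 'R2' label and every sub-category label except R1-4 (public order) are assumptions made for the illustration.

```python
"""Legal Risk Graph scoring and aggregation, as a worked example.

ASSUMPTIONS (the paper's own scales are not reproduced on this page):
- expectation and gravity are each rated on a four-point scale
- tolerance runs from level 1 (highly tolerable) to level 5 (not tolerable)
- the tolerance matrix below is illustrative, not the authors'
- level 4 ('slightly tolerable') or worse is sent to the Risk Treatment Board
"""
from dataclasses import dataclass
from typing import Dict, List

EXPECTATION = {"very low": 0, "low": 1, "high": 2, "very high": 3}
GRAVITY = {"slight": 0, "moderate": 1, "serious": 2, "critical": 3}

# Assumed matrix: TOLERANCE_MATRIX[expectation][gravity] -> tolerance level 1..5
TOLERANCE_MATRIX = [
    [1, 1, 2, 3],  # very low expectation
    [1, 2, 3, 4],  # low
    [2, 3, 4, 5],  # high
    [3, 4, 5, 5],  # very high
]
TREATMENT_THRESHOLD = 4  # assumed cut-off for immediate treatment


@dataclass(frozen=True)
class SubRisk:
    code: str         # follows the paper's R<category>-<sub-category> codes
    label: str
    expectation: str  # key of EXPECTATION
    gravity: str      # key of GRAVITY


def tolerance_level(expectation: str, gravity: str) -> int:
    """Intersection of the two criteria, i.e. one point of the Legal Risk Graph."""
    return TOLERANCE_MATRIX[EXPECTATION[expectation]][GRAVITY[gravity]]


def category_graph(subrisks: List[SubRisk]) -> Dict[str, int]:
    """Per-category LRG: the tolerance level of each sub-category, keyed by code."""
    return {s.code: tolerance_level(s.expectation, s.gravity) for s in subrisks}


def final_graph(categories: Dict[str, List[SubRisk]]) -> Dict[str, int]:
    """Final LRG: each category inherits the riskiest level among its sub-categories."""
    return {cat: max(category_graph(subs).values()) for cat, subs in categories.items()}


def treatment_board(categories: Dict[str, List[SubRisk]]) -> List[str]:
    """Sub-category codes to send to the Risk Treatment Board now.

    Mirrors the auditor going back from the final graph to each category graph
    and keeping only the sub-categories at or above the treatment threshold.
    """
    return sorted(
        code
        for subs in categories.values()
        for code, level in category_graph(subs).items()
        if level >= TREATMENT_THRESHOLD
    )


# Constructed sample audit. R1-4 (public order) is the paper's own code; the
# other labels, the 'R2' category label and all ratings are assumed here.
SAMPLE: Dict[str, List[SubRisk]] = {
    "R1": [  # risks related to the web site creation
        SubRisk("R1-1", "originality of the graphic design", "low", "moderate"),
        SubRisk("R1-2", "rights of personality", "high", "serious"),
        SubRisk("R1-3", "wording of the legal notices", "very low", "slight"),
        SubRisk("R1-4", "public order", "high", "serious"),
    ],
    "R2": [  # assumed: risks related to the web site address
        SubRisk("R2-1", "domain name versus trade mark", "low", "serious"),
    ],
}

if __name__ == "__main__":
    for cat, subs in SAMPLE.items():
        print(cat, category_graph(subs))
    print("final graph:", final_graph(SAMPLE))
    print("to treat now:", treatment_board(SAMPLE))
```

With these assumed ratings the R1 category ends at level 4 because of R1-2 and R1-4, while R1-3 stays at level 1 and is not sent for treatment, which is the situation the paragraph above describes.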
The inventory of legal risks relating to the creation and development of a web site, and the elaboration of their map, are an attempt to define web site profiles from a legal risk point of view. A set of preventive solutions must be developed for each profile, with the objective of avoiding or covering these legal risks in the future.
This typology is defined on the basis of the 'centre of gravity' of legal risks for each category of web site. Five major categories are used: 'Creative', 'Competitor', 'Contractor', 'Consumer' and 'Citizen', hence the '5C' profiles.
This first category concerns web sites whose risks are mainly related to creativity (or to the lack of it). Three main types of web site are affected by this profile: web sites with a very strong graphic added value (attractive and aesthetic sites, or sites promoting the arts), sites which contain creative elements (pictures, videos etc), and 'public place' web sites linked to texts or protected works (for instance, sites with links to documents or press articles).
It is important to note that the risk may be passive (for instance, the web site is counterfeited by another one) or active (the web site is counterfeiting another one).
This category combines web sites which fall particularly within the scope of competition law ('commercial networks' law or unfair competition law).
For instance, this is the case of commercial web sites owned by producers who develop a 'closed distribution network' and/or of web sites owned by retailers who belong to such a network.
From another point of view, this category also covers web sites whose activity directly concerns a large number of companies: for example, web sites dedicated to comparing the prices of products and services offered on the Internet. If the editor forgets to mention the products of some competitors, if he hides the fact that commercial relationships exist between him and some of the companies favoured in the comparison, or if he compares the prices of products of very different quality, he takes some risk under competition or civil law.
In this category, the main risks are directly connected to the 'heart' of the commercial relationship, in other words to the commercial contracts which bind the site to its clients or partners.
Two examples give a good overview of this category:
This category is the most 'classical' one. It concerns the majority of 'Business to Consumer' web sites. In this case, the 'centre of gravity' of legal risks is related to consumer information, to sales conditions (content and access), to evidence of the order, to the expression and validity of consent, to home delivery etc.
The legal background of these obligations is especially interesting if we consider the question of the choice of applicable law and the differing levels of consumer protection.
This last category combines web sites whose legal risks are divided into two major fields:
For each of these five 'generic' profiles, some specific profiles of legal risks can be defined. These risk profiles are only 'a priori' profiles: they may be completed, modified and, in some cases, overturned by the audit of each web site.
But they make it possible to have a preventive overview of the major risks which have to be avoided.
Using the same codes as in our 'Legal Risks Classification Board', we may obtain, for each profile, a graph of 'a priori risks' which combines 'degree of expectation' and 'degree of gravity'.
Two examples give a good overview of these graphs, see Figures 3 and 4:
Figure 3: 'Citizen' profile: a priori risks graph
The high level for R1 is explained by the sub-risk R1-4 (public order). The very high level for risk R4 (risks relating to personal data) is self-evident. The medium level for R5 and R6 is explained by the large number of links on these web sites and by the liability which may result from these links.
Figure 4: 'Competitor' profile: a priori risks graph
The very high level for R5 and R6 is self-evident. The high level for R2 is explained by potential conflicts between domain names and trade marks or company names.
A visual comparison between two profiles shows what we mean by 'centre of gravity' of legal risks, see Figures 5 and 6.
Figure 5: 'Creative' profile: a priori risks graph
Figure 6: 'Contractor' profile: a priori risks graph
For each legal risk profile, 'packages' of preventive solutions may be used. It is important to recall that these solutions are only indicative and may be changed or completed in the light of the audit of each specific web site and the analysis of its specific characteristics. With this aim, we explained in Part 1 the principles of legal risk treatment with 'custom made' procedures.
An example of these preventive solutions may be given for the 'Creative' profile. In that case, we suggest creating a database which contains all the elements of the web site (by type and by element). It is just one procedure among many. This database may be worked out as shown in Table 5:
Table 5: A possible database for the 'creative' profile
With this database, it is easier to control the risk of active counterfeiting, which is one of the major risks in the 'Creative' profile.
This database is only a management tool, which becomes a legal tool when connected, by specific procedures, with legal risks. It is typical of our methodology, which is dedicated to finding the legal risk behind practices, and whose objective is to obtain legal security through other practices.
This methodology of legal audit for web sites is not a frivolous plaything. Its role is not to provide fun for lawyers! Our experience in this domain, admittedly still at the developmental stage, shows that its usefulness stands at two levels. The legal audit methodology allows companies involved in electronic commerce, or more generally web site owners, to become aware of the complex legal environment in which they operate. It helps them to work out procedures and preventive actions to avoid disputes and trials that could prove costly and which may lead to the closing of the web site.
The global level of security presented by a web site (taking into account all kinds of legal risks) could constitute an interesting marketing argument and, moreover, a competitive advantage. The creation of legal labels for web sites (not only regarding privacy, personal data protection or electronic signatures) is going to be developed. One can imagine that perhaps soon search engines will give priority to certified web sites only.
Now the Internet is widespread. Consumers inform themselves, and the global demand for better legal security in our society is evident. The bankruptcy of a great number of start-ups or 'e-companies' is a cruel reality. This phenomenon indicates that legal parameters are essential for the survival of the e-economy. We do not argue for a legal totalitarianism; not every act or decision has to lead to law. It is advisable to find an equilibrium between the level of legal risks, the marketing strategy for developing the web site, and the financial budget that can be dedicated to the legal security of the web site.
The role of lawyers is to help companies to identify legal risks and to propose viable solutions taking into account the specificity of the company and its environment. Considering the polysemy and complexity of legal risks relating to the Internet, a legal audit methodology helping to take rational decisions is essential. As Professor Jean Paillusseau has demonstrated in his well-known paper:
'lawyers are technicians...but they are also organizers.'
A strong legal organisation of electronic activity helps to avoid or anticipate many threats to companies, such as disputes, bad reputation etc.
We hope that our work brings a modest contribution to legal research in the e-century.
2. O'Rourke, Progressing Toward an Uniform Code for Electronic Commerce or Racing Toward Non Uniformity? The Berkeley Technology Law Journal, 1999, Vol.14-2.
3. See, for instance, the saga 'Etoy-Etoys' in which, finally, the toys web site, winner in front of the court, abandoned its victory (and gave money) because of the pressure of consumers.
4. On this question and on the question of technology: Lee, Pak, Kim, Shapiro 'Electronic Commerce, Hackers and the Search for a Regulatory Proposal', The Berkeley Technology Law Journal, (1999, Vol. 14-2); Samuelson, 'Intellectual Property and the Digital Economy: Why the Anti-circumvention Regulations Need to be Revised', The Berkeley Technology Law Journal, 1999, Vol. 14-2.
5. For a global legal analysis of e-advertising, Buis, Aspects Internationaux du Droit de la Publicité et des Promotions sur Internet, Revue Communication-Commerce électronique, 2000, no.9-10.
6. For some development on personal data, see Pearce and Platten, 'Achieving Personal Data Protection in the European Union 36, Journal of Common Market Studies, 1998.
7. On this question, see Dearing, 'Personal Jurisdiction and the Internet: Can the Traditional Principles and Landmark Cases Guide the Legal System into 21st Century?', Journal of Technology Law and Policy, 1999, Issue 4.
8. For the background, Mills, Metatags: Seeking to Evade User Detection and the Lanham Act, The Richmond Journal of Law and Technology, 2000, Volume 6, Issue 5.
9. For the background, Caprioli, Le Juge et la Preuve électronique (2000), Juriscom.net. Murray, Vick and Mortley, 'Regulating e-commerce: Formal Transaction in the Digital Age', International Review of Law, Computers and Technology, 1999, 13.2.
10. For developments on defamation and the internet, Waelde and Edwards, 'Defamation and the Internet: A Case Study of Anomalies and Difficulties in the Information Age' , International Review of Law, Computers and Technology, 1996, 2.
11. In background, for instance: P-E. Moyse, Internet, Droit des Obligations et Droit D'auteur, <http://www.Juriscom.net> , mars 1999. A. Lewis, 'Playing Around with Barbie: Expanding Fair Use for Cultural Icons' , The Journal of Intellectual Property, Chicago Kent School of Law, nº 61.
12. A good example of this category was given by the site 'Total News' well known for its past judicial problems.
13. And this is true for the other profiles.
14. In background, M.J Lockerby, A World Wide Web of Potential Franchise Law Violations, Richmond Journal of Law and Technology, Volume VI, Issue 1, Symposium 1999. C. Roquilly and C. Collard, Electronic Commerce and Closed Distribution Networks: Proposals for Solving Legal Problems, The Journal of Information, Law and Technology (JILT), 2000 (2),
15. See Come and Rouet, 'La Demande de Justice des Consommateurs', Cahiers du CERAS, Reims, 1996.
16. Paillusseau, Le Droit est Aussi une Science D'organisation, Revue Trimestrielle de Droit Commercial, janv.-mars 1989.