Profiling Web Users – Some Intellectual Property Problems

‘Half the money I spend on advertising is wasted.  The trouble is, I don’t know which half.’[1]  Can targeted online advertising reduce the waste identified in this pithy and much-quoted observation?  Phorm, Inc’s Webwise system aims to do so by profiling Web users on the basis of their online browsing, and by then selecting the advertisements they see on the basis of their individual profiles. Three of Britain’s largest ISPs, BT, Talk Talk and Virgin Media, are reported to be considering whether to deploy the Webwise system, with BT known already to have conducted technical trials of the system on a number of its customers.

 

Dr Richard Clayton of the Cambridge University Computer Laboratory has published a detailed description of the Webwise system on the basis of information supplied by Phorm.[2]  That description repays careful reading, but for present purposes the following summary is sufficient.  When an ISP runs the Webwise system, it makes a copy of certain of the Web pages visited by those of its customers who it considers have consented to being included in the system.  The ISP then carries out an analysis of each page.  The fruit of that analysis is a list of up to ten of the most frequently used significant words, after disregarding words consisting only of digits, or containing an ‘@’ symbol, or following a title such as ‘Mr’ or ‘Mrs’ – a sort of digest of the page.  That digest is passed by the ISP to Phorm coupled with a pseudonym for the user (a UID), so that Phorm can build a profile for the user by matching the digest against a database of keywords.  Based on this analysis, the user (represented by the UID) is allocated to certain ‘channels’ (travel, music, sports and so on).  When the user later visits a Web site that is a member of Phorm’s Open Internet Exchange (OIX), the profile is used to select advertisements that match the channels to which the user is allocated.

 

This process raises a number of interesting legal issues.  The Foundation for Information Policy Research has published an analysis of the criminal law and regulatory issues affecting ISPs who run the Webwise system.[3]  This article is directed instead to the legal position of the owners of intellectual property rights (IPR) in Web sites whose pages are used by ISPs in the course of profiling users.  (The person who owns the IPR in a Web page may or may not be the person who manages the Web site of which it forms part, but the distinction is immaterial for present purposes. In what follows the IPR owner is referred to for convenience as the site-owner; and references to ISPs are to those ISPs who run the Webwise system.)

 

From the description given above it is clear that when an ISP’s customer fetches a Web page which falls within the scope of the Webwise profiling activity, the ISP makes a copy of that page for the purpose of deriving from it a digest of the page and sending the digest to Phorm.  The process is a rapid one, and the copy is quickly discarded (as, too, is the digest).  But does this process infringe the site-owner’s IPR?

 

In this article, we will discuss whether the operation of the Webwise system infringes the site-owner’s database right and copyright.  But first, we will consider the economic impact of the Webwise system on the site-owner.

 

Where’s the Harm?

 

The economics of the Webwise system are fairly straightforward.  Advertisers pay to advertise on Web sites that are members of OIX.  Exactly how this revenue is divided up is not a matter of public record, but it may safely be assumed that the operator of the Web site on which the advertisement is displayed receives a share, Phorm receives a share and the ISP receives a share.  The site-owner whose content feeds Phorm’s system with the data used to compile its user profiles receives nothing.  But does the site-owner suffer any real harm?

 

It is important to ask this question for two reasons.  First, the question of whether the site-owner suffers harm may be relevant in determining whether his IPR are infringed.  We discuss this further below.  Secondly, Phorm has on several occasions asserted that the Webwise system causes no harm to anyone, and that any contravention of the law or any person’s rights (which Phorm naturally denies) would therefore be of a purely technical nature.

 

In the authors’ view, a site-owner does in fact suffer harm, in the same way that any owner of IPR suffers harm whenever a person uses his IPR without payment.  In some cases the IPR owner can do nothing about this, as the use made of his IPR may fall short of infringement.  Where it is an infringement, however, the IPR owner may be expected to take action to prevent it, or at least to ensure that he is compensated for the use of his IPR through some sort of licence agreement.

 

Further, many site-owners generate revenue by making space on their Web sites available to third-party advertisers.  Advertisers have limited budgets, and must choose carefully where to place their advertisements.  Faced with Phorm’s sales pitch, advertisers may well choose to move their business from independent Web sites to those who are members of OIX.  Phorm and its partner ISPs are, therefore, using the content of Web sites that are not members of OIX to create a system that may make it more difficult for those Web sites to earn revenue from advertisers (or, at the very least, a system that will compete with those Web sites for advertising revenue).

 

Worse, when a user visits a Web site that is not a member of OIX, the Webwise system will identify the user as being interested in the subject matter of that Web site.  When that user later visits a Web site that is a member of OIX, he will be shown advertisements that match his interests, from advertisers who are members of OIX – in other words, from competitors of the original Web site.  The content of the original Web site is therefore used to assist the site-owner’s competitors in targeting their advertisements.

 

 

(1)  Infringement of database right

 

A Web site will in almost every case be, or interoperate with, a database as defined by s 3A of the Copyright, Designs and Patents Act 1988: ‘a collection of independent works, data or other materials which (a) are arranged in a systematic or methodical way, and (b) are individually accessible by electronic or other means’.

 

A straightforward Web site consisting of a number of Web pages, each accessible via a hyperlink on a home page (and possibly also via hyperlinks on other Web pages on the Web site), is a database within the meaning of s 3A.  Further, many modern e-commerce Web sites are organised in a manner that is more readily recognisable as a traditional database, with the content stored in a relational database management system such as MySQL, separate from the code used to present the content to the user.

 

In addition, a very large number of Web sites allow users to interact with databases of various kinds, such that each Web page (which will usually be dynamically generated in response to the user’s input) represents the content of one or more records within the database.  Almost every e-commerce Web site operates in this way, as do search engines, the knowledge base sections of vendors’ Web sites and Web sites operated by institutions such as libraries, galleries and museums.

 

It is clear that, when an ISP running the Webwise system makes a temporary copy of a Web page fetched by a user, it will in many cases be making a temporary copy of part of a database.  This raises the question of whether the copying infringes the site-owner’s database right.

 

The relevant legislative provisions are to be found in the Copyright and Rights in Databases Regulations 1997 (the Database Regulations),[4] which implemented Directive 96/9/EC on the legal protection of databases (the Database Directive) in the UK.  Regulation 13 of the Database Regulations provides that there is a property right (database right) in a database[5] if there has been a substantial investment in obtaining, verifying or presenting the contents of the database.  Database right exists entirely independently of any copyright in the database (there may be no such copyright or it may be owned by a different person). 

 

However, in order for database right to subsist, at least one of the makers of the database must qualify for database right.[6]  Regulation 14(1) of the Database Regulations provides that the person who takes the initiative in obtaining, verifying or presenting the contents of a database and assumes the risk of investing in that obtaining, verification or presentation is regarded as the maker of the database, while reg 14(2) provides that where a database is made in the course of employment, the employer is treated as the maker of the database (subject to contrary agreement).  Accordingly, in the commercial context, the maker of the database will tend to be the company in the course of whose business the database was made.  Regulation 18 provides that a company will qualify for database right if it is incorporated in an EEA state and either has its central administration or principal place of business in the EEA or has its registered office in the EEA (but only, in the latter case, if its operations are linked on an ongoing business with the economy of an EEA state).  Accordingly, a multinational organisation with an EEA-based subsidiary may enjoy database right, but it is not sufficient that it has a subsidiary in the EEA – the subsidiary must be one of the makers of the database.

 

Where database right subsists in a database (by virtue of the substantial investment of a qualifying maker in obtaining, verifying or presenting its contents), reg 16(1) provides that that database right is infringed by the extraction or re-utilisation of all or a substantial part of the database without the consent of the owner of the database right.  ‘Substantial’ is defined in reg 12(1) as ‘substantial in terms of quantity or quality or a combination of both’ – as with copyright infringement, one does not look merely at the proportion of the database that is taken.  Regulation 12(1) also defines ‘extraction’ as the permanent or temporary transfer of the contents of a database to another medium by any means or in any form, while ‘re-utilisation’ is defined as making the contents of a database available to the public by any means.  Importantly, reg 16(2) provides that the repeated and systematic extraction or re-utilisation of insubstantial parts of the contents of a database may amount to the extraction or re-utilisation of a substantial part of those contents. 

 

Piecing this all together in the context of Phorm’s Webwise system, it is clear that when an ISP makes a temporary copy of a Web page fetched by a user, it will be temporarily transferring to another medium (if only the memory of the server that creates the digest) part of the contents of the database constituted by the relevant Web site.  The copying of a single Web page will not, except in respect of the very smallest Web sites, amount to the extraction or re-utilisation of all or a substantial part of the Web site of which that Web page forms part.  However, it is likely that, in respect of those Web sites that are visited frequently by large numbers of users (particularly the most popular search engines and e-commerce Web sites) an ISP will, over time, undertake such repeated and systematic extraction from the Web site as amounts to the extraction of a substantial part of it (or of an associated database). 

 

However, the Database Regulations must be interpreted in the light of the European case law on the Database Directive, and in particular the judgment of the European Court of Justice in The British Horseracing Board Ltd and others v William Hill Ltd[7].  In the BHB case, the ECJ placed a significant limitation on the scope of database right and also on infringement of database right through repeated and systematic extraction. 

 

Importantly, the ECJ emphasised that database right will subsist only in a database where there has been a substantial investment in obtaining, verifying or presenting the contents of the database.  There will be no database right where there has been an investment merely in creating the contents of the database.  Accordingly, organisations that originate their own content, but make no other substantial investment in respect of the database in which that content is stored, will not enjoy database right.  (They may well, of course, own copyright in the content stored in the database; but that is a different matter.)  This will preclude a large number of site-owners from owning database right (the author of a blog, for example, will generally not own database right, even though his blog may be a database), but there remain significant cases in which database right will still subsist.  In particular, it is suggested that search engines and a large number of e-commerce Web sites make very substantial investment in obtaining and presenting (and, in some cases, also verifying) the contents of their Web sites and associated databases, and will therefore own database right.

 

As regards infringement through repeated and systematic extraction, the ECJ gave consideration to the meaning of Article 7(5) of the Database Directive, which provides that ‘the repeated and systematic extraction and/or re-utilisation of insubstantial parts of the contents of the database implying acts which conflict with a normal exploitation of that database or which unreasonably prejudice the legitimate interests of the maker of the database shall not be permitted’.  The ECJ noted that the purpose of Article 7(5) is to prevent circumvention of the primary prohibition on extraction and/or re-utilisation[8], and that ‘[i]ts objective is to prevent repeated and systematic extractions and/or re-utilisations of insubstantial parts of the contents of a database, the cumulative effect of which would be to seriously prejudice the investment made by the maker of the database just as the extractions and/or re-utilisations referred to in Article 7(1) of the directive would’ [9].

 

However, the ECJ went on to hold that Article 7(5) prohibits only repeated and systematic acts of extraction that would lead to the reconstitution of all or a substantial part of the database.  This clearly will not be the case in the operation of the Webwise system, since each temporary copy of a Web page is erased as soon as it has been analysed; the copies are not combined so as to reconstitute the original Web site.  However, it is submitted that the ECJ’s judgment must be viewed in light of the manner in which the British Horseracing Board exploits its database – by making the data itself available to third parties.[10]  It is apparent why, in that context, the ECJ concluded that a putative infringer would need to reconstitute all or a substantial part of the database in order to prejudice the investment made by the maker of the database.  But that is not how the operators of search engines, for example, exploit their databases.  They do not provide their databases of Web pages directly to third parties – instead, one of the principal means by which they derive revenue from their databases is by analysing the results of each search by a user and then displaying paid advertisements to the user based on those results.  The Webwise system seeks to make precisely the same use of the database, in direct competition with the site-owner; in the authors’ view, this must surely be held to conflict with a normal exploitation of the database by the site-owner, unreasonably prejudice his legitimate interests, or both.

 

Further, it is submitted that whether the database is reconstituted cannot be the sole test of whether acts of repeated and systematic extraction fall within Article 7(5), since that would overlook the fact that, in today’s connected world, unfettered online access to a database provides a third party with many of the same benefits as having an offline copy.  There are even advantages – the data is guaranteed to be up-to-date and the third party does not even need to use his own disk space for storage.  In the authors’ view it would be perverse if taking a copy of a database (whether all at once or gradually over time) amounted to infringement, but ‘dipping in’ to an online copy of the database itself on an unlimited basis, without the permission of the database owner, did not.

 

It is therefore the authors’ view that the operation of the Webwise system is likely to infringe the database right of many site-owners whose Web sites are visited frequently by large numbers of users.  As noted above, this will not necessarily apply to all Web sites, and site-owners who principally act as creators of content may not enjoy database right (although they are likely to own copyright in their content); however, a number of site-owners, and in particular operators of search engines and e-commerce Web sites, may well have a claim for infringement of database right.

 

Phorm and its partner ISPs may well argue that they have an implied licence to undertake these acts of extraction by reason of the site-owner making the Web site available to the public.  In the authors’ view this is doubtful – the only licences that may be implied are those necessary for ordinary Web browsing (including incidental copying in the course of transmission) and, most likely, also for ‘spidering’ by search engines (partly because Web sites benefit from inclusion in search engines’ results, partly because of their ubiquity and partly because of the well-known means of preventing access by spiders).  In any event, many Web sites (or at least URLs within Web sites) are not made known to the public, and several are password-protected[11] – in these cases, it is even more doubtful that Phorm and its partner ISPs have an implied licence to copy any part of the Web sites’ content.

 

Further, many commercial Web sites make their content available on terms that expressly prohibit the acts of extraction carried out by ISPs operating the Webwise system.  In these cases, it is beyond doubt that there is no implied licence.

 

 

(2) Infringement of copyright

 

A Web page will usually be a literary work as defined by s 3(1) of the CDPA, which provides that ‘literary work’ means any work, other than a dramatic or musical work, which is written, spoken or sung, and includes, among other things, a table or compilation.  By s 2(1), the owner of the copyright in a work has the exclusive right to do the acts specified in Chapter II as the acts restricted by the copyright in a work of that description.  And by s 16(1)(a), which forms part of Chapter II, the owner of the copyright in a work has the exclusive right to copy the work. Bt s 16(3), references to the doing of an act restricted by the copyright in a work are to the doing of it (a) in relation to the work as a whole or any substantial part of it, and (b) either directly or indirectly; and it is immaterial whether any intervening acts themselves infringe copyright.  Copying in relation to a literary work means reproducing the work in any material form; and this includes storing the work in any medium by electronic means (s 17(2)).  Finally, by s 17(6), copying in relation to any description of work includes the making of copies which are transient or are incidental to some other use of the work.

 

From these provisions it is clear that the ISP will prima facie infringe the site-owner’s copyright by making an electronic copy of the Web page without the site-owner’s consent.  But there is an exception that may apply for the ISP’s benefit.  Section 28A provides that copyright in a literary work, other than a computer program or a database, is not infringed by the making of a temporary copy which is transient or incidental, which is an integral and essential part of a technological process and the sole purpose of which is to enable (a) a transmission of the work in a network between third parties by an intermediary; or (b) a lawful use of the work; and which has no independent economic significance.

 

Section 28A was added as part of the UK’s implementation of the Copyright Directive.[12]  Recital 33 to the Directive explains that ‘the exclusive right of reproduction should be subject to an exception to allow certain acts of temporary reproduction, which are transient or incidental reproductions, forming an integral and essential part of a technological process and carried out for the sole purpose of enabling either efficient transmission in a network between third parties by an intermediary, or a lawful use of a work or other subject-matter to be made.  The acts of reproduction concerned should have no separate economic value on their own.  To the extent that they meet these conditions, this exception should include acts which enable browsing as well as acts of caching to take place, including those which enable transmission systems to function efficiently, provided that the intermediary does not modify the information and does not interfere with the lawful use of technology, widely recognised and used by industry, to obtain data on the use of the information.  A use should be considered lawful where it is authorised by the rightholder or not restricted by law.’

 

It is clear that limb (a) of s 28A will not apply to the Webwise system; but limb (b) might.  There are three issues that must be addressed in determining whether the exception in s 28A applies: (a) whether the making of the temporary copy of the Web page infringes copyright in a computer program or a database, (b) whether the use of the Web page is lawful and (c) whether the making of the temporary copy has independent economic significance.

 

(a)  Infringement of copyright in a computer program or a database

 

There is no statutory definition of ‘computer program’.  It is certainly arguable that a Web page is a computer program, in that it consists of a series of commands (in the form of HTML tags) that are executed by a computer.[13]  Further, if the Web page contains any form of client-side[14] script (such as JavaScript) then, to that extent, it is a computer program.  However, it is suggested that a court would be at pains to hold to the contrary, since to hold that a Web page is a computer program would be to defeat the principal purpose of s 28A and the provisions of the Directive from which it is derived.

 

For the reasons explained above, a Web site will in many cases be a database.  However, it is unlikely that copyright in the database itself (as distinct from its contents) would be infringed by the Webwise system, since the system only copies individual Web pages and does not in any sense reproduce all or a substantial part of the structure of the Web site.

 

(b)  Is the use of the work lawful?

 

In order for s 28A to apply, the temporary copy must be made to enable a use of the work that is lawful.  However, there are several reasons why this may not be the case.

 

(i)  Infringement of database right

 

First, for the reasons given above, the use of the Web page will in many cases amount to an infringement of the site-owner’s database right.  In these cases the use of the Web page will not be lawful, and the ISP will be liable for both copyright infringement (since s 28A will not apply) and for infringement of database right.

 

(ii)  Unlawful interception

 

Secondly, in the authors’ view the copy of the Web page is obtained in contravention of the Regulation of Investigatory Powers Act 2000.  The reasons for this are set out in detail in the FIPR analysis referred to above,[15] but in summary it is an offence under s 1(1) of RIPA for any person intentionally and without lawful authority to intercept, at any place in the UK, any communication in the course of its transmission by means of a public telecommunications system.  When an ISP makes a copy of a Web page in the course of its transmission through the ISP’s network, it is intercepting the transmission between the user and the site-owner.  For practical purposes, this will be lawful only if both the user and the site-owner have consented to the interception (s 3(1)).

 

The ISP may seek to argue that the interception is permitted under its terms and conditions, but it is doubtful whether such a general provision can constitute effective consent as required under s 3(1).  Even if it is effective, that would only apply where the subscriber (ie the party to the ISP’s terms and conditions) is also the user – where the user is an employee or a family member of the subscriber, the provisions of the ISP’s terms and conditions are irrelevant.  And even if the user is also the subscriber, the site-owner must also consent to the interception in order for s 3(1) to apply, and such consent will almost never be expressly given or even sought; it is by no means clear why such consent should be implied (and in many cases it will be expressly withheld).

 

In circumstances where the copy of the Web page is obtained in a manner that constitutes the commission of an offence, it is difficult to see how any further use of that copy can be described as lawful.

 

(iii)  Use prohibited by site-owner

 

As noted above in respect of database right, in many cases the site-owner will purport to make use of the Web site subject to terms and conditions that prohibit the acts of copying involved in the operation of the Webwise system.  These terms may take the form of a limited licence, or may purport to give rise to a contract between the site-owner and the person accessing the content of the Web site.

 

It appears that any such licence terms will not, by themselves, prevent the application of s 28A.  Section 28A creates an exception to the copyright owner’s exclusive rights.  Accordingly, the copyright owner’s licence is not required for acts that are within the scope of the section; any restriction in its licence is therefore  irrelevant.  Nor, it is suggested, can the site-owner prohibit the ISP from creating the very brief summary of the Web page derived from the temporary copy (in the form of the channels to which the user is assigned), since the creation of such a brief summary is not itself an act restricted by copyright any more than it is an infringement of the copyright in this article simply to record that it has to do with computers and law.

 

That said, the language of the final sentence of recital 33 to the Copyright Directive (‘[a] use should be considered lawful where it is authorised by the rightholder or not restricted by law’) does leave ambiguous whether an express statement by the site-owner that certain acts are not authorised will make a contrary use of a Web page unlawful.  There is a pending reference[16] to the ECJ from the Supreme Court of Denmark that will, it is hoped, provide greater clarity on this issue.

 

Of course, where Web site terms create a contract between the site-owner and the ISP, any act of copying in breach of that contract (whether an act restricted by copyright or not) will not be lawful, and the making of a temporary copy for a purpose prohibited by that contract will therefore not be permitted under s 28A.  However, it is expected that ISPs will deny that any such contract is created through their use of a site-owner’s content; and since no contract may be created against the clearly expressed intention of the offeree, a site-owner will need to rely on his remedies at law for infringement of his IPR.

 

(iv)  Copy obtained in breach of confidence

 

In some cases the information in a Web page will be provided by the site-owner to the user in confidence.  An example might be the offering of discounted prices to certain users, a matter which the site-owner might not wish to be known to other users.  Although the confidentiality of the information will often be the subject of express contractual terms, it is worth noting that breach of confidence is not necessarily dependent on the existence of contractual relations.  In some cases, therefore, it may constitute an independent basis for concluding that the making of a copy by the ISP is an unlawful use of the page.  It follows that breach of confidence will in many cases supply independent grounds for the conclusion that the making of a copy of a Web page by the Webwise system does not fall within the exception provided by s 28A.

 

(c)  Does the making of the temporary copy have an independent economic significance?

 

Finally, s 28A will not apply if the making of the temporary copy of the Web page has an independent economic significance.  This requirement has recently been considered by the English courts in Football Association Premier League Ltd and others v QC Leisure and others.[17]  In that case, Kitchin J made reference to Article 5(5) of the Copyright Directive, which provides that the exception in Article 5(1), from which s 28A is derived, ‘shall only be applied in certain special cases which do not conflict with a normal exploitation of the work or other subject-matter and do not unreasonably prejudice the legitimate interests of the rightholder’.[18]  Kitchin J made particular reference to the opinion of the Economic & Social Committee on an early draft of the Copyright Directive, and in particular the view of the Committee that, ‘[a]ny reproduction that in effect is consumption of the work, such as the temporary copying of programmes or data into memory in order to use or access such works, for example the act of accessing online databases, should only be permitted with the rightholder’s authorisation’.

 

Considered in this context, in the authors’ view the making of the temporary copy of the Web page by the ISP does have an independent economic significance.  It is an integral and necessary part of the Webwise system, from which the ISP, Phorm and others derive revenue which they would not receive without making the copy, and the use made of the page by the ISP is entirely independent of that made by the user who fetches the page.  For this reason, as well as those stated above, it is unlikely that s 28A would apply to the Webwise system.

 

Without the protection afforded by s 28A, and with no licence to carry out these acts of reproduction (for the same reasons as given above in respect of database right), an ISP operating the Webwise system will infringe the site-owner’s copyright in each Web page copied and analysed by the system.

 

Remedies

 

Site-owners who object to their content being used in the manner described in this article may wish to consider what remedies might be available. 

 

Damages may be awarded for infringement of database right and for copyright infringement, and an account of profits is also available as an alternative remedy.  The latter is designed to enable the claimant to strip the infringer of the profits of infringement, and may be particularly attractive in cases such as the use of the Webwise system where the ISP derives profit directly from the infringing acts.  It is also possible that a court would grant an injunction prohibiting an ISP from applying the Webwise system to a site-owner’s Web site, although it is highly unlikely that such an injunction would be granted if Phorm were to incorporate an effective opt-out mechanism for site-owners.[19]

 

Conclusion

 

If the claims made by Phorm about Webwise are to be believed, the system presents great opportunities for ISPs seeking to maximise their revenues.  But it also presents ISPs with significant legal risks.  Site-owners whose Web sites will make a major contribution to Phorm’s profiling activity, and whose own advertising revenues could be put at risk by the Webwise system, are likely to object to this use of their content, and may well take action to prevent it – or, at least, to ensure that they are adequately remunerated.  This article shows that those site-owners have significant opportunities to enforce the IPR in their Web sites in order to protect their established position.

 

Nicholas Bohm is General Counsel to the Foundation for Information Policy Research.  Joel Harrison is an associate at Milbank, Tweed, Hadley & McCloy LLP.