One of the issues that came up in the metrics that matter panel at HostingCon was the Rackspace IPO. Rackspace's Red Herring estimated a $12-$16 price.  Lou Honick believed that the IPO would price out in the higer range ($14 to $16) Elliot Noss in the lower range ($12 to $14).  Each bet $500 on their position.  Based on a final price of $12.50 (and falling), I say that Lou needs to fly up to Toronto and deliver the novelty check in person.

One of the things I really need is personal finance software.  A number of industry friends have recommended mint.com.  I've looked at it several times and think it would be the right fit.  However, I'm skeptical about turning over all my personal financial information to another entity.  My major concern is not security, nor privacy (which I figure you just about give up when you sign up for any free service), but whether the company will stand behind its products.  To determine this, I looked at mint's Terms of Service.  Not surprisingly, it was disappointing.

As many of you who've seen me speak about "web 2.0" matters know, I believe that the Achilles heel of this new technology is how user's information will be used, disseminated and protected among the participants.  So in this case, will mint.com, and its sponsors protect my information once they're done using it, and will they stand behind these promises.  In the case of mint.com, it appears that the answer is "no."

The mint.com site contains significant information about how information is secured and protected, and how access and use of this information is restricted.  Indeed, the CEO points out that even if my credit card information is stolen, my liability is only $50.  However, in my view, my liability is much greater than that.  For example, let's say that one of mint.com's partners misuses my personal information and somehow damages my credit.  How will mint.com make me whole?

Looking at their Terms of Service, they won't.  Here's what their contract says:

MINT MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED, AS TO THE CONTENT OR OPERATION OF MINT.COM OR OF THE SERVICE. YOU EXPRESSLY AGREE THAT YOUR USE OF THE SERVICE IS AT YOUR SOLE RISK.

Further:

MINT'S LIABILITY TO YOU FOR ANY CAUSE WHATEVER AND REGARDLESS OF THE FORM OF THE ACTION, WILL AT ALL TIMES BE LIMITED TO $500.00 (FIVE HUNDRED UNITED STATES DOLLARS).

So in other words, if something goes wrong, it's my burden to fix – mint.com isn't going to help – no matter what their CEO says on their website.

So what's my point?  I think that companies need to stand behind their products.  That often means thoughtfully considering requests from your customers to change the terms of your contract.  In many cases, you can stand behind your product by agreeing to broader indemnification provisions, or listing a major customer as an additional insured on your insurance policy.  Considering a carefully crafted warranty might also help.  For example in my case, a warranty from mint.com regarding onward data transfer might satisfy my concerns.

While in a consumer context it's unrealistic to assume that a company will amend their contract, in a business context, remaining flexible about contract terms may help differentiate you from your competitors, and lead to a deeper relationship with your customers.

Today’s HostingCon keynote was a fitting capstone to a very good conference.  Although a bit personal at times, it reinforced for me the high emotion that goes into transactions.  For all of the “be objective” talk – deals are emotional.  This is true both for buyers and sellers – though particularly true for sellers.  I don’t see how it is possible not to get emotionally invested in a deal.  From negotiating to money, everything about a deal involves emotional investment.  In my mind, not being emotionally invested in a deal is akin to dating and only looking for friendship – a bit of an oxymoron.

Like dating, however, there are ways to participate in the process without getting completely heartbroken or frustrated.  From my experience the following points may help:

·  Don’t put all your eggs in the buy/sell basket.  Keep operating your business and innovating.

·  Know what your hard stops, or non-negotiables are, and realize that the deal will end if these are reached.  Only designate these as non-negotiables if you are willing to walk away.

·  Communicate with your advisors constantly.  Feel free to vent to us about your frustration – but try not to make it personal unless it really, truly, is deserved.

·  Hire people who have participated in deals before.

·  Don’t give yourself artificial deadlines.  If you want to take a day off to go see your kid’s swim meet, do it.  The deal will be there when you get back.

·  If the deal falls through, take time to deconstruct what happened, what you can learn, and try to reuse any documents that were created in the process.

The first session I moderated yesterday morning revolved around SPAM and new trends in dealing with this problem.  One of the questions I posed to the panelists was whether new ways of dealing with SPAM are simply RBL’s that you pay for.  I think, however, that that is not the case.  Dealing with SPAM and the way it affects your network is one of the key ways of dealing with, and minimizing risk, for your company.  Advanced methods of addressing SPAM are a great way of doing this.

 

From a legal perspective, SPAM poses two risks to your company.  The primary risk is that a  SPAM outbreak cripples your network.  Network outages lead to large contract claims, and may affect your ability to get reasonably priced insurance – the linchpin of any risk mitigation strategy.  The second is more of a nuisance issue:  e-mail outages are the largest source of  letters demanding “$100,000 for missed business opportunities”  because of a missed e-mail.  Assuming you have a decent TOS, these claims are typically easy to deal with.  However they take an inordinate amount of legal time to handle, and, depending on your settlement profile, may actually involve some outlay of cash to address.

In a prior post I opined that web hosts could use a good association to deal with a number of issues.  Thanks to the efforts of a dedicated team of core members, the hosting industry has a nascent association:  the Association of Internet and Hosting Service Providers or AIHSP.  The AIHSP is getting great send off here at HostingCon

thanks to the efforts of George Roberts and Frank Spaulding who have given AIHSP space to promote the association, and the opportunity to network with hosts attending the show.

As I’ve pointed out in the past, an association is good for many reasons.  The first is helping raise the profile of an industry that gets relatively little notice, and, honestly, that has relatively little cohesion.  Aside from HostingCon, and a couple of other events, it is rare for hosts to get together and compare notes.  Even when hosts do get together, only pressing issues are discussed.  There is little time for discussing standards, best practices and other issues that are hallmarks of an industry that has reached a bit of maturity.  An association gives companies the breathing room and time necessary to think and talk about these issues in more depth.

So what can you do?  Stop by the AISHP’s booth in the HostingCon exhibit hall and see what they’re up to, and what you can do to make the association what you’d like it to be.  If you’re unable to make it to HostingCon, just stop by the web site and get active – or at least sign up for news.  If none of those work, feel free to drop me an e-mail, or stop me in the hall at the show, and I’ll be happy to point you in the right direction.

As has been widely reported, three of the nation’s largest, ISPs have entered into an agreement with New York’s Attorney General Cuomo in which they will begin blocking certain sites alleged to contain child pornography.  While it’s unclear why these ISPs agreed to cooperate (although given A.G. Cuomo’s past law enforcement efforts, it’s certainly easy to assume that a certain amount of arm twisting was involved) the way this agreement will be implemented is quite illuminating. 

The press release issued by the A.G.’s office makes for interesting reading.  It appears that the State of New York will begin building a library of objectionable images and assign these images hash values.  This will allow the State to identify images across multiple networks without having to re-identify them.  The ISPs will also use lists of illegal images compiled by the National Center for Missing and Exploited Children (NCMEC) to administer the program and remove data.  In addition, in the release, we learn that the A.G.’s office “uncovered” a “major source” of the content, “known as news groups.” 

What is missing from the release is how these programs will be administered.  Predictably, this minor issue was not included in the press release, nor in reporting by major news outlets.  However, reporters from “Mashable” did some digging and found that each of the ISPs were going to approach the issue differently:  TimeWarner is blocking all USENET access; Sprint the alt* hierarchy; and Verizon different newsgroups on a case-by-case basis.

So what does this mean in a broad context?  In general, I believe it reflects a dangerous trend of placing law enforcement tools in the hands of private, or quasi-private, entities.  Make no mistake, child pornography is illegal.  As I point out in almost every presentation I make, U.S. child pornography laws are “strict liability:”  you violate the law when you view the content, no matter how noble your intentions.  However law enforcement tools exist to combat this material.  Agreements such as this reflect the thin wedge of private Internet censorship.

When I read this warning flags shot up all around.  Other entities are already trying to implement similar schemes for other types of content.  Indeed, the RIAA, MPAA, NAB, and similar organizations are currently lobbying Congress to rewrite Intellectual Property laws to require certain types of content screening.  Last year former U.S. Attorney General Alberto Gonzales embarked on a campaign to eradicate all pornography on the Internet.  Taken together, these events should alarm hosts and other Internet Infrastructure providers.

Hosts sit at a particularly unique point in the Internet Infrastructure.  Because such a substantial amount of Internet traffic must ping their servers, it is incredibly easy to use this fact to control content.  This fact already results in hosts receiving a significantly higher number of criminal and civil warrants and subpoenas.  Hosts simply have the information. Moving the policing of illegal and objectionable content from law enforcement and requiring private entities to assume this task is likely to sharply increase the cost of doing business and significantly raise the risk profile of hosts.

While we all take great pains to make it clear that child pornography is objectionable, and its content irredeemable, the simple fact is that this agreement results in two major ISPs blocking access to a part of the Internet that is of great utility for other uses.  Similarly the organizations representing copyright holders have argued that P2P networks should be shut down because they can function as conduits for piracy.  It is not a far stretch to speculate about a future in which new methods of content dissemination are studied not for their effectiveness in moving Internet traffic, but for their potential to offend.  A chilling development indeed.

Today’s keynote speaker at ISPCON was Elliot Noss of Tucows.  His keynote addressed how Internet Infrastructure companies can compete with the likes of Google and Go daddy.  His answer:  more customization and real personalization.  He used McDonalds to represent Google and Go daddy, and Starbucks as an example of customization and personalization.  In his presentation Rackspace is the Starbucks of the Internet world.  In his opinion Rackspace succeeds not because it is the cheapest, but because it provides a much more stable experience than most infrastructure providers.  Examples of this include robust mail service with large storage space.

As a frequent conference attendee, I hear this keynote often.  In other conferences the keynote has been entitled, alternately, “How to compete with 1and1 and Microsoft,” “Withstanding the entry of the giants,” and so on, and so forth.  Depending on the audience, the theme always seems to be “specialization and customization”

I wonder, honestly, how specialized and customized companies can get and still make money.  Early on in my practice, one of my clients had the idea of creating different brands for different segments of the hosting market.  The CEO called this the “supermarket” strategy:  he wanted to own the most shelf space in the hosting market.  Consequently the company had over 10 brands, each with a different message, back end, support needs, etc.  Needless to say, this level of specialization became uneconomical over the long term, and we ended up folding all the brands into two major brands.

Similarly, another client sought to compete in various segments of the market.  So he targeted lawyers, doctors and chambers of commerce.  This specialization required an enormous amount of sales time, and very expensive marketing (getting a lawyer’s attention isn’t cheap).  This marketing effort worked, but the customer market was so specialized, and the product not scalable to other markets, it was eventually folded into a standard “unlimited bandwidth, storage, 10 GB e-mail” plan, with resulting churn.

What Elliot talked about, that strikes me as true, based on those of my clients who are successful, is that successful Internet businesses are high touch, and that people will pay to have their problems go away.  Examples of this, and hosting companies that are taking business from 1 and 1, etc., include those that focus on customer support, implementing complex outsourced solutions like exchange, and hold the hand of overburdened IT departments. 

In each of these examples the customization and specialization is applicable across the entire product line, and is not feature based.  So instead of creating an e-mail solution that meets the unique needs of lawyers, they have support that teaches the lawyers how to create the e-mail product they need. 

I see an analogy in my own business:  clients pay me to make problems go away.  They’re not interested in the most recent regulatory pronouncement about green marketing from the Federal Trade Commission, they just want to be able to market their new “green” data center.  Similarly, the nuanced thread that has run through all these keynotes, whatever their title, has been that customers will pay you to make problems go away.  Seems to me that’s a great way to succeed. 

The Supreme Court of New Jersey joined a small, but growing, number of state courts who have ruled that individuals have an expectation of privacy in the IP addresses assigned to them by their ISPs.  The unanimous decision in  State v. Reid was based on the New Jersey state Constitution, rather than the U.S. Constitution. 

At base, the court held that a demand for an IP address must be connected with some sort of judicial proceeding, and not a simple subpoena issued by a court without any kind of review.  The court stated that the demand for the IP address must “bear some possible relationship” to an investigation.  That relationship can be demonstrated by requiring that the subpoena be issued as part of the grand jury process, rather than through a process in which a subpoena may be issued without any demonstration of relevance.  The court refused to go further, and require that a subpoena be issued by a grand jury only upon demonstration of probable cause (the standard necessary to issue a warrant).

This decision shows the difference in privacy rights that is developing between state constitutions and the U.S. constitution.  Federal courts have routinely held that there is no Constitutionally based expectation of privacy in IP addresses, while state courts are increasingly interpreting their constitutions the opposite way.   Like many similar state vs. Federal issues, these different interpretations are ironic since most state constitutions are based on the Federal constitution.  However state courts have a long history of interpreting their constitutions differently than the U.S. constitution.

For hosts, this decision reinforces the need to require some sort of service of process prior to disclosing information about your customers.  It’s important to note that the ISP in this case, Comcast, was not a party to the suit, and not held to be liable for its response to the defective subpoena.  However, what this case does illustrate is the growing body of law supporting customer’s expectation of privacy in information generated by their use of technology.

From a micro perspective, hosts should always require that any request for customer information be part of a judicial proceeding, or otherwise authorized by law.  From a macro perspective, it should cause those who are interested in commercializing this information to be careful in how customer information is used.  The line between a host’s ownership of information generated by customer’s use of its technology, and a customer’s expectation of privacy, becomes thinner with every decision in this area.

 

In Fair Housing Council v. Roomates.com, the U.S. Court of Appeals for the 9^th Circuit has further clarified the meaning of the term “publisher or speaker” or the “conduit immunity” status of Internet businesses.  In this case, Roomates.com was alleged to have created a questionnaire that collected information that is prohibited under state and federal fair housing laws.  Roomates.com argued that it qualified for conduit immunity under the Communications Decency Act since it was merely an interactive computer service, rather than a publisher or speaker, who would be liable for the content of information they published (or spoke).  Fair Housing Council argued that Roomates.com fell outside of this category, and was a publisher, of the discriminatory questionnaire, since it developed the questionnaire.  The court agreed with the Fair Housing Council.

The court determined that Roomates.com created the questions and choice of answers used in the questionnaire, and as a result, under the CDA was a publisher of the questionnaire, and not a mere conduit through which the questionnaire was distributed.  The court focused on the creation and development of the questionnaire as the key activity that moved Roomates.com from a conduit to a publisher.  By selecting the questions to be asked, and by actually developing the questionnaire itself, Roomates.com became a publisher.  The court further reasoned that the CDA does not provide immunity for an entity that facilitates a violation of the law by actively soliciting and classifying the information that forms the violation of the law.

What does this mean for hosts?  One of the statements in the opinion is very important for hosts to remember:  hosts can be both a conduit and a publisher under the CDA.  So in the Roomates.com example, unguided postings merely disseminated by Roomates.com would be within the conduit exception.  Developing a method for classifying these ads, and displaying them, in a manner that violated fair housing laws, made Roomates.com a publisher for claims made based on that activity. 

This is an important distinction for hosts to remember.  The fact that you are a host does not automatically grant you conduit status under the CDA.  Rather, it is the activities in which you are engaged that create the circumstances according to which CDA status is accorded. 

As Liam noted in his blog, I’m at Webhostingday.  This is my first hosting event outside the U.S.  As the title above suggests  - the question I’m getting the most is “why are you here?” or with a bit more meat:  “what use are you to hosts and other internet infrastructure providers who are outside of the U.S.?”

Sidestepping the jurisdictional issues (I’m a member of the bars of the District of Columbia and State of New Mexico), this question goes to the fundamental issue facing all hosts, and the Internet in general:  who’s law applies?

Let me answer that in a typical lawyer fashion:  it depends.  Let’s say I’m representing a company in Ohio.  They have a disgruntled customer in Maine.  I’m going to argue that Ohio law applies, since that’s where my client is based.  Let’s say there’s the same set of facts, however the customer in Maine has money in a bank we’re trying to get.  I’m going to argue that Maine law applies.  U.S. law supports both arguments, particularly in the business to consumer context.

In the international context, the arguments are relatively similar, except it’s much more difficult to get courts of one nation to apply the laws of another.  This is VERY true of U.S. courts, who will almost never apply the laws of a foreign jurisdiction, or, for that matter, even cede that a foreign court may have come to a more reasonable decision.

However the Internet is global, and my clients, and the attendees at Webhostingday, have clients all over the world.  So, to make the example above more complicated, how does a datacenter in Cologne leasing space to my client in Ohio, deal with my client’s problem customer in Maine?

The answer that applies 75% of the time is by using a common contract.  In the hosting industry, along with many other Internet industries, a consensus has developed about what is, and what isn’t, acceptable in contracts.  Except in their extreme forms, most hosting contracts (at least those that I’ve written) can be distilled down to very basic principles.  These principles have wide application in almost every country that has accepted the principle of doing business by contract.  By creating contracts that hew to these principles, it is much more likely that they will be enforced by courts from the U.S. to Uruguay.

So what about the other 25%.  The other 25% tends to involve issues, such as privacy, reseller and redistribution rights, and price floors, on which many countries disagree.  As companies move up the value chain, and create more varied products and services, their ability to sell over the internet with a standard contract that applies to all customers regardless of country, decreases.  In that case, typically my clients will engage me to prepare a standard contract, and we’ll work with attorneys in targeted countries, or geographic areas, to create a specific contract.

So that, I think, is the general answer to “what can you do for non-U.S.” hosts.  As to other reasons why I’m here:  I’ve done several transactions in the past year where, thanks to the weak dollar, my clients were either acquiring a company in the U.S., or being acquired by a company in the E.U.;  I have clients in the E.U. who have encouraged me to come; and finally, to Liam’s point in a recent blog entry, I’ve always wanted to ride roller coasters as much as I desired without waiting in line.  Just don’t tell my daughter.