Web 2.0 and the Law

“Web 2.0” is the name for the latest generation of Internet-based technologies. Web 2.0 now provides a much improved user experience, but there are reasons to be cautious. This article discusses some of those reasons, starting with a brief history.

Almost everyone of adult age remembers the dot-com bubble burst that happened in the year 2000. The Internet was the latest hot thing that was going to change people’s lives by offering new services that had not existed before, such as buying books, music and postage on-line. Billions of dollars of investors’ money were raised for these new, hot business ventures, and the majority of these companies failed at about the same time, in the middle of 2000. Some of the dot-com companies survived the bubble burst because they had a sound business model and were able to deliver the services they had promised. eBay and Amazon are just two examples.

Certainly many things have changed in the past seven years in both the technical and legal realms that pertain directly to businesses, information technology and the Internet combined. In 2002, the Sarbanes-Oxley Act became law in response to the Enron and WorldCom disasters. This law applies to publicly traded companies in order to curtail financial fraud and protect employees’ pensions and investors’ funds. Without going into a complete dissertation on this law, a large financial burden fell upon publicly traded companies to upgrade their internal processes, procedures and IT systems in order to comply with it.

In 2004, an amendment to the FRCP, or Federal Rules of Civil Procedure, became law. Part of the new FRCP requires all companies who are defendants in U.S. courts to provide evidence of their processes for archiving and retrieving records in the event that the records are subpoenaed. In very recent history Microsoft was fined because it was unable to produce certain e-mails that were subpoenaed. Also, the FIPS, or Federal Information Processing Standards, have been updated, including standard number 140-2. This standard pertains directly to the encryption and security of digital information that is protected by any number of Federal laws such as HIPAA, the Health Insurance Portability and Accountability Act. In summary, this FIPS rule applies to all companies that store digital information regulated under any of these Federal laws and requires certification from NIST, the National Institute of Standards and Technology.

Perhaps one of the contributing factors to the 2000 dot-com failures was the fact that the Internet was a lackluster experience for its users. People who used the Internet through web browsers suffered a poor experience because the technology was based strictly on HTML, or HyperText Markup Language. With HTML only, a person at their computer and browser had to wait for the complete web page to reload and update each time they clicked on a link. This could take up to a minute or more on dial-up connections. Today the majority of web sites are still based on HTML only, but thanks to newer broadband Internet connections, the user experience has improved somewhat. However, even with a broadband connection, HTML-based web applications are still no match for the user experience of a locally installed and executed “Desktop” application such as a word processor, spreadsheet or e-mail client.

Coincidentally, at about the time of the dot-com bubble burst a new web server and web browser technology was developed, called Remote Scripting and later known as AJAX, or Asynchronous JavaScript And XML (Extensible Markup Language). AJAX greatly improves performance and the user’s experience because the AJAX technology runs on both the user’s web browser and the web server at the other end of the user’s Internet connection. The first time a user visits an AJAX-enabled web site, the web server sends a JavaScript program to the user’s web browser, and this little program runs inside the web browser. The job of the JavaScript is to handle the graphics and information in the user’s browser window, giving performance and a presentation much like a “Desktop” application. Since the JavaScript program is typically much larger than an HTML web page, the user waits longer for the first screen to appear. However, once the initial JavaScript program is loaded into the browser, any further request from the user is transmitted asynchronously, with much smaller pieces of data in XML format going to and from the web server and only the new information appearing on the user’s screen. Remember, HTML has to refresh the entire screen while AJAX only refreshes a portion of the screen. With the improved performance and capabilities of AJAX, it is now possible for a web-based application to perform with the same type of user experience as a “Desktop” application.

Since the development of the AJAX technology and other similar technologies like Flash, several new Internet buzzwords have appeared. The new hot Internet thing is now known as Web 2.0 and is based strictly on these asynchronous technologies. Part of Web 2.0 is a new business model known as SaaS, or Software-as-a-Service, also referred to as Hosted Applications. With SaaS a computer user can use Internet-based applications that are identical to conventional software applications installed and run on the user’s personal computer “Desktop”. Word processing, spreadsheets, Customer Relationship Management (CRM) and e-mail are a few examples of applications that are now available as AJAX SaaS web applications. Microsoft’s “Office Live” is perhaps one of the most useful SaaS examples. The financial justification for SaaS is that the user does not have to buy a software package (license) and maintain it. The user simply goes to a SaaS web site, enters their login credentials, and uses the software for a nominal fee. There are other aspects of Web 2.0 technologies, such as SOA or Service Oriented Architecture, for future articles.

As great and promising as Web 2.0 sounds, with the reality of serious financial benefits, there are also serious legal pitfalls. If you are a non-business user of Web 2.0 services, there should be no problems. The legal pitfall for business users of Web 2.0 stems from the fact that most SaaS applications reside on an Internet-hosted server, and so do the user’s computer files. This fact alone violates the three previously mentioned Federal laws and regulations for many businesses. If a SaaS provider is willing to send their attorneys with your attorneys to a U.S. court for the FRCP discovery phase of a lawsuit, then we only have the two other legal issues to address. That’s really going to happen now, isn’t it? If you don’t put FIPS-regulated data on a SaaS service, then that isn’t an issue, but how can your company know that it doesn’t? As for Sarbanes-Oxley compliance, are you willing to pay your accounting firm’s auditors to audit your SaaS providers? This is not going to happen either. Recently Google has acknowledged the FRCP legal issue with the use of their Gmail service, and they now offer a fee-based service that will automatically print and mail a copy of a user’s e-mails. Not many business e-mail users will be willing to archive paper copies of all their e-mails. And what about the postal service costs? This is a self-defeating reason for using SaaS e-mail.

The solution to these legal issues and other compliance issues is to use Web 2.0 services (SaaS) that execute on remote servers but store the user data on the business’s in-house servers, where it can be safeguarded and easily audited. If a SaaS provider cannot provide this functionality, then a locally installed network appliance can accomplish this task. These appliances can capture the flow of XML data between the users and the Web 2.0 providers and send it to a local database archive. Perhaps the capturing of XML data traffic could be yet another Web 2.0 service.
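As an added illustration of the in-house archive the article proposes (example code, not part of the original article or of any product it mentions), this Python sketch takes XML exchanges a capture appliance might have recorded, stores each with a hash chained to the previous record so that later alteration, deletion or reordering is detectable, and retrieves records by content. The capture tuples and element names are constructed for the example; a real appliance would obtain them from the network.

```python
import hashlib
import json
import xml.etree.ElementTree as ET

GENESIS = "0" * 64  # chain anchor for the first archived record

# Constructed sample of the XML traffic such an appliance might see between a user's
# browser and a hosted application as (direction, user, body); element names are invented.
SAMPLE_CAPTURES = [
    ("request", "alice", "<docsave><title>Q3 forecast</title><body>draft figures</body></docsave>"),
    ("response", "alice", "<ack><status>saved</status></ack>"),
    ("request", "bob", "<mailsend><to>cfo@example.com</to><subject>audit question</subject></mailsend>"),
]

def chain_hash(prev, direction, user, seq, body_sha256):
    """Bind the record's metadata and body hash to the previous chain value."""
    payload = json.dumps([prev, direction, user, seq, body_sha256])
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()

def make_record(seq, prev, direction, user, xml_text):
    """Parse the capture (malformed XML raises, so it is never archived) and hash it."""
    root = ET.fromstring(xml_text)
    body_sha256 = hashlib.sha256(xml_text.encode("utf-8")).hexdigest()
    return {"seq": seq, "direction": direction, "user": user, "kind": root.tag,
            "xml": xml_text, "body_sha256": body_sha256, "prev": prev,
            "chain": chain_hash(prev, direction, user, seq, body_sha256)}

def build_archive(captures):
    """Append each captured exchange, in order, to a new local archive."""
    archive, prev = [], GENESIS
    for seq, (direction, user, xml_text) in enumerate(captures):
        rec = make_record(seq, prev, direction, user, xml_text)
        archive.append(rec)
        prev = rec["chain"]
    return archive

def verify_archive(archive):
    """Recompute the chain; return the seq of the first altered or reordered record, -1 if intact."""
    prev = GENESIS
    for seq, rec in enumerate(archive):
        body = hashlib.sha256(rec["xml"].encode("utf-8")).hexdigest()
        if rec["chain"] != chain_hash(prev, rec["direction"], rec["user"], seq, body):
            return seq
        prev = rec["chain"]
    return -1

def search_archive(archive, needle):
    """Retrieve records whose XML text mentions the term (the retrieval half of the process)."""
    return [r for r in archive
            if any(needle.lower() in t.lower() for t in ET.fromstring(r["xml"]).itertext())]
```

Such a tap only sees the XML where the traffic is in the clear, and the archive itself then holds the regulated data, so it needs the same access controls and retention rules as the in-house servers it protects.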