A recent article by The Intercept showed how US and UK intelligence agencies have been impersonating the servers of companies like Facebook. In November, Der Spiegel noted that agencies created "bogus versions" of sites like Slashdot and LinkedIn to plant malware in targets' machines. "We are not happy that our intellectual property is being used in that way," LinkedIn's general counsel told Wired when asked about the techniques.

If whole-cloth copies of websites were used by competitors or scammers, they'd be—at a minimum—buried in lawsuits. But what, if anything, can companies do against government agencies about such impersonations? Turns out, there are avenues available to those who may be bold enough to use them.

"Passing off"

The best course of action for companies subject to impersonation by government snoops that utilized their graphical assets and logos would probably be through federal trademark law, as set forth in the Lanham Act. Unlike copyright infringement suits filed against the government, there are few procedural hurdles to filing a trademark suit, explained Jed Wakefield, an IP lawyer at Fenwick & West.

Copyright claims brought against the government must be filed in the US Court of Federal Claims, and the subject matter in question must have previously been registered with the Copyright Office—something companies don't typically do for their Web interfaces.

In contrast, under the Lanham Act, the government is expressly liable. The law clearly states, "As used in this paragraph, the term ‘any person’ includes the United States, all agencies and instrumentalities thereof, and all individuals, firms, corporations, or other persons acting for the United States and with the authorization and consent of the United States."

As a result, the creation of absolute replicas of a website or other graphical interface using a federally registered mark would violate basic trademark principles. "The Lanham Act prohibits using someone else’s source identifiers to deceive people," said Wakefield. "I don’t think anyone would believe that the government would be able to compete with a business by using its trademarks."

Even if something was merely added to an already existing company website, like a form to provide personal information that would route back to the government rather than the company, the government could be liable under a “passing off” tort theory under the Lanham Act. Under such a theory, an individual is prohibited from misrepresenting another’s goods or services as being his or her own. Hypothetically speaking, "If the NSA or a contractor did not replicate the mark but caused the services to change, there could be a passing off," explained Wakefield. "There have been cases where distributors alter the formula of a product in some way that would constitute passing off."

Wakefield explained that in most of these scenarios, the goal would be injunctive relief—that is, a court order getting the government to stop its behavior—rather than money damages.

Traditionally under trademark law, monetary damages are calculated as the profits gained by the infringer, which are presumed to be equal to the damages suffered by the trademark owner. This metric wouldn't be applicable in cases of government snooping, so the best available remedy in such a scenario would be a court order that the government simply stop the practice.

Technology versus law

It's unlikely that any technology company would currently be willing to challenge the government's actions in court, but you never know. If revelations about corporate impersonation continue, companies might find such claims more desirable to litigate, if only to prevent the government from pulling off such conduct in the future.

Whether companies decide to pursue legal avenues or not, they would be wise to take technological precautions to prevent unnecessary snooping. While legal action can get political and public attention, there's little question that technological measures move faster.

For example, last year, Facebook activated HTTPS encryption, which Facebook spokesman Jay Nancarrow said should make malicious impersonation more difficult for snoops to circumvent in the future. Similarly, in 2010, Google made HTTPS encryption the default setting in Gmail, and last week it announced, "Gmail will always use an encrypted HTTPS connection when you check or send e-mail." In retrospect, Facebook and Google seem to have been behind the curve in not automatically activating HTTPS encryption for all users sooner than they did. Using end-to-end encryption not only helps keep out government snoops, it also protects against private phishing scams or other more straightforward security breaches.