MediaTech Law

By M STREET LEGAL

The Weird World of Open Source Software Licenses

I like to think that somewhere in America, at this very moment, a college kid has just agreed without reservation to accept five bucks from his friend to drink an entire bottle of hot sauce. Non-lawyers are often surprised to learn that, public policy concerns aside, such an agreement contains all the elements necessary to create a legally binding contract: Offer, acceptance and consideration.

Part of a lawyer’s job is to identify relevant legal issues lurking beneath factual scenarios. Issue spotting can be frustratingly difficult, however, because, as the absurd hot sauce agreement illustrates, the law is often counterintuitive. Counter-intuitions abound in the weird world of open source license agreements. License agreements have become commonplace in our tech-saturated lives. If you’re not sure what they are, jog your memory to the last time you downloaded an app for your laptop or smartphone. Remember being asked to read and agree to an endless list of terms and conditions? That contract that you “read” and agreed to was almost certainly an end user license agreement to use the app for a specific purpose.

Over the past twenty years or so, several copyright licensing movements have gained traction. In general, these new types of licenses challenge traditional notions of copyright protection by granting licensees the right to modify the original copyrighted material for future use free of charge so long as certain promises are kept and/or conditions are met.

One well-known movement is the Open Source Initiative, which reviews and approves open source software (OSS) licenses. OSS licenses typically provide licensees with the right to access the source code of the original software program (hence “open” source) and create new software programs subject to the terms of the license.

Read More

Legal Considerations of Agile Development

An interesting change has occurred across software development projects over the past several years, which has seen the practice of Agile software development overtake that of the traditional Waterfall model. Rooted in the 2001 Agile Manifesto, Agile development favors greater interaction between technical and business teams, resulting in a more fluid development lifecycle. That is in comparison to the Waterfall approach, which operates on the basis of clear defined stages and objective within the project.

In the past, with a Waterfall approach, a software development project would be scoped out in full, with every detail and eventuality planned out, and with a completion date identified. So when asked “When is the project launching?”, a project manager or stakeholder would confidently reply with a set date, possibly months or years into the future.

With Agile development, the understanding is that not every detail can be mapped out, and requirements may change as the project advances. Agile allows for shifting of goals and deliverables as requirements shift during the development lifecycle. For that reason, work is done in small increments – referred to as sprints – with each sprint resulting in some working piece of code or “minimum viable product” (MVP). So when asked “When is the project launching?”, a project manager or stakeholder will likely not have a firm date, and instead reply “We expect a working version of this piece of the project by the end of the next two-week sprint.”

Read More

The Growing Problem of Ad Fraud and the Recent Methbot Attack

Fraud, particularly using “bots,” is increasingly threatening the effectiveness of online advertising and arguably calling into question the long-term viability of the industry. According to a recent study reported on by AdWeek, fraud from “bots” was projected to cost brands $7.2 billion in 2016, up from the $6.3 billion in 2015. Basically, “bots” are applications that perform automated tasks. While they can be used for legitimate purposes, in cases of ad fraud bots can “create millions upon millions of ad impressions that are seen by no one but often get charged to marketers as a viewed promotion.”

A recent article in AdWeek discussed some of the common ad fraud schemes. In one, called the “The Phony Traffic Broker,” writer Christopher Heine explained:

• A company wants to increase traffic to its site and goes to a traffic broker site that’s actually run by a fraudster, who promises volumes of highly qualified users;
• The fraudster deploys “bots” to simulate human traffic to the site; and
• The site’s views soar, advertisers pay the company for the increased traffic, and the fraudster gets paid for being the broker.

Read More

New DMCA Agent Registration Requirements: Action Required by all Online Service Providers

Providers of online services (including websites and apps that enable users to post content) must register an agent with the United States Copyright Office by December 31, 2017 using the Office’s new online system, which went into effect in December 2016. Those who don’t register risk losing valuable liability protections under Section 512 of the Digital Millennial Copyright Act (DMCA). Service providers can click here to begin the registration process and the Copyright Office has created a number of videos to guide users.

Service providers with agent information on file under the old, paper system must re-submit the information through the online portal. The agent information must be updated as it changes and the registration must be renewed or updated at least once every three years. There also is a new fee structure: $6 registration fee per designation of an agent.

As background, Section 512 of the DMCA provides a safe harbor from copyright infringement liability to online service providers, primarily to protect online services from situations involving copyright infringement arising from content posted by third party users. In order to qualify, a service provider must designate an agent to receive take-down notices from copyright holders who believe their rights have been infringed. In addition to posting the agent information online, the service provider is required to provide its agent’s information to the Copyright Office. Previously, agent information was provided to the Copyright Office on a paper form that was later scanned and posted online by the staff, but concerns arose regarding cost and whether this information was being properly updated.

While the Copyright Office reported that comments it received during the rulemaking proceeding demonstrated “widespread support for the creation of an electronic registration system,” that is only part of the story.

There are many benefits to the Copyright Office’s new online system (and some of the changes may be long overdue). As noted by Brandon Huffman, filing online will generally be easier and cheaper. However, some have criticized the new rules because of requirements that: (i) all service providers who previously registered through the paper system re-register via the new online system and (ii) all registrations must be renewed every three years (unless they were updated during that three-year period). A currently compliant service provider that does nothing risks losing its existing safe harbor protections.   So, for example, Elliot Harmon of the Electronic Frontier Foundation noted that large online service providers, such as YouTube and Facebook, will not have a problem complying, but “small companies, small nonprofits, and activist groups” with few resources are more likely to be at risk of losing their safe labor protections for non-compliance. Eric Goldman has been particularly critical of these requirements, going so far as to write that “This story has been like watching a train wreck in slow motion.” Professor Goldman suggests that the Copyright Office’s efforts to inform service providers about lapsed registrations could inadvertently help litigious copyright owners:

To ‘help’ service providers, the Copyright Office says they can reinstate lapsed registrations by paying the fee. But the Copyright Office will publicly display the periods when the registration lapsed, giving a useful roadmap to copyright owners who can easily just sue for the lapsed time period. So the public disclosure of the lapsed period will make a super ‘SUE HERE’ flag for litigious copyright owners, helpfully provided as a public “service” by the Copyright Office.

In the end, all online service providers need to take notice – and action.

Read More

Apple Touts Differential Privacy, Privacy Wonks Remain Skeptic, Google Joins In

(Originally published January 19, 2017, updated July 24, 2017)

Apple has traditionally distinguished itself from its rivals, like Google and Facebook, by emphasizing its respect of user privacy. It has taken deliberate steps to avoid vacuuming up all of its users’ data, providing encryption at the device level as well as during data transmission. It has done so, however, at the cost of foregoing the benefits that pervasive data collection and analysis have to offer. Such benefits include improving on the growing and popular on-demand search and recommendation services, like Google Now and Microsoft’s Cortana and Amazon’s Echo. Like Apple’s Siri technology, these services act as a digital assistant, providing responses to search requests and making recommendations. Now Apple, pushing to remain competitive in this line of its business, is taking a new approach to privacy, in the form of differential privacy (DP).

Announced in June 2016 during Apple’s Worldwide Developers’ Conference in San Francisco, DP is, as Craig Federighi, senior vice president of software engineering, stated “a research topic in the area of statistics and data analytics that uses hashing, subsampling and noise injection to enable … crowdsourced learning while keeping the data of individual users completely private.” More simply put, DP is the statistical science of attempting to learn as much as possible about a group while learning as little as possible about any individual in it.

Read More

We’ve Updated our Terms of Use!

Why are they sending me this information, and what am I supposed to do with it? You’ve just received an email like the one below from Uber, or from one of your various subscription services, credit card companies, banks, ISPs or any of a zillion different web applications:

SUBJECT: We’ve Updated our Terms of Use

Hi Andrew, we’ve been able to bring Uber to more than 400 cities in 72 countries. And that’s in just a little over 6 years. In light of that growth and some changes to our services, we’ve made some updates to our US Terms of Use

They have your attention. You sit up alert in your chair, you rub your eyes and read on. The company then sometimes offers a summary of the changes, often in as cheery and euphemistic a way as possible, with statements like “We revised our arbitration agreement which explains how legal disputes are handled”, or “We have updated our Terms of Use regarding the ways in which we may contact you.” All, no doubt, good things.

Turns out, noone actually reads these updates. That last sentence is not meant as sarcasm. The non-partisan Stanley Roper Polling Organization actually published a study that concluded “Noone actually reads these updates.” Editor’s Note: There is no such organization and there was no such study. Evidently. Although Andrea Peterson reports in The Washington Post about a 2008 study (about privacy policies) that concluded “it would take a staggering 244 hours a year for the average American to read the privacy policies of every site they visit over the course of a year.”

Read More

Copyright, Fair Use, and the Kissing Picture: Storms v. New England Sports Network, Inc.

Recently, a photojournalist, Michael Storms, filed an intriguing lawsuit in the U.S. District Court for the Southern District of New York against a website that published photographs taken by Mr. Storm without his permission and without paying Mr. Storms a licensing fee. The photos were of New York Mets pitcher Matt Harvey kissing Victoria Secret model Adriana Lima at a restaurant in Miami, not long after Ms. Lima broke up with New England Patriots wide receiver Julian Edelman. The pictures were posted on the website of the New England Sports Network (NESN). (The case is Storms v. New England Sports Network, Inc.)

On its face, the complaint is relatively short and generic, but it will be interesting to see the defendant’s reply, whether the network argues that its use of the photos constitutes permissible “fair use,” and the potential effect of the court’s decision on copyright law as a whole.

Under the U.S. Copyright Act, 17 U.S.C. §§ 101 et seq., the “fair use of a copyrighted work, including . . . for purposes such as . . . news reporting . . . is not an infringement of copyright.” While there is no strict formula for how a court determines “fair use”, the Copyright Act (17 U.S. Code § 107) requires consideration of 4 factors:

  1. the purpose and character of the use, including whether such use is of a commercial nature or is for nonprofit educational purposes;
  2. the nature of the copyrighted work;
  3. the amount and substantiality of the portion used in relation to the copyrighted work as a whole; and
  4. the effect of the use upon the potential market for or value of the copyrighted work.
Read More

Legal Issues in Ad Tech: De-Identified vs. Anonymized in a World of Big Data

In the booming world of Big Data, consumers, governments, and even companies are rightfully concerned about the protection and security of their data and how to keep one’s personal and potentially embarrassing details of life from falling into nefarious hands.   At the same time, most would recognize that Big Data can serve a valuable purpose, such as being used for lifesaving medical research and to improve commercial products. A question therefore at the center of this discussion is how, and if, data can be effectively “de-identified” or even “anonymized” to limit privacy concerns – and if the distinction between the two terms is more theoretical than practical. (As I mentioned in a prior post, “de-identified” data is data that has the possibility to be re-identified; while, at least in theory, anonymized data cannot be re-identified.)

Privacy of health data is particularly important and so the U.S. Health Insurance Portability and Accountability Act (HIPPA) includes strict rules on the use and disclosure of protected health information. These privacy constraints do not apply if the health data has been de-identified – either through a safe harbor-blessed process that removes 18 key identifiers or through a formal determination by a qualified expert, in either case presumably because these mechanisms are seen as a reasonable way to make it difficult to re-identify the data.

Read More

Blogs and Writings We Like

This week we highlight 3 writers discussing timely subjects in media tech law: Sandy Botkin writing about zombie cookies and targeted advertising, Geoffrey Fowler writing about the new world of phishing and “phishermen” (yes, that’s a thing), and Justin Giovannettone and Christina Von der Ahe writing about nonsolicitation agreements and social media law.

FTC vs Turn, Inc.: Zombie Hunters

Sandy Botkin, writing on TaxBot Blog, reports amusingly on the FTC’s December 2016 settlement with digital advertising data provider Turn, Inc., stemming from an enforcement action against Turn for violating Turn’s own consumer privacy policy. Botkin used the analogy of a human zombie attack to illustrate the effect of actions Turn took to end-run around user actions to block targeted advertising on websites and apps.

According to the FTC in its complaint, Turn’s participation in Verizon Wireless’ tracking header program – attaching unique IDs to all unencrypted mobile internet traffic for Verizon subscribers – enabled turn to re-associate the Verizon subscriber with his or her use history. By so doing, according to Botkin, this further enabled Turn to “recreate[] cookies that consumers had previously deleted.” Or better yet: “Put another way, even when people used the tech equivalent of kerosene and machetes [to thwart zombies], Turn created zombies out of consumers’ deleted cookies.”

What we like: We like Botkin’s zombie analogy, although not because we like zombies. We don’t. Like. Zombies. But we do think it’s a clever explanatory tool for an otherwise arcane issue.

*            *            *

Your Biggest Online Security Risk Is You

Geoffrey Fowler writes in The Wall Street Journal (here ($), with an even fuller version of the story available here via Dow Jones Newswires) about the latest in the world of phishing, that large category of online scams that, one way or another, has the common goals of accessing your data, your money or your life, or someone else’s who might be accessed through your unsuspecting gateway.

“If you’re sure you already know all about them, think again. Those grammatically challenged emails from overseas ‘pharmacies’ and Nigerian ‘princes’ are yesterday’s news. They’ve been replaced by techniques so insidious, they could leave any of us feeling like a sucker.”

Oren Falkowitz of Area 1 Security told Fowler that about 97% of all cyberattacks start with phishing. Phishing is a big deal.

Fowler writes of the constantly increasing sophistication of “phishermen” – yes, that’s a term – weakening the effectiveness of old common-sense precautions:

In the past, typos, odd graphics or weird email addresses gave away phishing messages, but now, it’s fairly easy for evildoers to spoof an email address or copy a design perfectly. Another old giveaway was the misfit web address at the top of your browser, along with the lack of a secure lock icon. But now, phishing campaigns sometimes run on secure websites, and confuse things with really long addresses, says James Pleger, security director at RiskIQ, which tracked 58 million phishing incidents in 2016.

What we like: Fowler is helpful with advice about newer precautions, including keeping web browser security features updated and employing 2-factor authentication wherever possible. We also like his admission of his own past victim-hood to phishing, via a malware attack. He’s not overly cheery about the prospects of stopping the bad guys, but he does give confidence to people willing to take a few extra regular precautions.

*            *            *

Don’t Friend My Friends: Nonsolicitation Agreements Should Account for Social Media Strategies

This is an employment story about former employees who signed agreements with their former employers restricting their solicitations of customers of their former employers. In the traditional nonsolicitation context, it wasn’t that hard to tell when a former employee went about trying to poach his or her former company’s business. Things have become trickier in the age of social media, when “friend”-ing, “like”-ing, or “following” a contact on Facebook, Twitter, Instagram or LinkedIn might or might not suggest nefarious related behavior.

Justin Giovannettone and Christina Von der Ahe of Orrick’s “Trade Secrets Watch” survey a nice representative handful of recent cases from federal and state courts on just such questions.

In one case, the former employee – now working for a competitor of his former employer – remained linked via LinkedIn with connections he made while at his former company. His subsequent action in inviting his contacts to “check out” his new employer’s updated website drew a lawsuit for violating his nonsolicitation. For various reasons, the lawsuit failed, but of most interest was Giovannettone and Von der Ahe’s comment that “The court also noted that the former employer did not request or require the former employee to “unlink” with its customers after he left and, in fact, did not discuss his LinkedIn account with him at all.”

What we like: Giovannettone and Von der Ahe point out the inconsistencies in court opinions on this subject and, therefore, smartly recognize the takeaway for employers, namely to be specific about what’s expected of former employees. That may seem obvious, but for me it was surprising to learn that an employer could potentially – and enforceably – prevent a former employee from “friend”-ing on Facebook.

Read More

“Do Not Track” and Cookies – European Commission Proposes New ePrivacy Regulations

The European Commission recently proposed new regulations that will align privacy rules for electronic communications with the much-anticipated General Data Protection Regulation (GDPR) (the GDPR was fully adopted in May 2016 and goes into effect in May 2018). Referred to as the Regulation on Privacy and Electronic Communications or “ePrivacy” regulation, these final additions to the EU’s new data protection framework make a number of important changes, including expanding privacy protections to over-the-top applications (like WhatsApp and Skype), requiring consent before metadata can be processed, and providing additional restrictions on SPAM. But the provisions relating to “cookies” and tracking of consumers online activity are particularly interesting and applicable to a wide-range of companies.

Cookies are small data files stored on a user’s computer or mobile device by a web browser. The files help websites remember information about the user and track a user’s online activity. Under the EU’s current ePrivacy Directive, a company must get a user’s specific consent before a cookie can be stored and accessed. While well-intentioned, this provision has caused frustration and resulted in consumers facing frequent pop-up windows (requesting consent) as they surf the Internet.

Read More

Circuits Weigh-in on PII Under the VPPA

The Video Privacy Protection Act (VPPA) was enacted in 1988 in response to Robert Bork’s Supreme Court confirmation hearings before the Senate judiciary committee, during which his family’s video rental history was used to great effect and in excoriating detail. This was the age of brick-and-mortar video rental stores, well before the age of instant video streaming and on-demand content. Nonetheless, VPPA compliance is an important component to any privacy and data security programs of online video-content providers, websites that host streaming videos and others that are in the business of facilitating consumers viewing streaming video.

Judicial application of the VPPA to online content has produced inconsistent results, including how the statute’s definition of personally-identifiable information (PII)—the disclosure of which triggers VPPA-liability—has been interpreted. Under the VPPA, PII “includes information which identifies a person as having requested or obtained specific video materials or services from a video tape service provider.” 18 U.S.C. § 3710(a)(3). Courts and commentators alike have noted that this definition is vague particularly when applied to new technological situations, as it describes what counts as PII rather than providing an absolute definition. Specifically in the streaming video context, the dispute of the PII definition typically turns on whether a static identifier, like an internet protocol (IP) address or other similar identifier uniquely assigned to consumers, counts as PII under the VPPA.

Read More

Blogs and Writings We Like

This week we highlight 3 fine writers discussing timely subjects in media tech law: Beverly Berman writing about website terms of service and fair use, Leonard Gordon writing about “astroturfing” in advertising law, and John Buchanan and Dustin Cho writing about a gaping coverage gap with cybersecurity insurance.

Hot Topic: Fake News

Beverly Berneman’s timely post, “Hot Topic: Fake News” blog post (on the “IP News For Business” blog of Chicago firm Golan Christie Taglia), offers a simple cautionary tale about publishing your copyrighted artwork on the internet, or in this case publishing on a website (DeviantArt) promoting the works of visual artists. One such artist’s posting subsequently appeared for sale, unauthorized, on t-shirts promoted on the website of another company (Hot Topic). The aggrieved artist then sought recourse from DeviantArt. Berneman (like DeviantArt) pointed to DeviantArt’s terms of use, which prohibited downloading or using artwork for commercial purposes without permission from the copyright owner – leaving the artist with no claim against DeviantArt.

Berneman correctly highlights the need to read website terms of use before publishing your artwork on third party sites, especially if you expect that website to enforce piracy by other parties. Berneman also dismisses arguments about fair use made by some commentators about this case, adding “If Hot Topic used the fan art without the artist’s permission and for commercial purposes, it was not fair use.”

What we like: We like Berneman’s concise and spot-on guidance about the need to read website terms of use and, of course, when fair use is not “fair”. Plus her witty tie-in to “fake news”.

*            *            *

NY AG Keeps up the Pressure on Astroturfing

Leonard Gordon, writing in Venable’s “All About Advertising Law” blog, offered a nice write-up of several recent settlements of “Astroturfing” enforcement actions by New York State’s Attorney General. First, what is Astroturfing? Gordon defines it as “the posting of fake reviews”, although blogger Sharyl Attkisson put it more vividly: “What’s most successful when it appears to be something it’s not? Astroturf. As in fake grassroots.” (And for the partisan spin on this, Attkisson follows that up with her personal conclusions as to who makes up the “Top 10 Astroturfers”, including “Moms Demand Action for Gun Sense in America and Everytown” and The Huffington Post. Ok now. But we digress ….)

The first case involved an urgent care provider (Medrite), which evidently contracted with freelancers and firms to write favorable reviews on sites like Yelp and Google Plus. Reviewers were not required to have been actual urgent care patients, nor were they required to disclose that they were compensated for their reviews.

The second case involved a car service (Carmel). The AG claimed that Carmel solicited favorable Yelp reviews from customers in exchange for discount cards on future use of the service. As with Medrite, reviewers were not required to disclose compensation for favorable reviews, and customers posting negative reviews were not given discount cards.

The settlements both involved monetary penalties and commitments against compensating reviewers without requiring the reviewers to disclose compensation. And in the Carmel settlement, Carmel took on affirmative obligations to educate its industry against conducting these practices.

What we like: We like Gordon’s commentary about this case, particularly its advisory conclusion: “Failure to do that could cause you to end up with a nasty case of “turf toe” from the FTC or an AG.” Very nice.

*            *            *

Insurance Coverage Issues for Cyber-Physical Risks

John Buchanan and Dustin Cho write in Covington’s Inside Privacy blog about a gaping insurance coverage gap from risks to physical property from cybersecurity attacks, as opposed to the more familiar privacy breaches. Buchanan and Cho report on a recently published report from the U.S. Government’s National Institute of Standards and Technology (NIST), helpfully titled “Systems Security Engineering Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems”. Rolls off the tongue.

The NIST report is a dense read (257 pages), and covers much more than insurance issues, in particular recommendations for improvements to system security engineering for (among other things) critical infrastructure, medical devices and hospital equipment and networked home devices (IoT or the Internet of Things).

Buchanan and Cho’s post addresses insurance issues, noting that “purchasers of cyber insurance are finding that nearly all of the available cyber insurance products expressly exclude coverage for physical bodily injury and property damage”.

What we like: Insurance is always an important and underappreciated business issue, with even less public understanding of the property and injury risks to (and coverage from) cyber damage. We like how Buchanan and Cho took the time to plow through an opaque government report to tell a simple and important story.

Read More