MediaTech Law

By MIRSKY & COMPANY, PLLC

Blogs and Writings We Like

Posted March 21, 2017 by Andrew Mirsky 0

This week we highlight 3 fine writers discussing timely subjects in media tech law: Beverly Berman writing about website terms of service and fair use, Leonard Gordon writing about “astroturfing” in advertising law, and John Buchanan and Dustin Cho writing about a gaping coverage gap with cybersecurity insurance.

Hot Topic: Fake News

Beverly Berneman’s timely post, “Hot Topic: Fake News” blog post (on the “IP News For Business” blog of Chicago firm Golan Christie Taglia), offers a simple cautionary tale about publishing your copyrighted artwork on the internet, or in this case publishing on a website (DeviantArt) promoting the works of visual artists. One such artist’s posting subsequently appeared for sale, unauthorized, on t-shirts promoted on the website of another company (Hot Topic). The aggrieved artist then sought recourse from DeviantArt. Berneman (like DeviantArt) pointed to DeviantArt’s terms of use, which prohibited downloading or using artwork for commercial purposes without permission from the copyright owner – leaving the artist with no claim against DeviantArt.

Berneman correctly highlights the need to read website terms of use before publishing your artwork on third party sites, especially if you expect that website to enforce piracy by other parties. Berneman also dismisses arguments about fair use made by some commentators about this case, adding “If Hot Topic used the fan art without the artist’s permission and for commercial purposes, it was not fair use.”

What we like: We like Berneman’s concise and spot-on guidance about the need to read website terms of use and, of course, when fair use is not “fair”. Plus her witty tie-in to “fake news”.

*            *            *

NY AG Keeps up the Pressure on Astroturfing

Leonard Gordon, writing in Venable’s “All About Advertising Law” blog, offered a nice write-up of several recent settlements of “Astroturfing” enforcement actions by New York State’s Attorney General. First, what is Astroturfing? Gordon defines it as “the posting of fake reviews”, although blogger Sharyl Attkisson put it more vividly: “What’s most successful when it appears to be something it’s not? Astroturf. As in fake grassroots.” (And for the partisan spin on this, Attkisson follows that up with her personal conclusions as to who makes up the “Top 10 Astroturfers”, including “Moms Demand Action for Gun Sense in America and Everytown” and The Huffington Post. Ok now. But we digress ….)

The first case involved an urgent care provider (Medrite), which evidently contracted with freelancers and firms to write favorable reviews on sites like Yelp and Google Plus. Reviewers were not required to have been actual urgent care patients, nor were they required to disclose that they were compensated for their reviews.

The second case involved a car service (Carmel). The AG claimed that Carmel solicited favorable Yelp reviews from customers in exchange for discount cards on future use of the service. As with Medrite, reviewers were not required to disclose compensation for favorable reviews, and customers posting negative reviews were not given discount cards.

The settlements both involved monetary penalties and commitments against compensating reviewers without requiring the reviewers to disclose compensation. And in the Carmel settlement, Carmel took on affirmative obligations to educate its industry against conducting these practices.

What we like: We like Gordon’s commentary about this case, particularly its advisory conclusion: “Failure to do that could cause you to end up with a nasty case of “turf toe” from the FTC or an AG.” Very nice.

*            *            *

Insurance Coverage Issues for Cyber-Physical Risks

John Buchanan and Dustin Cho write in Covington’s Inside Privacy blog about a gaping insurance coverage gap from risks to physical property from cybersecurity attacks, as opposed to the more familiar privacy breaches. Buchanan and Cho report on a recently published report from the U.S. Government’s National Institute of Standards and Technology (NIST), helpfully titled “Systems Security Engineering Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems”. Rolls off the tongue.

The NIST report is a dense read (257 pages), and covers much more than insurance issues, in particular recommendations for improvements to system security engineering for (among other things) critical infrastructure, medical devices and hospital equipment and networked home devices (IoT or the Internet of Things).

Buchanan and Cho’s post addresses insurance issues, noting that “purchasers of cyber insurance are finding that nearly all of the available cyber insurance products expressly exclude coverage for physical bodily injury and property damage”.

What we like: Insurance is always an important and underappreciated business issue, with even less public understanding of the property and injury risks to (and coverage from) cyber damage. We like how Buchanan and Cho took the time to plow through an opaque government report to tell a simple and important story.

Read More

Dataveillance Protection: The E.U.-U.S. Privacy Shield

Posted December 20, 2016 by Andrew Mirsky 0

For many years, technology outpaced policy when it came to standards and protections around ownership of and access to personal data. Privacy policies are not set by governments but rather by technology companies that created the digital world as it is experienced today. Many if not all of the dominant players in this space are American technology companies that include Alphabet (i.e. Google), Apple, Amazon, Facebook and Microsoft. These companies have more say about a user’s online life than any individual local, state or national government.

Read More

Legal Issues in Ad Tech: IP Addresses Are Personal Data, Says the EU (well … sort of)

Posted November 20, 2016 by Andrew Mirsky 0

Much has been written in the past 2 weeks about the U.S. Presidential election. Time now for a diversion into the exciting world of data privacy and “personal data”. Because in the highly refined world of privacy and data security law, important news actually happened in the past few weeks. Yes, I speak breathlessly of the European Court of Justice (ECJ) decision on October 19th that IP (internet protocol) addresses are “Personal Data” for purposes of the EU Data Directive. This is bigly news (in the data privacy world, at least).

First, what the decision actually said, which leads immediately into a riveting discussion of the distinction between static and dynamic IP addresses.

The decision ruled on a case brought by a German politician named Patrick Breyer, who sought an injunction preventing a website and its owner – here, publicly available websites operated by the German government – from collecting and storing his IP address when he lawfully accessed the sites. Breyer claimed that the government’s actions were in violation of his privacy rights under the EU Directive 95/46/EC – The Data Protection Directive (Data Protection Directive). As the ECJ reported in its opinion, the government websites “register and store the IP addresses of visitors to those sites, together with the date and time when a site was accessed, with the aim of preventing cybernetic attacks and to make it possible to bring criminal proceedings.”

The case is Patrick Breyer v Bundesrepublik Deutschland, Case C-582/14, and the ECJ’s opinion was published on October 19th.

Read More

Federal Judge Tosses Stingray Evidence

Posted November 2, 2016 by Rob Ellis 0

In a first, a federal judge ruled that evidence found through the use of a stingray device is inadmissible. Reuters reports on the case, United States v. Raymond Lambis, which involved a man targeted in a US Drug Enforcement Administration (DEA) investigation. The DEA used a stingray, a surveillance tool used to reveal a phone’s location, to identify Raymond Lambis’ apartment as the most likely location of a cell phone identified during a drug trafficking probe. Upon searching the apartment, the DEA discovered a kilogram of cocaine.

According to ArsTechnica, the DEA sought a warrant seeking location information and cell-site data for a particular 646 area code phone number. The warrant was based on communications obtained from a wiretap order that suggested illegal drug activity. With the information provided by the cell-site location, the DEA was able to determine the general vicinity of the targeted cell phone, which pointed to the intersection of Broadway and 177th streets in Manhattan. The DEA then used a stingray device, which mimics a cell phone tower and forces cell phones in the area to transmit “pings” back to the device. This enabled law enforcement to pinpoint a particular phone’s location.

Read More

Private Metadata is Doublethink

Posted October 21, 2016 by Andrew Mirsky 0

It is commonly said that if you do not want digital information found, then you should not create any. A challenge however is that there is a class of digital information, called metadata, that often is not created by you but is nonetheless associated with you. While content is any information that can be published or posted online, such as tweets, photos, videos, ebooks, Facebook posts and games, to name a few, metadata is something entirely different.

At first metadata was used to help describe content. It was automatically assigned by the software or app developer to help make the content easier to sort, index and later find. Location tags for example, are a common form of metadata. When content is posted online, the location of the sender may be attached to the content. A person posting a picture of a beach to his Facebook account will reveal to his network that he is in Cabo San Lucas, Mexico and that the picture was taken two days ago at 3:30 PM.

Metadata is expressive now, meaning it reveals information about the individual’s behavior and ultimately identity, regardless of whether the individual wants to be known or the behavior identified, based on the content the individual creates, and what the individual searches or buys online. Thus a user who posts a picture of a positive pregnancy test, shops for prenatal vitamins and performs an online search for baby furniture can be inferred to be female and pregnant.

Read More

Legal Issues in Ad Tech: Who Owns Marketing Performance Data?

Posted October 11, 2016 by Andrew Mirsky 0

Does a marketer own data related to performance of its own marketing campaigns? It might surprise marketers to know that data ownership isn’t automatically so. Or more broadly, who does own that data? A data rights clause in contracts with DSPs or agencies might state something like this:

“Client owns and retains all right, title and interest (including without limitation all intellectual property rights) in and to Client Data”,

… where “Client Data” is defined as “Client’s data files”. Or this:

“As between the Parties, Advertiser retains and shall have sole and exclusive ownership and Intellectual Property Rights in the … Performance Data”,

… where “Performance Data” means “campaign data related to the delivery and tracking of Advertiser’s digital advertising”.

Both clauses are vague, although the second is broader and more favorable to the marketer. In neither case are “data files” or “campaign data” defined with any particularity, and neither case includes any delivery obligation much less specifications for formatting, reporting or performance analytics. And even if data were provided by a vendor or agency, these other questions remain: What kind of data would be provided, how would it be provided, and how useful would the data be if it were provided?

Read More

Legal Issues in Ad Tech: Anonymized and De-Identified Data

Posted September 30, 2016 by Andrew Mirsky 0

Recently, in reviewing a contract with a demand-side platform (DSP), I came across this typical language in a “Data Ownership” section:

“All Performance Data shall be considered Confidential Information of Advertiser, provided that [VENDOR] may use such Performance Data … to create anonymized aggregated data, industry reports, and/or statistics (“Aggregated Data”) for its own commercial purposes, provided that Aggregated Data will not contain any information that identifies the Advertiser or any of its customers and does not contain the Confidential Information of the Advertiser or any intellectual property of the Advertiser or its customers.” (emphasis added).

I was curious what makes data “anonymized”, and I was even more curious whether the term was casually and improperly used. I’ve seen the same language alternately used substituting “de-identified” for “anonymized”. Looking into this opened a can of worms ….

What are Anonymized and De-Identified Data – and Are They the Same?

Here’s how Gregory Nelson described it in his casually titled “Practical Implications of Sharing Data: A Primer on Data Privacy, Anonymization, and De-Identification”:

“De-identification of data refers to the process of removing or obscuring any personally identifiable information from individual records in a way that minimizes the risk of unintended disclosure of the identity of individuals and information about them. Anonymization of data refers to the process of data de-identification that produces data where individual records cannot be linked back to an original as they do not include the required translation variables to do so.” (emphasis added)

Or in other words, both methods have the same purpose and both methods technically remove personally identifiable information (PII) from the data set. But while de-identified data can be re-identified, anonymized data cannot be re-identified. To use a simple example, if a column from an Excel spreadsheet containing Social Security numbers is removed from a dataset and discarded, the data would be “anonymized”.

But first … what aspects or portions of data must be removed in order to either de-identify or anonymize a set?

But What Makes Data “De-Identified” or “Anonymous” in the First Place?

Daniel Solove has written that, under the European Union’s Data Directive 95/46/EC, “Even if the data alone cannot be linked to a specific individual, if it is reasonably possible to use the data in combination with other information to identify a person, then the data is PII.” This makes things complicated in a hurry. After all, in the above example where Social Security numbers are removed, remaining columns might include normally non-PII information such as zip codes or gender (male or female). But the Harvard researchers Olivia Angiuli, Joe Blitzstein, and Jim Waldo show how even these 3 data points in an otherwise “de-identified” data set (i.e. “medical data” in the image below) can be used to re-identify individuals when combined with an outside data source that shares these same points (i.e. “voter list” in the image below):

Data Sets Overlap Chart

(Source: How to De-Identify Your Data, by Olivia Angiuli, Joe Blitzstein, and Jim Waldo, http://queue.acm.org/detail.cfm?id=2838930)

That helps explain the Advocate General opinion recently issued in the European Union Court of Justice (ECJ), finding that dynamic IP addresses can, under certain circumstances, be “personal data” under the European Union’s Data Directive 95/46/EC. The case involves interpretation of the same point made by Daniel Solove cited above, namely discerning the “personal data” definition, including this formulation in Recital 26 of the Directive:

“(26) … whereas, to determine whether a person is identifiable, account should be taken of all the means likely reasonably to be used either by the controller or by any other person to identify the said person …”

There was inconsistency among the EU countries on the level of pro-activity required by a data controller in order to render an IP address “personal data”.   So, for example, the United Kingdom’s definition of “personal data”: “data which relate to a living individual who can be identified – (a) from those data, or (b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller” (emphasis added). Not so in Germany and, according to a White & Case report on the ECJ case, not so according to the Advocate General, whose position was that “the mere possibility that such a request [for further identifying information] could be made is sufficient.”

Which then circles things back to the question at the top, namely: Are Anonymized and De-Identified Data the Same? They are not the same. That part is easy to say. The harder part is determining which is which, especially with the ease of re-identifying presumably scrubbed data sets. More on this topic shortly.

Read More

Protecting Children’s Privacy in the Age of Siri, Echo, Google and Cortana

Posted September 26, 2016 by Rob Ellis 0

“OK Google”, “Hey Cortana”, “Siri…”, “Alexa,…”

These statements are more and more common as artificial intelligence (AI) becomes mainstream. They serve as the default statements that kick off the myriad of services offered by Google, Microsoft, Apple and Amazon respectively, and are at the heart of the explosion of voice-activated search and services now available through computers, phones, watches, and stand-alone devices. Once activated, these devices record the statements being made and digitally process and analyze them in the cloud. The service then returns the search results to the device in the form of answers, helpful suggestions, or an array of other responses.

A recent investigation by the UK’s Guardian newspaper, however, claims these devices likely run afoul of the U.S. Children’s Online Privacy Protection Act (COPPA), which regulates the collection and use of personal information from anyone younger than 13. If true, the companies behind these services could face multimillion-dollar fines.

COPPA details, in part, responsibilities of an operator to protect children’s online privacy and safety, and when and how to seek verifiable consent from a parent or guardian. COPPA also includes restrictions on marketing to children under the age of 13. The purpose of COPPA is to provide protection to children when they are online or interacting with internet-enabled devices, and to prevent the rampant collection of their sensitive personal data and information. The Federal Trade Commission (FTC) is the agency tasked with monitoring and enforcing COPPA, and encourages industry self-regulation.

The Guardian investigation states that voice-enabled devices like the Amazon Echo, Google Home and Apple’s Siri are recording and storing data provided by children interacting with the devices in their homes. While the investigation concluded that these devices are likely collecting information of family members under the age of 13, it avoids conclusion as to whether it can be proven that these services primarily target children under the age of 13 as their audience – a key determining factor for COPPA. Furthermore, according to the FTC’s own COPPA FAQ page, even if a child provides personal information to a general audience online service, so long as the service has no actual knowledge that the particular individual is a child, COPPA is not triggered.

While the details of COPPA will need to be refined and re-defined in the era of always-on digital assistants and AI, the Guardian’s claim that the FTC will crack down harshly on offenders is not likely to happen, and the potential large fines are unlikely to materialize. Rather, what will likely occur is the FTC will provide guidance and recommendations to such services, allowing them to modify their practices and stay within the bounds of the law, so long as they’re acting in good faith. For example, services like Amazon, Apple and Google could update their services to request on installation the age and number of individuals in the home, paired with an update to the terms of service requesting parental permission for the use of data provided by children under 13. For children outside of the immediate family who access the device, the services can claim they lacked actual knowledge a child interacted with the service, again satisfying COPPA’s requirements.

Read More

Appellate Court Upholds FTC’s Authority to Fine and Regulate Companies Shirking Cybersecurity

Posted November 30, 2015 by Rob Ellis 0

In a case determining the scope of the Federal Trade Commission’s (FTC) ability to govern data security, the 3rd U.S. Circuit Court of Appeals in Philadelphia upheld a 2014 ruling allowing the FTC to pursue a lawsuit against Wyndham Worldwide Corp. for failing to protect customer information after three data breaches that occurred in 2008 and 2009. The theft of credit card and personal details from over 600,000 consumers resulted in $10.6 million in fraudulent charges and the transfer of consumer account information to a website registered in Russia.

In 2012, the FTC sued Wyndham, which brands include Days Inn, Howard Johnson, Ramada, Super 8 and Travelodge. The basis of the claim stated that Wyndham’s conduct was an unfair practice and its privacy policy deceptive. The suit further alleged the company “engaged in unfair cybersecurity practices that unreasonably and unnecessarily exposed consumers’ personal data to unauthorized access and theft.”

The appellate court’s decision is of importance because it declares the FTC has the authority to regulate cybersecurity under the unfairness doctrine within §45 of the FTC Act. This doctrine allows the FTC to declare a business practice unfair if it is oppressive or harmful to consumers even though the practice is not an antitrust violation. Under this decision, the FTC has the authority to level civil penalties against companies convicted of engaging in unfair practices.

What exactly did Wyndham do to possibly merit the claim of unfair practices?

According to the FTC’s original complaint, the company:

  • allowed for the storing of payment card information in clear readable text;
  • allowed for the use of easily guessed password to access property management systems;
  • failed to use commonly available security measures, like firewalls, to limit access between hotel property management systems, corporate networks and the internet; and
  • failed to adequately restrict and measure unauthorized access to its network.

Furthermore, the FTC alleged the company’s privacy policy was deceptive, stating:

“a company does not act equitably when it publishes a privacy policy to attract customers who are concerned about data privacy, fails to make good on that promise by investing inadequate resources in cybersecurity, exposes its unsuspecting customers to substantial financial injury, and retains the profits of the business.”

Wyndham requested the suit be dismissed arguing the FTC did not have the authority to regulate cybersecurity. The appellate court found otherwise, however, stating that Wyndham failed to show that its alleged conduct fell outside the plain meaning of unfair.

The appellate court’s ruling highlights the need for companies to take special care in crafting a privacy policy to ensure it reflects the company’s cybersecurity standards and practices. This includes staying up-to-date on the latest best practices, and being familiar with the ever-changing industry standard security practices, including encryption and firewalls.

Read More

What’s Behind the Decline in Internet Privacy Litigation?

Posted September 8, 2015 by Roman Vayner 0

The number of privacy lawsuits filed against big tech companies has significantly dropped in recent years, according to a review of court filings conducted by The Recorder, a California business journal.

According to The Recorder, the period 2010-2012 saw a dramatic spike in cases filed against Google, Apple, or Facebook (as measured by filings in the Northern District of California naming one of the three as defendants). The peak year was 2012, with 30 cases filed against the three tech giants, followed by a dramatic drop-off in 2014 and 2015, with only five privacy cases filed between the two years naming one of the three as defendants. So what explains the sudden drop off in privacy lawsuits?

One theory, according to privacy litigators interviewed for The Recorder article, is that the decline reflects the difficulty in applying federal privacy statutes to prosecute modern methods of monetizing, collecting, or disclosing online data. Many privacy class action claims are based on statutes passed in the 1980s like the Electronic Communications Privacy Act (ECPA), the Stored Communications Act (SCA), both passed in 1986, and the Video Privacy Protection Act (VPPA), passed in 1988. These statutes were originally written to address specific privacy intrusions like government wire taps or disclosures of video rental history.

Read More

License Plate Numbers: a valuable data-point in big-data retention

Posted August 6, 2015 by Rob Ellis 0

What can you get from a license plate number?

At first glance, a person’s license plate number may not be considered that valuable a piece of information. When tied to a formal Motor Vehicle Administration (MVA) request it can yield the owner’s name, address, type of vehicle, vehicle identification number, and any lienholders associated with the vehicle. While this does reveal some sensitive information, such as a likely home address, there are generally easier ways to go about gathering that information. Furthermore, states have made efforts to protect such data, revealing owner information only to law enforcement officials or certified private investigators. The increasing use of Automated License Plate Readers (ALPRs), however, is proving to reveal a treasure trove of historical location information that is being used by law enforcement and private companies alike. Also, unlike historical MVA data, policies and regulations surrounding ALPRs are in their infancy and provide much lesser safeguards for protecting personal information.

ALPR – what is it?

Consisting of either a stationary or mobile-mounted camera, ALPRs use pattern recognition software to scan up to 1,800 license plates per minute, recording the time, date and location a particular car was encountered.

Read More

Website Policies and Terms: What You Lose if You Don’t Read Them

Posted July 15, 2015 by Roman Vayner 0

When was the last time you actually read the privacy policy or terms of use of your go-to social media website or you favorite app? If you’re a diligent internet user (like me), it might take you an average of 10 minutes to skim a privacy policy before clicking “ok” or “I agree.” But after you click “ok,” have you properly consented to all the ways in which your information may be used?

As consumers become more aware of how companies profit from the use of their personal information, the way a company discloses its data collection methods and obtains consent from its users becomes more important, both to the company and to users.  Some critics even advocate voluntarily paying social media sites like Facebook in exchange for more control over how their personal information is used. In other examples, courts have scrutinized whether websites can protect themselves against claims that they misused users’ information, simply because they presented a privacy policy or terms of service to a consumer, and the user clicked “ok.”

The concept of “clickable consent” has gained more attention because of the cross-promotional nature of many leading websites and mobile apps. 

Read More

Copyright 2022 Mirsky & Company, PLLC