MediaTech Law

By MIRSKY & COMPANY, PLLC

Change Your Password Every [Blank] Days!

Takeaways from Microsoft’s announcement in May that it would be “Dropping the password-expiration policies that require periodic password changes” in baseline settings for Windows 10 and Windows Server:

First: The major security problem with passwords, the biggest of the big ones, is not a failure to change passwords often enough.  Rather, it is choosing weak passwords.  Microsoft’s own reasoning was that forced periodic changes push users toward small, predictable variations of the old password, which a cracker guesses as easily as the original.  Making passwords much harder for cracking hardware (and humans, too) to guess, for example by requiring at least 11 randomly generated characters drawn from upper- and lower-case letters, symbols and numbers, is much more “real-world security” (in Microsoft’s formulation).  As Dan Goodin recently wrote in Ars Technica, “Even when users attempt to obfuscate their easy-to-remember passwords – say by adding letters or symbols to the words, or by substituting 0’s for the o’s or 1’s for L’s – hackers can use programming rules that modify the dictionary entries.”  The practical caveat is that even a strong password is of little use if it is reused across sites, since one breached site hands an attacker a candidate to try everywhere else; Microsoft’s announcement accordingly pointed to banned-password lists and multi-factor authentication as the controls that actually reduce risk.
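To make Goodin’s point concrete, here is an added example (not from the Ars Technica article, Microsoft’s announcement or this blog) of the kind of “programming rules” a password cracker applies to a dictionary.  Tools such as hashcat and John the Ripper ship rule engines that do exactly this at scale; the rules, wordlist and test passwords below are a constructed miniature.  It shows that “P@ssw0rd1!” and “Summer2019!” are a handful of guesses away from their base words, and compares the size of that rule-based search space with an 11-character random password.

```python
import itertools
import math

# Constructed miniature wordlist; real crackers use lists with millions of entries.
WORDLIST = ["password", "welcome", "summer", "dragon", "letmein"]

# Substitutions users believe disguise a word; crackers apply them as rules.
LEET = {"a": "@", "e": "3", "i": "1", "l": "1", "o": "0", "s": "$"}

# Suffixes users bolt on to satisfy complexity rules or rotation policies.
SUFFIXES = ["", "1", "123", "!", "1!", "2019", "2019!"]


def case_variants(word):
    """lower, Capitalized and UPPER forms of a word."""
    return [word.lower(), word.capitalize(), word.upper()]


def leet_variants(word):
    """Every combination of applying or not applying each substitution."""
    positions = [i for i, ch in enumerate(word) if ch.lower() in LEET]
    for mask in itertools.product((False, True), repeat=len(positions)):
        chars = list(word)
        for apply, pos in zip(mask, positions):
            if apply:
                chars[pos] = LEET[chars[pos].lower()]
        yield "".join(chars)


def mutations(word):
    """All candidates a rule-based cracker derives from one dictionary word."""
    seen = set()
    for cased in case_variants(word):
        for leet in leet_variants(cased):
            for suffix in SUFFIXES:
                candidate = leet + suffix
                if candidate not in seen:
                    seen.add(candidate)
                    yield candidate


def find_base_word(password, wordlist=WORDLIST):
    """Return the dictionary word whose mutations include `password`, else None."""
    for word in wordlist:
        if password in set(mutations(word)):
            return word
    return None


def candidate_count(wordlist=WORDLIST):
    """Total guesses needed to exhaust every mutation of every word."""
    return sum(1 for word in wordlist for _ in mutations(word))


def guess_space_bits(wordlist=WORDLIST):
    """Search space of the rule-based attack, in bits."""
    return math.log2(candidate_count(wordlist))


def random_password_bits(length=11, alphabet_size=94):
    """Search space of a uniformly random password over `alphabet_size` printable symbols."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    for pw in ["P@ssw0rd1!", "Summer2019!", "Dr@g0n", "xq7!Lm2#pW9"]:
        print(pw, "->", find_base_word(pw))
    print("rule-based search space: %.1f bits" % guess_space_bits())
    print("11-char random password: %.1f bits" % random_password_bits())
```

With five base words and a few dozen rules the whole mutated space is about a thousand guesses (roughly 10 bits), while 11 random characters from the 94 printable ASCII symbols give about 72 bits.  Adding more rules or words grows the first number linearly; adding one random character grows the second by a factor of 94.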

Read More

Equity Compensation – Stock Options vs Restricted Stock

Start-up and other fast-growing companies wishing to compensate key employees with equity typically issue either restricted stock or stock options.  These compensation tools are available to corporations (including S corporations), while variations of both types of equity are available to limited liability companies (LLCs), although with important limitations.  The following discussion of restricted stock and stock options applies to corporations only, with a separate discussion for LLCs later on.  

1. Incentive Stock Options (ISOs)

Issuable only to employees (no contractors, freelancers, vendors, etc.)

Shares acquired on exercise must not be sold within 2 years of the option grant date or within 1 year of the exercise date (IRS holding-period requirements).

Pros (for employees):

  • Not taxed upon grant, not taxed upon exercise.
  • Taxable only upon disposition of underlying stock.  Therefore, if never exercised, never taxable.
  • Tax calculated based on appreciation between exercise price and price at disposition.
  • Tax is long-term capital gain (i.e. not ordinary income).

Read More

Confusion in “Cookie”-Land: Consent Requirements for Placing Cookies under GDPR and ePrivacy Directive

Must a website get consent from a user before placing cookies in the user’s browser?  The EU’s ePrivacy Directive says that yes, consent from the user is required prior to placement of most cookies (regardless of whether the cookies track personal data).  But under the General Data Protection Regulation (GDPR), consent is only one of several “lawful bases” available to justify collection of personal data.  If cookies are viewed as “personal data” under the GDPR – specifically, the placement of cookies in a user’s browser – must a website still get consent in order to place cookies, or instead can the site rely on one of those other “lawful bases” for dropping cookies?

First, are cookies “personal data” governed by the GDPR?  Or to be more precise, do cookies that may identify individuals fall under the GDPR?  This blog says yes: “when cookies can identify an individual, it is considered personal data.  … While not all cookies are used in a way that could identify users, the majority (and the most useful ones to the website owners) are, and will therefore be subject to the GDPR.”  This blog says no: “cookie usage and its related consent acquisition are not governed by the GDPR, they are instead governed by the ePrivacy Directive.” (emphasis added)  Similarly with this blog.

Read More

Encrypted Data: Still “Personal Data” under GDPR?

An interesting question is whether encrypted personal data is still “personal data” for purposes of the European Union’s General Data Protection Regulation (GDPR), which would make processing of that data subject to the GDPR’s library of compliance obligations.  The answer turns on what encryption actually does: it is not enough simply to assert that encrypted data is “anonymized,” and it would be inaccurate to conclude on that basis alone that the data no longer relates to an “identified or identifiable natural person” within the meaning of the personal data definition.

If an organization encrypts data in its care, with the encryption thereby rendering the data no longer “identified”, is it still “identifiable”?  Maybe.  If neither identified nor identifiable, then data is no longer “personal data”.

First, what is encryption?  Josh Gresham writes on IAPP’s blog that encryption involves a party “tak[ing] data and us[ing] an ‘encryption key’ to encode it so that it appears unintelligible.  The recipient uses the encryption key to make it readable again.  The encryption key itself is a collection of algorithms that are designed to be completely unique, and without the encryption key, the data cannot be accessed.  As long as the key is well designed, the encrypted data is safe.” (emphasis added)
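Two points of terminology matter for the “identifiable” question.  In standard practice the encryption algorithm is public and only the key is secret (Kerckhoffs’s principle), so the key is a secret random value rather than a collection of algorithms; and whoever holds that key can turn the ciphertext back into the original record, which is why encrypted data is reversible for the controller even though it is unintelligible to everyone else.  The following added example (written for this page, not code from IAPP or this blog) illustrates that with a toy authenticated stream cipher built from the Python standard library, and contrasts it with two ways of “hashing out” an identifier: an unkeyed hash, which anyone can reverse by guessing candidate identifiers, and a keyed pseudonym, which only the key holder can recompute.  The record, candidate list and keys are constructed for the demonstration; production code should use a vetted AEAD such as AES-GCM or ChaCha20-Poly1305 from a library such as `cryptography`, not this toy.

```python
import hashlib
import hmac
import secrets
from typing import List, Optional, Tuple


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive keystream bytes as HMAC-SHA256(key, "enc" || nonce || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, b"enc" + block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> Tuple[bytes, bytes, bytes]:
    """Toy authenticated stream cipher (illustration only): returns (nonce, ciphertext, tag)."""
    nonce = secrets.token_bytes(16)
    stream = _keystream(key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(key, b"mac" + nonce + ciphertext, hashlib.sha256).digest()
    return nonce, ciphertext, tag


def decrypt(key: bytes, nonce: bytes, ciphertext: bytes, tag: bytes) -> Optional[bytes]:
    """Recover the plaintext; returns None if the key is wrong or the data was altered."""
    expected = hmac.new(key, b"mac" + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    stream = _keystream(key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


def unkeyed_hash(identifier: str) -> str:
    """'Anonymization' by plain hashing: there is no secret, so anyone can recompute it."""
    return hashlib.sha256(identifier.lower().encode()).hexdigest()


def keyed_pseudonym(key: bytes, identifier: str) -> str:
    """Pseudonymization with a secret key: recomputable only by the key holder."""
    return hmac.new(key, identifier.lower().encode(), hashlib.sha256).hexdigest()


def reidentify(digest: str, candidates: List[str], key: Optional[bytes] = None) -> Optional[str]:
    """Dictionary attack: hash each candidate identifier and look for a match."""
    for cand in candidates:
        trial = keyed_pseudonym(key, cand) if key is not None else unkeyed_hash(cand)
        if hmac.compare_digest(trial, digest):
            return cand
    return None


# Constructed sample data: one personal record and a short list of guessable identifiers.
RECORD = b"Jane Doe, jane.doe@example.com, DOB 1980-01-01"
CANDIDATES = ["john.smith@example.com", "jane.doe@example.com", "admin@example.com"]


def demo() -> dict:
    """Run the scenarios and return the outcomes by name."""
    key = secrets.token_bytes(32)
    wrong_key = secrets.token_bytes(32)
    nonce, ct, tag = encrypt(key, RECORD)
    subject = "jane.doe@example.com"
    return {
        "ciphertext_hides_name": b"Jane" not in ct,
        "key_holder_recovers": decrypt(key, nonce, ct, tag) == RECORD,
        "wrong_key_recovers_nothing": decrypt(wrong_key, nonce, ct, tag) is None,
        "unkeyed_hash_reversed": reidentify(unkeyed_hash(subject), CANDIDATES),
        "keyed_pseudonym_without_key": reidentify(keyed_pseudonym(key, subject), CANDIDATES),
        "keyed_pseudonym_with_key": reidentify(keyed_pseudonym(key, subject), CANDIDATES, key),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The outcomes line up with the legal question: the ciphertext is unintelligible to a party without the key, but the key holder recovers the full record, so for that party the data plainly remains identifiable.  The unkeyed hash of an e-mail address is reversed by a small guess list, which is why plain hashing is not anonymization; the keyed pseudonym resists that guess list without the key and yields to it with the key, which is the distinction between who can and cannot identify the data subject.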

Read More

Do We Need to Appoint a (GDPR) Data Protection Officer?

Does your organization need to appoint a “Data Protection Officer”?  Articles 37-39 of the EU’s General Data Protection Regulation (GDPR) require certain organizations that process personal data of individuals in the EU to appoint a Data Protection Officer (DPO) to monitor their compliance with the regulation and advise on their data processing activities.  Doing so is a lot more than perfunctory – you can’t just say, “Steve, our HR Director, you’re now our DPO.  Congratulations!”  The qualifications for the job are significant, and the organizational impact of having a DPO is extensive.  You may be better off avoiding appointing a DPO if you don’t have to, while if you do have to, the failure to do so can expose your organization to serious enforcement penalties.

Read More

Blogs and Writings we Like

This week we highlight three writers discussing timely subjects in copyright, technology, and advertising law. Susan Neuberger Weller and Anne-Marie Dao from Mintz Levin discussed a split in thought on when a copyright is officially registered for purposes of filing an infringement lawsuit; Jeffery Neuburger from Proskauer wrote an interesting article reflecting on technology-related legal issues in 2017 and looking forward to potential hot issues in 2018; and Leonard Gordon posted a piece on Venable’s All About Advertising Law Blog about cancellation methods for continuity sales offers.

When is a Copyright “Registered” for Purposes of Filing Suit?

In a recent post, Susan Neuberger Weller and Anne-Marie Dao from Mintz Levin discuss a split among Federal Courts of Appeal about when a copyright is registered. Weller and Dao note that registration of a US copyright is required prior to being able to initiate an infringement suit (or to obtain statutory damages) in federal court, but there is not an agreement on when “registration” actually occurs. Some circuit courts have found that registration happens when the application is filed, but others believe it only occurs when the Register of Copyrights actually issues the copyright registration. The article recounts a recent case in the 11th Circuit in which the court dismissed an infringement case because the copyright holder had filed the application but no action had been taken by the US Copyright Office.

The authors note that the issue could be resolved if the US Supreme Court agrees to hear an appeal by the plaintiff in the 11th Circuit case; as of April 16, 2018, however, the Supreme Court had not acted on the plaintiff’s certiorari petition.

What We Like: The article raises an important issue for copyright holders that can be critical in copyright infringement cases. In addition to raising the topic, we particularly like the authors’ summary of the various positions among the federal appeals courts about when copyright registration actually occurs. This list is a good reference for any lawyers considering whether (and maybe even where) to bring an infringement case.

***

Reflections on Technology-Related Legal Issues: Looking Back at 2017; Will 2018 Be a Quantum Leap Forward?

Jeffery Neuburger from Proskauer wrote an interesting article reflecting on technology-related legal issues in 2017 and looking forward to issues that will likely be in play in 2018. Neuburger mentions a number of things that came up in 2017 ranging from cybersecurity to privacy. He also discusses the development of blockchain (“a continuously growing list of records, called blocks, which are linked and secured using cryptography,” which is a “core component of bitcoin”) into areas beyond cryptocurrencies and poses questions about potential legal issues that may arise. In the privacy realm, Neuburger opines that “2018 also promises to be the year of Europe’s General Data Privacy Regulation” (GDPR) and notes that mobile tracking also is likely to be a hot issue in the new year.

Most interesting, Neuburger spends almost half the article talking about quantum computing. He explains that quantum computers operate on the laws of quantum mechanics and use quantum bits or “qubits” (“a qubit can store a 0, 1, or a summation of both 0 and 1”), and states that quantum computers could be up to 100 million times faster than current computers. The article further sets out four areas of legal issues related to quantum computers: (i) encryption and cryptography; (ii) blockchain; (iii) the securities industry; and (iv) military applications. Neuburger ominously notes that “quantum computers may be powerful enough (perhaps) to break the public key cryptography systems currently in use that protects secure online communications and encrypted data.”

What We Like: We’ve always looked forward to Jeff Neuburger’s commentary on new media and tech law issues, particularly his extensive recent blogging on the GDPR and other privacy issues. But we particularly liked his discussion of quantum computing, a topic not ordinarily discussed in these types of summaries and somewhat challenging for non-scientists to tackle. As is clear from Neuburger’s analysis, many aspects of the law may be affected as this technology advances.

***

Sex, Golf, and the FTC – And, of course, Continuity Sales Programs

On Venable’s All About Advertising Law Blog, Leonard Gordon discusses a recent Federal Trade Commission complaint and settlement with a lingerie online retailer related to a continuity sales promotion – “A continuity program is a company’s sales offer where a buyer/consumer is agreeing to receive merchandise or services automatically at regular intervals (often monthly), without advance notice, until they cancel.” (Gordon included a passing reference to a similar case involving golf balls, but did not provide many details – thus, the reference in the title.)

Read More

Blogs and Writings We Like

This week we highlight three writers discussing timely subjects in privacy and trademark law. Brandon Vigliarolo wrote in TechRepublic about Google’s new app privacy standards; Sarah Pearce from Cooley wrote a practical guide to the EU’s General Data Protection Regulation that includes a 6-month compliance plan; and Scott Hervey posted a piece on the IP Law Blog analyzing whether there was trademark infringement under an interesting situation involving a strain of pot.

Google’s new app privacy standards mean big changes for developers

In TechRepublic, Brandon Vigliarolo wrote about Google’s new app privacy standards that will begin on January 30, 2018. At the forefront, app developers will need to explain what data is being used, how it is used, and when it is used – and get user consent. Vigliarolo anticipates that most developers will need to make changes to their app design in order to comply with the new standards. In addition, any transmission of data (even in a crash report) has to be explained and accepted by the user. While Vigliarolo writes that it is not completely clear how Google will enforce these standards, beginning at the end of January users will be given warnings if an app (or a website leading to an app) is known by Google to collect user data without consent. Non-compliant developers could see lower ratings and less traffic.

Read More

Equifax Breach Ignites Discussions about Open Source Software

In the recent Equifax data breach, massive amounts of personal information (including the names, social security numbers, birth dates, addresses and driver’s license numbers of 145.5 million U.S. consumers) were potentially accessed by hackers. As a result, Equifax parted ways with its CEO and other executives. While Equifax has offered credit monitoring and identity theft protection to victims, the full extent of the damage still may not be known for some time.

Interestingly, the incident has sparked a discussion about the use of open source software by companies because Equifax claims the breach was caused by a vulnerability in an open source application framework called Apache Struts (the formal name of the vulnerability is CVE-2017-5638). Apache Struts is a very popular framework for building web applications and was used by Equifax as part of a web portal that allowed consumers to dispute the accuracy of credit information. The Apache Struts project had published a fix for that vulnerability in March 2017, roughly two months before the intrusion began, so the practical lesson is less about open source as such than about knowing which open source components are in production and patching them promptly. For context, the vulnerability in Apache Struts is only one of many known and widely exploited security vulnerabilities in open source projects, including among others OpenSSL Heartbleed, gSOAP Devil’s Ivy, and Shellshock (in GNU Bash).
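The “know what you run and patch it” lesson is what software composition analysis tools automate: read the dependency manifest, compare each component’s version against published advisories, and flag the ones in an affected range.  The following added example (written for this page; not Equifax’s code, not an Apache tool, and not the blog’s own) does that for a Maven `pom.xml`.  The two manifests are constructed, including their use of a `${struts.version}` property, which real builds commonly use and which a naive grep would miss.  The single advisory entry uses the affected ranges the Apache Struts project published for CVE-2017-5638 (Struts 2.3.5 through 2.3.31 and 2.5 through 2.5.10, fixed in 2.3.32 and 2.5.10.1); a real scanner would pull advisories from a feed such as the NVD rather than hard-coding them.

```python
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Constructed Maven manifests (not Equifax's): one pinned to a vulnerable Struts
# release, one to a fixed release. Versions are supplied through a property,
# as they usually are in real builds.
POM_VULNERABLE = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><struts.version>2.3.31</struts.version></properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>${struts.version}</version>
    </dependency>
    <dependency>
      <groupId>junit</groupId><artifactId>junit</artifactId><version>4.12</version>
    </dependency>
  </dependencies>
</project>"""

POM_PATCHED = POM_VULNERABLE.replace("2.3.31", "2.5.10.1")

# Affected ranges as published in the Apache Struts S2-045 advisory for
# CVE-2017-5638. A real scanner would load these from a vulnerability feed.
ADVISORIES = {
    ("org.apache.struts", "struts2-core"): [
        {"id": "CVE-2017-5638",
         "affected": [("2.3.5", "2.3.31"), ("2.5", "2.5.10")],
         "fixed_in": "2.3.32 / 2.5.10.1"},
    ],
}


def parse_version(version: str) -> Tuple[int, ...]:
    """'2.5.10.1' -> (2, 5, 10, 1); non-numeric qualifiers are ignored."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_affected(version: str, ranges: List[Tuple[str, str]]) -> bool:
    """True if `version` lies inside any inclusive [low, high] range."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in ranges)


def _local(tag: str) -> str:
    """Strip the XML namespace prefix that ElementTree attaches to tags."""
    return tag.rsplit("}", 1)[-1]


def dependencies(pom_xml: str) -> List[Tuple[str, str, str]]:
    """Return (groupId, artifactId, version) triples with ${property} references resolved."""
    root = ET.fromstring(pom_xml)
    props: Dict[str, str] = {}
    for node in root:
        if _local(node.tag) == "properties":
            props = {_local(p.tag): (p.text or "").strip() for p in node}
    deps = []
    for node in root.iter():
        if _local(node.tag) != "dependency":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in node}
        version = re.sub(r"\$\{([^}]+)\}",
                         lambda m: props.get(m.group(1), m.group(0)),
                         fields.get("version", ""))
        deps.append((fields.get("groupId", ""), fields.get("artifactId", ""), version))
    return deps


def scan(pom_xml: str, advisories=ADVISORIES) -> List[Tuple[str, str, str, str]]:
    """List (artifactId, version, advisory id, fixed_in) for each dependency in an affected range."""
    findings = []
    for group, artifact, version in dependencies(pom_xml):
        for adv in advisories.get((group, artifact), []):
            if version and is_affected(version, adv["affected"]):
                findings.append((artifact, version, adv["id"], adv["fixed_in"]))
    return findings


if __name__ == "__main__":
    for label, pom in (("vulnerable", POM_VULNERABLE), ("patched", POM_PATCHED)):
        print(label, scan(pom) or "no findings")
```

The version comparison is numeric per component, so 2.5.10.1 correctly sorts above 2.5.10 and outside the affected range.  Transitive dependencies (libraries pulled in by the ones you list) are the usual blind spot; a manifest-only check like this one should be read as a floor, not a full inventory.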

Equifax’s use of open source software is not unique. In a 2016 article in Wired, Klint Finley explained that open source can be the best way to develop software in part because it “lets companies share the burden of developing common infrastructure and compatibility standards.”

Read More

Blogs and Writings We Like

This week we highlight three writers discussing timely subjects in copyright and privacy law, as well as the on-boarding process for Software as a Service (SaaS) customers: Eric Goldman wrote in the Technology & Marketing Law Blog about the use of copyright law as a “reputation management” tool; Katie Townley and Christie Grymes Thompson posted in Ad Law Access about a request from advocacy groups that the federal Consumer Product Safety Commission (CPSC) recall the Google Home Mini smart speaker over privacy concerns; and Aleksander Gora provided useful guidance on the Webdesigner Depot website about designing effective sign-up forms.

First Circuit Rejects Copyright Workaround to Section 230 – Small Justice v. Ripoff Report

Eric Goldman published an interesting article in the Technology & Marketing Law Blog about using copyright law as a way to protect one’s reputation. In Small Justice v. Ripoff Report (which was most recently argued before the U.S. Court of Appeals for the First Circuit), the plaintiff, Richard Goren, ran a law firm called Small Justice and one of the defendants, Christian DuPont, wrote two negative reviews about Small Justice on the website Ripoff Report. Goren sued DuPont in state court for libel and intentional interference with prospective contractual relations, and the court awarded Goren a copyright over the reviews as a default judgment. Goren then asserted a copyright claim against Ripoff Report, which had published the reviews. (Interestingly, Professor Goldman questions whether the state court had the authority to award copyright ownership, but notes that the First Circuit did not address this point.)

Read More

The Growing Problem of Ad Fraud and the Recent Methbot Attack

Fraud, particularly using “bots,” is increasingly threatening the effectiveness of online advertising and arguably calling into question the long-term viability of the industry. According to a recent study reported on by AdWeek, fraud from “bots” was projected to cost brands $7.2 billion in 2016, up from $6.3 billion in 2015. Basically, “bots” are applications that perform automated tasks. While they can be used for legitimate purposes, in cases of ad fraud bots can “create millions upon millions of ad impressions that are seen by no one but often get charged to marketers as a viewed promotion.”

A recent article in AdWeek discussed some of the common ad fraud schemes. In one, called “The Phony Traffic Broker,” writer Christopher Heine explained:

• A company wants to increase traffic to its site and goes to a traffic broker site that’s actually run by a fraudster, who promises volumes of highly qualified users;
• The fraudster deploys “bots” to simulate human traffic to the site; and
• The site’s views soar, advertisers pay the company for the increased traffic, and the fraudster gets paid for being the broker.

Read More

New DMCA Agent Registration Requirements: Action Required by all Online Service Providers

Providers of online services (including websites and apps that enable users to post content) must register an agent with the United States Copyright Office by December 31, 2017 using the Office’s new online system, which went into effect in December 2016. Those who don’t register risk losing valuable liability protections under Section 512 of the Digital Millennium Copyright Act (DMCA). Service providers can begin the registration process on the Copyright Office’s website, and the Copyright Office has created a number of videos to guide users.

Service providers with agent information on file under the old, paper system must re-submit the information through the online portal. The agent information must be updated as it changes and the registration must be renewed or updated at least once every three years. There also is a new fee structure: $6 registration fee per designation of an agent.

As background, Section 512 of the DMCA provides a safe harbor from copyright infringement liability to online service providers, primarily to protect online services from situations involving copyright infringement arising from content posted by third party users. In order to qualify, a service provider must designate an agent to receive take-down notices from copyright holders who believe their rights have been infringed. In addition to posting the agent information online, the service provider is required to provide its agent’s information to the Copyright Office. Previously, agent information was provided to the Copyright Office on a paper form that was later scanned and posted online by the staff, but concerns arose regarding cost and whether this information was being properly updated.

While the Copyright Office reported that comments it received during the rulemaking proceeding demonstrated “widespread support for the creation of an electronic registration system,” that is only part of the story.

There are many benefits to the Copyright Office’s new online system (and some of the changes may be long overdue). As noted by Brandon Huffman, filing online will generally be easier and cheaper. However, some have criticized the new rules because of requirements that: (i) all service providers who previously registered through the paper system re-register via the new online system and (ii) all registrations must be renewed every three years (unless they were updated during that three-year period). A currently compliant service provider that does nothing risks losing its existing safe harbor protections. So, for example, Elliot Harmon of the Electronic Frontier Foundation noted that large online service providers, such as YouTube and Facebook, will not have a problem complying, but “small companies, small nonprofits, and activist groups” with few resources are more likely to be at risk of losing their safe harbor protections for non-compliance. Eric Goldman has been particularly critical of these requirements, going so far as to write that “This story has been like watching a train wreck in slow motion.” Professor Goldman suggests that the Copyright Office’s efforts to inform service providers about lapsed registrations could inadvertently help litigious copyright owners:

To ‘help’ service providers, the Copyright Office says they can reinstate lapsed registrations by paying the fee. But the Copyright Office will publicly display the periods when the registration lapsed, giving a useful roadmap to copyright owners who can easily just sue for the lapsed time period. So the public disclosure of the lapsed period will make a super ‘SUE HERE’ flag for litigious copyright owners, helpfully provided as a public “service” by the Copyright Office.

In the end, all online service providers need to take notice – and action.

Read More

We’ve Updated our Terms of Use!

Why are they sending me this information, and what am I supposed to do with it? You’ve just received an email like the one below from Uber, or from one of your various subscription services, credit card companies, banks, ISPs or any of a zillion different web applications:

SUBJECT: We’ve Updated our Terms of Use

Hi Andrew, we’ve been able to bring Uber to more than 400 cities in 72 countries. And that’s in just a little over 6 years. In light of that growth and some changes to our services, we’ve made some updates to our US Terms of Use

They have your attention. You sit up alert in your chair, you rub your eyes and read on. The company then sometimes offers a summary of the changes, often in as cheery and euphemistic a way as possible, with statements like “We revised our arbitration agreement which explains how legal disputes are handled”, or “We have updated our Terms of Use regarding the ways in which we may contact you.” All, no doubt, good things.

Turns out, no one actually reads these updates. That last sentence is not meant as sarcasm. The non-partisan Stanley Roper Polling Organization actually published a study that concluded “No one actually reads these updates.” Editor’s Note: There is no such organization and there was no such study. Evidently. Although Andrea Peterson reports in The Washington Post about a 2008 study (about privacy policies) that concluded “it would take a staggering 244 hours a year for the average American to read the privacy policies of every site they visit over the course of a year.”

Read More