MediaTech Law

By MIRSKY & COMPANY, PLLC

Legal Considerations of Agile Development

An interesting change has occurred across software development projects over the past several years, which has seen the practice of Agile software development overtake that of the traditional Waterfall model. Rooted in the 2001 Agile Manifesto, Agile development favors greater interaction between technical and business teams, resulting in a more fluid development lifecycle. That is in comparison to the Waterfall approach, which operates on the basis of clear defined stages and objective within the project.

In the past, with a Waterfall approach, a software development project would be scoped out in full, with every detail and eventuality planned out, and with a completion date identified. So when asked “When is the project launching?”, a project manager or stakeholder would confidently reply with a set date, possibly months or years into the future.

With Agile development, the understanding is that not every detail can be mapped out, and requirements may change as the project advances. Agile allows for shifting of goals and deliverables as requirements shift during the development lifecycle. For that reason, work is done in small increments – referred to as sprints – with each sprint resulting in some working piece of code or “minimum viable product” (MVP). So when asked “When is the project launching?”, a project manager or stakeholder will likely not have a firm date, and instead reply “We expect a working version of this piece of the project by the end of the next two-week sprint.”

Read More

Apple Touts Differential Privacy, Privacy Wonks Remain Skeptic, Google Joins In

(Originally published January 19, 2017, updated July 24, 2017)

Apple has traditionally distinguished itself from its rivals, like Google and Facebook, by emphasizing its respect of user privacy. It has taken deliberate steps to avoid vacuuming up all of its users’ data, providing encryption at the device level as well as during data transmission. It has done so, however, at the cost of foregoing the benefits that pervasive data collection and analysis have to offer. Such benefits include improving on the growing and popular on-demand search and recommendation services, like Google Now and Microsoft’s Cortana and Amazon’s Echo. Like Apple’s Siri technology, these services act as a digital assistant, providing responses to search requests and making recommendations. Now Apple, pushing to remain competitive in this line of its business, is taking a new approach to privacy, in the form of differential privacy (DP).

Announced in June 2016 during Apple’s Worldwide Developers’ Conference in San Francisco, DP is, as Craig Federighi, senior vice president of software engineering, stated “a research topic in the area of statistics and data analytics that uses hashing, subsampling and noise injection to enable … crowdsourced learning while keeping the data of individual users completely private.” More simply put, DP is the statistical science of attempting to learn as much as possible about a group while learning as little as possible about any individual in it.

Read More

Federal Judge Tosses Stingray Evidence

In a first, a federal judge ruled that evidence found through the use of a stingray device is inadmissible. Reuters reports on the case, United States v. Raymond Lambis, which involved a man targeted in a US Drug Enforcement Administration (DEA) investigation. The DEA used a stingray, a surveillance tool used to reveal a phone’s location, to identify Raymond Lambis’ apartment as the most likely location of a cell phone identified during a drug trafficking probe. Upon searching the apartment, the DEA discovered a kilogram of cocaine.

According to ArsTechnica, the DEA sought a warrant seeking location information and cell-site data for a particular 646 area code phone number. The warrant was based on communications obtained from a wiretap order that suggested illegal drug activity. With the information provided by the cell-site location, the DEA was able to determine the general vicinity of the targeted cell phone, which pointed to the intersection of Broadway and 177th streets in Manhattan. The DEA then used a stingray device, which mimics a cell phone tower and forces cell phones in the area to transmit “pings” back to the device. This enabled law enforcement to pinpoint a particular phone’s location.

Read More

Protecting Children’s Privacy in the Age of Siri, Echo, Google and Cortana

“OK Google”, “Hey Cortana”, “Siri…”, “Alexa,…”

These statements are more and more common as artificial intelligence (AI) becomes mainstream. They serve as the default statements that kick off the myriad of services offered by Google, Microsoft, Apple and Amazon respectively, and are at the heart of the explosion of voice-activated search and services now available through computers, phones, watches, and stand-alone devices. Once activated, these devices record the statements being made and digitally process and analyze them in the cloud. The service then returns the search results to the device in the form of answers, helpful suggestions, or an array of other responses.

A recent investigation by the UK’s Guardian newspaper, however, claims these devices likely run afoul of the U.S. Children’s Online Privacy Protection Act (COPPA), which regulates the collection and use of personal information from anyone younger than 13. If true, the companies behind these services could face multimillion-dollar fines.

COPPA details, in part, responsibilities of an operator to protect children’s online privacy and safety, and when and how to seek verifiable consent from a parent or guardian. COPPA also includes restrictions on marketing to children under the age of 13. The purpose of COPPA is to provide protection to children when they are online or interacting with internet-enabled devices, and to prevent the rampant collection of their sensitive personal data and information. The Federal Trade Commission (FTC) is the agency tasked with monitoring and enforcing COPPA, and encourages industry self-regulation.

The Guardian investigation states that voice-enabled devices like the Amazon Echo, Google Home and Apple’s Siri are recording and storing data provided by children interacting with the devices in their homes. While the investigation concluded that these devices are likely collecting information of family members under the age of 13, it avoids conclusion as to whether it can be proven that these services primarily target children under the age of 13 as their audience – a key determining factor for COPPA. Furthermore, according to the FTC’s own COPPA FAQ page, even if a child provides personal information to a general audience online service, so long as the service has no actual knowledge that the particular individual is a child, COPPA is not triggered.

While the details of COPPA will need to be refined and re-defined in the era of always-on digital assistants and AI, the Guardian’s claim that the FTC will crack down harshly on offenders is not likely to happen, and the potential large fines are unlikely to materialize. Rather, what will likely occur is the FTC will provide guidance and recommendations to such services, allowing them to modify their practices and stay within the bounds of the law, so long as they’re acting in good faith. For example, services like Amazon, Apple and Google could update their services to request on installation the age and number of individuals in the home, paired with an update to the terms of service requesting parental permission for the use of data provided by children under 13. For children outside of the immediate family who access the device, the services can claim they lacked actual knowledge a child interacted with the service, again satisfying COPPA’s requirements.

Read More

Deceptive Software: Breaking Down VW’s Emissions Cheating Code Scandal

Introduction

After a university study uncovered code designed to cheat emissions testing standards, Volkswagen Inc. (VW) has been on the defensive, admitting wrongdoing and bracing for the onslaught of regulatory fines, class actions suits, and major repairs and recalls.

The code at the heart of the controversy places the car in one of two operating modes. When the car appears to be driving under conditions simulating an emissions test, the “cheat code” is enabled, delivering proficient emissions results and better gas mileage. When driving conditions denote real-world driving, cheat mode is disabled, delivering increased power and torque, but decreasing gas mileage and outputting a level of emissions 40 times greater than the legal limit as regulated by the Environmental Protection Agency (EPA).

Discovering the Cheat Code

Researchers at West Virginia University uncovered the higher emissions during a study funded by the International Council on Clean Transportation, a nonprofit with offices in the U.S. and Europe, to test the emissions of diesel vehicles while driving. Traditionally, emissions testing occurred in a stationary location by placing the front-wheels of a car on a rolling treadmill while the rear wheels remained static. Emissions that escaped through the tail pipe were then collected and measured. The WVU researchers took the tests to the open road by creating a mobile testing rig. Sensors attached to the tailpipe captured the emissions and fed the data to testing equipment stored in the trunk and backseat of the cars. The test results captured the greater emissions and lower fuel efficiency since the cheat code was disabled on open road conditions. Upon discovering the discrepancies and conducting multiple follow up tests, WVU contacted the EPA and the California Air Resources Board, who conducted their own tests and issued a citation to VW.

Read More

Appellate Court Upholds FTC’s Authority to Fine and Regulate Companies Shirking Cybersecurity

In a case determining the scope of the Federal Trade Commission’s (FTC) ability to govern data security, the 3rd U.S. Circuit Court of Appeals in Philadelphia upheld a 2014 ruling allowing the FTC to pursue a lawsuit against Wyndham Worldwide Corp. for failing to protect customer information after three data breaches that occurred in 2008 and 2009. The theft of credit card and personal details from over 600,000 consumers resulted in $10.6 million in fraudulent charges and the transfer of consumer account information to a website registered in Russia.

In 2012, the FTC sued Wyndham, which brands include Days Inn, Howard Johnson, Ramada, Super 8 and Travelodge. The basis of the claim stated that Wyndham’s conduct was an unfair practice and its privacy policy deceptive. The suit further alleged the company “engaged in unfair cybersecurity practices that unreasonably and unnecessarily exposed consumers’ personal data to unauthorized access and theft.”

The appellate court’s decision is of importance because it declares the FTC has the authority to regulate cybersecurity under the unfairness doctrine within §45 of the FTC Act. This doctrine allows the FTC to declare a business practice unfair if it is oppressive or harmful to consumers even though the practice is not an antitrust violation. Under this decision, the FTC has the authority to level civil penalties against companies convicted of engaging in unfair practices.

What exactly did Wyndham do to possibly merit the claim of unfair practices?

According to the FTC’s original complaint, the company:

  • allowed for the storing of payment card information in clear readable text;
  • allowed for the use of easily guessed password to access property management systems;
  • failed to use commonly available security measures, like firewalls, to limit access between hotel property management systems, corporate networks and the internet; and
  • failed to adequately restrict and measure unauthorized access to its network.

Furthermore, the FTC alleged the company’s privacy policy was deceptive, stating:

“a company does not act equitably when it publishes a privacy policy to attract customers who are concerned about data privacy, fails to make good on that promise by investing inadequate resources in cybersecurity, exposes its unsuspecting customers to substantial financial injury, and retains the profits of the business.”

Wyndham requested the suit be dismissed arguing the FTC did not have the authority to regulate cybersecurity. The appellate court found otherwise, however, stating that Wyndham failed to show that its alleged conduct fell outside the plain meaning of unfair.

The appellate court’s ruling highlights the need for companies to take special care in crafting a privacy policy to ensure it reflects the company’s cybersecurity standards and practices. This includes staying up-to-date on the latest best practices, and being familiar with the ever-changing industry standard security practices, including encryption and firewalls.

Read More

Delayed Results of Google’s “Mobilegeddon” Show Small Sites Suffer on Mobile

On April 21st online behemoth Google altered its search engine algorithm to favor websites it considered mobile-friendly. This change, dubbed “Mobilegeddon” by web developers and search engine optimization (SEO) specialists, sought to reward sites that used responsive design and other mobile-friendly practices to ensure sites display well on smartphones and other mobile devices. Conversely, sites that were not mobile friendly would ultimately be penalized by ranking lower on mobile search results.

At the time, it was unclear just how large of an impact this change would have on companies’ appearance in organic mobile search results. A recent report by Adobe Digital Index, however, shows that the impact has indeed been substantial. The report determined that traffic to non-mobile-friendly sites from Google mobile searches fell more than 10% in the two months after the change, with the impact growing weekly since April. This means that non-mobile-friendly sites have dropped sharply in mobile search rankings, while mobile-friendly sites have risen in rankings, showing up higher on the mobile search results page. This change has had the greatest impact on small businesses that likely underestimated the value of mobile search traffic, and also affected financial services and law firms.

In a recent article in the Wall Street Journal, Adobe analyst, Tamara Gaffney, found that companies which were unprepared for the impact on search results have tried to offset the decrease in organic traffic by buying mobile search-ads from Google. This tactic served to keep mobile users visiting their sites through paid ads. Substituting paid results for organic results may work in the short term but is usually not a sound long-term approach. A sustainable long term online add strategy over time usually consists of a balanced approach between building brand and consumer trust through organic search, and strategically supplementing that with paid ads.

What is a company adversely affected by Mobilegeddon to do?

One obvious course of action for a site that has suffered from Mobilegeddon is to become mobile friendly. This means putting in place a responsive theme, and implementing best practices that aid in mobile user experience. This includes using larger easier-to-read text and separating links to make them easier to tap on a smaller screen. Those who are unsure of how their site fares according to Google can use the company’s Mobile Friendly Test Tool to see what recommendations may be made to improve the mobile user’s experience.

With mobile search queries outpacing desktop, Google is sending a clear message that it is willing to reward sites that provide a good mobile experience, and businesses that fail to heed that message will suffer in the search rankings.

Read More

License Plate Numbers: a valuable data-point in big-data retention

What can you get from a license plate number?

At first glance, a person’s license plate number may not be considered that valuable a piece of information. When tied to a formal Motor Vehicle Administration (MVA) request it can yield the owner’s name, address, type of vehicle, vehicle identification number, and any lienholders associated with the vehicle. While this does reveal some sensitive information, such as a likely home address, there are generally easier ways to go about gathering that information. Furthermore, states have made efforts to protect such data, revealing owner information only to law enforcement officials or certified private investigators. The increasing use of Automated License Plate Readers (ALPRs), however, is proving to reveal a treasure trove of historical location information that is being used by law enforcement and private companies alike. Also, unlike historical MVA data, policies and regulations surrounding ALPRs are in their infancy and provide much lesser safeguards for protecting personal information.

ALPR – what is it?

Consisting of either a stationary or mobile-mounted camera, ALPRs use pattern recognition software to scan up to 1,800 license plates per minute, recording the time, date and location a particular car was encountered.

Read More

PII at the Center of RadioShack Bankruptcy Auction and Mediation

A recent New York Times article highlights the disconnect between a company’s privacy policy and the disclosure of user data when the company is sold. According to the Times, while a company, like Hulu, declares that it “respects your privacy”, should the company go up for sale, user names, birth dates, email addresses and unique subscriber information can be made available to the highest bidder. Often it is this very information that can be of most value to a struggling or defunct company. This very issue played out recently with the bankruptcy of RadioShack, the electronics retail store founded in 1921, and the recent sale of its brand.

The now-bankrupt RadioShack reached a mediated agreement with U.S. states on May 14th over the sale of customer data, which barred the transfer of personal customer information; limited the number of emails to be included in the sale; and provided opt-out mechanisms to customers prior to transfer.

New York-based Standard General purchased 1,750 RadioShack stores and trademark and intellectual property, out of bankruptcy. The sale included personal customer information provided by customers to RadioShack over many years, including email addresses, postal addresses and phone numbers.

Read More

Real World Implications of Cyber Warfare

Introduction

Amid all of the publicity and media attention of the December cyberattack on Sony Pictures Entertainment, a cyber-intrusion on a German steel mill received comparably scant notice. Unlike the Sony hack, however, it highlighted an important and disturbing trend in cyber warfare. Detailed in a German government report released in December, the hacking of the German steel mill signified the second confirmed instance in which a wholly digital attack resulted in the physical destruction of equipment. By initially gaining access to the plant’s business network, the intruders were able to successfully make their way to the production network and access the controls of the plant’s equipment. They were able to control the system to such a degree that a blast furnace could not be properly shut down, resulting in “massive” damage.

According to Wired’s coverage of the incident, much information about the attack is not detailed in the report, including the name of the steel mill, exactly when it happened, and how long the hackers were in the network before the destruction occurred. The report does relay that the hackers apparently had advanced knowledge, not only of conventional IT security, but of the applied industrial controls and the mill’s production processes.

The incident highlights what is possible with the increasingly prevalent networked nature of physical real-world systems, from critical infrastructure networks like electric grids and water treatment systems, to simple and increasingly networked household and personal items in the growing Internet-of-Things (IoT).

Read More

A Simple Takeaway from the Recent Sony Hack

The hack of Sony Pictures Entertainment placed Sony Entertainment Pictures in the spotlight for the last two months of 2015, highlighting the company’s lax security protocols and placing international focus on the recently released James Franco/Seth Rogan comedy “The Interview”. For the uninitiated, a group calling themselves the “Guardians of Peace” (with the unfortunate acronym “GOP”) hacked into the Sony’s computer systems, gaining unauthorized access to a treasure trove of sensitive data, including: social security numbers of over 47,000 celebrities, freelancers, and Sony employees; several unreleased movie titles that were later released to file-sharing websites; and corporate files including email correspondence, film budgets and passport/visa information for movie casts and crew. The data breach appeared to be supported by North Korea, which denied responsibility. While the United States National Security Agency directly blamed North Korea for the attack, other industry insiders claim North Korea had nothing to do with the attack.

Read More

Ubergate: Year-end troubles persist for the popular rideshare company

The rideshare and taxi service Uber has had a very public and turbulent end to 2014. From privacy abuse allegations and Congressional scrutiny, to public protests and all-out bans in certain countries, the San Francisco-based, mobile-app-focused company has managed to retain its valuation of $40 billion. The company, which provides its service in 45 countries and over 200 cities, ran into trouble after a Buzzfeed report detailed November 14th remarks by the company’s Senior Vice President Emil Micahel who spoke of his desire to dig up dirt on the personal lives of journalists critical of the company. In particular was the intent to spread the personal details of one Sarah Lacey, editor of the Silicon Valley website PandoDaily. The Buzzfeed report also detailed the examination of private travel records of a reporter by an Uber executive. The combination of the aggressively toned nature of the comments and the willingness of the company to access user’s personal data gave rise to the November trending hashtag #Ubergate.

Read More