MediaTech Law

By MIRSKY & COMPANY, PLLC

Do We Need to Appoint a (GDPR) Data Protection Officer?

Does your organization need to appoint a “Data Protection Officer”? Articles 37-39 of the EU’s General Data Protection Regulation (GDPR) require certain organizations that process personal data of EU citizens to appoint a Data Protection Officer (DPO) to record their data processing activities. Doing so is a lot more than perfunctory – you can’t just say, “Steve, our HR Director, you’re now our DPO. Congratulations!” The qualifications for the job are significant, and the organizational impact of having a DPO is extensive. You may be better off avoiding appointing a DPO if you don’t have to, while if you do have to, the failure to do so can expose your organization to serious enforcement penalties.


The Growing Problem of Ad Fraud and the Recent Methbot Attack

Fraud, particularly using “bots,” is increasingly threatening the effectiveness of online advertising and arguably calling into question the long-term viability of the industry. According to a recent study reported on by AdWeek, fraud from “bots” was projected to cost brands $7.2 billion in 2016, up from the $6.3 billion in 2015. Basically, “bots” are applications that perform automated tasks. While they can be used for legitimate purposes, in cases of ad fraud bots can “create millions upon millions of ad impressions that are seen by no one but often get charged to marketers as a viewed promotion.”

A recent article in AdWeek discussed some of the common ad fraud schemes. In one, called “The Phony Traffic Broker,” writer Christopher Heine explained:

• A company wants to increase traffic to its site and goes to a traffic broker site that’s actually run by a fraudster, who promises volumes of highly qualified users;
• The fraudster deploys “bots” to simulate human traffic to the site; and
• The site’s views soar, advertisers pay the company for the increased traffic, and the fraudster gets paid for being the broker.


Legal Issues in Ad Tech: De-Identified vs. Anonymized in a World of Big Data

In the booming world of Big Data, consumers, governments, and even companies are rightfully concerned about the protection and security of their data and how to keep one’s personal and potentially embarrassing details of life from falling into nefarious hands.   At the same time, most would recognize that Big Data can serve a valuable purpose, such as being used for lifesaving medical research and to improve commercial products. A question therefore at the center of this discussion is how, and if, data can be effectively “de-identified” or even “anonymized” to limit privacy concerns – and if the distinction between the two terms is more theoretical than practical. (As I mentioned in a prior post, “de-identified” data is data that has the possibility to be re-identified; while, at least in theory, anonymized data cannot be re-identified.)

Privacy of health data is particularly important and so the U.S. Health Insurance Portability and Accountability Act (HIPAA) includes strict rules on the use and disclosure of protected health information. These privacy constraints do not apply if the health data has been de-identified – either through a safe harbor-blessed process that removes 18 key identifiers or through a formal determination by a qualified expert, in either case presumably because these mechanisms are seen as a reasonable way to make it difficult to re-identify the data.


Blogs and Writings We Like

This week we highlight 3 writers discussing timely subjects in media tech law: Sandy Botkin writing about zombie cookies and targeted advertising, Geoffrey Fowler writing about the new world of phishing and “phishermen” (yes, that’s a thing), and Justin Giovannettone and Christina Von der Ahe writing about nonsolicitation agreements and social media law.

FTC vs Turn, Inc.: Zombie Hunters

Sandy Botkin, writing on TaxBot Blog, reports amusingly on the FTC’s December 2016 settlement with digital advertising data provider Turn, Inc., stemming from an enforcement action against Turn for violating Turn’s own consumer privacy policy. Botkin used the analogy of a human zombie attack to illustrate the effect of actions Turn took to end-run around user actions to block targeted advertising on websites and apps.

According to the FTC in its complaint, Turn’s participation in Verizon Wireless’ tracking header program – attaching unique IDs to all unencrypted mobile internet traffic for Verizon subscribers – enabled Turn to re-associate the Verizon subscriber with his or her use history. By so doing, according to Botkin, this further enabled Turn to “recreate[] cookies that consumers had previously deleted.” Or better yet: “Put another way, even when people used the tech equivalent of kerosene and machetes [to thwart zombies], Turn created zombies out of consumers’ deleted cookies.”

What we like: We like Botkin’s zombie analogy, although not because we like zombies. We don’t. Like. Zombies. But we do think it’s a clever explanatory tool for an otherwise arcane issue.

*            *            *

Your Biggest Online Security Risk Is You

Geoffrey Fowler writes in The Wall Street Journal (here ($), with an even fuller version of the story available here via Dow Jones Newswires) about the latest in the world of phishing, that large category of online scams that, one way or another, has the common goals of accessing your data, your money or your life, or someone else’s who might be accessed through your unsuspecting gateway.

“If you’re sure you already know all about them, think again. Those grammatically challenged emails from overseas ‘pharmacies’ and Nigerian ‘princes’ are yesterday’s news. They’ve been replaced by techniques so insidious, they could leave any of us feeling like a sucker.”

Oren Falkowitz of Area 1 Security told Fowler that about 97% of all cyberattacks start with phishing. Phishing is a big deal.

Fowler writes of the constantly increasing sophistication of “phishermen” – yes, that’s a term – weakening the effectiveness of old common-sense precautions:

In the past, typos, odd graphics or weird email addresses gave away phishing messages, but now, it’s fairly easy for evildoers to spoof an email address or copy a design perfectly. Another old giveaway was the misfit web address at the top of your browser, along with the lack of a secure lock icon. But now, phishing campaigns sometimes run on secure websites, and confuse things with really long addresses, says James Pleger, security director at RiskIQ, which tracked 58 million phishing incidents in 2016.

What we like: Fowler is helpful with advice about newer precautions, including keeping web browser security features updated and employing 2-factor authentication wherever possible. We also like his admission of his own past victim-hood to phishing, via a malware attack. He’s not overly cheery about the prospects of stopping the bad guys, but he does give confidence to people willing to take a few extra regular precautions.

*            *            *

Don’t Friend My Friends: Nonsolicitation Agreements Should Account for Social Media Strategies

This is an employment story about former employees who signed agreements with their former employers restricting their solicitations of customers of their former employers. In the traditional nonsolicitation context, it wasn’t that hard to tell when a former employee went about trying to poach his or her former company’s business. Things have become trickier in the age of social media, when “friend”-ing, “like”-ing, or “following” a contact on Facebook, Twitter, Instagram or LinkedIn might or might not suggest nefarious related behavior.

Justin Giovannettone and Christina Von der Ahe of Orrick’s “Trade Secrets Watch” survey a nice representative handful of recent cases from federal and state courts on just such questions.

In one case, the former employee – now working for a competitor of his former employer – remained linked via LinkedIn with connections he made while at his former company. His subsequent action in inviting his contacts to “check out” his new employer’s updated website drew a lawsuit for violating his nonsolicitation. For various reasons, the lawsuit failed, but of most interest was Giovannettone and Von der Ahe’s comment that “The court also noted that the former employer did not request or require the former employee to “unlink” with its customers after he left and, in fact, did not discuss his LinkedIn account with him at all.”

What we like: Giovannettone and Von der Ahe point out the inconsistencies in court opinions on this subject and, therefore, smartly recognize the takeaway for employers, namely to be specific about what’s expected of former employees. That may seem obvious, but for me it was surprising to learn that an employer could potentially – and enforceably – prevent a former employee from “friend”-ing on Facebook.


Legal Issues in Ad Tech: IP Addresses Are Personal Data, Says the EU (well … sort of)

Much has been written in the past 2 weeks about the U.S. Presidential election. Time now for a diversion into the exciting world of data privacy and “personal data”. Because in the highly refined world of privacy and data security law, important news actually happened in the past few weeks. Yes, I speak breathlessly of the European Court of Justice (ECJ) decision on October 19th that IP (internet protocol) addresses are “Personal Data” for purposes of the EU Data Directive. This is bigly news (in the data privacy world, at least).

First, what the decision actually said, which leads immediately into a riveting discussion of the distinction between static and dynamic IP addresses.

The decision ruled on a case brought by a German politician named Patrick Breyer, who sought an injunction preventing a website and its owner – here, publicly available websites operated by the German government – from collecting and storing his IP address when he lawfully accessed the sites. Breyer claimed that the government’s actions were in violation of his privacy rights under the EU Directive 95/46/EC – The Data Protection Directive (Data Protection Directive). As the ECJ reported in its opinion, the government websites “register and store the IP addresses of visitors to those sites, together with the date and time when a site was accessed, with the aim of preventing cybernetic attacks and to make it possible to bring criminal proceedings.”

The case is Patrick Breyer v Bundesrepublik Deutschland, Case C-582/14, and the ECJ’s opinion was published on October 19th.


Website Policies and Terms: What You Lose if You Don’t Read Them

When was the last time you actually read the privacy policy or terms of use of your go-to social media website or your favorite app? If you’re a diligent internet user (like me), it might take you an average of 10 minutes to skim a privacy policy before clicking “ok” or “I agree.” But after you click “ok,” have you properly consented to all the ways in which your information may be used?

As consumers become more aware of how companies profit from the use of their personal information, the way a company discloses its data collection methods and obtains consent from its users becomes more important, both to the company and to users.  Some critics even advocate voluntarily paying social media sites like Facebook in exchange for more control over how their personal information is used. In other examples, courts have scrutinized whether websites can protect themselves against claims that they misused users’ information, simply because they presented a privacy policy or terms of service to a consumer, and the user clicked “ok.”

The concept of “clickable consent” has gained more attention because of the cross-promotional nature of many leading websites and mobile apps. 


Targeted Election Ads: New Frontier in Political Advertising

The next U.S. President won’t be sworn in for almost two years, but the jostling and positioning among likely candidates has already begun. When candidates consider how to reach potential voters, an increasingly sophisticated weapon in their arsenal will be targeted advertising to reach voters in-between commercial breaks of their favorite TV shows. These “addressable ads” allow advertisers – in this case political campaigns – to pay content providers, such as satellite networks, to reach specific homes. Addressable ads present a sharp departure from previous eras of political advertising that used a “shotgun approach” to appeal to as many potential voters as possible, regardless of demographics, previous political affiliation, or likelihood of voting.

Satellite television providers DirecTV and DISH Network have already embraced this technology by selling data about subscribers’ individual viewing habits to campaigns. Subscriber data are initially anonymized, but with addresses intact, and then matched to the addresses on voter-registration and canvassing databases. According to a USA Today report, once the targeted households are selected, the satellite provider sends the addressable ads to the home’s digital video recorder (DVR), and the ad airs in the next available commercial slot as part of whatever programming the customer is watching. After the ad plays, the remainder of the user’s TV show continues unaffected until the next ad slot opens.


Cookies For Sale? How Websites Obtain Permission to Track and Sell Online User Data

Have you ever wondered how websites get your permission to “install” a cookie on your computer, and then sell the data associated with it? The simple answer… when you accept their terms and conditions, you give them the keys to your data.

There is a marketplace in this country for technology companies, advertisers, media firms and other enterprises to purchase consumers’ cookie “identifiers” and their associated information, allowing those organizations to know where you are, and what you are doing, online. Almost always, this information is used solely for tracking website analytics, sign-in permissions and for other advertising purposes.  A cookie is “placed” onto a website user’s computer through the user’s browser, typically by publishers or their third party partners.  The cookie then collects information – pages that you visit, sign-in information, profile information, what you click, what purchases you make, what you read, etc.  When this data is sold (if it is sold), most of this information is not personally identifiable, but some of it can be.

In this blog, the first of a few on the topic of cookies, I will briefly explain the process of how and when websites get your permission to install cookies on users’ computers, and how they use the resulting data collected.

First of all, what is a cookie? Google has a nice working definition that we can use:

(https://support.google.com/chrome/bin/answer.py?hl=en&answer=95647&topic=14666&ctx=topic)


Copyright of “Public Facts”: Craigslist v. PadMapper (updated)

Craigslist was meant for the common good, or as founder Craig Newmark puts it, “doing well by doing good”.  At least, that has been its announced mission since it began as an email distribution among friends. Craigslist kept its mantra through its rise to Silicon Valley stardom, snubbing multi-million dollar buyout offers and fighting attempts to monetize the site along the way.

The physical layout of Craigslist hasn’t changed much over the years. Point your browser in its direction and, like an old friend, you’ll be greeted with the same underlined blue links you’ve known for years. Fans are legion, but so too are critics, who see stagnation in this comfort and some of whom have taken matters into their own hands through attempts at innovation. However, as some have already discovered, developing tools to work around (critics would say “enhance”) Craigslist’s simple functionality can invite legal response. Is an early darling of Silicon Valley showing a decidedly uglier side, or is Craigslist still simply looking out for the common good?

This past July, Craigslist filed a lawsuit in the US District Court, Northern District of California, alleging that apartment-hunting site PadMapper and its data exchange partner, 3Taps, unlawfully repurpose Craigslist postings and therefore undermine “the integrity of local Craigslist communities, ultimately harming both Craigslist and its users.”  While the complaint parallels Craigslist’s “common good” business model, 3Taps CEO Greg Kidd sees it differently. “We believe Craigslist is acting like a copyright troll,” Kidd recently told AllThingsD.  Kidd’s company provides PadMapper an API for data about Craigslist postings that 3Taps gathers via means it claims are not subject to Craigslist’s Terms of Use and that likewise do not violate Craigslist’s copyrights.

This isn’t the first time Craigslist has claimed such violations, including several now-shuttered earlier services built on top of Craigslist’s platform. In July 2010, Newmark took to Q&A site Quora to defend his company’s actions in a case similar to Padmapper’s, saying he did not take issue with sites that do not affect Craigslist’s servers. “Actually, we take issue with only services which consume a lot of bandwidth, it’s that simple,” Newmark wrote.

June 22: Craigslist sends PadMapper a cease and desist letter and blocks PadMapper from pulling CL ads (at least from doing so directly). According to CL’s complaint (filed July 20th), traffic to PadMapper immediately plummeted.

PadMapper claims not to siphon off Craigslist’s servers. Through its partnership with 3Taps, PadMapper accesses a database of Craigslist listings found and organized from search engines including Google and Bing.

July 9: PadMapper re-launches using 3Taps data.

July 20: Craigslist sues 3Taps and PadMapper. CL claims:

  • Copyright infringement (for the CL site and for CL listings)
  • Contributory copyright infringement (against 3Taps)
  • Breach of contract (TOS)
  • Trademark infringement
  • Trademark dilution
  • Unfair trade practices

Perhaps that’s why Craigslist is now requiring users to “expressly grant and assign to Craigslist all rights” to enforce the copyright. Other sites like Yelp! and Facebook only require a non-exclusive license to their users’ content. But even if courts interpret this as a legally binding transfer of copyright to Craigslist, facts, like those in classified listings, often cannot be copyrighted. Therefore, it is possible that details such as an apartment’s price, address and number of bedrooms will not be protected.

This is of course Greg Kidd’s argument. “No Terms of Use can ride roughshod over the fact that there is no copyright in facts,” Kidd says. “Padmapper’s use of exchange posting is not infringing use. It is fair use or free use … of public facts.” According to Kidd, PadMapper could just be the beginning to what could be, “a whole class of use case conflicts if this stands.” Via this interpretation, as Kidd sees it, “a [Craigslist] posting retweeted via Twitter is going to be just as problematic as one through PadMapper.”

This argument inelegantly ignores 2 obstacles under contract and copyright.

Contract

First, contract law, by virtue of the binding nature of Craigslist’s TOU as a contract. So, as Craigslist notes in its complaint:

[3Taps and Padmapper] regularly accessed the CL website and affirmatively accepted and agreed to the [TOU] to, among other things, test, design, and/or use the software that allows Defendants to provide their services.  Likewise … Defendants regularly accessed the CL website with knowledge of the [TOU] and its prohibitions against copying, aggregating, displaying, distributing, performing and derivative use of the CL website and any content posted on the CL website … and regularly access the CL website and copied, aggregated, displayed, distributed, and made derivative use of the CL website and the content posted therein.

3Taps disagrees: 3Taps cannot be bound by Craigslist’s TOU, since 3Taps never touches Craigslist’s servers to obtain the data it provides via its API.  Says Kidd:

The [CL] data in question is indexed by public search engines and is made available in the public domain.  One does not have to belong to or even go to Craigslist to find this information on the description, price, and time of availability of a posting. The information is freely available in the public domain and is a fundamental component of transparency of supply and demand and price discovery that are the foundation of free markets.

Craigslist then says that 3Taps’ argument about not directly accessing data from Craigslist is absurd:

3Taps copies all of craigslist’s content – including time stamps and unique craigslist user ID numbers – and makes it available to third parties for use in competing websites or, for whatever other purpose they wish. On information and belief, 3Taps is obtaining this content by improperly accessing craigslist’s website and “scraping” content.

Copyright – Facts and Facts

Kidd’s “public domain” argument – challenging Craigslist’s private ownership of public “facts” – has its own problems.  That’s because there are public facts and … there are public facts. For starters, what makes an apartment listing a public fact? Arguably, an apartment listing is a private piece of information uniquely created and formatted by a landlord and Craigslist: How listed, what information is listed, what pricing, etc.  Perhaps not the most highly creative of copyright subject matters protected by “original works of authorship fixed in any tangible medium of expression” US Copyright Act (Title 17 US Code), but nonetheless protected by copyright.

No, Craigslist may not be able to protect names and addresses, but it may be able to protect Craigslist’s particular presentation of those names and addresses.  And Craigslist makes this very point in its complaint, claiming that 3Taps “displays craigslist’s copyrighted content in virtually identical visual fashion to the manner in which they appear on craigslist.”

August 1: After filing its July suit, Craigslist amends its TOU, telling users they were not permitted to cross-post their sales items anywhere else on the internet:

Clicking ‘continue’ confirms that Craigslist is the exclusive licensee of this content, with the exclusive right to enforce copyrights against anyone copying, republishing, distributing, or preparing derivative works without its consent.

August 5: Craigslist instructs all general search engines to stop indexing CL postings.

August 9: CL amends its TOU – again – to remove “exclusive license” language from its TOS:

Second, Craigslist may be able to rely on copyright arguments similar to those historically made by mapmakers and telephone book publishers, where the compilation of otherwise public facts is itself copyrightable. (See, for example, Feist Publications, Inc. v. Rural Telephone Service Co., 499 US 340 (1991).)  This argument, where the unique presentation, design, layout, or formatting give a compiler a copyright edge, still gives scant protection to the component parts, but it can give viability to a legal claim of misappropriation.

Other Arguments – Trademark and Unfair Competition

Craigslist makes other legal arguments, including most notably trademark infringement and dilution claims and California state law unfair competition claims.  These are subjects beyond the scope of the present discussion, although they do seem to raise the kinds of issues that the likes of Rockefeller Plaza in New York City deals with: Once a year, every year, the plaza is closed to public access in order to allow its owners to continue to assert their private ownership.   Perhaps Craigslist, too, feels some periodic necessity to remind its users that freedom of internet use is not free.

September 24: 3Taps files answer and counterclaim against CL.  Counterclaims:

  • Antitrust
  • Unfair competition
  • Interference with economic advantage

From 3Taps’ antitrust counterclaim complaint:

3taps is not alleging that craigslist acquired its widespread monopoly power improperly – far from it; craigslist should be applauded for bringing online classifieds into the modern age and achieving its initial dominance over various U.S. markets for the “onboarding” (i.e., the process of inputting and uploading factual content on the internet) of user-generated classified ads by those seeking a personal exchange transaction for various goods and services, including apartment rentals, jobs, personal services, general goods, and other sales.

What 3taps is complaining about is how craigslist has maintained (and continues to maintain) its monopoly power in these three related markets. Certainly, craigslist has not maintained this power by competing on the merits. Indeed, for years, craigslist has espoused the classic principles of a monopolist that believed it did not need to compete: a “strategy” of “unbranding,” “demonetizing,” and “uncompeting” —the epitome of a lethargic monopolist. And why not?  As an unchallenged monopolist across these various markets, craigslist has generated revenues somewhere between $100-$300 million per year, and that’s without sinking any significant costs into research and development or innovation.

September 24: Craigslist launches its own mapping capability.

Bruce Fryer, an intern with Mirsky & Company, PLLC, contributed to this post.


Please Don’t Take My Privacy (Why Would Anybody Really Want It?)

Legal issues with privacy in social media stem from the nature of social media – an inherently communicative and open medium. A cliché is that in social media there is no expectation of privacy because the very idea of privacy is inconsistent with a “social” medium. Scott McNealy from Sun Microsystems reportedly made this point with his famous aphorism of “You have zero privacy anyway. Get over it.”

But in evidence law, there’s a rule barring assumption of facts not in evidence. In social media, by analogy: Where was it proven that we cannot find privacy in a new communications medium, even one as public as the internet and social media?

Let’s go back to basic principles. Everyone talks about how privacy has to “adapt” to a new technological paradigm. I agree that technology and custom require adaptation by a legal system steeped in common law principles with foundations from the 13th century. But I do not agree that the legal system isn’t up to the task.

All you really need to do is take a wider look at the law.

Privacy writers talk about the law of appropriation in privacy. The law of appropriation varies from state to state, though it is a fairly established aspect of privacy law.


Pinterest: Fair Use of Images, Building Communities, Fan Pages, Copyright

When using Pinterest (and Flickr and YouTube and Facebook and on and on), what copyright, fair use, trademark and other issues weigh on building communities and fan pages and social media generally?  A hypothetical “Company” has plans for its Pinterest “community”, and in particular, wonders about these situations:

  • Using Images of Identifiable People
  • Fair Use and Images
  • Trademarks: When is a “Fair Use” Argument Strongest?
  • Why Attribution and Linking to Original Sources is Important

3 introductory questions:

Question #1: Someone used to be a paid Company sponsor or spokesperson.  They are no longer.  Can the Company continue to post a photo of the old sponsor to Pinterest?  Short Answer: If the contract with the sponsor expressly permits it, yes.  Ordinarily, the contract would specify engagement for limited time, and that would prohibit rights to use images beyond the contract period.  But it really depends on what the contract says.

Question #2: Can the Company post a photo of a fan of the Company?  Short Answer: Express consent is required, either through a release or the fan’s agreement (whenever the photo is submitted) to terms of service.  Exceptions are discussed below.

Question #3: Can the Company post a photo of a Coca-Cola bottle on its Pinterest page?  Short Answer: If the use of the image does not suggest (implicitly or explicitly) endorsement or association, then yes.


Privacy: Consent to Collecting Personal Information

Gonzalo Mon writes in Mashable that “Although various bills pending in Congress would require companies to get consent before collecting certain types of information, outside of COPPA, getting consent is not a uniformly applicable legal requirement yet. Nevertheless, there are some types of information (such as location-based data) for which getting consent may be a good idea.  Moreover, it may be advisable to get consent at the point of collection when sensitive personal data is in play.”

First, what current requirements – laws, agency regulations and quasi-laws – require obtaining consent, even if not “uniformly applicable”?

1. Government Enforcement. The Federal Trade Commission’s November 2011 consent decree with Facebook requires user express consent to sharing of nonpublic user information that “materially exceeds” user’s privacy settings. The FTC was acting under its authority under Section 5 of the FTC Act against an “unfair and deceptive trade practice”, an authority the FTC has liberally used in enforcement actions involving not just claimed breaches of privacy policies but also data security cases involving managing of personal data without providing adequate security.

2. User Expectations Established by Actual Practice.  The mobile space offers some of the most progressive (and aggressive) examples of privacy rights seemingly established by practice rather than stated policy.  For example, on the PrivacyChoice blog, the CEO of PlaceIQ explained that “Apple and Android have already established user expectations about [obtaining] consent.  Location-based services in the operating system provide very precise location information, but only through a user-consent framework built-in to the OS.  This creates a baseline user expectation about consent for precise location targeting.”  (emphasis added)
