MediaTech Law

By MIRSKY & COMPANY, PLLC

The Weird World of Open Source Software Licenses

I like to think that somewhere in America, at this very moment, a college kid has just agreed without reservation to accept five bucks from his friend to drink an entire bottle of hot sauce. Non-lawyers are often surprised to learn that, public policy concerns aside, such an agreement contains all the elements necessary to create a legally binding contract: Offer, acceptance and consideration.

Part of a lawyer’s job is to identify relevant legal issues lurking beneath factual scenarios. Issue spotting can be frustratingly difficult, however, because, as the absurd hot sauce agreement illustrates, the law is often counterintuitive. Counter-intuitions abound in the weird world of open source license agreements. License agreements have become commonplace in our tech-saturated lives. If you’re not sure what they are, jog your memory to the last time you downloaded an app for your laptop or smartphone. Remember being asked to read and agree to an endless list of terms and conditions? That contract that you “read” and agreed to was almost certainly an end user license agreement to use the app for a specific purpose.

Over the past twenty years or so, several copyright licensing movements have gained traction. In general, these new types of licenses challenge traditional notions of copyright protection by granting licensees the right to modify the original copyrighted material for future use free of charge so long as certain promises are kept and/or conditions are met.

One well-known movement is the Open Source Initiative, which reviews and approves open source software (OSS) licenses. OSS licenses typically provide licensees with the right to access the source code of the original software program (hence “open” source) and create new software programs subject to the terms of the license.

Read More

Legal Issues in Ad Tech: Who Owns Marketing Performance Data?

Does a marketer own data related to performance of its own marketing campaigns? It might surprise marketers to know that data ownership isn’t automatically so. Or more broadly, who does own that data? A data rights clause in contracts with DSPs or agencies might state something like this:

“Client owns and retains all right, title and interest (including without limitation all intellectual property rights) in and to Client Data”,

… where “Client Data” is defined as “Client’s data files”. Or this:

“As between the Parties, Advertiser retains and shall have sole and exclusive ownership and Intellectual Property Rights in the … Performance Data”,

… where “Performance Data” means “campaign data related to the delivery and tracking of Advertiser’s digital advertising”.

Both clauses are vague, although the second is broader and more favorable to the marketer. In neither case are “data files” or “campaign data” defined with any particularity, and neither case includes any delivery obligation much less specifications for formatting, reporting or performance analytics. And even if data were provided by a vendor or agency, these other questions remain: What kind of data would be provided, how would it be provided, and how useful would the data be if it were provided?

Read More

Legal Issues in Ad Tech: Anonymized and De-Identified Data

Recently, in reviewing a contract with a demand-side platform (DSP), I came across this typical language in a “Data Ownership” section:

“All Performance Data shall be considered Confidential Information of Advertiser, provided that [VENDOR] may use such Performance Data … to create anonymized aggregated data, industry reports, and/or statistics (“Aggregated Data”) for its own commercial purposes, provided that Aggregated Data will not contain any information that identifies the Advertiser or any of its customers and does not contain the Confidential Information of the Advertiser or any intellectual property of the Advertiser or its customers.” (emphasis added).

I was curious what makes data “anonymized”, and I was even more curious whether the term was casually and improperly used. I’ve seen the same language alternately used substituting “de-identified” for “anonymized”. Looking into this opened a can of worms ….

What are Anonymized and De-Identified Data – and Are They the Same?

Here’s how Gregory Nelson described it in his casually titled “Practical Implications of Sharing Data: A Primer on Data Privacy, Anonymization, and De-Identification”:

“De-identification of data refers to the process of removing or obscuring any personally identifiable information from individual records in a way that minimizes the risk of unintended disclosure of the identity of individuals and information about them. Anonymization of data refers to the process of data de-identification that produces data where individual records cannot be linked back to an original as they do not include the required translation variables to do so.” (emphasis added)

Or in other words, both methods have the same purpose and both methods technically remove personally identifiable information (PII) from the data set. But while de-identified data can be re-identified, anonymized data cannot be re-identified. To use a simple example, if a column from an Excel spreadsheet containing Social Security numbers is removed from a dataset and discarded, the data would be “anonymized”.

But first … what aspects or portions of data must be removed in order to either de-identify or anonymize a set?

But What Makes Data “De-Identified” or “Anonymous” in the First Place?

Daniel Solove has written that, under the European Union’s Data Directive 95/46/EC, “Even if the data alone cannot be linked to a specific individual, if it is reasonably possible to use the data in combination with other information to identify a person, then the data is PII.” This makes things complicated in a hurry. After all, in the above example where Social Security numbers are removed, remaining columns might include normally non-PII information such as zip codes or gender (male or female). But the Harvard researchers Olivia Angiuli, Joe Blitzstein, and Jim Waldo show how even these 3 data points in an otherwise “de-identified” data set (i.e. “medical data” in the image below) can be used to re-identify individuals when combined with an outside data source that shares these same points (i.e. “voter list” in the image below):

Data Sets Overlap Chart

(Source: How to De-Identify Your Data, by Olivia Angiuli, Joe Blitzstein, and Jim Waldo, http://queue.acm.org/detail.cfm?id=2838930)

That helps explain the Advocate General opinion recently issued in the European Union Court of Justice (ECJ), finding that dynamic IP addresses can, under certain circumstances, be “personal data” under the European Union’s Data Directive 95/46/EC. The case involves interpretation of the same point made by Daniel Solove cited above, namely discerning the “personal data” definition, including this formulation in Recital 26 of the Directive:

“(26) … whereas, to determine whether a person is identifiable, account should be taken of all the means likely reasonably to be used either by the controller or by any other person to identify the said person …”

There was inconsistency among the EU countries on the level of pro-activity required by a data controller in order to render an IP address “personal data”.   So, for example, the United Kingdom’s definition of “personal data”: “data which relate to a living individual who can be identified – (a) from those data, or (b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller” (emphasis added). Not so in Germany and, according to a White & Case report on the ECJ case, not so according to the Advocate General, whose position was that “the mere possibility that such a request [for further identifying information] could be made is sufficient.”

Which then circles things back to the question at the top, namely: Are Anonymized and De-Identified Data the Same? They are not the same. That part is easy to say. The harder part is determining which is which, especially with the ease of re-identifying presumably scrubbed data sets. More on this topic shortly.

Read More

Free Legal Documents!! (Sure, Why Not?)

Why would lawyers give away legal documents for free? Or better yet, why wouldn’t they do it? Daniel Doktori offered some good answers to these questions when he wrote recently in TechCrunch about Big Law’s answer to the Open Data movement.

But what’s most remarkable about the big lawyer giveaway – get there early, get your legal docs, we’re opening this year at 6pm on Thanksgiving Night! – may be how unremarkable it really is.

Doktori writes of law firms’ “mimic[ing] their small clients’ ‘freemium’ business development model”, suggesting that giving away free stuff is simply a way to get clients in the door where they (hopefully) will become paying clients. Perhaps. But it seems unlikely that a cash-strapped startup will hire a $700 per hour firm of attorneys simply because that firm gave away a generic founders’ subscription agreement. And with so many law firms offering the exact same documents – Doktori cites his own firm’s service as well and those of Cooley LLP and Orrick, Herrington & Sutcliffe LLP – there’s not much here to really differentiate the value of these documents in the first place. Not to mention the various non-law firm startups getting into the same game, including Founders’ Workbench (mentioned by Doktori) and low-cost services from Rocket Lawyer and others.

Read More

Contract Offers: You Receive an Offer, and You Propose Changes to the Offer. What Then?

Here’s an interesting question (at least interesting to me): When does a response to an offer constitute a counteroffer?  And if it does constitute a counteroffer, so what?  Does that counteroffer make the agreement binding or is it simply a rejection of the original offer?  In other words, is the counteroffer simply an offer for an entirely new contract?

This comes up frequently in employment situations, where for example a company might offer a severance package to an employee, and the employee might respond by asking for more money or other different terms.  Obviously, if the employee outright rejects the employer’s offer, that’s an easy case where the offer is dead.  But often that’s not what happens.  Instead, what often happens is that the employer offers a month or so of severance compensation, and the employee responds by asking for health care coverage as well.  Or asks for a letter of reference, or a mutual agreement of non-disparagement.  Or, for another couple of months of pay.

Read More