MediaTech Law

By MIRSKY & COMPANY, PLLC

MegaUpload – Where is my Data?

A not-insignificant consequence of the federal government’s move in January to shut down the popular file-sharing site MegaUpload is that customers are blocked from being able to access their files.

First, some background. In January, the government charged that MegaUpload and its founder Kim Dotcom operated an organization dedicated to copyright infringement, or in other words operated for the purpose of a criminal enterprise.  The site provided a number of online services related to file storage and viewing, which (among other things) allowed users to download copyrighted material.  The government also claimed in its indictment that the site was also used for other criminal purposes including money laundering.

Not surprisingly, the file-sharing activities caught the unpleased eye of prominent content ownership groups

Read More

Privacy: Consent to Collecting Personal Information

Gonzalo Mon writes in Mashable that “Although various bills pending in Congress would require companies to get consent before collecting certain types of information, outside of COPPA, getting consent is not a uniformly applicable legal requirement yet. Nevertheless, there are some types of information (such as location-based data) for which getting consent may be a good idea.  Moreover, it may be advisable to get consent at the point of collection when sensitive personal data is in play.”

First, what current requirements – laws, agency regulations and quasi-laws – require obtaining consent, even if not “uniformly applicable”?

1. Government Enforcement.  The Federal Trade Commission’s November 2011 consent decree with Facebook user express consent to sharing of nonpublic user information that “materially exceeds” user’s privacy settings.  The FTC was acting under its authority under Section 5 of the FTC Act against an “unfair and deceptive trade practice”, an authority the FTC has liberally used in enforcement actions involving not just claimed breaches of privacy policies but also data security cases involving managing of personal data without providing adequate security.

2. User Expectations Established by Actual Practice.  The mobile space offers some of the most progressive (and aggressive) examples of privacy rights seemingly established by practice rather than stated policy.  For example, on the PrivacyChoice blog, the CEO of PlaceIQ explained that “Apple and Android have already established user expectations about [obtaining] consent.  Location-based services in the operating system provide very precise location information, but only through a user-consent framework built-in to the OS.  This creates a baseline user expectation about consent for precise location targeting.”  (emphasis added)

Read More

Privacy For Businesses: Any Actual Legal Obligations?

For businesses, is there an obligation in the United States to do anything more than simply have a privacy policy?  The answer is not much of an obligation at all.

Put another way, is it simply a question of disclosure – so long as a business tells users what it intends to do with their personal information, can the business pretty much do anything it wants with personal information?  This would be the privacy law equivalent of the “as long as I signal, I am allowed to cut anyone off” theory of driving.

Much high-profile enforcement (via the Federal Trade Commission and State Attorneys General) has definitely focused on breaches by businesses of their own privacy statements.  Plus, state laws in California and elsewhere either require that companies have privacy policies or require what types of disclosures must be in those policies, but again focus on disclosure rather than mandating specific substantive actions that businesses must or must not take when using personal information.

As The Economist recently noted in its Schumpeter blog, “Europeans have long relied on governments to set policies to protect their privacy on the internet.  America has taken a different tack, shunning detailed prescriptions for how companies should handle people’s data online and letting industries regulate themselves.”   This structural (or lack of structural) approach to privacy regulation in the United States can also been seen – vividly – in legal and business commentary that met Google’s recent privacy overhaul.  Despite howls of displeasure and the concerted voices of dozens of State Attorneys General, none of the complaints relied on any particular violations of law.  Rather, arguments (by the AGs) are made about consumer expectations in advance of consumer advocacy, as in “[C]onsumers may be comfortable with Google knowing their search queries but not with it knowing their whereabouts, yet the new privacy policy appears to give them no choice in the matter, further invading their privacy.”

Again, there’s little reliance on codified law because, for better or worse, there is no relevant codified law to rely upon.  Google, Twitter and Facebook have been famously the subjects of enforcement actions by the states and the Federal Trade Commission, and accordingly Google has been careful in its privacy rollout to provide extensive advance disclosures of its intentions.

As The Economist also reported, industry trade groups have stepped in with self-regulatory “best practices” for online advertising, search and data collection, as well as “do not track” initiatives including browser tools, while the Obama Administration last month announced a privacy “bill of rights” that it hopes to move in the current or, more realistically, a future Congress.

This also should not ignore common law rights of privacy invasion, such as the type of criminal charges successfully brought in New Jersey against the Rutgers student spying on his roommate.   These rights are not new and for the time being remain the main source of consumer recourse for privacy violations in the absence of meaningful contract remedies (for breaches of privacy policies) and legislative remedies targeted to online transactions.

More to come on this topic shortly.

Read More

Citizen Journalism: Vetting Quality Via Lessons from Gaming

Unlike traditional newsroom journalists, “citizen journalists” have no formal way to ensure that everyone maintains similar quality standards.  Which does not mean that quality standards are necessarily (or consistently) maintained at traditional newsrooms, but rather that a traditional hierarchical editorial structure imposes at least theoretical guidelines.

By definition, citizen journalism’s inherent difference from the traditional editorial process is the dispersion of responsibility for editorial choice.  Nonetheless, “trustiness” in journalism is a concept still heavily dependent on a reporter’s or editor’s reputation.  Is the New York Times trusted because it’s trustworthy?  Or is it trustworthy because it’s trusted?

The “Generated By Users” journalism blog recently reported the results of its reader poll, “Do you TRUST user generated content in news?”

Read More

Dropbox TOS – In Praise of Clarity

Earlier this month, Dropbox spawned a new kerfuffle in internet-land with changes to its Terms of Service (TOS).

The outrage was fast and furious.  A nice deal of blog and Tumblr and other commentary zeroed in on changes Dropbox announced to its TOS before the 4th of July holiday, and in particular how this or that provision “won’t hold up in court”.  See for example J. Daniel Sawyer’s commentary here.

Sawyer was referring to language in the TOS for cloud-server services granting ownership rights to Dropbox or other cloud services.

At least I think that’s what he was referring to, because the Dropbox TOS did not actually grant those ownership rights to Dropbox.  Dropbox’ TOS – like similar TOS for SugarSync and Box.net – granted limited use rights to enable Dropbox to actually provide the service.  Here is the offending provision:

… you grant us (and those we work with to provide the Services) worldwide, non-exclusive, royalty-free, sublicenseable rights to use, copy, distribute, prepare derivative works (such as translations or format conversions) of, perform, or publicly display that stuff to the extent we think it necessary for the Service.

To be clear, if Dropbox actually claimed ownership rights to customer files – and actually provided for the same in its TOS – there’s no particular reason such a grant “won’t hold up in court”.   There are certainly cases of unenforceable contracts – contracts that are fraudulently induced or in contravention of public policy, for example – but a fully and clearly disclosed obligation in exchange for a mutual commitment of service is enforceable.

Read More

BitTorrent Copyright Infringement: Trouble for DMCA?

BitTorrent has been in the (copyright) news lately – and not surprisingly – after the movie studios set their sites on bringing down yet the latest iteration of file-sharing technology.

2 great background sources on what BitTorrent is and how it works can be found here and here.  In short terms, BitTorrent is a file sharing technology, different from Napster and its peer-to-peer progeny in that it draws down pieces of large data files from multiple computers – rather than single computer to single computer peer-to-peer – based on a “community” structure of participating individual users.  The two biggest distinctions are (1) no single source for the compiled total file contributes more than a very small portion of the total file and (2) the distributive structure finesses the constant file-sharing problem of large data transfers demanding large broadband resources.

Why is bitTorrent in the (copyright) news?

BitTorrent is in the news not simply because Netflix’ CEO stated that “we’ve finally beaten bitTorrent.”  (“We”, by the way, presumably refers to Netflix’ full-file streaming capabilities.)

Read More

Who Needs a Privacy Policy?

A privacy policy?  Who needs a privacy policy?  Privacy is a mess.  You’re building an online business, and you figure you have to have a privacy policy.  But why?  Is “because everyone else has one” a good enough reason?  Ever wonder what you really need to know about privacy law?  I mean … what you have to comply with as a business operating in an online environment?

Here, then, the first of several Frequently Asked Questions about privacy policies.  Or to be more precise, here now some practical answers on privacy practices:

FAQ #1: Can I simply post a privacy policy and forget about it?  Short Answer: No.  Longer Answer: No, because as between posted statements and actual compliance, actual compliance is what’s required.  

Read More

Podcast #1: FTC’s recently issued privacy proposals

Podcast #1: December 30, 2010


In today’s podcast, we discuss the Federal Trade Commission’s recently issued privacy proposals. My guest is Karen Neuman, a founding partner of St. Ledger-Roty Neuman & Olson LLP, a Washington, DC law firm that focuses on regulation of information technologies and communications law, including privacy & data security, mobile communications, the Internet, media, telecommunications and related transactional matters.

At the core of the new privacy proposal is the idea that the current system of self-regulation does not provide enough consumer protection.  Basically, from the FTC’s perspective, people do not pay enough attention to the data-collecting activities of websites and not enough companies are up-front about the data they do collect from visitors to their sites.  The FTC says that while many companies detail their data collection through privacy policies, consumers bear too much of a burden in having to sort through such long, legalistic documents.

Among other proposals, the FTC’s new framework would require a “Do Not Track” option, much like the one we currently have to avoid telemarketers.  “Do Not Track” would essentially prevent companies from tracking things like your browsing history and buying habits, making it much more difficult for them to target consumers with personalized ads.  The proposal also aims to have companies incorporate more consumer protection into their business practices through simpler, more transparent options and by allowing consumers more access to the data being collected about them.  The FTC issued its proposed rules just last week, and requested public comment from both businesses and the public.

Please click play on the audio player below to hear the podcast.

Read More

Privacy Policies – Legal Significance? Enforceable?

What is the legal significance of a website’s privacy policy?

That question lingers when reviewing such policies for legal compliance and for consistency with a company’s actual practices.  Problem is, lawsuits involving claims of breaches of privacy policies have failed even in cases of clear and egregious violations by the service provider, where there was an absence of a showing of actual damages.

Eric Goldman cites a number of cases in his blog, including a prominent class action in 2005 against Jet Blue Airlines for voluntarily turning over passenger names to a government contractor, in clear violation of the airline’s stated privacy policy.  Policies commonly permit the service provider to disclose information in response to a government demand.  Yet, Jet Blue won dismissal despite any such disclosure right in its policy.

Read More

“Checking in” on the latest social media trend

Last week, Facebook joined the social media craze of “checking in,” with its new service called Places. The move indicates an increasingly popular trend, pioneered by services like Four Square. Whether at a famous historical landmark or their local Starbucks, people use location check-ins to let friends know where they are and earn badges for covering more ground.

Some think the next phase in the check in revolution is coming soon to a couch near you. Entertainment could be the next big thing that draws users to check in and share what they’re doing with others. Services like GetGlue, Miso, and Philo encourage you to share what you’re watching and engage with people doing the same. Besides the social networking incentive to interact with fellow fans of your favorite shows, these applications offer tokens and badges for every time you keep up with the Kardashians or tune in to see what Snooki will do next on Jersey Shore.

Read More

Cookies, Congress and Privacy: What’s the Problem?

Publishers are worried about cookies, specifically talk of regulatory action on the privacy front.  What’s the story here?

A Privacy Policy might typically say something like this:

“A ‘cookie’ is a small text file on your computer’s hard drive that our Web site uses to collect information about how you use our site.  The cookie transmits this information back to our Web site each time you visit a page on our site, thus allowing us to identify our most popular pages, features and data.”

To someone not working for an ad agency or at a publisher or for, say, Google, reading these terms, what they might read could be summarized like this: “Software … embedded in my computer … I have no choice … it stays there forever and ever … it will watch my every move and report back to its masters and possibly the government … my wife might find out.”

Read More

Who owns advertising data?

First, what data?  This comes up in various contexts.  First example: an agency contracts with an ad campaign client for marketing, issue advocacy, corporate branding, what have you.  It used to be that creative was a “work for hire” (or assumed to be) owned by the advertising client.  With some sort of understanding that the client wouldn’t end-run the agency.

In other words, expectations were governed by historical industry practice.  Copyright and contract law didn’t play much a part.

But what about campaign performance?  What about reports and research and metrics and all the “data” compiled by the agency to make its case?  Forrester and Gartner Group and Corporate Executive Board and their ilk have been selling research reports for years on these sorts of things, but agencies typically didn’t bother with industry best practices-type studies or reports.  Work was done for clients, and work product was owned by the clients (or again, was assumed to be).

Read More