MediaTech Law

By MIRSKY & COMPANY, PLLC

Deceptive Software: Breaking Down VW’s Emissions Cheating Code Scandal

Introduction

After a university study uncovered code designed to cheat emissions testing standards, Volkswagen Inc. (VW) has been on the defensive, admitting wrongdoing and bracing for the onslaught of regulatory fines, class action suits, and major repairs and recalls.

The code at the heart of the controversy places the car in one of two operating modes. When the car appears to be driving under conditions simulating an emissions test, the “cheat code” is enabled, delivering proficient emissions results and better gas mileage. When driving conditions denote real-world driving, cheat mode is disabled, delivering increased power and torque, but decreasing gas mileage and outputting a level of emissions 40 times greater than the legal limit as regulated by the Environmental Protection Agency (EPA).

Discovering the Cheat Code

Researchers at West Virginia University uncovered the higher emissions during a study funded by the International Council on Clean Transportation, a nonprofit with offices in the U.S. and Europe, to test the emissions of diesel vehicles while driving. Traditionally, emissions testing occurred in a stationary location by placing the front wheels of a car on a rolling treadmill while the rear wheels remained static. Emissions that escaped through the tailpipe were then collected and measured. The WVU researchers took the tests to the open road by creating a mobile testing rig. Sensors attached to the tailpipe captured the emissions and fed the data to testing equipment stored in the trunk and backseat of the cars. The test results captured the greater emissions and lower fuel efficiency since the cheat code was disabled on open road conditions. Upon discovering the discrepancies and conducting multiple follow-up tests, WVU contacted the EPA and the California Air Resources Board, who conducted their own tests and issued a citation to VW.

Budweiser Protects Its Throne From the Queen of Beer

Anheuser-Busch’s Budweiser brands itself as the king of beer and the company’s recent trademark defense shows it’s not willing to share the throne. A California craft beer company named She Beverage Company recently filed a trademark application with the U.S. Patent and Trademark Office (PTO) for THE QUEEN OF BEER for “beer,” and Anheuser-Busch quickly moved to oppose it.

Anheuser-Busch argued in its opposition that She Beverage Co.’s trademark would cause consumer confusion with several of its KING OF BEERS word and design marks, the oldest of which was registered in 1968 for “beer.”

Anheuser-Busch also argued that THE QUEEN OF BEER would dilute the distinctive nature of Budweiser’s famous trademarks. Famous marks are afforded heightened protection from similar marks because of the strong connection in the mind of the public between the source of the product and the mark. And there is little doubt that Anheuser-Busch’s marks, including Budweiser, qualify as famous considering the hundreds of millions of dollars that it spends annually on advertising, and its place as one of the world’s most valuable brands.  

Appellate Court Upholds FTC’s Authority to Fine and Regulate Companies Shirking Cybersecurity

In a case determining the scope of the Federal Trade Commission’s (FTC) ability to govern data security, the 3rd U.S. Circuit Court of Appeals in Philadelphia upheld a 2014 ruling allowing the FTC to pursue a lawsuit against Wyndham Worldwide Corp. for failing to protect customer information after three data breaches that occurred in 2008 and 2009. The theft of credit card and personal details from over 600,000 consumers resulted in $10.6 million in fraudulent charges and the transfer of consumer account information to a website registered in Russia.

In 2012, the FTC sued Wyndham, whose brands include Days Inn, Howard Johnson, Ramada, Super 8 and Travelodge. The claim alleged that Wyndham’s conduct was an unfair practice and its privacy policy deceptive. The suit further alleged the company “engaged in unfair cybersecurity practices that unreasonably and unnecessarily exposed consumers’ personal data to unauthorized access and theft.”

The appellate court’s decision is of importance because it declares the FTC has the authority to regulate cybersecurity under the unfairness doctrine within §45 of the FTC Act. This doctrine allows the FTC to declare a business practice unfair if it is oppressive or harmful to consumers even though the practice is not an antitrust violation. Under this decision, the FTC has the authority to level civil penalties against companies convicted of engaging in unfair practices.

What exactly did Wyndham do to possibly merit the claim of unfair practices?

According to the FTC’s original complaint, the company:

  • allowed for the storing of payment card information in clear readable text;
  • allowed for the use of easily guessed passwords to access property management systems;
  • failed to use commonly available security measures, like firewalls, to limit access between hotel property management systems, corporate networks and the internet; and
  • failed to adequately restrict and measure unauthorized access to its network.

Furthermore, the FTC alleged the company’s privacy policy was deceptive, stating:

“a company does not act equitably when it publishes a privacy policy to attract customers who are concerned about data privacy, fails to make good on that promise by investing inadequate resources in cybersecurity, exposes its unsuspecting customers to substantial financial injury, and retains the profits of the business.”

Wyndham requested the suit be dismissed arguing the FTC did not have the authority to regulate cybersecurity. The appellate court found otherwise, however, stating that Wyndham failed to show that its alleged conduct fell outside the plain meaning of unfair.

The appellate court’s ruling highlights the need for companies to take special care in crafting a privacy policy to ensure it reflects the company’s cybersecurity standards and practices. This includes staying up-to-date on the latest best practices, and being familiar with the ever-changing industry standard security practices, including encryption and firewalls.

Delayed Results of Google’s “Mobilegeddon” Show Small Sites Suffer on Mobile

On April 21st online behemoth Google altered its search engine algorithm to favor websites it considered mobile-friendly. This change, dubbed “Mobilegeddon” by web developers and search engine optimization (SEO) specialists, sought to reward sites that used responsive design and other mobile-friendly practices to ensure sites display well on smartphones and other mobile devices. Conversely, sites that were not mobile friendly would ultimately be penalized by ranking lower on mobile search results.

At the time, it was unclear just how large of an impact this change would have on companies’ appearance in organic mobile search results. A recent report by Adobe Digital Index, however, shows that the impact has indeed been substantial. The report determined that traffic to non-mobile-friendly sites from Google mobile searches fell more than 10% in the two months after the change, with the impact growing weekly since April. This means that non-mobile-friendly sites have dropped sharply in mobile search rankings, while mobile-friendly sites have risen in rankings, showing up higher on the mobile search results page. This change has had the greatest impact on small businesses that likely underestimated the value of mobile search traffic, and also affected financial services and law firms.

In a recent article in the Wall Street Journal, Adobe analyst Tamara Gaffney found that companies which were unprepared for the impact on search results have tried to offset the decrease in organic traffic by buying mobile search ads from Google. This tactic served to keep mobile users visiting their sites through paid ads. Substituting paid results for organic results may work in the short term but is usually not a sound long-term approach. A sustainable long-term online ad strategy usually consists of a balanced approach between building brand and consumer trust through organic search, and strategically supplementing that with paid ads.

What is a company adversely affected by Mobilegeddon to do?

One obvious course of action for a site that has suffered from Mobilegeddon is to become mobile friendly. This means putting in place a responsive theme, and implementing best practices that aid in mobile user experience. This includes using larger easier-to-read text and separating links to make them easier to tap on a smaller screen. Those who are unsure of how their site fares according to Google can use the company’s Mobile Friendly Test Tool to see what recommendations may be made to improve the mobile user’s experience.

With mobile search queries outpacing desktop, Google is sending a clear message that it is willing to reward sites that provide a good mobile experience, and businesses that fail to heed that message will suffer in the search rankings.

What’s Behind the Decline in Internet Privacy Litigation?

The number of privacy lawsuits filed against big tech companies has significantly dropped in recent years, according to a review of court filings conducted by The Recorder, a California business journal.

According to The Recorder, the period 2010-2012 saw a dramatic spike in cases filed against Google, Apple, or Facebook (as measured by filings in the Northern District of California naming one of the three as defendants). The peak year was 2012, with 30 cases filed against the three tech giants, followed by a dramatic drop-off in 2014 and 2015, with only five privacy cases filed between the two years naming one of the three as defendants. So what explains the sudden drop off in privacy lawsuits?

One theory, according to privacy litigators interviewed for The Recorder article, is that the decline reflects the difficulty in applying federal privacy statutes to prosecute modern methods of monetizing, collecting, or disclosing online data. Many privacy class action claims are based on statutes passed in the 1980s like the Electronic Communications Privacy Act (ECPA), the Stored Communications Act (SCA), both passed in 1986, and the Video Privacy Protection Act (VPPA), passed in 1988. These statutes were originally written to address specific privacy intrusions like government wire taps or disclosures of video rental history.

License Plate Numbers: a valuable data-point in big-data retention

What can you get from a license plate number?

At first glance, a person’s license plate number may not be considered that valuable a piece of information. When tied to a formal Motor Vehicle Administration (MVA) request it can yield the owner’s name, address, type of vehicle, vehicle identification number, and any lienholders associated with the vehicle. While this does reveal some sensitive information, such as a likely home address, there are generally easier ways to go about gathering that information. Furthermore, states have made efforts to protect such data, revealing owner information only to law enforcement officials or certified private investigators. The increasing use of Automated License Plate Readers (ALPRs), however, is revealing a treasure trove of historical location information that is being used by law enforcement and private companies alike. Also, unlike historical MVA data, policies and regulations surrounding ALPRs are in their infancy and provide far weaker safeguards for protecting personal information.

ALPR – what is it?

Consisting of either a stationary or mobile-mounted camera, ALPRs use pattern recognition software to scan up to 1,800 license plates per minute, recording the time, date and location a particular car was encountered.

Website Policies and Terms: What You Lose if You Don’t Read Them

When was the last time you actually read the privacy policy or terms of use of your go-to social media website or your favorite app? If you’re a diligent internet user (like me), it might take you an average of 10 minutes to skim a privacy policy before clicking “ok” or “I agree.” But after you click “ok,” have you properly consented to all the ways in which your information may be used?

As consumers become more aware of how companies profit from the use of their personal information, the way a company discloses its data collection methods and obtains consent from its users becomes more important, both to the company and to users.  Some critics even advocate voluntarily paying social media sites like Facebook in exchange for more control over how their personal information is used. In other examples, courts have scrutinized whether websites can protect themselves against claims that they misused users’ information, simply because they presented a privacy policy or terms of service to a consumer, and the user clicked “ok.”

The concept of “clickable consent” has gained more attention because of the cross-promotional nature of many leading websites and mobile apps. 

PII at the Center of RadioShack Bankruptcy Auction and Mediation

A recent New York Times article highlights the disconnect between a company’s privacy policy and the disclosure of user data when the company is sold. According to the Times, while a company, like Hulu, declares that it “respects your privacy”, should the company go up for sale, user names, birth dates, email addresses and unique subscriber information can be made available to the highest bidder. Often it is this very information that can be of most value to a struggling or defunct company. This very issue played out recently with the bankruptcy of RadioShack, the electronics retail store founded in 1921, and the recent sale of its brand.

The now-bankrupt RadioShack reached a mediated agreement with U.S. states on May 14th over the sale of customer data, which barred the transfer of personal customer information; limited the number of emails to be included in the sale; and provided opt-out mechanisms to customers prior to transfer.

New York-based Standard General purchased 1,750 RadioShack stores, along with trademark and intellectual property, out of bankruptcy. The sale included personal customer information provided by customers to RadioShack over many years, including email addresses, postal addresses and phone numbers.

.SUCKS: Extortion or Free Speech?

Domain names are an essential part of modern commerce and convey important information about the website’s affiliation and legitimacy. Consumers may briefly glance at the .com or .edu at the end of the page they land on to make sure they’re on the right site, but soon they may see an unfamiliar suffix next to their favorite brand’s page – .sucks.

In 2014, the Internet Corporation of Assigned Names and Numbers (ICANN), a California-based nonprofit that manages and coordinates domain names, agreed to allow Vox Populi, a Canadian domain name registrar, to operate the registry for the new “.sucks” top-level domain (TLD).

Targeted Election Ads: New Frontier in Political Advertising

The next U.S. President won’t be sworn in for almost two years, but the jostling and positioning among likely candidates has already begun. When candidates consider how to reach potential voters, an increasingly sophisticated weapon in their arsenal will be targeted advertising to reach voters in-between commercial breaks of their favorite TV shows. These “addressable ads” allow advertisers – in this case political campaigns – to pay content providers, such as satellite networks, to reach specific homes. Addressable ads present a sharp departure from previous eras of political advertising that used a “shotgun approach” to appeal to as many potential voters as possible, regardless of demographics, previous political affiliation, or likelihood of voting.

Satellite television providers DirecTV and DISH Network have already embraced this technology by selling data about subscribers’ individual viewing habits to campaigns. Subscriber data are initially anonymized, but with addresses intact, and then matched to the addresses on voter-registration and canvassing databases. According to a USA Today report, once the targeted households are selected, the satellite provider sends the addressable ads to the home’s digital video recorder (DVR), and the ad airs in the next available commercial slot as part of whatever programming the customer is watching. After the ad plays, the remainder of the user’s TV show continues unaffected until the next ad slot opens.

Free Legal Documents!! (Sure, Why Not?)

Why would lawyers give away legal documents for free? Or better yet, why wouldn’t they do it? Daniel Doktori offered some good answers to these questions when he wrote recently in TechCrunch about Big Law’s answer to the Open Data movement.

But what’s most remarkable about the big lawyer giveaway – get there early, get your legal docs, we’re opening this year at 6pm on Thanksgiving Night! – may be how unremarkable it really is.

Doktori writes of law firms’ “mimic[ing] their small clients’ ‘freemium’ business development model”, suggesting that giving away free stuff is simply a way to get clients in the door where they (hopefully) will become paying clients. Perhaps. But it seems unlikely that a cash-strapped startup will hire a $700 per hour firm of attorneys simply because that firm gave away a generic founders’ subscription agreement. And with so many law firms offering the exact same documents – Doktori cites his own firm’s service as well as those of Cooley LLP and Orrick, Herrington & Sutcliffe LLP – there’s not much here to really differentiate the value of these documents in the first place. Not to mention the various non-law firm startups getting into the same game, including Founders’ Workbench (mentioned by Doktori) and low-cost services from Rocket Lawyer and others.

Real World Implications of Cyber Warfare

Introduction

Amid all of the publicity and media attention of the December cyberattack on Sony Pictures Entertainment, a cyber-intrusion on a German steel mill received comparably scant notice. Unlike the Sony hack, however, it highlighted an important and disturbing trend in cyber warfare. Detailed in a German government report released in December, the hacking of the German steel mill signified the second confirmed instance in which a wholly digital attack resulted in the physical destruction of equipment. By initially gaining access to the plant’s business network, the intruders were able to successfully make their way to the production network and access the controls of the plant’s equipment. They were able to control the system to such a degree that a blast furnace could not be properly shut down, resulting in “massive” damage.

According to Wired’s coverage of the incident, much information about the attack is not detailed in the report, including the name of the steel mill, exactly when it happened, and how long the hackers were in the network before the destruction occurred. The report does relay that the hackers apparently had advanced knowledge, not only of conventional IT security, but of the applied industrial controls and the mill’s production processes.

The incident highlights what is possible with the increasingly prevalent networked nature of physical real-world systems, from critical infrastructure networks like electric grids and water treatment systems, to simple and increasingly networked household and personal items in the growing Internet-of-Things (IoT).
