The Tip of the Iceberg – ‘Do Not Track’ Kids Bill Proposed

After several months of anticipation, Rep. Ed Markey (D-Mass.) released his Kids “Do Not Track” discussion draft bill. At face value, this bill appears to have a narrow focus of online behavioral activities toward children, which we normally define under the Children’s Online Privacy Protection Act (“COPPA”) as any individual younger than 13. However, such is not the case. This bill would amend COPPA to expand some marketing provisions to teens under age 18, and may, in effect, require better age screens, given teen savvy (and their propensity to lie about their age).

If enacted, this bill has the potential to create complications when marketing to the crucial college age and young adult market as more sophisticated age screens will require all to enter information that they might not want to share online.

To read the entire Rimon Alert and find out more, just check out Rep. Markey Releases a Kids Do Not Track Discussion Draft Bill.

ILO Publishes ‘Twitter Settles with FTC – Gets 20 Years’ Probation!’

On April 5, 2011, the International Law Office published a customized version of the March 14, 2011 blog on Legal Bytes, Twitter Settles with FTC – Gets 20 Years’ Probation! You can read it online or download your own copy of the ILO posting here: ILO Posts Twitter Settlement news.

Italian Courts Order Yahoo! Italia To Keep the Links Missing

I picked up an interesting article published today in the International Law Office, and since the article is listed in the category of Information Technology, I thought some Legal Bytes readers with international interests and activities that are "content," "search" or "link" related might not see it.

The article summarizes a case in which Yahoo! Italia was held responsible for failing to remove links to infringing versions of a motion picture – thus, in the court’s view, resulting in contributory liability. What is also of interest is that the Italian court ordered Yahoo! in Italy to not only remove links to websites that "served" the allegedly infringing content, but also to remove any other websites that contained links to the websites serving that content – even if those websites had other links or provided other legitimate content, features and functions. Such a decision could have far-ranging implications since it goes to the heart of the ripple effect that linking has on legitimate content-sharing. It also raises the chilling specter of restricting access to otherwise legitimate, non-infringing content, features and functions based on a finding that there is a link to infringing material.

While one can make the case that such strong enforcement helps deter and ultimately prevent infringement, the breadth of the decision and the fact that a rights-holder can simply send a notice without requiring formal "proof" of infringement, means every link to every website that connects to an offending website could potentially be forced to de-link, and arguably bears some liability for contributory infringement. Think of the connections on social media, embedded players and links on the web – Wow!

If you want to read the entire article, you can access it right here Yahoo! Italia liable for searchable content. And as always, if you need advice from a U.S. lawyer who has done work with Italian companies and legal colleagues in Italy, call me, Joseph I. ("Joe") Rosenbaum, or any of the Rimon attorneys with whom you regularly work.

Darwin Was Right. It’s All About Biology!

I have been stupid. It’s everywhere and I couldn’t see it. I’m looking at trying to invest my hard-earned dollars and wondering about the future of mobile and social media and technology. Hmmmm, maybe I should pour some money into that sector of the economy. But how to decide – price-to-earnings ratio, market multiple, return on equity, assets, sales? Then it dawned on me. Shhhh .. . I’ll let you in on a secret I discovered. It’s biology – natural selection, evolution, survival of the fittest – Charles Darwin was right.

Think about it. Sony says "It’s in our DNA." Twitter is for the birds. Social media is in your Face(book). Think it stops there? No way. Apple – the original sin. Gone viral – my anti-virus software has been in use for years. Make a firewall to stop it from spreading. Cookies? Baked to perfection! Who gives a Hoot(suite)? Oh and if you think the Droid or Android are not part of the mix, just watch Star Wars for those artificial parts, artificial intelligence and artificial sweeteners. 

My blog has gone viral along with YouTube videos. Word of mouth marketing – even the blog conjures up images of Steve McQueen in a very old movie ("The Blob"– who remembers, raise your hands). Hear the buzz – not the sound of bees, but rather the web browsers. Firefox? How about the wireless photographic memory cards from Eye-fi? Did I mention cloud computing – is that cloud 9 or should I get off my cloud as the Rolling Stones asked me to do many years ago?

Not convinced yet? Just the other day researchers at IBM announced that they have developed a nanoparticle that has the ability to target and destroy bacteria that has otherwise proved to be resistant to antibiotics. Now I originally thought a nanoparticle was something harvested from Ork, the planet made famous by Robin Williams in the television series "Mork & Mindy." But apparently, nanoparticles are itsy bitsy particles, so small you could fit tens of thousands of them on the head of a pin.    

So all you investment advisors, financial analysts, brokers and day traders, watch out. Pick the biologically named company of choice or, better yet, start a company, and watch it evolve, grow, mature and hopefully not crash before I sell. I personally am not surprised that Jim Beam has been around since 1795! 

Federal Grand Jury Seeks To Open Pandora’s Box

Knock Knock. Who’s there? Andover. Andover who? Andover those records Pandora.

So Pandora Media, Inc., the company that brings us the popular Pandora® Internet Radio, has reportedly received a subpoena from a federal grand jury looking into the practice of information-sharing involving smart phone applications. Pandora did indicate, however, it had been advised it was not a target of the grand jury investigation, and that it believed the legal request for the production of information had been served on an "industry-wide basis" to many other smart phone application publishers. Not much else is known about either the specific subpoenas (or is the correct Latin, "subpoenae"?) or the nature or focus of the federal investigation; but guessing that it relates to the sharing of information about location-based target-marketing practices, and the disclosure of information by and among ad publishing networks, can’t be far from the target.

The Advertising Technology & Media law practice group, in conjunction with our global regulatory practice and litigators when we need them, has experience in dealing with such subpoenae (or is the correct English "subpoenas"?). Think about knowing how to respond before you get served – with a subpoena or on a platter. OK. I’m still in the April Fool’s Day spirit. What can I say?

I See Paris, I See France: Google’s Street View Draws French Fine

On December 20, 2010, a Legal Bytes blog entitled Look! Out the Window! It’s a Peeping Tom! No, It’s Google Street View noted the problems Google was facing as a result of a faux pas in connection with its Street View automobiles roaming the streets equipped with cameras. As we reported earlier, Google’s picture-capturing vehicles appear to have accidentally gathered data over unsecured Wi-Fi systems in more than one country and city around the globe – including France.

Although Google agreed to delete the Wi-Fi data collected accidentally and has apologized, if one picture is worth a thousand words, France has apparently decided that Google’s pictures were worth about €100,000. This is reportedly the highest fine imposed by the CNIL (the National Commission for Information Freedom – the French data-protection regulatory body) since it was given the authority to levy financial penalties in 2004. The financial sanctions were levied because Google’s activities were considered to be "unfair collection" of data under French law, data that Google was able to collect for economic advantage. The "accident" resulted from some "sniffing" programming code that ostensibly carelessly found its way into the equipment capturing Street View data in the cars as they roamed highways and byways.

While other countries are considering fines and investigations that are on-going, some countries (e.g., the United States) have apparently dropped the investigations or are not considering penalties at this time. This is not the last we will hear of location-based or geo-targeted information raising an uproar, as people "check in" and the surveillance society becomes closer to reality than we often care to admit. The law and regulation are not harmonized around the globe, and many regulators and laws don’t even adequately address the problem – often created because, like so many other issues in our digital world, some information is being shared voluntarily, some is not, and some is a blend.

As always, if you need advice and counsel about your own advertising and marketing efforts, or privacy and data protection guidance from legal representatives who deal with these issues – in the United States and around the globe – every day, feel free to call me, Joseph I. ("Joe") Rosenbaum, or any of the Rimon attorneys with whom you regularly work.

Look! Out the Window! It’s a Peeping Tom! No, It’s Google Street View.

The recorded legal enforcement of privacy dates back to at least 1361, when Justices of the Peace Act in England provided for the arrest of Peeping Toms and eavesdroppers. In the 1760s, English Parliamentarian William Pitt wrote: “The poorest man may in his cottage bid defiance to all the force of the Crown. It may be frail; its roof may shake; the wind may blow though it; the storms may enter; the rain may enter – but the King of England cannot enter; all his forces dare not cross the threshold of the ruined tenement.” Translation: One’s home is one’s castle.

The right to be free from unlawful searches and seizures and intrusions into one’s home is among the earliest expressions of the legal right to privacy. Today, privacy has been woven into the fabric of the laws and regulations of most countries throughout the world. The Preamble to the Australian Constitution states: “A free and democratic society requires respect for the autonomy of individuals, and limits on the power of both state and private organizations to intrude on that autonomy. Privacy is a key value which underpins human dignity and other key values such as freedom of association and freedom of speech. Privacy is a basic human right and the reasonable expectation of every person.” The 1948 Universal Declaration of Human Rights may well be the first multi-national, international legal document moving privacy to the level of a legally enforceable principle, noting that no one should be subject to arbitrary interference with privacy, family, home or communication, nor attacks on honor or reputation, and that each individual should have the right to legal protection against such interference or attack. In 1965, the Organization of American States proclaimed the American Declaration of the Rights and Duties of Man, which called for protection of numerous human rights, including the right of privacy.

We’ve come a long way. Today, Google’s Peeping Toms are roving street cars equipped with cameras and are allegedly violating privacy rights left and right as they roam through your neighborhood. If you hadn’t heard, Google reported earlier this year that in the course of its Street View automobiles roaming the streets of cities in more than 30 countries, its picture-capturing vehicles had also accidentally gathered data over unsecured Wi-Fi systems. Oops! Some of Google’s woes stem from mistakenly collecting data it allegedly should not have, although many privacy advocates and some regulators are protesting the actual picture-taking itself – even though the streets are public – not just the inadvertent capture of such data. Google has agreed to delete Wi-Fi data collected accidentally and has apologized (e.g., New Zealand, United Kingdom) for collecting personal data (e.g., personal emails, passwords) from wireless networks.

Although this past October (2010), the FTC in the United States indicated its inquiry into violations of privacy by Google’s Street View cars was ended – noting that Google had made efforts to increase its privacy and security processes and compliance procedures – Google is still facing a slew of questions, objections and government inquiries. Inquiries remain pending from attorneys general in a number of U.S. states, and at last count, about six or seven actual or putative class-action suits were pending.

In Germany, regulators have forced Google to agree to allow individuals to opt out of Street View and, when doing so, there will be computer-generated pixilation of their houses, instead of a photo, effectively blurring detail. Even with Google’s recent actions to bolster its compliance and sensitivity to privacy concerns, German investigators may still pursue investigations and violations. Indeed, investigations are also underway in Australia, France, Ireland, Italy and Spain.

In the “you can’t make this up” category on the subject, Legal Bytes recently saw a report that a woman in Japan is suing Google for about $7,000 for psychological damages because images of her underwear have appeared on the clothes washing/drying line outside her home displayed on Google Maps. Mainichi news service in Japan reports that part of her allegations state: “I was overwhelmed with anxiety that I might be the target of a sex crime. It caused me to lose my job and I had to change my residence.”

When do public photographs become grist for the Peeping Tom mills? What about government surveillance? Satellite photos? Drone imagery? I, for one, am giving up sunbathing on the roof from now on!

Privacy is a dynamic and evolving concept – one not uniformly dealt with or perceived around the world, or even within nations. Privacy is often blurred with identity issues or security principles, in some cases overlapping and in others just emotionally charged rhetoric. Witness the recent FTC and Department of Commerce reports, each ostensibly dealing with “privacy.” You can read about it on blogs posted by our Global Regulatory Enforcement Group, as well as right here on Legal Bytes (see, ‘Tis The Season To Issue Privacy Reports – NTIA Green Paper, Protecting Consumer Privacy – FTC Issues Staff Report and Privacy & Data Security Bills After the Midterm Elections), or search “privacy” in the search box in the left side navigation bar. But there is no substitute for getting the advice, counsel and guidance about your own particular situation from legal representatives who deal with these issues – in the United States and around the globe. So if you do need assistance, call me, Joseph I. (“Joe”) Rosenbaum, global chair of Rimon’s Advertising Technology & Media law practice, or any of the Rimon attorneys with whom you regularly work.

‘Tis The Season To Issue Privacy Reports – NTIA Green Paper

Just a few moments ago, in their own words: "The Commerce Department Office of the Secretary, leveraging the expertise of the National Telecommunications and Information Administration ("NTIA"), the Patent and Trademark Office ("PTO"), the National Institute of Standards and Technology ("NIST"), and the International Trade Administration ("ITA"), has created an Internet Policy Task Force to conduct a comprehensive review of the nexus between privacy policy, copyright, global free flow of information, cybersecurity, and innovation in the Internet economy." That introduction prefaced the release by the NTIA of its "Green Paper" (which you can download and read), Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework.  The Federal Register notice of this paper will seek public comments, noting that they will be due on or before January 28, 2011. 

While Legal Bytes and Rimon will digest the report more thoroughly and report to you in the days and weeks ahead, the report at first blush focuses on four major themes:

  • Support for Fair Information Practices Principles (FIPPS), noting the need and importance of greater transparency, consumer control and data security
  • Support for self regulation
  • Creation of a national Privacy Policy Office to coordinate voluntary, enforceable, self-regulatory programs
  • The need for greater harmonization of privacy laws and self regulation internationally

Stay tuned for further information and analysis, but if you want to be part of the conversation; if you feel you should have a voice in the discussion and are considering submitting comments; or if you simply want to better understand the implications, the interplay between this report and the recently released FTC report (see Protecting Consumer Privacy – FTC Issues Staff Report)posted on Legal Bytes December 2, 2010), please don’t hesitate to contact me, Joe Rosenbaum, or any of the Rimon attorneys with whom you regularly work.

Protecting Consumer Privacy – FTC Issues Staff Report

This post was written by Paul Bond, Chris Cwalina, Amy Mushahwar and Fred Lah.

The FTC just released its long-awaited Protecting Consumer Privacy in an Era of Rapid Change. This preliminary staff report proposes a major change in U.S. privacy law. The FTC is accepting comments on this report until January 31, 2011, and if you could be affected by these changes and would like to submit comments, or if you are considering submitting comments to the report (or perhaps you aren’t sure if you should), Rimon can help. While we are still reviewing the 123-page report in depth, we wanted to share a few thoughts from an initial reading.

The report proposes a major change in the framework of U.S. privacy law, stating bluntly: “Industry must do better.” The report notes, among other things:

  • Notice-and-consent doesn’t work. People don’t read or understand privacy notices as now written. The Commission’s view is that privacy policies have become “long” and “incomprehensible.”
  • Waiting for harm to consumers isn’t an effective way to enforce privacy norms. Harm has traditionally meant economic or physical harm. Privacy harms include reputational harms and even the emotional harm of having one’s information “out there,” or “fear of being monitored.” The new framework must address and allay these anxieties; however, there is some disagreement among the Commissioners. Commissioner J. Thomas Rosch, in his concurrence, notes “the Commission could overstep its bounds” if it were to begin analyzing these more intangible harms when assessing consumer injury.
  • Industry self-regulation is too little, too late, and has failed to provide adequate and meaningful protection.

The report challenges a number of privacy and security assumptions. The report:

  • Casts severe doubt on claims that de-identified information need not be protected, citing multiple instances and methods by which personally identifiable information (PII) can be culled from “non-name” information (e.g., IP addresses, other unique identifiers). The distinction between PII and non-PII is, the report says, “of decreasing relevance.” Consequently, the scope of the report is very broad and applies to “all commercial entities that collect or use consumer data that can be reasonably linked to a specific consumer, computer or other device.
  • Purports to apply in the online and offline world, and not only to companies that work directly with consumers.
  • Suggests that consumers must be made aware of and consent to onward transfers of information to non-affiliates no matter what the industry, universalizing the consumer notice requirements that previously only applied to certain highly regulated industries (e.g., telecommunications, education, health care, financial services), or certain types of sensitive data (e.g., credit data, bank accounts, medical records).
  • Distinguishes between “commonly accepted data practices” and all other data practices. Borrowing from GLBA and HIPAA, using data to aid law enforcement, or in response to judicial process or to prevent fraud, would not require notice to or consent of consumers, but ALL other data practices (e.g., behavioral advertising and deep packet inspection that are explicitly named as not commonly accepted data practices) would require notice and consent in a form easy to read and understand, ideally provided to the consumer when the consumer enters his or her personal data. The report suggests opt-in consent be obtained prior to implementing any material changes to company policy that would apply to data collected under a prior privacy policy.
  • Suggests that to promote a free and competitive market, the privacy practices of companies need to be more transparent to consumers, and that consumers be given “reasonable access” to their data.
  • Notes that appropriate data-retention periods should be a legal requirement. The report sites geolocation data as especially important to phase out.
  • Endorses a “Do Not Track” mechanism, recognizing that such a mechanism would be far more complex than the National Do Not Call registry. The FTC supports either legislation or self-regulatory efforts to develop a system whereby a consumer could opt not to be “tracked.” The FTC has expressed a distinction between “tracking” and “interest-based” advertising. And, in later discussions regarding the report, the FTC has stated that it will treat first-party advertising more favorably than third-party ad servers. The FTC has not decided on the technical mechanism for creating such a registry, but it recognizes a browser-based solution – similar to the privacy plug-in on the Firefox browser or incognito mode in Google Chrome. The FTC has not indicated if opt-in or opt-out would be the default browser setting for any browser privacy technology deployed.

So what should businesses do?

First, companies should carefully review the report and all the questions made open for public comment. These are listed in Appendix A to the report, but additional questions are posed in the Commissioner dissent statements.

Second, companies should strongly consider commenting on the report. In our experience, the FTC will listen and often address business concerns. But you must be heard. Trade associations are a good place to start, but individual company voices are important, especially if you have unique issues that should be addressed.

Third, now is a good time for you to pull back and consider your privacy policies, practices and programs, and the extent to which privacy is incorporated into your everyday business practices. The report suggests every company should adopt “privacy by design,” “building privacy protections into everyday business practices,” “assigning personnel to oversee privacy issues, training employees on privacy issues, and conducting privacy reviews when developing new products and services.”

You can read and obtain a copy of the FTC’s full report here.

If you need help, want more information, want to comment, or simply require some guidance – whether counsel or representation – in an area that is of critical importance to businesses and consumers, please don’t hesitate to contact Paul Bond, Chris Cwalina, Amy Mushahwar, Fred Lah or me, Joe Rosenbaum, or any of the Rimon attorneys with whom you regularly work.

Internet Communications – Encryption Is Not Enough

Most of us have come to enjoy the convenience of secure communications over the Internet, enabling us to feel comfortable that a broad range of commercial transactions, and remote access through virtual private networks (VPNs), as well as the transmission and retrieval of data from the Cloud, are secure – at least reasonably so. However, such communications may be less secure than people think. It has recently come to light that the processes used to authenticate the identity of the party (or organization) with whom one is communicating may actually be deeply flawed. In almost all cases, businesses and individuals alike unwittingly trust a large number of “certificate authorities” (so-called “CAs”) to essentially authenticate or vouch for the identity of the endpoints of secure communications over the Internet.

CAs hail from across the globe. Some are private entities while others are associated with, or operated by, governments – in some cases perhaps a government one may not wish to trust. Still other CAs may simply be incompetent. No matter which is the case, it is clear that these CAs have the power to facilitate man-in-the-middle wiretap exploits and “phishing” through imposter servers. Isn’t it time for general counsel and IT to work together to shore up the authentication processes, because Encryption is Not Enough

If you aren’t sure your communications are secure, or if you simply don’t know enough to determine the right questions to ask, contact Steven B. Roosa directly, or the Rimon attorney with whom you regularly work.