Thursday, September 20, 2012

Two New IBLT Entrepreneurship Assistance Fellowships Created

We are pleased to share the following announcement of the newly created Entrepreneurship Assistance Fellowships, via Touro Law Center:


The Institute for Business, Law and Technology (IBLT) at Touro Law Center has established two new Entrepreneurship Assistance Fellowships. The Entrepreneurship Assistance Fellows will assist specially selected early-stage and start-up Long Island companies with faculty-supervised research about relevant legal issues and best practices, in order to better enable the companies to manage the risks they face and maximize their growth potential. Additionally, the Fellows will help create and publish blog entries and other informational materials on data privacy, intellectual property and other key legal issues for the broader business community. The Fellowships will be awarded each semester to two qualified students who demonstrate an understanding of business and intellectual property law and offer previous relevant experience. The inaugural recipients of the award for the Fall 2012 semester are Brett Alazraki and Jeffrey Wells.

“We are proud of both Brett and Jeffrey and look forward to their contributions as the inaugural Fellows of the Institute of Business, Law and Technology,” said Dean Patricia Salkin. “In this competitive market, the Fellows will not only gain valuable experience that will aid them upon graduation, but will make connections within the business community that will last a lifetime.”

Brett Alazraki is a full-time, third-year student who will graduate in May 2013. He is the Vice President of the Intellectual Property Law Society and has been both a legal extern and Canon Insights Legal Intern for Canon USA. He also worked for a summer as a legal intern with Sheldon May & Associates, P.C.

Jeffrey Wells is a dean’s list student and successful entrepreneur himself who received the CALI Award for Academic Excellence in Drafting Commercial Documents & Real Estate Transactions. He previously served as a District Court Bureau Legal Intern for the Office of the District Attorney of Nassau County and a Legal Intern at the Long Island Advocacy Center.

“This is a great new opportunity for the Institute and for our students,” said Jonathan I. Ezor, Assistant Professor of Law and Director of the IBLT. “From its launch, the IBLT has been dedicated to supporting entrepreneurship and economic development throughout our region. These fellowships are a natural extension of that support and an exciting way to provide new opportunities for Touro Law students who display qualities that best represent the goals of the Institute.”

The Institute for Business, Law and Technology (IBLT) at Touro College Jacob D. Fuchsberg Law Center is dedicated to advancing the state of understanding about the intersection of technology, business and the law both within and beyond the law school. It does so through a growing list of courses for Touro Law Center J.D. and LL.M. students, a privacy and technology law blog at http://tourolawiblt.blogspot.com, social media presences on Twitter (@TouroLawIBLT) and Facebook (http://facebook.com/tourolawiblt), continuing legal education seminars for practicing attorneys, and publications and events for the general business community. As part of its efforts, the IBLT frequently collaborates on programs and initiatives with other educational institutions, organizations and companies throughout Long Island and beyond.

Its mission is to improve the understanding of the legal issues of basic and developing technologies integral to the technology-driven business communities of manufacturing, electronic commerce, and high technology. In so doing it assists in the formation, attraction, and retention of new business and to the economic development for the region through the integrated processes of education, collaboration, outreach and research. More information about the IBLT can be found at its Web site at http://www.tourolaw.edu/iblt.


XXX
 

Touro College Jacob D. Fuchsberg Law Center’s 185,000-square-foot, state-of-the-art facility is located adjacent to both a state and a federal courthouse in Central Islip, New York. Touro Law’s proximity to the courthouses, coupled with programming developed to integrate the courtroom into the classroom, provide a one-of-a kind learning model for law students, combining a rigorous curriculum taught by expert faculty with a practical courtroom experience. Touro Law, which has a student body of approximately 750 and an alumni base of more than 5,000, offers full- and part-time J.D. programs, several dual degree programs and graduate law programs for US and foreign law graduates. Touro Law Center is part of the Touro College system.

About the Touro College and University System Touro is a system of non-profit institutions of higher and professional education. Touro College was chartered in 1970 primarily to enrich the Jewish heritage, and to serve the larger American and global community. Approximately 19,000 students are currently enrolled in its various schools and divisions. Touro College has branch campuses, locations and instructional sites in the New York area, as well as branch campuses and programs in Berlin, Jerusalem, Moscow, Paris, and Florida. Touro University California and its Nevada branch campus, as well as Touro College Los Angeles and Touro University Worldwide as separately accredited institutions within the Touro College and University System. For further information on Touro College, please go to: http://www.touro.edu/media/.

For more info contact:
Patti Desrochers
Director of Communications
pattid@tourolaw.edu
(631) 761-7062

The Havoc of a Device Identifier – Apple UDIDs

Most users of the iPhone are completely unaware that Apple has assigned their individual devices a Unique Device Identifier (UDID).  While such an identifier contains numerous privacy implications, it was not until recently that the general public became acutely aware of these UDIDs.  In a post on Pastebin, on September 4, 2012, the hacker group AntiSec announced that they had obtained a file containing over twelve million Apple UDIDs from a FBI laptop.  While the FBI quickly denied this, stating that the laptop was not hacked and that the FBI did not hold such a file, this event led to several articles by numerous tech and law blogs diving into the topic of UDIDs and what these identifiers actually means for iPod Touch, iPhone and iPad users. (In addition, it is possible that non-Apple devices also contain a similar identifier to the UDID and the public has not been made aware of this yet.)
   
One such article, featured on The Verge, focused on what one is capable of doing when they obtain a user’s UDID.  It should be noted before delving into the various privacy problems that results from UDIDs existing that Apple has announced that UDIDs will be replaced by “a new set of APIs” in iOS 6 (released on 9/19/2012), the newest operating system for iPhone and the iPad.  However, it is unclear just what sort of information these new APIs will contain.  The writer of The Verge article, Joshua Kopstein, points out that it is unclear what exactly someone could do with a UDID and industry experts disagree as to the extent of harm that can come solely from a UDID: 

In a recent article posted on CNET, Frank Heidt, chief executive of Leviathan Security claimed that with a UDID, a push token, and a device name, an attacker "could arbitrarily load an app on your phone." But Alex Radocea, a senior engineer at CrowdStrike, says that’s not true.

"There’s been a lot of misinformation," Radocea told The Verge over the phone. Just as AntiSec released their list of device IDs, he and his team posted the results of their examination of the iOS version of FinSpy Mobile, a strain of the infamous FinFisher spyware that was recently found targeting political dissidents.

In their report, CrowdStrike points out that the spyware is using ad-hoc distribution, a method usually reserved for testing which uses UDIDs to bypass Apple’s application signing process. But that doesn’t mean that a UDID is the magic bullet for remotely installing malware on a device without the user’s knowledge, Radocea says.

"The main thing is that user interaction is required to install these applications," he clarified. "They cannot be silently or arbitrarily installed, as the CNET article alleges." In a blog post written shortly after news hit of AntiSec’s release, the ACLU similarly suggested that UDIDs could be used to secretly infect devices with the spyware.

Kopstein goes on to further discuss how in the past UDIDs have been used to access the geographic information of an individual user.  In addition, the UDID is solely in the control of Apple, and the only way for an individual to get a new UDID is to get a new iPod Touch, iPhone or iPad. 

What exactly the release of these 12 million UDID truly means is still unclear, but if nothing else, this release has raised public awareness of the issue.  (There is also a large concern over whether or not the FBI actually had these 12 million UDIDs, what the FBI was doing with this data, and if they truly did have the file, why was it being stored on a laptop that was so easily hacked?) And, as discussed earlier, Apple is removing the UDID from the newest version of its operating system.  However, the fact remains that millions of iPod Touches, iPhones and iPads contain a unique identifier over which the user has no control and which can do uncertain things to a user’s personal device

Via The Verge
(Written by Brett Alazraki, Fall 2012 IBLT Entrepreneurship Assistance Fellow)

Wednesday, September 19, 2012

FTC Finalizes Privacy Settlement with MySpace


On 9/11/12, the Federal Trade Commission, in an effort to protect consumers and prevent fraudulent, deceptive, and unfair business practices, approved a final settlement agreement with the social networking site MySpace over charges that MySpace misrepresented its protection of user’s personal information, an alleged violation of Section 5 of the FTC Act. MySpace is a social networking site with 25 million users worldwide who create custom online profiles of themselves for other users to view. When a profile is created on MySpace a unique identifier is assigned to that user which MySpace calls a “Friend ID.” The Friend ID can be used to access a user’s age, gender, profile picture, display name, and even the user's full name. A user’s profile may also contain additional information such as pictures, video’s, music, hobbies, interests, and lists of users' friends.


MySpace promised under the privacy policy posted on its Web site that it would not share a user’s personally identifiable information or otherwise exploit such information in a way that was inconsistent with the purpose for which it was submitted without first giving notice to and receiving permission from the user. A user’s personally identifiable information is defined by MySpace’s privacy policy as the user's full name, email address, mailing address, telephone number, or credit card number. Furthermore, the privacy policy also promised that the means through which it customized ads would not allow advertisers to access personally identifiable information or individually identify users.


MySpace earns revenue by allowing third-party or affiliate advertising networks to place advertisements directly on its site. According to the FTC, MySpace misled users about what information third-party advertisers received about them. The FTC charged that MySpace provided advertisers with the Friend ID of users who were viewing particular pages on the site. The advertisers were then able to use the Friend ID to easily access a user's MySpace profile to obtain personal information publicly available on the profile to link broader web-browsing activity to a specific individual. Additionally, the FTC alleges that MySpace made false statements about its compliance with U.S.-EU Safe Harbor Framework which is in place to protect the transfer of personal information from the European Union to the United States.


The settlement proposed by the FTC prohibits MySpace from misrepresenting the degree to which it protects the privacy of users’ personal information or to which it complies with other programs such as the U.S.-E.U. Safe Harbor Framework. The settlement also requires MySpace to take immediate action to develop a comprehensive privacy program to protect consumers’ information, including mandatory biennial audits of that program for 20 years by an independent third party.


The FTC notes that the administrative complaint issued against MySpace that led to the settlement agreement is not a finding or ruling that MySpace actually violated a law nor is the settlement agreement an admission by MySpace that it violated the law. However, now that the FTC has voted to accept the settlement agreement it carries the force of law with respect to future actions and each violation of such an order may result in a civil penalty of up to $16,000.


What does this mean for businesses and their privacy policies? Companies that collect a consumer’s personal information have a legal responsibility to stand by what is promised in their privacy policies and may share personal information or otherwise use the information only after first giving notice and, if required by the policy or applicable law, receiving permission from the consumers. It is important for companies to make an effort to craft their privacy policies in a more transparent manner for consumers. The FTC is making sure that companies are living up to their privacy policies and will take legal action against a company that has violated consumers’ privacy rights. If a company violates a consumer’s privacy rights it could lead to an assessment of monetary damages and it may possibly have a damaging effect on a companies goodwill. Therefore, it is important for a company to regularly review their privacy policies and make sure it provides for the utmost protection of a consumer’s personal information and to be certain that the company is in full compliance with its policy.

(written by Jeff Wells, Fall 2012 IBLT Entrepreneurship Assistance Fellow)

Friday, September 14, 2012

Apple v. Samsung and an Actual Decision (Finally)


After over a year of legal maneuvers, a jury decision was finally handed down in the major smartphone/tablet patent case between Apple and Samsung on August 24, 2012.  The decision made by a jury of nine in the Northern California District Court ended what had become a contentious trial in which both parties angered the presiding judge, Lucy Koh, numerous times.  Apple had alleged that Samsung products had violated numerous patents, trademarks and trade dress and Samsung counterclaimed that Apple had violated numerous Samsung patents, but, the final claims were paired down significantly.  The final claims included Apple alleging over twenty Samsung products infringed three utility patents, four design patents and one registered trade dress and three unregistered trade dress.  Samsung’s final counterclaims included allegations that Apple infringed six utility patents.   

The jury verdict ruled overwhelmingly for Apple, awarding Apple over one billion dollars and deciding that the majority of the over twenty allegedly infringing Samsung products actually infringed on the three Apple utility patents.  In regards to Apple’s design patents most of Samsung’s allegedly infringing phones (and a smaller number of products were accused) were found to infringe Apple’s design patents.  In a small victory for Samsung, the Galaxy Tab 10.1 Tablet was not found to infringe Apple’s design patents. 

In terms of trade dress, the jury ruled that Apple’s registered iPhone trade dress is protectable and that only the iPhone 3G had unregistered trade dress that was protectable.  Apple’s biggest loss came from the jury decision that the unregistered trade dress of the iPad and iPad 2 was not protectable and therefore Samsung could not infringe it.  The jury ruled that of six of seventeen of Samsung’s allegedly infringing products infringed on the iPhone’s registered trade dress and five of Samsung’s products infringed the iPhone 3G unregistered trade dress.

The jury then ruled that none of Apple’s products infringed on any of Samsung’s patents, curiously including a 3G Essentials patent, which patents a method required for a phone to connect to a 3G network (as the iPhone does).  Since this was a standards patent, Apple would have had to infringe in order to make their products truly 3G capable, despite the jury ruling that there was no infringement. 

Due to the case being decided by a jury, the implications of this massive lawsuit for businesses are not entirely clear.  What is clear is that Apple’s patents are valid (at least according to this jury) and Apple will be apple to use these patents against other companies who allegedly infringe on them.  In addition to the validity of patents, the jury decision shows two important trade dress related issues.  First, the jury showed that trade dress can be a viable intellectual property area to raise infringement claims against a company whose electronic products, both hardware and software, might have a similar look and feel.  This is the first ruling of its kind.  While there is no specific ruling of how to apply traditional trade dress to a cell phone, the jury decision shows that trade dress can be applied to cell phones.  Secondly, the jury ruled that the iPad (and iPad 2) do not have unregistered trade dress.  What this means is that barring Apple registering trade dress for the iPad, Apple competitors may use the iPad’s look and feel, barring it does not infringe on any other Apple intellectual property, in creating its own tablets. 

This decision will certainly be appealed by both sides and a decision by the appeals court might give better guidance on trade dress issues and precedence for all issues.  In addition, there will be an injunction hearing later this month to determine  which of Samsung’s infringing devices must be banned from being sold in the US, however, most of these products are either no longer being sold or close to the end of their product cycle.  The question of Samsung’s newer products possible patent infringement including, the Galaxy Nexus and the Galaxy S3 will be decided later this year.

In addition, there has been much made of whether the jury decision is valid.  These questions arise at least partially based on comments from the jury foreman, a patent holder himself.  Samsung will certainly appeal the decision and use the comments of the foreman and other jurors as evidence to hopefully invalidate the jury decision. 

(Written by Brett Alazraki, Fall 2012 IBLT Entrepreneurship Assistance Fellow)

Wednesday, September 12, 2012

Thoughts on Education and Compliance re: Cookie Consent Law from UK's Information Commissioner's Office

Dave Evans, the Group Manager, Business and Industry for the UK's Information Commissioner's Office ("ICO") has posted a new blog entry discussing the ICO's efforts in both education and enforcement regarding the use of cookies by companies. The UK's law on cookies, passed in compliance with Article 5.3 of the EU's Data Protection Directive as it was revised in 2009, places specific requirements for organizations to obtain consent for placing and using cookie files on users' computers, and the ICO has previously published guidance on how to understand and follow the law.

In his September 10, 2012 blog entry, Evans discusses the two-prong approach the ICO has taken in connection with implementing the cookies law and regulations:

Broadly speaking, there’s two ways we go about this: an education programme to inform the industry, and enforcement work to ensure compliance.

So we’ve issued guidance and press releases, spoken at conferences, held meetings and workshops and even written to 75 of the most visited websites, asking what steps they had taken to achieve compliance and offering our help. We are working through the intelligence we have gathered to see if websites are taking action to increase the visibility of information about cookies, and already a fair number have.

But we’re balancing that with enforcement: for example, some sites have failed to engage with us at all, and they’re now being set a deadline to take steps towards compliance, with formal enforcement action likely if they fail to meet this deadline. Failure to act on an enforcement notice is a criminal offence.
This mirrors the approach taken by the U.S.' Federal Trade Commission ("FTC") in its privacy and data security activities, as with the moving deadlines and business education program around the Red Flags Rule. Both agencies understand that laws and regulations cannot fulfill their purposes if those who must comply with them are unaware of the requirements. In the privacy and data security area, this challenge is especially great for the numerous small and mid-sized businesses which may not have the personnel or other resources to keep abreast of either legal mandates or best practices. To reach those audiences, governmental agencies do well to partner with regional and local trade groups and educational institutions (such as Touro Law's Institute for Business, Law and Technology) to help spread the word.

Tuesday, September 11, 2012

Welcome to the new privacy and technology law blog published by the Institute for Business, Law and Technology (“IBLT”) at Touro College Jacob D. Fuchsberg Law Center in Central Islip, NY. This blog will highlight legal developments and discuss best practices in business privacy, data protection, and the intersection of business, law and technology. Our posts, which will be written by faculty and students at Touro Law Center, including the IBLT’s director, Prof. Jonathan I. Ezor, and the IBLT’s student Entrepreneurship Initiative Fellows. We welcome your thoughts and comments at iblt@tourolaw.edu, and you can also follow the IBLT on Twitter and Facebook.