IBLT Scholar in Residence Mark Zaid Speaks to Touro Law Cybercrime Students

On October 28, 2013, attorney Mark S. Zaid came to Touro College Jacob D. Fuchsberg Law Center as the first Scholar in Residence for the Center for Innovation in Business, Law and Technology ("IBLT"). As part of his visit, he spoke to the two sections of students taking the Cybercrime course:

You can also listen to audio from Mark's presentation to the Touro Law faculty here.

Warner Bros./DC Comics Win Another Superman Copyright Battle

 (https://www.facebook.com/superman)

On November 22, 2013, the Ninth Circuit Court of Appeals ruled that the estate of Joe Shuster has no claim to the copyright in the famed Superman comic book character, granting full rights to DC Comics and its parent company Warner Brothers.  Joe Shuster, along with his partner Jerry Siegel, created Superman in the early 1930s but sold their rights to the character in 1938 to Action Comics for a mere $130.  In 1947, the pair sued Action Comics in an effort to re-establish ownership of the intellectual property rights to Superman, claiming that the 1938 contract should be made void.  The court, however, disagreed and upheld the contract.   In 1973, Siegel and Shuster filed another lawsuit against the company (since renamed DC Comics) based on the Copyright Act of 1909.  This Act granted copyrights for 28 years, with allowance for an additional renewal for another period of 28 years.  Siegel and Shuster claimed that they had granted DC comics the copyright for only 28 years, without an allowance for renewal.  Again the court disagreed and ruled in favor of DC Comics.

A few years later, the Copyright Act of 1976 went into effect.  A key clause of the Act provided a window for former copyright holders to reassert their copyright interest in works they assigned prior to 1976.  Though the Act extended the copyright term from 56 years to 50 years beyond the death of the author, the Act stipulated that the original authors or their heirs could reclaim any assigned works once the copyright reached its 56th year, as long as the rights were reasserted within 5 years of that date.  For the Superman character, this meant the window for reassertion would open in 1995.  However, Joseph Shuster passed away in 1992.  That same year, DC Comics entered into an agreement with Shuster’s estate in which the estate would release any and all claims in the Superman copyright and re-grant all of Joe Shuster’s copyright claims to DC in exchange for a lifetime pension of $25,000 a year.  Jerry Siegel was not a member to that agreement.

In 1996, Jerry Siegel passed away.  His estate subsequently filed a copyright termination notice in 1997, with an effective date of 1999.  On October 16, 2001, DC offered the Siegel family a $1 million signing bonus and 6% royalties of DC’s gross profits from the use of the Superman copyright, as well as medical and dental benefits to the Siegel family.  However, DC then offered another agreement, which the Siegel’s promptly refused.  The Siegel estate and DC have since been embroiled in litigation as to which, if any, settlement was binding.  In 2008, the U.S. District Court issued a summary judgment in favor of the Siegel family, awarding them the copyright to Superman.  But, DC quickly appealed and obtained a reversal of this decision in the Ninth Circuit Court of Appeals, which found the October 16, 2001 agreement to be binding.  As a result, DC Comics has been assigned Siegel’s 50% interest in the Superman character and Siegel’s estate was awarded its monetary claims under the October 16, 2001 agreement.

In 2003, Shuster’s estate filed a copyright termination notice against DC Comics seeking to reclaim the copyrights to Superman that Shuster had assigned to DC Comics in 1938.  The claim was based on a clause of the Copyright Act, which permitted the filing of copyright termination notices to terminate assignments executed before January 1, 1978.  DC responded in court that the 1992 agreement between itself and Shuster’s estate rendered the termination notice invalid because it superseded the 1938 agreement.  In essence, DC claimed the 1992 agreement created a new assignment and left no pre-1978 assignment to terminate.  A California District Court agreed with DC and the Ninth Circuit Court of Appeals upheld the District Court’s ruling.

The Court of Appeals’ opinion on Shuster’s claims can be found here.

The settlement agreements between DC Comics and both the Shuster estate and the Siegel estate can be found here.

(Blog entry written by Alex Diamond, IBLT/Carter DeLuca Entrepreneurship Support Fellow for the Fall 2013 semester)

GoldieBlox Backs Down From Beastie Boys' Copyright Claim

                            (www.beastieboys.com)                                              (www.goldieblox.com)

It appears that the legal battle between GoldieBlox and the Beastie Boys is over almost as quickly as it had begun.  The conflict began when GoldieBlox, a toy manufacturer that creates engineering and construction toys specifically targeted to girls, released a viral video parodying the Beastie Boys’ song “Girls.”  The video served as an advertisement for GoldieBlox toys while attempting to inspire young girls to become future engineers.  The parody included an elaborate Rube Goldberg machine with a parody of the song “Girls” playing in the background.  The song featured a new recording of the music and a revised set of lyrics declaring that “(Girls) can engineer that.” 

Shortly after the video was released, the Beastie Boys sent letters to GoldieBlox accusing the company of copyright infringement.  In response, on November 21, 2013, GoldieBlox filed suit against the Beastie Boys in California District Court seeking a declaratory judgment allowing the company to use the parody song under the Fair Use Doctrine.  Under 17 U.S.C. §107, the Fair Use Doctrine allows a copyrighted work to be reproduced for purposes such as criticism, comment, news reporting, teaching, or research.  Also according 17 U.S.C. §107, in determining whether the Fair Use Doctrine applies to a particular case, the following factors are to be considered:

1. The purpose and character of the use, including whether such use is of a commercial nature or is for nonprofit educational purposes.
2. The nature of the copyrighted work. 
3. The amount and substantiality of the portion used in relation to the copyrighted work as a whole; and 
4. The effect of the use upon the potential market for a value of the copyrighted work.

However, before the court could decide whether the parody was legal under the Fair Use Doctrine, GoldieBlox changed their position.  In an open letter to the Beastie Boys on the GoldieBlox website, the company apologized to the group and removed the song from their advertisement.

GoldieBlox's complaint can be found here.

GoldieBlox's open letter apology to the Beastie Boys can be found here.

(Blog entry written by Alex Diamond, IBLT/Carter DeLuca Entrepreneurship Support Fellow for the Fall 2013 semester)

EU Calls for US to Restore Privacy Trust But Maintains Safe Harbor

On November 27th, 2013, the European Commission announced that it would not suspend the safe harbor agreement between the EU and the United States that has allowed cross-border personal data transfers between the two jurisdictions since 2000. The announcement followed the Edward Snowden revelations of U.S. surveillance activities, which prompted a number of public calls for suspension of the safe harbor by EU member states and statements by EU officials condemning the U.S.' reported practices.

In preserving (for now) the Safe Harbor, the EC nonetheless called for changes to U.S. governmental practices in order to "restore trust in EU-U.S. data flows." It released a Communication (strategy paper) on data flows between the regions, an analysis of how the Safe Harbor has functioned (and where it has failed), and other documents supporting its position. In the accompanying press release, the EC called for action in six key areas:

• A swift adoption of the EU's data protection reform: the strong legislative framework, as proposed by the European Commission in January 2012 (IP/12/46), with clear rules that are enforceable also in situations when data is transferred and processed abroad is, more than ever, a necessity. The EU institutions should therefore continue working towards the adoption of the EU data protection reform by spring 2014, to make sure that personal data is effectively and comprehensively protected (see MEMO/13/923). 

• Making Safe Harbour safer: the Commission today made 13 recommendations to improve the functioning of the Safe Harbour scheme, after an analysis also published today finds the functioning of the scheme deficient in several respects. Remedies should be identified by summer 2014. The Commission will then review the functioning of the scheme based on the implementation of these 13 recommendations. 

• Strengthening data protection safeguards in the law enforcement area: the current negotiations on an “umbrella agreement” (IP/10/1661) for transfers and processing of data in the context of police and judicial cooperation should be concluded swiftly. An agreement must guarantee a high level of protection for citizens who should benefit from the same rights on both sides of the Atlantic. Notably, EU citizens not resident in the U.S. should benefit from judicial redress mechanisms. 

• Using the existing Mutual Legal Assistance and Sectoral agreements to obtain data: The U.S. administration should commit to, as a general principle, making use of a legal framework like the mutual legal assistance and sectoral EU-U.S. Agreements such as the Passenger Name Records Agreement and Terrorist Financing Tracking Programme whenever transfers of data are required for law enforcement purposes. Asking the companies directly should only be possible under clearly defined, exceptional and judicially reviewable situations. 

• Addressing European concerns in the on-going U.S. reform process: U.S. President Obama has announced a review of U.S. national security authorities’ activities. This process should also benefit EU citizens. The most important changes should be extending the safeguards available to US citizens to EU citizens not resident in the US, increased transparency and better oversight. 

• Promoting privacy standards internationally: The U.S. should accede to the Council of Europe’s Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (“Convention 108”), as it acceded to the 2001 Convention on Cybercrime. 

The complete collection of the EC's materials accompanying the announcement may be found here.

Innovative Smartguns May Trigger New Jersey Gun Law

Picture from- http://www.ohgizmo.com/2006/01/16/a-biometric-smart-gun/

Groundbreaking developments in firearm technology may set into motion a decade-old New Jersey gun law.  Several firearms manufacturers have successfully created a “smart gun,” a gun that can only be fired when in the right hands.  In December of 2002, New Jersey’s then governor James E. McGreevey enacted legislation requiring all handguns sold in the state of New Jersey to be smart guns within three years of the technology being readily available.  Now, with smart guns (also known as personalized guns) currently being manufactured and sold throughout Europe, it appears that smart gun technology is in fact readily available. 

While several companies have successfully created smartguns, each uses different technology and processes.  For example, Armatix, a Germany-based company uses radio frequency technology in its .22-caliber pistol.  The pistol only activates if the holder is wearing a corresponding radio controlled watch.  As soon as the gun loses radio contact with the watch, the gun automatically deactivates itself and cannot be fired.  The gun’s safety mechanism can be activated and deactivated with a PIN code entered through the watch, though the safety mechanism can also be activated and deactivated manually.  Similarly, an Ireland-based company called Triggersmart has developed a comparable radio technology that they intend to license to gun manufacturers.  Like the Armatix smartgun, the Triggersmart gun can only be fired if the holder is wearing a corresponding radio transmitter, in this case a ring.  However, the company also offers radio frequency chips for subdermal implantation.  Another company, Kodiak Arms, an American company based in Utah, manufactures a gun that uses a fingerprint locking system.  The gun, dubbed the “Intelligun,” has a thumbprint scanner on the gun handle, and can only fire when the owner’s thumbprint remains in contact with the scanner.  The gun owner can authorize others to be able to use the gun as well.  Kodiak Arms says the Intelligun will be in full production by the end of 2013.  Meanwhile, researchers at the New Jersey Institute of Technology are in the process of developing a smart gun that recognizes the size and shape of the hand holding the gun, as well as the pressure applied by the hand. 

For New Jersey’s ban on the sale of ordinary handguns to go into effect, New Jersey’s Attorney General must report to the Governor and the legislature that a manufacturer has delivered at least one production model of a personalized handgun to a registered firearms dealer in the U.S.  According to New Jersey statute a personalized handgun means “a handgun which incorporates within its design, and as part of its original manufacture, technology which automatically limits its operational use and which cannot be readily deactivated, so that it may only be fired by an authorized or recognized user.”  Also, “no make or model of a handgun shall be deemed to be a ‘personal handgun’ unless the Attorney General has determined, through testing or other reasonable means, that the handgun meets any reliability standards…” Twenty-four months after this initial delivery, New Jersey’s Attorney General must direct the Superintendent of State Police to compile a list of smartguns that may be sold in the state.  A copy of this list will then be made available to registered and licensed firearms dealers in New Jersey.  The Attorney General must also create rules and regulations for establishing a process for future handgun manufacturers to demonstrate that their handguns meet New Jersey’s statutory definition of a personalized handgun.  Six months after the compilation of the list of personalized handguns which may be sold in the state, no person, retailer, or wholesaler can sell non-personalized handguns in the state of New Jersey.  However, this ban on non-personalized handguns does not apply to federal, state and local law enforcement officers or members of the Armed Forces.  Also, New Jersey residents who obtained a non-personalized handgun prior to the enactment of this ban will not be required to vacate their firearms.

Though personalized handguns are available online from European manufacturers, they are not yet available through U.S. distributors.  However, with both Kodiak Arms and Armatix claiming that they will have a personalized handgun on the shelves at the end of this year, it appears that New Jersey’s ban on non-personalized handgun may soon go into motion, possibly culminating in 2016.

The entire text of New Jersey’s personalized-gun legislation can be found here.

(Blog entry written by Alex Diamond, IBLT/Carter DeLuca Entrepreneurship Support Fellow for the Fall 2013 semester)

Samsung Fined by Taiwan’s Fair Trade Commission for Astroturfing

On October 24, 2013, Taiwan’s Fair Trade Commission announced that Samsung was being fined 10 million New Taiwan Dollars for paying others to post negative comments about a business competitor on the Internet.  This act of masking paid content under the guise of Internet comments, blog posts, tweets, and other "grassroots" communications is known as “astroturfing.”  The fine equals roughly 340,000 U.S. Dollars.

Taiwan’s Fair Trade Commission opened its investigation of Samsung in April of 2013 amid allegations that the company was implementing deceptive advertising practices.  In particular, Samsung was alleged to have hired students to post negative reviews of rival handset-producer HTC while posting positive reviews of Samsung’s products.  At the time the investigation was announced in April of 2013, Samsung posted the following statement on its Facebook page, apologizing for any illegalities possibly committed by the company:

Samsung Electronics remains committed to engaging in transparent and honest communications with consumers as outlined in the company’s Online Communications Credo. We have encouraged all Samsung Electronics employees worldwide to remain faithful to our Credo. The recent incident was unfortunate, and occurred due to insufficient understanding of these fundamental principles.

Samsung Electronics Taiwan (SET) has ceased all marketing activities that involve the posting of anonymous comments, and will ensure that all SET online marketing activities will be fully compliant with the company's Online Communications Credo.

We regret any inconvenience this incident may have caused. We will continue to reinforce education and training for our employees to prevent any future recurrence.

As expected, the ensuing investigation found the allegations of astroturfing to be true with Samsung hiring a large number of writers to post negative comments about competitors in Taiwanese forums while heaping false praise on Samsung.  Taiwan’s Fair Trade Commission also levied fines on two Taiwanese marketing firms for a combined total of $100,000 for their part in the scheme.

This is not the first time Samsung has been implicated in astroturfing. In fact, this past August Samsung was accused of paying developers to promote an upcoming developer competition on the online community Stack Overflow.  However, Samsung claimed they were unaware that a public relations firm was offering cash on their behalf and the PR firm corroborated Samsung’s claim.

Via TheVerge.com

(Blog entry written by Alex Diamond, IBLT/Carter DeLuca Entrepreneurship Support Fellow for the Fall 2013 semester)

Proposed USA FREEDOM Act Seeks to Limit NSA’s Reach

Photo courtesy of Electronic Frontier Foundation 
(https://supporters.eff.org/shop/illegal-spying-eagle-sticker)

 On October 29, 2013, Senator Patrick Leady (D-VT) and Representative Jim Sensenbrenner (R-WI) introduced a new NSA reform bill into both the House of Representatives and the Senate.  As of this writing, the act has 16 co-sponsors in the Senate and over 70 in the House.  The bill is called the Uniting and Strengthening America by Fulfilling Rights and Ending Eavesdropping, Dragnet-collection and Online Monitoring Act, or the USA FREEDOM ACT for short.  The goal of the act is to drastically limit the ability of the National Security Agency to collect information of United States citizens.  As stated in the bill’s official summary:

The bipartisan, bicameral USA FREEDOM Act will rein in the dragnet collection of data by the National Security Agency (NSA), increase the transparency of Foreign Intelligence Surveillance Court (FISA Court) decision-making, provide businesses the ability to release information regarding FISA requests, create an independent advocate to argue cases before the FISA Court, and impose new and shorter sunsets on controversial surveillance authorities.

Introduction of the bill comes amidst increasing concern of the NSA’s surveillance practices conducted on both American soil and abroad.   Prior to the leak committed by former intelligence analyst Edward Snowden last spring, the true scope of the NSA’s operations was unknown.  Now, it has been revealed that many of the NSA’s operations are being conducted with little judicial oversight and may even breach constitutional boundaries.  So far, Snowden’s leak has revealed that the NSA collects the metadata of millions of American citizens.  Metadata is information about the time and location of a phone call or email.  Though the contents of the call or email are not surveyed, it has been argued that collecting metadata infringes on Americans expectations of privacy and can reveal facts many citizens would not wish to disclose.  Also, pursuant to the 2008 FISA Amendments Act, these collections can be conducted without a warrant as long as one end of the communications is a non-US citizen, or if surveillance is sought over a US citizen located outside the country.  For matters concerning U.S. citizens at home, the NSA must request a warrant from a FISA (Foreign Intelligence Surveillance Act) court.  The FISA court sits ex parte- meaning that only the judge and the government are present at the hearings.  There is no attorney present to advocate against the granting of a surveillance warrant.  Since the court was established in 1978, the court has rejected only .03% of all government surveillance requests.

It has furthermore been revealed that through a program known as PRISM, the agency can collect data from major Internet companies such as Google, Facebook, Apple, Yahoo, and Skype.  Through PRISM, the NSA can collect content such as e-mail, videos, photos, file transfers, social network details, and even voice samples.  Many of these Internet companies claim that they are compelled by law to release this data in cooperation with the NSA, and have lobbied Congress for the right to disclose to the public exactly how many of its members are affected by the NSA’s data collection requests.  The goal of this transparency is to help the Internet companies regain the trust of its users and dispel any notions that the government has direct access to these companies’ servers.

Ironically, much of the NSA’s current powers were granted under the Patriot Act of 2001, which was written in part by Representative Jim Sensenbrenner, co-writer of the USA FREEDOM Act.  The USA FREEDOM Act seeks to limit the scope of the NSA’s powers by amending certain sections of the Patriot Act as well as the Foreign Intelligence Surveillance Act (FISA).  The act seeks to end the bulk collection of American metadata, place a “Special Advocate” to be present at FISA court hearings to dispute government surveillance requests, and allow companies to disclose an estimate of the number of FISA orders and National Security Letters they have received, the number they complied with, and the number of users and accounts impacted.  

The USA FREEDOM ACT’s complete text can be found here.

(Blog entry written by Alex Diamond, IBLT/Carter DeLuca Entrepreneurship Support Fellow for the Fall 2013 semester)

A Pair of Patent Reform Bills Seek to Deter Patent Trolls

Illustration by David Saracino/New York Observer

On October 23, 2013, Representative and chairman of the House Judiciary Committee Bob Goodlatte (R-Va.) introduced a patent reform bill to the House of Representatives. The legislation is known as the Innovation Act and is co-sponsored by Democrats and Republicans alike. The bill seeks to curb abusive patent litigation most commonly associated with patent trolls. A patent troll (also known as a non-practicing entity or a patent assertion entity) refers to a patentee that does not make products or practice its own inventions and instead files suit against infringers to recoup royalties. A patent troll acquires patents solely for the purpose of extracting payments from alleged infringers and its entire business model centers on patent litigation. These non-practicing entities use the high cost of patent litigation as a threat to demand quick settlements. According to a May 2013 press release by New York Senator Charles Schumer:

In 2011 alone, patent trolls cost operating companies $29 billion. Under current law, a company hit with a patent suit only has two options – pay to defend the suit or pay a licensing fee or settlement agreement to make the suit go away. Both options are highly costly – the average troll settlement costs a small or medium company $1.33 million, while an in-court defense would cost the same company an average of $1.75 million per case.
Specifically, this has been an enormous problem among technology start-up companies: 62% of patents asserted by trolls from 1990-2010 were software patents; 75% were in computer and communications technology. And this is a particular problem for small businesses: 82% of companies targeted by trolls of annual revenues less than $100 million.

Furthermore, according to the Electronic Frontier Foundation, patent trolls only win 9.2% of the cases that are brought to judgment.

To stymie patent trolls from filing frivolous suits the Innovation Act has several key provisions pertaining to patent litigation. One such provision seeks to implement fee shifting in patent cases. Under current patent laws, each party to a patent litigation pays its own legal fees, regardless of the case’s outcome. However, the Innovation Act will allow courts to order the losing party to pay the victor’s legal fees. This would encourage defending companies with little money to take on the patent-assertion entities in court.

The Innovation Act will also allow manufacturers to defend their customers in patent litigation. This is in direct response to a familiar tactic employed by patent-assertion entities: instead of filing suit against a major manufacturer with the funds and ability to respond to the patent trolls in court, a patent troll will file suit against the manufacturer’s less wealthy customers. By allowing a manufacturer to defend their customers in patent litigation, the extent of financial resources available to the original defendant becomes a non-factor.

In addition, the Act requires a patent holder filing a lawsuit to disclose the names of everyone who has a financial interest in the affected patents. Often, a patent assertion entity is a shell corporation that is part of a much larger entity. These larger entities use these shell corporations to shield themselves from bad publicity. Requiring full disclosure of all those who have a financial interest in the affected patents will promote transparency and may discourage companies from filing frivolous lawsuits.

Furthermore, the Patent Litigation Integrity Act, brought before the Senate on October 30, 2013 by Senator Orrin Hatch (R-Utah) seeks to place even higher financial burdens on patent-assertion entities. The main provision of the Patent Litigation Integrity Act takes the fee-shifting provision of the Innovation Act one step further. Under the Patent Litigation Integrity Act, the company being sued could ask the court to require the company bringing the suit to post a bond for the cost of the defendant’s legal fees.

The full text of the Innovation Act can be found here.

The full text of the Patent Litigation Integrity Act can be found here.

(Blog entry written by Alex Diamond, IBLT/Carter DeLuca Entrepreneurship Support Fellow for the Fall 2013 semester)

FAA Now Permits Use of Electronic Devices During Takeoff and Landing

The Federal Aviation Administration ("FAA") announced on October 31, 2013 that it would revise its rules regarding passenger use of personal electronic devices ("PEDs") during takeoffs and landings of commercial flights. According to the FAA's press release, the new rules would permit airlines to themselves determine whether or not to permit passengers to use PEDs, although the timing and details could vary among the airlines. These new rules, though, do not include permitting passenger use of the cellular radios in PEDs; these remain prohibited during all phases of flights.

The FAA's release included some guidance for passenger as well:

Top Things Passengers Should Know about Expanded Use of PEDs on Airplanes:

1. Make safety your first priority.
2. Changes to PED policies will not happen immediately and will vary by airline. Check with your airline to see if and when you can use your PED.
3. Current PED policies remain in effect until an airline completes a safety assessment, gets FAA approval, and changes its PED policy.
4. Cell phones may not be used for voice communications.
5. Devices must be used in airplane mode or with the cellular connection disabled. You may use the WiFi connection on your device if the plane has an installed WiFi system and the airline allows its use. You can also continue to use short-range Bluetooth accessories, like wireless keyboards.
6. Properly stow heavier devices under seats or in the overhead bins during takeoff and landing. These items could impede evacuation of an aircraft or may injure you or someone else in the event of turbulence or an accident.
7. During the safety briefing, put down electronic devices, books and newspapers and listen to the crewmember’s instructions.
8. It only takes a few minutes to secure items according to the crew’s instructions during takeoff and landing.
9. In some instances of low visibility – about one percent of flights – some landing systems may not be proved PED tolerant, so you may be asked to turn off your device.
10. Always follow crew instructions and immediately turn off your device if asked.

The complete set of PED materials is available on the FAA Web site.

Facebook Loosens Privacy Policy for Teens

On October 16, 2013, Facebook gave teenagers (age 13-17) the option of sharing their videos, pictures, and status updates with the general public. Previously, people aged 13-17 only had the option of sharing with people designated as “Friends” of their social network and “Friends of Friends.” In a statement on Facebook’s website, the company touted the new freedoms it was affording its teenage users:

Teens are among the savviest people using social media, and whether it comes to civic engagement, activism, or their thoughts on a new movie, they want to be heard. So, starting today, people aged 13 through 17 will also have the choice to post publicly on Facebook.

Teenagers will also be able to turn on the “Follow” feature for their profile, allowing any Facebook member (Friends or otherwise) to see the teen’s public posts in the main news feed. To balance these less strict settings, Facebook has implemented two new privacy protection measures for teenagers as well. Now, when a teenager signs up for a Facebook account, by default their posts will only be shown to their “Friends.” Previously, posts where shown to “Friends” and “Friends of Friends” by default. Also, when a teen chooses to share their posts with the general public, they will be presented with a pair of warnings. One warning reads:

Did you know that public posts can be seen by anyone, not just people you know?


You and any friends you tag could end up getting friend requests and messages from people you don’t know personally.

Following acceptance of the above warning, the user will be presented with another warning, which states:

Tip: Sharing with Public means anyone (not just people you know) may see your post.

It is likely that Facebook has opted to ease the privacy restrictions on teenagers to compete with other social networks such as Twitter and Tumblr, which allow teenagers to share with the public. In Facebook’s 10-K Report filed with the Securities Exchange Commission last February, the company expressed concerns that “younger users, are aware of an actively engaging with other products and services similar to, or as a substitute for, Facebook.”


Critics fear that Facebook’s new policy affords teenagers too much freedom and puts them at risk. Indeed, users who choose to share with the general public run the risk of being contacted and/or solicited by complete strangers. Also, teenagers that choose to share their images, statuses, and videos with the general public are burdened with the fact that any ill-advised posts may come back to haunt them, either professionally or otherwise.

(Blog entry written by Alex Diamond, IBLT/Carter DeLuca Entrepreneurship Support Fellow for the Fall 2013 semester)

Ezor on Secure Times: Recent FTC Actions and Statements Show Continuing Focus on Privacy

IBLT Director Jonathan I. Ezor is blogging this week at the American Bar Association Privacy & Security Law Committee's Secure Times blog. His first contribution is below:

Recent FTC Actions and Statements Show Continuing Focus on Privacy

The Federal Trade Commission has long taken a lead role in issues of privacy and data protection, under its general consumer protection jurisdiction under Section 5 of the FTC Act (15 U.S.C. §45) as well as specific legislation such as the Children's Online Privacy Protection Act of 1998 ("COPPA") (which itself arose out of FTC reports). The FTC continues to bring legal actions against companies it believes have improperly collected, used or shared consumer personal information, including the recent settlement of a complaint filed against Aaron's, Inc., a national rent-to-own retail chain based in Atlanta, GA. In its October 22, 2013 press release announcing the settlement, the FTC described Aaron's alleged violations of Section 5:

Aaron’s, Inc., a national, Atlanta-based rent-to-own retailer, has agreed to settle FTC charges that it knowingly played a direct and vital role in its franchisees’ installation and use of software on rental computers that secretly monitored consumers including by taking webcam pictures of them in their homes. According to the FTC’s complaint, Aaron’s franchisees used the software, which surreptitiously tracked consumers’ locations, captured images through the computers’ webcams – including those of adults engaged in intimate activities – and activated keyloggers that captured users’ login credentials for email accounts and financial and social media sites.... The complaint alleges that Aaron’s knew about the privacy-invasive features of the software, but nonetheless allowed its franchisees to access and use the software, known as PC Rental Agent. In addition, Aaron’s stored data collected by the software for its franchisees and also transmitted messages from the software to its franchisees. In addition, Aaron’s provided franchisees with instructions on how to install and use the software. The software was the subject of related FTC actions earlier this year against the software manufacturer and several rent-to-own stores, including Aaron’s franchisees, that used it. It included a feature called Detective Mode, which, in addition to monitoring keystrokes, capturing screenshots, and activating the computer’s webcam, also presented deceptive “software registration” screens designed to get computer users to provide personal information.

The FTC's Consent Order Agreement with Aaron's includes a prohibition on the company using keystroke- or screenshot-monitoring software or activating the consumer's microphone or Web cam and a requirement to obtain express consent before installing location-tracking technology and provide notice when it's activated. Aaron's may not use any data it received through improper activities in collections actions, must destroy illegally obtained information, and must encrypt any transmitted location or tracking data it properly collects. The FTC is also continuing its efforts to educate and promote best practices about privacy for both consumers and businesses. On October 28, 2013, FTC Commissioner Julie Brill published an opinion piece in Advertising Age magazine entitled Data Industry Must Step Up to Protect Consumer Privacy. In the piece, Commissioner Brill criticizes data collection and marketing firms for failing to uphold basic privacy principles, and calls on them to join an initiative called "Reclaim Your Name" which Commissioner Brill announced earlier this year. Brill writes in AdAge:

The concept is simple. Through creation of consumer-friendly online services, Reclaim Your Name would empower the consumer to find out how brokers are collecting and using data; give her access to information that data brokers have amassed about her; allow her to opt-out if a data broker is selling her information for marketing purposes; and provide her the opportunity to correct errors in information used for substantive decisions. Improving the handling of sensitive data is another part of Reclaim Your Name. Data brokers that participate in Reclaim Your Name would agree to tailor their data handling and notice and choice tools to the sensitivity of the information at issue. As the data they handle or create becomes more sensitive -- relating to health conditions, sexual orientation and financial condition, for example -- the data brokers would provide greater transparency and more robust notice and choice to consumers.

For more information on the FTC's privacy guidance and enforcement, see the privacy and security section of the FTC Web site.

via The Secure Times

Legal Aid Society of San Mateo CA Suffers Data Breach Including Health Info

On October 10, 2013, the Legal Aid Society of San Mateo County, California sent out a letter notifying potential victims of a data breach suffered by the Society. As the letter states,

On the night of August 12, 2013, our office was burglarized and ten of our laptops were stolen. The stolen laptops were used by our attorneys to assist individuals in getting services. We believe that your personal information may have been stored on the stolen laptops. The personal information believed to be stored on the stolen laptops includes your name, Social Security number, date of birth, medical and health information.

What makes this data breach particularly noteworthy is that, although it occurred at a legal aid organization, the information stolen reportedly included health information. The notice does not discuss how and why health information might have been collected and stored by LASSMC; it may relate to the Society's health advocacy services.

Beyond the immediate impact on the LASSMC clients and others whose stolen personal information may be misused, this incident serves as a reminder that even non-medical professionals may hold, and must keep safe, health information. Even where the formal privacy and security requirements of HIPAA may not directly apply, organizations may still need to comply with HIPAA's Business Associates rules as well as general consumer protection obligations. Attorneys in particular should be aware not only of these requirements, but of their ethical obligations to keep client information confidential, which may further be relevant in a data breach situation.

The California Attorney General's list of reported data breaches may be found here; the LACSSMC letter and information is at this link.

Got an Internet Business Law Question? Ask the IBLT!

The Touro Law Center for Innovation in Business, Law and Technology ("IBLT") proudly announces "Ask the IBLT," a new initiative to help entrepreneurs and others better understand the business-critical issues of Internet-related law and risk management. Anyone can e-mail a question to asktheiblt@tourolaw.edu. The IBLT will provide answers (prepared by Touro Law students and IBLT faculty affiliates) through its blog, YouTube channel, Google+ page, Facebook page, Twitter account and other channels.

Among the topics for questions for the IBLT are:

• Privacy and data breaches
• Social media use (and misuse)
• Intellectual property (copyright, trademark, patent, trade secrets)
• Online advertising and marketing
• Affiliate programs
• Sweepstakes, contests and other prize promotions
• Cybercrime
• Crowdsourcing
• Crowdfunding
• International law

"Ask the IBLT is just one part of our overall mission to educate our students and the business and legal communities about these new and evolving areas of law and risk," says Prof. Jonathan I. Ezor, director of the IBLT. "We can't answer every question, and we won't be giving specific legal advice. Instead, we're answering those questions that apply to the most organizations, and offering information and links to resources they can use to succeed and grow while avoiding the biggest pitfalls of doing business online."

Title II of the JOBS Act Goes into Effect: Golden Age of Venture Capital or the Opening of Pandora’s Box?

On September 23, a major legislative overhaul went into effect in an attempt to help entrepreneurs and start up companies raise money for new ventures.  The new legislation is Title II of the 2012 Jumpstart Our Business Start-Ups (JOBS) Act.  Title II permits start-ups and small businesses to publicly advertise their fundraising efforts and ask for equity investments without registering shares for sale.  Companies can use digital public media such as Facebook or Twitter to help spread the word as well as more conventional media like newspapers and radio.  However, only accredited investors (those making more than $200,000 a year or those with a personal net worth of more than $1 million) may actually invest in these companies.
Title II of the JOBS Act effectively gives companies access to a much broader array of potential investors than ever before.  For the past 80 years, it has been illegal for startups (or any private company for that matter) to notify the public that they are looking to raise investment capital.  The law forbidding public solicitation was enacted during the Great Depression to protect consumers from scams and fraud.  As of September 23, however, general advertising and solicitation of the public are fair game.  All a company must do to begin soliciting openly both online and offline is file with the SEC and disclose their fundraising methods within 15 days of soliciting.
There is much value to be had from the new law.  Indeed, the funding process will no doubt be accelerated, as companies can reach out to more potential investors than ever before.  This augmented process will also allow founders and CEOs to focus more of their time on the actual execution of their business as opposed to expending all of their energy on fundraising efforts.  Investors, too, will benefit from being exposed to more investment opportunities.
Some critics have argued that this deregulation of equity investment will unleash a plethora of swindlers and devious con artists looking to defraud the less savvy investor.  It’s true that restricting investments only to “accredited investors” acts as a safeguard to protect against potential fraud; the idea being that more savvy investors are less likely to invest in dubious ventures.  However, Title III of the JOBS Act, which is likely to go into effect sometime in 2014, will allow non-accredited investors to participate as well.
It remains to be seen whether the critics’ fears of rampant fraud will come to fruition or if Title II of the JOBS Act will herald a golden age for start-up companies.

(Blog entry written by Alex Diamond, IBLT/Carter DeLuca Entrepreneurship Support Fellow for the Fall 2013 semester)

FBI Shuts Down Digital Black Market “Silk Road,” Seize Millions of Bitcoins

On October 2, 2013 the FBI arrested the alleged owner and operator of an illicit website that facilitated the sale of drugs, stolen bank information, hacking tools, firearms, and countless other illegal products and services.  The website, known as “Silk Road,” functioned as a black-market eBay, connecting buyers and suppliers through a seemingly untraceable underground website.  Before it was seized and shut down by the United States government, Silk Road was a massive criminal enterprise that generated $1.2 billion in sales over the course of only two years.  The site enabled several thousand drug dealers and other criminal vendors from over ten countries to conduct transactions anonymously over the Internet.  The alleged mastermind of Silk Road is 29-year old Ross Ulbricht, a former physicist who went by the username “Dread Pirate Roberts,” a reference to the movie, “The Princess Bride.”  Ulbricht made approximately $88 million by charging a commission for every transaction conducted on Silk Road.  As owner and operator of Silk Road, Ulbricht is accused by U.S. Attorneys of narcotics trafficking conspiracy, computer hacking conspiracy, and money laundering conspiracy.  It is also believed that Ulbricht had hired a hitman to execute two people, one a former employee, and the other, a man attempting to blackmail Ulbricht.

Silk Road operated on the “Deep Web,” an area that cannot be found using standard search engines like Google or Yahoo.  Silk Road operated on the “Tor” network, (a.k.a “The Onion Network”) a special network on the Internet designed to mask users’ IP addresses, making it nearly impossible to physically locate the computers hosting or accessing websites on the network.  To access the site, a user would first download the necessary Tor browser software, usually available for free.  From there a user would simply type in the Silk Road’s “.onion” address into their newly downloaded Tor browser.  However, one could not simply stumble upon Silk Road while using a search engine, even if they were using Tor browser software.  The actual Silk Road’s domain name had to be discovered, either through word-of-mouth or by searching Internet forums and chatrooms.

To further ensure anonymity, the only currency permitted on Silk Road was Bitcoins, a new form of virtual currency.  It is an anonymous, decentralized form of electronic currency, not backed by any government or bank.  The currency does not have any tangible form and instead exists only on the Internet.  Bitcoins are legal and can typically be purchased from Bitcoin exchanges, such as www.Mtgox.com.  These exchanges also allow users to exchange their Bitcoins for conventional currency, which is valued based on a fluctuating exchange rate. The number of Bitcoins in existence is limited, however, at 21 million (though only 11.7 million are currently in circulation), to protect its value from inflation.  Each individual Bitcoin is represented by a unique online registration number, 64 digits long.  To receive a Bitcoin a user must also have a Bitcoin address, a randomly generated string of 27-34 numbers and letters.  This address acts as a virtual mailbox to and from which Bitcoins are delivered.  There is no registry of these virtual Bitcoin mailboxes, which allows users to remain anonymous.  However, all Bitcoin transactions are recorded to a public ledger known as the “Blockchain,” although the ledger only illustrates the movement of funds between anonymous Bitcoin addresses.  This prevents a user from spending the same Bitcoin more than once.

As this investigation proves, however, maintaining anonymity on the Web, even the Deep Web, is no easy task.  The FBI was able to trace and finally arrest Ulbricht by scouring Internet forums.  After identifying the first ever mention of Silk Road in a forum, the Feds proceeded on a hunch that this initial post originated from or would lead to Silk Road’s founder.  The FBI was correct in its assertion and was able to uncover and track countless communications from Ulbricht regarding his operation of this digital black market.  This investigation also demonstrates that Bitcoins are not untouchable.  The FBI has thus far seized Bitcoins from Silk Road worth approximately $3.6 million as a result of this investigation.  In turn, the value of the Bitcoin dropped about 20% when the news of Silk Road’s shutdown was first announced, October 2, 2013.  It has since clambered back in value, though not to its previous levels.

 

The entire copy of the Federal complaint against Ross Ulbricht and Silk Road can be found here.

(Blog entry written by Alex Diamond, IBLT/Carter DeLuca Entrepreneurship Support Fellow for the Fall 2013 semester)

Photocopier Hard Drives Cause Breach Yielding $1.2 Million HIPAA Settlement

On August 14, 2013, the Office of Civil Rights for the U.S. Department of Health and Human Services ("HHS OCR") announced a $1.2 million settlement with Affinity Health Plan for violations of the privacy and security rules under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"). According to the HHS OCR press release, the violation arose when Affinity disposed of photocopiers with built-in hard drives which still contained images of patient records that had been photocopied on the devices:

Affinity filed a breach report with the HHS Office for Civil Rights (OCR) on April 15, 2010, as required by the Health Information Technology for Economic and Clinical Health, or HITECH Act. The HITECH Breach Notification Rule requires HIPAA-covered entities to notify HHS of a breach of unsecured protected health information. Affinity indicated that it was informed by a representative of CBS Evening News that, as part of an investigatory report, CBS had purchased a photocopier previously leased by Affinity. CBS informed Affinity that the copier that Affinity had used contained confidential medical information on the hard drive.

Afinity estimated that up to 344,579 individuals may have been affected by this breach. OCR’s investigation indicated that Affinity impermissibly disclosed the protected health information of these affected individuals when it returned multiple photocopiers to leasing agents without erasing the data contained on the copier hard drives. In addition, the investigation revealed that Affinity failed to incorporate the electronic protected health information (ePHI) stored on photocopier hard drives in its analysis of risks and vulnerabilities as required by the Security Rule, and failed to implement policies and procedures when returning the photocopiers to its leasing agents.

The Affinity resolution agreement may be downloaded here.

Beyond the substantial size and number of individuals' records involved in this case, it is notable that the breach in question was from a device not typically thought of as prone to privacy problems: a photocopier with an internal hard drive. Most users don't consider the built-in storage in printers and photocopiers, but these devices can and do retain previously printed and scanned information. The FTC and NIST offer useful information for organizations on improving security and privacy of digital printers and copiers.