SoDA Says No To SOPA

The Society of Digital Agencies, an invitation-only consortium consisting of some of the best and most well-known digital agencies on the planet, today released its official position on the Stop Online Piracy Act ("SOPA") and the IP Protection Act ("PIPA").

You can read the position piece at the following link:

SoDA’s Stance on SOPA and PIPA.

If you don't feel like clicking, here's the text:

SoDA’s Stance on SOPA and PIPA
by Bradley Gross, Esq. & SoDA General Counsel / January 18, 2012

SoDA recognizes the very real problem of online copyright infringement. As producers and creators of some of the finest digital content in the world, SoDA’s members are often among the first to feel the sting of the unauthorized copying, use and manipulation of their creative works online. Protecting its members’ intellectual property, and ensuring that its members’ original, proprietary digital creations remain free from unauthorized use, is among SoDA’s highest priorities.

But freedom of speech is paramount to all. SoDA believes strongly that any legislation seeking to diminish online speech or curb online content must be both narrowly tailored and capable of being applied with precision. We have considered the Stop Online Piracy Act (“SOPA”) pending before the Senate, and its corresponding House bill, the Protect IP Act (“PIPA”), and believe that neither bill comports with these standards.

In addressing the vexing problem of online copyright infringement, we cannot allow ourselves to trample roughshod over the free speech rights of our colleagues, our neighbors and fellow citizens. SOPA and PIPA, however, do just that.

Among other things, the bills would empower individuals to extinguish entire websites merely by filing a unilateral notice in which it is alleged—but not proven—that the websites are “dedicated to the theft of U.S. property.” The person filing the notice would need only to state that he or she is “harmed” by the targeted websites; actual ownership of IP by the complaining individual would not be required. Notably, the amount of infringing material on a targeted website need not be particularly large or dominant; even minor acts of infringement could justify the termination of an otherwise lawfully operated site.

The bills would not require knowledge of infringing activity on the part of website owners, making innocent infringers vulnerable to attack. It is hard to see how social media sites, such as Facebook or Twitter, or content aggregators such as Google, could continue to operate effectively under those conditions.

Moreover, the number and scope of businesses impacted by the bills is neither limited nor clear. The bills would impact any website that “enables or facilitates” infringement by a third party–a category which, when taken to its logical end, could include a huge swath of innocent parties who might be only tangentially related to the business of an infringing website.

Finally, the bills would incentivize and encourage knee-jerk censorship activity by immunizing advertisers and payment processors from all liability if they discontinued their services based upon the suppositions and unproven allegations of persons claiming harm under SOPA or PIPA. Providing that type of immunity ignores the realities of online business. Simply put, business cannot be conducted in an environment where advertisers and payment processors have the unencumbered ability to withdraw their services based on the unproven harangue of a person claiming harm under SOPA or PIPA.

The time is ripe to address the issue of online copyright infringement, and we applaud Congress’ attention to the issue. However, neither SOPA nor PIPA pose viable solutions for the issues at hand. We implore Congress to start anew and create legislation that properly and fairly balances the principles of freedom of speech with the need to protect online digital content.

Apple Wins Patent Case Against Android. Well, Sort Of.

Steve Jobs vowed to go "thermonuclear" against Google and the Android interface. Today, the U.S. International Trade Commission (or "ITC") just helped Apple move one step closer to Jobs's dream of making the Android operating system a thing of the past.

Under a decision announced today by the ITC, Android phones made by HTC that incorporate "tapping" technology (more on that in a moment) will not be permitted to be imported into the United States starting on April 19, 2012.

What does that mean for HTC--one of the largest producers of Droid phones in the world? It's basic math:

No imports = no sales of most modern HTC Android devices in the U.S.

As I see it, HTC now has three choices: (i) license the technology from Apple (which is highly unlikely), (ii) make the technology work without using Apple's patented technology (somewhat likely), or (iii) remove the technology from HTC telephones (a possibility, but a last resort since it would make HTC's phone less feature-rich when compared to other Droid makers' phones).

The technology at issue is pretty standard fare on smart phones: it enables users to tap data in one application on a device (such as a telephone number embedded in an email), and bring up another application that uses that data (such as a telephone dialer that dials the telephone number that was tapped). Without that technology, users would have to resort to the cut-and-paste method of transferring data between applications on a smart phone. Ugh.

With all of the heavy competition among Droid phone makers, I'm pretty confident that HTC will kick its R&D department into high gear and figure out a way to use data tapping technology without violating Apple's patent. And I have no doubt that Google will throw its resources into the mix as well: after all, it is Android that were talking about.

The decision definitely gives Apple some boasting rights and, temporarily, forces Apple's competitors to spend time and money researching a workaround to their current product offerings. In the long run, I'm not sure that the decision will have a major impact on the Android product lines, since a workaround will almost certainly be developed (did I mention that Google will likely get involved??).

But in a world where new technology is being developed everyday, the delay that the decision imposed on Apple's competitors may be important. If Apple can leverage that delay to its advantage and come up with the "next great thing" while its competitors are still trying to figure out how to make the "old stuff" work, then the delay may be the most valuable prize of all.

New Privacy Guidelines? Not So Impressive.

Most people don’t want their online activities to be tracked by advertisers.  So it should come as good news that the Digital Advertising Alliance just released new privacy guidelines governing the collection of consumer data for “non-behavioral advertising” purposes.

The FTC heralded the new guidelines as “an important step for consumers and for self-regulation.”  But are the new guidelines as important as the FTC claims them to be?

I don't think so. 

I don’t think the new guidelines say anything that we haven't seen before and, in many ways, simply re-state the obvious.  Historically, the Alliance has experienced only marginal success implementing privacy-related guidelines, and I’m not optimistic that the Alliance’s latest set of policies will fare any better. 

Some Definitions. 

“Behavioral advertising” is the art of tracking of a consumer’s online activities over time—including the searches the consumer has conducted, the web pages visited, and the content viewed—in order to deliver advertising targeted to the individual consumer’s interests.  (Think “big brother” meets “super cookies”). 

Most consumers find behavioral advertising surprisingly invasive—but it works.  In fact, studies show that behavioral advertising is at least twice as effective as non-behavioral advertising.  With that kind of ROI, we expect the use of behavioral advertising to increase exponentially over the next few years.

“Non-behavioral advertising” is everything else, i.e., no long term tracking of sites visited, and no cross-referencing a consumer’s online behavior across multiple sites.  It’s the type of relatively minor tracking activity that consumers have come to expect from commercial websites. 

The New Guidelines--An Improvement?.

A few years ago, the Alliance released a set of guiding principles for online behavioral advertising activities.  Those principles, which can be read HERE, were roundly criticized for failing to address the non-behavioral advertising side of the industry.

In response to that criticism, the Alliance released its latest set of principles which can be found HERE.  They are entitled, “Self-Regulatory Principles for Multi-Site Data”—which brings me to the first issue I have with the new principles. 

Why name them something that most people don’t understand?  What is “Multi-Site Data”?  Granted, the term is explained in the text of the principles themselves—but why not replace the term “Multi-Site Data” with “Non-Behavioral Advertising” or something similar?

But I digress.

The new “multi-site data” principles address the privacy issues raised by non-behavioral advertising activities by requiring ad companies to “provide consumers with transparency and consumer control.”

The funny thing, however, is that the Alliance doesn’t define the terms “transparency” and “consumer control.”  Now, one could argue that those are common phrases and, therefore, they are subject to common understanding and definition.  But remember: in advertising, nothing is common.  Advertising is about the uncommon.  It’s about the unique.  In the world of digital advertising, common phrases can easily elude common definition.

But again, I digress.

The new principles state that ad companies should comply with the federal Children’s Online Privacy and Protection Act (also known as “COPPA”).  They also state that ad companies should not collect and use data containing financial account numbers, Social Security numbers or medical records without the consumer’s consent. 

In other words, the principles say that ad companies should follow the law. 

So, is that news?  Am I missing something here?  Since when do we celebrate a proclamation that companies should follow the mandates of HIPAA, or the Gramm Leach Bliley Act, or the Fair Credit Reporting Act, or several state laws (such as California’s Civil Code § 1798.85)?  Have we reached such a low point that we now need to applaud industry principles that merely re-emphasize the importance of acting both legally and ethically?

I understand that the Alliance is merely trying to reign in the improper and over-ambitious advertising schemes employed by some of its members.  But let’s not kid ourselves: the new principles don’t tread too deeply into the waters of consumer privacy.  They are suggestive, not mandatory.  There are no serious penalties for non-compliance.  For that reason, many companies will simply ignore the principles for the sake of increasing their customers’ ROI.

The new principles don’t go into effect until next year, so we will have to wait a while longer to determine whether they are effective or not.  My (early) prediction is “not". 

Discovery, Facebook & You

A few rules to remember:

1.  What you post on Facebook is for all the world to see.  You have no privacy rights in your Facebook content.  Never mind that you only let "friends" or "friends of friends" access your Facebook page.  If a court (or opposing party in a lawsuit) wants to see your stuff, then your Facebook page is an open book.

2.  If you claim that you were disabled in an accident, then you should probably avoid posting status updates like, "Going to the gym!!", or posting pictures of yourself engaged in physical activity.  Why?  See rule #1, above.

With that as a backdrop, let's visit a recent case out of Pennsylvania, Largent v. Reed.  In Largent, the plaintiff's (Largent's) motorcycle was struck by a minivan that was pushed into Largent's motorcycle by a car that the defendant (Reed) was driving.  Largent claimed that as a result of the accident, she had suffered serious and permanent physical and mental injuries.

During Largent's deposition, it was discovered that she had a Facebook page.  The page was "public" at one time, but Largent had subsequently made her page "private" so that only her friends could see her page.  (As we all know, the public/private feature of Facebook is an option that is user-controlled).

Reed wanted access to Largent's private status page, claiming that Largent had posted several photographs that showed her enjoying life with her family, and a status update about going to the gym.  (Hmmm...it's hard to claim you've suffered permanent physical disability if you're going to the gym, right?)

Largent refused to turn over her Facebook information, claiming that by making her Facebook page "private", she had a reasonable expectation of privacy in the information that she posted to her Facebook account.  (Ah, if life was only that simple, right?)

The court disagreed, and held that everything on Largent's Facebook page was required to be disclosed to Reed.  In a decision that will surely be quoted by other courts in the future, the court admonished Largent for attempting to hide relevant facts behind a "private" Facebook page, and stated that "only the uninitiated or foolish could believe that Facebook is an online lockbox of secrets."

So, dear reader, which are you: uninitiated or foolish?  (That's a rhetorical question.  Please, don't send me emails explaining why you are one or the other, or neither.)

The point is this: the whole "public" vs "private" thing on Facebook (or any other social media site) is a function of that website, and that website alone.  It doesn't translate into any real privacy rights in everyday life.  Information you post online in any social media site can (and likely will) be found by opposing parties in litigation, and is easily reachable through the power of a subpoena.

When It Comes to E-Discovery, E-Ignorance is Dead

At a recent conference in Miami, I spoke to several dozen in-house attorneys about what they need to do to meet their electronic discovery obligations. The presentation took an hour, but I'll sum it up right now in two words: Smarten Up.

That's right, smarten up. The days of pleading ignorance about how your business collects, uses and stores electronic data, are over. "E-ignorance" is dead and won't be tolerated by courts any longer. (Hey--I think I just coined a new term. E-ignorance. Not bad.)

With increasing frequency, courts (especially federal courts) are hammering litigants who fail to take appropriate steps to audit, collect and disclose relevant e-evidence to opposing counsel.

If you think your company is up to par when it comes to this stuff, I've got a message for you: it's not. Really, it's not. But don't feel bad--you're not alone. Most companies aren't anywhere near a state of readiness when it comes to this stuff.

Read the following questions (but not out loud--people might think you've lost your mind.) If you can't answer all (or even most) of these questions in the affirmative, then you're suffering from e-Ignorance, and you probably need to change the way your company maintains and preserves (or destroys) its records.

1. Do you know what cloud computing is? Do you understand that cloud computing solutions can result in data being stored in locations far from your company's physical location? Do you understanding that data stored in the cloud is often replicated in various locations (IT people call this, "co-location")?

2. Do you know if any of your employees copy and remove information on their personal devices, such as laptops, iPads, mobile phones, etc.? Do you know if they sync those devices with other devices, resulting in multiple copies of information in multiple locations?

3. Does your company have any policy concerning mobile devices? Do you know if it's being enforced?

4. Where does your data go when you delete it? Does your company automatically archive data? (If it does, do you really want it to? You probably don't....more on that in a moment.)

5. Does your company have a document destruction policy? (Ok, let's be politically correct and call it a "document retention policy." But it's really all about the destruction, not retention, of documents.) Who wrote it? When was it last updated? Who enforces it?

Ok, enough questions. Here's the point: if you're in a business that has a reasonable chance of suing or being sued (and these days, who isn't?), you need to get your document management skills and procedures in order. And that begins with a document destruction policy. If you have one, follow it. If you don't have one, then call counsel and get one--then follow it. Having a destruction policy but failing to follow it is akin to not having a policy at all.

I know what you're thinking. You're thinking, "should I destroy my documents on a regular basis?" (If you weren't wondering that before, you are now. Ah, the power of the pen...)

Answer: Yes, with a few provisos. First, you must handle document destruction in accordance with a written policy. Note: it must be in writing. Not in your head. Not something you sort of follow. Write it down.

Second, if a law or statute says you can't destroy a document, then follow the law and preserve the document for the prescribed period of time.

Third, if you receive a preservation letter from counsel, then get your own counsel involved and preserve your documents.

Finally, if there's a reasonably likely chance of your company being sued (or suing someone else), preserve everything until your counsel tells you otherwise.

Questions? Let me know.

Super Cookies and FaceBook? It's Hammer Time.

A message to the FTC:  break out your (regulatory) hammers and start swinging. 

Late last month, a bi-partisan group of Congressmen (aptly named, the "Congressional Bi-Partisan Privacy Caucus") sent a letter to the FTC requesting that the FTC investigate certain allegations raised by an Australian technology blogger.  The issue?  The use by FaceBook of so-called "super cookies", which track users' activities after they log out of FaceBook.

Yes, you heard that correctly.  These uber cookies track what you do after you log out of FaceBook.

Normally at this point in a commentary, the speaker says something like, "If this were true, then..." or "If it turns out that FaceBook was using this technology, then..."  But we can dispense with the "if / then" scenarios.  We know that FaceBook was using this technology, since (i) it was proven by our Aussie friends, and (ii) FaceBook claims that it has stopped using super cookies.  (By definition, if they have stopped using them, then clearly then were using them in the past.)

So what to do?  What do you do with a company that has been accused repeatedly of playing fast and loose with its users' information, and then utilizes super cookies to track users' activities in clear violation of both its own privacy policy and the FTC Act (which expressly prohibits unfair and deceptive acts or practices by companies engaged in interstate commerce)?

You hammer them.  You hammer them in the way that only the government can.  You make them undergo an extensive analysis of what they did wrong, and why they did it.  You make the analysis a part of the public record.  And then you levy a fine (something that makes them go, "Ouch"), and enjoin them from doing it again.

Anything less would be ridiculous. 

"Your time is limited, so don’t waste it living someone else’s life. Don’t be trapped by dogma — which is living with the results of other people’s thinking. Don’t let the noise of others’ opinions drown out your own inner voice. And most important, have the courage to follow your heart and intuition. They somehow already know what you truly want to become. Everything else is secondary."
-Steve Jobs