I Only Do Major Agreements—And You Should Too

I often get inquiries in my inbox that sound something like this: “We are a small MSP operating out of Small Town, USA, looking for a short contract for our services. We don’t need a major agreement—just something that covers our liabilities. Can you help?”

My response is always the same: “No, I only do ‘major agreements’—and that is the only type of agreement that your MSP should be using.”

So, do I like turning away business? No. (Do you?) Am I crazy? Well, the voices in my head tell me I’m not—so, for now, I’ll listen to them. Is there a method to my madness? You’re damn right there is—and it goes to the heart of how every MSP should handle its service agreements.

Let’s dispense with a few misconceptions. First, there really isn’t such a thing as a “major agreement” versus a “minor agreement.” In fact, all MSP agreements are “major” agreements. Think of it this way: If it’s worth putting on paper in the first place, then it’s a “major” agreement that needs to be handled accordingly.

Second, a “short contract” isn’t always a good thing. In fact, it’s usually a very bad thing because short agreements often exclude provisions that would otherwise protect your MSP. I see contractual shortcuts taken all the time for the sake of brevity, and those shortcuts virtually always lead to disastrous results.

For example, one provision that often ends up on the cutting room floor is the so-called “attorneys’ fees” provision, i.e. “If a party is required to sue to enforce this agreement, the prevailing party is entitled to an award of its attorneys’ fees and costs.” If you exclude that provision, you’ll save yourself about two lines of text. Hooray! But you’ll lose far more than you gain, specifically, your ability to recover attorneys’ fees in cases in which your MSP is the clear-cut winner of litigation. You could spend tens of thousands of dollars in lawyers’ fees just to recover a few thousand dollars from your non-paying client. In other words, you lose in the long run. (The attorneys will win, but you will lose).

Third, there is no real warm and fuzzy way to “cover your liabilities.” Either you cover your MSP’s liabilities by specifically describing those liabilities, and then specifically describing how they are being limited, or you do not. There is no middle ground. You can’t be brief when it comes to this stuff, or you’ll end up with short, but unenforceable, limiting language.

For example, if you want to limit your MSP’s liability for negligence then you need to explicitly state that in your service agreement. (Want to save space? Try eliminating references to causes of action such as “negligence” and see what happens. Hint: You’ll save a few lines of text, but your MSP will be responsible for negligence, since you took a shortcut.)

Here’s the deal: Your MSP needs to implement the same strategy that the nation’s largest technology solution providers implement in their service agreements. Specifically, your MSP needs a master service agreement that protects your company from liability and simultaneously manages your customers’ expectations. This is done only through a comprehensive document, written in plain English, that acknowledges the following truisms:

(i) Your client and you are friends, until you’re not. And when you’re not, you’re going to wish you had a comprehensive agreement in place.
(ii) If your agreement doesn’t cover an issue, then your client will interpret the issue in the manner most favorable to your client.
(iii) You’re going to mess something up. Everyone does. And when you do, well, see truism number 1, above.
(iv) Your client isn’t always going to listen to you.
(v) Everything ends, and the transition won’t be easy. Plan for the best, but be prepared for the worst.

This type of service agreement may be slightly longer than you’d like, but it will protect your business, manage your customers’ expectations, and let you sleep better at night. It will also provide your company with a high degree of credibility, because potential customers will quickly realize that your MSP takes issues of liability and customer expectations seriously.

Let’s make 2018 the year of “major agreements” only. Don’t settle for less.

The Trump Transition Team Emails—Everyone Has It Wrong

Political pundits disagree about whether Robert Mueller “illegally” obtained thousands of Trump transition-related emails from the U.S. General Services Administration (or the “GSA”).   Each pundit’s opinion predictably falls along political lines: Pro-Trump pundits argue that Mr. Mueller acted “illegally”, while anti-Trump pundits defend Mr. Mueller’s actions with equal but opposite vigor.

Listen up: This issue has nothing to do with Mr. Mueller.  Nothing.  Nada.  And anyone who focuses on Mr. Mueller is missing the issue entirely—or, perhaps (and more likely) trying to make a political issue out of something that is inherently non-political.

The real issue involves privacy and the GSA.  More specifically, the question is whether the Trump transition team had any reasonable right to privacy in its emails that were both administered by the GSA and stored on GSA-owned equipment.  (Spoiler alert: No right to privacy existed.)  If the transition team didn’t have a right to privacy in its emails (again, read my spoiler above), then the GSA would have been well within its rights to release those emails to any investigatory agency—including  Mr. Mueller’s team.  No warrant required.  No formality required.  No Jacket Required.  (Ok, that was a Phil Collins reference.  I’m just making sure you’re still reading).

I’m going to cut through the political haze and tell it to you straight: If you (or Mr. Trump, or his transition team) store your email on a third party’s computer servers, and if that third party does not provide you with any guarantee of privacy, then generally that third party is free to disclose your information to law enforcement if requested to do so.  Again, no warrant required.

In this case, the GSA was in control of the Trump transition team’s emails.  Unless there was some agreement between the GSA and the Trump transition team that granted the transition team privacy in its emails—something that general counsel for the GSA has expressly denied–the GSA was under no obligation to keep the Trump team’s emails private, and did nothing wrong by turning them over to Mr. Mueller’s investigators.

Now, some pundits say that the disclosure of the emails violated the Presidential Transition Act of 1963.  To those pundits I ask, have you read the Act?  I have.  It has nothing to do with privacy.  All it says, in relevant part, is that the GSA is authorized to provide a presidential transition team with communication services.  (Want to read it yourself? Click here.  No privacy rights are guaranteed, provided, or required under that Act.)

Other pundits say that the disclosure violated the Stored Communications Act.  To those pundits I again ask, have you read the Act?  I have.  That Act only applies to stored electronic communications held by third-party internet service providers, and the GSA is not an internet service provider.  ‘Nuff said.

Not convinced yet?  Let me break it down for you another way.  Let’s say you give your buddy a manuscript and you tell him to hang on to it for a few days.  A short time later, the police ask your friend if you gave him your manuscript.  Your buddy replies, “yes.”  Then they ask your friend, “Mind if we take a look?”  Your friend says, “Sure, here you go,” and hands your manuscript over to the cops.  Have the cops done anything wrong?  No.  Has your friend broken the law?  No.  Might you be disappointed that he did that?  Sure enough—but that’s life.

Folks, this is not even a close call—this is settled law, which is being muddled by facts spun by political pundits with transparent agendas.  Enough already—let’s focus on the content of those emails and the merits of the investigation, and not the legal means by which the emails were obtained.

New Technology For Old Cable Television: The FCC Got it Right

If you have cable television, then you likely rent one or more set-top cable boxes from your cable company. These devices descramble cable television signals—you couldn’t receive most premium channels, such as HBO or Showtime, without them.

But the basic functionality of these devices hasn’t changed much in the past fifteen years—mostly because the cable companies maintain tight (and highly confidential) control over the algorithms that their devices use to descramble their cable signals.  This has prevented tech companies, like Apple or Google, from building a better mousetrap, i.e., a cable box that can do more than just descramble HBO.  To add insult to injury, for the privilege of using those plain ol’ cable boxes, you probably pay your cable company anywhere from $5 to $16 per device, per month.

But yesterday the FCC issued a “Notice of Rulemaking” that is going to change everything.

For the technical folks out there (don’t worry, plain English follows below), the Notice concluded that the FCC should adopt a rule requiring cable companies to “offer three flows of information using any published, transparent format that conforms to specifications set by open standards bodies.”  It also proposed that, in the future, cable companies should “support at least one content protection system to protect its multichannel video programming that is licensable on reasonable and nondiscriminatory terms by an organization that is not affiliated” with the cable companies.

Wow.  Seriously, wow.  That’s good stuff.  

For those of you who have no idea what that means, here’s the English translation:  In exchange for a reasonable licensing fee, cable companies will have to use standard methods to transmit their cable signals, which will allow third parties, such as Apple and Google, to understand and interpret those signals.  That will allow those third parties to develop set-top cable boxes that are far better than what you have now.  

How much better?  Well, maybe the new devices will merge cable and streaming services (like Roku or Chromecast), or allow game consoles (such as Xbox or PlayStation) to offer premium cable channels and video recording features. Maybe the new cable boxes will be compatible with home theater systems, or offer compatibility with other Internet-linked devices in your home. 

In fact, Google supposedly has something in the works already.  I’m sure other will be jumping on that bandwagon as well.  Potential advancements will be limited only by the imagination of the engineers at companies like Google, Apple, Sony and Samsung—so hang on to your hats, ‘cause this could be a really fun and exciting ride. 

If you want to read the FCC’s Notice, you can find it here: https://www.fcc.gov/document/fcc-proposes-unlock-box

Quick aside: If you download the Notice of Proposed Rule Making, I recommend skipping to page 8, and start reading under the “Need for Rules” section. You’ll quickly find yourself saying, “The FCC got it right!”—and how often do you find yourself saying that about the government?

Government vs. Apple? This Former Prosecutor Backs Apple.

I was a prosecutor in two states, and I founded the Internet & Computer Crime Division of one of the largest prosecuting agencies in the country.  I have seen, and have been a part of, the advent and growth of the use of digital forensics in criminal investigations.  And although I applaud the government’s efforts to stay current with technology to fight cyber-criminals and terrorists both domestic and abroad, I cannot, and do not, agree with the government’s efforts to force Apple to circumvent the security protocols on the iPhone. The government’s efforts are, at best, overreaching; at worst, they are a desperate and unabashed attempt to completely undermine significant privacy and security efforts of the private sector—efforts which, ironically, were undertaken in response to governmental overreaching and misconduct.

Apple has stated that the technology sought by the government doesn’t exist.  So exactly when, in the course of modern American history, did the government obtain the power to force a private citizen (or a company, as the case may be) to create something that doesn’t exist?  Can someone tell me where, in the annals of federal law, it says that the government can tell a person to sit down and come up with an invention that no one has seen before, for the sole purpose of enabling the government to enforce a law, or to conduct a more comprehensive investigation?

Do not tell me that the government has the power to do so by subpoena or warrant. It doesn’t.  A warrant permits the search and seizure of existing material and property.  A subpoena can force someone to divulge information about which the person has knowledge.  But neither a warrant nor a subpoena can be used to force a person to create a new invention simply because the party issuing the warrant or subpoena desperately wants, or needs, the invention.

Similarly, a court has no inherent power to require a person to develop a new invention simply because the government would find the invention to be useful.  Such power has never been granted or delegated to any U.S. court, federal or state, under any legal doctrine.  Yet, the magistrate in California seems to believe he has such power—and that is extremely disturbing.

The government believes that the court has such power under the All Writs Act of 1789–a section of the law, written over two centuries ago, that grants federal courts with the somewhat ambiguous ability to “issue all writs necessary or appropriate in aid of their respective jurisdictions and agreeable to the usages and principles of law.”  The Act is like artwork—different people will see different things in the language, and depending on your perspective, you may find that the Act supports the government’s position.  But it doesn’t, and it shouldn’t.

The Act is not intended to instill god-like powers in a court; it is intended to ensure that the courts have the ability to enforce current laws in a timely and efficient manner through the issuance of writs.  For example, if a necessary witness refuses to come to court, the Act gives a federal judge the ability to issue a writ of bodily attachment to force the person to appear.  If a person is being detained unlawfully by the police, a federal court can issue of “Writ of Habeas Corpus” to force the police to release the person.  There are a multitude of writs available to courts, but there’s no writ that can require Apple to make a programmer create never-before-seen and never-before-created code to break through its own security protocols.

The power of the government cannot be limitless, even if the purpose for which such power is sought is noble or righteous. And do not be misled by political pundits: This is not an issue of whether we need to do more to fight terrorism. Terrorism is simply the vehicle by which this important issue has been propelled into the limelight.  This is an issue of privacy.  It is an issue that forces us to question whether the government should have the power to compel the creation of intellectual property.  Such power has never existed—and for good reason. Let’s keep it that way.

Online Privacy Policies–Don’t Believe the Hype

The FTC just announced its agenda for its upcoming privacy-related conference, aptly named, PrivacyCon. The FTC hails the event as a first-of-its-kind conference “regarding important consumer privacy and security issues by leading academics from universities and think tanks from around the world.”

But despite the FTC’s examination of the issue, online privacy is still a highly misunderstood (and highly abused) concept in online transactions. Having counseled hundreds of clients on privacy-related issues for the past fifteen years, I can tell you this: The laws (or lack of laws) related to online privacy aren’t going to change anytime soon.  Before I tell you why nothing is going to change, consider the following:

Consumers have a poor understanding of privacy policies—usually because they don’t read them.
When was the last time you actually read a site’s privacy policy? I know, you can’t remember.  Don’t feel badly—I write them, and I don’t read them either. I think there are three reasons why we don’t read privacy policies: First, we often believe that if a website’s owner is reputable and well-known, then our private information will be secure. (This, of course, is not based on anything in reality; however, research shows that reputation is a strong motivating factor for consumers who readily give up their private information.)  Second, we sufficiently crave whatever it is that the site is selling, such that giving up our private information is merely a speed bump on our way to getting what we want. (And after all, who slows up for speed bumps?) Third, we rationalize giving up our private information under the theory that the site will do whatever it wants with our private information anyway, so there’s really no reason to give much thought to privacy concerns. Unfortunately, this last reason is grounded in reality. More on that in a moment…

Privacy seals don’t mean as much as consumers (and companies) think they mean.
Privacy seals purport to certify that the owner of a website complies with certain minimum levels of online privacy and security. But how much do you really know about what it takes to get a “privacy seal”? For that matter, how do you know whether a website displaying a privacy seal actually complies with the seal’s minimum requirements? Here’s a scary (but true) revelation: Some site owners display privacy seals without taking any steps whatsoever to comply with any required privacy procedures. (Yes, it’s trademark infringement, but unfortunately, it happens.)

On the flip side, consumers don’t usually make decisions to divulge their personal information based solely on the presence or absence of a privacy seal. Case in point: Think about the websites from which you regularly buy things. Do those sites even have privacy seals? (Don’t look until you venture a guess). In my case, the first three sites I thought of did NOT have privacy seals—but I buy stuff from those sites all the time, and will continue to do so.  My point is this: If companies think that the presence of a privacy seal will be a game-changer for their online sales, then they are sorely misguided. Reputation-building activities, like improved customer service and support, will always pay higher dividends than privacy seals.

Government agencies can enforce an existing privacy policy, but can’t require a company to have one.
Contrary to popular thought, most companies aren’t required to post, or even have, a privacy policy. In fact, the few states that require companies to post privacy policies online simply require the impacted companies to disclose what information they collect and how they use it.  Notably, there are virtually no restrictions on what a company may do with information it obtains. (For example, see California’s law here.  It describes the circumstances under which a privacy policy must be posted, but doesn’t restrict the use of the information obtained.)

Certain government agencies, such as the Federal Trade Commission or each state’s Attorney General, are empowered to sue companies that post privacy policies and then fail to follow them; however, those lawsuits are few and far between.  In any event, those agencies cannot force a company to create or post a privacy policy if the company isn’t legally required to do so.

It wouldn’t be hard to require companies to post a privacy policy; California does it now, and a similar law, on a federal level, would probably enjoy bipartisan support.  But no law will (or even could) prohibit companies from doing what they want with the information they collect—there are simply too many types of commercial transactions to consider, and they can’t all be covered under a single statute.  Even the most stringent law would likely give an escape clause to companies that disclose how they consumer information—even if that use is ambiguous or vague.

For example, a privacy policy stating, “We reserve the right to divulge your information to our affiliates if we believe that such disclosure would be in your best interests, but before doing so, we will require our affiliates to keep your information confidential” likely complies with California’s current law. (That’s not legal advice, only an observation. Consult your attorney if you’re planning on doing business in California.)  However, this type of provision would allow a company to transfer your information to practically any third party as long as that party “promised” to keep the information confidential.  But what good are promises if you don’t know whether the promises are enforceable or monitored? You see the point, right?

Online privacy-related laws will always have exceptions enabling sufficiently initiated companies to circumvent the spirit and purpose of the law. So while I applaud the government’s efforts in confronting the pervasive online privacy problem, I don’t expect to see too many changes any time soon. Indeed, changes won’t come until we stop looking at the privacy problem from a (mostly) intellectual perspective, and start addressing the issue from a business-oriented perspective.

Until then, assume nothing is private.

EBay Sellers: Don’t Even Think About Suing Over Negative Feedback

With increasing frequency, online sellers are filing defamation lawsuits against consumers who post negative feedback about their online sales transactions.  Most of these lawsuits are baseless–often absurd–but they are filed anyway because the sellers (and their attorneys) know that buyers would rather pay to settle the litigation than fight.  But sellers beware: at least one court has had enough of the baseless lawsuits filed by disgruntled online sellers.  For more on this story, we turn our attention to the decision handed down by the Court of Common Pleas in Medina County, Ohio, and the case of Med Express, Inc. v. Amy Nichols, et. al.

In the Nichols case, Med Express, Inc. filed not one but two lawsuits for defamation against two consumers who posted negative feedback about Med Express on EBay’s auction site.  Scary stuff if you’re a consumer, right?

But if you’re like me and hate attorneys who file baseless litigation, and if you hate baseless litigation itself (like this was), and if you are a defender of free speech (like I am), then read on because you are going to love this.

One thing you should know is that both lawsuits in the Nichols case were voluntarily dismissed by Med Express after Med Express lost interest in pursuing the cases.  That’s right, dismissed.  So things end there, right?  Not exactly.

The other thing you should know is that despite the cases being dismissed, both defendants sought sanctions against Med Express for filing the baseless cases in the first place. (Yes, you read that correctly. The defendants pursued sanctions against Med Express for filing a nonsensical lawsuit, notwithstanding the fact that the cases had already been withdrawn. Now that’s cool, right? Like, superhero cool.)

So what did the defendants do that caused Med Express to file the litigation in the first place? It all started in 2012, when one of the defendants, Dennis Rogan, purchased a double pack of graduated cylinders from Med Express in an EBay transaction. One of the cylinders arrived broken, and Med Express provided Rogan with a full refund. Despite receiving a refund, however, Rogan allegedly “posted neutral feedback and negative comments on EBay’s website”, as well as “low dealer ratings in Ebay’s Seller Ratings Section.” According to Med Express, the “neutral” and/or “low” ratings “slandered the good name and reputation of Med Express.”  (Yeah, I know.  There are no words to describe the level of ridiculousness. here.)

A few months later, defendant Amy Nichols purchased a “microscope light source with shutter attachment” from Med Express in an EBay transaction. Nichols pre-paid for the product, and also pre-paid to have it delivered. When the product arrived, however, it had $1.44 postage due. Before giving Med Express a chance to reimburse her, Nichols posted negative feedback and negative comments about Med Express in the same EBay Seller Ratings Section utilized by Rogan a few months earlier.

Med Express filed lawsuits for defamation against Rogan and Nichols, and also included EBay as well to try to get EBay to remove Rogan’s and Nichols’s postings.  (Quick note: There was no chance of EBay losing that case.  In fact, EBay didn’t even respond–and it STILL won a dismissal.)  The court refused to force EBay to remove the postings, and Med Express dropped both cases.

But not so fast…Rogan and Nichols had incurred attorneys’ fees while the litigation was pending, and they weren’t about to let Med Express get away with filing baseless litigation against them. Both defendants continued the proceedings, and asked the court to force Med Express to pay the defendants’ attorneys’ fees and costs.

Now, I know some of you are probably thinking, “If the seller gave a refund to Rogan and offered to pay the postage due to Nichols, then they shouldn’t have filed negative feedback.” And to those people I say, perhaps you’re right.  But that’s not the issue. This is not about fairness. This is about statements of fact and opinions uttered by people who had the right to make such statements, and whose statements are protected by the First Amendment. Regardless of how “unfair” it may seem to sellers on EBay, consumers still have the right to make truthful statements, and to offer their opinions about their online experiences. The Internet may be both awesome and convenient, but the Bill of Rights trumps all.

Finding in favor of the defendants, the court acknowledged the defendants’ First Amendment rights, stating that the “Plaintiff’s suit was for an improper purpose. . . . The Defendants did absolutely nothing wrong. They simply participated in Ebay’s feedback component in exactly the manner in which Ebay intended. . . . The Defendants did nothing more than accurately recite a statement of facts and express their opinion.”  Game.  Set.  Match.

You can read the court’s order here.

So what’s the lesson here? Can a consumer say whatever he or she wants about an EBay or similar online transaction, even if the statements are patently or obviously false? No. You can’t trash someone’s reputation just for the sport of it. But the law protects you if you are making honest, truthful statements about an online sale transaction, even if those statements might hurt the seller’s reputation.

Remember: Truth has been, and remains, an absolute defense to defamation. Even if it hurts.

 

Managed Service Providers

We have been representing MSPs for more than 15 years—longer than most law firms have been in existence.  Our office represents well over 100 MSPs–more than any law firm that we have ever heard of.  So why is this important to you?

Because it means that we understand your business.  We understand the technology you offer, the services you sell (and resell), and the issues that your MSP faces on a daily basis.

We know, for example, that your master service agreement is a hodgepodge of legal terms, deliverable descriptions, and marketing fluff that was pieced together by someone in your company—maybe you—many years ago. You’re unsure whether it adequately protects your company—and it probably doesn’t.

Or maybe you fit into the category of MSPs that “borrowed” its contracts from another MSP or service provider.  In the back of your mind, however, you still have worries—and you should.  Who wrote that agreement?   How do you know it’s enforceable?  How do you know it covers everything it needs to cover?

Perhaps you received your master agreement from a template-type service, such as a “pre-paid legal” service, that purports to be staffed with “experienced IT attorneys.”   News flash: The experience level of many of the attorneys providing MSP-related advice, even some of the most highly touted pre-paid services, is low at best. These services are often staffed with real estate attorneys or corporate attorneys who understand computers, but have no significant experience dealing with the issues facing MSPs on a daily basis.

There’s a reason why we are asked to speak at dozens of MSP-related events throughout the country every year.  There’s a reason why we are the “go-to” law firm for hundreds of MSPs of all sizes.  There’s a reason why no law firm has written and spoken on topics directly impacting MSPs more than we have.


Call us, and discover the reason for yourself.

We All Own the Monkey’s Selfie.

(Source: Wikimedia Commons)
(Source: Wikimedia Commons)

A macaque monkey in Indonesia steals a photographer’s camera and then snaps a few selfies.  Really, that happened. (See picture left).

Sometime later, the photographer recovers his camera, publishes the selfies, and claims copyright ownership in the pictures.   Enter Wikipedia, which copies the pictures and makes them available through its free, worldwide image repository.  The photographer protests, claiming that Wikipedia is infringing his copyright in the pictures.

So, has Wikipedia infringed the photographer’s copyright in the pictures?  Not at all, says the U.S. Copyright Office.  And I agree.
In a 1200+ page report issued by the Copyright Officethis week, the U.S. government  brought the issue into focus (pun intended) by declaring that a work can be protected by copyright only if the work is the “fruits of intellectual labor” that “are founded in the creative powers of the mind.”  Moreover, the “mind” that does the “creating” must be a human mind; animal minds don’t count. To illustrate its position, the Copyright Office specifically cited a “photograph taken by a monkey” as an example of a work that could not be copyrighted.
(You can read the Copyright Office’s position yourself—it’s on page “Chapter 300: 8” of the report.)
So what happens to the pictures snapped by the monkey that were published by the photographer?  Answer: they are in the public domain, and can be distributed, for free, by Wikipedia.  And by you.  And by me.
This raises the question: how could the photographer have protected the pictures taken by the monkey?
First, let’s separate this case from situations in which nature photographers purposely position cameras in certain outdoor locales.  Here, the camera was stolen by the monkey, and the pictures were the serendipitous result of the monkey’s actions.  The images were notthe product of any degree of creative thought by the photographer.  Had the camera been purposely placed in a particular locale, the resulting images would have reflected the foresight and creativity of the photographer.  But that didn’t happen.  Instead, the monkey took control of the situation, and everything that occurred was the direct result of the monkey’s curiosity; the photographer had nothing to do with it.
Next, let’s remember the number one maxim of copyright law, namely, ownership vests in the author of the work.  (If you remember nothing else about Copyright Law, remember that.)  In this situation, who “authored” the work?  Answer: the monkey.  The photographer simply acquired the digital image from the camera.  He “authored” absolutely nothing.  So, under U.S. law, the monkey owns the work because the monkey authored the work.
Now, you may be thinking, “The picture was taken outside of the U.S.–so that changes things, right?” No, in most cases, it doesn’t.  Neither the U.S. nor any other country that is a member of the Berne Convention (which governs international copyright issues among its 167 members) allows animals to own copyrighted works.  So,  in this case, the monkey has no rights, and the selfies are in the public domain.
Back to my original question: what could the photographer have done to protect the pictures?  Well, he could have transformed the pictures into something other than the selfie authored by the monkey.  He could have enhanced the colors in an artistic manner, or applied filters to the picture to make the picture look like something other than the plain ol’ selfie snapped by the monkey.  In short, he could have–and should have–done something original to the photograph, in which case he would have owned the photograph as modified by his own creative efforts.