Ninth Circuit Provides Important Protection To Bloggers

In an important victory for free speech advocates, the Ninth Circuit has joined other courts in establishing that authors protected by the First Amendment need not be journalists to have such robust protections.

In Obsidian Finance Group, LLC v. Cox, — F.3d —- (2014) (filed Jan. 17^th, 2014), the Ninth Circuit overturned a lower court decision that limited certain First Amendment protections to institutional journalists. The Court explained that “protections of the First Amendment do not turn on whether the defendant was a trained journalist, formally affiliated with traditional news entities, engaged in conflict-of-interest disclosure, went beyond just assembling others’ writings, or tried to get both sides of a story.”

In aligning the Ninth Circuit with other circuits which have addressed the issue, the court reaffirms that negligence is the minimum legal standard for any case involving matters of public interest (and possibly all cases). To receive general damages without suffering specific harm and to receive punitive damages, the plaintiff must establish that the defendant published the statements with actual malice, meaning intentional knowledge of falsity or reckless disregard of the truth.

In New York Times Co. v. Sullivan, 376 U.S. 254 (1964), the Supreme Court established the modern First Amendment framework. Public officials must prove actual malice to prove liability. Curtis Publishing Co. v. Butts, 388 U.S. 130, (1967), then extended this standard to public figures. A decade later, in Gertz v. Robert Welch, Inc., 418 U.S. 323, 350 (1974), the Supreme Court held that the First Amendment required a negligence standard for private defamation actions. Significantly less than the actual malice standard, it nonetheless established that there could not be liability without fault.

In Obsidian Financial Group, the Ninth Circuit does not suggest the defendant is blameless:

Crystal Cox published blog posts on several websites that she created, accusing Padrick and Obsidian of fraud, corruption, money-laundering, and other illegal activities in connection with the Summit bankruptcy. Cox apparently has a history of making similar allegations and seeking payoffs in exchange for retraction. See David Carr, When Truth Survives Free Speech, N.Y. Times, Dec. 11, 2011, at B1. Padrick and Obsidian sent Cox a cease-and-desist letter, but she continued posting allegations.

The accusations and statements, however, were difficult to view as factual assertions. Where there were assertions of fact, the court explains, the plaintiff must establish the negligence of the statements.

The Ninth Circuit also sidestepped the issue whether the Gertz negligence standard applies to matters of purely private concern. It noted the unresolved question, when it stated that “the Supreme Court has ‘never considered whether the Gertz balance obtains when the defamatory statements involve no issue of public concern.’” (quoting Dun & Bradstreet, Inc. v. Greenmoss Builders, 472 U.S. 749, 757 (1985) (plurality opinion)).

Instead, the Ninth Circuit noted that the blog was made available to the public at large, just as every blog does. Moreover, the court noted that “public allegations that someone is involved in crime generally are speech on a matter of public concern.” So instead of answering whether the negligence standard applies to private matters, the court expanded the realm of public discourse to almost any public accusation.

This strategy has the effect of expanding the negligence standard to almost any claim. It may leave certain personal matters personal, though this is unclear. It could also leave certain formats, such as personal emails, texts, and friends’ lists as matters of purely private concern, but undoubtedly many of allegedly defamatory posts on such platforms will also be matters of public concern.

The distinction between matters of public concern and purely private matters has less and less meaning, and the distinction is likely to continue to erode in the context of defamation, though perhaps remain relevant in some issues involving privacy.

Nonetheless, the case is an important victory for free speech interests. Of course, this does not mean anything can be published with impunity. Negligence is not a terribly difficult test to meet and those plaintiffs who have truly been harmed will still have their day in court. It is difficult to be the subject of online attacks, but the rules of law should apply equally to all speakers, journalists, bloggers, and citizens alike. In the Ninth Circuit, it now does.

Commission report warns U.S. is losing the spy race from lack of R&D, STEM-education

On Nov. 5, 2013, The National Commission for the Review of the Research and Development Programs of the United States Intelligence Community released an unclassified version of its assessment of U.S. research and development programs, finding that the U.S. is falling behind and highly uncoordinated. [The Report can be found here.]

The Commission making the review was originally constituted at the 9-11 Commission (properly The National Commission on Terrorist Attacks Upon the United States. In 2010, the Commission was reauthorized to serve more broadly on the Intelligence Community readiness.

The New York Times described the report as “blistering … charging that the intelligence world’s research-and-development efforts are disorganized and unfocused.”

The Commission said the lack of investment, coordination, infrastructure and foresight is putting the nation at risk.

U.S. technological superiority is diminishing in important areas, and our adversaries’ investments in [Science and Technology]—along with their theft of our intellectual property, made possible in part by insufficient cyber protection and policies—are giving them new, asymmetric advantages. The United States faces increasing risk from threats against which the IC could have severely limited warning, deterrence, or agility to develop effective countermeasures.

The report is not primarily an intelligence report. The Commission was not focused on the failures associated with the NSA massive – and in some cases unconstitutional – spying campaign. Nor was it tied to the Edward Snowden disclosures and the global embarrassment triggered by those disclosures.

Instead, the report identifies the need to treat intelligence as a global issue that needs broad reforms, such as STEM education and immigration/workforce reform. It identifies a wide range of concerns about the lack of investment in intelligence and the failure to be prepared.

The report calls for much greater data analytics, which will likely be the platform used by the NSA to justify its ongoing activities. Even a pro-intelligence report such as this, however, identifies the need for intelligent data analytics rather than the massive, undifferentiated and largely counter-productive methods currently highlighted by the NSA disclosures. Not surprisingly, the admonitions also demand better coordination, including “development of a new joint program plan between the Director of Science and Technology and the Deputy Director of National Intelligence for Intelligence Integration for Enhanced Integrated Intelligence, which it will use to track, prioritize, and coordinate Enhanced Integrated Intelligence R&D across the [intelligence community].”

“Exacerbating these challenges are U.S. policies that weaken the U.S. R&D talent base,” the report warned.  “As scientific and technical knowledge and the resulting economic growth spread around the world, the competition for R&D talent is increasingly global.”

This is just one of many reports highlighting the continued disarray of the intelligence community, an infrastructure struggling to keep up with cyber-threats and embarrassing the U.S. with political follies.

The report opens with a powerful juxtaposition of quotes that should help guide future discussions:

Failure to properly appraise the extent of scientific developments in enemy countries may have more immediate and catastrophic consequences than failure in any other field of intelligence.

—Task Force Report on National Security Organization (the Eberstadt Report) (1948)

Failure to properly resource and use our own R&D to appraise, exploit, and counter the scientific and technical developments of our adversaries—including both state and non-state actors—may have more immediate and catastrophic consequences than failure in any other field of intelligence.

—National Commission for the Review of the Research and Development Programs of the United States Intelligence Community (2013)

Report of the National Commission for the Review of the Research and Development Programs of the United Sta…

Sam Moore loses publicity rights dispute with The Weinstein Company while the use of the Transformative Use Test is applied again

Publicity Rights continue to vex courts and counsel. An October 31^st decision of the Sixth Circuit in Moore v. Weinstein provides yet another unfortunate twist to the judicial approach to balancing publicity rights with free speech rights.

The litigation stems from the 2008 film Soul Men produced by The Weinstein Company starring Samuel L. Jackson and Bernie Mac. Grammy winning artist, Sam Moore claimed the movie was an unauthorized life story because of the title, story-line, and music used in the film. Having lost on appeal, Moore took his fight to the Sixth Circuit where the court again sided with The Weinstein Company.

The problem with the decision is not the outcome. Instead the concern is that the court interpreted a state law which relied on the Restatement (Third) of Unfair Competition to determine the scope of publicity rights but still insisted on adding an additional opportunity for plaintiffs to stop communicative works if the defendants could not prove the works were transformative.

State law protection of publicity rights are constrained by free speech concerns.[1] Publicity rights are protected as a common law extension of privacy,[2] but like other common law doctrine affecting speech, many aspects have been constitutionalized.[3] Publicity rights are properly considered a form of limitation on commercial speech and should be subject to legitimate content regulation as is allowed by the FCC and FTC, namely intermediate scrutiny.[4] Traditional publicity rights doctrine first asks whether the use of the name or likeness involves a commercial transaction.^[5] The commercial transaction may be the sale of a commercial item or an endorsement of a good or service.[6] If the use of the publicity rights constitutes an endorsement, then the FTC endorsement guidelines offer further liability for unauthorized use.

In theory, formulations such as that embodied in the Restatement (Third) of Unfair Competition should provide clear breathing room between expressive works and their commercial cousins. As the Sixth Circuit recently stated, “A viable right-of-publicity claim usually requires (1) defendant’s use of plaintiff’s identity; (2) the appropriation of plaintiff’s name or likeness to the defendant’s advantage, commercially or otherwise; (3) lack of consent; and (4) resulting injury.”[7]

Section 47 of the Restatement sets an explicit limit on the scope of publicity rights:

The name, likeness, and other indicia of a person’s identity are used “for purposes of trade” under the rule stated in § 46 if they are used in advertising the user’s goods or services, or are placed on merchandise marketed by the user, or are used in connection with services rendered by the user. However, use “for purposes of trade” does not ordinarily include the use of a person’s identity in news reporting, commentary, entertainment, works of fiction or nonfiction, or in advertising that is incidental to such uses.[8]

The scope of publicity rights explicitly excludes news, entertainment, and creative works.[9] The limitation embodied in the Restatement is written to be categorical, which provides for greater certainty and reinforces the importance of free speech rights and avoidance of a chilling effect caused by fear of litigation involving a person’s identity in a communicative work. Comment d. to the Restatement recognizes this concern by stating “[b]roader restrictions on the use of another’s identity in entertainment, news, or other creative works threaten significant public and constitutional interests.”[10]

Nonetheless, in practice, publicity rights are tested under a variety of inconsistent court-fashioned doctrine which do not balance commercial and speech interest nearly as cleanly as does the Restatement. “Various commentators have noted that right of publicity claims—at least those that address the use of a person’s name or image in an advertisement—are akin to trademark claims because in both instances courts must balance the interests in protecting the relevant property right against the interest in free expression.”[11]

The Rogers test[12] most squarely distinguishes between commercial works and communicative works. Under that test, a court should not “permit the right of publicity to bar the use of a celebrity’s name in a movie title unless the title was ‘wholly unrelated’ to the movie or was ‘simply a disguised commercial advertisement for the sale of goods or services.’”[13] This test most closely mirrors the FTC commercial endorsement guidelines, particularly if the recognition of disguised commercial advertisements extends to the various undisclosed endorsements.

The Predominant Use test loosely balances the free speech rights of the publisher against the economic goals of that publisher.[14] Works that predominantly exploit the commercial value of identity must certainly include all celebrity magazines, ESPN, and the Sunday section of the New York Times. The fact that a work is published under a profit motive does not transform the content into commercial speech.[15] The Predominant Use Test is ineffectively under-inclusive and over-inclusive, making it unhelpful for jurisprudential guidance.[16]

The third common test flows from copyright law rather than trademark law. Based upon the Supreme Court jurisprudence involving fair use, the California Supreme Court adopted the transformative test from the first factor of copyright fair use to determine the right of publicity free speech doctrine.

According to the Supreme Court as applied by the California Supreme Court,

the central purpose of the inquiry into this fair use factor ‘is to see … whether the new work merely “supercede[s] the objects” of the original creation, or instead adds something new, with a further purpose or different character, altering the first with new expression, meaning, or message; it asks, in other words, whether and to what extent the new work is “transformative.”[17]

To the first factor of the copyright test embodied in Transformative Test, the California Supreme Court obliquely reintroduced the copyright fair use test’s fourth factor: the effect on the potential market for the work.[18]

Virtual worlds and video games may trigger the most direct conflict between publicity rights and free speech jurisprudence.[19] The communicative nature of video games highlighted in Brown v. Entm’t Merchs. Ass’n should require the medium be treated like any other.[20] Nonetheless, both video game manufacturers and the courts tend to continue to treat these works as if they are commercial products rather than works of expression protected by the First Amendment.[21] As products, they are commercial works subject to the Transformative Test or another of the balancing tests rather than excluded from the limitation in publicity rights that such rights only apply to commercial products or the advertisements for such goods and services.

The communication in a video game generally is not a proposal of a commercial transaction or the sale of a product, so rights of publicity simply do not apply.[22] If instead, the media is used to make an endorsement or advertise a commercial product, then the FTC endorsement guidelines and the state publicity rights come back into play.[23]

This distinction should guide the behavior and social media policies of employers. To the extent they are creating content as media broadcasters, there are no publicity rights constraints and no endorsement concerns.[24] If instead the content is designed to promote commercial transactions, serve as advertisements, or sell merchandise, then permission is required from the endorser and the endorser must be providing factual, honest information.

The confusion surrounding publicity rights raises serious chilling effects. As reported in the Hollywood Reporter, the NCAA is trying to take up an appeal in Keller v. EA Sports despite the settlement in the case following a ruling unfavorable to EA based on an application of the Transformative Use Test. The NCAA petition for cert (read here) provided:

[T]he interplay between right-of-publicity claims and the First Amendment is an issue on which the lower courts are badly divided. It is also important, affecting the fundamental rights of a wide array of speakers—from movie and television producers (e.g., The Social Network) to biographers and songwriters (Bob Dylan’s Hurricane), to videogame makers, like one of the defendants here.

Something must be done to restore to return the presumption of free speech and eliminate the chilling effect of publicity rights claims against communicative works. Publicity rights are very important economic and personal rights which should be enforced against commercial theft of identity, but that does not mean they should be used to stifle the ability of other authors and artists. A Supreme Court decision in Keller will be unlikely to develop the balance needed to restore the law. Instead federal legislation is a more likely tool to get the balance correct.

---

[1] See, e.g., Donahue v. Warner Bros. Pictures Distributing Corp., 272 P.2d 177 (Utah 1954) (publicity rights statute limited to the use of name or likeness in advertising, or the sale of “some collateral commodity.”); Cal. Civ. Code § 3344(a) (West 1997) (limiting protection to use “on or in products, merchandise, or goods, or for purposes of advertising or selling, or soliciting purchases of, products, merchandise, goods or services, without such person’s prior consent.”).

[2] See Samuel Warren & Louis Brandeis, The Right to Privacy, 4 Harv. L. Rev. 193 (1890). See also William L. Prosser, Privacy, 48 Cal. L. Rev. 383, 383–85 (1960).

[3] Zacchini v. Scripps-Howard Broadcasting Co., 433 U.S. 562, 577 (1977) (In distinguishing between defamation, false light and publicity cases, the Court explained that the “Constitution does not prevent Ohio from … deciding to protect the entertainer’s incentive” to perform.)

[4] See Sorrell, 131 S. Ct. 2653, supra note 53 at 2663; Cent. Hudson Gas & Elec. Corp. v. Pub. Serv. Comm’n, 447 U.S. 557, 562 (1980); Ohralik v. Ohio State Bar Assn., 436 U.S. 447 (1978) (upholding state lawyer advertising regulation); Virginia State Bd. of Pharmacy v. Virginia Citizens Consumer Council, Inc., 425 U.S. 748, 771-772 (1976) (establishing First Amendment protection for commercial speech and recognizing right of recipients of commercial speech to have access to the content).

[5] See, e.g., Comedy III Productions, Inc. v. Gary Saderup, Inc., 21 P.3d 797, 802 (Cal. 2001).

[6] Id. at 802 (although the speech was not an “advertisement, endorsement, or sponsorship of any product,” defendant nonetheless “used the likeness of The Three Stooges on . . . products, merchandise, or goods within the meaning of the statute.”).

[7] Moore v. Weinstein Co. LLC, 12-5715, (6^th Cir. Oct. 31, 2013) (unreported) quoting Restatement (Third) of Unfair Competition.

[8] Restatement (Third) Unfair Competition §47 (1995).

[9]  Id.  at cmt. c. (“the use of a person’s name or likeness in news reporting, whether in newspapers, magazines, or broadcast news, does not infringe the right of publicity. The interest in freedom of expression also extends to use in entertainment and other creative works, including both fiction and nonfiction.”).

[10] Id. at cmt. d.

[11] Hart v. Elec. Arts, Inc., 717 F.3d 141, 155 (3d Cir. 2013).

[12] Rogers v. Grimaldi, 875 F.2d 994 (2d Cir.1989).

[13] Id.  at 1004.

[14] Doe v. TCI Cablevision, 110 S.W.3d 363 (Mo.2003) (en banc).

If a product is being sold that predominantly exploits the commercial value of an individual’s identity, that product should be held to violate the right of publicity and not be protected by the First Amendment, even if there is some “expressive” content in it that might qualify as “speech” in other circumstances. If, on the other hand, the predominant purpose of the product is to make an expressive comment on or about a celebrity, the expressive values could be given greater weight.

Id.  at 374.

[15] See New York Times v. Sullivan, 376 U.S. 254, 265 (1964). See also Valentine v. Chrestensen, 316 U.S. 52, 55 (1942) (commercial speech cannot evade regulation by appending protected first amendment content).

[16] See Hart, supra note 73 at 154 (“By our reading, the Predominant Use Test is subjective at best, arbitrary at worst, and in either case calls upon judges to act as both impartial jurists and discerning art critics.”).

[17] Comedy III Prods., Inc. v. Gary Saderup, Inc., 25 Cal.4th 387, 404 (2001) (quoting Campbell v. Acuff–Rose Music, Inc., 510 U.S. 569, 579 (1994) (citations omitted).

[18] Id.  at 407.

Furthermore, in determining whether a work is sufficiently transformative, courts may find useful a subsidiary inquiry, particularly in close cases: does the marketability and economic value of the challenged work derive primarily from the fame of the celebrity depicted? If this question is answered in the negative, then there would generally be no actionable right of publicity. When the value of the work comes principally from some source other than the fame of the celebrity—from the creativity, skill, and reputation of the artist—it may be presumed that sufficient transformative elements are present to warrant First Amendment protection. If the question is answered in the affirmative, however, it does not necessarily follow that the work is without First Amendment protection—it may still be a transformative work.

[19] See Hart, supra note 73 at 152-53; O’Bannon v. NCAA, 2010 U.S. Dist. LEXIS 19170 (N.D. Cal. Feb. 8, 2010) (dismissing Keller v. Elec. Arts, Inc., 2010 WL 530108 (N.D. Cal. 2010) to substitute anti-trust claims for publicity rights claims); In re NCAA Student-Athlete Name & Likeness Licensing Litig., 2011-2 Trade Cas. (CCH) ¶ 77, 549 (N.D. Cal. 2011) (ongoing litigation emphasizing anti-trust implication of refusing to negotiate rights with former NCAA players).

[20] Brown v. Entm’t Merchs. Ass’n, supra note 37 at 2737 n.4.

[21] See Hart, supra note 71 at 148-49 (“Appellee [EA Sports] concedes, for purposes of the motion and appeal, that it violated Appellant’s right of publicity; in essence, misappropriating his identity for commercial exploitation.”)

[22] Cf. Comedy III, supra note 71 at 802; Hart, supra note 75 at 149.

[23] Garon, supra note 52 at 615, 624.

[24] See Facenda v. N.F.L. Films, Inc., 542 F.3d 1007, 1017 (3d Cir. 2008) (quoting U.S. Healthcare, Inc. v. Blue Cross of Greater Phila., 898 F.2d 914, 933 (3d Cir. 1990)).

The Estate contends that the program is commercial speech, and we agree. Our Court has “three factors to consider in deciding whether speech is commercial: (1) is the speech an advertisement; (2) does the speech refer to a specific product or service; and (3) does the speaker have an economic motivation for the speech.”

Rent-to-Spy Highlights Need for Diligence

(Photo Wikipedia)

Aaron’s Inc. a leading franchisee in the rent-to-own retail market has agreed to settle FTC complaints[1] that allowed Aaron’s franchisees to install and use software to spy on customers.

In announcing the proposed settlement, the FTC explained that “Aaron’s franchisees used the software, which surreptitiously tracked consumers’ locations, captured images through the computers’ webcams – including those of adults engaged in intimate activities – and activated keyloggers that captured users’ login credentials for email accounts and financial and social media sites.”

Aaron’s, Inc. is a leading rent-to-own retailer focusing on “residential furniture, consumer electronics, home appliances and accessories with more than 2,000 Company-operated and franchised stores in 48 states and Canada.” Aaron’s reports 1,190 Company-operated Aaron’s Sales and Lease Ownership stores, 717 Aaron’s Sales & Lease Ownership franchised stores, 78 HomeSmart stores, one franchised HomeSmart store, 17 Company-operated RIMCO stores, and six franchised RIMCO stores.

The allegations focus on the franchisees rather than Aaron’s own operations. Nonetheless, the complaint highlights that Aaron’s “allowed its franchisees to access and use the software, known as PC Rental Agent. In addition, Aaron’s stored data collected by the software for its franchisees and also transmitted messages from the software to its franchisees. In addition, Aaron’s provided franchisees with instructions on how to install and use the software.”

A proposed consent agreement with the FTC has been approved 4-0 by the Commission. Aaron’s will be prohibited from using monitoring technology that captures keystrokes or screenshots, or activates the camera or microphone on a consumer’s computer, except to provide technical support requested by the consumer.

Unfortunately the consent agreement still allows Aaron’s to install tracking technology, provided the customer gives consent. Given the history of such abuse, Aaron’s should be prohibited from using tracking software at all. Consent does little or nothing to affect consumer behavior; companies who have violated the public trust should be prohibited from seeking such illusory permission to continue to abuse their customers.

The risks of allowing opt-in consent are highlighted from another provision of the proposed consent decree:

The agreement will also prevent Aaron’s from using any information it obtained through improper means in connection with the collection of any debt, money or property as part of a rent-to-own transaction. The company must delete or destroy any information it has improperly collected and transmit in an encrypted format any location or tracking data it collects properly.

Under the agreement, Aaron’s will also be required to conduct annual monitoring and oversight of its franchisees and hold them to the requirements in the agreement that apply to Aaron’s and its corporate stores, and to terminate the franchise agreements of franchises that do not meet those requirements.

The proposed agreement will be subject to public comment through Nov. 21, 2013.[2] If opt-in consent is insufficient, the perhaps the Commission can be convinced.

---

[1] The Federal Trade Commission works for consumers to prevent fraudulent, deceptive, and unfair business practices and to provide information to help spot, stop, and avoid them. To file a complaint in English or Spanish, visit the FTC’s online Complaint Assistant or call 1-877-FTC-HELP (1-877-382-4357). The FTC enters complaints into Consumer Sentinel, a secure, online database available to more than 2,000 civil and criminal law enforcement agencies in the U.S. and abroad. The FTC’s website provides free information on a variety of consumer topics. Like the FTC on Facebook, follow us on Twitter, and subscribe to press releases for the latest FTC news and resources.

[2] Interested parties can submit written comments electronically or in paper form by following the instructions in the “Invitation To Comment” part of the “Supplementary Information” section. Comments in electronic form should be submitted online by following the instructions on the web-based form. Comments in paper form should be mailed or delivered to: Federal Trade Commission, Office of the Secretary, Room H-113 (Annex D), 600 Pennsylvania Avenue, N.W., Washington, DC 20580.

2013 NKU Security Symposium tomorrow, Friday, October 18, 2013

The NKU Chase Law + Informatics Institute, the Center for Applied Informatics, and our event sponsors look forward to the 2013 NKU Security Symposium tomorrow, Friday, October 18, 2013.

The program is free, but you must register. This is your last opportunity.

The Legal Issues in Privacy and Security (Legal Track) will be in Development B of the NKU METS Center in Erlanger, KY.

Legal Track Speakers:

• John C. (Jack) Greiner, attorney, Graydon Head

• Scot Ganow, attorney, Faruki Ireland & Cox P.L.L.

• Jennifer Orr Mitchell, partner, Dinsmore & Shohl LLP

• Michael G. Carr, JD, CISSP, CIPP, Chief Information Security Officer, University of Kentucky

Click here for the CLE Materials for the maximum of 4.0 general CLE credits approved by KY, OH & IN (new lawyer credits in IN).

• Jon M. Garon, NKU Chase College of Law

Data Security: Breach Notification Law Issues [pdf]

• Jennifer Orr Mitchell, Dinsmore & Shohl LLP

Attorneys and Other Contractors – HIPAA Business Associates in 2014 and Beyond [pdf]

For your convenience we have included directions below.

A detailed agenda can be found on the event website at http://cai.nku.edu/security2013/agenda.html

Directions to the NKU METS Center
From Downtown Cincinnati and Northern Kentucky:
I-71/75 South From the South: I-71/75 North … to I-275 West. Take first exit (Exit No. 2 – Mineola Pike). Left turn onto Mineola Pike crossing over I-275. Right turn at second light onto Olympic Blvd. Follow Olympic Blvd. into CIRCLEPORT Business Park past hotels to The METS Center. Parking is FREE in The METS Center’s large lot.

From Indiana:
I-74 to I-275 South into Kentucky. Stay on I-275, which curves East in Kentucky and go about 22 miles all the way past the Greater Cincinnati Airport until you get to Exit No. 2 – Mineola Pike. Right turn onto Mineola Pike. Then right turn at second light onto Olympic Blvd. Follow Olympic Blvd. into CIRCLEPORT Business Park past hotels to The METS Center. Parking is FREE in The METS Center’s large lot.

Special thanks to the sponsors of the legal track:  CincyIP and Frost Brown Todd. 

Industrial Internet reshapes the “Internet of Things”

In a term coined in 1999, the Internet of Things, relates to a world in which all objects are connected wirelessly to the Internet and therefore to each other. The model requires each device to have RFID or other near field communications technology to communicate, sharing information about the identity, status, activities, and other attributes of the device. Partnered with big data analytics, the information from these devices can paint a robust picture of how objects interact in the world and how people interact with them.

This week, the model was supercharged. According to a report in the New York Times, General Electric hopes to transform this model with what it terms the “Industrial Internet.”

The so-called Industrial Internet involves putting different kinds of sensors, sometimes by the thousands, in machines and the places they work, then remotely monitoring performance to maximize profitability. G.E., one of the world’s biggest makers of equipment for power generation, aviation, health care, and oil and gas extraction, has been one of its biggest promoters. … The executive in charge of the project for G.E. … said that by next year almost all equipment made by the company will have sensors and Big Data software.

Emerging technology allows devices to distribute usage and telemetry data, to receive instructions, to interact with other equipment, and to serve as the communications bridge extending network coverage so that the devices themselves expand the network on which the equipment communicates. The implications are quite interesting.

Perhaps the most important aspect of the development affects critical infrastructure – the fundamental systems operating our water, power, rail, and telecom infrastructure. Properly secured and interactive, the elements of our aging infrastructure could begin to trouble-spot and eventually provide small repairs without the need for 24-hour crews.

GE’s present equipment tends to be large devices, ranging from jet engines to MRI machines. But the concept could well extend to automobiles, bicycles, phones, cameras, and even clothing. Equipped automobiles, for example, could report mechanical efficiency for every system in the car. They could also share vehicle telemetry, providing a real-time map of how each car was driving in relation to every other car driving on the road. The information could be used to alert a driver to road hazards, to dangerous weather conditions, or to the driver’s weaving. The information could alert police to the same conditions and behaviors.

In the workplace, the Industrial Internet will improve atomization, which helps retain U.S. manufacturing but probably at the cost of fewer workers doing more specialized work. It should also be employed to improve worker safety but could easily be adapted to create a workplace in which every movement was tracked. With Industrial Internet name badges, doors would lock and unlock in response to the presence of authorized personnel, but the data analytics would also be able to see which employees spent the most time with which of their peers, and correlate such interactions with post-interaction productivity. Schools could similarly track student movements and behaviors, identifying which resources and faculty were actually utilized and which of those impacted learning outcomes – for better or worse.

Existing rules for workplace and education environments do not take the pervasive nature of the Industrial Internet into account. Assumptions that privacy is a zone around one’s home and person has little relevance to a cloud of data points broadcasting a picture of each person and how that person interacts.

The FTC has taken small steps to explore these issues and regulate obvious abuses, but legislators need to do much more. Absent legislation, current NSA practices will vacuum this data into its Orwellian data trove.

The Industrial Internet promises to translate the Internet of Things into very practical, valuable industrial improvements. Safer planes, smarter cars, more efficient homes all improve people’s lives. Proper regulation will encourage those uses while protecting civil liberties, privacy, and overreach. Perhaps we can craft the policies to avoid the outrage rather than in response to it.

Negligence might finally be actionable for breach of duty to protect customer data

Business relationships are often strained when a third party successfully breaches the data security of a target, creating profound negative consequences not only to the target but also to that company’s vendors, business associates, and customers. These damages are often costly but sometimes hard to identify or quantify.

In the majority of security breaches, the customers who have had their identity exposed have suffered no actual economic harm. The courts, therefore, are appropriately reluctant to give monetary damages to those injured customers and generally refuse to compensate for the time lost checking credit scores or otherwise dealing with the problems associated with the data breach.

The vendors and business associates, however, may incur substantially greater economic losses and more direct financial injury. Because this injury is exclusively economic loss, a question remains whether such loss is compensable under tort law or whether all remedies are limited entirely to contract claims.

In Lone Star Nat. Bank v. Heartland Payment Systems, No. 12-20648, 2013 WL 4728445 (5th Cir. Sept. 3, 2013), the Fifth Circuit reversed a dismissal of a tort claim based on the plaintiff bank’s assertion it suffered financial harm when it had to replace consumers’ compromised credit cards and to refund fraudulent charges as a result of the negligence of the defendant in securing against data breach. The case arose from a 2008 data breach of the defendant’s payment processor’s systems, exposing 130 million credit card numbers.

The Fifth Circuit focused on the law of New Jersey after establishing the jurisdictional basis for the claim. The court explained, “the economic loss doctrine generally limits a plaintiff seeking to recover purely economic losses, such as lost profits, to contractual remedies.” Economic losses are generally covered exclusively by contract remedies, unlike tort principles which “are better suited for resolving claims involving unanticipated physical injury, particularly those arising out of an accident.”

Contract may be better than tort, but such a limitation oversimplifies the scope of tort law. Tort injuries occur in inchoate interests such as defamation and assault. Not all tortious harms are physical.

The New Jersey Supreme Court had earlier held the tort remedy applied when a duty was breach. It explained that when “a defendant owes a duty of care to take reasonable measures to avoid the risk of causing economic damages, aside from physical injury, to particular plaintiffs or plaintiffs comprising an identifiable class with respect to whom defendant knows or has reason to know are likely to suffer such damages from its conduct. . . .” People Express Airlines, Inc. v. Consolidated Rail Corp., 495 A.2d 107 (N.J. 1985).

Based on this line of reasoning, the Fifth Circuit reinstated the claim. It acknowledged that New Jersey law generally did not permit the tort claim if there was a contract between the parties, since the terms of their express agreement should govern the allocation of risk. But third party beneficiary law often provides that parties not directly negotiating the agreement may still be affected by it, and so to might a group of readily identifiable tort victims who are not party to the contract but affected by the duties created.

Since the defendant, Heartland “would not be exposed to ‘boundless liability,’ but rather to the reasonable amount of loss from a limited number of entities [then] even absent physical harm, Heartland may owe the Issuer Banks a duty of care and may be liable for their purely economic losses.” The decision merely allows the case to proceed and a great many additional defenses will be addressed. Nonetheless, the decision is an important reminder on the creation of contracts and the scope of those contracts as they affect third parties contemplated but not direct parties to the agreements.

COPPA updates go into effect today, if anyone is watching

The FTC revised the Children’s Online Privacy Protection Rule (COPPA) in December 2012 to take into account the rapidly expanding move to mobile applications, social media and the evolving nature of personally identifiable information. Those rules go into effect July 1, 2013.

COPPA is supposed to inform parents of data being collected about their children and provide opportunities for the parents to consent or opt out of the service.[1] Unfortunately, in application, COPPA has been applied as an either/or test – a site either caters to children and therefore complies with COPPA or prohibits use of services by children and therefore takes no steps to comply with parental notification and consent rules.

Many operators provide non-children services but do nothing to discourage use by children under 13, a practice which has obviated the impact of COPPA. Social media sites, in particular, tend to avoid compliance with COPPA and instead post disclaimers requiring that the users are over 13. But these sites have no verification procedures as to identity or age.

The FTC hopes to change this with the new rules. The amendments to COPPA are intended to minimize this gamesmanship by reducing the ability for a company to ignore actual usage by under-age customers and hide behind age disclaimers. Only time will tell whether the new rules will have that effect.

A second aspect of the new rule will likely have more impact. Self-regulatory associations can submit their certification program to the FTC for pre-approval. Provided members remain within compliance of the certified program, the approval serves as a safe-harbor, protecting members of the association from FTC enforcement actions. Examples of those applications include the following:

• Aristotle International, Inc. – Aristotle International Inc.’s Revised Integrity Children’s Privacy Compliance Program
• Children’s Advertising Review Unit (CARU), Council of Better Business Bureaus, Inc.- Children’s Advertising Review Unit of the Council of Better Business Bureaus’ (CARU) Revised Self-Regulatory Program for Children’s Advertising and Safe Harbor Requirements
• ESRB Privacy Online – ESRB Revised Safe Harbor/Kids Seal Program Guidelines
• TRUSTe – TRUSTe Revised Children’s Privacy Program
• Privo, Inc. – PRIVO Revised Safe Harbor Self-Regulatory Guidelines

The self-regulatory associations, particularly the ESRB, take member enforcement very seriously. The multi-billion dollar gaming industry has become the model for differentiating products based on market segment. It has a strong incentive to segregate its under-13 products from the other products. Of course, it remains to be seen whether this will result in fewer 10-year-olds sneaking onto 15+ (or 18+) platforms, but the video game industry has been more effective than most in reducing the casual avoidance of the age restrictions.

The biggest change under COPPA revisions is the type of information now covered as personally identifiable information. Mobile and social media have transformed the tools available to individually track a customer. Persistent identifiers such as unique IDs, computer or chip serial numbers, unique device identifiers, IP addresses, and geo-location tags all work individually or together to create unique identification. None of those tools include a name or address, yet serve to provide comprehensive, persistent information regarding the identity of each individual. COPPA therefore expands the definition of personally identifiable information to reduce personalized targeting of advertising at children.

As an example of how personally identifiable information has evolved, this paragraph describes the ESRB’s updated guidance on personally identifiable information:

Personally Identifiable Information means any information that can be used to identify an individual or which enables direct contact with an individual. This would include an individual’s name, online contact information (i.e. email addresses or other identifier that permits direct online contact with a person via instant messaging, video, voice over internet protocol or any other means not specifically defined herein), phone number, fax number, home address, social security number, driver’s license number, credit card number, photos, videos, or audio containing the image or voice of a child, persistent identifiers (such as a customer number held in a cookie or a processor serial number, a unique device identifier, or IP address), or geo-location information sufficient to identify a street name and name of town. Demographic information that is combined with personal information (including, but not limited to, gender, educational background, or political affiliation) also becomes Personally Identifiable information. Personally Identifiable Information does not include information that is encoded or rendered anonymous, or publicly available information that has not been combined with non-public Personally Identifiable Information (and has not been previously defined as Personally Identifiable Information.)

The expanded COPPA will take months to truly affect the marketplace. Even then, it will only be effective if companies take the obligations not to track seriously and treat their customers with respect – something missing from the past 15 years of COPPA compliance.

Some and perhaps a majority of people prefer to be served ads that are relevant and interesting, so they don’t mind the outcome of behavioral advertising even if they are squeamish regarding the methods used to select the ads. But Congress assumes that children have fewer defenses to advertising and these techniques can be manipulative and harmful. Targeting individual minors under 13 is therefore prohibited without the parents consent. Hopefully, the COPPA revisions will make this difference begin to matter.

For more information, see the additional guidance provided by the FTC:

The FTC has also released two new pieces designed to help small businesses that operate child-directed websites, mobile applications and plug-ins ensure they are compliant with upcoming changes to the rule.

The first is a document, “The Children’s Online Privacy Protection Rule: A Six-Step Compliance Plan for Your Business, which is designed especially for small businesses and contains a step-by-step process for companies to determine if they are covered by COPPA, and what steps they are required to take to protect children’s privacy. The FTC also released a video aimed at businesses to help explain their obligations under the revised rule, including an explanation of the changes.

Finally, the FTC has updated a guide for parents, “Protecting Your Child’s Privacy Online,” that explains what COPPA is, how it works and what parents can do to help protect their children’s privacy online.

These new documents provide guidance from the FTC staff that supplements the rule and other COPPA–related material previously published by the FTC, including an updated set of frequently asked questions about the rule. FTC staff will periodically update the FAQs.

In addition to the guidelines and frequently asked questions, FTC staff maintain a “COPPA Hotline” email address, COPPAHotLine@ftc.gov, where industry members can send questions on how to ensure they are compliant with the rule. Comments on the FAQs or suggestions for new FAQs may also be submitted through the COPPA Hotline email address.

---

[1] The COPPA rule requires that operators of websites or online services that are either directed to children under 13 or have actual knowledge that they are collecting personal information from children under 13 give notice to parents and get their verifiable consent before collecting, using, or disclosing such personal information, and keep secure the information they collect from children.

Blame Congress’ Patriot Act not the NSA or FBI

When self-proclaimed whistle blower, Edward Snowden disclosed a PowerPoint presentation allegedly detailing the Prism computer system[1] at the heart of foreign data collection program, he set off a firestorm of debate over the role of  clandestine electronic surveillance on individuals outside the United States and the U.S. residents who communicate with them.

In the week that has followed, some clarity has emerged. First, the Prism system is not a code name for a clandestine operation, but the name of the computer system used to collect and store the data. According to the Director of National Intelligence, that computer system operates under Section 702 of the Foreign Intelligence Surveillance Act (FISA) (50 U.S.C. § 1881a).

Section 702 provides that “the Attorney General and the Director of National Intelligence may authorize jointly, for a period of up to 1 year from the effective date of the authorization, the targeting of persons reasonably believed to be located outside the United States to acquire foreign intelligence information.” The reasonable belief focuses on the location of the target, not the threat posed by the target. Most of the other limitations emphasize that this should not be used if the purpose is to target someone inside the U.S.

Nowhere in Section 702 is there a requirement that the information is relevant to an investigation at some level – “specific articulable facts giving reason to believe,” or “reasonable suspicion.” Probable cause is likely not within the realm of possibility. The law allows and even encourages broad, general sweeping of data, which can then be analyzed for patterns and anomalies.

The Section 702 directives are the subject of quasi-judicial review. The FISA Court is comprised of 11 federal judges assigned this additional duty by the Chief Justice of the Supreme Court. This internally appointed judicial panel has operated since 1979. In that time, according to the Wall Street Journal, it has rejected 11 applications for various surveillance requests. During that time, the number of approved surveillance requests has been in excess of 33,900 or an approval rate of  99.97 percent. Without knowing anything more, it is inconceivable that any review process with over 99 percent approvals can constitute a meaningful review.

Harvard Law Professor and former U.S. District Judge Nancy Gertner highlighted the structural problem of the FISA Court.

It’s an anointment process. It’s not a selection process. But you know, it’s not boat rockers. So you have a [federal] bench which is way more conservative than before. This is a subset of that. And it’s a subset of that who are operating under privacy, confidentiality, and national security. To suggest that there is meaningful review it seems to me is an illusion.

The problem, therefore, is not a secret or rogue NSA plot but instead a widely supported provision of the Patriot Act designed to be used precisely as the NSA has been doing. It has executive, legislative and judicial support. But because it is operated by a close-knit association, the separation of powers has proven irrelevant as a limitation on its operation.

Moreover, the Patriot Act has other sections equally potent at eavesdropping on private information. As summarized by the ACLU, FISA Section 215 “allows the FBI to order any person or entity to turn over ‘any tangible things,’ so long as the FBI ‘specif[ies]’ that the order is ‘for an authorized investigation . . . to protect against international terrorism or clandestine intelligence activities.’” Section 215 (50 U.S.C. 1801 et seq.)

A secret NSA phone wiretapping order was also released last week highlighting the scope of metadata collection within the U.S. under Section 215.

This FISA Court Order targeting Verizon, required Verizon on an “ongoing, daily basis” to give the NSA information on all telephone metadata in its systems. Since the Section 702 orders deal with foreign data, this Section 215 court order excluded “telephony metadata for communications wholly originating and terminating in foreign countries.” The court order explains the scope of the request:

Telephony metadata includes comprehensive communications routing information, including but not limited to session identifying information (e.g., originating and terminating telephone number, International Mobile Subscriber Identity (IMSI) number, International Mobile station Equipment Identity (IMEI) number, etc.), trunk identifier, telephone calling card numbers, and time and duration of call. Telephony metadata does not include the substantive content of any communication, as defined by 18 U.S.C. [Sec.] 2510(8), or the name, address, or financial information of a subscriber or customer.

Essentially this means that all of us with Verizon phones can be tracked anywhere in the U.S., our interaction with any other parties triangulated, our First Amendment rights of Association violated, and our notion of privacy eliminated. Non-Verizon subscribers likely are subject to identical orders. There is no reason to doubt that these orders are not routinely issued to track all phone and cell phone movement data.

Mary DeRosa summarizes the changes to Section 215 which led to the Verizon court order.

Previously, FISA required the FBI to present the [FISA Court] “specific articulable facts giving reason to believe” that the subject of an investigation was a “foreign power or the agent of a foreign power.” After section 215, the government is required only to assert that the records or things are sought for a foreign intelligence investigation or to protect against international terrorism or clandestine intelligence activities, although the investigation of a United States person may not be “solely upon the basis of activities protected by the first amendment to the Constitution.” There is no requirement for an evidentiary or factual showing and the judge has little discretion in reviewing an application. If the judge finds that “the application meets the requirements” of the section, he or she must issue an order as requested “or as modified.”

Neither the NSA nor the FBI are doing anything other than that approved by Congress. Indeed, were these departments found not to be using the authority granted by Congress, there would be outrage on Capitol Hill. Instead it is the law that has vastly over-extended the government’s reach into the movements and activities of the public, both domestic and foreign.

Moreover, the sweep of the law is growing broader by the day as more and more devices and technologies use remote communications to share information. While it might require a warrant to track a vehicle, the Internet enabled Pandora music player, the self-adjusting oil change settings, and the many other connected technologies are not subject to that warrant requirement. The movement of such cars will be routinely swept into the FBI’s database as part of the Section 215 orders.

The FTC has initiated a review of the ever-growing “Internet of Things,” which is to mean the “growing connectivity of consumer devices, such as cars, appliances, and medical devices.” Combine the power of the FBI and NSA to order metadata and tracking information on all digital data with the interconnectivity of medical devices, RFID-tagged products, installed devices on vehicles, and smart phone apps, a digital map emerges. Like ants in an ant-farm, every person’s digital trail will be on display before the government. Increasingly sophisticated data analytics will eventually enable the path of each individual ant to be highlighted and sorted from among the swarm.

The growing connectivity that has extended the Patriot Act’s reach into more and more aspects of our daily lives require that we revise the laws to reign in the power of government and create a meaningful, statutory right of privacy. These revelations add attention to the problem and highlight the lack of transparency over this tracking. Congress is not shocked at these revelations because they voted to create the programs and have been repeatedly brief on their use. It is the people who have been left in the dark. Given the growth of the programs and the power of the technology they employ, it is time for a more thoughtful, balanced statutory approach.

---

[1] Reddit.com provided the link to the 2002 New York Times article first describing what is now the Prism computer system. See http://www.reddit.com/r/technology/comments/1g3zqz/the_roots_of_prism_a_new_york_times_article_from/.

DNA Collection on Warrantless Arrests

DNA Collection on Warrantless Arrests: After Maryland v. King the U.S. Deserves neither Liberty nor Safety

Guest blog by Lindsey L. Jaeger, J.D., S.S.B.B.

Is the collection of DNA the same as collecting fingerprints and photographs, a legitimate police booking procedure under the Fourth Amendment? It is now. Yesterday, in a 5:4 decision the Supreme Court held that it is constitutional to collect DNA when officers make routine warrantless arrests supported by probable cause to hold the suspects for a serious offense.

Of course, we all want to live in a safer society. There is no doubt that DNA “may significantly improve the criminal justice system and police investigative practices…” District Attorney’s Office for Third Judicial Dist. v. Osborne, 557 U.S. 52, 55.

The Fourth Amendment provides that “[t]he right of the people to be secure in their persons…against unreasonable searches and seizures, shall not be violated.” The question is whether it is reasonable to make these intrusions. The Court seems satisfied that the Maryland DNA Collection Act meets this standard, because it takes the decision to collect DNA out of the hands of a magistrate or officer and instead requires all arrestees charged with serious crimes to be swabbed, and because the Act serves a number of legitimate governmental interests.

However, the Dissent penned by Justice Scalia, focuses on the unconstitutionality of suspicionless searches for the purpose of investigating crimes.  Justice Scalia provided a synopsis of the papers of the Founding Fathers and case history to support his point that “[n]o matter the degree of invasiveness, suspicionless searches are never allowed if their principal end is ordinary crime-solving.” See slip opinion page 36-37. “The Court’s assertion that DNA is being taken, not to solve crimes, but to identify those in the State’s custody, taxes the credibility of the credulous.” Id.at page 33.

All fifty states permit the collection of DNA from felony convicts.  Now, DNA samples are permitted to be taken after an arrest without a warrant. Obviously, an arrest does not equate to a conviction.

The Dissent doesn’t delve too deep into the invasion of privacy that a DNA test represents. Is there anything more personal than our DNA? The Electronic Frontier Foundation wrote in its amicus curiae in support of King:

Our DNA contains our entire genetic makeup – our most private information about who we are, where we come from and who we will be. DNA can be used to identify us in the narrow and proper sense of that word – “who is that?” – but it also tells the world who we are related to, what we look like, and how likely we are to get specific diseases.

Fortunately for Marylanders, the Act requires either consent or arraignment of the arrested individual before DNA can be processed or placed into a database. On its face, the Act also has a few other privacy saving graces, including a requirement that DNA samples be destroyed if there isn’t a conviction, or if the conviction is reversed or vacated and no new trial is permitted, or if the individual is granted an unconditional pardon. And fortunately for the rest of us, the Court’s holding limited the decoding of the DNA samples to identification purposes and any information collected about genetic traits are to be disregarded if discovered.

But do we trust that this is the main purpose of the Act?  Justice Scalia showed that “the entire point of [checking the DNA sample against the FBI’s] DNA database is to check crime scene evidence against the profiles of arrestees and convicts as they come in.”  After all, King was arrested in 2009 for “menacing a group of people with a shotgun”, but convicted of a rape that occurred in 2003 after his DNA matched the crime scene evidence from the John Doe aggressor. If King’s DNA was, in fact, to be used to protect the staff and the other detainees, then they would have rushed to identify King with his DNA as soon as possible, but as the Dissent points out under Maryland law, DNA cannot be processed until arraignment, which in King’s case was three days after his arrest.

So, how do you unring a bell? Can the government be trusted to destroy valuable information when it has significant interests in using it against the individual or in the aggregate against us all? We did just recently enact the Affordable Care Act. Do we have such a short memory that we don’t recall that free populaces once elected known supporters of eugenics? After Maryland v. King, we are just upstream of a “Gattaca”.

Benjamin Franklin once said, “Those who would give up essential liberty to purchase a little temporary safety deserve neither liberty nor safety.” The pendulum hasn’t just swung; it has swung off its axis.