Who Will Protect Your Data?

Ever since service providers expanded to wireless and mobile coverage, the landscape for federal guidance has changed drastically.  In the past , the Federal Trade Commission (“FTC”) oversaw enforcement of privacy and data security issues, deriving their authority from Section 5 of the FTC Act, which allows them to pursue action against companies that they deem to be undertaking deceptive or unfair acts and practices in commerce.  Section 5 of the FTC Act, however, lists a key exemption for companies considered to be “common carriers.”

If a company is considered to a be a common carrier, the Federal Communications Commission (“FCC”) then typically has jurisdition.  While this made sense before broadband, cable, and wireless services became prevalent, the push for “net neutrality” has, ironically, opened the door to less protection and data oversight due to confusion over whether the FCC or the FTC must act on behalf of consumers.  In his support of net neutrality, the principle that Internet service providers (“ISPs”) should enable access to all content and applications regardless of the source, without favoring or blocking specific websites or applications, President Obama allowed the FCC to reclassify broadband providers as Title II common carrier service providers under the 2015 Open Internet Order.  This suddenly meant that companies that were previously under the FTC’s oversight suddenly became subject to FCC rules instead.

As a result, this has unfortunately created great confusion over how data security breaches and consumer information should be handled because the FCC typically did not handle such litigation.  Some experts have even gone as far as to question whether the FCC has the requisite expertise to handle such litigation against these technology companies when it has historically been the FTC who sued companies such America Online, CompuServe, and Prodigy on behalf of consumers.

Even more frustratingly, the confusion may have been avoided by better overall government planning.  These problems in overlap were foreseen as early as 2007 in a report filed by the Internet Access Task Force, which noted that “the common carrier exemption is likely to frustrate the FTC’s efforts to combat unfair or deceptive acts and practices and unfair methods of competition in these interconnected markets.”

And now, the confusion has only been further compounded by a 9th Circuit 2016 ruling that turned on whether the entity in question has the ‘status” of a common carrier.  While the FTC and FCC have long argued over whether exemptions are given based on status or activity, the 9th Circuit held that the “plain language” of the statute does not make any reference to activities, and therefore ruled against the FTC (and thus consumers) and in favor of technology giant, AT&T.

While consumers have urged the court to reverse the decision, which allowed AT&T to throttle the mobile Internet speed of its customers without explicit consent, the turmoil only continues as the FCC seems to have taken a step back from their new regulatory role.  Just this past March, the FCC issued a stay of rule that would have created new consumer privacy protection by requiring ISPs and phone companies to take ‘reasonable’ steps to protect consumer information (e.g., social security numbers, health information, web history, etc.) from theft and data breaches.  In their explanation, the FCC cited an interest in shifting authority back to the FTC to “avoid consumer confusion.”

While it remains to be seen which government entity will ultimately provide the best privacy protection for consumers, law practioners would be wise to follow the legal the two agencies and relevant court rulings until clear, brightline guidance emerges.




Are the ICANN Rights Protection Mechanisms Contrary to Trademark Law?

Most trademark practioners are familiar with the Internet Corporation for Assigned Names and Numbers (“ICANN”), an organization that is private sector and non-profit.  Assembled in 1998, ICANN has become responsible for overseeing coordination and management of several Internet databases in order to ensure uniformity and consistency among differing operations across the web.  Most notably, ICANN has become primarily responsible for overseeing the Internet’s global domain name system (“DNS”), which included the rollout of top-level domains (“TLDs”) and generic top-level domains (“gTLDs”); as well as the introduction of non-Latin characters in web domains.

Earlier this month, ICANN met in Copenhagen and were faced with an open letter from the Electronic Frontier Foundation (“EFF”) and co-signed by several trademark law practioners and academics.  In the letter addressed to the co-chairs of the ICANN GNSO PDP Working Group on the Rights Protection Mechanisms (“RPMs”), the EFF and friends denounced ICANN’s current RPMs as divisive and contrary to the fundamentals of trademark law.

In support of their arguments, the EFF argues that ICANN’s current RPMs and policies favor the rights of famous brand owners or large corporations due to its procedures and high pricing.  As such, the RPMs result in an unbalanced system that works against the competitors of famous brand owners and the public in general.

Moreover, the EFF takes particular issue with ICANN’s Trademark Clearinghouse.  Created to allow companies that own preexisting rights in a mark to have first shot at registering specific domains, the EFF argues that this process becomes a barrier to the free market as companies with big budgets can easily purchase a multitude of domains that have only tentative ties to their actual marks.

Further, the EFF alleges that the Trademark Clearinghouse extends protection far beyond what is normally allowed by traditional trademark law.  For example, in its current form, the Trademark Clearinghouse allows for the inclusion of some design marks which are arguably not normally protectable without accompanying designs.  Similarly, the EFF complains about a lack of transparency when it comes to how ICANN maintains its trademark registration records.  Noting that national trademark registries have been traditionally open to public search and review, the EFF argues that ICANN’s decision to keep its registry private is misguided, especially in light of the search technology that exists today.

In its defense, ICANN notes that, as with many of its procedures, the Trademark Clearinghouse and its RPMs came as a result of several years of planning that included a wide variety of stakeholders, not just famous brand owners.  Likewise, they argue that their decision to recognize the aforementioned design marks merely aids in providing uniform trademark law guidelines on the Internet in the face of opposing standards of registration among differing countries and jurisdictions.  Lastly, in response to the EFF’s criticisms private recordkeeping, ICANN argues that this practice deters bad-faith actors from trying to capitalize on domain-squatting.

While only time will tell whether ICANN’s policies will evolve enough to balance out the needs of both famous brand owners and small business owners alike, ICANN, in the meantime, has noted that it currently uses a RPM Review Working Group to constantly review and restructure the current RPMs in place.



Can You Be Prosecuted for a Tweet?

Last December, well-known Newsweek journalist Kurt Eichenwald suffered a seizure in Dallas after opening a flashing animation he received via Twitter.  After it was clear that the message was an attack and not mere happenstance, law enforcement became involved.

In his public profile and writings, Eichenwald has made it clear that he not only suffers from epilepsy but that he is also extremely sensitive to light.  In fact, just weeks before the December 15th attack, Eichenwald had posted publicly about a similar attack directed at him via Twitter.  Just weeks before the attack, Eichenwald had received a similar flashing animated message with strobe lights via Twitter but had escaped harm because he had dropped his iPad just in time.

Police have no had difficulty in determining the motive of alleged perpetrator, John R. Rivello.  Rivello’s Twitter profile is rife with ultra-right musings and postings, and he has even boasted about targeting Eichenwald in the past because he believes Eichenwald to be an overly harsh critic of President Trump.

With the assistance of Twitter, who agreed to expedited court-ordered subpoenas, law enforcement was able to determine that Rivello sent Eichenwald a flashing image of Trump along with the message “You deserve a seizure for your post.”

Although Rivello has no previous criminal history, legal experts consider the Twitter message to be digital equivalent of a mail bomb.  With the advent of social media and smart devices, experts note that terrorists now have unfettered access to potential victims than ever before.  Because social media and the Internet fail to have specific protection and safeguards in place, in contrast to traditional brick-and-mortar handlers like the U.S. Post Offices, dangerous messages can be sent directly to victims without any preemptive screening.

Further, the evidence against Rivello is stacking up.  Law enforcement has evidence of Rivello boasting about targeting Eichenwald in the past.  And because not all epilepsy can be triggered by flashing lights, law enforcement experts note that Rivello’s message would only make sense in the context of knowing that Eichenwald was light-sensitive.

Despite the unique nature of the crime, cybersecurity experts note that this is not the first time that technology has been leveraged against medically-vulnerable victims.  It may, however, mark the first time that law enforcement will bring criminal charges against the perpetrator.

As the case becomes one of the first crimes committed via flashing-message, many have pondered whether Rivello’s actions are considered protected speech under the Constitution.  This defense is doubtful, however, as Rivello’s comments do not have the necessary “expressive value” that would trigger protection under the First Amendment.  Specifically, as it can hardly be said that Rivello’s taunts are contributing to the “marketplace of ideas,” experts believe that the law will come down hard on Rivello.  As the Internet becomes more widespread, and as the Internet of Things is on the verge of becoming a reality, consumers with social media accounts or hackable smart devices (e.g., pacemakers, insulin pumps, etc.) may be especially vulnerable.  We can only hope that the courts and Congress will provide strong protection and helpful guidance in the future as a means of deterring such criminal attacks.


Privacy Laws Done?

Advocates of online privacy have been concerned with the latest privacy law changes voted on by Congress.  As many recall, rules passed last year by the Federal Communications Commission (“FCC”) required Internet service providers (“ISPs”) to request permission from their consumers before collecting, using, or selling any information deemed personal.  Specifically, these FCC rules prohibited the selling of personal user data without explicit consent from the consumer.

Now, under a new Congressional Review Act, Congress has decided to forego these resolutions.  In a very close vote, 50-48, the Senate voted to overturn last year’s privacy laws, which would have prohibited ISPs from selling consumer data to third parties that include, but are not limited to, ad buyers, search engines, and analytics companies.

While Congress has defended their decision by claiming that the current FCC rules are confusing and unclear, Congress has yet to offer alternate resolutions that would protect consumer privacy.  Congress is not alone in this argument, however, as the telecommunications industry has also argued that the FCC guidelines are unfair as written because they give unfair business advantages to technology companies that are not governed by the FCC.

Presently, it is unclear when the House of Representatives will review the bill, but if the House also decides to overturn the FCC privacy rules, the decision would then flow up to President Trump.  If the White House were to agree with overturning such rules, these changes would also prevent the FCC from reinstating similar privacy rules in the future.

Without strong consumer-privacy rules in place, technology giants such as Verizon, AT&T, and Comcast are not only free to track the personal user data of consumers, but they are also allowed to freely share the personal information with third parties.  Notably, however, web companies such as Facebook and Google are exempt from such restrictions.  Since mobile and broadband providers were reclassified as “common carriers” last year, these companies came under the supervision of the FCC instead of the FTC.

In response to such criticism, current FCC Chairman Ajit Pai explains that the main impetus in voting to overturn the regulations is because he believes that, as written, the current rules are unclear and make the FCC and FTC’s regulatory approaches too different to be effective.

Either way, if the consumer-privacy rules are rolled back, many experts in the field fear that it is only a matter of time before other legal regulations designed to ensure net neutrality are affected.  As such, in the meantime, practioners must ensure that clients have the proper privacy safeguards in place.  Similarly, practioners and business owners alike are encouraged to keep an eye on the everchanging legal landscape of FTC/FCC privacy guidelines.





ADA Lawsuits on the Rise

As more companies build online presences, few recognize the perils that often accompany the responsibility of maintaining an online website.

For example, most businesses fail to recognize that once their companies’ websites go online, these websites become subject to Title III of the American Disability Act (“ADA”).  Compliance with Title III requires that companies prohibit discrimination that would inhibit a consumer’s enjoyment of a public place due to a preexisting disability.

In the past, this meant that businesses had to ensure that they supplied accommodations for consumers with disabilities.  This usually came in the form of installing elevators that had braille or building parking lots that had handicap spaces and ramps.  Thus, if  ADA lawsuits were filed, they were generally brought against businesses that were regularly visited by the general public en masse (e.g., movie theaters, parking garages, supermarkets, etc.).

With the advent of the Internet, however, all of this has changed.  Now, because websites are also considered to be “places of public accommodation” under the ADA, new lawsuits can be brought against almost anyone who operates a website.  The most common types of website-based ADA lawsuits pertain to the lack of: text-to-speech options, closed-captioning of media, or screen readers for the visually-impaired.

What aggravates the issue even more is the fact that some law firms have teamed up with professional plaintiffs to bring class action or boilerplate ADA lawsuits against website operators, both big or and small, banking on the general public ignorance of Title III’s application to Internet websites.

And if anything, the federal government has only exacerbated the problem by refusing to issue official guidelines on website accessibility until 2018.  Originally, the Department of Justice had released an advance notice of proposed rulemaking back in July of 2010, but has remained relatively silent on the subject sans the issuance of two statements of interest in cases brought against Harvard University and the Massachusetts Institute of Technology.  In its statement, the Department of Justice stated that the two universities had preexisting obligations to make their websites accessible to those with disabilities.  In the absence of clear federal guidance, circuit courts currently remain divided over the issue of whether websites truly qualify as “places of public accommodation.”

As such, most legal experts agree that, until the federal government issues clear regulations regarding accessibility, website operators should follow the guidelines set forth by the World Wide Web Consortium (“W3C”).  Companies may also greatly benefit from consulting or hiring ADA web-compliance experts to help them build new websites or audit preexisting ones in order to avoid becoming the target of ADA web-compliance lawsuits.


States Lead the Charge in Protecting Internet Privacy

In light of recent changes to the federal Internet privacy law, state lawmakers have begun to draft and propose legislation aimed at creating broad protection and guidelines when it comes to protecting the personal data of consumers online.

Earlier this month, the Senate approved the rollback of certain protections in the “Protecting the Privacy of Customers of Broadband and Other Telecommunications Services” bill that would have protected consumers’ personal data (e.g., browsing history, app usage, etc.) online by making it more difficult for companies to collect, share, or sell such consumer data.  The House of Representatives is expected to vote to follow suit later this week.

As a result, and in response to growing concerns from their constituents, state lawmakers have begun to draft and introduce legislation in their home states as a means of filling the void.  For example, in Washington, lawmakers have already begun the process to introduce bills that would add privacy protection of sensitive online data to preexisting consumer-protection laws.  Washington’s bill specifically requires Internet service providers (“ISPs”) to acquire the consent of their consumers before collecting or sharing any of their personal information.

Other states like California and Connecticut already have laws that specifically restrict government access to online communications (e.g., email), while other states such as Nebraska and West Virginia limit the control a company may exert over their employees’ social media accounts.  Lastly, some states are also considering the extension of such privacy protection beyond employees, newly proposing laws that would also cover students and tenants as well.

Illinois, on the other hand, is considering a “right to know” bill that would allow consumers to find out what kind of personal information is being collected about them on the Internet or whenever they access specific online goods or services.  Supporters of the Illinois law point to the European Union’s current privacy laws as proof that such laws are not only prudent but possible.

Interestingly, Illinois has already become a trailblazer of sorts when it comes to protecting consumer privacy.  Over a decade ago, Illinois passed the Biometric Information Privacy Act, which regulates the collection of personal information in the form of data such as facial scans, voice data, and thumbprints.  Although the law passed years ago, such personal data (and its protection) has become increasingly relevant in today’s day and age; thanks to its ubiquitous use in smartphones and other smart devices.  Illinois has taken similarly strict stances on consumer privacy rights, passing laws that govern the collection and usage of consumers’ geolocation data, and a new bill has been proposed to limit the use of microphones on smart devices.

National organizations like The Electronic Frontier Foundation and the American Civil Liberties Union note that the government’s recent move to rollback consumer privacy protection gives the states a unique opportunity to step in and exert more control over the protection of such personal data.  Experts note that, not only are similar laws already being proposed in Hawaii, Minnesota, Montana, Illinois, and California, but these proposals enjoy widespread bipartisan support in their respective states.

Legal experts also note that there has been a recent trend in the use of class action lawsuits as a means of lobbying for privacy protection online.  In Illinois, some attorneys have helped found a new nonprofit group, the Digital Privacy Alliance, which advocates for the protection of consumer privacy online in Illinois.  In the absence of federal guidance, it seems like it will only be a matter of time before other states follow suit.



Amazon Fights ASIN Hijacking

As Amazon has experienced exponential growth since its inception, it has had to wrestle with new and emerging issues in technology and intellectual property law.

One of the more recent issues has been ASIN hijacking.  ASIN stands for Amazon Standard Identification Number.  The Amazon Standard Identification Number is a 10-character alphanumeric unique identifier assigned by Amazon and its partners to products for easy and uniform identification within the Amazon organization.  Other similarly used identifiers are the Universal Product Code, which is a twelve-digit bar code used in the United States or the European Article Number (“EAN”), which is a 12-13-digit product identification code used in Europe.

Amazon used to guarantee that the numbers used were unique internationally, but now ASINs can only be guaranteed to be unique within a specific country’s market.  This means that different ASINs may refer to the same product in different markets.  This practice contrasts with other identifiers such as the International Standard Book Number (“ISBN”), which guarantees identical number usage regardless of the marketplace.

ASIN hijacking refers to the unsanctioned use of intentionally attaching ASIN numbers to counterfeit products to make quick profits off of a pre-established brand owner’s goodwill.   While both large and small brand owners have been victim to the problem, technology giant, Apple, has brought renewed interest in the problem by filing a lawsuit against Amazon supplier, Mobile Star.

Mobile Star sells several Apple products through the Amazon Marketplace, marking their products with ASIN numbers that correspond with genuine Apple products.  In safety tests, however, Apple found that a large majority of the 100 iPhone chargers, devices, and Lightning cables purchased through Amazon failed routine safety checks.

In their lawsuit, Apple noted that the products were not only counterfeits but were also extremely dangerous.  The poor craftmanship and lack of adequate electrical insulation in some of the products could not only cause some of the devices to catch fire but were also of fatally shocking users as well.

Amazon’s seller portals are also filled with threads from smaller brand owners that request help or complain of ASIN hijacking.  Many brand owners note that, within 72 hours of listing a product, they often return to find that the product page, product descriptions, and product price of their products have been changed to reroute buyers to counterfeit listings.

In response, Amazon notes that they actively respond to requests for takedowns and provide several channels for brand owners to file complains.  Despite this, however, brand owners feel that the damage done by counterfeits renders Amazon’s response to be too little and too late.  With inventory often being time-sensitive, ASIN hijacking often results in lost profits and unjustified negative reviews on the bona-fide seller’s page.

In the meantime, until Amazon finds a better way to police ASIN hijacking, experts note that sellers should consult intellectual property counsel to determine how best to protect their brand and their assets.  For example, some brand owners may want to consider including watermarks in their official media shots or attempt to incorporate brand names into molds or as part of the manufacturing process.  Online retailers may also want to consider utilizing third-party watch services that track suspicious listings and alert the brand owners when new and unauthorizing listings come online.