Facebook and the State of Washington Join Forces in Fighting Online Spam

Photo titled "Dislike" by Charlotte Road on Flickr

For the first time since the enactment of the federal CAN-SPAM Act, a state government and a private company joined forces in protecting consumers from spammers/scammers. On January 26, 2012, Facebook and the State of Washington filed two separate lawsuits against internet marketing company Adscend Media, alleging violations of the anti-spam law. Specifically, they claimed that Adscend Media tricked Facebook users into clicking deceptive links that appeared as recommendations from their friends. These deceptive links led users to disclose their personal information, direct them to advertising sites, and continued the cycle of spreading spam to their friends.

The CAN-SPAM Act was enacted by Congress in 2003, aiming to protect consumers from unsolicited commercial email. It requires that all commercial electronic mail must clearly and conspicuously identify the message as an ad in the subject line, clearly and conspicuously disclose to the recipient an opt-out right to not receive future emails in the text body, and cease transmission of commercial emails within 10 days of recipient of the opt-out request. The Act also establishes tough penalties of up to $16,000 for each separate email, it also grants the government and private parties the right to bring civil and criminal action against violators.

The Act covers all commercial messages, defined as “any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service.” Courts have interpreted “electronic mail message” broadly, reasoning that such a broad interpretation is consistent with Congress’ intent to curtail the number of misleading commercial messages that overburden the infrastructure of the internet. In Myspace v. Wallace and Myspace v. the Globe.com, Inc., the Central District Court of California defined an electronic mail message as a message deliverable to a unique electronic mail address. An electronic mail address is a form of electronic communications, including a traditional email address, inbox, and other alternative forms. A message posted on a Facebook wall, news feed, or home page is an electronic mail message.

The Act grants a limited right to a private party (namely internet access service providers) to bring a civil action against alleged offenders in federal court. In order to have standing to bring such action, an internet access service provider must show an adverse effect by the violation of the Act. “An adverse effect” can be a very high standard in some jurisdictions, requiring an actual harm from specific messages, rather than a general harm from receiving messages. Despite the limited private right and high standard of proving an adverse effect, more and more private entities enjoy the success against spammers. For example, Facebook has been awarded millions of dollars in judgments under the CAN-SPAM Act since 2008, including a $873.3 million judgment against a Canadian-based site for illegally using Facebook user’s log-in information to distribute spam, and a $711 million judgment against “spam king” Sanford Wallace for fraudulently gaining access to Facebook accounts and using them to send spam throughout the Facebook network.

States have the right to bring a civil action on behalf of their residents if they reasonably believe that the interests of their residents has been or is threatened or adversely affected by commercial email senders. States can either seek to enjoin future violations, or recover monetary damage. The bar for the later is much higher than the former. A state must prove that an alleged offender had actual or implied knowledge for the alleged unlawful conduct in order to recover monetary damage which is not required in an enjoinment action.

In the current joint action against Adscend Media, it is likely that both Facebook and the State of Washington have a good chance of winning. Under the broad interpretations promulgated by the courts, messages Adscend Media sent to Facebook users were electronic messages because they reached destinations receivable by Facebook users. These messages were fraudulent, as they were not recommended by Facebook users’ friends as their outward appearance would suggest. The messages were deceptive and intended to direct unsuspecting Facebook users to third party commercial sites so as to obtain the user’s personal information. Facebook suffered damages because its rights were violated. The interests of citizens of Washington State were compromised because they were tricked into disclosing personal information and pay for unwanted subscription services through spam. Adscend Media’s alleged unlawful conduct is not likely unintentional, if their actual or implied knowledge can be proven. It is not only likely to pay damages to Facebook, but also to Facebook’s users in the Washington.

IP Kidnapping

Photo titled: "Obama propone penas de cárcel obligatorias con un mínimo de tres años para los hackers" by jediadame on Flickr

On February 6th, 2012, CNET.com confirmed that the Internet security giant Symantec offered to pay a hacker or hacker group $50,000 for a promise to not release its valuable security code on the Internet. Specifically, CNET reports that beginning in early January of this year, a hacker known as “Yamatough” reached out to Symantec in an extortion attempt. Yamatough claimed to be part of the “Anoymous” hacker group that has attracted headlines in recent months, both for their attack on local, state, and federal government websites and its support of the Occupy Movement.

The object at issue is Symantec’s source code. Source code is the text written using the format and syntax of the programming language (computer language) that is specifically designed to facilitate the specific program it supports. Source code is significant because it is useful to a user, programmer, or system administrator to better understand how a program works, or more importantly, modify the program. Symantec identified the source code as that for Symantex Endpoint and Symantec Antivirus 10.2. Evidence at the time suggests that the hacker(s) may have obtained the code after breaking into servers run by Indian military intelligence.

Although Symantec publicly stated that its customers have no significant security threats due to this situation, a rational person would of course be worried. Although Symantec can and most likely has adapted its programs to this security threat, there is great reason for alarm. The source code obtained by the hackers can give them extra knowledge of Symantec projects and procedures, along with the ability to manipulate the code to best serve their interests. In addition, and perhaps most important, the threat to expose the source code to the Internet as a whole exponentially increases this risk because there will likely be no way to track the source code once it is released.

In fact, as of approximately 9:00 p.m. on February 6th, 2012, a 1.2 GB filed labeled “Symantec’s pcAnywhere Leaked Source Code” has appeared on The Pirate Bay, a large bit-torrent file sharing site. Symantec has not yet confirmed whether this is the source code at issue. What does this mean for your average attorney? Basically, its time to add another area of concern for attorneys, along with issues such as conflicts of interests, fiduciary duties, and professional responsibilities. If an Internet security giant is breached in this manner, then it may be time for attorneys, who are entrusted with confidential and sensitive personal and professional information, to be even more careful with this type of data. As technology becomes a more crucial part of an attorney’s arsenal of tools, events like this remind the profession why some times, having a simple lock and key safe may be the better bet in protecting a client’s information.

Major Record Company Brings Copyright Action Against Upstart Company Selling Used Digital Music

Photo titled "I love my music!" by Shiv Shankar Menon Palat

Last month, EMI, a top record company, alleged that ReDigi, an upstart company that sells used digital music, creates unauthorized copies of its songs through the operation of its business. EMI brought a copyright complaint against ReDigi, asking the United States District Court for a preliminary injunction to force ReDigi to shut down its business pending the court proceedings.

While the judge denied EMI’s request for the preliminary injunction, the resolution of the case will likely answer many of the questions facing the digital age. Some of the issues raised by the case include the meaning of “copy” for copyright purposes and whether transmitting copies of digital material count as a public performance. One of the biggest issues brought up with this case are what property rights does a purchaser of digital music through a source like ITunes really have?

Back before digital music existed through purchasing sites such as ITunes, people bought music the old-fashioned way—by going to the music store and purchasing a record, tape, or CD. Once someone purchased the music album, that particular copy was their album. The person could not duplicate the album and sell copies, but he or she could use it for a year and sell it to another individual or to a music store specializing in used music albums under the First Sale Doctrine.

ReDigi claims it does the same thing with digital music, since it scans the seller’s hard-drive and deletes the music file once the transaction of sale is complete. This act makes it impossible for the song initially purchased from ITunes and sold to ReDigi to be duplicated or transferred. Is this not the same thing as selling your physical album for some cash? Something the court may have to determine is whether ReDigi has really taken away the rights of the digital music holder when it deletes the song from their hard-drive, or if in this advanced technological age the seller could in actuality retain access; posing problems for companies like EMI.

Google’s New Master Privacy Policy

Photo titled: "Scary Google with Sauron Eyes" by dullhunk on flickr

Google, Inc. announced their new “master privacy policy” earlier this week, which will take effect on March 1, 2012. The new policy will replace 60 different privacy policies currently in place. Google’s goal of implementing the new policy is as follows; “Our new policy covers multiple products and features, reflecting our desire to create one beautifully simple and intuitive experience across Google.”

One of the major changes stemming from the new policy is the relationship of the user to all of Google’s products. A user will be treated as a single user. Now information will be shared across Google products, including YouTube, Picasa, Calendar, and Gmail. Under the current policy, information is maintained by each individual Google produce, rather than consolidated. By sharing information across multiple products, Google has the ability to offer more innovative features for users, customize ads, and compete with Facebook.

Eight House lawmakers already reacted to Google’s updated policy by writing a letter to Google Chief Executive, Larry Page, requesting a response by mid-February. The lawmakers, which consist of 5 Democrats and 3 Republicans, requested more information about the policy mainly regarding the collection and storage of information. Their main concern stems from a user’s ability to opt out of data collection. The lawmaker’s wrote, “Google's announcement raises questions about whether consumers can opt-out of the new data sharing system either globally or on a product-by-product basis."

Betsy Masiello, the company policy manager, responded to the letter on a blog post. She said, the company looks “forward to answering those questions, and clearing up some of the misconceptions about our privacy policies.”

A lot of the criticism stems from a lack of understanding of what information Google is currently able to obtain, and what they are going to be obtaining in the future. The information Google can access has not changed, however their process for handling the information has. In Google’s 2005 privacy policy, the company states, “We may combine the information you submit under your account with information from other Google services or third parties in order to provide you with a better experience, and to improve the quality of our services.”

Users should be aware of the new effective privacy policy to understand what type of data Google is capturing. Check out the new privacy policy below:

Google Privacy Policy, available at https://www.google.com/policies/privacy/preview

SEC Sheds Light on Cyber Threat Disclosure

Photo entitled "cycber_security" by CongressCheck on Flickr

As public companies increase their use of digital technology in business operations, they increase their vulnerability to cyber threats. This risk is evidenced by the large number of high profile cyber attacks conducted against corporations including Sony, RSA, Comcast, Bank of America, and JPMorgan.

Current federal securities law does not explicitly address disclosure requirements for cyber risks and attacks but the SEC’s Division of Corporation Finance recently published guidance to aid companies in making that determination. It is unclear how the SEC will handle the disclosure issue in the future, but its recent publication emphasizes the importance the government places on cybersecurity.

Cyber incidents can come in many forms including, gaining unauthorized access to digital information, corrupting data, and disrupting operations both electronically and physically. The SEC explains that the obligation of disclosure regarding the risk or actual impact of such an incident hinges on “materiality” or what a reasonable investor would consider important in making an investment decision.

Specifically, companies should disclose information about the risk of a cyber incident if it is “among the most significant factors that make an investment in the company speculative or risky.” In making this determination, companies should consider severity and frequency of previous incidents, probability of future incidents, and expected impact of such incidents including costs and consequences.

Additionally, public companies may be required to provide information on previous cyber attacks to place the extent of risk in context. The SEC guidance suggests that merely addressing the existence of a risk after a cyber attack occurs would likely not be sufficient. A discussion of the specific method of attack and its known and potential consequences may need to be disclosed in order to capture the full extent of the particular cyber risk.

Experts have differing opinions as to whether the recent disclosure guidance will have any immediate impacts on public companies revealing information about cyber attacks. However, at the very least, the publication puts businesses on notice that the SEC is aware of corporate cyber risk and recognizes the critical impacts such threats pose to using technology in conducting business. The SEC has made it clear that, despite an absence of express language dealing with cyber incidents, disclosure may be necessary in certain circumstances.

Going beyond the potential issue of having to make cyber attack details public, the SEC’s message should help focus companies on their cybersecurity plans. This in turn will hopefully get public corporations to consider and plan for the full extent to which cyber threats impact all aspects of business. While disclosure is an important step, it is only part of a much larger process businesses must take to secure their electronic media and protect their customers and investors.

Nothing gets a company more concerned about cybersecurity than being a cyber victim. Hopefully, the SEC and other government entities bringing cyber issues to the forefront will get businesses to start taking adequate measures to protect themselves before becoming cyber attack victims.

Security and Exchange Commission, CF Disclosure Guidance, available at http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm.