
Monday, January 09, 2012

Carrier IQ, the Electronic Communications Privacy Act, and the Digital Millennium Copyright Act


Image titled Android Virus by Charliesalima

In the same week that Facebook settled its dispute with the Federal Trade Commission (“FTC”) over allegedly deceiving consumers about its privacy practices, an Android developer, Trevor Eckhart, discovered that Android phones run software that logs keystrokes and hides its presence on the phone. The discovery of Carrier IQ (CIQ) software embedded in Android phones (and, over the following days, in other smartphones) raises legal questions that might expose both smartphone vendors and customers to liability.

The Electronic Communications Privacy Act, 18 U.S.C. 2510 et seq. (2006) (ECPA), expanded the Federal Wiretap Act to prohibit interception of electronic communications through any “system affecting interstate or foreign commerce” without the consent of at least one of the parties to the communication. The Digital Millennium Copyright Act prohibits circumvention of effective measures designed to prevent unauthorized access to copyrighted material. 17 U.S.C.A. 1201 (2006).

Much of the analysis of Carrier IQ misunderstands the ECPA, so some discussion of what the ECPA does and does not cover is in order. The ECPA has been interpreted to allow keystroke logging that intercepts signals sent between the keyboard and the computer, because until an email or other message is actually sent, the computer is not “a system affecting interstate or foreign commerce.” U.S. v. Ropp, 347 F. Supp. 2d 831 (C.D. Cal. 2004). The bulk of CIQ’s spying does not violate the ECPA. As Eckhart noted in his criticism of CIQ, when he dialed a phone number, the software logged the number before he made the call. Some states may have privacy laws prohibiting CIQ’s conduct, and certain consumers may have other claims (e.g. copyright infringement if any of their emails or texts contained material they owned a copyright to), but the ECPA does not prohibit keylogging.

Other portions of CIQ’s data collection may violate the ECPA. CIQ apparently also intercepts incoming text messages and emails. Incoming messages satisfy the “affecting interstate or foreign commerce” standard. Whether the manufacturers or carriers who installed CIQ violated the ECPA would then depend on whether they had valid contracts which allowed them to intercept their customers’ messages, a factual question specific to each carrier. Carriers’ recent panicked statements to the media indicate that most do not, as carriers have generally claimed either that they do not collect the data Carrier IQ collects, or that they only collect some less offensive subset of it. Carriers have put themselves in a precarious position by making such assertions, which smartphone manufacturers claim are false. The claim that a carrier does not collect data is only believable if the carrier does not include a data collection provision in its contracts, or includes the provision in a manner designed to keep consumers from recognizing or understanding it. Carriers who try to avoid bad publicity now may find themselves estopped from asserting a contract defense to ECPA claims in a later lawsuit.

A lawsuit may be the only option consumers have. Self-help is available to copyright owners in many scenarios, but is denied to people who want to protect their privacy from their wireless carrier. CIQ cannot be turned off through normal means, at least on the phone Eckhart tested. It can be defeated by hacking the phone. However, because CIQ is protected by digital rights management (DRM) software, consumer attempts to turn CIQ off may violate the DMCA.

In 2010, the Librarian of Congress used its powers under the DMCA to create an exemption for “jailbreaking” smartphone handsets. However, the exemption only applies when the jailbreaking is for purposes of interoperability, offering consumers no hope for protecting their privacy.

The DRM technology in use does not need to be strong to make circumventing it illegal. In spite of the word “effective” in the statute, courts have held that the DMCA also prohibits circumvention of ineffective measures designed to protect copyrighted material, because effective measures don’t need legal restrictions on circumvention and the word “effective” would be mere surplusage if it didn’t also cover ineffective measures. See Universal City Studios v. Reimerdes, 111 F. Supp. 273 F.3d 429 (2d Cir. 2001). The DMCA applies even when no copyright is violated, and it carries criminal penalties.

The DMCA leaves customers of carriers who use CIQ no other option but to accept violations of their privacy, find a carrier which does not use CIQ, or sue. Given the number of misleading press releases put out by carriers in the last few days and the frequent use of adhesion contracts that lock customers in to long periods of service, option 2 may not be so easy. While the case for ECPA violations is not as strong as some have asserted, it is still viable, and may be consumers’ only hope.

Monday, November 21, 2011

Copyright Office Releases Discussion of “Mass Digitization”


Photo Titled "Kindle/Nook Hollow Book Holder" by Conduit_Press

Just this past month the Copyright Office released a forty-page document entitled Legal Issues in Mass Digitization: A Preliminary Analysis and Discussion Document. The document is supplemented with multiple useful appendixes and comes in at just under one hundred pages total. What could possibly motivate the Copyright Office to go to such lengths? The answer is Google. More specifically, Google Books and a variety of organizations throughout the world that are attempting to compress as much printed or published material as possible into a digital medium. The problem is that the printed material, overwhelmingly books, is most likely under copyright with an owner who must grant permission for such copying. Hence copyrights.

The cases that led to this report and raised most of these concerns are Authors Guild v. Google Inc., 770 F. Supp. 2d 666 (S.D.N.Y. 2011), and the companion case American Society of Media Photographers, Inc. v. Google Inc., Civil No. 10-2977 (S.D.N.Y.). Google has been scanning books, many copyrighted, since 2004 and made full copies available to users of partner academic libraries and samples available to the general public via the internet. The report notes that the court was concerned “that exclusive rights afforded by copyright law should not be usurped as a matter of convenience, and that policy initiatives that redefine the relationship between copyright law and new technology are in the first instance the proper domain of Congress, not the courts.” Google attempted to settle the matter at one point but the Department of Justice was concerned that Google’s behavior would continue and have negative long-term implications. Though settlements are expected, future litigation is almost inevitable.

The document goes on to describe how books are being mass digitized and who the interested parties are. Google is obviously one of these parties. A conglomerate made up of twelve well-known universities, Google, Microsoft and the Internet Archive created the HathiTrust Digital Library that contains three billion pages of scanned content. European governments have also partnered with private organizations to digitize as many cultural and scientific resources as possible. The Library of Congress, the Smithsonian Institution, and the National Archives all have detailed digital plans for the future as well. It is definitely worth noting that there is already a vast amount of literary work available online throughout the world. The EU, France, Germany, and China are all working on government-funded projects to digitize books that are considered imperative to the preservation of history.

The fourth part of the report analyzes how copyright laws, specifically licensing, interact with book digitization initiatives. Under the Copyright Act a copyright owner possesses a “bundle of rights” that includes the right to exploit the digital rights of their work however they see fit. The Copyright Act also grants a limited exception to libraries and their ability to make copies of books. The report also notes “it is difficult to imagine an exception to copyright applying to the commercial partners of libraries.” The Fair Use exception is discussed but no concrete predictions for its application can be arrived at. Fair Use is employed as a defense once the court finds infringement, and it analyzes the motives and individual circumstances of the infringer on a case-by-case basis. The last issue raised in the fourth part of the report is “orphan works.” The term orphan work is used to describe a copyrighted work without a locatable owner to obtain permission from. Congress has discussed a “safe harbor” for certain organizations that are using orphan works as long as the work is no longer used if the copyright owner reappears and objects to its use.

Licensing schemes are discussed in the last part of the report covering both direct licensing and collective licensing. Collective licensing would encompass voluntary (direct negotiation between licensee and licensor), extended (requiring some form of legislation to allow groups to bargain on behalf of licensee and licensor), and compulsory (basically forcing the copyright holder to license the use of the work) methods.

Many of the concerns brought up in this document are analogous to the concerns society and business had with the invention and rise in popularity of copiers/Xerox machines and videocassette recorders/VCRs. The use of digitized books by members of non-profit organizations like universities and public libraries does not seem to be the main problem here because the library will most likely be a good faith partner that can be negotiated or renegotiated with. The long-term concerns seem to be centered on what framework needs to be put in place to protect copyright owners from technology that isn’t “here” yet. If you told an author twenty years ago that their most lucrative royalties would come from tablets, Nooks, or Kindles they would try to have you committed. But many if not most people’s lives now revolve around digital content. It would not be fair if that stick in the copyright owner’s bundle of rights is compromised; it may ultimately prove to be the most valuable stick.

The full document can be found here: OFFICE OF THE REGISTER OF COPYRIGHTS, LEGAL ISSUES IN MASS DIGITIZATION: A PRELIMINARY ANALYSIS AND DISCUSSION DOCUMENT, (2011), available at http://www.copyright.gov/docs/massdigitization/USCOMassDigitization_October2011.pdf

Friday, October 07, 2011

Cloud Computing: Terms of Service and Risks

Image Courtesy of Wikimedia Commons

Cloud computing is an increasingly used buzzword among IT departments, businesses, advertisers, and individuals. Without even knowing it, many of us use cloud computing daily. For example, the emails I receive, sent to various addresses, are all forwarded to GMail (www.gmail.com), where I’m allowed a free 7 gigabytes of storage – provided that I allow Google to search and read my email, determine what I’m most likely to buy, and serve up advertisements accordingly. Nearly all of my important documents are stored in DropBox (www.dropbox.com), a cloud computing storage drive. It’s installed on my work computer and laptop, and synchronizes with both. Documents are also accessible via the DropBox website. I can pay for more storage, or refer others to get more storage for free. Wherever I am, I have a copy of my important documents. I don’t have to worry about my hard drive crashing or spilling coffee on my laptop (well that’s still a worry but at least I can still access my materials if it happens).

What is cloud computing? There are many definitions, but generally it is a system where resources are accessed remotely from a dedicated internet-based service. In this respect, cloud computing is not a new concept; its core functionality has been around in one form or another since the early days of computing.

Originally, computing was prohibitively expensive and typically performed on large systems called mainframes. People would connect to, share time, and work on these systems via a ‘dumb’ terminal. As IBM, Microsoft, and Apple popularized the personal computer, the bulk of computing moved to individual machines with their own dedicated processing units. With the exponential growth of the Internet and increase in network speeds, we now see the proliferation of low (and high) cost ‘terminals’ that ultimately connect to a central resource for the bulk of computing power and storage needed. Cloud computing differs from mainframe computing in that the resources are typically spread across many datacenters and accessible from anywhere with an Internet connection. Cloud-based services can provide greater redundancy and reliability, while also offering elasticity – the ability to instantly scale as needed.

However, there are risks to moving to a cloud model. The most prominent risk is the possibility of data loss. For example, in April 2011 Amazon’s EC2 service crashed. Amazon quickly worked to restore all of their customer data, but their backups were insufficient and a small percentage of data was lost. The outage affected thousands of companies who had outsourced their web hosting and data storage needs to Amazon. The customers who lost data had little recourse; the Amazon EC2 terms of service, the terms that all users of the service must agree to, state that the customer is ultimately the one responsible for backing up his own data.

The terms of service agreements for cloud computing services, while rarely read or understood, highlight many of the risks involved, such as privacy. Data stored with a cloud vendor may physically reside on multiple servers. Any computer attached to a network is vulnerable to security intrusions. In their terms of service (TOS), companies typically do not guarantee against security intrusions. Generally, vague terms such as “Reasonable and Appropriate Measures” will describe the steps taken to secure your data. Having your files hosted and replicated across several data centers in different states and possibly different countries may also lead to some jurisdictional issues.

Another issue is ‘uptime,’ or the percentage of time that a cloud computing service is up and running. Cloud vendors should guarantee a minimum level of service, embodied in what are called Service Level Agreements (SLAs). This level is usually guaranteed to be in excess of 99.9%, with service credits or refunds offered if it dips below this level. However, there are few mechanisms available to monitor uptime for any service, and it is questionable whether the term covers service that is technically up and available but frustratingly slow. Businesses that decide to migrate to cloud computing services should ensure that uptime is included in the agreement and determine means for enforcement.

While cloud computing typically offers redundancy, reliability and elasticity, people should be aware of the risks involved and plan its use accordingly. Businesses should assess the potential reduction in costs by integrating cloud computing into their environments, and compare it with the loss of control inherent to using a cloud provider. However, for the general public, cloud computing storage and services are likely to be more reliable than the same services on a home PC – though having an extra backup couldn’t hurt.

Tuesday, January 18, 2011

Slash Not Welcome in the Jungle: Axl Rose Sues Activision Over Use of Slash's Image in Guitar Hero III

Axl Rose is suing Activision for $20 million for allegedly breaking its promise not to include images of Slash, his former band mate in Guns N’ Roses, in Guitar Hero III. Mr. Rose claims that this promise was a condition of his granting Activision a license to use the song “Welcome to the Jungle” in Guitar Hero III. This promise was allegedly in the form of a written agreement in a series of emails. An animated version of Slash appears on the cover of the videogame. The suit claims fraud and breach of contract amongst other causes for relief.

It may be difficult to prove breach of contract due to the parol evidence rule. The parol evidence rule concerns what can be admitted as evidence when the court considers a contract. California’s parol evidence rule states that “[t]erms set forth in a writing intended by the parties as a final expression of their agreement with respect to such terms as are included therein may not be contradicted by evidence of any prior agreement . . . .” Cal. Civ. Proc. Code § 1856(a) (2007).

A full parol evidence analysis is beyond the scope of this blog entry, and would require a copy of the contract, all relevant material, and the actual complaint; therefore this blog post will concentrate on just one limited aspect. If the court finds that the parties had a contract that was a “writing intended by the parties as a final expression of their agreement,” that will affect the admissibility of evidence of a prior agreement. If the email agreement to not use Slash’s image was made prior to the contract, that agreement will not be admissible as evidence to contradict the contract.

Prior agreements can, nevertheless, be admitted to show fraud. Under California law, the key language which defines fraudulent deceit is “[o]ne who willfully deceives another with intent to induce him to alter his position to his injury . . . .” Cal. Civ. Code § 1709 (2009). Deceit is defined as:

1. The suggestion, as a fact, of that which is not true, by one who does not believe it to be true;
2. The assertion, as a fact, of that which is not true, by one who has no reasonable ground for believing it to be true;
3. The suppression of a fact, by one who is bound to disclose it, or who gives information of other facts which are likely to mislead for want of communication of that fact; or,
4. A promise, made without any intention of performing it.

Cal. Civ. Code § 1710 (2009). In order for Mr. Rose to succeed with a fraud claim, he will have to prove that Activision purposely deceived him with the intention of getting him to license “Welcome to the Jungle” to Activision. Fraud cases are often difficult to prove, as there is rarely a “smoking gun” to show the fraudulent intention, and plaintiffs must instead often rely on the fact-finder to impute intent based on circumstantial evidence. Yet, the fraud claim may wind up being stronger than the breach of contract claim because the parol evidence rule can absolutely bar evidence from even being considered at trial.




  © Copyright 2010 The Journal of High Technology Law, Suffolk University Law School