Facebook and the State of Washington Join Forces in Fighting Online Spam

Photo titled "Dislike" by Charlotte Road on Flickr

For the first time since the enactment of the federal CAN-SPAM Act, a state government and a private company joined forces in protecting consumers from spammers/scammers. On January 26, 2012, Facebook and the State of Washington filed two separate lawsuits against internet marketing company Adscend Media, alleging violations of the anti-spam law. Specifically, they claimed that Adscend Media tricked Facebook users into clicking deceptive links that appeared as recommendations from their friends. These deceptive links led users to disclose their personal information, direct them to advertising sites, and continued the cycle of spreading spam to their friends.

The CAN-SPAM Act was enacted by Congress in 2003, aiming to protect consumers from unsolicited commercial email. It requires that all commercial electronic mail must clearly and conspicuously identify the message as an ad in the subject line, clearly and conspicuously disclose to the recipient an opt-out right to not receive future emails in the text body, and cease transmission of commercial emails within 10 days of recipient of the opt-out request. The Act also establishes tough penalties of up to $16,000 for each separate email, it also grants the government and private parties the right to bring civil and criminal action against violators.

The Act covers all commercial messages, defined as “any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service.” Courts have interpreted “electronic mail message” broadly, reasoning that such a broad interpretation is consistent with Congress’ intent to curtail the number of misleading commercial messages that overburden the infrastructure of the internet. In Myspace v. Wallace and Myspace v. the Globe.com, Inc., the Central District Court of California defined an electronic mail message as a message deliverable to a unique electronic mail address. An electronic mail address is a form of electronic communications, including a traditional email address, inbox, and other alternative forms. A message posted on a Facebook wall, news feed, or home page is an electronic mail message.

The Act grants a limited right to a private party (namely internet access service providers) to bring a civil action against alleged offenders in federal court. In order to have standing to bring such action, an internet access service provider must show an adverse effect by the violation of the Act. “An adverse effect” can be a very high standard in some jurisdictions, requiring an actual harm from specific messages, rather than a general harm from receiving messages. Despite the limited private right and high standard of proving an adverse effect, more and more private entities enjoy the success against spammers. For example, Facebook has been awarded millions of dollars in judgments under the CAN-SPAM Act since 2008, including a $873.3 million judgment against a Canadian-based site for illegally using Facebook user’s log-in information to distribute spam, and a $711 million judgment against “spam king” Sanford Wallace for fraudulently gaining access to Facebook accounts and using them to send spam throughout the Facebook network.

States have the right to bring a civil action on behalf of their residents if they reasonably believe that the interests of their residents has been or is threatened or adversely affected by commercial email senders. States can either seek to enjoin future violations, or recover monetary damage. The bar for the later is much higher than the former. A state must prove that an alleged offender had actual or implied knowledge for the alleged unlawful conduct in order to recover monetary damage which is not required in an enjoinment action.

In the current joint action against Adscend Media, it is likely that both Facebook and the State of Washington have a good chance of winning. Under the broad interpretations promulgated by the courts, messages Adscend Media sent to Facebook users were electronic messages because they reached destinations receivable by Facebook users. These messages were fraudulent, as they were not recommended by Facebook users’ friends as their outward appearance would suggest. The messages were deceptive and intended to direct unsuspecting Facebook users to third party commercial sites so as to obtain the user’s personal information. Facebook suffered damages because its rights were violated. The interests of citizens of Washington State were compromised because they were tricked into disclosing personal information and pay for unwanted subscription services through spam. Adscend Media’s alleged unlawful conduct is not likely unintentional, if their actual or implied knowledge can be proven. It is not only likely to pay damages to Facebook, but also to Facebook’s users in the Washington.

IP Kidnapping

Photo titled: "Obama propone penas de cárcel obligatorias con un mínimo de tres años para los hackers" by jediadame on Flickr

On February 6th, 2012, CNET.com confirmed that the Internet security giant Symantec offered to pay a hacker or hacker group $50,000 for a promise to not release its valuable security code on the Internet. Specifically, CNET reports that beginning in early January of this year, a hacker known as “Yamatough” reached out to Symantec in an extortion attempt. Yamatough claimed to be part of the “Anoymous” hacker group that has attracted headlines in recent months, both for their attack on local, state, and federal government websites and its support of the Occupy Movement.

The object at issue is Symantec’s source code. Source code is the text written using the format and syntax of the programming language (computer language) that is specifically designed to facilitate the specific program it supports. Source code is significant because it is useful to a user, programmer, or system administrator to better understand how a program works, or more importantly, modify the program. Symantec identified the source code as that for Symantex Endpoint and Symantec Antivirus 10.2. Evidence at the time suggests that the hacker(s) may have obtained the code after breaking into servers run by Indian military intelligence.

Although Symantec publicly stated that its customers have no significant security threats due to this situation, a rational person would of course be worried. Although Symantec can and most likely has adapted its programs to this security threat, there is great reason for alarm. The source code obtained by the hackers can give them extra knowledge of Symantec projects and procedures, along with the ability to manipulate the code to best serve their interests. In addition, and perhaps most important, the threat to expose the source code to the Internet as a whole exponentially increases this risk because there will likely be no way to track the source code once it is released.

In fact, as of approximately 9:00 p.m. on February 6th, 2012, a 1.2 GB filed labeled “Symantec’s pcAnywhere Leaked Source Code” has appeared on The Pirate Bay, a large bit-torrent file sharing site. Symantec has not yet confirmed whether this is the source code at issue. What does this mean for your average attorney? Basically, its time to add another area of concern for attorneys, along with issues such as conflicts of interests, fiduciary duties, and professional responsibilities. If an Internet security giant is breached in this manner, then it may be time for attorneys, who are entrusted with confidential and sensitive personal and professional information, to be even more careful with this type of data. As technology becomes a more crucial part of an attorney’s arsenal of tools, events like this remind the profession why some times, having a simple lock and key safe may be the better bet in protecting a client’s information.

Major Record Company Brings Copyright Action Against Upstart Company Selling Used Digital Music

Photo titled "I love my music!" by Shiv Shankar Menon Palat

Last month, EMI, a top record company, alleged that ReDigi, an upstart company that sells used digital music, creates unauthorized copies of its songs through the operation of its business. EMI brought a copyright complaint against ReDigi, asking the United States District Court for a preliminary injunction to force ReDigi to shut down its business pending the court proceedings.

While the judge denied EMI’s request for the preliminary injunction, the resolution of the case will likely answer many of the questions facing the digital age. Some of the issues raised by the case include the meaning of “copy” for copyright purposes and whether transmitting copies of digital material count as a public performance. One of the biggest issues brought up with this case are what property rights does a purchaser of digital music through a source like ITunes really have?

Back before digital music existed through purchasing sites such as ITunes, people bought music the old-fashioned way—by going to the music store and purchasing a record, tape, or CD. Once someone purchased the music album, that particular copy was their album. The person could not duplicate the album and sell copies, but he or she could use it for a year and sell it to another individual or to a music store specializing in used music albums under the First Sale Doctrine.

ReDigi claims it does the same thing with digital music, since it scans the seller’s hard-drive and deletes the music file once the transaction of sale is complete. This act makes it impossible for the song initially purchased from ITunes and sold to ReDigi to be duplicated or transferred. Is this not the same thing as selling your physical album for some cash? Something the court may have to determine is whether ReDigi has really taken away the rights of the digital music holder when it deletes the song from their hard-drive, or if in this advanced technological age the seller could in actuality retain access; posing problems for companies like EMI.

Google’s New Master Privacy Policy

Photo titled: "Scary Google with Sauron Eyes" by dullhunk on flickr

Google, Inc. announced their new “master privacy policy” earlier this week, which will take effect on March 1, 2012. The new policy will replace 60 different privacy policies currently in place. Google’s goal of implementing the new policy is as follows; “Our new policy covers multiple products and features, reflecting our desire to create one beautifully simple and intuitive experience across Google.”

One of the major changes stemming from the new policy is the relationship of the user to all of Google’s products. A user will be treated as a single user. Now information will be shared across Google products, including YouTube, Picasa, Calendar, and Gmail. Under the current policy, information is maintained by each individual Google produce, rather than consolidated. By sharing information across multiple products, Google has the ability to offer more innovative features for users, customize ads, and compete with Facebook.

Eight House lawmakers already reacted to Google’s updated policy by writing a letter to Google Chief Executive, Larry Page, requesting a response by mid-February. The lawmakers, which consist of 5 Democrats and 3 Republicans, requested more information about the policy mainly regarding the collection and storage of information. Their main concern stems from a user’s ability to opt out of data collection. The lawmaker’s wrote, “Google's announcement raises questions about whether consumers can opt-out of the new data sharing system either globally or on a product-by-product basis."

Betsy Masiello, the company policy manager, responded to the letter on a blog post. She said, the company looks “forward to answering those questions, and clearing up some of the misconceptions about our privacy policies.”

A lot of the criticism stems from a lack of understanding of what information Google is currently able to obtain, and what they are going to be obtaining in the future. The information Google can access has not changed, however their process for handling the information has. In Google’s 2005 privacy policy, the company states, “We may combine the information you submit under your account with information from other Google services or third parties in order to provide you with a better experience, and to improve the quality of our services.”

Users should be aware of the new effective privacy policy to understand what type of data Google is capturing. Check out the new privacy policy below:

Google Privacy Policy, available at https://www.google.com/policies/privacy/preview

SEC Sheds Light on Cyber Threat Disclosure

Photo entitled "cycber_security" by CongressCheck on Flickr

As public companies increase their use of digital technology in business operations, they increase their vulnerability to cyber threats. This risk is evidenced by the large number of high profile cyber attacks conducted against corporations including Sony, RSA, Comcast, Bank of America, and JPMorgan.

Current federal securities law does not explicitly address disclosure requirements for cyber risks and attacks but the SEC’s Division of Corporation Finance recently published guidance to aid companies in making that determination. It is unclear how the SEC will handle the disclosure issue in the future, but its recent publication emphasizes the importance the government places on cybersecurity.

Cyber incidents can come in many forms including, gaining unauthorized access to digital information, corrupting data, and disrupting operations both electronically and physically. The SEC explains that the obligation of disclosure regarding the risk or actual impact of such an incident hinges on “materiality” or what a reasonable investor would consider important in making an investment decision.

Specifically, companies should disclose information about the risk of a cyber incident if it is “among the most significant factors that make an investment in the company speculative or risky.” In making this determination, companies should consider severity and frequency of previous incidents, probability of future incidents, and expected impact of such incidents including costs and consequences.

Additionally, public companies may be required to provide information on previous cyber attacks to place the extent of risk in context. The SEC guidance suggests that merely addressing the existence of a risk after a cyber attack occurs would likely not be sufficient. A discussion of the specific method of attack and its known and potential consequences may need to be disclosed in order to capture the full extent of the particular cyber risk.

Experts have differing opinions as to whether the recent disclosure guidance will have any immediate impacts on public companies revealing information about cyber attacks. However, at the very least, the publication puts businesses on notice that the SEC is aware of corporate cyber risk and recognizes the critical impacts such threats pose to using technology in conducting business. The SEC has made it clear that, despite an absence of express language dealing with cyber incidents, disclosure may be necessary in certain circumstances.

Going beyond the potential issue of having to make cyber attack details public, the SEC’s message should help focus companies on their cybersecurity plans. This in turn will hopefully get public corporations to consider and plan for the full extent to which cyber threats impact all aspects of business. While disclosure is an important step, it is only part of a much larger process businesses must take to secure their electronic media and protect their customers and investors.

Nothing gets a company more concerned about cybersecurity than being a cyber victim. Hopefully, the SEC and other government entities bringing cyber issues to the forefront will get businesses to start taking adequate measures to protect themselves before becoming cyber attack victims.

Security and Exchange Commission, CF Disclosure Guidance, available at http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm.

Carrier IQ – Has someone violated the Electronic Communications Privacy Act?

Photo Titled "Completely Taped" by Byung Kyu Park available on Flickr

141 Million handsets have a software program deployed on them which purports to only collect network diagnostic information for mobile phone service carriers. However, this software program is secretly running because is not easy for an average mobile phone user to see the program running on their phone because it does not appear as a “running application” on the applications list. Nor is there a clear disclosure of what data is being collected by the application, or a way to easily opt out of the application running on the mobile device. Nor is there any easy way to stop it from running on the Android phones. On November 28, 2011 Trevor Eckhart uploaded a seventeen minute video (shown above) exposing the extent of the data being captured by Carrier IQ, an application that mobile phone providers and/or carriers install on mobile phones. The video shows an Android developer searching his phone for privacy policy disclosures, and not finding any privacy disclosures related to the Carrier IQ program, he proceeds to show the type of data that is logged by Carrier IQ onto the phone’s debug log. For example, each time he presses a key that key press is logged, even when he enters information into a web page over his own local WiFi connection and the session is protected with SSL (which is an encrypted means of communicating between a client and host and forms the backbone of all secure communication over the Internet; as a standard and all data transferred within an SSL connection should be encrypted and protected after the SSL handshake). As of January 25, 2012, Eckhart’s video received over 1.9 Million views on YouTube.

In response, Carrier IQ sent Eckhart a letter threatening legal action unless he retracted his research, characterizing his analysis and posting of privacy policies as a breach of copyright which could expose him to an excess of $150,000 in damages. In response, Eckhart reached out to the E.F.F., who agreed to represent him; Carrier IQ has since backed off from its legal action and apologized for the cease and desist letter. The question remains now – has Carrier IQ, or the mobile phone manufacturers, or the mobile service carriers violated the E.C.P.A. by secretly running a software program on the mobile phones?

The Electronic Communications Privacy Act (E.C.P.A., 18 U.S.C.A. § 2510) was enacted to expand the scope of the Wiretap Act (which was focused on the interception of voice communication) to protect data transferred by computers. Title I of the Act protects messages that are in transit, and Title II of the Act protects messages that are in storage on a device. Within the E.C.P.A., it is unlawful for a person to distribute “any electronic, mechanical, or other device, knowing or having reason to know that the design of such device renders it primarily useful for the purpose of the surreptitious interception of wire, oral, or electronic communications” (18 U.S.C.A. § 2512(1)(a)). However carriers do have an exception, where under the normal course of their business in maintaining their communication systems, they can use devices to intercept wire communications.

Senator Al Franken, who chairs the Senate Judiciary Subcommittee on Privacy, Technology and the Law, has requested more information regarding what data is being collected and where the data is being sent. Depending on the type of data that is actually collected and sent to the carriers, they may be able to claim that they were operating within their normal course of business in maintaining the stability of the wireless networks. A criminal or civil case under the E.C.P.A. may not be a guaranteed success in a court of law. However, the public surprise of the extent of data being captured, and the lack of notice and control that users are able to exercise over how much activity is being tracked has already made the carriers and Carrier IQ losers in the court of public opinion.

"If the Price is too Good to be True, it Probably is” - ICE Director John Morton

Photo by: mollyali's 

A coordinated government effort to crackdown on websites selling counterfeit goods is in full force, most recently seizing 150 websites on Cyber Monday 2011. The rationale for the seizures is based on the idea that these websites steal creative ideas, cost our economy jobs and revenue, and can threaten the health and safety of American consumers by selling inferior goods in the market. Opponents argue the seizures are unconstitutional because the government does not afford the site owners adequate due process protection prior to seizing the sites.

Operation in our Sites is the effort of DOJ and DHS/ICE to halt intellectual property crimes at the national level. ICE is leading the charge, and derives its authority from the seizure and forfeiture laws of 18 U.S.C § 981 and 2323. As Margaret A. Esquenet and Justin A. Hendrix explain, (http://www.ecommercetimes.com/story/72344.html) “Under Section 2323, property used to a commit federal crime, such as criminal trademark or copyright infringement, is subject to forfeiture to the U.S. government. Under Section 981, the government can apply to a federal court for a warrant to seize that property. To obtain the warrant, the government must show there is probable cause that the website violates federal criminal law. The owner of the domain name may challenge the seizure warrant in the district court that issued it. During a later forfeiture proceeding, the owner also may challenge the basis for forfeiture.”

To carry out the Operation, ICE agents make undercover purchases of various products covered by trademark, including professional sports jerseys, golf equipment, DVD sets, footwear, handbags, and sunglasses. Once the goods arrive and the trademark holders confirm that the purchased products are counterfeit, seizure orders are obtained. The intent of ICE is to protect the economy and consumers, and ensure that revenue is flowing to the rightful parties instead of to those who steal intellectual property. The objective is a good one, and the websites are property used to commit a federal crime, so the seizures and the process by which they are carried out are legitimate under federal statute.

ICE may need to revisit the effectiveness of some their procedures to reach that end, though. In February 2011, the department rightfully seized 10 sites before the Super Bowl that were accused of offering illegal streaming video of sporting events, and before Valentine’s Day, it seized 18 sites selling counterfeit luxury goods. But somehow along with those, it shut down 84,000 other legitimate sites and posted a notice that the reason was for “advertisement, distribution, transportation, receipt, and possession of child pornography.” Not good. The error may have had to do with linking sites, but the owners of the legitimate sites deserve a more robust due process procedure so as to avoid future errors.

Operation in our Sites is certainly a complicated technological effort without introducing administrative hurdles. But there is likely little harm (expense notwithstanding) in an email notice to domain name owners that their site is subject of investigation and will be shut down in 48 hours without further action on their part.

Carrier IQ: Cell Phone Data Snooping Revealed

Photo by: sam_churchill 

Earlier this week, a 25-year old security researcher named Trevor Eckhart posted a YouTube video detailing a program called “HTC IQ Agent” that was installed on his cell phone. Trevor showed that the program was recording every action taken on his phone, including key presses, text messages, and passwords - and then transmitting this data directly to the offices of the company Carrier IQ. The program started automatically with the phone, ran in the background, and could not be turned off. It wasn’t a virus, nor was it installed by an outside vendor; it came pre-installed on his phone.

The revelation that a company was extensively tracking cell phone users actions lit off a firestorm of controversy. Numerous technology blogs decried Carrier IQ's actions. Carrier IQ soon threatened Mr. Eckhard with legal action, but then apologized after Mr. Eckhard sought the protection of the Electronic Frontier Foundation.

In its defense, Carrier IQ claims that all of the recorded data transmitted is anonymous. The company provides a valuable service to many U.S. cell phone carriers, who contract with Carrier IQ to provide specialized diagnostic, trending, and troubleshooting data for the devices on their network. The issue is the sheer volume and depth of data being recorded, which seems unnecessary for purely diagnostic or reporting purposes.

Whenever I accept a terms of service or license agreement on a website, I assume that I'm giving up all of my rights related to content and privacy. However, even in this digital age, I still consider my right of privacy to extend to my personal belongings; the information in my wallet, my documents, and even information stored on my cellphone. As cellphones have become more powerful and increasingly connected, they have become personal organizers. My calendar, contact list, Christmas shopping ideas, and other personal information are all stored on my cellphone. Given that I've tapped all this information into my cell phone at some point, it is likely that this information is also now stored somewhere on Carrier IQ's servers.

So far, Carrier IQ software has been found on both Android and iOS cell phones for several U.S. carriers. Many guides and how-to documents have been posted with instructions on how to disable the software. The Senate has even gotten involved, giving Carrier IQ until December 14th to address privacy concerns. In addition, it's possible that Carrier IQ has violated federal wiretapping statutes, and already there are rumblings of class action lawsuits.

It's also quite possible that this story has been overblown. Many journalists have noted that the data stored are purely anonymized metrics that carriers use to improve their service, ultimately benefiting consumers. There is no evidence that personal, identifying information has been used in an improper manner. However, given the amount and type of data being recorded, I am uncomfortable with any company having this information on their servers. A line has been crossed, and thanks to Trevor Eckhart, the world knows.

Massachusetts Lawmakers Approve Human Trafficking Bill

Photo By: iragelb 

On November 15th, Massachusetts’ House and Senate approved a Human Trafficking Bill that has been urged by human rights advocates. The bill imposes life sentences for pimps and other traffickers found guilty of coercing children into sex and forced labor. The bill also confronts the important matter of treating children as well as adults forced into prostitution as victims and not as offenders. Additionally, the bill will create a panel to study approaches to prevent trafficking. The sex trade is an increasing problem in Massachusetts, yet the state is one of three states that have yet to enact an anti-trafficking law.

While slavery is often considered obsolete, the exploitation through forced sex and labor is estimated to include trafficking of 27 million people around the world. This modern slavery has evolved through the use of the Internet, which conveniently allows traffickers to recruit and sell victims over websites, taking prostitutes off of the streets and out of the view of the public and law enforcement and placing them into hotel rooms.

Much attention has been given to advertising websites and their “adult” sections, which are intended as a means for consenting adults to find other consenting adults. Inevitably, the advertisements have been used for soliciting sex and in some instances sex with minors. When Craigslist banned sexually related advertising in the US in 2010, a majority of this activity found a new home on BackPage.com. The site has recently received demands from anti-trafficking advocates, including the fifty-one attorneys general and an interfaith social justice group, to remove the section in order to stop the online advertising for prostitution, emphasizing the exploitation of minors made possible through listings.

The letter from the attorneys general states that efforts made by BackPage.com to reduce trafficking of both adults and children have been unsuccessful, and more than 50 instances of trafficking or attempting to traffic minors through the site have been discovered. The letter provides an example of how a trafficker, in Dorchester, MA used the site to exploit a minor by “forcing a 15-year-old girl into a motel to have sex with various men for $100 to $150 an hour” and found the customers by “post[ing] a photo of the girl on BackPage.com.”

While shutting down the advertising will put an end to trafficking on those sites, with the Internet’s infinite domains, any setbacks for traffickers will be minor and clients will merely be required to use some extra effort to find other sites. Sadly, if traffickers are capable of physically abusing, controlling and exploiting children, they are also capable of looking elsewhere and creating other means to continue making a profit off of forcing others to work for it.

The recent Massachusetts bill approval is a great start to shed light on the fact that there is a problem and treating the victims as criminals is not the solution. The bill places the blame where it belongs: on the trafficker. Arguments have been made that not all adult prostitutes are trafficked, and it is a nice theory that a consenting adult has a right to make a living selling their body. However, prostitution by choice is not the rule but the exception. Children are trafficked as young as eleven and twelve years old and often remain in the sex trade into adulthood, demonstrating that even adult prostitutes are unlikely to have chosen this life for themselves. The reality is that all trafficking victims are controlled by fear, coercion, and violence, and the Internet is allowing this activity to go unseen. By shifting the current social stigma surrounding prostitution to victimization, trafficked individuals are more likely to seek help from the medical community and from law enforcement.

The bill, which will more likely than not soon become law, is important in officially recognizing there is a problem that needs to be addressed. A significant part of the bill is the establishment of a panel to study ways to prevent trafficking. Educating young people at risk of being trafficked as well as the entire public is essential. Eliminating the role of the Internet in trafficking is to be expected as a major issue in prevention to be addressed by this future panel.

A Step Towards Anonymous Browsing on Mobile Devices

Photo by: jeffschuler 

As Americans we “get” our right to privacy through provisions of the 1st, 4th and 14th amendments. We have the 1st amendment right to free assembly, the 4th amendment right be free from unwarranted search and seizure and the 14th amendment right to due process. Through these provisions the Supreme Court has addressed and upheld birth control rights, abortion rights, marriage rights, and child rearing rights among other issues related to privacy.

With the surge of people using the Internet over the past 2 decades, from children to college students to baby boomers, there is endless amounts of personal information on the internet, some of it intentionally put there and some of it not intentionally publicized. It is harder to maintain ones privacy in this world of instant Facebook access and oversharing on Twitter. Adding to this dilemma is the advent of the smart phone, from Iphones to Blackberries, you can now remotely upload a picture to Facebook, you can browse the Internet on the train, and update your blog while out to dinner.

Using these devices can leave the user or others vulnerable to their privacy being invaded. Not only can others access public Facebook profiles and see content that 3rd parties in pictures or mentioned may not be aware of, but websites track browsing and respond with ads and suggestions, not to mention the dangerous problems of phishing, hacking and identity theft. For example Google scans emails and then advertises for things mentioned in “personal” emails. Anyone with access to your computer or device can check your history and see where you have been poking around on the Internet.

This week, Apple approved the use of an application that will now be offered in the App Store. This Covert Browser for Ipad will allow users to confidentially browse the Internet (a similar App is also available for the Iphone). Although there are kinks to be worked out, you can purchase the peace of mind of “completely” anonymous web browsing for just $2.99. The Covert Browser is a much more secure way to browse than other secure networks. The technology behind the application is Tor. Tor triple encrypts data and routes it through three computers whereas other secure browsing only route through one computer, leaving users vulnerable to the companies responsible for the routing. The Apple endorsed application is a much needed move towards privacy for mobile devices.