Law Across the Wire and Into the CloudRecent Developments in Internet Law

On Thursday, May 17, the House Subcommittee on Crime, Terrorism, and Homeland Security will hold a hearing on H.R. 2168, the Geolocational Privacy and Surveillance Act (“GPS Act”).

The GPS Act was jointly introduced in June 2011 by Sen. Ron Wyden (D-OR) and Rep. Jason Caffetz (R-UT) with the intent of creating a legal framework to give government agencies, companies, and individual citizens clear guidelines for when and how geolocation information can be accessed and used.  The Act is modeled on Federal Wiretapping statutes, and would require law enforcement agencies to obtain a warrant before acquiring an individual’s geolocation information from a private company.  It would also require warrants when law enforcement agencies want to directly monitor individuals’ movements, using installed tracking devices or similar tools.

The Act would also in effect implement the Digital Due Process Coalition’s principle for ECPA reform regarding location tracking, which states that a government entity may only access or require a covered entity to provide location information regarding a mobile device with a warrant issued based on a showing of probable cause.

In emergency situations, the Act would allow law enforcement officers to obtain the information that they need immediately and then seek a warrant later.  The Act would also contain exceptions to the warrant requirement in cases where the individual tracked is reasonably believed to be in danger or has requested help, the individual’s geolocation information is publicly available, a mobile device has been stolen, or the individual (or their parent/guardian in the case of minors) has consented to the tracking.

Although the Act would permit service providers to collect geolocation information in the normal course of business, it makes clear that they are only allowed to share or sell customers’ data with the customers’ consent.

According to press reports, the hearing will focus primarily on the circumstances in which acquiring geolocation information will be permitted.  The witnesses attending the hearing will include:  (1) John Ramsey, National Vice President of the Federal Law Enforcement Officers Association;  (2) Joseph I. Cassily, Past President of the National District Attorneys Association; (3) Edward J. Black, President and CEO of the Computer & Communications Industry Association; and (4) Catherine Crump, Staff Attorney at the American Civil Liberties Union.

The hearing will be held at 10 a.m., in room 2141 of the Rayburn Building.

A recent exchange of letters between Sen. John McCain and General Keith Alexander (Director of NSA and the Commander of USCYBERCOM) highlights the continuing tension between supporters of McCain’s SECURE IT Act of 2012 (S.2151) (“SECURE IT”) and those who, like the Obama Administration, support Sen. Joe Lieberman’s Cybersecurity Act of 2012 (S.2105) (“CSA”).  As has been widely reported, the two bills take very different approaches to cybersecurity.  SECURE IT calls for a voluntary information sharing regime that would apply to all entities and is focused on sharing of cyber threat information, with liability protection for those who participate.  It also contains provisions that modify criminal penalties for certain cyber activities and implement certain R&D efforts.  It is similar, in some respects, to the Cyber Intelligence Sharing and Protection Act (“CISPA”) (H.R. 3523), which passed the House at the end of April.  In contrast, the CSA focuses on “Covered Critical Infrastructure” (“CCI”) and mandates compliance with a minimum set of cybersecurity requirements by any owner or operator such CCI.  It also contains provisions addressing DHS authorities, education and workforce development, R&D, and other related topics.

The sparring began on March 29, 2012, when McCain sent Alexander a letter with pointed questions about Alexander’s March 27 testimony before the Senate Armed Services Committee, during which Alexander stated “that the U.S. Government needs no additional authorities to defer and defend against cyber attacks on our nation,” and his earlier testimony, in which he stated additional authorities were needed.  McCain then intimated that Alexander had bowed to political pressure, suggesting that his testimony “appears to have been more heavily influenced by White House policy, rather than your best military and technical advice and expertise.”

In his May 4 response, Alexander began by observing that the U.S. needs new cyber legislation that “removes existing barriers and disincentives that inhibit the owners of the critical infrastructure” from sharing information with the government.  However, Alexander also recognized the need for balance, stating that “[a]t the same time, it is important that legislative requirements not be too burdensome.”  Alexander also stated that the U.S. military needs to be ready to carry out “both offensive and defensive missions” (emphasis added).  In response to McCain’s accusation of political pandering, Alexander closed by saying that he “remain[s] committed to providing you my best military and technical advice and expertise.”

McCain responded on May 9, first noting the disparity between Alexander’s position in his May 4 letter and the “legislative proposal being supported by the Administration in the United States Senate,” and then expressing his belief that the current U.S. cyber strategy is “insufficient and overly reliant on defense.”  He also noted that a single policy tactic will not solve the cybersecurity debate.  McCain advocated instead for an approach that fosters a “cooperative relationship between the government and the private sector” (such as in his SECURE IT bill) as opposed to other proposals that would “establish an adversarial one” (such as that in Lieberman’s CSA).

McCain then unleashed a scathing public criticism of DHS, the CSA, and the Administration’s support of both, stating that (a) he “do[es] not believe tying liability protection exclusively to sharing with the government should be characterized as voluntary, that it encourages better information sharing…or does enough to protect individual privacy” and (b) adding an additional layer of bureaucracy via the DHS is not in the best interest of either national security or private sector flexibility.  He then went onto note that he was “unaware of the Congress ever creating a regulatory regime in which it does not say what entities will be regulated, and simultaneously authorizes a government agency, an agency with few if any regulatory successes, to determine what needs to be regulated and how to regulate it.”

It is difficult to argue with Sen. McCain’s criticisms here.  The state of cybersecurity could actually get worse under a vaguely defined and adversarial regime.  Instead, we need a balanced approach to cybersecurity legislation, as Gen. Alexander has stated.  Taking a voluntary approach that is coupled with true incentives (and some appropriate disincentives) would seem to make the most sense.  Sen. McCain points out that his SECURE IT bill avoids a burdensome regulatory approach, allows a cooperative relationship between the government and private sector on cybersecurity, and “allows those who have the greatest capabilities to protect us to have the best opportunity to do so.”  Whether SECURE IT strikes the right balance, however, remains to be seen.

Spring is here and we’ve decided it’s time to unveil our brand new website.  Back in September we released our new logo, which we created to represent the evolving personality of ZwillGen.  Since then we’ve been working on a website that better represents the bold, driven, innovative, edgy, fiercely independent and confident personality of ZwillGen.  We hope our new website exudes these qualities while presenting our expanded service offerings and value-oriented philosophy.

So please, enjoy our new website and support it by liking us on Facebook, subscribing to our news feed or joining our mailing list.

Last week, the Association of National Advertisers (ANA) and the American Association of Advertising Agencies (4A’s) took a stance against pirated content sites by issuing a “Statement of Best Practices to Address Online Piracy and Counterfeiting.”  Combined, these two groups represent most of the major brands and ad agencies that ultimately fund online ads.

As a result, exchanges and data platforms may start to see provisions in media placement agreements and IOs that reflect these Best Practices – for instance, provisions requiring them to comply (or to have their network partners comply) with take-down requests, and even to offer advertisers refunds for ads placed on so-called “rogue” websites.

The Associations said that the Best Practices were designed to prevent the advertising industry from “providing financial support to, or otherwise legitimizing ‘rogue’ Internet sites” – which they defined as sites “whose primary and apparent purpose is to steal or facilitate theft of . . .  intellectual property.”  The Associations distinguished such sites from “legitimate social media or user-generated content sites,” even if those sites occasionally display infringing content.  The Best Practices arrive on the heels of an allegation earlier this year in United States v. Dotcom et al. that some $25 million of that site’s revenues (albeit a minority of total revenue) were from online ad sales.  And last year, GroupM announced a blacklist of some 2000 websites to be cut off from ad sales of its brand clients.

The Associations effectively are inviting content owners to identify such sites:  they noted that “in most instances such sites will initially – but not conclusively — be identified by intellectual property owners.”

The Associations specifically identity three specific “Best Practices” for the online advertising ecosystem to implement:

1. Contractual Measures:  Media placement agreements and insertion orders (IOs) between advertisers and ad placement networks and platforms (the Associations use the term “intermediaries”) must have language requiring commercially reasonable measures that prevent ads from being placed on “rogue” publisher sites;
2. Take Down Measures:  Networks and platforms that place ads must have a way to remove or exclude such sites from their services, and promptly terminate ad placements on these sites, when rights holders or advertisers provide reasonable, detailed notices;
3. Refunds:   Refunds or credits must be given to advertisers for “fees, costs and/or value associated with non-compliant ad placements.”

The Best Practices and accompanying announcement, is available in full, at http://www.ana.net/content/show/id/23408.

On May 30, 2012, the FTC will host a public workshop to discuss advertising disclosures in the online and mobile contexts.  The FTC is looking to update its “Dot Com Disclosures” guidance, which was issued in 2000, to provide better guidance for businesses in the current advertising environment.  Earlier this week, the FTC released the preliminary agenda for the workshop, which will include discussions of advertising disclosures in the cross-platform, social media, and mobile environments.  The agenda also includes a panel on mobile privacy disclosures, which the FTC discussed extensively in its recently released Staff Report on Privacy (See our analysis of the Staff Report here).

More information about the workshop can be found here.

On April 20, 2012, the Northern District of California dismissed two of three Video Privacy Protection Act (“VPPA”) claims brought against Sony Computer Entertainment America, LLC (“SCEA”) as non-actionable under the statute. In Rodriguez v. SCEA, et al., Plaintiff Rodriguez sought damages related to SCEA’s alleged disclosure and retention of his personally identifiable information (“PII”) to Sony Network Entertainment International LLC (“SNEA”), as a result of the transfer of SCEA’s assets to its successor company SNEA.

The Court dismissed Rodriguez’s first claim that SCEA failed to destroy Plaintiff’s PII as soon as practicable, but no later than one year from the date the information was no longer necessary in violation of the VPPA’s document destruction requirements.  In doing so, the Court found that Rodriguez did not have a cause of action, citing Sterk v. Redbox Automated Retail, LLC, 672 F.3d 535 (7th Cir. 2012), where the Seventh Circuit firmly established that a “plaintiff may only sue for damages under VPAA for unlawful ‘disclosure’ of PII, not for the purportedly unlawful ‘retention’ of PII.”

The Court also dismissed both of Rodriguez’s disclosure claims.  Rodriguez alleged that SCEA’s disclosure of Plaintiff’s PII to SNEI during the transfer of certain assets violated the VPPA’s prohibition against disclosure of consumer information.  However, the Court determined that the VPPA expressly permits disclosure of PII “’if the disclosure is incident to the ordinary course of business of’ the provider, with ‘ordinary course of business’ further being defined as a ‘transfer of ownership.’”  18 U.S.C. § 2710(a)(2); 18 U.S.C. §  2710(b)(2)(E).  Accordingly, Plaintiff’s claim based on disclosure made during such a transfer could not state a claim under the VPPA.

Additionally, Rodriguez alleged that subsequent to the transfer to SNEI, SCEA disclosed his PII to John Doe defendants “in connection with SNEI’s use and/or disclosure of plaintiff’s PII for marketing and advertising purposes.”   The Court dismissed this claim, but without prejudice, finding that Plaintiff had “fail[ed] to state that a disclosure has affirmatively taken place, identify with particularity the person(s) or entity to whom such disclosure was made, or state that any such disclosure falls outside the scope of disclosures permitted under the VPPA.”

In sum, the Court rightfully affirmed the Seventh Circuit’s finding in Redbox that a civil litigant does not have a cause of action under the VPPA for retention of PII and held that disclosures made as a result of the transfer of ownership do not violate the provisions of the Act.

 The Cyber Intelligence Sharing and Protection Act (“CISPA”), H.R. 3523, passed in the House yesterday (April 26) in a 248 – 168 vote, despite opposition from several groups and a veto threat from the White House.  The bill, which has been amended over the past couple of weeks in an attempt to address both security and privacy concerns, would allow private companies and the government to share “cyber threat intelligence” with each other.

In a joint statement, Rep. Rogers and Rep. Ruppersberger emphasized the balanced nature of the bill, stating that CISPA “gives the federal government new authority to share classified cyber threat information with approved American companies and knocks down barriers to cyber threat information sharing.  With strong provisions built in to keep individual Americans’ private information private, the bill allows U.S. businesses to better protect their own networks and their corporate customers from hackers looking to steal intellectual property.”

Critics of the law have raised concerns that the sharing of any cyber threat intelligence with the government will lead to illegal collection and exploitation of personal information by the intelligence community.  Despite amendments to address privacy concerns, privacy advocates still don’t believe the bill offers enough protection.  The White House was critical as well,  stating that “[c]ybersecurity and privacy are not mutually exclusive.”

While the White House position is correct that information sharing “must be conducted in a manner that preserves Americans’ privacy, data confidentiality, and civil liberties and recognizes the civilian nature of cyberspace,” an emphasis on privacy at all costs could jeopardize security by stalling the passage of needed cyber legislation.  As Rep. Rogers observed yesterday, “we can’t stand by and do nothing as U.S. companies are hemorrhaging from the cyber looting coming from nation states like China and Russia.”

On April 20, Manhattan Criminal Court Judge Sciarrino issued an Order upholding prosecutors’ ability to seek the account information and public tweets of an Occupy Wall Street protestor, Malcolm Harris, which Harris posted both before and after his arrest last fall for disorderly conduct on the Brooklyn Bridge.

Harris was one of about 700 protestors arrested last October for walking in the roadway on the Brooklyn Bridge, despite police warnings not to do so.  In January, the Manhattan DA’s office sent a subpoena to Twitter asking for “any and all user information” related to Harris’ account from September 15 to December 31, 2011.

Harris then filed a Motion to Quash arguing, among other things, that the subpoena did not comply with the Electronic Communications Privacy Act (“ECPA”) because it could be interpreted as asking for all private messages between Harris and others, as well as e-mail addresses and phone numbers used by Mr. Harris, web pages he had visited and information about his physical location at various times, information which he argued would require either a warrant or a court order to obtain under ECPA.  He also argued that the subpoena sought information about an overbroad period of time, interfered with his privacy and free association rights, and would be used by prosecutors for investigatory purposes beyond just investigating the disorderly conduct violation.

In contrast, prosecutors argued that the Twitter information requested was directly relevant to the violation given that the protestors were aware of police orders not to walk on the roadways, and that the information contained in the Tweets would prove such advance knowledge.  They also emphasized that there should be no limit on their ability to obtain publicly sent messages, even ones that were no longer visible because new ones crowded them out.

Judge Sciarrino agreed with the prosecutors.  He first held that Harris did not have standing to challenge a subpoena directed at Twitter, not him, noting that the situation was analogous to subpoenaing bank records, which under NY law are considered third-party information for which account owners cannot stop a bank from divulging pursuant to a court order.  Judge Sciarrino also pointed to Harris’ acceptance of Twitter’s broad license in its Terms of Use, which essentially provides that all postings made are owned by Twitter, not by the poster, and gives Twitter the right to use and disclose such posts in any way it chooses.

As to the ECPA claims, Judge Sciarrino concluded that the subpoena complied with ECPA’s requirements for obtaining basic subscriber information, and that his Order now provides the appropriate level of process to compel Twitter to disclose the contents of the Tweets, given that the prosecutors have already shown “specific and articulable facts showing that there are reasonable grounds to believe” that the Tweets “are relevant and material to an ongoing criminal investigation.”  However, given Mr. Harris’ privacy concerns, Judge Sciarrino noted that he would review the requested material before the Manhattan District Attorney’s Office sees it.

On March 26, 2012, the FTC released its final Staff Report titled, “Protecting Consumer Privacy in an Era of Rapid Change,”  which proposes a three-part privacy framework that would apply to online and offline commercial entities that collect and use certain types of consumer data.  While the FTC was careful to state its proposals are only intended to provide a framework for congressional legislation, they are good indications of what the FTC considers acceptable privacy practices.  There are numerous items and recommendations in the report that, if implemented, could have a significant effect on many different types of businesses.  Our detailed analysis of the Report and its potential implications for businesses is available here.

The Third Circuit Court of Appeals issued an opinion on April 16, 2012, breathing new life into Free Speech Coalition’s challenge to Section 2257’s recordkeeping requirements on producers of adult content, ( Free Speech Coalition v. Attorney General of the United States).  Part of Title 18, Section 2257 is an anti-child pornography measure that requires that producers of adult content to maintain records of the names and ages of all participants or face criminal penalties.  Free Speech Coalition, and other plaintiffs, filed suit in the Third Circuit arguing that Section 2257 violates the First and Fourth Amendments to the Constitution.  In overturning the dismissal of both the as applied and facial challenges by the District Court, the Court of Appeals seemed most sympathetic to the possibility that the recordkeeping requirements, and the right of the government to inspect such records, may impermissibly impinge on the rights of citizens who are not engaged in the commercial pornography business, but may only produce adult content in the privacy of their homes for their own enjoyment.

The Court of Appeals remanded the case to the District Court to allow plaintiffs to develop the factual record to show how the record-keeping requirements may burden production of adult content where there is no risk of improper use of minors.  Particularly, in light of potential home production of adult content being covered by the statute, the court felt that the Fourth Amendment warrantless search issues should be re-examined at the same time, given that such private activities are unlikely to fall within the administrative search exception.

The government opposed the broad reading of Section 2257 pointing to implementing regulations that limit the scope of DOJ enforcement to production of adult content for business or trade purposes.  The Court of Appeals rejected this argument finding that regulations are insufficient to cure the potential over breadth of the statute.  The Court similarly rejected the government’s “constitutional avoidance” argument, finding that the clear language of the statute supported application to both non-commercial and commercial creation of adult content.

This is just the latest chapter in the long-standing litigation between the Free Speech Coalition and the Department of Justice over Section 2257 requirements.  There is clearly more to come.