Homeland Security Gets Kansas City Panties In A Knot.

You might know that it would take an article on unmentionables to get me back on the blog horse. Well, thanks DHS, for just such a push. It is reported that Homeland Security raided a Kansas City store and confiscated several dozen pairs of panties with the Kansas City Royals trademark on them.

OK, several questions: (i) Panties?; (ii) Homeland Security?; and (iii) Why Kansas City and not my Cardinals in the World Series? Oh, and what does this have to do with law and technology? More on that later.

First, Panties? A Kansas City shop had hand drawn the KC logo and a crown and printed them on ladies panties. Apparently, it was too similar to the actual Kansas City logo and this brought down the wrath of Major League Baseball, which manifested itself in a raid by a division of Homeland Security set up to police intellectual property right infringements. In the past this has sometimes been handled on a local basis by interdictions on the part of local or state police on tee shirt sales at concerts or illegal use of music in bars. However, apparently this is now a national security matter.

You may ask if counterfeit drawers are of such importance that it justifies a diversion of resources such as this. I might ask the same thing. DHS has a division set up to police this type of thing, primarily at the behest of the movie industry. It would have made more sense if the panties were Ebola laden or carried the ISIL logo. Anyway, a word to the wise. If panties can be confiscated, it is apparent that software or hardware and bio-medical equipment or compounds, whether carrying a trademark or not, could become subject to this treatment. That's when technology and law intersect and you don't want to be in that collision.

Interfaces ("APIs") Are Subject To Copyright. No, They're Not! Are Too! Courts Continue To Muddy Up The Water.

There are a mere 37 pieces of computer code that are the subject of this face off between the tech titans, Oracle and Google.  We have followed this case since its inception and you can review the history here, here and here.

In the latest installment, Oracle appealed a lower court ruling that held that application programming interfaces ("APIs") were not subject to copyright. We thought that the issue might be settled. Not so fast, my friend. A three judge panel in the Federal Court of Appeals for the Northern District of California has reversed and held that such APIs are indeed subject to copyright protection and the only question is whether Google's use is allowed under the "fair use" exception. The panel remanded the case to the lower court for a determination of the possibility of such fair use.

After reading the very detailed opinion, the main facts to be gleaned are that there were 7,000 lines of code involved, there were 37 different interfaces and the opinion is 69 pages in length. There is much good discussion regarding the application of copyright law to interfaces and the fair use doctrine. You should read it. The law the court cites is extensive but some quibble with the application of such law. Given past performance, the odds are even that the result will change on appeal.

Bitcoin, Everybody's Favorite Cryptocurrency, Comes To A Bar Near You (Actually Near Us).

 We have flogged the Bitcoin phenomenon in this blog time and again (see here, here and here).  So when we learned that a bar (HandleBar) in the neighborhood of our office was installing the first ATM in the United States that handled Bitcoins, we were compelled to take a field trip to observe.  The ATM was turned on yesterday (Feb. 20 at 2 pm) so at 2:30 we took advantage of an 80 degree Austin afternoon to walk the short distance to HandleBar to see this miracle for ourselves.

When we arrived we found camera crews, onlookers like ourselves, Bitcoin disciples and a queue of people seeking to use the technological wonder provided by Robocoin. One of the Bitcoin disciples said that if I would open an account he would give me a part of a Bitcoin. I downloaded the Android app Coinbase and he transferred 0.001 Bitcoin to me (approx. $0.64 based on yesterday's market). I'm counting on a big upswing on this for my retirement.

While this all was interesting, we found we could not use Bitcoins directly to buy beer at HandleBar. We would have to have used the ATM to convert to dollars and then bought libations. However, we could transfer money to Beirut almost instantly without fee or restrictions. This failed to impress the smoking hot lady drinking and working in her Daytimer at the upstairs bar or maybe it was just me.

The ATM was located in the back of the bar in a dimly lit alcove.  The shape of the ATM and the activity of the people surrounding it was eerily reminiscent of the first monolith and ape scene (see above) in the movie 2001.  Maybe this is our guidepost to the next evolutionary step in money.  They are going to have to fix that beer purchase thing though.

Our Little Blog on LexBlog Gets Cited On LexBlog. How Meta Is That?

Following The "Silk Road". Where Exactly Was That Supposed To Go?

Originally, the Silk Road was a series of routes over which commerce traveled in Asia beginning over 2,000 years ago.  Silk, gold, technology, religion and diseases (e.g. bubonic plague) were carried and exchanged over the Silk Road.

Fast forward to the present day and the Silk Road was, until recently, a website accessible only in the deep web and only by TOR (The Onion Router), a network and browser designed to preserve your anonymity on the web.  Silk Road was the brainchild of fellow Austinite and former neighbor Ross Ulbricht.  Ross was a 2002 graduate of West Lake High, a school that I pass every day coming to work.  His Facebook page is still up and he seems like a pretty cool guy.  We even have a mutual Facebook friend.

However, when I visited Silk Road before the feds closed it in September and arrested Ross on Oct. 2nd of this year, I found that you could purchase most any kind of drug I had ever heard of and many that I hadn't.  Since I have a background in Pharmacy, that's a wide range of stuff.  Cocaine, Ecstasy, black tar heroin and 'shrooms were in abundance.  Apparently, you could also arrange for murder by hire and Ross is accused of that in regard to one of his clients on Silk Road supposedly threatening to expose everybody unless certain conditions were met.

The medium of exchange on Silk Road was Bitcoin, our favorite virtual currency.  When Ross was arrested, the FBI seized over $3,000,000 in Bitcoins belonging to Silk Road customers.  They were also trying to get an estimated 600,000 Bitcoins from Ross' personal Bitcoin wallet.  That's about five percent of all the Bitcoins presently in existence.

All in all, a very sordid story, including the allegation that Ross went by the pseudonym of the "Dread Pirate Roberts", which comes from my favorite movie "The Princess Bride".

So how does a 20-something, suburban, white bread guy go from wake boarding on Lake Austin to being one of the biggest drug dealers (or at least the facilitator) in the world?

Apparently Ross is brilliant (degree in physics at the Univ. of Texas, graduate work at Penn State), a libertarian fan of Ron Paul and idealistic and naive. On his Facebook page he wrote an essay on "Thoughts On Freedom". On his LinkedIn page, he described an idealized version of Silk Road, when he wrote: "Now, my goals have shifted. I want to use economic theory as a means to abolish the use of coercion and aggression amongst mankind. Just as slavery has been abolished most everywhere, I believe violence, coercion and all forms of force by one person over another can come to an end. The most widespread and systemic use of force is amongst institutions and governments, so this is my current point of effort. The best way to change a government is to change the minds of the governed, however. To that end, I am creating an economic simulation to give people a first-hand experience of what it would be like to live in a world without the systemic use of force."

He apparently viewed Silk Road as beneficial because it was a place where people could obtain illegal drugs without the concomitant hazard of having to deal directly with a drug dealer.  Regardless of your view on drugs and their use, it would seem to be preferable if people didn't have to risk their life to obtain them.

In the end, despite his brilliance and perhaps because of his naivete, he got sloppy and used his real name and address in obtaining fake passports and made other mistakes that enabled his arrest. This could have been a family member of any of us (assuming any of us has anybody that smart in our gene pool) and we would have been simultaneously amazed at his drive, ambition and success and aghast at what he has wrought.

The Blog Gods Give Us The Winklevoss Twins Again.

We have devoted an inordinate amount of time and blog space to the exploits of the Winklevoss twins.  I won't take the time to do internal links to our posts but just type in Winklevoss in the search function on the side if you are interested.  However, when our creative (cue air quotes) juices run a little viscous, we can always do a Winklevoss post and for that, we thank the blog gods.

As you will recall, they are the guys that were unsuccessful in taking over Facebook, unsuccessful in suing their own lawyers when they failed and unsuccessful in overturning their unfavorable ruling in the Facebook lawsuits, even after several attempts.

Now they have been scooped again, in that someone else has beaten them to the market with a Bitcoin investment vehicle. They had made a filing to sell interests in a trust but because of the nature of their proposed investors, it has been slower going. Hence, late to market. However, in light of the Silk Road debacle (more to come on that soon) and its effect on Bitcoins, maybe that's not a bad thing for them.

So, in spite of the fact that they are excessively attractive, smart, educated, athletic, white, privileged and pampered, they have not reached their full potential.  Here's hoping they keep trying for the sake of the blog gods and us.

Hey, Bro! Can You Spare A Bitcoin? Digital Currency For The Homeless And Unemployed.

We have discussed bitcoins several times before, see here and here, for example. We exulted in the fact that the Winklevoss twins of Facebook fame are starting a bitcoin investment vehicle. We also talked about how the regulators were taking a bigger interest in how bitcoins were used or abused.

Now a Wired article shows how the unemployed and homeless are using sites such as Bitcoin Get, Bitcoin Tapper and Coinbase to get paid bitcoins for watching videos and tapping an icon, each a technique for driving traffic on the internet. The Wired article then quotes some of the homeless as preferring bitcoins because they are much harder to steal (at least from them) and they can convert them to money or prepaid cards using their computers or smart phones. Now, I can hear conservative heads exploding all over at the thought of homeless, unemployed people with computers and smart phones, particularly if they are getting food stamps or other assistance. Be that as it may, engaging in this activity provides them some small bit of assistance to help feed them. That can't be all that evil.

Some day, you may be approached (or approach somebody) on the street and asked for a handout.  They then offer the internet address for their bitcoin wallet and you send them some from your smartphone.  Panhandling in the digital age.

Court Holds That Non-Present Texter Could Be Liable Along with Textee In An Automobile Accident.

In another case that involves a collision (in this instance a most unfortunate pun) between technology and law, a New Jersey court has held that a person sending a text to a driver, with sufficient knowledge that the driver would observe the text while driving, might be held liable for the driver's negligence when the driver does observe the text and because of the distraction, has a collision.

Oh my! Consider this possibility. You are ensconced in your office in San Francisco. You are engaged in negotiations with a business rival in New Jersey. Your New Jersey rival is in transit between Newark and Atlantic City and you know this because you had a telephone call with her earlier and she indicated that she would be driving but would appreciate a text if you had any further information or a change in your offer. You update your offer and text it to her when you know she is in transit. She has an automobile accident and either because of your crappy offer or her injuries, the deal does not go further. A month or so later, you receive a demand letter or a complaint and summons from the lawyer of the other participants in the wreck, alleging that your sending of the text makes you liable for his client's injuries. You say WTF?

Far-fetched, you say. Yes. Impossible? No, consider the decision recently in Kubert v. Best. There, the court held: "The sender of a text message from a remote location can be liable under the common law if an accident is caused because the driver was distracted by the texting, but only if the sender knew or had special reason to know that the recipient would view the text while driving and thus be distracted."

In this case, Mr. Best was texting with Shannon and had been doing so off and on for most of the day.  During his texting, he crossed the center line and hit Mr. and Mrs. Kubert on their motorcycle and caused each of them to lose their left leg.  Very dreadful!  The Kuberts included Shannon in their complaint.  The court found that in this case Shannon was not liable because the plaintiffs had not proven that Shannon knew that Kyle (Mr. Best) would view the text while driving and consequently be distracted.  So, not liable in this case but the court held that if such knowledge and distraction had been proven, the court could have held Shannon liable for the Kuberts' injuries.

This raises several questions that are not answered in the opinion, e.g. (1) Does there have to be a special relationship between the texters? Would liability be more likely if they were romantically involved or does the business relationship described above suffice?; (2) Would the fact that the text came from a state that did not prohibit texting while driving have any impact? Would it even matter if the state in which the accident occurred did not prohibit texting while driving?; (3) Would the automobile liability insurance of the non-present texter cover her negligence as if she had been present?; (4) What if the non-present texter is not an adult?; (5) In states where parents are responsible for a minor's negligence if they sign to allow them to get a driver's license, would the parents be responsible for the texter's remote negligence?; (6) Could this be applied to other distractions like cell phone calls, the waving of signs on the side of the road for advertisement or in protest or the flashing of parts of the body? Should cheerleader car washes worry? and (7) Have I given way too much thought to this?

Plaintiffs' attorneys will now begin to check the defendant's cell phone and sue anybody that texted or messaged in close proximity to the time of the accident. Maybe there should be an app for that.


 

A Copyright Claim Is Only As Good As Its Weakest (Hyper)Link.

It has long been assumed by the legal literati that the mere sending of a link in an e-mail or the embedding of a link in a blog post, which link directed the user to a copyrighted work of someone other than the linker, did not constitute direct infringement of the copyrighted work.  However, there was very little actual case law on the subject.  Last month, the federal district court for the Southern District of New York stated unequivocally that: "As a matter of law, sending an email containing a hyperlink to a site facilitating the sale of a copyrighted work does not itself constitute copyright infringement."

In Pearson Education, Inc. et al v. Ishayev and Leykina, the plaintiffs were publishing companies that sold educational material and manuals for which the plaintiffs owned the copyright. Apparently, one of the defendants uploaded such material to a cloud server controlled by the defendants. Both defendants would then advertise the sale of the material. When someone bought the material, the defendants would either e-mail the purchaser a zip file with the material in it or would e-mail the purchaser a hyperlink to the file on the server, which would allow the purchaser to download the file.

The defendants filed a motion for summary judgment on several of the counts, including the allegation that the act of sending a link to a copyrighted work that allowed the receiver to illegally access the material constituted infringement.

Although most of the other stuff that the defendants did obviously was an infringement (e.g. sending the works in a zip file), the court held that merely sending a hyperlink did not amount to infringement. 

The court likened a hyperlink to the "...digital equivalent of giving the recipient driving directions to another website on the Internet. A hyperlink does not itself contain any substantive content; in that important sense, a hyperlink differs from a zip file. Because hyperlinks do not themselves contain the copyrighted or protected derivative works, forwarding them does not infringe on any of a copyright owner's five exclusive rights..."

However, the court said that the result could be different if, in addition to sending the hyperlink, the defendant had actually uploaded the copyrighted material to the cloud server himself.  Since the court found that there was no evidence that would allow a jury to find that one of the defendants had uploaded the material, the court granted summary judgment to that defendant on that limited issue.

Whew! So, every one of my blog posts is safe to that extent. We won't discuss issues relating to some of the pictures.

Insurance Company Gets Sloppy and Unlucky and a $1.2 Million HIPAA Penalty.

As is often the case, health care regulations and tech law overlap. 

Consider the unfortunate case of Affinity Health Plan, Inc., a not for profit managed care plan company in New York.  Affinity leased some copiers.  When the lease ran out on the copiers, Affinity let the copiers go back to the lessor.  The lessor stored the copiers in a warehouse in New Jersey.  As you may or may not know, digital copiers have a hard drive, much like the one in your laptop.  The copier makes a copy (hence the name) on its hard drive of each document run through the copier.  These copies on the hard drive remain until overwritten by other copies or until erased.  Most copiers don't have a readily available function that wipes the drive.

Now, Affinity either didn't know (probably) or didn't care about the copies on the hard drive and didn't take any action to delete them before turning the copiers back to the lessor. So, Affinity was either sloppy, negligent or uninformed; it doesn't really matter. What they also were was really unlucky.

Consider this further: there is a company called Digital Copier Security that is owned by a Mr. Juntunen. Digital Copier Security markets a product to erase information from copier hard drives. Mr. Juntunen of Sacramento and CBS News of New York somehow got together and decided to do a story on information left on copiers. You can make your own assumptions as to how they got together and who profits from the arrangement. Mr. Juntunen and CBS News went to a warehouse in New Jersey and purchased four copiers picked out by Mr. Juntunen. Affinity's copier was one of the copiers selected. When Mr. Juntunen removed the hard drive from the Affinity copier and printed out the images left there, several hundred pages of medical records were revealed. CBS News notified Affinity about this and returned the hard drives to Affinity.

If this copier hadn't been chosen, it is unlikely that anyone would ever have known about this and probably no records would have been revealed to anyone.  However, saddled with this unfortunate and unwelcome information, Affinity was required, under HIPAA/HITECH regulations, to file a breach report.  Affinity's breach report estimated that almost 350,000 people may have been affected by this breach.  A couple of weeks ago, Affinity settled with Health and Human Services.  The settlement required Affinity to pay a fine of $1,215,780, use best efforts to recover the hard drives from all other copiers they had similarly leased and discarded and to take certain other measures to safeguard all electronic protected health information.

To be fair, the other three copiers purchased by CBS all had sensitive information on them.  One was from the Buffalo, N.Y. Police Sex Crimes Division and it had detailed information on domestic violence complaints and a list of wanted sex offenders.  Another machine from the Buffalo Police Department had a list of targets in a major drug raid.  The other machine was from a construction company and had a number of pay records along with social security numbers.

However, Affinity was the only one that was regulated by HIPAA.  Most unfortunate.

Thus, lessons learned: Things that have digital storage devices, e.g. computers, copiers, fax machines, cameras, smart phones, etc. should be covered in a comprehensive policy that requires their storage to be scrubbed before disposal.  You do not want to be unlucky too.

Zappos Gets Zapped. Browsewrap Agreements Are Collateral Damage.

You know Zappos.  That's where you ordered those 5 inch stiletto clear heeled stripper shoes.  And some of you women bought from there too.  Zappos is a part of Amazon and a year or so ago, Zappos suffered a really bad security breach.  Exposed something like 24 million customers' information.  Well, as almost always happens when something like this occurs, our legal comrades descended in droves and many lawsuits ensued (I guess that's a pun).  These were consolidated in a court in Nevada and procedural motions were filed. 

Zappos claimed that class actions were not justified because Zappos' terms of use agreement specified that all claims by customers had to be settled by arbitration.  The result would have been that each individual customer would be required to have his or her claim settled by a separate arbitration and presumably actually appear at the arbitration rather than be represented in a class.  So, instead of one lawsuit with 24 million plaintiffs in a class, it would have required 24 million individual arbitrations with one claimant in each.  This would have been good for the tourism industry in Nevada but not good for the individual claimants (or their class representing attorneys).

Zappos' terms of use agreement stated that by using the web site, the users consented to the terms of the user agreement, which contained the aforementioned arbitration requirement.  While a link to the terms of use was included on each page, it was in the same font and same color as the rest of the page and nothing compelled the user to look at the terms of use nor take any action that indicated assent to the terms of use.  In addition, Zappos reserved the right to amend the terms of use at any time.

Zappos' terms of use agreement has been referred to as a "browse wrap" agreement or a "click through" agreement. We discussed the differences between a "clickwrap" agreement (which requires some evidence of assent, such as clicking a box) and a browse wrap agreement in a prior post. We indicated that some courts have upheld these agreements and that the trend might be toward their acceptability but this court says "Not so fast". The Nevada court held that a requirement to arbitrate is strictly a contractual matter and therefore, to compel the plaintiffs to arbitrate would require a binding agreement between Zappos and the plaintiff. The court failed to find such a creature in this situation. They found: "...we cannot conclude that Plaintiffs ever viewed, let alone manifested assent to, the Terms of Use. The Terms of Use is inconspicuous, buried in the middle to bottom of every Zappos.com webpage among many other links, and the website never directs a user to the Terms of Use. No reasonable user would have reason to click on the Terms of Use...". The court also found that because Zappos reserved the right to unilaterally change the Terms of Use, the contract Zappos sought to enforce was "illusory" and therefore unenforceable.

It is possible that if the issue was not the requirement for 24 million folks to arbitrate in Nevada and something less impactful, like whether you could return your stripper heels, the result might have been different.  However, the fact remains that this case makes the enforcement of such browse wrap agreements tenuous and therefore, we should all review our policy regarding how we get people to agree to our terms of use.  It could become very important.

Sh*t Just Got Real! Bitcoin Collides With The Non-Virtual World, Because Regulation and the Winklevoss Twins!

We have discussed the virtual currency Bitcoin on these pages before.  Also, we have mentioned the blog content gift of the Winklevoss twins (of Facebook fame) several times before.  Now, these favorite things combine to provide more blog content.

While existing completely in the virtual realm, Bitcoin is being treated very much like good old U.S. pesos, in that it is subject to regulatory bodies and to prohibitions against using it to scam folks. The New York State Department of Financial Services has subpoenaed everybody in sight (22 companies, including the Winklevosses) to get an idea of what's going on in Bitcoin land. A GAO report has suggested that virtual currencies are subject to the income tax laws, just in case you thought you could escape Uncle Sam in the virtual world. The SEC has filed suit against a Bitcoin dealer and a Bitcoin "Savings and Trust" company alleging that Bitcoins are real money and the defendants are using them to finance a Ponzi scheme. And Thailand has declared Bitcoins to be unusable in Thailand until the Thai officials can figure out what to do with them.

Then, last but not least, the Winklevosses that we have talked about here, here and here have filed an application with securities regulators to allow them to market an exchange traded fund that invests exclusively in Bitcoins.  What could possibly go wrong?  Some people have taken a dim view of this, while others say, wait before judging.

In any event, Bitcoins are attracting a lot of attention both from regulators and from people seeking to use them in many creative ways, some of those nefarious.  Don't dispose of your Confederate money yet.  You may be able to use it to purchase bitcoins.

Massachusetts Imposes Sales and Use Tax On Computer and Software Services. Check Your Agreements With Your Massachusetts Customers.

Recently, Massachusetts amended its sales and use tax laws to include a tax on services relating to computer and software services.  In an act entitled "An Act Relative to Transportation Finance" (you might understand why it could be missed if all you were looking at was the title), effective July 31, 2013, a 6.25% sales and use tax is imposed on "computer system design services and the modification, integration, enhancement, installation or configuration of standardized software".

Computer system design services is defined as "the planning, consulting or designing of computer systems that integrate computer hardware, software or communication technologies and are provided by a vendor or a third party" and the tax is imposed on any company "sourcing" such services in Massachusetts. There is a hierarchical set of rules for determining where the sourcing occurs for tax purposes so some opportunity exists for reducing the tax by planning where the actual services take place. There remain several undefined areas such as where the services would take place in a hosting environment, cloud computing or whether it applies to such services as staff augmentation.

However, it is plain that the tax applies to taxable services supplied under contracts that are in existence before the act became effective as long as the services are performed and billed for after July 31, 2013.

Therefore, if you have such contracts for the delivery of such services to an entity with a connection to Massachusetts, you should review your agreements and see if you need to begin collecting and remitting this tax.  Also, you should have your agreements reviewed to see if the tax impact can be reduced by thoughtful construction.

If You Use Bitcoin To Buy the "War Games" Home Computer, You Will Be Cool and From the Future.

Bear with me a little here.  All of this will supposedly come together.

First, when War Games came out in the 80s, a lot of us nerds coveted the home computer set up that Matthew Broderick used to almost start thermonuclear war but which was really only good for playing tic tac toe. Much like the computers we now use at work for solitaire and Facebook. If you want to, you can now purchase the actual computer used in that movie. The guy that helped design it for the movie still owns it and is considering auctioning it. The asking price is expected to be somewhere north of $25,000. If you purchase it, that will make you the coolest dork on the block.

However, if you want to really be cool and cutting edge, you could purchase the War Games stuff with Bitcoin, which has been called the currency of the future or a hacker's wet dream. What is bitcoin, you ask? That's a very good question.

Bitcoins are the world's most current currency. This currency sprang from an open source cryptography released in 2008 by an anonymous source. The source is presumed by some to be a developer named Satoshi Nakamoto but this could be a pseudonym. Bitcoins are digital currency and have the backing of no government or assets. Because of the algorithm that created bitcoin, there can never be more than 21 million bitcoins issued (unless someone changes the code, but when has that ever happened?).

Bitcoins can be used to buy services if the provider will accept them.  You can also purchase bitcoins with standard money.  The value of a bitcoin can fluctuate fairly dramatically and no entity regulates its trading.  The value of a bitcoin as this is being typed is $93.88 USD according to Mt. Gox, a website that trades bitcoins.  The only other way to get bitcoins is to "mine" them.  This method is beyond the scope of this post (and frankly, beyond the capacity of the author to understand) but is principally carried on by people with high end computers that devote a great deal of their time and effort to the mining and essentially make it impossible for mere humans to actively participate in this.

You can buy a lot of stuff with bitcoins on the internet but you can't use it to buy a beer at most of your local bars.  There is a lot of suspicion that bitcoins are being used to purchase illegal items at sites like Atlantis and Silk Road (not that I know anything about that).  There is also a fair amount of money laundering that goes on with bitcoins.  The DEA just seized bitcoins for the first time and the State of California is investigating whether the Bitcoin Foundation is a financial institution within the definition of California laws.  Apparently, bitcoins are getting prominent enough to start attracting the attention of regulators and law enforcement.

So, if you wanted to purchase the War Games computer set up and your winning bid at the auction was $30,000, you would need approximately 320 bitcoins to complete the transaction.  Actually, I would really like to see that happen.  If one of you can pull this off, please let me know.

Updates and Breaking News on Gene Patents, PHI in the Cloud, Class Actions on ClickWraps and SEC Disclosures On Cybersecurity.

Some recent developments in the great, wide world of technology include:

(i)  The Supremes, in a unanimous decision (what?), ruled that naturally occurring genes could not be the subject of patent protection.  However, if you can create a gene artificially, you might still qualify.  Therefore, the creative force described in the Hebrew bible missed his or her chance when, on the sixth day, he or she created all those man genes.  Further, the one year bar and the first to file things have cluttered up the claim.  Also, since man was supposedly created in the image of the creator, there's that pesky prior art issue.  See Assn. for Molecular Pathology v. Myriad Genetics, Inc.

(ii)  The recently released rules under HIPAA provide that entities that store protected health information ("PHI") for a covered entity are business associates even if the storage provider does not routinely access the information.  [See 45 CFR Parts 160 and 164 IV(3)]  On the other hand, data transmission organizations (such as the U.S. Postal Service or internet service providers) that serve as mere conduits are not business associates even if they do access the information occasionally in order to provide the service.  So, cloud providers of storage of PHI must sign a business associate agreement.  It is not clear how long one must hold on to a piece of information to be a storer as opposed to a transferor, or whether encrypting the information in storage without the key would serve to exclude the storage provider from the definition of a business associate.

(iii)  In a recent decision by the Seventh Circuit in Harris v. comScore, Inc., the court allowed the certification of a class to stand.  The class was composed of entities that had downloaded comScore's software that gathered information on the user's activities and sent the information back to comScore's servers.  One of the basic allegations of the plaintiff class was that comScore's clickwrap license was ineffective.  We have discussed this before in this post.  The court did not make factual findings as to any issues, as this is only a class certification hearing, and comScore may have legitimate individual defenses to many of the allegations.  However, comScore will have to deal with this in the context of a class action.

(iv)  The Securities and Exchange Commission has regulations in place regarding a publicly traded company's obligation to disclose its controls for cybersecurity and is now considering increasing the stringency of those rules.  A recent study by Willis Fortune 500 finds that a substantial percentage of reporting companies fail (in Willis' opinion) to adequately disclose their exposure to cybersecurity issues and the impact on the company if an event occurs.  Look for this to increase in importance as the supposed cybersecurity wars increase in intensity.

UPDATE: Circuit Court of Appeals Reverses Decision That Use of Rutgers Quarterback's Likeness Was "Transformative". Mr. Hart Is Back "In The Game".

We noted back in October of 2011 that a District Court in New Jersey had granted EA Sports' motion for summary judgment in a suit brought by Ryan Hart, a former quarterback at Rutgers.  EA Sports had argued in its motion that even though the video game used Mr. Hart's likeness, including his height, weight, home town and commonly worn visor and arm bands, the mechanism of the video game allowed users to change these and as such the use was "transformative".  If a use is found to be transformative, usually the courts will find that the user's First Amendment rights prevail over the subject's privacy rights.  The District Court so found in this case and granted defendant's motion.  An appeal ensued.

The Circuit Court of Appeals reversed.  In a 2 to 1 decision, the Circuit Court rejected the idea that the ability to change the player's characteristics by the user rose to the level of transformative use.  In fact, the appellate court held that the presence of interactivity, the ability to change the characteristics of the subject (the court noted that the player's unaltered image was the default image) and the presence of other creative elements did not tip the "balance" in favor of the First Amendment.

Thus, the granting of the motion for summary judgment was reversed and remanded for further hearings.  Mr. Hart is back "In The Game".

It's also nice to finally see someone from Rutgers win something.

eFax Scam - Look For This In Your Inbox.

From time to time we try to alert you to scams.  This morning I received an e-mail that looked like this:

Fax Message [Caller-ID: 310-293-1860]

You have received a 2 pages fax at 2013-05-17 10:09:12 .

* The reference number for this fax is min1_did71-9694455268-1026725108-89.

View this fax using your PDF reader.

Click here to view this message

Please visit www.eFax.com/en/efax/twa/page/help if you have any questions regarding this message or your service.

Thank you for using the eFax service!

Home Contact Login

Powered by j2

2013 j2 Global Communications, Inc. All rights reserved.
eFax is a registered trademark of j2 Global Communications, Inc.

This account is subject to the terms listed in the eFax Customer Agreement.

This is a phishing expedition.  See here and here.  Since we use an online faxing service here at the firm, and this looks really real, I was ready to click on the link.  In addition, eFax is a legitimate faxing service.  Thankfully, our friends at McAfee warned me off of this.  Apparently, going to the link would load malware or a virus on your system.  Be careful.

Court Becomes "Particular" About First Sale Doctrine and Therefore You Can Never Resell Your Digital Music.

I'm an old guy.  One of the first musical purchases I ever made was a 45 rpm (that's revolutions per minute for those of you that have never seen a phonograph) recording of Bobby Vee's "The Night Has A Thousand Eyes".  If I still had that physical record, I could sell it to you without fear of violating anyone's copyright because of a little something called the "first sale" doctrine.  We have mentioned that several times in this blog (see here, here and here).  The first sale doctrine says that after the first sale of a copyrighted work, the copyright holder loses its right to restrict further sales.  This is the reason that stores that sell used books, records, CDs, DVDs, etc. can exist.

Now, if I could find that particular song on iTunes, I could buy it, download it to my computer or MP3 player and listen to it all I want.  If I tired of that, I could use the services of a company called ReDigi.  In doing that, I would download an application called Media Manager and then use that to upload the digital file of the recording to ReDigi's remote server in Arizona, which they call the "Cloud Locker".  Media Manager then prowls the hard drive of my computer and connected devices to determine if I have retained a copy.  If it detects one, it prompts me to delete it.  When that happens, only one copy of this particular recording exists and it exists only on the Cloud Locker.  I then can either continue to listen to it from the Cloud Locker or I can opt to sell it.  If I opt to sell it, ReDigi makes it impossible for me to continue to listen to it.  So, now I can use ReDigi to sell that particular recording to you.  The exchange is made for credits that you can get by uploading other music.  When it is transferred to you (automatically, without human intervention by ReDigi), you can store it, stream it, sell it or download it to one of your devices to listen to it.

In both instances, the result is the same.  I bought a copy of "The Night Has A Thousand Eyes" legally.  I have transferred it to you.  I no longer have a copy.  I can't sell it again.

Cool, right?  Everybody's happy.  I can buy more music with my credits.  You are in possession of a great piece of nostalgia and I have no more copies to sell to undercut the copyright holder's income stream.  The Southern District of New York says: "Not so fast, my friend".

In a case styled Capitol Records, LLC v. ReDigi Inc., the court held that the first sale doctrine cannot apply to non-physical (i.e. digital) recordings.

The First Sale Doctrine is codified in Section 109(a) of the Copyright Act and states in pertinent part: "...the owner of a particular copy or phonorecord lawfully made under this title, or any person authorized by such owner, is entitled, without the authority of the copyright owner, to sell or otherwise dispose of the possession of that copy or phonorecord."

The Court held that ReDigi had several problems under this provision.  First, it said that ReDigi had violated Capitol's reproduction rights (another right under the Copyright Act), therefore the copy was not "lawfully made under this title".  The Court also said that the Act only protects distribution by "the owner of a particular copy or phonorecord...of that copy or phonorecord" (emphasis added by Court).  So, the transfer of the files requires copying on ReDigi's server, which violates the reproduction rights, and because the sale is not a sale of that particular copy, the first sale doctrine does not provide a defense.  The Court specifically said that the first sale defense is limited to "physical" items.  To comply with this, you would have to sell and transfer your computer or MP3 player with the file on it.

This ruling was part of an opinion resulting from Capitol's Motion For Summary Judgment and other matters still remain to be decided, but the Court left little doubt about where it stood on this issue.

The War Over "App Store" Continues. Amazon Wins One of the Battles.

We have previously written about the contentious nature of the battle among Apple, Amazon, Microsoft and others in regard to the use of the term "App Store".  See here and here.

One of the salvos launched by Apple in its suit against Amazon involved a claim for false advertising.  Amazon moved for summary judgment on this claim and on the first business day of the new year, the United States District Court for the Northern District of California granted Amazon partial summary judgment.

The Court found "...Apple has failed to establish that Amazon made any false statement (express or implied) of fact that actually deceived or had the tendency to deceive a substantial segment of its audience. The mere use of “Appstore” by Amazon to designate a site for viewing and downloading/purchasing apps cannot be construed as a representation that the nature, characteristics, or quality of the Amazon Appstore is the same as that of the Apple APP STORE."

The Court held that "...if an advertisement is not false on its face (i.e., if there is no express or explicit false statement), the plaintiff must produce evidence, usually in the form of market research or consumer surveys, showing exactly what message was conveyed that was sufficient to constitute false advertising."  Apple failed to do so in this case.  Round one to Amazon.

Bill Introduced In Texas Legislature To Prohibit Employer From Asking You About Your Social Media Password.

Having solved all the other problems in Texas, including the problem of gun violence (prayer) and the problem of uninsured citizens (cutting Medicaid) the Texas legislature has turned to the burning issue of employers requiring employees to provide access information to employee's private social media accounts.

House Bill 318 has been introduced to make it an "unfair employment practice" if an employer "...requires or requests that an employee or applicant for employment disclose a user name, password, or other means for accessing a personal account of the employee or applicant, including a personal e-mail account or a social networking website account or profile, through an electronic communication device."

This bill still allows "monitoring" employee usage of employer provided media and also allows employer policies prohibiting use of company provided resources for personal use.  It doesn't provide for a specific remedy or a damages cap and it will likely be amended substantially before it passes, if it passes at all.  This would make Texas one of a handful of states that have jumped on this burning issue.  Crisis averted.

We Are In The Midst Of a Hot Cyberwar, Make No Mistake About It. Iran Fires The Latest Salvo (That We Know Of).

In December of last year, several banks' (Bank of America, Citigroup, Wells Fargo, U.S. Bancorp, PNC, Capital One, Fifth Third Bank, BB&T and HSBC) websites were inundated by DDoS (distributed denial of service) attacks.  DDoS attacks generally do not seek to penetrate the sites or to obtain information or steal anything but try to overwhelm the capacity of the website to respond to the traffic directed toward them.  The attacks in December were launched by an entity that had access to multiple computers, such as in a data center, and exceeded the capabilities usually found in your standard run of the mill hackers.

Today, the New York Times ran an article that lays the attacks at the doorstep of Iran.  An independent hacker group called Izz ad-Din al-Qassam Cyber Fighters has tried to take credit for the attack, saying it was retaliation for the anti-Muslim movie that prompted riots throughout the Muslim world and which was involved in the Benghazi consulate attack.  Izz ad-Din al-Qassam called it Operation Ababil, referring to Allah sending birds to drop bricks on elephants sent by the King of Yemen to Mecca.  However, U.S. officials think it is the work of Iran and is in retaliation for economic sanctions and the release by the U.S. and/or Israel of the Stuxnet, Flame and DuQu malware. 

Whatever it is, the DDoS attacks spewed 70 gigabits per second at the sites and included a new wrinkle involving requests for encryption, which adversely affected the sites' performance.  The attacks used a readily available malware toolkit called itsoknoproblembro.

It is certain that the attacks that we have heard of are only the tip of the malware iceberg and it is probably as certain that these attacks and counterattacks will continue to escalate.  Warriors on the front lines of these wars will be keyboard commandos and may someday sport the malware marksman ribbon on their dress uniforms.  This is war.

FTC Concludes Investigation Into Google's Search Practices, Finds Nothing Much Wrong There. Hey, Google It If You Don't Believe It!

The Federal Trade Commission has been investigating Google's practices in regard to patent licensing, search results and other matters for about two years.  The FTC sought to determine if Google's practices in these regards were anti-competitive.  The FTC ended their investigation the first week of this year and entered into an agreement with Google in exchange for the FTC agreeing not to pursue the matter further.

Part of the analysis by the FTC was an investigation into whether Google manipulated its search algorithms such that websites that competed with Google's "vertical" results (i.e. sponsored Google sites) were moved down in the search results with concomitant damages to the click through rate to such competing sites.  The FTC found that even though "...some of Google’s rivals may have lost sales due to an improvement (sic) in Google’s product...(t)he totality of the evidence indicates that, in the main, Google adopted the design changes that the Commission investigated to improve the quality of its search results, and that any negative impact on actual or potential competitors was incidental to that purpose."  The Commission went on to say "...these changes to Google’s search algorithm could reasonably be viewed as improving the overall quality of Google’s search results because the first search page now presented the user with a greater diversity of websites."

Needless to say, not all were enamored with the FTC's actions.  Microsoft, having been kicked around by the FTC for years, bemoaned the actions as "weak".  Others found it to be totally justified.

Whatever your view, this is a win for Google and clears up their docket to proceed with their pursuit of world domination.  Not that there's anything wrong with that.

UPDATE: Ownership of Company's Twitter Account: Company vs. Employee

Almost a year ago, we mentioned the unusual case of PhoneDog v. Kravitz, where a former employee was sued by his former employer for $340,000, which amounted to $2.50 per Twitter follower that the employee took when he left the company.

We indicated that this was a gray area and developing.  So, how did PhoneDog v. Kravitz enlighten us on the rules for this situation?  Exactly none.  Mashable reports that the parties have settled after months of mediation.  Settlement terms are confidential but apparently Mr. Kravitz retained the Twitter followers and there was no indication of money changing hands.

Where does this leave us?  Back at square one but with some lessons learned.  For example, if ownership and control of Twitter accounts is important to your business, state in the employment contract or the employee manual that such accounts belong to the company.  Eliminate any drama by addressing the issue head on.  #commonsense

Having An Open WiFi Does Not Ipso Facto Make You Liable For Negligent Infringement.

Here's the scenario:  You have an open WiFi (i.e. no password required), someone (maybe you, maybe not) uses that IP address to download a copyrighted work, someone (probably a copyright troll) sends a subpoena to your internet service provider and finds that this happened, and you receive a letter from a copyright troll attorney that says in basic terms:  "You are a horrible person.  A copyright protected work was illegally downloaded using your IP address.  It was entitled something that included "hot", "wet" and a bodily orifice in the title.  You should be ashamed and if you pay me $3,000 now, it will all go away and your wife/girlfriend/scout troop/Sunday school class will never know.  Otherwise, we can sue you for negligence because your WiFi was not protected and we don't even have to prove you did the download."

Maybe this comes as a huge surprise to you, maybe it doesn't.  However, will the negligence claim fly and allow the trolls to tag you with liability even if they can't prove you actually did it?  A couple of courts have said no.  Last week the U.S. District Court for Northern California in a case styled AF Holdings LLC v. John Doe and Josh Hatfield held that the mere inaction of not protecting your WiFi was not negligence because the defendant did not owe a duty to the plaintiff to take an affirmative action to protect the plaintiff's intellectual property.  In addition, the court held that this was still a copyright case and state law of negligence was preempted by the federal copyright statute.  And to further make a point, the court found immunity for the defendant under Section 230 of the Communications Decency Act.

So, it seems to be the trending opinion that you aren't strictly liable for contributory infringement for just leaving your WiFi open.  Seems right to me.

New Top Level Domain Names. Coming Soon To A Browser Near You.

We have discussed before the new ICANN Top Level Domain scheme, whereby the initial regimen of .com, .net, .edu, etc. could be supplemented by any word to which an approved registrar gets the rights.  We joked that we were going to apply for the .law domain.  We came up a little short on our aluminum can drive to get the $185,000 necessary for the application but obviously someone is reading our blog because ICANN released a list of the applications today and six entities have applied for the .law domain name.  If that wasn't enough, there were two applications for .lawyer, two for .legal, one for .esq, one for .attorney and one for .abogado.

A review of the proposed strings probably provides a commentary on contemporary society, but you can make that evaluation.  The following are some of the applications and the number of applicants for such strings:

  1. 13 applications for .app
  2. 1 application for .bible, but none for .koran, although there is 1 for .catholic and 1 for .islam
  3. The applications are as divided as the country with 1 application for .democrat and 1 for .republican
  4. In the organized entity arena, there were 10 applications for .inc, 9 for .llc, 4 for .llp, 4 for .gmbh and 7 for .ltd
  5. There were 6 applications for .tech, 7 for .web and 7 for .cloud
  6. On the family front there were 3 applications for .mom and only 1 for .dad.  That sounds about right.
  7. For all the adults, there was 1 application for .porn (there already is a .xxx domain), 2 for .sex and 1 for .sexy
  8. There was 1 application for .gay and no applications for .straight
  9. There were numerous applications by corporations for the corporate extension, like .canon, .dell, .firestone and .csc
  10. And in the "I've got $185,000 I don't need right now" category, there was 1 application for .wtf and 1 for .unicorn.

There now follows a 60 day comment period and a 7 month window for filing an objection to any application.  Anyone want to oppose .cialis?  You can only do that after 4 hours.

"Best Efforts" Clauses In Contracts. What the Hell Do They Mean?

I have been negotiating contracts for a living for over 38 years.  During all of that time, when my client was asked to use "best efforts", I used my best effort to get that changed to some other standard.  I had always assumed, either because of urban legal legend or stupidity, that "best efforts" was a very high standard, even requiring in some states (New York was featured prominently) that you spend yourself into bankruptcy to achieve the result.

It is amazing what you can find when you actually look something up yourself.  I feel a little like Vizzini in "The Princess Bride" when Inigo tells him, "You keep using that word.  I do not think it means what you think it means."

A recent California case, California Pines Property Owners Ass’n v. Pedotti, Cal. Ct. Appeal Case No. C066315 (May 24, 2012), found that a rancher's obligation to use "best efforts" to keep a reservoir full did not create a fiduciary duty but only required that the rancher “must use the diligence of a reasonable person under comparable circumstances”.

The court went on to say that (i) best efforts are viewed in the context of the particular case; (ii) the best efforts clause must be reconciled with other clauses to the extent possible; (iii) best efforts do not require every conceivable effort, nor does it require the promisor to ignore his own interests, spend himself into bankruptcy or incur substantial losses to perform; and (iv) best efforts does require diligence but within the bounds of reasonableness.  The court noted that these were the standards in California only if the term "best efforts" was not defined.

So, why have I been so pedantic on this subject all my life?  It seems that it only means to use reasonable efforts with some more diligence.  And I say, not so fast, my friend.  A review of several states reveals some disparity in the interpretation.  What amounts to best efforts generally is very subjective and can vary from court to court.  Therefore, to merely rely on the general term "best efforts" (or "reasonable efforts", "practicable efforts", "industry standard efforts" or the like) is to invite the court to rewrite your standards for you and probably not to your liking.  The answer is, when possible, put objective standards in place for the efforts.  The rancher in the California Pines case above could have been required to keep the reservoir above a certain level or in line with some other standard other than best efforts.

Technology contracts often incorporate the "best efforts" standard, as in installing the latest version of software, providing bug fixes for severe problems, etc.  In all of these, if you are the one being asked for best efforts, you would be advised to include objective standards that you can meet, rather than risk being held to some other standard.

Cyberwar Enters The Next Phase. Move Over Stuxnet and DuQu, Here Comes Flame.

We have written on several occasions about the new wave of malware that is probably the product of nation state(s) because of the complexity of the code and the resources required to write and deploy such creations. (See here, here and here).

These nasty creatures go by the name of Stuxnet and DuQu and so now appears their cousin who has the moniker "Flame" because that name appears in its code.

Stuxnet caused the Iranian nuclear centrifuges to spin out of control and self destruct and DuQu extracts information and sends it to an unknown site. 

Flame apparently can eavesdrop on users by recording their e-mail or instant messaging via a screen shot and can snoop on audio using the computer's microphone or via video conferencing programs.  To top it off, it may be able to use near field communications to monitor nearby devices.  Flame does not appear to be destructive but is apparently the most complex system yet to invade the privacy of the unwitting recipients.  To date, it apparently has been deployed mainly in the Middle East with about half of the reports coming from Iran.

It is incredibly complex with a file weight of about 20 times the size of Stuxnet, but in spite of its large file size, it has gone undetected for at least 2 years.

If war is just the continuation of politics by another means, this could be political.

Oracle v. Google. Did Anybody Win?

Avid followers of this blog will clearly remember our discussion of the initial filing of the lawsuit involving the clash of the Larrys (i.e. Ellison [Oracle] and Page [Google]).  For a quick refresher, Oracle claimed that Google infringed on Oracle's Java related intellectual property (which Oracle obtained by buying Sun) by, among other things, violating some patents and copying application program interfaces ("API") in the development of the Android operating system.  There has been some question as to whether APIs are subject to protection by copyright but Oracle claims that the ones in Java are sufficiently complex that they should be protected.  A recent case in Europe has held the other way.

The jury in this case held that Google did violate Oracle's copyrights but could not reach a decision as to whether the use was "fair use", a defense under the copyright act.  Therefore, this is not very conclusive.  The case is divided into three phases and this was the end of the first phase.  The case went directly into the patent phase of the case and the subsequent phase will be the damages phase.  So, a lot of work to do until this is finally decided but it is evident that this will have far reaching effects however it comes out.

Update: Website Operator Still Has "Complete Immunity" Even When They Are "Appalling"

In another of a series of victories for website operators, a Florida appellate court has found that a website operator enjoys (that truly is the right word) "complete immunity" for anything posted on their website. 

You will remember that we reported on a similar case involving PissedOff.com.

The defendants in the instant matter operated a similar enterprise called "The Ripoff Report", which similarly encouraged people to post disparaging remarks about people and businesses.  In this situation, a graduate of an addiction treatment facility alleged that the owner was a felon, the facility was dangerous and they disbursed illegal medications.  The proprietor of the site consistently refused to take down the offending post, and even when the poster was the subject of an injunction which forbade her to leave the complaint on the site and the poster begged the site to take it down, the website operators refused.

In spite of all this, the court found that Section 420 (how appropriate for today, pot joke to follow) of the Communications Decency Act ..."creates a federal immunity to any cause of action that would make service providers liable for information originating with a third-party user of the service."

This is true even though the court thoroughly disapproved of the website's business practices (they offered reputation cleanup services for a large fee, much akin to PissedOff.com).

So, you have to do more than just be "appalling" to remove yourself from the CDA's umbrella of protection.

Update: You Can Now Look At Facebook At Work Without Committing A Crime.

About a year ago, we posted on a case that held that misappropriation of computerized information in violation of a company's computer use policy could be a crime.  The defendant had received stolen confidential information from former coworkers.  The court held that this exceeded the employer's written use policy and as such violated the Computer Fraud and Abuse Act, which criminalizes "exceed(ing) authorized access" and using this to further fraud.

On April 10, 2012, the Ninth Circuit, sitting en banc, reversed, holding that because the pilfering co-workers did have authority to access the information they stole, this did not violate the CFAA.  The Court reasoned that the intention of the legislation was to prohibit hacking and not the kind of day to day activities that most slacker employees engage in (i.e. exceeding their company's policy) by surfing the web.

This doesn't get Mr. Nosal and his friends out of the woods, however, as the government is still able to pursue counts of mail fraud and theft of trade secrets.

Congress Agrees On Acronyms for JOBS and CROWDFUND. Astonishment Is Rampant.

Given the present state of partisan hostilities in Washington these days, it is big news when the Senate and Congress can agree on anything.  However, that is exactly what they did on March 27, when Congress agreed with a Senate amendment to an act that established once and for all, the acronyms JOBS and CROWDFUND.  Oh yeah, they also passed an act to go along with the acronyms, which is the most astonishing of all and which is designed to stimulate the market for initial public offerings ("IPOs") and, inter alia, contains provisions allowing for "crowdsourcing" or "crowdfunding".  President Obama has expressed his support for this bill and is likely to sign it in the near future.

The "JumpStart Our Business Startups" Act, or the JOBS Act, changed in a very significant manner the rules relating to funding for small business startups.  It even changed the definition of a small business to an "emerging growth company" that had less than $1,000,000,000 (yes, that's a billion) of revenue in the last 12 months.  According to some sources, this would have covered more than 91% of the IPOs in 2011.  The JOBS Act eased many of the rules for IPOs and instructed the Securities and Exchange Commission to revise and adopt other rules pertaining to these types of equities, including determining whether it makes sense to allow trading in one cent increments.

The most notable effort in acronyming, however, goes to the drafters in coming up with the "Capital Raising Online While Deterring Fraud and Unethical Non-Disclosure Act of 2012".  Rolls off the tongue, right?  Or you can just call it the "CROWDFUND" Act.  This allows the collection of investments from large numbers of people in small amounts through brokers or registered websites.  It restricts the amount that can be raised to $1,000,000 annually and restricts the amount that can be raised from any one individual to the greater of $2,000 or 5 percent of their net worth or annual income if less than $100,000 or the lesser of 10% or $100,000 if annual income or net worth is greater than $100,000. 

The JOBS Act also exempts most of the crowdfunding activities from state securities act registration requirements but still provides oversight by such state commissions for fraud and misrepresentation.

The Act provides for much registration and restrictions on advertising and generally has most securities lawyers in a state of moderate arousal.  A thorough summary of the act has been done by the firm of Andrews Kurth and can be found here.

Time will tell if this has the desired effect on increasing capital markets for "small" companies.  Some of the provisions may actually encourage the delay of IPOs but it is an ambitious effort if for nothing else than the advancement of acronym art.

Flea Market Landlord Found Liable For Contributory Infringement of Louis Vuitton Trademark.

Eisenhauer Road Flea Market is a large indoor flea market in San Antonio, Texas.  Some of the tenants of booths there sold fake Louis Vuitton products. 

Louis Vuitton notified the owner/landlords of the flea market and asked them to stop renting to people who sold such knock offs.  The landlords said that it was not their responsibility to do Louis Vuitton's work of policing the use of their brands. 

Louis Vuitton sued the landlords alleging that the landlords engaged in contributory infringement.  A jury agreed after the judge gave a jury instruction that a landlord/tenant relationship could lead to contributory infringement. 

The jury returned a verdict for $3.6 million and the court issued a far reaching injunction.  The injunction provided that the defendants were prohibited from (i) engaging in further acts of contributory infringement; (ii) leasing to tenants who the landlords knew, had reason to know or have been presented with credible evidence about their dealing in counterfeit Louis Vuitton items; (iii) manufacturing or dealing in counterfeit Louis Vuitton products; or (iv) engaging in conduct that contributes, directly or indirectly to counterfeiting by a tenant.

In addition, the defendants are required to: (i) periodically inspect the booths for evidence of counterfeiting; (ii) promptly terminate the lease of anyone they find engaging in counterfeiting or if they are presented with credible evidence of such counterfeiting; (iii) include a provision in their leases prohibiting such counterfeiting; (iv) put warning signs at all entrances indicating that counterfeit material cannot be sold on the premises; and (v) allow representatives of the plaintiffs to make periodic inspections for counterfeit material.

We have not yet had the opportunity to review the transcript of the case, but this seems to indicate either a case of a runaway jury or of egregious behavior by the defendants that does not appear in the order. This is a case of first impression in Texas and should give all landlords reason to reassess their situations. 

It is also not a large step to find internet service providers, web designers and operators or others involved, directly or indirectly, in the on-line sale of counterfeit merchandise to be in the same situation.  We had reported on one before but if this decision stands, it is likely that we will see more cases of this sort, at least in the Western District of Texas.

Better To Be Pissed Off Than ... Well, You Know.

PissedConsumer.com is a website that encourages consumers to complain about companies and products.  When a complaint is lodged, PissedConsumer creates subdomains and metatags using the name of the product or company complained about in the name, e.g. productname.com/titleofpostedcomplaint.html.  PissedConsumer then uses a third party to post advertisements on the complaint pages for competitors of the product or company complained about.  Opinion Corp. is the company that owns and manages PissedConsumer.com.  As an additional service, Opinion Corp. offers to help remedy the negative impact of the complaints in a number of ways and for a substantial amount of money.

Ascentive, LLC (software company) and Classic Brands, LLC (mattress manufacturers) were the victims of negative comments on PissedConsumer.com and separately brought suit against Opinion Corp. and some of its officers individually.  Their suits were consolidated for the purpose of this action.

The plaintiffs (Ascentive and Classic Brands) alleged a number of causes of action, including a request for a preliminary injunction to disable the offending pages, counts under the Lanham Act and counts under the Racketeer Influenced and Corrupt Organizations Act ("RICO"). 

The counts under the Lanham Act centered around the plaintiffs' claims that the use of their trademarks in the subdomains and in metatags constituted trademark infringement, unfair competition and false designation of origin.

For the RICO allegations, they alleged that the defendant's "Reputation Management Services", which allow companies (for a large fee) to respond to the reviews and alter the format in which the reviews appear, were tantamount to bribery and extortion prohibited by the RICO Act.

The Court applied the preliminary injunction standard, which requires that such an injunction issue only if the plaintiffs have demonstrated a likelihood of success on the merits.

Applying this standard to the facts, this Court found that there was no likelihood of confusion as any reasonable user would understand that this was a gripe site and not a competing site and that the use of plaintiffs' marks as described did not result in such confusion.  In addition, the defendants pleaded that they were insulated from liability under Section 230 of the Communications Decency Act because they were an "interactive computer service" and therefore not liable for the defamatory comments of their users.  The Court agreed.

Consequently, the Court found that the plaintiffs had not demonstrated a likelihood of success and denied the motion for preliminary injunction even though the Court expressed some uneasiness about the defendant's business practices and ethics, e.g. eliciting (some say creating) complaints, advertising such complaints, engaging in search engine optimization to cause the complaints to appear higher in the search rankings and then charging fees to cure the situation they had created.  "Ethical obligations that exist but cannot be enforced are ghosts that are seen in the law but that are elusive to the grasp."  Lyrical, but little consolation to the plaintiffs.

Defending Your Sensitive Information Against Hacker Attack.

What’s a lawyer’s worst nightmare? Well, we’ve all awoken in a cold sweat at 3 am and wondered if we had missed a deadline, but near the top is the possibility that all our clients’ confidential information and our confidential and privileged communications with them become public. If we left our office doors and file room inadequately secured and someone extracted our paper files and printed them, we would lose our clients’ trust and potential clients would think twice before engaging us.

Now, think what this might mean if a firm represents high profile clients in controversial matters that stir emotions, and the person or persons mucking with the firm’s files is highly motivated, sophisticated, and infamous. However, instead of just paper files, the intruder obtained all the firm’s e-mails and other electronic records. Such is the plight of the law firm of Puckett and Faraj, PC, a multi-office firm specializing in military defense. One of their highest profile clients, Marine Frank Wuterich, was involved in the much publicized incident in Haditha, Iraq in 2005 in which 24 Iraqi civilians were killed. Mr. Wuterich pleaded guilty to dereliction of duty and his worst penalty could be his demotion to the rank of Private without other significant penalty.

In early February, without warning, the hacktivist group that goes by “Anonymous” hacked into Puckett and Faraj’s website, defaced it and left behind a headline that read: “ANONYMOUS HACKS PUCKETT & FARAJ – EXPOSES 3GB OF PRIVATE EMAILS DETAILING SSGT FRANK WUTERICH WHO MURDERED DOZENS OF UNARMED IRAQI CIVILIANS AT HADITHA”. You can see the entirety of the screen grab here. Anonymous also stole a large number of e-mails, trial exhibits and other confidential information that related to Mr. Wuterich but also to a large number of other clients. Anonymous has made the information available on Pirate Bay.  Gawker has reviewed a small part of the information provided and has found embarrassing and sensitive material relating to defendants and persons unaffiliated with Mr. Wuterich, including the identity of some sexual assault victims.

Texas Lawyer asked us to write an article on this subject and we were glad to do so.  The same article was picked up by Law Technology News.  You can see the articles here and here.

Now, regardless of politics, views on the Iraq war or what a person may believe would be adequate justice for Mr. Wuterich, one of the most honored notions of our society is that everybody should be afforded the opportunity for an adequate defense and that attorneys that provide such defenses are performing a useful societal function. To be swept up in a broad brushed approach to retaliating against perceived injustices and perhaps having their reputation, firm and livelihoods decimated, seems to be undue punishment for such deeds. Also, for other people to have embarrassing and sensitive information divulged is perhaps unintended but nonetheless most unfortunate.

 

Anonymity On The Internet. What a Concept!

You will recall that we have discussed a few cases regarding anonymity on the internet.  In one, which involved a potential securities scam, the court removed the anonymity from some people that were involved in the alleged scheme. 

In another, the court allowed the anonymity of some detractors of The Art of Living Foundation to continue for a while.  After publishing the post, we received a call from the attorney for The Art of Living Foundation, who indicated that he thought our post was more even handed than some regarding this subject, but he would like to send us a letter from the president of The Art of Living Foundation explaining their position.  We were amenable to that and a copy of that letter follows.  We reproduce it without comment or endorsement.  When we asked about the progress of the case, the attorney indicated that he felt the judge would rule in a manner that would allow them to obtain the identity of their detractors in the near future.  Any updates from any of the participants would be appreciated.

 

The "Safe Harbor" Provisions of the DMCA Become Safer and More Harbory.

Two recent decisions have provided context for the DMCA's "safe harbor" provisions and have given an expansive reading to such provisions.

In the Ninth Circuit Court of Appeals, the decision in a case called UMG v. Veoh (even though there are dozens of parties) has affirmed a district court's decision that a video sharing site (Veoh) qualified for the safe harbor provisions and therefore was not liable for copyright infringement.  This case was decided on December 20, 2011.

In the Southern District of New York, summary judgment was entered for Photobucket.com and the Kodak Imaging Network against Sheila Wolk, an artist that claimed that Photobucket was liable because several of her works had appeared on Photobucket.  See here for examples found on the day this post was written.  The case is styled Wolk v. Photobucket and was decided on December 21, 2011.

In UMG v. Veoh, Veoh allows people to share video content over the internet.  The service is free and Veoh makes its money through related advertising. 

The Digital Millennium Copyright Act ("DMCA") allows "service providers" "safe harbor protection" if the service provider: (i) does not have actual knowledge that the material on the system is infringing; (ii) is not aware of facts or circumstances from which infringing activities are apparent; (iii) upon obtaining actual knowledge acts expeditiously to remove or disable access to such infringing material; or (iv) does not receive a financial benefit in cases where the service provider has the right and ability to control such activity.

Veoh employed the standard methods of having its customers agree not to upload any infringing material and having the customers give Veoh a license to use and display such material.  When a video is uploaded, the software resident at Veoh's site automatically (i.e. without human intervention) breaks the video into 256-kilobyte chunks that facilitate streaming and converts the video into Flash 7 format.  If the customer is a "Pro" user, the software further converts the files to Flash 8 and MPEG-4 formats.  The software also extracts metadata to aid in the search function for the videos.  No Veoh employees review videos before they are posted.

However, Veoh uses “hash filtering” software. When Veoh is aware of an infringing video and disables access to it, the hash filtering software automatically disables access to any identical video and prohibits any subsequently submitted duplicates. Veoh also used another filtering system that compares audio on a video to a database of copyrighted content and if it finds a match, the video never becomes available for viewing. After obtaining this software, Veoh applied it to their catalog of previously uploaded videos and as a result, removed more than 60,000 videos, including some that supposedly infringed on UMG’s copyrights. Despite the precautions, UMG and Veoh agree that some UMG copyrighted material is on Veoh’s site. The parties also agree that UMG never gave Veoh notice of any infringing material before UMG filed this suit.

Veoh asserted as an affirmative defense that it was entitled to protection under the safe harbor provisions of the DMCA. UMG alleged that Veoh was not entitled to such safe harbor because its activities were not “infringement of copyright by reason of the storage [of material] at the direction of a user”, that Veoh had actual knowledge of infringing acts or was “aware of facts or circumstances from which infringing activity [wa]s apparent” and that Veoh “receive[d] a financial benefit directly attributable to …infringing activity” that it had the right and ability to control.

The court disagreed with UMG on all three issues.

UMG had asserted that the language required that the infringing conduct be limited to storage and that Veoh’s facilitation of access to the material went beyond “storage”. The court said the statutory language was “by reason of storage” and that the language was clearly designed to cover more than “mere electronic storage lockers”. The court reasoned that if Congress had intended the safe harbor to extend only to web hosts, it would not have included the language “by reason of storage”.

The court followed a line of other cases that said that just because a defendant had been notified of some infringing activities did not mean that it was on notice of other infringing activities. It was undisputed that Veoh removed all material for which it was put on notice and that it could identify from such notices, even though UMG had not provided any such notices.

The court further stated that the “right and ability to control” requires control over specific infringing activity that the provider knows about. “A service provider’s general right and ability to remove materials from its services is, alone, insufficient. Of course, a service provider cannot willfully bury its head in the sand to avoid obtaining such specific knowledge.” The court found that Veoh had not acted in such manner.

In the Wolk v. Photobucket case, Ms. Wolk is an artist that depends on her paintings and sculptures as her sole source of income. She alleges that Photobucket facilitates the infringing of her copyrights and is not entitled to the protections of the safe harbor.

In its analysis, the court found that Photobucket met the definition of a service provider because the court believed that the definition of service provider includes a “broad set of Internet activities”. Photobucket also had a policy that allowed copyright holders to submit a takedown notice, had made that policy available on its website and had acted to remove infringing material when given notice. It also found that Photobucket met the other requirements for safe harbor and dismissed Ms. Wolk’s pro se complaint.

Both of these cases allowed immunity from activities that go substantially beyond the mere storage of materials. Decisions of this type, which most likely accurately apply the legislative intent of the DMCA, would probably come down differently under the recently proposed SOPA legislation.

This will not be the last we’ve heard of these issues.
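
The hash filtering described in the UMG v. Veoh discussion above, sketched as an added example (this is not Veoh's software and not part of the original post). The use of SHA-256, the class and method names, and the sample bytes are assumptions; the post does not say which hash Veoh used.

```python
import hashlib
import io

# Read size for hashing. 256 KB is the streaming chunk size the post mentions;
# reusing it as the read size here is an assumption made for illustration.
CHUNK = 256 * 1024


def digest(stream):
    """Return the SHA-256 hex digest of a file-like object, read chunk by chunk."""
    h = hashlib.sha256()
    for block in iter(lambda: stream.read(CHUNK), b""):
        h.update(block)
    return h.hexdigest()


class HashFilter:
    """Hypothetical takedown filter keyed on exact content hashes."""

    def __init__(self):
        self.catalog = {}     # video_id -> {"sha256": str, "enabled": bool}
        self.blocked = set()  # digests of files that were taken down

    def upload(self, video_id, stream):
        """Accept an upload unless its digest is already on the blocklist."""
        d = digest(stream)
        if d in self.blocked:
            return False
        self.catalog[video_id] = {"sha256": d, "enabled": True}
        return True

    def takedown(self, video_id):
        """Disable one video, every identical copy in the catalog, and
        block future uploads of the same bytes. Returns the disabled ids."""
        d = self.catalog[video_id]["sha256"]
        self.blocked.add(d)
        disabled = []
        for vid, entry in self.catalog.items():
            if entry["sha256"] == d and entry["enabled"]:
                entry["enabled"] = False
                disabled.append(vid)
        return sorted(disabled)


def demo():
    # Constructed sample data, not real video content.
    original = b"\x00constructed-video-bytes" * 50000  # about 1.2 MB
    reencoded = original + b"\x01"                     # same content, different bytes

    f = HashFilter()
    f.upload("a1", io.BytesIO(original))
    f.upload("b2", io.BytesIO(original))               # identical copy, other uploader
    f.upload("c3", io.BytesIO(b"unrelated clip"))

    disabled = f.takedown("a1")                        # sweeps the existing catalog
    return {
        "disabled": disabled,
        "duplicate_accepted": f.upload("d4", io.BytesIO(original)),
        "variant_accepted": f.upload("e5", io.BytesIO(reencoded)),
        "unrelated_enabled": f.catalog["c3"]["enabled"],
    }


if __name__ == "__main__":
    print(demo())
```

An exact hash only matches byte-identical files, which is why the post notes that Veoh also ran a second filter that compares a video's audio against a database of copyrighted content.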
 

 

Who Owns Your Social Media Account? You Or Your Employer?

Here's the situation:  You establish a Twitter, Facebook, LinkedIn, etc. account while you are employed and use the account to tweet, post, blog, etc. about your employer.  Then your employer falls out of love with you and you are no longer employed.  Who owns your followers on Twitter or your Facebook or LinkedIn account?  That's a really good question and one that the courts are dealing with right now.

Rich Sanchez was an anchor on CNN and has a Twitter account with the handle: "richsanchezcnn".  Rich was rendered unemployed because of some ill advised statements he made.  So, does CNN own the account or was Rich popular with the Twitter followers because of his good looks and sex appeal or because he was on CNN?  Should he have to change his handle?  This was settled out of sight, so we don't know what happened there.

On another front, a company called PhoneDog LLC filed a suit against former employee Noah Kravitz.  Noah tweeted while an employee of PhoneDog under the name "PhoneDog_Noah" but then changed it to "noahkravitz" after the break up.  PhoneDog alleges that Noah's 17,000 followers are worth $2.50 per month for 8 months and are asking for a $340,000 judgment against our friend Noah.  PhoneDog has, for the moment, survived a motion for summary judgment with the judge finding enough question of fact about "trade secrets" in the account to let the case go on for a little longer.

Then there's the strange case of Dr. Linda Eagle, who was one of the original founders of Sawabeh Information Services.  As is the case sometimes, all the founders were fired and Sawabeh alleges that it owns Dr. Eagle's LinkedIn account and that she has somehow "misappropriated" her own account.  As you know, most LinkedIn accounts (as was Dr. Eagle's) are in the employee's name alone and refer to the company in the employment history and in the connections established.

We have explored the issues of who owns clients of an LLC and whether a toxic ex-spouse might have some rights in a patent in a community property state, but this is an area of the law that is developing.

In most instances, this is probably not a huge issue but employers who want to have control over these accounts (and the wisdom of this should be evaluated thoroughly), should provide guidelines in the social media section of their employment rules.  If stated clearly, there seems to be no reason why the employer would not be entitled to control and ownership of such accounts if they fall into the parameters set out in such policy.  Otherwise, it's pretty gray.

Weekend Smorgasbord: Faceporn and Copyright Porn.

Here are a couple of technology law related things that happened this week and they are only marginally connected.

1.  Facebook sued a site called Faceporn in a federal court in California.  They are aggressive about this.  See here and here.  Faceporn is in Norway but uses a .com website.  They also have 250 users in California and 1000 users in the U.S.  Faceporn failed to file an answer and Facebook moved for default judgment.  The Court denied the motion, finding that it did not have personal jurisdiction over Faceporn in that personal jurisdiction requires more than "simply registering someone else's trademark as a domain name and posting a web site on the internet".  Hence, no default judgment.

2.  In a recent case in Massachusetts involving the claim of copyright infringement for an adult film, the judge wondered aloud in Footnote 2 whether there was actually any copyright protection available for a pornographic product.  A couple of cases had refused to provide such protection (beginning in the early days of Broadway, see Martinetti v. Maguire, 1867) but basically on the grounds that scant dialog and nude women were not a dramatic composition and therefore not entitled to copyright protection.  A 1979 case allowed for such protection because the court found that the concept of decency and pornography is constantly changing and "denying copyright protection to works adjudged obscene by the standards of one era would frequently result in lack of copyright protection (and thus lack of financial incentive to create) for works that later generations might consider to be not only non-obscene but even of great literary merit".  It seems incongruous that porn is not entitled to any copyright protection but cases as late as 1998 found that hard core porn that was "bereft of any plot and with very little dialog" was not entitled to injunctive relief against copyright infringement.

So, lack of personal jurisdiction just because you have a .com domain and a question raised about copyright protection for pornography.  How do these affect technology and law?  Well, the internet issue for personal jurisdiction will continue to develop over the years, copyright issues for any medium are a hot item in technology protection and any mention of porn lights up the search engines and gets us more readers.  Reasons enough?

Scam Alert! Especially For Attorneys.

Suppose you are hard at work doing your lawyer stuff one day and you get this e-mail:

"Greetings Counsel:

I need your legal assistance. I provided a friend of mine Mr Philip Anderson a business loan in the amount of $350,000. He needed this loan to complete an ongoing project he was handling in 2009. Mr Anderson is well based in your city and the loan was for 24 months and interest rate of 7.85%. The capital and interest were supposed to be paid on April 15th, 2011 but Mr Anderson has only paid $50,000.

Please let me know if this falls within the scope of your practice so that I can provide you with the loan documents and any further information you need to know.

Thanks,

John .F.Chao"

You think "Whoopee! New business. Just what I need."  At least that's what I thought today, when I got this very e-mail.

You should wait a minute.  It's a scam.  See here for a description.  Apparently, this has been circulating for some time.

Here's how it works, courtesy of AvoidAClaim Blog:

"In this type of scam a lawyer is contacted to help an overseas lender collect on a business debt from a purported borrower in the lawyer’s jurisdiction. The fraudster will provide documentation about the loan. A retainer agreement will be signed, but the fraudster will delay in paying the retainer fee. Instead, the lawyer will be asked to deduct any fees from the debt payment.

When the lawyer has sent a demand letter (or sometimes, before any letter has been sent) a cheque will arrive. The lawyer will be asked to deposit the cheque in the trust account and wire the balance (after fees are deducted) to an overseas account. Of course, the cheque is fraudulent and the lawyer will be left with a shortfall in the trust account."

And then, sure enough, something that sounded too good to be true, was.

OK, Maybe You Can Be Anonymous And Your Scream Can Be Heard In Cyberspace.

Hard on the heels of the Doe v. SEC case discussed in the immediately preceding post, another case where anonymity is sought comes through the Northern District of California.  In Art of Living Foundation v. Does 1 - 10, the plaintiff seeks the identity of one of the defendants in an action for copyright infringement, among other things.

The plaintiff is an international foundation that teaches the philosophy of Ravi Shankar, the spiritual leader, not to be confused with famed sitarist, Beatles confidant and Norah Jones' father of the same name.

One of the defendants goes by the online pseudonym of Skywalker and has been critical of the teachings of the Art of Living Foundation.  In addition, Skywalker put one of the manuals used by the Foundation online.  The Foundation sued Skywalker and others for defamation, copyright infringement, trade libel and misappropriation of trade secrets.  The Foundation moved for a subpoena to Skywalker's blog host seeking Skywalker's identity.  Skywalker, anonymously, through an attorney, moved to quash.  The magistrate allowed the subpoena and Skywalker brings this appeal.

The magistrate applied the standard of Sony Music Entertainment Inc. v. Does 1 - 40, 326 F. Supp. 2d 556 (S.D.N.Y., 2004) and found that Plaintiff had alleged a prima facie case of copyright infringement due to the online publishing of the manual, the subpoenas were targeted to obtain information to identify the defendant, Plaintiff had no other means to identify Skywalker, without such identity, it would be prohibitively expensive to conduct discovery and even if Skywalker had engaged in protected speech, he had no expectation of privacy because "the First Amendment does not shield copyright infringement".

On appeal, Skywalker alleged that because his speech concerned a matter of public interest, the Court should apply the more rigorous standard used by Highfields Capital Management L.P. v. Doe, 385 F. Supp. 2d 969, 975-76 (N.D. Cal. 2005).

The Court of Appeals stated that the more rigorous standard in the Highfields case required (in addition to the factors considered by the magistrate) that the court balance "the magnitude of the harms that would be caused to the competing interests" by their ruling.  The Court held that because of the nature of Skywalker's speech (i.e. more political, religious or literary rather than commercial), the Highfields approach balances the parties' interests better than the Sony approach.  The Court also found that evidence of copyright infringement does not automatically remove the speech at issue from the scope of the First Amendment.

The Court found that, to the extent that Skywalker's anonymity facilitates free speech, the mere disclosure of his identity is itself an irreparable harm and that the plaintiff can continue its case, in view of the fact that Skywalker has been participating in the case through his attorney.  The Court quashed the subpoena.

It is possible that the Court would have reached a different result if Skywalker had not removed the manual from his blog because of a DMCA take down notice or if Skywalker had not been actively involved in the lawsuit.  In any event, Skywalker remains anonymous for a while.

In Cyberspace, No One Can Hear You Scream, But They Can Get Your Identity.

The Securities and Exchange Commission thought that a particular individual was engaged in a "pump and dump" scheme, which is where bloggers, commentators, anonymous "experts" or others tout a small cap stock online in forums, chat rooms, etc. and often with false or deceptive material and then when the price gets a bump as a result, the persons doing the touting sell the stock for a profit.

The SEC wanted the identity of the person behind jeffreyhooke@gmail.com and subpoenaed Google to get the information.  Google notified the person and the person (using the clever pseudonym "John Doe") moved to quash the subpoena.  The lower court denied the motion to quash and Mr. Doe appealed. 

The Court found that Mr. Doe had made a prima facie showing that his First Amendment right of free speech was implicated and therefore, the burden shifts to the government to show: (i) the information sought was rationally related to a compelling governmental interest and (ii) the disclosure requirements are the least restrictive means of obtaining the desired information.  The Court found that the government's interest in disclosure (being ancillary to a fraud investigation) trumped Mr. Doe's private interest in anonymity and that the information requested was the least restrictive means available.

Mr. Doe argued that the standard in Anonymous Online Speakers should be applied here instead of the Brock standard.  The Court held that in Anonymous Online Speakers, there was no government interest at issue (i.e. it was between private parties) as there was in Brock and therefore the Brock standard should be applied, i.e. the government did not have to present evidence sufficient to overcome a summary judgment.

The Court overruled the motion to quash and John Doe is anonymous no more.

 

Move Over Stuxnet, Here Comes DuQu - Son of Stuxnet, Stuxnet 2.0 or Demon Spawn?

The latest addition to the family of badass malware is DuQu.  DuQu was born sometime in the recent past but only became obvious to the world on September 1, 2011 when the Laboratory of Cryptography and System Security (CrySyS) notified the world of its birth. 

If the proud parents were to issue a birth announcement it would read something like:

"The Stuxnet family is proud to announce its latest variant, DuQu, named after its propensity to create files with DQ as a prefix.  Born: Sometime lately.  Weight: Heavy.  Breadth: Remains to be seen.  The bouncing baby malware shares a good portion of its mother's (Stuxnet) source code.  Its father is undetermined but likely is a good looking roving nation state with sabotage or corporate espionage on its mind, like Mossad or the CIA, who are also related to Stuxnet, so birth anomalies are possible.  DuQu shares its likely father's fondness for stealth and trickery."

Most experts like Symantec would agree with the announcement's statement on DuQu's lineage but Dell's SecureWorks doesn't necessarily buy it.

Stuxnet has been used to infect the Iranian nuclear program by causing the centrifuges used to purify uranium to exceed their design for spinning speed and destroy themselves.  DuQu seems to extract information and send it to an unknown site.  Although not proven, this blog along with others has surmised that the sophistication of Stuxnet, the targets and the amount of programming resources required point to the involvement of a group of people more technically advanced and well funded than the average virus creator.  We also chronicled Stuxnet's move from being merely menacing to becoming a military weapon.

Antivirus groups are moving to address the issues; Microsoft says it will address the zero-day defect that DuQu exploits when it gets around to it but proposes an emergency fix; and the "whitelisting" folks like CoreTrace say that they've been ahead of this all along.

As this new arrival grows and spreads, the real purpose and the damage it may do can be assessed but if malware continues to be more sophisticated than some of the applications we regularly use, problems will abound.

UPDATE: Supreme Court Allows Autodesk "License" Decision To Stand.

You will recall that we reported on a case styled Vernor v. Autodesk, which held that because of some "magic words", the distribution of used software was subject to a license and was not a sale and consequently, could be prevented by Autodesk.

Mr. Vernor (actually one or more of the multitude of entities that filed amicus briefs in the lower court, see here) sought an appeal to the U.S. Supreme Court but the Supremes denied cert on Oct. 3.  This means that the ruling stands in the Ninth Circuit (Washington, Oregon, California, Arizona, Nevada, Idaho and Montana) and if the proper words are used, the "first sale" doctrine doesn't apply.

Because this makes the operation of eBay and others more difficult, look for further developments.

Winklevoss Twins Not Particularly Enamored With Legal System, Lawyers nor Results.

We have chronicled the saga of the Winklevoss twins in these pages before (see here, here, here and here) and frankly, we're a little embarrassed we have spent so much time on this.  As you will remember, the twins succeeded beyond most mere mortals wildest expectations when they settled their claim against mighty Mark for a portion of Facebook now estimated to be worth more than 9 figures.  That definitely made them a member of the one percent.  They then decided that they had been scammed and tried a number of times to set the settlement aside.  As indicated in the posts described above, they have been singularly unsuccessful in that endeavor.

They engaged the firm of Quinn Emanuel to pursue the initial lawsuit against Facebook.  The arrangement with Quinn Emanuel provided for a contingency fee based on the amount ultimately recovered through suit or settlement.  They signed an engagement letter that they had reviewed by independent counsel.  After the settlement with Facebook, the twins decided not to pay Quinn Emanuel the $13 million in legal fees that Quinn Emanuel claimed under the engagement letter.  Quinn Emanuel instituted arbitration in accordance with the engagement letter.  The twins sought a court order enjoining the arbitration proceeding.  That was denied.  An arbitration panel awarded Quinn Emanuel the $13 million.  The twins appealed again to the New York Supreme Court seeking to set aside the award because of the law firm's alleged malpractice.  Denied again.

The Winklevoss twins entered into a settlement that made them even wealthier than they already were.  They then decided that they didn't like what they had agreed to and have set out to avoid anything relating to that settlement.  They are zero for career in that category.  I wonder if the law firm representing them in the matter against Quinn Emanuel asked for up front payment.  They would be guilty of malpractice on their own behalf if they didn't.

EA Sports - Your Likeness is "In The Game"!

EA Sports is a video game maker that annually produces a game entitled NCAA Football.  Ryan Hart was a college football player that played for Rutgers.  EA Sports incorporated Mr. Hart's likeness into several versions of its video games, including matching his height, weight, home town, commonly worn arm band and helmet visor and other matters that pretty much matched Mr. Hart and his playing style at Rutgers.  Mr. Hart filed a complaint seeking class action status for himself and other college football players similarly situated.

EA Sports filed a motion for summary judgment, alleging that EA's first amendment rights trumped any of the claims that Mr. Hart had, including New Jersey's recognition of a common law right to prevent unauthorized, commercial appropriation of names and likenesses.

The Federal District Court of New Jersey granted EA's motion and dismissed the complaint.  In a long and detailed decision, the Court discussed several likeness cases including those involving Paris Hilton on a Hallmark card, Edgar Winter and his brother portrayed as giant worms in a comic book and the band No Doubt.

The Court relied on principles of copyright law and found that the defendant's use of the image was "transformative" and as such, was entitled to First Amendment protection that trumped any damages that the plaintiff had experienced.  The Court conceded that EA licensed likenesses of pro football players and licensed colors and logos of college teams from colleges and paid for those, but refused to pay for likenesses of college players.  It further conceded that this might seem "unfair" (You think?) but that the unfairness of the situation did not give rise to a different decision.

The Court found that a player of the video game could alter the player's likeness and playing attributes but that was not what was transformative.  The transformative feature was EA's creation of the mechanism by which the virtual player could be altered.

So, EA Sports incorporates Mr. Hart's unaltered image in the game but provides a mechanism to alter it, so First Amendment rights triumph.  "It's In The Game"

Update: The Acquisition That Keeps On Giving. SAP Agrees To Pay Criminal Fine of $20 million For TomorrowNow's Transgressions.

In 2005, SAP acquired TomorrowNow, a company designed to provide third party maintenance for Oracle software.  Unfortunately, TomorrowNow chose to reduce its operating costs by pirating a bunch of Oracle software and then using it in its business.

Oracle found that to be somewhat offensive and sued TomorrowNow and SAP and originally obtained a judgment against them for $1.3 billion.  We recently noted that a judge had reduced this amount to a mere $272 million.

During the civil trial, federal prosecutors listened and then filed criminal charges against TomorrowNow.  TomorrowNow is basically defunct and has fewer than ten employees and no individuals were named in the indictment.  This was done as part of a plea bargain and SAP worked out a deal where they would pay a $20 million fine for TomorrowNow, even though SAP was not named in the indictment either.  One would have to assume that some individual actually performed the criminal act of stealing the software, although in this case, it appears that Mitt Romney is correct in that: "Corporations are people, my friend."  At least for plea bargains.

Lawyers Have An Ethical Duty To Inform Clients That Electronic Communications May Not Be Confidential.

Once again we stand at the intersection of Ethics Street and Technology Avenue and notice that the traffic signals are insufficient to avoid multiple mishaps here.  Florid prose aside, attorneys must understand that certain methods of electronic communications may put them in an ethical problem if they don't warn their client that using such method may harm the confidential nature of the communication.

You will recall that we wrote recently on a court holding that using a computer or network provided by your employer to communicate with your attorney about a potential complaint against the employer could waive the attorney-client privilege.  Now the ABA has issued a formal opinion on the subject and the gist is that the attorney has an affirmative duty to warn the client about such an eventuality.  In Formal Opinion 11-459 issued August 4, 2011 the Committee on Ethics and Professional Responsibility states that if a client communicates with an attorney about "substantive" issues and such communications originate from an employer owned computer, device (e.g. smart phone) or network (even if from a private e-mail address), the attorney must assume that the employer has a right to access such communications and therefore, the attorney has a duty to warn the client about the risk.  Also, if the client does not heed the risk, the attorney should refrain from communicating with the client via the suspect method.

This duty arises as soon as the attorney-client relationship arises and the attorney knows or should know that the client is likely to send or receive attorney-client communications where there is a significant risk that the communications will be read by the employer or another third party.  This would appear to be particularly applicable in disputes with the employer and in matrimonial issues where the other spouse may have access to the device used for communications.  It also can arise from the use of public computers like libraries or hotels or the use of borrowed devices.

So, the question then arises: What is sufficient notice/warning to comply with this requirement?  The opinion doesn't specifically state but does mention that "reasonable" efforts must be made.  Would a standard tag line on your e-mail signature such as the following be enough?

"Anyone communicating to or from this office by means of an electronic device (including computers, smart phones, tablets or others) and using electronic communication (including e-mail, text messages, instant messages, chat rooms, comments on blogs or websites or others) is advised that such communications may not be confidential, particularly in instances where you are transmitting personal information using your employer's devices or networks or where you are using public computers (such as libraries or hotels) or using a public wireless internet connection.  The effect of the loss of confidentiality will be the loss of attorney-client privilege and the possibility that such communications may not be protected from disclosure in any legal procedure in which you are involved.  You are cautioned to act accordingly."

Using such language as a part of your common electronic communication signature may be advisable and probably doesn't hurt but good practice would indicate an additional communication (such as the engagement/fee arrangement letter) in which the client acknowledges that they have received and understand the warning.  Also, we run the danger of having our e-mail signatures become documents in and of themselves that require our clients to have other attorneys review (hyperbole alert).

We would be interested in any measures that other attorneys have instituted to address this issue.

Court Reduces Oracle's Judgment Against SAP From $1.3 Billion (With a B) to $272 Million (With a M).

Once upon a time, SAP purchased a company called TomorrowNow.  TomorrowNow apparently downloaded Oracle software thousands of times in an effort to get the software cheaply (free) and obtain some of Oracle's customers.  Oracle sued and SAP did not contest the fact of the downloads but alleged that the damages to Oracle should be equal to the profits that Oracle would have realized from the pirated software.  The Court allowed the jury to find damages based on a "hypothetical license" that would have existed between Oracle and SAP if Oracle allowed SAP to use the software in question.  This allowed the jury to find damages in the amount of $1.3 billion, the largest copyright infringement verdict in history.  However, today, in the U.S. District Court for the Northern District of California, the judge found that there was no evidence that Oracle would have ever granted such a license and that damages must be based on evidence and not speculation or guesswork.  The judge then said that the judgment could be reduced to $272 million and if the parties could agree on that, then it would be settled.  If they do not agree, then a new trial will be ordered.

It's an interesting world when a $272 million verdict is considered a victory for the defense.

Zediva's Cord Is Too Long. Court Considerably Shortens It.

You know our friends at Zediva, the entrepreneurs that used DVD players in a data center and DVDs they had bought to rent the DVDs and the players to individuals and stream movies over the internet to subscribers.  We chronicled their launch and subsequent encounter with the legal system here and here.  Zediva had thought their arrangement would be legally equivalent to renting a DVD and player to an individual in their home, a situation that is legally acceptable.  They reasoned that the only difference was a little longer cord, i.e. the distance through the cloud from Santa Ana, California to the respective user.

The Federal District Court, Central Division, of California recently disagreed.  In a decision that has been roundly criticized by some and lauded by others (no surprise there), the Court granted a preliminary injunction, which effectively shut down the Zediva enterprise.  Their website now shows the following:

The Court reasoned that the Zediva service constituted a public performance and that the method of providing the movies constituted a transmission, both violations of the exclusive rights of a copyright holder.  Consequently, the Court found that the plaintiff had shown a likelihood of success on the merits, a requisite of the granting of an injunction.  Another requisite is the showing of irreparable injury.  The Court solved this by reasoning that the provision of the movies by the unlicensed provider deprived plaintiff of its ability to control the use and transmission of their copyrighted works and deprived the plaintiff of revenue (the crux of the matter).  The Court also decided in a rather conclusory manner that the balance of hardships weighs sharply in favor of the plaintiffs and the public interest is best served by the issuance of the injunction.

The Court seemed to think that some kind of physical act on the part of the user, such as recording on a DVR or physically inserting the DVD in a player owned by the user on the user's premises, was required to remove the transaction from the "public performance" and transmission arenas.  Zediva maintained that this was a distinction without a difference.

This area of the law continues to evolve, although more slowly than the technology driving it.  Although it looks like it probably will not happen, it would be helpful if Zediva were to proceed to trial on this so that we could get a more complete consideration of all the issues and some judicial instruction in this cloudy area (pun intended).

Winklevosses Lose Again. Massachusetts Court Dismisses New Lawsuit Against Facebook.

We have covered the Winklevoss twins versus Zuckerberg/Facebook legal struggle on way too many occasions (see here, here, here and here).  We rejoiced when we found out that the Winklevosses would not go away as we felt it would make for easy blog posting.  Well, this is one.  About a month after the Winklevosses decided not to take their appeal to the U.S. Supreme Court and instead pursued a suit in District Court in Massachusetts, that court has dismissed their claim on the grounds that other courts had already considered and rejected their substantive claims (res judicata).  The twins' attorney will file a motion for post judgment relief and we can only hope that this continues until we need another easy post.

 

The Seven Things The FTC Thinks You Need To Know About The CAN-SPAM Act.

If you use e-mail as advertising, you could be subject to the CAN-SPAM Act.  The FTC wants you to know how to comply.  Give it a look:

 

New Top Level Domain Name Scheme Approved By ICANN

You will recall that we mentioned in February that the Internet Corporation for Assigned Names and Numbers (ICANN) was proposing opening up the top level domain game to everybody.  ICANN has now approved that move by a vote in Singapore on June 20.  Applications for positions as new top level domain registrars will be accepted for a three month period beginning on January 12, 2012.

So, anyone with $185,000 and an infrastructure for doing registration acceptable to ICANN can get their own top level domain registration business.  As we mentioned before, this will greatly expand the present .com, .edu, .net scheme to anything you could imagine and that ICANN will approve.  This could include names relating to common interests (.badminton, .skiing or .coins), society segments (.democrats, .gay or .baptist), individual company or brand names (.ford, .ibm or .dell), professions (.doc, .law or .cpa) or anything else that can be envisioned and approved.

Get your applications ready.

Hallelujah! We Spoke Too Soon. Winklevosses Strike Back. More Easy Blog Posts Ahead.

Yesterday we announced prematurely the cessation of combat operations in the Winklevoss v. Zuckerberg saga/soap opera/high grossing movie plot.  It seems that even though the twins had decided to forgo their appeal to the U.S. Supreme Court, they are pressing the attack in an existing suit in Boston.  Thank you, whatever deity is responsible for providing material for blog posts.  Our faith in you is renewed.

 

Our Long National Nightmare Is Over. Facebook/Winklevoss Lawsuit Comes To An End.

This blog has been in sort of a TMZish mode regarding the unfolding drama of the Winklevoss twins vs. Zuckerberg.  See here, here and here.  Apparently the era of easy blog posts is coming to an end as the twins have announced through a filing that they will not pursue an appeal to the U.S. Supreme Court.

 

Do You Use An iPad In Your Legal Practice? Maybe You Should And Give These 20 Apps Due Consideration.

Our friend, Judith Leeson, the proprietor of a blog called Law Degree, has gone to the trouble of searching, reviewing and recommending the top 10 free iPad apps and the top 10 paid iPad apps for attorneys.  If you use an iPad in your practice or are considering it, you should look this list over.  Thanks, Judith for bringing this to our attention.

ATLB Mentioned In "Top 50 Up And Coming Blogs"

Our newest and best friend Rachael Davis, proprietor of Dr. IT, PhD, has graciously included us in her list of Top 50 Up and Coming Blogs.  We appreciate that and applaud Ms. Davis' perception and taste.

Hear All That Screaming and Gnashing Of Teeth? It's World IPv6 Day!

OMG!  It's already World IPv6 Day and you forgot to buy gifts.  What are you doing to celebrate?  Who has the day off?

University of Texas Investment In Patent Company Questioned.

Our partner, Luke Stanfield, was quoted in the most recent issue of the Austin Business Journal.  In an article written by Christopher Calnan, the activities of The University of Texas Investment Management Co. ("UTIMCO") in investing in Intellectual Ventures Management LLC ("Intellectual Ventures") were called into question.

Intellectual Ventures is referred to as a patent troll or a hedge fund that defends valuable intellectual property, depending on the person doing the assessment.  The article cited above mentions that Intellectual Ventures has acquired rights to more than 30,000 patents and its principal business is licensing such patents and litigating the alleged infringement of such patents.

The article questions whether this is something in which the University of Texas should be investing.  Some say such firms do not foster innovation and in fact, divert the resources of the targeted companies.  This was Luke's focus when he was quoted in the article as saying: "If companies are forced to spend money on lawsuits instead of research and development, it can stifle innovation".  Sounds right to me.

The Rapture or World IPv6 Day, Which One Is Likely To Cause More People To Disappear?

Well, the Rapture came and went and apparently everyone I know is a dirty, rotten sinner.  Now, we get another chance to be elevated into something greater than ourselves.  You will recall that we warned you that the Internet ran out of numbers a month or so ago and it had about as much impact as last Saturday's event.

Now, the Internet Society is tempting fate by calling for a World IPv6 day on June 8, 2011.  We are less likely to see billboards and covered cars extolling this day than we did for the Rapture and we certainly will see less media coverage although this touches far more people than 144,000.

On June 8, several hundred websites and a few large companies will provide their content in IPv6 compatible mode to remind people of the coming apocalypse when all websites and devices with IPv4 numbers try to switch over.  Talk about your Armageddons!  Just wait until the internet and cell phones don't work.  At that point, not even one of the major deities could save us.

To determine your browser's ability to be screwed up by this change over, you can go here to check now.  To prepare for IPv6 day and the return of Y2K, please fasten your seat belt and return your browser to its full uptight and locked position.  Your pilot has been advised of some choppy air ahead.

(To be clear, this is this Blog's lame attempt at sarcasm.  We believe the IPv6 changeover is beneficial and necessary.  Really, we do.)

Cookies, COPPA and Contracts

Alliteration abounds.  Reports today concern the EU Directive on the use of cookies, a settlement with a Disney subsidiary for violation of COPPA (Children's Online Privacy Protection Act of 1998) and why paying attention to the construction and organization in the drafting of a contract can be extremely important.

1.  The European Union has issued a directive that will go into effect on May 26 of this year that basically reverses the way cookies are handled.  In the past the regulations required that the user be advised of the way that cookies are used and be given the opportunity to opt out of receiving them.  The new regulations require the same advising but also require "consent" before cookies can be placed.  This is the so-called "opt in" provision.  The regulations recognize that enforcement of this will be a phased in approach with the most intrusive cookies getting the most attention.  The Information Commissioner's Office has issued advice about how to deal with this.  If your website attracts significant traffic in the European Union, you would be well advised to read the ICO's advice and plan accordingly.

2. COPPA has requirements about what information can be collected from children online and what use can be made of such information.  The Federal Trade Commission accused Playdom, an online game provider, of violating COPPA by collecting information from children without parental consent and by violating its own stated privacy policy.  Playdom is a subsidiary of the Disney company.  The FTC filed a complaint against Playdom that resulted in a consent decree, which among other things, required a $3,000,000 civil penalty.   This is the largest penalty yet assessed for such a violation.

3.  The placement (or misplacement) of a single word recently made a $1,000,000 difference in a Maryland case.  In Weichert Co. of Maryland, Inc. v. Faust, an ex-employee of a real estate firm was sued for violating her obligation of loyalty and the non-solicitation clause of her employment agreement.  The Court found that she violated the obligation of loyalty but not the non-solicitation clause.  Her contract had an attorneys' fee provision where the prevailing party is entitled to its fees.  The real estate firm prevailed on the breach of the duty of loyalty but the employee prevailed on the issue about non-solicitation.  The attorneys' fee provision was included in the non-solicitation clause and gave fees to the party that prevailed "hereunder".  Since the "hereunder" was in the particular clause, the Court reasoned that it applied only to that clause and not the contract or the relationship as a whole.  Hence, the employee was entitled to her attorneys' fees, which were approximately $1,000,000, even though she had "prevailed" on only half of the issues.  In the lessons learned department for us attorneys, if you intend to make a provision apply to the contract as a whole and not just a specific clause, move the provision into a section of its own or make it very clear that it is applicable to the whole contract.

Ninth Circuit Denies Winklevoss v. Facebook Motion For Rehearing. Winklevosses Change Status To: "It's Complicated".

You will remember that the Winklevoss twins had tried to get their settlement with Facebook overturned.  The Ninth Circuit had decided that the settlement should stand and that litigation should end at some point.  The Winklevosses did not take the hint and asked for a rehearing en banc (i.e. that all the judges of the Ninth Circuit hear it as a panel rather than the three judge panel that originally sat on the case).  That motion was denied without comment.  The only option left for the twins is to appeal to the U.S. Supreme Court.  In order to decide to grant certiorari (i.e. the decision to put the case on the Supreme Court docket), the Supremes will have to believe there is some constitutional issue to be decided.  That will not be easy in this case as the issues deal primarily with contract law and the allegations of fraud.

We had mentioned before that we hoped the Ninth Circuit would grant a rehearing for no other reason than it gave us fodder for further posts.  We now wish the same for the Supreme Court.

Whole Bunch of Folks Gang Up On Apple To Try To Make "App Store" Available To Everybody.

We had written a couple of times (here and here) about the on-going battle among Apple, Microsoft and Amazon about the use of the term "App Store" as a trademark. 

Now, Microsoft, Nokia, Sony, HTC and Amazon have all registered opposition to Apple's exclusive use of such term in Europe.  Most of these companies announced yesterday that they have filed or will file opposition to Apple with the Office for Harmonization in the Internal Market, the body responsible for trademarks in the European Union.

Apple has already obtained a mark for App Store with the OHIM but this new gang of opponents is seeking to have this reversed on the grounds that such term is generic and has been used by everybody for a long time.

If Apple is able to hold on to the right of exclusive use of this mark, it would be huge.  The price of poker just went up.

Updates And Comments: Posting On Facebook At Work Is Criminal?, Past Notice Doesn't Create Obligation To Police Site, Use of Competitor's Trademark As Keyword Is Infringement But No Damages, and Red Soles In The Sunset.

A few comments and updates:

1.  The Ninth Circuit recently held in U.S. v. Nosal (9th Circuit No. 10-10038) that exceeding your employer's computer use restrictions could be criminal under the Computer Fraud and Abuse Act, 18 U.S.C. 1030 et seq.  Sec. 1030 (a) (4) states: "Whoever... knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value..." violates this statute.  The Defendant had authority to access the computer in question but exceeded his employer's written use policy and obtained some confidential information.  The Court reasoned that this satisfied the statutory requirement of "exceeds authorized access" and, if coupled with furthering fraud and obtaining something of value, that was sufficient to avoid dismissal.  Was the headline about accessing Facebook at work being criminal hyperbole?  Yeah, a little, but it caused you to look, didn't it?  A lesson to be learned from this is that a well crafted computer use policy will be another tool for employers to use to protect their trade secrets.  Employees' rights groups are not thrilled.

2.  We noted recently that continuing to provide certain services after actual knowledge of infringing activity could lead to liability for contributory infringement but that prior received notices were not necessarily actual knowledge. This principle was confirmed in Wolk v. Kodak Imaging Network Inc., Southern District of New York, March 17, 2011.  The Court in Wolk held that previous takedown notices from the same artist did not give rise to actual or apparent knowledge nor the obligation to police the site for infringement.

3.  Suits relating to use of competitors' trademarks as search terms continue to show up.  We had discussed a couple here and here.  In InternetShopsInc.com v. Six C Consulting, Inc. the defendants conceded liability but the Court failed to award any damages because it could not find a single sale that resulted from the infringement.  The Court did enjoin the defendant from using the trademark as a search term going forward.

4.  Louboutin is a luxury shoe retailer who started marketing shoes with red soles in 1992.  Yves Saint Laurent recently marketed shoes with the same color uppers and soles. One of these was red and therefore had a red sole.  Others were blue and green with correspondingly colored soles. Louboutin has filed an infringement action relating to the red soled variety in the Southern District of New York.  A pivotal issue in this case will be whether consumers will be confused.  Would you be confused if you were going to pay more than $1,000 for a pair of shoes?  I mean confused as to the identity, not the wisdom of paying that much for shoes.

Five Things That Web Hosters and SEO Providers Should Avoid Like The Plague (Other Than Cliches).

Companies hosting web sites and providing search engine optimization (SEO) services generally enjoy safe harbor protection from copyright infringement under the Digital Millennium Copyright Act and protection from liability for information provided by third parties under Section 230 of the Communications Decency Act, but does that protection extend to protection from contributory trademark infringement liability?  Courts increasingly have answered that question in the negative.

Let's examine one such instance.  Christopher Prince operated several websites, one of which was called "copycatclubs.com".  Through these websites (all of which resolved to a single online store), Mr. Prince sold golf equipment, accessories and apparel.  The online store was described as a "wholesaler" that was a "...one stop shop for the best copied and original golf equipment on the internet".  A shopper working for Roger Cleveland Golf Company, Inc. (Cleveland) ordered several clubs described as "Cleveland" clubs from the online store.  The shopper received the order and the clubs were branded as "Cleveland" clubs.  Cleveland determined that the clubs were counterfeit and brought suit against Mr. Prince and some of his affiliates.  During discovery, it was determined that Mr. Prince employed Bright Builders, Inc., a web site designer and SEO consultant to create and support the web sites and the business model.  Cleveland amended its complaint to include Bright Builders as a defendant and allege that Bright Builders had contributorily infringed Cleveland's trademarks.

Bright Builders moved for summary judgment with a one and one-half page motion with no supporting citations or reference to the record as is required by court rules.  The gist of Bright Builders' defense was that it was merely a "web hosting entity" and was not "...aware that Mr. Prince was engaged in illegal activities...".  Cleveland strongly disputed this and cited evidence in the record that Bright Builders created the website, assured Prince that he would make at least $300 a month from the online store, took $10,000 to provide coaching and mentoring services, provided a Project Advisor and had discussions with Prince about developing copycatclubs.com.  In fact, the Court said that the name (copycatclubs) should have alerted Bright Builders to possible infringement (even though copying is not necessarily illegal).  Bright Builders did not bother to reply to Cleveland's response.

Perhaps due in no small part to the nonchalant manner in which Bright Builders approached the lawsuit and the pleadings, the Court found that there was a genuine issue of material fact as to whether Bright Builders participated in Prince's business to such an extent that Bright Builders could be held liable for trademark infringement and denied the motion for summary judgment.  This was in December of 2010 and the case proceeded to trial.  On March 10, 2011 the jury found infringement by both Prince and Bright Builders and returned a much larger verdict against Bright Builders (the secondary infringer) than it did against Prince (the actual infringer).

So, here we are again in the Lessons Learned Department.  What steps should website developers and SEO consultants take (or not take) to minimize their exposure to a verdict for secondary liability?

Consider these principles:

1.  If the developer exerts sufficient control over the website and knows or had reason to know of infringement, the developer must not fail to take appropriate actions.  The developer does not have to reasonably anticipate that infringement will occur and generalized knowledge is not sufficient to impute knowledge of any and all instances of infringing activity.

2.  Demand letters and other notices from potential plaintiffs are not sufficient to establish a duty to act but when the developer has knowledge of specific infringing activities, it must not fail to take action to eliminate the infringing activities or it must cease to provide services to the infringer.

3.  The website hoster should have programs designed to detect possibilities of infringement and not fail to take defined steps to eliminate it when specifically found.

4.  Do not be "willfully blind" to infringement.  This means refusing to investigate when you fear the results of the investigation.  White heart and empty head is no defense.  Principles 1 through 4 above are discussed at great length and in detail in Tiffany et al. v. eBay, Inc. 576 F. Supp. 463 (2008).

5.  You must not fail to do a better job of documenting your activities and responding to court pleadings than Bright Builders did.  While this might not be the developer's responsibility, the developer should be sure that it engages legal counsel knowledgeable in the area and that takes the potential liability seriously.

Therefore, the next time you are engaged to develop a website to sell Gucci bags and Louboutin shoes, do your due diligence to see if they are the real thing or you may end up taking a bigger hit than the actual culprit.  That's not optimization of any kind.

Yes, Virginia, A Compilation of Publicly Known Processes Can Still Be A Trade Secret

Trade secret law is not nearly as topical and sexy as some of the social media controversies we have been talking about lately, unless you are the one depending on trade secret protection. 

First, a primer: If something has independent value, is not generally known or readily ascertainable by proper means and has been subject to reasonable efforts to maintain its secrecy, it can qualify as a trade secret under Virginia (and most other states) law.  Software, in particular, is generally protected by a combination of copyright, trade secret and sometimes, patent law.  That's the reason that software vendors have to have non-disclosure agreements before they can allow you to review their software and the reason that most software licenses restrict the people and entities to whom you (as licensee) can provide information regarding the software.  That's part of the reasonable efforts to maintain the secrecy element in trade secret law.

The Fourth Circuit recently took up another of the elements, i.e. whether a compilation of publicly known processes combined in a way that is not publicly known or readily ascertainable can qualify for trade secret protection.  In Decision Insights, Inc. v. Sentia Group, Inc., the Court said that matter was already decided in Servo Corporation of America v. General Electric Corp. 393 F.2d 551 (1968) where it was held a trade secret "might consist of several discrete elements, any one of which could have been discovered by study of material available to the public".  In the Decision Insights case, there was testimony that although the contested part of the software was comprised largely of publicly known algorithms, the compilation and some of the methods used to cause the compilation to interact were not publicly known.  The Fourth Circuit thought that this testimony was sufficient to overcome a motion for summary judgment and reversed and remanded for further consideration of this issue and the other issues applicable in a trade secret case.

It is important to note that the Court did not say that the compilation in question was a trade secret but merely that such a compilation could be held to be if all the elements are present. 

This should eliminate (at least in Virginia) contentions that all parts of a formula or process have to be completely secret and unknown in order to qualify as a trade secret.

Winklevosses Ignore Part of Ruling That Says: "...litigation must come to an end..." and Ask For En Banc Rehearing.

Last week we talked about the Ninth Circuit refusing to set aside the Winklevoss/Zuckerberg/Facebook/ConnectU settlement agreement.  Yesterday, the famous twins decided to ignore the part of the opinion that said that now is the time for the litigation to come to an end and filed a Petition For Rehearing En Banc.  This means that they are asking all the judges of the Ninth Circuit to rehear the case rather than the panel that originally heard it. 

From the language of the Petition, the twins seem to take umbrage at some of the snarkier language in the original opinion.  They find issue with: "bested by a competitor", "backing out", "quite favorable", "enough" and allege that "sophistication is no defense".

We can only hope that a rehearing will be granted, if for no other reason than it will give us fodder for several more posts.  Stay tuned.

 

Amazon.com Seeks To Form "App Store". Apple says: "Not So Fast!"

You will remember that Apple has applied to the USPTO for registration of the mark "APP STORE".  Dedicated readers of this blog were informed in January that Microsoft was opposing the issuance of such mark for Apple.

Amazon.com is now allegedly using the term "APP STORE" to solicit software developers for future software development and distribution.  Apple is having none of that and has filed suit in the Northern District of California alleging that such use by Amazon.com constitutes trademark infringement and several other heinous sins.  The suit asks for injunctive relief, damages, a constructive trust and attorneys' fees.

It is evident that "APP STORE" has become part of the popular lexicon and if one party is entitled to use it to the exclusion of others, it is a very valuable property.  The holy trinity (Apple, Microsoft and Amazon.com) will continue to duke it out over this issue and the birds will just get angrier.

The Social Network II - The Facebook Legal Saga Continues.

We've all seen the movie.  Mark Zuckerberg versus the Winklevoss twins.  Uber-nerd versus uber-jocks.  Outsider versus the privileged and connected.  In the balance rests the right to violate the privacy of virtually everybody in the "civilized" world.

The movie shows some of the discovery proceedings in the lawsuit filed by the Winklevosses in Massachusetts alleging that Zuckerberg stole the Facebook idea.  Zuckerberg filed a countersuit in California (typical Facebook ploy, see here) against the twins and ConnectU, alleging that ConnectU had hacked into Facebook and stolen information and attempted to steal Facebook users by spamming them.  The California court dismissed the action against the Winklevosses, finding that there was no personal jurisdiction over them.  The Court then ordered the parties to mediate to attempt to find a settlement to all their issues.

Then things start to get stranger.  With billions of dollars at stake, the parties mediate for one day, reach a settlement and document it with one and a third pages of handwritten notes with the title: "Term Sheet and Settlement Agreement".  This Agreement envisions the transfer of ConnectU to Facebook in exchange for cash and an interest in Facebook.  Facebook lawyers then present 130 pages of documents to flesh out the Agreement (merely 100 times the volume of the Agreement).  The deal then comes off the tracks for a number of reasons including the Winklevosses asserting that the value of the Facebook stock is less than they were led to believe.  Facebook files a motion to enforce the Agreement.  The twins allege that the Agreement is not enforceable because it lacks material terms and was procured by fraud.  The Court finds the Agreement enforceable and the Winklevosses appeal.

Then the Ninth Circuit, in a decision released yesterday, upheld the enforcement of the Settlement Agreement.  The Winklevosses had alleged that the Agreement violated Rule 10b-5 of the Securities Act and as such was void.  The Ninth Circuit rejected this argument and found: "The Winklevosses are sophisticated parties who were locked in a contentious struggle over ownership rights in one of the world's fastest-growing companies. They engaged in discovery, which gave them access to a good deal of information about their opponents. They brought half-a-dozen lawyers to the mediation. Howard Winklevoss—father of Cameron and Tyler, former accounting professor at Wharton School of Business and an expert in valuation—also participated."

The Court also held: "The Winklevosses are not the first parties bested by a competitor who then seek to gain through litigation what they were unable to achieve in the marketplace. And the courts might have obliged, had the Winklevosses not settled their dispute and signed a release of all claims against Facebook. With the help of a team of lawyers and a financial advisor, they made a deal that appears quite favorable in light of recent market activity. See Geoffrey A. Fowler & Liz Rappaport, Facebook Deal Raises $1 Billion, Wall St. J., Jan. 22, 2011, at B4 (reporting that investors valued Facebook at $50 billion —3.33 times the value the Winklevosses claim they thought Facebook's shares were worth at the mediation). For whatever reason, they now want to back out. Like the district court, we see no basis for allowing them to do so. At some point, litigation must come to an end. That point has now been reached." (Emphasis added)

So, the poor Winklevoss twins are stuck with a deal that is only worth millions and not billions.  In the lessons learned department, we are struck by the fact that you probably couldn't turn around in the mediation room without tripping on a lawyer or a financial advisor and yet, they ended up with slightly over a page long, hand written document.  That either means you don't need lawyers at all or you really need them to do their job. 

Maybe we'll find the answer in the next sequel, "Social Network III, The Legal Grievance Phase".

 

Update On the Epsilon E-Mail Hack.

Last week we discussed the very large, very disruptive loss by Epsilon of a number of e-mail addresses and the identities of the companies with whom the e-mail owners did business. 

InfoWorld Tech Watch reports that it appears that the hack relied on the gullibility of Epsilon employees.  So, there was no midnight rappelling from the ceiling through banks of laser beam alarms like you see in the movies, but merely a "social engineering" attack using e-mails targeting Epsilon employees that contained some personal information about the employee and made them think it was from a personal acquaintance. 

The messages included links (bad idea to click links in a message) that took them to a site that downloaded one malware program that disabled the antivirus software, one that logged keystrokes and one that gave hackers remote access to the infected machines.  It also turns out that Epsilon was warned about such attacks several months ago.

In the "lessons learned" department or more appropriately, the "lessons we should already have known" department, it would be prudent for a company with large amounts of customer data (everybody online?) to train its employees not to respond to personal e-mails at work, to recognize the telltale signs of a social engineering attack and not to click on links in a message whose origin they do not know.

This is not hard to teach but apparently compliance is difficult.  This lesson will get expensive for Epsilon.

Well, That Didn't Take Long. Movie Studios Sue Zediva.

It seems like only last week (actually, it was) when we first talked about the Zediva launch, which allowed you to view streamed videos from the cloud via a DVD that you rent played on a DVD player that you rent.  Of course, you never see or possess either, given that they reside somewhere in a Zediva leased data center.

Wasting no time, several movie studios have sued Zediva.  The complaint can be found here.  The Motion Picture Association of America detailed their members' position in a press release.

As expected, the plaintiffs allege copyright infringement, specifically, the exclusive right of the copyright holder to publicly perform their movies.

Interesting times, these.

Massive E-Mail Hack. Phishing Season To Begin Early This Year.

On April Fools' Day, Epsilon (one of the largest on-line marketing firms) announced through a terse press release that their "...clients' customer data were exposed by an unauthorized entry..." but that the information obtained had been limited to names and e-mail addresses.  Unfortunately, it was not an April Fools' joke.

Some of Epsilon's customers include Citigroup, JP Morgan Chase, Brookstone, Kroger, College Board, Walgreens, TiVo, Capital One, HSN Inc., Visa, Kraft, LL Bean, Best Buy and Verizon.

So, what you need to look out for and alert your clients about is the possibility of increased "phishing" attacks.  We have all had e-mails purporting to be from some bank or other entity and requesting us to go to some website (configured to look like the real entity's website) and enter information and  possibly pick up spyware or viruses.  Since most phishing attacks are just random broadcasts, the fact that these intruders have specific names, e-mail addresses and links to specific entities with whom the targets do business leads to a more pointed attack, which is referred to as "spear phishing".  Because of the more targeted approach, the success rate is likely to be higher.

How do you protect yourself?  PC World has some good advice.  As the PC World article states, the best way to avoid this is never to go to a website from an unknown e-mail link and don't provide any sensitive information such as password, PIN, etc.  Common sense instructions but please tell your grandma about this.

New .XXX Top Level Domain Approved. The Steps You Need To Take Now To Ensure That You Don't See a [yourname].XXX Domain In The Future!

You may have read recently that ICANN (Internet Corporation For Assigned Names and Numbers) has approved the new top level domain (TLD) of .XXX.  Obviously, this is intended for the adult entertainment industry and TLDs with that extension will begin to be issued in the near future.  However, aside from any passing prurient interest you may have in mentioning this factoid in social chatter, does this affect you in any way?

It does if you would not want to Google your name, trademark or tradename in the future and find that name with a .XXX extension.  So, if  you are concerned that this might happen either because someone might want to take advantage of the popularity of your name or you have a really sick friend that might want to hold this over you as a pathetic practical joke, here is what you need to do now.

ICM Registry has obtained the rights to act as the registrar for the .XXX domain.  They have set up a procedure to address your concerns about having your name or tradename associated with a .XXX domain.  The procedure is referred to as Sunrise A, B and C and offers you two avenues to avoid the result we describe above.  Obviously, one avenue would be to apply for all the domain names you want to protect with the .XXX extension and then just not use them for anything.  However, you would still show up in a search on WHOIS as the owner.  This is the Sunrise A procedure.  The preferred route would be Sunrise B, which allows domain holders and trademark holders to apply to block use of those names with the offending extension.  This is the explanation from the ICM website:

"Sunrise B is for rights owners from outside the [adult entertainment industry]. Names secured through Sunrise B will not result in the registration of a conventional, resolving domain name at the .xxx registry. Instead, these names will be reserved and blocked from live use. The applied for string will resolve to a standard plain page indicating only that the string is reserved from use through ICM’s rights protection program."

Since time could be of the essence, head over to this site or have someone do it for you and open an account and apply to reserve the appropriate names.  At some point in the process (after the original submission), you may be asked to prove you have the rights to the names so be prepared to do that. 

Now, don't you feel better?

Zediva Tries To Beat Netflix To The DVDs By Invoking Same Doctrine That Will Make It More Expensive For Netflix.

The many avid readers of this blog will no doubt remember our in depth discussion of the "first sale" doctrine as it relates to the inability of Netflix to rely on such doctrine for the streaming of videos, since there is no "sale" involved.  We surmised that this would increase costs because Netflix would have to license the videos from the copyright holders rather than just buy the DVD and rent it out.

Now, another service is trying to side step the issue and offer streaming DVD videos in a time frame well in advance of when Netflix can offer the video.  Zediva went from beta to production last week and is offering streaming videos as soon as the DVD is available for purchase.  Zediva's legal reasoning on this (we believe) is that they are buying the DVDs and physically taking delivery of the DVDs and actually playing them on a DVD player somewhere in their data center.  The particular DVD and the player on which it is playing are leased to the subscriber for four hours, during which no other subscriber can access either that DVD or that player.  The technology employed by Zediva allows that DVD and player to stream the video over the internet to the subscriber's device.  So, according to Zediva, it is like renting the DVD and player and the player just has a really long cord (with the cord serving as a metaphor for the cloud).  Surely, says Zediva, that must be allowed under the "first sale" doctrine.   If DVD copyright holders take umbrage at this arrangement, they might say that the "first sale" doctrine requires physical transfer of the medium and "Don't call me Shirley".  (gratuitous Leslie Nielsen homage)

The roll out of this bears watching.  Zediva's website today says it is down while they get more capacity.  Recently, another company thought they fit into an exception of the Copyright Act. ivi TV was retransmitting television broadcasts and claimed they were a virtual "cable company" and therefore entitled to transact their business under Sec. 111 of the Copyright Act, although they didn't get retransmission consent nor qualify as a cable company under the Communications Act.  The US Court for the Southern District of New York granted a preliminary injunction that ceased their operation until further adjudication.

As new technology challenges the present state of the law, we close this post as we almost always do.  Stay tuned.

LinkedIn Reaches 100 Million Users. First Million Get Thanked Personally.

Sometimes referred to as the Facebook for the business set, LinkedIn provides a multitude of information and contacts to its members.  Last week, LinkedIn notched its 100 millionth user.  According to the metrics on my LinkedIn page, I'm connected to about 4 percent of them.  That's a lot.  I hope they don't all decide to come over to the house at once.

In a nice touch, the founder of LinkedIn sent a personal letter of thanks to the first 1 million adopters, specifically citing their order of signing up.  I didn't get a letter as I missed being in the first million by a mere 16,915,876.  If you are looking for your letter, you can determine if you are going to get one by looking at your full profile URL.  Your order in the LinkedIn hierarchy is listed after the "id=__" in the URL.

I'm probably not going to get a letter from Mark Zuckerberg either.

Syracuse Goes For the Orange and Google Scan Settlement Gets Stopped.

Syracuse University once was known as the "Orangemen".  This arose from a hoax in the student newspaper about the fictional remains of an Indian chief being found during the excavation of a university building.  Because of the racist stereotype, Orangemen was eventually changed to "Orange" and the mascot now is a rotund citrus fruit known as Otto.  Now, Syracuse has moved to trademark the "Orange".  After all, the Fifth Circuit has held that a color scheme can be part of an identifying mark if likely to cause confusion.  Other universities that embrace orange as a team color and use the term orange as part of their identifying marks and slogans have objected, including Tennessee and Auburn but surprisingly not Texas.  Maybe burnt orange is sufficiently different so as to not cause confusion.  After all, school buses, road cones, citrus fruit and pumpkins are different colors, right?

In Google's quest to rule the world, it entered into agreements with several large libraries to scan books, include "snippets" of such books in a database and allow searches of such scans.  In 2005, Google predictably was sued for copyright infringement and just as predictably raised fair use as a principal defense.  The suit was in the nature of a class action and Google had entered into a settlement of this case, which would have allowed Google to continue the scanning with the payment of certain fees.  The settlement was subject to approval by the courts but the District Court for the Southern District of New York said "not so fast" and rejected the settlement.  The reasons stated by the Court include that the settlement "...would grant Google significant rights to exploit entire books, without permission of the copyright owners. Indeed, the [settlement agreement] would give Google a significant advantage over competitors, rewarding it for engaging in wholesale copying of copyrighted works without permission, while releasing claims well beyond those presented in the case."

Back to the drawing board.

Company Buys Competitor's Trademark as Google AdWord. Another Scuffle Ensues.

We recently reported on a case where competing law firms were involved in a tussle over the use by one of the law firms of the other law firm's name as a Google AdWord.  The California court in that case found trademark infringement.

Now, another case from the Ninth Circuit comes along where one software company bought the name of the other company's product as a Google AdWord.  Advanced System Concepts licensed a product under the registered trademark "ActiveBatch".  Network Automation (whose own product is called "AutoMate")  bought ActiveBatch as a Google AdWord (doesn't anyone own a space bar?).  Advanced System Concepts brought suit against Network Automation and was granted a preliminary injunction prohibiting the use of ActiveBatch in this way by Network Automation.  Network Automation appealed to the Ninth Circuit.

The District Court applied the Sleekcraft test first espoused in AMF Inc. v. Sleekcraft Boats, 599 F.2d 341 (9th Cir. 1979), which set out eight factors in determining infringement.  The District Court held that the three most important factors in the Sleekcraft test in cases relating to the internet were: (1) the similarity of the marks; (2) the relatedness of the goods; and (3) the marketing channel used.

The Ninth Circuit held: "Mindful that the sine qua non of trademark infringement is consumer confusion, and that the Sleekcraft factors are but a nonexhaustive list of factors relevant to determining the likelihood of consumer confusion, we conclude that Systems’ showing of a likelihood of confusion was insufficient to support injunctive relief."  (Emphasis added)

The Court then went on to say:

"Given the nature of the alleged infringement here, the most relevant factors to the analysis of the likelihood of confusion are: (1) the strength of the mark; (2) the evidence of actual confusion; (3) the  type of goods and degree of care likely to be exercised by the purchaser; and (4) the labeling and appearance of the advertisements and the surrounding context on the screen displaying the results page.
The district court did not weigh the Sleekcraft factors flexibly to match the specific facts of this case. It relied on the Internet “troika,” which is highly illuminating in the context of domain names, but which fails to discern whether there is a likelihood of confusion in a keywords case. Because the linchpin of trademark infringement is consumer confusion, the district court abused its discretion in issuing the injunction."

It's important to note that the Court did not say that there was no infringement here, merely that the factors to be considered were not limited to those in the Sleekcraft case and they had to be applied in a flexible manner and therefore, the Ninth Circuit remanded for further consideration in line with these factors.

In my conversations with communications and advertising people, it is apparent that purchasing competitors' trademarks and names as SEO enhancers is a common and accepted practice.  Therefore, this emerging area of the law will be developing for several years.  So, as usual, stay tuned.

Stanfield Hiserodt To Present Discussion On Cloud Computing At RISE Tomorrow.

We will be leading a discussion on "Ten Things You Should Know About Cloud Computing Agreements" at Austin RISE Week 2011 tomorrow at 4:00 pm at the PeopleFund offices at 207 Chalmers Avenue in Austin.  If you need something to do during that awkward time between afternoon coffee break and happy hour, come on out and share it with us.

U.S. Wants Governments To Be Able To Veto Proposed Generic Top Level Domain Names. Other Countries Not So Much.

You may remember that we recently described the new procedure for obtaining generic top level domain names.  ICANN (The Internet Corporation for Assigned Names and Numbers) has proposed a new procedure to allow additional entities to act as domain registrars.  Included in this was the opportunity to propose an infinite variety of domain extensions and not be limited to the ones heretofore approved (and originally suggested) by ICANN. 

Now, the U.S. government has proposed that each member of the Governmental Advisory Committee (GAC) to ICANN have the right to object to any proposed extension and if a "consensus" of the GAC members is obtained, then ICANN will not approve the domain extension and will refund the fees paid by the applicant.  This supposedly is designed to limit the award of "objectionable" domain names such as .gay or .xxx or anything else that any GAC member's citizens feel runs counter to some aspect of their society or religion.  So, in addition to .gay, a really depressed nation might object to .cheery, .jolly or .festive.  And, in addition to .xxx, a nation might find .xoxox objectionable if they hate football coaches, tic-tac-toe players or post script huggers and kissers.

The U.S. proposal has not been warmly received by the other GAC members and in a response supported by a majority of the other GAC members, the GAC has recommended that the GAC's role be limited to advisory only and if ICANN goes against a GAC recommendation, ICANN's only requirement is to explain its position.

It is plain that this will not be the last we hear of this matter and much more discussion will be had when the actual applications come rolling in.

Metadata "presumptively producible" in FOIA Requests.

Metadata is data about data.  Software programs such as Excel, Word, e-mail clients and others routinely produce such metadata. 

In the instant case, National Day Laborer Organizing Network ("NDL") lodged a Freedom Of Information Act ("FOIA") request with four government agencies including Immigration and Customs Enforcement ("ICE").  The agencies generally resisted the requests, citing expense and burden and did not comply with a discovery agreement among the parties.  NDL then brought an action to compel discovery.  While awaiting a hearing on the matter, NDL sent ICE a proposal for the form of the production.  The proposal was based on the formats routinely requested by the SEC and the DOJ.  ICE then responded with a production that NDL complained was in an unsearchable format, was stripped of all metadata and merged paper and electronic documents together in one PDF file.

The Court then held that while no federal court has yet ruled that metadata is part of a public record, several state courts (i.e. New York, Washington, Arizona) have uniformly so held.  After discussing the relationship between civil discovery rules and FOIA requests, the Court then said: "...certain metadata is an integral or intrinsic part of an electronic record.  As a result, such metadata is 'readily reproducible' in the FOIA context.  The only remaining issue is which of the many types of metadata are an intrinsic part of an electronic record.  Unfortunately, there is no ready answer to this question.  The answer depends, in part, on the type of electronic record at issue (i.e. text record, e-mail, or spreadsheet) and on how the agency maintains its records.  ... The best way I can answer the question is that metadata maintained by the agency as a part of the electronic record is presumptively producible under FOIA, unless the agency demonstrates that such metadata is not 'readily producible'."  [Emphasis added by the Court]  National Day Laborer Organizing Network, et al v. United States Immigration and Customs Enforcement Agency, et al, No. 10 Civ. 3488 (SAS), US District Court, S.D. New York, February 7, 2011

The Court took the opportunity to chastise the attorneys in the case about failing to cooperate, stating: "While certainly not rising to the level of a breach of an ethical obligation, such conduct certainly shows that all lawyers...need to make greater efforts to comply with the expectations that courts now demand of counsel with respect to expensive and time-consuming document production."

This decision is sure to have ramifications in all areas of discovery.  Look for future cases to flesh out the requirements.  It would behoove all document custodians to review this case in view of their policies of retention and destruction and take actions that will reduce the burden that will accompany the next discovery request.

Updates: Stuxnet, Bilski, COICA, Arcade Fire (HTML5)

Updates on a few of our earlier posts:


Law Firm Buys Another Law Firm's Name as Google AdWord. Scuffle Ensues.

Binder & Binder is a national law firm devoted almost exclusively to the representation of persons seeking Social Security benefits.  Disability Group, Inc. is a competing law firm involved in the pursuit of the same clients.  In 2006, Disability Group purchased the words "Binder and Binder" as a Google AdWord.  As a result, some Google searches for the law firm Binder and Binder resulted in having Disability Group appear high in the sponsored search rankings.  Binder and Binder had registered trademarks for the use of their name.  Binder and Binder brought suit against Disability Group alleging: (i) infringement of a registered trademark; (ii) false advertising; and (iii) unfair competition.

On January 25, 2011, the U.S. District Court for the Central District of California (Case No. 07-2760-GHK), found that the actions of Disability Group did in fact constitute trademark infringement.

The Court found that: (i) there was no dispute that the defendants used plaintiff's mark in their Google Ad campaign; (ii) that plaintiffs were, in fact, the owners of the mark despite some reorganization from partnership to LLP and several assignments of the mark; (iii) according to the Sleekcraft test, there was a strong likelihood of confusion and also found actual confusion; and (iv) plaintiffs had not given consent to such use of their mark.

Using testimony about plaintiffs' average profit on a case and the number of clicks on defendant's site and some other algorithms, the Court assessed damages for lost profits in the amount of $146,117.60.

The plaintiffs also requested an award for corrective advertising.  The standard for this is to allow the plaintiff to recover the cost of advertising undertaken to restore the value that plaintiff's trademark has lost due to the infringement.  While the Court was of the opinion that defendant's actions would have given rise to this kind of damages, they declined to award any such damages because of the limited period of infringements (a few months) and the passage of substantial time since the infringement (2006).

The Court then found that the infringement was willful and under the treble damages provisions of the Lanham Act "enhanced" the damages to double the damages for lost profits.

The Court also found that attorney's fees and costs should be awarded to plaintiff because the infringement was "exceptional", i.e. willful, deliberate, knowing or malicious.  The Court declined to award punitive damages because punitives are not available under the Lanham Act and the Court found the double damages already awarded to be sufficient.

Defendants raised several defenses including one that said basically if the plaintiffs had just put the trademark notice (the R in the circle) on their name, Google would not have let the defendants do what they wanted to do and we wouldn't have had this problem.  Basically, "if you had told on me, mommy wouldn't have let me misbehave".  The Court didn't give this much weight.

So, when lawyers litigate with each other, the rest of the world just bemusedly views it as karmic justice but this case provides good instruction about the use of trademarks as search terms.  Other cases may not be this blatant, but look for other litigation on this emerging area of the law.

 

S.E.O = Sinister Enhancement Option?

SEO is, of course, the acronym for Search Engine Optimization.  It's the practice of creating web sites, links, references and other mysterious arcana to enhance the chances that a particular web site will appear on the first page of results whenever you do a search (e.g. Google, Yahoo, Bing).  It is a well respected practice and something most everybody does.  The largest search engine, Google, has a trade secret algorithm that determines how such searches are ordered.

Google has a vested interest in appearing to present the search results in a rational order.  If it appeared that the system was materially flawed or gamed, then less importance would be placed on a search by Google and they might lose market share.  For that reason, they have a set of rules by which SEO purveyors are supposed to abide.  To violate these rules is to risk having Google take steps to cause your web site to appear lower in the Google results.

This brings us to the interesting case of J.C. Penney.  The New York Times reported on Saturday that during the recent holiday season, the rankings for searches for a number of things that J.C. Penney carries (e.g. dresses, bedding, area rugs, furniture, skinny jeans) routinely returned a number one ranking.   This raised the question as to whether this would have occurred without significant manipulation of the Google algorithm.  Turns out, probably not. 

J.C. Penney apparently engaged SearchDex, a SEO firm based in Dallas.  SearchDex supposedly used suspect methods, including placing links on unrelated, obscure, underused or dormant websites that pointed back to the J.C. Penney site.  Effective, definitely.  Ethical, matter of opinion.

SearchDex lists its ethical standards on its website and also lists its response to the Google standards for SEO activities.  According to the New York Times article cited above, Google believes that SearchDex and J.C. Penney have violated the Google standards.  However, none of this appears to violate any laws and J.C. Penney has filed the obligatory "We Didn't Do Nothing" response.

One of the methods is to use services like TNX, which purports to raise website traffic by placing paid links on other sites that redirect the search to the target site.  The redirecting sites agree to allow the links in exchange for payment based on the number of redirects.

So, with sponsored links, Google AdWords, Google Places, TNX and really creative SEO operators, who's to know whether the searches are credible.  And, I would like to sign up somewhere to get our name on the first page of the listings.  Oh, wait, we are (today)!  (Search "Austin Technology Attorneys")

New Generic Top Level Domain Names Soon To Be Available. Do You Want To Be In The Domain Registry Business?

Top level domain names are the extensions that occur after the dot in URLs, such as the generic variety, e.g. .com, .edu, .org or the country code variety e.g. .AQ (Antarctica), .CO (Colombia) or .VA (Vatican City).  There are presently 21 generic top level domains and approximately 250 country code top level domains.

ICANN (The Internet Corporation for Assigned Names and Numbers) is proposing to begin taking applications for a whole new series of generic top level domain names.  The new generic top level domain names will generally be limited only by the creativeness of the applicants, and each application is, in fact, an application to become a registrar for the domain string for which you apply.  This opens up the possibility that a large corporation may become a registrar for entities within its corporate structure and a domain name like .walmart could be used to marshal all the company's domains under one domain name umbrella. 

Cities, states, areas, religions, professions or other organizations could conceivably obtain such generic top level domains.  However, the application process will be rigorous and the fees are designed to keep out the riff-raff.  Each application will have a fee of $185,000 of which $5,000 must be made as a down payment and the remainder must accompany the application.  There are some refund provisions where the applicants can get back from 20 to 70 percent but the price of cybersquatting will go up substantially under this procedure.  In addition, the applicant will be screened for prior acts of cybersquatting and will undergo extensive evaluation as to its operational, technical and financial capabilities.  There is also an ongoing quarterly fee and a per registration fee.

Trademark holders should monitor this procedure to make sure that their marks are not compromised by any applications.  The ICANN procedure provides for a trade mark clearinghouse and expedited dispute resolution.

So, plans are afoot in our firm to apply for the generic top level domain name: .law    When we obtain this and become the official registrar for this name, all the law firms will come groveling to our door and our goal of global domination will be complete.  Now, if we can just come up with $5,000.

The Internet Runs Out of Numbers. No Big Deal.

A couple of days ago, the Internet ran out of numbers.  How is that possible, you say?  Aren't numbers infinite? 

The numbers referred to are the internet protocol addresses (IP addresses) that are assigned to every device connected to the internet.  Each device has its unique number and the number is what allows the devices attached to the internet to talk to each other.  We humans deal in domain names like www.austintechnologylawblog.com but the computers convert these names into numbers that look like this: 192.0.2.53.  This numbering convention is called IPv4 and was developed in the early days of the internet and has been adequate until now.  IPv4 has a finite capacity of just over 4 billion addresses. 

IP addresses are administered by a non-profit entity known as ICANN (The Internet Corporation for Assigned Names and Numbers) and they allocate the numbers among 5 Regional Internet Registries (RIR).  What the exhaustion of numbers really means is that all available numbers have been allocated to the RIRs for further distribution and none remain in the ICANN central pool.  The RIRs will continue to distribute such numbers but even the end of that is in sight.

What happens now?  Complete shutdown, anarchy, the end of the Egyptian uprising and the demise of sexting?  Nope, luckily the folks looking after this have anticipated this (like Y2K) and have established IPv6, a new and improved IP address protocol.  IPv6 addresses are written in hexadecimal and have a 128-bit address space, which provides for 340 undecillion addresses.  Suffice it to say, that's a lot and should last into the foreseeable future.

IPv6 addresses will contain colons and will look something like this: 2001:0db8::53.  When you see two colons together it means that the segments between contain only zeros.  In the example above as given by ICANN, it really means: 2001:0db8:0000:0000:0000:0000:0000:0053
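The "::" shorthand matters in practice because one address can be written several ways, and a blocklist or log search that compares the text will miss the match. The following is an added example, not part of the original post: `expand_ipv6` and `find_blocklisted` are names made up here, and the sample addresses are constructed from the ICANN example above.

```python
import ipaddress

HEX_DIGITS = set("0123456789abcdefABCDEF")


def expand_ipv6(text):
    """Expand a compressed IPv6 address into eight 4-digit hex groups.

    Handles the "::" shorthand described above. Addresses with an embedded
    dotted IPv4 tail (e.g. ::ffff:192.0.2.1) are rejected by this sketch.
    """
    if text.count("::") > 1:
        raise ValueError("'::' may appear only once in an address")
    if "::" in text:
        left, right = text.split("::")
        head = left.split(":") if left else []
        tail = right.split(":") if right else []
        missing = 8 - len(head) - len(tail)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero group")
        groups = head + ["0"] * missing + tail
    else:
        groups = text.split(":")
        if len(groups) != 8:
            raise ValueError("an uncompressed address needs exactly 8 groups")
    expanded = []
    for group in groups:
        if not 1 <= len(group) <= 4 or any(c not in HEX_DIGITS for c in group):
            raise ValueError("bad group: %r" % group)
        expanded.append(group.lower().zfill(4))
    return ":".join(expanded)


def find_blocklisted(logged, blocklist):
    """Return logged addresses that match the blocklist after expansion."""
    blocked = {expand_ipv6(entry) for entry in blocklist}
    return [addr for addr in logged if expand_ipv6(addr) in blocked]


if __name__ == "__main__":
    # Constructed sample: three spellings seen in logs, one blocklist entry.
    logged = ["2001:DB8:0:0:0:0:0:53", "2001:db8::54", "2001:db8:0::53"]
    blocklist = ["2001:0db8::53"]
    print(expand_ipv6("2001:0db8::53"))
    # A plain string comparison would find no hits; expansion finds two.
    print(find_blocklisted(logged, blocklist))
    # Cross-check against the standard library's own expansion.
    print(ipaddress.IPv6Address("2001:0db8::53").exploded)
```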

So, no need to panic just yet.  Supposedly, most existing devices we use today are compatible with IPv6.  Internet service providers will initiate roll out of the new numbers when needed and (supposedly) users will not have to take any real actions.  That remains to be seen but as of now, we've still got numbers.

 

Stuxnet Moves From Merely Military Malware To Military Malware Menace.

We have mentioned the virus/malware known as Stuxnet several times in this blog.  When it first burst onto the scene, we thought it was interesting and possibly a new and more sophisticated virus.  Then it appeared that it may be the actions of a nation or nations and we became more intrigued.  Now, it is surmised that it has capabilities of causing more than delays in the construction of nuclear power plants and may be capable of causing another Chernobyl.  For our younger readers, that's not a good thing and moves Stuxnet into the frightening category.

I'm pretty sure we haven't heard the last of this.

Digital Crannies. Six Places Data Hides That Most People Don't Know Exist.

As we have stated before, from time to time, we like to improve the content of this blog by getting input from subject matter experts in relevant fields.

Today, we are glad to include information from our friend Will Ambruzs, an attorney and computer forensics expert at Austin based Flashback Data.  Will graced the pages of this blog before with this post.

We asked Will to give us some inside information about where attorneys or others should look when they are seeking information for investigative or discovery purposes.

Here is what Will said:

Digital Crannies.

Unlike paper, electronically stored information is everywhere. Unfortunately, it’s our experience that most attorneys don’t appreciate exactly how much of it is recoverable from computers. It’s literally a Chinese food menu. Sure, it’s not always important or cost-effective to review all of it, say, for litigation or each time a company fires a bad employee. However, most folks don’t know the menu well enough to even know the sorts of things they can order. The digital world is bigger than General Tso’s Chicken!
 

Here are 6 random things on the menu you may find interesting:
 

Email vs. Correspondence
Lawyers commonly want to look at email, but more often than not it turns out that looking at all communication would be more helpful. Because it turns out a bad employee at Company X also did a lot of text messaging at work. And online chatting. And instant messaging. And she also sent messages to clients and coworkers through LinkedIn and Facebook. And she frequently used her internet browser to send webmail through Yahoo! and Gmail. Unfortunately, preserving Outlook files and Exchange mailboxes doesn’t get this material.


Don’t Forget the Phone!
iPhones and Blackberrys have fast become like third kidneys when it comes to conducting business in the 21st century. However, folks tend to overlook them when thinking about electronic storage. The truth is phones can be excellent sources of data, not only because they’re designed to hoard data and sync with just about everything under the sun, but also because the privacy expectations of their users tend to be high.
For example, on a phone, our bad employee probably gets right to the point when communicating. Unlike computers, she’s not typing out heavily-syllabled, Shakespearean text messages with her thumbs. Consequently, remnants of communication are likely to be closer to the first cut of her thoughts, not the second or third.
There’s also a good chance she configured her phone to sync with email accounts at the company. There’s an even better chance she connected the phone each day to her work computer to charge the battery and keep her contacts and calendar synced. If so, there may be a treasure trove of backup files sitting quietly on her work computer. And since each file would represent a snapshot of the data on her phone at a particular time, things that were deleted from her phone many months ago may still exist in one of the backups.


Speaking of iPhone... Dynamic Text
Let’s face it, Apple’s business model is building gadgets that know you better than you know yourself. Apple’s gadgets learn about you, and to do this their gadgets have to store data.
One of the lesser known features of iPhone is its dynamic text database. Dynamic text is basically a repository iPhone uses to keep track of words and phrases you like to use when you type. That way the phone eventually learns to quit autocorrecting Alavert to slavery when, say, you keep texting others that you love Austin, but so do your allergies.
This can be a goldmine. Especially if text messages on the phone have been deleted and can’t be recovered. Reading entries in the dynamic text database that have been chronologically preserved is like listening to a conversation through a wall. It’s muffled, and some common words are omitted, but you get the gist and all the interesting parts are preserved:

wow.hate.Kevin.can.you.believe.arrogance.ugh.how.did.ever.become.Director.wait.until.he.finds.out.copied.all.company.passwords.hahahahaha.sounds.great.yessir.talked.to.James.he’s.leaving.company.with.us.said.downloaded.company’s.client.lists.from.database.no.difficult.yes.took.thumbdrive.with.him.said.will.email.everything.you.from.home.not.work.so.don’t.get.caught.haha.call.if.can.next.few.minutes.something.urgent.tell.you

Internet History
When folks think of a computer, they tend to think of it as a collection of things that live on the computer. For example, the most common data recovery request attorneys make involves: (i) collecting all email and user-created files from a computer, (ii) processing them against an exhibit of keywords, and (iii) producing the responsive material to be reviewed by fellow attorneys.
Candidly, this is probably enough heavy lifting from an “80/20 rule” perspective, especially when processing large data sets. However, it’s created a mindset that gives little regard to activity on a computer. And sometimes that activity is interesting.
For example, say John receives a preservation letter from opposing counsel. Here we see it sitting in John’s My Documents folder. There’s nothing else interesting in the folder. However, looking at John’s activity on the computer, right after he gets the letter we see him go to Google.com and type “how to securely delete data” into the search bar. Then we see 20 minutes of John clicking a bunch of URLs. Uh oh, next he’s on a website selling a product called “Evidence Eliminator v4.0.” And next we see him buying Evidence Eliminator and downloading it. Oh snap – here he is running it! And here’s him poking around later in My Documents to confirm the files are gone.
Wow! You suspected the keyword searches of John’s computer came back a quart low. And while all of this activity may or may not explain it, it’s certainly interesting!


Recent Documents
Speaking of file elimination, another good source of data can be the repositories used by software programs to keep track of recent documents. Microsoft Word has such a repository. So does Windows Media Player. These repositories won’t help you recover a wiped file, but they may help you substantiate that the file existed on the computer at some specific time in the past, or when files were accessed.
Forensic examiners frequently draw from this well in criminal prosecutions involving possession of child pornography. Defendant swears up and down he wasn’t aware of the illicit material. Or, if he was aware, that he looked at it once by accident several years ago and, upon realizing its nature, never looked at it again. Unfortunately, that’s not the same story Windows Media Player tells. It shows Defendant playing contraband files from multiple locations on a regular basis (e.g., from the hard drive, from a thumb drive, from his Blackberry via a USB cable, etc.).
 

Thumbs.db
Keeping with the deleted file theme, don’t forget about simple hidden artifacts like Thumbs.db. You ever open a folder in Windows and view the contents as thumbnail images? Thumbs.db is the hidden file used by Windows to store those ‘thumbnail’ images. Importantly, the data in the Thumbs.db file tends to stick around even after someone deletes the actual file. So, while a folder in which you’re interested no longer contains the data you want, you may be able to demonstrate that what’s in there now isn’t what was in there before. (And, if so, what’s missing.)
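The "Internet History" scenario above, worked as an added example that is not part of Will's text or Flashback Data's tooling: activity records from several artifact sources are merged into one timeline and the events that follow the arrival of the preservation letter are tagged in sequence. The export layout, tag names, file names and every row are constructed for illustration.

```python
import csv
import io
import ntpath
from datetime import datetime, timedelta

# Constructed sample: a normalized activity export (timestamp, source, detail).
# The column layout and every row are assumptions made for this example.
SAMPLE_EXPORT = r"""timestamp,source,detail
2011-01-10T08:40:00,browser,https://news.example.com/sports
2011-01-10T09:02:00,file_created,C:\Users\john\My Documents\preservation_letter.pdf
2011-01-10T09:05:30,browser,https://www.google.com/search?q=how+to+securely+delete+data
2011-01-10T09:11:00,browser,https://forum.example.net/t/secure-delete-tools
2011-01-10T09:26:00,browser,https://shop.example.org/evidence-eliminator-v4
2011-01-10T09:31:00,download,C:\Users\john\Downloads\ee_setup.exe
2011-01-10T09:40:00,program_run,C:\Users\john\Downloads\ee_setup.exe
2011-01-10T10:15:00,folder_open,C:\Users\john\My Documents
2011-01-10T10:20:00,browser,https://weather.example.com/austin
2011-01-13T14:00:00,browser,https://www.google.com/search?q=secure+delete+free+space
"""

DELETION_TERMS = ("securely delete", "secure delete", "wipe", "shred")
TOOL_TERMS = ("evidence eliminator",)  # product name taken from the scenario


def load_events(text):
    """Parse the export into a time-ordered list of (timestamp, source, detail)."""
    rows = csv.DictReader(io.StringIO(text))
    return sorted((datetime.fromisoformat(r["timestamp"]), r["source"], r["detail"])
                  for r in rows)


def _words(detail):
    """Lower-case a URL or path and turn common separators into spaces."""
    text = detail.lower()
    for sep in "+-_":
        text = text.replace(sep, " ")
    return text


def activity_after(events, trigger_name, window=timedelta(hours=24)):
    """Tag activity that follows the first appearance of the trigger file.

    Returns (minutes_after_trigger, tag, detail) tuples in time order.
    Tags depend on what came before, so a download only counts after a
    tool site was visited, and a program run only counts if that file
    was one of the flagged downloads.
    """
    trigger = next(((ts, d) for ts, src, d in events
                    if src == "file_created"
                    and ntpath.basename(d).lower() == trigger_name.lower()), None)
    if trigger is None:
        return []
    t0, trigger_path = trigger
    watched_folder = ntpath.dirname(trigger_path).lower()
    seen_tool_site = ran_tool = False
    downloads = set()
    findings = []
    for ts, src, detail in events:
        if not t0 < ts <= t0 + window:
            continue
        tag = None
        text = _words(detail)
        if src == "browser":
            if any(term in text for term in TOOL_TERMS):
                tag, seen_tool_site = "wiping_tool_site", True
            elif any(term in text for term in DELETION_TERMS):
                tag = "deletion_research"
        elif src == "download" and seen_tool_site:
            downloads.add(ntpath.basename(detail).lower())
            tag = "download_after_tool_site"
        elif src == "program_run" and ntpath.basename(detail).lower() in downloads:
            tag, ran_tool = "ran_downloaded_tool", True
        elif (src == "folder_open" and ran_tool
              and detail.lower().rstrip("\\") == watched_folder):
            tag = "rechecked_folder"
        if tag:
            findings.append((int((ts - t0).total_seconds() // 60), tag, detail))
    return findings


if __name__ == "__main__":
    for minutes, tag, detail in activity_after(load_events(SAMPLE_EXPORT),
                                               "preservation_letter.pdf"):
        print("+%4d min  %-25s %s" % (minutes, tag, detail))
```

A keyword search over the files left on the disk would show only the letter itself; the ordered sequence is what carries the story.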
 

 

Don't Talk To Your Attorney In A Loud Voice In Your Employer's Conference Room OR Use The Employer's E-Mail System Either.

A California Court has held that an employee's use of her employer's e-mail system to communicate with her attorney about a law suit against such employer waived attorney-client privilege and allowed discovery of such e-mails and the introduction of such at trial. Holmes vs. Petrovich Development Company LLC et al, Superior Court No. 05AS04356

The Court held that the employee was not entitled to the privilege because "(1) she had been told of the company’s policy that its computers were to be used only for company business and that employees were prohibited from using them to send or receive personal e-mail, (2) she had been warned that the company would monitor its computers for compliance with this company policy and thus might “inspect all files and messages . . . at any time,” and (3) she had been explicitly advised that employees using company computers to create or maintain personal information or messages “have no right of privacy with respect to that information or message.”"

Then the Court said that using the e-mail system thusly was like taking the action described in the title of this post and neither would be accorded the privilege.

Lessons to be learned: Attorneys, tell your clients not to use the company e-mail, especially for messages about a potential suit against the company.  It just makes the discovery process easier for the company.

Fifth Circuit Holds That Grant of Access to Licensee's Attorneys Breaches License Agreement

Licensors licensed database technology to Licensee to allow Licensee to prepare residential mortgage loan documents.  The license agreement explicitly allowed access to the technology by "Originating Lenders" and Licensee's general counsel, an outside law firm.  Licensee granted access to another law firm to prepare loan packages for Licensee.

Licensors claimed that the license agreement expressly prohibited any use of the licensed technology that was not specifically authorized and nothing in the license agreement gave explicit authority for access by the loan package preparing law firm.  The Licensee said that nothing in the license agreement prohibited such access when it was done exclusively for the benefit of and on behalf of the Licensee.

A lower court had relied on Geoscan, Inc. of Texas v. Geotrace Technologies, Inc., 226 F.3d 387 (5th Cir. 2000) and Hogan Systems, Inc. v. Cybresource International, Inc., 158 F.3d 319 (5th Cir. 1998) for the proposition that the use of a licensed property by a third party solely on behalf of and for the benefit of the licensee is not a transfer or sublicense of that property.

The Fifth Circuit reversed and said it disagreed with the district court that the Geoscan and Hogan decisions allowed a court to look past the actual language of a licensing agreement and absolve a licensee who grants third party access merely because that access is on behalf of, and inures to the benefit of the licensee.

The Fifth Circuit added that the agreement in the subject case did not contain a provision that generally permits the Licensee to grant third party access and in fact, expressly prohibited it except for the two express exceptions set out above.  "Because the licensing agreement in this case withholds rights not expressly given, Geoscan and Hogan Systems are of limited relevance, and we therefore decline to interpret the agreement to allow general third-party access on behalf of and for the benefit of (Licensee)."  Compliance Source, Inc., et al v. Greenpoint Mortgage, Docket No. 09-10726, Decided October 18, 2010  at page 13.

Licensors concerned about third party access (almost all of them) should review the language in this case and compare with their relevant documents. 

Apple Seeks To Trademark "App Store". Microsoft says "Not So Fast".

Apple filed a trademark application for the term "App Store" in 2008.  Microsoft is opposing such application and has filed a motion for summary judgment with the USPTO alleging, among other things, that the term is generic.  As you know, if a term or word merely describes what it is, then it is generic and will usually not be granted trademark protection.  Examples of generic phrases that were turned down as marks are cited in Microsoft's brief in support of their summary judgment motion and include "The Computer Store", "Shoe Warehouse" and "Discount Auto Parts Warehouse".

 

Want to know what the odds are that the USPTO is apt to axe "App Store"?  There should be an app for that.

UMG v. Augusto - "First Sale" Doctrine In Relation To Promotional CDs

UMG sends unsolicited, promotional CDs to potential reviewers, music critics and radio programmers to try to promote the sale, play and mention of such CDs. UMG does not charge for the CDs but it does put notices on the CDs.
One such notice reads:
"This CD is the property of the record company and is licensed to the intended recipient for personal use only. Acceptance of this CD shall constitute an agreement to comply with the terms of the license. Resale or transfer of possession is not allowed and may be punishable under federal and state laws."
Another, more terse notice reads:
“Promotional Use Only—Not for Sale.”

Defendant, Augusto, bought some of these CDs from the recipients and attempted to sell them on eBay. UMG sought to stop this by claiming copyright infringement and claiming that the language above and the acceptance by the recipient constituted a license rather than a sale under the provisions of Vernor v. Autodesk, which we discussed at length here. Therefore, the recipients could not sell the CDs without violating the copyright holder’s right of exclusive distribution.

Mr. Augusto claimed that the unsolicited delivery of the CDs constituted a “sale” for the purposes of our old friend the “First Sale Doctrine”. See our earlier discussions of this doctrine here, here and here.

The Court agreed with Mr. Augusto and stated that the mere receipt of the CDs without some other kind of action did not constitute an assent to the terms of the “license” and therefore, it had to be a sale. In addition, the Court also relied on the “Unordered Merchandise Statute” 39 U.S.C. § 3009(a), (b) (2006), which states that unsolicited merchandise may be treated as a gift. Hence, First Sale Doctrine applies and subsequent sales can be made without claims by the copyright holder. The Court’s opinion can be found here.

Lessons to be learned here are that in order to come under the license standards set out in Vernor v. Autodesk, the right kind of language has to be present and some overt act of acceptance of such language has to be displayed.

You are now free to buy those promotional Lady Gaga CDs you’ve had your eye on.
 

Senile Musings of the World's Oldest Baby Boomer Lawyer- How Technology Has Changed The Practice of Law.

Indulge me for a moment.  Today is my birthday.  I'm old.  I've been practicing law for a long time (parts of five decades).  I'm slightly nostalgic on this, the occasion of my becoming a ward of the state.  This blog talks generally about technology and the law.  This post will address technology in the law.

I know that most of you assume that the internet has existed forever.  At least since the nineties, which is forever for a lot of you.  Let me describe the technology of law when I first burst on the scene in the 70s: Lawyers dictating to secretaries (no one knew what an administrative assistant was) sitting at the end of the desk while the lawyer paced and talked, secretaries taking the dictation in shorthand on steno pads, secretaries typing on manual typewriters with carbon paper making one copy on onion skin paper, other lawyers dictating on Dictaphones (machines about the size of an old VCR with a circular magnetic tape), which was then given to a secretary for transcribing, no lawyer would have deigned to do his or her own typing even if they could.

Then the advancements started coming in torrents (at least one or two every three or four years):

  • Electric typewriters, first with an arm and a head for each character and then followed by a rotating ball with all characters (Selectric typewriters)
  • Self correcting electric typewriters (mistakes were corrected not by erasing and retyping but by backing up and typing the incorrect character(s) again, which pounded a white material into the prior indentation.  This didn't do anything for the underlying copy, which still had to be manually corrected)
  • Copiers - big, clunky, expensive, slow moving machines
  • Fax machines - one line for the whole firm and it was used only on special occasions
  • Hand held dictation equipment, first with full sized cassette tapes and then later with mini-cassettes 
  • Mag-card "word processors" - the first "computerized" advance in office technology.  Machines about the size of small refrigerators, which had magnetic media (in the shape of old IBM punch cards) on which you put standard documents with blanks in the text for names, addresses, etc.  These large machines were attached to Selectric typewriters that would operate until they found one of these blanks indicated by a "stop code" at which point the typewriter would stop and the operator would enter the optional text manually.  These machines were hot and noisy and had to be enclosed in a room with sound absorbing material and were run overnight because of the long production time for large documents and the fact that there were only a few machines for the entire firm.
  • The advent of personal computers moved rudimentary word processing to the administrative assistants' desktops and Word Perfect ruled the legal world and only special Word Perfect gurus knew how to use the "codes".
  • Legal research by computer was introduced by Lexis-Nexis.  One large terminal tucked way back in the library with an exorbitant per minute search rate and a per line print rate with a printer as part of the terminal.
  • Desktops, then laptops with Microsoft Word and Westlaw and the internet and mobile phones evolving into pocket held computers, Microsoft 365, Google voice, Google docs, Twitter, LinkedIn, Avvo, social media, the cloud, etc., etc. and the torrent really has begun.

However, the more things change, the more they stay the same.  Even though technology has changed the face of law practice, the same basics remain: Lawyer competence, client contact and trust and good, old fashioned integrity still count.  Maybe now more than ever.

Thanks for indulging me.  I look forward to many more advances over the next five decades.

 

 

 

 

Stuxnet - Military Malware?

We hate to say we told you so (actually, we revel in it), but we surmised early on (without any real information) that the Stuxnet virus was the result of a nation state's activity to impact the Iranian nuclear development.  Now it appears that we were probably correct.  Stuxnet set back the Iranian nuclear program by several years by causing the centrifuges to rotate in excess of their capacity.  It has been hailed as being as effective as a military strike but in spite of being more sophisticated than any previous malware, it was messy in that it didn't really cover its tracks like some other malware. 

Kinda like a military strike.

Another Pop Quiz: Apple, Pimple Popper Lite and Reading Your Wife's E-Mail. What Do These Have In Common?

Pop quiz, hotshot! (Using the same Speed reference in two posts.  You would think it's the only DVD we have.)

What is the common element among Apple, an app called Pimple Popper and a guy in Michigan that read his wife's e-mail?  The answer is that they have all been accused of violating computer security laws. 

Of course, there's more to the story.

First, let's visit the Michigan defendant.  The guy in question was in the throes of a divorce.  He had suspicions regarding his wife's monogamous instincts.  She kept her passwords in a notebook (dead tree variety) next to a computer that was shared by the couple.  He "hacked" her account by opening the notebook, finding her password and using it to access her gmail account.  Supposedly he found that she was in fact, having an affair with her second ex-husband.  Our hero is hubbie number 3.  Hubbie number 2 (the one now getting the action) had been convicted of beating the wife in question in front of her child (the progeny of hubbie number 1).  Still with me?  Our hero (hubbie number 3) was concerned about the possibility of continued abuse and took the information he found to hubbie number 1.  The wife, of course, found out, contacted the prosecuting attorney and hubbie number 3 (our hero) is now charged with violating the following statute:

"A person shall not intentionally and without authorization...Access a computer, computer system or computer network to acquire...or otherwise use the service of a computer program, computer, computer system or computer network."  Michigan Statute 752.795

The prosecutor's justification is that the defendant is a computer technician and he used his "skills" like a hacker to access the e-mail.  Violation of this statute in Michigan is a felony with a potential jail term of five years.

What of Apple and the Pimple Poppers?


Partner And Business Cards Make The Social Scene

Our esteemed partner, Luke Stanfield, doing his best to further the social scene in Austin was noted and photographed recently in Out And About, a very informative daily feature in The Austin American Statesman.  The online version is cited above and the print version appeared in last Sunday's paper.  He is shown with our good friends Jude Galligan and Amber Gugino, who are the proprietors of the best blog relating to downtown Austin real estate, the Downtown Austin Blog.

Luke is also credited with introducing Michael Barnes, the columnist, to our business cards, which incorporate a QR code.  The code on our cards, shown here,

will take you to our Google page, website and blog when scanned with an appropriate program on a mobile phone.  Try it on screen here with your magic phone.  Just one more indication of our cutting edge approach to practice.

Key Points In Negotiating a SaaS Agreement

From time to time, we like to post the thoughts of other clear thinkers in the IT industry.  Our friend, Derek Singleton, over at Software Advice, has written the following article and has graciously given us permission to repost it.  We have previously written a post on the same subject and cover similar issues.  You can see that article here.
 

9 Key Points to Negotiate in a SaaS Agreement

By: Derek Singleton

ERP Market Analyst at Software Advice

derek@softwareadvice.com


Derek recently graduated from Occidental College with a degree in political science. He writes about various topics related to ERP software and covers the manufacturing, distribution, and supply chain management software markets. In his spare time he enjoys training in boxing and martial arts.
 

Article:

So you’ve decided to go with Software-as-a-Service (SaaS). It’s easy to implement, easy to use and has a friendly subscription pricing model. You’re psyched.

Then comes the contract.

While SaaS has simplified enterprise software in many ways, you will still need to review, negotiate and execute a fairly complex contract when subscribing to an “enterprise-class” system. In this post, we will walk you through the nine most important things to consider when negotiating your SaaS agreement.

1. Pricing and Discounts
By pricing software as a utility service, SaaS vendors have simplified software licensing considerably. Most SaaS pricing is based on a subscription – monthly or annual payments for using the system during that period. The subscription pricing is typically based on one simple metric (e.g. users, records, projects) that roughly ties subscription fees to the value of the system. Finally, SaaS vendors tend to publish their pricing openly.

Even with this simplicity and transparency, there is still a need to be vigilant as a buyer. For one, don’t assume that straightforward published pricing means there isn’t room for some negotiation. Many SaaS vendors will discount up to 20% to win your business. The bigger the deal, the bigger the discount. Moreover, if the vendor’s pricing metric doesn’t fit with your business model, you might be able to negotiate custom pricing. Of course, you’ll have to make a cogent argument that the standard metric fails to balance price paid and value received.

2. Additional Costs
Another key component to pricing is ferreting out any extra costs early in the process. Published pricing may appear to be a good value, but extra fees can add up quickly. Common additional costs include extra users, customizations, integrations, third-party services, training and set-up fees. Work with your sales rep early in the process to understand what additional charges might apply to your account.

By far the best way to keep the additional costs down is to avoid customizations to functionality and integration with other systems. The inherent complexity in custom development and data integration makes these services expensive. We recommend that you start with the base system, make use of its core functionality and then assess how important the custom features or integrations are to your success. Start small, think big, grow quickly.

3. Term
If you are negotiating with a vendor over pricing discounts, subscription metrics and additional fees, expect to give something in return. Oftentimes, this means committing to an extended contract term. Vendors like longer terms because they provide more predictability in their revenue forecasting. Terms can be as short as 30 days or as long as five years. If the vendor wants a long-term subscription, we recommend that you start with the shortest – probably one or two years.

If you do agree to a longer term of three to five years, make sure you have an out clause. Typically this would provide a window of opportunity to break the contract during a specific time window. For example, it might allow you to walk after one month of using the system but before 90 days. Another example might be the ability to break the contract if certain levels of service are not provided consistently.

4. Service Level Agreements (SLAs)
Regardless of what you pay for the system, reliability is paramount. The SLA is the vendor’s commitment to keeping the system up and running. It is typically expressed as a percentage of “up time.” You will almost always see the SLA represented as 99.9% or thereabouts. However, there is wide variation in how that number is calculated. Many vendors will simply start with 100% and subtract time during which their internal systems reported an error. Most of these SLAs leave far too much wiggle room for vendors.

If this new SaaS system is mission critical, push the SLA issue to see who is really ready to stand behind their service. The SLA topic is far too detailed to delve into all the considerations here, so we’ll refer you to this great blog post on SLAs. However, we’ll suggest you focus most on the penalty for breaking the SLA when negotiating. Usually these penalties are paltry discounts paid out against future purchases. Just pushing for bigger penalties will provide great insight into the reliability of the system.

5. Renewals
Hopefully, you will want to renew your contract. However, given that the renewal process provides an important exit opportunity from a bad contract, as well as an opportunity to re-negotiate, make sure you are still in control when the renewal date comes around. Be on the lookout for something known as an “evergreen” renewal. An evergreen automatically renews your term, usually 30 days prior to expiration.

If you spot an evergreen renewal, ask to remove it. When a company refuses to remove the clause, this is a red flag. The vendor should have to continue to win your business. Not the other way around. Vendors who offer quality services can be confident that their customers will renew based on value, not because the customer forgot to cancel in time.

6. Scalable Pricing
As your business changes, you may want to expand your use of the system; or, unfortunately, you might need to scale back your use if business deteriorates. It seems likely that your vendor will be more than happy to grow your account, but what if you need to downgrade? In the current economy, this is all too common. Present this scenario to the salesperson and know your options.

In most cases, the vendor will not let you downgrade until the end of your term – another reason to keep the term relatively short. However, if you get in a pickle, you might be able to offer to extend the term of your contract in return for lowering the scale of your subscription.

7. Support
No matter how good the system is, you will need a little help somewhere along the way. Knowing what help is included in your support package is very important. A key point you will want to know is how you will receive support. Is it delivered via the web, by email, phone, or chat? Also ask about the hours of support availability. Is support available 24 / 7 or only during business hours?

Moreover, you should know the quality of support included in your package. A valuable metric for support quality is the response time guarantee. The best support organizations guarantee a thirty minute response time for emergencies and two hours in all other cases. Having a dedicated support staff (i.e. a “customer success manager”) is also very helpful. Flesh these points out in the contract. Just keep in mind that high levels of support might cost a little extra.

8. Backups and Recovery
You’ve trusted someone else with valuable business data; you don’t want them to lose it. Luckily, almost every SaaS vendor performs regular data backups. However, some providers back up more frequently than others. Most vendors will back up data either on a daily or weekly basis. If you input valuable data every day, then you will want to ensure the provider performs a backup each day. Others might back up throughout the day.

The way the backups are performed is also important. Some vendors maintain numerous backups, while others maintain only one and overwrite the previous backup. Creating separate entries allows you to roll back to a prior date if necessary. This takes up a lot of space so you will probably have to ask for it specifically. The final consideration with backups is whether the data is backed up in a separate data center. Keeping it at a separate center will add a buffer against data loss in the event of a data center disaster.

9. Data Export
Finally, you will want to include a clause about data export. Two things are key here: you should always retain ownership of your data and you should know how to get it back. This will be most important in two scenarios: 1) if you want to migrate to a new system because you are unsatisfied; or, 2) the vendor goes out of business and you need access to your data even before you select a new system.

The method for getting your data back will vary, but common methods include XML, CSV, and HTML. For the very technical, a SQL export may be better. That’s all well and good but what happens if the company fails? Most SaaS vendors have prepaid the data center hosting company to “keep the lights on” for a couple months in case they go out of business. This will keep the doors open long enough to get your data exported.

In the comments section below, please share your personal experiences with contract negotiations. Also, feel free to add other considerations that you feel are important.

 

Not Content To Wait On COICA, HSA and ICE Seize Domain Names

This notice did not appear on our site (yet), thankfully, but about 70 sites were hit with this over the holiday weekend.

We recently posted on the pending legislation called COICA and noted that the forces that be were quickly drawing lines in the sand and standing rather firmly on their side of the line.  Interestingly, Homeland Security and Immigration and Customs Enforcement supposedly obtained warrants and seized the domain names of these sites that they alleged are infringing, either by committing copyright infringement or selling counterfeit items.  As noted by this article in Techdirt, the seizure was only of the domain names and not of the equipment or other assets, so some of the sites merely changed their top-level domains (e.g. .com to .info), put out the word on Twitter and continued business.

Some people are worried by the apparent lack of due process in this matter and the potential for abuse.  Others are worried by the level of infringement and counterfeiting and the loss of revenue as a result.  This would call into question the need for COICA if HSA and ICE already possess these powers.  There should be a serious discussion of this whole process as the COICA legislation progresses.

Combating Infringement, Defeating Piracy, Stifling Free Speech or Violating Due Process? Depends On Whom You Ask.

Last week, the Senate Judiciary Committee, in an unusual show of bipartisanship (obviously caused by the evident and overwhelming support of the electorate in the midterm elections for more copyright legislation), voted unanimously to refer out of committee the "Combating Online Infringement and Counterfeits Act" ("COICA").

So, is this merely a tool to give prosecutors an expedited process to combat the evils of online infringement and piracy or is it seeking to censor the internet and create a blacklist of websites and consequently stifle the free expression of ideas?

Opting for the first view are the owners and protectors of copyrighted material, like the Motion Picture Association of America (MPAA), the Recording Industry Association of America (RIAA), Major League Baseball, the NFL, Nintendo, Viacom and the U.S. Chamber of Commerce.

Coming down on the other side of the fence are most of the bloggers in this area of the blogosphere, the Electronic Frontier Foundation and a group of law professors who wrote this letter to the Judiciary Committee warning that the legislation was potentially unconstitutional.
 

What are the controversial provisions of this alternately praised and vilified legislation? (If your Ambien prescription has run out, you can read this and achieve the same result.)  For those of you who have Ambien, this is the "short" version:

  • If an internet site is otherwise subject to forfeiture under statutes prohibiting infringement, or
  • Is "dedicated to infringing activities" (primarily designed to, is marketed as or has no real use other than to offer infringing or counterfeit goods or services), and
  • the internet site engages in such infringing activities and when taken together, such activities are central to the activity of the site or the sites accessed through a specific domain name, then
  • the Attorney General can commence an "in rem" action against the site, get an injunction and require the domain name registrar to suspend operations of the domain name and the internet service provider to "take technically feasible and reasonable steps...to prevent a domain name from resolving to that domain name's Internet protocol address".
  • The in rem action can be brought in any judicial district where the domain name registry for at least one of the involved sites is located or in D.C. if the domain name is not registered domestically.
  • Notice of this action is sufficient if notice is sent to the postal and e-mail address that the registrar has for the web site and notice is published as directed by the court (no indication as to what this might be).  It is therefore possible that the web site owners would not have any notice of the action until it is well under way.
  • The Attorney General may then obtain an order, which can be served on the domain name registrar or the registry and the domain name registrar or registry can suspend operation of and may lock the domain name.
  • The injunction may also be issued against any internet service providers who can then suspend the operation of any transmission to or from the subject website.  The act provides them legal immunity for doing so.

The Act seems to be suspect in that it could amount to prior restraint of free speech and could be issued before a final court determination of actual wrongdoing is obtained.  Or, it could be that the courts find that this is a necessary tool in the battle against internet anarchy and lawlessness.

There is much yelling and cursing and accusing yet to be done before this becomes law.  Stay tuned.

 

 

The Empire Strikes Back: Facebook Files Suit Against Lamebook In California Court

It didn't take long.  You will recall that we discussed Lamebook's filing against Facebook here in an Austin court last Friday.  Yesterday Facebook struck back with a suit in the Northern District of California. 

Facebook will hope to get Lamebook's declaratory judgment action dismissed here and then proceed with their suit in California.  There will be much maneuvering and it will rapidly get expensive, particularly for Lamebook. 

As we said before, stay tuned.

Dallas Cowboys Are Having A Bad Couple of Months

The Cowboys can't seem to do anything right.  They have started the season with one win and seven losses after being picked pre-season to be a Super Bowl contender.  Their starting quarterback is injured.  They've fired their coach and now, they forgot to renew their domain name registration.  Their website dallascowboys.com went off line for a few hours early in the week after the registration period expired on Sunday.  I'm not sure how this is even possible.  The registration entities are very aggressive about notifying you to renew and they start many months in advance.  You might even get some bogus notifications from China.  You would have to studiously ignore them in order to actually forget. 

May be time to punt.

Lamebook Proves To Be Anything But Lame, As It Beats Facebook To The Courthouse

We have been chronicling the "cyber-bullying" of Facebook (see here and here) in its quest to dominate western civilization.  Facebook has sued Teachbook and Faceporn and asked for damages and ownership of the domain names. 

Facebook has been making noises about doing the same thing to a local parody site, Lamebook. Attorneys for Facebook and Lamebook have been discussing the issues for a while and when an apparent impasse was reached, Lamebook adopted the approach of another famous Texan and launched a preemptive strike.  It seemed evident to everyone that Facebook possessed weapons of mass distraction.  (Sorry. Should have, but couldn't resist.) 

Lamebook has filed for a declaratory judgment (a copy of the complaint and a good description is found here on TechCrunch) alleging that Lamebook is not a social site like Facebook and is a parody of Facebook and as such, is not infringing on Facebook's trademark.  For good measure, Lamebook throws in some First Amendment constitutional issues, claiming that it is engaging in protected free speech.  A declaratory judgment action just asks the court to rule (i.e. declare its position) on certain issues without necessarily providing any other remedies.

This seems like a pretty good move on the part of Lamebook.  It keeps the suit in a Texas court, at least for a while, it is great publicity for Lamebook and everybody loves a David vs. Goliath story.

If this works out well for Lamebook, look for Facebook to begin talking less and filing more suits.  Stay tuned.

Cyber Bullying: Facebook Picks On Everybody

You may recall that we recently discussed that Facebook had unleashed the dogs of war on a website called Teachbook, a social network for teachers.  Messing with teachers is one thing, but now Facebook has stepped up their game a notch and has filed a similar action against something called Faceporn.  Until recently, Faceporn unpretentiously called itself "the number one socializing porn and sex network".  Now, it just calls itself down due to "unforeseen circumstances".  Like the suit against Teachbook, Facebook is asking for all of Faceporn's revenue and ownership of its domain name.  Faceporn says it is redesigning its site and will come back with the "best porn site the world has ever seen".  It's nice to know that Faceporn retains its humility through trying times.

Look for more of these suits from Facebook and maybe from others.  YouTube is yet to take on YouPorn, but that may just be a matter of time.   

Supersize Your Legal Services With a Drive-Thru Window!

Connecticut law firm helps keep the legal industry classy.

 


I'm thinking the Sonic method where the clients wait in their cars and the lawyers come out in roller skates would be much more effective. 

Texas Attorney General Investigates Google's Alleged Anti-Trust Activity

On September 3, Search Engine Land reported, and Google confirmed, that the Texas Attorney General, Greg Abbott, inquired about and is currently investigating potential anti-trust activity by Google. It was reported that Greg Abbott's office declined to answer any questions, and now everyone is just speculating on what the outcome will be. Well, I'm no better. 

This is not the first anti-trust inquiry Google has faced, and it likely won't be the last. According to Experian Hitwise, Google accounts for 71% of searches in the United States, and it's no surprise to anyone that when you've got that kind of market share, you've got a lot of bulls-eyes on your back, as well as a lot of government officials making sure you don't go all anti-trusty on the rest of the market. Google has been in this position for some time, and I'm sure I'm missing a few, but here are some of the Google antitrust highlights over the last few years:

Continue Reading...

HTML5 Video - Oh the possibilities!

Normally, we here at ATLB try and bring you legal issues relevant to the Austin tech world, but I recently stumbled across my first interactive, multi-window HTML5 video, and despite the lack of legal issues, I had an overwhelming desire to share it. Showcased as a "Chrome Experience," Google and Chris Milk teamed up with the band Arcade Fire to produce an extremely creative music video to the song, "We used to wait" (a great track). The site, The Wilderness Downtown, provides a look into the future of not just music videos, but videos across the board. An interactive multi-window experience allows the user to connect with the music, the story of the video, and provides some serious nostalgia for someone who hasn't been home in awhile (my then teary-eyed girlfriend can attest to that). 

I look forward to the next generation of videos and the creative music and film directors that will no doubt utilize this new format. I can already hear myself 6 months from now, "I can't believe I was so amazed by that Arcade Fire video."

 

Facebook Opens Fire on Teachbook

Once upon a time, most schools distributed annuals or pictures, names and some personal information about students so that other students could make connections. Then Mark Zuckerberg hacked into the Harvard computers and obtained private information of students and put that into a Hot or Not knockoff called “Facemash”.
Harvard threatened Zuckerberg with expulsion, charges for breach of security and copyright infringement. Harvard later backed off and the rest is history.
Fast forward to today and the behemoth that has now evolved from Facemash to Facebook is rigorously trying to keep anyone from using either “Face” or “Book” in their name if the entity is remotely associated with social media.
Facebook recently induced a site called Placebook to change its name to TripTrace and has now filed suit against a site called Teachbook, which is not even operable yet but purports to be an online information sharing vehicle for teachers (a large number of whom are prohibited from being on Facebook by school administrators).
Facebook is alleging in the suit against Teachbook that the term “Book” is highly distinctive and that most people associate it with social networking. Facebook throws in a claim of cybersquatting and wants the court to give it the domain name Teachbook. For good measure, they included counts of trademark infringement, unfair competition, and trademark dilution. Teachbook has only a couple of employees. Hello fly, meet cannon.
This indicates that Facebook will be aggressive against any online vehicle containing any variety of “Face” plus something or something plus “Book”.
No word yet on their stance on BookFace (actual trademark application made and abandoned several years before Facebook came around).
 

Malware Might Have Played A Part In Deadly Plane Crash

OK, now it's serious.  It's one thing to lose credit card information or for your Facebook account to be hijacked, but malware is said to have been instrumental in the cause of death and destruction in the crash of a Spanair flight two years ago.  Investigators have determined that ground computers were infected with malicious code that may have prevented the pilots from being warned that the flaps were in the wrong configuration for takeoff.

This blog has previously discussed the malicious code problem here, here and here.  Experts in virus protection are becoming increasingly pessimistic about the ability of reactive virus protection to be effective.

A video of the crash can be seen here.  Warning, this is unsettling in that it is video of an event where a large number of people lost their lives.

I told you this was serious.

Oracle vs. Google, Godzilla vs. Mothra, Perseus vs. The Kraken and other Titanic struggles

Consider this abbreviated time line:

November 5, 2007 - Google, T-Mobile, HTC, Qualcomm and Motorola announce the release of Android and announce the creation of The Open Handset Alliance comprised of 34 companies that will free the mobile world of all restrictions (the last part is made up).  Nowhere in the announcement does Java get mentioned.

Same day (almost like they knew it was coming) - The Chairman and CEO of Sun (possessor of Java) heartily congratulates Google et al on the release of Android and hails the salutary effect it will have on the Java community.  The blog entry goes out of its way to call Android a "Java/Linux phone platform" and "a Java based platform".

April 20, 2009 - Oracle buys Sun.  In the press release announcing the sale, Oracle calls Java "the most important software Oracle has ever acquired."

August 12, 2010 - Oracle files suit against Google alleging "In developing Android, Google knowingly, directly and repeatedly infringed Oracle's Java-related intellectual property. This lawsuit seeks appropriate remedies for their infringement."

Now what happens?  Google will claim that they aren't using Java but built their own version of this platform called Dalvik using approved clean room methods and therefore haven't infringed on anything.  Google hasn't filed an answer yet and probably won't for some time.  Then the fun will start.  This has the potential to be a very visible and influential suit with ramifications for years to come.  Google is not likely to be the last company with Defendant after their name in this matter.  There are millions and millions of devices with Android running on them.  Plus it involves some heavyweights.

Continue Reading...

SXSWi Panel Picks: ATLB Selections (so far)

South by Southwest Interactive is just around the corner, coming March 11-15, 2011, and now it's time for the selection process to begin. For those of you who aren't familiar with the process, check this out to get up to speed. There are three groups that vote on what panels will participate in the 2011 SXSWi: public (30%), SXSWi staff (30%), and advisory board (40%). There is a feeling here at ATLB that it's our duty to assist in crafting this year's event. I mean it's for the public, so why shouldn't we have a loud voice? This blog goes out to several different groups that have interest in a variety of things, so in order to provide a broad range of issues here are a couple that seem relevant to our readers: Bootstrapping, Entrepreneurism and Monetization, Funding, Web Apps, and our personal favorite Licensing, Fair Use and Copyright. Please check out these categories and see if a subject of interest pops up.

Additionally, there are a few individual panels this year that we'd like to suggest:

 

Apps vs. Mobile Web: Which to reach consumers?

Copyright Criminals

Download Illegally, It's the Right Thing to Do

Social Network Users' Bill of Rights: You Decide

Legal Frontiers In Social Networks, Blogs and Beyond

I.P. Fearlessly: Copyright, Contracts, and Clients

 

I'm sure there are many more that would do a great job of bringing value to next year's event, but these were the ones that caught our eye on first go around. It would be a good idea to get on Twitter and find some other good Austin Tech Sources to get a feel for some other good panels.

Enjoy the weekend!

"Wait! I deleted that. You can't see that!" - Computer Privacy and Data Recovery in the Age of Computer Forensics

In talking to our clients, our friends and the public at large, there seems to be a lot of confusion, misinformation, urban myths and lore surrounding the amount and kinds of data and material that is deposited on computer drives and that can be retrieved even though the user thinks that he has deleted it or covered it up. And by computer drives, we mean any electronic storage device including computers, flash drives, cell phones, DVRs, etc.

To attempt to get real live reliable answers to some of these questions, we turned to some local subject matter experts, Flashback Data. Flashback Data’s website is here. They were kind enough to lend us the expertise of Will Ambruzs, an attorney who is in charge of the Forensics Division of Flashback Data.

ATLB: Will, please describe the services that Flashback Data can provide, particularly to an attorney involved in litigation.

FBD: Probably the best known aspect of forensics is the storytelling. A man dies mysteriously and the forensic examiners conduct two autopsies – one on the corpse, and one on the home computer. Toxicology confirms the man died of ethylene glycol poisoning (antifreeze). Forensic testing of the computer recovers 76 previously deleted Google searches made by his wife over the course of seven weeks for things like “symptoms of ethylene glycol poisoning,” “ethylene glycol toxicity” and “C2H6O2 ingestion and death.” That’s a compelling story.

Other times our involvement is less about developing evidence and more about logistics. For example, we’re commonly retained by attorneys to help identify all the places relevant information is likely to exist in a complex technical landscape, or to develop evidence collection strategies that minimize the impact on their client’s business.

Candidly, there’s quite an air gap between law and technology. At the end of the day, when it comes to electronic evidence, we’re the guys who fill it. Our case managers are attorneys and our forensic examiners are technologists with deep court room experience. We’re not vendors. We take pride in giving our clients access to the highest caliber forensics testing in the industry, and we’re presently the only private sector laboratory in the world accredited for digital forensics by the American Society of Crime Laboratory Directors under their International standard – same as FBI and DEA.

ATLB: That sounds like a lot more stuff than we can cover in one setting. Let’s discuss some general topics about what kind of data can be recovered and from which devices, and then, hopefully follow up with another session where we delve into some of the more complicated problems of forensic discovery and data retrieval.

FBD: OK

ATLB: I will give you some topics and you tell me how hard it is to recover this data:
• Internet history from a computer
Internet history is one of the most persistent types of data on the computer. It’s not uncommon for us to recover every URL visited on a computer from the time you first took it out of the box.
• Deleted videos from a DVR
It depends. If the DVR entries were manually deleted, the chance of recovery is high if the device can be forensically imaged before the data is overwritten. Many DVRs are set to overwrite data after a period of time, or when the device is near the limit of its full hard drive capacity. Overwritten data is unrecoverable. By anyone.
• Text messages from a cell phone
Candidly, it depends on the make and model of the phone and how the phone is used. That said, we are still seeing a strong trend of users adopting smartphones like the Blackberry or iPhone. One common thing folks do with smartphones is sync them with a computer. This creates backup files on the computer which, depending on when the backup was created, may contain data that is long gone from the phone. Alternatively, smartphones are essentially small computers, and often their data can be recovered in the same way we recover hard drives.
• Instant messages like gmail chat or AIM
These may be recovered from log files saved to the computer. Difficulty is a function of time. Bottom line is if the data you want gets overwritten with new data, it’s gone.
• Facebook messages or postings
One avenue of recovery is to extract these from internet history. Often this gives us multiple clues as to the content and recipients, and we can use the information to go looking for “shadows” of similar activity. Another thing we can do is attempt to recover the confirmation emails Facebook sends when new entries are made on a user’s wall or new messages are received.
• Twitter tweets on a cell phone or computer
This type of data generally falls into the same category as internet history and internet cache. The content itself will be recoverable for some time (until it is overwritten) and we can extract a fair amount of data simply by looking through the internet history.

• Standard files on a computer hard drive
In answering this, assume that the user has used the commonly available delete function available to the standard user.

FBD: Understanding the recovery of deleted files on a hard drive requires some understanding of how files are stored and referenced. A good analogy once provided to me is that of a school library. If we think of the hard drive as the library, then the files are analogous to the books on the library’s shelves. In a library, a book’s location is referenced in the card catalog. In a Windows environment, a file’s location on the hard drive is referenced in the Master File Table. When we delete a file, we’re not destroying the file’s data. Instead, what happens is the file’s location is marked in the Master File Table as being available to use for new data storage. That’s like pulling a card out of the card catalog and throwing it away – the reference to the book is gone, but the book is still sitting on the shelf (at least until someone takes it down and replaces it with a new book).

Having said all that, “recovering” the deleted file is like walking around the library from shelf to shelf and taking inventory of every book. At some point, we’d learn that there is a book sitting on a shelf in a space that’s supposed to be empty. And we’d find and recover the book.

In addition to the above, there are multiple other ways to attempt to recover deleted files, such as through backup copies, temporary copies and/or copies embedded in another data file (e.g., a file attached to an email in an Outlook data file). These are all potential recovery routes.
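
The card-catalog analogy from the interview can be made concrete with a toy volume. The Python sketch below is an added example, not code from Flashback Data or from the original post; the `ToyVolume` class, its 16-byte clusters and the sample file contents are all constructed for illustration, and real file systems and forensic tools are far more involved. It shows an ordinary delete leaving the bytes in place, recovery through the stale catalog entry, recovery by walking free space for known file signatures, and the point at which an overwrite makes the data unrecoverable.

```python
"""Toy model of delete-then-recover on a cluster-based volume (constructed example)."""
from dataclasses import dataclass

CLUSTER = 16  # bytes per cluster; tiny on purpose so the sample stays readable

# Well-known leading bytes ("magic numbers") used to recognise file types.
SIGNATURES = {b"%PDF": "pdf", b"\xff\xd8\xff": "jpeg", b"PK\x03\x04": "zip"}


@dataclass
class Entry:            # one "card" in the catalog (the Master File Table in the analogy)
    name: str
    clusters: list      # cluster numbers holding the data, in order
    size: int
    in_use: bool = True


class ToyVolume:
    def __init__(self, n_clusters):
        self.data = bytearray(n_clusters * CLUSTER)  # the "shelves"
        self.free = [True] * n_clusters              # allocation bitmap
        self.catalog = []                            # the "card catalog"

    def write(self, name, content):
        need = -(-len(content) // CLUSTER)           # ceiling division
        picked = [i for i, is_free in enumerate(self.free) if is_free][:need]
        if len(picked) < need:
            raise OSError("volume full")
        for n, c in enumerate(picked):
            chunk = content[n * CLUSTER:(n + 1) * CLUSTER]
            self.data[c * CLUSTER:c * CLUSTER + len(chunk)] = chunk
            self.free[c] = False
        self.catalog.append(Entry(name, picked, len(content)))

    def delete(self, name):
        """Ordinary delete: flag the entry and free its clusters. The bytes stay put."""
        for e in self.catalog:
            if e.in_use and e.name == name:
                e.in_use = False
                for c in e.clusters:
                    self.free[c] = True
                return
        raise FileNotFoundError(name)

    def drop_entry(self, name):
        """Simulate the deleted catalog record itself being lost (card thrown away)."""
        self.catalog = [e for e in self.catalog if e.in_use or e.name != name]

    def read_cluster(self, c):
        return bytes(self.data[c * CLUSTER:(c + 1) * CLUSTER])


def undelete_from_catalog(vol):
    """Route 1: deleted entries whose clusters are all still unallocated.
    (A real tool would also validate the content; this toy trusts the bitmap.)"""
    recovered = {}
    for e in vol.catalog:
        if not e.in_use and all(vol.free[c] for c in e.clusters):
            raw = b"".join(vol.read_cluster(c) for c in e.clusters)
            recovered[e.name] = raw[:e.size]
    return recovered


def carve_free_space(vol):
    """Route 2: walk every unallocated cluster and look for a known signature."""
    hits = []
    for c, is_free in enumerate(vol.free):
        if is_free:
            head = vol.read_cluster(c)
            for magic, kind in SIGNATURES.items():
                if head.startswith(magic):
                    hits.append((c, kind))
    return hits


def demo():
    vol = ToyVolume(8)
    vol.write("report.pdf", b"%PDF-1.4 quarterly numbers, draft 3")  # constructed content
    vol.write("notes.txt", b"plain text, no signature")
    vol.delete("report.pdf")
    by_catalog = undelete_from_catalog(vol)    # stale entry still points at the data
    vol.drop_entry("report.pdf")
    carved = carve_free_space(vol)             # found with no catalog entry at all
    vol.write("new.zip", b"PK\x03\x04" + b"\x00" * 40)  # reuses the freed clusters
    after_overwrite = carve_free_space(vol)    # old bytes are gone for good
    return by_catalog, carved, after_overwrite


if __name__ == "__main__":
    print(demo())
```
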

 

Continue Reading...

More Sophisticated Spyware Hits Utility Systems - "Stuxnet" Gone Wild

Cyber security experts are scrambling to assess the past effects and the potential of a recently detected malware that has targeted utility systems primarily in the Middle East (beginning in Iran) and the United States. Microsoft has named the Trojan intruder “Stuxnet”.

On a very basic level, here is what Stuxnet does:
1. So far, it has targeted a Siemens system (SCADA) used primarily in the operation and control of electric power plants;
2. It has been carried on USB sticks and, when a stick is attached to a computer, executes automatically without any further action by a user, even if the AutoRun function is disabled;
3. The Trojan then seeks out and copies certain database information, including power plant designs;
4. Stuxnet exploits a flaw in the shortcut links files in Windows.

Microsoft has issued a workaround that essentially turns off the shortcut function and changes the shortcut icons' appearance on the screen.

So, if this only targets utility companies, unless you are a utility company or have one as a client, why should you care? Experts surmise that this was created to carry out industrial espionage but the same technique can be used for other targets. It could be used to target other trade secrets, personal financial information, medical records, etc.

We talked to a local security expert and there are reports that Stuxnet or variants are “in the wild” and could be delivered by means other than USB sticks, such as networks and remote web servers.

McAfee alleges that it has a defense against Stuxnet as does Symantec. As we noted in earlier posts (see here and here), these are examples of blacklisting. CoreTrace has demonstrated effectiveness against the intruder by using the whitelisting capabilities of its product Bouncer. See the YouTube video here:  http://bit.ly/bFCEdc.

This attack seems to be much more targeted and much more sophisticated than most of the prior threats and may herald a new age of malware menace.

So, it’s a dangerous cyber world out there. Use protection.
 

Trademark and Domain Name Scams from China

Recently, one of our clients received an email from a Chinese domain registration company stating that a foreign company was attempting to obtain their domain name. Our client, for purposes of privacy we’ll call them “CustomerName,” is a start-up in the process of obtaining a trademark registration for their company name. This email, although suspiciously spam-like, created some concern and confusion for CustomerName. Was this spam? What rights would they have if a foreign company were to use this domain name? What is my recourse?

 

First things first, it’s important to determine whether something like this is just a “Nigerian Prince” scam or something legitimate. A quick search turned up an article on the domain registration email our client received giving us serious pause. The article, by Happy Living with Hosea, provides a great analysis of the drafting of the email. Hosea pointed out things a Chinese company would have likely done differently if this was a legitimate operation. First, it was evident something peculiar was up based on the grammar and punctuation of the email. I’ll be the first to admit I send out letters with grammatical and punctuation errors on a daily basis. However, this one be reel bad. So I feel “it is our duty to notice you” (a little example) of how this poor drafting is a good indicator of a scam. Additionally, had this been one carelessly drafted email that would be one thing, but after some research, it becomes clear this is not an isolated case (just read the comments to the Hosea article).


.XXX Top Level Domain: Will Porn Revolutionize Domains?

Yesterday I wrote about the new domain .CO and the likelihood of success. The .Co Internet S.A.S. (cointernet.co), through its new Top Level Domain .CO, is attempting to provide a potential answer for the shrinking number of available domain names. With today’s announcement that ICANN has given its initial approval of the .XXX TLD, it is interesting to ponder what effects this might have on the structure of how we view and access the internet.

It is no surprise that there is an unbelievable amount of porn-related traffic on the internet. In fact, according to Bevan Sabo’s post “Top 4 Ways Porn Has Advanced the Internet,” porn has played a large role in the advancement of internet technology. The consumer desire for porn not only increased the popularity of the internet, but this desire also was the stimulus for many technological advances. So why would Top Level Domains (.com, .org, and now .xxx) be any different? With new domain name availability on .XXX, there is a chance the porn industry might be the first industry to gain some traction in creating a popular and useful new Top Level Domain (TLD). As with the .CO, the marketing and launch plans of this new .XXX world could play a major factor in how the domain is perceived and visited. If the implementation of .XXX is done poorly then the TLD will be a joke, but if it's done with legitimacy then it might start and build some steam for a "divided internet".

If this new .XXX TLD does gain traction, then other TLDs such as .CO could have their place in a newly market-segmented internet. However, if history has anything to say about the subject, we know it’s not an easy feat to garner public attention to these TLDs. How many times have you used the .museum for anything? What about .aero for some website in the air-transport industry? What about .mobi or .tel for communications companies or .travel for the travel industry? Porn's .XXX TLD will need to do something none of these industries could do – get anyone to type something other than .COM.

If the .XXX TLD is successful, the .COM might take on a catchall TLD role, while other domains might help organize … well, everything. If these divisions occur, instead of just blindly typing in .COM after everything, we might start to think twice. Additionally, if the new domains gain popularity there might be a need for a domain specific search engine or other domain limiting technology.

In the alternative, will the .XXX be a vehicle for limiting free speech? This is not the first time the issue of the .XXX TLD has been visited by ICANN. In May of 2006, the Guardian reported that the ICANN board voted down the creation of the proposed .XXX TLD. Arguments from both sides have valid points and bring up great issues. Will “porn” be forced to the .XXX? Will it then be restricted to persons over 18? Who will enforce that? Would it be constitutional? Only time will tell, but it might be something to keep your eye on.  


Is the .CO Domain Name the New Black? ...err Rather The New .COM

Unless you’ve visited Godaddy.com, NetworkSolutions.com, or some other domain registrar, you might not have heard about the new .co domain about to open to the general public on July 20th. .Co Internet S.A.S. (cointernet.co), made up of Neustar, Inc. and Arcelandia S.A., obtained a license from Colombia to distribute their .co domain worldwide. Demand for the new domain is high. Twitter announced a new service that provides short links with t.co, TechCrunch for its Disrupt conference incorporated a Disrupt.co domain name, and the domain name e.co was purchased in an auction for $81,000. Domain Name Wire provides a great history and summary of the .co topic in their post, the .Co domain Is Coming and in Where to get the best price for .Co Sunrise and Landrush,


Contract Provisions That Should Be Considered In A Cloud Computing Arrangement

This is actually Chapter 4 in a rambling dissertation on why the "Cloud" is what it is.

In previous posts (see here, here and here), we have chronicled the evolution of the “Cloud”, Software as a Service and various permutations thereof and labels therefor. So, now that we think we know how we got here, what do we do now? If you are considering the procurement of cloud services and if you have the negotiating clout to request changes to the vendor’s standard contract, you need to consider some additional things to request.

In addition to the general considerations such as price, term, etc., the following are additional considerations to be discussed with the vendor and possibly included in the governing agreement:
1. In most cases, the vendor owns or licenses the software and the customer owns the data. The customer should always have the right to access and move its data, even in an alleged default situation. This is particularly true if the customer is in a regulated industry.
2. What happens if the vendor goes out of business, declares bankruptcy or is acquired? What happens if the acquirer is one of your competitors? The customer should have an exit strategy and the agreement should be compatible with such strategy.
3. How much responsibility or liability will the vendor assume if the systems are unavailable or if your data is lost? What are the backup procedures, business continuity plans and disaster recovery arrangements? Most vendors’ heads would explode if you requested that they be responsible for the value of your lost data but what are the procedures to recover the data, to back it up and protect it and who pays for that?
4. What kind of investment will the vendor make in software upgrades, enhancements and development? A company for which I once worked pledged 5% of its outsourcing revenue to software development and maintenance. Most companies won’t commit to a specified amount or percentage but a purchaser should review their plans and should have some input, through user groups or otherwise, into the direction of software development.
5. What will you use to determine if the software is functioning in the manner that you expected? What are the warranties surrounding such? Most software providers will warrant that the software will perform in accordance with its documentation but you should request that the basics of any functionality found in sales proposals, demos, RFPs or other material used to sell you on the software be part of the warranty.
6. A purchaser should consider whether the vendor routinely conducts a SAS 70 audit and makes the results available.
7. Since the purchaser has less control over the software used in a SaaS situation than in any on-site situation, a reputable vendor should be willing to provide an intellectual property indemnification that will pay for a legal defense (usually the biggest exposure for a user) and should provide an alternative if use of the subject system is enjoined or interrupted in any manner.
8. The escrow of source code, executables and other information necessary to carry on the processing if the vendor goes out of business or becomes unavailable should be considered. In most cases, this makes the user feel better but because of the long lead times involved, may be of marginal benefit.
9. Performance metrics, also called service level agreements (SLAs), should be negotiated. Matters that are important to the user should be identified and reflected in the SLAs.
10. The foregoing are fairly standard components of most outsourcing contracts (which the delivery of cloud based software is, even if it is referred to as a software agreement). Perhaps the biggest divergence by Cloud based solutions from standard outsourcing situations is the question of security, the location of the data and the compliance of the system with Gramm-Leach-Bliley, HIPAA, Sarbanes-Oxley and international data transfer restrictions. If the user is a financial institution or subject to HIPAA, then the problem becomes particularly acute, and addressing those issues in a manner that allows the benefit of Cloud computing to be realized by regulated entities is a difficult process.

Now that we've looked at the Cloud from both sides now, it may be the Cloud's illusions we recall and that we really don't know the Cloud at all.  Or it may be just that we are out of cheesy cloud references.

 

 

Federal Judge Says Maybe the Does Should Go.

The US Copyright Group is a group formed by a law firm in Leesburg, Virginia, which according to their website, is designed to "Save Cinema" from the evils of illegal downloading. We have mentioned them before in relation to their attempts to involve the internet service providers. They have filed many lawsuits, primarily in the DC Federal District Court, against multiple defendants, mostly described as "John Does" since they have not as yet definitively identified the defendants. In a couple of the suits involving the movies The Steam Experiment and Far Cry, they have provided for 2,000 and 4,577 defendant Does, respectively. They propose to obtain the identities of the alleged infringers through discovery in the suits by getting the "infringers' identities through ISP subpoenas", again according to their website. They advertise that they do all of this on a contingent fee basis.

Although it has not been specifically determined yet, it is unlikely that all of the alleged defendants live in the DC area, so it would be very difficult for each defendant to appear and defend and conversely, it would be very difficult for each defendant to be sued individually in the area where they live.  You can see why the US Copyright Group has tried to join all defendants in a single case. 

The Rules of Civil Procedure for the DC Court state that defendants can be joined in a single suit if the actions giving rise to the suit arose from the "...same transaction, occurrence or series of transactions or occurrences..." and "a question of law or fact common to all the defendants will arise in the case...".

The two cases mentioned above have found their way onto the docket of Judge Rosemary Collyer and she has decided to rule on the issue of joinder of all the defendants.  She has given the plaintiffs until June 21 to show cause why all but one defendant in each case should not be dismissed due to misjoinder.  This could result in the dismissal of 1,999 Does in one case and 4,576 Does in the other.  Hence the bad rhyme in the title of this post.

A couple of public interest groups, including the ACLU, have filed amici curiae briefs on the side of the defendants.  The ruling by the judge in this case will have major ramifications on the nature of these types of cases going forward. 

Incidentally, The Steam Experiment's plot line is "A deranged scientist locks 6 people in a steam room and threatens to turn up the heat if the local paper doesn't publish his story about global warming" and Far Cry is based on a video game.  This is not a commentary on the value of the thing allegedly stolen.

Tweeting in the Courtroom: Ex-Governor Edition

The federal corruption trial of Ex-Governor of Illinois Rod Blagojevich is set to start this week, but the judge first had to order Blagojevich not to use Twitter from inside the courtroom. The shameless, flamboyant Blagojevich had stated earlier that he planned to "live-tweet" the trial during the proceedings, but the judge was having none of it.

The judge told him that he is still free to tweet and talk to the media all he wants outside the courtroom, but with the warning that everything he says can be used against him in the trial.  No word yet on whether Blago will try to update his Facebook status or "check-in" on Foursquare in the courtroom.  Stay tuned. 

 

Virus Protection Using Whitelisting

Last week, we posted an article about some of the ways of protecting a computer or computer network from malicious code.  We discussed primarily methods called "blacklisting" (the more widely used approach) and "whitelisting" (an approach receiving increased attention in recent days).

There is an Austin based company called CoreTrace that features the whitelisting approach.  When we asked, they were kind enough to provide us access to one of their subject matter experts. 

We discussed various aspects of this issue with Greg Valentine, CoreTrace's Director of Technical Sales and Services.  

Pertinent portions of that conversation follow:

ATLB:  CoreTrace’s products are designed to protect computers and networks from viruses, spyware, malware and other harmful stuff. How does it do it and how does that compare to the conventional anti-virus software we regularly see?

Greg:  CoreTrace has a product called “Bouncer”. Bouncer works at the operating system level and allows only the programs or executable code that has been whitelisted by the system administrator through Bouncer to run on that computer. Typical antivirus software works by maintaining a huge database library of virus signatures (which you have to keep up to date) and it attempts to eliminate them by searching a computer’s hard drives, comparing the code it finds on the hard drives to the virus library and then if it finds a match, it eliminates the virus code. There are a few challenges with this type of a defense.
1. This is reactive in nature – By definition, a signature does not exist until someone gets infected.
2. Because it is reactive, antivirus is vulnerable to a ‘zero-day’ attack. This simply means that a ‘bad guy’ can create a new piece of malware and as long as the antivirus companies are not aware of his new virus/worm then they will be blind to it.
3. In order to be protected by antivirus, you must deploy the updated signatures as quickly as possible. This can lead to inadequate testing before pushing out the ‘change’. If the antivirus vendor has made a mistake in their signature update then you could be causing more harm.
a. See McAfee’s recent ‘false positive’ signature update fiasco


ATLB:  You used the term “whitelisting”. What does that mean?

Greg:   At the time it is first installed, Bouncer takes an inventory of the executable programs on the hard drives of the computer and approves each of them to run. It puts them on a “whitelist”, i.e. stuff that is allowed to run. It is called whitelist because the antivirus providers say the stuff in their libraries is on the “blacklist”.

ATLB:  So, if a virus or other malware is present on the machine when Bouncer is first installed, then it will be allowed to run?

Greg:  That’s true, unless it is specifically found and eliminated later. That’s the reason that a good antivirus software should be run before Bouncer is installed or it should be installed in new machines before they are attached to the internet or anywhere else that they could become infected. Should you discover that one of your systems was infected prior to deploying Bouncer, you can rest a little easier at least in the knowledge that the infection will not be able to spread (to any other Bouncer protected computers).

ATLB:  Doesn’t having to authorize every piece of code to run on a system require an inordinately large amount of administrator time?

Greg:  The program takes an inventory of all the programs running on the machine at the time of the installation and thereafter the administrator does not have to be involved. The administrator can ‘pre’-authorize all software from a specific company or with a specific signature and software installed later from that company or with that signature will automatically be whitelisted and allowed to run.

ATLB:  How much computer resources does the CoreTrace system utilize and how does this compare to antivirus software?

Greg:  Our software requires a very small amount of hard disk space for our program. Since it merely prevents unauthorized programs from running, it doesn’t regularly use many computer resources. Antivirus software needs to run on a regular basis to see if any identified malware has been added since the last scan. You may have noticed that when your antivirus software is running its scan, which may last an hour or two, your computer is devoting significant resources to the scan and can have an effect on the capabilities of the computer. Bouncer only needs to check the program as it is launched. This check against the whitelist is extremely fast and does not impact the load time for any whitelisted applications.

ATLB:  How often is your software updated?

Greg:  Except for enhancements and upgrades to the program for operational purposes, our software does not need to be regularly updated. Since our method of operation is to keep anything but authorized programs from executing, we don’t have to continually seek out new viruses and add them to our database. Because of this method, we can never be behind when a new virus comes out, because regardless of the sophistication or newness of the virus signature, it can be deposited on the computer’s hard drive but because it is not authorized, it simply can’t harm the computer or its contents. Compare that to antivirus databases that are required to be updated constantly on a real time basis and must necessarily contain millions of virus signatures and sometimes can only catch a virus after it has infected a number of machines, if the virus doesn’t match their database.

ATLB:  Is there a version for single workstations or computers?

Greg:  Not yet. Right now, our program is only deployed on an enterprise basis.
 

Viruses, Malware and Spyware, Oh my!

The recent McAfee debacle, which we detailed here, has once again brought into focus the problems inherent with protecting a computer or computer network from code designed to have a non-optimum effect on such computer or network.
Since the early 1970s, when a virus called Creeper was created and introduced into ARPANET, the precursor to the internet, anti-virus software and other means of combating viruses have been created. The code to combat Creeper was called Reaper and so, the dance began.
Viruses are probably better referred to generically as malicious code, which includes a broad range of things including attack scripts, viruses, worms, Trojan horses, backdoors, malicious active content, malware, adware, spyware and many other names.
Malicious code is designed to do a variety of things, including crippling or disrupting computer operations, stealing information, perpetrating pranks and allowing unauthorized intrusions.
As soon as viruses started creating havoc, people started looking for a way to combat them. Shortly thereafter, other people (particularly those who depended on some other people for computer resources or storage) began to question such people’s response to the virus problem. Then, lawyers got involved (there’s always a silver lining) and suits were brought alleging that not enough was done to protect the computer resources against invasion, whether to steal information, create havoc, generally be a pain in the hard drive or a combination of all.
Although the law is still developing in this area, it is plain that the application of commonly applied negligence principles will require at least a reasonable amount of protection against intrusion and malicious code.
There are two basic approaches to combating such threats and they are generally referred to as “blacklisting” and “whitelisting”. Blacklisting is the most commonly used method and it involves developing a huge database of virus signatures, checking each transmission to and from a computer for such signatures and routinely scanning the storage areas of such computers for evidence of malicious code. The database needs to be continually updated and entirely new strains of viruses must be recognized and negated after they are released into the wild.
Whitelisting takes the approach of initially scanning drives for their contents and then not allowing anything else to run on that computer unless it is specifically approved. This method does not depend on scanning after the initial scan and does not have to be updated. New virus strains are of no concern as they may reside on the computer but will not be allowed to execute.
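The two approaches side by side, as an added example (not code from CoreTrace, any antivirus vendor or this blog). It simplifies a blacklist signature to a whole-file SHA-256 hash and models only the allow/deny decision, not operating-system enforcement; the file names, byte contents and function names are constructed for illustration.

```python
import hashlib
import os
import tempfile


def sha256_file(path):
    """Hash a file in chunks so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_whitelist(root):
    """Initial scan: inventory every file under root and approve its hash."""
    approved = set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            approved.add(sha256_file(os.path.join(dirpath, name)))
    return approved


def blacklist_allows(path, known_bad):
    """Blacklisting: run anything that does not match a known signature."""
    return sha256_file(path) not in known_bad


def whitelist_allows(path, approved):
    """Whitelisting: run only approved content, judged by hash, not by name."""
    return sha256_file(path) in approved


def demo():
    """Return {case: (blacklist_allows, whitelist_allows)} on constructed files."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        def write(name, data):
            path = os.path.join(root, name)
            with open(path, "wb") as fh:
                fh.write(data)
            return path

        # Constructed sample files; the bytes stand in for real executables.
        editor = write("editor.exe", b"constructed: legitimate editor v1")
        dormant = write("helper.exe", b"constructed: malware already on disk")
        old_virus_bytes = b"constructed: virus catalogued last year"
        known_bad = {hashlib.sha256(old_virus_bytes).hexdigest()}

        # The initial scan approves everything present, infected or not.
        approved = build_whitelist(root)

        def decide(case, path):
            results[case] = (blacklist_allows(path, known_bad),
                             whitelist_allows(path, approved))

        decide("approved_editor", editor)
        decide("dormant_preexisting", dormant)

        # Files that arrive after the initial scan.
        decide("known_virus", write("game.exe", old_virus_bytes))
        decide("zero_day", write("invoice.exe", b"constructed: new malware"))

        # Same file name as an approved program, different content.
        decide("tampered_editor",
               write("editor.exe", b"constructed: editor with injected code"))

        # A legitimate update is blocked until the administrator approves it.
        update = write("editor_v2.exe", b"constructed: legitimate editor v2")
        decide("update_before_approval", update)
        approved.add(sha256_file(update))
        decide("update_after_approval", update)
    return results


if __name__ == "__main__":
    for case, (bl, wl) in demo().items():
        print(f"{case:24} blacklist={'run' if bl else 'block':5} "
              f"whitelist={'run' if wl else 'block'}")
```

The `dormant_preexisting` case is the caveat with this model: whatever is on disk at the initial scan is approved, so the baseline has to be taken on a machine already known to be clean.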
You can expect that the issue will arise in some case as to whether one method is better than the other and if the other method is available, was it negligence not to employ such method?
In a subsequent edition, we will post an interview with CoreTrace, a local company that markets the “whitelisting” approach.
 

Apple Facing Potential FTC Inquiry

Here at ATLB, we have previously discussed Apple restricting the programming tools that could be used to create Apps for the iPhone and the iPad. Most notably, Flash-based programs were restricted, which sparked a PR war between Apple and Adobe. Now it appears that the FTC is seriously considering whether to look into these potentially anti-competitive practices.

The Federal Trade Commission and the US Justice Department, which enforce US antitrust law, are each looking into Apple’s restrictions. No decision has been made to move forward with an official investigation.

“What they’re [Apple] doing is clearly anticompetitive ... They want one superhighway and they’re the tollkeeper on that superhighway,” said David Balto, a former policy director for the commission.

It should be noted that only an inquiry has been mentioned as opposed to a full-scale investigation.  There will still need to be hearings and further discussion before an investigation is launched.  But at the very least, this will provide Adobe with ammunition in its ever-escalating PR battle against Apple and Steve Jobs. 

"First Do No Harm" - McAfee Runs Afoul Of This Rule

UPDATE:  In an effort to calm the waters, McAfee has offered to be responsible for "reimbursing reasonable expenses" for the cost of repairing the problems caused by the release of their glitch.  They are also proposing free extensions to existing, affected subscriptions.  This comes from a posting on their website and they promise to post details soon.  Whether this will calm the hordes with the torches and pitchforks at McAfee's doors, only time will tell.

Original Post:

"Primum non nocere" [First do no harm] is attributed loosely to the Hippocratic Oath that doctors are taught.  Antivirus creators should have it embroidered on their pocket protectors.

Yesterday I was heavily into the creative process of preparing another post for this blog, which, ironically (or coincidentally, I can never determine), was to be about an antivirus protection method called "whitelisting".  Theoretically, if I had been using whitelisting, this post would not be pertinent. But that is the subject of the post that I never completed but which will appear at a later time.

Suddenly, upon having to reboot, my task bar disappeared, my computer couldn't recognize my wireless card and all sorts of other mischief ensued.  Constant rebooting and repetitive cursing did not help. OK, I surmised, my trusty old Dell Latitude, circa 2004, had finally given up the ghost after many years of hard use and diligent service.

However, news soon surfaced that this was an inside job.

 


Red Flag Rule Appears In Your Town June 1

Although not strictly a technology related matter, all businesses and organizations that provide products and services to their customers and then bill them later should be aware that the Federal Trade Commission has a “Red Flag” rule that goes into effect (after several delays) on June 1, 2010.
You should first determine if your business is covered by this rule. If your business is covered, this rule provides that you must implement a written Identity Theft Prevention Program that is designed to detect the warning signs (hence “Red Flags”) of identity theft.
A copy of the rule may be found here. However, a shorter, more user friendly version may be found here.  Businesses that are at low risk for identity theft (e.g. you know your client individually, such as a neighborhood medical practice; you provide services around the home, such as a cleaning or lawn service; or your business has a low incidence of identity theft) may implement a do-it-yourself program by following an FTC-approved template that can be found here.
There is no private right of action under the rule (i.e. your customers may not sue you under the rule); however, they could complain to the FTC and the FTC can seek civil penalties (up to $3,500 per violation) and injunctive relief.
 

Adobe-Apple Feud Frustrates App Development

Apple has recently changed their license agreement to exclude Flash language programs and Flash to iPhone Compilers. This has created a great deal of buzz in the app development world. The iPhone Developer Program License Agreement set out by Apple was modified to exclude such Flash related programs when the agreement was edited to include:

3.3.1 — Applications may only use Documented APIs in the manner prescribed by Apple and must not use or call any private APIs. Applications must be originally written in Objective-C, C, C++, or JavaScript as executed by the iPhone OS WebKit engine, and only code written in C, C++, and Objective-C may compile and directly link against the Documented APIs (e.g., Applications that link to Documented APIs through an intermediary translation or compatibility layer or tool are prohibited).

This added language has caused an uproar in the app development community. As John Gruber at Daring Fireball explains, “… cross compilers, such as the Flash to iPhone Compiler in Adobe’s upcoming Flash Professional CS5 release, are prohibited.”


"Unvarnished: Controversial Yelp for Individuals" - Anonymous

Almost everyone has a Michael Scott or a Dwight Schrute in their office, and if you’re not sure you do, just be glad there aren’t cameras following you around all day because you’re likely that guy. Everyone at one time or another has had a frustrating time with their boss or coworker. However, we’re not all clever enough to make that situation funny enough to watch on a Thursday night. Most of the time, if we want to relieve some of that job-related stress we go to a trusted friend or colleague to vent, but what if we could tell our boss what we think … and do it anonymously?

The folks at Unvarnished are working on giving you just such a venue. Unvarnished has been described as a Yelp for individuals, in that you can leave comments and rate someone’s work performance. However, when a commenter leaves a remark on your page, not only is the commenter anonymous, but good luck trying to get that comment taken down. The review by Mr. Anonymous will stay up on Unvarnished until he or she decides to take it down and, because of web archives, will be on the internet basically forever.

 
