January 20, 2011
Okay, maybe I’m being a bit sarcastic with the title. But according to a recent article and study (i.e., the Sophos Security Threat Report), spam, phishing, and malware attacks on social networking sites doubled from 2009 to 2010. Not surprisingly, identity theft and third-party use of personal information were primary goals of cybercriminals.
This is hardly shocking and it wouldn’t be surprising if these numbers doubled again from 2010 to 2011 given the increasing importance of social media—for better or worse—in our personal and business lives. But what do people really expect? Criminals go where the people are and when Facebook has 600 million users, that’s a big crowd to fleece. And criminals can do so in the comfort of their own homes and in foreign countries knowing full well that their chances of getting nabbed are about as likely as Apple stopping production of the iPhone. What do they really have to lose?
Not surprisingly, according to the article, users want sites like Facebook to take stronger security measures. And while sites can certainly do so in some instances voluntarily, it may take a court ruling (as it often does) to force a company to implement more substantive protections. But first you have to get past those nasty contractual disclaimers that we lawyers put into practically all user agreements about not holding the site liable for almost anything that happens on it: “Identity theft be damned—so sorry, but it’s just not our problem!”
Remember when you clicked “I AGREE” on that user agreement? You can be sure Facebook does, because that’s an enforceable contract in most instances. (No need to thank us, by the way—the public’s opinion of lawyers is thanks enough!) Very tough to challenge, but not impossible if the right facts present themselves. Combined with the right judge, of course. Sometimes the lottery’s easier to win though.
The fact is that while social media sites have to do more, especially those that operate on the massive scale Facebook does, we have ourselves to blame also. How much personal information do we really need to disclose about ourselves? I’ve always believed that less is usually more, but perhaps because I’m over 40 (which is 95 in cyberyears), many young ’uns believe that more is more. And that even more is still not enough. I forget: Does TMI stand for “Too Much Information” or “Too Many Idiots” when we “overshare”? Because cybercriminals count on both meanings to do their dirty work.
Do we really need to tell everyone when we won’t be home, thereby inadvertently notifying criminals when the best time to rob us is? Or are we so egotistical that we have to “friend” a ton of people so we can brag about how big our network is, only to unwittingly let in unsavory characters? Or to post a lot of personal details until the inevitable privacy breach, thereby exposing all of that information to the world—and to sophisticated criminals who can then make use of it in all sorts of ways that decent law-abiding people have never thought of?
I often wonder where the proper practical balance is. Because if you’re expecting the law to catch up to address some of these informational privacy and security issues, we’ll be on Web 5.0 at that point … and on Cybercriminal 7.0. And do you really want to be the “test case” anyway?
January 19, 2011
Don’t get me wrong. I don’t mind the RIAA. As a technology and internet lawyer who makes my living in and out of court trying to protect the intellectual property rights of my clients, I generally support the RIAA’s efforts to keep people from stealing music and infringing the copyrights of others—although the organization can get a bit too overzealous at times. I’m starting to wonder, however, if perhaps the RIAA’s overzealousness is starting to cross the line into outright delusion, stupidity, or both. They certainly keep their lawyers busy though.
Now the RIAA is making veiled legal threats against ICANN over the introduction of a “.music” domain name. The RIAA’s deputy general counsel, Victoria Sheckler, informed ICANN that such a gTLD “will be used to enable wide scale copyright and trademark infringement.” Actually, “informed” is too nice a word given the rest of her letter:
We strongly urge you to take these concerns seriously…. We prefer a practical solution to these issues, and hope to avoid the need to escalate the issue further.
As you’re probably aware, “escalate” is legalese for “sue your ass.” But come again? How does a .music domain name “enable” infringement? As I recall, the RIAA has sued an awful lot of people over the years who have downloaded music from sites with .com and numerous other extensions. So how does a .music gTLD change that in any way?
If anything, a .music domain name might help consolidate all of the infringers in one place, kind of like a canyon with the snipers located above, and thereby allow the RIAA’s lawyers to pick them off as they see fit. Of course, outright infringers would likely avoid using such an obvious domain name anyway and stick to the names they’ve been using for—oh, I don’t know—maybe the last decade or so before a .music name was ever contemplated. (But then again, as an attorney I’ve learned never to underestimate the stupidity or chutzpah of people.) And of course, the RIAA seems to forget that there are a ton of amateur musicians and bands out there who have no problem with people downloading their music for free and would readily take the opportunity to register a .music domain name.
In terms of potential trademark infringement, I have no doubt that many cybersquatters would try to register the .music names of famous bands and musicians. But most won’t get very far given the ICANN domain name dispute resolution policy. Or the even more far-reaching Anti-Cybersquatting Consumer Protection Act. So the RIAA needs to chill. What they really seem to be trying to do is to get ICANN to somehow implement copyright protections or to police the .music name for infringers. But isn’t that the RIAA’s job? And haven’t they done it well over the years?
I can’t believe that ICANN would, could, or ever be forced to assume such a massive compliance burden. This isn’t a situation like Napster where there was a single website facilitating infringement (which had nothing to do with ICANN). The RIAA is essentially suggesting that ICANN monitor an entire gTLD for the infringing activities of, well, everyone who uses it. And even if that were possible or within the purview of ICANN’s official responsibilities (which it’s not), what’s to stop the RIAA from then trying to extend ICANN’s efforts into all of the other gTLDs that exist…or will exist? Slippery slopes I can deal with, but slippery cliffs are another matter. In any instance, a lawsuit against ICANN is something that the RIAA may want to think carefully about before pursuing. Not that they will, mind you. Their lawyers are kept very busy indeed.
Shakespeare said it first: “A rose by any other name would smell as sweet.” And a domain name by any extension could smell as rotten as any other. And if people want to use it for illegal purposes, they’ll do it regardless. As for me, I can’t wait until that proposed “.xxx” gTLD finally becomes operational. I just can’t find the porn I’m looking for without it.
January 18, 2011
A case involving a photographer who posted images of the Haiti earthquake to Twitter service Twitpic only to find others claiming rights to the images opens up IP issues. How far is an image allowed to go once posted? It can be retweeted, but what rights has the copyright owner retained?
Last summer, when I read about the Susan G. Komen Foundation’s aggressive enforcement efforts against other charities to protect its “FOR THE CURE” trademark used in breast cancer research, I thought back then that it could be problematic for the company. Not necessarily from a legal perspective, but from a public relations one. And that’s extremely important to keep in mind, because the sorts of issues the Komen Foundation is facing now are the things that keep trademark lawyers up at night. And when I read about the Foundation’s continued efforts last month, it was clear the story wasn’t going to die so quickly. Such is the nature of the internet.
Before you condemn the Komen Foundation, keep in mind that what’s smart from a legal perspective isn’t always the best PR strategy. The two areas can at times be mutually exclusive. I’ve had several instances over the years of advising clients that the way in which they’re using their trademarks could be problematic. Just think back to trademarks that have become generic, such as escalator, aspirin, and cellophane, to understand what I mean.
The companies which owned those marks failed to police and enforce the ways they were being used (both internally and by others), only to have the marks enter the English lexicon and become unprotectable. Remember, it’s not VELCRO, but VELCRO brand hook-and-loop fastener. So it’s not unusual for friction to exist between a company’s legal department and its marketing department, let alone its PR department. What makes sense legally sometimes translates into a poor PR strategy. And there’s no easy fix.
Just ask North Face when it pursued a teenager a couple of years ago who sold a line of clothing called “SOUTH BUTT.” North Face’s cease-and-desist letter not only circulated throughout cyberspace, but as a result of the company’s enforcement efforts, the story garnered a great deal of media coverage—with the theme being that a big, bad company was “bullying” a teenage entrepreneur. He garnered a lot of public support and sold a lot of clothes. North Face eventually settled with him. Like I said, it’s these sorts of stories that keep trademark lawyers up at night. You’re damned if you do and damned if you don’t.
The Komen Foundation must—not should, may, or could—but must police the use of its trademark by others or else it risks losing rights in it. That’s a legal question not open for debate. And the Foundation is no different than many companies, such as Intel, which also vigorously protect their marks. As to whether it’s being too aggressive by going after hundreds of smaller local cancer charities which incorporate some derivation of “FOR THE CURE” into their marketing efforts, that’s both a legal and PR question, but when Stephen Colbert makes fun of you like he did recently, you’ve got a PR problem.
Legally, how much enforcement is enough isn’t set in stone and is highly dependent on the facts of each case. If a company is taking reasonable steps to notify potential infringers and demands that they cease-and-desist their use of the mark in question, that’s an important first step—which is what the Komen Foundation is doing. Of course, whether they have to send out hundreds of letters to even small local charities trying to support cancer research in each and every instance is another matter, but such a strategy is sound from a legal perspective. And deterrence is an important part of enforcement too.
From a PR perspective, however, raising money for cancer research is quite a sympathetic cause—more so than a kid selling SOUTH BUTT jackets. And just because you have the legal right to do something doesn’t mean that you should. Or at least exercise it to such a degree that it could cost the Foundation more down the road, especially a charity which only exists due to the good grace and generosity of others. But I leave those questions to the PR experts.
January 17, 2011
We’ve had plenty of problems with Senator Patrick Leahy on this blog, as his push is to always make intellectual property laws worse, such as with ProIP and now COICA. However, sometimes he does things that deserve kudos, such as his plan to investigate the TSA’s new scanners, calling them “invasive.” Leahy apparently wants the Senate Judiciary Committee (which he heads) to examine whether or not the machines really make sense. Of course, perhaps we should withhold any kudos until we find out what comes out of that “review…”
Techdirt Mike Masnick
Hopefully by now, most people who have upgraded to a smartphone (such as an iPhone, Blackberry, or Android) have realized that it’s not simply a phone, but a powerful mobile computer which just happens to be about the size of a 3″ x 5″ index card. And just like your big heavy personal computer or laptop, it contains all sorts of personal information—perhaps too much information—about you and what you do. If you haven’t come to that conclusion yet, the increasing police power of the state may soon force you to. It should also force you to take steps to protect yourself from what could become an overzealous police officer should you ever find yourself in the unfortunate situation of being arrested (even for a misdemeanor).
For me, a big part of being a technology and internet lawyer is privacy law. While privacy appears to have all but disappeared in this 24/7 networked world where everyone posts a whole lot of information about themselves, it’s easy to forget that not everything is everyone’s business—especially the police, who may seek to use such information against you for violations of laws that you may not have realized even existed. Think it can’t happen? As a lawyer, I’ve seen many overzealous police officers, state agents, and prosecutors looking to establish a name for themselves. Civil liberties be damned. (Of course, there are many good ones too, but it’s often the other ones we hear about.)
An insightful article by Ryan Radia discusses the recent California Supreme Court decision in People v. Diaz, which held that police officers can lawfully search a mobile phone on a person they arrest without first obtaining a search warrant. The court found that mobile phones, like cigarette packs and wallets, fall under the “search incident to arrest” exception of the Fourth Amendment. While the Supreme Court may have the final say as to whether this is legal, many state courts have come to the same conclusion as California has.
Most significantly, Radia discusses the importance of taking measures to make your smartphone as secure as possible, such as full disk encryption of all content on the device. He notes that password protection—which is certainly an important first step—may not be enough and is easy to bypass due not only to the rise of digital forensics, but also to the vulnerabilities in your smartphone’s own operating system that a forensic expert can exploit easily. While Radia notes that no mobile encryption system at the moment is perfect or especially secure, this will hopefully change.
If you have a few minutes, the article is definitely worth a read. Whether people realize it or not, privacy is one of the most daunting issues facing us (and lawyers) in this information age, and the law has difficulty keeping up. And as the Diaz case shows, when the law does catch up, it’s usually not in our favor, but works to the benefit of the state’s police power. At least for now.