Post on 17-Jul-2015
Disclaimer
The views I express here today are my own opinion. They are not necessarily the views of my law
firm, Husch Blackwell LLP. These materials are for informational purposes only and are not legal
advice. This presentation and the information contained herein are intended, in part, to alert the
audience to some legal issues. Any information contained herein is not intended as a substitute for
legal counsel. Walter Kawula does not warrant this information for any purpose. This presentation
shall not constitute legal advice or create an attorney-client relationship. The laws referenced in this
presentation may have changed or could be affected by case law developments. Do not rely on these
presentations or your interpretation of same for any purpose. If you have a specific legal question you
should consult with a properly licensed lawyer. Do not send Walter Kawula or any person at Husch
Blackwell LLP confidential information until you speak with one of our attorneys and get authorization
to send that information to us. I may decline to answer questions posed to specific legal issues. Do
not take a refusal to answer specific legal questions personally. Speaking of “personally,” did you
know that I like coffee? Sure, we all do, but I mean I really, really like coffee. Probably more than
most folks. In fact, as I’m writing this, I’m on my third cup of the morning, and I’m about to go top off
again. But, hey, enough about me. How’s life been treating you?
Moving Right Along . . .
TL; DR
● I am not your lawyer
● Don’t tell me anything confidential
● This isn’t legal advice
2014 Highlights
"Snapchat agrees to settle FTC charges that it
deceived users"Washington Post, May 2014.
"Why Retailers Became a Top Target of Patent
Trolls"Wall Street Journal, July, 2014
"SFLC releases GPL Compliance Guide second
edition"Software Freedom Law Center, Nov. 2014
Influences on Web Design
Website Operator Website Developer
Requirements
Desired Functionality
Functional Website
FTC
NIST
Open Source
Community
Patent
Trolls
Why Should I Care (Part 1)
What does it mean to you if your web design gets
your client or your company into a lawsuit or
other legal action?
Bad Times.
Software Development Agreements
Have you agreed to:
● Warrant Against Infringement?
● Assume Defense of Lawsuits?
● Pay Damages Incurred By Your Client?
Principles of Data Collection and Use
Fair Information Practice Principles (FIPP)● National Strategy For Trusted Identities In
Cyberspace
● National Institute of Standards and Technology
(NIST)
● Federal Trade Commission (FTC)
Information Technology Lab at NIST
● Sets principles, guidelines, and frameworks for data
security and data privacy.● Vetting the Security of Mobile Applications (S.P. 800-163)
● Cloud Computing Synopsis and Recommendations (S.P. 800-146)
● Sets data security requirements for entities that contract
with the federal government.● Security and Privacy Controls for Federal Information Systems and
Organizations (S.P. 800-53)
FIPP -- Fair Information Practice Principles
● Benchmark used by the DHS, FTC, White
House and others.
● Concerns Personally Identifiable Information
(PII)● Name, address, SSN, etc.
● Certain combinations of data.
● Not everything applies here, so we will
discuss a sub-set.
FIPP -- Fair Information Practice Principles
● Transparency
● Individual Participation
● Data Minimization
● Use Limitation
● Security
● Accountability and Auditing
FIPP: Transparency
● Transparency means notifying individuals
regarding collection, use, sharing, and
maintenance of PII.
● People writing the notifications need to know:● what PII is being collected and used
● what third parties have access to collected PII
FIPP: Individual Participation
● Individual Participation means:● involving the individual in the process of using PII
● to the extent practicable, seeking individual consent for
the collection, use, sharing, and maintenance of PII.
● Options must be effective!
FIPP: Data Minimization
● Data Minimization means collecting only that
PII that is directly relevant and necessary to
accomplish specified purposes of the app.
● Can you accomplish the purpose and collect
less information than originally
contemplated?
● Accumulation of PII = Accumulation of Risk
FIPP: Use Limitation
● Using PII solely for the purposes specified in
the notice.
● Any sharing PII should be for a purpose
compatible with the purpose for which the PII
was collected.
● Third party analytics, advertisers, etc.
FIPP: Security
● PII should be protected through appropriate
security safeguards against risks such as loss,
unauthorized access or use, destruction,
modification, or unintended or inappropriate
disclosure.
FIPP: Accountability
● Accountability includes:● complying with these principles
● providing training to all employees and contractors who
use PII
● auditing the actual use of PII to demonstrate compliance
with these principles and all applicable privacy protection
requirements
Snapchat -- What did they do?
● "Snaps" were saved and accessed in ways
inconsistent with privacy policy.
● Security breach attracted FTC attention to
terms of service and privacy policies
concerning collecting and use of consumers’
data.
● Bad Times.
Federal Trade Commission
● Security Breaches involving consumer PII
● Insufficient Notice / Consent to Collect
Information
● False or Misleading Representations
Concerning Web App’s Use of Data
● Parallel concerns as FIPP
Basis for FTC Actions
● No explicit statutory authority to police web
applications.
● Relies on traditional authority to:o Protect Consumers
o Prevent Fraud, Deception and Unfair Business
Practices
Basis for FTC Actions
● Protect Consumerso Security breaches are harmful to consumers that
use the website.
● Prevent Fraud, Deception and Unfair
Business Practiceso Insufficient notice of collection and use of data
o Misleading assurances of data security
o False representations regarding web app operation
FTC Expectations
● 2012 Report Protecting Consumer Privacy in an Era of
Rapid Change: Recommendations for Businesses and
Policymakers.
o Privacy by Design
Data Security
Reasonable Collection Practices
Retention Limits
o Simplified Consumer Choice
o Transparency
FTC Complaint -- False Representation
8. From October 2012 to October 2013, Snapchat disseminated, or caused to be
disseminated, to consumers the following statement on the “FAQ” page on its
website:
Is there any way to view an image after the time has expired?
No, snaps disappear after the timer runs out. …
9. Despite these claims, several methods exist by which a recipient can use tools
outside of the application to save both photo and video messages, allowing the
recipient to access and view the photos or videos indefinitely.
FIPP: Security, Transparency
FTC Complaint -- Easily Defeated Security
14. Snapchat claimed that if a recipient took a screenshot of a snap, the sender
would be notified. On its product description pages, as described in paragraph 7,
Snapchat stated: “We’ll let you know if [recipients] take a screenshot!”
15. However, recipients can easily circumvent Snapchat’s screenshot detection
mechanism. For example, on versions of iOS prior to iOS 7, the recipient need
only double press the device’s Home button in rapid succession to evade the
detection mechanism and take a screenshot of any snap without the sender being
notified. This method was widely publicized.
FIPP: Security, Transparency
FTC Complaint -- Over Collection
20. From June 2011 to February 2013, Snapchat disseminated or caused to be
disseminated to consumers the following statements in its privacy policy:
We do not ask for, track, or access any location-specific information from
your device at any time while you are using the Snapchat application.
22. Contrary to the representation in Snapchat’s privacy policy, from October
2012 to February 2013, the Snapchat application on Android transmitted Wi-Fi-
based and cellbased location information from users’ mobile devices to its
analytics tracking service provider
FIPP: Transparency, Individual Participation, Use Limitation
FTC Complaint – Misleading Collection
25. . . . During registration, the application prompts the user to “Enter your mobile
number to find your friends on Snapchat!,” implying – prior to September 2012 –
through its user interface that the mobile phone number was the only information
Snapchat collected to find the user’s friends . . .
26. However, when the user chooses to Find Friends, Snapchat collects not only
the phone number a user enters, but also, without informing the user, the names
and phone numbers of all the contacts in the user’s mobile device address book.
FIPP: Transparency, Individual Participation, Acountability
Snapchat Take-Aways
Notice and Consent must be in sync with what
the application actually does.● Collecting geolocation information is OK
● Collecting address book information is OK
● Providing third party access via API is OK
IF:You provide appropriate notice of collection and the use of
the data is reasonably related to the use of the application.
Snapchat Take-Aways
Make life easier for your website operators:
● collect only the information necessary for the
application
● communicate to website operator what information
the application collects and how it is used
● advise website operator of any third party access to
collected information
o including extensions
● read the website’s privacy policy
Patent Lawsuits Against Retailers
The Actors that bring nuisance lawsuits against broad
swaths of an industry go by various names:
● Non-Practicing Entities
● Patent Assertion Entities
● Patent Trolls
● [Redacted]
Just some of the cases
● Lodsys Group LLC v. Bed Bath & Beyond, Brooks Sports, John Wiley &
Sons, and J&P Cycles
● Lodsys Group LLC v. B&H Foto & Electronics, Charter Communications,
Corbis, Lamps Plus, and Nordstrom
● Lodsys Group LLC v. MakeMyTrip.com, Meijer, Musician's Friend, Nuance
Communications, Sandisk, and Sirius XM Radio
● Lodsys Group LLC v. Burberry Ltd., Dover Saddlery, Freescale
Semiconductor, Godiva Chocolatier, and Hanna Andersson
● Lodsys Group LLC v. Crocs, Oriental Trading Company, Somerset
Investments and Saks
Shopping Cart
• eDekka sued more than 100 companies for
patent infringement.
• Suits alleged that "making and/or using one
or more websites that include 'shopping cart'
functionality" as the infringing activity.
The Tide is Beginning to Turn
• Patent Office Review• Covered Business Method patent post-grant review.
• Inter Parte Review
• "Patent Death Panel"
• Legislative Efforts• Increase pleading requirements.
• Cost shifting onto losing party.
The Tide is Beginning to Turn
• Alice v. CLS Bank• Supreme Court case from 2014 holding "abstract
idea" computer-related patents ineligible.
• Hundreds of computer-related patents are being
invalidated, lawsuit filings are down.
• Law still coalescing around what claims are ineligible
"abstract idea" claims, and which are sufficiently
definite for patent protection.
SFLC on Compliance
"Non-compliance with GPLv3 in the distribution
of Javascript on the Web is becoming more
frequent, and although no disputes have so far
resulted, in the absence of more careful
compliance activity in this area they are
eminently foreseeable."Software Freedom Law Center
Guide to GPL Compliance 2nd Edition
GPL Concerns
• Joomla (and many extensions) are licensed
under GPLv2.
• If website is non-compliant, the GPL license
terminates automatically.
• Unlicensed website -> copyright infringement.
• Bad times.
GPL Compliance
• What triggers obligations under GPL?• Distribution of program
• Modification of program
• Conflicting requirements are not an excuse.• "If you wish to incorporate parts of the Program into
other free programs whose distribution conditions
are different, write to the author to ask for
permission."
Distribution
• Purely internal use does not trigger source
code sharing and attribution requirements.
• Code downloaded into a browser might be a
a "distribution" of "non source" form
program.
Questions?
Contact Info:
Walter Kawula
walter.kawula@huschblackwell.com
312-526-1516
© 2015 Walter J. Kawula, Jr.