Julia Angwin Attempts to Remain Anonymous Online and Proposes that We Reconsider Privacy Rights as Human Rights

On February 19, 2015, journalist Julia Angwin presented on her recent project as part of the BCLT Lunch Speaker Series. Angwin built her reputation as an investigative journalist in the world of privacy issues when she led a Wall Street Journal series called What They Know. She has also written two books, the latest of which, Dragnet Nation: A Quest for Privacy, Security, and Freedom in a World of Relentless Surveillance, was the subject of her talk.

In today’s world, it seems no secret that parties are selling our data and the government is surveilling our behavior. The “free” apps we download on our smartphones are paid for by third parties who buy our data from the developers. Maybe users don’t have a problem with programs using the data necessary to run the app, but the situation might be more disturbing than people realize. First, the developers might be mining more data than necessary to run the apps. Second, the Snowden papers revealed that giant data aggregating companies like Google might have to turn over their data upon a secret request. Even worse, when the government can’t get access to the data they want from these companies, there is evidence that they can break into the servers to access the data without formally requesting it.

With all this in mind, Angwin sought to discover exactly what she could do to prevent the collection of her data; how could she evade surveillance in a world with pervasive tracking? Dragnet Nation illustrates Angwin’s quest for online privacy. Angwin used a plethora of techniques to try to remain anonymous. First, she quit using Google, and instead used a service called DuckDuckGo. She disconnected her LinkedIn and deleted all her friend connections on Facebook, leaving only a shell of a profile page to indicate that she was no longer using the service.

Through this process, Angwin encountered a few unexpected hurdles. For example, she created a new identity, taking the name of famous muckraker Ida Tarbell, responsible for exposing the abuses of the Standard Oil Company in the early twentieth century. (Angwin consulted a lawyer to make sure all her activities using this new name was legal.) Angwin emphasized that she simply wanted a way to conduct activities in public without using her real name. She soon abandoned this quest, however, partly because a friend reminded her that companies work by tracking behavior; because she hadn’t changed her patterns, it was actually easy for a company to link Ida’s activities with Angwin’s. She also had a hard time figuring out how to handle her phone. She tried just turning it off, but after hearing that the CIA can track phones even when turned off, she purchased a faraday cage to stop all signals to and from her phone.

She also tried to find an encrypted email service, but could only find one; Rise Up is a service run be a Seattle-based anarchist collective. Since the service was funded by donation, she would have to remember to download all her emails if she wanted to save them because the site would occasionally drop out. To save all this data, she signed up for an encrypted cloud service called SpiderOak. This service alone cost her $200 per year, which made Angwin realize that she was paying a significant amount of money for all these tools to shield her data.

In one year, Angwin totaled that she spent over $2,500. She also noted that this was likely on the low side of what it would cost for privacy protection, because she employed as many low cost services as possible. There are probably many services that can provide even more protection, but the prices start to spike. This made Angwin wonder: is privacy becoming a luxury good?

Angwin concluded that privacy is actually a fake luxury good – at the end of the day, she couldn’t even truly secure her privacy. In order to truly minimize any data collection, she would have to take steps such as convincing friends to also use encryption so as not to undermine her efforts, finding better security measures for her cell phone, and better identifying and avoiding data brokers who were still able to collect her data after all her efforts.

Against the backdrop of these struggles, Angwin came to realize that perhaps she wasn’t looking for privacy, but rather for assurances. She described the problem as a feeling of lack of control. “The more data is collected,” Angwin explained, “the more hopeless people feel. They don’t feel like they have the ability to do anything about it.” She proposed that society could address this problem by considering privacy rights as broader human rights over our data – the right to control what is collected and how it is used in a way that still allows us to use the amazing technology that pervades the market today. If we were able to recharacterize the way we think of privacy rights, this could allow the internet industry to innovate towards giving individuals the assurance they seek when using online services. Angwin’s story is proof that even money can’t buy perfect privacy – the solution will have to come from shifting the paradigm of what society expects will be done with our data.

For more information on Julia Angwin, see http://juliaangwin.com.

Tagged , , Leave a comment

Potential Copyright Dispute Between Bestselling Authors

In the midst of its recent film release, 50 Shades of Grey is raising eyebrows for a new reason: possible copyright infringement.  News outlets have begun to question whether the author of the best-selling Twilight series, Stephenie Meyer, ultimately holds the copyright to 50 Shades of Grey, written by E.L. James.  The issue turns on what constitutes a derivative work.

The novel 50 Shades of Grey originated as Twilight fan-fiction under the title “Master of the Universe.”  E.L. James, a pseudonym for Erika Mitchell, borrowed the characters of Edward and Bella from Twilight, set them in a city as humans, and created new escapades to chronicle.  “Master of the Universe” garnered an enormous following, which led Vintage Books, a subsidiary of Random House, to enter into a book deal with James.  100 million copies later, and with changes to the setting and characters’ names, 50 Shades of Grey is now one of the top 10 best-selling books of all time.

The problem is that 50 Shades of Grey is eerily similar to “Master of the Universe,” which was explicitly based on the Twilight characters.  One writer used plagiarism-checking software Turnitin to compare a passage of “Master of the Universe” with 50 Shades of Grey and found that the similarity index was 89%.  In fact, for much of the text it appears that the only differences were in the names of the characters.

Copyright protection

Section 101 of the Copyright Act dictates that a derivative work is based on “one or more preexisting works,” such as a motion picture version of a novel.  Meyer, the author of Twilight, has the original copyright of the series.  This means that, in general, Meyer owns the Twilight characters.  By extension, Meyer also holds the exclusive right – the “derivative right” – to prepare and authorize others to prepare derivative works based on her original novel under § 106(2) of the Copyright Act.  That is, Meyer controls the extent to which the Twilight characters may emerge in subsequent works.

“Master of the Universe” appears to fit under the definition of a derivative work, as its characters are drawn directly from the Twilight series.  When a derivative work is created without the permission of the copyright owner, “copyright protection will not extend to the work in which such material has been used unlawfully,” writes the United States Copyright Office, and “the unauthorized adaption may constitute copyright infringement.”  Applied to the present matter, when material from Meyer’s series Twilight is used without her permission to create a new work, the subsequent author (e.g. James) may not be able to obtain a copyright for the new work (e.g. “Master of the Universe” or, by extension, 50 Shades of Grey).

Potential litigation

There is “widespread disagreement about how far the derivative work right reaches,” as the Washington Post notes, so it is unclear whether a federal court would hold that James’s 50 Shades of Grey – a derivative work of James’s own “Master of the Universe” – qualifies as an unauthorized derivative work of Meyer’s Twilight.  While Meyer has not granted permission for James to create a derivative work from Twlight, she has not yet initiated any public litigation directed at the 50 Shades of Grey series.  Still, because Meyer’s copyright lasts for her lifetime plus 70 years, James and her heirs may face litigation down the road.

Fair Use

The Fair Use doctrine provides an affirmative defense to copyright infringement claims like the one that Meyer might allege.  This doctrine permits limited use of a copyrighted material without the permission from the copyright holder.  In determining whether a subsequent work is permissible under the Fair Use doctrine, Section 107 of the Copyright Act requires courts to consider four factors: “(1) the purpose and character of the use, including whether such use is of a commercial nature or is for nonprofit educational purpose; (2) the nature of the copyrighted work; (3) the amount and substantiality of the portion used in relation to the copyrighted work as a whole; and (4) the effect of the use upon the potential market for or value of the copyrighted work.”

Under this doctrine, parodies and critiques often defeat copyright infringement claims because they sufficiently “transform” the original work in such a way that it may serve a new purpose.  James would likely argue that 50 Shades of Grey transforms Twilight completely, with a whole new set of characters, settings, and plot lines.  Without knowing that “Master of the Universe” was created in between the two, this argument might seem convincing.  Through all of the forthcoming sequels and new onslaught of fan-fiction, the potential for litigation remains uncertain.

Tagged , , Leave a comment

Here Comes Another One: Examining the Home Depot Data Breach Lawsuit

40 million; the number of credit and debit card numbers stolen in the Target data breach of 2013. 200 million; the number of dollars credit unions and community banks spent reissuing only half of them. 1-3 million; the estimated number of these cards’ data successfully sold on the black market and fraudulently used before their issuing banks cancelled them. 5; the number of months ‘clandestine’ malware on Neiman Marcus systems operated and stole newly issued credit card information. 47; the percentage of world credit/debit card fraud that takes place in the United States. 18; the number of people, on average, whose stolen credit or debit card information just made them victims of identity theft before you even finished reading this paragraph.

Data breaches like Target and Neiman Marcus have prompted numerous consumer lawsuits against companies alleged of not doing enough to protect collected information about their customers. The effect of the media coverage over these data breaches combined with legislator concern and filed complaints has thrown the issue of consumer data protection into the spotlight.

One such lawsuit was filed on September 24, 2014 as Shonna Earls and John Holt Senior filed a class action against The Home Depot, Inc. in the U.S. District Court for the Northern District of California. The complaint alleges breaches of the California Customer Records Act as well as a violation of the California Unfair Competition Law among allegations of negligence on the part of Home Depot in managing recorded information.

The Breach

Home Depot confirmed that on September 18, 2014, 56 million credit and debit cards were exposed by hackers in the breach. The data stolen apparently centered on customer information recorded by the stores’ payment card systems which tracked the magnetic strip of the cards swiped and included customers’ names, card numbers, expiration dates, and CVV security codes. This type of information was also the targeted information in the Target and Neiman Marcus breaches. The popularity of this information among hackers comes from the ability to use this information to create new cards or make fraudulent purchases over the internet.

Home Depot has also confirmed that 53 million emails of customers were stolen in the hacks too. Home Depot has warned customers that this information could potentially be used in phishing scams online when hackers pose as Home Depot giving away gift cards or the like to trick consumers into disclosing personal financial information.

KrebsOnSecurity reports that the hack happened due to a variant of the “BlackPOS” (a.k.a. “Kaptoxa”), a malware strain designed to siphon data from cards when they are swiped at infected point-of-sale systems running Microsoft Windows. This was similar to the methodology used in the 2013 Target data breach. The investigation has yielded information that the attackers broke into Home Depot’s network on Nov. 15, 2013 using network credentials stolen from Fazio Mechanical Services a third-party provider of refrigeration and HVAC systems.

The New York Times has covered accusations from former employees who said that Home Depot was slow to install updated security mechanisms to prevent the breach in the first place. Furthermore, former employees wondered whether Home Depot did not meet industry standard guidelines for securing credit and debit card data – attributing the extent of the breach to lax security measures.

The Fallout

Following the news of the breach, multiple financial institutions reported a steep increase in fraudulent ATM withdrawals on customer accounts. Home Depot estimates the breach will cost the company $62 million. Higher estimates are projected by some sources whereas the breach cost Home Depot $43 million in the third quarter of 2014 alone. Those same sources point to the 2013 Target breach costing upwards of $1 billion.

In addition to the Earls lawsuit, there are also 43 additional civil suits being filed against Home Depot across the United States.

In addition to the security upgrades and legal costs, Home Depot informed customers that it would be providing free identity protection services to anyone who used their cards at Home Depot in 2014.

Shareholders have expressed concern that news of the breach may hurt Home Depot’s stock price looking at the 14% drop in Target’s price only a couple months out from news of its breach in 2013. However, according to Google Finance, Home Depot’s stock value has actually increased to close out the year nearly 12 points higher than in September when the news was announced.

The Lawsuit

Shonna Earls personally incurred $543.95 in unauthorized charges in September, 2014 after using her credit card at her local Home Depot. John Holt Sr. was notified by his bank that fraudulent activity was taking place on his debit card that he had recently used at Home Depot. The two plaintiffs are named in a nation-wide and California-wide class action suit.

The complaint alleges Home Depot violated multiple sections of California law by failing to implement reasonable security procedures and practices to protect consumer credit and debit card information. Additionally, the complaint alleges Home Depot violated California law by failing to promptly notify class members that their personal information had been compromised.

California Civil Code § 1798.80 requires any business that owns or licenses personal information about a California resident to maintain reasonable security procedures appropriate to the nature of the information. The complaint alleges that Home Depot violated this section by keeping customers’ personal data within its custody longer than necessary and by failing to properly and adequately dispose or make customers’ data undecipherable.

The complaint further alleges Home Depot violated California Civil Code § 1798.82 by failing to promptly notify all affected Home Depot customers that their personal information had been exposed by hackers.

The second cause of action alleges that Home Depot violated California Business and Professions Code § 17200 by failing to take reasonable security measures to protect its customers’ data, and because they didn’t notify customers of the breach in a timely manner. It further alleges that Home Depot engaged in unfair business practices and conduct that undermines or violates the stated policies underlying the California Customer Records Act.

The third cause of action alleges that Home Depot owed Plaintiffs and members of the class a duty to exercise reasonable care in safeguarding and protecting that information – a duty underscored by the California Customer Records Act. Plaintiffs allege that timely disclosure was necessary to alert plaintiffs and allow them to, among other things, monitor their bank accounts, undertake appropriate measures to protect their identify and avoid unauthorized charges, and otherwise prevent or mitigate the risk of fraudulent cash withdrawals or unauthorized transactions.

The class requests that Home Depot submit itself to a third-party security audit and testing regimen, update its data security policies, destroy all non-necessary customer information, better educate its personnel on the need for data security, and better educate its customers about the risks they now face in light of the breach and how they may protect themselves.

The Adventure Continues

The Earls lawsuit is just the latest chapter in the saga of retail data breaches and the public prioritization of consumer information privacy. Former employees have filed a lawsuit against Sony over the recent hack by the “Guardians of Peace”. On December 4, 2014, U.S. District Judge Paul Magnuson ruled to allow a lawsuit by financial institutions against Target for allowing their computer systems to be breached to proceed. In January, Nieman Marcus was hit with a proposed class action lawsuit in federal court seeking to hold the retail chain accountable for separate data breaches that put customer payment information at risk. The Michaels craft store chain was hit with a similar lawsuit by Michael and Jessica Gouwens in Illinois alleging the retailer has failed to sufficiently step up security measures following a three-year-old security breach.

Responses to recent data breaches are not limited to judicial action. In the wake of the 2013 Target data breach, ranking members of Congress called for committee hearings to explore how to better protect consumers and ensure private companies are held accountable for failures to secure their customers’ data. This is reflective of polling information that indicates stolen credit card information tops the list of crimes Americans worry about the most. The public conscience, legislative priority, and judicial focus are all fixed upon how to secure consumers’ information in the twenty-first century. Regardless of the outcome of any single case, the issue remains. While the twenty-first century may be the century of big data; the courts, federal and state officials, and the general public will also take measures to ensure it is also the century of big data protection.

Tagged , , Leave a comment

Could Your Technology Be Incriminating You?

Earlier this week, we wrote about how the government can lawfully compel a person to unlock their smart phone with the Touch ID feature (if the feature is enabled). Recently, Fitbit has been in the news because the popular fitness tracker device is being used as evidence in a Canadian civil court in a personal injury lawsuit. According to Forbes, in this landmark case, Fitbit data was volunteered by the owner of the device (the plaintiff) to support a claim that her activity level had decreased following an alleged injury.

This, one again, raises issues about the juncture between modern technology and consumers’ Fifth Amendment rights. So far, it appears that Fitbit data, or data from other wearable devices, have not been subpoenaed or used against the will of the device’s owner in the United States (or Canada). However, this case has opened Pandora’s box to the question of technology and self-incrimination.

 

What does this Mean for Tech Users?

Let’s say that you are accused of robbing a bank. There is no evidence against you, and your alibi is that you were at home taking a nap at the time of the crime. A judge may be able to compel you to produce your wearable technology to account for your heart rate at the time of the crime. In this case, elevated heart rate would equal incrimination.

 

What’s Next?

Some savvy prosecutor or plaintiff’s attorney may attempt to compel the production of wearable technology data in the near future. Using the analysis from the previous blog post on this topic, the pertinent question will be whether the production of data from one’s wearable technology is a “testimonial communication.” If producing one’s Fitbit, for instance, is not a testimonial communication, than the wearer may invoke her Fifth Amendment privilege against self-incrimination to stop production (or use) of the data in court.

 

For more information on this topic see coverage from Forbes and The Atlantic.

Tagged , , Leave a comment

Aereo’s Next Chapter in Bankruptcy

On the heels of a business-crushing Supreme Court decision, television-streaming giant Aereo announced in November that it would be filing for Chapter 11 bankruptcy.  Founded in 2012 with nearly $100 million in venture funding, the company allowed users to live-stream 30 different television channels for a low monthly subscription fee.  Aereo accessed these networks through its own micro antennas, which pulled the signals necessary for re-broadcasting from the television channels’ nearby towers.

The parent companies of the effected networks  – ABC, CBS, NBC, and Fox – initiated a civil suit in the Southern District of New York in 2012.  The broadcasters alleged that Aereo violated federal copyright law by failing to pay retransmission fees, which generate a significant portion of the networks’ revenues.  In response, Aereo argued that its technology is no different from a TV antenna on an individual user’s roof that connects to the TV through a wire; here, the wire connecting the antenna with the TV is the internet.

The Copyright Law of 1976 provides a copyright holder with the exclusive right to “perform the copyrighted work publicly.”  In other words, the copyright holder is the only body permitted to “transmit or otherwise communicate a performance or display of the work . . . to the public, by means of any device or process . . .”  As the networks note in their briefs, Congress enacted this provision in order to “bring within the scope of the public performance right” the retransmission of television broadcasts – ultimately, to protect the networks’ content.

The Litigation

In the early stages of the litigation, it looked as though Aereo might prevail.  The District Court ruled in Aereo’s favor, first denying the broadcasters’ request for a preliminary injunction and later denying their motion for summary judgment.  The Second Circuit then affirmed the lower court’s rulings, relying on Aereo’s technological make-up in its decision.  The Second Circuit reasoned that Aereo did not violate the federal copyright law because each customer viewed a unique copy of a broadcast, obtained through that customer’s specific micro antenna.  In this way, Aereo was engaged in thousands of “private” performances rather than the prohibited “public” ones.

The broadcast networks filed their petition for writ of certiorari in October 2013, asking the Supreme Court to decide whether a “company ‘publicly performs’ a copyrighted television program when it retransmits a broadcast of that program to thousands of paid subscribers over the Internet.”  Aereo also urged the Supreme Court to take the case.  The company reasoned that, as its business grew, one wide-reaching decision would be better than a variety of different rulings throughout the country. The Supreme Court swiftly decided to take up the issue in January 2014 and held oral arguments in April.

On June 25, 2014, the Supreme Court reversed the Second Circuit’s ruling and held 6-3 that Aereo violated the Copyright Act’s Transmit Clause because it “publicly perform[ed]” the networks’ copyrighted works.  The Court found that Aereo was doing more than acting as the “wire” that connects the antenna to the television; it was functioning “substantially similar[ly]” to a cable system and, thus, needed to obtain the networks’ permission to transmit their content. The majority decision was delivered by Justice Breyer, joined by Justices Ginsburg, Kagan, Kennedy, Roberts, and Sotomayor.  Justices Alito and Thomas joined Justice Scalia in his dissent.

“Viewed in terms of Congress’ regulatory objectives, these behind-the-scenes technological differences do not distinguish Aereo’s system from cable systems, which do perform publicly,” the decision reads. “Congress would as much have intended to protect a copyright holder from the unlicensed activities of Aereo as from those of cable companies.”  In the same breath, the Court took care to note that this ruling was specific to Aereo and should not impact other emerging technologies.

In a statement following the ruling, Aereo’s CEO Chet Kanojia lamented that the Court’s ruling is a “massive setback for the American consumer” and that it sends a “chilling message to the technology industry.”  He explained that Aereo “worked diligently to create a technology that complies with the law,” but, unfortunately, the Court’s ruling made it clear that “how the technology works does not matter.”  On the other hand, the CEO of the National Association of Broadcasters, Gordon Smith, explained that he was “pleased” that the Court upheld the idea of copyright protection that is “enshrined in the Constitution” by siding with the television channels.  He sees Aereo’s argument that the broadcasters were simply attacking its innovation as “demonstrably false.”

Three days after the Supreme Court decision, Aereo suspended its streaming service.  Meanwhile, broadcasters such as CBS have moved forward with plans to allow consumers to live-stream programs on the internet.

Bankruptcy

As Aereo CEO Kanojia explained in the company’s Chapter 11 announcement (appropriately entitled “The Next Chapter”), the June Supreme Court decision “effectively changed the laws that had governed Aereo’s technology, creating regulatory and legal uncertainty.”  Despite Aereo’s best efforts at circumventing this decision, “the challenges have proven too difficult to overcome.”  The CEO expects that Chapter 11 will allow Aereo to “maximize the value of its business” without the expense of protracted litigation.

When businesses are unable to service their debt, Chapter 11 permits them to undergo reorganization under Title 11 of the U.S. Bankruptcy Code.  Unlike in Chapter 7 where businesses cease operations, Chapter 11 debtors usually remain in control of their operations under the supervision of the court.  Companies have several mechanisms at their disposal as part of the restructuring process, including acquiring loans with favorable terms and canceling existing contracts.  Most importantly in the case of Aereo, companies who file for Chapter 11 bankruptcy benefit from an automatic stay, which halts pending litigation and prevents creditors from attempting to collect on their debts.

Aereo appointed Lawton Bloom of Argus to serve as the Chief Restructuring Officer, responsible for guiding the company through liquidation or restructuring. The company has already laid off 74 employees, leaving just 14.  In its papers filed with the court, Aereo claimed to have approximately $20.5 million of assets and to owe about $4.2 million of debts.  Aereo’s CFO Ramon Rivera explained that using Chapter 11 to gain protection from creditors would provide the “necessary breathing room” for Aereo to plot out next steps.

Tagged , , , Leave a comment

The Right of Publicity: Likeness Lawsuits Against Video Game Companies

What do actress Lindsay Lohan, former Panamanian dictator Manuel Noriega, and U.S. World War II General George S. Patton have in common? Each is involved in a right of publicity lawsuit brought against video game companies earlier this year. Lohan, Noriega, and Patton’s estate have each filed lawsuits alleging that certain video game characters illegally use their likeness and identity without permission. Before discussing the individual facts of each of these cases, it is important to understand the basics of the right of publicity.

The right of publicity varies from state to state. As seen from California’s right of publicity statute, Cal. Civ. Code § 3344, any “person who knowingly uses another’s voice, signature, photograph, or likeness, without such person’s prior consent, shall be liable for any damages sustained by the person injured.” In 1992, the Ninth Circuit in White v. Samsung Electronics America, Inc. stated that, in bringing a right of publicity claim, one must show (1) the defendant’s use of the plaintiff’s identity, (2) the appropriation of the plaintiff’s name or likeness to the defendant’s advantage, (3) the plaintiff’s lack of consent, and (4) the plaintiff’s injury. In this case, Samsung released an advertisement that depicted a robot standing in front of a Wheel of Fortune board, wearing a blond wig, a gown, and jewelry, which was made to resemble Vanna White. Addressing Samsung’s argument that it did not use White’s actual name or person, the court held that White had a valid claim because “the common law right of publicity reaches means of appropriation other than name or likeness [alone].” The court noted that this right was designed to protect celebrities from the unauthorized commercial exploitation of their identity. However, the extent and strength of this right is hotly debated.

In July 2014, Lindsay Lohan filed a lawsuit in a New York state court against Take-Two Interactive and Rockstar Games, the creators of Grand Theft Auto V. Lohan alleged that an in-game character, Lacey Jonas, as well as promotional art and other merchandise depicting a young blond woman, use her image, likeness, and voice without her permission. In Grand Theft Auto V, Lacey Jonas is a blond celebrity who asks for your assistance in escaping from the paparazzi, during which she discusses the burdens of being famous. Lohan argued that the character’s image, voice, and clothing were very similar to her own, and that Rockstar Games, in designing the game’s promotional art, used a “look-alike model to evoke the persona and image” of Lohan in order to profit from her fame. Thus, Lohan alleged that such use falls squarely under her right of publicity and that these video game companies have commercially exploited her identity without her permission.

In the same month, former Panamanian dictator Manuel Noriega, who is currently serving a two decade prison sentence for drug trafficking, money laundering, and killing political opponents, filed a lawsuit in California against Activision Blizzard, the creator of Call of Duty: Black Ops II. Differing from Lohan’s situation, this game unambiguously includes Noriega as a character and even features a mission to capture him. Noriega argued that his portrayal “as a kidnapper, murderer and enemy of the state” damaged his reputation, and that the use of his image and name entitles him to a share of Activision Blizzard’s profits. In October 2014, a California court dismissed Noriega’s lawsuit, stating that “Noriega’s right of publicity is outweighed by defendants’ First Amendment right to free expression.” Interestingly, former New York mayor, Rudy Giuliani, spoke out in defense of Activision Blizzard, arguing that, if Noriega’s lawsuit was not dismissed, “[p]ublic figures, good ones, bad ones, who are included in books, movies and video games, all of these [people] would have a right to sue.”

There have been other of instances of similar lawsuits, such as one filed by the estate of George S. Patton against Maximum Family Games for the use of the WWII General in one of its games, as well as a successful case brought by Ryan Hart, a college football player, against Electronic Arts, Inc. for his portrayal in EA’s NCAA Football video game series.

Together, these cases shed light on the strengths and limits of the right of publicity. In Hart v. Electronic Arts, Inc., it was the fact that EA did not “sufficiently transform” Hart’s identity or appearance that contributed to the Third Circuit’s holding in favor of Hart. As the court stated, this “Transformative Use Test” helps dictate the balance between a video game publisher’s right of expression under the First Amendment and a celebrity’s right of publicity. The Third Circuit held that, because the “digital Ryan Hart [did] what the actual Ryan Hart did while at [college]: he play[ed] football, in digital recreations of college football stadiums, filled with all the trappings of a college football game,” this use was meant to be highly realistic and was not transformative. Because this use was not transformative, it was clearly an unauthorized appropriation of Hart’s identity for commercial profit.

Given this holding, it will be interesting to see, if Noriega appeals, how a California appellate court will deal with transformative use factors and First Amendment concerns. Although the digital Noriega is visually realistic and was a CIA informant, like Noriega was in real life, there may be transformative aspects in that the in-game character engages in fictional dialogues and events. Some, like Giuliani, fear that this “absurd” lawsuit will allow countless historical and famous figures to unjustly halt many films, books, and other works of art, impeding creative progress and free speech. The Lohan case presents an additional layer of complexity, in that the in-game character may not even be found to use Lohan’s identity and likeness. An analysis of the similarities between the in-game character and Lohan will be required before fully proceeding to a discussion of the balance between publicity rights and free speech. Through the medium of video games, these cases illustrate a growing tension between First Amendment concerns and celebrity publicity rights and have the potential to seriously affect future creative works, privacy rights, and free speech.

Tagged , , Leave a comment

Federal “Catfishing”: When Government Impersonation through Social Media Gets Caught

You rush into work one morning, coffee and briefcase in hand, barely making it into the cramped elevator as the doors close. You overhear someone in the back whisper “That’s her, she’s the one in the tank top in her profile pic.” You wonder who they’re gossiping about but are too preoccupied on your 9:30 presentation to care. After a successful presentation, your boss pulls you aside and offers a friendly reminder to be aware of how people might see a Facebook profile or Twitter post to be a reflection on the character of the company. You’re slightly puzzled, as it seems to be coming out of nowhere, but just nod and smile and thank him for the reminder. At lunch, your co-worker comes up and says how cute your son and niece look in the pictures you posted online last night. You ask her what she’s talking about since you don’t remember posting anything. Her only reply is that it was on your Facebook profile and thanks for adding her as a friend yesterday.

There’s only one problem – you don’t have a Facebook profile.

 

Arquiett v. DEA

This scenario is similar to what brought Sondra Arquiett to sue the Drug Enforcement Administration (“DEA”) for commandeering her identity and impersonating her for months through a fake Facebook profile. In the complaint, filed in the United States District Court for the Northern District of New York, Arquiett alleges that an agent of the DEA “appropriated [Arquiett’s] name and likeness to create a publicly available Facebook account that purported to be an account belonging to [Arquiett] . . . without [her] knowledge or permission.” The complaint further alleges that the DEA agent posted pictures belonging to Arquiett on the page including suggestive pictures of her in her underwear and others with her child and niece – both minors. The DEA agent additionally “utilized the Facebook page to initiate contact with dangerous individuals he was investigating with regard to an alleged narcotics distribution ring . . . [and] also initiated contacts with other persons known to [Arquiett].” Arquiett alleges that she suffered fear and distress from uncovering the impersonation because the DEA agent had, “created the appearance that Plaintiff was willfully cooperating in his investigation of the narcotics trafficking ring, thereby placing her in danger.” Arquiett is charging that this impersonation violated her constitutional rights to privacy afforded under the First Amendment, equal protection under the Fifth Amendment, and her Eighth Amendment right to be free from cruel and unusual punishment.

The U.S. Attorney’s Office acknowledges the events in Arquiett’s complaint that took place but argues that the use of the account was proper as it was “for a legitimate law enforcement purpose.” The government argues:

“Defendants admit that Plaintiff did not give express permission for the use of photographs contained on her phone on an undercover Facebook page, but state the Plaintiff implicitly consented by granting access to the information stored in her cell phone and by consenting to the use of that information to aid in an ongoing criminal investigations [sic].”

The district court has since approved mediation to resolve the issue and both parties are currently attending.

 

Prior use of Social Media by Law Enforcement

This wouldn’t be the first time a law enforcement agency has utilized social media in a criminal investigation. LexisNexis published a report in 2014 stating that eight out of ten law enforcement agencies utilized social media in criminal investigations. Although it is unclear to what extent law enforcement agencies create profiles impersonating real people (as opposed to creating profiles of fictitious individuals). Such investigations include a 2008 gang sting operation in Cincinnati, OH where 71 people were arrested following a data mining operation on Facebook.

 

No “Likes” for the DEA

After BuzzFeed News broke the story, Facebook removed the account and rebuked the DEA for its violation of Facebook’s community guidelines and demanded it cease all activities relating to fake profiles.

We ask that you refrain from publishing the personal information of others without their consent. Claiming to be another person, creating a false presence for an organization, or creating multiple accounts undermines community and violates Facebook’s terms.

Joe Sullivan, Facebook’s Chief Security Officer, commented in an October 2014 letter to the DEA that, “Facebook is deeply troubled by the DEA’s claims and legal position . . . Facebook has long made clear that law enforcement authorities are subject to these policies.”

In an interview with CNN, he also stated actions like these, “[undermine] the integrity of [Facebook’s] whole service if we allow people to use false accounts.

U.S. Senator Patrick Leahy, Chairman of the Senate Committee on the Judiciary, wrote a letter to U.S. Attorney General Eric Holder late last month condemning the DEA’s impersonation of Arquiett on Facebook and calling the DEA’s decision to post suggestive photos of Ms. Arquiett and pictures of her minor son and niece ‘appalling’ and ‘dangerous’. Leahy condemned the danger to Arquiett’s life the DEA incurred when they initiated conversations with known dangerous criminals impersonating Arquiett and then linking that to the pictures they posted of Arquiett’s son and niece. Leahy concluded:

I hope the Justice Department will agree that creating an online profile using an unsuspecting person’s identity to communicate with criminals is unethical, potentially dangerous, and should not be condoned by our nation’s law enforcement agencies.

 

This Isn’t Something New to the Internet

Impersonation isn’t anything new to social media. We all remember the infamous Manti Te’o scandal where the football star’s dead girlfriend turned out to be a hoax complete with her own Facebook profile.

Then there’s $616,165 fine the Federal Trade Commission leveled against JDI Dating last monthfor allowing users to create profiles on their sites for free and then send them fake messages from people who supposedly lived nearby and wanted to meet.

However, neither of these is as disturbing as the case of Megan Meier – the one that first drew national attention to the issue of online impersonation. Megan lived in Dardenne Prairie, MO and began an online friendship-turned-romance over her MySpace.com profile with Josh Evans. That was until October 2006 when Josh began being mean to her even to the point where he messaged Megan “The world would be a better place without you.” Megan hung herself in her bedroom closet. She was 13. It also turned out that Josh Evans never existed. A 47 year-old neighbor had been impersonating the profile the entire time.

This infamous case of “catfishing”, where someone impersonates being someone else over the internet often used to trick people into romantic relationships, prompted state legislatures across the country to create laws against this kind of fraudulent behavior. In California and New York, online impersonation is a misdemeanor. In Texas, it’s a third-degree felony.

Former California State Senator Joe Simitian commented that these laws were created to prevent harm from coming to individuals who fall victim to online impersonation – just like identity theft. “There are many kinds of harm . . . Emotional distress is a harm. Financial damage is a harm. When someone both steals your identity and damages your reputation, there ought to be consequences.

But what about when it’s the government doing the “catfishing”?

 

A Novel Question for the Courts

Anita L. Allen, professor at University of Pennsylvania Law School, protests to the use of fake profiles by government agencies as “misrepresentation, fraud, and invasion of privacy.” However, she also pointed out that Arquiett’s case presents a novel legal issue that has not yet been tested in federal courts – how far is too far when the government impersonates a real individual over social media without their knowledge or consent? Ryan Calo, a professor at the University of Washington School of Law, says that what separates this kind of deceptive behavior from others in which law enforcement agencies have engaged in the past is that this case is an instance where the government assumed the identity of a real individual as opposed to a fictional one. Neil Richards, also a professor at Washington University School of Law, agrees that “There are a whole bunch of new things that are possible [with social media], and we don’t have rules for them yet.

Allen also brings up the point that the government admits that Arquiett did not give her express permission to use the private photographs stored on her phone on social media. Allen analogies, “I may allow someone to come into my home and search, but that doesn’t mean they can take the photos from my coffee table and post them online.” Elizabeth Joh, professor at UC Davis School of Law, said that for the government to glean ‘implied consent’ for use of the pictures on social media absent any express permission to do so, “[is] a dangerous expansion of the idea of consent, particularly given the amount of information on people’s cell phones.”

In the era of mass privacy breaches of commercial retail chains and ex-patriots exposing NSA domestic spying programs; technology has allowed federally-sponsored “catfishing” to be added to the mix of privacy concerns. Maybe you should just call next time instead of sending that Facebook message. After all, the face behind the profile might not be the one you were expecting.

Tagged , , , Leave a comment

The Smartphone versus the Fifth Amendment

For many smartphone users, passwords and passcodes have become a thing of the past. Since late 2013, Apple iPhone users have been able to access their phones by simply applying their stored fingerprint to the Home Button. Many Android devices offer the same feature. And now, Touch ID does more than unlock a phone. As of October 20, 2014, Apple’s Touch ID is fully integrated with Apple Pay, which allows users to make every-day purchases with a touch of their thumb.

However, in the aftermath of Virginia v. Baust, many smartphone users may soon reconsider their reliance on fingerprint ID technology.

In October, a Virginia trial judge ruled that unlike a passcode, the production of one’s fingerprint is not “testimonial communication”, and therefore, the Fifth Amendment privilege against self-incrimination cannot be invoked. Rather, the government may properly compel the production of a smartphone user’s fingerprint to unlock the user’s device. This force compulsion would ostensibly extend to any applications within a device that can be opened via fingerprint.

According to the Virginia court that decided the case, Fifth Amendment protection is implicated where the government demands the “(1) compulsion of a (2) testimonial communication that is (3) incriminating.” Virginia v. Baust. In its analysis, the Virginia trial judge relied on authority such as the 1967 case, United States v. Wade, where the Supreme Court found that biometrics such as height, weight, photograph, voice, and handwriting were not testimonial communication, and accordingly, could be compelled by the government.

The Court reasoned that the production of a passcode, on the other hand, is a “testimonial communication.” A cited authority United States v. Kirschner (2010), contrasted the hypothetical compellation of a passcode with the compellation of a writing sample. The court found in Kirschner that a defendant would not be revealing knowledge by giving a writing sample, but s/he would be revealing knowledge if s/he were compelled to recount the passcode.

Is All Smartphone Privacy Lost?:

As a trial court, the ruling in Virginia v. Baust is not mandatory law. However, as with any early caselaw in a novel and undeveloped area of the law, this opinion will likely be cited as a persuasive authority.

In the short term, we’ll have to wait to see what other jurisdictions will say about this burgeoning question. For now, the convenience of Touch ID may not be worth risk of lost privacy.

For more information on this topic see coverage from: Mashable; and Huff Post.

Tagged , , , , , , Leave a comment

Terms of Service: Didn’t Read? Might Not Be a Problem If It’s Browsewrap

As websites today develop increasingly complex relationships with visitors, the contracts that define those relationships have become more difficult for companies to impose as binding.  Recent litigation surrounding “Terms of Service” (ToS) agreements has put pressure on companies to draft agreements that courts will actually enforce.

Today’s ToS contracts generally come in two forms: clickwrap and browsewrap.  Clickwrap agreements require users to affirmatively review the terms and, at the end, to press the “I accept” or “I agree” button to indicate their assent.  Browsewrap agreements, on the other hand, are passive.  On most websites, the terms are connected to the main page via hyperlinks and do not require any affirmative action.  Instead, visitors signal their acceptance of the ToS by using the website.  Both types derive their names from “shrink-wrap agreements,” which were the extremely long, fine print ToS’s that appeared under the plastic wraps of prepackaged software.  Browsewraps, in particular, have fallen under heavy scrutiny in recent years.

In re Zappos.com, Inc., Customer Data Security Breach Litigation

In January 2012, Zappos.com suffered a security breach through which hackers obtained customers’ names and addresses, though not their financial information. Several plaintiffs independently filed suit against Zappos.com, alleging that the company failed to protect their valuable information.  The cases were consolidated in the District of Nevada where Zappos.com was headquartered.  Shortly thereafter, the company filed a motion to compel arbitration because, it argued, the ToS on its website had a clause that required all disputes to be “submitted to confidential arbitration in Las Vegas, Nevada.”

The clause appeared as part of a browsewrap agreement that customers were not required to affirmatively “accept.”  In fact, the company placed the “Terms of Use” hyperlink in left-hand column towards the bottom of its website, which, if you were to print it, would appear on page three of four. The District of Nevada Court concluded that plaintiffs never viewed, “let alone manifested assent to,” the Zappos.com’s ToS. The court pointed out that “[n]o reasonable user would have reason to click on the Terms of Use,” as the company never directs the user to review it, and “[a] party cannot assent to terms of which it has no knowledge or constructive notice.”

Thus, in October 2012 the court held that the arbitration provision contained therein was unenforceable, noting that “the advent of the Internet has not changed the basic requirements of a contract, and there is no agreement where there is no acceptance, no meeting of the minds, and no manifestation of assent.”  Indeed, the court found that a “highly inconspicuous hyperlink buried among a sea of links” does not provide the customer with adequate notice.  Without acceptance and a manifestation of assent, “no contract exists” and plaintiffs cannot be compelled to arbitrate.

Nguyen v. Barnes & Noble, Inc.

Similarly, in August 2014 the Ninth Circuit held that Barnes & Noble failed to provide adequate notice of its 2011 Terms of Use and, therefore, the plaintiff was not bound by the arbitration provision.  Nguyen filed a class action suit after the company canceled his order for two tablets because of “unexpectedly high demand.”  Barnes & Noble presented the ToS to its customers as a browsewrap agreement, which appeared on the bottom left-hand corner of every screen and did not require the customers to affirmatively accept.

The court explained that the central issue in cases with browsewrap agreements is whether users received actual or constructive noticed of the ToS.  Here, there was no evidence that the user had any actual knowledge of the agreement, let alone the arbitration clause. The validity of the agreement, then, turns on whether the website puts a “reasonably prudent user on inquiry notice of the terms of the contract.” The court considered the placement of the link, notices to users of the terms, and the layout of the website. Ultimately, the court held that “the proximity or conspicuousness of the hyperlink alone” is insufficient to give rise to constructive notice.  And because Nguyen did not receive adequate notice of the terms of the contract, the court held that he could not be bound by the arbitration provision therein.

Transparency

On the other side of the equation, some tech start-ups are working to make ToS agreements more transparent for consumers.  Terms of Service; Didn’t Read is one such project, aiming to fix “the biggest lie on the web: almost no one really reads the terms of service we agree to all the time.”  Indeed, this was confirmed by a 2008 study by Carnegie Mellon professors, which found that the average internet user encounters almost 1,500 privacy policies a year, most of them exceeding 2,500 words. With few people willing to spend time reviewing each and every ToS that comes their way, Terms of Service; Didn’t Read intends to fill that gap. The organization has generated a peer-review process to rate various companies’ ToS policies from “Class A,” signaling it is among the best, through “Class E,” warning that it is very troubling for consumers.

As courts such as the Ninth Circuit invalidate arbitration clauses in browsewrap ToS agreements, the pressure will be on companies to adapt their agreements so that courts will enforce them. Companies may well have a better chance with clickwraps.

Tagged , , , , Leave a comment

Virtual Marriage Equality: Nintendo’s Tomodachi Life is Behind the Times

“A celebrity might fall in love with your math teacher,” but, in Nintendo’s new Sims-like game, your characters cannot be gay.  In June 2014, Nintendo released Tomodachi Life, a 3DS social simulation game through which players import their avatars, or “Miis,” into what one game critic called a “digital dollhouse.” There, players can customize Mii characters for any person they wish – friends, family, or celebrities – and then watch as they all interact.  Despite what appears to be a game with limitless social opportunities, the Miis are only permitted to marry members of the opposite sex.

Tomodachi Life was first released in Japan in April 2013 where it received positive reviews and developed a strong following.  Nintendo set June 2014 as the release date for the U.S. market.  Just weeks before, U.S. fans started the Miiquality campaign to put pressure on Nintendo to create a gay marriage option in the game.  Tye Marini, the founder of the campaign, wanted to “be able to marry [his] real-life fiancé’s Mii,” but the game would not allow it. Marini went on to explain that his options were to “marry some female Mii, to change the gender of either [his] Mii or [his] fiancé’s Mii (and other male Miis) or to completely avoid marriage altogether and miss out on the exclusive content that comes with it.”  The timing of the campaign coincided with the 10-year anniversary of marriage equality in the U.S.

In response, Nintendo released the following statement: “We hope that all of our fans will see that ‘Tomodachi Life’ was intended to be a whimsical and quirky game, and that we were absolutely not trying to provide social commentary.”  The company later revised its comment, explaining that it was too late to revise the game and pledging to “strive to design a gameplay experience from the ground up that is more inclusive, and better represents all players.”  Despite the initial negative publicity, Tomodachi Life went on to receive positive reviews.

Nintendo’s failure to make the requested changes has left members of the LGBT community feeling excluded. And, as GLAAD national spokesperson Wilson Cruz told GamesBeat, Nintendo is signaling that it is “way behind the times.”  Cruz explained that it has “been over a decade since The Sims — the original ‘whimsical and quirky’ life simulator — allowed its users to marry any character they wanted, and many other mainstream and massively popular video games have followed their lead since.”  GLAAD urged Nintendo to do the same.

Civil rights issues in video games are not often litigated because the Supreme Court has held that video games qualify as protected expression under the First Amendment.  In 2011 in Brown v. Entertainment Merchants Association, the Court issued a 7-2 decision striking down a California law that prohibited the sale or rental of violent video games to minors.  The Court reasoned that “[l]ike the protected books, plays, and movies that preceded them,” video games communicate ideas, and that “suffices to confer First Amendment protection.”  The video game and entertainment industries applauded the decision which, in the words of the Entertainment Merchants Association’s CEO, “declared forcefully that content-based restrictions on games are unconstitutional; and that parents, not government bureaucrats, have the right to decide what is appropriate for their children.”

Ten years prior, Judge Posner of the Seventh Circuit made a similar comparison in American Amusement Machine Ass’n v. Kendrick: “Maybe video games are different. They are, after all, interactive. But this point is superficial, in fact erroneous. All literature . . . is interactive; the better it is, the more interactive.”  Judge Posner added, “Literature when it is successful draws the reader into the story, makes him identify with the characters, invites him to judge them and quarrel with them, to experience their joys and sufferings as the reader’s own.”  In that case, the Seventh Circuit held that there was insufficient evidence that exposure to violent video games actually caused harmful behavior and that young people had First Amendment rights to play these games.  These passages are frequently cited to argue that video games are no more threatening than other media forms.

Against this backdrop, civil rights groups would be hard-pressed to litigate issues of in-game marriage equality in U.S. courts.  It seems that the best strategy might be for activist organizations like GLAAD to provide support to campaigns such as Miiquality, which aim to mobilize what the game companies need most – players.

Tagged , , , Leave a comment