Prepared by Michael Lissner, Jessica Santana and Kentaro Suzuki

SUMMARY OF FTC POLICY STATEMENT ON DECEPTION
- Provides a concrete indication of the manner in which the FTC will enforce its deception mandate.
(The FTC Act, Section 5: unfair or deceptive acts or practices are unlawful. Section 12: specifically prohibits false ads likely to induce the purchase of food, drugs, devices or cosmetics. Section 15: defines a false ad for purposes of Section 12 as one which is “misleading in a material respect.”)

3 Elements of deception
(1) There must be a representation, omission or practice that is likely to mislead the consumer.
(2) Examine the practice from the perspective of a consumer acting reasonably in the circumstances. If the representation or practice affects or is directed primarily to a particular group, the Commission examines reasonableness from the perspective of that group.
(3) The representation, omission, or practice must be a “material” one. A “material” misrepresentation or practice is one which is likely to affect a consumer’s choice of or conduct regarding a product.

SUMMARY OF FTC POLICY STATEMENT ON UNFAIRNESS
- Delineates three factors of the concept of consumer unfairness:
(1) Unjustified consumer injury
The injury must satisfy three tests: 1) it must be substantial; 2) it must not be outweighed by any countervailing benefits to consumers or competition that the practice produces; and 3) it must be an injury that consumers themselves could not reasonably have avoided.

(2) Violation of public policy
Ask whether the conduct violates public policy as it has been established by statute, common law, industry practice, or otherwise.

(3) Unethical or unscrupulous conduct
Ask whether the conduct was immoral, unethical, oppressive, or unscrupulous.

SUMMARY OF FAIR INFORMATION PRACTICE PRINCIPLES
- Five core principles of privacy protection common to all of the fair information practice codes issued by government agencies in the US, Canada and Europe.

(1) Notice/Awareness
Consumers should be given notice of an entity’s information practices before any personal information is collected from them.

(2) Choice/Consent
Consumers should be given options as to how any personal information collected from them may be used.

(3) Access/Participation
Consumers should be able to view the data in an entity’s file and to contest that data’s accuracy and completeness.

(4) Integrity/Security
Data should be accurate and secure. Entities must take reasonable steps to assure data integrity. They should also take managerial and technical measures to protect the data against loss and against unauthorized access, destruction, etc.

(5) Enforcement/Redress
A mechanism to enforce the core principles is needed, such as self-regulation, private remedies and government enforcement.

- In terms of collecting personal information from children, parents should take an important role. Namely, parents should receive the notice and have the means to control the collection and use of their children’s personal information. Also, with respect to choice/consent, access/participation and integrity/security, parents should take a role.

RESPONSE TO FTC PAPERS
(1) IP address and personal information
Whether IP addresses are personal information or not is a complicated issue. The FTC decision against Sony BMG pointed out that “These facts (i.e. in order to listen to the CD on a PC, a consumer had to install software that submitted IP addresses and a numerical key identifying the album to BMG’s server, etc.) would be material to consumers in their purchase or use of the CDs.” But the decision didn’t seem to clearly state that IP addresses were personal information.

IP addresses could be used to identify a person in some cases, but not necessarily so. In addition, according to the FTC’s Online Privacy Protection Rule, an IP address would not fall within the definition of “personal information” unless associated with other individual identifiers.

Based on these facts, the reason submitting the IP address was regarded as “material” seems to be not that the FTC regarded the IP address as personal information, but that, in general, DRM software was not expected to submit IP addresses while Sony BMG’s did, and that submitting not only the IP address but also a numerical key identifying the CD would possibly “annoy” an “average” consumer who did not want to reveal personal preferences whenever he/she simply listened to a CD on a PC (even if it was actually difficult to identify who listened to the CD from IP addresses), and would possibly influence their purchasing decisions.

Maybe it was a reasonable decision in light of the FTC’s concept of a “deceptive practice”. But it may be a little doubtful that a general web user, especially a child, recognizes that his/her IP address is submitted to a web server when he/she browses web pages, and that the server administrator can tell which pages a user with a specific IP address saw, and when.

(2) Used CDs
The FTC’s order requires Sony BMG to distribute a patch to uninstall the malicious software “for a period of two years after the date that this order becomes final”. However, it is expected that someone will buy Sony’s CDs containing the malicious software through used CD stores or eBay after Sony stopped selling the CDs. Does Sony have no responsibility to distribute a patch to those consumers? Also, do a used CD store, a seller on eBay who sells the CDs, or eBay itself have no liability?

IN THE MATTER OF SONY BMG SUMMARY AND RESPONSE

In the Sony BMG Rootkit Incident, Sony was found by the FTC to have placed software on their music CDs that would use the Autostart function in Windows to install itself onto consumers’ computers. Once installed, the software would phone home to Sony and report the user’s IP address and an ID of the song and album being played. Beyond this, the rootkit had two other major effects. First, it required users to install and use a particular media player for the CD. Second, it created an easily exploited vector that could be (and was) used by nefarious persons to take control of users’ computers. In some cases, all of this was done without the user even having agreed to a EULA, or accepted in any way that software would be installed on their computer.

In the aftermath of the discovery of the rootkit, the FTC cited violations of the Federal Trade Commission Act and routed Sony BMG through its legal apparatus. In addition to Sony BMG having to pay through the nose for its violation of the Act, this incident had disastrous results for the company’s reputation, for that of many other companies using DRM, and for DRM itself.

There are a number of issues that are raised in the supplemental reading on this topic, such as the role the DMCA plays in protecting malicious code, the policy dilemma that would lead Sony to make such a decision, the intrigue of Elvis impersonators being hired by one of the top content producers in the world, and the ability of a EULA to give unchecked protection to a product.

Of these issues, a couple of questions come to mind. Of course, one must wonder how MediaMax and XCP have survived thus far without Sony destroying them in court. As of the writing of “Magnificence,” Sony BMG and MediaMax were still duking it out. More germane to our class, though, the power of the EULA and of the DMCA needs to be addressed. The EULAs used by MediaMax and XCP provided surprisingly good disclosure (all things considered), but is it OK to create a malicious program if it says what it will do in its EULA? So far, the courts seem to say, “Yes, that’s fine.”

With regard to the DMCA, the discussion is around what kinds of protection are granted to security researchers to perform their work. Currently, the answer (as we saw in the Ed Felten case) is that security researchers are constantly risking their own livelihood, and that of their organization, by running afoul of the DMCA. Are there ways we can change the incentives around this issue?

ANTI-SPYWARE COALITION BEST PRACTICES

It is ultimately up to the user to determine whether a technology’s behavior is wanted or unwanted, since it may be unwanted in one context and wanted in another.

Behaviors of potentially unwanted technology include:
- Tracking
- Advertising display
- Remote control
- Dialing
- System modifying
- Security analysis
- Automatic download
- Passive tracking

Best practices for potentially unwanted technology include:
- Value to the User
  o Offers the user a reason for downloading or installing a piece of potentially unwanted technology.
  o All software technology sold or given away for free should offer value to the user.
  o The value to all impacted users should outweigh the risks posed by the software technology.
- Notice
  o Accurate, accessible, and complete.
  o Prominent if there are material implications for user privacy, security, or computing experience.
- Consent and Control
  o Nothing happens without user consent (opt-in).
  o No requirement for the user to consent to the collection, use, or disclosure of information beyond what is required to provide the services or applications in question, without clear choices for the user.
- Security
- Redress