Prepared by Michael Lissner, Jessica Santana and Kentaro Suzuki

SUMMARY OF FTC POLICY STATEMENT ON DECEPTION
-Provide a concrete indication of the manner in which FTC will enforce its deception mandate.
(The FTC Act Section 5: unfair or deceptive acts or practices are unlawful. Section 12: specifically prohibits false ads likely to induce the purchase of food, drugs, devices or cosmetics. Section 15: defines a false ad for purposes of Section 12 as one which is “misleading in a material respect.”)

3 Elements of deception
(1)There must be a representation, omission or practice that is likely to mislead the consumer.
(2)Examine the practice from the perspective of a consumer acting reasonably in the circumstances. If the representation or practice affects or is directed primarily to a particular group, the Commission examines reasonableness from the perspective of that group.
(3)The representation, omission, or practice must be a “material” one. A “material” misrepresentation or practice is one which is likely to affect a consumer’s choice of or conduct regarding a product.

SUMMARY OF FTC POLICY STATEMENT ON UNFAIRNESS
- Delineate 3 factors of the concept of consumer unfairness;
(1) Unjustified consumer injury
The injury must satisfy three tests: 1) it must be substantial; 2) it must not be outweighed by any countervailing benefits to consumers or competition that the practice produces; and 3) it must be an injury that consumers themselves could not reasonably have avoided.

(2) Violation of public policy
Ask whether the conduct violates public policy as it has been established by statute, common law, industry practice, or otherwise.

(3) Unethical or unscrupulous conduct
Ask whether the conduct was immoral, unethical, oppressive, or unscrupulous.

SUMMARY OF FAIR INFORMATION PRACTICE PRINCIPLES
-5 core principles of privacy protection common to all of the fair information practice codes issued by government agencies in the US, Canada and Europe.

(1)Notice/Awareness
Consumers should be given notice of an entity’s information practices before any personal information is collected from them.

(2)Choice/Consent
Consumers should be given options as to how any personal information collected from them may be used.

(3)Access/Participation
Consumers should be able to view the data in an entity’s file and to contest that data’s accuracy and completeness.

(4)Integrity/Security
Data should be accurate and secure. Entities must take reasonable steps to assure data integrity. Also, they should take managerial and technical measures to protect the data against loss and unauthorized access, destruction, etc.

(5)Enforcement/Redress
A mechanism in place to enforce the core principles is needed, such as self-regulation, private remedies and government enforcement.

-In terms of collecting personal information from children, parents should take an important role. Namely, parents should receive the notice and have the means to control the collection and use of personal information from their children. Also, with respect to choice/consent, access/participation and integrity/security, parents should take a role.

RESPONSE TO FTC PAPERS
(1) IP address and personal information
Whether IP addresses are personal information or not is a complicated issue. The FTC decision against Sony BMG pointed out that “These facts (i.e., in order to listen to a CD on a PC, a consumer had to install software that submitted IP addresses and a numerical key identifying the album to BMG’s server, etc.) would be material to consumers in their purchase or use of the CDs.” But the decision didn’t seem to clearly state that IP addresses were personal information.

IP addresses could be used to identify a person in some cases, but not necessarily so. In addition, according to the FTC’s Online Privacy Protection Rule, an IP address would not fall within the definition of “personal information” unless associated with other individual identifiers.

Based on these facts, the reason why submitting the IP address was regarded as “material” seems to be not that the FTC regarded IP addresses as personal information, but that, in general, DRM software was not expected to submit IP addresses while Sony BMG’s did, and that submitting not only the IP address but also a numerical key identifying a CD would possibly “annoy” an “average” consumer who didn’t want to reveal personal preferences whenever he/she merely listened to a CD on his/her PC (even if it was actually difficult to identify who listened to the CD from IP addresses), and would possibly influence purchasing decisions.

Maybe it was a reasonable decision in light of the FTC’s concept of a “deceptive practice”. But it is a little doubtful that a general web user, especially a child, recognizes that his/her IP address is submitted to a web server when he/she browses web pages, and that the server administrator can recognize which pages a user with a specific IP address saw, and when.

(2) Used CD
The FTC’s order requires Sony BMG to distribute a patch to uninstall the malicious software “for a period of two years after the date that this order becomes final”. However, it is expected that someone will buy a Sony CD including the malicious software through used CD stores or eBay after Sony has stopped selling the CDs. Does Sony have no responsibility to distribute a patch to those consumers? Also, does a used CD store, a seller on eBay who sells the CDs, or eBay itself have no liability?

IN THE MATTER OF SONY BMG SUMMARY AND RESPONSE

In the Sony BMG Rootkit Incident, Sony was found by the FTC to have placed software on its music CDs that would use the Autostart function in Windows to install itself onto consumers’ computers. Once installed, the software would phone home to Sony and report the user’s IP address and an ID of the song and album that was being played. Beyond this, the rootkit had two other major effects. One, it required that users install and use a certain media player for the CD. Two, it created an easily exploited vector that could be (and was) used by nefarious persons to take control of users’ computers. In some cases, this was all done without the user even having agreed to a EULA, or accepted in any way that software would be installed on their computer.

In the aftermath of the discovery of the rootkit, the FTC cited violations of the Federal Trade Commission Act, and routed Sony BMG through its legal apparatus. In addition to Sony BMG having to pay out the nose for its violation of the Act, this incident had disastrous results for the company’s reputation, that of many other companies using DRM, and on DRM itself.

There are a number of issues that are raised in the supplemental reading on this topic, such as the role the DMCA plays in protecting malicious code, the policy dilemma that would lead Sony to make such a decision, the intrigue of Elvis impersonators being hired by one of the top content producers in the world, and the ability of a EULA to give unchecked protection to a product.

Of these issues, a couple of questions come to mind. Of course, one must wonder how MediaMax and XCP have survived thus far without Sony destroying them in court. As of the writing of “Magnificence,” Sony BMG and MediaMax were still duking it out. More germane to our class, though, the power of the EULA and of the DMCA needs to be addressed. The EULAs used by MediaMax and XCP provided surprisingly good disclosure (all things considered), but is it OK to create a malicious program if it says what it will do in its EULA? So far, the courts seem to say, “Yes, that’s fine.”

With regard to the DMCA, the discussion is around what kinds of protection are granted to security researchers to perform their work. At present, the answer (as we saw in the Ed Felten case) is that security researchers are constantly risking their own livelihood, and that of their organization, by running afoul of the DMCA. Are there ways we can change the incentives around this issue?

ANTI-SPYWARE COALITION BEST PRACTICES

It is ultimately up to the user to determine whether a technology’s behavior is wanted or unwanted, since it may be unwanted in one context and wanted in another.

Behaviors of potentially unwanted technology include:
-    Tracking
-    Advertising display
-    Remote control
-    Dialing
-    System modifying
-    Security analysis
-    Automatic download
-    Passive tracking

Best Practices for potentially unwanted technology include:
-    Value to the User

o    Offers the user a reason for downloading or installing a piece of potentially unwanted technology
o    All software tech. sold or given for free should offer value to user.
o    The value to all impacted users should outweigh risks posed by software tech.

-    Notice

o    Accurate, accessible, and complete
o    Prominent if material implications for user privacy, security, and computing experience

-    Consent and Control

o    Nothing happens without user consent (opt-in).
o    No requirement for user to consent to collection, use, or disclosure of information beyond what is required to provide the services or applications in question without clear choices for the user.

-    Security
-    Redress

Prepared by Andy Brooks, Jeremy Whitaker, and Jonathan Yen

Copyright

Sony Corp. of America v. Universal City Studios, Inc., 464 U.S. 417 (1984)

1975 – Betamax VTR released by Sony
1976 – Plaintiffs (Universal and Disney) seek monetary damages and injunction against Sony in California District Court
1979 – District Court denies Plaintiffs
1981 – Court of Appeals reverses District Court judgment and holds Sony liable for contributory infringement.
1982~1984 – Supreme Court orders a review, re-argument, and reversal of Court of Appeals judgment.

Facts: In 1975 Sony released the first video tape recorder (VTR) for the consumer market. Two major entertainment studios (Universal and Disney) brought suit over concerns that consumers would use the VTR to record copyrighted material and that empowering the home user with VTR recording capabilities would break important invisible philosophical boundaries that would result in lost control for the copyright holders.

A detailed investigation of consumer usage by the District Court uncovered two primary types of consumer behavior. While a fair number of users were found to be accumulating small collections of tapes, this usage was seen as limited by costs to the consumer and lack of real damage to the rights holder. Instead, the Courts focused on time shifting: the recording of programs not normally viewable in the confines of the consumer’s regular schedule. Neither of these uses was shown to decrease television viewing by the owners of VTRs.

While the studios alleged that the device could be used for copyright infringement, they produced no evidence which illustrated “the transfer of tapes to other persons, the use of home recorded tapes for public performances, or the copying of programs transmitted on pay or cable television systems.” However, the studios alleged that by simply marketing the device Sony was liable for consumers’ infringing actions.

Court Findings: Ultimately, the Supreme Court’s decision for Sony was based on several issues. First, the plaintiffs did not represent the concerns of all members of the broadcast industry. Notable copyright holders, including Fred Rogers of Mr. Rogers’ Neighborhood, most major sports organizations, educational broadcasters (PBS), and religious groups testified that they approved of consumers using the device to record broadcasts for later viewing. Second, the Court found that time shifting was considered fair use under copyright law because consumers were not capitalizing from the act, and the technology spread the benefits of information to a greater number of people. Third, the Court noted that the studios maintained powerful methods of generating profit from different activities. Fourth and perhaps most importantly, the Court did not find that Sony was promoting the device for copyright infringement and argued that an injunction would harm the larger consumer market that benefited from legitimate use. This is a major departure from the Court of Appeals, which ruled the opposite, based on its interpretation that there were no non-infringing uses which might protect Sony from contributory infringement. In its argument, the Supreme Court underscored these non-infringing uses and gave deference to Congress’ responsibility to find the balance between protecting creative ingenuity (copyright) vs. promoting social use.

Response: Collectively we were quite interested in the fair use portion of the Court’s decision. In his dissent, Justice Blackmun argued that fair use applies when the copyrighted work is modified to produce something with public benefit, such as “criticism, comment, (or) news reporting.” However, the majority of the Court applies a creative interpretation of fair use, seeing time-shifting as a kind of extension of functionality to the original work, with the user manipulating the time of broadcast to the time-slot that best fits their schedule. We expect this creative interpretation is buffeted by the reality that VTR is not a direct 1:1 copy and degradation does occur, and, as we all know, future cases involving digital copying are not given the same treatment.

Another point of interest is how the development of this technology ultimately shook out for Disney/Universal. In hindsight we know that video media has been a huge profit source for these studios, with some films making more money in retail sales of home media formats than total box office revenue. Likewise the economies of many countries have benefited significantly by the ubiquity of personal entertainment systems and home media consumption.

MGM Studios, Inc. v. Grokster, Ltd. 545 U.S. 913 (2005)

Facts: In 2005, MGM sued peer-to-peer (P2P) file sharing application manufacturers Grokster and StreamCast (Morpheus), who were similar to the defunct Napster file-sharing service. MGM acted on behalf of a group of 28 copyright holders, alleging that these applications contributed to copyright infringement. MGM argued that Grokster created and promoted the software as a means to illegally acquire copyrighted material. Both the District Court and Court of Appeals ruled for Grokster, referring to Sony as precedent and affirming that Grokster’s software had legitimate uses, and that removing it from the market would infringe upon Grokster’s rights. Several software companies filed amicus briefs supporting Grokster, including Microsoft and Intel. The Court was tasked with reconsidering Sony in light of new technological developments that lowered the barrier to infringing copyright.

Court Findings: The Court weighed the “competing values” (p.450) of protecting creativity through copyright vs. promoting technological innovation, but ultimately reversed the appellate court’s decision and found for MGM. First, Grokster knowingly and purposefully promoted its software as an alternative to the defunct Napster, which was successfully sued by copyright holders. Second, Grokster was aware of how users perceived and used its software, made no effort to prevent copyright infringement, and actively induced/encouraged users to infringe upon copyrights. Lastly, Grokster generated revenue from users’ actions, by way of advertisements that displayed within the software. Grokster had economic incentive to promote copyright infringement, as any use increased advertising revenue, and was therefore liable for contributory infringement. Sony, by contrast, had never materially contributed to copyright infringement in the sales of its device and could not be held liable for contributory infringement, even if its device made it possible for the user to infringe copyrights.

Response: In Grokster, we find that the Court is building upon some of the issues raised in Sony with regard to the contributory promotion of infringing use. However, with Grokster, the promotion is so blatant and the collected strength of the industry so coordinated that it makes the Court’s interpretation a bit predictable. One issue with Napster/Grokster, though, is that these are flagrant abuses of copyright and there are many more fair use opportunities in the greater P2P community/technology. Legitimate usages such as Skype, large file distribution by companies like Blizzard, Valve, and the Open Source community, and distributed media streaming (Miro, Livestation) make P2P a technology that will require use-by-use reviews from the court.

Privacy

18 USC 2512 (electronic communication interception devices)

18 USC 2512 states that all devices which are primarily intended to be used for wire, oral, or electronic communication interception are forbidden to be possessed, manufactured, sold, advertised, or transported interstate or internationally, unless the device is intended for use by a communications company or political agency.

Response: As the defendants argue in Spy Factory, Congress is a bit unclear with its definition surrounding ESIDs. We can see instances where the definitions of “primarily” and “intended” can be argued. While “political agency” is a term that is easy to interpret, we consider “communications company” to be in need of clearer definition. Perhaps when the law was written communications companies were only telephone service providers, such as the “Ma Bell” version of AT&T. We see all sorts of communications companies today, from AT&T (land line, wireless, etc.) to Comcast (cable, VOIP) to Iridium (satellite). Could an email service provider, say Microsoft as the owner of Hotmail, be a communications company?

2512’s broad scope also makes us consider “what about…” questions. For example, what about parabolic microphones as often seen at sporting events and sold without 2512 restrictions? Would it be permissible to use such a device to listen in on your neighbors? What of an employer using these technologies to monitor your online chat conversations on their corporately controlled network? What if invasions of privacy are happening in conversations between employees and non-employees? What are employers allowed to monitor, with what tools, and what can they act on? Some of these questions may be covered in our Week 14 readings.

United States v. Spy Factory, 951 F. Supp. 450, 1997 (S.D.N.Y. 1997) Background and § II

Facts: Biro, Alon, Arce, and Demeter were retailers and traffickers in surveillance devices (ESIDs) who were arrested in sting operations in Miami in the mid-90s. Their businesses, Spy Shops and G.E.S Electronics, sold ESIDs shaped as everyday devices like pens, wall plugs, calculators, and lightbulbs which were in fact audio recording devices used for eavesdropping. Originally a district court found Biro et al. guilty on various charges, but they appealed and the case was reviewed by the Eleventh Circuit Court of Appeals. Biro et al. charge that they were aware of legal restrictions on the sale of these devices but claim they were allowed by law to sell the devices to law enforcement agents or for export, even though statute 2512 forbids the sale of such devices without an explicit contract to do so. Biro et al. further charged that because 2512 did not include examples it was unconstitutionally vague and failed to give “adequate notice to the public of the prohibited conduct” (p.458).

Court Findings: The Court of Appeals, taking guidance from the Supreme Court, reviewed the vagueness charge insofar as the statute must “define the criminal offense with sufficient definiteness that ordinary people can understand” (p.459). The Court of Appeals finds that “the statutory language expressly describes the nature of the prohibited items” and this is hinged upon the statute’s use of the word “surreptitious” (p.461). Additionally, the court explores how a product’s designer expresses their intention for how the device will be used by giving it certain “objective physical characteristics”, and how a user’s intention for how they will use the device can often be determined based on those “objective physical characteristics” (p.461). The Court differentiates products sold by Biro et al. as being singularly designed to conceal their true function as “transmitters for the purpose of secretly intercepting oral communications.”

Response: This seems like a fairly obvious case where the defendants were clearly bending their interpretation of the law to their needs. However, their defense, as mentioned above in 18 USC 2512, underscores how statutes and the law need to be precise in their definition. We see a correlation between this issue and those raised later in Superuser.

Examples: Laser Audio Surveillance (only $38,000), Pen Camera, Cellular Interceptor, and Audio Transmitter.

FTC v. Cyberspy Software

11/5/2008 – Complaint for Permanent Injunction and other Amended Relief
11/6/2008 – Temporary Restraining Order, Order to Show Why A Preliminary Injunction Should Not Be Granted, a Notice of Hearing
11/25/2008 – Preliminary Injunctive Order

Facts: FTC v. Cyberspy is a very recent case that illustrates the FTC’s efforts to block the sale of spyware and keylogger software, RemoteSpy. The FTC begins by aggressively putting its full weight behind a request for a permanent injunction and equitable relief that would bar Cyberspy from distributing its software, while rescinding all contracts and disgorging Cyberspy of “ill-gotten gains” (p.480). The court responds quickly with a temporary restraining order which, once received by Cyberspy, forbids them from “promoting, selling, or distributing…” (p.502) RemoteSpy and assisting others with doing the same. Cyberspy essentially has to go dark on RemoteSpy, and not do/say anything about it. The court then follows up, after hearing from the defendants, with the preliminary injunctive order to put a long term freeze on Cyberspy’s activities.

Response: Using the evidence provided by the FTC it seems we have a blatant case of criminal wrongdoing. Cyberspy unabashedly promotes software that intentionally enables users to spy on others and collect personal information about them. It is contributory infringement, as one party is assisting others by providing technology to do something illegal.

Ohm, Paul — The Myth of the Superuser: Fear, Risk, and Harm Online, 41 U.C. Davis L. Rev. 1327 (2008)

Ohm defines Superuser as “a computer user who possesses power that the ordinary user does not.” He argues that the myth of the Superuser is constructed from stories and anecdotal evidence about alleged Superusers that are often overstated by tech experts and policymakers, who build on this fear of the Superuser to come up with laws designed to stop anyone who might move in any pattern similar to that of a Superuser. Ohm declares that the Superuser’s powers are greatly exaggerated and that policy should be aimed at general misuse instead of the mysterious powers of technology überlords. Ohm’s explanation of the origin of the Superuser myth is fear of technology and the murkiness of the powers of the Internet. In particular he speaks of the tools of the Superuser which can only be used and understood by the Superuser herself. These cultural fears are further exacerbated by the media’s portrayal of Superusers in popular movies where the flick of a mysterious switch created mass havoc.

Ohm argues that greater awareness of the mythological Superuser is needed and that fear of Superusers themselves has led to policy that overcompensates for what is misunderstood. He suggests that there be more fact-finding and analysis of Superusers, and lists out certain types of Superuser stories that should be ignored. Generally speaking, Ohm recommends disregarding stories that target people’s fears, and denounces populist policies that are made to alleviate people’s fears. In the case of the Superuser, Ohm urges us to act rationally and to recognize our fears rather than to act impulsively. Clear examples come to mind where emotions have dictated policy — the Japanese-American internment during World War II, McCarthyism, the policy reaction to the 9/11 attacks, and others.

Ohm describes tools similar to Cyberspy as enabling “script kiddies” to perform acts they would otherwise not have the knowledge to pursue. By cutting off Cyberspy the FTC is trying to limit these types of tools, built by Superusers, sold to script kiddies. In alignment with the myth, the fear of misuse justifies the Court to act quickly by determining no potential use could ever outweigh misuse. There are likely to be many cases where the balance is not quite so clear cut (see P2P usage).

We agree with Ohm’s sentiment regarding the construction of laws that accurately target misuse instead of having a broad and overly general policy set to capture every possible use. With regard to the laws built post-9/11 we see the Superuser example as representative of the problems caused by the shifting political climate and a good example of why the separation of powers, and a nonpartisan court, is so important.

Supplemental Reading

EPIC complaint to the FTC In the Matter of Awarenesstech.com, RemotePCSpy.com, Covert Spy.com, RemoteSpy.com, and Spy-guide.net.

EPIC is the Electronic Privacy Information Center, a public interest group based in Washington, D.C. that “focuses public attention on emerging civil liberties issues and to protect privacy, the First Amendment, and constitutional values.” [See http://www.epic.org] In the age of increasing device and service complexity, we see organizations like EPIC working to keep the Federal Trade Commission (FTC) informed of the latest technologies. Without organizations like EPIC, policing would fall primarily to the government and individual citizens.