The Broader Benefit of Benefit Corporations

Ello, an ad-free social network, recently closed another round of venture funding, raising $5.5M. Exciting, right? Another social media start-up getting some Series A funding. While $5.5M is surely nothing to sneeze at, perhaps the more interesting feature of this next stage of Ello's life is that it's registered itself as a public benefit corporation, enshrining in its corporate charter as a "public benefit" that it will never show ads or sell user data. To date, 27 states have enacted legislation recognizing "Benefit corporations," entities that give directors legal protection to pursue social and environmental goals over maximizing investor returns. According to benefitcorp.net, a defining characteristic of benefit corporations is that "they are required to create a material positive impact on society and the environment." One of the largest early adopters of the benefit corporation form was outdoor clothing and gear company Patagonia. In doing so, Patagonia sought a structure that would prevent shareholders from suing it in the pursuit of costly environmental initiatives, such as donations to environmental organizations and support of renewable energy sources, that allowed it to serve the welfare of the global community. Warby Parker, with its initiatives ranging from staying carbon neutral, to providing low-cost eyewear to those in need, and even sponsoring a local Little League team, similarly sought the insulation of its directors through the benefit corporation structure. In both examples, the benefit corporation produces a direct, measurable and concrete positive impact on their communities and the environment. Ello's election to benefit corporation status brings with it a tweak to what we've seen so far. Even though Ello has registered as a public benefit corporation, their mission is in many ways fundamentally different from more well-known predecessors. 
Whereas Patagonia and Warby Parker have employed the benefit corporation as a way to protect their support of immediate and material benefits to the public good outside of the scope of their direct relationship with their consumers, Ello seems to have stretched the breadth of the defining characteristic of benefit corporations to protect what it believes to be the intrinsic value of its product. Is protecting users from ads a public benefit in kind with what we've seen from Patagonia and Warby Parker? In allowing Ello to register as a benefit corporation, Delaware state law seems not to see a distinction. Whatever the limits of the definition of public benefits, one thing Ello has shown about benefit corporations is how useful they can be in insulating directors from investor interference. Whether or not Ello's mission can truly be said to be in pursuit of the public good, they have succeeded in securing the pursuit of their vision. In effect then, perhaps it makes more sense to refer to Ello as a "mission" corporation, protecting the discretionary judgment of its leadership beyond its fiduciary duties to investors, than a benefit corporation. To all of the entrepreneurs of the world, be aware of this broader benefit.

Written by

November 25th, 2014 at 10:37 pm

SOPIPA: A first step towards national standards for student data protection

In recent years, school districts have begun incorporating computers and tablets in the classroom to instantly deliver personalized content and interactive technologies to enhance student learning.  However, the increasing use of technology in classrooms coupled with the expanding market for targeted advertising has sparked major concerns over third-party collection and use of student data. Children are particularly vulnerable because, unlike adults who generally understand the implications of consumer privacy policies, children are unable to give any sort of meaningful consent to the type of collection scheme utilized by education technology companies.  While the federal law does offer some protection to the online privacy of children, these laws were written before the information era of smartphones and cloud storage. On Sept. 29, California became the first state to pass a sweeping law that protects the use of student educational data by third-party vendors.  The Student Online Personal Information Protection Act (SOPIPA) prohibits online education service companies from selling and/or using student data for purposes of targeted advertising.  Specifically, it prohibits the use of "information, including persistent unique identifiers, created or gathered by the operator's site, service, or application, to amass a profile about a K-12 student, except in furtherance of K-12 school purposes."  The law also requires online service providers to implement security procedures to protect student data and requires that these providers delete data at the request of a school. In response to SOPIPA, certain key industry players signed onto a pledge to adopt similar student data protections nationwide.  By signing the pledge, the participating companies publicly promise not to sell information or conduct targeted advertising using data obtained from K-12 students. 
This pledge is not legally binding, but does leave the participating companies open to enforcement actions by the Federal Trade Commission.  Notably, Google refused to sign the Pledge, despite the fact that SOPIPA was pushed through largely in response to breaking news that Google was scanning student emails for advertising purposes. According to social media attorney Bradley Shear, “Google's refusal to sign the industry backed pledge appears to be an acknowledgement that if it signs the Pledge it will be in violation of Article 5 of the FTC Act regarding unfair and deceptive trade practices.” A lack of federal standards allows companies like Google to continue questionable data collection practices.  The lack of federal standards also makes compliance with SOPIPA and other state-implemented privacy laws extremely difficult for online education companies that provide services in multiple states. While SOPIPA has the potential to serve as a template for federal reform, there are some ambiguities in the law that should be addressed.  First, it is unclear what is encapsulated by the phrase “K-12 school purposes.”  Should it be read narrowly to cover services used solely for instructional and educational purposes or more broadly to cover products used for administrative functions like storing student records?  Arguably, the provision could be interpreted to include social media sites that have some educational connection but are not exclusively used for K-12 purposes.  Furthermore, because SOPIPA does not include any user control provisions, a school might elect to retain student records for educational analytics purposes for an unlimited amount of time.  In addition to clarifying the definition of K-12 purposes, federal legislation should consider including such user control provisions in order to give students and parents some ability to decide how their data is collected, used, and stored. 
Regardless of these ambiguities, SOPIPA represents an admirable first step towards establishing national standards for student data protection.  

Written by

November 24th, 2014 at 1:18 pm

Posted in Commentary

Is Electronic Dance Music Illegal?

Bad news for music fans: Girl Talk is illegal[1], according to language put forward by the Sixth Circuit. This language applies to all “mash-up” artists and “sample artists” that use clips from other artists’ songs without permission. According to a 2008 New York Times article, “Girl Talk’s music is a lawsuit waiting to happen.” Yet, to this date, not even one of the hundreds of artists sampled by Girl Talk has brought a lawsuit against him. Meanwhile, Girl Talk is paid handsomely to tour all around the world and even has his own day named after him in Pittsburgh. Girl Talk takes different elements from many diverse styles and decades of music—for example, a Rolling Stones guitar riff, an 80’s electronic drum beat, and an early 2000’s rap verse—and mashes them all into his own modern symphony. A four-minute Girl Talk track may have over thirty different artists on it. Girl Talk has released six albums, all of which you can download for free off of http://illegal-art.net/girltalk/. As one site put it, “Girl Talk’s album Feed the Animals, which uses over 300 samples, would have never been made if he felt the need to do it legally.” Requiring that a mash-up artist acquire licenses for all of his sound clips would eliminate mash-ups as a style of music. This all begs the question—is Girl Talk legally obligated to pay for licensing fees for all of the artists he samples? Or morally obligated? The answer may be different for each of these questions, according to some legal scholars. Some agree that the law, as it currently stands, bans mash-ups, but advocate for an alternative system of licensing for sampling due to the harshness of the Bridgeport decision. Girl Talk himself has always cited Fair Use as a protection for his art, which is a four-factored test which comes from the 1976 Copyright Act. 
Weighing in on this idea, law professor Peter Friedman states, “I would advise that client not to sue Girl Talk; [Girl Talk]’s argument that he has transformed the copyrighted materials sufficiently that his work constitutes non-infringing fair use is just too good.” Forbes notes that “it is telling that no artist that has been sampled by Girl Talk has ever complained.” Having seen “Girl Talk” live, my sincere hope is that he is allowed to continue to produce music and that sampling and DJ-ing are allowed to continue as musical styles. Given that all mash-up artists currently operate in a “legal purgatory,” it would be helpful if current laws were updated so that these artists could continue to produce music without the persistent fear of an industry-ending lawsuit.  

[1] According to the case of Bridgeport Music, Inc. v. Dimension Films, 410 F.3d 792, 801 (6th Cir. 2005), the rule could not be any clearer: “Get a license or do not sample.”  

Written by

November 11th, 2014 at 9:02 pm

Posted in MTTLR Journal

Is Genius.com the Next Napster?

Back in 1999, two tech nerds named Shawn Fanning and Sean Parker upended the entire music industry with the launch of their peer-to-peer music sharing service Napster. All of a sudden, music consumers could get any song they desired for the price of “free.” In less than a year, Napster had over 20 million users. Napster obviously facilitated copyright infringement and the music industry responded strongly, fronted by the RIAA (Recording Industry Association of America) and high-profile artists such as Lars Ulrich from Metallica and Dr. Dre. By July of 2001, the RIAA’s lawsuit successfully shut down Napster. While the music industry may have won the Napster battle, it looks like it's still losing the digital war over free distribution of copyrighted property. According to the RIAA, record sales in the US have dropped 47%, from $14.6 billion in 1999 to $7.7 billion in 2009. Some studies have found that music piracy worldwide accounts for an economic loss of $12.5 billion a year. Other studies claim that economic loss to the music industry is beside the point of copyright protection. As the argument goes, copyright protection exists to incentivize the creation of new works, and according to some analysts, high quality musical creations are still produced at high volumes even since the “Napster Revolution.” While online piracy of digital music is a fairly obvious and high-profile example of intellectual property theft, artists and record labels stand to be highly compensated through means other than record sales. Whenever a bar plays a copyrighted song on a jukebox or a network covering a football game broadcasts a famous tune played by a marching band, royalties are owed to those that own the song’s publishing rights. But more recently, some in the music industry are waging a new war on a seemingly more innocuous strand of copyright infringers: lyric websites. 
Leading this charge are Camper Van Beethoven and Cracker frontman David Lowery and the National Music Publishers Association (NMPA). The NMPA claims that websites that post song lyrics on their sites make revenue through ad sales, but none of these lyrics are licensed and no money goes to the copyright holders. Lowery compiled a list of the 50 worst offenders. Number one on the list: Genius.com. Genius, which was rebranded from Rap Genius in July of 2014 and raised $40 million in investor funding this spring, claimed that it stood apart from the other websites posting lyrics. As one of the founders, Ilan Zechory, put it, “The lyrics sites the N.M.P.A. refers to simply display song lyrics, while Rap Genius has crowdsourced annotations that give context to all the lyrics line by line, and tens of thousands of verified annotations directly from writers and performers. These layers of context and meaning transform a static, flat lyric page into an interactive, vibrant art experience created by a community of volunteer scholars.” Now Genius is expanding their content beyond just music lyrics, hoping to be a forum for interactive annotation and discussion in the realms of literature, news, and scholarship. When first confronted by the NMPA and Lowery’s “take down” notice, Genius implied through the press that their use of the lyrics constituted “fair use” since it was being used for the purposes of commentary and criticism. The NMPA and Genius, however, have yet to make their arguments in court. Currently, Genius has begun entering into licensing deals with a number of publishing companies, thereby staving off a potential collapse to their business model. But the bigger issue may be whether artists and publishers are well served by being “copyright maximalists,” going after every threat posed to their intellectual property. 
The music industry may be better served by allowing consumers to freely interact with some intellectual property in a meaningful way, and potentially reap the benefits of that heightened interest through other avenues of revenue. Perhaps sites like Genius can help resuscitate the music industry in a way Napster never could.

Written by

November 6th, 2014 at 11:02 pm

Posted in Commentary

Technology Companies Fight Back Against Government Requests For User Data

In response to privacy concerns surrounding data transmission and disclosure of information, the federal government has enacted a couple of laws, most notably the Privacy Act of 1974 and the Health Insurance Portability and Accountability Act (“HIPAA”), in order to safeguard individuals’ private information. The Privacy Act of 1974 was enacted in reaction to the dawning age of information and was an attempt by the federal government to protect individuals’ privacy rights. The Act requires governmental agencies to do four things regarding the information they collect and store about private US citizens: 1) to, upon request, tell an individual what information they've collected about him or her, 2) to allow individuals to correct or amend that information, 3) to use certain principles when handling and using the information, and 4) to follow certain guidelines restricting how the individual’s information is shared with other agencies and people. HIPAA provides similar protections, specific to disclosures of personally identifiable information in the healthcare setting. However, despite the enactment of such federal laws, people like Steven Rambam, CEO of Pallorium, an international investigative agency, deliver lectures titled “Privacy is Dead – Get Over It”. The feeling that federal laws don’t protect individuals from unauthorized disclosures of private information is probably due in large part to the fact that neither the Privacy Act nor HIPAA adequately protects consumers from US law enforcement agency requests for user information, such as requests from the National Security Agency.  Instead, providing safeguards from excessive government surveillance falls to the technology companies in possession of private individuals’ information. There has been a lot of push back from technology companies on both the concept that “privacy is dead” and the idea that the appropriate response to perceived breaches of privacy is to just “get over it”. 
Instead, current and emerging technology companies are putting technological safeguards in place to protect their users against governmental breaches of privacy. For instance, as detailed in another post on this blog, technology companies like Apple and Google have recently updated their privacy policy and introduced passcode encryption technology that the companies themselves cannot bypass. This allows individual consumers to be protected against attempts by law enforcement to incriminate them based on the contents of their Apple or Google electronic devices. Additionally, Facebook is in the process of developing an app that allows anonymity. Users would be able to discuss topics using multiple pseudonyms.  These technological developments are arguably in response to public opinion reflected in a statement made by Jameel Jaffer, deputy director of the American Civil Liberties Union, that, “Technology companies have an obligation to protect their customers’ sensitive information against overbroad government surveillance….” Even before the creation of technological safeguards against unauthorized disclosure of information to US law enforcement, technology and internet companies have battled the US government openly and directly in court and in Congress. In fact, the battle between technology companies and the US government concerning governmental requests for user data continues, as on Tuesday, October 4, Twitter sued the FBI and the US Department of Justice on First Amendment grounds, in order to release a transparency report documenting the exact number of government requests for user information the company received. Twitter is not the first technology or internet company to sue the US government seeking to change the current rules surrounding data request disclosures. Companies, including Apple, Google and Microsoft, have fought for users’ privacy rights in court and in Congress. 
In fact, in December 2013, eight companies including Apple, Microsoft, Facebook and Google formed a coalition called “Reform Government Surveillance” to lobby Congress to place greater restrictions on governmental surveillance. The aforementioned coalition settled with the federal government and reached an agreement that would allow for companies to disclose how many government data requests they received in groups of one thousand. Twitter, however, did not participate in this agreement and instead pushes for further National Security Agency data request disclosure rights. For instance, Twitter not only wants to disclose the number of requests but also what types of data the government had requested. Surveillance law reform is slowly making headway, as companies with strong lobbying power like Apple, Microsoft, Twitter, and Facebook push for restrictions on the US government’s power to compel the disclosure of individuals’ information and engage in bulk, seemingly indiscriminate, data collection. In the meantime, according to the Electronic Frontier Foundation (“EFF”), there is a notable portion of technology companies that not only require a warrant before they disclose user information but also notify users about government requests, publish transparency reports and law enforcement guidelines, and fight for users’ privacy rights in court and in Congress. It might be useful for technology and internet platform users to note which technology companies have their backs when it comes to privacy rights and which technology companies do not.

Written by

November 4th, 2014 at 6:11 pm

Posted in Legal/Tech News

Yielding to FCC Pressure, Verizon Scraps Plan to Extend Data Throttling to 4G Customers

Last week, Verizon appeared to cave to FCC pressure when it shelved a new network management policy which would have extended the controversial practice of “data throttling” to 4G customers with unlimited data plans.  Verizon’s decision put an end to its two-month spat with the FCC over whether the new policy would have violated the FCC’s Open Internet Order. To provide some background: Verizon has “throttled” (i.e. slowed) data speeds for some customers on its 3G network since February 2011.  This practice only affects customers on “unlimited” data plans whose data usage ranked in the top 5%, and only lasts for the duration that they are connected to a “congested” cell site.  On July 25 of this year, Verizon announced that, starting in October, it would extend this network management policy to its 4G network. Luckily for 4G customers on unlimited data plans, the FCC was paying attention.  In a letter sent less than a week after Verizon's announcement, FCC Chairman Tom Wheeler expressed doubts as to whether the new policy fit within the Open Internet Order’s definition of “reasonable network management.”  In particular, Mr. Wheeler found it “disturbing” that Verizon would “base its network management on distinctions among its customers’ data plans, rather than on network architecture or technology.”   Verizon responded swiftly to Mr. Wheeler’s criticism.  In a letter sent just two days later, Verizon explained that the policy targeted customers on unlimited data plans because they do not have an incentive to limit their data usage, which made them disproportionately responsible for network congestion.  On its face, this argument seems reasonable—after all, the FCC gives “mobile” broadband providers more leeway to manage their network than it does “fixed” broadband providers.  So why wasn’t the FCC satisfied? 
From the FCC’s point of view, the fatal flaw in the new policy was not that Verizon throttled data speeds for some customers, but that Verizon chose which customers it throttled based on their data plans.  If the new policy's purpose was to discourage or punish heavy data users, then it should not matter whether the customer being slowed had unlimited data.  Put another way, a customer with a 4G device who uses 5 gigabytes worth of data per month puts the same strain on Verizon’s network regardless of whether the customer is on a usage-based plan or an unlimited plan. Had the policy gone into effect, it would have effectively forced 4G customers on unlimited data plans to choose to either (a) put up with potential throttling, or (b) switch to usage-based data plans (which are more profitable for Verizon).  As both of these options would have resulted in customers receiving something less than “unlimited” data, the FCC was understandably skeptical of Verizon’s motive behind the new policy.[1] Regardless of whether the FCC’s concern was justified, Verizon’s decision to throw in the towel was likely influenced by other concerns.  For one, this dispute came at an awkward time between Verizon and its chief regulator.  Earlier this year, Verizon successfully challenged many of the FCC’s “net neutrality” regulations, which the FCC is currently in the process of rewriting.  Consequently, Verizon may have decided that it risked stricter regulations if it continued to fight.  (The fact that the FCC held a roundtable in September in which it discussed rescinding some regulatory exceptions for mobile broadband networks seems to reinforce this idea.)  It's also possible that Verizon decided it was unlikely to persuade the FCC in light of the FCC’s recent requests for information from other major wireless carriers regarding their own data throttling policies.  
This move could signal that the FCC intends to more carefully scrutinize network management policies going forward, or even that the FCC will be less permissive of data throttling policies going forward. Whatever Verizon’s true reason was for ditching its policy, the significant number of customers who remain on unlimited data plans suggests this may not be the last we hear about “reasonable network management” practices.

[1] By contrast, when Verizon first began throttling speeds for 3G customers in 2011, customers on unlimited data plans still had the option to keep their plans without speed limits by upgrading to the higher-capacity 4G network. In fact, some industry experts speculated that Verizon began throttling 3G precisely to encourage customers to make the switch to 4G.

Written by

October 27th, 2014 at 6:56 pm

What will happen to biotech’s patent thickets after Myriad and Prometheus?

Changing patentable subject matter standards have been on the mind of biotech patent holders for the last few years. A wide range of biotech patents that were widely considered valid have been called into question by the decisions in Mayo v. Prometheus and AMP v. Myriad. Even if the number of patents that are actually ruled invalid proves to be low, the uncertainty could still dampen investment in new technologies. This uncertainty has been particularly acute in the area of personalized medicine, where the Myriad ruling left a large number of diagnostic patents in question. Since the ability to diagnose individuals based on genetic and other biological information is key to the idea of personalized medicine, the ability to patent tests for specific indicators is important for its long-term growth. Patent holders aren't giving up without a fight, but the weakening of their patents gives them less leverage in their negotiations. While diagnostics may be struggling to maintain adequate patent protection, some areas of personalized medicine research have more protection than they need. A recent article in Nature Biotechnology explored the patent landscape that is forming around induced pluripotent stem cells (iPSCs). iPSCs were the basis of a Nobel prize in 2012, and are an exciting area with the potential to completely change the way that some areas of medicine are practiced. iPSCs could theoretically give scientists and doctors the ability to take a person's existing cells and grow them into any cell type in the body, like new pancreatic cells for people with diabetes or new heart tissue for heart attack patients. Most of the patents on iPSCs focus on either culturing the iPSCs from other cells or on differentiating the iPSCs into other cell types, raising the question of whether key iPSC technologies may be forming a "patent thicket." 
This situation is common in computers and electronics, where different entities have patents on overlapping fundamental aspects of a technology. It is much less common in pharmaceuticals and biotechnology where a product is often protected by one or two patents. With Myriad and Prometheus upending the existing body of law about patent-eligible subject matter, the entire landscape around iPSCs is uncertain. Distinctions can be drawn between the underlying iPSC technology and those cases, but challenges to the fundamental patents have at least gotten new traction based on the decisions. iPSCs provide a unique problem for the patent system like many new inventions in biotechnology, but they also provide a challenge to typical conceptions of biological patents. Challenges to the validity of these patents could put some stakeholders in awkward legal positions defending both stronger and weaker patent rights. They could also clear some of the patent thicket around iPSCs. The uncertainty could slow down efforts to bring iPSC technology to market. Or it could prompt patent holders to merge or to work together in pooling their patents for ease of licensing. The conventional wisdom is that weakened patent rights hurt the biotech industry but, in the iPSC area, the effects may be far more complex.

Written by

October 21st, 2014 at 12:55 am

Posted in Commentary

Weighing Patent Versus Trade Secret Protection in the Prior User Rights Era

As part of the Leahy-Smith America Invents Act (AIA) signed into law on September 16, 2011, Congress expanded the Prior User Rights defense to patent infringement.  Initially only available for business method patents, the AIA expanded Prior User Rights to all classes of inventions, with the goal of harmonizing the US patent system with IP rights in the rest of the world.  Prior User Rights are defined in the Patent Act under 35 USC 273 and provide an affirmative defense to patent infringement.  In order to prevail on the defense, the accused party must prove that they were practicing commercial use of the invention at least one year before the patentee’s effective filing date.  Thus, Prior User Rights are not something that a company can apply for like a patent, but rather they are a defense available to parties who present evidence of prior use in a patent infringement suit.  The defense is generally unnecessary for parties that non-secretively practice an invention, since they may present their prior use as a form of prior art under 35 USC 102 to invalidate the patent.  However, parties that use an invention in secret (e.g., a “trade secreted” process) may not present their use as prior art, but rather under Prior User Rights may present evidence of prior use as an affirmative defense to infringement, thereby making Prior User Rights part of a combined IP strategy with trade secret protection. Many companies in industries and technologies where trade secret protection is a viable strategy must weigh the pros and cons of trade secret versus patent protection.  Patent protection offers the right to exclude others from making, using, and selling a patented invention for twenty years.  The potential to secure a legal monopoly for a valuable technology is naturally very attractive for many companies.  However, securing patent protection is costly and may result in narrow or no protection in crowded technological fields where there is a lot of prior art.  
Just as importantly, patents require a detailed disclosure that teaches others how to make and use the invention.  For technologies where detecting patent infringement by competitors is difficult, enforcing a patent will also be difficult.  This lowers the value of the patent and makes the disclosure requirement highly undesirable.  Similarly, trade secrets come with their own set of pros and cons.  They have the advantage of being low-cost.  And their exclusivity will last as long as the technology is kept secret and is not reverse-engineered or independently developed, thereby giving potential exclusivity for longer than the twenty year patent term.   Also, trade secrets do not require disclosure (in fact they require the opposite: secrecy).  But trade secrets also come with the risk that the exclusivity will be lost if the proper protections are not followed or if the technology is reverse-engineered or independently developed.  And worse yet, the technology could be patented by another company resulting in a company being boxed out of its own technology.  This is where Prior User Rights change the equation.  With Prior User Rights, instead of being boxed out, the trade secret holder can continue to practice the invention based on a Prior User Rights theory. Before a company decides to rely on Prior User Rights, it should fully understand the limitations of Prior User Rights and the risks associated with relying on them.  First of all, Prior User Rights are a defense to patent infringement.  As such, companies will need to provide evidence of the prior use that meets legal evidentiary standards.  This requires companies to keep detailed records of the prior use, a process that presents difficult administrative challenges for any company.  
Also, because the law is so new, there is a lack of clarity on limitations such as the ability of the prior user to expand the capacity of the use, the ability to implement improvements, the requirements of continuousness of the use, and what constitutes a “commercial use” as required by the statute.  These are questions that will not be answered until a body of case law is built around this new area of law. So how much do Prior User Rights really affect the considerations for a company’s forward-looking approach to pursuing patent versus trade secret protection?  In reality, in most technical fields Prior User Rights do not change the equation enough to make a difference.  But for companies and technologies where the strategic advantages of trade secret protection and patent protection were previously balanced, Prior User Rights may be enough to tip the scales in favor of trade secret protection.  Companies concerned about the cost of patent protection may choose trade secret protection and be satisfied to compete with a later patent-filer as long as they can continue to practice their invention.  Other companies concerned with the difficulty of detecting infringement, such as for a trade secreted manufacturing process, may also be swayed towards trade secret protection.

Written by

October 15th, 2014 at 6:55 pm

Posted in Commentary

New iOS and Android Encryption Protections Spark Privacy Debate


On September 17, Apple updated its privacy policy to reflect privacy enhancements added to the most recent iteration of its iPhone mobile operating system, iOS 8. Notably, the update highlighted iOS 8’s new protection for user phone data: out-of-the-box passcode encryption that the company itself cannot bypass. Similarly, Google recently related to the Washington Post that Google’s latest mobile operating system offering, Android L, would also include default user-end passcode encryption that cannot be circumvented by Google. ACLU technologist Christopher Soghoian and Center for Democracy & Technology technologist Joseph Lorenzo Hall applauded the moves to enhance consumer protections in the wake of increased government surveillance stoked by Edward Snowden’s leaks last summer.

But not all are pleased with the announcements. Notably, Ronald H. Hosko, President of the Law Enforcement Legal Defense Fund and former Assistant Director of the FBI Criminal Investigative Division, criticized the moves in a recent op-ed as protecting “those who desperately need to be stopped from lawful, authorized, and entirely necessary safety and security efforts.” Hosko’s point indicates a possible shift in the legal landscape of digital privacy rights. In its recent Riley v. California opinion, the Supreme Court weighed in on the digital privacy debate, holding that authorities generally may not search digital information on a cell phone seized from an individual without a warrant. However, even upon obtaining a warrant for user data, police now face an additional difficulty, as they can no longer lean on Google or Apple to procure this data. As Apple itself pointed out in its revamped privacy policy, with the addition of these new encryption protections, “…it's not technically feasible for us to respond to government warrants for the extraction of this data from devices in their possession running iOS 8.” The fact that Apple and Google together control about 95% of the U.S. smartphone operating system market only underscores the impact of these new policies. As Google and Apple customers update their devices to the latest versions of the companies’ operating systems, chances will be increasingly high that authorities will only encounter criminals with these new encryption tools enabled on their devices.

One Forbes blogger has rightly pointed out that this only recasts the legal issue onto Fifth Amendment self-incrimination grounds. If the contents of a phone cannot be decrypted by Apple and Google themselves, law enforcement must instead seek to compel defendants themselves to decrypt and hand over their user data. The Electronic Frontier Foundation (EFF), however, maintains that a court order to decrypt personal data for law enforcement violates the Fifth Amendment right protecting against self-incrimination. Specifically, the EFF argues that the act of producing encrypted personal data qualifies as privileged testimony under the Fifth Amendment. Many federal courts agree, with both a Colorado Federal District Court and the Eleventh Circuit having held recently that the act of decryption and production of contents of computers sufficiently implicates Fifth Amendment privilege.

The question then turns on the application of the “foregone conclusion” doctrine to this type of user data. The doctrine essentially considers acts of production of decrypted phone contents not subject to Fifth Amendment protection if it can be shown with reasonable particularity that, at the time authorities seek to compel the production, they already know of the incriminating contents of the phone, thereby making any testimonial aspect a foregone conclusion. The trick for authorities, of course, will now be building a case to show with reasonable particularity that they already know of the incriminating contents of an encrypted phone. This may be no easy feat, if the Eleventh Circuit’s application of the doctrine is any indicator — absent an admission by a defendant that a phone contains incriminating data, “[i]t is not enough for the Government to argue that the encrypted drives are capable of storing vast amounts of data, some of which may be incriminating.” As such, only time will tell how Google and Apple’s new encryption policies limit the capacity of law enforcement to conduct investigations.

Written by

October 6th, 2014 at 6:29 pm

Posted in Commentary

Apple’s Canary Fails to Chirp


Recently, Apple updated the privacy section on its website. While this was likely part of their response to privacy concerns due to the recent iCloud controversy, and fortuitously timed with the release of the newest batch of phones from the company, it also contains the latest edition of their transparency report. This report is a collection of the requests made by governments around the world for information about Apple device users and account holders. Curiously though, the most controversial aspect of the report may be what is not included.

As the Electronic Frontier Foundation reported, Apple was one of the first major companies to make use of the device known as a warrant canary. A warrant canary is one of the methods that a company may use to alert the public of otherwise secret demands made by the US government. Following the passage of the USA Patriot Act in 2001, the availability of secret subpoenas has been dramatically expanded, and they may be used against anyone who may have information which the authorities consider relevant to their intelligence or terrorism investigations. Because of the nature of these subpoenas, criminal penalties may be assessed against individuals who reveal even the existence of the requests for information. To get around this, a company may publish a public statement that they have not received such a request. If that is no longer true, removing the statement, or refusing to make it again, signals to the public that the government has asked for data. In the transparency report covering early 2013, Apple stated that it “has never received an order under Section 215 of the USA Patriot Act. We would expect to challenge such an order if served on us.” This language is missing from the more recent reports, which instead state “To date, Apple has not received any orders for bulk data.” This shift in language may be Apple’s signal that it has been forced to comply with an order under the Patriot Act.
An alternative view is that Apple is just complying with the latest addition to the government’s scheme of actually reporting on these kinds of requests. Detailed in a January 2014 letter to the general counsel of major tech companies, there are essentially two options available. A company may publish the number of requests for specific kinds of information in bands of 1000, or may publish total aggregate numbers in bands of 250. Apple’s latest report indicates that it currently sits in the 0-250 band. The major flaw in both of these reporting capabilities is that the starting number is in fact zero, which is where the warrant canary can do its work. The letter indicates that there is to be a significant time delay between the issuing of a request and when a company may report on it, ranging from six months to two years for a new government security product. A timely published warrant canary may also circumvent this requirement. The risk of the canary from the government's standpoint is that it undermines the nature of the secret orders and reduces the effectiveness of a major national security tool.

Whether the absence of the canary language indicates Apple’s compliance with the new government reporting scheme or is an admission that Apple has actually received a secret order, the takeaway is clear: The government has an arsenal of methods to acquire information about users of Internet services without their knowledge. The validity of these secret orders is an issue of supreme importance in our increasingly interconnected world. Among the variety of ways for companies to advocate for their users, publishing transparency reports similar to Apple’s is probably one of the simplest, and subtlest, ways to bring the discussion into headline news once again. The warrant canary is a device with perhaps questionable legal heritage, but it promotes a vigilant and informed public discussing a question at the crossroads of national security and personal privacy.

Written by

October 1st, 2014 at 5:58 pm

Posted in Legal/Tech News
