Legal Bootcamp for Mobile Developers
SXSW Interactive March 12, 2013
Marcia Hofmann Electronic Frontier Foundation
Charles Mudd, Jr. Mudd Law Offices
#sxsw #bootcamp
Marcia Hofmann
Senior Staff Attorney
Electronic Frontier Foundation
https://www.eff.org
Charles Mudd Jr.
Principal and Founder
Mudd Law Offices
http://www.muddlawoffices.com
what we’ll talk about today
• Common legal issues developers should be aware of when creating mobile apps.
• When they are most likely to crop up.
• How to reduce the likelihood that they’ll create big problems for you.
what we’ll talk about today
This is not intended to be legal advice.
Our goal is to help you innovate in the safest way possible, and be able to spot situations
when you should consult with a lawyer.
what we’ll talk about today
This is not an exhaustive catalog of every legal issue you might encounter.
I. contracts
when should you think about this?
• Any time you’re presented with an agreement.
• When you’re accessing a device, program, or service created by someone else in the course of developing your app—even if an agreement isn’t immediately obvious.
which agreements?
The documents that set out terms purporting to regulate how people can access and use a
device/program/service.
E.g., end-user license agreements, SDK licenses,
terms of use, carrier contracts
Be sure to check whether more than one agreement might apply to your situation.
Also see whether other agreements/policies are incorporated by reference.
Read them, too.
laws that might apply
Violating an agreement could involve
Breach of contract
Computer intrusion laws…?
what you can do
• Identify and read all agreements as soon as you learn about them.
• If possible, don’t agree to them.
• If possible, avoid violating them.
• If you think you’ll need to violate them in the course of your app development, speak with a lawyer.
II. privacy
when should you think about this?
• In the earliest stages of planning, when you’re deciding what consumer data you’ll be collecting/handling/storing/sharing.
• When you’re writing terms of use, privacy policies, and other public representations.
• When you add new functionality to your app or change your data practices.
laws that might apply
Federal Trade Commission Act
Children’s Online Privacy Protection Act
California Online Privacy Protection Act
others…?
FTC Act
Among other things, empowers the Federal Trade Commission to prevent
“unfair or deceptive acts or practices in or affecting commerce.”
what’s an unfair practice?
• Injures consumers
  • Substantial
  • Not outweighed by countervailing benefits
  • Unavoidable
• Violates public policy
• Unethical or unscrupulous
what’s a deceptive practice?
• Representation, omission, or practice likely to mislead a consumer
• Viewed from the perspective of the reasonable consumer
• Must be material
enforcement action: FrostWire
Mobile app developer designed file sharing app so that it would publicly share users’ photos, videos, documents, and other files by default.
enforcement action: FrostWire
FTC said it was likely to cause consumers to inadvertently disclose personal files stored on their phones and tablets.
COPPA
Applies to commercial online services
directed at children under 13, or
that have actual knowledge that children under 13 are providing them personal information.
main COPPA requirements
• Notice to parents and verifiable parental consent before collecting, using or disclosing personal info from children under 13.
• Maintain children’s info securely.
• Can’t condition children’s participation in activities on collection of more personal info than necessary.
COPPA safe harbor
An operator of an online service may qualify for a safe harbor by following self-regulatory
guidelines approved by the FTC.
http://business.ftc.gov/content/safe-harbor-program
recent COPPA update
• Collection of geolocation, photos, videos, and persistent identifiers triggers COPPA protections.
• Rule applies to operators of child-directed sites who integrate plugins or advertising networks that collect personal information.
• Third parties collecting children’s info with actual knowledge that the site/app is child-directed must comply.
enforcement action:
• Path’s social networking app automatically collected personal information from users’ address books without knowledge and consent.
• User interface was misleading and provided no meaningful choice about collection of personal info.
• Also, privacy policy misrepresented data collection practices.
enforcement action:
Path also violated COPPA rule by collecting info from about 3,000 kids under 13 without first
• explaining collection, use and disclosure policy for children’s personal info
• giving parents direct notice of any such policy
• obtaining verifiable parental consent before collecting children’s info
CA Online Privacy Protection Act
A commercial web site operator or online service that collects personally identifiable information about California consumers
must conspicuously post a privacy policy.
CA Online Privacy Protection Act
The privacy policy must:
• Identify categories of personal information collected and third-parties it’s shared with.
• Explain any process for consumers to review and request changes to personal information collected about them.
• Explain how consumers will get notice of material changes.
enforcement action: Delta
California State Attorney General pursuing legal action over the Fly Delta app, claiming it doesn’t comply with the California OPPA.
App collects extensive personal info, but doesn’t have a privacy policy.
what you can do
• Bake in privacy from the start.
• Write a privacy policy, and present it to users up front.
• Make sure the policy accurately describes your consumer data collection, use, and disclosure practices.
• Do not misrepresent or gloss over what you do with user data.
what you can do
• Use terms that are understandable to normal people.
• Be especially cautious about sensitive information such as location, photos, address book data.
• Give users meaningful choices about their privacy, and respect their preferences.
• Design your user interface so that data practices are transparent to the user.
what you can do
• Give users plenty of notice about plans to change your data practices, and give them an opportunity to opt out.
• Disclose any processes for users to review and correct personal information and let them know how they can learn about material changes to policies.
• Make sure you know if you need to comply with the requirements of the COPPA rule.
resources
FTC, Marketing Your Mobile App http://business.ftc.gov/documents/bus81-marketing-your-mobile-app
FTC, Revised COPPA Rule: Five Need-to-Know Changes for Your Business
http://business.ftc.gov/blog/2012/12/ftcs-revised-coppa-rule-five-need-know-changes-your-business
resources
California AG, Mobile Privacy Factsheet https://oag.ca.gov/system/files/attachments/press_releases/n2630_updated_mobile_apps_info.pdf
California AG, Privacy on the Go http://oag.ca.gov/sites/all/files/pdfs/privacy/privacy_on_the_go.pdf
resources
EFF, Best Practices for Online Service Providers
https://www.eff.org/wp/osp
EFF, Who Has Your Back? https://www.eff.org/pages/when-government-comes-knocking-who-has-your-back
III. security
when should you think about this?
When you’re transmitting or storing users’ sensitive personal information.
laws that might apply
Federal Trade Commission Act
Children’s Online Privacy Protection Act
Potentially state consumer protection and data breach laws
enforcement action: HTC
HTC failed to take reasonable steps to secure software in its phones and tablets, introducing security flaws that put consumer data at risk.
enforcement action: HTC
Also, user manual representations and user interface for Tell HTC app were deceptive.
what you can do
• Collect only consumer data that you need to provide your service.
• Keep consumer data no longer than necessary to provide your service.
• Encrypt data whenever possible.
• Hash, obfuscate, or otherwise anonymize.
what you can do
• Set up a system for receiving and responding to reports of security vulnerabilities.
• Protect against threats from insiders as well as outsider attacks.
• Have your systems independently tested and verified.
resources
Mobile App Developers: Start With Security http://www.business.ftc.gov/documents/bus83-mobile-app-developers-start-security
EFF, Mobile Privacy Bill of Rights https://www.eff.org/deeplinks/2012/03/best-practices-respect-mobile-user-bill-rights
IV. Copyright
The Basics
U.S. Constitution, Art. 1, Sec. 8, Cl. 8
Congress has the power to “promote the Progress of Science and the useful Arts” by granting authors and
inventors exclusive rights in their works for a limited time.
The Basics
United States Copyright
Exclusive Jurisdiction
The Basics
Copyright Manifests Upon Creation
Jon Lovitz and “I’m Picasso”
The Basics
Protecting Your Ideas
ideas not protected by copyright
Idea Must Manifest
when should you think about this?
When You Begin Your Project
When You Develop an Idea
when should you think about this?
When You Begin Your Project
Your Original Work
Works of Others
when should you think about this?
When You Begin Your Work
Be Cognizant of Works of Others
when should you think about this?
When you’re accessing, copying, using, or hosting someone else’s copyrighted works.
When you’re enabling others to do the things above.
laws that might apply
United States Copyright Act
17 U.S.C. § 501, et seq.
laws that might apply
Accessing and making copies of someone else’s copyrighted code might involve:
• Copyright Act (copying)
• Digital Millennium Copyright Act (accessing/enabling others to access)
Copyright Act
• Protects expressive elements, but not underlying functional elements.
• Broadly prohibits infringement of copyrighted works, including code.
Copyright Act
Protects software from literal copying
Williams Elec., Inc. v. Artic Int’l, Inc.
Program in Written Form (Object Code) and Imbedded in ROM
Copyright Act
Protects software from literal copying
Apple v. Franklin
Operating System
Copyright Act
Apple v. Franklin
Proof:
“James Huston”
“Applesoft”
Copyright Act
Protects structure, sequence, and organization
Whelan v. Jaslow
What does this mean?
Copyright Act
Non-literal aspects of software potentially copyrightable
Not Ideas
Functional elements may be protectable by patent law
Copyright Act
Be Original in Writing
Do Not Copy (Infringe)
Ideas May Be Same
An important exception: fair use
It’s OK to use copyrighted material for purposes such as research, news reporting, commentary,
criticism, and scholarship under certain circumstances.
Fair use and reverse engineering
If reverse engineering is necessary to gain access to functional processes and ideas,
intermediate copies are fair use.
Fair use and reverse engineering
Be sure that you’re legitimately in possession of the software,
and don’t use someone else’s code
in your final product unless
absolutely necessary.
Secondary Liability
Not all liability must be direct infringement
Secondary Liability
Liability placed on an individual/entity that did not directly infringe the copyright but helped the infringer or benefited from the infringer
For secondary liability, there must be primary liability, i.e. direct infringement by someone else
Vicarious Liability
• Right and Ability to Control the Infringing Activity
• Must be actual control; not logical or theoretical
• Direct Financial Interest in the Infringement
Financial Interest must come from infringing activity
Attracting Customers
Revenue from Incidental Sales
Vicarious Liability
Fonovisa, Inc. v. Cherry Auction, Inc.
Defendant operated a market that rented space for vendors. Vendors sold musical recordings that infringed plaintiff’s copyrights.
Vicarious Liability
Fonovisa, Inc. v. Cherry Auction, Inc.
Vicarious liability because:
• Defendant had the right to supervise vendors and terminate vendors for
any reason.
• Defendant made money from incidental sales (parking and admission fees, refreshments) and, as the court concluded, the infringing activities “enhance the attractiveness of the venue to potential customers.”
Contributory Liability
When a defendant,
with knowledge of the infringing activity,
induces, causes or materially contributes
to the infringing conduct of another
Contributory Liability
Knowledge of infringing activity is key element
Often one party actively encourages another to infringe
Material contribution to infringing activity
Contributory Liability
Sony Corp. v. Universal City Studios, Inc.
Universal sued Sony for contributory infringement
Universal claimed a Betamax player allowed users
to make infringing copies of their TV shows.
Contributory Liability
Sony Corp. v. Universal City Studios, Inc.
No Contributory Infringement
Betamax was
“capable of commercially significant noninfringing uses.”
Contributory Liability
Sony Corp. v. Universal City Studios, Inc.
It was impossible for Sony to know whether any particular machine will in fact be used for infringing purpose.
Contributory Liability
Napster
Grokster
KaZaA
contracts revisited
Some agreements forbid reverse engineering.
Can they do that?
So far, the courts say yes.
512 Safe Harbors
17 U.S.C. § 512 gives service providers a few “safe harbor” protections against liability for copyright infringement.
One of them shields “conduit” service providers that transmit, route, or provide connections to infringing
material through their systems, as long as….
512 Safe Harbors
The transmission is automatic and doesn’t involve any selection by the provider;
The material is only temporarily stored on the provider’s system; and
The provider doesn’t modify the material in any way.
A Condition
To qualify for the safe harbor, you must have a policy for terminating service to repeat infringers in “appropriate
circumstances,” which you let users know about.
Takeaways
• If you’re relaying someone else’s packets, you’ve got some strong legal protections.
• But there are a few things to keep in mind.
Takeaways
• Be careful about modifying user content.
• Even when you’re not legally required to police or remove disputed content, you should have a plan for addressing complaints.
Takeaways
• If someone sends you a nasty letter for doing something protected by Sections 230 or 512, explain the situation, which may help avoid suit. You can work with an attorney to develop a form letter for such occasions.
• Be transparent.
resources
http://www.chillingeffects.org/dmca512/faq.cgi
http://creativecommons.org/about
what you can do
• Make sure that the copy of the software you’re studying is legally acquired.
• If you make a copy of someone else’s code for reverse engineering purposes, make sure that you need it to understand how the program functions, and don’t copy more than you have to.
what you can do
If you like code
explore permission and license
what you can do
Do your own coding or hire coders
Creative Commons
Open Source
what you can do
Creative Commons
Creative Commons is a nonprofit organization that enables the sharing and use of creativity and
knowledge through free legal tools.
what you can do
Creative Commons
Creative Commons licenses are not an alternative to copyright.
They work alongside copyright and enable you to modify your copyright terms to best suit your
needs.
what you can do
Avoid making copies of code for purposes other than analyzing how a program works
When studying others’ code, consider asking permission, even if you don’t think you’ll get it.
Digital Millennium Copyright Act
• Can’t circumvent technological measures that effectively protect or control access to copyrighted works.
• No trafficking in tools that are primarily designed, valuable or marketed for (1).
when should you think about this?
When you need to jailbreak or root a mobile device for purposes of software
development/testing.
important exceptions to basic rule
• Reverse engineering
• Encryption research
• Security testing
• Disabling the collection of your own personally identifiable information
exemption process
• Library of Congress made clear in 2010 and 2012 that jailbreaking phones doesn’t violate the DMCA.
• Doesn’t apply to jailbreaking other devices (at least, not yet).
• Doesn’t authorize the distribution of jailbreaking tools.
V. Communications Decency Act
when should you think about this?
When you’re publishing content provided by others.
“No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information
provided by another information content provider.”
“No cause of action may be brought and no liability may be imposed under any State or
local law that is inconsistent with this section.”
elements
Section 230 immunity requires that
• You are a provider or user of an interactive computer service,
• The legal action treat you as a publisher or speaker of information, and
• The information be provided by someone else.
what’s a “provider or user of an interactive computer service”?
A broad variety of Internet users.
• Traditional ISPs
• Web site operators (including bloggers)
• App providers
• Social networking services
• Search engine operators
• Users of online services
what kinds of claims can 230 protect against?
All sorts of stuff.
• Defamation
• Unfair competition
• Negligence
• Invasion of privacy
• Breach of contract
• State criminal laws
• Infliction of emotional distress
do you have an obligation to police content?
Nope.
limitations
Immunity applies even if you select, withdraw, or edit user content, but may not apply if you significantly change or
contribute to the meaning of the content.
limitations
You may lose immunity if you supply unlawful content yourself or require users
to answer unlawful questions.
limitations
CDA 230 protects service providers who are treated as publishers or speakers—
but not those treated as promisors.
what’s left?
Alas, 230 has a few exceptions.
It doesn’t protect providers against
Federal criminal laws
State/federal communication privacy laws
Federal intellectual property laws (courts are split on state intellectual property laws)
what you can do
• Enjoy the very broad protection 230 gives you, but understand the contours.
• Let users supply information (rather than providing pre-populated answers).
• Decide in advance how you’ll respond to requests to remove content.
• Don’t make promises you won’t keep.
VI. trademarks
The Basics
a design, phrase, symbol, or word (or combination thereof) that
identifies & distinguishes the source of goods or services
from those of others
The Basics
Generic
Descriptive
Fanciful
Arbitrary
The Basics
Surnames
Other Nuances
when should you think about this
From the Legal Perspective:
Yesterday
when should you think about this
From the Legal Perspective (cont’d):
NO LATER THAN:
When you identify a design, phrase, symbol, or word
you want to use
when should you think about this
From the Business Perspective:
As soon as you begin branding discussions
laws that might apply
United States
Concurrent Jurisdiction
State and Federal Trademarks
laws that might apply
International
laws that might apply
Focus on United States…
laws that might apply
Why won’t you discuss state trademark law?
Interstate Commerce and the Internet
Federal Trumps State
laws that might apply
Unless you intend to be limited in one state,
there exists no incentive or need
to focus on State trademarks
laws that might apply
Example:
Apple App Store – Interstate Commerce
Internet Advertising – Interstate Commerce
laws that might apply
So…given focus of United States…
…next distinction…
“Prosecution” and Litigation
Trademark Prosecution
Like Patent Prosecution,
the filing of the application and the
registration process
Trademark Registration
So…let’s use Trademark Registration
(again, focusing on federal trademark registration)
Trademark Registration
Word versus Stylized Mark
Trademark Registration
In Use versus Intent to Use
Trademark Registration
Pre-Approved Descriptions
versus
Custom Descriptions
Trademark Registration
Classes of Goods and Services
Trademark Registration
Timing
Office Actions
Publication
Trademark Registration
Renewal
Presumptiveness
Trademark Registration
Exclusive Right to Use
in Class
Except for Use Prior to Registration
Trademark Registration
Publication in Register
Use of ®
Additional Remedies in Litigation
Trademark Litigation
Renewal
Presumptiveness
Trademark Litigation
• 15 U.S.C. §§ 1114,1125: Infringement
• 15 U.S.C. § 1125: Dilution (Tarnishment/Blurring)
• 15 U.S.C. § 1125: Unfair Competition Law
• State Unfair Competition Law
• Passing off
• Reverse Passing Off
• Misappropriation
• Trade/Product Disparagement
Resources
www.uspto.gov
www.google.com
what you can do
Search USPTO
Search Engines
Due Diligence
what you can do
Avoid Similar Marks
Be Creative
Protect Your Marks
VII. patents
The Basics
U.S. Constitution, Art. 1, Sec. 8, Cl. 8
Same authority that gives Congress the power to enact copyright protection gives Congress the
authority to enact patent protection
The Basics
Exclusivity with United States PTO
Except Internationally…
The Basics
Not everything is patentable…
New, Non-Obvious, Useful Inventions
The Basics
…some things once patented may be available…
The Basics
Due Diligence
Helps Avoid the Trolls
Advanced
America Invents Act
“…More than First to File…”
when should you think about this
From the Legal Perspective:
Yesterday
when should you think about this
From the Legal Perspective (cont’d):
NO LATER THAN:
As soon as you have an idea
when should you think about this
From the Business Perspective:
As soon as you have your idea
laws that might apply
United States
United States Patent Act
35 U.S.C. §§ 1, et seq.
United States Patent Act
Various types of patents
utility, process, plant, design
business method
United States Patent Act
…and software…
…but falls within one or more of other categories…
United States Patent Act
Owner of patent obtains
exclusive rights to patented material
for a limited period of time
United States Patent Act
Which means…
Right to exclude others from making, using, selling, offering to sell, distributing or importing
things that practice the patented invention
United States Patent Act
Not everyone agrees with software patents
…even among software developers
United States Patent Act
software inventions too incremental to justify costs
questions whether incentive exists for software patents
United States Patent Act
Remedies
On finding infringement of a valid patent…
…shall not be less than reasonable royalty…
United States Patent Act
Remedies
determination of “reasonable royalty”
United States Patent Act
Remedies
25% RULE
Reasonable royalty 25% of expected profits
…not so fast…
United States Patent Act
Remedies
Estimate made of profits
divided by expected net sales
resulting profit rate x 25% = royalty rate
United States Patent Act
Remedies
Critique of 25% Rule
United States Patent Act
Remedies
Together with interest and costs
Interpreting the Patent Act
Diamond v. Diehr, 450 U.S. 175 (1981)
Opened door to software patents
Interpreting the Patent Act
In re Bilski
Upheld software patents but w/ caveats
Some software-related inventions may not qualify as patentable subject matter
Some may lack sufficient novelty or are obvious (to a person skilled in the art of computer programming)
Resources
www.uspto.gov
www.google.com/patents
www.google.com
Resources
Real World Examples
what you can do
Search USPTO
Search Engines
Due Diligence
what you can do
NDAs
The Politics of NDAs
VIII. electronic communications
why discuss?
Privacy
Background
Considerations in Development
why discuss?
Role as Employer
when should you think about this?
At concept level
At design and development level
At implementation level
what laws might apply?
Federal and State laws
International laws
Federal Statutes
Electronic Communications Privacy Act
Stored Communications Act
Computer Fraud and Abuse Act
Electronic Communications and Privacy Act 18 U.S.C. § 2510, et seq.
§ 2511 criminalizes
Intentional interception of oral, wire or electronic communication
Discloses
Uses
Electronic Communications and Privacy Act 18 U.S.C. § 2510, et seq.
Question: What is interception (…still debated…)
Question: What is electronic communication?
Civil Remedies
generally any person whose wire, oral, or electronic communication is intercepted, disclosed, or intentionally used
Electronic Communications and Privacy Act 18 U.S.C. § 2510, et seq.
Relief
Preliminary, declaratory and other equitable
Reasonable attorney’s fee and costs
Damages, either
(a) actual plus profits OR
(b) statutory ($100/day or $10,000)
Electronic Communications and Privacy Act 18 U.S.C. § 2510, et seq.
Employers cannot:
use any devices to intercept wire, oral, or electronic communication
use or disclose any information obtained through these methods
disclose or obtain unauthorized access to stored communications
Electronic Communications and Privacy Act 18 U.S.C. § 2510, et seq.
THREE EXCEPTIONS
If one party has given prior consent
Business extension exception: Certain interceptions OK in the ordinary course of business
Provider exceptions: Certain interceptions OK on internal communications systems
Electronic Communications and Privacy Act 18 U.S.C. § 2510, et seq.
Consent
requires only that one party to the communication consent to its interception and access (but be wary of stricter statutes)
Electronic Communications and Privacy Act 18 U.S.C. § 2510, et seq.
Providers
employers who own and provide their own e-mail or instant message systems are exempt
Electronic Communications and Privacy Act 18 U.S.C. § 2510, et seq.
Not applicable if interception occurs in “ordinary course of business.”
Electronic Communications and Privacy Act 18 U.S.C. § 2510, et seq.
Email Monitoring - ECPA
Emails considered “communications” by the ECPA
Steve Jackson Games, Inc. v. United States Secret Service
816 F. Supp. 432 (W.D. Tex. 1993), aff'd, 36 F.3d 457 (5th Cir. 1994)
Email Monitoring - ECPA
Reading and deleting messages stored on employee’s computer was not an interception under the Wiretap Act.
Generally, for an employee to sue under the ECPA, the email must be intercepted while being transferred (and likely for everyone else)
whoever--
intentionally accesses without authorization a facility through which an electronic communication service is provided; or
intentionally exceeds an authorization to access that facility; AND…..
Stored Communications Act (18 U.S.C. § 2701)
thereby obtains, alters, or prevents authorized access to a wire or electronic communication while it is in electronic storage in such system shall be punished . . .
Stored Communications Act (18 U.S.C. § 2701)
(REMEMBER - CRIMINAL STATUTES)
Civil Remedy
Very similar to ECPA except minimum statutory of $1,000
Punitive if willful determination
Stored Communications Act (18 U.S.C. § 2701)
Duty as Provider
Providers generally cannot disclose contents of communications except in certain instances.
Stored Communications Act (18 U.S.C. § 2701)
General Thoughts
Harsher penalties when done for malicious purposes or commercial advantage
Certain permission creates exceptions
Stored Communications Act (18 U.S.C. § 2701)
General Thoughts
Provides exception for “the person or entity providing a wire or electronic communications service.”
Thus, courts have been favorable to employers when e-mails occur on employer-created e-mail servers.
Stored Communications Act (18 U.S.C. § 2701)
General Thoughts
BUT BE WARY…..MISPERCEPTION
Stored Communications Act (18 U.S.C. § 2701)
City of Ontario, California v. Quon, et al.
SCA Question
In storing texts, was Arch Wireless acting as a “remote computing service” or an “electronic communication service”?
If remote computing service, it could disclose, as subscriber was the City employer.
Stored Communications Act (18 U.S.C. § 2701)
Impact of Quon on Use of Employer Devices by Employees will continue….
Stored Communications Act (18 U.S.C. § 2701)
Email Monitoring - SCA
Provides exception for “the person or entity providing a wire or electronic communications service.”
A court has held that employers whose computer terminals and software were integral in the communications systems fell under this exception
Many other cases have also allowed access under this theory
Email Monitoring - Common Law
One MA case allowed invasion of privacy claim to go forward where
Employees could choose own passwords, no policy against personal emails, and the supervisor spent 8 hours reading through emails
Most challenges have not been successful
Computer Fraud and Abuse Act (CFAA) (18 U.S.C. § 1030)
Prevents Unauthorized Access or Exceeding Authorized Access to Computers in a Variety of Contexts
Computer Fraud and Abuse Act (CFAA) (18 U.S.C. § 1030)
Contexts
National Security
Financial Information
Information from Government…
…and…
Computer Fraud and Abuse Act (CFAA) (18 U.S.C. § 1030)
Contexts
Protected Computer
Computer Fraud and Abuse Act (CFAA) (18 U.S.C. § 1030)
Protected Computer
Financial institution or related
OR
Interstate or Foreign Commerce
Computer Fraud and Abuse Act (CFAA) (18 U.S.C. § 1030)
Protected Computer
…… and Causes Damage
Computer Fraud and Abuse Act (CFAA) (18 U.S.C. § 1030)
Civil Remedy
Anyone harmed BUT….
…one of 5 types of damages…
Computer Fraud and Abuse Act (CFAA) (18 U.S.C. § 1030)
Most Common
(I) loss to 1 or more persons during any 1-year period aggregating at least $5,000 in value;
Computer Fraud and Abuse Act (CFAA) (18 U.S.C. § 1030)
Also…
affecting medical examination, diagnosis, treatment, or care;
physical injury to any person;
a threat to public health or safety;
damage affecting a computer used by or for an entity of US
Computer Fraud and Abuse Act (CFAA) (18 U.S.C. § 1030)
Must be
Unauthorized Access
Exceeding Authorized Access
Key Question….
Computer Fraud and Abuse Act (CFAA) (18 U.S.C. § 1030)
Snap-on Business Solutions Inc. v. O'Neil & Assocs., Inc. (N.D. Ohio April 16, 2010)
(Examined Agreements, question of fact denied MSJ)
LVRC Holdings LLC v. Brekka, 581 F.3d 1127 (9th Cir. 2009)
(access not automatically unauthorized if disloyal)
Computer Fraud and Abuse Act (CFAA) (18 U.S.C. § 1030)
International Airport Centers, LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006)
(employee who violates duty of loyalty, no authorization)
US v. Drew, 259 F.R.D. 449 (C.D. Cal. 2009)
(violation of TOS not enough)
Computer Fraud and Abuse Act (CFAA) (18 U.S.C. § 1030)
CFAA Post Aaron Swartz
EFF Proposal
Resources
www.eff.org
www.epic.org
what you can do
Privacy
Social Media Policy
Employee Internet Policy
what you can do
Consult an Attorney
Consult an Attorney
Consult an Attorney
feedback, please! http://sxsw.tv/d8e