
Legal Influences on Web Design

Considerations for Web Designers and Developers

Disclaimer

The views I express here today are my own opinion. They are not necessarily the views of my law

firm, Husch Blackwell LLP. These materials are for informational purposes only and are not legal

advice. This presentation and the information contained herein are intended, in part, to alert the

audience to some legal issues. Any information contained herein is not intended as a substitute for

legal counsel. Walter Kawula does not warrant this information for any purpose. This presentation

shall not constitute legal advice or create an attorney-client relationship. The laws referenced in this

presentation may have changed or could be affected by case law developments. Do not rely on these

presentations or your interpretation of same for any purpose. If you have a specific legal question you

should consult with a properly licensed lawyer. Do not send Walter Kawula or any person at Husch

Blackwell LLP confidential information until you speak with one of our attorneys and get authorization

to send that information to us. I may decline to answer questions posed to specific legal issues. Do

not take a refusal to answer specific legal questions personally. Speaking of “personally,” did you

know that I like coffee? Sure, we all do, but I mean I really, really like coffee. Probably more than

most folks. In fact, as I’m writing this, I’m on my third cup of the morning, and I’m about to go top off

again. But, hey, enough about me. How’s life been treating you?

Moving Right Along . . .

TL;DR

● I am not your lawyer

● Don’t tell me anything confidential

● This isn’t legal advice

2014 Highlights

"Snapchat agrees to settle FTC charges that it

deceived users"

Washington Post, May 2014.

"Why Retailers Became a Top Target of Patent

Trolls"

Wall Street Journal, July, 2014

"SFLC releases GPL Compliance Guide second

edition"

Software Freedom Law Center, Nov. 2014

Influences on Web Design

[Diagram labels: Website Operator; Website Developer; Requirements; Desired Functionality; Functional Website; FTC; NIST; Open Source Community; Patent Trolls]

Why Should I Care (Part 1)

What does it mean to you if your web design gets

your client or your company into a lawsuit or

other legal action?

Bad Times.

Why Should I Care? (Part 2)

Software Development Agreements

Have you agreed to:

● Warrant Against Infringement?

● Assume Defense of Lawsuits?

● Pay Damages Incurred By Your Client?

Principles of Data Collection and Use

Fair Information Practice Principles (FIPP)

● National Strategy for Trusted Identities in Cyberspace

● National Institute of Standards and Technology (NIST)

● Federal Trade Commission (FTC)

Information Technology Lab at NIST

● Sets principles, guidelines, and frameworks for data security and data privacy.

o Vetting the Security of Mobile Applications (S.P. 800-163)

o Cloud Computing Synopsis and Recommendations (S.P. 800-146)

● Sets data security requirements for entities that contract with the federal government.

o Security and Privacy Controls for Federal Information Systems and Organizations (S.P. 800-53)

FIPP -- Fair Information Practice Principles

● Benchmark used by the DHS, FTC, White

House and others.

● Concerns Personally Identifiable Information (PII)

o Name, address, SSN, etc.

o Certain combinations of data.

● Not everything applies here, so we will

discuss a sub-set.

FIPP -- Fair Information Practice Principles

● Transparency

● Individual Participation

● Data Minimization

● Use Limitation

● Security

● Accountability and Auditing

FIPP: Transparency

● Transparency means notifying individuals

regarding collection, use, sharing, and

maintenance of PII.

● People writing the notifications need to know:

o what PII is being collected and used

o what third parties have access to collected PII

FIPP: Individual Participation

● Individual Participation means:

o involving the individual in the process of using PII

o to the extent practicable, seeking individual consent for the collection, use, sharing, and maintenance of PII.

● Options must be effective!

FIPP: Data Minimization

● Data Minimization means collecting only that

PII that is directly relevant and necessary to

accomplish specified purposes of the app.

● Can you accomplish the purpose and collect

less information than originally

contemplated?

● Accumulation of PII = Accumulation of Risk

FIPP: Use Limitation

● Using PII solely for the purposes specified in

the notice.

● Any sharing of PII should be for a purpose

compatible with the purpose for which the PII

was collected.

● Third party analytics, advertisers, etc.

FIPP: Security

● PII should be protected through appropriate

security safeguards against risks such as loss,

unauthorized access or use, destruction,

modification, or unintended or inappropriate

disclosure.

FIPP: Accountability

● Accountability includes:

o complying with these principles

o providing training to all employees and contractors who use PII

o auditing the actual use of PII to demonstrate compliance with these principles and all applicable privacy protection requirements

Case Study: Snapchat

Snapchat -- What did they do?

● "Snaps" were saved and accessed in ways

inconsistent with privacy policy.

● Security breach attracted FTC attention to

terms of service and privacy policies

concerning collection and use of consumers’

data.

● Bad Times.

Federal Trade Commission

● Security Breaches involving consumer PII

● Insufficient Notice / Consent to Collect

Information

● False or Misleading Representations

Concerning Web App’s Use of Data

● Concerns parallel those of FIPP

Basis for FTC Actions

● No explicit statutory authority to police web

applications.

● Relies on traditional authority to:

o Protect Consumers

o Prevent Fraud, Deception and Unfair Business Practices

Basis for FTC Actions

● Protect Consumers

o Security breaches are harmful to consumers that use the website.

● Prevent Fraud, Deception and Unfair Business Practices

o Insufficient notice of collection and use of data

o Misleading assurances of data security

o False representations regarding web app operation

FTC Expectations

● 2012 Report Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers.

o Privacy by Design: Data Security, Reasonable Collection Practices, Retention Limits

o Simplified Consumer Choice

o Transparency

FTC Complaint -- False Representation

8. From October 2012 to October 2013, Snapchat disseminated, or caused to be

disseminated, to consumers the following statement on the “FAQ” page on its

website:

Is there any way to view an image after the time has expired?

No, snaps disappear after the timer runs out. …

9. Despite these claims, several methods exist by which a recipient can use tools

outside of the application to save both photo and video messages, allowing the

recipient to access and view the photos or videos indefinitely.

FIPP: Security, Transparency

FTC Complaint -- Easily Defeated Security

14. Snapchat claimed that if a recipient took a screenshot of a snap, the sender

would be notified. On its product description pages, as described in paragraph 7,

Snapchat stated: “We’ll let you know if [recipients] take a screenshot!”

15. However, recipients can easily circumvent Snapchat’s screenshot detection

mechanism. For example, on versions of iOS prior to iOS 7, the recipient need

only double press the device’s Home button in rapid succession to evade the

detection mechanism and take a screenshot of any snap without the sender being

notified. This method was widely publicized.

FIPP: Security, Transparency

FTC Complaint -- Over Collection

20. From June 2011 to February 2013, Snapchat disseminated or caused to be

disseminated to consumers the following statements in its privacy policy:

We do not ask for, track, or access any location-specific information from

your device at any time while you are using the Snapchat application.

22. Contrary to the representation in Snapchat’s privacy policy, from October

2012 to February 2013, the Snapchat application on Android transmitted Wi-Fi-based

and cell-based location information from users’ mobile devices to its

analytics tracking service provider.

FIPP: Transparency, Individual Participation, Use Limitation

FTC Complaint -- Misleading Collection

25. . . . During registration, the application prompts the user to “Enter your mobile

number to find your friends on Snapchat!,” implying – prior to September 2012 –

through its user interface that the mobile phone number was the only information

Snapchat collected to find the user’s friends . . .

26. However, when the user chooses to Find Friends, Snapchat collects not only

the phone number a user enters, but also, without informing the user, the names

and phone numbers of all the contacts in the user’s mobile device address book.

FIPP: Transparency, Individual Participation, Accountability

Snapchat Take-Aways

Notice and Consent must be in sync with what the application actually does.

● Collecting geolocation information is OK

● Collecting address book information is OK

● Providing third party access via API is OK

IF: You provide appropriate notice of collection and the use of the data is reasonably related to the use of the application.

Snapchat Take-Aways

Make life easier for your website operators:

● collect only the information necessary for the

application

● communicate to website operator what information

the application collects and how it is used

● advise website operator of any third party access to

collected information

o including extensions

● read the website’s privacy policy

Patent Lawsuits Against Retailers

The Actors that bring nuisance lawsuits against broad

swaths of an industry go by various names:

● Non-Practicing Entities

● Patent Assertion Entities

● Patent Trolls

● [Redacted]

Click for Live Chat

Just some of the cases

● Lodsys Group LLC v. Bed Bath & Beyond, Brooks Sports, John Wiley &

Sons, and J&P Cycles

● Lodsys Group LLC v. B&H Foto & Electronics, Charter Communications,

Corbis, Lamps Plus, and Nordstrom

● Lodsys Group LLC v. MakeMyTrip.com, Meijer, Musician's Friend, Nuance

Communications, Sandisk, and Sirius XM Radio

● Lodsys Group LLC v. Burberry Ltd., Dover Saddlery, Freescale

Semiconductor, Godiva Chocolatier, and Hanna Andersson

● Lodsys Group LLC v. Crocs, Oriental Trading Company, Somerset

Investments and Saks

Joomla! Chat Extensions

Shopping Cart

• eDekka sued more than 100 companies for

patent infringement.

• Suits alleged "making and/or using one

or more websites that include 'shopping cart'

functionality" as the infringing activity.

Joomla! Shopping Cart Extensions

The Tide is Beginning to Turn

• Patent Office Review

o Covered Business Method patent post-grant review.

o Inter Partes Review

o "Patent Death Panel"

• Legislative Efforts

o Increase pleading requirements.

o Cost shifting onto losing party.

The Tide is Beginning to Turn

• Alice v. CLS Bank

o Supreme Court case from 2014 holding "abstract idea" computer-related patents ineligible.

o Hundreds of computer-related patents are being invalidated, lawsuit filings are down.

o Law still coalescing around what claims are ineligible "abstract idea" claims, and which are sufficiently definite for patent protection.

SFLC on Compliance

"Non-compliance with GPLv3 in the distribution

of Javascript on the Web is becoming more

frequent, and although no disputes have so far

resulted, in the absence of more careful

compliance activity in this area they are

eminently foreseeable."

Software Freedom Law Center, Guide to GPL Compliance 2nd Edition

GPL Concerns

• Joomla (and many extensions) are licensed

under GPLv2.

• If website is non-compliant, the GPL license

terminates automatically.

• Unlicensed website -> copyright infringement.

• Bad times.

GPL Compliance

• What triggers obligations under GPL?

o Distribution of program

o Modification of program

• Conflicting requirements are not an excuse.

o "If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different, write to the author to ask for permission."

Distribution

• Purely internal use does not trigger source

code sharing and attribution requirements.

• Code downloaded into a browser might be a

"distribution" of "non source" form

program.

Questions?

Contact Info:

Walter Kawula

[email protected]

312-526-1516

© 2015 Walter J. Kawula, Jr.

