Legal Considerations for Web Designers and Developers


Post on 17-Jul-2015






Legal Influences on Web Design
Considerations for Web Designers and Developers

Disclaimer

The views I express here today are my own opinion. They are not necessarily the views of my law firm, Husch Blackwell LLP. These materials are for informational purposes only and are not legal advice. This presentation and the information contained herein are intended, in part, to alert the audience to some legal issues. Any information contained herein is not intended as a substitute for legal counsel. Walter Kawula does not warrant this information for any purpose. This presentation shall not constitute legal advice or create an attorney-client relationship. The laws referenced in this presentation may have changed or could be affected by case law developments. Do not rely on these presentations or your interpretation of same for any purpose. If you have a specific legal question you should consult with a properly licensed lawyer. Do not send Walter Kawula or any person at Husch Blackwell LLP confidential information until you speak with one of our attorneys and get authorization to send that information to us. I may decline to answer questions posed to specific legal issues. Do not take a refusal to answer specific legal questions personally. Speaking of personally, did you know that I like coffee? Sure, we all do, but I mean I really, really like coffee. Probably more than most folks. In fact, as I'm writing this, I'm on my third cup of the morning, and I'm about to go top off again. But, hey, enough about me. How's life been treating you?

Moving Right Along . . . TL; DR
- I am not your lawyer
- Don't tell me anything confidential
- This isn't legal advice

2014 Highlights
- "Snapchat agrees to settle FTC charges that it deceived users" Washington Post, May 2014.
- "Why Retailers Became a Top Target of Patent Trolls" Wall Street Journal, July, 2014
- "SFLC releases GPL Compliance Guide second edition" Software Freedom Law Center, Nov. 2014

Influences on Web Design
- Website Operator
- Website Developer
- Requirements
- Desired Functionality
- Functional Website
- FTC
- NIST
- Open Source Community
- Patent Trolls

Why Should I Care? (Part 1)
What does it mean to you if your web design gets your client or your company into a lawsuit or other legal action?
Bad Times.

Why Should I Care? (Part 2)

Software Development Agreements
Have you agreed to:
- Warrant Against Infringement?
- Assume Defense of Lawsuits?
- Pay Damages Incurred By Your Client?

Principles of Data Collection and Use
- Fair Information Practice Principles (FIPP)
- National Strategy For Trusted Identities In Cyberspace
- National Institute of Standards and Technology (NIST)
- Federal Trade Commission (FTC)

Information Technology Lab at NIST
- Sets principles, guidelines, and frameworks for data security and data privacy.
  - Vetting the Security of Mobile Applications (S.P. 800-163)
  - Cloud Computing Synopsis and Recommendations (S.P. 800-146)
- Sets data security requirements for entities that contract with the federal government.
  - Security and Privacy Controls for Federal Information Systems and Organizations (S.P. 800-53)

FIPP -- Fair Information Practice Principles
- Benchmark used by the DHS, FTC, White House and others.
- Concerns Personally Identifiable Information (PII)
  - Name, address, SSN, etc.
  - Certain combinations of data.
- Not everything applies here, so we will discuss a sub-set.

FIPP -- Fair Information Practice Principles
- Transparency
- Individual Participation
- Data Minimization
- Use Limitation
- Security
- Accountability and Auditing

FIPP: Transparency
Transparency means notifying individuals regarding collection, use, sharing, and maintenance of PII.
People writing the notifications need to know:
- what PII is being collected and used
- what third parties have access to collected PII

FIPP: Individual Participation
Individual Participation means:
- involving the individual in the process of using PII
- to the extent practicable, seeking individual consent for the collection, use, sharing, and maintenance of PII.
Options must be effective!

FIPP: Data Minimization
Data Minimization means collecting only that PII that is directly relevant and necessary to accomplish specified purposes of the app.
Can you accomplish the purpose and collect less information than originally contemplated?
Accumulation of PII = Accumulation of Risk

FIPP: Use Limitation
- Using PII solely for the purposes specified in the notice.
- Any sharing of PII should be for a purpose compatible with the purpose for which the PII was collected.
- Third party analytics, advertisers, etc.

FIPP: Security
PII should be protected through appropriate security safeguards against risks such as loss, unauthorized access or use, destruction, modification, or unintended or inappropriate disclosure.

FIPP: Accountability
Accountability includes:
- complying with these principles
- providing training to all employees and contractors who use PII
- auditing the actual use of PII to demonstrate compliance with these principles and all applicable privacy protection requirements

Case Study: Snapchat

Snapchat -- What did they do?
- "Snaps" were saved and accessed in ways inconsistent with privacy policy.
- Security breach attracted FTC attention to terms of service and privacy policies concerning collection and use of consumers' data.
Bad Times.

Federal Trade Commission
- Security Breaches involving consumer PII
- Insufficient Notice / Consent to Collect Information
- False or Misleading Representations Concerning Web App's Use of Data
Parallel concerns as FIPP

Basis for FTC Actions
- No explicit statutory authority to police web applications.
- Relies on traditional authority to:
  - Protect Consumers
  - Prevent Fraud, Deception and Unfair Business Practices

Basis for FTC Actions
- Protect Consumers
  - Security breaches are harmful to consumers that use the website.
- Prevent Fraud, Deception and Unfair Business Practices
  - Insufficient notice of collection and use of data
  - Misleading assurances of data security
  - False representations regarding web app operation

FTC Expectations
2012 Report: "Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers."
- Privacy by Design
  - Data Security
  - Reasonable Collection Practices
  - Retention Limits
- Simplified Consumer Choice
- Transparency

FTC Complaint -- False Representation

8. From October 2012 to October 2013, Snapchat disseminated, or caused to be disseminated, to consumers the following statement on the FAQ page on its website: "Is there any way to view an image after the time has expired? No, snaps disappear after the timer runs out."

9. Despite these claims, several methods exist by which a recipient can use tools outside of the application to save both photo and video messages, allowing the recipient to access and view the photos or videos indefinitely.

FIPP: Security, Transparency

FTC Complaint -- Easily Defeated Security

14. Snapchat claimed that if a recipient took a screenshot of a snap, the sender would be notified. On its product description pages, as described in paragraph 7, Snapchat stated: "We'll let you know if [recipients] take a screenshot!"

15. However, recipients can easily circumvent Snapchat's screenshot detection mechanism. For example, on versions of iOS prior to iOS 7, the recipient need only double press the device's Home button in rapid succession to evade the detection mechanism and take a screenshot of any snap without the sender being notified. This method was widely publicized.

FIPP: Security, Transparency

FTC Complaint -- Over Collection

20. From June 2011 to February 2013, Snapchat disseminated or caused to be disseminated to consumers the following statements in its privacy policy: "We do not ask for, track, or access any location-specific information from your device at any time while you are using the Snapchat application."

22. Contrary to the representation in Snapchat's privacy policy, from October 2012 to February 2013, the Snapchat application on Android transmitted Wi-Fi-based and cell-based location information from users' mobile devices to its analytics tracking service provider.

FIPP: Transparency, Individual Participation, Use Limitation

FTC Complaint -- Misleading Collection

25. . . . During registration, the application prompts the user to "Enter your mobile number to find your friends on Snapchat!", implying prior to September 2012 through its user interface that the mobile phone number was the only information Snapchat collected to find the user's friends . . .

26. However, when the user chooses to "Find Friends," Snapchat collects not only the phone number a user enters, but also, without informing the user, the names and phone numbers of all the contacts in the user's mobile device address book.

FIPP: Transparency, Individual Participation, Accountability

Snapchat Take-Aways
- Notice and Consent must be in sync with what the application actually does.
- Collecting geolocation information is OK
- Collecting address book information is OK
- Providing third party access via API is OK
- IF: You provide appropriate notice of collection and the use of the data is reasonably related to the use of the application.

Snapchat Take-Aways
Make life easier for your website operators:
- collect only the information necessary for the application
- communicate to website operator what information the application collects and how it is used
- advise website operator of any third party access to collected information
  - including extensions
- read the website's privacy policy

Patent Lawsuits Against Retailers
The Actors that bring nuisance lawsuits against broad swaths of an industry go by various names:
- Non-Practicing Entities
- Patent Assertion Entities
- Patent Trolls
- [Redacted]

Click for Live Chat

Just some of the cases
- Lodsys Group LLC v. Bed Bath & Beyond, Brooks Sports, John Wiley & Sons, and J&P Cycles
- Lodsys Group LLC v. B&H Foto & Electronics, Charter Communications, Corbis, Lamps Plus, and Nordstrom
- Lodsys Group LLC v., Meijer, Musician's