legal considerations for web designers and developers
Post on 17-Jul-2015
Embed Size (px)
Legal Influences on Web DesignConsiderations for Web Designers and Developers
DisclaimerThe views I express here today are my own opinion. They are not necessarily the views of my law firm, Husch Blackwell LLP. These materials are for informational purposes only and are not legal advice. This presentation and the information contained herein are intended, in part, to alert the audience to some legal issues. Any information contained herein is not intended as a substitute for legal counsel. Walter Kawula does not warrant this information for any purpose. This presentation shall not constitute legal advice or create an attorney-client relationship. The laws referenced in this presentation may have changed or could be affected by case law developments. Do not rely on these presentations or your interpretation of same for any purpose. If you have a specific legal question you should consult with a properly licensed lawyer. Do not send Walter Kawula or any person at Husch Blackwell LLP confidential information until you speak with one of our attorneys and get authorization to send that information to us. I may decline to answer questions posed to specific legal issues. Do not take a refusal to answer specific legal questions personally. Speaking of personally, did you know that I like coffee? Sure, we all do, but I mean I really, really like coffee. Probably more than most folks. In fact, as Im writing this, Im on my third cup of the morning, and Im about to go top off again. But, hey, enough about me. Hows life been treating you?
Moving Right Along . . . TL; DRI am not your lawyerDont tell me anything confidentialThis isnt legal advice2014 Highlights"Snapchat agrees to settle FTC charges that it deceived users"Washington Post, May 2014."Why Retailers Became a Top Target of Patent Trolls"Wall Street Journal, July, 2014"SFLC releases GPL Compliance Guide second edition"Software Freedom Law Center, Nov. 2014Influences on Web DesignWebsite OperatorWebsite DeveloperRequirementsDesired FunctionalityFunctional WebsiteFTCNISTOpen Source CommunityPatent TrollsWhy Should I Care (Part 1)What does it mean to you if your web design gets your client or your company into a lawsuit or other legal action?Bad Times.Why Should I Care? (Part 2)
Software Development AgreementsHave you agreed to:
Warrant Against Infringement?Assume Defense of Lawsuits?Pay Damages Incurred By Your Client?Principles of Data Collection and UseFair Information Practice Principles (FIPP)National Strategy For Trusted Identities In Cyberspace National Institute of Standards and Technology (NIST)Federal Trade Commission (FTC)
Information Technology Lab at NISTSets principles, guidelines, and frameworks for data security and data privacy.Vetting the Security of Mobile Applications (S.P. 800-163)Cloud Computing Synopsis and Recommendations (S.P. 800-146)Sets data security requirements for entities that contract with the federal government.Security and Privacy Controls for Federal Information Systems and Organizations (S.P. 800-53)FIPP -- Fair Information Practice PrinciplesBenchmark used by the DHS, FTC, White House and others.Concerns Personally Identifiable Information (PII)Name, address, SSN, etc.Certain combinations of data.Not everything applies here, so we will discuss a sub-set.FIPP -- Fair Information Practice PrinciplesTransparencyIndividual ParticipationData MinimizationUse LimitationSecurityAccountability and Auditing
FIPP: TransparencyTransparency means notifying individuals regarding collection, use, sharing, and maintenance of PII.People writing the notifications need to know:what PII is being collected and usedwhat third parties have access to collected PII
FIPP: Individual ParticipationIndividual Participation means:involving the individual in the process of using PIIto the extent practicable, seeking individual consent for the collection, use, sharing, and maintenance of PII. Options must be effective!
FIPP: Data MinimizationData Minimization means collecting only that PII that is directly relevant and necessary to accomplish specified purposes of the app.Can you accomplish the purpose and collect less information than originally contemplated?Accumulation of PII = Accumulation of Risk
FIPP: Use LimitationUsing PII solely for the purposes specified in the notice. Any sharing PII should be for a purpose compatible with the purpose for which the PII was collected. Third party analytics, advertisers, etc.
FIPP: SecurityPII should be protected through appropriate security safeguards against risks such as loss, unauthorized access or use, destruction, modification, or unintended or inappropriate disclosure. FIPP: AccountabilityAccountability includes:complying with these principlesproviding training to all employees and contractors who use PIIauditing the actual use of PII to demonstrate compliance with these principles and all applicable privacy protection requirementsCase Study: Snapchat
Basis for FTC ActionsProtect ConsumersSecurity breaches are harmful to consumers that use the website.Prevent Fraud, Deception and Unfair Business PracticesInsufficient notice of collection and use of dataMisleading assurances of data securityFalse representations regarding web app operation
FTC Expectations2012 Report Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers.Privacy by DesignData SecurityReasonable Collection PracticesRetention LimitsSimplified Consumer ChoiceTransparency
FTC Complaint -- False Representation8. From October 2012 to October 2013, Snapchat disseminated, or caused to be disseminated, to consumers the following statement on the FAQ page on its website: Is there any way to view an image after the time has expired? No, snaps disappear after the timer runs out.
9. Despite these claims, several methods exist by which a recipient can use tools outside of the application to save both photo and video messages, allowing the recipient to access and view the photos or videos indefinitely.
FIPP: Security, TransparencyFTC Complaint -- Easily Defeated Security14. Snapchat claimed that if a recipient took a screenshot of a snap, the sender would be notified. On its product description pages, as described in paragraph 7, Snapchat stated: Well let you know if [recipients] take a screenshot!
15. However, recipients can easily circumvent Snapchats screenshot detection mechanism. For example, on versions of iOS prior to iOS 7, the recipient need only double press the devices Home button in rapid succession to evade the detection mechanism and take a screenshot of any snap without the sender being notified. This method was widely publicized.
FIPP: Transparency, Individual Participation, Use LimitationFTC Complaint Misleading Collection25. . . . During registration, the application prompts the user to Enter your mobile number to find your friends on Snapchat!, implying prior to September 2012 through its user interface that the mobile phone number was the only information Snapchat collected to find the users friends . . .
26. However, when the user chooses to Find Friends, Snapchat collects not only the phone number a user enters, but also, without informing the user, the names and phone numbers of all the contacts in the users mobile device address book.
Just some of the casesLodsys Group LLC v. Bed Bath & Beyond, Brooks Sports, John Wiley & Sons, and J&P CyclesLodsys Group LLC v. B&H Foto & Electronics, Charter Communications, Corbis, Lamps Plus, and NordstromLodsys Group LLC v. MakeMyTrip.com, Meijer, Musician's