Tagged: privacy

Year in Review

Wow!  That was fast.

I’ve been running my own law firm for over a year.  It’s been a blast and I’ve been very fortunate — quite a bit of exciting and interesting work came to my door last year.

Some of the highlights include:

  • Managing a dispute from initial demand letter to arbitration award — on my first day running my own firm, one of my clients received a cease and desist letter which we believed was invalid.  We pitched the case to litigators, hired them, and I was able to act as in-house counsel for the 7 month JAMS arbitration: editing and adding factual clarity to filings, attending all depositions and hearings, and eventually delivering the news after judgment.  In general, this is not my day-to-day practice, but it was very educational and modified my perspective on how contracts should be drafted and disputes relating to contracts should be approached.
  • Acting as on-site in-house technology counsel one day a week — sitting in the legal department of one of my larger clients gave me a very different understanding of the role that attorneys play within an organization.  I supported the third party inputs to software (reviewing both open source and third party proprietary licenses) and the enterprise licensing division and often witnessed first-hand the delicate balance that must be maintained between legal risk and business risk within a corporation.
  • Negotiating against the big guys — it’s part of the typical start-up experience.  Sure, you often negotiate and partner with other start-ups, but at some point, you will need something from one of the big established players.  It may just be Internet connectivity.  Or, large companies may be your sales targets.  Regardless, negotiating against a large company who insists that *we never change our forms*,  *everyone signs this without edits* and *this is completely standard* requires the expertise of someone who has seen many *standard* offerings in the applicable industry.  Over the years, I’ve dealt with Fortune 100 and Fortune 1000 companies in almost every industry, and this year was no exception.  Examples from this year include: Advertising Agencies, Amazon, Barclays, Blue Cross Blue Shield (of America and of various States), Bank of America, Chubb, Credit Suisse, CUNA Mutual Insurance, Discover, DOE Pacific, Ernst and Young, Experian, Facebook, Fidelity, Google, Honeywell, Horace Mann, Humana, JP Morgan Chase, KPMG, Lloyds, Lockheed Martin, Mass Mutual, Microsoft, Morgan Stanley, NBC Universal, Nationwide, PWC, Safeway, Samsung, State Farm, T-Mobile, Toys R Us, Viacom, Walmart, and Warner Brothers.
  • Setting up the legal side of the business (forms) — a large portion of my job is limiting the amount of work I do.  I try to get my start-up companies into a position where their internal IP creation departments, online systems, sales forces, and business development teams can function with minimal legal input.  This involves an up-front investment of time to create forms that are correct for their business models.  I talk to my clients and truly understand their businesses before drafting, which avoids the extra legal fees companies often incur when their attorney starts with a square hole for a round peg.  Examples include:  Enterprise license agreements, Software-as-a-Service Agreements, trademark license agreements (branding/endorsement/certification programs), software development agreements, click-throughs (standard terms, privacy policies, API license agreements, payment obligations, revenue share, and more), commission agreements, reseller agreements, professional services agreements, master purchase agreements, NDAs, partner program agreements and technology assignment agreements.
  • Open Source — I went to law school because I was fascinated by the legal rights issues in Open Source Software.  I even wrote an award winning student note on the topic.  This year, I continued my commitment to Open Source legal issues with projects in several areas:  (i) aided a client in cleanly open sourcing a proprietary language they had developed (open source license evaluation and selection, branding issues, IP contribution agreements); (ii) performed open source audits of client codebases with the engineering teams and cleaned up any issues found; (iii) acted as special open source counsel in an Asset Purchase and Leveraged Buy-Out to help the acquirors become comfortable with the state of my clients’ open source uses; (iv) represented (and continue to represent) two clients whose business models are built around open source software projects that they manage (with monetization through professional services, support, maintenance, priority bug fixes, and bespoke development); (v) aided clients in the development of open source policies and approval processes to maintain the codebase in the proper state.
  • Everyday advice, counseling and communications — this catch-all category is where the most surprises come.  Sometimes it’s just a phone call asking for a sanity check — Can we do this?  But sometimes there are more exciting issues such as requests from law enforcement, lawsuits that have been filed against clients, high-level discussions about IP strategy (should we talk to patent counsel?  Should we file a TM?), letters hinting that lawsuits may be filed, formal letter writing in response to unfortunate situations, termination of contracts, privacy concerns, and much more.

Overall, last year was a great year full of good work, great learning opportunities and wonderful clients.  I can’t wait to see what this year brings.

The Latest Case Against Facebook

On May 5, 2010, The Electronic Privacy Information Center (EPIC) filed a complaint with the FTC regarding Facebook’s privacy practices (or lack thereof).

The two biggest complaints, to my reading, are that (1) Facebook unilaterally tried to convert some information previously designated as private to public; and (2) Facebook changed its developer data retention policy to allow developers to retain end user data indefinitely.

Neither of these changes benefits end users, no doubt. But, what I’m fascinated to see is that today, a mere 12 days after the complaint, the user experience is significantly different from the experience described in the complaint (notably, the experience is more protective of users’ data when compared against the experience described in the complaint).

The legal process is slow and cumbersome and using it to argue with a quick and nimble internet-based adversary is going to be frustrating, to say the least. However, where end users are concerned, perhaps the quick responsiveness of Facebook is a benefit. If enough people complain, they just roll out a fix, long before the Feds or the courts order them to do so. Certainly, this means that the fix is likely to be on Facebook’s preferred terms, rather than what the court or Feds order, but isn’t a quick fix better than a long period of open sharing without a fix (when it comes to privacy)?

I’m not saying I approve of Facebook’s most recent blunders. But, I do applaud their quick “opt-in” and “opt-out-of-all” additions after the complaint about the blunders. And, I’m fascinated to see how or where the law fits in this world where the facts upon which any legal claims may be based are so ephemeral.

Paul Ohm: Anonymization Has Failed

I recently had the privilege of attending a talk where Paul Ohm presented the main ideas behind his latest research paper.

I found his reporting on re-identifying users from supposedly non-personally identifiable information fascinating:

- 87.1% of Americans can be uniquely identified by their 5-digit zip code combined with the date, month, and year of their birth.

- 80% of anonymized Netflix users could be uniquely identified by 3 movie reviews (movie, date, review value).

His take-home message?

Data can either be useful, or perfectly anonymous, but never both.

The majority of laws and contracts dealing with personal information draw a line between “personally identifiable information” and “non-personally identifiable information” (aka aggregate, anonymous data).

But, if you can use non-personally identifiable information to derive personally identifiable information, then the two categories collapse into one.

It will be interesting to see how advertisers, social networks, governments, and end users respond to the reality that the separate categories we’ve built into the laws and contracts may not actually exist.

Schools? Google? Who isn’t invading privacy?

Today was an interesting day in privacy lawsuit news.

First, there are the parents of a Pennsylvania high school student who filed a complaint against the school alleging that the school remotely activated a school-issued laptop and took a picture of the child. At home. Without his or their knowledge. And without his or their consent.

Then, there’s the class action lawsuit against Google regarding auto-activation of Buzz and the information that was necessarily shared in connection with that activation. Specifically,


Google turned Gmail “into a social networking service and that’s not what they signed up for, Google imposed that on them without getting their consent,” said Kimberly Nguyen, consumer privacy counsel with EPIC of Washington, D.C. “The bottom line is, users should have meaningful control over their information.”

I’d say these lawsuits show that not everyone agrees with Mark Zuckerberg’s statement that Privacy is no longer a social norm.

The *other* long tail (6 months? 9 months?)

There’s a debate going on right now. How long should the search engines be able to save your search data (associated with your IP address, or your cookie, or your unique identifier associated with your login to their services)? 6 months? 9 months? Less? More?

From a business perspective, this information is very useful. The longer, the better.  It helps potential business partners (service providers, product providers, advertisers, etc.) know what you are likely to want to see, buy, use, and potentially even contribute to the conversation. Of course, whether the search engines should be allowed to share this information at all is yet another conversation.

From a law enforcement perspective, the enforcers would prefer that everything be recorded in perpetuity, indexed, searchable, and admissible as evidence in prosecution. And let us not forget that in some scenarios, certainly, the pattern of behavior, searches, and information sought would be downright bone chilling, and had someone been monitoring it, no doubt, they could have sounded the alarm prior to some horrific event.

The other side of the coin is that many of us have the occasional horrid thought, which results in the occasional questionable-looking search engine query, and really, we’d like that moment to be erasable instantaneously, not 6 or 9 months later. And why not?

From a privacy perspective, the preservation of and presentation of this information to third parties (even for *law enforcement reasons*) is quite scary.  If I searched for the failure rate of pregnancy tests a month ago, that’s a very indicative fact about me, as a person, or perhaps my friends and family. Should anyone have the right to know that I did that? If I searched for palliative treatments for a terminal medical condition, the search is similarly indicative and raises similar questions. Who truly deserves to know these intimate details about my thoughts and internal questions without my permission?

The EU, in general, has taken a stronger role in protecting the privacy of the individual on-line, than the U.S.

This results in situations like the recent decision by Microsoft to purge search data attached to IP addresses after 6 months, which is a significant improvement (from the end user “protect-my-privacy” standpoint) over Google’s policy of 9 months.

It’s an interesting thing to watch, because the current day-to-day operating privacy policy is being set far outside the world of the lawyers who litigate and fight for a living. And, as a lawyer who doesn’t fight, I think it’s a valid legal issue, but I’m observing that by the time the big companies deign to get the lawyers involved (by buy-in and invitation), that very colorfully flagged ship will have sailed, most likely by necessity.

It will be a brave new world.