FTC Enters Settlement With Purveyor Of Keylogger Software

By Ronnie London & Elizabeth Soja

On June 2, 2010, the FTC announced a settlement with a company that was selling and distributing spyware and providing customers with instructions for remotely installing that spyware on the computers of unsuspecting third parties.  The court’s final order requires CyberSpy Software, LLC and its owner to ensure that any download of “RemoteSpy” keylogger software now provides notice to the computer’s owner that the spyware has been downloaded onto the device.  The computer’s owner must also consent before the software can be installed.  Along those same lines, the order bans all advertising that says RemoteSpy can be installed surreptitiously on a computer without the owner’s knowledge.  The final order follows a preliminary order entered back in November 2008.

The FTC’s complaint against CyberSpy and its owner, filed in federal court in Florida in November 2008, alleged that the defendants provided “customers with instructions on how to disguise the software as an innocuous file, such as 'photos' or 'music' attached to an email, in order to send the software to another computer."  When the recipient clicked on the attachment, the software downloaded onto the device without the owner's knowledge.  Once the software was installed, it sent information regarding all activity from the computer to CyberSpy's servers via the Internet.  RemoteSpy customers could then “access this information by going to remotespy.com and typing in a password that they selected when signing up for Defendants' service,” according to the complaint.

The FTC alleged that these practices violated Section 5(a) of the FTC Act, 15 U.S.C. § 45(a), which prohibits unfair or deceptive acts or practices in or affecting commerce.

ISP Host to Spam, Viruses, and Spyware Shuttered by FTC Enforcement Action

By Ronnie London & Micah Ratner

The FTC announced on May 19, 2010, that on April 8, 2010, a Northern District of California judge issued a permanent injunction shutting down an ISP—Pricewert LLC—that primarily hosted spam, botnets, trojan horses, viruses, child pornography, and spyware.  ICANN and other industry standards bodies have shut down ISPs that host illegal content, but the FTC’s enforcement action against Pricewert LLC marked the first instance in which a federal district court permanently shut down a “rogue” ISP.

The FTC’s June 2009 complaint alleged that Pricewert “recruits, knowingly hosts, and actively participates in the distribution of illegal, malicious, and harmful electronic content” and “actively colludes with its criminal clientele in several areas, including the maintenance and deployment of botnets.”  The FTC’s evidence included transcripts of instant messages that showed senior Pricewert employees colluding with bot-herders to create and configure a botnet.  Pricewert also allegedly marketed its services in chat rooms for spammers, ignored take-down requests from the online security community, and shifted IP addresses for its criminal clients to evade detection.  The same month, the federal court issued a TRO and then a preliminary injunction against Pricewert based on the FTC’s allegations of unfair and deceptive practices under Section 5 of the FTC Act.

Also on April 8, the district court appointed a permanent receiver and determined the amount of disgorgement of profits.  The FTC reports that the ISP’s servers and assets were seized and will be liquidated.  The court cut an award of ill-gotten profits from $2.16 million to $1.08 million because the FTC was unable to submit sufficient evidence to show the percentage of Pricewert’s legitimate versus illegal activity.

Update on CAN-SPAM Complaint Mills' Tenuous Legal Posture

In our entry CAN-SPAM Complaint Mills - Time For A New Business Model? pointing to our advisory on the Ninth Circuit’s decision in Gordon v. Virtumundo, Inc., we noted the court’s holding that private suits to enforce the CAN-SPAM Act are limited to bona fide Internet access service providers who genuinely suffer “adverse effects” attributable to email that violates the law, its recognition of non-misleading commercial email as a legitimate marketing tool, and its concerns about a CAN-SPAM “cottage industry” that has been set up “to profit from litigation.”

Yesterday, the Ninth Circuit built on that foundation, issuing its decision in Asis Internet Services v. Azoogle.com, Inc., which affirmed dismissal of a similar plaintiff’s CAN-SPAM claims, and an award of costs against it.  Citing Gordon v. Virtumundo for the proposition that Asis did not meet the requirement of being adversely affected by the unsolicited emails it received, the court held that “the mere cost of carrying SPAM emails over Plaintiff’s facilities does not constitute a harm as required by the statute.”  It also held that, although the plaintiff spent money on email filtering, the cost of that filtering did not increase because of the emails at issue, reinforcing that “such ordinary filtering costs do not constitute a harm.”  The case thus maintains the high bar for CAN-SPAM complaints set in Gordon.

Maine Privacy Law Remains On The Books, But AG Won't Enforce It

By Robert J. Driscoll

We recently blogged (here) about a new Maine law that would restrict the collection and use of personal information from minors for marketing purposes.  Shortly thereafter, a coalition of educational and industry groups filed a lawsuit in the U.S. District Court in Maine, challenging the law on the basis that it violates the First Amendment and the Commerce Clause of the Constitution.  On September 9, 2009, the court entered a stipulated order of dismissal.  While determining that the plaintiffs had established a likelihood of success on their claims, the judge noted that the Attorney General, acknowledging the substantial legal issues raised by the new law, had committed not to enforce it.  The judge also pointedly stated in the order that “third parties are on notice that a private cause of action [under the new law] could suffer from the same constitutional infirmities,” in an apparent attempt to discourage private individuals from filing a private cause of action to enforce the law.  The legislature is expected to revisit the new law and to consider amendments that would address these infirmities in the upcoming session.

New Maine Privacy Law Restricts Marketing to Minors

By Robert J. Driscoll

The state of Maine recently passed a new law restricting the collection and use of health-related information and personal information of minors.  We have published an advisory containing some of the details.  The new law, which takes effect in September, is substantially more limiting than COPPA and will significantly impact the ability of marketers to communicate with Maine residents under age 18.  Read more at www.dwt.com/LearningCenter, or click here.

CAN-SPAM Complaint Mills - Time For A New Business Model?

Be sure to check out our advisory on Gordon v. Virtumundo, Inc.  There, you’ll find our review of the recent 9th Circuit decision clarifying that private suits to enforce the federal CAN-SPAM Act – apart from those brought by the FTC, state attorneys general, and other state/federal agencies statutorily authorized to bring claims – are limited to bona fide Internet access service providers who genuinely suffer “adverse effects” attributable to email that violates the law.  We also discuss the 9th Circuit’s recognition of non-misleading commercial email as a legitimate marketing tool, and its concerns about a CAN-SPAM “cottage industry” that has been set up “to profit from litigation.”  Read more at www.dwt.com/LearningCenter, or click here.

"Red Flag". . . or White Flag?

The latest installment in the ongoing saga of delays to the effective date for those subject to the Federal Trade Commission’s version of the Identity Theft Red Flags Rules is the FTC’s announcement that the deadline by which affected businesses must comply has been extended – yet again – to November 1, 2009.  This is the third extension of the compliance deadline; the “mandatory compliance” date was originally November 1, 2008.  It was later extended – first to May 1, 2009, then to August 1, 2009, and now to November 1, 2009 – after confusion arose as to whom the rules apply and how to comply with them.  This raises the question, which the FTC itself has acknowledged, of whether Congress wrote the rules too broadly.

When the FTC announced the first extension, it stated it was stepping up outreach efforts to explain the rules to the various entities to which they apply.  With the second extension, the FTC released a “How-To Guide for Business” to assist those faced with complying.  Meanwhile, the FTC created a dedicated Red Flags Rule website, but rejected a request by the American Medical Association for clarification that the rules do not apply to doctors, which begat consternation over whether the rules could apply to lawyers as well.  With the ABA seemingly poised to take the FTC to litigation over the matter with the twice-extended compliance deadline nearly at hand, and confusion otherwise lingering generally, the FTC extended the compliance date again.

This time, the FTC stated it was extending the effective date yet again to “assist small businesses and other entities,” so that it could “redouble its efforts to educate them about … and ease compliance by providing additional resources and guidance to clarify whether businesses are covered by the Rule and what they must do to comply.”  In particular, “redoubled” efforts are intended to assist small and low-risk entities who may face compliance concerns.  However, if it is truly “low risk” businesses on which the FTC is focused at this point, with three extensions (now totaling one year) needed to deal with any uncertainty among such “low-risk” businesses, does that validate previously-voiced concerns from the business community that the rules are too broad?  This may well be an area Congress should consider revisiting, and sooner, rather than later.

A $6 Million Reminder That FCC Still Has Work To Do On Telemarketing And Federal Preemption

Last week came news that DISH Network LLC signed an Assurance of Voluntary Compliance (“AVC”) with the Attorneys General of 46 states, in which it agreed to pay nearly $6 million – plus, potentially, additional restitution – and to modify its sales practices to settle claims that it failed to follow telemarketing do-not-call laws and engaged in unfair trade practices.  The agreement, which DISH executed with regulators from every state but California, Illinois, North Carolina, and Ohio, notes that among the alleged violations were failure “to comply with federal, state and/or local laws regarding telemarketing,” but denies any wrongdoing.  The AVC also called for DISH to comply with such state laws going forward.

The extent to which Attorneys General leveraged their states’ telemarketing laws in the settlement, and to require future compliance, is a troubling reminder that for more than half a decade the Federal Communications Commission (“FCC”) has sat on petitions, declaratory ruling requests, and other calls for it to follow through on its promise to preempt the application of state laws to interstate telemarketing where they differ from federal standards.  Specifically, when it joined the Federal Trade Commission to update federal telemarketing rules in 2003, including creation of a National Do-Not-Call Registry, the FCC established certain limitations on the application of state law thereafter.  It said its rules implementing the Telephone Consumer Protection Act (“TCPA”), which underlie the Registry, would serve as a “floor” with respect to all interstate and intrastate telemarketing calls.  That is, federal rules would govern all interstate calls, and with respect to intrastate calls, state rules that were less restrictive than their federal counterparts were preempted.  And, while the TCPA allows states to impose more restrictive rules on intrastate calls, the FCC said its rules would “almost certainly” preempt the application of such laws to interstate calls.  It also said that, rather than establishing blanket preemption (as with less-restrictive state laws), it would address preemption of such laws on a case-by-case basis.

In the ensuing years, in the related context of unsolicited fax ads, the TCPA’s preemption provision, which applies equally to the law’s telemarketing and fax provisions, was interpreted in accord with the FCC’s position.  At the same time, multiple petitions were filed, targeting sundry state laws, asking that the FCC preempt various state telemarketing prohibitions or requirements.  In other cases, trade associations asked the FCC to impose 50-state preemption with respect to certain state laws and rules.  Some of these petitions have languished since 2004, or even 2003, and while the FCC has sought comment, all these matters remain pending.

The AVC that DISH has entered with all but 4 states requires it to comply with state telemarketing rules that likely were preempted by federal law.  This is a significant reminder that the FCC needs to bring closure to this issue.  Indeed, it is likely that many of the calls at issue in the DISH enforcement action were interstate in nature and should not have been subject to state laws that differ from the TCPA rules.  The point is not that if preemption were clarified by the FCC, the issues surrounding DISH’s marketing practices would have disappeared.  Nonetheless, the settlement serves as a hefty reminder that telemarketers making interstate calls still face state laws that differ from – and as the FCC has said, are “almost certainly” preempted by – federal regulations intended to unify the rules in this area and to eliminate the patchwork of state requirements and prohibitions.  Perhaps, now that a new FCC installed by a new administration is poised to be at full strength, there is an opportunity to complete this last piece of long-unfinished business.

Advertising Industry Publishes Self-Regulatory Principles for Online Behavioral Data Collection

By Robert J. Driscoll, Paul Glist and Jennifer Small

On July 2, 2009, a group of advertising industry associations published the Self-Regulatory Principles for Online Behavioral Advertising (PDF)—a set of guidelines concerning the collection and use of online behavioral data by advertisers, service providers, publishers and ad networks.

The principles, drafted by the American Association of Advertising Agencies (4A’s), the Association of National Advertisers (ANA), the Direct Marketing Association (DMA), the Interactive Advertising Bureau (IAB) and the Council of Better Business Bureaus (BBB), focus on the areas that the Federal Trade Commission (FTC) has identified as desirable for industry self-regulation.  The principles set forth recommended practices for providing consumers with greater control over online behavioral advertising.

These proposed self-regulatory principles arise against a backdrop of growing political and consumer awareness of privacy issues.  FTC Chairman Jon Leibowitz has twice warned the industry that it is facing the “last clear chance” to avoid specific governmental regulation.  The FTC has stepped up enforcement action in the area, recently proposing an order against Sears that treats formal notices of Web tracking buried in fine print as “unfair” or “deceptive” under current law.

This advisory provides a brief overview of the new principles.  Businesses involved in online behavioral advertising should be aware of them and consider taking steps toward their implementation.

Of particular note is an enhancement of consumer notice and education about the collection and use of predictive profiling information, with new, easier-to-use tools for consumers to “opt out” of such collection and use by online ad networks.   In addition, the principles propose more significant restrictions on service providers—specifically, Internet service providers and providers of desktop application software such as browsers and tool bars—who would be permitted to engage in the collection and use of data for online behavioral advertising purposes only on an “opt in” basis.

The principles do not address display advertising or contextual advertising; rather, they focus on advertising targeted to the user based upon data regarding that user’s activities across various Web sites, a practice that has attracted considerable political attention.

The proposed requirements are summarized briefly below.

  • Transparency.  Online behavioral advertising will be accompanied by enhanced notice to consumers.  Among other things, the principles contemplate that a uniform link or icon indicating that behavioral data is being collected will be displayed in or around behavioral ads.  In addition, ad networks and other entities that collect and use data from others’ Web sites would be required to include notices of their online behavioral advertising practices on their Web sites, along with a mechanism for consumers to opt out of the collection and use of behavioral data.  Service providers would also be required to provide online notices of their behavioral advertising practices, and Web sites at which behavioral data is collected would be required to display links to the ad networks’ notices.
  • Consumer control.  The principles require entities involved in online behavioral advertising to provide users with a means of controlling the collection and use of data relating to them. Ad networks could satisfy this obligation by providing a means for consumers to opt out of such data collection and use.  Service providers, on the other hand, would be prohibited from collecting or using data for online behavioral advertising purposes without securing affirmative consumer consent, i.e., by deploying an opt-in mechanism.
  • Data security.  Data will be reasonably secured and discarded when no longer necessary to fulfill a legitimate business or law enforcement purpose.  This principle also calls for reasonable assurances that the anonymization process will prevent the re-identification of anonymized profiles.
  • Material changes.  Consent is required for any retroactive material change in the use of collected data.
  • Sensitive data.  Children known to be under 13 are provided additional protections, as is health and financial data.  The principles note that what is “sensitive” information may change over time.
  • Accountability.  Enforcement of the principles will be handled principally by nongovernmental bodies, perhaps analogous to the Children’s Advertising Review Unit of the Better Business Bureau with respect to children’s advertising issues.  Enforcement mechanisms may include internal and third-party monitoring and self-reporting systems, and possible reports to the applicable government agencies in the event of an uncorrected violation.
  • Education.  Participants are encouraged to educate individuals and businesses about online behavioral advertising.  It has been reported that industry groups expect to conduct a large educational campaign—on the order of 500,000,000 impressions—over the next 18 months.

Currently key House members are drafting new legislation on online privacy.  We expect that even if such legislation is pursued, it may still provide room for effective self-regulatory programs to operate.   In the meantime, the BBB will spearhead implementation of the Self-Regulatory Principles for Online Behavioral Advertising, with an implementation program expected to be launched by early 2010.

Has The 9th Circuit Raised The Bar For Text-Message Affiliate Marketing?

Did text-message advertising get more difficult after last week’s decision by the U.S. Court of Appeals for the Ninth Circuit in Satterfield v. Simon & Schuster, Inc.? Perhaps so, but not principally for reasons cited by many accounts and commentators reporting on the case.

Satterfield, the recipient of a text message advertising a Stephen King novel sent by its publisher as part of an outsourced promo campaign, sued Simon & Schuster (and outsourcer ipsh!) under the Telephone Consumer Protection Act (“TCPA”), which prohibits (among other things) “calls” to numbers assigned to cellular and similar services made using an automatic telephone dialing system (or “ATDS”).  Simon & Schuster defended on grounds that the ad was not delivered by an ATDS as defined by statute, and that text messages are not “calls” as the TCPA requires.  It also claimed the text fell under the law’s consent exception insofar as Satterfield received it after registering at Nextones.com (to allow her minor son to receive a free ringtone), where she agreed to terms and conditions (“T&Cs”) that included accepting, on the registered cell phone, promotions from the website’s affiliates and brands.  Initially, Satterfield was turned aside on summary judgment when the trial court held the text was not sent by an ATDS and that Satterfield consented to its receipt (and thus did not reach arguments that text messages are not “calls” under the TCPA).

Last week, the Ninth Circuit reversed.  It found, given dueling expert testimony, a material question of fact that needed to be tried as to whether the equipment that sent the text was an ATDS.  It also held, based on Federal Communications Commission (“FCC”) pronouncements, and on the law’s legislative history and intent, that text messages are “calls” under the TCPA.  This part of the decision became the headline in much reporting and commentary on the case, not to mention speculation about what it means to marketers.  But treating text messages sent to phone numbers as “calls” under the TCPA is hardly news – the FCC said they were over five years ago, and reiterated as much in adopting rules under the CAN-SPAM Act (which govern mobile service commercial messages sent to email addresses, as distinct from text messages sent to phone numbers), so that question was never in serious doubt.  Rather, the more intriguing aspect of the Ninth Circuit’s decision (in my view), which received less attention, comes in its last few pages.

There, the court rejected claims that the text message was allowed based on consent Satterfield gave at the Nextones website to receiving promotions from its affiliates and brands.  Rather than viewing who could be an “affiliate” of Nextones in more colloquial terms – which is the tone for which many online T&Cs and privacy policies strive in order to be more consumer-friendly – the Ninth Circuit construed “affiliate” as having “independent legal significance” so as to require a corporate relationship between the entities “by shareholdings or other means of control.”  Since Nextones and Simon & Schuster are not commonly controlled, the court reasoned, the publisher could not be an “affiliate” of Nextones from whom Satterfield consented to receive texted ads.  The court took a similarly narrow view of “brands,” holding they are “commonly defined” as “goods identified as being … of a single firm,” so since the text message advertised a product of Simon & Schuster, not Nextones, consent did not exist on this basis, either.

The decision thus raises the question of how a company’s website (and other peripheral materials) must identify third parties who may market to the company’s consumers, in order for consent, such as that contemplated by the TCPA, to encompass those third parties.  If describing them as “affiliates” will not suffice – and, one would think, the prospect exists of courts like the Ninth Circuit imposing legally specific definitions on, or otherwise finding equally insufficient, other commonly used colloquialisms such as “partners,” “clients” or “co-marketers” – how are companies to describe such third-party marketers in a way that is both understandable and succinct, while still being meaningful to consumers?  That, I believe, is among the principal challenges facing marketers in the wake of the Ninth Circuit’s Satterfield decision.

We're Baaaaaaack.

Those of you who were once frequent visitors to this blog may, by now, be asking one or more of the following questions:

(a) Why haven’t you guys posted anything for so many months?
(b) Why does the site look different?
(c) Who’s going to win the NBA playoffs?
(d) Why did they cancel My Name is Earl?

Well, the first two at least. The truth is that this blog was started in August 2005, and ran steadily (sometimes more steadily than others) for about three years. As blogs go, that’s a fairly distinguished record – there are more abandoned blogs lining the sides of the Information Superhighway than there are hubcaps along the Cross Bronx. Wait, did we actually just use the phrase “Information Superhighway”? Because that is so 2005. As is that phrase we just used.

So anyway, when our firm decided to revamp its website, we took this as an opportunity to think seriously (read: discuss over drinks) what we wanted to accomplish with this blog, and what we needed to do to keep it fresh and relevant. The process has taken a bit longer than we expected, but here’s where we are:

Rather than a long list of bloggers, you will be getting regular updates from just five of us – and henceforth there will be no more posts in this annoying third-person, royal we, voice. We may have some guest bloggers on occasion, but for the most part you can level any criticisms at the following:

Bruce Johnson, our Burgermeister-Meisterburger, who will be blogging on the topic of Personal Communications (blogging, employee/employer relations, etc.)

Randy Gainer, who will be captivating you with stories about Government Surveillance (ECPA/CFAA, CALEA, REAL ID/travel issues, etc.)

Charlene Brownlee, who is by far the most stylish among us (and who will be blogging on the subject of Data Breaches and identity-theft laws)

Ronald London, who will endeavor to keep an eye on Congress and will be blogging about telemarketing, junk fax, CAN-SPAM, behavioral/advanced advertising, and CPNI (which we’ll call Marketing and Consumer Privacy)

Lance Koonce, who will try not to mangle any stories about Online Threats such as hacking, phishing, pharming, pretexting, malware/spyware, and offline versions such as dumpster diving and the theft/loss of data-containing devices.

We do not purport to be a source for all news that touches on privacy and security – the field has exploded and aggregating such information would be a full-time career. Rather, we hope to tease out interesting aspects of specific issues within our areas of coverage. We hope you’ll take a look, and keep coming back if what you see intrigues you.

Thanks,

The PrivSecBlog Team


And by the way:

The Lakers.
Ratings. And possibly bad karma.