Real World Implications of Cyber Warfare

Introduction

Amid all of the publicity and media attention of the December cyberattack on Sony Pictures Entertainment, a cyber-intrusion on a German steel mill received comparably scant notice. Unlike the Sony hack, however, it highlighted an important and disturbing trend in cyber warfare. Detailed in a German government report released in December, the hacking of the German steel mill signified the second confirmed instance in which a wholly digital attack resulted in the physical destruction of equipment. By initially gaining access to the plant’s business network, the intruders were able to successfully make their way to the production network and access the controls of the plant’s equipment. They were able to control the system to such a degree that a blast furnace could not be properly shut down, resulting in “massive” damage.

According to Wired’s coverage of the incident, much information about the attack is not detailed in the report, including the name of the steel mill, exactly when it happened, and how long the hackers were in the network before the destruction occurred. The report does relay that the hackers apparently had advanced knowledge, not only of conventional IT security, but of the applied industrial controls and the mill’s production processes.

The incident highlights what is possible with the increasingly prevalent networked nature of physical real-world systems, from critical infrastructure networks like electric grids and water treatment systems, to simple and increasingly networked household and personal items in the growing Internet-of-Things (IoT). Continue reading

Legal Threats Don’t Stop Growth of Textbook Pricing Application

OccupyTheBookstore, a Chrome browser add-on from Texts.com, has become the subject of legal threats from Follett Higher Education Group, one of the largest college textbook retailers in the U.S.  Textbook price comparison tools are not new, with websites like Chegg and SlugBooks, compiling textbook prices from retailers, university bookstores, and online retailers on their own websites.  What makes OccupyTheBookstore unique is that it is provided directly to the user as a downloadable plug-in and works immediately on top of a user’s browser to show cheaper options for print and digital rentals while the user browses a bookstore’s website.

The fact that the user is given the option to employ an immediate filter on top of Follett-affiliated websites rankled the company and prompted it to threaten Texts.com with legal action.  According to an email from Follett to Texts.com’s founders obtained by the Wall Street Journal, the add-on “effectively chang[es] the presentation of the information on the screen.”  Texts.com has not backed down.  In an interview with Red and Black, University of Georgia’s student newspaper, Texts.com says that it “determined that we are totally within our rights to manipulate information in the client’s browser. As it’s opt-in and doesn’t touch the bookstore servers at all….” Continue reading

A Simple Takeaway from the Recent Sony Hack

The hack of Sony Pictures Entertainment placed Sony Entertainment Pictures in the spotlight for the last two months of 2015, highlighting the company’s lax security protocols and placing international focus on the recently released James Franco/Seth Rogan comedy “The Interview”. For the uninitiated, a group calling themselves the “Guardians of Peace” (with the unfortunate acronym “GOP”) hacked into the Sony’s computer systems, gaining unauthorized access to a treasure trove of sensitive data, including: social security numbers of over 47,000 celebrities, freelancers, and Sony employees; several unreleased movie titles that were later released to file-sharing websites; and corporate files including email correspondence, film budgets and passport/visa information for movie casts and crew. The data breach appeared to be supported by North Korea, which denied responsibility. While the United States National Security Agency directly blamed North Korea for the attack, other industry insiders claim North Korea had nothing to do with the attack. Continue reading

Fertilizer by Any Other Name: District Court Denies Trademark Protection for Generic Term

Trademark law is designed to protect consumers from confusion as to the sources of products or services.  Strong trademarks are those that are distinctive – that is, they are capable of identifying the source of a particular good.  At the other end of the trademark spectrum are generic marks.  These marks are incapable of functioning as trademarks because they have come to be identified by the relevant purchasing public as common names for the goods or services with which they are associated.  A finding that a mark has become or is generic means that it has lost (or has never had) the ability to identify the source of a product or service, and thus cannot function as a trademark.  For this reason, a finding that a potential mark is “generic” presents a serious problem to a trademark application because it means that a mark has become synonymous in the public’s mind with a particular product or service as opposed to its source.

Dr. Earth, a California organic gardening company, learned this lesson after a lengthy legal battle in which its trademark application for PROBIOTIC was ultimately denied by the U.S. District Court for the Eastern District of Virginia.  Dr. Earth sought to register the word PROBIOTIC for fertilizers.  The U.S. Patent and Trademark Office (PTO) Examiner initially refused registration, stating that the term was generic in connection with fertilizer, and that at most, the term was merely descriptive and had not acquired a secondary meaning.  Merely descriptive marks are similar to generic marks and are considered “weak” marks because they simply convey information about a function, characteristic, or purpose of the goods or services.  As Jeffrey Davidson states in his IP Registration and Enforcement blog, “[d]escriptive terms by their very nature apply to all goods of a particular type, and therefore do not identify any single source.”  Nonetheless, merely descriptive marks can become distinctive of a source by achieving “secondary meaning.”  Daniel A. Tysver, of the comprehensive Bitlaw Legal Resource, notes that if evidence such as long term use or large amounts of advertising and publicity can show that a mark has achieved this “‘second meaning’” (the first meaning being the generally understood meaning of the term or phrase), a protectable trademark is developed.” Continue reading

Ubergate: Year-end troubles persist for the popular rideshare company

The rideshare and taxi service Uber has had a very public and turbulent end to 2014. From privacy abuse allegations and Congressional scrutiny, to public protests and all-out bans in certain countries, the San Francisco-based, mobile-app-focused company has managed to retain its valuation of $40 billion. The company, which provides its service in 45 countries and over 200 cities, ran into trouble after a Buzzfeed report detailed November 14th remarks by the company’s Senior Vice President Emil Micahel who spoke of his desire to dig up dirt on the personal lives of journalists critical of the company. In particular was the intent to spread the personal details of one Sarah Lacey, editor of the Silicon Valley website PandoDaily. The Buzzfeed report also detailed the examination of private travel records of a reporter by an Uber executive. The combination of the aggressively toned nature of the comments and the willingness of the company to access user’s personal data gave rise to the November trending hashtag #Ubergate. Continue reading

Granting Access: Real and Imagined Threats Regarding Terms of Service

Introduction

The latest Nielsen data show that the average smartphone owner uses approximately 26 apps in a given month. (Median use is probably quite a bit lower, but the numbers are still impressive.)  Marketplaces for apps, like Apple’s App Store and Google Play, have standardized how apps are distributed. Users are informed of an app’s features, as well as the extent to which the app may function on a particular smartphone. From taking pictures and recording video, to collecting GPS and location data, to accessing contact lists, apps have access to larger and larger sets of personal information. For all practical purposes, each of those apps employs some type of Terms of Service (“TOS”) agreement and privacy policy outlining its required permissions before it may be installed and used.

Practically, it is oftentimes unlikely that users downloading an app fully read and comprehend the terms of service or privacy policy, but instead give the app’s list of requested permissions no more than a cursory glance. A 2008 study by Aleecia M. McDonald and Lorrie Faith Cranor found that – based on the median length of privacy policies and the standard reading pace of 250 words per minute – it would take an individual approximately 30 work days to read all of the privacy policies encountered on a daily basis. The study only accounted for privacy policies, and not terms of service agreements or user agreements. Due to the length and ubiquity of these terms and policies, it is reasonable to think that many users do not take the time to fully understand the terms and policies to which they agree. This explains why users may not know exactly what permissions and capabilities they’ve approved for the apps they use. Continue reading

What Should You Consider When Drafting a Privacy Policy?

Businesses are often faced with the challenge of collecting information about their clients in order to tailor and improve their products and services, while respecting their customers’ privacy and protecting their personal information.  But outside of a narrow set of specific state requirements mandating minimum content requirements for privacy policies (see, for example, this discussion of California’s Online Privacy Protection Act (CalOPPA)), and other than the Federal Trade Commission (FTC) Act, which prohibits deceptive or unfair commercial practices, there are no federal laws or regulations that explicitly say what should be included in a privacy policy.  Nonetheless, the statements a company makes in its privacy policy regarding use and disclosure of personal information are enforceable by consumer protection agencies under regulations such as the FTC Act and state laws that prohibit deceptive commercial activity. Continue reading

Google Ordered to Cull Both European and Global Search Indexes

Google & Europe’s Right to Be Forgotten

A recent round of court decisions has forced Google, the internationally known search behemoth, to shrink its search index, instead of expanding on it. This past May, a ruling by the Luxembourg-based Court of Justice of the European Union (CJEU) required Google to provide a means by which citizens of the EU could request the search provider to delete information collected on individuals where the search result(s) “appear to be inadequate, irrelevant or no longer relevant or excessive in the light of the time that had elapsed. Continue reading

Privacy Roundup: 6/26/2014

Will the ECJ Kill the Privacy Safe Harbor for Facebook, Google and All Others?

Christie Barakat reports in SocialTimes that the ECJ, the European Court of Justice, will review the compatibility of the EU-US Safe Harbor with Europe’s Charter of Fundamental Rights.

The Safe Harbor is a legal convention under which US companies doing business in Europe may permissibly transfer the personal information of EU residents outside of the EU zone.  To qualify, the Safe Harbor requires that American companies commit to certain protections of that data in their processing and sharing practices, including stringent commitments on security of data.  The Safe Harbor is a self-certification process rather than a license or regulatory ruling process.  Although a little bit dated, see Henry Farrell’s nice primer on the Safe Harbor, here.

Barakat quotes from Farrell’s Washington Post blog, “Monkey Cage”, covering the immediate issue, which involves an Irish resident who sued Facebook in Ireland claiming that Facebook’s Safe Harbor self-certification status could not meet European Constitution standards for privacy protection due to Edward Snowden’s revelations of US government snooping of foreigners’ personal data.  As Farrell blogged in the Post, “the judge has presented the case to the ECJ in a way that seems designed to get the higher court to rule that the Safe Harbor is incompatible with European human rights standards, and hence invalid.”

Farrell describes the likely outcome of the ECJ’s review as “very hard to say”, at best.  Continue reading

Expanding Accessibility: UN Adopts Article 9, Raising Accessibility Standards

Introduction
In April 2014, the United Nations (UN) Committee on the Rights of Persons with Disabilities adopted its General Comment No 2 on the issue of Accessibility, which applies to member States within the UN that have signed the treaty. The General Comment to the Convention on the Rights of Persons with Disabilities (CRPD) seeks to provide guidance to all relevant stakeholders, such as states and international organizations, on how to ensure accessibility for persons with disabilities. The treaty serves as the first of its kind to address access to information and communication technologies (ICT) for users with disabilities, and may now serve as a basis for State parties to reinforce and regulate national legislative frameworks.

Notably the CRPD, Article 9, paragraph 13 places particular onus on public and private actors regarding ICT. “The focus is no longer on legal personality and the public or private nature of… information and communication, and services. As long as goods, products and services are open or provided to the public, they must be accessible to all, regardless of whether they are owned and/or provided by a public authority or a private enterprise.” This public and private distinction is a first of its kind. Prior regulations placed the requirements for accessible ICT solely on public or government entities. These entities were essentially held to be established in some way for the public good, and therefore had a right to be accessible to the public audience. The shift in language which now includes “all products and services open or provided to the public” places such accessibility requirements on private industry as well, and will set the tone for implementation of such standards by UN treaty members to the CRDP. Continue reading