
Socially Aware Blog

The Law and Business of Social Media

Social Links: Yelp’s Communications Decency Act claim; Twitter loosens its character limit; building a Snapchat audience

Posted in Cyberbullying, Data Security, Internet of Things, Litigation, Marketing, Online Reviews, Privacy

The California Supreme Court agreed to hear Yelp’s case arguing that requiring the company to remove a one-star review of a law firm “creates a gaping hole” in the immunity that shields internet service providers from suits related to user-generated content.

Images, videos and quoted tweets no longer count toward Twitter’s 140-character limit.

Google is undertaking cutting-edge efforts to battle online trolls.

Only 28 websites are registered under North Korea’s top level .kp domain.

Chinese law enforcement agencies investigating criminal cases can now secretly request access to personal information posted on social media services.

Back here in the United States, Twitter’s bi-annual transparency report shows that between January and June the platform received 2,520 information requests from U.S. law enforcement agencies.

The Department of Transportation issued a 15-point list of safety expectations for driverless cars.

Relationship Science, a repository of information about influential people and their connections, is opening its database to everyone, a change that could put the company in competition with LinkedIn.

Content marketers need to publish how many articles a week to make a difference?! Sigh.

Building an audience on Snapchat seems pretty arduous, too.

Concerned that your identity may have been stolen in some of the major hacking attacks in the last three years? Take this quiz to learn your minimum level of exposure and what you can do about it.

The five most popular bots on Botlist last week.

5 Questions to Help Prepare for a Ransomware Attack

Posted in Data Security, Hacking

Ransomware is a type of malware that prevents or limits users from accessing their system. This type of malware forces its victims to pay a ransom through certain online payment methods in order to regain access to their systems or to get their data back. Some ransomware encrypts files (called Cryptolocker).

The news has been filled this year with reports of ransomware attacks against companies and government agencies, including even law enforcement. Ransomware refers to a type of malware that encrypts or otherwise restricts access to a machine or device. As part of the attack, the attacker will demand that the victim pay a ransom in order to receive the encryption key or otherwise recover access to the compromised machine.

The reality is that ransomware attacks have been proliferating against all types of companies and organizations. Ransomware is a profitable business for underground circles, and we expect to see continued targeting. Because these attacks may be isolated to a single machine, they frequently do not impact a company’s business continuity or result in a noticeable service disruption. In response to an infection, companies may be able to obtain the technical assistance needed to defeat the attack. Free online resources exist that will identify which ransomware infected your system and provide victims with known decryption keys. In other cases, companies may determine that the data loss is not significant and/or that backups exist, allowing them to rebuild the computer by reformatting the hard drive and reinstalling a clean operating system, applications and data. In other cases though, companies pay the ransom.

Ransomware attackers frequently use many of the same tools and tactics, such as spear phishing, as do other hackers. Unlike many hackers, however, ransomware attackers are not focused on stealing data that can be sold or used for illicit purposes (e.g., credit card information and trade secrets). Instead, ransomware is about economic extortion. The attackers prevent a company from being able to access its own system or data, and they make a demand. Usually, they want money, but that could change. Imagine a hacker who holds data and systems hostage in return for the company’s releasing a public statement, making a divestiture or arranging for a senior executive’s departure. The distinction between routine malware and ransomware is important to manage the scope of the threat. While some companies may not maintain data that is of value to cyber thieves (although that is becoming less and less the case, as evidenced by the proliferation of W-2 tax information phishing attacks), every company is a potential target of a ransomware attack.

There are a couple of reasons why this is such a challenging problem to overcome from a technology perspective. Once the files are encrypted, it is nearly impossible to decrypt them. This leaves the affected organization facing the difficult choice of either paying the ransom or losing their data. In many cases, downtime and data loss are more costly than the ransom, which is why many organizations opt to pay. The second major challenge is that ransomware is highly polymorphic. There are tens of thousands of malware samples and variants detected in the wild.

As a result, all companies should be mindful of the risk of such an attack and take steps to limit the impact of such an attack, including being prepared to respond.

Responding to a ransomware attack can be a stressful and unnerving experience. Not surprisingly, depending on the system that is the target of the attack, time is usually of the essence. As part of a company’s broader incident response preparation, it is worth anticipating what you would do in the event of a ransomware attack. The following five questions are a good starting point for companies, and in-house counsel might consider leading this review together with their information security managers. While the answers to these questions often differ depending on the nuance or nature of a given attack, the investment in planning related to these questions can reduce the stress and increase the agility and effectiveness of a company’s response to an attack.


Cybercrime and Victim Shaming

Posted in Data Security, Hacking, Litigation, Privacy

Our Morrison & Foerster colleague and Socially Aware contributor Miriam Wugmeister has published a thought-provoking and insightful op-ed piece in The Hill on how companies that are the targets of cyberattacks are too often treated as suspects, rather than victims, by regulators.

In her op-ed, titled Stop Victim Shaming in Cyberattacks, Miriam points out that defending the American people and economy from hostile state or state-sponsored actors is critical for both economic and national security reasons. However, while our state and federal law enforcement agencies vigorously protect people from criminals and assist victims of crimes, companies that publicly disclose that they have been the victim of a cybercrime are not treated like a typical victim by federal and state regulators. Instead, they are investigated by numerous agencies, including the Federal Trade Commission, the State Attorneys General, and the Securities and Exchange Commission, while often simultaneously sued by consumers, business customers, and shareholders. In the face of the onslaught of cyber threats, U.S. companies are charged with defending themselves in cyberspace or facing legal liability.

How did we arrive at holding those victimized by a cybercrime liable for the damage inflicted upon them? You can read Miriam’s The Hill op-ed here.

 

Social Links: Instagram’s “offensive comment” filter; Twitter’s TV app; YouTube’s “Community” feature

Posted in Advertising, Cyberbullying, European Union, First Amendment, Litigation, Livestreaming, Marketing, Privacy

Instagram now allows users to hide offensive comments posted to their feeds. Take that trolls!

Soon you’ll be able to watch Twitter content like NFL Thursday Night Football on a Twitter app on Apple TV, Xbox One and Amazon Fire TV.

“Ballot selfie” laws—laws that prohibit posting online photos of completed election ballots—are being challenged in Michigan and New Hampshire.

Google may be recording you regularly.

YouTube content creators can now communicate with their followers in real time.

AdBlock Plus has launched a service that allows website operators to display “acceptable” ads to visitors using the popular ad blocking software. Irony, anyone?

The EU might soon require the same things of chat apps like Skype that it requires of telecom businesses.

A controversial proposal aims to give the EU’s 500 million consumers more digital streaming content choices.

An Austrian teen whose parents overshared on social media looks to the law for recourse.

Baltimore County officials warned government employees to watch what they say on social media.

With so many alternative content providers around these days, why do we still watch so much TV?

Here’s a list of 50 Snapchat marketing influencers who Mashable says are worth following.

Interest-Based Advertising Disclosure Requirements Become More Clear—and Potentially More Burdensome

Posted in Advertising

Recent enforcement decisions within the digital advertising industry indicate a shift in—and a clarification of—the required disclosures for companies engaged in interest-based advertising (IBA).

In particular, these decisions, taken together, indicate that an app developer’s link to its privacy policy at the point of app download may be deemed insufficient, unless the link points directly to the IBA disclosure section of the policy, or there is a clear link at the top of the policy that directs the user to that section.

Further, these decisions suggest that companies that comply with the digital advertising industry’s IBA self-regulatory principles should expressly affirm such compliance in their privacy policies.

Background

Some quick background: IBA is the collection of information about users’ online activities across different websites or mobile applications, over time, for the purpose of delivering online advertising to those users based on those activities. Although IBA is an important part of the online eco-system, if not done right, it can raise privacy concerns among consumers, who may feel that they are being spied upon by advertisers.

The Digital Advertising Alliance (DAA) has worked to ensure that IBA is done right. The DAA is a consortium of media and marketing associations that, in an effort to ward off legislation, has designed and implemented a self-regulatory compliance regime that seeks to address the Federal Trade Commission’s (FTC) IBA notice and choice expectations. The principles underlying this compliance regime are set out in the DAA’s Self-Regulatory Principles (“DAA Principles”). The DAA enforces these principles through the IBA accountability program, run by the Council of Better Business Bureaus and the Direct Marketing Association.

The DAA self-regulatory program is, at its heart, a notice-and-choice regime. In short, to facilitate such notice and choice, the DAA provides an advertising option icon to be placed in or near an online interest-based ad. By clicking on the icon, a consumer is sent to a landing page that describes the data collection practices associated with the ad and provides an opt-out mechanism.

Importantly, however, the DAA Principles have also been interpreted by the IBA accountability program to require “enhanced” notice on any website where information is collected for IBA purposes. In response to this interpretation, website publishers typically provide such notice in the form of an “Our Ads” or similarly named link in the site footer, separate from the privacy policy link, that clicks through to the same landing page as the advertising option icon, or to similar notice and choice information.

The Recent Decisions

In its recent enforcement actions, the IBA accountability program appears to have exported this manifestation of the enhanced notice requirement to mobile applications, notwithstanding the provisions of the DAA’s guidance on the Application of Self-Regulatory Principles to the Mobile Environment, first published in 2013.

That guidance expressly provides that app publishers (i.e., “first parties”) that permit third parties to collect information for IBA purposes must “provide a clear, meaningful, and prominent link to a disclosure that either points to a choice mechanism or setting that meets Digital Advertising Alliance specifications or individually lists such Third Parties.” This notice must be provided in two separate locations:

  • Either prior to download (e.g., in the app store on the application’s page), during download, on first opening of the app, or at the time cross-app data is first collected; and
  • In the application’s settings or any privacy policy.

The IBA accountability program appears, however, to be taking the position that a link to the privacy policy from the app store (or any other location) is not enough to meet this first prong.  That is, a “clear, meaningful, and prominent link” to the IBA disclosure must be a link directly to the IBA section of the privacy policy, in the same way that the “Our Ads” or similarly named link in the site footer clicks through to the IBA section of the privacy policy.

The IBA accountability program’s Spinrilla decision, for example, states that the accountability program could not find an “enhanced link notice separate from the privacy policy link” in the applicable app stores and affirmed that if only one privacy policy link will be used in the app store (where it is typically not possible to provide two separate links), “the link to the privacy policy must either go directly to the pertinent discussion of IBA or direct the user to that place through a clear link at the top of the privacy policy.”

The other accountability program decisions, Bearbit Studios and Top Free Games, reaffirm this interpretation. In light of these decisions, app publishers may want to revisit how they provide “enhanced notice” of their IBA practices.

Finally, the Mobile Guidance states that first parties should “indicate adherence” to the DAA Principles in their privacy policies. The accountability program decisions noted the absence of this language in the companies’ privacy policies, and the companies appear to have added language to their disclosures to comply with this obligation. Whether a company would want to affirmatively make this representation of its own accord is something that may warrant additional consideration, as the company’s failure to fully comply with such a representation could give rise to a charge of deception under Section 5 of the FTC Act or a similar state law.

The Upshot

In light of these developments, a company engaged in IBA should:

  • If engaged in IBA with respect to one or more of its apps, review how it discloses its IBA practices at the point of app download; and
  • Discuss with counsel the advisability of expressly stating adherence to the DAA Principles in its privacy policy.

 

*                      *                     *

 

For background information on the DAA program and its applicability to the mobile environment, please see our earlier Socially Aware blog post, Digital Advertising Alliance Focuses on Mobile Ads. For more on consumer privacy issues generally, please see the following posts: A Warning for Websites Allowing Data Collection for Online Behavioral Advertising; FTC’s Privacy Report Suggests Tightening of Privacy Regime, Provides Guidance to Business; and Tracking the Trackers: Social Media Companies Face Pressure for Tracking Users’ Browsing Habits.

Social Links: Snapchat ad revenue grows; the UK’s revenge porn problem; laws that enable control of digital assets after death

Posted in Advertising, Cyberbullying, Free Speech, Marketing, Privacy

Snapchat is on track to rake in an enormous amount of ad revenue by 2017.

Also, there’s mounting evidence that the company is working toward developing a Google Glass-like product.

We have written previously about the scourge of revenge porn; it turns out the UK has a serious revenge porn problem, too.

A new law in Illinois requires social media sites to give their users the opportunity to name a beneficiary who can access their accounts if they die. Only a few other U.S. states have laws that similarly protect social media users’ digital assets.

Baltimore police use Geofeedia to monitor citizens’ social media posts, raising concerns among civil libertarians.

Now you can see when someone reads the direct message you sent on Twitter (unless, of course, the recipient disables read receipts).

According to a new study, positive comments from your friends on Facebook can bring you as much happiness as having children. Those results don’t necessarily contradict earlier studies, which found that social media users became depressed when they consumed a lot of content passively.

Are hashtags actually hurting your Twitter marketing campaigns?

Pinterest’s president predicts that media publishers eventually won’t care whether their content gets consumed on their own companies’ websites or within partner apps.

A new chatbot called Yala examines users’ time zones, social media histories and other factors to determine the most effective times to post to social media.

Will brands eventually have virtual spaces where consumers can test drive products or try on clothes?

App Developer Not Liable Under TCPA For User-Initiated Texts

Posted in Litigation, Mobile

A recent decision out of the Northern District of California brings good news for developers of mobile apps that incorporate text messaging functions. Those functions may create the risk of claims under the Telephone Consumer Protection Act, which generally prohibits the delivery of a text message without the recipient’s express consent. But in Cour v. Life360, Inc., U.S. District Judge Thelton E. Henderson granted defendant Life360’s motion to dismiss a putative TCPA class action after determining Life360 could not be held liable under the TCPA for a text initiated by a user of Life360’s messaging and geolocation application.

Background

The plaintiff alleged that he received a single, unsolicited text message from Life360, which operates a mobile application that allows users to text and see the location of fellow users on their contact lists. According to the plaintiff, after users download the application and set up an account, the application requests access to their contact lists so they can invite their friends and family to join. Users choose those in their contacts they wish to invite and then press an “Invite” button on the screen to send the invitations via text message. Users are not told how or when those invitations will be sent.

Plaintiff filed claims under the TCPA and California’s Unfair Competition Law (UCL) on behalf of himself and a nationwide class of persons that received at least one text message from or on behalf of Life360. Life360 moved to dismiss both claims.

One Text Sufficient to Confer Standing Under Spokeo

Life360 first argued that the plaintiff lacked Article III standing because he failed to allege a concrete injury, as required under the U.S. Supreme Court’s decision in Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016). But the Court rejected that argument, holding that even though the plaintiff received only one text, the invasion of privacy it caused was sufficiently concrete to confer standing.

Life360 Not Liable Under the TCPA or UCL

The key disagreement between the parties was whether Life360 or its user was responsible for “initiating” the invitational text message sent to the plaintiff. Relying on guidance from the Federal Communications Commission’s July 2015 declaratory ruling, the Court ruled that the user—and not Life360—initiated the text to plaintiff, and thus Life360 could not be held liable.

The Court reasoned that Life360’s users have to affirmatively choose which of their contacts will receive an invitation and then press the “Invite” button to actually send the invitations. Even though Life360 does not inform its users how or when those invitations will be transmitted, given the TCPA’s purpose of preventing invasions of privacy, “the person who chooses to send an unwanted invitation is responsible for invading the recipient’s privacy even if that person does not know how the invitation will be sent.” Consequently, Life360 could not be held liable for the text message under either the TCPA or the UCL.

Takeaway

As this case demonstrates, to mitigate the risk of TCPA liability, developers of messaging software or applications should ensure that any text messages sent through their platforms are initiated by the users themselves through their affirmative conduct.

*          *          *

For more on the Telephone Consumer Protection Act’s application to text messages, see FCC Rules That Opt-Out Confirmation Text Messages Do Not Violate the TCPA; G2G, Yo Quiero TB: Taco Bell Found Not Liable for Franchisee Text Message Campaign; Face Off: Consumer Sues Hockey Team Over Text Messages. For more on the TCPA in general, see FCC Clarifies Its Interpretations of the Telephone Consumer Protection Act, Provoking Strong Objections From the Business Community.

 

Social Links: Instagram’s & Pinterest’s new features; the per-post premium paid to top influencers; a successful social media investor shares his strategy

Posted in Advertising, First Amendment, Free Speech, Marketing, Mobile

Instagram now allows users to zoom in on photos in their feeds and at least 11 brands are already capitalizing on the new feature.

Pinterest acquired Instapaper, a tool that allows you to cache webpages for reading at a later time.

A social-media celebrity with 500,000 followers and a lot of people interacting with his or her content could bring in how much for a single post?!

Snapchat’s first investor shares his secret for identifying the next big app.

SEC steps up scrutiny of investment advisers’ use of social media.

As younger audiences’ primary source of news, social media has understandably affected photojournalism.

Should social media companies establish guidelines for when they will—and will not—heed police officers’ requests to suspend suspects’ accounts?

Meet the officer behind a small New England city’s police department’s viral Facebook page.

Wondering whether you should hit “reply all” when someone has mistakenly included you on an email chain? The New York Times has one word for you.

Court Upholds Enforceability of “Clickwrap” Employee Agreement

Posted in Electronic Contracts


As we have previously discussed, if you want your electronic contracts to be enforceable, it is a best practice to require the counterparty to affirmatively accept the contract by checking a box or clicking a button. A recent New Jersey district court decision, ADP, LLC v. Lynch, reinforces this point. Such issues most often arise in the context of website terms of use, but ADP v. Lynch involved a non-competition provision and forum selection clause contained in documentation presented to employees electronically in connection with stock option grants.

The employer, ADP, sued two former employees for taking jobs at a competitor in violation of certain restrictive covenants contained in the stock option grant documentation. The employees sought to dismiss the action on the basis of lack of jurisdiction, and ADP responded by pointing to a forum selection clause in the grant documentation. The employees argued, however, that they had not received adequate notice of the restrictive covenants and that the forum selection clause was unenforceable.

The grant documentation containing the restrictive covenants and the forum selection clause had been presented to the employees in electronic form and, based on the allegations in ADP’s complaint, the employees were required to acknowledge the documentation in order to receive the stock option grants. Specifically, ADP had presented the documentation in such a way that each employee was physically unable to click the required “Accept Grant” button unless he or she had affirmatively checked a prior box indicating that he or she had read the associated documents containing the restrictive covenants and forum selection clause.

The court also noted that ADP’s manager of its stock plan services “provided a step-by-step rundown” of the process that employees were required to follow to accept stock option grants, and that, “in order to accept those awards, an employee would have to affirmatively acknowledge that he or she reviewed the Restrictive Covenants before proceeding.” This illustrates another point we have noted previously: If you want your electronic contracts to be enforceable, you should not only make sure to implement them in a way that requires affirmative acceptance, you should also be prepared to produce evidence that the user at issue actually accepted.

In light of the above, the court analyzed the grant documentation containing the restrictive covenants and forum selection clause as an enforceable “clickwrap” contract similar to the website terms of use at issue in another case we have written about previously, Fteja v. Facebook, Inc.:

 “At this stage in the litigation, the Court finds that the forum selection clauses are encompassed by enforceable clickwrap agreements. The complaints unequivocally allege that an employee could not accept any stock grants until acknowledging that he or she reviewed all grant documents, including the Restrictive Covenants that contained the forum selection clauses. […] In order to accept those awards, an employee would have to affirmatively acknowledge that he or she reviewed the Restrictive Covenants before proceeding. […] Therefore, this case involves the type of clickwrap agreement that other courts have found to be enforceable.”

The court also found unpersuasive the employees’ argument that mutual assent was lacking because the acknowledgment box did not expressly state “I agree to the terms of the grant documents,” but instead merely required the employees to acknowledge that they had read those documents. According to the court, this was a “distinction without difference” because, in accepting the option grant, the defendants were required to represent as part of the grant agreements that they had read the restrictive covenant agreements.

Accordingly, as ADP sufficiently alleged that it had required the employees to affirmatively accept the restrictive covenants and forum selection clause as part of the electronic contracting process, the court denied the employees’ motion to dismiss.

While this case does not necessarily break new ground in terms of the enforceability of electronic contracts, it does illustrate that the same principle applies whether you are seeking to impose terms and conditions on users of your website or enforce restrictive covenants and a forum selection clause in an employment agreement: make sure the counterparty is required to take some clear and affirmative action to expressly accept the contract.

*          *          *

For more on what it takes for an online agreement to be enforceable, see Implementing and Enforcing Online Terms of Use; Three Steps to Help Ensure the Enforceability of Your Website’s Terms of Use; Clickwrap, Browsewrap and Mixed Media Contracts: A Few Words Can Go a Long Way; and Terms and Conditions Buried in Easily Ignored Scroll Box Don’t Cut It, the Seventh Circuit Holds.

Social Links: Google penalizes sites with pop-up ads; proposed Federal legislation to criminalize revenge porn; ad industry group questions Kardashians’ social media posts

Posted in Advertising, Employment Law, Endorsement Guides, Free Speech, FTC, Labor Law, Litigation, Marketing, Mobile, Privacy

Google is cracking down on mobile pop-up ads by knocking down the search-result position of websites that use them.

The National Labor Relations Board decided a social media policy that Chipotle had in place for its employees violates federal labor law.

A group of lawmakers plans to introduce legislation that would criminalize revenge porn—explicit images posted to the web without the consent of the subject—at the federal level.

The Truth in Advertising organization sent the Kardashians a letter threatening to report them for violating the FTC’s endorsement guides. This isn’t the first time the legality of the famous family’s social media posts has been called into question. If only Kim would read our influencer marketing blog posts.

According to one study, 68% of publishers use editorial staff to create native ads.

Twitter launched a button that a company can place on its website to allow users to send a direct message to the company’s Twitter inbox.

The Center for Democracy & Technology criticized the Department of Homeland Security’s proposal to ask visa-waiver-program applicants to disclose their social media account information.

UK lawmakers issued a report calling on the big social media companies to do more to purge their platforms of hate speech and material that incites violence.

Social media is playing a bigger role in jury selection, Arkansas prosecutors and criminal defense lawyers say.

A day in the life of the Economist’s head of social media.

Seven things smart entrepreneurs do on Instagram.

Four ways to get busy people to read the email you send them.

Want to know how Facebook views your political leanings? Here’s the way to find out.