Socially Aware Blog

The Law and Business of Social Media

Social Links: Facebook at Work; Google’s Allo messaging app; Snapchat’s Spectacles

Posted in Cyberbullying, Free Speech, Privacy, Wearable Computers

Facebook at Work, the on-the-job version of the web’s most popular social media platform, will launch in London on October 10th.

Add iHeartRadio to the list of Internet radio platforms that will be offering an on demand music streaming service.

California law will be updated to explicitly prohibit drivers from browsing social media or taking selfies (or other photos) while they’re behind the wheel.

Should you download Allo, Google’s new messaging app?

Florida appeals court: A student’s tweet stating that he “can’t WAIT to shoot up [his] school” is not a criminal threat under Florida law.

Available to consumers later this fall, Snapchat’s Spectacles are already raising the kinds of privacy concerns that plagued Google Glass.

Will artificial intelligence and robots eliminate millions of jobs? Not if these five tech giants can help it.

A tool is being developed to help law enforcement scan Twitter for signs of impending hate crime.

Meetup redesigned its mobile apps and website.

A rumination on cyberbullying, online anonymity and the dark side of human nature.

Social Media Safety Guide for Companies

Posted in Infographic, Social Media Policy

We’re delighted to publish our Social Media Safety Guide for Companies, which highlights key considerations to keep in mind in using social media to promote your company’s products and services and to engage with customers.

Social media has been referred to as the greatest development for marketers since the printing press, but the benefits of social media are not risk free; indeed, many companies have run into serious legal problems in their rush to take advantage of social media. Although not a substitute for advice from experienced legal counsel, our Guide is intended to highlight a number of emerging best practices for reducing U.S. legal risks in connection with corporate use of social media.


Social Links: Yelp’s Communications Decency Act claim; Twitter loosens its character limit; building a Snapchat audience

Posted in Cyberbullying, Data Security, Internet of Things, Litigation, Marketing, Online Reviews, Privacy

The California Supreme Court agreed to hear Yelp’s case arguing that requiring the company to remove a one-star review of a law firm “creates a gaping hole” in the immunity that shields internet service providers from suits related to user-generated content.

Images, videos and quoted tweets no longer count toward Twitter’s 140-character limit.

Google is undertaking cutting-edge efforts to battle online trolls.

Only 28 websites are registered under North Korea’s top level .kp domain.

Chinese law enforcement agencies investigating criminal cases can now secretly request access to personal information posted on social media services.

Back here in the United States, Twitter’s bi-annual transparency report shows that between January and June the platform received 2,520 information requests from U.S. law enforcement agencies.

The Department of Transportation issued a 15-point list of safety expectations for driverless cars.

Relationship Science, a repository of information about influential people and their connections, is opening its database to everyone, a change that could put the company in competition with LinkedIn.

Content marketers need to publish how many articles a week to make a difference?! Sigh.

Building an audience on Snapchat seems pretty arduous, too.

Concerned that your identity may have been stolen in some of the major hacking attacks in the last three years? Take this quiz to learn your minimum level of exposure and what you can do about it.

The five most popular bots on Botlist last week.

5 Questions to Help Prepare for a Ransomware Attack

Posted in Data Security, Hacking

Ransomware is a type of malware that prevents or limits users from accessing their system. This type of malware forces its victims to pay the ransom through certain online payment methods in order to grant access to their systems, or to get their data back. Some ransomware encrypts files (called Cryptolocker).

The news has been filled this year with reports of ransomware attacks against companies and government agencies, including even law enforcement. Ransomware refers to a type of malware that encrypts or otherwise restricts access to a machine or device. As part of the attack, the attacker will demand that the victim pay a ransom in order to receive the encryption key or otherwise recover access to the compromised machine.

The reality is that ransomware attacks have been proliferating against all types of companies and organizations. Ransomware is a profitable business for underground circles, and we expect to see continued targeting. Because these attacks may be isolated to a single machine, they frequently do not impact a company’s business continuity or result in a noticeable service disruption. In response to an infection, companies may be able to obtain the technical assistance needed to defeat the attack. Free online resources exist that will identify which ransomware infected your system and provide victims with known decryption keys. In other cases, companies may determine that the data loss is not significant and/or that backups exist, allowing them to rebuild the computer by reformatting the hard drive and reinstalling a clean operating system, applications and data. In other cases though, companies pay the ransom.

Ransomware attackers frequently use many of the same tools and tactics, such as spear phishing, as do other hackers. Unlike many hackers, however, ransomware attackers are not focused on stealing data that can be sold or used for illicit purposes (e.g., credit card information and trade secrets). Instead, ransomware is about economic extortion. The attackers prevent a company from being able to access its own system or data, and they make a demand. Usually, they want money, but that could change. Imagine a hacker who holds data and systems hostage in return for the company’s releasing a public statement, making a divestiture or arranging for a senior executive’s departure. The distinction between routine malware and ransomware is important to manage the scope of the threat. While some companies may not maintain data that is of value to cyber thieves (although that is becoming less and less the case, as evidenced by the proliferation of W-2 tax information phishing attacks), every company is a potential target of a ransomware attack.

There are a couple of reasons why this is such a challenging problem to overcome from a technology perspective. Once the files are encrypted, it is nearly impossible to decrypt them. This leaves the affected organization facing the difficult choice of either paying the ransom or losing their data. In many cases, downtime and data loss are more costly than the ransom, which is why many organizations opt to pay. The second major challenge is that ransomware is highly polymorphic. There are tens of thousands of malware samples and variants detected in the wild.

As a result, all companies should be mindful of the risk of such an attack and take steps to limit the impact of such an attack, including being prepared to respond.

Responding to a ransomware attack can be a stressful and unnerving experience. Not surprisingly, depending on the system that is the target of the attack, time is usually of the essence. As part of a company’s broader incident response preparation, it is worth anticipating what you would do in the event of a ransomware attack. The following five questions are a good starting point for companies, and in-house counsel might consider leading this review together with their information security managers. While the answers to these questions often differ depending on the nuance or nature of a given attack, the investment in planning related to these questions can reduce the stress and increase the agility and effectiveness of a company’s response to an attack.

Cybercrime and Victim Shaming

Posted in Data Security, Hacking, Litigation, Privacy

Our Morrison & Foerster colleague and Socially Aware contributor Miriam Wugmeister has published a thought provoking and insightful op-ed piece in The Hill on how companies that are the targets of cyberattacks are too often treated as suspects, rather than victims, by regulators.

In her op-ed, titled Stop Victim Shaming in Cyberattacks, Miriam points out that defending the American people and economy from hostile state or state-sponsored actors is critical for both economic and national security reasons. However, while our state and federal law enforcement agencies vigorously protect people from criminals and assist victims of crimes, companies that publicly disclose that they have been the victim of a cybercrime are not treated like a typical victim by federal and state regulators. Instead, they are investigated by numerous agencies, including the Federal Trade Commission, the State Attorneys General, and the Securities and Exchange Commission, while often simultaneously sued by consumers, business customers, and shareholders. In the face of the onslaught of cyber threats, U.S. companies are charged with defending themselves in cyberspace or facing legal liability.

How did we arrive at holding those victimized by a cybercrime liable for the damage inflicted upon them? You can read Miriam’s The Hill op-ed here.


Social Links: Instagram’s “offensive comment” filter; Twitter’s TV app; YouTube’s “Community” feature

Posted in Advertising, Cyberbullying, European Union, First Amendment, Litigation, Livestreaming, Marketing, Privacy

Instagram now allows users to hide offensive comments posted to their feeds. Take that trolls!

Soon you’ll be able to watch Twitter content like NFL Thursday Night Football on a Twitter app on Apple TV, Xbox One and Amazon Fire TV.

“Ballot selfie” laws—laws that prohibit posting online photos of completed election ballots—are being challenged in Michigan and New Hampshire.

Google may be recording you regularly.

YouTube content creators can now communicate with their followers in real time.

AdBlock Plus has launched a service that allows website operators to display “acceptable” ads to visitors using the popular ad blocking software. Irony, anyone?

The EU might soon require the same things of chat apps like Skype that it requires of telecom businesses.

A controversial proposal aims to give the EU’s 500 million consumers more digital streaming content choices.

An Austrian teen whose parents overshared on social media looks to the law for recourse.

Baltimore County officials warned government employees to watch what they say on social media.

With so many alternative content providers around these days, why do we still watch so much TV?

Here’s a list of 50 Snapchat marketing influencers who Mashable says are worth following.

Interest-Based Advertising Disclosure Requirements Become More Clear—and Potentially More Burdensome

Posted in Advertising

Recent enforcement decisions within the digital advertising industry indicate a shift in—and a clarification of—the required disclosures for companies engaged in interest-based advertising (IBA).

In particular, these decisions, taken together, indicate that an app developer’s link to its privacy policy at the point of app download may be deemed insufficient, unless the link points directly to the IBA disclosure section of the policy, or there is a clear link at the top of the policy that directs the user to that section.

Further, these decisions suggest that companies that comply with the digital advertising industry’s IBA self-regulatory principles should expressly affirm such compliance in their privacy policies.


Some quick background: IBA is the collection of information about users’ online activities across different websites or mobile applications, over time, for the purpose of delivering online advertising to those users based on those activities. Although IBA is an important part of the online eco-system, if not done right, it can raise privacy concerns among consumers, who may feel that they are being spied upon by advertisers.

The Digital Advertising Alliance (DAA) has worked to ensure that IBA is done right. The DAA is a consortium of media and marketing associations that, in an effort to ward off legislation, has designed and implemented a self-regulatory compliance regime that seeks to address the Federal Trade Commission’s (FTC) IBA notice and choice expectations. The principles underlying this compliance regime are set out in the DAA’s Self-Regulatory Principles (“DAA Principles”). The DAA enforces these principles through the IBA accountability program, run by the Council of Better Business Bureaus and the Direct Marketing Association.

The DAA self-regulatory program is, at its heart, a notice-and-choice regime. In short, to facilitate such notice and choice, the DAA provides an advertising option icon to be placed in or near an online interest-based ad. By clicking on the icon, a consumer is sent to a landing page that describes the data collection practices associated with the ad and provides an opt-out mechanism.

Importantly, however, the DAA Principles have also been interpreted by the IBA accountability program to require “enhanced” notice on any website where information is collected for IBA purposes. In response to this interpretation, website publishers typically provide such notice in the form of an “Our Ads” or similarly named link in the site footer, separate from the privacy policy link, that clicks through to the same landing page as the advertising option icon, or to similar notice and choice information.

The Recent Decisions

In its recent enforcement actions, the IBA accountability program appears to have exported this manifestation of the enhanced notice requirement to mobile applications, notwithstanding the provisions of the DAA’s guidance on the Application of Self-Regulatory Principles to the Mobile Environment, first published in 2013.

That guidance expressly provides that app publishers (i.e., “first parties”) that permit third parties to collect information for IBA purposes must “provide a clear, meaningful, and prominent link to a disclosure that either points to a choice mechanism or setting that meets Digital Advertising Alliance specifications or individually lists such Third Parties.” This notice must be provided in two separate locations:

  • Either prior to download (e.g., in the app store on the application’s page), during download, on first opening of the app, or at the time cross-app data is first collected; and
  • In the application’s settings or any privacy policy.

The IBA accountability program appears, however, to be taking the position that a link to the privacy policy from the app store (or any other location) is not enough to meet this first prong. That is, a “clear, meaningful, and prominent link” to the IBA disclosure must be a link directly to the IBA section of the privacy policy, in the same way that the “Our Ads” or similarly named link in the site footer clicks through to the IBA section of the privacy policy.

The IBA accountability program’s Spinrilla decision, for example, states that the accountability program could not find an “enhanced link notice separate from the privacy policy link” in the applicable app stores and affirmed that if only one privacy policy link will be used in the app store (where it is typically not possible to provide two separate links), “the link to the privacy policy must either go directly to the pertinent discussion of IBA or direct the user to that place through a clear link at the top of the privacy policy.”

The other accountability program decisions, Bearbit Studios and Top Free Games, reaffirm this interpretation. In light of these decisions, app publishers may want to revisit how they provide “enhanced notice” of their IBA practices.

Finally, the Mobile Guidance states that first parties should “indicate adherence” to the DAA Principles in their privacy policies. The accountability program decisions noted the absence of this language in the companies’ privacy policies, and the companies appear to have added language to their disclosures to comply with this obligation. Whether a company would want to affirmatively make this representation of its own accord is something that may warrant additional consideration, as the company’s failure to fully comply with such a representation could give rise to a charge of deception under Section 5 of the FTC Act or a similar state law.

The Upshot

In light of these developments, a company engaged in IBA should:

  • If engaged in IBA with respect to one or more of its apps, review how it discloses its IBA practices at the point of app download; and
  • Discuss with counsel the advisability of expressly stating adherence to the DAA Principles in its privacy policy.


*                      *                     *


For background information on the DAA program and its applicability to the mobile environment, please see our earlier Socially Aware blog post, Digital Advertising Alliance Focuses on Mobile Ads. For more on consumer privacy issues generally, please see the following posts: A Warning for Websites Allowing Data Collection for Online Behavioral Advertising; FTC’s Privacy Report Suggests Tightening of Privacy Regime, Provides Guidance to Business; and Tracking the Trackers: Social Media Companies Face Pressure for Tracking Users’ Browsing Habits.

Social Links: Snapchat ad revenue grows; the UK’s revenge porn problem; laws that enable control of digital assets after death

Posted in Advertising, Cyberbullying, Free Speech, Marketing, Privacy

Snapchat is on track to rake in an enormous amount of ad revenue by 2017.

Also, there’s mounting evidence that the company is working toward developing a Google Glass-like product.

We have written previously about the scourge of revenge porn; it turns out the UK has a serious revenge porn problem, too.

A new law in Illinois requires social media sites to give their users the opportunity to name a beneficiary who can access their accounts if they die. Only a few other U.S. states have laws that similarly protect social media users’ digital assets.

Baltimore police use Geofeedia to monitor citizens’ social media posts, raising concerns among civil libertarians.

Now you can see when someone reads the direct message you sent on Twitter (unless, of course, the recipient disables read receipts).

According to a new study, positive comments from your friends on Facebook can bring you as much happiness as having children. Those results don’t necessarily contradict earlier studies, which found that social media users became depressed when they consumed a lot of content passively.

Are hashtags actually hurting your Twitter marketing campaigns?

Pinterest’s president predicts that media publishers eventually won’t care whether their content gets consumed on their own companies’ websites or within partner apps.

A new chatbot called Yala examines users’ time zones, social media histories and other factors to determine the most effective times to post to social media.

Will brands eventually have virtual spaces where consumers can test drive products or try on clothes?

App Developer Not Liable Under TCPA For User-Initiated Texts

Posted in Litigation, Mobile

A recent decision out of the Northern District of California brings good news for developers of mobile apps that incorporate text messaging functions. Those functions may create the risk of claims under the Telephone Consumer Protection Act, which generally prohibits the delivery of a text message without the recipient’s express consent. But in Cour v. Life360, Inc., U.S. District Judge Thelton E. Henderson granted defendant Life360’s motion to dismiss a putative TCPA class action after determining Life360 could not be held liable under the TCPA for a text initiated by a user of Life360’s messaging and geolocation application.


The plaintiff alleged that he received a single, unsolicited text message from Life360, which operates a mobile application that allows users to text and see the location of fellow users on their contact lists. According to the plaintiff, after users download the application and set up an account, the application requests access to their contact lists so they can invite their friends and family to join. Users choose those in their contacts they wish to invite and then press an “Invite” button on the screen to send the invitations via text message. Users are not told how or when those invitations will be sent.

Plaintiff filed claims under the TCPA and California’s Unfair Competition Law (UCL) on behalf of himself and a nationwide class of persons that received at least one text message from or on behalf of Life360. Life360 moved to dismiss both claims.

One Text Sufficient to Confer Standing Under Spokeo

Life360 first argued that the plaintiff lacked Article III standing because he failed to allege a concrete injury, as required under the U.S. Supreme Court’s decision in Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016). But the Court rejected that argument, holding that even though the plaintiff received only one text, the invasion of privacy it caused was sufficiently concrete to confer standing.

Life360 Not Liable Under the TCPA or UCL

The key disagreement between the parties was whether Life360 or its user was responsible for “initiating” the invitational text message sent to the plaintiff. Relying on guidance from the Federal Communications Commission’s July 2015 declaratory ruling, the Court ruled that the user—and not Life360—initiated the text to plaintiff, and thus Life360 could not be held liable.

The Court reasoned that Life360’s users have to affirmatively choose which of their contacts will receive an invitation and then press the “Invite” button to actually send the invitations. Even though Life360 does not inform its users how or when those invitations will be transmitted, given the TCPA’s purpose of preventing invasions of privacy, “the person who chooses to send an unwanted invitation is responsible for invading the recipient’s privacy even if that person does not know how the invitation will be sent.” Consequently, Life360 could not be held liable for the text message under either the TCPA or the UCL.


As this case demonstrates, to mitigate the risk of TCPA liability, developers of messaging software or applications should ensure that any text messages sent through their platforms are initiated by the users themselves through their affirmative conduct.

*          *          *

For more on the Telephone Consumer Protection Act’s application to text messages, see FCC Rules That Opt-Out Confirmation Text Messages Do Not Violate the TCPA; G2G, Yo Quiero TB: Taco Bell Found Not Liable for Franchisee Text Message Campaign; Face Off: Consumer Sues Hockey Team Over Text Messages. For more on the TCPA in general, see FCC Clarifies Its Interpretations of the Telephone Consumer Protection Act, Provoking Strong Objections From the Business Community.


Social Links: Instagram’s & Pinterest’s new features; the per-post premium paid to top influencers; a successful social media investor shares his strategy

Posted in Advertising, First Amendment, Free Speech, Marketing, Mobile

Instagram now allows users to zoom in on photos in their feeds and at least 11 brands are already capitalizing on the new feature.

Pinterest acquired Instapaper, a tool that allows you to cache webpages for reading at a later time.

A social-media celebrity with 500,000 followers and a lot of people interacting with his or her content could bring in how much for a single post?!

Snapchat’s first investor shares his secret for identifying the next big app.

SEC steps up scrutiny of investment advisers’ use of social media.

As younger audiences’ primary source of news, social media has understandably affected photojournalism.

Should social media companies establish guidelines for when they will—and will not—heed police officers’ requests to suspend suspects’ accounts?

Meet the officer behind a small New England city’s police department’s viral Facebook page.

Wondering whether you should hit “reply all” when someone has mistakenly included you on an email chain? The New York Times has one word for you.