
Socially Aware Blog

The Law and Business of Social Media

Social Links: IoT Causes Web Outage; YouTube Makes Endorsement Disclosure Convenient; NFL’s Social Media Policy Imposes Fines

Posted in Cyberbullying, Data Security, Endorsement Guides, Internet of Things, Marketing, Social Media Policy

The Internet of Things is apparently to blame for the Web outage that paralyzed the online world earlier this month.

Justin Timberlake took down his “ballot selfie” from Instagram after Tennessee authorities made clear that it was illegal.

Presumably in order to help facilitate compliance with guidance from regulators in the United States, United Kingdom and elsewhere, YouTube is making available to video creators an easy-to-use “sponsored content” notification that they can opt to have appear during the first few seconds of their videos.

Will blockchain technology be the next big wave of disruption for the music industry?

With Tinder’s new feature, online daters can be sure their profiles feature the photos most likely to get right-swipes.

When the chief digital officer at New York’s Metropolitan Museum of Art lost his job, he turned to social media for advice.

The NFL’s new social media policy promises to impose hefty fines on member teams that post videos or animated GIFs of games, or use Facebook Live or Periscope to stream anything in the stadium.

When a Russian tech entrepreneur’s friend died, she used artificial intelligence and his old text messages to create a futuristic memorial.

Employed but curious about new job opportunities? Now you can change your LinkedIn profile to secretly signal to recruiters that you’re in the market for a new gig.

Guess what percentage of Americans one researcher predicts will own a virtual reality headset in 2016?

Could Google Flights be the ticket to finding the best possible fare to your 2016 winter holiday destination?

UK Consumer Protection Regulator Cracks Down on Undisclosed Endorsements and “Cherry Picking” Reviews on Social Media

Posted in Advertising, Influencer Marketing, Online Endorsements, Online Reviews, UK


Social media is reportedly rife with influencers promoting or reviewing products or services without disclosing compensation or other consideration that they’ve received for such endorsements. The Competition and Markets Authority (CMA), the UK’s consumer protection regulator, is stepping up efforts to combat such undisclosed endorsements.

Following a ruling against an influencer marketing company, Social Chain Ltd, the CMA has warned 15 companies and 43 “social media personalities” who used Social Chain to publish content on social media that they could be in breach of UK consumer protection laws.

As we have discussed many times in Socially Aware, the advertising landscape has undergone a dramatic transformation over the past decade. The rise of social media and ever-increasing levels of Internet access across the world have made social media advertising a strong challenger to more traditional—and expensive—advertising methods, such as television advertising.

Of course, there is nothing novel in companies seeking to use celebrities to attract attention to and create excitement for their brand messages. But what has changed is the medium; when a consumer follows a celebrity on YouTube, Instagram, Facebook, Snapchat or Twitter (especially a social media personality who has become famous as a result of being on YouTube, Instagram, etc.), it’s not always easy to distinguish between a genuine opinion and an advertisement.

Second Circuit: Email Stored Outside the U.S. Might Be Beyond Government’s Reach

Posted in Litigation, Privacy, Stored Communications Act


As a result of the Second Circuit’s recent opinion in Microsoft v. United States, the U.S. government likely can no longer use warrants issued pursuant to the Stored Communications Act (“SCA”) to compel U.S.-based companies to produce communications, such as emails, that are stored in a physical location outside of the United States—at least for now. Instead, the government will likely need to rely on Mutual Legal Assistance Treaties, which provide a framework for states to, among other things, provide assistance to one another to obtain and execute search warrants in their respective jurisdictions.

Nevertheless, it is likely that the U.S. government will seek an alternative, which could include appealing the case to the Second Circuit en banc or pursuing legislation in Congress to amend and update the SCA in light of new digital realities.

Background on the SCA and the Microsoft Dispute

The SCA, which limits service providers’ disclosure of the user data they store, provides that a service provider may disclose to the government certain information, such as the stored contents of a customer’s emails, only if the government first obtains a warrant requiring the disclosure. Microsoft v. United States arose out of Microsoft’s dispute over the scope of one such warrant, which sought information about an email account that Microsoft determined was hosted in Dublin.

Microsoft moved to quash the warrant with respect to the actual emails in the account on the grounds that the SCA does not authorize a search and seizure outside of the territory of the United States, which is where the emails were stored.


Social Links: Facebook at Work; Google’s Allo messaging app; Snapchat’s Spectacles

Posted in Cyberbullying, Free Speech, Privacy, Wearable Computers

Facebook at Work, the on-the-job version of the web’s most popular social media platform, will launch in London on October 10th.

Add iHeartRadio to the list of Internet radio platforms that will be offering an on demand music streaming service.

California law will be updated to explicitly prohibit drivers from browsing social media or taking selfies (or other photos) while they’re behind the wheel.

Should you download Allo, Google’s new messaging app?

Florida appeals court: A student’s tweet stating that he “can’t WAIT to shoot up [his] school” is not a criminal threat under Florida law.

Available to consumers later this fall, Snapchat’s Spectacles are already raising the kinds of privacy concerns that plagued Google Glass.

Will artificial intelligence and robots eliminate millions of jobs? Not if these five tech giants can help it.

A tool is being developed to help law enforcement scan Twitter for signs of impending hate crime.

Meetup redesigned its mobile apps and website.

A rumination on cyberbullying, online anonymity and the dark side of human nature.

Social Media Safety Guide for Companies

Posted in Infographic, Social Media Policy

We’re delighted to publish our Social Media Safety Guide for Companies, which highlights key considerations to keep in mind in using social media to promote your company’s products and services and to engage with customers.

Social media has been referred to as the greatest development for marketers since the printing press, but the benefits of social media are not risk free; indeed, many companies have run into serious legal problems in their rush to take advantage of social media. Although not a substitute for advice from experienced legal counsel, our Guide is intended to highlight a number of emerging best practices for reducing U.S. legal risks in connection with corporate use of social media.


Social Links: Yelp’s Communications Decency Act claim; Twitter loosens its character limit; building a Snapchat audience

Posted in Cyberbullying, Data Security, Internet of Things, Litigation, Marketing, Online Reviews, Privacy

The California Supreme Court agreed to hear Yelp’s case arguing that requiring the company to remove a one-star review of a law firm “creates a gaping hole” in the immunity that shields internet service providers from suits related to user-generated content.

Images, videos and quoted tweets no longer count toward Twitter’s 140-character limit.

Google is undertaking cutting-edge efforts to battle online trolls.

Only 28 websites are registered under North Korea’s top level .kp domain.

Chinese law enforcement agencies investigating criminal cases can now secretly request access to personal information posted on social media services.

Back here in the United States, Twitter’s bi-annual transparency report shows that between January and June the platform received 2,520 information requests from U.S. law enforcement agencies.

The Department of Transportation issued a 15-point list of safety expectations for driverless cars.

Relationship Science, a repository of information about influential people and their connections, is opening its database to everyone, a change that could put the company in competition with LinkedIn.

Content marketers need to publish how many articles a week to make a difference?! Sigh.

Building an audience on Snapchat seems pretty arduous, too.

Concerned that your identity may have been stolen in some of the major hacking attacks in the last three years? Take this quiz to learn your minimum level of exposure and what you can do about it.

The five most popular bots on Botlist last week.

5 Questions to Help Prepare for a Ransomware Attack

Posted in Data Security, Hacking

Ransomware is a type of malware that prevents or limits users from accessing their system. This type of malware forces its victims to pay the ransom through certain online payment methods in order to grant access to their systems, or to get their data back. Some ransomware encrypts files (called Cryptolocker).

The news has been filled this year with reports of ransomware attacks against companies and government agencies, including even law enforcement. Ransomware refers to a type of malware that encrypts or otherwise restricts access to a machine or device. As part of the attack, the attacker will demand that the victim pay a ransom in order to receive the encryption key or otherwise recover access to the compromised machine.

The reality is that ransomware attacks have been proliferating against all types of companies and organizations. Ransomware is a profitable business for underground circles, and we expect to see continued targeting. Because these attacks may be isolated to a single machine, they frequently do not impact a company’s business continuity or result in a noticeable service disruption. In response to an infection, companies may be able to obtain the technical assistance needed to defeat the attack. Free online resources exist that will identify which ransomware infected your system and provide victims with known decryption keys. In other cases, companies may determine that the data loss is not significant and/or that backups exist, allowing them to rebuild the computer by reformatting the hard drive and reinstalling a clean operating system, applications and data. In other cases though, companies pay the ransom.

Ransomware attackers frequently use many of the same tools and tactics, such as spear phishing, as do other hackers. Unlike many hackers, however, ransomware attackers are not focused on stealing data that can be sold or used for illicit purposes (e.g., credit card information and trade secrets). Instead, ransomware is about economic extortion. The attackers prevent a company from being able to access its own system or data, and they make a demand. Usually, they want money, but that could change. Imagine a hacker who holds data and systems hostage in return for the company’s releasing a public statement, making a divestiture or arranging for a senior executive’s departure. The distinction between routine malware and ransomware is important to manage the scope of the threat. While some companies may not maintain data that is of value to cyber thieves (although that is becoming less and less the case, as evidenced by the proliferation of W-2 tax information phishing attacks), every company is a potential target of a ransomware attack.

There are a couple of reasons why this is such a challenging problem to overcome from a technology perspective. Once the files are encrypted, it is nearly impossible to decrypt them. This leaves the affected organization facing the difficult choice of either paying the ransom or losing their data. In many cases, downtime and data loss are more costly than the ransom, which is why many organizations opt to pay. The second major challenge is that ransomware is highly polymorphic. There are tens of thousands of malware samples and variants detected in the wild.

As a result, all companies should be mindful of the risk of such an attack and take steps to limit the impact of such an attack, including being prepared to respond.

Responding to a ransomware attack can be a stressful and unnerving experience. Not surprisingly, depending on the system that is the target of the attack, time is usually of the essence. As part of a company’s broader incident response preparation, it is worth anticipating what you would do in the event of a ransomware attack. The following five questions are a good starting point for companies, and in-house counsel might consider leading this review together with their information security managers. While the answers to these questions often differ depending on the nuance or nature of a given attack, the investment in planning related to these questions can reduce the stress and increase the agility and effectiveness of a company’s response to an attack.


Cybercrime and Victim Shaming

Posted in Data Security, Hacking, Litigation, Privacy

Our Morrison & Foerster colleague and Socially Aware contributor Miriam Wugmeister has published a thought-provoking and insightful op-ed piece in The Hill on how companies that are the targets of cyberattacks are too often treated as suspects, rather than victims, by regulators.

In her op-ed, titled Stop Victim Shaming in Cyberattacks, Miriam points out that defending the American people and economy from hostile state or state-sponsored actors is critical for both economic and national security reasons. However, while our state and federal law enforcement agencies vigorously protect people from criminals and assist victims of crimes, companies that publicly disclose that they have been the victim of a cybercrime are not treated like a typical victim by federal and state regulators. Instead, they are investigated by numerous agencies, including the Federal Trade Commission, the State Attorneys General, and the Securities and Exchange Commission, while often simultaneously sued by consumers, business customers, and shareholders. In the face of the onslaught of cyber threats, U.S. companies are charged with defending themselves in cyberspace or facing legal liability.

How did we arrive at holding those victimized by a cybercrime liable for the damage inflicted upon them? You can read Miriam’s The Hill op-ed here.

 

Social Links: Instagram’s “offensive comment” filter; Twitter’s TV app; YouTube’s “Community” feature

Posted in Advertising, Cyberbullying, European Union, First Amendment, Litigation, Livestreaming, Marketing, Privacy

Instagram now allows users to hide offensive comments posted to their feeds. Take that trolls!

Soon you’ll be able to watch Twitter content like NFL Thursday Night Football on a Twitter app on Apple TV, Xbox One and Amazon Fire TV.

“Ballot selfie” laws—laws that prohibit posting online photos of completed election ballots—are being challenged in Michigan and New Hampshire.

Google may be recording you regularly.

YouTube content creators can now communicate with their followers in real time.

AdBlock Plus has launched a service that allows website operators to display “acceptable” ads to visitors using the popular ad blocking software. Irony, anyone?

The EU might soon require the same things of chat apps like Skype that it requires of telecom businesses.

A controversial proposal aims to give the EU’s 500 million consumers more digital streaming content choices.

An Austrian teen whose parents overshared on social media looks to the law for recourse.

Baltimore County officials warned government employees to watch what they say on social media.

With so many alternative content providers around these days, why do we still watch so much TV?

Here’s a list of 50 Snapchat marketing influencers who Mashable says are worth following.

Interest-Based Advertising Disclosure Requirements Become More Clear—and Potentially More Burdensome

Posted in Advertising

Recent enforcement decisions within the digital advertising industry indicate a shift in—and a clarification of—the required disclosures for companies engaged in interest-based advertising (IBA).

In particular, these decisions, taken together, indicate that an app developer’s link to its privacy policy at the point of app download may be deemed insufficient, unless the link points directly to the IBA disclosure section of the policy, or there is a clear link at the top of the policy that directs the user to that section.

Further, these decisions suggest that companies that comply with the digital advertising industry’s IBA self-regulatory principles should expressly affirm such compliance in their privacy policies.

Background

Some quick background: IBA is the collection of information about users’ online activities across different websites or mobile applications, over time, for the purpose of delivering online advertising to those users based on those activities. Although IBA is an important part of the online eco-system, if not done right, it can raise privacy concerns among consumers, who may feel that they are being spied upon by advertisers.

The Digital Advertising Alliance (DAA) has worked to ensure that IBA is done right. The DAA is a consortium of media and marketing associations that, in an effort to ward off legislation, has designed and implemented a self-regulatory compliance regime that seeks to address the Federal Trade Commission’s (FTC) IBA notice and choice expectations. The principles underlying this compliance regime are set out in the DAA’s Self-Regulatory Principles (“DAA Principles”). The DAA enforces these principles through the IBA accountability program, run by the Council of Better Business Bureaus and the Direct Marketing Association.

The DAA self-regulatory program is, at its heart, a notice-and-choice regime. In short, to facilitate such notice and choice, the DAA provides an advertising option icon to be placed in or near an online interest-based ad. By clicking on the icon, a consumer is sent to a landing page that describes the data collection practices associated with the ad and provides an opt-out mechanism.

Importantly, however, the DAA Principles have also been interpreted by the IBA accountability program to require “enhanced” notice on any website where information is collected for IBA purposes. In response to this interpretation, website publishers typically provide such notice in the form of an “Our Ads” or similarly named link in the site footer, separate from the privacy policy link, that clicks through to the same landing page as the advertising option icon, or to similar notice and choice information.

The Recent Decisions

In its recent enforcement actions, the IBA accountability program appears to have exported this manifestation of the enhanced notice requirement to mobile applications, notwithstanding the provisions of the DAA’s guidance on the Application of Self-Regulatory Principles to the Mobile Environment, first published in 2013.

That guidance expressly provides that app publishers (i.e., “first parties”) that permit third parties to collect information for IBA purposes must “provide a clear, meaningful, and prominent link to a disclosure that either points to a choice mechanism or setting that meets Digital Advertising Alliance specifications or individually lists such Third Parties.” This notice must be provided in two separate locations:

  • Either prior to download (e.g., in the app store on the application’s page), during download, on first opening of the app, or at the time cross-app data is first collected; and
  • In the application’s settings or any privacy policy.

The IBA accountability program appears, however, to be taking the position that a link to the privacy policy from the app store (or any other location) is not enough to meet this first prong. That is, a “clear, meaningful, and prominent link” to the IBA disclosure must be a link directly to the IBA section of the privacy policy, in the same way that the “Our Ads” or similarly named link in the site footer clicks through to the IBA section of the privacy policy.

The IBA accountability program’s Spinrilla decision, for example, states that the accountability program could not find an “enhanced link notice separate from the privacy policy link” in the applicable app stores and affirmed that if only one privacy policy link will be used in the app store (where it is typically not possible to provide two separate links), “the link to the privacy policy must either go directly to the pertinent discussion of IBA or direct the user to that place through a clear link at the top of the privacy policy.”

The other accountability program decisions, Bearbit Studios and Top Free Games, reaffirm this interpretation. In light of these decisions, app publishers may want to revisit how they provide “enhanced notice” of their IBA practices.

Finally, the Mobile Guidance states that first parties should “indicate adherence” to the DAA Principles in their privacy policies. The accountability program decisions noted the absence of this language in the companies’ privacy policies, and the companies appear to have added language to their disclosures to comply with this obligation. Whether a company would want to affirmatively make this representation of its own accord is something that may warrant additional consideration, as the company’s failure to fully comply with such a representation could give rise to a charge of deception under Section 5 of the FTC Act or a similar state law.

The Upshot

In light of these developments, a company engaged in IBA should:

  • If engaged in IBA with respect to one or more of its apps, review how it discloses its IBA practices at the point of app download; and
  • Discuss with counsel the advisability of expressly stating adherence to the DAA Principles in its privacy policy.

 

*                      *                     *

 

For background information on the DAA program and its applicability to the mobile environment, please see our earlier Socially Aware blog post, Digital Advertising Alliance Focuses on Mobile Ads. For more on consumer privacy issues generally, please see the following posts: A Warning for Websites Allowing Data Collection for Online Behavioral Advertising; FTC’s Privacy Report Suggests Tightening of Privacy Regime, Provides Guidance to Business; and Tracking the Trackers: Social Media Companies Face Pressure for Tracking Users’ Browsing Habits.