The U.S. Supreme Court on Oct. 16, 2017, announced it had granted the government’s petition for certiorari in United States v. Microsoft and will hear a case this Term that could have lasting implications for how technology companies interact with the U.S government and governments overseas. At issue is a consequential Second Circuit decision from last year that held that warrants issued under the Stored Communications Act (SCA) do not reach emails and other user data stored overseas by a U.S. provider.

While no federal appellate court besides the Second Circuit has squarely addressed the issue, multiple district courts outside the Second Circuit have declined to follow the Second Circuit’s reasoning in similar fact patterns involving other technology giants. The result is that U.S. law enforcement has different authority to access foreign-stored user data depending on where in the United States a warrant application is made. Google, for example, has expended significant resources to develop new tools to determine the geographic location of its users’ data so as to be in accord with the Second Circuit’s approach. Yet the company currently faces a hearing on sanctions for its alleged willful noncompliance with law enforcement requests in the Ninth Circuit based on a district court ruling that parted ways with the Second Circuit.

Continue Reading SCOTUS to Resolve Lower-Court Dispute Over U.S. Warrants Seeking Foreign-Stored User Data

With much fanfare, the Federal Trade Commission (FTC) continues to take actions relating to so-called “social media influencers” who allegedly fail to disclose material connections to the products or brands they endorse. Recurring enforcement actions and guidance—and the FTC’s ongoing promotion of its own efforts, such as through Twitter chats—make it clear that the FTC believes that its message has still not been heard by all of the players in this advertising ecosystem, including influencers themselves.

In short, any endorsements in any medium where the endorser has a material connection of any kind to the endorsed advertiser must be disclosed.

The most recent developments include an enforcement action against a company—and two of its officers—in connection with endorsements of the company made by the officers in YouTube videos and in social media.  Before turning to this case, however, we provide a brief overview of how the FTC has gotten here. Continue Reading Brands Beware: FTC Continues Campaign on Social Media Influencer Disclosures

As part of a new tracking system, the Department of Homeland Security will be keeping records of immigrants’ social media handles and search results.

Russia to Facebook: Turn over user-information or risk being blocked.

Google is ending a policy that required news sites to allow users at least one free article-click.

A new social media platform called Steemit will pay users in cryptocurrency for posting, commenting, or liking content—and its market capitalization is around $294 million.

Not everyone is a fan of Twitter’s new 280-character limit.

A type of biometric payment system that identifies a checking or credit account owner based on the unique vein-pattern in his or her fingertip would allow consumers to shop without cash, cards or devices.

Initial coin offerings (ICOs) are allowing startups that develop applications for blockchain technology to raise money without giving up the equity or decision-making power they would have to surrender to venture capitalists.

In this Wired op-ed, a former prisoner argues that allowing inmates controlled social media use might reduce recidivism and help the cell phone contraband problem.

Young kids are the new social media celebrities—and the law isn’t clear on whether they’re owed any of the money that their parents collect as a result of the viral videos.

When a social media celebrity famous for posting photos of herself posing in fitness gear changed the direction of her Instagram account to one that promotes body acceptance, she initially lost 70,000 followers, but she ultimately wound up with more fans than ever.

Kudos to Netflix’s in-house counsel for crafting a cease-and-desist letter for brand marketing in the modern age.

In 2016, brands spent $570 million on social influencer endorsements on Instagram alone. This recode article takes a looks at how much influencers with certain followings can command, and whether they’re worth the investment.

And don’t overlook the legal issues associated with the use of social media influencers; the FTC just settled its first complaint against social media influencers individually. The case involved two online gamers who posted videos of themselves promoting a gaming site that they failed to disclose they jointly owned.

In a precedent setting opinion, the European Court of Human Rights held that the right to privacy of a Romanian man, Bogdan Bărbulescu, was violated when Bărbulescu’s employer, without explicitly notifying Bărbulescu, read personal messages that Bărbulescu sent from an online account that Bărbulescu had been asked to set up for work purposes.

In other European news, the attorney general for England and Wales, Jeremy Wright, MP, has begun an inquiry into whether that jurisdiction needs to impose restrictions on social media in order to help ensure criminal defendants there get a fair trial.

More than half of Americans 50 or older now get their news from social media sites, Pew Research Center’s 2017 social media survey shows.

Celebrities who promote initial coin offerings (ICOs) on social media risk violating laws that apply to the public promotion of securities.

Facebook developed an artificial intelligence robot that can express emotion by making realistic facial expressions at appropriate times.

A college student has sued Snapchat and the Daily Mail for alleged defamation and invasion of privacy arising from the use of the student’s name and image on Discover, Snapchat’s social news feature, under the headline, “Sex, Drugs and Spring Break—College Students Descent on Miami to Party in Oceans of Booze and Haze of Pot Smoke.”

Is the threat of artificial intelligence disrupting a slew of industries less imminent than we thought?

Google created a website that uses fun illustrations to show which “how to” queries its users entered into the search engine most.

The popularity of online videos that viewers can appreciate with the sound turned off has led to striking similarities between early silent film and modern social video.

The number of consumers using multiple devices—from smartphones to tablets to laptop computers—has exploded in recent years and continues to grow globally. Companies are increasingly turning to new technologies in an attempt to ascertain that multiple devices are connected to the same person for a variety of purposes, such as preventing fraud, providing a more seamless user experience, and more effectively reaching their target audience. While such cross-device tracking provides a number of benefits, it also raises privacy concerns that have drawn increased regulatory scrutiny in the last few years.

Join Socially Aware contributors Julie O’Neill and Alja Poler De Zwart on Wednesday, Oct. 11, from 11:00 am until 12:00 pm ET for a practical, multijurisdictional look at cross-device tracking and best practices that companies can employ to achieve maximum commercial advantage while mitigating privacy risks. Topics that will be addressed include:

  • An overview of various cross-device tracking technologies and how they are used;
  • The privacy issues that cross-device tracking implicates and how to avoid common pitfalls;
  • Essential features of a compliant digital advertising program; and Recent U.S. and EU regulatory activity and trends, including self-regulatory guidance.

Register now.  There is no charge to attend the webinar.

As Socially Aware readers know, privacy and data security issues are among the most critical legal issues confronting companies that do business online. With ransomware attacks and hacking incidents on the rise, and with privacy and data security laws becoming increasingly burdensome, companies are spending more time and resources than ever before addressing privacy and data security issues. Indeed, Morrison & Foerster recently collaborated with ALM Intelligence to take an in-depth look at the types of privacy and data security issues with which in-house legal departments are wrestling, and how such departments are dealing with these issues. The resulting report is interesting and informative, and can be found here.

More and more often, the organizers of conferences, trade shows and events are taking advantage of beacon technology to track attendees’ movement throughout their conventions’ sessions and event spaces. Although no U.S. law specifically prohibits such tracking, the FTC has made it clear that companies need prior consent to engage in such tracking.

Find out how you may be able to monitor conference attendees’ movements throughout your event space without running afoul of the FTC Act. Read Convene magazine’s interview with Socially Aware marketing desk editor Julie O’Neill.

 

On June 22, 2017, the German Parliament passed a bill that, among other things, awards extensive surveillance powers to law enforcement authorities. The new law, once in force, will allow law enforcement to covertly install software on end user devices allowing the interception of ongoing communications via Internet services such as WhatsApp or Skype. These new measures may be used for investigating a wide array of crimes (the “Catalog Crimes”), which are classified as “severe” but range from murder to sports betting fraud to everything in between.

Today, the German Federal Criminal Police Office (BKA) is only allowed to engage in similar activities to prevent international terrorism. All other law enforcement authorities are only allowed to intercept regular text messages and listen to phone conversations in cases of Catalog Crimes. However, these investigators are currently fighting a losing battle against end-to-end encrypted Internet services. With respect to such services, the current legal framework only allows for access via the respective telecom operators. These operators, however, can only provide law enforcement with the encrypted communications streams. By introducing the new law, the German government now aims to prevent “legal vacuums” allegedly resulting from this surveillance gap. Continue Reading German Parliament Enacts Wide-ranging Surveillance Powers Allowing End User Devices to Be Hacked by Authorities

2015 11 30 DJV NAT 218Facebook’s four-year battle on behalf of its users, seeking to quash 381 warrants obtained by the New York County District Attorney’s Office, has come to a close. The decision of the New York Court of Appeals—which is New York’s highest court—leaves Facebook users exposed to wide-ranging and largely unchecked inquiries by New York criminal prosecutors into their Facebook accounts.

The story begins in July 2013, when the New York Supreme Court—which is the trial court in New York—issued 381 warrants arising out of the district attorney’s (DA) application for warrants under the Stored Communications Act (SCA). The DA was investigating an alleged Social Security Disability fraud scheme.

The DA’s request was extraordinarily broad. The warrants functionally amounted to a request for 381 users’ entire Facebook histories. The warrants compelled Facebook to produce not only any and all text, photos or videos a user had shared with his or her limited universe of friends, but also any private messages exchanged between the user and another individual (who could have been a spouse, doctor, religious figure or attorney) as well as information the user had chosen to no longer share with anyone, such as a previous email address, a deleted friend or a hidden post, and information the user had never intended to share with anyone, such as his or her searches and location.

The warrants also compelled Facebook to produce content shared by users who were not named in the 381 warrants, and may not even have known anyone named in the 381 warrants, but who had the misfortune of posting on the timelines of those users uploading photos of those users, or simply belonging to any one of the groups with which a named user was affiliated. At least several of the affected users were high school students who were highly unlikely to have been involved in a Social Security Disability fraud scheme. The issuing court also expressly prohibited Facebook from disclosing the existence or execution of the warrants.

While Facebook receives many such requests from law enforcement each year and often provides information in response, Facebook strongly objected to the wide-ranging requests in this case.

Facebook moved to quash the warrants on the ground that they were overly broad, but the New York Supreme Court denied the motion, finding that Facebook did not have standing to assert any privacy or Fourth Amendment rights on behalf of its users. Facebook also challenged the nondisclosure provisions of the warrants, but again the court sided with the DA, reasoning that disclosure of the warrants could jeopardize the DA’s ongoing investigation.

The intermediate appellate court dismissed Facebook’s appeal. The court explained that the orders from the lower court denying Facebook’s motion to quash were unappealable because, under New York law, there is no authority permitting review of interlocutory orders issued in criminal proceedings.

Facebook took the fight all the way to the New York Court of Appeals. Facebook argued that an order denying a motion to quash an SCA warrant should be treated like an appealable order denying a motion to quash a subpoena, rather than like an unappealable order denying a motion to quash a traditional warrant. While a traditional search warrant authorizes law enforcement officials to enter, search and seize property, an SCA warrant, like a subpoena, requires the target of the warrant to compile and turn over its own digital data.

On April 4, 2017, Facebook lost that fight when New York’s highest court ruled that it does not have authority to hear appeals from motions to quash search warrants issued under the SCA.

In a 5-1 decision, the Court of Appeals concluded that, despite the similarities between the manner of responding to SCA warrants and the manner of responding to subpoenas, an SCA warrant is a warrant, not a subpoena. As with traditional warrants, SCA warrants are only issued in criminal proceedings to a government entity that has supported its request for a warrant with probable cause. The court explained that the difference between execution of traditional warrants and SCA warrants is due to “the nature of the material sought”—it “ensures efficiency and minimizes intrusion” for a service provider to search and compile its own digital information rather than for law enforcement to conduct the search. Accordingly, the Court of Appeals found that the order denying Facebook’s motion to quash was not appealable.

Further, the Court of Appeals suggested that Facebook may not have had a right to bring a motion to quash in the first place. For purposes of this case, the Court of Appeals assumed, without deciding, that a motion to quash an SCA warrant was proper. However, the court noted that the SCA discusses warrants, subpoenas and court orders requiring disclosure of information separately, and only expressly provides for a motion to quash court orders.

The Court of Appeals did express some sympathy for Facebook’s concerns regarding the privacy of its users. At the outset, the court stated that “[t]his case undoubtedly implicates novel and important substantive issues regarding the constitutional rights of privacy and freedom from unreasonable search and seizures,” and that it was “tempting for the court to address those issues.” The court also noted that “Facebook’s concerns, as a third party, about overbroad SCA warrants may not be baseless.”

Notwithstanding its expressed concerns, and over a strenuous dissent from Judge Wilson, the New York Court of Appeals has provided criminal prosecutors wide-ranging investigative powers without providing Internet service providers an ability to obtain appellate review. With New York’s high court having spoken, the online industry’s focus is likely to shift toward a legislative fix that will promote users’ privacy interests and limit overreaching SCA warrants.

*        *       *

For other Socially Aware posts addressing user data and the Stored Communications Act, please see the following: Google Ordered to Comply with Warrant for Foreign-Stored User Data; Second Circuit: Email Stored Outside the U.S. Might Be Beyond Government’s Reach; and We’ve Come for Your Tweets: Twitter to Appeal Denial of Its Motion To Quash District Attorney’s Subpoena.

 

Computer laptop with ransomware malware virus key icon on red display background. Vector illustration technology data privacy and security concept.

The global WannaCry ransomware attack should be a wake up call for all companies about the threat ransomware poses. While WannaCry was one of the first highly publicized attacks in which ransomware was weaponized and used against numerous companies at once, there will undoubtedly be future attacks.  Companies can take proactive steps to reduce their chances of being hit by the next ransomware attack, and our team is working with companies around the world to help them be more resilient in light of these evolving threats.

Here are some key steps you can take to help your company protect itself from the next attack:

  1. Make sure software patches are routinely applied.
  2. If possible, only use supported operating systems and other software.
  3. Utilize antimalware and antivirus software tools and services.
  4. Back up your critical data.
  5. Train your employees on how to spot phishing emails.
  6. Create a cross-functional incident response plan.
  7. Practice responding to a ransomware attack in a table top exercise to be able to hit the ground running when this type of event occurs.
  8. Establish or enhance relationships with law enforcement and other critical partners.

In addition, we’ve compiled several resources to help you prepare for and respond to a ransomware incident: