CART0669,CART0470

“Get a Personal Trainer for Your Computer!”©

 

 

 

 

THERE ARE MANY LAWS WHICH CONCERN THE USES OF COMPUTERS IN BUSINESS AND INDIVIDUALLY, FAR TOO MANY TO RECAP HERE.  HOWEVER, THOSE SET FORTH BELOW ARE THE BASIC FEDERAL LAWS, REGULATIONS AND ISSUES WHICH YOU SHOULD KNOW ABOUT.  WHERE THERE HAS NOT YET BEEN ANY FEDERAL PRONOUNCEMENT, CURRENT STATE LAWS ARE DISCUSSED. 

ANTICYBERSQUATTING CONSUMER PROTECTION ACT, a/k/a Truth in Domain Names Act [15 U.S.C. Sec. 1125(D)]

COMMUNICATIONS DECENCY ACT OF 1966 [47 U.S.C.  Sec. 230], a/k/a “CDA

*PRIVACY LEGISLATION - IS THERE A CONSTITUTIONAL RIGHT TO PRIVACY?

BLOGGERS MUST DISCLOSE PAYMENTS FOR REVIEWS

CHILDREN’S ON-LINE PRIVACY PROTECTION ACT OF 1998 (“COPPA”)[28 U.S.C. Sec. 1301]

ELECTRONIC COMMUNICATIONS PRIVACY ACT, a/k/a (“ECPA”) [18 U.S.C. Sec. 2701-2711 - STORED WIRE AND ELECTRONIC COMMUNICATIONS AND TRANSACTIONAL RECORDS ACCESS]

STORED COMMUNICATIONS ACT (18 USC 2701 (“SCA”)

DIGITAL MILLENNIUM COPYRIGHT ACT of 1998, a/k/a “DMCA” [17 U.S.C. Sec. 512]

THE STOP ONLINE PIRACY ACT (“SOPA”)

PROTECT IP Act (Preventing Real Online Threats to Economic Creativity and Theft of Intellectual Property Act of 2011) (“PIPA”)

Online Protection and Enforcement of Digital Trade Act (“OPEN”)

NO ELECTRONIC THEFT (“NET”) ACT

COMPUTER FRAUD AND ABUSE ACT [18 U.S.C. 1030]

UNLAWFUL INTERNET GAMBLING ACT OF 2006

THE 1990 AMERICANS WITH DISABILITIES ACT (“ADA”)

CONTROLLING THE ASSAULT OF NON-SOLICITED PORNOGRAPHY AND MARKETING ACT OF 2003 (“CAN-SPAM”) [15 U.S.C. Sec. 7701-7713]

FISMA: The Federal Information Security Management Act of 2002

REVISIONS TO FEDERAL RULES OF CIVIL PROCEDURE REGARDING DISCOVERY OF ELECTRONIC MEDIA RECORDS: 2006 Revisions to Rules 16,26,33,34,37 of FRCP Discovery Provisions

REVISIONS TO RULE 41 OF THE FEDERAL RULES OF CRIMINAL PROCEDURE

SARBANES-OXLEY ACT OF 2002, a/k/a the Public Company Accounting Reform and Investor Protection Act of 2002 (“SARBOX”)

U.S. PATRIOT ACT (P.L. 107-56)

USA FREEDOM ACT

Health Insurance Portability and Accountability Act [P.L. 104-191] (“HIPAA”)

Health Information Technology for Economic and Clinical Health Act (“HITECH”)

Gramm-Leach-Billey Act, also known as the Financial Modernization Act of 1999

PCI Data Security Standards

Federal Information Processing Standards (“FIPS”)

KYC Regulations

U.S. Federal Trade Commission “Red Flag” Rules

The Internet Tax Freedom Act Amendment of 2007

Internet Freedom and Nondiscrimination Act

Net Neutrality

RESTRICTIONS ON ISPs USE OF USERS’ INFORMATION

PRO-IP (Prioritizing Resources and Organization for Intellectual Property) Act of 2008

Transportation Safety Administration guides to air travel with laptops

Criminal laws prohibiting accessing any computer or network without the owner’s permission

Criminal Instrumentor theTool of a Crime” laws

CyberStalkingand “CyberBullying” laws

CYBERSECURITY LAWS:  Federal Personal Data Privacy and Security Act

Communications Assistance for Law Enforcement Act of 1994

“Robocalling” software

Security Breach Disclosure Laws

Software Compliance Audits

A NOTE ABOUT “COMPUTER FORENSICS”

Credit Card and Consumer Warranty Laws

Combating Online Infringements and Counterfeits Act (“COICA”)

THE TRUTH IN CALLER ID ACT OF 2009

FEDERAL AND STATE ELECTRONICS RECYCLING LAWS

WHY LAWSUITS ARISE AND HOW TO AVOID THEM

* IS SEXTING ILLEGAL?

* IS THERE GOING TO BE AN INTERNET SALES TAX?

* MANUAL ON INTERNATIONAL LAW APPLICABLE TO CYBER WARFARE

* APPLE VS. SAMSUNG PATENT DECISION

THE ORIGINAL APPLE vs MICROSOFT AND DoJ vs MICROSOFT LITIGATION

LAWS ABOUT CELL PHONE SEARCHES

U.N. International Telecomunication Union

* Cyber Intelligence Sharing & Protection Act (“CISPA”)

Computer Fraud and Abuse Act (“CFAA”)

* State Telemedicine Laws

* State Texting While Driving Laws

*State Texting While Walking (“Distracted Walking”) Laws

* DO NOT TRACK LAW

* Apple e-book Antitrust Litigation

* Revenge Porn Laws

* Online Eraser Laws

* Data Collection Laws

Keep Your Eye On Aero

* FTC Investigation About OnLine Ad Tracking

* The Innovation Act

* Akamai vs Limelight goes to Supreme Court

* Federal Patent Troll Law

* Google Privacy Cases

* LAWS ABOUT WHAT HAPPENS TO YOUR DIGITAL IDENTITY WHEN YOU DIE

* WHAT’S GOING ON WITH THE KIM DOTCOM/MEGAUPLOAD LITIGATION

* CELL PHONE UNLOCKING LAW

eSIGNATURES, eFILING, ETC.

*STALKING APPS

*HOTELS BLOCKING OUTSIDE WI-FI HOTSPOTS

*BIOMETRIC PRIVACY PROTECTION LAWS

*SECURITY AND PRIVACY IN YOUR CAR ACT

*PCNA ACT

*POCKET DIALING  PRIVACY

*CLOUD STORAGE OF E-MAILS - LEGAL PROTECTION

Google Copyright Lawsuit About Scanning All Books in Print

YES, YOU CAN SUE YOUR PRINTER COMPANY

*BLANKET GAG CLAUSE PROHIBITION

THE GOVERNMENT’S RIGHT TO COMPEL UNLOCKING CELL PHONES (and other devices)

THE GOOGLE DIGITAL LIBRARY LITIGATION

IS IT LEGAL TO RECORD AUDIO OR VIDEO WITH YOUR CELL PHONE?

THE GOOGLE - ORACLE JAVA LICENSE DISPUTE

*NAA COMPLAINT AGAINST AD-BLOCKING

*CONVICTIONS FOR SWATTING

* THE FCC’S SET TOP  BOX RULES

* THE FCC’S CLAIM AGAINST D-LINK

* WARNING TO COMPUTER TECHS

* =  Still in litigation, pending final legislative approval or Federal act, or differing by state.

PLEASE SCROLL DOWN...

ANTICYBERSQUATTING CONSUMER PROTECTION ACT, a/k/a Truth in Domain Names Act [15 U.S.C. Sec. 1125(D)]:  This federal law, enacted in 1999, makes people who register domain names that are the trademarks or tradenames of others or other individual’s names with the sole intent of selling the rights to that domain name back to the trademark or tradename holder or the named individual for profit, liable for civil penalties.  Of course, that didn’t stop Apple from paying $60 million to a Taiwanese firm for the rights to the iPad name in June, 2012.  Apparently, like many U.S. cyberlaws,  the law doesn’t apply to cybersquatters in countries outside of the U.S.

COMMUNICATIONS DECENCY ACT OF 1966 [47 U.S.C.  Sec. 230], a/k/a “CDA”:  The Government’s attempt to regulate pornography on the Internet.  There is a provision of this law that web hosting companies are not responsible for the materials users post on their sites.  The 9th Circuit Court of Appeals (CA) has ruled in 2014 and 2016 that, while ISPs don’t have an “unlimited get-out-of-jail-free” card, they are generally protected from legal liability for the content that third-parties publish on their sites.

PRIVACY LEGISLATION - IS THERE A CONSTITUTIONAL RIGHT TO PRIVACY?  This section became so long that I had to make an entirely separate page for its contents.  Click HERE for the discussion.

FTC RULES:  BLOGGERS MUST DISCLOSE PAYMENTS FOR REVIEWSStarting December 1, 2009, the FTC has unanimously approved guidelines for the first time regulating deceptive and unfair practices in on-line and blogging testimonials.  Consumer Reports states that almost 80% of on-line shoppers check user reviews first.  In order to gain consumers’ trust, many unscrupulous companies use their own employees or paid endorsements to masquerade their advertising.  Now, the FTC will require that bloggers and reviewers on the Web “clearly and conspicuously” disclose any freebies or payments they get from companies for reviewing their products and any association with those companies.  It also prohibits advertisers featuring testimonials that claim dramatic results from hiding behind disclaimers that the “results are not typical”.  Penalties for violations will be severe, including fines ($11,000 per incident) and injunctive relief against the blogger, or more likely, the advertiser.  (Lifestyle Lift was recently fined $300,000 because its employees published positive reviews and other deceptive actions.)  But these disclaimers may still be difficult to find.  So, if you only see positive reviews with no negative factors, or no mention of personal experience, question their credibility.  This also means that celebrities must make it clear that they are being paid for their product endorsements as well.  Personalities like Khloe Kardashian can get paid as much as $13,000 for a simple Tweet endorsing lip balm.IP

CHILDREN’S ON-LINE PRIVACY PROTECTION ACT OF 1998 [28 U.S.C. Sec. 1301] (“COPPA”):  Regulates unfair and deceptive practices in connection with the collection and use of personal information from and about children under the age of thirteen over the Internet as violations by web providers under the FTC Act.  For example, under this law, website hosts may want to prohibit membership applications or registration by users under the age of thirteen, absent written parental consent, in order to protect themselves from violation of this law.  In view of what the FTC calls “an explosion in children’s use of mobile devices, the proliferation of online social networking and interactive gaming,” on 9/15/11 the agency proposed regulatory changes, expanding the definition of “personal information” to include a child’s location, along with any personal data collected through cookies for the purposes of targeted advertising, which must be protected and held, then deleted, for only as long as reasonably necessary.  This immediately followed the FTC fine of $50,000 against W3 Innovations, a company which makes mobile phone applications, which collected personal information about children without parental consent over mobile phones. In 2014 the FTC found that Yelp and TinyCo also violated the act in part because they didn’t obtain parental consent before collecting information from children under 13.  See also the IoT page for possible violations of PDA devices under this lqw.

ELECTRONIC COMMUNICATIONS PRIVACY ACT, a/k/a “ECPA” [18 U.S.C. Sec. 2701-2711 - STORED WIRE AND ELECTRONIC COMMUNICATIONS AND TRANSACTIONAL RECORDS ACCESS]:  This 1986 law and its 2012 amendment was  enacted to extend restrictions on traditional wire taps of telephone calls to include transmissions of electronic data by computer, long before Internet use became mainstream.  That is, the days before e-mail, texting and cell phones, when communications were made by phone, letter and fax, and not routinely entrusted to third parties like Facebook and Google, and the legal myth that people “voluntarily” impart their private information to these third parties in the cloud. The ECPA, and the case law interpreting it, concern the extent of protection accorded e-mails, both stored and in transmission and records of ISPs. Following the basis of two cases (U.S. v. Miller (1976) and Smith v. Maryland (1979)), the Third Party Records Doctrine has traditionally been applied to mail.  Under this doctrine, a person cannot assert a Fourth Amendment protection interest in information knowingly provided to a third party.  Thus, you would have no expectation of privacy for bank records (Miller) or listings of your phone calls in the telephone company’s “pen register” (Smith).  Following this reasoning, the ECPA reasons that, if you use webmail like Google, Microsoft, Yahoo or AOL to retrieve your e-mail messages from your ISP’s server (as opposed to a program [Like Outlook] that downloads the messages onto your own hard drive and then deletes them from the server), you are not entitled to any Fourth Amendment protection.  Originally, In a loophole written by Congress, the ECPA allowed warrantless searches of stored communications on cell phones and computers and held by ISPs.  But, under the 2012 amendments, ECPA now requires that if an email was unopened and fewer than 180 days old, law enforcement would need to get a warrant to read it on a server. After six months or after the email was opened, however, the local police or the FBI would only need to swear out an administrative subpoena. They would essentially need to say only that the information in an email account was relevant to an investigation.

 So what about employers’ monitoring of employee e-mail and telephone calls? This would come under any of the three exceptions to the ECPA:  Employers are generally allowed to monitor business-related telephone calls, to monitor communications where there has been employee consent (e.g. by employment contract or signed separate agreement, and to retrieve and access stored e-mail messages.  See also, e-discovery, below, for the application of the Stored Communications Act (see below) provisions. Note that Google and others (e.g. Apple, Amazon, ACLU, Facebook and Twitter) of the Digital Due Process Coalition have pushed for reform of the ECPA to restrict the amount of access to stored e-mails by government investigators under the law.  See also FAQ #59 for a discussion of e-mail privacy laws applicable to individuals.  And click HERE for case law about Zip code collection.

STORED COMMUNICATIONS ACT (18 USC 2701 (“SCA”) [10/21/86]:  This law, which has been somewhat eroded by the Patriot Act (see discussion in ECPA, above), still has active civil provisions.  It regulates when an electronic communication service provider (“ECP”) may divulge information about or the contents of a customer’s electronic communications to private parties.  It forbids such disclosure in private circumstances, such as divorce or other civil proceedings, with the exception of communications that are already accessible to the general public.  As discussed above, while Section 2703 of the SCA requires the Government to obtain a warrant to obtain information from service providers, the ECPA and the Patriot Act have carved large loopholes past these SCA provisions.

DIGITAL MILLENNIUM COPYRIGHT ACT of 1998, a/k/a “DMCA” [17 U.S.C. Sec. 512]:  This is a U.S. copyright law, signed 1n 1998 by President Clinton, which implemented two 1996 World Intellectual Property Organization treaties and added stronger penalties for copyright infringement on the Internet.  The DMCA makes it a criminal offense to circumvent any kind of technological copy protection, even if you don’t violate anyone’s copyright in doing so.  Simply disabling copy protection is a federal crime.  Even if you “crack” DRM, without making or distributing illegal copies of the copyrighted material, it’s against this law, which applies to all sorts of copy-protected files, including music, movies and software.  Click HERE for a summary of the law.  In 2014, Congress is holding hearings on updating the Act.

THE STOP ONLINE PIRACY ACT (“SOPA”):  Introduced in October, 2011 by Rep, Lamar Smith (R-Tx) at the urging of the Motion Picture Association of America and the U.S. Chamber of Commerce, if adopted, will authorize the Justice Dept. to direct U.S. companies to stop hosting or providing payment services to foreign sites that illegally stream American content. It could order search engines to stop listing such sites and domain registrars to direct traffic elsewhere.  A similar bill known as the ProIP Act (“PIPA”), is being considered by the Senate.  Both are aimed at stopping the illegal streaming of movies in the U.S., which has become a big business.  [SHELVED; See discussion below]. UPDATE:  But it’s been rebranded as “notice and stay down” provision (i.e. SOPA 2.0) of the revisions to the DCMA being discussed in hearings before the House Judiciary Committee on Copyright Reform in 2014.

PROTECT IP Act (Preventing Real Online Threats to Economic Creativity and Theft of Intellectual Property Act of 2011) (“PIPA”)  The Senate counterpart of SOPA.  [SHELVED; See discussion below.] 

Online Protection and Enforcement of Digital Trade Act (“OPEN”) A draft act by a partisan group of House members supported by the tech industries as a compromise to SOPA and PIPA. [SHELVED; See discussion below.]

A discussion about DCMA, SOPA, PIPA and OPEN Anti-Piracy Laws: DCMA has protected against copyright infringement since 1998.  For example, if a YouTube posting violates an author’s copyright, the author may post a “takedown notice” with YouTube demanding that the infringing materials be removed from the site.  YouTube, in turn, sends the alleged infringer a notice, allowing him to counter file if he believes he has not infringed and, if the allegations are not settled, the issue may ultimately go to court for resolution.  The problem is that this works fine for U.S. based infringers, but not well at all for overseas infringers (such as, for example, torrent hub The Pirate Bay).  Because of this, the SOPA was introduced in the House in October, 2011 and PIPA was approved by a Senate committee in May, 2011.  Both of these bills tackle the issue by moving up the Internet chain.  While the U.S. can’t force overseas sites to take down copyrighted work, it could at least permit companies to obtain a court order to stop U.S. companies from providing their services and links to those sites, making it much harder for U.S. internet users to find and access them by delisting them in search results and refusing to connect to the servers and requiring advertising companies (like PayPal) to cut off payments to it.  Moreover, SOPA potentially puts site operators on the hook for the content their users upload, deeming it responsible if it fails to take “deliberate actions to avoid confirming a high probability” that its service will be used for copyright infringement.  It is this language which scares legitimate U.S. technology companies to new and uncertain liabilities and impossible mandates requiring monitoring of websites.  Many tech companies have supported the compromise of OPEN, which offers accused sites greater protection and allows cases to be brought before the U.S Int’l Trade Commission, which is more qualified than civil courts to deal with such issues. January 18, 2012 has been designated “Internet Blackout Day” on which certain Internet sites (Wikipedia, Google, Boing Boing, Firefox, Wired, etc.) will go dark or show home pages protesting the two pending privacy bills for a 24 hour period. Both of these laws were shelved in early 2012 and it is unclear whether they will be proposed again, at least without lengthy public comment. [See CISPA below for the  2011, 2013 and 2014 introduction of new legislation about cybersecurity.]  See also NET NEUTRALITY, below.

Meanwhile, while it is not a law, an industry workaround dubbed “Six Strikes” which uses software by MarkMonitor is an escalating warning system used by ISPs which identifies those engaged in copyright infringing activities and informs the ISPs, which are then able to take action.  The action would start with a warning and then escalate up to termination of service if ignored.  Initial participation includes AT&T, Verizon, Comcast, Cablevision and Time Warner Cable and is scheduled to start in late December, 2012.  But Six Strikes is more engaged in locating users who are hogging bandwidth to presumably download or distribute movies and other copyrighted materials in the U.S., which isn’t the major problem.  And many of those people may reside in locations like apartment buildings or office complexes which will only show MarkMonitor the “public” IP address of the modem or router, not the specific user on the network, so how effective will this be and who will be penalized?  {See also, Aaron Swartz.}

Congress didn’t give up.  By 2016, the proposed legislation has been recycled into back-room negotiated trade deals (e.g. the Trans-Pacific Partnership’s 6,194 page agreement) and court cases (ClearCorrect Operating v. ITC, possibly giving the ITC the power to demand the ISPs to block websites, restricting the flow of information over the Internet).  The music and movie industries are trying to rewrite the “notice and takedown” provisions of the DCMA and replace them with “notice and stay down”.  DCMA Sec. 512 currently protects online service providers from legal liability for activity which takes place on their networks or hosted websites, provided they meet certain “safe harbor” requirements like takedown requests, which have increased exponentially (some say filed due to prompting by music and movie industry sources) recently (almost a billion by Google alone). As a result, industries have requested a stronger notice and stay down provision, completely removing the offending sites from participating on the Internet.  The civil libertarians argue that this guilty-until-proven-innocent approach goes too far in the opposite direction, unfairly penalizing, for example, a YouTube post of an infant’s first steps while protected music is playing in the background.  Fair Use be damned, they say.  Stay tuned....

On 10/13/2008 President Bush has signed an intellectual property enforcement bill into law, after near unanimous approval by Congress.  The new law, named the PRO-IP (Prioritizing Resources and Organization for Intellectual Property) Act of 2008, establishes within the executive branch a position of intellectual property enforcement coordinator (copyright enforcement “czar”), who will be appointed by the President.  The law also heightens the penalties for intellectual property infringement and provides the Dept. of Justice with greater resources for handling piracy issues, such as seizure of houses, cars, boats, computers, etc. allegedly involved in the commission of a crime.  For my own personal take on this law, see the RANTS page. See also, SOPA, for the House version of this bill. 

NO ELECTRONIC THEFT (“NET”) ACT: This law was also passed during the Clinton administration and is the basis for the familiar “FBI Warning” at the beginning of most DVD movies. The NET Act made copyright infringement itself a federal criminal offense (prior to that it was a civil issue), regardless of whether the circumvention of the copy-protection was made for any gain or commercial benefit. Just making a copy of a copyrighted work for a friend can make you subject to up to five years in prison and $250,000 in fines.  Click HERE for more.

COMPUTER FRAUD AND ABUSE ACT [18 U.S.C. 1030]: This law was passed by Congress in 1986 to reduce hacking of computer systems.  It was amended in 1994, 1996 and 2001 by the U.S. Patriot Act (see below).  Because it includes the element of “scienter” (knowledge) that one is breaking into a computer directly or indirectly, the penalties are quite severe, starting at 10 years maximum penalty for even a first offense.

UNLAWFUL INTERNET GAMBLING ACT OF 2006: This Federal law criminalizes acceptance of funds from bettors, but does not criminalize the bettors themselves.  However, many states have gone the additional step to make gambling on the Internet a felony. For example, Washington state makes on gambling a Class C felony punishable by up to five years in prison and a fine of $10,000.  Check your own state’s laws on this subject. 

THE 1990 AMERICANS WITH DISABILITIES ACT, 42 USC  Sec, 12101 (“ADA”):  Section 508 of the “ADA”  requires that Federal agencies’ electronic and information technology be accessible to people with disabilities.  While most web sites are designed for persons with disabilities to access them regardless of limitation, the same cannot be said of the huge number of available plug-ins.  The W3C has compiled a list of guidelines and standards that a website should meet for ADA compliance.  Click HERE for more information.

CONTROLLING THE ASSAULT OF NON-SOLICITED PORNOGRAPHY AND MARKETING ACT OF 2003 (“CAN-SPAM”) [15 U.S.C. Sec. 7701-7713]:  Establishes the U.S.’s first national standards for the sending of commercial e-mail.  The success of the act has been debated, and the anti-spam activists commonly refer to it as the YOU-CAN-SPAM law because it doesn’t require the e-mailers to get permission before they send marketing messages.  There are also state versions (e.g. VA) of the Federal CAN-SPAM law.  At least the law opened the door for the big providers like AOL, Earthlink and Microsoft to sue the biggest spammers (like Sanford Wallace, the “Spam King” - 16 yrs in prison + $2 million fines; plus Facebook’s $711 million judgment!).

FISMAThe Federal Information Security Management Act of 2002, a federal law enacted as part of the Electronic Government Act of 2002, the purpose of which is to protect government information, operations and assets against natural or manmade threats.

REVISIONS TO FEDERAL RULES OF CIVIL PROCEDURE REGARDING DISCOVERY OF ELECTRONIC MEDIA RECORDS [E-DISCOVERY]: 2006 Revisions to Rules 16,26,33,34,37 of FRCP Discovery Provisions:  You should be aware of these provisions, which govern cases filed after 12/06.  Essentially these rules say that businesses must be able to quickly find data when required by the federal court in litigation.  That means that every electronic document - - including e-mails, instant messages, financial documents, computer logs, voice mail and all text and graphical documents -- must be easily retrievable.  As the result of the Stored Communications Act, a part of the Electronic Communications Privacy Act of 1986 (“ECPA”), above,  (way before the concept of “cloud” storage), you may discover that your “cloud” service provider may not be particularly cooperative, useful or even obligated to help you retrieve your stored data or return it to you, so be very choosy in setting up your cloud data storage and backup.  Also, any scheduled destruction may be the subject of a “Litigation Hold Order” issued by a court.  Enterprises must also be able to show that they have a repeatable, predictable system in place to handle (maintain, archive, retrieve, restore) this data, including a data recovery system in the event of loss or failure.  Note that case law allows the use of an “adverse inference” instruction if a party fails to produce requested e-mails.  This can be quite expensive:  Ask Morgan Stanley, which (originally) had to pay investor Ron Perelman a total of $1.45 billion due to their failure to provide requested e-mails pertinent to the suit.  Or ask the Office of Federal Housing Enterprise Oversight how it spent 9% ($6 million) of its 2009 budget complying with an e-discovery order from the D.C. Court of Appeals.  If you are a business of any size, you should immediately consider developing a Legal Response Plan, which means preserving any information that’s pertinent to litigation, audits or investigations.  You must identify relevant time ranges, people and the location of the relevant data so that you can separate it from everything else.  Also, eliminate all useless data, you are permitted to do this.  FRCP 37(e) recognizes that data destruction is a routine part of standard IT operations and that relevant documents might be destroyed during that process without any malicious intent.  Even if you can’t produce every relevant document, good and responsible preparation for e-discovery will be sufficient for most judges.  They’re not necessarily interested in perfection, just a reasonable plan which has been followed.  For more see FAQ #37.For a discussion about the dangers of texting and e-mailing and how they may be used in investigation and litigation, see the discussion in SOCIAL NETWORKING.  UPDATE:  In early 2015 the Dept. of Justice set in motion a proposal to change Rule 41 of the FRCP which governs how judges issue search warrants on electronic devices.  Under the updated rule, the FBI could obtain blanket wrrants entitling it to to remotely examine computers located anywhere without specific justification and without being required to provide users notice of its searches.  The current rule lets judges approve warrants only for specific material within their judicial district.  Privacy groups like EPIC and others like Google strongly oppose the revisions.

REVISIONS TO 41 OF THE FEDERAL RULES OF CRIMINAL PROCEDURE: Effective 12/8/16, this change will allow federal investigators to seek permission from a magistrate judge to plant hacking software on a computer that is disguising its location. Such “hacking” allows prosecutors to use this tool to identify suspects in financial crimes and child porn cases, who typically use anonymizing tools to hide their computer’s IP addresses.  The rule allows investigators to use a single warrant to access the computers of hacking victims in some cases.

SARBANES-OXLEY ACT OF 2002, a/k/a the Public Company Accounting Reform and Investor Protection Act of 2002:  In response to various well publicized scandals such as Enron, Tyco and Worldcomm, congress passed this law, and following regulations (e.g. SAS 70 Type I and II Certifications) which apply to U.S. public (not private) companies, their boards, management and public accounting firms.  The law establishes policies for internal corporate control of data, including storage and electronic media protection. If you think you are within the purview of SarBox, call us to develop procedures for you.

U.S. PATRIOT ACT (Stands for Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (P.L. 107-56):   This Act, passed in response to 9/11, increases the ability of U.S. law enforcement agencies to search telephone and e-mail communications, among other things.  Click HERE for more about it’s effect (Sec. 215) on the 4th Amendment and NSLs (see discussion in the Privacy section of this site and above).  Related is the Foreign Intelligence Surveillance Act, passed after the 2005 disclosure of the Bush administration’s secret program to wiretap international communications of people inside the U.S. without obtaining court warrants (see Privacy, above).  This act was amended in 2008 to retroactively grant U.S. companies immunity from being sued by their customers as a result of warrantless wiretaps and providing information to the government without the users’ consent.  On August 5, 2007, the Protect America Act added to FISA by extending the government’s (warrantless) surveillance powers against foreign intelligence agents inside the U.S.  The FISA Amendments Act in 2008 reauthorized the PAA into Title VII of FISA.  In February, 2013, the U.S. Supreme Court (Clapper v. Amnesty International, No. 11-1025) turned back a challenge to FISA on the grounds that the advocates could not show that they had been harmed by the law, that future harm was too speculative to prove, and that therefore the journalists, human rights activists and lawyers had no standing to bring the suit.  On June 1, 2015, Section 215 of the Act expired, putting some (temporary) restriction on the NSA’s bulk collection of metadata from U.S. Citizens, ending the governmant’s bulk collection of phone records.  But two days later, Congress passed the USA Freedom Act, below.

CLICK TO GO BACK TO INDEX...

USA Freedom Act: On June 2, 2015, Congress passed the USA Freedom Act by a 67-32 vote, the first legislative overhaul since the Snowden revelations about bulk data collection.  It places some curbs on the collection, specifically by mandating a 6 month transition to a system in which call data would remain in private company hands but could be searched on a case-by-case basis under a court order.

Health Insurance Portability and Accountability Act [P.L. 104-191] (“HIPAA”):  Under this law, health information may not be disclosed without a patient’s express written consent unless it is necessary to administer benefits, payment or health careAll healthcare providers (including doctors, dentists, nurses, hospitals, mental health providers, rest homes, nurse assistants, paramedics, etc.) must comply with this Federal law, passed in 1996.  Moreover, it applies to both “covered entities (health insurance companies, HMOs, company health plans, etc.) as well as their business associates, i.e. those vendors or subcontractors who have access to PHIs (“protected health information”) who may not even be in the healthcare industry, such as an all-flash storage company or medical transportation provider.  Further, providers must regularly disclose their privacy practices to their patients, have a designated security or privacy Officer and conduct annual risk analysis assessments, among other requirements.  Click HERE for the HHS guidelines.  Showing how far this reaches:  In an landmark case in late February, 2014, the U.S. Court of Appeals for the Eleventh Circuit, reversing U.S. District Court for the Southern District of Florida was the first court to allow damages to consumers in a class action against a company (AvMed) for data breaches absent proof of actual damages.  Traditionally, such class-action lawsuits are dismissed because of the speculative nature of the damages, but the USCA allowed the claims (and remanded) primarily on the grounds of unjust enrichment against the Florida-based health insurer, approving a $3 million settlement plus additional compensation to those customers who could prove actual direct damages.  You’ve got to be very careful to see if you or are your actions are covered by the law:  In this time of constant sharing of all types of personal information, the NY Times published an article describing how a pediatrician (Mark V. Sauer of Manhattan) had to remove a wall of (unidentified) baby photos from his waiting room in order to comply with the law. 

Health Information Technology for Economic and Clinical Health Act (“HITECH”):  This act, effective February, 2010, expands the security and privacy provisions of HIPAA to encompass “business associates” such as a billing company or cloud provider and strengthens enforcement, penalties and audits. It was passed as part of the Federal stimulus package, and requires hospitals and health care providers to comply with the “meaningful use” requirements, i.e. they must validate a meaningful use for the electronic records (“EMRs”) or they will not receive the stimulus funds, outpatient physicians receiving up to $44,000 from Medicare and $63,000 from Medicaid if they meet requirements.  Not to be confused with the much abused Patient Protection and Affordable Care Act of 2010 (dubbed “Obamacare”) upheld by the U.S. Supreme Court in 2012, which also provides incentives for doctors to keep patients healthy and use EMRs.

Gramm-Leach-Billey ActAlso known as the Financial Modernization Act of 1999:  Includes provisions to protect consumers’ personal financial information held by financial institutions; three principal parts to the privacy requirements are the Financial Privacy Rule, the Safeguards Rule, and pretexting provisions (prohibiting the access of private financial information using false pretenses).  Also requires banks to provide written privacy notices.

PCI Data Security StandardsApplicable to those organizations processing credit, debit and cash card transactions to protect cardholders against misuse of their personal information.  See the Glossary for additional information.

Federal Information Processing Standards (“FIPS”): These are issued by the National Bureau of Standards, Computer Systems Laboratory and specifies standards and procedures for document processing, encryption and other tasks for use within government agencies or by those interfacing with those agencies through computers.  There are also similar standards for some states as well.

KYC: Stands for “Know Your Customer”.  This refers to the enhanced due diligence (so-called “EDD”) and bank regulation that financial institutions and others must perform to identify their customers and ascertain relevant financial information about them.  It is typically a policy implemented to conform to a customer identification program mandated under the Bank Secrecy Act and the Patriot Act.

U.S. Federal Trade Commission “Red Flag” RulesAccording to the FTC, companies are now on the hook for their business dealings, even small or internet companies, should what they sell be used for criminal or terrorist activities or identity theft.  The punishments include six-figure fines and even jail time.  The new standard is known as the FTC’s “Red Flag” rules (implementing sections 114 and 315 of the Fair & Accurate Credit Transactions Act (“FACT”) of 2003), which went into law on December 31, 2010.  The rules require businesses to develop, implement and update a program (and train its employees to use it) that will identify potential identity theft through suspicious activities.  The patterns of suspicious activities are called “red flags”.  Since small businesses are most likely to be unaware of these rules or have the ability to implement the required programs, they could be a frequent target by criminals.  If your business involves any type of financing, advances or credit for your customers “in the regular and ordinary course of business,” you must check out the requirements for these rules.  If, for example, you finance a vehicle, or a computer perhaps, that is used later in a crime, you could be held liable if you should have known of a “red flag” that would have required you to report the transaction to the Government.  For more information about who the law applies to and how to comply, click HERE for more information from the FTC.

Congress has passed and the President has signed a law titled “The Internet Tax Freedom Act Amendment of 2007:  This law extends the present ban on certain Internet taxes for another seven years.  It prohibits state and local governments from imposing taxes on Internet access services, and also on independent e-mail and instant messaging services.  This does NOT, however, prohibit SALES taxes on Internet service or on purchases of goods sold over the Internet, which you are already paying in many states (e.g. New York, as of 6/1/08).  For more see LINK below.  NOTE:  On December 12,2016 the U.S. Supreme Court rejected a case that could ultimately result in states collecting billions of dollars in sales taxes lost to those increasingly popular internet retailers, a/k/a The Amazon Tax.  Although previous laws and a 1992 Supreme Court decision holds that retailers must have a physical presence in a state before officials may make them collect sales tax, this decision is that Colorado and inferentially other states (Louisiana, Oklahoma and Vermont) which have laws which requires sellers to notify customers and the state how much they owe in taxes, now have a green light to proceed with tax collection.  While the Supreme Court didn’t specifically endorse the Colorado law, they didn’t strike it down, either. But this is a reporting law, requiring online retailers to notify customers to pay sales tax and report purchases to the state, but not to collect those taxes and turn them over to the state. Click HERE for a state guide to internet sales taxes.

NET NEUTRALITY:  This definition got so large and filled with history that it merits is own page, so click HERE for the full discussion...

RESTRICTIONS ON ISPs USE OF USERS’ INFORMATION:  Related to the above, the FCC, in a 3-2 vote on 10/27/16, adopted privacy rules requiring that fixed and mobile broadband providers obtain users’ (“opt in”) permission to access their web browsing history, app usage, health & financial information, geolocation info, children’s info and the content of online communications. Of course, these rules will only be effective 1 yr after publishing in the Federal Register, by the end of the year.

If you travel with your laptop, you might want to be sure that you don’t have anything on it that may hurt you, even if it’s got nothing to do with terrorism.  You might think that the luggage inspector can only look to see if the laptop is, in fact, a computer and not a bomb, but that’s not all.  According to the 9th Circuit Court of Appeals, customs agents can search your laptop on what amounts to nothing more than a whim, because a laptop is no different to them from a suitcase.  In 2013, U.S. District Court Judge Edward R. Korman of N.Y. ruled that the government does not need reasonable suspicion to examine or confiscate a traveler’s electronic devices.  The Fourth Amendment to the Constitution does not, in the Court’s view, require customs agents to have reasonable suspicion before searching the contents of laptops or other digital devices.  Ask Michael Timothy Arnold, a 43 year old California resident facing charges of transporting child pornography after customs officials seized his laptop at LAX and examined the contents of his laptop hard drive for no particular reason.  Now, I’m not condoning child pornography and certainly not terrorism; but I do question the apparent  and growing lack of constitutional rights guaranteed our citizens.  Also, recent changes to U.S. Customs & Border Protection regulations allows officers to seize, examine and destroy electronic devices (cell phones, laptops, disks, drives, etc.) For links to Transportation Safety Administration guides to laptops, click HERE.  See also, Tip #26 for more.

In addition to federal statutes, you should be aware of state laws (e.g. Florida, Illinois, Washington, Alaska) applicable to computers.  For example, many states have criminal laws prohibiting accessing any computer or network without the owner’s permission.  The penalties range from misdemeanor to first degree felony (on a par with murder), and depend upon the action taken by the trespasser (intention, benefit, harm, defrauding, etc.).  Most states require “scienter,” i.e. knowledge that you are connecting to someone else’s computer.  So, if your computer accidentally connects to another wireless network without your knowledge, you’re o.k.  But if you intentionally hack into their wireless network, even if it’s unsecured, you could be convicted.  See FAQs for more on this.

Some states also have enacted laws making it a crime to possess a “criminal instrument” or the “tool of a crime”.  If you are involved with the use of a computer or a network that later becomes involved in the commission of a crime, you may be prosecuted.  Right here in Florida, I was once questioned by the police about a computer which I had sold to a customer who then used it to embezzle funds from her boss.  Of course, nothing happened to me, but I was still questioned.

And then there’s “CyberStalking” and “CyberBullying” laws. 

Cyberstalking:  In the U.S., these laws are left to the states as there are as yet no comprehensive Federal statutes, although there are some Federal laws which provide tools to combat cyberstalking. For example, under 18 U.S.C. 875(c), it is a federal crime, punishable by up to five years in prison and a fine of up to $250,000, to transmit any communication in interstate or foreign commerce containing a threat to injure the person of another. It applies to any communication actually transmitted in interstate or foreign commerce - thus it includes threats transmitted in interstate or foreign commerce via the telephone, e-mail, beepers, or the Internet.  But there are shortcomings:  It is construed to apply only to communications of actual threats; thus it does not apply in a situation where a cyberstalker engages in a pattern of conduct intended to harass or annoy another (absent some threat). Also, it is not clear that it would apply to situations where a person harasses or terrorizes another by posting messages on a bulletin board or in a chat room encouraging others to harass or annoy another person.

Certain forms of cyberstalking also may be prosecuted under 47 U.S.C. 223. One provision of this statute makes it a federal crime, punishable by up to two years in prison, to use a telephone or telecommunications device to annoy, abuse, harass, or threaten any person at the called number. The statute also requires that the perpetrator not reveal his or her name. See 47 U.S.C. 223(a)(1)(C). Although this statute is broader than 18 U.S.C. 875 -- in that it covers both threats and harassment -- Section 223 applies only to direct communications between the perpetrator and the victim. Thus, it would not reach a cyberstalking situation where a person harasses or terrorizes another person by posting messages on a bulletin board or in a chat room encouraging others to harass or annoy another person. Moreover, Section 223 is only a misdemeanor, punishable by not more than two years in prison.

The Interstate Stalking Act, signed into law by President Clinton in 1996, makes it a crime for any person to travel across state lines with the intent to injure or harass another person and, in the course thereof, places that person or a member of that person's family in a reasonable fear of death or serious bodily injury. See 18 U.S.C. 2261A. Although a number of serious stalking cases have been prosecuted under Section 2261A, the requirement that the stalker physically travel across state lines makes it largely inapplicable to cyberstalking cases.

Finally, President Clinton signed a bill into law in October 1998 that protects children against online stalking. The statute, 18 U.S.C. 2425, makes it a federal crime to use any means of interstate or foreign commerce (such as a telephone line or the Internet) to knowingly communicate with any person with intent to solicit or entice a child into unlawful sexual activity. While this new statute provides important protections for children, it does not reach harassing phone calls to minors absent a showing of intent to entice or solicit the child for illicit sexual purposes.

As a result of some degree of federal inaction on the subject, many states have found it necessary to pass their own laws, mindful of those who have abused modern technology to stalk others. (Click HERE for a listing of statutes.) Connecticut considers harassment a felony, depending on the severity of the threats, and includes not only in-person contact, but also contact via the Internet, social media and telephone.  And the language, you should be aware, is often very broad.  It may be a crime to send a message via e-mail or other computerized communication system (Instant Messenger, Web chat, IRC, etc.) that uses obscene, lewd, or profane language with the intent to frighten, intimidate, threaten, abuse or harass another person.  You might want to watch out what you say in your angry communications to companies, dissatisfaction with help desks, flaming discussions in chat rooms, etc., as you may get more than you bargained for in return. 

When it comes to cyberbullying, the toughest Antibullying Bill of Rights (2011), that of New Jersey, requires that all public schools adopt comprehensive antibullying policies (some 18 pages of “required components,” increase staff training and adhere to tight deadlines for reporting episodes).  This was the direct result of the suicide of Rutgers University freshman Tyler Clementi (see above, at Privacy legislation.)  Forty-nine states in the U.S. (Georgia being the first in 1999, Montana and Colorado the exceptions) have enacted school anti-bullying statutes, but not all of them can be applied to cyberbullying (Click HERE for the listing).  In the State of Florida, where we are located, there is a bullying law named after Jeffrey Johnson, a teenage “techno geek” who was bullied for two years before hanging himself in his closet at age 15.  Amended July 1, 2013 to cover cyberbullying, the law leaves punishment to schools, but law enforcement free to seek more traditional charges.  The law evidently didn’t help Rebecca Sedwick of Lakeland, Florida, the 12 year old who killed herself after being bullied by Guadalupe Shaw (14) and Katelyn Roman (12), as attorney Jose Baez easily got the charges dismissed against them.  Still, prosecutions are rare.  For example, in the aftermath of the Connecticut elementary school shootings in December, 2012, social media messages about the shootings, including one posing as the (dead) shooter, probably won’t be prosecuted, although they were in terribly bad taste.  However, in the U.K., in October, 2012, a man was sentenced to 12 weeks in jail for posting what the judge called “despicable” comments on a Facebook page about a missing 5 yr. old girl.  And A Missouri woman was convicted in 2008 after she created a fake MySpace profile to befriend and then abandon a 13 yr. old neighbor girl, leading the girl to hang herself.  A Toronto man was arrested and charged with criminal harassment after sending a woman a continuing series of offensive Twitter messages.  In this country, at least, the difference between free speech (however offensive) and criminal conduct appears to be whether the memes, tweets or posts cross the line from disgustingly bad taste to threatening.  But often the identification of the perpetrators is difficult and the victim must also have saved the evidence.

CYBERSECURITY LAWS46 states have passed some sort of cybersecurity law protecting personal data.  Apparently, this issue will be left to the states.  In an effort to unify these laws, the Federal government had proposed the Personal Data Privacy and Security Act of 2009.  In December, 2009, the bill was approved by the U.S. Senate Judiciary Committee, but never came up for debate and therefore never became law.  The Act called for government and private entities to follow stricter rules for protecting sensitive and personally identifiable information.  Entities would have had to execute detailed risk assessments and susceptibility tests, and be required to implement safer approaches to accessing sensitive data, detecting and recording illegal access to the data, and protecting data at all times. Once again, Congress didn’t get enough votes to pass the Cybersecurity Act of 2012, which would have established voluntary security standards for certain businesses deemed critical to the nation’s infrastructure, citing concerns about privacy and giving too much power to Homeland Security.  In any event, don’t expect any privacy laws to apply to the Government, which is pretty much exempt from penalties against snooping on the Internet, which it regards as a public domain (see immediately below).  For further discussion, see Social Networking; also Echelon, Carnivore, Prism, Privacy, How the  NSA Does It, Are You Being Watched?         

Communications Assistance for Law Enforcement Act of 1994 [and related regulations issued by the Federal Communications Commission]:  Telecommunications, information and internet service providers must provide a means (a so-called “back door”) for U.S. federal agencies, usually the FBI, to view the ostensibly private data of their subscribers when lawfully ordered to do so.  Notice the trouble that RIM, the Canadian company that manufactures Blackberry smart phones, got into in 2010, when the United Arab Emirates banned the phone service in that group of countries because RIM refused to modify its information architecture in such a way that would enable UAE authorities to intercept the communications of select subscribers.  The federal government also has the means to lawfully intercept and monitor real-time and stored electronic data as part of its counter-terrorism policy, in ways that are not explained to the public for obvious reasons.  The Obama administration, through federal law enforcement and national security officials, are preparing to seek sweeping new regulations for the Internet, arguing that their ability to wiretap criminal and terrorism suspects is “going dark” as people increasingly communicate online instead of by telephone.  Officials want Congress to mandate that all services that enable communications (including encrypted e-mail transmitters such as BlackBerry, social networking sites such as FaceBook and direct peer-to-peer messaging such as Skype) be technically capable of complying if served with a wiretap order, so that they will immediately able to intercept and unscramble encrypted messages.  This bill should be submitted to Congress in 2013, so stay posted.

If you are using your computer for telemarketing because of the low cost and availability of so-called robocallingsoftware, you should be aware of the FTCs new TSR (“Telemarketing Sales Rules”), effective 9/1/09, prohibiting such calls without express written permission, at a penalty of $16,000 per call.  In 1991, it was codified into the Telephone Consumer Protection Act. Think twice before using this type of marketing unless you fall under one of the exceptions.  The rules can be found at http://www2.ftc.gov/opa/2008/08/tsr.shtm.  For more see TELEPHONE.  Also Opinion.  It hasn’t been particularly effective in stopping unwanted solicitations.  UPDATE: In 2014, Sprint agreed to pay $7.5 million (on top of $400 million in 2012) in the largest Do Not Call list settlement so far, for making unwanted telemarketing calls and sending texts to consumers.  UPDATE: July, 2015, NY court awarded woman $230,000 for 153 Time-Warner robocalls.  UPDATE 7/5/2016: The FTC ruled that government employees and any contractors working on their behalf (e.g. congressional fund raising in the guise of  surveys, debt collectors for student loans) are free to robo-call sincethey aren’t a “person” under the law and are therefore exempt.

And while we’re discussing state laws, be aware of some states (such as California) that have passed so-called Security Breach Disclosure Laws, requiring any company doing business in the state to notify their California customers if they discover or suspect that nonencrypted data about them has been accessed without authorization.  This applies even if the company is physically outside of California, or is a small business.

ICE NoticeWinding its way through Congress is the Combating Online Infringements and Counterfeits Act (“COICA”), introduced by Senator Patrick Leahy (D-VT) on 9/10/10 which would allow the Government to shut down Internet sites which are “dedicated to infringing activities”.  Already, Immigration and Customs Enforcement (“ICE” - a division of the Dept. of Homeland Security) has seized and blocked several web addresses of sites known to facilitate illegal file sharing.  Browsers would see the page shown to the left.  Among the domains already seized were torrent-finder, and music sites onsmash, rapgodfathers and dajazi.  Of course the Recording Industries Association (“RIA”) and the Center for Copyright Information (“CCI”) have been behind this push and, predictably, opponents have claimed that the bill is Internet censorship and could affect sites which legitimately allow file sharing for other purposes.  The bill has passed the Senate already.  UPDATE:  The bill passed the Senate Judiciary Committee with a 19-0 vote but was blocked in the house. The Act has since been rewritten as the Protect IP Act (above), which has also been the subject of controversy, stalling the legislation.

FEDERAL AND STATE ELECTRONICS RECYCLING LAWS:  You should be aware that, as of 2010, 23 states and several individual cities have enacted electronic waste laws which dictate electronics disposal methods, controlling how manufacturers recycle and dispose of electronic waste, and also limiting how and where consumers may dispose of their electronics.  If you’re looking for an electronics recycler, look for an e-Stewards certified electronics recycler, which assures that it complies with all environmental mandates for electronics recycling.  For a somewhat up-to-date listing of the laws by state, click HERE to view the compilation by the Electronics Takeback Coalition.

Credit Card and Consumer Warranty Laws:  Just because your computer equipment, camera or other hardware dies just after the manufacturer’s warranty expires doesn’t always mean that you’re completely out of luck.  Don’t forget to check your credit card warranty provisions.  In many cases, if you purchased the product with a credit card, you automatically get the added benefit of an extended warranty, in some cases double the original warranty.   Also, many jurisdictions (Maine, for example) have “implied” warranties that may take precedence over the manufacturer’s warranty, stating that the article must be usable for the purpose intended for the length of time most such articles are useful.  Check HERE for a list of consumer protection offices.

Software Compliance AuditsAudits for contractual compliance by software providers as well as government audits for compliance with Sarbanes-Oxley and other laws and regulations, in addition to specific security requirements for companies awarded federal, state and local contracts can open your organization up to audits substantiating your company’s compliance in choosing, purchasing and operating various software.  Whether you are a small or a large business, the challenges and threats are essentially the same; non-compliance can subject administrators to personal liability, meaning fines, confiscated assets or even jail time if they knowingly have unlicensed software on their network.  Staying compliant with software licensing agreements is a must, given the prevalence of software and the ever-increasing complexity of IT infrastructures (virtualization, for example) and licensing agreements.  A combination of automated discovery technology, good policies and procedures and lots of oversight are imperative.  A dated spreadsheet just won’t survive an audit. For an understanding of compliance terms, click HERE.  We recommend, and implement, an external annual audit combined with an automated discovery tool to identify where software is installed in the enterprise, and a central source for all hard-copy information.  Call us for further information.

A NOTE ABOUT “COMPUTER FORENSICS”:  Electronic records have now reached the mainstream of the law, as shown by the revisions to the Federal Rules of Civil Procedure (see above).  You can no longer plead ignorance of your electronic, computer and e-mail records when faced with a dispute or litigation.  Associated with this trend is the field of “computer forensics,” the investigation of digital evidence.  Forensic investigators are professionals who ensure that evidence will be admissible in court, for defense or the assertion of claims.  If you have computer records that might be evidence in a court proceeding or other dispute (e.g. mediation), you must secure the evidence and preserve a dated digital copy, keep a manifest log of those who have handled the records, and provide a chain of custody for the media to prove that there was no tampering or alteration of the media or the data within.  It’s no surprise, then, that many of the SaaS vendors [e.g. Message One (Dell) and Postini (Google)] are offering e-mail archiving and search capabilities. For more about digital forensics, click HERE. With our legal background and experience, we are uniquely capable of assisting you with this protection, but you must call immediately, before data is compromised, otherwise it may be inadmissible! If you’re on the receiving end of a lawsuit, you could be charged with obstruction, also quite unpleasant.   [Of course, it’s always a good idea to plan ahead, and have a data archive and disaster recovery plan in place before litigation, and we can help you with this as well.]

WHY LAWSUITS ARISE AND HOW TO AVOID THEMOur court system is filled with disputes about computer hardware, software and systems that allegedly don’t perform as required (or at least up to customers’ expectations).  Why?  The single largest cause by far is that the parties to these disputes don’t read the contract between them, as it is solely that written agreement which codifies and controls the relationship between the parties and the promises and obligations between them. Not the pre-contract discussions, not the sales team’s representations, not the software vendor’s sales literature, it is the contract which finalizes and supersedes all of these negotiations and representations.  That is, none of the previous statements, whether oral or in writing, survive (at least unless there is a material ambiguity).  The contract even says so in virtually every case.  In my experience as both a litigator and an IT expert, I have found that, because the vendors are trying to sell their system by often telling the customers whatever they want to hear (leaving it to the poor souls in technical support to resolve specific “issues” later) and, conversely, because the customers are hearing what the reps are telling them while all the time trying to superimpose their own particular business demands on the software, the “meeting of the minds” that is supposed to result in a binding written contract really never occurs.  And the contract that does result is, as always, skewed in favor or the vendor, not the customer.  Contracts, as a whole, are drafted in a negative way, that is to favor the drafter, in this case the vendor, in the event of any possible disputes that may later result between the parties.  They are almost always “contracts of adhesion,” meaning that the customer doesn’t get to change any important terms in the agreement, and is forced to accept a take-it-or-leave-it deal.  Whether it is a loan agreement, real estate lease or software contract, it will almost always favor the vendor, not the customer.  Add to this the natural reluctance of many customers to consult attorneys to review contracts (mostly because of cost and sometimes because business owners believe that because they know their own business they are qualified to act as their own attorneys) and you have a predetermined disaster when the parties’ expectations are not met.  If the purchasers of computer software would think to ask who owns the underlying code for privately developed software (usually the vendor, not the customer) or how changes to the baseline are made and priced or how the sub-vendors licenses fit with the provider’s own licenses, or the responsibilities of the customer (yes there are some - e.g. sufficient electrical power or memory), down-the-road issues could be avoided. (Click HERE for more discussion about EULAs and IoT softeware.) Lawyers have a saying: “When all else fails, read the contract, stupid!”  Hopefully before you sign itIf you have any doubts about IT contracts, call us for a review and advice before you sign it...It could save you time, money and frustration later.

CLICK TO GO BACK TO INDEX...

IS SEXTING ILLEGAL?  No, not always.  For example, two adults sending each other naughty photos or using sexual language, not illegal at all.  It’s protected speech under the 1st Amendment.  But when sexually explicit content includes a participant who is under 18 years of age, state child pornography laws may apply.  Take the case of the boys in Chinook Middle School in Lacey, Washington who in 2011 circulated the photo of a naked 14 year old female student, posted by the boyfriend who just broke up with her.  They were all charged with child pornography, although later the charges were dropped to a telephone harassment misdemeanor charge with a lengthy probation involving student education of the dangers of sexting.  Although the girl in the photo wasn’t charged (the D.A. reasoned that she was a victim), the incident has caused her continuous pain even after she changed schools, as the Internet follows us everywhere.  It also illustrated the fact that parents had little idea about what their children were doing with their cellphones and that it might have been illegal or harmful.  Girls, by the way, are much more often the victim of forwarded sexts because boys are far more likely to forward sexts to their friends than girls are of their boyfriends.  UPDATE: As of 2013, at least 14 states have enacted anti-sexting laws and more are pending, click HERE for more.  Depending on the state, even teens convicted of  the mere possession of child pornography may face a mandatory minimum 3 year sentence (e.g. Wisconsin), although in some states (like Texas), judges have some discretion to fashion other sentences, like making the charge a misdemeanor or requiring community service for the first offense.  Either way, the mark of possession of child pornography or its distribution will result in a negative effect on teens’ records for life.  The fact that the sexting was between one consenting teen and another is irrelevant, despite what teens may think.  The Cyberbullying Research Center reports that while some 11 states (as of 2016) have legislated charges as misdemeanors, some states (like Colorado) still impose child pornography convictions, which many consider rather harsh.

THE TRUTH IN CALLER ID ACT OF 2009 [47 U.S.C. Sec. 227(e)(1)]:  Signed into law on December 22, 2009, this law amends the Communications Act of 1934 to prohibit manipulation (“spoofing”) of caller identification information for purposes of defrauding or otherwise causing harm.  (H.R. 1258, the House version originally proposed, simply made all caller spoofing illegal.  This was scaled back to “intent to defraud” in S.30 after heavy robocalling industry lobbying and then adopted that way.  Talk about “neutering” a law - who’s going to admit to their own fraudulent intention and how do you prove it otherwise?)  There are some exceptions, such as for law enforcement, medical communications and women’s shelters, where confidentiality and privacy allow the hiding of legitimate telephone numbers for public protection.  The FTC adopted rules implementing the Act, which subjects violators to penalties of $10,000 per incident and up to $1 million for repeated violations.  (Like other laws, I didn’t find any prosecutions here, what’s the point?) In 2016, changes to the law were proposed by the FCC for the protection of consumers, but nothing has been adopted yet.

IS THERE GOING TO BE AN INTERNET SALES TAX?  A federal internet sales tax has been talked about for years and proposed in Congress more than once.  It’s inevitable that some version will pass, probably soon.  Although the U.S. Supreme Court ruled in 1992 (Quill Corp. v. North Dakota) and National Bellas Hess v. Illinois (1967) that online retailers are exempt from having to charge sales tax in states where they don’t have a physical store or warehouse, the establishment of internet retailing as such a major market force has changed the game.  And no state wants to be the first to drive away businesses, so until a fair tax regulation comes about, it won’t happen.  Usually, states collect sales taxes in those states where a company is incorporated or has some sort of “nexus,” such as offices, sales teams or a warehouse.  If not, they’re supposed to collect a “use” tax, directly from the customer, but that’s hardly ever done.  But in the internet age, these distinctions don’t really work.  The old system of taxing a real-world exchange of tangible goods as opposed to the exchange of goods in a cyberspace marketplace that exists both everywhere and nowhere is more than difficult, and has resulted in states crafting tax regulations that don’t work or don’t work fairly.  Add to this the concept of cloud computing, where a company may no longer transact business through its own server computer in it’s own home office location, but through leased equipment somewhere inside or outside of the country (or, worse, in varying locations at various times, caused by it’s vendor’s “load balancing”), drop-shipping of goods from outside the country, or even the purchase of a company which may have existing tax obligations in other states where the purchaser didn’t do business, and you can get some idea of the problems to be solved.  Some of the larger companies such as Amazon, Verizon and Apple have been pushing the Fed for a limitation on the states’ authority to tax the cloud, but that hasn’t happened either.  As the amount of lost revenue increases (estimated at $454 billion), that day will come sooner.    UPDATE:  On 5/6/13 the Senate voted to pass “internet sales tax bill,” named the Marketplace Fairness Act of 2013. (S. 743)  It must go to the House for passage next before submittion to the President.  This is the third time this legislation has been proposed and it seems unlikely that it will be passed this term either.  The proposed legislation would require online retailers to collect sales tax on their wares in all states, not just where they have offices or warehouses.  But it contains a threshold that might make the law more palatable to small businesses, a key negative in previous proposals.  It would apply only to any online store grossing sales over $1 million annually the previous year.  After that, the retailers would have to remit taxes to those states where their goods are sold at the rates required of brick-and-mortar retailers in those jurisdictions.  So, in effect, we would be back to the states again, with all their differences and variations.  It is unsure how know how the law would deal with states like NH which have no sales tax.  I guess there wouldn’t be any tax in those states because the playing field would already be level between brick-and-mortar and internet stores. Also, on 7/15/14, Sen. Michael Enzy (R-WY) introduced S/ 2609, A Bill to Restore States’ Sovereign Rights to Enforce State and Local Sales and Use Tax Laws. INTERNET ACCESS TAXES: There is a moratorium, first enacted in 1998, which prevents state and local governments from taxing access to the Internet.  It does not, however, apply to those jurisdictions which had already enacted such taxes, usually added to customers’ telephone bills.  They are:  Hawaii, New Mexico, N. Dakota, S.Dakota, Ohio, Texas and Wisconsin.  In July, 2014, the House voted to make the moratorium permanent and, in addition, prevent these states from collecting taxes any longer.  Decemer 2016 Update: Click HERE for more...

MANUAL ON INTERNATIONAL LAW APPLICABLE TO CYBER WARFARE: On March 12, 2013, James R. Clapper, Jr., the Director of National Intelligence, told a Senate panel that the threat of cyberattacks was now more pressing than the risk of an attack by global terrorist networks.  Leon Panetta has previously stated that the next Pearl Harbor will be a cyberattack.  After the Stuxnet, Duqu and Flame virus attacks and the admitted hacking into U.S. companies and the Government by the Chinese, the concept of cyber attacks became became reality, and the important question has now become what sort of cyberattacks are the equivalent of a traditional armed attack, i.e. war. In February, 2014, South Korea openly admitted that it was developing a Stuxnet type virus for cyberwarfare against North Korea’s nuclear threat.  In an effort to define the answer to that question, after a three year effort, a group of experts in international law and armed conflicts is publishing the MILCW (Manual on International Law Applicable to Cyber Warfare), nicknamed the “Tallinn Manual” because of its sponsorship by the NATO Cooperative Cyber Defense Center of Excellence situated in Tallinn, Estonia (where the “CyCon” [Nato-sponsored cyberconflict conference] is held each year).  This manual is a nonbinding but authoritative restatement of the law of armed conflict as it relates to cyberwar.  That is, the Tallinn Manual is not an official document, but instead an expression of opinions of a group of independent experts acting solely in their personal capacity.  It does not represent the views of the Centre of Excellence in Tallinn, Estonia, any sponsoring nations or states, or NATO.  It is also not meant to reflect NATO doctrine.  The Tallinn Manual pays particular attention to the jus ad bellum, the international law governing the resort to force by States as an instrument of their national policy, and the jus in bello, the international law regulating the conduct of armed conflict (also labeled the law of war, the law of armed conflict, or international humanitarian law).  Related bodies of international law, such as the law of State responsibility and the law of the sea, are dealt within the context of these topics. The overview of the manual is self-explanatory:  “Cyber incidents of the past years as well as the continuous speculation around potential future cyber catastrophes and cyber wars have repeatedly emphasized the need for a revised interpretation of existing law, be it national security law, criminal law, or as in this case, international law. Jus ad bellum (international law governing the use of force) and jus in bello (international humanitarian law) were not developed, having regard to contemporary security threats, including advanced cyber capabilities. Therefore, it is evident that a great need exists for a professional interpretation of the conventions and treaties of the previous centuries in order to demonstrate if and how they can be applied to the modern cyber conflict.  The objective of this Manual is to develop authoritative reference on the international law applicable to cyber conflict. The Manual is meant to address all legal issues deriving from the jus ad bellum and the jus in bello. In addition, it examines related issues such as sovereignty, state responsibility and neutrality.“ It is published in paper and electronic versions by Cambridge Press.  Click HERE for info about the Internet’s “reset” switch.

APPLE VS. SAMSUNG PATENT DECISION BATTLE:  The Apple v. Samsung saga began in April 2011, when Apple accused Samsung of "slavishly" copying the iPhone and iPad. Samsung replied by counter-suing Apple, accusing the Cupertino company of infringing on its software patents. On August 24, 2012, a California Federal court jury decided that Samsung had infringed on a series of Apple’s patents on mobile devices (such as double-tapping and scrolling), particularly the iPad, awarding Apple more than $1 billion in damages, the largest patent award in history. Later, because of “jury error,”  U.S. District Judge Lucy Koh reduced the award by more than $450 million due to jury error in calculations and refused to ban the eight Samsung smartphones at issue. Both Apple and Samsung have appealed the ruling.  On 3/1/13, the District Court struck more than $500 million off of the verdict, leaving about $600 million.)  The financial blow to Samsung, world’s largest electronics company, may not be as great as it appears, but the important effect of the decision was the chilling effect on other companies which design and build mobile products which might appear to mimic Apple, including Google’s Android operating system.  Microsoft, on the other hand, will have the opportunity to innovate its mobile hardware and software without much fear of infringement, as it doesn’t use the Android software which is at the core of the Samsung smartphones.  This decision may force innovation in the long run.   November 2013: On November 13, a damages retrial started (U.S. District Court, Northern Dist. of CA) with Samsung claiming it owes Apple $379.8 million but Apple requesting $52.7 billion. The jury’s verdict on November 21, 2013, awarded Apple $229 million (on top of the $550 million from the initial verdict). October 2012 UPDATE:  On the other hand, the High Court of Justice in the UK (similar to our Supremes) found that the Samsung Galaxy Tab 7.7, 8.9 and 10.1 did not infringe on Apple’s patented designs, and required Apple to publish the statements of the court both in national newspapers and on its own website.  Apple has also lost lawsuits against Samsung over tablet design in the Netherlands, Australia and the U.S. On the downside for Samsung, though, the U.S. International Trade Commission has made a preliminary ruling that Samsung infringed four Apple patents relating to the look and feel of the iPhone.  June 2013 UPDATE:  Now it’s turnaround time:  On June 4, 2013 the International Trade Commission ruled that Apple’s overseas assembly of the AT&T-compatible models of the iPhone4, 3GS and 3, as well as the AT&T 3G connected iPad and iPad2s infringed on Samsung’s so-called “standard-essential” patent for the technology that lets mobile phones, whoever makes them, communicate with wireless networks and other phones when sending data, and therefore banned Apple from importing or selling those products in the U.S.  The ruling did not affect the newer Apple products like the iPhone5 and the fourth generation iPad, which use different technology than the earlier devices. Apple will probably appeal to the Federal circuit court.  August 3, 2013 update:    But on August 3, 2013, President Obama granted Apple a reprieve, vetoing the decision, reversing the ban just short of the 60 day review period for ITC exclusion orders, the first time a president has done so in 26 yrs.  August 9, 2013 update: Apple wins this round:  The ITC upheld a 2011 decision which found that Samsung had infringed Apple patents (the so-called “Steve Jobs patent” involving touch screen technology and another patent relating to the audio socket), ordering that certain mobile phones, media players and tablets be banned from the U.S.  Four other patents were turned down by the ITC.  The President has 60 days to overturn the decision, which is unlikely after his action on the 8/3 decision.  STILL REMAINING TO BE DECIDED:  In February, 2012, Apple filed another lawsuit in the U.S. District Court in the Northern District of California (San Jose Division) accusing Samsung of infringing on utility patents in its newer products i.e. those introduced in the 2 1/2 yrs since Apple filed the original suit (including the Galaxy S3, but not S4), seeking $2 billion.  Samsung counter-sued, of course, claiming that all generations of the iPhone and iPad infringe Samsung patents.  The court denied Apple’s bid to add the Galaxy 4 to the suit.  Trial started in April, 2013 and on May 2, 2014 the jury ruled that Samsung had to pay $119.6 more to apple to cover the patent infringements.  Both parties will likely appeal the ruling.  The courts must be getting tired of this see-saw series of suits.  And consumers remain largely unaffected as the products of the suits are generally obsolete by the time the cases are decided.  At least the lawyers are busy.  SO LET’S RECAP:  In August, 2012, Apple won over $1 billion from Samsung for patent violations, which U.S.D.C. Judge Lucy Koh reduced to $450 million due to jury miscalculation, granting reconsideration in a new trial.  Both parties have appealed.  In November, 2013, Apple won another $290 million from Samsung, on top of the $640 million in damages that Judge Koh upheld from the original award.  Now, in May, 2014, Apple won another $119.6 million from Samsung.  Apple requested a new trial, Samsung appealed.  Only the lucky lawyers are winning so far in this battle.  UPDATE: In August, 2014, Apple and Samsung have agreed to end their patent litigation outside of the U.S.  There is litigation pending in no less than nine countries.  But the litigation will continue in the U.S., including two in the U.S. District Court for N.D. CA (see above).  The agreement does not involve licensing arrangements, and the companies are continuing to pursue those cses in the U.S. courts.  UPDATE: 9/8/14 - Judge Koh denied apple a new trial on damages, challenging the $119.6 million jury award on its $2 billion lawsuit vs. Samsung.  By the way, the rumor that Samsung paid Apple the award in nickels is NOT TRUE12/6/16 UPDATE: In a unanimous ruling written by Justice Sotomayer, the U.S. Supreme Court reversed the lower court decision that Samsung pay $399 million for violating three of Apple’s design patents on the iPhone’s shape and colorful icons.  The ruling, which was closely watched by companies like Facebook, Dell and Google, as well as designers in other fields, because it declared that the phrase “article of manufacture” is broad enough to embrace both a final product as sold to consumers as well as components of that product, whether sold separately or not.  The lower court decision entitled Apple to all of the profits from various products, which may not be the case now.  The issue resolved in the decision is that the relevant article of manufacture must not always be the end product, but may only be a component of that product.  As such, it eases the risk for all manufacturers of products which mimic other products.  As Samsung argued, a smartphone is smart because it contains hundreds of thousands of the technologies that make it work.  The case was unique because it is the first time the Supreme Court has considered a design case since the 1800s.  The case will now be returned to the U.S. Ct. of Appeals for the Federal Circuit, which has jurisdiction over patent cases, to determine what Samsung must pay.  Due to the lack of guidelines, this could take years.

CLICK TO GO BACK TO INDEX...

LAWS ABOUT CELL PHONE SEARCHESBecause of the avalanche of information contained in cell phones, law enforcement authorities are most interested in peering into them. In 2011, phone companies responded to 1.3 million demands from law enforcement for such information. At the moment, the states have different laws about when and how cell phones can be inspected and court decisions are inconsistent and quite creative in their arguments.  A Washington state court compared text messages to voice mail messages that can be overheard by anyone in a room, therefore not protected by privacy laws.  Rhode Island threw out cell phone evidence leading to a murder conviction, deciding that the police needed a search warrant.  Rhode Island courts said that text messages are protected because they contain intimate thoughts and emotions, but other courts compare a cell phone to a container (like a suitcase filled with contraband or cash) that can be searched.  Louisiana is deciding whether location records stored in cell phones deserve privacy protection or are business records that are the property of the phone company.  While California believes that police could search a cell phone without a warrant so long as the phone is in the suspect’s possession at the time of arrest, other courts like Ohio, Delaware, Maryland and Oklahoma believe that a warrant is necessary because of the large amounts of private data stored on it.  Montana was the first state to require a warrant for cellphone location data. Maine followed Montana’s law.  Cellphone privacy legislation has been proposed in both the Senate and House that would require law enforcement to obtain search warrants to obtain cellphone location records. 

In July, 2013 the NJ Supreme Court ruled that police need a warrant before they can obtain tracking information about suspects.  Privacy advocates claim that where people go is inherently private, while law enforcement argues that there can be no claim to privacy over phone signals which contain location information.  There has been no federal statute yet on the subject and neither a Federal appeals court or the Supreme Court has considered the issue, except to state in one ruling that police must obtain a search warrant to install a GPS tracking device on private property.  See, ECPA, above.  In the first higher court ruling, the U.S. Court of Appeals for the Fifth Circuit ruled on July 30, 2013 (No. 11-20884) that a warrantless search of cellphone historical location data stored by cellphone service providers is “not per se unconstitutional” because the location data stored by the cell phone provider was “clearly a business record” and therefore not protected by the Fourth Amendment. So in that circuit at least, LEOs can chronicle the whereabouts of a citizen with a court order that falls short of a search warrant based on probable cause.  The Court found a presumption that consumers voluntarily use their cell phones and  have an obligation to understand how cell phones work.   The ruling was based on the U.S. Constitution, while the N.J. ruling, above, was decided using the N.J. Constitution.  In July, 2015, the U.S. District Court for the Northern District of California (Judge Lucy Koh, again, see the Apple vs. Samsung case discussed above) ruled that law enforcement agencies must seek a warrant before acquiring historical allocation data produced by a cell phone, which is protected by the Fourth Amenement. At the moment, two other circuit courts of appeals have this issue pending (the Eleventh and Fourth Circuits), but the issue will have to be settled by the U.S. Supreme Court.  In 1983, the Supreme Court held that an individual’s movementsalong public thoroughfares could be tracked via beeper (in the days before cell phones became popular), although a year later, the Court restricted its decision, stating that it did not apply when the user was at home.  The case of U.S. v. Jones, decided by the Supreme Court in 2012, may be pertinent.  That decision found that the Fourth Amendment protects citizens against the long-term electronic monitoring of a person’s movements and locations.  On April 29, 2014, the Supreme Court will hear arguments on two cases testing the authority of police to conduct a warrantless search of an arrested person’s cell phone.  In one of the cases, after a warrantless arrest for a street sale of drugs, while booking Brima Wurie at the station, his cell phone rang and the police began searching the call log and photos, which used the information to obtain a warrant to search his house, where they found drugs and firearms. In the other, San Diego police pulled over David Leon Riley on 8/22/09, then impounded his Lexus because he had been driving with a suspended license, finding two guns inside.  Upon further investigation, police checked his cell phone and found video clips of gang initiation fights and of a red Oldsmobile used in an earlier gang shooting.  The 23 year old was sentenced to 15 years to life based in part on the evidence found through the cell phone search, which he appealed.  In Florida, you need a warrant for such a search.  But remember, if everything you store on your devices is in the cloud, a simple search, warranted or not, will disclose your entire life. But as the laws about cell phone privacy evolve, just as in other areas of U.S. law, the exceptions will begin to dominate.  For an example, see the “butt dialing” decision by the Cincinnati appeals court, finding that  there should be no expectation of privacy if you butt dial someone, as being overheard during a butt dialis a bit like “having an argument near an open window”.  UPDATE:  6/25/14 - In a unanimous decision, the Supreme Court ruled (Riley v. California) that police may not search the cell phones of criminal suspects upon arrest without a warrant.  The said that smart phones and other electronic devices were not in the same category as wallets, briefcases and vehicles, all of which are subjected to limited initial examination by law enforcement where there is “probable cause” that a crime has been committed, to ensure officers’ safety or prevent destruction of evidence.  BUT BEWARE: The Riley case doesn’t apply to everything.  Law enforcement officials like Customs can seize your cell phone or laptop at a border and make a comprehensive  “forensic search” of everything on it, even without a warrant or probable cause, only “reasonable suspicion” (U.S. v. Cotterman).  The likely test case involves Ali Saboonchi, who passed from Canada through Niagra Falls, NY, where U.S. Customs officials seized his iPhone, Android Phone and USB flash drives, made copies back in Maryland, then conducted an invasive search, eventually obtaining sufficient data to be charged with his connection to a plot to violate U.S.-Iranian trade restrictions.  Customs officials authority to seize electronic devices isn’t really new - see Tip #26 about traveling with your laptop.

U.N. International Telecomunication Union legislation:  Once again, in December 2012, the U.S., Canada, Australia and the U.K. have refused to sign a communications treaty.  The stumbling point was language in the UN treaty relating to “human rights”.  The treaty was last overhauled 24 years ago, long before the incredible influence of the Internet.  89 countries have signed the treaty and 55 others have reserved the right to do so later or refused to ratify it.  It was hoped that the ITU could reach consensus about issues such as spam and domain registration.  Better luck next year...

Cyber Intelligence Sharing & Protection Act: CISPA is a proposed law  (introduced in 2011,  failed the Senate, then reintroduced on 2/12/13 as H.R.624, where it also didn’t survive the Senate, then re-introduced in 2015 once again, going to vote in October, 2015 after which President Obama has vowed to sign it if it is passed) to replace SOPA (above) which provides for the sharing of internet traffic information between the government and various technology and manufacturing companies, so that the government can investigate cyberthreats and secure networks.  It is viewed by many organizations as one of the greatest threats to internet users since SOPA, it is running into strong opposition.  Contrary to its name, there is nothing in it that does anything to actually improve the effectiveness of security systems, instead concerning itself with increasing the amount and type of information that corporations share with the Government and protecting those same companies from liability for violating their customers’ privacy.  But those companies which comprise the Business Software Alliance and the Computer & Communications Industry Association strongly oppose the bill.  The primary objections are the granting of overly broad legal immunity to corporations and government’s use of users’ private data and communications and allowing the NSA (a military agency that operates secretly and without public accountability) to access and that data and communications.  As always, the European Union is ahead of the U.S., having already announced a new Cybersecurity Plan that could require companies to report data breaches to respective national regulatory bodies.  UPDATE:  Congress is at it again - Recycled as the “Cybersecurity Information Sharing Act” introduced by Senators Dianne Feinstein (D-CA) and Saxby Chambliss (R-GA) in June, 2014, it purports to “improve cybersecurity in the U.S. through enhanced sharing of information about cybersecurity threats, and for other purposes”.  Like that’ll ever happen in the federal agency arena.  And what exactly are those “other purposes”?  IRS prosecutions, child support collections, DHS investigations??  It’s way too vague and suffers from the same defects as previous bills. 2015 UPDATE: Called the “zombie bill” because it keeps coming back from the dead, it gets introduced each session.  And then denounced, as most believe that it’s a surveillance bill by any other name and will not prevent terrorism one bit.  The House bill (“PCNA”) is even worse, as it allows data collection about crimes that may not even be happening imminently or which threaten anyone’s life.

Computer Fraud and  Abuse Act (CFAA) 18 USC 1030:   A 1986 amendment to the Counterfeit Access Device and Abuse Act of 1984 which was intended to reduce the hacking and cracking of federal computer systems. It essentially states that anyone who intentionally accesses a computer without authorization (or exceeds their authorized access) and thereby obtains information from any “protected” computer shall be punished if the conduct involved interstate or foreign actions. Originally, the act provided protection for federal computer systems, but was then expanded to include “protected” computers, which was expanded to encompass financial institutions and banks used in interstate commerce. There are seven enumerated types of criminal activity covered by the statute, whether attempted or actually accomplished:  Obtaining national security information, compromising confidentiality, trespassing in a government computer, accessing to defraud and obtain value, damaging a computer or information, trafficking in passwords and threatening to damage a computer.  Since its passage, critics of the law have been vocal about it’s overreaching scope, because the concept of “exceeding authorized access” can apply to many routing computer users, subjecting them to possible criminal penalties (the severity of which has increased every few years) as well as civil penalties (added in 1994, providing a private cause of action if the violation causes loss or damage).  In the past, the law has been used to prosecute Aaron Swartz and Andrew Aurnheimer and others, making potential felons of them and millions of other Americans by criminalizing technical website terms of service violations.

State Telemedicine Laws:  Nineteen states in the U.S. have enacted telemedicine laws which mandate coverage of telemedicine services and prohibit the exclusion of health care service solely because it is provided through telemedicine.  Not only do the telehealth initiatives close the health care disparity gap for minorities, rural communities and emergency care instances, but they also require  consistent specified criteria so that insurers will reimburse those services at comparable rates to other covered health care visits. 

STATE TEXTING WHILE DRIVING LAWS: Many states and even localities have passed their own “distracted driving” laws.  This include cell phone and text message bans.  Doesn’t even consider the effect of emerging technology such as Google Glass.  Some states require “crash data” collection of such data on police accident report forms.  These laws change so much that we refer you to the following LINK at the Governors Highway Safety Association comparing the laws for each state.  But beware:  Florida passed its anti-texting law on 5/3/13 and it hasn’t shown up on the list yet.  And there’s the added qualification that drivers cannot be charged in Florida and other states as a “primary” offense; that is, only  if another charge, like an accident, leads to discovery of the cell phone data can it lead to a charge for phone or text violations.  So check each state’s actual law:  It may not be a blanket ban, but my contain pre-conditions!  As of May, 2013 the general stats are: 10 states prohibit all drivers from using hand held cell phones, there are no state bans cell phone use for all drivers, but 37 states ban them for novice drivers and 39 states ban messaging while driving for all drivers, all but 3 having primary enforcement.  August 29, 2013 update:  A N.J. appeals court has ruled that if you text someone you know is driving, you could also be held liable if they cause a crash while texting.  In that case a driver (Kyle Best) was driving while text chatting (62 for that day alone) with Shannon Colonna.  While texting, his truck swerved over the center line and hit David and Linda Kubert on their motorcycle, seriously and permanently injuring both. The appeals court agreed that the sender of texts can cause a distraction causing an accident just as if they were sitting in the car.  But in this case, the court didn’t find Colonna guilty, because she didn’t know Best was driving while texting.  The case has already resulted in the “Kulesh, Kubert and Bolish Law” which makes distracted driving a crime, punishable by fines for bodily injury up to $150,000 and incarceration for up to 10 years.  Also, new legislation introduced by N.J. Senator James Holzapfel would permit law enforcement to search drivers’ cell phones if they have reasonable grounds to believe that the driver was texting or talking when the crash occurred.  The ACLU and others have objections to these laws, in part because of privacy issues, also because it’s hard to define what use of a phone constitutes “distracted driving”.  For example, a California court has held that fiddling with the GPS feature of a smart phone while driving is included in the definition.  So what, then, to make of adjusting your radio, A/C or windshield wipers.  Or glancing at billboards, written directions not on a cell phone or changing a CD?  It’s hard to define where it stops.  Time reports that the West Virginia legislature has already introduced an amendment to a law banning operating a motor vehicle while wearing a head-mounted display, obviously aimed at Google Glass, which isn’t yet even on the market.  Taken to even a slight extreme, it appears that we need a different solution, like cars with built-in protection or software for devices that prevents their operation in moving vehicles (some already exist for cell phones, such as cellCONTROL or Scosche) or better driver certification.  Not more laws.  July, 2016 Update:  According to the Auto Insurance Center, 13 states have total cell phone bans while driving, while 4 more have partial bans as of this date.  More to come, most certainly. 

DO NOT TRACK LAW: While some browsers voluntarily have “do not track” elections, there is as yet no Federal or state law regulating the collection of tracking data by advertisers of users’ web browsing (at least in this country).  The installation of cookies, small bits of code that track computer users’ browsing history, is at the center of the debate.   And users have shown that they want the option to opt out of cookies:  It is estimated that as of March, 2013, some 11.4% of the 450 million people worldwide who use just the Firebox desktop browser have activated the Do Not Track setting.  Unfortunately, the “tracking protection group” of the W3C (World Wide Web Consortium, see Associations) seems to be unable to create any consensus for privacy mechanisms on browsers.  Advertisers are aligned in their desire to collect tracking data and use “big data” analysis in order to show relevant ads to consumers as well as to justify their immense expenditures, while consumers resent that their right to chose not to be tracked by companies that they don’t do business with or even know about or, for that matter, anyone.  And, of course, the U.S. Government has its own interest in piggybacking onto the data collected by the large ISPs for their own surveillance agenda.  The current W3C draft proposal would be for third parties not to collect tracking data on any browser where a user has actively turned on the privacy block.  BUT IT’S ALL AN ILLUSION:  In true U.S. legal fashion, there are multiple exceptions to the block, and no one said that they would make it easy to find out how to turn it on (i.e. if it would be on by default or part of the browser itself or an add-on to be enabled).  So, don’t look for any solution soon:  The longer the debate drags on, the better it is for big business.  The fact is that most websites don’t offer DNT.  It’s a voluntary system, and almost no one supports it for their own reasons.  If you turn on your browser, it immediately sends a signal in the form of an HTTP header to web companies’ servers, and it probably won’t really change what data they collect.  Moreover, while Facebook and other sites use cookies to track of how users navigate the site, third party ad companies like AppNexus, BlueKai and Conversant, which run “exchanges” which are also used by Google, Facebook and Yahoo are still unregulated, and that won’t likely change.

Apple e-book Antitrust Litigation:  After a year of preparation, the U.S. Department of Justice will attempt to prove its case that Apple conspired with publishers to raise prices across the e-book market, violating U.S. anti-trust laws.  The trial, which is scheduled to begin on June 3, 2013 in the U.S. District Court in New York City before Judge Denise L. Cote. The case was originally brought against five other publishers in addition to Apple of conspiracy, but four of them (Simon & Schuster, HarperCollins, Hachette, Penguin and Macmillan settled almost immediately).  It was alleged that the conspiracy, with Apple as the ringleader, was motivated to defend themselves against Amazon, which had become a dominant market force and was rapidly growing, now controlling about 60% of the e-book market.  Amazon was setting the price of most new e-books at a flat $9.99 using what was called the “wholesale model” used for print books, i.e. publishers charging retailers for about half the cover price for a book, then allowing retailers to set their own prices.  When Apple entered the e-book market in 2010 with the iPad, they were trying to persuade (some say coerce) publishers to agree to so-called “agency pricing” where publishers would set their own prices for the e-books, then giving Apple a 30% commission on the books sold in the Apple store.  The issue was this:  Apple included what is known as a “most favored nation” clause in its contracts with the publishers which required that no other retailer be allowed to sell the e-books for a lower price than Apple and that, if they did, the publisher would then have to match the Apple’s price.   The Justice Dept. says that this was an illegal anti-competitive practice that resulted in higher prices that was harmful to consumers.  They claim that when the five publishers re-negotiated their contract with Amazon to the agency model, Amazon’s prices for introductory e-books went up from $9.99 to $12.99 or more.  Testimony is expected from lots of important publishing people, including the late Steve Jobs, whose e-mails will be introduced by the government to support its case.  This will be a landmark decision, as it may affect the pricing structure for the sale of future e-books.  I only wonder why Amazon, which caused this situation by monopolizing the cost of new books for years, is skating away without any DoJ investigation.  UPDATE:  In a 160 page ruling issued on 7/10/13, the judge issued her decision, finding that “Apple not only willingly joined the conspiracy but also forcefully facilitated it.”  The judge found that, while the “most favored nation” clauses aren’t inherently illegal under antitrust laws, they were used to effect an unreasonable restraint of trade in this case in violation of Section 1 of the Sherman Antitrust Act.  The judge will schedule a separate hearing to discuss possible damages.  Apple appealed in February, 2014.  There will be minimal changes that will affect consumers, and Amazon is free to skate along freely.  However, Barnes & Noble’s Nook troubles will create problems with their e-readers (for more click HERE).  UPDATE:  Finally, on June 16, 2014, Apple reached an undisclosed out-of-court settlement with the U.S., 33 states and a class action lawsuit by a group of individual plaintiffs, subject to court approval.  However, the settlement is subject to the outcome of its appeal.  If Apple wins the appeal, it won’t have to pay.

Revenge Porn (a/k/a cyber revenge) LawsFor years, the concept of “revenge porn” or “cyber revenge” has been active. There are many websites that make a tidy living off the posting of images of sexually explicit and embarrassing videos of ex-lovers and ex-spouses.  But this practice may be quickly becoming illegal. As of 2015, the Cyber Civil Rights Initiative (see Associations) reports at least 26 states with revenge porn laws on the books. While Florida considered but rejected a bill that would have made the act a felony, other states are going forward.  California passed a law, signed on October 1, 2013 that would subject those convicted to 6 months jail time and a $1,000 fine.   In December, 2013, Kevin Bollaert, 27, of San Diego was arrested and charged with 31 felony counts as the result of his creation of website ugotposted.com (and later changemyreputation.com) which posted sexually explicit photos of people without their permission.  Noe Iniguez became the first person convicted of that law after posting a nude photograph of his ex to the Facebook page of her employer.  In January, 2014 Hunter Moore and Charles Evans, both of California, were arrested and charged with aggravated identity theft and conspiracy for posting nude photos of people who regretted having them taken before they broke up their relationships.   On 12/2/15,  Moore, who became  known as “the most hated man on the Internet” for his creation of IsAnyoneUp.com, where he publicly posted nude or compromising photos was sentenced to 2 1/2 years in prison, plus 3 yrs of supervised probation, a mental health evaluation and a $2,000 fine.  In November 2015, Evans was sentenced to 25 months in prison and a $2,000 fine. N.J. is the second state that has actually passed a law.  But there are pitfalls:  The laws have to be drafted so narrowly that they leave large gaps.  It’s hard to prove revenge as a motive when the injured party originally gave permission to be videotaped. So too when the posting is for bragging rights or ego, not to cause emotional distress. Privacy laws may not protect you from videos taken anywhere where there isn’t a reasonable expectation of privacy.  The California law requires that the poster must also be the photographer.  Also, the laws don’t cover sexting, or sharing of selfies,  where the injured party creates the video themselves.  True, child porn laws may cover participants under the age of majority, and cyberstalking laws may apply if there is a pattern of postings which cause the victim to fear for their safety, but the viral effect of a posted video can last forever and be impossible to stop, much less recover damages from the disclosure.  It hasn’t yet reached the point where any Federal legislation on the subject has been proposed.

Online “Eraser” Laws:  In an effort to protect minors, California has passed the first “Online Eraser Law” which will allow minors to erase their online posts to social network sites.  The law, which takes effect in January, 2015, only applies to minors and only in the State of California and, of course, depends on some degree of cooperation by social network sites and hosts.  Also, it can’t prohibit reposting of  the original posts by others.  Some protest the law as an impossible burden on ISPs.  More states (Illinois, NJ) have similar legislation in the works.  And in June, 2015, Sen. Edward Markey (D-Mass) introduced an online privcy bill that would make the underage eraser button federal law.  (See also COPPA, above, and Privacy.] Personally, I think that technology shortcomings should be met with technology solutions.  For example, I’d like to see an expanded version of Snapshot, which erases photos sent via smart phone after about 10 seconds after viewing, to include text as well if enabled.  There’s no permanent record, at least.

Data Collection Laws: As discussed in several items above, the law of the Internet is still evolving and in its infancy.  Therefore, state laws are as yet coherently defined and in many cases there has been no Federal legislation.  This is the case with the extent to which those companies which use rather sophisticated web monitoring tools can be governed.  For example, in March, 2013, the Massachusetts Supreme Judicial Court ruled (Tyler v. Michaels Stores) that collecting Zip codes violates that state’s consumer protection laws because, armed with a consumer’s name and Zip, a retailer can use the “personal identification” to reverse engineer the address and other information, in order to target consumers with mailings and other marketing data.  California ruled similarly in 2011 (Pineda v. Williams-Sonoma), but other states haven’t followed uniformly in the same way. It may be that retailers collect the Zips to better identify where their customers are located, but that may not be all that they do with the info.  You’re free to decline, but risk that the cashier may not know how to complete the transaction without it.  Expect disparate state laws for some time until some uniform legislation on this activity is passed.  The Government’s use of tracking data (see Privacy, above) may speed up overall legislation on this subject as the public becomes more outraged.  See also Quants, Big Data.

Keep Your Eye On Aereo:  The owners of Fox, ABC (Disney), NBC (Comcast) CBS, PBS and others have joined in a petition to the U.S. Supreme Court to stop AEREO, a 2012 startup from New York City from allegedly violating their copyright by using dime-sized antennas to record and then stream 28 channels of local TV stations and forward them to Aereo’s (paying) subscribers over their internet connection (plus cloud DVR storage) for a monthly charge of only $8 (in NY).  The service has expanded into 11 markets, including Atlanta, Boston, Dallas Detroit and Miami, with more planned pending the court decision.  Unlike cable or satellite connections, however, Aereo doesn’t pay “retransmission” fees, which can run into the millions of dollars.  Aereo founder and CEO Chet Kanojia claims that there is no copyright infringement because the company is free to air to consumers and that the location of the antenna is irrelevant.  Aero is backed by Barry Diller, co-creator of Fox Broadcasting, and operates in 11 major cities, where its customers pay only $8 to $12 per month.  The lower courts have generally favored Aereo, finding that a loophole in copyright law involving public performances applies.  Their case was argued in late April, 2014 before the U.S. Supreme Court, and it is hoped that a decision will be issued before the end of the 2014 term in the summer of 2014, maybe as early a June.  Big hitters are lined up on both sides:  Against, the networks, the NFL and Major League Baseball.  Supporting Aero, the Consumer Electronics Assn. and the Computer & Communications Industry Assn. (See Associations) If upheld, this would disrupt the broadcast business model, which allegedly uses the increased fees to finance the creation of new programs.  If the broadcasters win, they may feel empowered to continue to raise their prices, while if Aero wins, the consumer will benefit from the cost savings.  Either way, the future will be different.  UPDATE: 6/25/14 - In a 6-3 ruling, the Supreme Court ruled against Aero, finding that the streaming television startup violated the 1976 U.S. Copyright Act and that its rebroadcasting of freely available signals from local TV broadcasters qualified as a “public performance” for which rebroadcast fees were due. It dismissed Aero’s argument that it was privately streaming network shows which were already being broadcast for free over the air, by comparing Aero to a cable system, in part because the Aero cloud DVR system creates a subscriber specific version of the program(s).  Aero shut down two days later.  The pay TV and cable/satellite providers will now probably get to raise their fees with no real competition.  In many areas, though, you can still use an ordinary outdoor antenna or indoor rabbit ears to get at least some free local TV.  Click HERE for more.  UPDATE 7/18/14:  Meanwhile, with no other choice, Aero agreed with the Supreme Court that it was, indeed, a cable company and proceeded to petition the lower court (2nd Cir. Ct. of Appeals) where the action was still pending), that it be allowed to seek a “compulsory license” for broadcasting content and benefit from the license under the Copyright Act.  They can probably still make money, since the Supreme Court did not mention anything about the DVR portion of Aero’s service. But the U.S. Copyright Office says that Aero’s internet retransmissions of broadcast content aren’t covered by their content licensing system so that, the Supreme Court ruling to the contrary, Aero isn’t a cable company.  The Copyright Office threw the hot potato to the FCC, which can either determine that Aero isn’t a cable company (possibly creating a new category for their model) or that it is.  But if it is, this isn’t necessarily good for Aero, because then they would have to pay the broadcasters directly, effectively undermining the Aero business model, and obviating much of the discouhts that it was offering to customers. Pending the decision by the Second Circuit Court of Appeals, the FCC put its action on hold.  However, on 8/21/14, that court kicked it down to the District Court level for procedural reasons, so we’ll have to wait for that decision now.  On November 14, 2014 Aero filed for bankruptcy and thanked its subscribers, closing down.

*FTC Investigation About OnLine Ad Tracking:  Senator Edward J. Markey (D-Mass) has asked the Federal Trade Commission to investigate on-line ad companies that track consumers across devices like their cell phones, showing them ads based on the web sites they have visited on their computer.  This is a new development.  While computers use cookies to track users browsing practices, cell phones do not have cookies, so there have to be other ways that advertisers can track down consumers to send them ads.  While opt-in sites like Facebook and browsers like Google have their own ways of tracking users across platforms to send them ads, there are now specialized companies (like Drawbridge) that exist solely to apply statistical modeling to data from ad exchanges and Web publishers to determine that several devices belong to the same person and then send ads based on their browsing history directly to their devices.  Markey’s letter, dated October 17, 2013, was directed to Edith Ramirez, the FTC’s Chairperson, in which he said that “Previous tracking technologies such as cookies are giving way to more sophisticated, surreptitous methods for monitoring users...The implications of this evolution are enormous for the privacy of millions of Americans.”  We’ll have to follow this development and see if it translates into laws or regulations.

*Innovation Act:  The White House has been trying to crack down on patent trolls, and has come out in support of a House bill that would begin to do just that. The bill, Representative Bob Goodlatte's (R-VA) Innovation Act, has passed through the House Judiciary Committee and will be put up to a vote by the entire House of Representatives on December 3 or 4, 2013.  Having seen strong, bipartisan support in the Judiciary Committee, the Innovation Act appears to have a shot at passing.  The Innovation Act aims to make it easier for businesses to fight back against patent trolls, which generally don't produce any products of their own and instead use patents to sue other companies. Under the act, the relevant patents, products, and demands would all have to be made more clear when a business initiates legal action. It would also make fighting patent lawsuits less expensive and allow defendants that win a case to potentially recover their court costs. A companion bill is currently in the works in the Senate too, which held a Commerce Committee hearing on the matter in October, 2013.  See also, Federal Patent Troll Law, below.

*On the Supreme Court Docket:  On 1/14/14 the Court agreed to hear an appeal by Limelight Networks of Tempe, AZ from a decision by the U.S. Court of Appeals for the Federal Circuit, declaring Limelight subject to suit for inducing infringement.  Akamai Technologies, Inc. and MIT sued Limelight over the alleged infringement of Akamai’s patented method for redirecting requests for internet content to ensure access during periods of high demand.  The companies are competitors in this field, and Akamai insists that Limelight has taken all of the steps, but induces its customers to make the final jump. The CAFC also said that the lower court was correct in setting aside Akamai’s $45.5 million jury award as well. Limelight has the backing of Google, Cisco, Oracle, Red Hat, Symantec and Xilink, as well as the Obama administration.

* Federal Patent Troll Law:  According to a 2014 PricewaterhouseCoopers study, patent trolls now account for 67% of all new patent lawsuits.  The number of suits filed in 1991 was about 1,000 for the year; in 2013 it was over 280,000.  And, while monetary awards are shrinking, awards to trolls aren’t. They’re three times higher than those of the non-NPEs (“Non-Practicing Entities,” which stockpile patents but never use them).   Moreover, studies by Harvard and U. of Texas have shown a negative impact on R&D and innovation on the part of those companies who ordinarily would spend on innovation, a disincentive to spend money to create products because they may have to spend too much money to defend against unwarranted lawsuits.  Suits from these NPEs have captured the interest of lawmakers.  Legislation aimed at curbing these patent trolls (those who use patent infringement lawsuits as their primary business model) was made into law in June, 2001 as the 2011 America Invents Act, which contains a provision re-examining the “covered business method” patents.  In effect, this provision provided a stay of the underlying patent in a patent troll lawsuit.  And awarded the winner to recover legal fees from the loser.  Members of the Business Software Alliance (“BSA”) [Microsoft, IBM, Xerox and others with huge patent portfolios, see Associations] fought to get this provision deleted.  [Although there is a push in the House to revive the legislation in a watered-down bill, known as the TROL Act, it’s unlikely that any law will result this session.  UPDATE:  In January, 2015, the bill was reintroduced as The Innovation Act, essentially the same act that passed the House by a 325 to 91 vote.  We’ll see what happens this session.]

CLICK TO GO BACK TO INDEX...

* Google Privacy Cases:  In 2010 Google admitted accidentally collecting personal data from unencrypted Wi-Fi networks while building its Street View program.  The data included e-mails, and possibly usernames and passwords between 2008 and 2010.  More than a dozen lawsuits were brought and, in 2011, all were consolidated into a single class action in the U.S. Federal District Court in San Francisco.  The basis was that Google has violated the U.S. Wiretap Act, which “regulates the collection of the content of wire and electronic communications,” and which restricts unauthorized interception.  In its defense, Google argues that the collected information fell under the “accessible to the public exception” which permits the interception of electronic communications if they are readily accessible to the general public. On June 30, 2014, the U.S. Supreme Court declined to hear Google’s petition to dismiss the class action suit against it.  Google v. Joffe, et al. will continue.  It may be settled, as the other investigations into the matter were, with U.S. and other countries agencies and 38 states and D.C.

* LAWS ABOUT WHAT HAPPENS TO YOUR DIGITAL IDENTITY WHEN YOU DIE.  This is an emerging area of law, with no consistent state or federal pronouncement.  See FAQ #62  for a detailed discussion and legal references.

* WHAT’S GOING ON WITH THE KIM DOTCOM/MEGAUPLOAD LITIGATION:  It’ll probably go back-and-forth forever.  Click HERE for more.

* CELL PHONE UNLOCKING LAW:  S.517, the Unlocking Consumer Choice and Wireless Competition Act was passed in July, 2014.  This means that your carrier can’t prevent you from unlocking your cell phone and porting your number to another carrier.  This sounds good, but there are a couple of problems here:  First of all, can you really unlock a phone which doesn’t have a SIM card (like most of Verizon’s) and where the lock is physically written into the phone’s circuit board?  Second, we’ll still have to wait for the Library of Congress to evaluate the rules for unlocking.  Why a Library?  Because Congress made the Library responsible for any exemptions under the DCMA (“Digital Millennium Copyright Act”; see above) .  It evaluates the exemptions every three years, next due in 2015.  From 2006 to 2012, the Library allowed cellphones to be unlocked from their original provider after the original contract for the device expired.  But in 2012, the Library changed its mind and decided that the rule wouldn’t apply to new phones purchased after January 26, 2013.  But if before the 2015 review, Congress takes cellphone unlocking away from Library jurisdiction, which may happen, the issue will be confused and further delayed.

*CELL PHONE KILL SWITCH LAW:  California is the second state to enact a law requiring cell phones manufactured after July 1, 2015 to have a “kill switch” that lets users remotely lock them and wipe their data in the event that the phone is lost or stolen.  It can be deactivated by users if they desire, but it will be enabled by default.  Most likely, if required to meet this law, manufacturers will simply put the feature on all phones rather than just for one state.  This has been in the works for some time:  Apple already has an “Activation Lock” feature in iOS 7, although it isn’t activated by default.  And both Google and Microsoft are expected to introduce the feature as well in upcoming O/S revisions.  The first state to pass such a law was Minnesota (June, 2014), but it doesn’t require the kill switch to be enabled by default. 

eSIGNATURES, e-FILING, ETC.:  As technology has changed, so have our daily lives.  Paper and traditional handwritten signatures have given way to eSignatures and electronic transmissions, which are now commonplace.  As authentication has become secure, digital transmissions are now quickly becoming the norm in most countries around the globe.  Courts, hospitals and businesses have adopted this procedure to save time, paper and authentication all over the world.  Whether transmissions are made using eSignatures, advanced encryption techniques or simple PDFs, electronic transmission is done daily.  [I remember the days when big law firms would file their motions at 4:59pm Friday, deliver them to opposing counsel by messenger (so they’d have to work all weekend) and stand on line at the Clerk of the Court to get their originals file stamped before closing.  Now, that’s history - just a click of the mouse at 4:49pm, Adobe Acrobat built in to MS Word, and it’s done!]  The legal basis for authenticating and enforcing electronic signatures had its start in the 1996 United Nations’ UNCITRAL Model Law on Electronic Commerce, Article 7.  By 2001, UNCITRAL had drafted its Model Law on Electronic Signatures, which has been accepted by over thirty countries and is continually updated, providing functional equivalence between electronic and handwritten signatures at the international level.  This work has filtered down to the national level.  In the U.S., the law of electronic signatures is contained in the Uniform Electronic Transactions Act (“UETA”), adopted by almost every state in the U.S. as the ESign Act of 2000 (NY, WA and IL have their own versions).  Not to be outdone, various federal agencies and courts have adopted their own regulations and procedures for the electronic process, such as  the FDA, CFTC and USPTO.  In addition, as usual, other U.S. and state laws further narrow this subject:  See, e.g. the Government Paperwork Elimination Act, HIPAA, and individual sections of other federal (and state) legislation concerning legal, business and medical records and their transmission. UETA defines an electronic signature as “an electronic sound, symbol or process, attached to or logically associated with a record and executed or adopted by a person with the intent to sign the record”.  Currently popular electronic signature standards include OpenPGP and S/MIME IETF.  But of all the definitions in the Glossary, I’ve never seen so many confusing sound-alikes as with eSignatures.  DEFINITELY NOT included in the definition of electronic signatures are “digitized” signatures such as scanned signatures, faxed signatures, telephone-authorized handwritten signatures, “digital certificates” and other signatures which are in some sense digital but do not meet the definition of “cryptographically secure,” although some current wannabes labeled “dynamic” or “biometric” signatures may, with appropriate software, reach the desired level of trust.  It can’t just be digital, it’s got to be capable of authentication and verification as well to be considered a true eSignature.

*STALKING APPS:  On the private side of surveillance, there has been a tremendous increase in so-called “stalking apps” like StealthGenie and MobiStealth. These apps have to be physically installed on a user’s smartphone, after which they will allow someone else to intercept the user’s phone calls, texts and other communications, as well as their location data.  While these apps claim to be useful for keeping an eye on your minor children or elderly parents with medical issues, the reality is that they are most often used to catch cheating spouses and other romantic partners.  Monitoring minor children for safety issues would be legal, as would monitoring the elderly, if they consent.  That’s how these apps are marketed.  But if it sounds like a violation of the federal Wiretap Act, it probably is, if it is installed without permission and surreptitiously gathers data without the user’s consent.  While an effort by Sen. Al Franken (D-MN) to outlaw stalker apps was not successful in 2014, there has been an investigation and arrest in October, 2014 of StealthGenie’s CEO, Hammad Albar, on grounds of advertising and selling a surreptitious surveillance device.

*HOTELS BLOCKING OUTSIDE WI-FI HOTSPOTS:  In January, 2015, Marriott and other hotels have petitioned the Federal Communications Commission to rule whether and under what circumstances hotels may block personal Wi-Wi hotspots inside their buildings, a practice that recently earned Marriott International a $600,000 fine.  Hotels claim that it is necessary to block such hot spots in order to protect their internal Wi-Fi services from being hacked, possibly revealing internal information such as credit card numbers.  (Illegal signal jammers were not used.)  But the request was met by resistance from tech giants Google and Microsoft, and Tom Wheeler, the FCC Chairman himself, blasted the chain for going against the Communications Act, which explicitly prohibits anyone from interfering with ratio communications, including Wi-Fi.  The FCC is expected to consider and rule on this issue.  UPDATE:  In what must have been the quickest policy reversal on record, at the end of January, 2015, Marriott announced that it was completely done trying to block guests’ personal Wi-Fi connections, and has even given up convincing the FCC to give it permission to do so.

*BIOMETRIC PRIVACY PROTECTION LAWS:  At least two states (Texas and Illinois) have introduced biometric privacy laws, legislating that such invasions as facial recognition are not allowed absent the individual’s consent.  But, for the most part, there are no laws governing government or private use of facial recognition (see definition for more) or, even more important, the use to which the gathered data may be applied.  Click HERE for more.

*SECURITY AND PRIVACY IN YOUR CAR ACT [a/k/a The Spy Car Act of 2015]:  A Bill introduced by Senator Ed Markey (D-Mass) to lock hackers out of Wi-Fi connected cars by having auto manufacturers to build in security into its connected cars.

*PCNA (“Protecting Cyber Networks Act”) ACT: An  act introduced by the House Permanent Select Committee on Intelligence to encourage businesses and the Federal government to share  information about known cyber threats.  It is rumored to have a provision for a “Kill Switch” that the President can use to disconnect the U.S. from the Internet at his discretion. It’s not the case, at least not now.  And in late 2013, the U.S. District Court for D.C. ruled that DHS must disclose its plans for such a kill switch.  However, wouldn’t it just be easier for the government to just make separate arrangements with cooperative ISPs, phone providers and the like?

*POCKET DIALING  PRIVACY:  Question - Does someone who “pocket dials”  (a/k/a “butt dials”) someone else have a reasonable expectation of privacy?  This question has been answered by the U.S. Court of Appeals for the 6th Circuit, which also addressed the issue of whether one would be violating laws against intercepting communications if they stayed on the line and even recorded the contents of the call.  The Cincinatti Court decided that, under Title III of the Omnibus Crime Control and Safe Street Act of 1968, 18 U.S.C. Sec 2510 et seq., one does not have a reasonable expectation of privacy, even if the call was placed inadvertently.  However, as to the issue of whether the recipient who records that call and passes on the contents to another (who were discussed as the subject of the conversation), there could be a possible claim against its dissemination if all other statutory requirements have been met.  (The case was complicated because the pocket dialed recipient was the caller’s wife.)  Other courts may affirm or differ from this conclusion.

*CLOUD STORAGE OF E-MAILS - LEGAL PROTECTION:  As more and more data is archived or stored in the Cloud, it is changing the way that the law treats that data.  This has a direct effect on how the U.S. or other governments have the right to access things like e-mail, Skype records, transactions and other data where they are stored by such global companies as Microsoft, Amazon, Apple and Google in server farms all over the planet.  In a conundrum worse than any law school exam question, we now have to consider the legalities of inter-continental electronic transfers.  For example, if a U.S. caller in Florida makes a Skype call to someone in Vienna, Austria, the data could be stored on a Google server in Italy.  If it becomes the subject of a criminal investigation in England, whose laws prevail?  This is a real issue.  At this moment, in fact, Microsoft is embroiled in a dispute with the U.S. government over subpoenaed e-mails stored in its servers in Ireland.  Microsoft claims that applying this law would result in a “global free-for-all,” while the government claims that the location of the server is irrelevant, only where the information was exchanged, and it doesn’t matter where Microsoft has to go to retrieve the data.  In both lower court appeals, Microsoft lost, the courts agreeing with the Government that it had the right to data stored by a U.S. corporation, wherever it may be stored.  The latest appeal is pending in N.Y. and Microsoft will appeal to the Supreme Court if it loses again.  Microsoft worries that if this decision becomes the law, foreign companies will no longer trust Microsoft to keep their private data from the prying eyes of U.S. intelligence wherever the data is stored.  Conversely, it could be argued that the law would provide no protection against a request from a foreign government for information held here by a non-U.S. provider within the U.S., even if that data was generated by a U.S. citizen or company.   The present law is antiquated and inapplicable and new specific legislation is necessary:  On October 6, 2015, the European Court of Justice invalidated the 15 year old agreement known as Safe Harbor, which was an attempt to bridge the differing approaches to data protection between the U.S. and Europe.  Although there some work-arounds, like “model contracts,” they are cumbersome and only practicable for larger enterprises, if they even remain legal.  The Electronic Communications Privacy Act of 1986 was enacted several years before the creation of the Internet, so it doesn’t address many important issues. And the Law Enforcement Access to Stored Data Abroad Act may or may not be applicable.  [The NY appeal decision is expected in November, 2015.]

Google Copyright Lawsuit About Scanning All Books in Print:  In 2005, Google announced that was going to scan all of the books in the Library of Congress, including those still within copyright protection.  Fifteen years later, in October, 2015, the Authors Guild v. Google lawsuit finally came to a conclusion.  The Second Circuit Court of Appeals agreed with Google, ruling that the scanning program was legal, in a decision issued by Judge Pierre Leval.  In actuality, while Google scanned the entirety of copyrighted books, it actually shows only small “snippets” of those creations until the copyright expires.  The dispute seemed far more monumental when it started, as there was no real digital book market to speak of.  No iPads, Kindles, smartphone readers.  Now, in 2014, 27% of Americans are reading e-books and those reading print books has fallen from 71% to 63%.  For those books in the grey area between old and new books, we’re lucky that the U.S. has the “Fair Use” doctrine, which provides exceptions for copyrighted materials where their terms have been repeatedly extended.  See HERE for the final ruling.

YES, YOU CAN SUE YOUR PRINTER COMPANY:  We’ve all had problems with our inkjet printers and have wished we could go after the printer manufacturers  (see Opinion).  Some of have done so.  For example, Canon customers sued after a significant number of printer-head failures occurred just after the expiration of the one-year warranty.  Although Canon denied wrongdoing, they did fork out $930,000. In another case, not yet completely resolved, Lexmark sued a patent-infringement lawsuit against one of its customers claiming that its patents limit certain cartridges to refilling only by Lexmark, and even then only once.

*BLANKET GAG CLAUSE PROHIBITION:  Lately, some hotels, retailers and other service providers are including “non-disparagement clauses” in their terms of service, specifically to deter customers from purchasing negative reviews online.  The U.S. Senate has recognized this restriction on free speech by introducing S.2044, the Consumer Review Freedom Act of 2015, prohibiting the use of blanket gag clauses in commercial transactions and also empowering the Federal Trade Commission for businesses which violate the law.  The House has its own version of the bill, introduced by Darrell Issa (R-CA). 

THE GOVERNMENT’S RIGHT TO COMPEL UNLOCKING CELL PHONES (and other devices):  The issue of cell phone privacy came before the courts once again in February, 2016 when the U.S. Dept. of Justice (a/k/a the “DoJ”) demanded that Apple write software cracking the password encryption algorithm on the iPhone 5c used by the San Bernardino gunman Sayed Rizwan Farook.  Apparently the FBI, which is part of DoJ, couldn’t or wouldn’t do it.  Actually, what the Government wants is for Apple to write a special version of it’s firmware to bypass the self-destruct feature of the phone’s data after 10 unsuccessful attempts at the password.  DoJ was successful in obtaining a court order from a federal magistrate in California compelling Apple to do it, that is, to develop a key to unlock a phone that wasn’t supposed to have a key to unlock it at all.  Apple’s CEO, Timothy Cook, considers this a basic consumer security and privacy feature and refuses to crack the phone.  DoJ relies on a 1798 law, the All Writs Act [28 U.S.C. Sec. 1651] , which essentially says that the courts can require people to do whatever is necessary or required to comply with their orders.  The case is, of course, under appeal.  Seems to me that all this is simply to get this recurring issue up to the Supreme Court for a final decision on the matter.  After all, there must be lots of people that would like to crack the phone.  John McAffee has already said he could do it, so why isn’t anyone letting him? It’s really a legal and political football, not a technological issue.  Maybe no one wanted a ruling on this issue - In late March, 2016, DoJ abruptly withdrew its case against Apple, claiming it had found someone else who could crack the terrorist’s iPhone.  Most think that Cellebrite broke into the phone. Would this have been a problem with a Samsung phone?  No, because it uses Google’s Android O/S, unless it has been optionally encrypted by it users.  Recently, Google has required phone manufacturing companies to offer encryption by default, but only if the phone meets certain technical requirements without degrading performance. So, basically, older Android phones or newer ones which run Marshmallow but don’t meet technical requirements aren’t encrypted by default.  Only about 1.2% of all Android phones are encrypted.  The Samsung Galaxy S6 and the upcoming Galaxy S7 are encrypted.  So, if the Government wanted to unlock a Galaxy phone, it would have to go to either the hardware or the software provider to demand entry.  Since Apple does both, the avenue of entry is severely restricted.  Unlike Apple, Samsung’s EULA specifically provides that, if ordered, it will respond to “compulsory legal process”.  However, Samsung has an encryption called Knox, which actually helped it to get approval to be used in government work and which is randomly generated for each user and password, and may not be capable of being broken by Samsung without additional work.  Don’t know about other Android phone manufacturers like HTC, LG or Lenovo, they’re on their own.

The law is still unsettled on this issue:  Farook aside, in December, 2016 the Florida Court of Appeals decided State v. Stahl, which ruled that the government could force an iPhone user to release his passcode to unlock his phone.  The police obtained a warrant to search Stahl’s iPhone5, which they believed was used to take voyeuristic photos of a woman with his cell phone, all of which was filmed on a store surveillance video.  When asked for his passcode, Stahl refused, citing the 5th amendment.  The lower court agreed that this would be self-incriminatory, but the appeals court reversed, couching it decision as a request for surrender, not testimony.  Of course, this conflicts with opposite rulings from Pennsylvania and Colorado on this same issue.  And, as of 2016, the ACLU states that there are 63 confirmed cases and 13 additional ones since 2008 where the government has applied tor an order to compel either Apple or Google to provide assistance in accessing stored data on a device.  On the legislative side, the NY District Attorney released a report asking legislation that would require smartphone manufacturers to create operating systems that allow easy acccess to data.  This is obviously far from over....

Of course, we saw this coming, didn’t we?  The problem with IoT devices isn’t just criminal hackers, but also Law enforcement reaching onto our on-line always-on Cloud devices like Amazon Echo to obtain recordings of what it heard or what Alexa commands are stored.  In a first case, on December, 2016, police in Bentonville, Arkansas requested that Amazon provide recordings potentially made by and Echo device in connection with a murder investigation.  Seems that Victor Collins was found dead in the hot tub of his friend James Bates on November 22, 2015, and Bates was charged with Collins’ murder by strangulation and drowning. Police are seeking the recordings in order to provide possible evidence from what Echo heard at the time of Collins death. Predictably, Amazon is refusing to consider release until it is presented with a binding legal document, and also claims that Echo only stores about 60 seconds of information until over-recorded (while not saying that the old recording isn’t archived for big-data analysis on a different server).

* State Texting While Walking (“Distracted Walking”) Laws: Hundreds of thousands of people routinely use their electronic devices while walking to listen to music, text or do other tasks as they walk outdoors.  Some, unmindful of their surroundings, cause injuries to other pedestrians, bicyclists and motorists.  Several states have attempted to introduce legislation to penalize those who cause injuries to others while using their electronic devices.  For instance, in a bill pending in Hawaii, there would be a fine of $250 for one crossing a street using an electronic device.  New Jersey has a pending law for distracted walking which could impose fines or even jail time, depending upon the severity of the infraction and resulting injury.  So far, no bills have passed, although similar legislation was introduced in Arkansas, Illinois, Nevada and New York.  But public and legislative pressure is steadily building.

THE GOOGLE DIGITAL LIBRARY LITIGATION:  For over a decade, since 2004,Google has been scanning millions of books from various research libraries and the Library of Congress in order to establish the largest digitized library on the planet.  Using this library, users can search for quotes or keywords, and Google Books will display the paragraphs or pages of context for the results from within the books.  For just as long, since 2005, the Authors Guild, which represents thousands of authors, has complained about the project on the basis that it has undermined writers by putting their books online without copyright compensation. The cases has gone back and forth for years.  Finally, in 2011, the U.S. Court of Appeals for the 2nd Circuit sided with Google, finding that it’s efforts amounted to a “transformative” use of the material and that snippets from searching the database didn’t amount to a “substantial substitute” for the original book.  The book scanning program, therefore, fell under the umbrella of “fair use”.  In April, 2016, the U.S. Supreme Court declined to hear the appeal, and the appeals court ruling now becomes final.

IS IT LEGAL TO RECORD AUDIO OR VIDEO WITH YOUR CELL PHONE?  The laws about this vary by state.  In Florida, where we live, the law is generally that every party to an audio whose voice is heard on the recording must agree to the recording.  Same generally for video recordings.  Public recordings where it is evident that this is being done are permitted.

THE GOOGLE - ORACLE JAVA LICENSE DISPUTE:  In 2010, Oracle filed suit against Google, claiming that Google needed a license to use Oracle’s Java programming language to develop Google’s Android operating system, now used in some 80% of the world’s mobile devices.  The case wound its way through the U.S. court system, until May 26, 2016, when a federal court jury in San Francisco rejected Oracle’s claim, concluding instead that Google made “fair use” of Oracle’s code under U.S. copyright law.  (There may be an appeal, but overturning the verdict will be difficult under the cirumstances.)  The sought-after $8 billion verdict, which would have been one of the largest in history, and have far-reaching effects for developers, establishing guidelines that companies can follow when they reuse functional aspects (in this case, APIs) of another company’s copyrighted work.  Weeks later, Oracle lost to HP to the tune of $3 billion in a case HP brought in 2011  about Oracle’s decision to stop developing database and other software for it’s Itanium chips, which were never popular in the market.  Oracle has vowed to appeal both of the above decisions.

*NAA COMPLAINT AGAINST AD-BLOCKING:  On Thursday, May 26, 2016, the Newspaper Association of America (which represents some 2,000 U.S. newspapers), filed a federal complaint with and request for investigation by the FTC, alleging that software companies which provide “paid whitelisting” ad-blocking software enabling users to block ads are misleading to the public.  Paid whitelisting is a practice where mostly large companies are required to make payments to “ad blockers” to ensure that their ads will reach consumers. NAA alleges that this is misleading and deceptive under Sec. 5 of the FTC Act as an unfair or deceptive practice.  The companies that offer paid whitelisting represent that, when a consumer downloads the app (usually to a smart phone) it will receive only ads that satisfy an objective quality standard (or no ads at all) but in reality they receive ads because the operator requires payment from an advertiser or sometimes even substitutes its own ads.  This loss of business on part of publishers, which are already losing revenue from print advertising, as they increasingly are relying on digital ads, which have a much lower margin.  Presently, users are blocking about 11.7% of ads, mostly on smart phones. 

*CONVICTIONS FOR SWATTING:   While “swatting” may seem like a game to some, it is nevertheless illegal and can cause players to be the subject of an FBI investigation leading to jail time and fines that will remain on your permanent record.  Click HERE for more about this....

* THE FCC’S SET TOP  BOX RULES:  For a discussion of the proposed rules, click HERE.

Internet Freedom and Nondiscrimination Act of 2006:  A proposed law which would make changes to the Clayton Antitrust Act by prohibiting certain kinds of discrimination by broadband network providers respecting their sending and receiving of lawful conduct and charging premiums for unrestricted access, as well as failure to disclose terms and conditions on the service they provide. It was just one of several bills about network neutrality (see above) proposed as part of a major overhaul ot the Telecommunications Act of 1996 (above).  It was approved by the House Judiciary Committee but never taken up on the floow of the House, therefore failing to become law.

* THE FCC’S CLAIM AGAINST D-LINK:  In January, 2017, the FCC took router manufacturer D-Link to court in the Northern District of California, charging the the company failed to take reasonable steps to secure its routers and IP cameras, potentially compromising sensitive consumer information, including live video and audio feeds from their cameras.  In a case that should be considered to have implications for all manufacturers of IoT devices, the FCC alleged that the company failed to take reasonable steps to address well known and easily preventable security flaws such as hard coded login credentials integrated into the camera software (such as the guest account), command injection that could enable remote-enabled attackers to take control of the routers, the mishandling of a private key code used to sign in to the D-Link software, which was openly available on the company’s website for six months, and leaving users’ login credentials on D-Link’s mobile app unsecured in readable text, even though free software was available to secure the login. Hackers could exploit these and other vulnerabilities to obtain access to other devices on the user’s network, potentially gaining access to their local network, computers, smartphones, IP cameras or IoT appliances.  After gaining access, attackers could directly monitor or redirect the consumer to a fraudulent website to monitor a consumer’s whereabouts, watch and record their personal activities and conversations, or obtain access to any stored data, such as tax returns.  As the IoT market is exploding, particularly among the baby monitoring devices, keep your eye on these issues to protect yourself against hacking via your router.

* WARNING TO COMPUTER TECHS:  We all know from other comment on this site that you’ve got to be sure when engaging a computer tech to repair your computer (link HERE), as they may scrape some of your content and post it on line.  Now, Best Buy’s Geek Squad has gotten itself in trouble for routinely searching devices brought in for repair for files that could earn them a $500 reward as informants.  This revelation came out in a court case, U.S. v. Mark A. Rettenmaier in 2017 filed in Orange County, CA.  Seems that Rettenmaier, a prominent Orange County surgeon, took his laptop to the Mission Viejo Best Buy in November, 2011, where Geek Squad tech Trey Westphal found an image of a prepubescent female on her hands and knees on a bed, with a brown choker-type collar around her neck, then informed the FBI.  While this case may be dismissed because of other illegal search issues (i.e. the reporting chain to the FBI), the computer issue is that the file was found in the unallocated “trash” space on the hard drive, which could only be retrieved by “carving” with sophisticated forensics tools rather than simply through the metadata, so ths issue is whether a file which has been deleted in the trash sector is “in plain view” or not.  Geek Squad actually had a reason to carve the drive, as the doctor had hired them to engage in data recovery to recover his drive.  But the thing to be aware of is Best Buy’s apparent policy to look for violations to pick up an extra $500 or so.

CLICK TO GO BACK TO INDEX...

NOTE:  The information on this page is provided only as a general reference, and not as legal advice.  No representation is made as to the accuracy or currency of the citation or description or its specific applicability.  You should always consult an attorney for advice about these or any other laws or regulations concerning your computer or internet activities.

CLICK TO SHARE THIS PAGE

MURPHY’S LAWS OF COMPUTING #14:  Whatever happens, behave as if you meant it to happen.

© Computer Coach.  All written materials are the sole property of Computer Coach (unless otherwise attributed) and no part of this website may be used in any format without the express written permission of Computer Coach.