Facebook doubles down on GDPR despite the risks

On April 17, 2018, Facebook’s Chief Privacy Officer, Erin Egan, proclaimed: “[t]oday we’re introducing new privacy experiences for everyone on Facebook as part of the EU’s General Data Protection Regulation (GDPR), including updates to our terms and data policy.” According to Ms. Egan, “people in the EU will see specific details relevant only to people who live there” yet “there is nothing different about the controls and protections we offer around the world.” In her blog post, Ms. Egan also reaffirmed something said numerous times by Mark Zuckerberg during recent Congressional Hearings, namely “we continue to commit that we do not sell information about you to advertisers or other partners.” Tellingly, the phrase “information about you” was never elaborated upon by Ms. Egan.

As is often the case, the devil is in the details. First, the fact that the “controls and protections” found on a Facebook account may be similar around the globe (as was the case before Ms. Egan’s blog post) does not mean the privacy laws protecting Facebook users have remained the same. Quite the contrary is true, given that the choice of law provision applicable to Facebook’s users was just amended from Facebook’s low-tax home domicile of Ireland to the non-GDPR land of California, expressly leaving about 1.5 billion users potentially outside the purview of the GDPR. When asked by Ars Technica why the choice of law provision was changed, Facebook purportedly said “the change had been made in the name of the companies’ business interests. The company declined to elaborate further.”

Second, neither Facebook’s new Terms of Service nor its new Data Policy (both last revised on April 19, 2018) defines the word “you” or “your”. As well, the revised Data Policy expressly gives Facebook broad latitude in its use of undefined user “information”:

We use the information we have (including your activity off our Products, such as the websites you visit and ads you see) to help advertisers and other partners measure the effectiveness and distribution of their ads and services, and understand the types of people who use their services and how people interact with their websites, apps, and services.

Indeed, apparently armed with this undefined user “information”, Facebook recently launched a program that analyzes user data sufficiently to purportedly predict behavior for advertisers.

If the undefined “you” in Facebook’s agreements differs from the composite “you” created by Facebook that is pseudonymized, repurposed and then sold to advertisers, one could never tell from any of Facebook’s agreements. Interestingly, Recital 78 and Article 25 of the GDPR expressly consider “pseudonymising personal data” a best practice for companies developing Privacy by Design compliance initiatives. Under the GDPR, pseudonymized data can even be processed for purposes different from those for which the data was originally collected. The only problem with the GDPR’s exalting of pseudonymization is that companies handed information about the pseudonymized composite “you” now oftentimes manage to re-identify the real, sovereign “you” behind it.

It would have been comforting if Facebook’s auditors were on top of this longtime “nudge wink” between Facebook and the advertising industry. Unfortunately, they are not. In an April 18, 2018 paper titled “Understanding and Improving Privacy ‘Audits’ under FTC Orders”, author Megan Gray points out that Facebook’s FTC audit assessments are circular: “Management asserts it has a reasonable privacy program. Based on management’s assertion, we certify that the company has a reasonable privacy program.”

In effect, this audit process ultimately renders Facebook’s assessments “almost indecipherable” and “requiring certified-auditor knowledge.”  As correctly summed up by Gizmodo, “[t]he current process essentially allows companies under consent orders to self-regulate.”  Accordingly, it is no surprise that PwC’s auditing cleared Facebook’s privacy practices “in an assessment completed last year of the period in which data analytics consultancy Cambridge Analytica gained access to the personal data of millions of Facebook users”.

Notwithstanding its aptitude for parsing words, Facebook will soon be in uncharted and unpredictable privacy waters where disclaimers and popup consent forms may not easily tread.  Even though no one can say with certainty how things will play out after the GDPR’s formal launch on May 25, 2018, one thing is sure – Facebook has very publicly committed to GDPR compliance.  And, to the extent there are failings in such compliance, there are more than a handful of class counsel and global governmental agencies ready to pounce on Facebook and its partners.

Did Facebook close the door to self-regulation?

On April 10, 2018, Facebook’s CEO began his two-day testimony before Senate and House Congressional committees in a quintessential US setting but may have brought with him a groundbreaking privacy regime from across the Atlantic in the process. Mr. Zuckerberg testified: “The internet is growing in importance around the world in people’s lives and I think that it is inevitable that there will need to be some regulation.” The Net Neutrality regulations Zuckerberg may have had in mind may not be what is ultimately in store for Facebook.

GDPR

By way of background, the EU’s General Data Protection Regulation (679/2016/EU), which recognizes that the “protection of natural persons in relation to the processing of personal data is a fundamental right”, requires the implementation of an EU-wide regime of country-specific laws effective by May 25, 2018. Despite its current Brexit status, the UK has also voluntarily implemented the GDPR.

The GDPR harmonizes to a great degree the privacy laws of every EU country and broadly controls the use of personal data in connection with either the offering of any goods or services to persons in the EU or the monitoring of EU-based persons.  Companies must ensure that they only collect and process the minimum required personal data for the express use given under an unequivocal affirmative consent.  The new consent requirements found in the GDPR bring this privacy regime to compliance levels never before seen.

Companies that collect and use personal data must now clearly explain to data subjects the exact uses made of such personal data, with evidence maintained that demonstrates the related processes are compliant and followed in each individual case. Persons must also be afforded the opportunity to easily withdraw their consent to this use of personal data at any time and without suffering any detriment as a result of their request. Moreover, persons protected under the GDPR have a right to be forgotten, i.e., to have all their personal data deleted, and a right to reject any data profiling.

Not unlike rights under 15 U.S.C. § 1681c of the Fair Credit Reporting Act when it comes to credit information, persons will also have the right to have their personal data amended and rectified and the right to be informed as to what personal data is currently being retained or used. Unfortunately, getting Facebook to comply with these subject-access requests has previously been a difficult task. Some have argued that the right to be forgotten (which is actually now more properly termed a “right to erasure”) can only work when the GDPR becomes a global privacy regime having “globally connected legislation to ensure that information stored outside of the EU also underlies similar strict privacy regulation.”

A “serious breach” of GDPR requirements may result in a fine of up to 4% of the annual worldwide revenue of the impacted company, with the minimum fine set at €20 million. Disregarding the potential lack of enforceability for this extra-jurisdictional law, companies have been prepping for the GDPR privacy regime for years. Indeed, given the potential downside, multi-national companies based in the US have not surprisingly spent millions of dollars on their GDPR compliance efforts.

Under the GDPR, the EU is for the first time in line with the US as regards data breach notification, but with a uniform and much stricter obligation to notify regulatory authorities within 72 hours of a breach. Given that Alabama has recently enacted its own data breach notification law (one that requires notification within 45 days of a breach if the breach is reasonably likely to cause “substantial harm” to the individual to whom the information relates), all fifty US states now have a data breach notification law. Nevertheless, the current patchwork standard for breach notice in the US is far from uniform and certainly much less onerous than the blanket one set forth in the GDPR.

GDPR and Facebook

As set forth on its website, “Facebook and its affiliates, including Instagram, Oculus and WhatsApp, will all comply with the GDPR. . . Facebook may serve as a data processor. When Facebook acts as a data processor, businesses are responsible for ensuring data they share with us complies with the GDPR.” As a data processor that employs more than 250 persons, Facebook is obliged under the GDPR to keep detailed records of all of its processing activities. In other words, the GDPR opens the door to accessing Facebook’s vast data mining activities, which were only hinted at by the recent Cambridge Analytica brouhaha.

On April 11, 2018, Mark Zuckerberg testified before the House Energy and Commerce Committee that the GDPR “will be positive” and that requiring that companies obtain “affirmative consent” makes sense. According to Mr. Zuckerberg, there are a few parts of the GDPR that are “important and good”. For example, users should know what data companies have and users should be able to control this data. When asked if the GDPR got anything wrong, however, he could not answer the question and simply said he would have to “think about it”. He was asked to provide his response to the House Energy and Commerce Committee at a later date.

GDPR, Facebook and Congress

Free-market Republicans who typically shy away from regulatory intervention gave more than passing nods to potential legislative intervention as regards Facebook. Sen. John Kennedy (R., La.) bluntly recognized that Facebook’s “user agreement sucks.” And, Senate Commerce Committee Chairman John Thune (R., S.D.) said: “I’m not convinced that Facebook’s users have the information they need to make meaningful choices.” He also said that while Washington has “been willing to defer to tech companies’ efforts to regulate themselves. . . this may be changing.” Mr. Kennedy was again more blunt: “There’s some impurities in the Facebook punch bowl. . . I don’t want to have to vote to regulate Facebook. But by god, I will. That depends on you.”

Not waiting for Senators Kennedy and Thune to act, Senators Edward J. Markey (D-Mass.) and Richard Blumenthal (D-Conn.), two longtime privacy advocates, announced on April 10, 2018 their Customer Online Notification for Stopping Edge-provider Network Transgressions (CONSENT) Act, proposed legislation requiring the Federal Trade Commission (FTC) to establish specific privacy protections “for customers of online edge providers like Facebook and Google.” Among other things, the CONSENT Act would require that these “edge providers” obtain opt-in consent from users “to use, share, or sell users’ personal information” as well as notify users about “all collection, use, and sharing of users’ personal information.” Although on its face the proposed law is not nearly as onerous as the GDPR privacy regime, there is nothing stopping the FTC from promulgating future regulations that not only include opt-in consent and use disclosures but also GDPR requirements that would never have been on the table before Mr. Zuckerberg began his unsworn testimony before Congress.

In a prior interview with the Washington Post, Senator Markey said:  “I think that this [Facebook] privacy spill is politically the equivalent of the oil spill in the Gulf of Mexico.  Because it involves our very democracy, I think [it] is going to draw more attention of the American public to this issue.”

GDPR, Facebook, Congress and the Monetization of Consumer Data

On the heels of recent comments from Facebook’s COO regarding the possibility Facebook might one day charge users a fee, Zuckerberg left the door open to the possibility of charging consumers for use of its social media platform. During his April 11, 2018 House testimony, Zuckerberg again denied that Facebook sells its user data, saying: “That’s not how advertising works.” A day earlier Zuckerberg repeated numerous times that Facebook did not sell consumer data, prodding Sen. John Cornyn (R-Texas) to exclaim: “You clearly rent it!” No matter how Mr. Zuckerberg perceives advertising as working or whether or not Facebook actually “sells” consumer data, one takeaway from these hearings is that perception can quickly morph into reality.

Not surprisingly, California is not waiting for the federal government to act and has its own mini-GDPR percolating. The proposed California Consumer Privacy Act of 2018 ballot initiative would give consumers the right to ask businesses which of their personal data is collected and how it is being used. It will be voted on in November 2018 and already faces opposition from Facebook and other California companies standing to lose significant revenue because there is a private right of action under the proposed law. Given there is no “opt-in” requirement in this ballot initiative, the GDPR will remain the gold standard when it comes to protecting consumer data from unregulated monetization.

Apple’s Tim Cook jumped for higher ground during Zuckerberg’s testimony and publicly said Apple, unlike Facebook, does not monetize its customers and would welcome legislative solutions. Specifically, Cook said: “The truth is, we could make a ton of money if we monetized our customer — if our customer was our product. We’ve elected not to do that.”

Apple’s perspective is either surprisingly narrow or deliberately pinched. Obviously, the smartphones that are the backbone of Apple’s success thrive in a social media environment where Facebook does exactly what it wants, namely provide “free” services that are habitually accessed throughout the day. Accordingly, if Facebook loses revenue due to legislative intervention, Apple will likely not be far behind.

There is hope for both platform providers and device manufacturers even if that happens.  As recognized by the Project Director at the Georgetown Center for Business and Public Policy, “If the [internet’s] grand bargain unravels, entrepreneurs will no doubt innovate new ways to make money and continue developing disruptive products and services.”

Unbridled data consumption and privacy protection can successfully coexist when immutable and transparent data is bound by a secure and continuous unequivocal affirmative consent. In essence, user data must be treated like a protected commodity that can actually benefit the owner. Indeed, Congresswoman Debbie Dingell (R., Mi.) ended her April 11, 2018 questioning of Zuckerberg by opining that data protection was no less important than having “clean air and clear water”. A company that is able to keep “pure” a user’s data while feeding such data into various digital media ecosystems and compensating the data owner in the process will have found the middle ground previously consciously avoided by existing billion-dollar platforms.

Sometimes all it takes is one door to close for another one to open.

Utility tokens are not a “bad idea”

In his February 8, 2018 opinion piece, Santander’s Julio Faura suggests that “utility tokens are a bad idea” because it would be a “lie to ourselves” to suggest ICOs were not actually selling securities. Rather, in Mr. Faura’s opinion “we should collectively work on a framework to build a clearly defined scheme for ICOs, recognizing from the very beginning that they are securities.” And, this “ICO process should be designed in collaboration with regulators to comply with securities law.” Mr. Faura’s opinion piece does not exist in a vacuum. In a report dated February 5, 2018, Goldman Sachs Group Inc.’s global head of investment research suggests that investors in ICOs could possibly lose their entire investments, which ties to Mr. Faura’s underlying premise that ICOs should be regulated “to protect investors”.

It is not clear how his proposed hybrid solution would ever be implemented: it requires complete buy-in from capital markets and regulators, and so would be a non-starter from day one. Why would existing financial institutions and regulators scuttle existing methods of raising capital or attempt to squeeze ICOs under traditional securities law, even if ICOs are considered a sale of securities? Answer: they would not. Ripple, a company partially funded by Santander InnoVentures, offers a glimpse of how traditional financial markets will compete using blockchain technology.

Mr. Faura paints all sales of cryptocurrencies with the same brush by claiming each one of them actually offers securities subject to SEC scrutiny. That is simply not the case. Indeed, does Mr. Faura wonder why the SEC has not knocked on Ripple’s XRP “digital asset” door even though it trades on numerous exchanges? Even though there was no formal ICO to launch that centralized token, it now trades on 18 platforms where “individual purchases” of the XRP coin can be made. After raising over $93 million by September 2016, no ICO was needed.

One ICO left untouched by the SEC was “gate keeped” by Perkins Coie and involves an ICO for a utility token that raised $35 million in under a minute’s time. This “BAT utility token” creates a digital advertising ecosystem tied to consumer attention, which is why it is the “Basic Attention Token”. Such an ecosystem would certainly be an upgrade from the current digital advertising scheme wedded to the Web ecosystem of 1995.

All told, it seems that the SEC and other regulatory bodies have actually taken a very measured approach in this area – aggressively focusing on obvious fraudsters first in order to deter subsequent fraudsters while letting the technology play out a bit in the wild.  Not surprisingly, the plaintiff’s bar has been doing a good job picking up the slack in those instances when the SEC has not yet moved.   See Davy v. Paragon Coin, Inc., et al., Case No. 18-cv-00671 (N.D. Cal. January 30, 2018) and Paige v. Bitconnect Intern. PLC, et al., Case No. 3:18-CV-58-JHM (W.D. Ky. January 29, 2018).

Recent public SEC statements seem to back this interpretation of their ICO position. On February 6, 2018, SEC Chairman Jay Clayton testified that the potential derived from blockchain was “very significant”; his co-witness, CFTC Chairman Christopher Giancarlo, went so far as to say there was “enormous potential” that “seems extraordinary” for blockchain-based businesses. Yet, during his testimony, Chairman Clayton said the SEC would continue to “crack down hard” on fraud and manipulation involving ICOs offering an unregistered security. This is consistent with prior messaging given that Chairman Clayton requested on December 11, 2017 that the SEC’s Enforcement Division “vigorously” enforce and recommend action against ICOs that may be in violation of the federal securities laws. The fact that some 2017 ICOs raising hundreds of millions of dollars were not addressed by the SEC, however, provides a clear “nudge wink” that not all ICOs come under SEC regulatory control.

As with BAT, in the future there will likely be many more utility tokens built on disruptive blockchain initiatives that escape SEC scrutiny given they are not perceived as securities. The fact that the SEC has not yet moved on them (despite moving against Munchee, Inc. weeks after the Munchee MUN offering) signals the SEC will temper its enforcement activities when faced with a disruptive blockchain initiative that begets true intrinsic value. In other words, utility tokens may very well be a good idea after all.

Do ICOs have any future?

On February 6, 2018, the Senate Committee on Banking, Housing, and Urban Affairs met in open session to conduct a hearing entitled “Virtual Currencies: The Oversight Role of the U.S. Securities and Exchange Commission and the U.S. Commodity Futures Trading Commission.” The Honorable Jay Clayton, Chairman, U.S. Securities and Exchange Commission, and The Honorable J. Christopher Giancarlo, Chairman, U.S. Commodity Futures Trading Commission, provided lengthy and thoughtful prepared statements. In his statement, Chairman Clayton explained why the SEC was devoting significant resources to ensure ICO founders do not skirt the SEC’s regulatory oversight of security offerings, and Chairman Giancarlo reaffirmed that the CFTC will similarly enforce its regulations on commodities.

Their testimony provides helpful insight regarding the enforcement direction these agencies will take in the coming months. According to Chairman Clayton, in 2017 there was $4 billion raised in ICOs, with an unknown amount being sold in the US. He was generally “very unhappy with ICOs” and mentioned that the SEC was “working the beat hard” to crack down on them. Accordingly, ICOs are in the “crosshairs of enforcement”, and tellingly he testified that “every ICO [he has] seen is a security” subject to enforcement. This testimony is consistent with prior SEC pronouncements given that Chairman Clayton previously requested that the SEC’s Enforcement Division “vigorously” enforce and recommend action against ICOs that may be in violation of the federal securities laws. During his testimony, Chairman Clayton repeated several times that the SEC would continue to “crack down hard” on fraud and manipulation involving ICOs offering an unregistered security.

According to Chairman Clayton, the definition of a security is broad and will turn on whether someone can profit from the efforts of others going forward by buying the token and then trading it with someone else for further profit. Both Chairmen recognized that no one agency has any direct oversight of virtual currencies and welcomed efforts from Congress to draft new legislation that would help with their coordination efforts.

In probably the most interesting exchange during their two-hour testimony, Senator Mark Warner of Virginia recognized that the SEC went after certain ICO promoters but not others, and so directly asked Chairman Clayton whether the SEC “will go back [to scrutinize prior ICOs]?” Correctly avoiding that question (given it requests insight as to future SEC enforcement efforts), Chairman Clayton instead offered that the SEC is counting on lawyers and accountants to also act as “gatekeepers” for future ICOs.

Chairman Clayton’s testimony came on the heels of the SEC’s Cease and Desist Order in the Munchee, Inc. matter, which may have closed the lid on many planned 2018 ICOs given the stringent standard set forth in that SEC Order. By way of background, Munchee created an iPhone application for people to review restaurant meals. In October and November 2017, Munchee offered and then sold purported utility tokens issued on the Ethereum blockchain. “Munchee conducted the offering of MUN tokens to raise about $15 million in capital so that it could improve its existing app and recruit users to eventually buy advertisements, write reviews, sell food and conduct other transactions using MUN.” Order at 1.

In deeming the MUN utility token a “security” subject to SEC oversight, the SEC made the following finding of fact in its December 11, 2017 Order:

Purchasers had a reasonable expectation that they would obtain a future profit from buying MUN tokens if Munchee were successful in its entrepreneurial and managerial efforts to develop its business. Purchasers would reasonably believe they could profit by holding or trading MUN tokens, whether or not they ever used the Munchee App or otherwise participated in the MUN “ecosystem,” based on Munchee’s statements in its MUN White Paper and other materials. Munchee primed purchasers’ reasonable expectations of profit through statements on blogs, podcasts, and Facebook that talked about profits.

Order at 5.

There remains hope for future ICOs given that the SEC is certainly not going after them all. One ICO left untouched by the SEC was “gate keeped” by Perkins Coie and involves an ICO for an Ethereum utility token that raised $35 million in under a minute’s time. See FAQ (“We and our counsel at Perkins-Coie are confident that the Basic Attention Token is properly classified as property with utility on the platform we are building, and not a security.”). Given the subsequent Munchee C&D Order, it is unclear why the SEC does not “go back” to this ICO as suggested by Senator Warner.

The founders of Brave Software launched the “Basic Attention Token” in May 2017 seeking to improve on the current digital advertising ecosystem: “Digital advertising is broken [with] unprecedented levels of malvertisements and privacy violations.” The BAT token looks to fix this broken system by creating an ecosystem tied to consumer attention, which is why it is called the “Basic Attention Token”. Such an ecosystem would certainly be an upgrade from the current digital advertising scheme based on the Web ecosystem of 1995. BAT tokens can only derive long-term value by way of the Brave® Browser. As set forth by a marketing blogger, “If Brave isn’t adopted, the new advertising structure won’t work.”

By successfully obtaining registered trademark No. 5,362,328 for BRAVE (a mark used to distinguish Brave Software’s “web browser software”), the founders of the BAT token demonstrate ownership rights in the Brave browser, that they are the source of such product, and that they will be the direct cause of the browser’s success. In other words, buyers in the BAT ICO would necessarily profit from the efforts of Brave Software, Inc. On the other hand, there remains utility to the BAT token. Moreover, a utility token will likely always be at least remotely tied to the efforts of its founders; there is little reason to believe a token left in the wild would hatch into anything of value. The fact that the SEC has not scrutinized the BAT ICO is actually an encouraging sign the SEC will temper its enforcement actions when faced with a disruptive blockchain initiative that begets true intrinsic value in the token.

State and Private Enforcement of ICO schemes

In addition to existing federal enforcement, state agencies are also cracking down on ICOs.  For example, on January 17, 2018, the Massachusetts Securities Division filed an administrative complaint against a Cayman Islands company given that the company operated out of Massachusetts and its ICO offered for sale “a security without such security being registered or exempt from registration.”  Complaint at 2.

And, to the extent state regulatory oversight may be lacking, states will try to enlarge their regulatory reach by enacting new laws. For example, California introduced a year ago the Virtual Currency Act (A.B. 1123), which would have required those involved in a “virtual currency business” within the state to register with California’s Commissioner of Business Oversight. Even though this attempt at regulating cryptocurrencies died on January 31, 2018 due to political pressure, it may come back in a different form. Interestingly, there was a carve-out in the bill for any “virtual currency business” when it uses “[d]igital units that are used exclusively as part of a consumer affinity or rewards program”.

Class action counsel has also impacted ICOs by directly suing ICO founders in order to recoup millions for class participants.  One recent case is Davy v. Paragon Coin, Inc., et al., Case No. 18-cv-00671 (N.D. Cal. January 30, 2018).  Plaintiff class counsel sued Paragon based, in part, on the Paragon white paper characterizing its PRG token as potentially increasing in value simply based on the reduction of supply and an increase in demand.  Moreover, the paper suggests that “PRG is designed to appreciate in value as our solutions are adopted throughout the cannabis industry and around the world.”  Id. at 31.  In other words, the efforts of the founders would directly generate a more profitable investment result from the ICO.

Another ICO class action fraud case was filed in Paige v. Bitconnect Intern. PLC, et al., Case No. 3:18-CV-58-JHM (W.D. Ky. January 29, 2018).  The plaintiff’s claim of a Ponzi scheme was so strong it resulted in a TRO from the Court a day after filing suit.  Any future ICO that results in a loss in value to “investors” will likely trigger class counsel to spring into action.

The future of ICOs remains viable

Where does this trifecta of enforcement efforts (federal, state and private) leave ICOs? If bankers are to be believed, there is currently not much “there” there. In a report dated February 5, 2018, Goldman Sachs Group Inc.’s global head of investment research suggests that investors in ICOs could possibly lose their entire investments. Goldman’s Steve Strongin said that while he did not know a timeframe for total losses in existing coins and tokens, he ruminated: “The high correlation between the different cryptocurrencies worries me. . . Because of the lack of intrinsic value, the currencies that don’t survive will most likely trade to zero.”

Given the disruptive nature of ICOs on the IPO and private equity markets, it is not surprising that Goldman’s global head of investment research downplays the future of ICOs, even if he is correct in pointing out the lack of intrinsic value in most every utility token and coin offered in an ICO. Notwithstanding current enforcement actions and competition from traditional markets, the future for ICOs should remain viable. Moving forward, the key to a viable and “compliant” ICO will be whether the ICO is conducted for a utility token having demonstrated intrinsic value connected to the activities of those other than merely the ICO’s founders.

Blockchain in 2018 and beyond

Buoyed by Bitcoin’s latest price and a steady supply of Initial Coin Offerings (ICOs), the blockchain ecosystem in 2018 resembles the Web ecosystem of 1995, an ecosystem that eventually disrupted advertising and marketing models by having companies such as Amazon, Google and Facebook displace traditional retail sales and marketing companies. This time around, however, the financial levers presently held by banks and related financial services firms will be retooled, as will the present centralized server model so very important to the same companies who previously benefited from the Web ecosystem, namely Amazon, Google and Facebook.

Speculation vs. Utilization

In September 2017, Bitcoin was famously derided by the financial titan Jamie Dimon as “a fraud”. The JPMorgan CEO went so far as to say he would fire anyone on his trading team who bought Bitcoin. His gratuitous digs at Bitcoin did not temper the rise of Bitcoin and became noteworthy (and a likely source of friction with his traders) because the Bitcoin cryptocurrency went on to increase in value over three-fold a mere quarter after Dimon’s public derision. As of December 31, 2017, Bitcoin sits at a price near $14,000, whereas when Mr. Dimon’s bold pronouncements were made Bitcoin “only” had a price of $4,115.

Similarly, another banker, Vitor Constancio, the vice president of the European Central Bank, said in July 2017 that Bitcoin “is not a currency but a mere instrument of speculation”, comparing it to tulip bulbs during the 17th century trading bubble in the Netherlands.

In the same way that the World Wide Web was never defined solely by Pets.com, the benefits of blockchain technology should never be defined solely by the latest price of Bitcoin. Even Mr. Dimon acknowledges as much, given that during his tirade against the speculative nature of Bitcoin he also said “he supported blockchain technology for tracking payments.”

By way of background, a blockchain is nothing more than an expandable list of records, called blocks, which are linked and secured using cryptography, namely cryptographic hashes that point to each prior block and result in a tamper-evident “chain” of hashes linking the blocks.  More accurately referred to as a distributed ledger of accounts, a blockchain ecosystem will disrupt more than one industry beginning in 2018.

The inevitable changes that will occur in 2018 spring from several unique attributes of the blockchain ecosystem.  First, because a blockchain ledger is distributed, it takes advantage of the vast amount of compute power available in nearly every computing device.  Similar to how the Mirai botnet distributed denial of service (DDoS) attack became the largest DDoS attack by simply using unsecured IoT access, blockchain technology harnesses secure unused compute power in powerful and productive new ways.  Our new IoT ecosystem – which itself is an outgrowth of the Web ecosystem – will only feed into that result.

Secondly, blockchain ledger transactions are the closest thing to an immutable form of transaction accounting we have, given the transactions have been verified and cannot be changed once written to the blockchain without leaving obvious evidence of tampering – which was always the reason Bitcoin derived any actual intrinsic value.  In other words, the promise of blockchain coupled with pure speculation has solely driven Bitcoin pricing.  By buying Bitcoin and other cryptocurrencies, it is almost as if people were given a chance to turn back the clock and bet on the Web ecosystem in 1995.  Without usage for its intended purpose, namely being a trusted and immutable listing of Bitcoin transactions, Bitcoin would most certainly go to the zero valuation postulated by Morgan Stanley.  The logic is pretty straightforward – without actual utilization, there is no actual intrinsic store of value.  And, without some sort of intrinsic store of value, there is no reason to consider Bitcoin an asset.  Accordingly, unless utilized by choice or forced to be used by a government, speculation will never be a sustainable impetus for the pricing of Bitcoin – or any other cryptocurrency for that matter.  Without utilization, tokens/app coins/cryptocurrencies will all die on the vine, given external utilization will always be needed to create a store of value.
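As an added illustration of the hash linking and tamper evidence described in the two paragraphs above (example code written for this post, not Bitcoin’s, Ethereum’s or any project’s code; the block layout and the sample transfer records are constructed), a minimal hash-chained ledger whose verifier flags a record altered after the fact, even when the tamperer recomputes that block’s own hash:

```python
"""Minimal hash-chained ledger (constructed example, not a real protocol).

Each block stores the SHA-256 hash of the previous block, so altering any
stored record breaks either that block's own hash or the next block's link.
"""
import hashlib
import json
from dataclasses import dataclass


GENESIS_PREV = "0" * 64  # assumed convention: the first block links to all-zero


@dataclass
class Block:
    index: int
    prev_hash: str
    records: list
    hash: str = ""

    def compute_hash(self) -> str:
        # Canonical JSON so the same content always hashes the same way.
        payload = json.dumps(
            {"index": self.index, "prev_hash": self.prev_hash, "records": self.records},
            sort_keys=True, separators=(",", ":"),
        ).encode()
        return hashlib.sha256(payload).hexdigest()


def new_chain() -> list:
    genesis = Block(0, GENESIS_PREV, ["genesis"])
    genesis.hash = genesis.compute_hash()
    return [genesis]


def append_block(chain: list, records: list) -> Block:
    prev = chain[-1]
    blk = Block(prev.index + 1, prev.hash, list(records))
    blk.hash = blk.compute_hash()
    chain.append(blk)
    return blk


def verify_chain(chain: list) -> tuple:
    """Return (ok, first_bad_index); first_bad_index is -1 when the chain is intact.

    Two checks per block: its stored hash must equal a fresh recomputation, and
    its prev_hash must equal the stored hash of the block before it.
    """
    if not chain or chain[0].prev_hash != GENESIS_PREV:
        return False, 0
    for i, blk in enumerate(chain):
        if blk.index != i or blk.hash != blk.compute_hash():
            return False, i
        if i > 0 and blk.prev_hash != chain[i - 1].hash:
            return False, i
    return True, -1


def demo() -> tuple:
    """Build a three-block chain, then tamper with block 1 in two ways."""
    chain = new_chain()
    append_block(chain, ["alice->bob 5"])    # constructed sample records
    append_block(chain, ["bob->carol 2"])
    ok_before, _ = verify_chain(chain)

    # 1) Edit a stored record without touching any hash: block 1 itself fails.
    chain[1].records[0] = "alice->bob 500"
    ok_after, bad = verify_chain(chain)

    # 2) Recompute block 1's hash to hide the edit: block 2's prev_hash link
    #    now points at a hash that no longer exists, so block 2 fails instead.
    chain[1].hash = chain[1].compute_hash()
    ok_rehash, bad_rehash = verify_chain(chain)
    return ok_before, ok_after, bad, ok_rehash, bad_rehash


if __name__ == "__main__":
    print(demo())  # → (True, False, 1, False, 2)
```

Hiding the edit would require rewriting every later block as well, which is what the distributed copies of the ledger exist to make obvious.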

Utilization under the Ethereum protocol

Disregarding the unlikely scenario of governmental adoption, the future of any blockchain/cryptocurrency ecosystem necessarily ties directly to utilization.  Even though there are several protocols with smart contracts amenable to utilization, there is only one founded by a visionary who understands the issue of scalability and why scalability is the sine qua non of a successful blockchain ecosystem – in the same way a non-scalable Web ecosystem was always a non-starter.  An early December 2017 presentation given by that visionary – Vitalik Buterin – addresses scalability as the most important new initiative of Ethereum going forward in 2018.  Mr. Buterin – who will likely take the blockchain ecosystem where Gates took the PC ecosystem and Bezos took the Web ecosystem – suggests that “sharding” using a Validator Manager Contract – a construct that maintains an internal proof of stake claim using random validators – will eventually solve the problem of scalability.  Simply put, not all blocks/shards will need to be placed under the main chain.  This is a natural evolutionary progression given, as it stands now, everyone seeking an Ethereum wallet needs to download Ethereum’s entire trove of over four million blocks – hardly a scalable solution for the many app tokens or coins running the Ethereum protocol.  Moreover, each Ethereum block currently also takes about 14.70 seconds to propagate.  In 2014, Buterin anticipated the feasibility of a 12 second block time, so the protocol has certainly been moving in the right direction.  Given security and propagation issues, work on this remains in the infancy stage with a great deal of work necessary in 2018.  Nevertheless, in 2018 and beyond, smart contracts such as those available under Ethereum will allow for the utilization necessary for the blockchain ecosystem to thrive.

Adoption by financial markets and the Ripple Effect

Ripple/XRP surged at the very end of 2017 and quickly became a rumored stealth initiative by the regulated banking industry to combat unregulated cryptocurrencies.  Ripple promises “end-to-end tracking and certainty” for those banks using its RippleNet closed-loop network.  More than anything, this initiative demonstrates that unregulated ICOs and unregulated “currencies” may have spooked the world’s financial markets sufficiently to justify taking sides by investing in a Ripple contender – a “blockchain-like” service seeking to displace existing cryptocurrency mindshare.  Indeed, Ripple just replaced ETH/Ethereum as the second largest market cap cryptocurrency.  Even though only three financial institutions are listed as investors, that does not mean other financial institutions would not want to prop up use of this “currency” on the open market – the list of “advisory board members” is telling in that regard.  This bank-sponsored cryptocurrency certainly looks like it has more legs than most given there exists budding utilization – banks are currently already using the RippleNet network – coupled with massive speculation given its ballooning market cap.

In 2018, acceptance of blockchain technology by the financial industry will be indelible proof that the mistakes of 1995 made by retail sales and marketing companies will not be repeated by the financial industry or even the server sector represented by the likes of Google – which has invested in Ripple.  More than likely, upcoming technology developments under the Ethereum protocol will beget future tokens with smarter utilization and even greater potential upside than either Bitcoin or Ripple.  In other words, the blockchain ecosystem in 2018 will be no different than the Web ecosystem as it existed in 1995.

Carpenter may prod monetization of consumer data property rights

On November 29, 2017, the United States Supreme Court heard oral argument in U.S. v. Carpenter – a case involving robbery suspects who were convicted using cellphone tracking data obtained without a probable cause warrant.  Subpoenas and warrants available under the Stored Communications Act (“SCA”) allow for access to such records without any probable cause showing.  As previously pointed out, the ACLU is looking to push the Supreme Court into making a technology-forward decision by stressing how data collection methods have improved since the 2011 arrest of Carpenter.

According to Law360, Justice Samuel Alito said at the hour-long oral argument:  “I agree with [Carpenter] that this new technology is raising very serious privacy concerns, but I need to know how much of existing precedent you want us to overrule or declare obsolete.”  Justice Alito referenced the third-party doctrine that offers no added protections to material freely given to third parties given such material is generally provided without any expectation of privacy.

At oral argument, Law360 reports Carpenter’s counsel Nathan Wessler of the ACLU said that the bank records and dialed phone numbers found in third-party doctrine cases were “more limited” and freely given to a business as opposed to cellphone location records, which many users don’t understand can “chart a minute-by-minute account of a person’s locations and movements and associations.”

Law360 also reported that Justice Sonia Sotomayor raised doubt that the third-party doctrine found in prior precedent was applicable given there are instances when sensitive data freely given to third parties – such as medical records – still require consent.  According to Law360, Justice Neil Gorsuch said:  “It seems like your whole argument boils down to if we get it from a third party we’re OK, regardless of property interest.”  And finally, according to the SCOTUS Blog, Justice Stephen Breyer recognized at oral argument: “This is an open box. We know not where we go.”

Despite the third-party doctrine, it seems the Court is leaning towards carving out Constitutional exceptions to the SCA based on data gathering technologies that may give rise to an expectation of privacy.  As often done, the Justices will likely come up with a result that takes into consideration stare decisis while meshing with new technological capabilities far removed from earlier cases.  As recognized by Justice Sotomayor in the U.S. v. Jones case of 2012, “it may be necessary to reconsider the premise that an individual has no reasonable expectation of privacy in information voluntarily disclosed to third parties.  This approach is ill suited to the digital age, in which people reveal a great deal of information about themselves to third parties in the course of carrying out mundane tasks.”

To that end, the most interesting aspect of this case involving robberies in Detroit will be how far the decision goes in helping define property rights for consumers of digital services.  In a nod to Justice Breyer’s Pandora’s Box allusion, this decision might eventually give rise to a newfound consumer awareness mandating a change in how consumer data is used by companies.  In other words, property rights acknowledged in this case may help prod consumers into seeking compensation for their consumer data property rights – something the tech amicus might not have envisioned when filing their brief in U.S. v. Carpenter.

Supreme Court will decide Microsoft privacy case

On October 16, 2017, the United States Supreme Court granted the Justice Department’s petition for a writ of certiorari and will hear an appeal from a Second Circuit decision barring the government from accessing user data stored overseas by Microsoft.  As previously suggested, this case brought under the Stored Communications Act (“SCA”) has significant implications for transnational companies who maintain or store data outside the US.

By way of background, the Second Circuit ruled that data stored overseas was not subject to the SCA – which typically allows the government to access the contents of stored communications, including emails, that are more than 180 days old, using a subpoena, court order, or warrant.  Ultimately, the Court of Appeals agreed with Microsoft’s position that, absent congressional authorization, statutes such as the SCA are presumed to have no extraterritorial effect and, given the lack of such statutory authorization, the warrant should have been quashed.

Given that there was a flurry of amicus briefs filed – as well as an animated government brief suggesting that the Second Circuit’s decision was “highly detrimental” to criminal law enforcement – it will be interesting to see which argument the Court ultimately adopts.  Microsoft certainly fought an aggressive PR battle opposing Supreme Court review – seeking instead that its lobbying firms wage war in Congress.  In fact, Microsoft suggests in a blog post that the momentum for a legislative solution continues in Congress despite the Court taking on the case.

In keeping with the Halloween season, Microsoft’s Chief Legal Officer tries to scare up some support for a legislative solution:  “If U.S. law enforcement can obtain the emails of foreigners stored outside the United States, what’s to stop the government of another country from getting your emails even though they are located in the United States?”

Even though his analogy obviously falls flat, the Court’s docket – between this Microsoft case and the SCA location data case previously taken up by the Court in June – may very well ultimately generate a scary result for one or more advocacy groups located on the privacy continuum.

UPDATE:  April 18, 2018

Turns out the Supreme Court will not be deciding this case after all.  On April 17, 2018, the U.S. Supreme Court dismissed U.S. v. Microsoft, ruling that the recently enacted Clarifying Lawful Overseas Use of Data Act (CLOUD Act), which was passed as part of the Omnibus budget act, rendered the case moot.  Not completely happy with the result, Microsoft blogged that the “journey continues”.  Despite a thoughtful presentation on the topic, Microsoft does not really state what makes for a successful conclusion to that journey.

Will Equifax be a boon for the security industry?

According to a statement issued on September 15, 2017, Equifax noticed “suspicious activity on July 30, 2017” and “took offline the affected web application that day.”  The impacted web application was built on Apache Struts, an open source web application framework used to create Java-based web applications.  After patching, Equifax brought the application back online.

Equifax claims it first became aware of the vulnerability sometime in May 2017.

By way of background, this vulnerability was widely disclosed on March 13, 2017.  At that time, both the United States Computer Emergency Readiness Team (US-CERT) and NIST issued “high vulnerability” warnings.  More importantly, Apache actually released its open source Struts 2.5.10 General Availability release that fixed this vulnerability a month earlier on February 3, 2017.

All of this is significant given that many mid-sized and large enterprises run Open Source Software (OSS) products, and unless they hire staff or retain an outside vendor specifically tasked with tracking security announcements for their deployed software products – including any OSS web-facing tools – these products will likely not be promptly patched and scenarios like what befell Equifax will continue.  In other words, what happened to Equifax can very easily happen again to any number of large enterprises.  There are ways to mitigate this risk that may likely prove a boon to the security industry.

In addition to relying on a battle-tested CIO, CISO, and IT team, there are numerous ways companies can keep an Equifax sort of incident from knocking on their boardroom door.

For example, companies can hire inside staff or an outside vendor who considers patch management not merely a compliance check-off item; evaluate how OSS is deployed and confirm who has final responsibility for patching known vulnerabilities; deploy tools to scan source code at the application level; and, most important of all, trade up security priorities from being compliance driven in favor of a proactive security risk management approach that takes into account the type and amount of sensitive data processed, maintained, and transferred.  There are many other ways of mitigating an Equifax risk, but the above approach tends to be the one that best follows a cost-effective 80/20 approach that also satisfies regulators.  Information security funds can also be wisely spent deploying a kill chain approach that actually works given it deliberately considers the evolutionary nature of security threats.

And finally, be mindful that when going out to market for new technical vendors, firm size has little correlation to the beneficial capabilities of the vendor.  Some smaller security vendors have the capacity to deploy unique skills and tools unavailable to larger vendors – that has always been a little known secret of the security industry.  The most effective players in this industry prefer working in small packs, so it is no surprise vendors employing them often lose them within the first year after getting gobbled up by a larger vendor.

CA lawmakers do not pass AB 375 – The California Broadband Internet Privacy Act

Succumbing to the pressure of heavy lobbying, the proposed California Broadband Internet Privacy Act was shelved early this morning by the California Senate.

If enacted, the law would have, beginning in 2019, barred ISPs from monetizing consumer browsing data without first obtaining consumer consent.  In essence, large ISPs such as AT&T and Verizon would have been barred from refusing to provide service or limiting service if customers did not waive their privacy rights.  It would have also barred them from charging customers a penalty or offering discounts in exchange for waiving privacy rights.

By way of background, the FCC earlier this year pulled back on those Obama-era regulations that impacted ISPs – regulations that completely ignored the data collection practices of companies such as Google and Facebook given they were not subject to FCC regulation.  The “Net Neutrality” red herring previously used by lobbyists to protect those tech companies alleged ISPs deserve different treatment because they curtail broadband usage for certain segments of society – alleging that ISPs closed out the Internet for many in poorer rural communities.

Current FCC policy, however, maintains rules that protect the “openness” of the Internet.  And, the stated intent of the FCC’s May 2017 pullback was a desire to implement a “light-touch regulatory framework” that immediately leveled the field, allowed the FTC to continue enforcing privacy infractions, and ultimately deferred to a later date the exact parameters of any federal consumer privacy consent law.

Currently, the privacy infractions of companies like Google and Facebook are policed by the FTC and not the FCC, so having the FTC also focus on ISPs is perfectly natural within our current regulatory scheme.  After all, the only reason large ISPs such as AT&T, Cox and Verizon even came under the FCC’s purview was because they are also telecom and cable operators.  To use this FCC front door to regulate the backdoor Internet businesses of telecom and cable operators was always forced and unnatural.  Indeed, this very public dispute between ISPs and website owners was itself a subterfuge.  Not surprisingly, AB 375 was also opposed by Google and Facebook because “expanded privacy regulations could indirectly affect the websites’ own ability to gather and monetize user data.”

As accurately stated by a libertarian blog:  “By framing this as a dispute between ISPs and websites — instead of accurately presenting it as a struggle between Internet users and anyone who would mine and sell their data, the powers that be (including lawmakers, bureaucrats, corporations, and the media) have muddied the waters to conceal a simple fact: This is actually a struggle between those who value their privacy and those who would profit by violating it.”

Perhaps fearing the demise of AB 375, a California ballot initiative proposed on September 1, 2017 would allow California consumers to know what personal information businesses are collecting from them as well as how that information is used.  As it stands, consumers obviously have no clue who ultimately processes, uses or outright purchases their data.  The California Consumer Privacy Act of 2018 will be placed on the November 2018 statewide ballot if it obtains 365,880 valid voter signatures.  This ballot initiative goes further than AB 375 given it would apply to any business that collects and deals in data for commercial purposes, and not just ISPs.

The apparent premise behind this ballot initiative is that there is no longer any such thing as anonymous data – it only takes about 10 visited URLs in total to uniquely identify someone, and there certainly is no difference between what a Google or an AT&T ultimately do with consumer data.  As it stands, relatively few use a Firefox browser set to its highest privacy setting or a Privacy Badger extension to keep Google scripts from running Google Analytics.  Even fewer users forgo Google in favor of the donation-funded DuckDuckGo search tool that allows users to browse the web without storing search results.

As suggested years ago:  “It may one day be determined, however, that an even more effective means to satisfy all constituent needs of the [online behavioral advertising] ecosystem (consumer, merchant, publisher, agency, etc.) will be to find a means to directly correlate between privacy rights, consumer data, and a merchant’s revenue.”

Until such direct financial correlation takes place – with the ensuing compensation to consumers – the true value of consumer data will never be known.  Very likely, companies who continue pilfering something consumers do not properly value will never do as well as companies that actually pay for what they want.

Given any present mass consumer education necessary to prod these issues forward will rely on online tools provided by companies with the most to gain or lose, the only immediately viable solution necessarily requires agreement from the likes of Google and Facebook.  Unfortunately, given current circumstances, there simply is no financial incentive for these companies to rock a very lucrative boat.

AGs move against Google’s latest cy pres settlement

Without tackling the underlying merits of the case, the Attorneys General of Alaska, Arizona, Arkansas, Louisiana, Mississippi, Missouri, Nevada, Oklahoma, Rhode Island, Tennessee, and Wisconsin asked the Third Circuit to reverse approval of a $5.5 million settlement involving consumer privacy claims against Google.  Relying on Fed. R. Civ. P. 23(e)’s prohibitions against unfair settlements, the AGs argued in their July 5, 2017 brief that the proposed cy pres settlement fund would be unfair given consumers would not receive a dime from these settlements.

In their brief, the AGs point out that because “class members extinguish their claims in exchange for settlement funds, the funds belong to class members.”  Brief at 5.  And, simply giving these proceeds to various privacy rights groups chosen by Google and class counsel would be unfair to the actual class members.

The underlying multidistrict lawsuit – which was previously before the Third Circuit (In re: Google Inc. Cookie Placement Consumer Privacy Litigation) – was filed in 2012 and alleges that Google deliberately circumvented default privacy settings used to prevent advertisers from tracking the browsing activities of persons using Safari and Internet Explorer.

Google is no stranger to cy pres funds pegged at $5.5 million.  In August 2016, Google settled a privacy suit by paying $5.5 million into a cy pres fund benefiting some of the same privacy groups looking to benefit from this latest settlement.  And, years earlier Google and Quantcast settled yet other privacy matters by way of a cy pres fund.

A cy pres fund provides the best of both worlds for defendants such as Google – it allows resolution of costly disputes while being able to fund non-profit organizations that ultimately help their cause.  Moreover, they have willing partners in class counsel given it really does not matter if an unnamed class plaintiff sees compensation so long as the settlement is approved and counsel’s fees are paid.  Hopefully, the United States Court of Appeals for the Third Circuit issues a well-reasoned opinion that guides courts around the country on this very troublesome practice.

Intellectual property and data breach counsel