Behavioral Advertising, Blockchain, Intellectual Property, Privacy, Social Media, Technology Law

Gilder’s Life after Google

Even though one online reviewer called it “[a] random walk through Silicon Valley without any goal, valuable information, conclusions or anything other than what would fit a gossip magazine”, Gilder’s book provides a grand thesis with very deliberate underpinnings.  There are certainly many other books and articles out there that better inform regarding blockchain.  Nevertheless, Gilder explains exactly why blockchain will in the future help cause Google lose its digital stranglehold.  For that, his book largely stands alone.

Gilder has had close access to the elite tech digerati for decades. There is no denying he knows what and who he is talking about. The writing style, however, will not be everyone’s cup of tea.  For example, applying a straw man style, he often builds up only to take down later in the book. This can easily be frustrating to readers.  Also, an imagined meeting with Satoshi Nakamoto – the pseudonymous founder of Bitcoin, can either be considered a highlight of the book or downright hokey based on one’s literary taste.

To Gilder, Google’s downfall largely rests on its giving away free products without fully understanding how this zero-sum system neglects the value and impact of consumer time on Google’s $30 billion dollar Siren Servers – a Jaron Lanier term used to convey the eventual death spiral of a company blinded by its 75,000 server farm.  Gilder reminds:  “Without prices, all that is left to confine consumption is the scarcity of time”.

Interestingly, Jaron Lanier as well as Peter Thiel feature predominately in this book as the existential fodder for much of Gilder’s musings. The true sparkle, however, remains pure Gilder – including his view that Google’s fall is precipitated on the behemoth’s not fully understanding true wealth can only be a product of knowledge.  As Gilder suggests, “wealth is not a thing or a random sequence. It is inextricably rooted in hard won knowledge over extended time.” How he eventually connects the many dots found in the book is worth the read despite the haphazard approach.  And, despite valid style criticisms, given so few are walking down this exact path, Gilder’s trailblazing can only be lauded.

Using pokes and outright direct digs on failed exercises of socialism and a “World Saving” Artificial Intelligence fealty pursued by Elon Musk, Gilder’s libertarian bent thankfully expresses a brighter vision where creativity and humanity win out.  He is on point – just ask Tim Berners-Lee about his startup, Inrupt to get additional perspective on Google.  And, the trust layers exemplified by Blockstack and Hashgraph are certainly aiming to tear down the current global ecosystems founded by the Tech Lords of Cali.  Ultimately, in futurist Gilder’s vision, individuals win when they can more easily trust and be secure in their interactions.

Those seeking an actual name for the specific Google killer app will be disappointed. This book does not tell its readers which business vision will launch the “killer app” required to actually break the status quo.  Readers are provided with an abstract roadmap lacking in specific directions because that specific app has not been publicly announced yet and will likely not be released for another 24 months.

Blockchain, Privacy, Risk Management

AT&T crypto theft case may hasten new insurance exclusions

On August 15, 2018, crypto-enthusiast Michael Terpin filed a 69-page Complaint against AT&T in the Central District of California.  This federal action – a fifteen-count missive from Greenberg Glusker, seeks compensation of $24,000,000 for stolen cryptocurrencies as well as punitive damages in the amount of $200,000,000.  Terpin’s counsel seeks to get around standard contractual limitations and arbitration language by claiming that AT&T violated every possible California consumer statute on the books.

At its essence, the lawsuit alleges AT&T did not “implement and maintain reasonable security procedures and practices” regarding personal information and protect it “from unauthorized access, destruction, use, modification or disclosure” as evidenced by a “January 7, 2018 SIM swap fraud” conducted by a criminal who was able to convince an AT&T store employee to give him Mr. Terpin’s SIM card.  Complaint ¶ 238.

In order to obtain recovery in federal court, Terpin’s counsel will have to get around standard ADR language and damages limitations typically found in mobile carrier agreements.  More than likely, the valiant efforts of Greenberg Glusker will be to no avail – with the eventual result this case will move down the well-traveled road of arbitration without any punitive damages or massive discovery in sight.  The Supreme Court authority for such a result is quite extensive and may be why the Complaint is written in such flowery and emotional prose.

No matter what forum eventually takes on this case, it raises numerous issues that percolate beyond the four corners of the Complaint.  For example, will AT&T’s insurer eventually defend or pay out on this claim?  If so, which coverage grants will be triggered?  And, if there is coverage, will ISO or major insurance carriers develop a standard insurance exclusion to bar cryptocurrency theft claims in the future?   As it moves through the California federal court system, this case will definitely have consequences for corporations well beyond AT&T.

Behavioral Advertising, Privacy, Risk Management, Social Media

EU-US Privacy Shield may soon be suspended

The EU-US Privacy Shield may finally be in actual jeopardy.  It was previously thought that given the high stakes, this data transfer accommodation implemented as a replacement for the judicially invalidated Safe Harbor program was too important an agreement to be withdrawn and that only another judicial ruling could render its death knell.  That is no longer the case.   A vote today by the European Parliament made sure of that.

As reported by the IAPP,  on July 5, 2018 the European Parliament passed a non-binding resolution by a vote of 303 to 223 votes and 29 abstentions to have the European Commission suspend the EU-US Privacy Shield “unless the U.S. is fully compliant” by September 1, 2018.    This is the second September review of the EU-US Privacy Shield.

Between the GDPR requirements left out of the EU-US Privacy Shield, the Cambridge Analytica fiasco that still dogs Facebook, the US’s adoption of the Clarifying Lawful Overseas Use of Data Act (CLOUD Act) – a statute that expressly allows access to trans-border personal data, the US’s pulling out of the Iran deal despite strong pressure from the EU, and the current tariff barbs being sent across the Atlantic, the long-term health of EU-US Privacy Shield can no longer be considered a given.   Companies who have been reliant on this data transfer accommodation should certainly consider alternatives as soon as possible.

Behavioral Advertising, Privacy, Risk Management, Social Media

New California law provides statutory damages for data incidents

With the June 28, 2018 signing of The California Consumer Privacy Act of 2018, data breach class counsel are rejoicing that they finally have a private right of action backed with statutory damages.  Even though there were previous statutory remedies for privacy violations, the recent California law has gone where no other law has gone before by expressly providing a private right of action for a data breach that also allows for a minimum statutory amount.  Not surprisingly given it was the first state to pass a breach notification law, the California legislature again led the way.

After certain data incidents involving the loss of consumer data, California consumers will have beginning on January 1, 2020 a private right of action that can also be brought on a class-wide basis.   Specifically, any consumer whose unencrypted or nonredacted personal information “is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action . . . to recover damages in an amount not less than one hundred dollars ($100) and not greater than seven hundred and fifty ($750) per consumer per incident or actual damages.”   Section 1798.150(a)(1).

Despite being groundbreaking, there are still numerous hurdles class counsel must surmount before a class can be certified.  For example, the private right of action may not be allowed unless the compromised information is subject to unauthorized use.  Section 1798.150(a)(1).   Accordingly, those incidents where unauthorized use is not in issue are not subject to the statute.

Moreover, the law can only be used against a business with “gross revenues in excess of twenty-five million dollars ($25,000,000)” or one that purchases personal data on “50,000 or more consumers, households, or devices” or one that “derives 50 percent or more of its annual revenues from selling consumers’ personal information.” Section 1798.140(c).

Curiously, the law allows a business to “cure” its security violation; and thereby avoid suit, but leaves to the imagination exactly how that curing process would play out.   Section 1798.150(b)(1).

And finally, this private right of action can be withdrawn if the California Attorney General files its own suit after being provided notice of a consumer’s lawsuit.  Section 1798.150(b)(3).   The AG’s office has 30 days to decide whether or not to file suit after being provided with the consumer’s lawsuit notice.

Notwithstanding the last-minute changes made to this last-minute statute, it still provides California consumers with the country’s most expansive statutory privacy rights– rights that will be immediately deployed by class counsel after 2020.   Most analysis on this new law, however, has focused on comparing it to the EU’s GDPR privacy regime – a recently implemented privacy regime that impacts many  US-based companies.    In addition to the privacy requirements, companies processing significant amounts of consumer personal data should also take the class action risk very seriously and if they do not already purchase insurance for that risk, they should at least evaluate transferring some of this liability risk by way of the privacy and data security insurance long been available to most any company.

Behavioral Advertising, Privacy

Supreme Court sides with privacy advocates in Carpenter

On June 22, 2018, the United States Supreme Court ruled that obtaining cell-site location information without a probable cause warrant violates the Fourth Amendment despite the fact there were no actual associated property rights in the data.   In writing for the majority, Chief Justice Roberts sided with the liberal wing of the Court and against those Justices looking to affirm the robbery conviction in question.  Justice Gorsuch’s Dissent correctly points out, however, that the “most promising line of argument” available to Carpenter was not well-developed by Carpenter, namely that he had positive property rights in his geo-location data.  Gorsuch, J., Dissent at 21.   Instead, the Majority ruled there was a reasonable expectation of privacy in the data in question despite the lack of any available property rights.

This decision could have been a potential clarion call regarding privacy rights well beyond that found in a Fourth Amendment context.  Instead of confirming the data’s true value – again, as a positive property right, the Majority determined that a third-party’s access and consent to use the data in question did not negate the data’s ability to give rise to a reasonable expectation of privacy – in effect, carefully distinguishing the so-called third party doctrine previously applied by the Court.  In so doing, the Majority carefully parsed precedent on this issue – now giving it a second tier analysis status, rather than outright reject it as apparently sought by Justice Gorsuch in his Dissent.  Gorsuch, J., Dissent at 5 – 8.

Recognizing the contortions taken by the Majority, Justice Alito fairly screamed for Congressional intervention given this perceived affront to existing Fourth Amendment precedent.  Alito, J., Dissent at 27 (“Legislation is much preferable to the development of an entirely new body of Fourth Amendment caselaw for many reasons, including the enormous complexity of the subject, the need to respond to rapidly changing technology, and the Fourth Amendment’s limited scope.”).

On April 17, 2018, the Court previously dismissed another matter involving application of the Stored Communications Act and “rapidly changing technology” given Congressional intervention on the issue rendered moot the question before the Court.  Given that the Carpenter Majority’s Constitutional analysis may leave little room for future Congressional intervention, subsequent courts will have to grapple with deciphering the potential import of this decision – a decision with a remarkable four separately written dissents.

For example, what exactly constitutes a “a comprehensive chronicle” of defendant’s past movements or how will heretofore unknown future non-property “privacy rights” give rise to a reasonable expectation of privacy?  Justice Gorsuch was correctly very much concerned about the uncertainty springing from this decision.  See Gorsuch, J., Dissent at 12 (“In the end, our lower court colleagues are left with two amorphous balancing tests, a series of weighty and incommensurable principles to consider in them, and a few illustrative examples that seem little more than the product of judicial intuition.”).

Despite how the Court in Carpenter references location-based tracking as some sort of newfound innovation, location-based tracking has been a percolating privacy issue for more than seven years.  To that end, even though privacy advocates and criminal defense lawyers may very well bask in this decision for years to come, by the Court not clearly ruling how certain privacy rights can give rise to a positive property right under the Fourth Amendment, privacy advocates may have actually lost a more impactive battle they could have won.

More specifically, if the ACLU – on behalf of Mr. Carpenter, had fully argued the more appropriate positive law approach discussed by  Justice Gorsuch we may all be reading a 6-3 decision that found privacy rights in data can indeed give rise to property rights under the Fourth Amendment.  Gorsuch, J., Dissent at 21 (“Before the district court and court of appeals, Mr. Carpenter pursued only a Katz“reasonable expectations” argument. He did not invoke the law of property or any analogies to the common law, either there or in his petition for certiorari. Even in his merits brief before this Court, Mr. Carpenter’s discussion of his positive law rights in cell-site data was cursory. He offered no analysis, for example, of what rights state law might provide him in addition to those supplied by §222. In these circumstances, I cannot help but conclude — reluctantly — that Mr. Carpenter forfeited perhaps his most promising line of argument.”).  For now, privacy advocates will have to be satisfied with the actual ruling before them – one that leaves the door quite open to future expansions of the “reasonable expectation of privacy”.

Electronic Health Records, Privacy, Risk Management

OCR wins $4.3 million HIPAA Victory against MD Anderson

On June 18, 2018, the the Office for Civil Rights (OCR) posted a press release announcing its summary judgment victory against the University of Texas MD Anderson Cancer Center (MD Anderson) – a ruling that will require MD Anderson to pay $4,348,000 in civil money penalties to OCR.   According to the press release, this is only the second HIPAA summary judgment victory in OCR’s history and the $4.3 million is the fourth largest amount ever awarded to OCR for HIPAA violations.

The June 1, 2018 Administrative Law Judge’s decision ultimately hinged on a stolen unencrypted laptop and several lost unencrypted USB thumb drives containing “identifying information such as patient names, addresses, and Social Security numbers; and clinical information such as diagnoses, assessments, prognoses, and treatment regimes” of a total of 33,500 individuals.  Decision at 2.

The hefty fine was based on the fact MD Anderson knew encryption was an essential risk management tool since 2006 yet did not get around to fully deploying encrypted devices until after the losses in question.  According to the ALJ, MD Anderson before then made only “half-hearted and incomplete efforts at encryption”.  Decision at 5.

According to the ALJ:

The question is whether Respondent took the necessary steps to address the risk that it had identified – the potential for data loss due to the storage of ePHI on unencrypted devices. As I have explained, the failure to address that risk is the sum and substance ofRespondent’s noncompliance. Had it done so, then unauthorized acts by Respondent’s employees might be relevant to the issue of compliance. But, failure by Respondent to take the security measures that it had identified as necessary renders irrelevant the issue of whether employees were playing by the rules, because that failure created a risk whether or not Respondent’s employees did so.

Decision at 14 (emphasis in original).

This latest OCR action may very well be appealed given the jurisdictional arguments made by MD Anderson.  No matter what the final appellate result, however, the ruling should slam the lid on any covered entity ever questioning again whether encryption is worth the cost of deployment.     Whether it is from a state enforcement action or OCR settlements based on vendor negligence, laptops stolen from a car, or a USB thumb drive improperly taken from an IT department, when it comes to encryption an ounce of prevention is definitely worth at least a pound of cure.

Behavioral Advertising, Privacy, Social Media

Facebook and Google face GDPR complaints on day one

Privacy activist Max Schrems is at it again.   Early morning on May 25, 2018, Mr. Schrems’ group – NOYB.eu (none of your business), filed complaints in four EU member countries claiming that the purported GDPR consents now obtained by Facebook and Google are impermissible “forced consents” given they provide nothing more than a take it or leave it proposition for users.  Facebook previously launched a campaign claiming that it was fully on board with GDPR despite the risks entailed in these “pop up consents”.

Max Schrems  should not be underestimated – he single-handedly forced a replacement to the former EU Safe Harbor regime.    The Safe Harbor regime previously governed data transfers between the US and EU but was invalidated on October 6, 2015 in a case brought by Mr. Schrems in the EU Court of Justice.

Mr. Schrems’ most recent actions go at the heart of the current online advertising duopoly and his actions against Facebook and Google should be taken seriously by them given Schrems’ prior successes and the fact he may very well be correct in his assessment of GDPR – a privacy regime that is purposefully ambiguous in the area of consent.

Blockchain, Technology Law

Consensus 2018 blockchain event exceeds expectations

After attending the largest early adopter tech conferences conducted over the past thirty years – from Internet World, VR World, COMDEX, CES, RSA, Game Developers Conference, etc., it is easy to say Coindesk’s recent Consensus 2018 Conference – the foundation for NYC’s “Blockchain Week”, was one of the largest gatherings of early technology adopters and backers ever packed in a single location.  Almost beside the point, Consensus 2018 was also easily the largest blockchain event to date.

Despite exceeding pretty much all expectations, it was not, however, without some controversy.  Noticeably absent from the event was Vitalik Buterin as well as any Ethereum presence other than a scheduled announcement and booth presence for the Enterprise Ethereum Alliance.  The visionary Buterin boycotted the event given disagreements with the sponsor and a purported grievance with the  $2,999 price tag  – despite the fact Mr. Buterin himself could have bought tickets for all 8400+ attendees if he wanted.  Buterin’s thought leadership and insights were certainly missed so hopefully next year there will be some sort of peace accord that brings him back into the fold.

According to the emcee for the event – a Brit anxiously pacing up and down with the obligatory iPad seemingly issued to all tech conference emcees, half of the attendees hailed from outside the United States.  In fact, meals and private meetings were enjoyed with folks visiting from South Korea, Australia, Finland, Switzerland, Portugal, Brazil, Berlin, Hong Kong, Vancouver, and Toronto – and that was only on the first of two attendance days.  Unlike what was shown by the early days of the web ecosystem, this gathering more than anything concretely demonstrates that any decentralized ledger future will be shaped by those outside the United States as much as by persons located within its borders.

The caliber of the audience – more so than the speakers, also demonstrates that the financial and professional institutions who missed out on the web ecosystem’s early brick laying are avoiding past mistakes.  Sensing just how disruptive things may soon get, they were out in full force – with Deloitte leading the Big Four charge and the purported naysayer JP Morgan having a sophisticated presence from New York and London.   Notwithstanding the fact the exhibit hall was stacked with ICO and ICO-wannabee companies that will likely go away in a few years, foundational companies were front and center promoting the tools and business models needed before blockchain can be digested by the masses in any meaningful way.

While companies wait to “cross the chasm”, investors are taking sides by investing in token economies and novel ramp up technologies.   And, after the speculative sheen has faded, the lasting result will be efficiencies in commerce one could only have dreamt about a few years ago.    Simply put, the “trust protocol” that will eventually be layered on top of our current digital ecosystem will create new opportunities for pretty much any company willing to listen and adapt.

Litigation Management, Privacy, Risk Management, Social Media

Supreme Court takes Google cy pres fund case

On April 30, 2018, the United States Supreme Court granted certiorari so that it could determine whether a settlement in a privacy class action against Google was “fair, reasonable, and adequate” when the roughly $5 million settlement only went to cy pres recipients rather than actual class members.  Specifically, the Court is to decide:

Whether, or in what circumstances, a cy pres award of class action proceeds that provides no direct relief to class members supports class certification and comports with the requirement that a settlement binding class members must be “fair, reasonable, and adequate.”

As previously recognized, the use of cy pres settlements has been a troublesome trend in privacy class action settlements given it allows plaintiffs’ counsel to quickly file and resolve class actions before  actual damages can be made readily apparent.  Indeed, attorney generals have objected  to cy pres settlements given the lack of redress available to victims.  Given Justice Roberts prior pronouncement on the topic, it may very well be the case that cy pres funding  – which previously only took place in settlements after plaintiffs were actually compensated, may very well no longer be an acceptable means of quickly ending a privacy class action.

Behavioral Advertising, Privacy, Social Media

Facebook doubles down on GDPR despite the risks

On April 17, 2018, Facebook’s Chief Privacy Officer – Erin Egan, proclaimed:  “[t]oday we’re introducing new privacy experiences for everyone on Facebook as part of the EU’s General Data Protection Regulation (GDPR), including updates to our terms and data policy.”  According to Ms. Egan, “people in the EU will see specific details relevant only to people who live there” yet “there is nothing different about the controls and protections we offer around the world.”  In her blog post, Ms. Egan also reaffirmed something said numerous times by Mark Zuckerberg during recent Congressional Hearings, namely “we continue to commit that we do not sell information about you to advertisers or other partners.”  Tellingly, the phrase “information about you” was never elaborated upon by Ms. Egan.

As is often the case, the devil is in the details.  First, the fact “controls and protections” found on a Facebook account may be similar around the globe – as was the case before Ms. Egan’s blog post, does not mean the privacy laws protecting Facebook users have remained the same.  Quite the contrary is true given that the choice of law provision applicable to Facebook’s users was just amended from Facebook’s low-tax home domicile of Ireland to the non-GDPR land of California  – expressly now leaving about 1.5 billion users potentially outside the purview of  the GDPR.  When asked by Ars Technica why the choice of law provision was changed, Facebook purportedly said “the change had been made in the name of the companies’ business interests. The company declined to elaborate further.”

Second, neither Facebook’s new Terms of Service nor its new Data Policy – both last revised on April 19, 2018, define the word “you” or “your”.  As well, the revised Data Policy expressly gives Facebook broad latitude in its use of undefined user “information”:

We use the information we have (including your activity off our Products, such as the websites you visit and ads you see) to help advertisers and other partners measure the effectiveness and distribution of their ads and services, and understand the types of people who use their services and how people interact with their websites, apps, and services.

Indeed, apparently armed with this undefined user “information”, Facebook recently launched a program that analyzes user data sufficiently to purportedly predict behavior for advertisers.

If the undefined “you” in Facebook’s agreements differs from the composite “you” created by Facebook that is pseudonymized, repurposed and then sold to advertisers, one could never tell from any of Facebook’s agreements.  Interestingly, Recital 78 and Article 25 of the GDPR expressly consider “pseudonymising personal data” a best practice for companies developing Privacy by Design compliance initiatives.  Under the GDPR, pseudonymized data can even be processed for purposes different from which the data was originally collected.  The only problem with the GDPR’s exalting of pseudonymizing is that companies now oftentimes discover the sovereign identity “you” when provided information concerning the composite “you” that is pseudonymized by Facebook.

It would have been comforting if Facebook’s auditors were on top of this longtime “nudge wink” between Facebook and the advertising industry.  Unfortunately, they are not.  In an April 18, 2018 paper titled, “Understanding and Improving Privacy “Audits” under FTC Orders”, author Megan Gray points out that Facebook’s FTC audit assessments are circular – “Management asserts it has a reasonable privacy program. Based on management’s assertion, we certify that the company has a reasonable privacy program.”

In effect, this audit process ultimately renders Facebook’s assessments “almost indecipherable” and “requiring certified-auditor knowledge.”  As correctly summed up by Gizmodo, “[t]he current process essentially allows companies under consent orders to self-regulate.”  Accordingly, it is no surprise that PwC’s auditing cleared Facebook’s privacy practices “in an assessment completed last year of the period in which data analytics consultancy Cambridge Analytica gained access to the personal data of millions of Facebook users”.

Notwithstanding its aptitude for parsing words, Facebook will soon be in uncharted and unpredictable privacy waters where disclaimers and popup consent forms may not easily tread.  Even though no one can say with certainty how things will play out after the GDPR’s formal launch on May 25, 2018, one thing is sure – Facebook has very publicly committed to GDPR compliance.  And, to the extent there are failings in such compliance, there are more than a handful of class counsel and global governmental agencies ready to pounce on Facebook and its partners.

Intellectual property and data breach counsel