Full disclosure: I am a big fan of Airbnb. When I travel for pleasure, I like to have the ability to rent a home in a local area, versus a downtown hotel hub, where I can get a real feel for the city and its non-tourist culture. And I can’t complain about the fact that I am often pleasantly surprised by accommodations that rise to the level of a fancy hotel at a fraction of the price.

New York City’s rules against unlicensed hotels are ostensibly meant to protect consumers from getting ripped off by hotels that are not governed by any sort of licensing standard. That said, I cannot say that I have ever had a bad experience with Airbnb given that customer reviews are easily available on the site, and it is therefore very easy to limit your dealings to well-reviewed and “trusted” amateur hoteliers.

In other words, I don’t really buy the reasoning behind NYC’s rules. More likely, as it seems to be the case with most rules affecting internet innovation, these rules are meant to protect an ingrained lobby-heavy industry that suddenly finds itself threatened by the relative efficiency of tech innovation.

This ruling is unfortunate for New York’s tourist industry, and for a travelers, like myself, who are perhaps taking a risk when they purchase accommodations from an unlicensed seller, but who are otherwise willing to take that risk. This ruling if also unfortunate for New York home-owners who would have otherwise had an opportunity to realize some profit on their valuable real-estate.

Existing law currently requires the groups noted above to notify their clients or customers when they reasonably believe that an unauthorized person has acquired personal information that includes unencrypted social security numbers, driver’s license numbers, medical information, health insurance information and specific financial account information, such as credit card numbers with security codes.  Unfortunately, current law does not require similar customer notification when passwords, usernames or security questions / answers are changed.

So it would seem that the newly proposed SB 46 would even further expand California’s expansion on HIPAA, requiring data-holders to notify customers of breach regardless of the type of information accessed.

The proposed Unlocking Technology Act of 2013 provides, in relevant part:

“It shall not be a violation of this section to circumvent a technology measure in connection with a work protected under [the Copyright Act] if the purpose of such circumvention is to engage in a use that is not an infringement of copyright…”

Recall that the DMCA makes it illegal to circumvent digital locks in order to “get to” the copyrighted content beneath such locks. The Library of Congress (likely after some prodding from phone company lobbies) then interpreted this to mean that circumvention of digital locks is always illegal, no matter the reasons for circumvention, because there is, after all, copyrighted software content existing under those locks.

In my opinion, the proposed Unlocking Technology Act is right on the money in that it clarifies what the DMCA was intended to do in the first place — namely, to protect copyrighted content from being infringed. The DMCA’s anti-circumvention provisions were never meant to protect against activities such as smartphone jailbreaking where the circumvention was made in order to make innocent use, rather than make infringing copies, of the software content underlying the digital locks.

According to The National Law Journal, U.S. District Judge Otis Wright of Los Angeles has imposed five figure sanctions on attorneys from the law firm of Prenda Law Inc. whose attempt to sue various John Does for infringement of various pornographic films owned by shell companies set up by these attorneys has been categorized by the judge as resembling a RICO (Racketeer Influence and Corrupt Organizations) racket.

“Plaintiffs have outmaneuvered the legal system,” Wright concluded. “They’ve discovered the nexus of antiquated copyright laws, paralyzing social stigma, and unaffordable defense costs. And they exploit this anomaly by accusing individuals of illegally downloading a single pornographic video. Then they offer to settle — for a sum calculated to be just below the cost of a bare-bones defense. For these individuals, resistance is futile; most reluctantly pay rather than have their names associated with illegally downloading porn.”

…

The ruling came six months after Wright initially became suspicious of several cases before him filed by two companies, Ingenuity 13 LLC and A.F. Holdings LLC, which were represented by Prenda Law of Chicago. The cases were filed against “John Doe” defendants, alleging infringement of their copyrights to several pornographic films and seeking subpoenas to identify the perpetrators.

Wright raised questions about Prenda Law’s practice of identifying alleged infringers with only an Internet protocol address. He expanded his concerns after discovering that Gibbs, the lead attorney on the cases before him, may have stolen the identity of a Minnesota resident named Alan Cooper to validate a potentially sham client by holding him out as principal of Ingenuity and A.F. Holdings. On February 7, Wright issued an order to show cause why Gibbs, of Mill Valley, Calif., should not be sanctioned.

This is a big deal in what I consider to be “pointless” copyright litigation. As I have reiterated several times in previous articles, I have nothing against the sincere prosecution of intellectual property rights (I would not be a very good general counsel to my tech clients if I did not believe that their IP should be protected), but I do have problems with prosecution as a means to generate income on IP that has so little value that no real company exists to claim and enforce it.

Specifically, the White House recommends that the bill add the following principal provisions:

It’s important that any information shared under a new cybersecurity law must be limited to what’s relevant and necessary for cybersecurity purposes. That also means minimizing information that can be used to identify specific individuals. For example, if a utility company is looking for government assistance to respond to a cyber attack, it is unlikely that it needs to share the personal information of its customers, like contact information or energy-use history, with the government.

Cybersecurity legislation needs to preserve the traditional roles for civilian and intelligence agencies that we all understand. Specifically, if legislation authorizes new information sharing between the private sector and the government, then that new information should enter the government through a civilian department rather than an intelligence agency. That doesn’t mean breaking the existing mechanisms that already work. For example, victims of cyber crime ought to continue to report those violations to federal law enforcement agencies and public-private information-sharing relationships that already exist should be preserved.

Any new legislation ought to provide legal clarity for companies that follow the rules and appropriately share data with the government. But it should not provide broad immunity for businesses and organizations that act in ways likely to cause damage to third parties or result in the unwarranted disclosure of personal information.

It is good to see that CISPA may be vetoed unless some serious changes are made to those nagging privacy issues. I will update on any development.

According to the Washington Post:

There is currently no way to wiretap some of these communications methods easily, and companies effectively have been able to avoid complying with court orders. While the companies argue that they have no means to facilitate the wiretap, the government, in turn, has no desire to enter into what could be a drawn-out contempt proceeding.

Under the draft proposal, a court could levy a series of escalating fines, starting at tens of thousands of dollars, on firms that fail to comply with wiretap orders, according to persons who spoke on the condition of anonymity to discuss internal deliberations. A company that does not comply with an order within a certain period would face an automatic judicial inquiry, which could lead to fines. After 90 days, fines that remain unpaid would double daily.

This new development is likely in direct response to the fact that Apple’s iMessage encryption has made it impossible to intercept communications even where the government agency has a valid warrant. Thus it seems that the FBI has decided to fine tech companies into submission (e.g., pay hefty fines or alter your technology to make it less privacy-protective).

If seems to me that our law enforcement agencies have become exceedingly over-reliant on eavesdropping versus traditional detective work. Allow me to wax quixotic on a matter of criminal law (a topic in which I, admittedly, have no particular experience), but it seemed to me, even long ago in law school, that “probable cause” was an altogether too low a standard to allow government agents to listen in on private communications. Our society’s privacy values have become quite loose if we are okay with having a living, breathing human being, who we have never met, listen in on our private conversations just because a judge somewhere thinks we are probably committing a crime (just my personal opinion).

So we all dread the frustrating inefficiency of our healthcare system. Thankfully, there has been a recent increase in the number of healthcare-based software applications and other tech-based support services, such as Simplee, which “combines Mint.com and Paypal to bring medical bill payment, management to your smartphone.”

The new rules do the following:

1. Clarify when breaches must be reported to HHS’ Office for Civil Rights;
2. Establish new standards for the use of patient-identifiable information for fundraising and marketing;
3. Expand liability to “business associates” of hospitals and other “HIPAA-covered entities,” such as data miners and health IT service providers; and
4. Raise the maximum penalty for noncompliance to $1.5 million per violation.

1. Keep all healthcare patient data encrypted (easy to do these days); and/or
2. Install kill-switch software on data carrying devices so, if lost or stolen, the device can be remotely killed; and/or
3. Install GPS locator software functionality on data carrying devices… for the obvious reasons; and/or
4. Do not keep patient info in public places (less relevant to my tech company clients, but still common sense); and/or
5. Be sure to use employ a hierarchy of user permissions so that only employees (e.g., programmers) who must absolutely have access to patient data get that access… your sales team, non-essential interns, marketing team, etc… should not have access.

The above points are more or less no-brainers. The main thing to keep in mind is that, under the new rules, if your technology in any way touches the protected health information (as defined in the rule), then the above precautions should be taken.

I thought this was interesting because the 2nd Circuit seemed to imply that in order to assert the 512(c) safe harbor, the defendant had the burden of proving that it was not aware that its site was being used for intellectual property infringing purposes. This would obviously place a heavy and expensive burden on the user generated content (UGC) community which, apart from YouTube, is comprised mostly of start-ups.

Except then Viacom admitted that “[i]t has now become clear that neither side possesses the kind of evidence that would allow a clip-by-clip assessment of actual knowledge.” Woops.

So now the District Court has, hopefully, decisively ruled that there is no evidence of YouTube’s complicity in IP infringement:

There is no evidence that YouTube induced its users to submit infringing videos, provided users with detailed instructions about what content to upload or edited their content, prescreened submissions for quality, steered users to infringing videos, or otherwise interacted with infringing users to a point where it might be said to participated in their infringing activity.

Therefore, YouTube is immune via 512(c) safe harbor. Of course Viacom has promised to appeal, again.

My colleague Eric Goldman wisely points out in his detailed analysis of the case that the Circuit rulings are making the 512 safe harbors increasingly messy to invoke by tacking on more and more factors that the courts must analyze. This does seem to cut a bit against what seems to be clear legislative intent to grant providers immunity, via the DMCA, against these sorts of claims (and to save them from wasting money on just this type of never-ending litigation).

The developments have been as follows:

1. The US Supreme Court ruled on March 19, 2013 that the First Sale doctrine applies to products purchased abroad but then resold in the US. Kirtsaeng v. John Wiley & Sons, 11-697 (Mar. 19, 2013).
2. BUT, the Southern District of New York noted that the First Sale doctrine does not apply to digital goods, in this case iTunes songs. Capitol Records, LLC v. ReDigi, Inc., 12-cv-95 (S.D.N.Y., March 30, 2013).

Now, seemingly building on New York’s limitation of the doctrine, Google’s terms of service on Google Glass products states that:

“[Y]ou may not resell, loan, transfer, or give your device to any other person. If you resell, loan, transfer, or give your device to any other person without Google’s authorization, Google reserves the right to deactivate the device, and neither you nor the unauthorized person using the device will be entitled to any refund, product support, or product warranty.”

Meaning, you may have thought that you purchased the $1,500 product, but really you are just paying that to license it from Google and Google may deactivate your device if you try to give or sell it to another user. Bye-bye, First Sale doctrine.

Of course, this limitation may only be relaxed by Google after the Google Glass is out of the beta phase, but it is nevertheless interesting how digital licensing law is being used by sophisticated companies to control the use and, yes, the resale of their products. To wit: “hacking” of the Google Glass to avoid deactivation in violation of the terms of use could potentially implicate a user who may simply want to resell his old hardware in a serious infringement of the DMCA anti-circumvention provisions.

Imagine a future where everything we think we own is, in fact, merely licensed…

Here’s what I read:

1. CISPA gives private entities (tech companies) the right to share with government agencies, namely the Department of Homeland Security, any “Cyber Threat Intelligence” they collect as part of their Cybersecurity protocols.

2. CISPA gives private entities the right to share the above information with other private entities.

3. CISPA gives government agencies the right to share the above information with certain approved private entities.

4. Private entities would be immune from any legal action arising out of the above sharing of information.

5. The government can be sued (for damages and reasonable attorneys’ fees) for certain improper uses of the above-shared information.

6. All of the above things that CISPA allows private entities and the government to do would trump any existing US laws.

Here’s what I foresee:

CISPA, as it is currently written, pretty much allows private companies to share whatever they want with the government.User logs, certain personally identifiable information, and (IMO most worrying) inter-user communications are all fair game for sharing so long as the company interprets them to be connected to some vague idea of a Cybersecurity threat.

The number one problem I see here is this idea that CISPA trumps all existing US laws. From the Act itself:

“Not withstanding any other provision of law….[a covered entity may share information with other covered entities as described above.]“

This is a BIG deal, because CISPA, according to the above, will essentially trump such privacy laws as the Electronic Communication Privacy Act (ECPA), the Stored Communications Act, the Wiretap Act, the Foreign Intelligence Surveillance Act, and the Privacy Act. All of the above laws restrict private companies, such as ISPs, from disclosing certain user communications, such as emails, without the proper warrant and/or court order.

The danger of CISPA, and the reason it poses a real risk to consumer privacy, is that it seems nullify the myriad of legal privacy protections we currently have in place.

I should also note: I see two reasons why large, established tech companies seem to like this law.

1. Larger companies, which these days do indeed seem to face an increase of denial of service attacks and other types of “cyber threats,” have a legitimate need to protect themselves. Whether or not CISPA fairly balances this legitimate need against consumers’ privacy rights is debatable.

2. The part where the US government opens itself up to lawsuits for improper use of the shared information (#5 above) seems to effectively create a potential defendant with deeper pockets (Uncle Sam) to be sued in the various privacy-based class actions we see spiking up from time to time. Certainly the larger companies, who are the traditional defendants in such class actions, would love it if plaintiffs had a bigger fish to fry.