Tuesday, July 29, 2008

Stuff I Want to Blog About

Unfortunately, I'm about to leave on vacation, and the effort of trying to get my various work related projects in order before I leave has resulted in my not being able to write any kind of substantive blog post this week (and not much of a post last week either). Anyway, in lieu of a substantive post, I'll have to provide this: things I would blog about if I had time.

First, did you know that a major bug in the domain name system (it's the thing that actually makes the internet work) had been found? Did you know that the bug could be used by phishers to redirect people from trusted sites to data gathering or malware distribution sites without their knowledge? What kind of liability might attach to that situation? Products liability for DNS vendors? Negligence for sysadmins who don't patch? If I had time, I'd be blogging on those questions. However, as it is, I'll have to leave them hanging.

Also, Ecora actually has an interesting post on counterproductive effects of regulation. Normally, when people complain about regulation, it's something on the lines of whining about the cost of being forced to do things they should be doing anyway. However, Ecora's post discusses something a good deal more realistic - the cost of having to store data that you otherwise wouldn't. Normally, I'd like to address their argument (for example, would companies really purge their data if not for regulations like Sarbox?). However, as it is, I'll just link and leave the addressing for another day (assuming nothing happens while I'm on vacation, of course).

And now even this post is taking up more time than I realistically have. Oh well...I suppose I'm not that good at the non-substantive blogging thing. In any case, I'll be back the second week in August. While I might put something up between now and then, I wouldn't bet on it. Until then...

Monday, July 21, 2008

Fighting words

Disturbing cartoon about a dystopian surveillance which we, happily, don't live in (yet).

Wednesday, July 16, 2008


Unless otherwise limited by court order, the scope of discovery is as follows: Parties may obtain discovery regarding any nonprivileged matter that is relevant to any party's claim or defense — including the existence, description, nature, custody, condition, and location of any documents or other tangible things and the identity and location of persons who know of any discoverable matter.

That's the text of the first sentence of rule 26(b)(1) of the Federal Rules of Civil Procedure. For the non-lawyers out there, I'll unpack it a bit. The first part, about obtaining discovery of any nonprivileged matter, means that, unless information falls into certain narrowly defined categories (e.g., attorney-client, doctor-patient, etc) it is subject to discovery. The next part, about relevant to any party's claim or defense, means (generally) that it has to have some bearing on the subject matter of the litigation. In practice, this means that during pre-trial discovery, litigants can request essentially any records maintained by a business, its principals, and their agents (e.g., vendors). The bottom line is that, if a lawsuit takes place, the parties can request virtually any information, that information has to be provided to them, unless it falls within the narrowly defined (privileged) categories.

While massive security incidents like the TJX breach generate more headlines, these pretrial discovery rules could represent an even bigger threat to consumer privacy. Two instructive cases in this respect are Viacom v. Google and MPAA v. Bunnell. In the Viacom case, Viacom requested, and the judge ordered Google to produce, records showing who watches videos on YouTube and what videos they watch (see article here). This release of data has the potential to be even more damaging to the affected users (including me, since I use YouTube regularly) than the release of information such as social security and credit card numbers, because YouTube viewing records can be used to make out a case for copyright infringement - a charge that can bankrupt all but the super-wealthy (for example, in the case described here the defendant was found liable for almost a quarter million dollars in damages for infringing copyrights on only 24 songs). In the MPAA case, the judge also ordered that user records be turned over - in that case the records showed what users had searched for using the popular bit torrent software. However, there, rather than take an act which it saw as betraying its users privacy expectations, the defendant blocked access to his web site from the U.S. - a radical solution, but the only way the defendant saw to protect his users' privacy.

The cases above showcase a trend which is, to me, highly disturbing. Instead of relying on black hat hackers, businesses can use litigation to obtain consumer information. In the cases above, that result in the exposure of (likely) millions of records from Google, and the complete shutdown of TorrentSpy in the U.S. Those are serious consequences, and they should be considered whenever people think of possible threats to their privacy.

Wednesday, July 9, 2008

FTC Clarifies CAN-SPAM Act

The Federal Trade Commission (“FTC”) has issued a Final Rule that adds four new provisions and provides clarification of some of the CAN-SPAM Act’s requirements. This Final Rule, effective July 7, 2008, is the culmination of work that was begun three years ago with a proposed FTC rule, and takes into account comment letters from 150 individuals, businesses, and organizations.

The CAN-SPAM Act (Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003) regulates the sending of unsolicited commercial emails, and became effective January 1, 2004. Although “spam” is generally defined as unsolicited commercial e-mail sent to a large number of addresses, the Act makes no distinction between solicited and unsolicited commercial e-mail. It defines commercial e-mail as "any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service (including content on an Internet website operated for a commercial purpose)." Transactional or relationship messages are not subject to or regulated by the Act.

The CAN-SPAM Act outlaws certain commercial acts and practices with respect to commercial email, and imposes requirements on senders of commercial emails:

The transmission of any email that contains false or misleading header or “from” line information is prohibited.
The transmission of emails with false or misleading “subject” line information is prohibited.
The Act requires that a commercial email message contain a functioning return email address or similar Internet-based mechanism for recipients to use to “opt out” of receiving future commercial email messages.
The sender, or others acting on the sender’s behalf, is prohibited from initiating a commercial email to a recipient more than ten business days after the recipient has opted out.
A commercial email may not be sent without including three disclosures – a clear and conspicuous indication that the email is an advertisement or solicitation, a message and mechanism for the recipient to opt out of future solicitations, and a postal address for the sender.

Four specific practices are cited by the CAN-SPAM Act as “aggravated violations” which, when alleged and proven in combinations with certain other violations of the Act, will increase the statutory damages imposed upon the sender. These practices are: address harvesting; dictionary attacks; automated creation of multiple email accounts; and relaying or retransmitting through unauthorized access to a protected computer or network.

Changes to Definitions

The FTC made some changes several changes to the definitions found in the Act:

It modified the definition of “sender” to clarify that for single emails promoting the products, services or Internet website of multiple persons, each of the persons whose products or services are promoted will be deemed to be a “sender” of the email, except that such emails will be considered to have only one sender if: (1) one person is within the definition of “sender” under the Act, (2) that person is identified in the “from” line as the sole sender of the email, and (3) that person complies with certain provisions of the Act that are applicable to initiators of emails.

This change provides a more flexible approach for email marketers, and is more logical from a consumer perspective since the consumer is likely to focus on the “from” line to identify the sender. It is this sender that must honor “opt out” requests, and is responsible for the email’s compliance with the CAN-SPAM Act requirements. It is important to realize, however, that liability for compliance with the Act does not shift exclusively to the sender, since certain other requirements and prohibitions imposed by the Act upon “initiators” of emails, will continue to apply to all persons identified in the commercial email.

It added the new definition of “person” to mean any individual, group, unincorporated association, limited or general partnership, corporation, or other business entity. Despite strident calls by commentators to exempt non-profit entities, the FTC refused to do so, stating that consumers were deserving of the protections provided by the Act against all forms of spam, no matter the nature of the sender’s enterprise.

The Act requires senders to include a “valid physical postal address” in any commercial email. The FTC broadened the definition of this term to allow senders to use post office boxes that have been accurately registered with the U.S. Postal Service, or a private mailbox accurately registered with a commercial mail receiving agency operating according to the U.S. Postal Service regulations.

Transactional or Relationship Messages

The FTC considered whether to change the statutory definition of “transactional or relationship messages,” to address various types of messages such as legally mandated notices, debt collection email communications, and employment-related messages. It ultimately declined to make any changes to the statutory definition, since none of the types of messages put forth in the Notice of Proposed Rulemaking met the statutory standard for modifying the definition. Some of the issues raised by the commentators with respect to a particular type of message could be resolved using the “primary purpose test”, as in the case of legally mandated messages, messages concerning copyright infringement or emails messages for the purpose of conducting market research. In the case of others, such as messages from debt collectors, including third party agents, or in the case of most employment-related email messages, the overwhelming majority of such messages will likely fall within the existing definition of “transactional or relationship messages.”

However, the FTC did provide guidance on the interpretation of some particular forms of communication:

Email messages to effectuate or complete a negotiation will be considered “transactional or relationship messages” if issued in connection with a commercial transactions. However, where an unsolicited email delivers an offer to purchase goods or services, and attempts to launch a negotiation as part of the message, it would not fall within the definition of “transactional or relationship messages.”

Email messages facilitating, completing or confirming registration with a “free” internet service where there is no exchange of consideration are likely to be “transactional or relationship messages,” but the FTC was not willing to preclude the possibility that such a message may be commercial even if there is no exchange of consideration.

Where a recipient subscribes to a newsletter or other periodical to be delivered by email, or to which the recipient is entitled as a result of a prior transaction, the FTC would consider such an email to be a “transactional or relationship message,” as opposed to an unsolicited newsletter or periodical to which the recipient has not subscribed, which would likely be considered a commercial message.

Forward-to-a-“Friend” Messages

The FTC was persuaded by the commentators to modify its earlier position on forward-to-a-“friend” messages. This type of message could arise under two different scenarios – where the content of the email message encouraged the recipient to forward the message to others, and where the seller’s web site encouraged visitors to supply others’ email addresses. Rather than attempt to refine the definition based upon the nature and method of forwarding, the FTC established a bright line test that turns on the presence or absence of consideration for the act of forwarding. A seller would not have liability under the Act for the forwarding of these types of email messages so long as the seller did not offer consideration for the forwarding. No matter what the nature (coupons, discounts, rewards) or amount of consideration – even an offer of de minimus consideration – an offer of consideration will be sufficient to cause the seller to be an “initiator” of the forwarded message, and subject the seller to liability under the Act.

No Fee for Opting Out

The FTC adopted a rule prohibiting a sender of commercial emails from imposing a fee upon a recipient for opting out of future unsolicited emails, or from requiring the recipient to provide any information other than a recipient’s email address and opt out preferences.


The CAN-SPAM Act gives the FTC enforcement authority for the Act. In addition, the Act gives the state attorneys general the authority to bring an enforcement action in federal court after giving advance notice to the FTC where possible. Finally, internet service providers may bring a federal court action to enforce certain of the Act’s prohibitions. The enforcement authority given to the FTC is the same as that afforded the FTC under its trade regulation rule authority, meaning that each violation is subject to fines of $11,000 per day, with additional penalties where “aggravated violations” are proven.

Sunday, July 6, 2008

The Other Side of Consumer Data Collection

While I generally consider myself an advocate of strong consumer privacy protection, even I have to admit that there are generally two sides to every invasion of consumer privacy. For example, shopper loyalty programs are criticized for raising consumers' fraud risk, and for leading to a proliferation of annoying telemarketer and junk mail contacts (e.g., here). However, sometimes, the information gathered by grocery stores is used in ways which are unarguably beneficial to consumers. Case in point: product recalls. Before my fourth of July barbecue, I got a call from Kroger's. Apparently, the ground beef I'd purchased earlier in the week had been recalled, and should be thrown away rather than eaten. Of course, they knew who I was and what I'd purchased, because I used my Kroger card to buy the meat, which meant they were tracking my purchases and storing the data.

The bottom line is that the same data type of data collection which leads to annoying circulars and telemarketer calls led to Kroger being able to provide me with information that I really needed. Of course, consumer data collection isn't an unalloyed good, but it isn't an unalloyed evil either. The trick is to find ways to deal with (or regulate) the data collection that maximizes the good while minimizing the harm.