The Secure Times

An online forum of the ABA Section of Antitrust Law's Privacy and Information Security Committee



Canada’s Anti-Spam Law (CASL) – New Guidance on Providing Apps and Software

Canada’s Anti-Spam Law (CASL) targets more than just email and text messages

In our previous post, we explained that on July 1, 2014, Canada’s Anti-Spam Law (CASL) had entered into force with respect to email, text and other “commercial electronic messages”.

CASL also targets “malware”.  It prohibits installing a “computer program” – including an app, widget, software, or other executable data – on a computer system (e.g. computer, device) unless the program is installed with consent and complies with disclosure requirements.  The provisions in CASL related to the installation of computer programs will come into force on January 15, 2015.

Application outside Canada

Like CASL’s email and text message provisions, the Act’s “computer program” installation provisions apply to persons outside Canada.  A person contravenes the computer program provisions if the computer system (computer, device) is located in Canada at the relevant time (or if the person is in Canada or is acting under the direction of a person in Canada).  We wrote about CASL’s application outside of Canada here.

Penalties

The maximum penalty under CASL is $10 million for a violation of the Act by a corporation.  In certain circumstances, a person may enter into an “undertaking” to avoid a Notice of Violation.  Moreover, a private right of action is available to individuals as of July 1, 2017.

CASL’s broad scope leads to fundamental questions – how does it apply?

The broad legal terms “computer program”, “computer system” and “install or cause to be installed” have raised many fundamental questions with industry stakeholders.  The CRTC – the Canadian authority charged with administering this new regime – seems to have gotten the message.  The first part of the CRTC’s response to FAQ #1 in its interpretation document CASL Requirements for Installing Computer Programs is “First off, don’t panic”.

New CRTC Guidance

The CRTC has clarified some, but not all of the questions that industry stakeholders have raised.  CRTC Guidance does clarify the following.

  • Self-installed software is not covered under CASL.  CASL does not apply to owners or authorized users who are installing software on their own computer systems – for example, personal devices such as computers, mobile devices or tablets.
  • CASL does not apply to “offline installations”, for example, where a person installs a CD or DVD that is purchased at a store.
  • Where consent is required, it may be obtained from an employee (in an employment context); from the lessee of a computer (in a lease context); or from an individual (e.g. in a family context) where that individual has the “sole use” of the computer.
  • An “update or upgrade” – which benefits from blanket consent in certain cases under CASL – is “generally a replacement of software with a newer or better version”, or a version change.
  • Grandfathering – if a program (software, app, etc.) was installed on a person’s computer system before January 15, 2015, then you have implied consent until January 15, 2018 – unless the person opts out of future updates or upgrades.

Who is liable?

CRTC staff have clarified that as between the software developer and the software vendor (the “platform”), both may be liable under CASL.  To determine liability, the CRTC proposes to examine the following factors, on a case-by-case basis:

  • was their action a necessary cause leading to the installation?
  • was their action reasonably proximate to the installation?
  • was their action sufficiently important toward the end result of causing the installation of the computer program?

CRTC and Industry Canada staff have indicated that they will be publishing additional FAQs, in response to ongoing industry stakeholder questions.

See: Step-by-Step: How CASL applies to software, apps and other “computer programs”

See also: fightspam.gc.ca, and consider signing up for information updates through the site.




Tributes and a Call to Action – Remembering Aaron Swartz

A year ago, on January 11, 2012, 26-year-old internet activist Aaron Swartz committed suicide while facing up to 35 years in prison and up to $1 million in fines. Charges against him included violations of the Computer Fraud and Abuse Act (CFAA) as a result of “unauthorized access” for downloading millions of academic articles while on MIT’s network. On this first anniversary of his death, a reinvigorated call to action is taking place. The Electronic Frontier Foundation (EFF) has launched a “Remembering Aaron” campaign and is reactivating efforts to reform the CFAA; activists are invoking his name for an upcoming day of action against NSA surveillance, “The Day We Fight Back”, to be held on February 11; lawmakers are demanding answers about the Justice Department’s treatment of Swartz; and a host of articles and other tributes are appearing across the internet.

The EFF’s Remembering Aaron campaign includes a tribute to Swartz’s legacy and kicks off a month of action against censorship and surveillance, toward open access. The EFF is reinvigorating efforts to reform the CFAA, encouraging supporters to send a letter to their legislative representatives that criticizes the law for its “vague language” and “heavy-handed penalties,” and its disregard for demonstrating whether an act was done to further the public good. The letter calls for: “three critical fixes: first, terms of service violations must not be considered crimes. Second, if a user is allowed to access information, it should not be a crime to access that data in a new or innovative way — which means commonplace computing techniques that protect privacy or help test security cannot be illegal. And finally, penalties must be made proportionate to offenses: minor violations should be met with minor penalties.”

In addition to calls to change the CFAA, activists are also calling for a protest against laws and systems that enable government surveillance to run unchecked. Specifically, a mass movement against government surveillance is being organized by a heavy-hitting group of organizations including EFF; the organization Swartz co-founded, Demand Progress; Fight for the Future; Reddit; and Mozilla. Organized for February 11, 2014, “The Day We Fight Back Against Mass Surveillance” invokes Swartz’s legacy in its call for a day of mass protest against government surveillance: “If Aaron were alive, he’d be on the front lines, fighting against a world in which governments observe, collect, and analyze our every digital action.” In a show of support for the planned protest, on the day before the first anniversary of Swartz’s death, Anonymous defaced MIT’s SSL-enabled Cogeneration Project page, displaying a page that called on viewers to “Remember the day we fight back.”

In addition to reinvigorating the fight against laws that are abusive and can be easily abused, the key players in Swartz’s prosecution are also coming under scrutiny: the DOJ and MIT. On Friday, January 10, a bipartisan group of eight lawmakers, Sens. John Cornyn, R-Texas; Ron Wyden, D-Ore.; Jeff Flake, R-Ariz.; and Reps. Darrell Issa, R-Calif.; James Sensenbrenner, R-Wis.; Alan Grayson, D-Fla.; Zoe Lofgren, D-Calif.; and Jared Polis, D-Colo., sent Attorney General Eric Holder a letter calling out inconsistencies between the DOJ’s and MIT’s reports and the DOJ’s lack of forthrightness and transparency. Additionally, the letter issues this demand: “In March, you testified that Mr. Swartz’s case was ‘a good use of prosecutorial discretion.’ We respectfully disagree. We hope your response to this letter is fulsome, which would help re-build confidence about the willingness of the Department to examine itself where prosecutorial conduct is concerned.” In Boston Magazine’s Losing Aaron, Bob Swartz, Aaron’s father, voices his deep disappointment in MIT and articulates specific ways in which he believes the institution was complicit in the DOJ’s draconian prosecution, which contributed to Aaron’s suicide.

Additional tributes to Swartz this month include a documentary by Brian Knappenberger, The Internet’s Own Boy: The Story of Aaron Swartz, which will play at the Sundance Film Festival beginning this week. In Wired Magazine’s article, One Year Later, Web Legends Honor Aaron Swartz, author Angela Watercutter notes “Swartz’s fight for rights online has only been brought more intensely into focus in the year since his death, largely due to NSA whistleblower Edward Snowden. To see him talk about government spying in [Knappenberger’s] documentary at a time before the Snowden leaks is especially chilling now.” Further, in Knappenberger’s forthcoming documentary, web visionaries, including founders of the World Wide Web and Creative Commons, speak of Swartz’s work and legacy:

“I think Aaron was trying to make the world work – he was trying to fix it… he was a bit ahead of his time.” – Tim Berners-Lee

“He was just doing what he thought was right to produce a world that was better.” – Lawrence Lessig




Failure to Plead Loss Causation in Class Action Suit Against Amazon Leads to Dismissal

Judge Robert S. Lasnik of the Western District of Washington last week granted Amazon’s motion to dismiss in the class action suit Del Vecchio et al v. Amazon.com, Inc. Plaintiffs may now file an amended complaint within 30 days.

Plaintiffs alleged that Amazon, the famous online retailer, placed browser cookies on their computers against their wishes by “exploiting” a shortcoming in the cookie filtering function of Microsoft’s Internet Explorer browser, and that Defendant intentionally published a “gibberish” website policy to deceive Plaintiffs’ browsers into accepting Defendant’s cookies despite their filter settings.

Plaintiffs also alleged that Amazon retooled Flash cookies so that they would behave as traditional browser cookies in order to be accepted by Plaintiffs’ browsers, and that the online retailer used the personal information thus gathered and also shared it with third parties, despite the terms of its Privacy Notice.

Plaintiffs claimed to have been injured by Amazon’s misappropriation of their personal information, in which they have economic and property interests, and also by damage to and consumption of their Computer Assets, leading to economic harms, including “devaluation of personal information, [and] loss of the economic value of the information as an asset” and diminution of the performance and value of their computer resources.

However, Judge Lasnik granted Amazon’s motion to dismiss because Plaintiffs failed to plead plausible losses.

Diminished Performance of Plaintiffs’ Computers

Plaintiffs alleged that, by transferring cookies to Plaintiffs’ computers, Amazon diminished their performance and caused an interruption in service, but Judge Lasnik considered these merely “naked assertions.”

Monetary Value of Personal Information

The Computer Fraud and Abuse Act (“CFAA”) punishes unauthorized access to a protected computer, and provides for a civil remedy “unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period.” Therefore, the issue of the value of the loss (more or less than $5,000) was one of the questions presented to the court.

According to Judge Lasnik’s order, the facts of the case do not allow the Court “to reasonably infer that those losses plausibly occurred in this case, let alone that they totaled $5,000.” Plaintiffs argued, for example, that by acquiring their personal information, Amazon deprived them “of the opportunity to exchange their valuable information,” but such deprivation is “entirely speculative” according to Judge Lasnik. However, Judge Lasnik did not entirely reject the idea that personal data may have value, as he adds: “[w]hile it may be theoretically possible that Plaintiffs’ information could lose value as a result of its collection and use by Defendant, Plaintiffs do not plead any facts from which the Court can reasonably infer that such devaluation occurred in this case.”

The issue of proving the value of personal data is quite interesting… How could one measure the value of one’s personal information? Is the personal information of a gold or platinum card member more valuable than that of a basic member? Should sites like Klout, which uses algorithms to grade one’s reputation on several social media sites, be introduced as evidence? It will be interesting to read Plaintiffs’ amended complaint in the coming weeks.



Recent Class Action Highlights Risk of Using Mobile Tracking “Cookies”

A class action lawsuit was filed on September 16, 2010, alleging that the lead defendant, Ringleader Digital, Inc., and several website operators utilizing Ringleader Digital’s technology have violated the plaintiffs’ privacy rights by illegally tracking individuals’ mobile internet activity without their permission. This appears to be the first class action lawsuit involving tracking of mobile devices’ internet activity and is very similar to the series of class action lawsuits filed over the last few months focusing on “Flash cookies” (including Valdez v. Quantcast Corp., White v. Clearspring Technologies, Inc. and La Court v. Specific Media, Inc.), as covered by the Wall Street Journal and the New York Times. (The Flash cookie cases were also covered in the Privacy and Information Security Committee’s July-August and September Updates, materials for which are available to committee members here.)

A main point of contention is Ringleader Digital’s use of HTML5. HTML5 is a next-generation open standard currently under development by the World Wide Web Consortium, but it has already been adopted by companies such as Apple instead of Adobe Flash on its iPhone, iPod and iPad products. The HTML5 standard provides website operators the ability to locally store information on a user’s computer or mobile device. The local storage feature provides benefits, such as allowing users to use website features offline, but also allows a website operator to implement “cookie” functionality because large amounts of data regarding a user’s internet history can be stored.

The complaint alleges that Ringleader Digital developed technology, known as Media Stamp™, utilizing HTML5 local storage databases to create the mobile equivalent of a third-party online cookie. The complaint also alleges that the Media Stamp technology assigns users a unique identifying number and allows Ringleader Digital, advertisers, ad agencies and website publishers to create a local HTML5 database to track a mobile device’s internet activities over multiple websites.

The lawsuit relies on similar legal bases as the Flash cookie lawsuits. The main thrust of all claims is that Ringleader Digital and the other defendants violated privacy laws by tracking a mobile device’s internet activity with no disclosure that they were doing so and without authorization. The plaintiffs also allege that the tracking databases created by the defendants would be recreated even after the plaintiffs deliberately tried to remove them, which is similar to the “re-spawning” or “zombie” aspect of Flash cookies.
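The three paragraphs above describe the mechanism at issue: an opaque identifier written into HTML5 local storage, readable across sites, and recreated after the user deletes it. The script below is an added example written for this page; it is not code from the complaint, from Ringleader Digital, or from the Media Stamp product, and it shows only the defender's side: how a user or administrator can audit a browser's Web Storage for values that look like persistent tracking identifiers and remove them. The `MemoryStorage` class is a stand-in for the browser `Storage` interface so the script runs offline; in a page it would be called with `window.localStorage` instead. The identifier heuristic (length, character set, Shannon entropy threshold) and the sample entries are this example's own assumptions and constructions.

```javascript
// Added example: audit a Storage-like object for values that resemble opaque
// tracking identifiers (UUIDs or long high-entropy tokens) and remove them.
// Heuristic only: it may flag a legitimate session token and will not see an
// identifier hidden inside a JSON blob; tune the threshold for your own data.

function shannonEntropy(str) {
  // Bits per character of the empirical character distribution.
  const counts = new Map();
  for (const ch of str) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / str.length;
    h -= p * Math.log2(p);
  }
  return h;
}

function looksLikeIdentifier(value) {
  if (typeof value !== 'string') return false;
  const v = value.trim();
  // RFC 4122 style UUID: flag regardless of entropy.
  if (/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i.test(v)) return true;
  // Otherwise: 16..128 chars drawn from hex/base64/url-safe alphabets with
  // at least 3.5 bits/char of entropy (assumed threshold, not a standard).
  if (v.length < 16 || v.length > 128) return false;
  if (!/^[A-Za-z0-9+/=_-]+$/.test(v)) return false;
  return shannonEntropy(v) >= 3.5;
}

// Walk any object exposing the Storage interface (length, key(i), getItem,
// removeItem) and collect suspicious entries without modifying anything.
function auditStorage(storage) {
  const findings = [];
  for (let i = 0; i < storage.length; i++) {
    const key = storage.key(i);
    const value = storage.getItem(key);
    if (looksLikeIdentifier(value)) findings.push({ key, value });
  }
  return findings;
}

// Remove the flagged entries; returns the keys that were deleted. Note that a
// re-spawning tracker will write the value again on the next page load, so
// this is a point-in-time cleanup, not a substitute for blocking the script.
function clearFlagged(storage) {
  const findings = auditStorage(storage);
  for (const { key } of findings) storage.removeItem(key);
  return findings.map((f) => f.key);
}

// Minimal in-memory stand-in for window.localStorage (assumption: same API).
class MemoryStorage {
  constructor(entries = {}) { this._m = new Map(Object.entries(entries)); }
  get length() { return this._m.size; }
  key(i) { const keys = Array.from(this._m.keys()); return i < keys.length ? keys[i] : null; }
  getItem(k) { return this._m.has(k) ? this._m.get(k) : null; }
  setItem(k, v) { this._m.set(k, String(v)); }
  removeItem(k) { this._m.delete(k); }
}

// Constructed sample contents: ordinary site preferences plus two values of the
// kind a cross-site tracker would store. Not taken from any real site.
const SAMPLE = {
  theme: 'dark',
  lastVisited: '2014-01-11',
  cart: '{"items":[]}',
  ad_uid: '7f3c9a1e-5b2d-4c8e-9a0b-1d2e3f4a5b6c',
  ms_track: 'Qm9yaW5nVHJhY2tlcklkMTIzNDU2Nzg5MA',
};

function runDemo() {
  const storage = new MemoryStorage(SAMPLE);
  const flagged = auditStorage(storage).map((f) => f.key);
  clearFlagged(storage);
  return { flagged, remaining: storage.length };
}

console.log(runDemo()); // { flagged: [ 'ad_uid', 'ms_track' ], remaining: 3 }
```

The audit deliberately separates detection (`auditStorage`) from cleanup (`clearFlagged`) so the findings can be logged or shown to the user before anything is deleted. Because the complaint alleges the databases were recreated after removal, a one-off cleanup only confirms the behaviour; durable mitigation lies in the browser's storage controls or in the site operator's disclosure and consent practices, which is exactly what the lawsuit turns on.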

The claims asserted include violations of the federal Computer Fraud and Abuse Act (18 U.S.C. § 1030) and the following California laws: Computer Crime Law (Cal. Penal Code § 502), Consumer Legal Remedies Act (Cal. Civil Code § 1750), Unfair Competition Law (Cal. Bus. & Prof. Code § 17200), Invasion of Privacy Act (Cal. Penal Code § 630), common law trespass to personal property, and unjust enrichment.

A copy of the complaint is available here.



Authorized computer access by departing employee not CFAA violation

A departing employee who copied proprietary files while still having full access to his employer’s protected computer databases did not access information “without authorization” or otherwise “exceed authorized access” under the Computer Fraud and Abuse Act (CFAA). Diamond Power Int’l, Inc. v. Davidson, No. 1:04-cv-1708, 2007 U.S. Dist. LEXIS 73032 (N.D. Ga. Oct. 1, 2007). The court granted summary judgment to the defendant on the CFAA claims, but let stand other related trade secret and contract claims based upon the employee’s forwarding of confidential company information to his new employer. The court found that the employee could not be liable under the CFAA because there was no dispute that he was authorized to initially access the company computers and that his level of authorized access included permission to obtain the specific data in question. The court, in reaching its conclusion, recognized a split in the circuits as to the interpretation of this aspect of the CFAA. Nevertheless, the court rejected the plaintiff’s argument, based upon the Seventh Circuit opinion in International Airport Centers, L.L.C. v. Citrin, 440 F.3d 418 (7th Cir. 2006), that an employee exceeds his authorized access when he obtains company information for an allegedly improper purpose.




Authorized Computer Access By Employee Not CFAA Violation, Despite Intent To Misuse Information


A departing employee who copied client files while still having full access to his employer’s computers did not “exceed authorized access” under the Computer Fraud and Abuse Act (CFAA), despite the defendant’s improper use of the files and alleged breach of company policy. Brett Senior & Assoc. v. Fitzgerald, No. 06-1412, 2007 U.S. Dist. LEXIS 50833 (E.D. Pa. July 13, 2007). The court granted summary judgment to the defendant on the CFAA and related state claims, but let stand the breach of fiduciary duty claim for the defendant’s telephone solicitation of clients while he was still in the plaintiff’s employ. The court found that the defendant could not be liable under the CFAA because there was no allegation that the defendant lacked authority or “exceeded authorized access” to view any information in the plaintiff’s computer system. The court rejected the plaintiff’s argument, based upon the Seventh Circuit opinion in International Airport Centers, L.L.C. v. Citrin, 440 F.3d 418 (7th Cir. 2006), that an employee exceeds his authorized access when he obtains company information for an allegedly improper purpose.

Opinion: http://www.thelen.com/tlu/BrettSeniorVFitzgerald.pdf




Allegation that payment processing software installed “spyware” states claim under federal and New Jersey Computer Fraud Statutes

An allegation that payment processing software installed unauthorized “spyware” on the purchaser’s server that diverted confidential customer data to the software developer makes out a claim under the federal and New Jersey computer fraud statutes. Slim CD, Inc. v. Heartland Payment Systems, Inc., No. 3:06cv2256, 2007 U.S. Dist. LEXIS 62536 (D.N.J. Aug. 24, 2007). The district court declined to dismiss the software purchaser’s claims under the New Jersey statute, rejecting the developer’s argument that the statute required a showing of how the developer had used the diverted information for its own benefit. The court also ruled that the purchaser had properly alleged damages in excess of $5,000 within one year under the federal computer fraud statute.