Presented at the March 24, 2015 meeting of the downtown Joomla Chicago users group by Walter Kawula
In this presentation, top Chicago IP attorney Walter J. Kawula of Husch Blackwell provides legal insights on software development, patents and the rapidly evolving regulatory environment, addressing GPL compliance, software release problems and "legal bugs" that might trip up your software and SaaS business efforts. Discover the developing standards of the Federal Trade Commission and other organizations which affect developers' due diligence and application of fair principals for online identification and authentication.
2. Disclaimer
The views I express here today are my own opinion. They are not necessarily the views of my law
firm, Husch Blackwell LLP. These materials are for informational purposes only and are not legal
advice. This presentation and the information contained herein are intended, in part, to alert the
audience to some legal issues. Any information contained herein is not intended as a substitute for
legal counsel. Walter Kawula does not warrant this information for any purpose. This presentation
shall not constitute legal advice or create an attorney-client relationship. The laws referenced in this
presentation may have changed or could be affected by case law developments. Do not rely on these
presentations or your interpretation of same for any purpose. If you have a specific legal question you
should consult with a properly licensed lawyer. Do not send Walter Kawula or any person at Husch
Blackwell LLP confidential information until you speak with one of our attorneys and get authorization
to send that information to us. I may decline to answer questions posed to specific legal issues. Do
not take a refusal to answer specific legal questions personally. Speaking of “personally,” did you
know that I like coffee? Sure, we all do, but I mean I really, really like coffee. Probably more than
most folks. In fact, as I’m writing this, I’m on my third cup of the morning, and I’m about to go top off
again. But, hey, enough about me. How’s life been treating you?
3. Moving Right Along . . .
TL; DR
● I am not your lawyer
● Don’t tell me anything confidential
● This isn’t legal advice
4. 2014 Highlights
"Snapchat agrees to settle FTC charges that it
deceived users"
Washington Post, May 2014.
"Why Retailers Became a Top Target of Patent
Trolls"
Wall Street Journal, July, 2014
"SFLC releases GPL Compliance Guide second
edition"
Software Freedom Law Center, Nov. 2014
5. Influences on Web Design
Website Operator Website Developer
Requirements
Desired Functionality
Functional Website
FTC
NIST
Open Source
Community
Patent
Trolls
6. Why Should I Care (Part 1)
What does it mean to you if your web design gets
your client or your company into a lawsuit or
other legal action?
Bad Times.
8. Software Development Agreements
Have you agreed to:
● Warrant Against Infringement?
● Assume Defense of Lawsuits?
● Pay Damages Incurred By Your Client?
9. Principles of Data Collection and Use
Fair Information Practice Principles (FIPP)
● National Strategy For Trusted Identities In
Cyberspace
● National Institute of Standards and Technology
(NIST)
● Federal Trade Commission (FTC)
10. Information Technology Lab at NIST
● Sets principles, guidelines, and frameworks for data
security and data privacy.
● Vetting the Security of Mobile Applications (S.P. 800-163)
● Cloud Computing Synopsis and Recommendations (S.P. 800-146)
● Sets data security requirements for entities that contract
with the federal government.
● Security and Privacy Controls for Federal Information Systems and
Organizations (S.P. 800-53)
11. FIPP -- Fair Information Practice Principles
● Benchmark used by the DHS, FTC, White
House and others.
● Concerns Personally Identifiable Information
(PII)
● Name, address, SSN, etc.
● Certain combinations of data.
● Not everything applies here, so we will
discuss a sub-set.
12. FIPP -- Fair Information Practice Principles
● Transparency
● Individual Participation
● Data Minimization
● Use Limitation
● Security
● Accountability and Auditing
13. FIPP: Transparency
● Transparency means notifying individuals
regarding collection, use, sharing, and
maintenance of PII.
● People writing the notifications need to know:
● what PII is being collected and used
● what third parties have access to collected PII
14. FIPP: Individual Participation
● Individual Participation means:
● involving the individual in the process of using PII
● to the extent practicable, seeking individual consent for
the collection, use, sharing, and maintenance of PII.
● Options must be effective!
15. FIPP: Data Minimization
● Data Minimization means collecting only that
PII that is directly relevant and necessary to
accomplish specified purposes of the app.
● Can you accomplish the purpose and collect
less information than originally
contemplated?
● Accumulation of PII = Accumulation of Risk
16. FIPP: Use Limitation
● Using PII solely for the purposes specified in
the notice.
● Any sharing PII should be for a purpose
compatible with the purpose for which the PII
was collected.
● Third party analytics, advertisers, etc.
17. FIPP: Security
● PII should be protected through appropriate
security safeguards against risks such as loss,
unauthorized access or use, destruction,
modification, or unintended or inappropriate
disclosure.
18. FIPP: Accountability
● Accountability includes:
● complying with these principles
● providing training to all employees and contractors who
use PII
● auditing the actual use of PII to demonstrate compliance
with these principles and all applicable privacy protection
requirements
20. Snapchat -- What did they do?
● "Snaps" were saved and accessed in ways
inconsistent with privacy policy.
● Security breach attracted FTC attention to
terms of service and privacy policies
concerning collecting and use of consumers’
data.
● Bad Times.
21. Federal Trade Commission
● Security Breaches involving consumer PII
● Insufficient Notice / Consent to Collect
Information
● False or Misleading Representations
Concerning Web App’s Use of Data
● Parallel concerns as FIPP
22. Basis for FTC Actions
● No explicit statutory authority to police web
applications.
● Relies on traditional authority to:
o Protect Consumers
o Prevent Fraud, Deception and Unfair Business
Practices
23. Basis for FTC Actions
● Protect Consumers
o Security breaches are harmful to consumers that
use the website.
● Prevent Fraud, Deception and Unfair
Business Practices
o Insufficient notice of collection and use of data
o Misleading assurances of data security
o False representations regarding web app operation
24. FTC Expectations
● 2012 Report Protecting Consumer Privacy in an Era of
Rapid Change: Recommendations for Businesses and
Policymakers.
o Privacy by Design
Data Security
Reasonable Collection Practices
Retention Limits
o Simplified Consumer Choice
o Transparency
25. FTC Complaint -- False Representation
8. From October 2012 to October 2013, Snapchat disseminated, or caused to be
disseminated, to consumers the following statement on the “FAQ” page on its
website:
Is there any way to view an image after the time has expired?
No, snaps disappear after the timer runs out. …
9. Despite these claims, several methods exist by which a recipient can use tools
outside of the application to save both photo and video messages, allowing the
recipient to access and view the photos or videos indefinitely.
FIPP: Security, Transparency
26. FTC Complaint -- Easily Defeated Security
14. Snapchat claimed that if a recipient took a screenshot of a snap, the sender
would be notified. On its product description pages, as described in paragraph 7,
Snapchat stated: “We’ll let you know if [recipients] take a screenshot!”
15. However, recipients can easily circumvent Snapchat’s screenshot detection
mechanism. For example, on versions of iOS prior to iOS 7, the recipient need
only double press the device’s Home button in rapid succession to evade the
detection mechanism and take a screenshot of any snap without the sender being
notified. This method was widely publicized.
FIPP: Security, Transparency
27. FTC Complaint -- Over Collection
20. From June 2011 to February 2013, Snapchat disseminated or caused to be
disseminated to consumers the following statements in its privacy policy:
We do not ask for, track, or access any location-specific information from
your device at any time while you are using the Snapchat application.
22. Contrary to the representation in Snapchat’s privacy policy, from October
2012 to February 2013, the Snapchat application on Android transmitted Wi-Fi-
based and cellbased location information from users’ mobile devices to its
analytics tracking service provider
FIPP: Transparency, Individual Participation, Use Limitation
28. FTC Complaint – Misleading Collection
25. . . . During registration, the application prompts the user to “Enter your mobile
number to find your friends on Snapchat!,” implying – prior to September 2012 –
through its user interface that the mobile phone number was the only information
Snapchat collected to find the user’s friends . . .
26. However, when the user chooses to Find Friends, Snapchat collects not only
the phone number a user enters, but also, without informing the user, the names
and phone numbers of all the contacts in the user’s mobile device address book.
FIPP: Transparency, Individual Participation, Acountability
29. Snapchat Take-Aways
Notice and Consent must be in sync with what
the application actually does.
● Collecting geolocation information is OK
● Collecting address book information is OK
● Providing third party access via API is OK
IF:
You provide appropriate notice of collection and the use of
the data is reasonably related to the use of the application.
30. Snapchat Take-Aways
Make life easier for your website operators:
● collect only the information necessary for the
application
● communicate to website operator what information
the application collects and how it is used
● advise website operator of any third party access to
collected information
o including extensions
● read the website’s privacy policy
31. Patent Lawsuits Against Retailers
The Actors that bring nuisance lawsuits against broad
swaths of an industry go by various names:
● Non-Practicing Entities
● Patent Assertion Entities
● Patent Trolls
● [Redacted]
33. Just some of the cases
● Lodsys Group LLC v. Bed Bath & Beyond, Brooks Sports, John Wiley &
Sons, and J&P Cycles
● Lodsys Group LLC v. B&H Foto & Electronics, Charter Communications,
Corbis, Lamps Plus, and Nordstrom
● Lodsys Group LLC v. MakeMyTrip.com, Meijer, Musician's Friend, Nuance
Communications, Sandisk, and Sirius XM Radio
● Lodsys Group LLC v. Burberry Ltd., Dover Saddlery, Freescale
Semiconductor, Godiva Chocolatier, and Hanna Andersson
● Lodsys Group LLC v. Crocs, Oriental Trading Company, Somerset
Investments and Saks
35. Shopping Cart
• eDekka sued more than 100 companies for
patent infringement.
• Suits alleged that "making and/or using one
or more websites that include 'shopping cart'
functionality" as the infringing activity.
37. The Tide is Beginning to Turn
• Patent Office Review
• Covered Business Method patent post-grant review.
• Inter Parte Review
• "Patent Death Panel"
• Legislative Efforts
• Increase pleading requirements.
• Cost shifting onto losing party.
38. The Tide is Beginning to Turn
• Alice v. CLS Bank
• Supreme Court case from 2014 holding "abstract
idea" computer-related patents ineligible.
• Hundreds of computer-related patents are being
invalidated, lawsuit filings are down.
• Law still coalescing around what claims are ineligible
"abstract idea" claims, and which are sufficiently
definite for patent protection.
39. SFLC on Compliance
"Non-compliance with GPLv3 in the distribution
of Javascript on the Web is becoming more
frequent, and although no disputes have so far
resulted, in the absence of more careful
compliance activity in this area they are
eminently foreseeable."
Software Freedom Law Center
Guide to GPL Compliance 2nd Edition
40. GPL Concerns
• Joomla (and many extensions) are licensed
under GPLv2.
• If website is non-compliant, the GPL license
terminates automatically.
• Unlicensed website -> copyright infringement.
• Bad times.
41. GPL Compliance
• What triggers obligations under GPL?
• Distribution of program
• Modification of program
• Conflicting requirements are not an excuse.
• "If you wish to incorporate parts of the Program into
other free programs whose distribution conditions
are different, write to the author to ask for
permission."
42. Distribution
• Purely internal use does not trigger source
code sharing and attribution requirements.
• Code downloaded into a browser might be a
a "distribution" of "non source" form
program.