Category:Law

The Latest Case Against Facebook

On May 5, 2010, The Electronic Privacy Information Center (EPIC) filed a complaint with the FTC regarding Facebook’s privacy practices (or lack thereof).

The biggest two complaints, to my reading, are that (1) Facebook unilaterally tried to convert some information previously designated as private to public; and (2) Facebook changed its developer data retention policy to allow developers to retain end user data indefinitely.

Neither of these changes benefits end users, no doubt. But, what I’m fascinated to see is that today, a mere 12 days after the complaint, the user experience is significantly different from the experience described in the complaint (notably, the experience is more protective of users’ data when compared against the experience described in the complaint).

The legal process is slow and cumbersome and using it to argue with a quick and nimble internet-based adversary is going to be frustrating, to say the least. However, where end users are concerned, perhaps the quick responsiveness of Facebook is a benefit. If enough people complain, they just roll out a fix, long before the Feds or the courts order them to do so. Certainly, this means that the fix is likely to be on Facebook’s preferred terms, rather than what the court or Feds order, but isn’t a quick fix better than a long period of open sharing without a fix (when it comes to privacy)?

I’m not saying I approve of Facebook’s most recent blunders. But, I do applaud their quick “opt-in” and “opt-out-of-all” additions after the complaint about the blunders. And, I’m fascinated to see how or where the law fits in this world where the facts upon which any legal claims may be based are so ephemeral.

The Real Risks of Open Source Software

Every software start-up company I’ve ever worked with uses (or did use) some form of open source software. And yet, high level executives and board members at many of these companies, when asked whether their company uses any open source software, would regularly answer, “No” without hesitation.

Where is this disconnect coming from? Open Source Software is often perceived as “risky” or “untested” or “a liability nightmare” or, in the worst case, “an infectious disease” by some business folks, while most technical software people believe the correct use of open source software to carry minimal risk.

Risky?

There are risks associated with using any third party’s software. When that third party is unidentified, not bound by a support agreement, based out of a foreign country, and/or impossible to get a hold of, then yes, it is fair to say that using it would be “risky” when compared with an established company with a business reputation to protect and an SLA to cover errors.

Untested?

In some cases — it’s true. There are many untested open source projects out there. These tend to be associated with a handful of developers instead of an active community, and a little due diligence should be able to help a start-up understand whether this particular ill is a problem with the open source software they are considering using.

A Liability Nightmare?

This is, by far, the most complicated issue I face as an attorney who deals with open source issues. At its most basic, the liability equation associated with open source software is the same as that associated with any third party component. The third party would like to disclaim liability for your use of their product.

The benefit of many proprietary software licenses is that the licensor may provide limited coverage for Intellectual Property claims related to their software. But, most software publishers go to great lengths to limit the amount and type of liability they will cover relating to a third party’s use of their software.

The typical open source license expressly disclaims all liability associated with the use of the software — effectively, it comes “AS IS” on a pure “BUYER/USER BEWARE” basis. On the other hand, if you read the license agreements of proprietary software carefully, you will find that most software (unless you pay quite a bit for it), comes with an express limitation on liability that is on the order of magnitude of the purchase price. It is consistent with the approach taken by proprietary software publishers that open source authors are liable for damages on the order of magnitude of the license fee they receive (e.g. $0).

An Infectious Disease?

One flavor of open source licenses places conditions of “freedom” upon the use of the licensed code. The most famous of these licenses are the GPL, LGPL, and the AGPL. Essentially, these licenses require, as a condition of some uses or distributions, that software code combined with code licensed under these licenses must also be made available under the same license.

These conditions make these types of licenses “viral” because they may extend the license terms to some of the additional code (e.g. the start-up’s code) that the licensed code touches.

The key word in the previous sentence is *MAY.*

Actual Risk

The thoughtful evaluation of the issues outlined above and a comparison of the likely downside against the monetary benefit of using an open source component brings a start-up to understand what I call the “Actual Risk.”

By far, the most complicated part of the Actual Risk evaluation is the technical and legal analysis related to viral licenses. However, a technical read of the license by a knowledgeable tech attorney and code review with an engineer is likely to provide a good engineer or architect with comfort that the start-up’s use of a particular open source component is not subjecting the start-up’s code base (or the portion of the code base that they care about keeping proprietary) to any “viral” risk.

The Resource Risk

Investors and potential acquirors will want their own attorneys or possibly even code auditors to assess the Actual Risk, regardless of how correct the start-up’s own analysis may be. This investigation and analysis is a time and resource drain that can be minimized by good record keeping, but can never be entirely eliminated. Even in the event of zero Actual Risk, a company will incur some Resource Risk in connection with their use of open source software.

The FUD Risk

No matter what the final conclusion may be after the Resource Risk and the Actual Risk have been assessed and assumed by a start-up, there is the risk associated with the fact that a board member or a CEO will have to answer “Yes” to the question “Do your products contain open source?” A board member or CEO may not have the time to understand the outcomes and analysis of the folks who have willingly taken on the Resource Risk and the Actual Risk. If challenged, a board member or CEO needs to feel confident that they can answer the question honestly, without incurring undue scrutiny or concern. In my opinion, the biggest risk associated with the use of open source software (assuming there is no Actual Risk that hurts the start-up’s business) is the FUD risk.

The best way to combat the FUD risk is to educate board members and CEOs so that they can comfortably speak about the company’s intelligent use of open source software as a cost reduction tool in areas where the Actual Risk is minimal or non-existent and the Resource Risks are less than the costs of the proprietary alternatives.

How To Find Your Start Up Lawyer

There are any number of ways to go about finding the lawyer that is the right fit for your new company. Matt Bartus recently posted his thoughts on some of the questions you should ask.

Overall, I agree with Matt, you should ask all of the questions he poses and evaluate the answers. However, I have a few additional points that you may wish to consider:

1. If you are bootstrapping your company entirely, and do not expect or intend to take any venture financing because you intend to build a successful cash business that you want to privately control, you may need to question much of the traditional “start-up” legal (and business) advice.

Specifically, if you are covering your own costs out of pocket, you will probably be best served by finding two or three good specialized solo attorneys or attorneys at smaller law firms who specialize in the types of services you will need for small emerging businesses. These attorneys are likely to offer fast responses to your needs in the areas where you have issues, but they will have significantly less overhead (and thus significantly lower fees) than a traditional large law firm.

While many large law firms defer billing if they believe you will be getting venture capital funding or if you will be experiencing a liquidity event in the near future, if that is not your goal, it is likely that you will be asked to pay your fees to keep your account current.

2. The large law firm industry’s focus on “Senior Attorneys,” “Junior Attorneys,” and “Partners” is very different from the meritocracy within the start-up culture.

Rather than focus on how advanced an attorney’s skill set is, most large law firms categorize attorneys solely based on the number of years that each attorney has been in legal practice. This means that, in most firms, the titles are not related to how talented or how effective the attorneys are (with the exception of equity partnership, which often is an indicator of excellence as it is peer-selected).

It is possible that a Junior Attorney is actually a professional with 15 years of relevant business experience coupled with 2 years of legal training. In fact, at one law firm where I worked, an individual with a PhD and 18 years of relevant biotech experience started on day one as a “first year associate” in patent prosecution alongside his 24-year-old colleagues who hadn’t worked a day in the professional world. So, while I would agree with Matt that Junior Attorneys are often not more cost effective than attorneys with more experience, that is not always the case.

On the other end, it is possible in some law firms to earn a business card with the title of “Partner” after a set number of years (often 7 or more) so long as the attorney has billed the requisite number of hours each year. In these law firms, the partnership is often stratified between equity partners, income partners, partial equity partners, etc. An income partner may or may not be very talented, but the “Partner” title alone is not sufficient to guarantee that they will provide the skills you need. So, again I agree with Matt: ask for references and follow up.

3. A good solo or small firm attorney can act like in-house counsel — a cost-effective go-to first responder who evaluates the risks and, if necessary, can act as a gatekeeper to help manage the additional service providers who may be necessary to get the job done.

I work in many capacities with my clients, but the most common role I play is this — my clients have identified that the majority of their day-to-day legal needs fall into the category of “commercial contracts” that focus on intellectual property in all of its forms, services, and money. Because this is my specialty, I provide them drafting, editing, advice and legal analysis in this category, and when they ask for something outside of my expertise, I explain my relative inexperience, and let them know that I have a choice:

a) If I think it’s close to my practice area I can do the research and determine whether I think I can learn what I need to know to do a good job and then offer to do it while writing off my professional education time; or

b) I can refer them to someone I believe is a good fit for their needs.

In this way, my role as a solo practitioner is much more like the role a dedicated in-house counsel plays within larger companies (in fact, I work on-site to support an in-house legal department of a public company one day per week, and in that capacity, I’ve been impressed by how important management of outside law firms is to running a successful legal department).

So, yes, a solo practitioner or small firm attorney who specializes in transactional work can’t walk down the hall and ask a litigation partner how to manage a dispute. But, if they are good, they should have a great network of qualified attorneys to whom they can refer. They can call litigators with whom they are currently working (I’m working with two litigation partners on a dispute for one of my clients right now), or with whom they’d like to work in the future (I’ve had several litigators take me out to lunch to pitch their expertise and desire to work with my clients) and ask for some professional courtesy advice.

A solo or small firm attorney can refer you to the best fit, no matter who they are, without fear of offending “the attorney down the hall.” And, if you do (and I hope you don’t) find yourself in need of a litigator, a good solo (like a good in-house counsel) can help you manage a competitive bidding process to ensure you get the best fit at the most cost effective price for your needs.

Paul Ohm: Anonymization Has Failed

I recently had the privilege of attending a talk where Paul Ohm presented the main ideas behind his latest research paper.

I found his reporting on re-identifying users from supposedly non-personally identifiable information fascinating:

- 87.1% of Americans can be uniquely identified by their 5-digit zip code combined with the date, month, and year of their birth.

- 80% of anonymized Netflix users could be uniquely identified by 3 movie reviews (movie, date, review value).

His take-home message?

Data can either be useful, or perfectly anonymous, but never both.

The majority of laws and contracts dealing with personal information draw a line between “personally identifiable information” and “non-personally identifiable information” (aka aggregate, anonymous data).

But, if you can use non-personally identifiable information to derive personally identifiable information, then the two categories collapse into one.

It will be interesting to see how advertisers, social networks, governments, and end users respond to the reality that the separate categories we’ve built into the laws and contracts may not actually exist.

Non-Competition Agreements

California’s strong public policy against non-competition agreements is one of the reasons why Silicon Valley exists.

In most states, at the time of hiring or during employment, employers can require employees to sign an agreement not to compete with the employer’s business after termination of employment, so long as the agreement is *reasonable.* Each state has a different interpretation of what is *reasonable* but in general, in those states, the agreement must be limited in three ways:

1. The scope of the business that is considered competing,
2. The territory where the employee is not allowed to compete, and
3. The length of time during which the employee may not compete.

In California, however, Business and Professions Code 16600 expressly prohibits employers from requiring employees not to compete with them after their employment has ended, in any way (regardless of how employment may have ended):

Except as provided in this chapter, every contract by which anyone is restrained from engaging in a lawful profession, trade, or business of any kind is to that extent void.

This policy in support of “freedom of movement” of employees is very strong in California. In 1872, just seven years after the abolition of slavery and indentured servitude via the 13th Amendment, the legislature parted with the English common law “rule of reasonableness” standard for non-competition agreements and enacted Civil Codes 1673-75, the precursors to today’s Business and Professions Code 16600-16602.

The courts have applied these statutes and the public policy over the years to show that unless you fall into one of the narrow statutory exceptions (set forth in 16601-16602.5) where a non-competition agreement is acceptable, the contract is void, and, in fact, may be the basis of tort claims against the employer who required you to sign it.

This means that in California, an employee could leave Google and immediately start a software start-up in Mountain View, whereas in Boston, that same Google employee may be subject to a contract that would mean she couldn’t start a software company in the same location for a year, or possibly even longer.

This provision does not give employees permission to utilize their former employer’s trade secrets in their new businesses, of course, but it does give them the freedom to apply their generally applicable skills in a new venture that may be competitive with their former employer.

We can thank the California legislators of 1872 and the judges who have applied this law and the policy in support of each individual’s right to work in his or her chosen profession for helping to create an environment where so many new technology companies can be started and thrive.

Open Source Legal Docs?

Ted Wang, with the support of Andreessen Horowitz, recently posted some open source legal document forms for companies seeking seed funding.

It’s an interesting concept, and in the abstract, one that I’ve been thinking about for quite some time.

I think, in general, the open source software movement has changed the game.  Not by devaluing the skills of the individual developers, but by decentralizing the control of the software they write from the few corporations to the many of the masses.

This change has resulted in amazing progress in some areas, and, of course, ridiculous amounts of navel gazing in others.  But, at a high level, what it’s really done is to move the value associated with the software from the centralized control of powerful corporations to the decentralized control of the skilled individuals who contribute the copyrighted works.

And, in doing so, it’s shown that in many contexts, the value of open source software is not in the copyright to the code of a particular project, but rather in the goodwill of the community that is supporting, maintaining, and potentially following the direction of the steward of the code of that project.

By analogy, it’s not like posting documents that are freely available in the legal start-up space is a new move.  The National Venture Capital Association has made its standard forms available for many years.

But, the difference with Series Seed is the stated goal.  The open legal document movement, if it is to succeed where it applies to start up companies, is in desperate need of a dedicated community, and most likely, a community-trusted steward who will take this project on and protect it, preside over disputes, and act as a neutral third party when folks with an interest in the project have different goals.

It should be interesting to see if the Series Seed project moves in this direction and is able to play this role in the seed funding community.

Schools? Google? Who isn’t invading privacy?

Today was an interesting day in privacy lawsuit news.

First, there are the parents of a Pennsylvania high school student who filed a complaint against the school alleging that the school remotely activated a school-issued laptop and took a picture of the child. At home. Without his or their knowledge. And without his or their consent.

Then, there’s the class action lawsuit against Google regarding auto-activation of Buzz and the information that was necessarily shared in connection with that activation. Specifically,


Google turned Gmail “into a social networking service and that’s not what they signed up for, Google imposed that on them without getting their consent,” said Kimberly Nguyen, consumer privacy counsel with EPIC of Washington, D.C. “The bottom line is, users should have meaningful control over their information.”

I’d say these lawsuits show that not everyone agrees with Mark Zuckerberg’s statement that Privacy is no longer a social norm.

All the Administrative IT things…

So, getting ready to run my own law firm is full of all sorts of responsibilities I haven’t had to think about in years:

– MSFT Exchange server on your domain?  Gotta hire someone to manage that.

– Email (and Exchange calendar) synch’ed to the phone?  Gotta figure out how to manage that.

– Bookkeeping?  Yeah.  Turns out, March is really sub-optimal in terms of timing for searching for a qualified CPA…

– Taxes?  See above.  Same issues with the CPA, but more serious concerns about penalties associated with getting it wrong.

– Time Keeping (where not on a project or subscription plan) and Billing?  Ugghhh.  That’s going to be fun…

– And hardware?  My laptop is 7 years old.  But it works fine, and much like my car, I’ll probably just drive it into the ground.  My phone, on the other hand, is an entirely different issue… ‘Droid? HTC? What’s a Verizon customer to do?

And yet, despite all of these issues pulling me away from the core business I’m trying to start — I’m excited.  It’s fun and interesting to figure out which offerings in the marketplace make the most sense.  I feel like the research to figure out how to run my own practice makes me more able to relate to my clients that need to run their own technology businesses.

Code as Speech

The most recent newsletter from Daniel Munitillo discusses U.S. export law as it applies to code, and determines that, for the most part, U.S. export restrictions do not apply to open source software.

Why? The First Amendment.

Specifically, he states:

. . . [a]ny and all computer code not considered classified by, or, not for official use only (FOUO) of the United States Government, which is open source, freely and publicly available, exchanged for any non prohibited end use is protected under the case law cited as free speech. The case law is clear*.

Export compliance is a pain for small companies. The fact that open sourced software is protected speech and thus not subject to standard U.S. government export compliance is yet one more reason in a long list of reasons why small companies should consider open-sourcing some or all of their code when evaluating their business options.

*In accordance with Junger v. Daley, 209 F. 3d 481 (6th Cir. 2000); Bernstein v United States, 922 F. Supp 1426 (1996), 945 F. Supp. 1279 (1996), and at 176 F. 3d 1132 (9th Cir. 1997); and Karn v United States Department of State, 925 F. Supp. 1, 9-10 (D.D.C. 1996), remanded, 107 F. 3d 923 (D.C. Cir 1997), Code is protected as free speech under the First Amendment of the Constitution of the United States.

The *other* long tail (6 months? 9 months?)

There’s a debate going on right now. How long should the search engines be able to save your search data (associated with your IP address, or your cookie, or your unique identifier associated with your login to their services)? 6 months? 9 months? Less? More?

From a business perspective, this information is very useful. The longer, the better.  It helps potential business partners (service providers, product providers, advertisers, etc.) know what you are likely to want to see, buy, use, and potentially even contribute to the conversation. Of course, whether the search engines should be allowed to share this information at all is yet another conversation.

From a law enforcement perspective, the enforcers would prefer that everything be recorded in perpetuity, indexed, searchable, and admissible as evidence in prosecution. And let us not forget that in some scenarios, certainly, the pattern of behavior, searches, and information sought would be down-right bone chilling, and had someone been monitoring it, no doubt, they could have sounded the alarm prior to some horrific event.

The other side of the coin is that many of us have the occasional horrid thought, which results in the occasional questionable-looking search engine query, and really, we’d like that moment to be erasable instantaneously, not 6 or 9 months later. And why not?

From a privacy perspective, the preservation of and presentation of this information to third parties (even for *law enforcement reasons*) is quite scary.  If I searched for the failure rate of pregnancy tests a month ago, that’s a very indicative fact about me, as a person, or perhaps my friends and family. Should anyone have the right to know that I did that? If I searched for palliative treatments for a terminal medical condition, the search is similarly indicative and raises similar questions. Who truly deserves to know these intimate details about my thoughts and internal questions without my permission?

The EU, in general, has taken a stronger role in protecting the privacy of the individual on-line than the U.S.

This results in situations like the recent decision by Microsoft to purge search data attached to IP addresses after 6 months, which is a significant improvement (from the end user “protect-my-privacy” standpoint) over Google’s policy of 9 months.

It’s an interesting thing to watch, because the current day-to-day operating privacy policy is being set far outside the world of the lawyers who litigate and fight for a living. And, as a lawyer who doesn’t fight, I think it’s a valid legal issue, but I’m observing that by the time the big companies deign to get the lawyers involved (by buy-in and invitation), that very colorfully flagged ship will have sailed, most likely by necessity.

It will be a brave new world.