Category:privacy

Year in Review

Wow!  That was fast.

I”ve been running my own law firm for over a year.  It’s been a blast and I’ve been very fortunate — quite a bit of exciting and interesting work came to my door last year.

Some of the highlights include:

  • Managing a dispute from initial demand letter to arbitration award — on my first day running my own firm, one of my clients received a cease and desist letter which we believed was invalid.  We pitched the case to litigators, hired them, and I was able to act as in-house counsel for the 7 month JAMS arbitration: editing and adding factual clarity to filings, attending all depositions and hearings, and eventually delivering the news after judgment.  In general, this is not my day-to-day practice, but it was very educational and modified my perspective on how contracts should be drafted and disputes relating to contracts should be approached.
  • Acting as on-site in-house technology counsel one day a week — sitting in the legal department of one of my larger clients gave me a very different understanding of the role that attorneys play within an organization.  I supported the third party inputs to software (reviewing both open source and third party proprietary licenses) and the enterprise licensing division and often witnessed first-hand the delicate balance that must be maintained between legal risk and business risk within a corporation.
  • Negotiating against the big guys — it’s part of the typical start-up experience.  Sure, you often negotiate and partner with other start-ups, but at some point, you will need something from one of the big established players.  It may just be Internet connectivity.  Or, large companies may be your sales targets.  Regardless, negotiating against a large company who insists that *we never change our forms*,  *everyone signs this without edits* and *this is completely standard* requires the expertise of someone who has seen many *standard* offerings in the applicable industry.  Over the years, I’ve dealt with Fortune 100 and Fortune 1000 companies in almost every industry, and this year was no exception.  Examples from this year include: Advertising Agencies, Amazon, Barclays, Blue Cross Blue Shield (of America and of various States), Bank of America, Chubb, Credit Suisse, CUNA Mutual Insurance, Discover, DOE Pacific, Earnst and Young, Experian, Facebook, Fidelity, Google, Honeywell, Horace Mann, Humana, JP Morgan Chase, KPMG, Lloyds, Lockheed Martin, Mass Mutual, Microsoft, Morgan Stanley, NBC Universal, Nationwide, PWC, Safeway, Samsung, State Farm, T-Mobile, Toys R US, Viacom, Walmart, and Warner Brothers.
  • Setting up the legal side of the business (forms) — a large portion of my job is limiting the amount of work I do.  I try to get my start-up companies into a position where their internal IP creation departments, online systems, sales forces, and business development teams can function with minimal legal input.  This involves an up-front investment of time to create forms that are correct for their business models.  I talk to my clients and truly understand their businesses before drafting, which avoids the extra legal fees companies often incur when their attorney starts with a square hole for a round peg.  Examples include:  Enterprise license agreements, Software-as-a-Service Agreements, trademark license agreements (branding/endorsement/certification programs), software development agreements, click-throughs (standard terms, privacy policies, API license agreements, payment obligations, revenue share, and more), commission agreements, reseller agreements, professional services agreements, master purchase agreements, NDAs, partner program agreements and technology assignment agreements.
  • Open Source — I went to law school because I was fascinated by the legal rights issues in Open Source Software.  I even wrote an award winning student note on the topic.  This year, I continued my commitment to Open Source legal issues with projects in several areas:  (i) aided a client in cleanly open sourcing a proprietary language they had developed (open source license evaluation and selection, branding issues, IP contribution agreements); (ii) performed open source audits of client codebases with the engineering teams and cleaned up any issues found; (iii) acted as special open source counsel in an Asset Purchase and Leveraged Buy-Out to help the acquirors become comfortable with the state of my clients’ open source uses; (iv) represented (and continue to represent) two clients whose business models are built around open source software projects that they manage (with monetization through professional services, support, maintenance, priority bug fixes, and bespoke development); (v) aided clients in the development of open source policies and approval processes to maintain the codebase in the proper state.
  • Everyday advice, counseling and communications — this catch all category is where the most surprises come.  Sometimes it’s just a phone call asking for a sanity check — Can we do this?  But sometimes there are more exciting issues such as requests from law enforcement, lawsuits that have been filed against clients, high level discussions about IP strategy (should we talk to patent counsel?  Should we file a TM?), letters hinting that lawsuits may be filed, formal letter writing in response to unfortunate situations, termination of contracts, privacy concerns, and much more.

Overall, last year was a great year full of good work, great learning opportunities and wonderful clients.  I can’t wait to see what this year brings.

The Best Part of Summer

Fresh Tomatoes Galore.

After an uncommonly cool summer, we’re finally getting some heat (it’s over 100F outside right now), and the plants are finally starting to produce like mad.

P1020914

In clockwise order in all of their gorgeous glory above, there’s green zebra, thessoloniki, white oxheart, ananas noir, and sweet horizon.

But wait, there’s more…

P1020929

…orange russian 117, thessoloniki, top sirloin, green zebra, ananas noir, and green giant.

In fact, now that they have the sun they’ve been waiting for, the plants will wait for no one.  Over the weekend, several of the wooden stakes I’d been using to support the tomato plants broke under the weight of the fruit that seems to grow while you watch it.  Yesterday, in an effort to limit my chores, after picking all of the cracked tomatoes for gazpacho, I picked only cucumbers and white oxhearts:

P1020933

With the addition of time, heat, spices and acid these became a lovely golden rosemary tomato sauce and pickles.

P1020935

And now, I just have to come up with a plan for the remaining hundred or so pounds of ripe tomatoes that need attention.

It’s a good problem to have!

The Latest Case Against Facebook

On May 5, 2010, The Electronic Privacy Information Center (EPIC) filed a complaint with the FTC regarding Facebook’s privacy practices (or lack thereof).

The biggest two complaints, to my reading are that (1) Facebook unilaterally tried to convert some information previously designated as private to public; and (2) Facebook changed its developer data retention policy to allow developers to retain end user data indefinintely.

Neither of these changes benefits end users, no doubt. But, what I’m fascinated to see is that today, a mere 12 days after the complaint, the user experience is significantly different from the experience described in the complaint (notably, the experience is more protective of user’s data when compared against the experience described in the complaint).

The legal process is slow and cumbersome and using it to argue with a quick and nimble internet-based adversary is going to be frustrating, to say the least. However, where end users are concerned, perhaps the quick responsiveness of Facebook is a benefit. If enough people complain, they just roll out a fix, long before the Feds, or the courts order them to do so. Certainly, this means that the fix is likely to be on Facebook’s preferred terms, rather than what the court or Feds order, but isn’t a quick fix better than a long period of open sharing without a fix (when it comes to privacy)?

I’m not saying I approve of Facebook’s most recent blunders. But, I do applaud of their quick “opt-in” and “opt-out-of-all” additions after the complaint about the blunders. And, I’m fascinated to see how or where the law fits in this world where the facts upon which any legal claims may be based are so ephemeral.

Paul Ohm: Anonymization Has Failed

I recently had the privilege of attending a talk where Paul Ohm presented the main ideas behind his latest research paper.

I found his reporting on re-identifying users from supposedly non-personally identifiable information fascinating:

-87.1% of Americans can be uniquely identified by their 5-digit zip code combined with the date, month, and year of their birth.

-80% of anonymized Netflix users could be uniquely identified by 3 movie reviews (movie, date, review value).

His take-home message?

Data can either be useful, or perfectly anonymous, but never both.

The majority of laws and contracts dealing with personal information draw a line between “personally identifiable information” and “non-personally identifiable information” (aka aggregate, anonymous data).

But, if you can use non-personally identifiable information to derive personally identifiable information, then the two categories collapse into one.

It will be interesting to see how advertisers, social networks, governments, and end users respond to reality that the separate categories we’ve built into the laws and contracts may not actually exist.

Schools? Google? Who isn’t invading privacy?

Today was an interesting day in privacy lawsuit news.

First, there are the parents of a Pennsylvania high school student who filed a complaint against the school alleging that the school remotely activated a school-issued laptop and took a picture of the child. At home. Without his or their knowledge. And without his or their consent.

Then, there’s the class action lawsuit against Google regarding auto-activation of Buzz and the information that was necessarily shared in connection with that activation. Specifically,


Google turned Gmail “into a social networking service and that’s not what they signed up for, Google imposed that on them without getting their consent,” said Kimberly Nguyen, consumer privacy counsel with EPIC of Washington, D.C. “The bottom line is, users should have meaningful control over their information.”

I’d say these lawsuits show that not everyone agrees with Mark Zuckerberg’s statement that Privacy is no longer a social norm.

The *other* long tail (6 months? 9 months?)

There’s a debate going on right now. How long should the search engines be able to save your search data (associated with your IP address, or your cookie, or your unique identifier associated with your login to their services)? 6 months? 9 months? Less? More?

From a business perspective, this information is very useful. The longer, the better.  It helps potential business partners (service providers, product providers, advertisers, etc.) know what you are likely to want to see, buy, use, and potentially even contribute to the conversation. Of course, whether the search engines should be allowed to share this information at all is yet another conversation.

From a law enforcement perspective, the enforcers would prefer the everything be recorded in perpetuity, indexed, searchable, and admissable as evidence in prosecution. And let us not forget that in some scenarios, certainly, the pattern of behavior, searches, and information sought would be down-right bone chilling, and had someone been monitoring it, no doubt, they could have sounded the alarm prior to some horrific event.

The other side of the coin is that many of us have the occasional horrid thought, which results in the occasional questionable-looking search engine query, and really, we’d like that moment to be erasable instantaneously, not 6 or 9 months later. And why not?

From a privacy perspective, the preservation of and presentation of this information to third parties (even for *law enforcement reasons*) is quite scary.  If I searched for the failure rate of pregnancy tests a month ago, that’s a very indicative fact about me, as a person, or perhaps my friends and family. Should anyone have the right to know that I did that? If I searched for palliative treatments for a terminal medical condition, the search is similarly indicative and raises similar questions. Who truly deserves to know these intimate details about my thoughts and internal questions without my permission?

The EU, in general, has taken a stronger role in protecting the privacy of the individual on-line, than the U.S.

This results in situations like the recent decision by Microsoft to purge search data attached to IP addresses after 6 months, which is a significant improvement (from the end user “protect-my-privacy” standpoint) over Google’s policy of 9 months.

It’s an interesting thing to watch, because the current day-to-day operating privacy policy is being set far outside the world of the lawyers who litigate and fight for a living. And, as a lawyer who doesn’t fight, I think it’s a valid legal issue, but I’m observing that by the time the big companies deign to get the lawyers get involved (by buy-in and invitation), that very colorfully flagged ship will have sailed, most likely by necessity.

It will be a brave new world.

No title

Right to Forget?

It appears that France is considering legislation that would require online data to be deleted/removed after a certain amount of time.

Ignoring the pragmatic implementation issues, assuming a government could actually make this law work — the debate raises several very interesting policy and culture issues.

-How long and how far should information about our former actions follow us?

-If it’s true, should anyone be allowed to say it? What if it’s their opinion, but it’s quite terrible as it concerns you? What if it was true at some point in the past but may not be so anymore?

-Are we, as an Internet culture, moving to being more forgiving of each other’s transgressions, because, hey, who doesn’t have some unfortunate party pictures available somewhere on the Internet?

-Or, are we, as an Internet culture, moving to a policed information state, where we have a right to control where our reputations are made and modified. Where we get to protect ourselves from the information related to our former transgressions, because, hey, at some point we all should be able to move on, overcome, and forget our past misdeeds.

-And how does this debate take into consideration the reality that most people find horrifically negative facts about a person to be much more interesting (and therefor higher on the search results) than any (and possibly all) counterbalancing healthy, normal, well adjusted facts?

It’s questions like these, and more, that have kept me for so long from being completely open with my identity on this blog.

Lately, though, I can’t help but feel that the ship has sailed. I feel as if the Internet has evolved to a place where I have 2 binary options — I can stay fully engaged in the culture and join the transparency, or I can continue to seclude myself and slowly remove myself from and miss out on many of its newer benefits.

Thoughts?
It’s a doozy.

[UPDATE: And, the same day I wrote this, Facebook’s Mark Zuckerberg claimed Privacy is no longer a social norm.]

No title

Losing my Anonymity

So, I’m considering joining the kids.

You know, the open, non-private, freakishly free kids.

And, I’m thinking of creating a non-fake account on facebook, where I admit who I am.

And, I’m thinking of linking to this blog. So, I’m scouring the last 7 years, to make sure I’m okay with this.

AND, IF YOU ARE A PRIVATE PERSON WHO I LINK TO WHO WOULD LIKE TO BE ELIMINATED FROM MY ARCHIVES BEFORE I GO PUBLIC — LET ME KNOW! ASAP!

Anyways — it turns out, all I’m really doing in cleaning up my old posts is tagging old posts with labels, because I’m actually okay with everything I’ve posted in the months I’ve encountered (so far).

But one of the more interesting things I’ve encountered is how much my current self agrees with my past self (duh!).

And I’m pleased that my 2003 self correctly predicted that the SCO lawsuit would still be going when I graduated (and 3 years later).

No title

On Privacy

Today, I attended a 3/4 day long conference on internet privacy. That wasn’t how they billed it, but that’s how it ended up playing out.

Many very smart people said many smart things, and most of them have my brain spinning and thinking and evolving. Perhaps if I collect my thoughts I’ll post something useful. Probably not, though.

Acknowledging that I probably won’t think, write, and post or be anything close to useful in that manner, I feel I should offer something. So, here it is:

Today, as counsel to many small cutting edge companies who struggle with many of the issues that were discussed, the most striking comment, to my ears, came from Lauren Gelman. She said (according to my notes),

Now, anyone can speak to the world about whatever they want — but our stories aren’t just about ourselves, they affect third parties.

I think, from the first person publisher privacy standpoint, that summarizes the whole ball of wax. Sure, you’ve always been free to tell your story from the street corner, but it used to require so much more effort. Now, it’s easy. And you can bring along your acquaintances’ reputations for the ride.

This is not to say that there isn’t a huge discussion to be had regarding the entities who are collecting data, combining it with other data, mining it, and introspecting into our lives. That is a different and immense issue.

This is just to say that on the harms we can do to one another by exercising this new and ridiculously free, unprecedented power to publish to anyone in the world without a governmentally imposed filter — I think Lauren’s got it.

We’ve never been so free to permanently speak to millions about our neighbors, acquaintances, exes, and so forth.

It’s a brave new world y’all…