To many, the decision to open up the top-level of the Internet’s namespace has been a long time coming, creating a powerful tool to launch and/or expand brand marketing, promotion and overall recognition into a whole new realm.  However, taking advantage of these new opportunities will not be a simple process, and unfamiliarity with the complexity of registration and application protocols, as well as the array of technical, operational and legal issues that will arise, may be overwhelming to brand leaders and legal representatives alike.  Further, applying for and obtaining a new gTLD is not only time-consuming, but also extremely costly, with initial application fees of $185,000, coupled with overall integration and implementation fees, as well as ongoing yearly maintenance fees in the event that your application is approved at all.  

So what does this mean for you, and your company or association?  Below is a brief overview of the gTLD process, which should help you identify and analyze the associated benefits and risks that may present themselves. 

Navigating the gTLD Application Process

Many are familiar with the registration of a Second-Level Domain (“SLD”), the name, term or phrase to the immediate left of the “dot” in a web address.  For example, in digitalhhr.com, “digitalhhr” is the SLD.  The process for registering an SLD is simple, and in most instances, merely requires a brief search on the internet and payment of a small fee to one of several registrars like register.com or godaddy.com. 

The new gTLD application process is considerably more complex.  Unlike a simple SLD registration, any entity applying for and (if approved) operating a gTLD will ultimately become a registry itself.  ICANN has therefore established a comprehensive and lengthy approval process. 

As part of the submission, applicants are required to provide substantial background information, including information related to corporate and legal structure and financial resources.   In addition to such background screening, the initial evaluation period consists of two primary areas of review: (i) applicant review–where the entity applying for the gTLD (including all individuals named within the application) will be subject to assessment, including an overall examination of technical, operational and financial capabilities, and (ii) string review–where the applicant’s proposed gTLD string will be evaluated. The applicant review focuses on the applicant itself in order to assess whether it has the means necessary to operate a registry, and whether applicant’s registry services would adversely affect the security or stability of the Domain Name System (“DNS”).  The string review, on the other hand, focuses on the applied-for gTLD string in order to assess such issues as whether the proposed gTLD string would create a user confusion, adversely affect DNS security or stability, etc. 

According to ICANN, this initial period of evaluation may take up to 5 months or more and includes a public comment period.  Applicants who successfully complete this process (including surviving any formal objections that can be filed after publication of the completed application) will then be required to enter into a registry agreement with ICANN, as well as pass certain technical tests before the proposed gTLD is activated.  Overall the application process can take anywhere from 9 to 20 months, depending on the complexity of the application. In addition, all applicants will be required to pay a gTLD evaluation fee of $185,000, which shall be payable by the applicant as follows: $5,000 deposit upon applicant’s request for an application and the remaining $180,000 upon submission of the completed application.  Furthermore, applicants may be required to pay additional fees in certain cases, including where extended review is requested by those applicants that do not pass the initial evaluation. 

The New gTLDs and its Affect on Trademark Owners and Brands.

For many entities, the financial expenditure, coupled with the time, resources and personnel necessary to operate a gTLD registry may deter them from moving forward with the process at all.  But even if a decision is made not to affirmatively use the gTLD process to launch and/or expand a brand, companies must still be concerned with protecting their trademarks.

In the tangled web of major stakeholders, complex processes and potential pitfalls, companies are faced with the daunting task of assessing and implementing new protection and monitoring mechanisms in order to protect their trademarks and brands. ICANN itself has integrated several mechanisms within the gTLD program to help provide comfort to trademark owners, including:

• Formal Objection to gTLD Applications: At the close of the initial submission process in April, 2012, ICANN will publish a list of all applications to the general public, which will launch a period for filing formal objections to any application.  A formal objection may be filed on one of the following four grounds: (i) String Confusion Objection, (ii) Legal Rights Objection, (iii) Limited Public Interest Objection, or (iv) Community Objection. All properly filed objections will be subject to dispute resolution proceedings, which shall be administered by one of the following service providers, depending on the grounds for such objection: the Arbitration and Mediation Center of the World Intellectual Property Organization, the International Centre for Dispute Resolution, or the International Center of Expertise of the International Chamber of Commerce.  In the event that a gTLD is delegated, there will also be a post-delegation procedure to address issues that arise. Such objection procedures are set out in much greater detail in ICANN’s gTLD Applicant Guidebook.
•  Trademark Clearinghouse: The Trademark Clearinghouse is a centralized database, which will be provided, operated and maintained by ICANN, in order to store information in connection with third party trademarks. All trademark owners will be able to register their trademarks with the Trademark Clearinghouse. The Trademark Clearinghouse will be supported by individual registry operators through the establishment of individual Trademark Claims Services, as well as a “Sunrise” Process, as further described below.  
• Trademark Claims Service/Domain Name Registration During the “Sunrise” Period:  In accordance with ICANN’s procedures, all new registry operators must implement both Trademark Claims Services and a “Sunrise” Process during the initial period of general registration. The Trademark Claims Services will provide prospective gTLD registrants with notice of any third party trademark rights in and to the desired domain name, provided that such third party has registered with the Trademark Clearinghouse. However, such notice does not completely prevent the prospective registrant from registering such domain name. If the prospective registrant moves forward with the registration of such domain name, and it is registered in the Trademark Clearinghouse, the registrar will have to provide notice to the rights holder that such domain name has been registered.  In addition to such Trademark Claims Services, a “sunrise” period during the start-up phase for registration must be implemented in order to allow for eligible rights holders in the Trademark Clearinghouse first opportunity to register an SLD at the specific gTLD if a third party is seeking a sunrise registration thereof.  Notice to rights holders registered in the Clearinghouse will be provided by the registry operator upon requested registration by a third party. 

These are only some of the means that trademark owners, companies and brands can use in order to protect their marks. However, careful monitoring of ICANN’s application process and individual registrations, and prompt action, will ultimately be necessary on a moving forward basis in order to properly defend against the potential issues that may arise.     

What Now?

Whether you are an entity ready and willing to take on the challenge of registering a new gTLD, or simply looking to go on the defensive to protect your brand, devising the right strategy in response to the arrival of ICANN’s gTLD program is crucial for all brand owners.  

The DigitalHHR team has been working with clients to assist them in understanding the gTLD initiative, evaluating the potential benefits and pitfalls of moving forward with an application and assessing their brand protection needs, and are available to answer any questions you might have.  We will continue to monitor the progress of ICANN program as we near the start of the application window, particularly as details are made available regarding the Trademark Clearing House.

1)       Cartoon Network, LP v. CSC Holding Inc.

Among the most recent and important decisions impacting cloud-based storage and distribution of entertainment content was the Second Circuit’s 2008 decision in Cartoon Network, LP v. CSC Holding Inc. (“Cablevision Case”), which addressed the copyright implications of a cloud-based DVR system. Specifically, cable operator Cablevision Systems Corporation (“Cablevision”) announced plans in March 2006 to market a “remote storage DVR system” (“RS-DVR”) to allow subscribers without a stand-alone DVR to record cable programs on central hard drives Cablevision maintained at a “remote” location. In response, major networks and studios sued Cablevision in federal court, claiming that the RS-DVR would directly infringe their rights to reproduce and publicly perform their copyrighted works. The district court agreed and enjoined Cablevision from operating the RS-DVR system without additional licenses from the plaintiffs. Cablevision appealed and the Second Circuit reversed the decision on all three infringement counts.

The first claim rejected by the Appeals Court was that the brief caching of buffering data while Cablevision’s system queried whether the customer had actually requested the program be recorded on to the applicable hard drive violated the exclusive right of reproduction. The Appeals Court held that the buffering period was so negligible as to fail the Copyright Act’s requirement that a copy of work be fixed in a tangible medium “for more than a transitory duration.” This point is potentially significant for future cloud business models given that cloud-based services may enable the storage, manipulation and distribution of content in multiple formats across multiple devices, which will continue to no doubt further implicate transitory caching of content at multiple stages in the process.

The second claim reversed by the Appeals Court was that Cablevision was liable for direct copyright infringement for copying programs to the RS-DVRs. Here, the Appeals Court held that Cablevision did not evince the required “volitional conduct” that actually caused the copy to be made and found that Cablevision’s conduct in designing, housing, and maintaining a system did not amount to direct infringement.

The third and perhaps most controversial claim reversed by the Appeals Court was that the transmission of programming from the RS-DVR to subscribers who requested playback breached the public performance right. Here, Cablevision argued (and the Appeals Court found relevant) that, “because each RS-DVR transmission is made using a single unique copy of a work, made by an individual subscriber” only one subscriber is capable of receiving the transmission of that particular work and thus the performance is not “public”.

Ultimately, the holding in the Cablevision Case that individualized copies of content specifically streamed to subscribers from remote DVRs constitute private, as opposed to public, performances introduces a lack of clarity regarding the rights necessary for cloud-based transmissions of audio/visual content. Put simply, the question remains as to whether streaming of legally obtained content to an end user from the cloud (e.g., MP3 tracks stored in a digital locker, etc.) implicates the public performance right. As a result, purveyors of cloud-based business models are left considering whether additional authorization is required from copyright holders, and in the absence of obtaining that consent, whether the potential exists that another tribunal could later disagree with the Second Circuit’s holding in the Cablevision Case. Furthermore, the application of the holding in the Cablevision Case to alternate fact patterns and business models, as even the court itself acknowledged, provides limited guidance.

“This holding, we must emphasize, does not generally permit content delivery networks to avoid all copyright liability by making copies of each item of content and associating one unique copy with each subscriber to the network, or by giving their subscribers the capacity to make their own individual copies. We do not address whether such a network operator would be able to escape any other form of copyright liability, such as liability for unauthorized reproductions or liability for contributory infringement.”

2) Capitol Records, LLC et al. v. MP3tunes, LLC

Another recent and ongoing case potentially impacting the digital locker and cloud computing landscape is Capitol Records, LLC et al. (“EMI”) v. MP3tunes, LLC (See Initial Complaint, EMI Summary Judgment Memorandum and Response, MP3tunes Summary Judgment Memorandum and Response, and recent Summary Judgment Ruling). Here, multiple record companies and publishers affiliated with EMI have asserted, among others, various copyright infringement claims against MP3tunes, which operates two separate online services–specifically, MP3tunes.com and Sideload.com. MP3tunes.com allows users to store their music collections in online digital lockers, which they can then access from any computer or mobile device with an Internet connection. Sideload.com is a music search engine site that allows end users to search for links on the internet to downloadable music that can be uploaded (or “sideloaded”) to an MP3tunes digital locker. Once music is placed in an end user’s digital locker, the music becomes available for transmission to any IP-enabled device at the end user’s direction.

Based on the documents filed to date, EMI has asserted a series of both direct and secondary copyright infringement claims against MP3tunes, including claims that MP3tunes has forfeited its eligibility under the Digital Millennium Copyright Act’s (DMCA) Safe Harbor provisions for its illicit conduct in knowingly providing the means for end users to violate EMI’s copyrights via Sideload.com and failing to respond to takedown notices. In fact, the majority of EMI’s claims are based on the functionality and content made available via Sideload.com, which essentially aggregates URLs linked to digital music files that can be readily downloaded or sideloaded to an online locker. EMI has asserted that the infringing nature of the links posted on Sideload.com, as well as the corresponding files that are made available via the linked URLs that are then sideloaded into an MP3tunes digital locker violate EMI’s copyrights.

While a detailed analysis of the merits of EMI’s DMCA and contributory liability theories remain outside the scope of this post (and have yet to be entirely decided by the court), the district court, in its recent ruling on the parties’ summary judgment motions, did find that the MP3tunes was entitled to the Safe Harbor protections afforded under the DMCA, but further addressed a key issue emerging in the new cloud-based lockering environment. Specifically, upon receipt of a valid takedown notice from EMI, the court found that MP3tunes had a duty to not only remove links to infringing songs publicly displayed on Sideload.com, but also a duty to remove songs stored in users’ personal lockers which were downloaded from such links. In its defense, MP3tunes claimed that it was only required to remove the URL links on Sideload.com because only those links were listed on EMI’s takedown notices and that it might be subject to lawsuits by users if it actually removed personal property from users’ digital lockers. The court, however, rejected this argument, pointing to the DMCA’s immunity provisions for service providers acting on valid takedown notices (see 17 U.S.C. 512(g)), and stating that:

“Where service providers such as MP3tunes allow users to search for copyrighted works posted on the internet and store those works in private accounts, to qualify for DMCA protection, those service providers must (1) keep track of the source and web address of stored copyrighted material, and (2) take content down when copyright owners identify the infringing sources in otherwise compliant notices… [Accordingly,] MP3tunes was obligated to remove specific works traceable to users’ lockers .. [b]ecause MP3tunes keeps track of the source and web address for each sideloaded song in each user’s locker and EMI’s notices gave sufficient information for MP3tunes to locate copies of infringing song in users lockers.

In addition to the foregoing claims, EMI also claimed that MP3tunes directly infringes that right of public performance by allowing end users to stream music from their online digital lockers to personal devices. Relying in part on the holding in the Cablevision Case, EMI asserted that MP3tunes violates the public performance right because it uses a “single master” to play songs to multiple users, as opposed to Cablevision which maintained a separate copy of each program for each subscriber who recorded it. In response, MP3tunes replied that it does not utilize a “single master” storage system, but rather a common open source distributed file software system that eliminates redundancy and enables MP3tunes to efficiently store and retrieve the millions of audio files uploaded by its users without employing a duplicative file storing method.

Ultimately, the district court held that MP3tunes does not in fact use a “single master” system, but rather a standard algorithm known as “Content-Addressable Storage” to store music files which uses hash tags associated with each uploaded song that ultimately allows for the reconstruction of the exact file the user originally uploaded to the service (i.e., there is no “master copy” of any EMI songs stored on MP3tunes’ servers). Still, this determination does not entirely address EMI’s infringement claim regarding the right of public performance as the court’s holding solely relates to the nature of the specific file storage technology employed by MP3tunes. This is in part due to the fact that EMI’s arguments on the public performance issue were largely based on distinguishing the file storing technology used by MP3tunes from the technology employed by Cablevision. In other words, EMI did not address the public performance question by looking at the intended audience of the transmissions enabled by MP3tunes, but rather whether MP3tunes used a “single master” to transmit music to end users.

Ultimately, the take away from both the Cablevision Case and the MP3tunes case is that cloud-based delivery, storage and consumption of entertainment content, whether overtly and implicitly, implicates many of the exclusive rights afforded copyright holders and stakeholders need to remain vigilant about allocating risk when the laws in the US and overseas have yet to suitably address the contours of these services and the corresponding technologies at play. We will obviously keep an eye on future developments in connection with cloudifcation of entertainment content and any case law potentially impacting the future deployment of related cloud-based products and services.

OpenLogic reviewed 635 leading mobile Apple iOS and Google Android apps in a license compliance assessment.  The results show that about 10 percent of the apps contained code that was subject to an open source license (either the General Public License, Lesser General Public License (GLP/LGPL) or Apache license), and over 70% percent of these were apparently using the open source code in a manner that violated key obligations required by the open source licenses. 

While certain of the violations found by OpenLogic related to requirements for attribution and/or provision of copies of the underlying open source license with the new works, in certain instances some of the apps may have required the developers to provide the source code for the app itself (that is, the open source code caused the app to go “viral”).  OpenLogic did not identify specific apps in its review but states that it targeted the “top paid and free apps for iPad, iPhone and Android across a variety of categories,” including apps from the top 20 companies in the Fortune 500.  The apps at issue included banking, sports and game applications, as well as apps from household brands and media organizations.

Perhaps this result isn’t surprising.  Many developers–and the publishers that retain them–often don’t have a complete understanding of the open source license requirements and how they may impact the actual use of the code in a specific app.  Other confusion may arise from the proliferation of outsourcing or the inadvertent bundling of original source code with protected source code.  Even when developers were aware that their app contained open source, the End User License Agreements or documentation accompanying the apps may not have been properly drafted to fully comply with the open source license requirements.

It is unclear what the ultimate impact of these findings will be.  Violation of an open source license can form the basis of a copyright infringement claim (exposing the entity using the code to statutory damages, as well as the possibility of an injunction).  Jacobsen v Katzer, an open source copyright infringement case, established that violators of open source software may be subject to claims under copyright law, including statutory damages up to $150,000 per infringing work and injunctive relief.  Injunctive relief was granted in Software Freedom Conservancy, Inc. and Erik Anderson v Best Buy Co., Inc. et al., a case where the defendant allegedly sold and distributed electronic products embedded with firmware that contained either a copy or derivative work of the plaintiff’s open source software, BusyBox, without complying with the open source license.  In addition to awarding treble statutory damages ($90,000) for willful copyright infringement and attorneys’ fees and costs, the court entered a permanent injunction against the defendant prohibiting distribution of its infringing HDTVs and ordered the forfeit of infringing HDTVs in its possession to the plaintiff, to be donated to charity.

While it is difficult to assess the litigation risk in the app space, a more critical concern for commercial application developers is the potential diminution of value that might result from the use of open source code (i.e. non-proprietary components) that might be included in their apps.  Strategic partners or potential acquirers might become concerned about hidden claims (either with respect to ownership of the app or for violation of an open source license).  Prudence would seem to compel developers and publishers to carefully scrutinize the code being incorporated into newly-developed apps and gain mastery over any open source license requirements.

These separate initiatives come on the heels of the issuance of a “Green Paper” on privacy by the U.S. Department of Commerce Internet Policy Task Force, entitled “Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework”.  One of the Green Paper’s key proposals is ensuring “nationally consistent security breach notification rules” through a federal commercial data security breach notification law that sets national standards, addresses how to reconcile inconsistent State laws, and authorized enforcement by state authorities. 

In early December, 2010, California State Senator Joe Simitian (D-Palo Alto) introduced a bill that, if enacted, would establish requirements for any notice sent to consumers in the event of a security breach.  The legislation is intended to update Simitian’s landmark 2003 privacy protection which required any business or state agency that loses unencrypted personal information to send a security breach notification letter to consumers whose privacy was compromised and inspired more than 40 states to adopt similar legislation.  The proposed bill requires any breach notice to disclose to consumers details of the security breach, including the types of information that were subject of the breach and the date the breach occurred.  While the bill is intended to compel business or agencies to be more forthcoming with consumers regarding details of any security breach, former Governor Arnold Schwarzenegger vetoed similar proposals in 2009 and 2010, citing lack of proof that the bills would benefit consumers and would be overly burdensome on businesses.

Lawmakers in Virginia introduced legislation in January of this year to expand notification requirements following a breach of security with respect to medical information.  While under current Virginia law, the requirement to provide notice only applies to organizations, corporations or agencies “supported wholly or principally by public funds”, the amended bill would extend the state’s requirement to notify individuals of a breach of their medical information to all individuals and public and private entities.  The bill also allows the state’s Attorney General to impose a civil penalty of up to $150,000 per breach of the security of the system or a series of similar breaches of a similar nature that are discovered in an investigation.

The same day that the Virginia bill was introduced, lawmakers in Oregon proposed House Bill 2851 an amendment to the Oregon Consumer Identity Theft Protection Act.  Oregon is currently one of a majority of states whose breach notification laws do not apply to hard-copy records.  The newly-introduced legislation would close that gap by requiring notice of an unauthorized disclosure of data contained in such hard copies.

While not necessarily inconsistent, the recent proposals in California, Virginia and Oregon make it clear that state regulatory and enforcement schemes in the privacy area have not all achieved a uniform point of evolution.  For many years, California had a security breach notification requirement on its books.  Virginia’s regulation on medical information breaches didn’t cover private entities.  And Oregon did not provide protection for privacy breaches resulting from disclosure of information on hard copy documents.

While the federal government speaks of uniform standards, it is still too early to tell whether those standards will take the form of a detailed, robust notification system, be based on the lowest common denominator among the current state schemes or fall somewhere in between those extremes.  We will continue to follow the ongoing developments, at both the state and federal levels, as this debate will no doubt evolve in the coming months and years.

What exactly is “device fingerprinting”?  Every time a computer or other mobile device connects to the Internet, it broadcasts information about its properties and settings (such as which browser is running, screen resolution, speed of connection, etc) in order to interact smoothly with websites and other computers.  Device fingerprinting technology collects this information to build a profile that can identify the individual computer or device, and in some instances, the person using it. 

Before its adoption for online marketing, fingerprinting technology was primarily used to prevent software theft, providing a means to confirm that the subject application was only used on authorized computers.  Anti-fraud companies use the technology to identify devices that had engaged in fraudulent transactions to help them prevent similar occurrences in the future.  Privacy legislation proposed this July even advocated its use to identify consumers who had opted-out of online tracking.

But device fingerprinting could also allow for much more effective tracking of online behavior than other current technologies.  Where cookies can be blocked or deleted, it’s much more difficult to prevent fingerprinting or to delete a fingerprint after it has been collected.  One study, surveying 70 million website visits, found that a fingerprint of an applicable device could be generated 89% of the time whereas cookies could only be used 78% of the time.  One developer of device fingerprinting technology claims that it is even able to link the fingerprints of different devices that appear to be used by the same person.  Eventually, the company plans on adding offline activity to the individual’s profile, using email addresses and names the user entered while browsing the web to pull information from other databases.  By collecting, generating and selling this information to marketers, the device fingerprinting could become the basis to deliver targeted ads based on a consumer’s activity from their computer, mobile phone and other devices. 

Fingerprinting and other forms of digital tracking are currently legal but both federal regulators and several members of Congress have warned that the government will intervene if the online-advertising industry does not start doing more to protect consumer privacy.  Recently, the FTC recommended that a Do Not Track System be implemented if the industry doesn’t start coming up with its own solutions soon.  The FTC proposal would require web browsers to implement a do-not-track setting directly in the browser to enable end users to block web service providers, marketers and advertisers from monitoring their online behavior.  The FTC would then police companies that implement tracking technologies and tools to ensure that they comply with user requests.  The ad industry’s current opt-out system only allows consumers to opt-out of targeted advertising, not tracking altogether. 

The industry has taken notice.  Some marketing firms say that they will create an opt-out function if they adopt fingerprint technology, though the details of how that would work are still unclear.  Other initiatives include the “Open Data Partnership”, a service that would allow consumers to see what information has been collected about them, and opt out of being tracked by participating firms.  The service is intended to be a response to the government request for more transparency and consumer control.  Eight data and tracking firms have already committed for the service’s launch in January.  Microsoft has also revealed plans for a tool to block tracking in its next version of Internet Explorer.  The tool, once enabled, will allow users to block tracking attempts from specified web addresses used by tracking companies.  But in order to use the tool, users have to direct the browser as to which tracking attempts should be blocked by selecting from lists compiled by privacy groups and other outsiders.  There won’t be any default setting to block all tracking attempts.  Additionally, the tool will only block tracking by certain technologies, such as cookies and beacons.  It doesn’t address new technologies like digital fingerprinting and “deep packet inspection,” a form of monitoring which analyzes data as it travels from the internet to the computer. 

While support for consumer protections are gaining ground, the $23 billion online advertising industry warns that an end to tracking could also mean an end to the free web content that is currently subsidized and supported by targeted advertising.  And some members of Congress have expressed hesitation about any legislation that might hurt economic recovery.  Data tracking has also enabled the customized web experience that many consumers have come to rely on.  In order for any solution to be viable in the long-term, it will have to find some way to balance these competing concerns.  

In the coming months, we will continue to monitor this and other developments in the ongoing debate over privacy on the internet.

** Kathleen O’Donnell, who joined the firm in September, assisted in drafting this article.

As the public’s demand for “any content anywhere” grows, entertainment, media and technology companies are turning to the cloud for innovative ways to distribute and monetize content. Through initiatives like digital lockers, streaming to mobile apps, progressive downloading to tablet devices, and other forms of cloud-based storage and distribution, stakeholders are exploring new business models and ways to innovate without compromising the value of content or jeopardizing the rights of content owners to control how their content is consumed by the ultimate end user.

In this CLE-accredited Webinar, we will focus on the critical legal and business issues raised by the expansion of cloud computing and its impact on the distribution and consumption of entertainment content. We will analyze how cloud computing has led to new methods of distribution that give rise to an increased threat of copyright infringement and the recent case law impacting the cloud computing landscape. We will discuss new digital rights management tools, methods of end user, subscriber and purchase authentication. We will explore how stakeholders can balance complying with evolving standards, laws and regulations with the need to exploit new technological advancements that lead to improved services and enhanced end user experiences.

Our New Media, Entertainment and Technology Group at Hughes, Hubbard & Reed will be joined by our UK-based colleagues from the international Technology and Media focused law firm Taylor Wessing LLP. Taylor Wessing will address some key international and European issues that impact cloud models. These issues will include jurisdictional risks, different rights spanning different territories, advertising laws, collecting societies, the European laws on privacy, cookies and liability for cloud platform providers, as well as challenges related to format shifting/uploading consumers’ existing content into the cloud.

The webinar will be held on Thursday, December 9, 2010 from 12:30 p.m. to 1:30 p.m. EST.  To register, please click here.

The Facebook disclosures were the result of a common Web standard called a referer.  As web users navigate from site to site, the referer tells the new site which page the user is coming from.  Most of the time, this is an innocuous tool used to help websites track the source of their traffic flow and customize user experience.  However, when user IDs are included in web addresses, as is the case with Facebook and other social networking sites, this practice could potentially expose the browser’s identity.  The user IDs can be used to look up public information on the user’s Facebook profile, which, depending on the selected privacy settings, could include anything from the user’s name to his age, hometown, or even photos.

Sharing any user information with advertising and data companies is a violation of Facebook’s privacy policy.  However Facebook has stated that it does not consider the sharing of IDs with application developers to be a privacy breach and that the disclosures by the applications to advertising companies were, for the most part, inadvertent and a “byproduct of how internet browsers work”.  Facebook has announced a proposed solution that would encrypt user IDs in referer headers to prevent inadvertent disclosure to third parties.  The encryption will be mandatory starting January 1, 2011.  However, the encryption only prevents accidental transmission.  Describing it as a “Web-wide problem”, Facebook states that they are looking forward to working with the Web standards community and browser developers in the future to develop a more complete fix.  

Facebook has had trouble with the disclosure of user IDs before.  In May, Facebook revealed that IDs were being sent to advertisers when users clicked on certain ads on Facebook pages.  In some cases, advertisers received the ID of the user who clicked on the advertisement, as well as the ID of the person whose page the user was viewing at the time. 

The disclosure of user IDs, which has always been a sensitive issue for companies doing business on the web, is becoming more of a hot-button issue as public awareness of the issue increases.  It has already attracted the attention of lawmakers who have asked Facebook to outline the steps it is taking to protect consumer information.  While there is no foolproof method to prevent widespread disclosures of personal information, a two-pronged approach, using both technological solutions and a careful framing of contractual protections may help mitigate the problem and avoid the possibility of increased legislative oversight or intervention.

One technological solution would be the increased use of encryption in connection with coding, storing and transmitting user IDs and other personal information.  However, while encryption could prevent unauthorized disclosures, such technological solutions must be coupled with clear contractual obligations on the part of the various stakeholders to ensure their proper use and implementation.  For example, publishers, ad service providers, search providers, developers and others who rely on the use, analysis and disclosure of user data could include in their various agreements provisions requiring that encryption and/or other data security technologies be implemented in connection with the transfer of data between the parties. 

The agreements could also include provisions that spell out how the parties may use personal data (for example, only for internal use in connection with fulfilling obligations under the underlying agreement), and more critically, include specific restrictions and prohibitions on use (for example, prohibiting the sharing of such information with third parties).  Additionally, the inclusion of provisions requiring the maintenance of records of data practices which would be available for audit might also lead to increased vigilence.  Although these measures place increased burdens on the various stakeholders, absent further technological developments, they may be the best way to convince regulators (and the public) that the industry is serious about protecting consumers’ privacy.

Websites can also take steps on their own to beef up their security policies.  In recent months, Facebook has been working to increase their protection of user data.  Following an investigation by the Canadian Privacy Commissioner, Facebook limited the access that applications have to private information.  Unless the user grants additional permission, the application can only view information in the user’s public profile.  (For our previous article on the Canadian Privacy Commissioner’s investigation, see here.)  In early October, Facebook implemented a new tool to help users control what information applications can access, in response to criticisms that its privacy settings were too complicated.  And, after these latest disclosures, Facebook announced a “clarified” privacy policy stating that user IDs cannot leave an application.  In the event that a developer needs to share information with an advertiser or content provider, they must use an anonymous identifier. 

Whether or not these revised policies actually provide more protection to users’ privacy is yet to be seen.  However, it is probably not a stretch to say that the coming months will bring similar revelations and changes across the Web.  We will continue to monitor this and other developments in the ongoing debate over privacy on the internet. 

**Kate O’Donnell, who recently joined the Firm, assisted in the preparation of this article.

This week the chair of the House Caucus on Privacy, Rep. Edward Markey of Massachusetts, criticized responses received by the Caucus from several large Web publishers admitting that keeping track of data collection on their sites is technically difficult, if not impossible.  Markey said that while the publishers detail their own privacy policies and opt-out procedures, these are often too complicated for the average consumer to follow.  He also pointed out that a single website may have dozens of firms collecting data through ads on the site and consumers would need to consult the policies of each of those firms to determine precisely what information was being collected and how it was being used.  (We recently wrote about this issue in a previous Digitalhhr post in connection with location-based advertising and Apple’s iPhone app policy.) 

Markey said that Congress will continue to look into enacting privacy legislation in the future and while he didn’t mention any specific proposals, as detailed in our recent CLE Webinar on Privacy in a De-Centralized Digital World, two pending privacy bills have been introduced.  The Boucher-Sterns Bill, proposed in May of this year would require that “covered entities” (defined as any person engaged in interstate commerce that collects or stores data containing covered information or sensitive information) provide individuals with a privacy notice and an opportunity to opt-out before collecting, using or disclosing “covered information” about that individual.  Covered information is defined broadly and includes an individual’s first name or initial and last name, a postal address, a telephone number or an email address.  In addition, the bill would also require that covered entities obtain affirmative opt-in consent before: (i) collecting sensitive information such as medical records, sexual orientation and precise geographic location information or (ii) sharing covered information or sensitive information with unaffiliated parties. 

A similar bill known as the “BEST PRACTICES Act”, proposed two months after the Boucher-Sterns Bill, would permit a limited private right of action, allowing individuals to sue companies that violate the law for up to $1,000 in actual damages, plus punitive damages.  Both privacy bills would grant enforcement power to the FTC and the states but are not expected to pass this year.

Meanwhile, the FTC has held a series of public roundtables to discuss proposals for regulating consumer privacy as an increasing number of companies engage in the collection, storage and disclosure of end user data.  The last roundtable was held on March 17, 2010 and the FTC has been largely silent since then as to the findings for its much anticipated revised report on privacy guidelines, which is expected later this year.  That report is intended as the follow-up to the FTC‘s 2009 Staff Report, titled “Self-Regulatory Principles for Online Behavioral Advertising”, which was the subject of a previous Digitalhhr post.

However, recent public statements by Maneesha Mithal, the associate director of the FTC Division of Privacy and Identity Protection, suggest that the FTC’s new privacy report will include an emphasis on “consumer control”.  Mithal hinted that the upcoming FTC report may include findings of an increase in the collection, storage and use of data of which consumers are largely unaware particularly with respect to behavioral advertising and a blurring distinction between personally identifiable information and other types of data. 

More importantly, Mithal indicated that the yet-to-be approved report as currently drafted would recommend that all new technologies that involve the collection, storage, processing and/or disclosure of personal information should take into account end user privacy, including privacy reviews, as part of their design.  The draft report also contains a requirement that consumers receive “just in time” notices of collection practices (that is, a notice at the time data is collected), rather than the current practice of incorporating data collection and use provisions as part of a site’s terms of use/service and/or privacy policy.  “Just in time” notices are required under EU regulations, raising the question of whether requiring such new notice obligations might be a first step taken by the FTC to move towards the stricter and more uniform EU model for data protection and privacy regulation.  

In line with its recently stated focus on “consumer control” and in response to a 2007 push by a coalition of privacy groups , the FTC has also been considering improved opt-out mechanisms to online advertising such as a “do not track” list , similar to the National Do Not Call Registry, that would permit consumers to opt out of having their online activities tracked for advertising or marketing purposes. 

The FTC’s 2009 Staff Report proposed non-binding guidelines for an industry currently subject to self-regulation.  It remains to be seen whether the upcoming FTC report will propose actual regulations or seek guidance from Congress on whether to do so.  We will continue to follow the ongoing developments in this evolving discussion.

As we suspected, the response from the entertainment community has been swift, and the company has since received a barrage of cease and desist letters from television networks, movie studios, sports leagues, broadcasters, syndicators and others in the entertainment industry alleging that the operation of the service as currently conducted amounts to copyright infringement. In response, the company has now filed a complaint for declaratory judgment in Seattle district court alleging that by complying with the Act’s compulsory licensing scheme in Section 111 “it has not infringed any of the copyrights owned by the any of the Defendants.”

We will obviously keep an eye on future developments as this complaint now moves its way through the court system and the entertainment industry’s forthcoming response.