Sony is not the first, and unfortunately will likely not be the last, to be subject to such attacks.  To date, the largest data breaches include up to 130 million credit card numbers stolen from Heartland Payment System in 2009, up to 100 million accounts from retailer TJX in 2005 and 2006, and more than 4.2 million credit and debit card numbers from the grocery chain Hannaford Bros. in 2008. Recently, at e-mail marketing firm Epsilon, there was a significant data breach which affected about 50 of its business customers.  And just this week it was revealed that a software flaw may have enabled third party applications operating within Facebook to leak user account information.

These incidents have renewed concerns on Capitol Hill about how companies are responding to data breaches, especially in connection with notifying customers that their information may have leaked.  Both Sony and Epsilon sent written responses to questions posed by a House subcommittee on their handling of the breaches. 

Lawmakers appear to recognize that, although security measures may be in place, they are not always fully implemented. House Energy and Commerce Committee members have questioned whether U.S. businesses are taking the necessary steps to protect their data. According to Pablo Martinez, a deputy special agent in charge of the Criminal Investigative Division at the U.S. Secret Service, in nearly all data breaches, the subject company had not taken reasonable precautions. A 2010 report found that 96% of breaches were, in fact, avoidable through simple or intermediate controls”. 

In determining how to begin drafting a comprehensive and effective bill to regulate data breaches, several lawmakers said they planned to use the Data Accountability and Trust Act (2009)(DATA Act), as their starting point. Although introduced and passed by the House, the DATA Act was put to a vote in the Senate. If passed, the Act would have required organizations holding personal data to maintain security policies and to notify affected consumers after a data breach. It addressed the following three major concerns: information security requirements for personal information in general; information security requirements for personal information for ‘information brokers’; and breach notice obligations.

Although the majority of states have enacted data breach laws, the DATA Act proposed an allowance for civil penalties of up to $11,000 per violation (up to $5 million) and each failure to send the required notification to an affected individual would be treated, under the Act, as a separate violation. The risk of such considerable penalties set forth in the Act would surely encourage compliance. On the other hand, there seemed to appear to be certain clauses within the DATA Act that could have lead to even less breach reporting. With regard to breach notice obligations, the bill required that potential victims of identity theft be notified whenever their electronically stored personal information was exposed. Had it been passed, the law would preempt all state laws (not just state laws that are less stringent or contrary to the Act) and would be the first of its kind. All competing state law standards would therefore be eliminated, ultimately leading to less forum shopping. Furthermore, the standard (“risk of harm”) set forth in the DATA Act falls on the higher end of the spectrum as compared to the standards set forth in some state laws which would most likely lead to less frivolous lawsuits.

A major concern with the DATA Act was that it could only be implemented by the FTC. This was problematic as there are numerous companies and organizations that the FTC does not have jurisdiction over including banks, common carries and nonprofits. In order to be effective and worthwhile, the new bill will have to be drafted so that it is not only enforceable by the FTC but by other governmental entities as well. Other apprehension stemmed from the fact that the bill provided that breaches would not have to be reported if the organization in question determined that “there is no reasonable risk of identity theft, fraud, or other unlawful conduct”. The bill also granted an exemption if the breached information was encrypted or protected by any other technologies that, according to the FTC, renders data unreadable.

As expected, lawsuits over the Japanese electronics giant’s breach have started to come out of the woodworks. The first suit came a day after Sony acknowledged the breach. The complaint, filed in the Northern District Court of California, alleges that Sony failed to take “reasonable care to protect, encrypt and secure the private and sensitive data of its users” which prevented PlayStation Network users from being able to “to make an informed decision as to whether to change credit card numbers, close the exposed accounts, check their credit reports, or take other mitigating actions”.  The suit seeks monetary compensation and free credit card monitoring.

A second suit, which claims damages in excess of $1 billion (Canadian dollars), was filed by a Toronto-based law firm on behalf of a 21-year-old plaintiff and names Sony Japan, Sony USA, Sony Canada and other Sony entities as defendants.

The aftermath of these recent incidents may prove to be a useful lesson and may expedite the development of better security technology and practices in the private sector and perhaps even force Congress and the FTC to finally pass a bill that will afford sufficient protection to consumers’ personal data.  We will continue to monitor the ongoing developments in privacy and security legislation and its potential impact on our clients.

The Facebook disclosures were the result of a common Web standard called a referer.  As web users navigate from site to site, the referer tells the new site which page the user is coming from.  Most of the time, this is an innocuous tool used to help websites track the source of their traffic flow and customize user experience.  However, when user IDs are included in web addresses, as is the case with Facebook and other social networking sites, this practice could potentially expose the browser’s identity.  The user IDs can be used to look up public information on the user’s Facebook profile, which, depending on the selected privacy settings, could include anything from the user’s name to his age, hometown, or even photos.

Sharing any user information with advertising and data companies is a violation of Facebook’s privacy policy.  However Facebook has stated that it does not consider the sharing of IDs with application developers to be a privacy breach and that the disclosures by the applications to advertising companies were, for the most part, inadvertent and a “byproduct of how internet browsers work”.  Facebook has announced a proposed solution that would encrypt user IDs in referer headers to prevent inadvertent disclosure to third parties.  The encryption will be mandatory starting January 1, 2011.  However, the encryption only prevents accidental transmission.  Describing it as a “Web-wide problem”, Facebook states that they are looking forward to working with the Web standards community and browser developers in the future to develop a more complete fix.  

Facebook has had trouble with the disclosure of user IDs before.  In May, Facebook revealed that IDs were being sent to advertisers when users clicked on certain ads on Facebook pages.  In some cases, advertisers received the ID of the user who clicked on the advertisement, as well as the ID of the person whose page the user was viewing at the time. 

The disclosure of user IDs, which has always been a sensitive issue for companies doing business on the web, is becoming more of a hot-button issue as public awareness of the issue increases.  It has already attracted the attention of lawmakers who have asked Facebook to outline the steps it is taking to protect consumer information.  While there is no foolproof method to prevent widespread disclosures of personal information, a two-pronged approach, using both technological solutions and a careful framing of contractual protections may help mitigate the problem and avoid the possibility of increased legislative oversight or intervention.

One technological solution would be the increased use of encryption in connection with coding, storing and transmitting user IDs and other personal information.  However, while encryption could prevent unauthorized disclosures, such technological solutions must be coupled with clear contractual obligations on the part of the various stakeholders to ensure their proper use and implementation.  For example, publishers, ad service providers, search providers, developers and others who rely on the use, analysis and disclosure of user data could include in their various agreements provisions requiring that encryption and/or other data security technologies be implemented in connection with the transfer of data between the parties. 

The agreements could also include provisions that spell out how the parties may use personal data (for example, only for internal use in connection with fulfilling obligations under the underlying agreement), and more critically, include specific restrictions and prohibitions on use (for example, prohibiting the sharing of such information with third parties).  Additionally, the inclusion of provisions requiring the maintenance of records of data practices which would be available for audit might also lead to increased vigilence.  Although these measures place increased burdens on the various stakeholders, absent further technological developments, they may be the best way to convince regulators (and the public) that the industry is serious about protecting consumers’ privacy.

Websites can also take steps on their own to beef up their security policies.  In recent months, Facebook has been working to increase their protection of user data.  Following an investigation by the Canadian Privacy Commissioner, Facebook limited the access that applications have to private information.  Unless the user grants additional permission, the application can only view information in the user’s public profile.  (For our previous article on the Canadian Privacy Commissioner’s investigation, see here.)  In early October, Facebook implemented a new tool to help users control what information applications can access, in response to criticisms that its privacy settings were too complicated.  And, after these latest disclosures, Facebook announced a “clarified” privacy policy stating that user IDs cannot leave an application.  In the event that a developer needs to share information with an advertiser or content provider, they must use an anonymous identifier. 

Whether or not these revised policies actually provide more protection to users’ privacy is yet to be seen.  However, it is probably not a stretch to say that the coming months will bring similar revelations and changes across the Web.  We will continue to monitor this and other developments in the ongoing debate over privacy on the internet. 

**Kate O’Donnell, who recently joined the Firm, assisted in the preparation of this article.

Most states and the federal government have specific laws that prohibit unlicensed gambling and lotteries, which are typically defined as “risk[ing] something of value upon the outcome of a contest of chance or a future contingent event not under his control or influence, upon an agreement or understanding that he will receive something of value in the event of a certain outcome” (See NY Penal Law – PEN§225.00 et seq.).  In fact, only state governments, where permitted, are allowed to run lotteries and many states outright prohibit them.  As a general matter, a lottery has three determinative, core elements: consideration (usually the payment of money), chance and prize.  Accordingly, for example, under California law Penal Code Sec. 319 , which is typical of most state anti-lottery laws, a contest or a sweepstakes becomes an illegal lottery when all three of these elements are present.  Therefore, in order to run a legal promotion (such as a sweepstakes or contest) one of the three elements of a lottery must be absent.

Sweepstakes generally enjoy an “exemption” of sorts from the lottery and gambling laws by virtue of the fact that there is no purchase required in order to enter (leading to the “NO PURCHASE NECESSARY” language that accompanies sweepstakes rules), thus eliminating the “risking something of value” element described above.  In contrast, a contest will often retain the consideration element but instead require some demonstration of skill from the participant, thus removing the core element of chance from equation.

Against this backdrop, the first slew of promotion-type apps taking advantage Apple’s revised developer terms have been sweepstakes as opposed to contests.  Specifically, these new applications are allowing entry into games where the winner is selected purely on a randomized basis, without having to demonstrate any skill in participating.  Therefore, laws applicable to the administration of sweepstakes, as opposed to contests, are at issue.

Historically, the largest legal hurdle and source of the most debate regarding the operation of sweepstakes has been over the removal of consideration from the equation.  Merely removing the requirement of an entry fee will not always satisfy the “no consideration” requirement as consideration can come in many forms, including the purchase of a product, an SMS text, subscription fees or otherwise engaging in activities that require substantial time or effort, such as completing an online survey, etc.  And even when some amount of consideration exists, promoters have generally avoided having their sweepstakes classified as unlawful lotteries by providing a universally-available, free alternative method of entry (“AME”) (such as a mail-in postcard, etc.) that provides equal treatment to entrants who use the AME.  Thus far, the sweepstakes applications available on the App Store (whether free or for a fee), such as “Scratch Off Now” from Thought Quarry LLC, which enables marketers to include their branding, messages and products on the app, are coupled with an AME on a corresponding website, allowing entrants the opportunity to participate in the sweepstakes without downloading the particular application.

However, providing an AME may not be enough, under some state laws, to make the promotion legal if the entrants that have paid consideration do not receive something of value for the payment.  An end user may not pay just for a chance to win a prize and state anti-gambling laws may be invoked (as is the case with online poker, sports betting and other forms internet-based gambling) if an end user is required to purchase (a) an app itself or (b) entry in a sweepstakes via such app and does not receive some value in return.  That “return value” needs to only be equivalent to the value paid for the app or the entry.  To take a recent example, paying entrants in a recent sweepstakes promotion tied to the Iron Man 2 movie release received a can of Dr. Pepper.

In addition to providing something of value to entrants, a sweepstakes can avoid classification as an illegal lottery if it clearly promotes the sale of “real” products or services, distinct from the game itself.  Accordingly, it is no surprise that Apple has limited its developers to creating “promotional” sweepstakes and contests. Even Facebook, which similarly allows third parties to run contests and promotions on its platform, continued to refine and post increasingly specific guidelines throughout the past year in an attempt to ensure that these gaming-style promotions are run in accordance with applicable law. In fact, Facebook now prohibits promotional sweepstakes that condition entry upon the purchase of a product, completion of a lengthy task, or other form of consideration.

Needless to say, the risks are real for both social networking sites and device manufacturers housing applications, particularly when both virtual and credit card transactions are occurring on and through the sites and platforms, including where credit card data is maintained (e.g., purchasing raffle tickets via an iPad app where the credit card charged is on file with Apple via iTunes), as the potential exists for liability to extend beyond the app developer.  Ultimately, social networking sites and platform developers need to ensure that their marketing partners, sponsors and developers carefully structure their promotions and apps to comply with anti-gambling laws.

As always, we will keep an eye out for developments in this area of the law, particularly as the lucrative and viral nature of these promotions continue to expand exponentially across new media platforms and devices.

A testament to the significance of this concern is last week’s victory of the Office of the Privacy Commissioner of Canada.  Facebook was charged with violating Canada’s privacy laws, both with respect to the disclosure of personally identifiable information of Facebook users to over one million third party Facebook application developers, as well as keeping a user’s personal information indefinitely (including after deactivation of a user’s account).  Along with the attention of other social network providers, Canada’s investigation certainly elicited global attention, as it became the first country to legally examine Facebook’s privacy policies and procedures.  This investigation has also led the Canadian privacy commission to examine the privacy policies and practices of six other social networking sites.  The Privacy Commissioner’s chief complaint was that the way in which Facebook provides information about its privacy policies to its users is often confusing or incomplete.

As a result of the investigation, Facebook announced that it will implement new privacy safeguards and modify its privacy policy accordingly.  Among other things, Facebook has agreed to compel third-party developers to disclose to Facebook users the precise types of information they plan to access and use.  Under the current policy, users who want to utilize the third-party applications via their Facebook account are required to agree to share all of their data with such third party developers. 

The new procedures are intended to ensure that users are given the opportunity to consent to use of each type of personal information (such as date of birth, hometown, etc.), but more importantly have the ability to refrain from approving the use/disclosure of certain types of information while still being able to utilize the third party applications.  Facebook will also provide users clearer explanations and information in terms of deactivating their user accounts, specifically to make it clearer to users the difference between deactivation and deleting their information permanently.  Although Facebook plans to begin updating their privacy policy within the next month or so, implementing the technical changes will be performed over the course of the next year. 

While Facebook was the primary target of the investigation, we believe that the Canadian government’s actions, and Facebook’s response, will have a substantial ripple effect, with businesses carefully reconsidering their terms of use and privacy policies to ensure compliance with both the letter and spirit of privacy laws and regulations throughout the world. 

The program enables individuals and companies to register a Facebook URL with an address format of www.facebook.com/[username].  Applicant for usernames are generally allowed to choose them freely, without need to prove any connection or ownership to the name itself.  This wide-open nature raises potential concerns for intellectual property rights holders, particularly trademark owners, worried about unauthorized use of their trademarks in connection with the service. 

Facebook has sought to maintain as much of control over the usernames as possible, including the right to remove or reclaim a username at any time for any reason.  This strong proactive stance is probably partially motivated by a desire to preempt and prevent widespread buying or selling of usernames, and the cyber-squatting practices that follow.  (Such concerns are not unfounded; Facebook usernames are already up for sale on Assetize, an online website specializing in the buying and selling of online accounts.)

But back to the ownership issue–Can Facebook actually “own” a username that contains a registered and widely used trademark owned by someone else?  And if Facebook “owns” the username, what happens when a trademark owner seeks to register the username containing its mark?  Is “ownership” (i.e., title) to the username conveyed?  Or does Facebook license the username?  Take for example the username “facebook.com/burgerking”.  As of the date of this posting, Burger King has not yet registered the username, but if it does choose to register it, is it accurate to say that Facebook is transferring ownership over the username to Burger King?  Or is it licensing it?  Either way, how can Facebook transfer to Burger King something Burger King already owns?

Also, Facebook claims that when a Facebook account is cancelled, that account’s username will not become available to anyone else.  If Burger King registers for the user name, and then cancels it, can Facebook prevent Burger King from re-registering the user name if it later changes its mind?  In the end it is not clear or likely that Facebook can legitimately assert power over trademark holders when it comes to the use of their trademarks in the Usernames program. 

Facebook’s terms of service do not help to clarify the matter.  They make no mention of the Usernames program.  On the other hand, Facebook’s “Help Center” does have a section devoted to answering common questions about the program.  When the program was launched, the Help Center materials contained a few scant paragraphs of information.  Since that time, it has become much more developed, but that initial lack of clarity exemplifies the legal ambiguity with which the initiative got off the ground.  The uncertainties surrounding the Usernames program may be of particular concern for businesses in light of their increasing reliance on Facebook as an avenue through which to connect with customers (and concerns about businesses’ dependence on Facebook are not new).

We will eventually see if Facebook’s experience with the Usernames program proves a cautionary tale as to the pitfalls of rolling out new programs without fully anticipating the potential legal issues.  As the Username feature develops and more companies become aware of it, Facebook may see both disputes and angry markholders multiply. 

This may turn into yet another cyber-battleground over trademarks.  Numerous trademark infringement claims have been brought against Google in connection with its search ad business.  The claims are based on Google’s sale of trademarked keywords through its AdWords program.  In large part, the plaintiffs have asserted that such sales constitute trademark infringement because consumers could be confused by links to competitors’ ads that pop up alongside a search for the plaintiff’s marks.  While Google suffered a litigation setback in April when the Second Circuit reversed a dismissal of a suit brought by Rescuecom Corp., two separate actions against Google, one by Daniel Jurin and the other by Ascentive LLC, were both recently dismissed.

We will continue to monitor these matters and keep an eye out for developments.  In the meantime, our group would be happy to discuss any specific questions you might have about the impact of Facebook’s Usernames program on your trademark portfolio and help you develop strategies to protect your intellectual property rights.

*  We would like to thank Yoshinori Sasao, a summer associate at the Firm, who assisted in preparing this article.

• The Performance Rights Act, which was approved by the House Judiciary Committee on May 13th, would levy fees on broadcasters for airing artists’ recordings. An indication of the heat generated by the debate over the PRA emerged this week when the musicFIRST Coalition, however, filed a complaint asking the FCC to investigate whether radio stations have been boycotting artists that support the PRA. The coalition’s filing accuses broadcasters of airing deceptive spots by portraying the proposed royalty as a “tax” and not airing musicFIRST’s own paid ad endorsements. While musicFIRST did not identify any specific station or broadcaster withholding airplay, the coalition alleged that several stations have refused to play an artist’s music based on his or her remarks or affiliation with endorsing the legislation. Spokesman Marty Machowsky said it would only identify specifics if the FCC initiates the proceeding and agrees to keep the information confidential.
• Facebook is now allowing users to select plain-language domain names for profile pages, which up until now, has been delineated by a string of letters and numbers. Facebook plans on allowing trademark holders to protect their marks and mediating all disputes internally. This, however, may not be enough to prevent lawsuits from occurring. Tim Cole, chief register liaison from the Internet Corporation for Assigned Names and Numbers, said that even careful mediation processes will not prevent skirmishes from breaking out. ICANN has been involved in quarrels over coveted web site names for more than a decade. We will be looking into this issue in depth in the coming week.
• The AACS Licensing Authority, which licenses AACS content protection scheme (DRM) used in high-definition Blu-ray discs, has included a provision in its Final Adopter Agreement which will lead to the eventual phase out of analog video output from hi-def discs. The goal of phasing out analog is to plug the “analog hole,” where digital content can be copied. The change, however, will not stop direct digital ripping. The efforts are being made in attempts to block means of casual copying, but may not be effective in thwarting commercial pirates.
• The second World Copyright Summit met in Washington, DC last week.  The conference agenda of four main points: New visions for creative industries, Challenges for creators and rights-owners in the digital era, Weather forecast on copyright climate, and Valuing the creative eco-system. Most of the concern was regarding copyright infringements on the Internet. The copyright owners and attendees also discussed the ongoing threat of internet privacy.

We would like to thank Jenny Liang, a summer associate with the Firm, who assisted in preparing this round-up.

• The Electronic Frontier Foundation released a “terms of service” tracker earlier this week. The tracker chronicles older and new terms of service agreements, side by side, and highlights changed provisions. The TOSBack.org site was created in part from an outgrowth of Facebook’s change in its service agreement in February that, under a broad interpretation, provided that Facebook with a license to its members’ uploaded content even after termination of membership. Following criticism in the media and by its members, Facebook backed down and provided for a termination of the license. But the episode revealed the difficulty end users have in evaluating how revised terms of service provisions can have real impact. The “terms of service” tracker currently tracks 44 sites, including Facebook, Google, WordPress, Data.gov, YouTube, GoDaddy, and eBay.
• For years, content providers have provided information to viewers for free by depending on advertising sales to support its websites. With the decline of the advertising market, advertisers have cut back on spending, forcing content providers to rethink their business model. Many websites are returning to previously used revenue models, including charging for premium services and selling real or virtual goods on its sites. GigaOM, a network of tech-oriented blogs, is one of the latest examples of this trend. GigaOM is charging for a premium subscription research service, which includes more content and analysis, while continuing to provide its basic content for free. We expect to see more business changes of this type in the future
• The increase in digital media possibilities has led traditional storefront retailers to make efforts to capitalize on digital space. Last September, Best Buy bought Napster for $121 million. Now, Best Buy is supplying capital for a new digital media investment fund managed by Fuse Capital. By doing so, Best Buy will be able to hedge its profit opportunities in this fast-changing economy with both its core retail business and its investments in digital media.
• Internet advertisers have been using trackers to follow around users. But now federal regulators are tracking the online advertisers around to ensure that they are being fair to consumers. According to Jessica Rich, the Assistant Director of the Federal Trade Commission’s Privacy & Identity Protection (USPIRG) arm, “[t]he FTC is concerned that data collection is disproportionate to the benefits that are achieved.” In December, the FTC released a draft of behavioral guidelines, calling for more transparency and user control, and allowing opt-ins for sensitive data. Few people actually opt out, however, even when given the opportunity. Yahoo told Congress last year that only 75,000 users a month even visited its privacy page to opt out of targeted ads. Microsoft’s Mike Hintze says that it is unrealistic and that if users are not going to bother to opt out, they are unlikely to opt in. He suggests that more consumer education is necessary, but most consumers just do not care.
• A recent study confirms DRM technology sometimes it makes pirates of even those who are attempting to make legal uses of content. DRM does not discriminate between preventing illegal versus legal uses. As a result, even users who want to use the content for legal purposes must violate anticircumvention laws and in essence become pirates to accomplish their goals. Advocates of the DRM technology assert that despite the inability to accommodate legal uses, there is not an anti-piracy solution that would be able to accommodate all possible legal exceptions. Unfortunately, this has left even legal content users forced to find other means, including piracy, to get around the DRM protection.

• According to a new research study by Nielson Online, social sites like Facebook have surpassed e-mail as the number one online activity, with two-thirds of the world’s population visiting social networking or blogging sites.  What’s more, the “stickiness” of these sites is expanding, with one of every 11 minutes spent online being devoted to social networking activities.  And, in a finding to confirm the frustration and consternation of many teenagers, the fastest growing audience on Facebook is the 35-49 age group.  Which may explain such Facebook groups as “Cool Parents Who Have Facebooks”, although we at digitalhhr can proudly say we have avoided joining that one.)
• In perhaps one more sign of the ubiquity of social networking sites, Citigroup is rolling out a MySpace-branded Visa credit card.  Its marketing pitch is geared to fiscal responsibility-a bit of an ironic twist considering Citibank’s own (mis)adventures in that area.  But Citibank is also trying to preach to its intended audience, providing bonus points to be used for concerts, movie premieres and music downloads, as well as the ability to earn points for donations and charitable deeds.  Citi has also adopted a “manifesto” including such planks as “The environment, the economy, our very security …They’re the consequences of people not thinking about consequences.” 
• In the coming weeks, members of the Online Publishers Association (OPA) such as ESPN, Forbes.com and iVillage plan to roll out new, flashier, in-your-face, ad display units aimed at grabbing visitor attention better than the average banner ad.  While enabling advertisers to get more creative with their online ads, the new formats will hopefully help publishers make more money from fewer ads, since an abundance of ad inventory has been depressing revenue. 
• Continuing the social networking news, Hulu quietly added a new social networking feature that allows users to add friends, recommend videos or shows to one another and leave messages for one another, a la Facebook.  The site, which just celebrated its 1st birthday has even more reason to celebrate.  In just one year, it has become the number two site among the top online video properties, with 9.5 million unique viewers in February viewing 308 million video streams. 
• Google introduced its Google Voice integrated phone service, which was built on top of technology developed by GrandCentral, a company acquired by Google in 2007.  With its host of features, Google seems to be aiming less at replacing any one telephone service-such as VoIP or voicemail transcription or conference calling-and more at insinuating itself in as many aspects of telecommunications services as possible. 

On Wednesday, the Internet Safety Technical Task Force, led by The Berkman Center for Internet & Society at Harvard University, issued a report entitled “Enhancing Child Safety & Online Technologies.”  The report was compiled at the request of the Multi-State Working Group on Social Networking, comprised of 50 state Attorneys General.  The task force includes representatives from several well-known Internet social network and online service providers, including Google, AOL, Facebook and MTV Networks/Viacom.  The report, which was a year in the making, sought to determine the extent to which currently-available technology could help to address online safety risks to youths in the U.S., with a primary focus on social networking. 

The task force consulted with experts in the field of youth online safety and technology and sought input from the public upon which to base its findings.  Most significantly, eight leading social networking sites (including AOL, Bebo and Orkut (Google)) provided submissions to the task force detailing their efforts to enhance online safety for children, including the development and implementation of technologies focused on age and identity verification/authentication, filtering and auditing, text analysis and biometrics. 

While “cautiously optimistic” about the innovations they’ve observed, the task force cautioned against overreliance on technology, and noted that there is no one technological solution, or combination of solutions, that can provide complete online safety for minors.  Rather (and probably one of the more obvious solutions), the task force noted that the importance of parental oversight and education in use of the Internet must not be underestimated.  Ultimately the task force does not believe that the Attorneys General should endorse any one technology or set of technologies, but should work collaboratively with all stakeholders in pursuing a multi-faceted approach in protecting children from the risks of Internet usage.

Above all else, it is important to recognize that child safety, whether online or offline, in the virtual world or the real world, starts at home.  Putting that aside, it is definitely interesting to see social network providers coming around and taking a proactive role, particularly those that traditionally took a “hands-off” approach to filtering and monitoring the content on their sites and/or implementing security and safety procedures to protect minors. 

Power.com, a Rio de Jeneiro-based company, is also getting in on the action, with a solution that offers users the ability to view all of their social networks and synchronize friends lists, photos, updates, etc., on one platform.  Essentially, when a user logs in via Power.com they can access any of their social network pages with one click, and can simultaneously update the content of all their personal pages.  As of now, Power.com already supports Facebook, MySpace, Hi5, MSN Messenger and some others, and has its sights set on LinkedIn, Gmail, AOL and some other well-known social utilities.

While all of this one-stop-shop socializing seems appealing for a lot of reasons, (and I’m not suggesting otherwise), there are some real paradigm-shifting concerns to consider.  Privacy is obviously a big one (but that is an issue I will address in its own posting so stay tuned).  The more significant and relevant issue is the shift from a more traditional, territorial approach to ownership of end user data—where websites jealously guarded their relationships and connections with their subscribers and users–to the idea of data “portability” and the sharing of end user data across sites and among business partners.  For example, Facebook has detailed information about its users (e.g., their identities, likes, friends, etc.) but up until now that information has, for the most part, been solely of use from a targeting/marketing perspective. By creating an environment where a user can log in to websites with his or her Facebook profile and invite Facebook friends to share the experience on that site, the Facebook profile information can now be leveraged for the delivery of personalized advertising on the partner site.  Facebook gains from being able to monetize its information “off-site” and the partner gains from being able to harvest the Facebook information for targeted ad sales without having to collect the information itself.  Users may benefit from not having to provide their information to multiple sites across the Web.  There is also the added benefit (as pointed out by Facebook) of providing users with a single point of contact to control privacy settings.

While this sounds good in theory, it will definitely raise eyebrows when it comes to negotiating deals, particularly with respect to ownership issues and the conditions and limitations of the use of the information.  Some say these mere technical advancements won’t yet have a significant impact on how businesses approach social media, but I think it will be very interesting to see how quickly that will change.  Is everything better when its social? That remains to be seen.