<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Baer Business Law - Greater Philadelphia Area - Intellectual Property Law - Business Law - E Commerce - Contracts - Trademarks - Copyrights &#187; News</title>
	<atom:link href="http://www.baerbizlaw.com/category/blog/category/blog/news/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.baerbizlaw.com/category/blog</link>
	<description></description>
	<lastBuildDate>Tue, 27 Jul 2010 19:59:13 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.8.4</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>V-J (Jailbreaking) Day</title>
		<link>http://www.baerbizlaw.com/category/blog/v-j-jailbreaking-day/</link>
		<comments>http://www.baerbizlaw.com/category/blog/v-j-jailbreaking-day/#comments</comments>
		<pubDate>Tue, 27 Jul 2010 19:59:13 +0000</pubDate>
		<dc:creator>andrew</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[copyright]]></category>
		<category><![CDATA[intellectual property]]></category>
		<category><![CDATA[iPhone]]></category>
		<category><![CDATA[jailbreaking]]></category>

		<guid isPermaLink="false">http://www.baerbizlaw.com/category/blog/?p=1122</guid>
		<description><![CDATA[<p>On Monday July 26, the Register of Copyrights handed digital rights advocates a huge victory by <a href="http://www.copyright.gov/1201/">announcing new rules</a> legalizing iPhone jailbreaking.</p>
<p>F[......]</p><p class='read-more'><a href='http://www.baerbizlaw.com/category/blog/v-j-jailbreaking-day/'>Continue...</a></p>]]></description>
			<content:encoded><![CDATA[<p>On Monday July 26, the Register of Copyrights handed digital rights advocates a huge victory by <a href="http://www.copyright.gov/1201/">announcing new rules</a> legalizing iPhone jailbreaking.</p>
<p>For those who are unfamiliar with the iPhone ecosystem, jailbreaking is iPhone user parlance for modifying the smartphone&#8217;s firmware so that it operates with applications (or &#8220;apps&#8221;) which are not sold through the Apple iTunes App Store.  Jailbreaking opens up the ecosystem by enabling iPhone owners to run any apps they wish.  Apple, citing reputational and user experience concerns, such as avoiding security breaches and malfunctions, as well as the need to protect app sellers on the App Store from unauthorized distribution of their works, has opposed jailbreaking and lobbied vigorously to maintain a closed ecosystem.  </p>
<p>Of course, Apple has a vested interest in keeping the App Store the exclusive source of iPhone apps, as it frequently takes a cut of sales.  Furthermore, according to the <a href="http://www.eff.org">Electronic Frontier Foundation (EFF)</a>, which led the battle to legalize jailbreaking, Apple is somewhat puritanical about what apps may be featured on the App Store.  In 2009, for example, Apple initially barred a Nine Inch Nails-themed app from the band’s front man Trent Reznor, as well as “Me So Holy,” an irreverent app that pastes a snapshot of the user’s face over the faces of hallowed religious figures.</p>
<p>The copyright issues involved in the rulemaking, while complex, are worth considering, since they raise cutting-edge issues of digital fair use that will become ever more germane as smartphones (and iPads) become our can&#8217;t-live-without, all-purpose personal computing, communication and multimedia devices.   </p>
<p><strong>Thou Shalt Not Circumvent, Except&#8230;.</strong></p>
<p>The so-called &#8220;anti-circumvention&#8221; provision of the Digital Millennium Copyright Act (DMCA), 17 U.S.C. §1201(a)(1), prohibits the circumvention of technological measures (also known as digital rights management or DRM) that “effectively control[] access” to copyrighted works.  In this case, jailbreaking often requires the bypassing of software locks controlling access to the copyrighted iPhone firmware, the bootloader and operating system.  Therefore, until now jailbreakers ran the risk of being sued for unlawful circumvention.  </p>
<p>However, under the DMCA, the Library of Congress and the Copyright Office may hold rulemakings to create three-year exemptions permitting the circumvention of technological measures controlling access to certain classes of copyrighted works if users are likely to be adversely affected in their ability to make non-infringing uses of those works due to the circumvention prohibition.  EFF sought such an exemption, as well as an exemption for DVD &#8220;ripping&#8221; and a renewal of the 2006 exemption allowing smartphone users to unlock their devices to work with a variety of wireless networks (Apple strikes again).  </p>
<p>EFF ended up winning all three exemptions, with some limitations.  While it made a number of arguments in favor of the right to jailbreak, the one that clearly resonated the most with the Register of Copyrights was that the modification of the firmware code (technically, the creation of a derivative work, one of the exclusive rights reserved to the copyright holder) to permit interoperability with unapproved apps is a fair use and, therefore, non-infringing.    </p>
<p><strong>Fair Use and the Quest for Interoperability</strong></p>
<p>In evaluating the statutory factors of fair use analysis to reach this conclusion, the Register of Copyrights emphasized that the firmware modification is a private and non-commercial use (specifically, use on the very wireless handset owned by the user and for exactly the purpose the code was created, to operate applications) that does not injure Apple&#8217;s <strong><em>copyright</em></strong> interests as the owner of the code (though it does impinge on Apple&#8217;s interests as &#8220;a manufacturer and distributor of a device&#8221;).  The ruling also noted that the DMCA embodies a statutory policy favoring uses that make software programs interoperable.  </p>
<p>Looking at the nature of the work claimed to be infringed, the Register of Copyrights observed that the firmware (basically, an operating system) was of a functional (as opposed to a creative) nature and was intended to enable the running of applications.  With regard to the &#8220;amount and substantiality of the portion used in relation to the copyrighted work as a whole,&#8221; while reuse of most of the original firmware is necessary to run apps, the Register of Copyrights did not give this factor much weight, since the modified code typically represents 50 bytes or less out of approximately 8 million bytes.  Most tellingly, with regard to the final fair use factor, the effect of the use on the market for or value of the copyrighted work, jailbreaking does not involve or threaten the commercial exploitation of the firmware, which has no independent economic value apart from the iPhone.  Once again Apple fell back on a reputational argument that allowing an exemption would jeopardize the integrity of its ecosystem.  But, as the Register of Copyrights noted, this is not a concern that fair use analysis is meant to address.  </p>
<p>The cell doors of iPhones and iPads have now been sprung open.  However, as a cautionary note, app users should be aware that certain software upgrades provided by Apple will disable jailbroken phones, and failure to install these upgrades may void the user warranty.  Still, there&#8217;s no question that horizons have widened for app users and developers alike, particularly in the iPad gold rush now underway.  </p>
]]></content:encoded>
			<wfw:commentRss>http://www.baerbizlaw.com/category/blog/v-j-jailbreaking-day/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Law &amp; Order:  Special Website Terms Enforcement Unit</title>
		<link>http://www.baerbizlaw.com/category/blog/law-order-special-website-terms-enforcement-unit/</link>
		<comments>http://www.baerbizlaw.com/category/blog/law-order-special-website-terms-enforcement-unit/#comments</comments>
		<pubDate>Thu, 15 Jul 2010 14:44:00 +0000</pubDate>
		<dc:creator>andrew</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[Computer Fraud and Abuse Act]]></category>
		<category><![CDATA[copyright]]></category>
		<category><![CDATA[cybertrespass]]></category>
		<category><![CDATA[E-Commerce]]></category>
		<category><![CDATA[social media]]></category>

		<guid isPermaLink="false">http://www.baerbizlaw.com/category/blog/?p=1086</guid>
		<description><![CDATA[<p>Kudos to the digital rights crusaders at the <a href="http://www.eff.org">Electronic Frontier Foundation</a> for combating a disturbing new trend:  criminal prosecutions of persons wh[......]</p><p class='read-more'><a href='http://www.baerbizlaw.com/category/blog/law-order-special-website-terms-enforcement-unit/'>Continue...</a></p>]]></description>
			<content:encoded><![CDATA[<p>Kudos to the digital rights crusaders at the <a href="http://www.eff.org">Electronic Frontier Foundation</a> for combating a disturbing new trend:  criminal prosecutions of persons who violate the terms of use of public websites.  </p>
<p>Yes, you heard that correctly.  In the last few months, the federal government has brought indictments against several individuals under a 1986 anti-hacking statute, the Computer Fraud and Abuse Act (the &#8220;CFAA&#8221;), for engaging in otherwise legal online behavior that nevertheless violated website terms of use.  The CFAA (18 U.S.C. §1030) imposes criminal and civil sanctions for access to a protected computer without authorization or exceeding the scope of authorization.  The theory used by government prosecutors and private litigants is that the do&#8217;s and don&#8217;ts spelled out in website terms of use define the scope and limitations of permitted access.  Any behavior contrary to such terms, then, renders the site access illegal.  In the most common application of this theory, an action is brought against a data aggregator or other person for using bots (automated software programs) to access a public website whose terms of use prohibit access through &#8220;automated means.&#8221;</p>
<p><strong>Cops Armed with Website Terms</strong></p>
<p>Even apart from the argument that the CFAA was never intended to prevent non-invasive access to public websites, the EFF highlights another problem with this theory:  it delegates to private website owners the ability to define what is and is not criminal behavior.  As an Internet lawyer who has both written and reviewed many website terms of use and privacy policies over the years, I can appreciate the EFF&#8217;s concern that they are rife with arbitrary and one-sided clauses.  </p>
<p>In <em>United States v. Lowson</em>, federal prosecutors brought an action in New Jersey against the operators of Wiseguys Tickets, Inc., which used bots to buy concert tickets on the Ticketmaster.com website for resale, contrary to the site terms of use which prohibited access by automated means.  Although scalping is not illegal in New Jersey, the government justified its action by a supposed need to protect consumer access to tickets.  The EFF has filed an <em>amicus curiae</em> (friend of the court) brief on behalf of the defendants in this case.   </p>
<p>In <em>United States v. Drew</em>, the feds indicted a woman who created a false profile on MySpace and used it to communicate with a teenager, who later committed suicide.  The EFF similarly filed an <em>amicus</em> brief for the defense, and the indictment was ultimately dismissed.  </p>
<p>Facebook is using a similar theory in a civil suit against a company called Power Ventures.  Power Ventures provides an add-on that enables Facebook users to aggregate their data over several social media sites.  Facebook is alleging that Power Ventures violated California criminal law because the add-on utilizes a bot (in violation of the Facebook terms of use) to retrieve user data.  (Never mind, as the EFF has wryly observed, that the bot is being deployed <strong>at the user&#8217;s initiative</strong> to obtain <strong>his or her own data</strong>.) </p>
<p><strong>Confusion in the Law</strong></p>
<p>I&#8217;ve been following these cybertrespass cases for years, and on a number of occasions I&#8217;ve counseled data aggregators using bots and other aggregation tools to harvest factual and similar uncopyrightable data from publicly accessible websites.  It&#8217;s an exceedingly common practice, part of the landscape of the Internet that we are coming to take for granted.  Unfortunately, the law hasn&#8217;t kept pace with technological evolution and business practices.   The authorities are conflicted, and while some cases set a high standard for proving damage or loss in common-law computer trespass and CFAA actions based on violation of website terms (for example, a substantial slowdown of the web server or exclusion of other users due to tens of thousands of pings from bots over a short period of time), other courts have left the door wide open for suits.</p>
<p>As the EFF has observed, the defendants in these cybertrespass cases (scalpers, an unfriendly adult tormenting a teenager online, etc.) are not terribly sympathetic.  In the first rash of civil cases in the early 2000&#8217;s, the defendant was generally a competitor of the plaintiff which used bots to copy factual data (such as movie times) from the plaintiff&#8217;s site.  On some level this may seem unfair, since a website operator makes an investment in time and resources to assemble and publish the information in the first place.  On the other hand, where the copyright law does not grant protection in publicly available content, the purpose of the law is circumvented by engineering some other legal cause of action effectively to prevent the copying and republishing of this content.   (Copyright protects <em>creative</em> expression, and raw factual data by itself lacks even the minimal creative quotient needed for copyright.  The fact that it may be difficult to assemble is legally irrelevant.) </p>
<p><strong>Finding a Balance</strong></p>
<p>The bringing of criminal prosecutions for violating public website terms of use takes the confusion in the law to a frightening new level.  Even if courts ultimately dismiss the indictments (as happened in the <em>Drew</em> case), the threat of prosecution can be expected to deter competition and chill the beneficial use of data aggregation tools to enable the free access and management of data on the Internet, including users&#8217; own data.  Furthermore, <a href="http://www.eff.org/deeplinks/2010/06/its-your-data-its-your-bot-its-not-crime">as the EFF has noted</a>, innocent parties who do not read or do not understand the terms of use of the sites they are accessing may be caught in the cybertrespass dragnet.  </p>
<p>While the use of bots to access and harvest data from protected areas of sites (such as third parties&#8217; personal profiles designated as private and shielded by privacy settings) should be actionable and treated as a criminal offense under the CFAA, website operators should not look to the government to police users on the public areas of their sites.  Rather, let them be responsible for enforcing their own terms of use under breach of contract law and provide evidence of actual, quantifiable damages from user access they don&#8217;t like.  </p>
]]></content:encoded>
			<wfw:commentRss>http://www.baerbizlaw.com/category/blog/law-order-special-website-terms-enforcement-unit/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Bilski Ruling:  Software and Internet Patents Still Up in the Air</title>
		<link>http://www.baerbizlaw.com/category/blog/the-bilski-ruling/</link>
		<comments>http://www.baerbizlaw.com/category/blog/the-bilski-ruling/#comments</comments>
		<pubDate>Wed, 07 Jul 2010 14:42:41 +0000</pubDate>
		<dc:creator>andrew</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[Bilski]]></category>
		<category><![CDATA[information technology]]></category>
		<category><![CDATA[intellectual property]]></category>
		<category><![CDATA[patent]]></category>
		<category><![CDATA[Supreme Court]]></category>

		<guid isPermaLink="false">http://www.baerbizlaw.com/category/blog/?p=1057</guid>
		<description><![CDATA[<p>It wasn&#8217;t supposed to happen like this.  The U.S. Supreme Court&#8217;s long-awaited ruling in <em>Bilski v. Kappos</em> was supposed to bring clarity t[......]</p><p class='read-more'><a href='http://www.baerbizlaw.com/category/blog/the-bilski-ruling/'>Continue...</a></p>]]></description>
			<content:encoded><![CDATA[<p>It wasn&#8217;t supposed to happen like this.  The U.S. Supreme Court&#8217;s long-awaited ruling in <em>Bilski v. Kappos</em> was supposed to bring clarity to the question of what &#8220;processes&#8221; were eligible for patenting and whether general methods of conducting business more efficiently (so-called &#8220;business methods&#8221;) could qualify.  These are vital issues for software and Internet companies, whether concerned with protecting their own products and processes (the novel parts of which may not be tied to a particular machine or transform something physical and tangible) or living under the shadow of harassment from patent trolls. </p>
<p>You&#8217;ve probably sensed the hunger for an answer <a href="http://www.baerbizlaw.com/category/blog/what-is-technology">if you&#8217;ve read this blog at all over the past year.</a> (And if you haven&#8217;t, we forgive you.)  Everyone, including all nine Supreme Court justices, agreed that Bernard Bilski and Rand Warsaw&#8217;s patent application for a method of hedging weather-related risk in energy trading was properly denied by the Patent Office.  That much was clear from the November 2009 oral arguments before the Court, in which the querulous justices peppered Bilski&#8217;s counsel with business method patent hypotheticals (speed dating, an 80%-effective method of keeping students awake during an antitrust class, a method of maximizing wealth by buying low and selling high, and horse whispering).  The hypotheticals were only slightly more absurd than the reality with which businesses have been living since the Federal Circuit suggested in its 1998 ruling in <em>State Street Bank v. Signature Financial Group</em> that methods of conducting business could be patentable if they produced a &#8220;useful, concrete and tangible result.&#8221;  </p>
<p>The Bilski/Warsaw &#8220;invention&#8221; did not pass the smell test.  The question was <em>why</em>?  Inquiring technologists and IP lawyers wanted to know.</p>
<p><strong>Abstract Ideas</strong></p>
<p>In the end, the Court splintered.  All the justices agreed that Bilski&#8217;s patent application taught an abstract idea or principle, and as such, according to well-established precedent, was not eligible for patenting as a &#8220;process&#8221; under <a href="http://www.uspto.gov/web/offices/pac/mpep/documents/appxl_35_U_S_C_101.htm">35 U.S.C. §101</a>.  Abstract ideas or principles, laws or phenomena of nature (even if just discovered) and mental processes are not patent-eligible subject matter because they are seen as the basic tools of scientific and technological work, and courts are careful not to permit any single person or entity to preempt their use.  (However, as the Court&#8217;s opinion noted, the <em>application</em> of such concepts to a known structure or process can be patentable if it is novel, useful, non-obvious when viewed against the prior art and supported by a full and particular description in the patent application.)  </p>
<p>All of the justices also agreed that the Federal Circuit had overstepped its bounds by holding that the <a href="http://www.baerbizlaw.com/category/blog/the-coming-day-of-reckoning-for-business-method-patents/">machine-or-transformation test</a> (which grounded the patentability of processes in their connection to a particular machine or physical transformation) was the sole test for determining whether a process met the threshold requirement for patentability.  However, in a true mindbender, they <em>also</em> all agreed that the machine-or-transformation test is still relevant, as a &#8220;useful and important&#8221; clue or investigative tool (in the Court&#8217;s opinion) or as a &#8220;critical&#8221; tool (in Justice John Paul Stevens&#8217; concurring opinion).  Of course, the justices could not agree on exactly <em>how</em> the machine-or-transformation test was still important, useful, critical, awesome, etc.  In the Court&#8217;s opinion, the justices drew a dichotomy between Industrial Age inventions and Information Age inventions and suggested that the machine-or-transformation test might be the proper standard for evaluating processes in the first category, but from my perspective, trying to puzzle out whether a client&#8217;s invention is more like a steam engine or a search engine doesn&#8217;t seem like a particularly helpful &#8212; or intellectually satisfying &#8212; inquiry.  Ultimately, the Court <strong><em>did not articulate a standard</em></strong>, beyond trotting out the abstract idea trope as a lowest-common-denominator limiting principle.  </p>
<p><strong>What About Business Methods?</strong></p>
<p>So where does that leave us?  In limbo, dear techies.  The lower courts will have to go back to the drawing board to devise new standards for evaluating software and Internet patents.  The <em>Bilski</em> opinion &#8212; or more accurately, opinion<em>s</em> (for there were several concurrences) &#8212; do provide a few tea leaves to read.  Business method patents survive, but by the skin of their teeth.  The Court&#8217;s opinion leaves open the possibility that some business methods may be patentable, although the majority is skeptical that they warrant &#8220;broad patentability&#8221;, and in his concurring opinion Justice John Paul Stevens (joined by Justices Sonia Sotomayor, Stephen Breyer, and Ruth Bader Ginsburg) argued strenuously that business methods should never be patentable.  </p>
<p>The relevant part of the Court&#8217;s opinion (authored by Justice Anthony Kennedy and joined in by Chief Justice John Roberts as well as Justices Samuel Alito and Clarence Thomas) had this to say with regard to business method patents:  </p>
<p><em>&#8220;Interpreting §101 to exclude all business methods simply because business method patents were rarely issued until modern times revives many of the previously discussed difficulties&#8230;.  At the same time, some business method patents raise special problems in terms of vagueness and suspect validity&#8230;.  The Information Age empowers people with new capacities to perform statistical analyses and mathematical calculations with a speed and sophistication that enable the design of protocols for more efficient performance of a vast number of business tasks. <strong>If a high enough bar is not set when considering patent applications of this sort, patent examiners and courts could be flooded with claims that would put a chill on creative endeavor and dynamic change.</strong></p>
<p>In searching for a limiting principle, this Court&#8217;s precedents on the unpatentability of abstract ideas provide useful tools&#8230;.  <strong>Indeed, if the Court of Appeals were to succeed in defining a narrower category or class of patent applications that claim to instruct how business should be conducted, and then rule that the category is unpatentable because, for instance, it represents an attempt to patent abstract ideas, this conclusion might well be in accord with controlling precedent&#8230;.</strong>  But beyond this or some other limitation consistent with the statutory text, the Patent Act leaves open the possibility that there are at least some processes that can be fairly described as business methods that are within patentable subject matter under §101.&#8221;</em></p>
<p>As previously mentioned, four justices (including three who remain on the Court) have taken the position that business methods are not patentable under any circumstances.  It is also worth noting that Justice Antonin Scalia did not join in the portion of the Court&#8217;s opinion (quoted above) upholding the theoretical patent-eligibility of business methods.  Therefore, at least three, and perhaps four, sitting justices reject business method patents totally, with four others rejecting their &#8220;broad patentability&#8221; and recommending that a higher bar be set.  Notably, too, all of the justices take a dim view of the <em>State Street</em> opinion, with the majority refusing to endorse its perceived blessing of business method patents and Justice Stevens&#8217; concurrence calling it a &#8220;grave mistake.&#8221;  Forget abortion, gun rights and church-state separation:  given this volatile mix, Elena Kagan&#8217;s views on patent law may assume paramount importance.  </p>
<p><strong>What Do I Do Now?</strong></p>
<p>So what should software and Internet clients take away from all of this?  Don&#8217;t blow your legal dollars on patents if the essential value of your invention or product lies in its algorithm or the fact that it automates or expedites a general business process.  Despite the Court&#8217;s rejection of the machine-or-transformation test as the exclusive standard for the patent eligibility of processes, the Patent Office will only be emboldened by <em>Bilski </em>to continue its aggressive stance against business methods and software and Internet patents whose claims are broad and general and have only an ethereal connection to hard technology.  </p>
<p>In addition, established companies with ample litigation reserves that are approached by patent trolls wielding business method and general process patents should consider the value of an upraised middle finger.  If one such company (possibly co-funded by other similarly situated targets) succeeds in getting the troll&#8217;s patent invalidated, the troll&#8217;s business is vaporized.  Accordingly, trolls may choose their targets more carefully from now on, may be more hesitant to follow through on threatened infringement litigation, and may be willing to take a smaller license fee before moving on to the next target.  However, because business method patents survive and <em>Bilski</em> provides no concrete guidance for what qualifies as a patent-eligible process, the troll threat is not eliminated.</p>
<p><strong>Towards Patent Act 2.0 </strong></p>
<p>Was <em>Bilski</em> worth the wait?  I&#8217;d have to say no.  On the other hand, perhaps the justices can&#8217;t be blamed for agonizing over our intellectual property law&#8217;s failure to come to grips with non-traditional inventions and the marginalization of brick-and-mortar innovation ecosystems.   It&#8217;s time, perhaps, for Congress to step in and give us a Patent Act for the post-industrial age.  </p>
]]></content:encoded>
			<wfw:commentRss>http://www.baerbizlaw.com/category/blog/the-bilski-ruling/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>No Patent for Bilski, Business Methods Survive</title>
		<link>http://www.baerbizlaw.com/category/blog/no-patent-for-bilski-business-methods-survive/</link>
		<comments>http://www.baerbizlaw.com/category/blog/no-patent-for-bilski-business-methods-survive/#comments</comments>
		<pubDate>Mon, 28 Jun 2010 15:08:55 +0000</pubDate>
		<dc:creator>andrew</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[Bilski]]></category>
		<category><![CDATA[intellectual property]]></category>
		<category><![CDATA[patent]]></category>
		<category><![CDATA[Supreme Court]]></category>

		<guid isPermaLink="false">http://www.baerbizlaw.com/category/blog/?p=1047</guid>
		<description><![CDATA[<p>The Supreme Court issued its long-awaited decision in <em>Bilski v. Kappos</em> today.  I will provide a detailed analysis of the ruling and its implications f[......]</p><p class='read-more'><a href='http://www.baerbizlaw.com/category/blog/no-patent-for-bilski-business-methods-survive/'>Continue...</a></p>]]></description>
			<content:encoded><![CDATA[<p>The Supreme Court issued its long-awaited decision in <em>Bilski v. Kappos</em> today.  I will provide a detailed analysis of the ruling and its implications for the future of patent law in a subsequent post.  Here is a brief summary of the high points:</p>
<p><strong><em>* Bilski&#8217;s patent application for a method of hedging risk in commodities trading was properly rejected because the invention was nothing more than abstract principles and formulae, which are not subject matter eligible for patenting according to prior Supreme Court decisions.</p>
<p>* The Federal Circuit was incorrect in holding that the <a href="http://www.baerbizlaw.com/category/blog/the-coming-day-of-reckoning-for-business-method-patents">machine-or-transformation test</a> is the exclusive standard for defining the patent eligibility of a &#8220;process.&#8221;</p>
<p>* There is no reason to exclude categorically business methods from the scope of patent eligible subject matter.  A business method can be a patentable &#8220;process&#8221; if it meets the other statutory requirements for patenting (novelty, usefulness, etc.).</em>  </strong></p>
]]></content:encoded>
			<wfw:commentRss>http://www.baerbizlaw.com/category/blog/no-patent-for-bilski-business-methods-survive/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>FTC Data Breach Action Against Twitter Settled</title>
		<link>http://www.baerbizlaw.com/category/blog/ftc-data-breach-action-against-twitter-settled/</link>
		<comments>http://www.baerbizlaw.com/category/blog/ftc-data-breach-action-against-twitter-settled/#comments</comments>
		<pubDate>Fri, 25 Jun 2010 18:42:29 +0000</pubDate>
		<dc:creator>andrew</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[data security]]></category>
		<category><![CDATA[FTC]]></category>
		<category><![CDATA[information security]]></category>
		<category><![CDATA[privacy]]></category>

		<guid isPermaLink="false">http://www.baerbizlaw.com/category/blog/?p=1024</guid>
		<description><![CDATA[<p>The Federal Trade Commission (FTC) announced on June 24 that Twitter is settling an action brought by the agency after hackers exploited lax informati[......]</p><p class='read-more'><a href='http://www.baerbizlaw.com/category/blog/ftc-data-breach-action-against-twitter-settled/'>Continue...</a></p>]]></description>
			<content:encoded><![CDATA[<p>The Federal Trade Commission (FTC) announced on June 24 that Twitter is settling an action brought by the agency after hackers exploited lax information security protections at the site to gain administrative control and access private accounts and other personal information.  The compromised information included e-mail addresses and tweets meant for individual recipients and followers only.  Intruders were also able to send phony tweets from the accounts of then-President-elect Barack Obama and Fox News, among others.  </p>
<p>The details of the 2009 data breaches and the security holes that enabled them are summarized in the FTC&#8217;s press release, which you can find <a href="http://www.ftc.gov/opa/2010/06/twitter.shtm">here</a>.  The data breaches stemmed from two incidents.  In the first one, an intruder used an automated password-guessing tool to enter an administrative password (a weak lower-case password consisting of a common dictionary term) on the site&#8217;s main login page.  Using the password, the intruder reset several passwords and posted some of them on a website where they could be used by others.  In the second incident, an intruder hacked a Twitter employee&#8217;s personal e-mail account and was able to derive an administrative password from similar passwords that were stored in plain-text.  Twitter&#8217;s privacy policy at the relevant times used common boilerplate to describe its data security procedures:   </p>
<p><em><strong>“Twitter is very concerned about safeguarding the confidentiality of your personally identifiable information. We employ administrative, physical, and electronic measures designed to protect your information from unauthorized access.”</strong></em></p>
<p>It is important to note that Twitter never guaranteed the security of its site.  Indeed, tech lawyers like myself routinely warn clients against calling their sites &#8220;secure&#8221; and making similar unqualified assurances.  A cynic might remark that &#8220;weasel language&#8221; like Twitter&#8217;s is designed to stimulate a cozy feeling in users without committing the site to any concrete obligations or precautions.  </p>
<p>The FTC&#8217;s explanation of the charges against Twitter crystallizes its thinking and underlines the agency&#8217;s increasingly aggressive approach to regulating privacy and data security on the Internet and especially on social media sites:  </p>
<p><strong><em>“When a company promises consumers that their personal information is secure, it must live up to that promise,” said David Vladeck, Director of the FTC’s Bureau of Consumer Protection. “Likewise, a company that allows consumers to designate their information as private must use reasonable security to uphold such designations. Consumers who use social networking sites may choose to share some information with others, but they still have a right to expect that their personal information will be kept private and secure.”</em></strong></p>
<p>There seems to be little question here that Twitter screwed up.  The FTC&#8217;s complaint recites a litany of data security lapses that have been no-no&#8217;s for at least three or four years in the wake of the <a href="http://www.baerbizlaw.com/category/blog/?s=TJX&#038;submit=submit">FTC&#8217;s prosecution of TJX</a> for its data breaches and the advent of the Payment Card Industry Data Security Standard (PCI DSS).  These no-no&#8217;s include Twitter&#8217;s failure to:</p>
<p>    * require employees to use hard-to-guess administrative passwords that they did not use for other programs, websites, or networks;<br />
    * prohibit employees from storing administrative passwords in plain text within their personal e-mail accounts;<br />
    * suspend or disable administrative passwords after a reasonable number of unsuccessful login attempts;<br />
    * provide an administrative login webpage that is made known only to authorized persons and is separate from the login page for users;<br />
    * enforce periodic changes of administrative passwords, for example, by setting them to expire every 90 days;<br />
    * restrict access to administrative controls to employees whose jobs required it; and<br />
    * impose other reasonable restrictions on administrative access, such as by restricting access to specified IP addresses.</p>
<p>Again, it&#8217;s hard to argue Twitter didn&#8217;t screw up.  However, this case demonstrates beyond a shadow of a doubt that the FTC will nail you for failing to use generally accepted data security best practices regardless of how you characterize your security measures in your privacy policy.  In other words, saying that there are risks beyond your control no longer provides a get out of jail free card.  Before the TJX case, the FTC targeted its wrath at sites that explicitly promised better security than they delivered.  Now, however, there is an absolute minimum standard of data security:  according to the FTC, inviting users to submit information which they can designate as private without complying with best practices is <em>inherently</em> misleading and deceptive.  Furthermore, FTC scrutiny is no longer confined to privacy policies and &#8220;advertising&#8221; or &#8220;marketing&#8221; messages; the wording of social media categories, designations and preferences, such as privacy preferences, is now fair game.  </p>
<p>Under the settlement Twitter is prohibited from misleading consumers about its data security practices for 20 years and must implement a comprehensive information security program, which will be audited by the FTC every other year.  The FTC and Twitter, in other words, will be best buddies for years to come.  </p>
]]></content:encoded>
			<wfw:commentRss>http://www.baerbizlaw.com/category/blog/ftc-data-breach-action-against-twitter-settled/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>National Online Privacy and Data Security Bill Coming?</title>
		<link>http://www.baerbizlaw.com/category/blog/national-online-privacy-and-data-security-bill-coming/</link>
		<comments>http://www.baerbizlaw.com/category/blog/national-online-privacy-and-data-security-bill-coming/#comments</comments>
		<pubDate>Fri, 11 Jun 2010 17:04:54 +0000</pubDate>
		<dc:creator>andrew</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[advertising law]]></category>
		<category><![CDATA[behavioral advertising]]></category>
		<category><![CDATA[data security]]></category>
		<category><![CDATA[FTC]]></category>
		<category><![CDATA[information security]]></category>
		<category><![CDATA[online privacy]]></category>
		<category><![CDATA[privacy]]></category>

		<guid isPermaLink="false">http://www.baerbizlaw.com/category/blog/?p=971</guid>
		<description><![CDATA[<p>From a business standpoint, the state of privacy and security law in America today is a real mess, because there is no one-stop shopping.  Businesses [......]</p><p class='read-more'><a href='http://www.baerbizlaw.com/category/blog/national-online-privacy-and-data-security-bill-coming/'>Continue...</a></p>]]></description>
			<content:encoded><![CDATA[<p>From a business standpoint, the state of privacy and security law in America today is a real mess, because there is no one-stop shopping.  Businesses collecting information online have to worry about a kaleidoscope of legislative and regulatory requirements on both the state and federal levels.  </p>
<p>You&#8217;ve met the <em>dramatis personae</em> on this blog over the past year or so:  the Federal Trade Commission, which issued a <a href="http://www.baerbizlaw.com/ftc-privacy-050409/">staff report in February 2009 containing &#8220;self-regulatory&#8221; guidelines for online behavioral advertising</a> and now is panting to go further; the State of California, one of several that require the posting of a website privacy policy and use of data security safeguards, including vendor oversight; the State of Nevada, which requires the <a href="http://www.baerbizlaw.com/category/blog/hold-the-phone-on-that-nevada-data-security-law/">encryption of personal information</a>; and the Commonwealth of Massachusetts, source of <a href="http://www.baerbizlaw.com/category/blog/massachusetts-data-security-redux/">the most comprehensive information security regulation in the nation</a> (201 CMR 17.00, which went into effect on March 1, 2010).</p>
<p>The patchwork is so befuddling that a reporter once barked at me in frustration:  &#8220;You mean a business has to hire someone like <em>you</em> to keep track of all of this?&#8221;  No offense meant, of course.  None taken, I replied, but the answer was yes.  In an indirect way, the FTC funds my Philly Beer Week expenditures.</p>
<p>Now the federal bear is beginning to growl.  After reading the draft legislation unveiled by U.S. Representatives Rick Boucher (D-VA) and Cliff Stearns (R-FL) on May 4 &#8212; which has attracted <a href="http://www.the-dma.org/cgi/dispannouncements?article=1448">strong comments by the Direct Marketing Association</a>, along with <a href="http://techliberation.com/2010/05/04/statement-on-house-privacy-discussion-draft">criticism from the Technology Liberation Front</a> and others &#8212; I&#8217;m trying to decide whether things just got better or worse for my clients.  Actually, scratch that.  This bill needs to be rewritten, since it takes a top-down, process-heavy Gramm-Leach-Bliley type of approach and tries to plaster it onto the vast domain of cyberspace.  (The Gramm-Leach-Bliley Act is the seminal 1999 financial privacy bill that requires financial institutions to provide initial and annual privacy notices to their customers and a way for them to opt out of having their personal information shared with unaffiliated marketers.  No doubt you read every line of the GLBA privacy notice your bank sends you every year.  Anyway, there is a real strong musty whiff of GLBA in the Boucher-Stearns draft.)<br />
<div id="attachment_1018" class="wp-caption alignleft" style="width: 310px"><img src="http://www.baerbizlaw.com/wp-content/uploads/2010/06/Dan-Baird-300x205.jpg" alt="Cowpunk pioneer Dan Baird exercises his right to opt out of data-sharing.   (Actually, this is from his 1991 album Love Songs for the Hearing Impaired). " title="Dan Baird" width="300" height="205" class="size-medium wp-image-1018" /><p class="wp-caption-text">Cowpunk pioneer Dan Baird exercises his right to opt out of data-sharing.    (Actually, this is from his 1991 album Love Songs for the Hearing Impaired). </p></div><br />
<strong>Preemption</strong></p>
<p>On the plus side, the draft legislation would set a single national online privacy and data security standard that preempts (supersedes) state privacy and data security laws &#8212; one-stop shopping, unless you&#8217;re unfortunate enough to also be covered by GLBA, HIPAA, the CAN-SPAM Act or the Children&#8217;s Online Privacy Protection Act, in which case it&#8217;s unclear how the inconsistencies with the draft legislation would be resolved.  </p>
<p><strong>Data Security</strong></p>
<p>The data security requirements generally follow those in the FTC Safeguards Rule promulgated under GLBA and are flexible and risk-based (appropriate administrative, technical and physical safeguards, as determined by the FTC, for protecting the security, confidentiality and integrity of covered information and preventing unauthorized loss, destruction, disclosure or misuse) as opposed to the one-size-fits-all prescriptive approach used by the encryption-happy legislature in Nevada.  There is no notification requirement in the event of a data breach, although the safeguards must be sufficient to determine the scope of the breach and remediate its effects.  The data security provision of the draft bill also contains a rather bizarre clause that, without any further explanation, requires a covered entity to establish reasonable measures to &#8220;assure the accuracy&#8221; of the information it collects.  </p>
<p>Here&#8217;s the kicker, though: the Boucher-Stearns draft <strong><em>does not track state data security laws like Massachusetts&#8217; in limiting its coverage to first and last name (or first initial and last name) combined with financial account number or government-issued identification number (e.g., Social Security number or driver&#8217;s license number)</em></strong>.  <strong><em>In fact, &#8220;covered information&#8221; as defined in the bill includes name, address or contact information.</em></strong>  Practically speaking, then, this represents a potentially onerous expansion of existing data security regulation, even though the security requirements themselves resemble existing rules.<br />
<strong><br />
What information is &#8220;covered&#8221; by the bill?</strong></p>
<p>Covered information includes <strong>any</strong> of the following:  first name or initial together with last name; postal address; phone or fax number; e-mail address; unique biometric data; government-issued identification number; financial account number and any code or password necessary to permit access to the account; unique identifier (such as an IP address or customer number) if used to collect, store, or identify information about a specific individual or a computer, device or software application owned or used by a particular user or that is otherwise associated with a particular user; and &#8220;preference profile&#8221; (defined as &#8220;a list of information, categories of information, or preferences associated with a specific individual or a computer or device owned or used by a particular user that is maintained by or relied upon by a covered entity&#8221;).</p>
<p>The draft bill therefore abandons the current regulatory focus on &#8220;personal&#8221; or &#8220;personally identifiable&#8221; information in favor of the FTC position that any data that is linkable to a specific web user or device requires protection.  </p>
<p><strong>Privacy:  And Now for Something Completely Different</strong></p>
<p>The privacy requirements of the draft legislation would drastically reshape the state of the world.  Here&#8217;s a high-level overview:</p>
<p>The bill would generally preserve the current practice of providing notice of a site&#8217;s privacy practices and an ability to opt out prior to any collection, use or sharing of information online BUT would require affirmative express consent (that is, an opt-in) before covered information could be shared with unaffiliated third parties.  These requirements would not apply to information collection, use and sharing for transactional or operational purposes (i.e., as necessary to effectuate a transaction between the site and an individual).  Sharing of information with a service provider which assists the site to effectuate a &#8220;first-party transaction&#8221; with the individual is also permitted, subject to an opt-out consent requirement.  Finally, the bill includes a behavioral advertising exception whereby information could be shared with online advertising networks without opt-in consent, but subject to certain notice and opt-out requirements, such as the prominent display of a notice or seal on the covered entity&#8217;s website and on or near targeted advertisements, along with a link to information about behavioral advertising and how consumers can opt out. </p>
<p>For the required &#8220;notice,&#8221; every site that collects covered information would need to post clearly and conspicuously (and make accessible via a link on its home page) a privacy policy containing the mandatory disclosures.  (The draft bill also contains privacy notice requirements for covered information collected offline, so if it is passed, businesses should consider adopting an integrated, holistic privacy policy covering all aspects of their operations.)  Some of these disclosures are already standard practice, such as a description of the information collected, purposes for collecting and using the information, how the information is collected, categories of third parties with which the information may be shared, and how individuals may obtain access to their information.  Other disclosure requirements break new ground, such as:</p>
<p>◊ how information may be merged, linked or combined with other information from unaffiliated sources<br />
◊ how information is stored by the entity<br />
◊ how long the information is retained in identifiable form<br />
◊ how the entity disposes of (or renders anonymous) covered information after the end of the retention period<br />
◊ a means to contact the entity with any inquiries or complaints about the handling of covered information<br />
◊ consent mechanism as required by the bill</p>
<p>Notably the draft legislation would codify the FTC&#8217;s <em>diktat</em> that material changes in privacy practices cannot be applied retroactively (i.e., to information collected prior to their posting), and information cannot be shared for purposes previously undisclosed that an individual would not reasonably expect, unless the entity gets the individual&#8217;s opt-in.</p>
<p>Finally, in its February 2009 staff report on behavioral advertising, the FTC posited that certain information might warrant special protection due to the increased risk of harm or embarrassment to the individual.  Sure enough, the draft legislation would also create a special category of &#8220;sensitive information&#8221; for which an opt-in is required prior to collection.   &#8220;Sensitive information&#8221; includes, when associated with covered information of an individual, information about medical history or condition; information about financial accounts; information about sexual orientation, race, ethnicity or religious beliefs; and &#8212; interestingly &#8212; &#8220;precise geolocation information.&#8221;   </p>
<p><strong>Am I Gonna Get Hit by This?</strong></p>
<p>If it passes, and if you collect covered information (which you probably do) either online or offline, then yes, unless you have a very small customer or user base or are a government agency.  Excluded from the draft legislation&#8217;s reach are government agencies and entities that collect covered information from fewer than 5,000 individuals in any 12-month period.  However, if you collect any sensitive information at all, you are covered even if your customer or user base is under 5,000.   </p>
<p><strong>Who Is Going to Come After Me If I Don&#8217;t Comply</strong>?</p>
<p>The primary enforcer would be the FTC, the big 900-pound gorilla in this draft legislation, since it would have the power to prosecute violations as unfair or deceptive acts or practices and would also acquire broad rulemaking authority to regulate online privacy and data security (although the draft bill prohibits the FTC from requiring specific technologies or software).  Based on the FTC&#8217;s activity to date in these areas, the agency would not be shy about using this power.  State attorneys general and consumer protection agencies could also enforce the law.  Private actors, however, have no right of action.  </p>
<p>Undoubtedly the Boucher-Stearns draft legislation will be heavily changed before it is passed, if it is even passed.  Significant problem areas, as pointed out by the DMA and other commenters, are the expansive definition of covered information (which would lump mere name and contact information into the same protected category as Social Security numbers) and the requirement of an opt-in to share covered information with unaffiliated marketers.  This regime is even more restrictive than GLBA and is a huge departure from how business is currently conducted on the Internet.  If the bill passes in anything resembling its current form, expect to be bathed in disclosure and to paddle through a profusion of annoying click-throughs. </p>
]]></content:encoded>
			<wfw:commentRss>http://www.baerbizlaw.com/category/blog/national-online-privacy-and-data-security-bill-coming/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>LinkedIn to LawSuit</title>
		<link>http://www.baerbizlaw.com/category/blog/linkedin-to-lawsuit/</link>
		<comments>http://www.baerbizlaw.com/category/blog/linkedin-to-lawsuit/#comments</comments>
		<pubDate>Thu, 03 Jun 2010 13:31:40 +0000</pubDate>
		<dc:creator>andrew</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[employment law]]></category>
		<category><![CDATA[LinkedIn]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[social media]]></category>

		<guid isPermaLink="false">http://www.baerbizlaw.com/category/blog/?p=951</guid>
		<description><![CDATA[<p>In this depressed economy, social media is one of the primary tools used for job-related networking.  At the risk of blaspheming, I greatly prefer Lin[......]</p><p class='read-more'><a href='http://www.baerbizlaw.com/category/blog/linkedin-to-lawsuit/'>Continue...</a></p>]]></description>
			<content:encoded><![CDATA[<p>In this depressed economy, social media is one of the primary tools used for job-related networking.  At the risk of blaspheming, I greatly prefer LinkedIn to Facebook because of the professionalism and relatively serious mindset of the user base (you don&#8217;t see much of &#8220;Hey, I&#8217;m lying on the couch!&#8221; from the VP&#8217;s and SVP&#8217;s on LinkedIn).  However, a suit filed this March in federal district court in Minnesota demonstrates the risks of casual chatter through LinkedIn when there is an employee non-compete agreement in the picture.</p>
<p>The facts of the case are very simple.  Brelyn Hammernick was a Minneapolis technical recruiter for the IT services firm TEKsystems who left to take a job with their competitor Horizontal Integrations.  Ms. Hammernick used LinkedIn&#8217;s e-mail tool to communicate with her network, which included several current TEKsystems employees.  Ms. Hammernick had signed a non-compete agreement with TEKsystems containing standard non-solicitation language that prohibited her from communicating with company employees to induce them to leave TEKsystems or work for a competitor.  Yet, as several attorney bloggers have already commented, certain of Ms. Hammernick&#8217;s e-mails were clearly solicitations.  The relevant paragraph from TEKsystems&#8217; complaint alleges:</p>
<p><strong><em>&#8220;Hammernick is soliciting TEKsystems’ Contract Employees and clients in the geographic area encompassed by the non-competition and non-solicitation provisions of the Hammernick Agreement. For example, Hammernick has communicated with at least 20 of TEKsystems’ Contract Employees using such electronic networking systems as “Linkedin.” Hammernick has, at a minimum, “connected” with the following TEKsystems’ employees through “Linkedin: Harold Osmundson, Steve Wicks, Kazim Merchant, Shawn Faber, Srujana Pasunuri, Shailaja Garishakurti, Kevin Jordahl, Mitha KC, Carl Boudreau, Tom Peterson, Seann Van Cleve, Bob Hasselman, Marcia Diterich, Bill Severson, Claude Wallander, and Brett Snaza. In her contacts with Tom Peterson, Hammernick asked Peterson if he was “still looking for opportunities.” She then stated that she &#8216;would love to have [you] come visit my new office and hear about some of the stuff we are working on.&#8217;&#8221;</em></strong></p>
<p>You can also find a full reprint of the key e-mails, along with some trenchant commentary, on <a href="http://www.smoothtransitionslawblog.com/2010/03/articles/noncompete-agreements/caught-red-handed-with-linkedin/">Dallas attorney Rob Radcliff&#8217;s blog here</a>.  (I don&#8217;t normally cite other law firms&#8217; blogs, but I consider Mr. Radcliff&#8217;s post both informative and dead-on.)  </p>
<p>What are the take-aways here?</p>
<p>1.  No one seriously believes that the federal district court is going to treat LinkedIn communications as qualitatively different from traditional channels of solicitation, such as telephone calls, e-mails outside of the social media context, or in-person conversations.  Doing something dumb on Web 2.0 is the same as doing something dumb on Web 1.0, which in turn is the same as doing something dumb using a telephone, telegraph or smoke signals.  </p>
<p>2.  As Mr. Radcliff notes in his blog, employers may find social media posts and communications of departed employees to be a font of useful evidence in employment-related litigation.  Employers should also consider mentioning social media posts and communications as a specific example in employee agreements and materials prohibiting solicitation and other objectionable activities.  </p>
<p>3.  The TEKsystems case involves deliberate one-to-one communications through LinkedIn.  A salient question, however, is whether posts or updates to one&#8217;s entire network or chosen group can violate non-solicitation obligations if the content is objectionable and certain recipients are still employees of the sender&#8217;s late, unlamented employer.  Or, to put it differently, if you&#8217;ve signed a non-compete with non-solicit requirements, should you &#8220;un-friend&#8221; or &#8220;de-link&#8221; your former work colleagues?  Simply updating your career profile should not be a problem, but you may want to think twice before blitzing your network or friends about all of the terrific opportunities you&#8217;re getting at your new employer.  </p>
<p>4.  Careless chatter on social media is a problem not only for departing employees, but also for their new employers, who (like Horizontal Integrations in the TEKsystems case) may get named in the lawsuit if the objectionable behavior appears to work for their benefit.  </p>
<p>Legally speaking, social media is no different from other forms of communication.  However, just as e-mail did in the 1990&#8217;s, it has a tendency to invite informal, spontaneous and poorly considered actions from its users.  Given the uncertain state of privacy on Facebook and other popular social media sites, expect to see a mountain of social media evidence building up in future litigation.  </p>
]]></content:encoded>
			<wfw:commentRss>http://www.baerbizlaw.com/category/blog/linkedin-to-lawsuit/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>SCOTUS Still Silent on Bilski</title>
		<link>http://www.baerbizlaw.com/category/blog/scotus-still-silent-on-bilski/</link>
		<comments>http://www.baerbizlaw.com/category/blog/scotus-still-silent-on-bilski/#comments</comments>
		<pubDate>Wed, 26 May 2010 14:11:43 +0000</pubDate>
		<dc:creator>andrew</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[Bilski]]></category>
		<category><![CDATA[intellectual property]]></category>
		<category><![CDATA[patent]]></category>
		<category><![CDATA[Supreme Court]]></category>

		<guid isPermaLink="false">http://www.baerbizlaw.com/category/blog/?p=902</guid>
		<description><![CDATA[<p>No word yet from the U.S. Supreme Court on <em>Bilski v. Kappos</em>, the eagerly awaited decision which is likely to limit the scope (if not drive the final n[......]</p><p class='read-more'><a href='http://www.baerbizlaw.com/category/blog/scotus-still-silent-on-bilski/'>Continue...</a></p>]]></description>
			<content:encoded><![CDATA[<p>No word yet from the U.S. Supreme Court on <em>Bilski v. Kappos</em>, the eagerly awaited decision which is likely to limit the scope (if not drive the final nail into the coffin) of allowable business method patents.  You can find a description of the issues and stakes involved in <a href="http://www.baerbizlaw.com/category/blog/the-coming-day-of-reckoning-for-business-method-patents">my blog post on the Federal Circuit&#8217;s (lower court&#8217;s) machine-or-transformation test for business method/process patent applications</a>.  </p>
<p>Based on my reading of the November 2009 oral argument transcript and my conversations with patent experts, we predict that (1) the Patent Office&#8217;s rejection of Bilski&#8217;s application for a method of hedging risk in commodities trading will be upheld, (2) the Federal Circuit&#8217;s machine-or-transformation test will be invalidated as unduly limiting given the statutory language and history, BUT (3) we may see a new definition of patentable subject matter based upon some ethereal concept of &#8220;technology.&#8221;</p>
<p>The Supreme Court will next release decisions on Tuesday, June 1.  Given the importance of this ruling to our software and Internet clients, we will post a link to the opinion and a brief summary on this blog as soon as it is issued, to be followed by a full analysis not long afterward.  </p>
]]></content:encoded>
			<wfw:commentRss>http://www.baerbizlaw.com/category/blog/scotus-still-silent-on-bilski/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Angels Get a Reprieve</title>
		<link>http://www.baerbizlaw.com/category/blog/angels-get-a-reprieve/</link>
		<comments>http://www.baerbizlaw.com/category/blog/angels-get-a-reprieve/#comments</comments>
		<pubDate>Thu, 20 May 2010 15:36:55 +0000</pubDate>
		<dc:creator>andrew</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[SEC]]></category>
		<category><![CDATA[securities]]></category>
		<category><![CDATA[startup]]></category>
		<category><![CDATA[venture capital]]></category>

		<guid isPermaLink="false">http://www.baerbizlaw.com/category/blog/?p=890</guid>
		<description><![CDATA[<p>Innovation in America has been granted at least a four-year reprieve, thanks to the far-sighted efforts of a bipartisan group on the Senate Banking Co[......]</p><p class='read-more'><a href='http://www.baerbizlaw.com/category/blog/angels-get-a-reprieve/'>Continue...</a></p>]]></description>
			<content:encoded><![CDATA[<p>Innovation in America has been granted at least a four-year reprieve, thanks to the far-sighted efforts of a bipartisan group on the Senate Banking Committee.  </p>
<p>In my <a href="http://www.baerbizlaw.com/category/blog/guarding-the-angels">March 26 post &#8220;Guarding the Angels?&#8221;</a>, I blogged about some troubling provisions in Senator Chris Dodd&#8217;s (D-Conn.) financial reform bill that would have subjected private offerings to angel investors to burdensome SEC review and state regulatory compliance obligations.  Among other things, these provisions would have drastically raised the $200,000/year income and $1 million net worth thresholds for angels to qualify as &#8220;accredited investors,&#8221; which assures private offerings to such persons critical exemptions from federal and state securities laws.  </p>
<p>No doubt this sounds like legal gobbledygook, but from the standpoint of a tech attorney whose practice is focused on aiding creative startups, the prospect was sobering.  Since startup businesses, particularly in risky technology fields, generally do not have access to traditional bank financing, the addition of potentially tens or even hundreds of thousands of dollars in legal and compliance costs as well as 120 days or more of delay to the angel funding process could have devastated innovative startups and job creation at a time of 9.9% national unemployment.  This was a classic case of our political aristocracy in Washington not having had the &#8220;Mommy, where do jobs come from?&#8221; conversation.  </p>
<p>Fortunately, Senate Amendment 4056, approved by the Banking Committee on May 17, while not a perfect fix, largely vitiates the problematic anti-angel Sections 412 and 926 of the Dodd bill.  For this we have to thank Senator Dodd himself, as well as Senators Scott Brown (R-MA), Maria Cantwell (D-WA), Mark Warner (D-VA), Kit Bond (R-MO) and Mark Begich (D-AK), although the real heroes were the startups themselves (including my colleagues in <a href="http://www.phillystartupleaders.org">Philly Startup Leaders</a>), who organized nationally to petition our elected representatives to remember our critical role in the economy at a time of worldwide economic crisis.  </p>
<p>S.A. 4056 gets rid of the SEC review requirement and threat of exposure to state securities compliance requirements and keeps the accredited investor income and net worth thresholds fixed at their current levels for a period of four years, after which they will be subject to SEC review and possible adjustment.  This eliminates the immediate danger to startup funding.  </p>
<p>In their <a href="http://banking.senate.gov/public/index.cfm?FuseAction=Newsroom.PressReleases&#038;ContentRecord_id=a8a93650-936c-1e68-27b0-a38401ac9619&#038;Region_id=&#038;Issue_id=">press release</a>, the Senate sponsors of the amendment hit exactly the right note:  whatever went wrong with Wall Street in 2008, startups and angel investors had nothing to do with it, so the government should lay off.  However, at the same time it is disconcerting to realize how close we came to killing the goose that lays the golden eggs.  Venture capitalists are few and highly selective; small angel investments are the primary vehicle for injecting seed capital into startups.  How many future Googles, Facebooks and Microsofts might never have gotten off the ground?  How much precious development money would have padded the pockets of securities lawyers?  It seems that many senators were not even aware of the implications of their monstrosity.   True regulatory reform requires transparency and patience for debate, as well as a willingness to forego dramatic political gestures in favor of targeted (i.e., boring) fixes that are narrowly tailored to diagnosable problems.  Above all, it involves <em><strong>reading the freakin&#8217; bill</strong></em>.  Fortunately, our citizen-capitalists were on the ball.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.baerbizlaw.com/category/blog/angels-get-a-reprieve/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Loving Care for Your Internet Use Policy?</title>
		<link>http://www.baerbizlaw.com/category/blog/loving-care-for-your-internet-use-policy/</link>
		<comments>http://www.baerbizlaw.com/category/blog/loving-care-for-your-internet-use-policy/#comments</comments>
		<pubDate>Thu, 13 May 2010 14:51:04 +0000</pubDate>
		<dc:creator>andrew</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[information security]]></category>
		<category><![CDATA[information technology]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[social media]]></category>
		<category><![CDATA[Stengart]]></category>
		<category><![CDATA[Supreme Court]]></category>

		<guid isPermaLink="false">http://www.baerbizlaw.com/category/blog/?p=872</guid>
		<description><![CDATA[<p>Your company&#8217;s Internet use policy may need a little &#8220;loving care&#8221; after the New Jersey Supreme Court&#8217;s predictably iconoclast[......]</p><p class='read-more'><a href='http://www.baerbizlaw.com/category/blog/loving-care-for-your-internet-use-policy/'>Continue...</a></p>]]></description>
			<content:encoded><![CDATA[<p>Your company&#8217;s Internet use policy may need a little &#8220;loving care&#8221; after the New Jersey Supreme Court&#8217;s predictably iconoclastic ruling in <em><a href="http://lawlibrary.rutgers.edu/courts/supreme/a-16-09.opn.html">Stengart v. Loving Care Agency, Inc.</a></em>, 2010 N.J. LEXIS 241 (March 30, 2010), which recognized a limited employee right to privacy in e-mails sent from a password-protected personal Yahoo account using a work computer.</p>
<p>The facts of <em>Stengart</em> are simple.  Ms. Stengart brought an employment discrimination suit against her home-nursing company employer, Loving Care (great name, that) and exchanged e-mails with her attorney through a web-based personal Yahoo account that she accessed from a company-issued laptop.  In the course of the discovery process the employer&#8217;s counsel imaged the laptop&#8217;s hard drive and found the e-mails, but did not promptly notify Ms. Stengart&#8217;s counsel and turn over the e-mails, as required by New Jersey&#8217;s attorney ethics rules.  Although the employer purportedly maintained an Internet use policy that indicated &#8220;e-mail&#8221; and Internet use was the company&#8217;s property and could be monitored, the policy was poorly drafted and internally inconsistent, stating at the same time that occasional personal use of work computers was permitted.  </p>
<p>The New Jersey Supreme Court held that, given the lack of clarity in the policy that appeared to invite some personal activity, and the fact that the policy did not refer specifically to employer monitoring of password-protected, web-based e-mail usage, Ms. Stengart had not been adequately placed on notice of her employer&#8217;s claimed right to monitor.  Therefore, under the New Jersey constitutional and common law of privacy, she retained an objectively and subjectively reasonable expectation of privacy in her Yahoo account (i.e., that it fell outside the scope of the monitoring described in the Internet use policy), which Loving Care violated when its lawyers retrieved her private e-mails.  Furthermore, the Court held &#8212; and this is the kicker &#8212; even if the employer&#8217;s policy had been totally clear that her Yahoo account usage could be monitored, it would not be enforceable to destroy Ms. Stengart&#8217;s attorney-client privilege in the e-mails with her lawyer. </p>
<p>The Court neatly summed up its views on Internet use policies at the end of the opinion:</p>
<p><em><strong>&#8220;Our conclusion that Stengart had an expectation of privacy in e-mails with her lawyer does not mean that employers cannot monitor or regulate the use of workplace computers. Companies can adopt lawful policies relating to computer use to protect the assets, reputation, and productivity of a business and to ensure compliance with legitimate corporate policies. And employers can enforce such policies. They may discipline employees and, when appropriate, terminate them, for violating proper workplace rules that are not inconsistent with a clear mandate of public policy&#8230;. For example, an employee who spends long stretches of the workday getting personal, confidential legal advice from a private lawyer may be disciplined for violating a policy permitting only occasional personal use of the Internet. But employers have no need or basis to read the specific contents of personal, privileged, attorney-client communications in order to enforce corporate policy. Because of the important public policy concerns underlying the attorney-client privilege, even a more clearly written company manual &#8212; that is, a policy that banned all personal computer use and provided unambiguous notice that an employer could retrieve and read an employee&#8217;s attorney-client communications, if accessed on a personal, password-protected e-mail account using the company&#8217;s computer system &#8212; would not be enforceable.&#8221;</strong></em></p>
<p>Until now, courts examining the issue of whether employees have privacy rights in personal online communications sent from work computers have largely deferred to employer Internet use policies that reserved broad monitoring rights.  It is not particularly surprising that the New Jersey judiciary, with its more liberal policy preferences and insistence on the sanctity of the attorney-client privilege, has diverged from more employer-friendly, freedom-of-contract regimes like Pennsylvania in establishing limits on what employers can peek at with Internet use policies.  Still, the <em>Stengart</em> case does provide some useful guidelines for how employers (in New Jersey and elsewhere) can structure their Internet use policies to avoid the loss of productivity and liability risks associated with uncontrolled employee web surfing, Facebook usage, etc., while at the same time avoiding a tort claim for invasion of privacy. </p>
<p>1.  <strong>Specifically discuss whether and how employee access of password-protected, web-based e-mail accounts may be monitored.</strong>  In other words, don&#8217;t make the mistake of the employer in <em>Stengart</em> and assume that references to &#8220;e-mail&#8221; usage will be interpreted to cover personal Yahoo and gmail accounts as well as messages sent via the company&#8217;s official e-mail system.  So, for example, you should mention that e-mails from personal web accounts might be stored on the hard drive of the employer&#8217;s computer.  Also consider giving similar examples with respect to personal activity on restricted areas of social media sites when accessed from work.  Greater clarity and specificity about monitoring of password-protected account usage could also help prevent a Stored Communications Act violation as well as liability for invasion of privacy.</p>
<p>2.  <strong>Don&#8217;t send mixed messages concerning personal Internet usage at work.</strong>  The New Jersey Supreme Court indicated that an employer has the right to prohibit the use of work computers and Internet access for personal reasons and to discipline or terminate employees who violate this policy.  For cultural reasons many employers have resisted taking such a draconian line up to now, but it may be time to consider drawing a line in the sand if productivity loss is a major concern.  If an employer is willing to tolerate limited personal usage of company IT resources (subject to the restrictions in the policy and any blocking of particular sites that the employer considers a distraction), the policy needs to be <strong><em>absolutely clear</em></strong> that even allowed personal communications may still be monitored and stored.  Bottom line for employers:  tell your employees that if they consider something really private or sensitive, they should do it at home using their own computer.   </p>
<p>3.  <strong>Be consistent in applying the policy.</strong>  This is a logical corollary of #2, i.e., don&#8217;t send mixed messages.  Inconsistent application of an IT use policy landed the city of Ontario, California before the U.S. Supreme Court on April 19.  In <em>City of Ontario v. Quon</em>, a SWAT team member was issued a department pager under a use policy that clearly indicated everything could be monitored.  However, a supervisor allegedly assured Quon that personal text messages would not be reviewed as long as the employee paid for any overages.  Needless to say, they were.  The question before the Court is whether the supervisor&#8217;s statements, which deviated from the IT use policy, were enough to give Quon a reasonable expectation of privacy in the personal texts.  Based on the transcript of the oral arguments, the justices seem skeptical (more so, perhaps, than the New Jersey Supreme Court might be).  Their decision will be forthcoming in the next few weeks.  However, the real take-away here is <em>the case should never have happened.</em> Make sure that all employees, including (and especially) managers confirm receipt of, and are knowledgeable about, your company&#8217;s Internet use policy (for example, it can be discussed in employee information security training).  A well-drafted policy should describe the business interests underlying it and the company&#8217;s seriousness in promoting those interests, and should identify a contact person who can address any questions or issues concerning the policy.  The company should also cultivate a culture of compliance (if you&#8217;ll forgive the alliteration) so that no one is perceived as exempt; selective application and enforcement can lead not only to privacy-related liability but discrimination claims too.</p>
<p>Now that employee privacy is more than just a rallying cry for plaintiffs&#8217; lawyers, consider whether your Internet use policy could use a little loving care.  </p>
]]></content:encoded>
			<wfw:commentRss>http://www.baerbizlaw.com/category/blog/loving-care-for-your-internet-use-policy/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
