<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Baer Business Law - Greater Philadelphia Area - Intellectual Property Law - Business Law - E Commerce - Contracts - Trademarks - Copyrights</title>
	<atom:link href="http://www.baerbizlaw.com/category/blog/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.baerbizlaw.com/category/blog</link>
	<description></description>
	<lastBuildDate>Tue, 27 Jul 2010 19:59:13 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.8.4</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>V-J (Jailbreaking) Day</title>
		<link>http://www.baerbizlaw.com/category/blog/v-j-jailbreaking-day/</link>
		<comments>http://www.baerbizlaw.com/category/blog/v-j-jailbreaking-day/#comments</comments>
		<pubDate>Tue, 27 Jul 2010 19:59:13 +0000</pubDate>
		<dc:creator>andrew</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[copyright]]></category>
		<category><![CDATA[intellectual property]]></category>
		<category><![CDATA[iPhone]]></category>
		<category><![CDATA[jailbreaking]]></category>

		<guid isPermaLink="false">http://www.baerbizlaw.com/category/blog/?p=1122</guid>
		<description><![CDATA[<p>On Monday July 26, the Register of Copyrights handed digital rights advocates a huge victory by <a href="http://www.copyright.gov/1201/">announcing new rules</a> legalizing iPhone jailbreaking.</p>
<p>F[......]</p><p class='read-more'><a href='http://www.baerbizlaw.com/category/blog/v-j-jailbreaking-day/'>Continue...</a></p>]]></description>
			<content:encoded><![CDATA[<p>On Monday July 26, the Register of Copyrights handed digital rights advocates a huge victory by <a href="http://www.copyright.gov/1201/">announcing new rules</a> legalizing iPhone jailbreaking.</p>
<p>For those who are unfamiliar with the iPhone ecosystem, jailbreaking is iPhone user parlance for modifying the smartphone&#8217;s firmware so that it operates with applications (or &#8220;apps&#8221;) which are not sold through the Apple iTunes App Store.  Jailbreaking opens up the ecosystem by enabling iPhone owners to run any apps they wish.  Apple, citing reputational and user experience concerns, such as avoiding security breaches and malfunctions, as well as the need to protect app sellers on the App Store from unauthorized distribution of their works, has opposed jailbreaking and lobbied vigorously to maintain a closed ecosystem.  </p>
<p>Of course, Apple has a vested interest in keeping the App Store the exclusive source of iPhone apps, as it frequently takes a cut of sales.  Furthermore, according to the <a href="http://www.eff.org">Electronic Frontier Foundation (EFF)</a>, which led the battle to legalize jailbreaking, Apple is somewhat puritanical about what apps may be featured on the App Store.  In 2009, for example, Apple initially barred a Nine Inch Nails-themed app from the band’s front man Trent Reznor, as well as “Me So Holy,” an irreverent app that pastes a snapshot of the user’s face over the faces of hallowed religious figures.</p>
<p>The copyright issues involved in the rulemaking, while complex, are worth considering, since they raise cutting-edge issues of digital fair use that will become ever more germane as smartphones (and iPads) become our can&#8217;t-live-without, all-purpose personal computing, communication and multimedia devices.   </p>
<p><strong>Thou Shalt Not Circumvent, Except&#8230;.</strong></p>
<p>The so-called &#8220;anti-circumvention&#8221; provision of the Digital Millennium Copyright Act (DMCA), 17 U.S.C. §1201(a)(1), prohibits the circumvention of technological measures (also known as digital rights management or DRM) that “effectively control[] access” to copyrighted works.  In this case, jailbreaking often requires the bypassing of software locks controlling access to the copyrighted iPhone firmware, the bootloader and operating system.  Therefore, until now jailbreakers ran the risk of being sued for unlawful circumvention.  </p>
<p>However, under the DMCA, the Library of Congress and the Copyright Office may hold rulemakings to create three-year exemptions permitting the circumvention of technological measures controlling access to certain classes of copyrighted works if users are likely to be adversely affected in their ability to make non-infringing uses of those works due to the circumvention prohibition.  EFF sought such an exemption, as well as an exemption for DVD &#8220;ripping&#8221; and a renewal of the 2006 exemption allowing smartphone users to unlock their devices to work with a variety of wireless networks (Apple strikes again).  </p>
<p>EFF ended up winning all three exemptions, with some limitations.  While it made a number of arguments in favor of the right to jailbreak, the one that clearly resonated the most with the Register of Copyrights was that the modification of the firmware code (technically, the creation of a derivative work, one of the exclusive rights reserved to the copyright holder) to permit interoperability with unapproved apps is a fair use and, therefore, non-infringing.    </p>
<p><strong>Fair Use and the Quest for Interoperability</strong></p>
<p>In evaluating the statutory factors of fair use analysis to reach this conclusion, the Register of Copyrights emphasized that the firmware modification is a private and non-commercial use (specifically, use on the very wireless handset owned by the user and for exactly the purpose the code was created, to operate applications) that does not injure Apple&#8217;s <strong><em>copyright</em></strong> interests as the owner of the code (though it does impinge on Apple&#8217;s interests as &#8220;a manufacturer and distributor of a device&#8221;).  The ruling also noted that the DMCA embodies a statutory policy favoring uses that make software programs interoperable.  </p>
<p>Looking at the nature of the work claimed to be infringed, the Register of Copyrights observed that the firmware (basically, an operating system) was of a functional (as opposed to a creative) nature and was intended to enable the running of applications.  With regard to the &#8220;amount and substantiality of the portion used in relation to the copyrighted work as a whole,&#8221; while reuse of most of the original firmware is necessary to run apps, the Register of Copyrights did not give this factor much weight, since the modified code typically represents 50 bytes or less out of approximately 8 million bytes.  Most tellingly, with regard to the final fair use factor, the effect of the use on the market for or value of the copyrighted work, jailbreaking does not involve or threaten the commercial exploitation of the firmware, which has no independent economic value apart from the iPhone.  Once again Apple fell back on a reputational argument that allowing an exemption would jeopardize the integrity of its ecosystem.  But, as the Register of Copyrights noted, this is not a concern that fair use analysis is meant to address.  </p>
<p>The cell doors of iPhones and iPads have now been sprung open.  However, as a cautionary note, app users should be aware that certain software upgrades provided by Apple will disable jailbroken phones, and failure to install these upgrades may void the user warranty.  Still, there&#8217;s no question that horizons have widened for app users and developers alike, particularly in the iPad gold rush currently underway.  </p>
]]></content:encoded>
			<wfw:commentRss>http://www.baerbizlaw.com/category/blog/v-j-jailbreaking-day/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Law &amp; Order:  Special Website Terms Enforcement Unit</title>
		<link>http://www.baerbizlaw.com/category/blog/law-order-special-website-terms-enforcement-unit/</link>
		<comments>http://www.baerbizlaw.com/category/blog/law-order-special-website-terms-enforcement-unit/#comments</comments>
		<pubDate>Thu, 15 Jul 2010 14:44:00 +0000</pubDate>
		<dc:creator>andrew</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[Computer Fraud and Abuse Act]]></category>
		<category><![CDATA[copyright]]></category>
		<category><![CDATA[cybertrespass]]></category>
		<category><![CDATA[E-Commerce]]></category>
		<category><![CDATA[social media]]></category>

		<guid isPermaLink="false">http://www.baerbizlaw.com/category/blog/?p=1086</guid>
		<description><![CDATA[<p>Kudos to the digital rights crusaders at the <a href="http://www.eff.org">Electronic Frontier Foundation</a> for combating a disturbing new trend:  criminal prosecutions of persons wh[......]</p><p class='read-more'><a href='http://www.baerbizlaw.com/category/blog/law-order-special-website-terms-enforcement-unit/'>Continue...</a></p>]]></description>
			<content:encoded><![CDATA[<p>Kudos to the digital rights crusaders at the <a href="http://www.eff.org">Electronic Frontier Foundation</a> for combating a disturbing new trend:  criminal prosecutions of persons who violate the terms of use of public websites.  </p>
<p>Yes, you heard that correctly.  In the last few months, the federal government has brought indictments against several individuals under a 1986 anti-hacking statute, the Computer Fraud and Abuse Act (the &#8220;CFAA&#8221;), for engaging in otherwise legal online behavior that nevertheless violated website terms of use.  The CFAA (18 U.S.C. §1030) imposes criminal and civil sanctions for access to a protected computer without authorization or exceeding the scope of authorization.  The theory used by government prosecutors and private litigants is that the do&#8217;s and don&#8217;ts spelled out in website terms of use define the scope and limitations of permitted access.  Any behavior contrary to such terms, then, renders the site access illegal.  In the most common application of this theory, an action is brought against a data aggregator or other person for using bots (automated software programs) to access a public website whose terms of use prohibit access through &#8220;automated means.&#8221;</p>
<p><strong>Cops Armed with Website Terms</strong></p>
<p>Even apart from the argument that the CFAA was never intended to prevent non-invasive access to public websites, the EFF highlights another problem with this theory:  it delegates to private website owners the ability to define what is and is not criminal behavior.  As an Internet lawyer who has both written and reviewed many website terms of use and privacy policies over the years, I can appreciate the EFF&#8217;s concern that they are rife with arbitrary and one-sided clauses.  </p>
<p>In <em>United States v. Lowson</em>, federal prosecutors brought an action in New Jersey against the operators of Wiseguys Tickets, Inc., which used bots to buy concert tickets on the Ticketmaster.com website for resale, contrary to the site terms of use which prohibited access by automated means.  Although scalping is not illegal in New Jersey, the government justified its action by a supposed need to protect consumer access to tickets.  The EFF has filed an <em>amicus curiae</em> (friend of the court) brief on behalf of the defendants in this case.   </p>
<p>In <em>United States v. Drew</em>, the feds indicted a woman who created a false profile on MySpace and used it to communicate with a teenager, who later committed suicide.  The EFF similarly filed an <em>amicus</em> brief for the defense, and the indictment was ultimately dismissed.  </p>
<p>Facebook is using a similar theory in a civil suit against a company called Power Ventures.  Power Ventures provides an add-on that enables Facebook users to aggregate their data over several social media sites.  Facebook is alleging that Power Ventures violated California criminal law because the add-on utilizes a bot (in violation of the Facebook terms of use) to retrieve user data.  (Never mind, as the EFF has wryly observed, that the bot is being deployed <strong>at the user&#8217;s initiative</strong> to obtain <strong>his or her own data</strong>.) </p>
<p><strong>Confusion in the Law</strong></p>
<p>I&#8217;ve been following these cybertrespass cases for years, and on a number of occasions I&#8217;ve counseled data aggregators using bots and other aggregation tools to harvest factual and similar uncopyrightable data from publicly accessible websites.  It&#8217;s an exceedingly common practice, part of the landscape of the Internet that we are coming to take for granted.  Unfortunately, the law hasn&#8217;t kept pace with technological evolution and business practices.   The authorities are conflicted, and while some cases set a high standard for proving damage or loss in common-law computer trespass and CFAA actions based on violation of website terms (for example, a substantial slowdown of the web server or exclusion of other users due to tens of thousands of pings from bots over a short period of time), other courts have left the door wide open for suits.</p>
<p>As the EFF has observed, the defendants in these cybertrespass cases (scalpers, an unfriendly adult tormenting a teenager online, etc.) are not terribly sympathetic.  In the first rash of civil cases in the early 2000&#8217;s, the defendant was generally a competitor of the plaintiff which used bots to copy factual data (such as movie times) from the plaintiff&#8217;s site.  On some level this may seem unfair, since a website operator makes an investment in time and resources to assemble and publish the information in the first place.  On the other hand, where the copyright law does not grant protection in publicly available content, the purpose of the law is circumvented by engineering some other legal cause of action effectively to prevent the copying and republishing of this content.   (Copyright protects <em>creative</em> expression, and raw factual data by itself lacks even the minimal creative quotient needed for copyright.  The fact that it may be difficult to assemble is legally irrelevant.) </p>
<p><strong>Finding a Balance</strong></p>
<p>The bringing of criminal prosecutions for violating public website terms of use takes the confusion in the law to a frightening new level.  Even if courts ultimately dismiss the indictments (as happened in the <em>Drew</em> case), the threat of prosecution can be expected to deter competition and chill the beneficial use of data aggregation tools to enable the free access and management of data on the Internet, including users&#8217; own data.  Furthermore, <a href="http://www.eff.org/deeplinks/2010/06/its-your-data-its-your-bot-its-not-crime">as the EFF has noted</a>, innocent parties who do not read or do not understand the terms of use of the sites they are accessing may be caught in the cybertrespass dragnet.  </p>
<p>While the use of bots to access and harvest data from protected areas of sites (such as third parties&#8217; personal profiles designated as private and shielded by privacy settings) should be actionable and treated as a criminal offense under the CFAA, website operators should not look to the government to police users on the public areas of their sites.  Rather, let them be responsible for enforcing their own terms of use under breach of contract law and provide evidence of actual, quantifiable damages from user access they don&#8217;t like.  </p>
]]></content:encoded>
			<wfw:commentRss>http://www.baerbizlaw.com/category/blog/law-order-special-website-terms-enforcement-unit/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Bilski Ruling:  Software and Internet Patents Still Up in the Air</title>
		<link>http://www.baerbizlaw.com/category/blog/the-bilski-ruling/</link>
		<comments>http://www.baerbizlaw.com/category/blog/the-bilski-ruling/#comments</comments>
		<pubDate>Wed, 07 Jul 2010 14:42:41 +0000</pubDate>
		<dc:creator>andrew</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[Bilski]]></category>
		<category><![CDATA[information technology]]></category>
		<category><![CDATA[intellectual property]]></category>
		<category><![CDATA[patent]]></category>
		<category><![CDATA[Supreme Court]]></category>

		<guid isPermaLink="false">http://www.baerbizlaw.com/category/blog/?p=1057</guid>
		<description><![CDATA[<p>It wasn&#8217;t supposed to happen like this.  The U.S. Supreme Court&#8217;s long-awaited ruling in <em>Bilski v. Kappos</em> was supposed to bring clarity t[......]</p><p class='read-more'><a href='http://www.baerbizlaw.com/category/blog/the-bilski-ruling/'>Continue...</a></p>]]></description>
			<content:encoded><![CDATA[<p>It wasn&#8217;t supposed to happen like this.  The U.S. Supreme Court&#8217;s long-awaited ruling in <em>Bilski v. Kappos</em> was supposed to bring clarity to the question of what &#8220;processes&#8221; were eligible for patenting and whether general methods of conducting business more efficiently (so-called &#8220;business methods&#8221;) could qualify.  These are vital issues for software and Internet companies, whether concerned with protecting their own products and processes (the novel parts of which may not be tied to a particular machine or transform something physical and tangible) or living under the shadow of harassment from patent trolls. </p>
<p>You&#8217;ve probably sensed the hunger for an answer <a href="http://www.baerbizlaw.com/category/blog/what-is-technology">if you&#8217;ve read this blog at all over the past year.</a> (And if you haven&#8217;t, we forgive you.)  Everyone, including all nine Supreme Court justices, agreed that Bernard Bilski and Rand Warsaw&#8217;s patent application for a method of hedging weather-related risk in energy trading was properly denied by the Patent Office.  That much was clear from the November 2009 oral arguments before the Court, in which the querulous justices peppered Bilski&#8217;s counsel with business method patent hypotheticals (speed dating, an 80%-effective method of keeping students awake during an antitrust class, a method of maximizing wealth by buying low and selling high, and horse whispering).  The hypotheticals were only slightly more absurd than the reality with which businesses have been living since the Federal Circuit suggested in its 1998 ruling in <em>State Street Bank v. Signature Financial Group</em> that methods of conducting business could be patentable if they produced a &#8220;useful, concrete and tangible result.&#8221;  </p>
<p>The Bilski/Warsaw &#8220;invention&#8221; did not pass the smell test.  The question was <em>why</em>?  Inquiring technologists and IP lawyers wanted to know.</p>
<p><strong>Abstract Ideas</strong></p>
<p>In the end, the Court splintered.  All the justices agreed that Bilski&#8217;s patent application taught an abstract idea or principle, and as such, according to well-established precedent, was not eligible for patenting as a &#8220;process&#8221; under <a href="http://www.uspto.gov/web/offices/pac/mpep/documents/appxl_35_U_S_C_101.htm">35 U.S.C. §101</a>.  Abstract ideas or principles, laws or phenomena of nature (even if just discovered) and mental processes are not patent-eligible subject matter because they are seen as the basic tools of scientific and technological work, and courts are careful not to permit any single person or entity to preempt their use.  (However, as the Court&#8217;s opinion noted, the <em>application</em> of such concepts to a known structure or process can be patentable if it is novel, useful, non-obvious when viewed against the prior art and supported by a full and particular description in the patent application.)  </p>
<p>All of the justices also agreed that the Federal Circuit had overstepped its bounds by holding that the <a href="http://www.baerbizlaw.com/category/blog/the-coming-day-of-reckoning-for-business-method-patents/">machine-or-transformation test</a> (which grounded the patentability of processes in their connection to a particular machine or physical transformation) was the sole test for determining whether a process met the threshold requirement for patentability.  However, in a true mindbender, they <em>also</em> all agreed that the machine-or-transformation test is still relevant, as a &#8220;useful and important&#8221; clue or investigative tool (in the Court&#8217;s opinion) or as a &#8220;critical&#8221; tool (in Justice John Paul Stevens&#8217; concurring opinion).  Of course, the justices could not agree on exactly <em>how</em> the machine-or-transformation test was still important, useful, critical, awesome, etc.  In the Court&#8217;s opinion, the justices drew a dichotomy between Industrial Age inventions and Information Age inventions and suggested that the machine-or-transformation test might be the proper standard for evaluating processes in the first category, but from my perspective, trying to puzzle out whether a client&#8217;s invention is more like a steam engine or a search engine doesn&#8217;t seem like a particularly helpful &#8212; or intellectually satisfying &#8212; inquiry.  Ultimately, the Court <strong><em>did not articulate a standard</em></strong>, beyond trotting out the abstract idea trope as a lowest-common-denominator limiting principle.  </p>
<p><strong>What About Business Methods?</strong></p>
<p>So where does that leave us?  In limbo, dear techies.  The lower courts will have to go back to the drawing board to devise new standards for evaluating software and Internet patents.  The <em>Bilski</em> opinion &#8212; or more accurately, opinion<em>s</em> (for there were several concurrences) &#8212; do provide a few tea leaves to read.  Business method patents survive, but by the skin of their teeth.  The Court&#8217;s opinion leaves open the possibility that some business methods may be patentable, although the majority is skeptical that they warrant &#8220;broad patentability&#8221;, and in his concurring opinion Justice John Paul Stevens (joined by Justices Sonia Sotomayor, Stephen Breyer, and Ruth Bader Ginsburg) argued strenuously that business methods should never be patentable.  </p>
<p>The relevant part of the Court&#8217;s opinion (authored by Justice Anthony Kennedy and joined in by Chief Justice John Roberts as well as Justices Samuel Alito and Clarence Thomas) had this to say with regard to business method patents:  </p>
<p><em>&#8220;Interpreting §101 to exclude all business methods simply because business method patents were rarely issued until modern times revives many of the previously discussed difficulties&#8230;.  At the same time, some business method patents raise special problems in terms of vagueness and suspect validity&#8230;.  The Information Age empowers people with new capacities to perform statistical analyses and mathematical calculations with a speed and sophistication that enable the design of protocols for more efficient performance of a vast number of business tasks. <strong>If a high enough bar is not set when considering patent applications of this sort, patent examiners and courts could be flooded with claims that would put a chill on creative endeavor and dynamic change.</strong></p>
<p>In searching for a limiting principle, this Court&#8217;s precedents on the unpatentability of abstract ideas provide useful tools&#8230;.  <strong>Indeed, if the Court of Appeals were to succeed in defining a narrower category or class of patent applications that claim to instruct how business should be conducted, and then rule that the category is unpatentable because, for instance, it represents an attempt to patent abstract ideas, this conclusion might well be in accord with controlling precedent&#8230;.</strong>  But beyond this or some other limitation consistent with the statutory text, the Patent Act leaves open the possibility that there are at least some processes that can be fairly described as business methods that are within patentable subject matter under §101.&#8221;</em></p>
<p>As previously mentioned, four justices (including three who remain on the Court) have taken the position that business methods are not patentable under any circumstances.  It is also worth noting that Justice Antonin Scalia did not join in the portion of the Court&#8217;s opinion (quoted above) upholding the theoretical patent-eligibility of business methods.  Therefore, at least three, and perhaps four, sitting justices reject business method patents totally, with four others rejecting their &#8220;broad patentability&#8221; and recommending that a higher bar be set.  Notably, too, all of the justices take a dim view of the <em>State Street</em> opinion, with the majority refusing to endorse its perceived blessing of business method patents and Justice Stevens&#8217; concurrence calling it a &#8220;grave mistake.&#8221;  Forget abortion, gun rights and church-state separation:  given this volatile mix, Elena Kagan&#8217;s views on patent law may assume paramount importance.  </p>
<p><strong>What Do I Do Now?</strong></p>
<p>So what should software and Internet clients take away from all of this?  Don&#8217;t blow your legal dollars on patents if the essential value of your invention or product lies in its algorithm or the fact that it automates or expedites a general business process.  Despite the Court&#8217;s rejection of the machine-or-transformation test as the exclusive standard for the patent eligibility of processes, the Patent Office will only be emboldened by <em>Bilski </em>to continue its aggressive stance against business methods and software and Internet patents whose claims are broad and general and have only an ethereal connection to hard technology.  </p>
<p>In addition, established companies with ample litigation reserves that are approached by patent trolls wielding business method and general process patents should consider the value of an upraised middle finger.  If one such company (possibly co-funded by other similarly situated targets) succeeds in getting the troll&#8217;s patent invalidated, the troll&#8217;s business is vaporized.  Accordingly, trolls may choose their targets more carefully from now on, may be more hesitant to follow through on threatened infringement litigation, and may be willing to take a smaller license fee before moving on to the next target.  However, because business method patents survive and <em>Bilski</em> provides no concrete guidance for what qualifies as a patent-eligible process, the troll threat is not eliminated.</p>
<p><strong>Towards Patent Act 2.0 </strong></p>
<p>Was <em>Bilski</em> worth the wait?  I&#8217;d have to say no.  On the other hand, perhaps the justices can&#8217;t be blamed for agonizing over our intellectual property law&#8217;s failure to come to grips with non-traditional inventions and the marginalization of brick-and-mortar innovation ecosystems.   It&#8217;s time, perhaps, for Congress to step in and give us a Patent Act for the post-industrial age.  </p>
]]></content:encoded>
			<wfw:commentRss>http://www.baerbizlaw.com/category/blog/the-bilski-ruling/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>No Patent for Bilski, Business Methods Survive</title>
		<link>http://www.baerbizlaw.com/category/blog/no-patent-for-bilski-business-methods-survive/</link>
		<comments>http://www.baerbizlaw.com/category/blog/no-patent-for-bilski-business-methods-survive/#comments</comments>
		<pubDate>Mon, 28 Jun 2010 15:08:55 +0000</pubDate>
		<dc:creator>andrew</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[Bilski]]></category>
		<category><![CDATA[intellectual property]]></category>
		<category><![CDATA[patent]]></category>
		<category><![CDATA[Supreme Court]]></category>

		<guid isPermaLink="false">http://www.baerbizlaw.com/category/blog/?p=1047</guid>
		<description><![CDATA[<p>The Supreme Court issued its long-awaited decision in <em>Bilski v. Kappos</em> today.  I will provide a detailed analysis of the ruling and its implications f[......]</p><p class='read-more'><a href='http://www.baerbizlaw.com/category/blog/no-patent-for-bilski-business-methods-survive/'>Continue...</a></p>]]></description>
			<content:encoded><![CDATA[<p>The Supreme Court issued its long-awaited decision in <em>Bilski v. Kappos</em> today.  I will provide a detailed analysis of the ruling and its implications for the future of patent law in a subsequent post.  Here is a brief summary of the high points:</p>
<p><strong><em>* Bilski&#8217;s patent application for a method of hedging risk in commodities trading was properly rejected because the invention was nothing more than abstract principles and formulae, which are not subject matter eligible for patenting according to prior Supreme Court decisions.</p>
<p>* The Federal Circuit was incorrect in holding that the <a href="http://www.baerbizlaw.com/category/blog/the-coming-day-of-reckoning-for-business-method-patents">machine-or-transformation test</a> is the exclusive standard for defining the patent eligibility of a &#8220;process.&#8221;</p>
<p>* There is no reason to exclude categorically business methods from the scope of patent eligible subject matter.  A business method can be a patentable &#8220;process&#8221; if it meets the other statutory requirements for patenting (novelty, usefulness, etc.).</em>  </strong></p>
]]></content:encoded>
			<wfw:commentRss>http://www.baerbizlaw.com/category/blog/no-patent-for-bilski-business-methods-survive/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>FTC Data Breach Action Against Twitter Settled</title>
		<link>http://www.baerbizlaw.com/category/blog/ftc-data-breach-action-against-twitter-settled/</link>
		<comments>http://www.baerbizlaw.com/category/blog/ftc-data-breach-action-against-twitter-settled/#comments</comments>
		<pubDate>Fri, 25 Jun 2010 18:42:29 +0000</pubDate>
		<dc:creator>andrew</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[data security]]></category>
		<category><![CDATA[FTC]]></category>
		<category><![CDATA[information security]]></category>
		<category><![CDATA[privacy]]></category>

		<guid isPermaLink="false">http://www.baerbizlaw.com/category/blog/?p=1024</guid>
		<description><![CDATA[<p>The Federal Trade Commission (FTC) announced on June 24 that Twitter is settling an action brought by the agency after hackers exploited lax informati[......]</p><p class='read-more'><a href='http://www.baerbizlaw.com/category/blog/ftc-data-breach-action-against-twitter-settled/'>Continue...</a></p>]]></description>
			<content:encoded><![CDATA[<p>The Federal Trade Commission (FTC) announced on June 24 that Twitter is settling an action brought by the agency after hackers exploited lax information security protections at the site to gain administrative control and access private accounts and other personal information.  The compromised information included e-mail addresses and tweets meant for individual recipients and followers only.  Intruders were also able to send phony tweets from the accounts of then-President-elect Barack Obama and Fox News, among others.  </p>
<p>The details of the 2009 data breaches and the security holes that enabled them are summarized in the FTC&#8217;s press release, which you can find <a href="http://www.ftc.gov/opa/2010/06/twitter.shtm">here</a>.  The data breaches stemmed from two incidents.  In the first one, an intruder used an automated password-guessing tool to enter an administrative password (a weak lower-case password consisting of a common dictionary term) on the site&#8217;s main login page.  Using the password, the intruder reset several passwords and posted some of them on a website where they could be used by others.  In the second incident, an intruder hacked a Twitter employee&#8217;s personal e-mail account and was able to derive an administrative password from similar passwords that were stored in plain-text.  Twitter&#8217;s privacy policy at the relevant times used common boilerplate to describe its data security procedures:   </p>
<p><em><strong>“Twitter is very concerned about safeguarding the confidentiality of your personally identifiable information. We employ administrative, physical, and electronic measures designed to protect your information from unauthorized access.”</strong></em></p>
<p>It is important to note that Twitter never guaranteed the security of its site.  Indeed, tech lawyers like myself routinely warn clients against calling their sites &#8220;secure&#8221; and making similar unqualified assurances.  A cynic might remark that &#8220;weasel language&#8221; like Twitter&#8217;s is designed to stimulate a cozy feeling in users without committing the site to any concrete obligations or precautions.  </p>
<p>The FTC&#8217;s explanation of the charges against Twitter crystallizes its thinking and underlines the agency&#8217;s increasingly aggressive approach to regulating privacy and data security on the Internet and especially on social media sites:  </p>
<p><strong><em>“When a company promises consumers that their personal information is secure, it must live up to that promise,” said David Vladeck, Director of the FTC’s Bureau of Consumer Protection. “Likewise, a company that allows consumers to designate their information as private must use reasonable security to uphold such designations. Consumers who use social networking sites may choose to share some information with others, but they still have a right to expect that their personal information will be kept private and secure.</em>”</strong></p>
<p>There seems to be little question here that Twitter screwed up.  The FTC&#8217;s complaint recites a litany of data security lapses that have been no-no&#8217;s for at least three or four years in the wake of the <a href="http://www.baerbizlaw.com/category/blog/?s=TJX&#038;submit=submit">FTC&#8217;s prosecution of TJX</a> for its data breaches and the advent of the Payment Card Industry Data Security Standard (PCI DSS).  These no-no&#8217;s include Twitter&#8217;s failure to:</p>
<p>    * require employees to use hard-to-guess administrative passwords that they did not use for other programs, websites, or networks;<br />
    * prohibit employees from storing administrative passwords in plain text within their personal e-mail accounts;<br />
    * suspend or disable administrative passwords after a reasonable number of unsuccessful login attempts;<br />
    * provide an administrative login webpage that is made known only to authorized persons and is separate from the login page for users;<br />
    * enforce periodic changes of administrative passwords, for example, by setting them to expire every 90 days;<br />
    * restrict access to administrative controls to employees whose jobs required it; and<br />
    * impose other reasonable restrictions on administrative access, such as by restricting access to specified IP addresses.</p>
<p>Again, it&#8217;s hard to argue Twitter didn&#8217;t screw up.  However, this case demonstrates beyond a shadow of a doubt that the FTC will nail you for failing to use generally accepted data security best practices regardless of how you characterize your security measures in your privacy policy.  In other words, saying that there are risks beyond your control no longer provides a get out of jail free card.  Before the TJX case, the FTC targeted its wrath at sites that explicitly promised better security than they delivered.  Now, however, there is an absolute minimum standard of data security:  according to the FTC, inviting users to submit information which they can designate as private without complying with best practices is <em>inherently</em> misleading and deceptive.  Furthermore, FTC scrutiny is no longer confined to privacy policies and &#8220;advertising&#8221; or &#8220;marketing&#8221; messages; the wording of social media categories, designations and preferences, such as privacy preferences, is now fair game.  </p>
<p>Under the settlement Twitter is prohibited from misleading consumers about its data security practices for 20 years and must implement a comprehensive information security program, which will be audited by the FTC every other year.  The FTC and Twitter, in other words, will be best buddies for years to come.  </p>
]]></content:encoded>
			<wfw:commentRss>http://www.baerbizlaw.com/category/blog/ftc-data-breach-action-against-twitter-settled/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>National Online Privacy and Data Security Bill Coming?</title>
		<link>http://www.baerbizlaw.com/category/blog/national-online-privacy-and-data-security-bill-coming/</link>
		<comments>http://www.baerbizlaw.com/category/blog/national-online-privacy-and-data-security-bill-coming/#comments</comments>
		<pubDate>Fri, 11 Jun 2010 17:04:54 +0000</pubDate>
		<dc:creator>andrew</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[advertising law]]></category>
		<category><![CDATA[behavioral advertising]]></category>
		<category><![CDATA[data security]]></category>
		<category><![CDATA[FTC]]></category>
		<category><![CDATA[information security]]></category>
		<category><![CDATA[online privacy]]></category>
		<category><![CDATA[privacy]]></category>

		<guid isPermaLink="false">http://www.baerbizlaw.com/category/blog/?p=971</guid>
		<description><![CDATA[<p>From a business standpoint, the state of privacy and security law in America today is a real mess, because there is no one-stop shopping.  Businesses [......]</p><p class='read-more'><a href='http://www.baerbizlaw.com/category/blog/national-online-privacy-and-data-security-bill-coming/'>Continue...</a></p>]]></description>
			<content:encoded><![CDATA[<p>From a business standpoint, the state of privacy and security law in America today is a real mess, because there is no one-stop shopping.  Businesses collecting information online have to worry about a kaleidoscope of legislative and regulatory requirements on both the state and federal levels.  </p>
<p>You&#8217;ve met the <em>dramatis personae</em> on this blog over the past year or so:  the Federal Trade Commission, which issued a <a href="http://www.baerbizlaw.com/ftc-privacy-050409/">staff report in February 2009 containing &#8220;self-regulatory&#8221; guidelines for online behavioral advertising</a> and now is panting to go further; the State of California, one of several that requires the posting of a website privacy policy and use of data security safeguards, including vendor oversight; the State of Nevada, which requires the <a href="http://www.baerbizlaw.com/category/blog/hold-the-phone-on-that-nevada-data-security-law/">encryption of personal information</a>; and the Commonwealth of Massachusetts, source of <a href="http://www.baerbizlaw.com/category/blog/massachusetts-data-security-redux/">the most comprehensive information security regulation in the nation</a> (201 CMR 17.00, which went into effect on March 1, 2010).</p>
<p>The patchwork is so befuddling that a reporter once barked at me in frustration:  &#8220;You mean a business has to hire someone like <em>you</em> to keep track of all of this?&#8221;  No offense meant, of course.  None taken, I replied, but the answer was yes.  In an indirect way, the FTC funds my Philly Beer Week expenditures.</p>
<p>Now the federal bear is beginning to growl.  After reading the draft legislation unveiled by U.S. Representatives Rick Boucher (D-VA) and Cliff Stearns (R-FL) on May 4 &#8212; which has attracted <a href="http://www.the-dma.org/cgi/dispannouncements?article=1448">strong comments by the Direct Marketing Association</a>, along with <a href="http://techliberation.com/2010/05/04/statement-on-house-privacy-discussion-draft">criticism from the Technology Liberation Front</a> and others &#8212; I&#8217;m trying to decide whether things just got better or worse for my clients.  Actually, scratch that.  This bill needs to be rewritten, since it takes a top-down, process-heavy Gramm-Leach-Bliley type of approach and tries to plaster it onto the vast domain of cyberspace.  (The Gramm-Leach-Bliley Act is the seminal 1999 financial privacy bill that requires financial institutions to provide initial and annual privacy notices to their customers and a way for them to opt out of having their personal information shared with unaffiliated marketers.  No doubt you read every line of the GLBA privacy notice your bank sends you every year.  Anyway, there is a real strong musty whiff of GLBA in the Boucher-Stearns draft.)<br />
<div id="attachment_1018" class="wp-caption alignleft" style="width: 310px"><img src="http://www.baerbizlaw.com/wp-content/uploads/2010/06/Dan-Baird-300x205.jpg" alt="Cowpunk pioneer Dan Baird exercises his right to opt out of data-sharing.   (Actually, this is from his 1991 album Love Songs for the Hearing Impaired). " title="Dan Baird" width="300" height="205" class="size-medium wp-image-1018" /><p class="wp-caption-text">Cowpunk pioneer Dan Baird exercises his right to opt out of data-sharing.    (Actually, this is from his 1991 album Love Songs for the Hearing Impaired). </p></div><br />
<strong>Preemption</strong></p>
<p>On the plus side, the draft legislation would set a single national online privacy and data security standard that preempts (supersedes) state privacy and data security laws &#8212; one-stop shopping, unless you&#8217;re unfortunate enough to also be covered by GLBA, HIPAA, the CAN-SPAM Act or the Children&#8217;s Online Privacy Protection Act, in which case it&#8217;s unclear how the inconsistencies with the draft legislation would be resolved.  </p>
<p><strong>Data Security</strong></p>
<p>The data security requirements generally follow those in the FTC Safeguards Rule promulgated under GLBA and are flexible and risk-based (appropriate administrative, technical and physical safeguards, as determined by the FTC, for protecting the security, confidentiality and integrity of covered information and preventing unauthorized loss, destruction, disclosure or misuse) as opposed to the one-size-fits-all prescriptive approach used by the encryption-happy legislature in Nevada.  There is no notification requirement in the event of a data breach, although the safeguards must be sufficient to determine the scope of the breach and remediate its effects.  The data security provision of the draft bill also contains a rather bizarre clause that, without any further explanation, requires a covered entity to establish reasonable measures to &#8220;assure the accuracy&#8221; of the information it collects.  </p>
<p>Here&#8217;s the kicker, though: the Boucher-Stearns draft <strong><em>does not track state data security laws like Massachusetts&#8217; in limiting its coverage to first and last name (or first initial and last name) combined with financial account number or government-issued identification number (e.g., Social Security number or driver&#8217;s license number)</em></strong>.  <strong><em>In fact, &#8220;covered information&#8221; as defined in the bill includes name, address or contact information.</em></strong>  Practically speaking, then, this represents a potentially onerous expansion of existing data security regulation, even though the security requirements themselves resemble existing rules.<br />
<strong><br />
What information is &#8220;covered&#8221; by the bill?</strong></p>
<p>Covered information includes <strong>any</strong> of the following:  first name or initial together with last name; postal address; phone or fax number; e-mail address; unique biometric data; government-issued identification number; financial account number and any code or password necessary to permit access to the account; unique identifier (such as an IP address or customer number) if used to collect, store, or identify information about a specific individual or a computer, device or software application owned or used by a particular user or that is otherwise associated with a particular user; and &#8220;preference profile&#8221; (defined as &#8220;a list of information, categories of information, or preferences associated with a specific individual or a computer or device owned or used by a particular user that is maintained by or relied upon by a covered entity&#8221;).</p>
<p>The draft bill therefore abandons the current regulatory focus on &#8220;personal&#8221; or &#8220;personally identifiable&#8221; information in favor of the FTC position that any data that is linkable to a specific web user or device requires protection.  </p>
<p><strong>Privacy:  And Now for Something Completely Different</strong></p>
<p>The privacy requirements of the draft legislation would drastically reshape the state of the world.  Here&#8217;s a high-level overview:</p>
<p>The bill would generally preserve the current practice of providing notice of a site&#8217;s privacy practices and an ability to opt out prior to any collection, use or sharing of information online BUT would require affirmative express consent (that is, an opt-in) before covered information could be shared with unaffiliated third parties.  These requirements would not apply to information collection, use and sharing for transactional or operational purposes (i.e., as necessary to effectuate a transaction between the site and an individual).  Sharing of information with a service provider which assists the site to effectuate a &#8220;first-party transaction&#8221; with the individual is also permitted, subject to an opt-out consent requirement.  Finally, the bill includes a behavioral advertising exception whereby information could be shared with online advertising networks without opt-in consent, but subject to certain notice and opt-out requirements, such as the prominent display of a notice or seal on the covered entity&#8217;s website and on or near targeted advertisements, along with a link to information about behavioral advertising and how consumers can opt out. </p>
<p>For the required &#8220;notice,&#8221; every site that collects covered information would need to post clearly and conspicuously (and make accessible via a link on its home page) a privacy policy containing the mandatory disclosures.  (The draft bill also contains privacy notice requirements for covered information collected offline, so if it is passed, businesses should consider adopting an integrated, holistic privacy policy covering all aspects of their operations.)  Some of these disclosures are already standard practice, such as a description of the information collected, purposes for collecting and using the information, how the information is collected, categories of third parties with which the information may be shared, and how individuals may obtain access to their information.  Other disclosure requirements break new ground, such as:</p>
<p>◊ how information may be merged, linked or combined with other information from unaffiliated sources<br />
◊ how information is stored by the entity<br />
◊ how long the information is retained in identifiable form<br />
◊ how the entity disposes of (or renders anonymous) covered information after the end of the retention period<br />
◊ a means to contact the entity with any inquiries or complaints about the handling of covered information<br />
◊ consent mechanism as required by the bill</p>
<p>Notably the draft legislation would codify the FTC&#8217;s <em>diktat</em> that material changes in privacy practices cannot be applied retroactively (i.e., to information collected prior to their posting), and information cannot be shared for purposes previously undisclosed that an individual would not reasonably expect, unless the entity gets the individual&#8217;s opt-in.</p>
<p>Finally, in its February 2009 staff report on behavioral advertising, the FTC posited that certain information might warrant special protection due to the increased risk of harm or embarrassment to the individual.  Sure enough, the draft legislation would also create a special category of &#8220;sensitive information&#8221; for which an opt-in is required prior to collection.   &#8220;Sensitive information&#8221; includes, when associated with covered information of an individual, information about medical history or condition; information about financial accounts; information about sexual orientation, race, ethnicity or religious beliefs; and &#8212; interestingly &#8212; &#8220;precise geolocation information.&#8221;   </p>
<p><strong>Am I Gonna Get Hit by This?</strong></p>
<p>If it passes, and if you collect covered information (which you probably do) either online or offline, then yes, unless you have a very small customer or user base or are a government agency.  Excluded from the draft legislation&#8217;s reach are government agencies and entities that collect covered information from fewer than 5,000 individuals in any 12-month period.  However, if you collect any sensitive information at all, you are covered even if your customer or user base is under 5,000.   </p>
<p><strong>Who Is Going to Come After Me If I Don&#8217;t Comply</strong>?</p>
<p>The primary enforcer would be the FTC, the big 900-pound gorilla in this draft legislation, since it would have the power to prosecute violations as unfair or deceptive acts or practices and would also acquire broad rulemaking authority to regulate online privacy and data security (although the draft bill prohibits the FTC from requiring specific technologies or software).  Based on the FTC&#8217;s activity to date in these areas, the agency would not be shy about using this power.  State attorneys general and consumer protection agencies could also enforce the law.  Private actors, however, have no right of action.  </p>
<p>Undoubtedly the Boucher-Stearns draft legislation will be heavily changed before it is passed, if it is even passed.  Significant problem areas, as pointed out by the DMA and other commenters, are the expansive definition of covered information (which would lump mere name and contact information into the same protected category as Social Security numbers) and the requirement of an opt-in to share covered information with unaffiliated marketers.  This regime is even more restrictive than GLBA and is a huge departure from how business is currently conducted on the Internet.  If the bill passes in anything resembling its current form, expect to be bathed in disclosure and to paddle through a profusion of annoying click-throughs. </p>
]]></content:encoded>
			<wfw:commentRss>http://www.baerbizlaw.com/category/blog/national-online-privacy-and-data-security-bill-coming/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>LinkedIn to LawSuit</title>
		<link>http://www.baerbizlaw.com/category/blog/linkedin-to-lawsuit/</link>
		<comments>http://www.baerbizlaw.com/category/blog/linkedin-to-lawsuit/#comments</comments>
		<pubDate>Thu, 03 Jun 2010 13:31:40 +0000</pubDate>
		<dc:creator>andrew</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[employment law]]></category>
		<category><![CDATA[LinkedIn]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[social media]]></category>

		<guid isPermaLink="false">http://www.baerbizlaw.com/category/blog/?p=951</guid>
		<description><![CDATA[<p>In this depressed economy, social media is one of the primary tools used for job-related networking.  At the risk of blaspheming, I greatly prefer Lin[......]</p><p class='read-more'><a href='http://www.baerbizlaw.com/category/blog/linkedin-to-lawsuit/'>Continue...</a></p>]]></description>
			<content:encoded><![CDATA[<p>In this depressed economy, social media is one of the primary tools used for job-related networking.  At the risk of blaspheming, I greatly prefer LinkedIn to Facebook because of the professionalism and relatively serious mindset of the user base (you don&#8217;t see much of &#8220;Hey, I&#8217;m lying on the couch!&#8221; from the VP&#8217;s and SVP&#8217;s on LinkedIn).  However, a suit filed this March in federal district court in Minnesota demonstrates the risks of casual chatter through LinkedIn when there is an employee non-compete agreement in the picture.</p>
<p>The facts of the case are very simple.  Brelyn Hammernick was a Minneapolis technical recruiter for the IT services firm TEKsystems who left to take a job with their competitor Horizontal Integrations.  Ms. Hammernick used LinkedIn&#8217;s e-mail tool to communicate with her network, which included several current TEKsystems employees.  Ms. Hammernick had signed a non-compete agreement with TEKsystems containing standard non-solicitation language that prohibited her from communicating with company employees to induce them to leave TEKsystems or work for a competitor.  Yet, as several attorney bloggers have already commented, certain of Ms. Hammernick&#8217;s e-mails were clearly solicitations.  The relevant paragraph from TEKsystems&#8217; complaint alleges:</p>
<p><strong><em>&#8220;Hammernick is soliciting TEKsystems’ Contract Employees and clients in the geographic area encompassed by the non-competition and non-solicitation provisions of the Hammernick Agreement. For example, Hammernick has communicated with at least 20 of TEKsystems’ Contract Employees using such electronic networking systems as “Linkedin.” Hammernick has, at a minimum, “connected” with the following TEKsystems’ employees through “Linkedin: Harold Osmundson, Steve Wicks, Kazim Merchant, Shawn Faber, Srujana Pasunuri, Shailaja Garishakurti, Kevin Jordahl, Mitha KC, Carl Boudreau, Tom Peterson, Seann Van Cleve, Bob Hasselman, Marcia Diterich, Bill Severson, Claude Wallander, and Brett Snaza. In her contacts with Tom Peterson, Hammernick asked Peterson if he was “still looking for opportunities.” She then stated that she &#8216;would love to have [you] come visit my new office and hear about some of the stuff we are working on.&#8217;&#8221;</em></strong></p>
<p>You can also find a full reprint of the key e-mails, along with some trenchant commentary, on <a href="http://www.smoothtransitionslawblog.com/2010/03/articles/noncompete-agreements/caught-red-handed-with-linkedin/">Dallas attorney Rob Radcliff&#8217;s blog here</a>.  (I don&#8217;t normally cite other law firms&#8217; blogs, but I consider Mr. Radcliff&#8217;s post both informative and dead-on.)  </p>
<p>What are the take-aways here?</p>
<p>1.  No one seriously believes that the federal district court is going to treat LinkedIn communications as qualitatively different from traditional channels of solicitation, such as telephone calls, e-mails outside of the social media context, or in-person conversations.  Doing something dumb on Web 2.0 is the same as doing something dumb on Web 1.0, which in turn is the same as doing something dumb using a telephone, telegraph or smoke signals.  </p>
<p>2.  As Mr. Radcliff notes in his blog, employers may find social media posts and communications of departed employees to be a font of useful evidence in employment-related litigation.  Employers should also consider mentioning social media posts and communications as a specific example in employee agreements and materials prohibiting solicitation and other objectionable activities.  </p>
<p>3.  The TEKsystems case involves deliberate one-to-one communications through LinkedIn.  A salient question, however, is whether posts or updates to one&#8217;s entire network or chosen group can violate non-solicitation obligations if the content is objectionable and certain recipients are still employees of the sender&#8217;s late, unlamented employer.  Or, to put it differently, if you&#8217;ve signed a non-compete with non-solicit requirements, should you &#8220;un-friend&#8221; or &#8220;de-link&#8221; your former work colleagues?  Simply updating your career profile should not be a problem, but you may want to think twice before blitzing your network or friends about all of the terrific opportunities you&#8217;re getting at your new employer.  </p>
<p>4.  Careless chatter on social media is a problem not only for departing employees, but also for their new employers, who (like Horizontal Integrations in the TEKsystems case) may get named in the lawsuit if the objectionable behavior appears to work for their benefit.  </p>
<p>Legally speaking, social media is no different from other forms of communication.  However, just as e-mail did in the 1990&#8217;s, it has a tendency to invite informal, spontaneous and poorly considered actions from its users.  Given the uncertain state of privacy on Facebook and other popular social media sites, expect to see a mountain of social media evidence building up in future litigation.  </p>
]]></content:encoded>
			<wfw:commentRss>http://www.baerbizlaw.com/category/blog/linkedin-to-lawsuit/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Startup Tip:  Get Your Developer to Sign a Contract</title>
		<link>http://www.baerbizlaw.com/category/blog/startup-tip-get-your-developer-to-sign-a-contract/</link>
		<comments>http://www.baerbizlaw.com/category/blog/startup-tip-get-your-developer-to-sign-a-contract/#comments</comments>
		<pubDate>Thu, 27 May 2010 20:06:24 +0000</pubDate>
		<dc:creator>andrew</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[copyright]]></category>
		<category><![CDATA[information technology]]></category>
		<category><![CDATA[IT]]></category>
		<category><![CDATA[patent]]></category>
		<category><![CDATA[software]]></category>
		<category><![CDATA[startup]]></category>
		<category><![CDATA[trademarks]]></category>

		<guid isPermaLink="false">http://www.baerbizlaw.com/category/blog/?p=908</guid>
		<description><![CDATA[<p>Startups like to move fast and don&#8217;t have the time and resources for a lot of legal boilerplate and negotiation, much less legal fees.  I get th[......]</p><p class='read-more'><a href='http://www.baerbizlaw.com/category/blog/startup-tip-get-your-developer-to-sign-a-contract/'>Continue...</a></p>]]></description>
			<content:encoded><![CDATA[<p>Startups like to move fast and don&#8217;t have the time and resources for a lot of legal boilerplate and negotiation, much less legal fees.  I get that.  </p>
<p>Still, if a major part of your business is a website or software application (including iPhone and Facebook apps), it&#8217;s well worth the time and (minimal) expense to put in place at least a simple contract with your developers.  This contract should get signed BEFORE the developer begins any substantial work on the project.<br />
<div id="attachment_947" class="wp-caption alignleft" style="width: 310px"><img src="http://www.baerbizlaw.com/wp-content/uploads/2010/05/stolid-facade1-300x225.jpg" alt="What you get with a solid developer contract" title="neoclassical facade" width="300" height="225" class="size-medium wp-image-947" /><p class="wp-caption-text">What you get with a solid developer contract</p></div><br />
I&#8217;ve represented clients rooked by unscrupulous developers, and that is why this topic is heavy on my mind at the moment.  And, by the way, this post is not meant to pick on developers.  (I represent several very good ones, and it&#8217;s in their interest too to make sure there is an adequate contract in place, namely to button down their right to get paid, fix the timing of payments and protect against scope creep.)  Still, there are big risks for startups on the client side, which is why a little patience and forethought can avert an expensive derailment of ambitious plans.</p>
<p>Why do you need a properly written contract with your developer?  </p>
<p>1.  <strong>Confidentiality.</strong>  Ideas have legs &#8212; muscular marathon runner&#8217;s legs &#8212; and you don&#8217;t want your developer to walk the idea for your new website or app across the street.  It&#8217;s difficult to protect still-inchoate ideas and requirements (as opposed to completed designs, specifications or prototypes) under intellectual property law, since bare ideas in the process of formulation are not copyrightable or patentable.  Moreover, the allowance rate for business method patents is extremely low (presently under 10%), and the cost of prosecuting patents is typically tens of thousands of dollars, so you should not count on being able to patent your website, program or app even at a more advanced stage of development.  What this means is that, besides avoiding disclosures except where strictly necessary, contract protection (i.e., a non-disclosure or &#8220;NDA&#8221; clause) is your best bet to protect your idea as it is being developed.  </p>
<p>2.  <strong>Intellectual Property Ownership.</strong>  Even if a bare idea is probably unprotectable, at some point the development of your idea is going to lead to the creation of protectable intellectual property.  In the context of web or software development, this could be some or all of the following:  (1) code, web design, graphics, images, text and other creative content (all of which can be copyrighted), (2) logos, slogans, catchy domain names and similar branding features (which can be trademarked), (3) look and feel (which is potentially protectable as trade dress), and (4) in rare cases, patentable inventions (if your site, program or app does something new, useful and non-obvious in light of the current state of the art).  </p>
<p>It is a widely held but mistaken belief that if you pay a contractor to do something for you, you automatically own all IP rights in the work product because it is a &#8220;work made for hire.&#8221;  (In fact, even attorneys often make this mistake, as I was reminded when I was reviewing an IP asset purchase agreement drafted by opposing counsel the other day.)  &#8220;Work made for hire&#8221; is a copyright concept only; furthermore, with outside contractors, it applies only to select types of specially commissioned works like atlases, parts of motion pictures or other audiovisual works, tests and instructional texts, which are generally irrelevant to the context we are discussing &#8212; and even then, a written agreement stating that the works are &#8220;made for hire&#8221; is still required!  </p>
<p>In plain English, what all this boils down to is:  <em><strong>you don&#8217;t own it (even if you paid for it) unless there is a contract that says you do.</strong></em>   To be legally effective, the contract must also assign all relevant copyrights, patent rights and other IP to your startup.  Without such a contract, you only get a license (i.e., a narrow right to use), the developer still owns any copyrights and patents, and it is free to use or commercialize this IP elsewhere.  Potential investors and acquirors looking at your startup will want to see that you have IP ownership buttoned down.  If you don&#8217;t own your product, watch out. </p>
<p>3.  <strong>Getting What You&#8217;re Paying For.</strong>  In development parlance, this refers to scope and specifications:  you are paying X for the developer to build you Y, with Y being fleshed out in as much detail as possible in the contract.  The importance of getting this nailed down is best illustrated by a common horror story:  Client goes to Developer and asks Developer to build a site with A, B and C features and functionality.  Developer says sure, no sweat; it&#8217;ll cost you $5,000, half up front and half on completion. </p>
<p>Developer labors for a month before realizing that he seriously underbid the project, which is far more complicated than he had considered.  So he stops work and informs Client: sorry, I can&#8217;t possibly make a profit on this deal, but because I&#8217;m a warm-hearted stand-up guy, I&#8217;ll agree to just keep the $2,500 you&#8217;ve already paid, even though I&#8217;ve done $6,000 of work.  For this largesse I welcome any comparisons to Gandhi you care to make.  Client, who is out $2,500 and doesn&#8217;t have a website, is not inclined to award any Nobel Peace Prizes.  </p>
<p>Developers may cry foul at this narrative.  The common argument I hear from developers is that clients think developing a website is like rehabbing a bathroom, i.e., the client knows what it wants and the parameters of the project are fixed at the outset, so there is no scope creep.  In contrast, the argument continues, development clients actually DON&#8217;T know what they want.  Their requirements are constantly in flux, and they require endless rounds of revisions.  </p>
<p>Fair enough.  But this doesn&#8217;t undermine the case for a contract.  Quite the opposite, it means a contract is urgently needed by both parties to manage expectations.  The contracting process is an opportunity for both sides to crystallize and refine those expectations before money is spent &#8212; what will the basic functionality/features be?  what platform will the site run on?  how many rounds of revisions are included?  what will additional revisions cost?  And so on.  </p>
<p>The idea is that scope is reduced to writing as much as possible at the discussion stage instead of during the thick of development (and ideally a process is defined to handle any requested changes in scope).  If it is impossible or impractical to draft detailed functional specifications at this stage, they can be a deliverable to be approved by the client later.  (For complex or expensive sites or programs, the parties may end up splitting the risk by handling functional specification development and actual coding as two separate projects, each covered by its own scope definition and cost parameters, with the client having the option whether or not to proceed to stage 2.)  </p>
<p>4.  <strong>Getting It When You Need It.</strong>  Launch is everything to startups.  If a site or program isn&#8217;t ready or isn&#8217;t debugged by the time desired, this creates all sorts of risks &#8212; risk of the competition getting a jump on you, risk of seed capital running out, cash flow risk if an expected stream of revenue is postponed, reputational risk if you&#8217;ve heavily promoted the launch and then have nothing (or nothing respectable) to launch.  A well-drafted development contract, therefore, should include key deliverable milestones along with delivery dates, and payments should be tied to successful achievement of these milestones in order to incentivize developer performance.  A meaningful portion of the development fee (a third or more) should be payable only after final delivery and successful completion of user acceptance testing.</p>
<p>5.   <strong>Legal Stuff.</strong>  This is the part that startups really hate, but it can be critical if a dispute arises (as it frequently does).  Say a Philly client hires a developer in California to build a site for $10,000.  The parties sign a contract, and the developer takes the client&#8217;s up-front payment of $5,000.  The developer then does absolutely nothing and greets the client&#8217;s increasingly anguished entreaties with an upraised middle finger. </p>
<p>It doesn&#8217;t take a tech lawyer like me to tell you the developer breached the contract.  But how does the client left in the lurch get a remedy?   The contract says nothing about where disputes will be litigated (venue) or which state&#8217;s law will apply to the interpretation and enforcement of the contract (choice of law).  The answer is that the client hires a California litigator at $500/hr to fight over these issues, as well as over the underlying breach-of-contract issue, and after spending $100,000+ in legal fees (and traveling to California to testify), after three to five years the client may get its $5,000 back or perhaps a court order forcing the developer to finish the site.  </p>
<p>Obviously this is a losing economic proposition for any client, and it would be insane to sue, despite the legal merits of the case.  On the other hand, let&#8217;s say the contract had provided that the law of enforcement would be Pennsylvania&#8217;s, that any litigation must take place in Philadelphia, and that the party prevailing in any litigation would be entitled to be reimbursed for its legal fees, in addition to any recoverable damages.  The costs and risks of enforcement are now working in the client&#8217;s favor; it can now bring the suit in Philly, representing itself <em>pro se</em> if necessary, and force the wrongful party (the developer) to pay both sides&#8217; litigation costs, which is a big stick indeed.  Of course, there may still be reasons why litigation is not advisable (for example, the client would still need to get a California court to enforce the Philly court&#8217;s judgment, and the developer may not have sufficient assets to pay the client&#8217;s legal fees and damages, which defeats the whole purpose).  However, the client&#8217;s ability to raise at least a credible threat of litigation, together with the possibility of much higher costs for the developer, thoroughly changes the dynamics of the dispute and gives the client greater leverage.  </p>
<p><strong>Avoiding the 15-Page Monstrosity</strong></p>
<p>If you think that adequately addressing these considerations requires a 15-page contract which would take months to negotiate and consume thousands of dollars in legal fees, you&#8217;d be wrong.  All of this can be easily hammered out in relatively simple language taking up a couple of pages.  Legal fees should be minimal if you&#8217;re dealing with an attorney who knows technology and is used to working with startups (otherwise, you may very well get the 15-page monstrosity).  </p>
<p>Your startup doesn&#8217;t need a perfect agreement with every conceivable bell and whistle; the perfect should never become the enemy of the good.  But the basic issues I have described need to be covered.  It&#8217;s no exaggeration to say that the costs of not obtaining basic protection, in terms of both money paid out to developers and lost future opportunities for your startup, are likely to vastly exceed the legal fees.  </p>
<p>And, developers &#8212; this is for your own good too.  Think about helping your clients by creating a simple contract template with some moderated version of these basic protections for the client built in, along with protections against scope creep and whatever payment terms you need for your business.  Contrary to popular belief, contracts aren&#8217;t just (or even primarily) for hypothetical future litigation &#8212; if drafted well, they are litigation-preventers and value-enhancers, allowing projects to glide to completion along a pathway of smoothly aligned expectations.  </p>
]]></content:encoded>
			<wfw:commentRss>http://www.baerbizlaw.com/category/blog/startup-tip-get-your-developer-to-sign-a-contract/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>SCOTUS Still Silent on Bilski</title>
		<link>http://www.baerbizlaw.com/category/blog/scotus-still-silent-on-bilski/</link>
		<comments>http://www.baerbizlaw.com/category/blog/scotus-still-silent-on-bilski/#comments</comments>
		<pubDate>Wed, 26 May 2010 14:11:43 +0000</pubDate>
		<dc:creator>andrew</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[Bilski]]></category>
		<category><![CDATA[intellectual property]]></category>
		<category><![CDATA[patent]]></category>
		<category><![CDATA[Supreme Court]]></category>

		<guid isPermaLink="false">http://www.baerbizlaw.com/category/blog/?p=902</guid>
		<description><![CDATA[<p>No word yet from the U.S. Supreme Court on <em>Bilski v. Kappos</em>, the eagerly awaited decision which is likely to limit the scope (if not drive the final n[......]</p><p class='read-more'><a href='http://www.baerbizlaw.com/category/blog/scotus-still-silent-on-bilski/'>Continue...</a></p>]]></description>
			<content:encoded><![CDATA[<p>No word yet from the U.S. Supreme Court on <em>Bilski v. Kappos</em>, the eagerly awaited decision which is likely to limit the scope (if not drive the final nail into the coffin) of allowable business method patents.  You can find a description of the issues and stakes involved in <a href="http://www.baerbizlaw.com/category/blog/the-coming-day-of-reckoning-for-business-method-patents">my blog post on the Federal Circuit&#8217;s (lower court&#8217;s) machine-or-transformation test for business method/process patent applications</a>.  </p>
<p>Based on my reading of the November 2009 oral argument transcript and my conversations with patent experts, we predict that (1) the Patent Office&#8217;s rejection of Bilski&#8217;s application for a method of hedging risk in commodities trading will be upheld, (2) the Federal Circuit&#8217;s machine-or-transformation test will be invalidated as unduly limiting given the statutory language and history, BUT (3) we may see a new definition of patentable subject matter based upon some ethereal concept of &#8220;technology.&#8221;</p>
<p>The Supreme Court will next release decisions on Tuesday, June 1.  Given the importance of this ruling to our software and Internet clients, we will post a link to the opinion and a brief summary on this blog as soon as it is issued, to be followed by a full analysis not long afterward.  </p>
]]></content:encoded>
			<wfw:commentRss>http://www.baerbizlaw.com/category/blog/scotus-still-silent-on-bilski/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Angels Get a Reprieve</title>
		<link>http://www.baerbizlaw.com/category/blog/angels-get-a-reprieve/</link>
		<comments>http://www.baerbizlaw.com/category/blog/angels-get-a-reprieve/#comments</comments>
		<pubDate>Thu, 20 May 2010 15:36:55 +0000</pubDate>
		<dc:creator>andrew</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[SEC]]></category>
		<category><![CDATA[securities]]></category>
		<category><![CDATA[startup]]></category>
		<category><![CDATA[venture capital]]></category>

		<guid isPermaLink="false">http://www.baerbizlaw.com/category/blog/?p=890</guid>
		<description><![CDATA[<p>Innovation in America has been granted at least a four-year reprieve, thanks to the far-sighted efforts of a bipartisan group on the Senate Banking Co[......]</p><p class='read-more'><a href='http://www.baerbizlaw.com/category/blog/angels-get-a-reprieve/'>Continue...</a></p>]]></description>
			<content:encoded><![CDATA[<p>Innovation in America has been granted at least a four-year reprieve, thanks to the far-sighted efforts of a bipartisan group on the Senate Banking Committee.  </p>
<p>In my <a href="http://www.baerbizlaw.com/category/blog/guarding-the-angels">March 26 post &#8220;Guarding the Angels?&#8221;</a>, I blogged about some troubling provisions in Senator Chris Dodd&#8217;s (D-Conn.) financial reform bill that would have subjected private offerings to angel investors to burdensome SEC review and state regulatory compliance obligations.  Among other things, these provisions would have drastically raised the $200,000/year income and $1 million net worth thresholds for angels to qualify as &#8220;accredited investors,&#8221; which assures private offerings to such persons critical exemptions from federal and state securities laws.  </p>
<p>No doubt this sounds like legal gobbledygook, but from the standpoint of a tech attorney whose practice is focused on aiding creative startups, the prospect was sobering.  Since startup businesses, particularly in risky technology fields, generally do not have access to traditional bank financing, the addition of potentially tens or even hundreds of thousands of dollars in legal and compliance costs as well as 120 days or more of delay to the angel funding process could have devastated innovative startups and job creation at a time of 9.9% national unemployment.  This was a classic case of our political aristocracy in Washington not having had the &#8220;Mommy, where do jobs come from?&#8221; conversation.  </p>
<p>Fortunately, Senate Amendment 4056, approved by the Banking Committee on May 17, while not a perfect fix, largely vitiates the problematic anti-angel Sections 412 and 926 of the Dodd bill.  For this we have to thank Senator Dodd himself, as well as Senators Scott Brown (R-MA), Maria Cantwell (D-WA), Mark Warner (D-VA), Kit Bond (R-MO) and Mark Begich (D-AK), although the real heroes were the startups themselves (including my colleagues in <a href="http://www.phillystartupleaders.org">Philly Startup Leaders</a>), who organized nationally to petition our elected representatives to remember our critical role in the economy at a time of worldwide economic crisis.  </p>
<p>S.A. 4056 gets rid of the SEC review requirement and threat of exposure to state securities compliance requirements and keeps the accredited investor income and net worth thresholds fixed at their current levels for a period of four years, after which they will be subject to SEC review and possible adjustment.  This eliminates the immediate danger to startup funding.  </p>
<p>In their <a href="http://banking.senate.gov/public/index.cfm?FuseAction=Newsroom.PressReleases&#038;ContentRecord_id=a8a93650-936c-1e68-27b0-a38401ac9619&#038;Region_id=&#038;Issue_id=">press release</a>, the Senate sponsors of the amendment hit exactly the right note:  whatever went wrong with Wall Street in 2008, startups and angel investors had nothing to do with it, so the government should lay off.  However, at the same time it is disconcerting to realize how close we came to killing the goose that lays the golden eggs.  Venture capitalists are few and highly selective; small angel investments are the primary vehicle for injecting seed capital into startups.  How many future Googles, Facebooks and Microsofts might never have gotten off the ground?  How much precious development money would have padded the pockets of securities lawyers?  It seems that many senators were not even aware of the implications of their monstrosity.   True regulatory reform requires transparency and patience for debate, as well as a willingness to forgo dramatic political gestures in favor of targeted (i.e., boring) fixes that are narrowly tailored to diagnosable problems.  Above all, it involves <em><strong>reading the freakin&#8217; bill</strong></em>.  Fortunately, our citizen-capitalists were on the ball.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.baerbizlaw.com/category/blog/angels-get-a-reprieve/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
