Mobile Applications: An Update

In 2013, we wrote an article regarding legal issues for mobile applications (Apps). Since then, the number of mobile application downloads has increased by over 400%, and their functionalities have grown tremendously. In fact, Apps have become an essential part of the everyday life of many consumers. As Apps continue to evolve, lawsuits and investigations regarding them have multiplied.

The discussion below provides an update on the legal issues discussed in our 2013 article. While privacy issues have emerged at the forefront and tend to make headlines, developers also need to be aware of other recent developments that affect their ability to secure their intellectual property rights in the App and limit their liabilities.

1. Use of Open Source Software 

Most App developers use open source software (OSS) to develop their Apps. The open source software is licensed to them under an open source software license model, such as Apache, the General Public License (GPL) and its various versions, etc. Each license model has unique requirements, such as attribution, rights over derivative works, commercial use, non-discrimination with respect to platform, etc. The importance of understanding and managing OSS license terms in the App development process is highlighted by OSS-based lawsuits.

For example, in Versata v. Ameriprise, Versata developed and licensed its proprietary software, Distribution Channel Management (DCM), to Ameriprise. Ameriprise passed it on to its subcontractors, who decompiled it and developed a competing product. Versata sued Ameriprise claiming a breach of their license, but Ameriprise countered that since Versata’s software had been developed based on XimpleWare, a software that was licensed to Ameriprise on the terms of the GPLv2 license (which requires that the source code of all derivative works be made available under the GPL license terms upon distribution of the modified OSS), Ameriprise or its subcontractor could decompile and modify the software at will. Versata had failed to recognize that open source software had been used in developing DCM, and had not integrated the GPL license terms in its own license of DCM. Following this allegation, XimpleWare Inc. sued Versata and its clients for breach of its license terms. Though the cases were settled in 2015, they highlight the importance of managing vendors who might use open source software in App development, as well as understanding and integrating the license terms of any open source software used in the App development process.

2. Enforcement of Terms of Service or End User License Agreement

The Terms of Service (Terms) of an App define the rights and liabilities of the App developer, owner and users. Typically, the App developer includes robust disclaimers for liability and other clauses to protect itself. However, none of this language would matter if the Terms are not conspicuously displayed in a way that would provide the end user an opportunity to read them. In recent years, courts have handed down many decisions holding “browsewrap” agreements unenforceable. “Browsewrap” agreements are those where the user is not required to take any action to agree to the Terms, but instead is bound by the App’s Terms automatically upon use of the App.

For example, in In re Zappos, Customer Data Security Breach Litigation, the court invalidated Zappos’ arbitration clause and deemed its Terms of Use unenforceable since they were inconspicuously buried at the bottom of every Zappos.com webpage among many other links. The website never directed its users to the Terms of Use, essentially forcing them into agreements unwillingly. Similarly, in Mayer v. Kalanick, an anti-trust lawsuit where Uber intervened in a lawsuit against its founder, the court held that Uber could not enforce its arbitration clause because a user did not need to affirmatively click any box saying that he agreed to Uber’s Terms of Service. On the contrary, a user could sign up for Uber by clicking on the “Register” button without explicitly indicating his assent to the terms and conditions that included the arbitration provision. An Uber user could access Uber’s services without visiting the page hosting the browsewrap agreement or even knowing that such a web page exists.

3. End User Privacy

In recent years, there has been an increase in privacy-related lawsuits and investigations against App developers due to the expansion in App functionality and data collection efforts. Users and consumer protection agencies are starting to pay more attention to the data collected and shared by Apps in search of privacy violations. Famously, Niantic, the maker of Pokemon Go, was sanctioned by the Federation of German Consumer Organizations since the game violated Germany’s privacy laws by retaining and sharing user data — including players’ location, recent web history, search terms and user messages. Likewise, Yelp was sued for its “friends’ finder” feature in its mobile applications, whereby the app accessed contact information from users’ phones and uploaded it to its server without their express consent.

Given the increasing scrutiny of the privacy practices of App developers, which causes monetary as well as reputational harm, it is important for App developers to integrate privacy protections into their App development process and consider the privacy ramifications of data collection and sharing in the App.

TOP FIVE PRIVACY PRACTICES TO ADOPT BASED ON FTC’S SETTLEMENT WITH UBER

On May 12, 2014, an intruder was able to access sensitive personal information belonging to over 100,000 Uber drivers including names, driver license numbers, social security numbers, and bank account information. Uber did not detect this major breach until September 2014 and failed to notify Uber users until February 2015.

While Uber’s Privacy Policy provided that it implemented reasonable security measures to protect the personal information of Uber Riders and Drivers, a complaint and investigation by the Federal Trade Commission (FTC) against Uber demonstrated that Uber needed to take serious precautionary measures to protect consumer information. The FTC’s recent settlement with Uber, which imposes a requirement of third-party privacy audits for 20 years and a fine of $20 million, highlights a number of important guidelines that corporations collecting personal data can follow to reduce the risk of a data breach. Below are the top five privacy practices to adopt based on the FTC’s settlement with Uber:

  1. Implement two-factor authentication for internal access to personal information

Prior to the complaint, Uber stored all of its data in an Amazon S3 Datastore, a scalable cloud storage service that could be used to store and retrieve large amounts of data. The S3 Datastore preserves information in “buckets,” virtual containers to which individual access controls can be applied. However, Uber used a single access key (or password) that provided full administrative access to all data, which made it significantly easier to hack. Using two-factor authentication for internal access helps control who can access certain types of information and makes it more difficult for an intruder to access confidential data.

  2. Closely monitor and audit employee access to consumer data

Similarly, the FTC’s complaint against Uber noted that all Uber employees could access all consumer data (through the single access key), regardless of their job functions. This left Uber more open to potential data breaches. Limiting employee access to data based on job function and an actual need to access such data greatly improves security.

  3. Encrypt Personal Information

In the complaint against Uber, as well as in the FTC’s settlement, one of the biggest critiques was that Uber stored all of the personal data in the S3 buckets in plain text, meaning that once a potential intruder got into the data storage, the sensitive information of Uber riders and drivers was readily available to them. One of the easiest fixes is for Uber and other companies storing sensitive data to begin encrypting any personal information they receive when they place it in data storage, adding another layer of security protecting their customers.

  4. Implement and update internal privacy and security programs

Having a well-documented security program which identifies and addresses foreseeable risks, defines employee authorization to access data, and details strict authentication mechanisms is important for companies to reduce the risk to the data in their possession. Compliance with this policy needs to be continuously evaluated as companies innovate and launch new products, add employees, expand to new regions, reorganize internal processes, or even as new threats get detected. Providing security training to employees is an important component of implementing the privacy policy. Up until the Uber decision, Uber employees received little to no training with regard to protecting client data and best industry security practices.

Prior to the complaint, Uber did not have a strong documented policy, nor did it have monitoring or evaluation of its privacy practices. Thus, a major part of the Uber settlement was the requirement that Uber undertake regular third-party evaluation to determine if it had successfully implemented effective safeguards for consumer data. For companies looking to take lessons from Uber, it is essential to be aware of the need for neutral evaluation and continual upkeep to reinforce privacy policy.

  5. Ensure your Privacy Policy is accurate

Between July 13 and July 15th, 2015 Uber disseminated a privacy policy that contained statements about using “standard, industry wide security practices… for protecting your information.” This overstatement of Uber’s security policies was part of a systemic issue in which Uber’s rhetoric and practices were not aligned. In response to these issues, Uber should have closely examined its privacy policies to make sure that the statements within them were accurate and if not, to adjust its own policies.

Similarly, in the months prior to the decision against Uber, the company continually misrepresented the scope of its privacy practices trying to assure its customers that their data was safe. Since Uber did not enforce the privacy standards it claimed to, this meant that a large part of the FTC’s settlement focused on evaluation and recordkeeping.  Corporations should align their statements with their actual privacy practices in order to both protect the privacy of their customers and remain compliant with the FTC.
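Practices 1 to 3 above (no single all-access key, access limited by job function, encryption of stored personal data) can be checked mechanically against AWS policy documents. The following is an added example, not part of the original article or the FTC materials: a simplified Python audit over constructed IAM and bucket policies, in which the bucket name `example-driver-records`, the finding labels and the function names are assumptions made for illustration.

```python
import json

# Constructed identity policy: one credential with full access to every bucket.
BROAD_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
""")

# Constructed identity policy: read-only, one prefix, MFA-backed session required.
SCOPED_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{
   "Effect": "Allow",
   "Action": ["s3:GetObject"],
   "Resource": "arn:aws:s3:::example-driver-records/payroll/*",
   "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}]}
""")

# Constructed bucket policy: reject uploads that do not request server-side encryption.
ENCRYPTING_BUCKET_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{
   "Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
   "Resource": "arn:aws:s3:::example-driver-records/*",
   "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}}]}
""")


def _as_list(value):
    """IAM allows a single string or a list for Statement, Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_identity_policy(policy):
    """Return sorted finding labels for Allow statements that grant S3 access.

    Simplified: exact-match condition keys, no NotAction/NotResource handling.
    """
    findings = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        if not any(a == "*" or a.startswith("s3:") for a in actions):
            continue  # statement does not touch S3
        if any(a in ("*", "s3:*") for a in actions):
            findings.add("WILDCARD_ACTION")   # full administrative access
        if any(r in ("*", "arn:aws:s3:::*") for r in _as_list(stmt.get("Resource"))):
            findings.add("ALL_BUCKETS")       # not limited by job function
        mfa = stmt.get("Condition", {}).get("Bool", {}).get("aws:MultiFactorAuthPresent")
        if str(mfa).lower() != "true":
            findings.add("NO_MFA_CONDITION")  # long-term key alone is enough
    return sorted(findings)


def bucket_denies_unencrypted_puts(bucket_policy):
    """True if a Deny statement blocks PutObject without an encryption header."""
    for stmt in _as_list(bucket_policy.get("Statement")):
        if stmt.get("Effect") != "Deny":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        if not any(a in ("s3:putobject", "s3:*", "*") for a in actions):
            continue
        null_cond = stmt.get("Condition", {}).get("Null", {})
        if str(null_cond.get("s3:x-amz-server-side-encryption")).lower() == "true":
            return True
    return False
```

Requests signed with a long-term access key do not carry `aws:MultiFactorAuthPresent`, so an Allow statement conditioned on it only matches temporary credentials obtained with MFA.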

Why a Will?


  • Last Will and Testament – A document by which a person directs his or her estate to be distributed upon death.

Most people do not have a high level of interaction with the courts in their lifetime. Perhaps that’s why so few have set up a will. Incredibly, according to the statistics presented by Forbes magazine in 2014, more than half of Americans between ages 55 and 64 don’t have wills. These figures get more dismal as the age bracket examined becomes younger.

Many people think of wills as merely dividing up their money and land. As such, they don’t imagine they’ll need a will if they aren’t leaving behind six-figure bank accounts and multiple vacation homes. However, this notion is misguided.

A last will and testament is, generally, an individual’s last chance to give legally binding instructions for the disposition of his or her assets after death. If someone dies intestate (without a will) in the State of Washington, the state will make the decision regarding division of the deceased person’s property. Broadly speaking, the law requires that, in intestate estates, certain percentages of assets go to next of kin. (For example, 50% to the deceased person’s spouse and 50% to his or her children in equal shares). The laws do consider whether property items are community or separate property, but otherwise, no discretion is allowed.

If something unexpected happens, a will ensures that necessary funds go to those who require them. A comprehensive and well-crafted will can contain more than general provisions for your loved ones and their futures. Making a list in your will of items that have sentimental value to family members could avoid a fierce and expensive legal contest later. For example, Dr. Martin Luther King Jr.’s family settled the question of who had the rights to his Nobel Prize and personal travel bible in August 2016. As you may recall, he died in April 1968.

In very rare cases in which no will is found, and no heirs are found, the decedent’s assets may escheat to the State of Washington. This means the state will claim the assets for itself. Most likely, no individual would intentionally leave all of his or her property to the state.

Be aware that, during probate estate administration, debts must be considered. It is very important to consider how any debt will affect the calculations in setting up a will. Debts take precedence over the Decedent’s wishes in his or her will, meaning that generally the debts will be paid off first. The State of Washington lists, in order of priority, the payment of debts during a probate estate administration. [RCW 11.76.110]. For example, any taxes owed to American or foreign governments must be paid before any of the heirs’ claims will be paid. There are some exceptions of course.

It is absolutely critical that your last will and testament is drafted carefully and comprehensively, in order to gain the benefits of having such a document. Although this website will provide some basic information regarding a will and its suggested contents, use of this website is not a substitute for a lawyer; and of course, we do not represent you as your lawyer. Your issues and concerns are unique to you and should be considered carefully. If you have any questions, please consult the services of an attorney.

FCC’s Privacy regulation for Internet Service Providers Repealed

On March 28th, 2017, the House of Representatives repealed a Federal Communication Commission (FCC) regulation that would have required internet service providers (ISPs) to receive consumer consent before sharing their personal information (such as browsing histories, app usage, etc.) with third parties. While the implementation of some parts of the broader regulation around data security had already been suspended by the FCC before the vote, the restrictions on sharing personal information were to become effective in December 2017. Thus, though the repeal does not change much for consumer privacy from a practical standpoint, it does reverse the progress made under the Obama administration towards protecting consumer privacy.

The FCC chairman, Ajit Pai, has indicated that he is interested in turning over jurisdiction over ISPs to the Federal Trade Commission (FTC) because of its extensive history of regulating privacy practices. However, the FTC’s authority to regulate the privacy practices of broadband mobile providers such as AT&T was restricted by the Ninth Circuit in FTC v. AT&T Mobility in 2016, which held that “common carriers” are exempt from the FTC’s regulation under Section 5 of the FTC Act (which prohibits “unfair and deceptive trade practices”) even when the act in question (data throttling, in this case) is not related to their common carrier function. In order to turn over jurisdiction of ISPs to the FTC, they would have to be re-classified to non-common carrier status, which would likely endanger the net neutrality rules implemented by the FCC.

In the absence of FCC or FTC regulation of ISPs, the privacy practices of these companies will continue to be regulated through various state consumer protection laws as implemented by the state attorneys general. Unfortunately, this means that there will be a patchwork of regulations and a lack of clarity on the security and privacy standards for ISPs to follow.

Legal Issues for Mobile Applications

Mobile application (App) development is progressively becoming one of the largest and quickest revenue generators for small and start-up technology companies. A new report from MarksandMarkets pegs the mobile App revenue growth at $25 billion by 2015 (up from approx. $6.8 billion in 2010). It is estimated that about 50 million Apps will be downloaded by 2012.

However, given the recent spate of lawsuits and consumer complaints, legal protection and compliance are becoming ever more important issues for mobile application development companies. Though the laws governing Apps vary widely depending upon the consumer base, nature of content, and the business model utilized for developing the App, it is important to consider at least the following aspects of App development and marketing:

Intellectual Property Right (IPR) in the App Software

The IPR in the App software is a copyright that its author enjoys the moment he or she writes the code. The ownership of such copyright might be complicated if the App development has been outsourced to a vendor, achieved through a joint effort, or derived from an open source software (OSS). Where all or part of the development of the App has been outsourced, the vendor agreement should ensure that the party financing the App development has acquired all IPRs to the software through a properly drafted “work for hire” clause. In addition, it is important to bind the vendor with a non-disclosure agreement to ensure strict confidentiality while your App is being developed.

When an App is developed through a partnership, each company owns the IPR only over the piece developed by it, in the absence of an agreement to the contrary. If each party involved in the development wants the ability to further exploit the App for commercial and non-commercial purposes, then the parties should execute an agreement of joint ownership of the App wherein each party will be required to account to the other for the financial benefit derived from its use of the App.

A number of Apps today use open source software (according to a recent survey by Open Source, OSS is used in 88% of the Android phones and 41% of the iOS phones). IPR and end user licensing require special consideration in these Apps because the OSS licenses (GPL, LGPL, or Apache) have specific requirements for attribution, distribution, and non-discrimination with respect to the platform. Further, a single App might be developed using a combination of OSSs, each governed by a different license. A legally compliant launch of such an App requires (i) identifying the different components of the App software, the OSS license they are based on, and the compliance requirements for each license, (ii) drafting a terms of use statement that complies with all the required OSS license requirements, and (iii) identifying those components of the App software over which the developer can exert an exclusive IPR.

Intellectual Property Right in the Content

The App might use (i.e. display, reproduce, publish, modify, or make a derivative work of, etc.) copyrighted content such as images, videos, and sound recordings of others. Developers need to procure “rights clearance” from copyright owners in order to be protected against infringement claims. Clearance may exist for certain uses, such as in-store, but it is important to receive permission for use where such rights have not already been licensed.

Trademark issues might also arise if the App or its features are similar to a prior registered or otherwise recognized trademark. A trademark is a branding tool, and so the true test of infringement is whether the use of another’s trademark confuses the end user regarding the origin of the App. Thus, an App could infringe another trademark in a number of ways, including (i) if the name of the App is similar to an existing trademark, (ii) if the look, feel, and layout of your App is similar to that of a recognized mark, or (iii) if an existing trademark is used in the marketing or description of the App such that the end user is likely to be confused as to the source of the App. In order to avoid trademark infringement issues, the developer should identify the use of any prior trademarks in the App and inform the end user that the App is not sourced or endorsed by that trademark owner.

If the App allows for user contribution, then it is important to protect against vicarious liability from users who post infringing content. The Digital Millennium Copyright Act might help avoid such liability if the developer follows the requirements of its safe harbor clause, including (i) immediately removing the infringing material when a complaint is received or the App owner becomes aware of it, (ii) disabling repeat infringers from using the App, (iii) not receiving any direct financial benefit from the infringing activity, and (iv) adopting reasonable technical measures to avoid infringement.

Privacy and Data Collection Issues

As is evident from recent lawsuits against Apple for breach of privacy, data storage and privacy are becoming real concerns for end users. In Apple’s case specifically, the problem was that it was storing location-based data of end users in an unencrypted form and using it for commercial purposes. While monetary damage still needs to be established, failure to address end users’ privacy concerns could negatively impact the App’s consumer support and sales.

These concerns regarding privacy and data protection can be addressed by drafting effective terms of use and privacy policy statements that are reflective of the developer’s consumer base and privacy practices. The terms of use and privacy statements should at a minimum include (i) what information is collected, (ii) how it is stored, (iii) how it is used by the developer, (iv) whether the information is shared with third parties, (v) how the user can opt out of providing such information, and (vi) contact information for end user complaints about the user data. If the App does collect and share personal information, then the developer should get consent from the end user for doing so.

Additional considerations will arise if the App collects financial, personal, or health data, is targeted towards children, or further distributes this data to third parties, since specific laws govern the use of such information. For example, if the App is a game targeted towards children 13 and younger, then the App will have to comply with Children’s Online Privacy Protection Act. In addition, a number of states have their own regulations around privacy and data collection activities.

Jurisdiction

While the advice above has been provided only in reference to U.S. law, the App developer will need to consult and comply with laws in other countries where the App is being distributed. Consumer protection, privacy, and data protection laws in the U.S. differ widely from those in Europe, China, India, and other nations that might have heightened restrictions on such activity. If the App is being distributed in a country other than the U.S., it is highly advisable to consult with an attorney or other expert in the mobile and consumer laws of those countries.