How Risky Is Tossing Your Old Servers? Maybe $60,000,000 Fine

We all have them. Old computers sitting around in storage, never to be used again. Broken servers that have passed their prime. Laptops abandoned for their newer, shinier versions.

And what do you do with them? If these are business computers and you were considering tossing them into the trash can or hauling them to the landfill, you could be courting serious risk for your company. Improper disposal of data holders can lead to embarrassment, lawsuits and fines.

There are environmental issues, of course. The FTC publishes a notice on disposal of computers that states: “Most computers contain hazardous materials like heavy metals that can contaminate the earth and don’t belong in a landfill. So what are your options? You can recycle or donate your computer. Computer manufacturers, electronics stores, and other organizations have computer recycling or donation programs. Check out the Environmental Protection Agency’s Electronics Donation and Recycling page to learn about recycling or donating your computer.”

But the data exposure is another ballgame entirely. We were reminded of this fact last week when the Office of the Comptroller of the Currency, a lead regulator for national banks, fined Morgan Stanley Bank and its Private Bank $60 million for risk management issues related to the closing of two wealth management data centers.

The American Banker reported “The OCC found that the bank did not take proper precautions in dismantling and disposing of outgoing hardware that contained sensitive customer data and failed to properly supervise the vendors Morgan Stanley tasked with wiping customer data from the old equipment before it was resold.” The OCC reported in its press release on the fine, “Among other things, the banks failed to effectively assess or address risks associated with decommissioning its hardware; failed to adequately assess the risk of subcontracting the decommissioning work, including exercising adequate due diligence in selecting a vendor and monitoring its performance; and failed to maintain appropriate inventory of customer data stored on the decommissioned hardware devices.”

But the OCC investigation was not the only attack on Morgan Stanley’s computer disposal procedures arising from the decommissioning of these data centers. Two lawsuits have also been filed by Morgan Stanley clients and former clients who were notified that the data center closing placed their information at risk. The lawsuits claim that unencrypted private financial data remained on the decommissioned computers after they left the bank’s possession and that a software flaw left previously deleted data on the computer hard drives. These putative class action suits have not yet specified damages.

As Morgan Stanley can now attest, termination/destruction hygiene is a crucial part of any information technology program. And like many aspects of modern computing and ecommerce, if safe computer destruction is not part of your company’s core competence, then you are likely best served by hiring professionals to perform the task for you.  But make sure you know what you are getting.

Computer recycling, destruction and refurbishment involve a full removal of unencrypted data from the drives and storage units. We all know that simple deletion of an item does not necessarily remove the item itself, just the ease of access to it – like boarding up the door of a house. The house is still there, just harder to enter. Your vendor handling destruction should be able to attest to writing over the important drives or otherwise destroying the data or drives themselves.

As stated on the U.S. Homeland Security website, “Do not rely solely on the deletion method you routinely use, such as moving a file to the trash or recycle bin or selecting “delete” from the menu. Even if you empty the trash, the deleted files are still on device and can be retrieved. Permanent data deletion requires several steps.” Homeland Security promotes full physical destruction of the device to prevent others from retrieving sensitive information off of a decommissioned computer.

It also promotes overwriting, in which strings of ones and zeros are written over the data to completely obliterate it. The site suggests using either of the following:

  • Cipher.exe is a built-in command-line tool in Microsoft Windows operating systems that can be used to encrypt or decrypt data on New Technology File System drives. This tool also securely deletes data by overwriting it.

  • Clearing is a level of media sanitization that does not allow information to be retrieved by data, disk, or file recovery utilities. The National Institute of Standards and Technology (NIST) notes that devices must be resistant to keystroke recovery attempts from standard input devices (e.g., a keyboard or mouse) and from data scavenging tools.

Either of these options can help assure that your company meets its obligations for proper disposal of outdated computers.
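An added illustration (not from the original article or from any agency tool) of the point made above: removing only the index entry leaves the data in place, while a verified overwrite removes it and yields a record a vendor could attest to. A small image file stands in for a drive; the layout, sample record and asset tag are constructed, and on real hardware, particularly flash media with remapped blocks, an overwrite issued through the operating system may not reach every physical location.

```python
import hashlib
import os
import tempfile

BLOCK = 4096
# Constructed sample record; not real customer data.
RECORD = b"name=Jane Example;acct=0000-CONSTRUCTED"
DATA_BLOCK = 10  # block holding the record in this toy layout


def make_image(path, blocks=64):
    """Build a toy 'drive': block 0 is an index, DATA_BLOCK holds the record."""
    with open(path, "wb") as f:
        f.write(b"\x00" * BLOCK * blocks)
        f.seek(0)
        f.write(b"client.txt:%d" % DATA_BLOCK)
        f.seek(DATA_BLOCK * BLOCK)
        f.write(RECORD)


def simple_delete(path):
    """Mimic ordinary deletion: erase the index entry only, not the data."""
    with open(path, "r+b") as f:
        f.write(b"\x00" * BLOCK)


def scan(path, needle):
    """Return byte offsets where needle appears anywhere in the raw image."""
    hits, offset, tail = [], 0, b""
    keep = len(needle) - 1  # overlap so matches spanning two reads are found
    with open(path, "rb") as f:
        while chunk := f.read(BLOCK):
            buf = tail + chunk
            start = 0
            while (i := buf.find(needle, start)) != -1:
                hits.append(offset - len(tail) + i)
                start = i + 1
            tail = buf[-keep:] if keep else b""
            offset += len(chunk)
    return hits


def overwrite(path, fill=b"\x00"):
    """Write the fill byte over every block and flush it to storage."""
    size = os.path.getsize(path)
    written = 0
    with open(path, "r+b") as f:
        while written < size:
            n = min(BLOCK, size - written)
            f.write(fill * n)
            written += n
        f.flush()
        os.fsync(f.fileno())
    return size


def verify(path, fill=b"\x00"):
    """Read every block back; return how many differ from the fill pattern."""
    bad = 0
    with open(path, "rb") as f:
        while chunk := f.read(BLOCK):
            if chunk != fill * len(chunk):
                bad += 1
    return bad


def sanitization_record(asset_tag, path):
    """Overwrite, verify, and return evidence suitable for an inventory log."""
    size = overwrite(path)
    bad = verify(path)
    with open(path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    return {
        "asset_tag": asset_tag,  # hypothetical inventory identifier
        "bytes_overwritten": size,
        "method": "single-pass zero overwrite with full read-back",
        "mismatched_blocks": bad,
        "verified": bad == 0,
        "sha256_after": digest,
    }


def demo():
    """Run delete -> scan -> overwrite -> scan on a temporary image."""
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "drive.img")
        make_image(img)
        simple_delete(img)
        after_delete = scan(img, RECORD)
        record = sanitization_record("ASSET-0001-HYPOTHETICAL", img)
        after_overwrite = scan(img, RECORD)
    return after_delete, after_overwrite, record


if __name__ == "__main__":
    print(demo())
```

The first scan still finds the record after the simple delete; the second finds nothing, and the returned record ties the result to an inventory entry.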

The end of a computer’s life can be just as dangerous as its active use for exposing sensitive data. Your company needs a set of written policies and programs to establish that computers are removed in a legally compliant manner. Fines, lawsuits and significant customer conflict may follow if you don’t get this right.


Copyright © 2020 Womble Bond Dickinson (US) LLP All Rights Reserved.
For more articles on tech, visit the National Law Review Communications, Media & Internet section.

Why Your Bio Picture Matters

I have been providing marketing advice to professionals for over 25 years (time flies when you are having fun!). I started my career on Wall Street, advising stockbrokers on promoting financial product to clients, then moved to the accounting world, working with CPAs on marketing their services and now I work with lawyers. Besides general marketing on behalf of the firm, I also work directly with the attorneys on their business development efforts and promotion.

The first tool for promoting a professional services provider is their online bio. I started marketing professional services when websites were still the new thing. One of the first websites I designed included an audio component to the CPAs’ bios; the website later won an award for that unique feature. I wanted to have something “cool” and that made the accountants stand out more and overcome the stereotype that accountants were “kinda boring.” I remember the clients’ feedback that they liked to hear their advisor’s voice and not just see their picture in their bio, that it helped hearing what they had to say and connecting in a different way. It helped prospective clients make the decision to want to work with a particular accountant.

My advice to the professionals I worked with has always been to stand out, to have a unique feature that would make a professional be different than his or her competition. Not to look or sound like everyone else because it was the industry norm or what everyone else was doing. But to try to find something that will help connect to the audience, to the people that were eventually buying their services and to understand what they were looking for and what determined their ultimate decision.

Recently, I had to make the decision to choose a doctor for a delicate medical procedure. I had to move fast so I started doing research on the doctor that was recommended to me and that would soon have my life in his hands. Of course, the first place I landed was the hospital’s website. I liked his credentials, his training and experience but his picture was outdated and didn’t match his personality nor his credentials. Something about it put me off, although he was smiling in the picture and looked handsome. When I choose doctors, it is very important for me to have a connection with the person behind the credentials, to feel comfortable and safe. Probably, similar to how people usually choose other advisors as well but even more important.

My first appointment with him was through a telemedicine/video call to discuss my diagnosis and the procedure he would perform and to schedule it. At first the video feature didn’t work and I thought it was his choice, which I found odd and fed into my initial discomfort when seeing his picture. Luckily, we both realized that it was actually a glitch and he offered to call me on Facetime – a nice touch on his part (as usually doctors keep their personal numbers private). I almost didn’t recognize the person from the picture on the hospital’s website! He looked so different and his personality was totally opposite from the reaction I had to the “professional” picture! He was warm, friendly, passionate about his skill, patient to answer questions and also had a very down to earth air and not the unapproachable demeanor some doctors portray. He was someone I would pick as a friend but also, someone I could trust that indeed he was a good doctor.

I also started digging deeper to learn more about him. I was hoping I could find pictures from his personal life or in other professional instances. And I did! Those pictures, similar to the video call, uncovered a different person than what his “professional” picture on the hospital’s website showed. Somebody I was so comfortable with putting my life in his hands that I didn’t need to go for a second opinion.

This doctor performed the procedure and all is well. Before being discharged from the hospital, I gave him my professional advice: to have his picture on the website replaced with a new one, to reflect his personality and what his patients need to see in him. I told him my feedback, which he was surprised to hear but seemed to really appreciate it. I couldn’t help the marketing professional in me.

I believe the same applies to any professional that relies on a bio with a picture to make a first impression on their audience. It is important to recognize what would connect them to their clients and potential clients.

Your bio picture does matter! It is a small tool in the marketing toolbox but it has a huge impact. After all, a picture is worth a thousand words!

© The National Law Forum. LLC

No Tricks, Just Treats When Working with Legal Media

Engaging with the media might seem more frightening than a haunted house, but working with journalists doesn’t have to be scary. As long as you’re adequately prepared, engaging with reporters can be an enjoyable experience that significantly bolsters your firm’s brand.

The key is to understand what journalists need and want for their legal news coverage, particularly as the state of the world and media industry continue to rapidly evolve. Notably, in the last seven months, the news has been changing so fast that what was important a few weeks ago — or even a few days ago — may no longer be significant to reporters and editors planning their future coverage.

Developing a Pitch 

When pitching an idea to the media, think about what does or does not make a good news story. Reporters receive hundreds of story ideas every day, and sometimes news that you find noteworthy unfortunately isn’t going to appeal to a bigger audience (e.g., too routine, too narrow in scope or lack of timeliness). Journalists look for pitches with issues their readers will care about and sources who can provide unique insights and angles into complicated issues. When reaching out to media personnel, think about how your matter, event, lateral hire or firm initiative fits into a larger trend or development, and provide this angle to reporters. Let them know of any distinctive elements or especially complex issues, and then sell them on why the item is relevant to their readers.

Rules of the Interview Process

Once you have secured an interview, set ground rules prior to the meeting or call about whether the conversation will be “on the record,” “on background” or “off the record” — and know the difference.

  • “On the record” means that the reporter may quote you and include your name and title.
  • “On background” means the reporter may use direct quotations but will attribute them to “a source familiar with the matter” or another agreed-upon designation that is clear enough to establish credibility but vague enough that it doesn’t reveal your identity.
  • “Off the record” means the reporter cannot quote you or use any of the information you provide without verifying it independently. These types of interviews grant sources anonymity and are typically used in connection with particularly sensitive stories. Be very careful, however, in these situations. Despite having your identity protected, the conversation isn’t really confidential. The best rule of thumb is to never tell a reporter anything that you are not willing to see in print – no matter what.

Generally, anytime you speak with a reporter, you are speaking on the record unless the reporter has agreed to a different arrangement.

After the ground rules are set, it’s not a good idea to try to switch them during the interview. That could become too confusing for both you and the reporter in terms of what is public information and what is confidential, which could lead to something being published that you didn’t want out in the open. Also, once something is said, it cannot be taken back, and it is fair game to be published. If you absolutely have to say something that should be kept private during an interview, confirm with the reporter before speaking that the upcoming statement is off the record.

Reporters are very unlikely to let you see a story before it publishes, but sometimes they will grant an interviewee quote review privileges if requested before the interview and if the publication schedule permits. But fast, tight deadlines are more of the norm these days, given the high volume of content being pushed out by publications, so not all outlets will be able to grant this request.

Keep in mind, though, that quote review is only used to confirm the accuracy of the quotations that will be attributed to you. It is not meant for re-writing for stylistic purposes and should not be misused as a fail-safe to fix imperfect statements.

Also before an interview, ask the reporter for the overall context of the piece and for specific questions that he or she wants to discuss so you can develop key messages to convey that are on brand with your firm. Repeat, reiterate and restate these talking points throughout the interview to increase the likelihood that your messaging is understood and incorporated into the article.

Conducting the Interview

During an interview, even if you are nervous, make a conscious effort to speak slowly and concisely, and focus on answering just the particular question at hand. Key messages can get lost in too much detail and technical information. It’s not the reporter’s job to make you look good, but you can make yourself look good by providing clear and thoughtful information.

It’s also a good idea to pause briefly to gather your thoughts before answering a question. If you don’t know the answer or don’t want to or can’t respond, be honest. It is okay not to answer every single question and legal reporters understand client confidentiality and permission issues. You can also try to point them to a colleague who is better suited to speak to a particular topic.

On the other hand, journalists look to lawyers for certain knowledge and experience. Reporters need to understand the full picture to write their best coverage, so don’t be afraid to educate or set the record straight on particularly complex matters or issues. But also know when to stop, and don’t keep talking just to fill silence.

Also, keep in mind that the world is increasingly becoming more digital — especially since most of us are now working from home — and short-form content continues to grow in popularity. Readers are accustomed to scanning feeds and digests for news that is delivered at a glance. When acting as a source for the media, it is valuable to be able to deliver succinct and pertinent comments for those journalists who do not have the word space for long articles.

Post-Publication 

After a story is published, be sure to let the reporter know if you are pleased with the piece and keep in contact to build the relationship. If an article contains factual mistakes or erroneous information, let the reporter know to fix it or print a correction. But recognize that, if there is any debate as to the accuracy of the material, the power over revisions ultimately remains with the journalist and his or her editor or publisher.

The fundamentals of working with the media are the same as they have always been, even with the changes in the world of journalism from the Internet and social media. Understanding these basics will go a long way to securing more media placements, strengthening your public relations initiatives and generating greater success for you and your firm.


© Copyright 2008-2020, Jaffe Associates
ARTICLE BY Rachel Sisserson of Jaffe

Privacy Tip #253 – Unemployment Fraud Claims Are Skyrocketing—What to Do if You Are a Victim?

I have received many questions this week on what to do if you are the victim of a fraudulent unemployment claim. It is unbelievable how many people I know who have become victims—yes—including myself.

It is disturbing that all of these fraudulent unemployment claims include the use of our full Social Security numbers. The other disturbing fact is that even if we have a security fraud alert or freeze on our credit accounts, those security freeze or fraud alerts don’t necessarily alert us in the event that a fraudulent unemployment claim is filed in our name.

The Federal Trade Commission (FTC) has recognized this rampant problem and issued tips this week to provide assistance to consumers who have been victimized by these fraudulent unemployment claim scams. The tips can be accessed here.


Copyright © 2020 Robinson & Cole LLP. All rights reserved.

Mastering the Zoom Apology

A CEO, executive director, bar president, section chair or another leader has to apologize or speak about something very important. The stakes are high – and in this COVID-19 era, the apology is going to have to be done using Zoom or another virtual platform.

Under any circumstance, delivering an effective apology can be a daunting experience. It involves conveying the right words, in the right tone of voice, with the right facial expression. It requires authenticity combined with the ability to convince the individual (or group) you’re apologizing to that you really mean what you say — and that you are really sorry.

If you’re sincerely sorry, and you really feel sorrow, you may succumb to emotions that affect the message you’re trying to convey – a quavering voice, maybe some welling up, perhaps some tripping over your words. If those feelings are true and 100% authentic, it’s OK to express emotion.

But if you really don’t believe you were at fault, it may be challenging to keep a tone of resentment out of your voice and a steely look out of your eyes. In these situations, your apology will likely fail to convince anyone of your remorse and the whole exercise will have been for naught.

With the onset of COVID-19, the ability to deliver an effective apology has become even more challenging. Why? Because most of them are now being delivered via Zoom or a comparable video platform. Depending on the situation, the apologizer will be facing a small group, or potentially a throng of hundreds. The apology will be delivered to a camera lens instead of a live audience. Every flaw will be captured close-up. And your words will be captured for all eternity if the Zoom call is taped and uploaded to a website, to YouTube or any of the other platforms designed to share content throughout cyberspace. It makes the prospect of going on live television seem a far better alternative – and very few individuals are well-equipped to undertake that experience.

We recently saw a business executive deliver an apology via Zoom. It was clear the individual was apologizing under duress. The delivery was void of emotion. There was scant eye contact. Worse yet, the apologizer read from a prepared script. The term “hostage video” came to mind as we watched this individual struggle toward his concluding remarks. Technically, an apology was delivered. In actuality, it’s doubtful anyone’s opinion was altered by the words that were spoken. As part of a larger strategy to rehabilitate this individual’s reputation or standing, the undertaking was a failure.

Zoom apologies can be improved and can achieve the larger goal behind them – even those that are coerced.  Here are some recommendations to improve performance and enhance results.

Start with the right words.  This applies to all apologies, but especially those that will be memorialized online.  If someone is writing your apology for you, make sure it reflects the way you speak and the phrases you use. Don’t let someone else put words in your mouth that will be difficult for you to deliver. Especially to be avoided are words you don’t believe.

Ask someone familiar with the situation to review what’s been written. Do the words ring true? Can you deliver them with a straight face? Think back to the example a couple years ago when the CEO of United Airlines, Oscar Munoz, was forced to apologize for the police officers that dragged a paying passenger off one of its flights. “I apologize for having to re-accommodate that customer,” said Munoz – two days later. What does that even mean? How satisfied do you think the affected passenger felt after receiving it? And what about the public, which now had just another reason to hold United Airlines in contempt?

Contrast the United Airlines situation with one that happened shortly after to an American Airlines passenger who was attempting to board a plane while holding two infants in her arms along with a stroller. An airline employee got into a shouting match with her and another passenger. Of course, the entire incident was caught on-camera with a mobile phone and uploaded to Facebook where it then went viral. Don’t remember that story? That’s because the president of United Airlines immediately issued an apology, an apology without equivocation. United Airlines’ story lasted weeks; American Airlines’ story lasted a day or two.

As you consider the content of your apology, beware of the false apology. “I’m sorry you feel that way,” is not an apology. Apologizing – without qualification – for what you or your organization did or the problems you caused is an authentic apology. The former will only make your victims more resentful and more inclined toward revenge or retribution. The latter may actually help you make progress toward resolution of the problem your actions have caused. For a great short summary of the 12 kinds of fake apologies, read this article.

Get familiar with the medium.  No doubt you are using Zoom, Microsoft Teams or some other platform almost every day to conduct business. Staging an apology on Zoom requires a higher level of preparation. Make sure you are seated at the right height so you are looking straight into the camera and making eye contact with your audience. You want to be close enough to the camera to appear engaged, but not so close that you look as though you’re peering through a keyhole trying to intimidate your audience. Nor do you want to sit too far away, which gives the appearance that you are trying to distance yourself from your viewers – and perhaps subconsciously, from the issue at hand. Don’t let your eyes roam off-camera as though you’re looking for someone to rescue you. And, as anyone who has been media trained for a sit-down interview will also tell you, sit straight up and don’t swivel in your chair.

Set the stage. Lighting is critical to a good Zoom appearance. Avoid overhead lights that can create shadows on your face. Never sit in front of a bright window or other light source that will cast your face in darkness and likewise cast doubt on your character. Strive instead for a soft source of light to illuminate you from the front.  An inexpensive LED light can do the trick (for a few selections, click here).

Be very mindful of the background. What do the framed photos and art in the background say about you? If you’re apologizing for misspending someone else’s money, avoid pictures that show you in expensive vacation spots, enjoying the company of celebrities or otherwise telegraphing your bad financial management skills. Apologies should be delivered in neutral locations that will not generate envy, questions about your judgement or other distracting speculations about your personal life. Stick to pictures of the family, your pets, framed awards and other items that speak to your professionalism and values.

Lastly, make sure the door to the room you are Zooming in is closed and that those on the other side understand it is not to be opened until you do so. Spouses wandering in the background, small children climbing into your lap and a photobomb from the family pet will undercut the professionalism and solemnity you want for this critical communication.

Dress the part. What you wear for your Zoom apology should reflect the seriousness of the situation. Dress at least one step up from the look you typically put on for day-to-day business meetings. At the same time, avoid an outfit that will make you visibly uncomfortable and distract from the important message you are delivering. Try to be rested before you confront the camera and do take a good look in the mirror before the session starts to make sure you are presenting yourself in the best light possible. And if you choose to wear shorts or sweat pants, you must make 100% certain they won’t be seen on the video, even inadvertently.

Say it, don’t read it.  Apologies that are read from a piece of paper in your hand compel you to lose eye contact with the camera and your audience. If you can’t memorize your apology and deliver it without stumbling, consider attaching notes to your desktop screen (without blocking your camera) containing key phrases to prompt you through your delivery. Just be sure the type is large enough that you don’t need to tilt your head or squint to read it.

Practice and practice some more.  Ask someone you trust – ideally, someone who also understands Zoom – to hold a few sessions for the two of you so you can practice delivering your apology to a live audience. Ask your friend or colleague to give you a frank assessment. How do you look on camera? How is your delivery? Do you sound sincere, do you sound credible and, most important, do you sound sorry?

As we often tell clients, more often than not it’s not what you say, but the way you say it. Matching the right words with the performance techniques detailed above is the one-two punch that will make your apology believable.


© 2020 Hennes Communications. All rights reserved.

DHS Expands Use of Biometric Data in Immigration

Last week, the Department of Homeland Security (“DHS”) announced plans to expand the use of biometric data in determining family relationships for immigration purposes. A proposed rule with the new protocols for biometrics use is expected to be published soon. This rule is also said to allow more uses of new technology as they become available.

The Use of Biometric Data in Immigration

The proposed rule will give the DHS the authority to require biometrics use for every application, petition, or related immigration matter. The current practice by the United States Citizenship and Immigration Services (USCIS) requires biometrics only for applications that require background checks. This new rule is intended to give the DHS broad authority to use biometrics technology. The DHS can use voiceprints, iris scans, palm prints, and facial photos, as well as additional technologies developed in the future.

“As those technologies become available and can be incorporated as appropriate, it gives the agency the flexibility to utilize them. And then it also would give the agency the authority down the road, as new technologies become available and are reliable, secure, etc., to pivot to using those, as well,” said one USCIS official. And while children under age 14 are now generally exempt from the collection of biometric data, the proposed rule will also remove the age restriction.

DNA can be collected by the agency to verify a genetic relationship where establishing a genetic or familial relationship is a prima facie requirement of receiving an immigration benefit. Though the raw DNA will not be stored by the DHS, the test results will be saved in the immigrant’s Alien file, also known as the “A-file.” The A-file is the official file that the DHS maintains with all of the immigrant’s immigration and naturalization records. Any such information collected may be shared with law enforcement, but there is no procedural change in other agencies gaining access to the A-files.

Reactions From Immigration Leaders

The additional collection of biometric data will not result in an increase in existing filing fees, as the cost is covered under new filing fees set to go into effect October 2, 2020. The DHS has emphasized that the biometrics rule is to be given top priority; nevertheless, it will undergo the standard review process.

This proposed rule quickly drew severe criticism from pro-immigration activists. Andrea Flores from the American Civil Liberties Union called it an “unprecedented” collection of personal information from immigrants and U.S. citizens. She said, “collecting a massive database of genetic blueprints won’t make us safer – it will simply make it easier for the government to surveil and target our communities and to bring us closer to a dystopian nightmare.”

DHS Acting Deputy Secretary Ken Cuccinelli welcomed the rule, stating that “leveraging readily available technology to verify the identity of an individual we are screening is responsible governing.” He added that “the collection of biometric information also guards against identity theft and thwarts fraudsters who are not who they claim to be.”


©2020 Norris McLaughlin P.A., All Rights Reserved

US Accessibility to WeChat and TikTok in Danger of Being Eliminated

Pursuant to Executive Orders 13942 and 13943, the US Department of Commerce (Commerce) published regulations identifying prohibited transactions related to TikTok and WeChat by any person, or with respect to any property, subject to the jurisdiction of the United States. Certain prohibitions take effect on September 20, 2020 and others take effect on November 12, 2020.

As of midnight on Sunday, September 20, both apps will cease to be available for download in the US, and future patches and updates will not be available. The existing WeChat functionality in the US will start to degrade starting Monday, September 21. The TikTok application will begin to degrade on November 12 (unless a deal is reached with ByteDance to divest the US TikTok business before then).

Although WeChat Pay is not currently available in the US, the current Commerce rule signals that no payments may be initiated in the US over WeChat today or in the future.

The exchange between or among TikTok and WeChat mobile application users of personal or business information using the TikTok or WeChat mobile applications, to include the transferring and receiving of funds over the WeChat application, is not prohibited.

Specifically, Commerce announced the following:

As of September 20, 2020, the following transactions are prohibited:

  1. Any provision of service to distribute or maintain the WeChat or TikTok mobile applications, constituent code, or application updates through an online mobile application store in the US;
  2. Any provision of services through the WeChat mobile application for the purpose of transferring funds or processing payments within the US.

As of September 20, 2020, for WeChat, and as of November 12, 2020, for TikTok, the following transactions are prohibited:

  1. Any provision of internet hosting services enabling the functioning or optimization of the mobile application in the US;
  2. Any provision of content delivery network services enabling the functioning or optimization of the mobile application in the US;
  3. Any provision of directly contracted or arranged internet transit or peering services enabling the function or optimization of the mobile application within the US;
  4. Any utilization of the mobile application’s constituent code, functions, or services in the functioning of software or services developed and/or accessible within the US.

Any other prohibitive transaction relating to WeChat or TikTok may be identified at a future date. Should the US government determine that WeChat’s or TikTok’s illicit behavior is being replicated by another app somehow outside the scope of these executive orders, the President has the authority to consider whether additional orders may be appropriate to address such activities. The President has provided until November 12 for the national security concerns posed by TikTok to be resolved. If they are, the prohibitions in this order may be lifted as to TikTok.


© Copyright 2020 Squire Patton Boggs (US) LLP

Irish Data Case Against Facebook Could Complicate All Data Transfers to the US

Will the EU finally deny the right to transfer any personal data from its shores to the United States? Its privacy decisions have been inching closer to this determination for years, and an Irish case against Facebook may tip the balance.

For fifteen years, personal data being sent from the European Union (“EU”) to the United States were accepted under “Safe Harbor” principles. The Safe Harbor emerged in part in response to the implementation of the EU’s 1995 Data Protection Directive and to concerns that, with the emergence of the internet, the United States could not guarantee a sufficient level of protection for European citizens’ personal data.

In 2013, however, the Safe Harbor was challenged, due to Edward Snowden’s intelligence leak which indicated a significant American government surveillance program. The challenge to the Safe Harbor was rooted in the belief that the information of EU citizens stored in the US would be at risk of government surveillance. An Austrian citizen, Maximilian Schrems (“Schrems”), filed a complaint against Facebook with the Irish Data Protection Commission (“DPC”). The DPC declined to investigate the complaint, because the data transfer at issue was in adherence with the Safe Harbor.

Schrems proceeded to challenge the Irish DPC’s refusal to investigate the complaint in court. The Irish High Court referred this challenge to the Court of Justice of the European Union (“CJEU”). Facebook, like many companies, relied on the Safe Harbor to process and transfer EU personal data. In October 2015, the CJEU declared the Safe Harbor invalid. In response, the United States and EU replaced the Safe Harbor with the U.S.-EU Privacy Shield, in order to allow companies to continue to transfer EU citizens’ personal data to the United States while still complying with the requirements outlined by the CJEU in the Schrems decision.

Recently, the CJEU invalidated the Privacy Shield mechanism for transferring data between the EU and United States. The basis for the decision was once again governmental access to personal data. The recent decision (“Schrems II”) preserved an alternate legal mechanism for companies, Standard Contractual Clauses (“SCC”), when the data exporter puts in place appropriate safeguards to ensure a high level of protection for data subjects. Some local European data authority decisions and recent actions by the DPC against Facebook created concern around the use of SCCs as well.

In the DPC’s annual report last year, it disclosed that it had launched 8 investigations involving Facebook for GDPR violations.  A September 9, 2020 article in the Wall Street Journal reported that the DPC had issued Facebook a preliminary order to suspend transfers of EU personal data to the United States.

A spokesman for the Commission declined to comment on the report. Ireland’s data regulator has sent Facebook a preliminary order to stop transferring user data from the EU to the U.S. Though the DPC did not provide comment, Facebook stated that the DPC had “commenced an inquiry into Facebook controlled EU-US data transfers, and has suggested that SCCs cannot in practice be used for EU-US data transfers.” Facebook is also seeking judicial review of the Irish Data Protection Commission’s preliminary decision because the SCC is a widely accepted tool for transferring EU data to the United States, sans Safe Harbor or Privacy Shield. This legal challenge will be significant to monitor as it has the potential to implicate every transfer of EU personal data to the United States going forward.


Copyright © 2020 Womble Bond Dickinson (US) LLP All Rights Reserved.

App Developer Chronicles His Saga With Apple’s ‘Anti-Competitive’ App Store

In January 2018 Apple investors complained publicly about the lack of parental controls on their popular devices. At one point even CEO Tim Cook expressed concern about the addictive nature of social media. Vancouver-based app entrepreneur Justin Payeur saw this as validation for the Boomerang Parental Control app he was developing.

What is really needed, apparently, is an app to move apps through the Apple Store app approval process. Reasons for rejecting and requiring changes to the app were numerous, varied, changing, and frustrating. The whole ordeal can drag out for years. That was Payeur’s experience as he chronicled it in an open letter on the Boomerang blog, complete with the text of email exchanges with the Apple app review team and emails to Tim Cook. The most consistent bone Apple picked with the app was that private consumer data could be shared or compromised. Developers aren’t so sure about that. Apple also didn’t like an app that controlled or shut off Apple’s own apps, like Safari, based on parents’ settings.

In June 2018 Payeur was first told that the app didn’t comply with one or more of the App Review Guidelines. He was informed that more time was needed for review and that the use of Mobile Device Management (MDM) was no longer allowed. After some fixes, he was told via message that the app still installed MDM profiles for unapproved purposes. “Specifically, your app blocks or restricts access to third-party apps using MDM,” Apple said. Payeur appealed and was again rejected because, he was told, installing MDM profiles for parental controls was not appropriate for the App Store: “Apps may only use public APIs and must run on the currently shipping OS.”

Payeur continued to log his ping-pong journey with Apple, which ran through 2019. During that time Apple requested more information and more time to review. Apple offered vague new reasons for rejecting versions of the app, e.g. “false information and features,” and also cited improper mention of Android because that violates Apple’s metadata guidelines.

‘The timing was suspect’

“We did not use any private APIs or any framework in unintended uses,” Payeur wrote in his January 2020 open letter. “So our internal conclusion … was simple: Apple wanted us out of the App Store …” He said the timing was suspect; Apple was about to launch iOS 12 with screen time controls.

Abandoning development of the app for child devices, Boomerang focused on the parent mode because many of its customers were parents with iPhones and kids with Androids, or the other way around. Revenues for the app tanked and users didn’t like it.

Then the press lit a fire.

In December 2018 it was a TechCrunch piece about the challenges facing third-party developers of iOS parental control apps. In April 2019 the New York Times wrote about Apple’s anti-competitive approach to these apps, to which Apple responded that several of the rejected apps posed privacy risks. Payeur found other developers experienced the same treatment from Apple.

One of those developers was OurPact, a competitor to Boomerang in the parental control app arena. In an article published on Medium.com in May 2019, OurPact also detailed its interactions with Apple, which were very similar to what Boomerang experienced. OurPact also was met with Apple’s alleged privacy concerns. OurPact was unconvinced. According to the developer, Apple stated that “its own MDM technology, used by millions, poses risks to user privacy and can be abused by hackers. This stands in contradiction to the fact that MDM technology was initially developed by Apple to ensure security of private data on remotely managed devices.”

“Apple alone issues certificates to third parties to communicate with their MDM servers, and Apple themselves are responsible for sending all MDM commands to user devices.” OurPact went on to say, “OurPact does not have access to any of this private information via MDM. It is impossible for us, hackers, or anybody else to obtain it. Apple is the only one who has access to and uses this data.”

In June 2019 Boomerang was invited to re-submit its parental control app and was told there was a new Mobile Device Management Capability form to complete. The updated app was approved with MDM, but before it was released Apple again said the app violated the rules. This time it was because the app contained Google Analytics, which could grab sensitive data, Apple maintained.

“This was false,” Payeur said. He fixed the app, pushed the update, then was told the app was in violation for using Google Firebase, which Apple again said risked disclosure of sensitive information. After more back and forth and more waiting, his appeal was rejected. When he removed any analytics, Boomerang Parental Control was approved in October 2019.

Are you sensing a pattern?

However, Apple changed its policies yet again, saying the app was not permitted to block Safari and the App Store itself. Apple was requiring “supervised mode” used by governments and large organizations, but the app timed out these applications based on parental controls, or when parents wanted the only browser on their kids’ phones to be the SPIN Safe Browser. The Boomerang app no longer has these features.

Today, Payeur says that parents are not aware that iOS includes screen time features because they’re buried in the device settings. Parents still have a mix of devices in their families, of course.

“Apple has shown that they will change their minds if there is negative press about them. These are some of the reasons why we continue to recommend Android devices for your kids first smartphone (and you can still control them from your iPhone!). … Any way you slice it, Apple continues to be anti-competitive,” Payeur wrote.

You might think it would be unwise for the owner of a small business to come out so vehemently against such a dominant player. So many developers count on their Apple relationship and the broad distribution it offers through its monopoly on apps on Apple devices to generate revenue. When it comes to Payeur, he told the MoginRubin Blog that he figures he has little to lose since he has turned his attention to Android and only updates his existing Apple apps.

“They neutered our app through all their guideline changes,” he said. “And people (parents) are unhappy that they can’t access on their iPhones the same or similar features that we offer on Android.”

“There are a lot of app developers and they are not multi-million businesses,” Payeur told us. “We provide these apps to do good. That was the biggest frustration. Apple labeled us as bad players with their user privacy angle. That rubbed me the wrong way. At no point did we create our service to [mine and sell user data]. We used Apple’s own technology, not ours, that’s used across the world. We got creative to create parental controls. They weren’t being up front.”

‘One of the most beloved companies in the world.’

The people at OurPact also addressed the David and Goliath nature of the playing field. They said they respect Apple as “one of the most beloved companies in the world,” but they “made a mistake” and “sometimes truth has to be spoken to power,” OurPact wrote. “Given that there are no privacy issues with properly vetted MDM apps like OurPact being on the App Store, we humbly request that we are reinstated and allowed to continue providing our million users with the service they love and depend on. If Apple truly believes that parents should have tools to manage their children’s device usage, and are committed to providing a competitive, innovative app ecosystem, then they will also provide open APIs for developers to utilize.”

Boomerang and OurPact are part of a group of developers who are calling for a Screen Time API, a cross-platform API that would allow developers to provide apps that monitor and control time spent on devices. “It aims to provide a generic API that can be used for a wide range of use cases, from personal health to remote parental controls to social media monitoring. It also aims to do this in a way that is respectful of the device owners privacy, by not providing more information than is necessary and using the platforms permissions system to access data.” The document they published shows how the API would look for iOS, MacOS and tvOS.

Global concerns.

Apple’s management of its store hasn’t just raised concerns in the U.S.

The European Commission recently began investigating whether Apple is fairly applying its rules. The investigations follow separate complaints by Spotify and by an e-book/audiobook distributor on the impact of the App Store rules on competition in music streaming and e-books/audiobooks. Margrethe Vestager, the EC’s competition policy chief, said, “Apple sets the rules for the distribution of apps to users of iPhones and iPads. It appears that Apple obtained a ‘gatekeeper’ role when it comes to the distribution of apps and content to users of Apple’s popular devices. We need to ensure that Apple’s rules do not distort competition in markets where Apple is competing with other app developers ….”

Even in Russia, not exactly a bastion for ethical behavior, Apple’s conduct came to the attention of the country’s Federal Antimonopoly Service when Russian antivirus software developer Kaspersky complained in March 2019. According to CNET and ZDNet, the Russian regulator last month found Apple abuses its power over iOS apps because iPhone and iPad owners must install them from Apple’s App Store. “Kaspersky alleged that it was forced to remove features like app control and Safari browser blocking from its Safe Kids iOS app to reduce its ability to compete with Apple’s own usage-monitoring Screen Time feature,” CNET reported. The irony of a Russian agency charging anyone with abusing power shouldn’t be lost on anyone.

Back in the USA, The Washington Post published an article last year titled, “How Apple uses its App Store to copy the best ideas.” In it, the paper wrote, “Developers have come to accept that, without warning, Apple can make their work obsolete by announcing a new app or feature that uses or incorporates their ideas. Some apps have simply buckled under the pressure, in some cases shutting down.”

Asked about this article, Payeur told us in an email, “The tough part is that apps are making money. Apple copies them and offers the same or similar functionality for free, built into their platform. It’s tough to compete with ‘good enough.’”

It’s especially tough when you’re developing apps on your own dime and can’t predict the changing rules of the game.

Edited by Tom Hagy for MoginRubin LLP.


© MoginRubin LLP

Uncle Sam Wants to Protect Blockchain Technology

On August 27, 2020, the head of the U.S. Department of Justice’s Antitrust Division (“DOJ”), Makan Delrahim, spoke at the Thirteenth Annual Conference on Innovation Economics and emphasized that one of the DOJ’s top priorities is to protect innovation and ensure that antitrust laws do not act as an impediment to the burgeoning cryptocurrency market.  COVID-19 has illuminated the importance of innovative solutions, as businesses develop new ways to operate during the pandemic. In particular, Delrahim highlighted blockchain as an innovative technology that the DOJ seeks to protect because of its potential to topple existing monopoly structures.

Blockchain technology is essentially a shared ledger of information and transactions that is distributed across a number of computers on the network; the ledger updates with every transaction on each computer and is viewable by anyone with access to that particular blockchain at any time. In traditional networking solutions, the company that owns or controls the network infrastructure (the intermediary) may be able to raise the cost of doing business on the network as it becomes larger. In contrast, blockchain technology can operate a network without a centralized intermediary, resulting in potentially lower networking costs and limiting the concentration of market power.

Although blockchain technology offers tremendous value, Delrahim also underscored the potential for abuse.  He noted that those with current market power could use blockchain technology in an anti-competitive manner. This is particularly a concern with closed or permissioned blockchain networks where only insiders are allowed to operate a computer on the network. For example, seafood harvesters could collusively condition access to a permissioned blockchain, which tracks useful supply chain data, on agreeing to certain prices or output.  Such collusive activity would cause tremendous harm to competition and consumers.

In an effort to combat such potentially anticompetitive activities, Delrahim noted that the DOJ is taking proactive measures to understand how emerging technologies work and how they can affect competition. The Antitrust Division has implemented a new initiative to train its attorneys and economists in innovative technologies such as blockchain technology, machine learning, and artificial intelligence, to prepare itself for monopolists who may take advantage of these new technologies.

Delrahim’s speech is an acknowledgement that the DOJ looks favorably on innovative technologies, in particular blockchain solutions. The DOJ wants to protect and promote the growth of these technologies by combating anticompetitive behavior. Delrahim’s speech is also an important signal that the DOJ is focused on potentially anti-competitive applications of blockchain technology. Any group of firms that is considering working together in developing a blockchain technology solution in their industry should take appropriate precautions to make sure their activities do not constitute a violation of U.S. antitrust laws.


© Polsinelli PC, Polsinelli LLP in California