Is Your iPhone Spying on You (Again)?

In the latest installment of this seemingly ongoing tale, Google uncovered (for the second time in a month) security flaws in Apple’s iOS, which put thousands of users at risk of inadvertently installing spyware on their iPhones. For two years.

Google’s team of hackers – working on Project Zero – say the cyberattack occurred when Apple users visited a seemingly genuine webpage, with the spyware then installing itself on their phones. It was capable of then sending the user’s texts, emails, photos, real-time location, contacts, account details (you get the picture) almost instantaneously back to the perpetrators of the hack (which some reports suggest was a nation state). The hack wasn’t limited to Apple apps either, with reports the malware was able to extract data from WhatsApp, Google Maps and Gmail.

For us, the scare factor goes beyond data from our smart devices inadvertently revealing secret locations, or being used against us in court – the data and information the cyberspies could have had access to could wreak absolute havoc on the lives of everyday iPhone users (and of the people whose details they have in their phones).

We’re talking about this in past tense because while it was only discovered by Project Zero recently, Apple reportedly fixed the vulnerability without much ado in February this year, by releasing a software update.

So how do you protect yourself from being spied on? It seems there’s no sure-fire way to entirely prevent yourself from becoming a victim, or, if you were a victim of this particular attack, to mitigate the damage. But, according to Apple, “keeping your software up to date is one of the most important things you can do to maintain your Apple product’s security”. We might not be ignoring those pesky “a new update is available for your phone” messages anymore.


Copyright 2019 K & L Gates

ARTICLE BY Cameron Abbott and Allison Wallace of K&L Gates.
For more on device cyber-vulnerability, see the National Law Review Communications, Media & Internet law page.

Continued Efforts to Bolster Wireless Infrastructure as California Officials Brace for Wildfire Season

California has been plagued by devastating wildfires over the past two summers, with the 2018 Camp Fire the deadliest and most destructive on record. Now that summer has officially started in 2019, officials are bracing for a possible string of new fires, with Governor Gavin Newsom telling officials to “prepare for the worst” in a recent meeting with emergency managers. In a discussion of what to expect for future California wildfire seasons, Chris Field, the Perry L. McCarty Director of the Stanford Woods Institute for the Environment, stated:

The combination of climate change, increasing development in the wildland-urban interface, and fuel accumulation from decades of fire suppression dramatically increases the risk of fires that are large and catastrophic. Former California Governor Jerry Brown described the situation as a “new abnormal.” We need to recognize that, in California, we face the real risk that every fire season will be among the most destructive, or even the most destructive, on record.

Federal, state, and local officials, utilities, and residents, among many others, are now grappling with how to best prepare for this “new abnormal.” Efforts range from the U.S. Forest Service and the California Department of Forestry and Fire Protection’s fast-tracked forest management projects to Governor Newsom’s June 2019 proposal to create a $21 billion fund to compensate future wildfire victims. One big piece of the puzzle is strengthening wireless infrastructure to ensure that residents are connected to loved ones and vital services in the event of a disaster, particularly as the number of households without landlines continues to grow.

Senate Bill 670

As discussed in this blog previously, cellular service has a number of vulnerabilities that can cause it to falter during an emergency. During wildfires, one of the key risks for wireless infrastructure is physical damage and burning of underground and pole-mounted fiber lines. Gaps in cellular service can prevent residents from being able to reach 911 or receive crucial emergency notifications. This disruption of service is particularly dangerous in the face of a rapidly moving wildfire. Legislation aiming to address part of the problem is currently winding its way through the California legislature: Senate Bill 670, authored by State Senator Mike McGuire (D-Healdsburg).

The proposed legislation would require telecommunications companies to report outages impacting customers’ ability to access 911 or receive emergency notifications to the California Office of Emergency Services (Cal OES) within 60 minutes of discovering the outage. Cal OES would then forward this information to local first responders so that they can identify any residents cut off from service. In 2018, certain Butte County residents received no official warning of the coming Camp Fire due to damaged cellular towers, with Sonoma County residents facing similar problems in 2017. The gap in communications was compounded by ineffectual use of wireless alert systems at the local level. Senator McGuire also authored Senate Bill 833, establishing statewide emergency alert protocols and regulations, which former Governor Jerry Brown signed in September 2018.

Concerns Regarding Power Supplies for Wireless Infrastructure

In May 2019, the Public Advocates Office (formerly the Office of Ratepayer Advocates), an independent organization within the California Public Utilities Commission (CPUC) that advocates on behalf of utility ratepayers, filed a legal motion urging the agency to act immediately to ensure that communication systems work during emergencies. As stated in a press release accompanying the motion:

[T]he Public Advocates Office seeks to better protect Californians during emergency situations by asserting that communication providers need to (1) ensure that calls and data be transmitted, without delay, during times of emergencies, (2) install backup generators or battery power at wireless facilities in high fire threat areas to reduce outages, (3) develop plans for alternative methods needed to support 9-1-1 call centers; (4) and take steps to improve their emergency alert and warning systems.

The Wireless Infrastructure Association has responded, pointing to regulatory hurdles inhibiting the expansion of cell sites to accommodate additional power sources and network redundancy. It has asked the Federal Communications Commission (FCC) to collaborate with local governments to prioritize and streamline the approval process.

FCC’s Examination of Disaster Response and Recovery

Meanwhile, the FCC, on June 13, 2019, held the first meeting for the recently re-chartered Broadband Deployment Advisory Committee (BDAC), which will examine, in part, ways to boost wireless infrastructure during disasters and other emergencies. The committee will study how to accelerate the deployment of high-speed broadband access, focused on the following three areas:

  • Disaster Response and Recovery Working Group. Measures to improve resiliency of broadband infrastructure before a disaster occurs, and strategies that can be used during and after the response to a disaster to minimize broadband network downtime.
  • Increasing Broadband Investment in Low-Income Communities Working Group. New ways to encourage the deployment of high-speed broadband infrastructure and services to low-income communities.
  • Broadband Infrastructure Deployment Job Skills and Training Opportunities Working Group. Ways to make more widely available and improve job skills training and development opportunities for the broadband infrastructure deployment workforce.

Working in tandem with the BDAC, the FCC, in November 2018, launched a re-examination of the Wireless Resiliency Cooperative Framework, a voluntary commitment by mobile carriers focused on restoring communications during disasters and other emergencies, originally approved in 2016. The move was a response to major disruptions in wireless service following Hurricane Michael in the Florida Panhandle, but it is intended as a broader examination of wireless services in the event of a disaster.

 

© 2010-2019 Allen Matkins Leck Gamble Mallory & Natsis LLP
For more on mobile & wireless infrastructure, please see the Communications, Media & Internet page on the National Law Review.

No Means No

Researchers from the International Computer Science Institute found up to 1,325 Android applications (apps) gathering data from devices despite being explicitly denied permission.

The study looked at more than 88,000 apps from the Google Play store, and tracked data transfers post denial of permission. The 1,325 apps used tools, embedded within their code, that take personal data from Wi-Fi connections and metadata stored in photos.

Consent presents itself in different ways in the world of privacy. The GDPR is clear in defining consent as it pertains to user content. Recital 32 notes that “Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data…” Consumers pursuant to the CCPA can opt out of having their personal data sold.

The specificity of consent has always been a tricky subject. For decades, companies have offered customers the right to either opt in or out of “marketing,” often in exchange for direct payments. Yet, the promises have been slickly unspecific, so that a consumer never really knows what particular choices are being selected.

Does the option include data collection and, if so, how much? Does it include email, text, phone, postal contacts for every campaign or just some? The GDPR’s specificity provision is supposed to address this problem. But companies are choosing not to offer these options, or to ignore the consumer’s choice altogether.

Earlier this decade, General Motors caused a media dust-up by admitting it would continue collecting information about specific drivers and vehicles even if those drivers refused the OnStar system or turned it off. Now that policy is built into the OnStar terms of service. GM owners are left without a choice on privacy, and are bystanders to their driving and geolocation data being collected and used.

Apps can monitor people’s movements, finances, and health information. Because of these privacy risks, app platforms like Google and Apple make strict demands of developers including safe storage and processing of data. Seven years ago, Apple, whose app store has almost 1.8 million apps, issued a statement claiming that “Apps that collect or transmit a user’s contact data without their prior permission are in violation of our guidelines.”

Studies like this remind us mere data subjects that some rules were made to be broken. And even engaging with devices that have become a necessity to us in our daily lives may cause us to share personal information. Even more, simply saying no to data collection does not seem to suffice.

It will be interesting to see over the next couple of years whether tighter option laws like the GDPR and the CCPA can not only cajole app developers to provide specific choices to their customers, but also get them to actually honor those choices.

 

Copyright © 2019 Womble Bond Dickinson (US) LLP All Rights Reserved.
For more on internet and data privacy concerns, see the National Law Review Communications, Media & Internet page.

Ericsson Offers FRAND – District Court Endorses Comparable Licenses, Rejects SSPPU Royalty Rate

On May 23, 2019, the court issued a declaratory judgment in the case of HTC v. Ericsson, No. 18-cv-00243, pending in the United States District Court for the Eastern District of Texas (Judge Gilstrap). That judgment confirmed that Ericsson’s 4G standard-essential patents (“SEPs”) convey significant value to mobile handsets and held that Ericsson made an offer to HTC that complied with Ericsson’s obligations to license on fair, reasonable, and non-discriminatory (“FRAND”) terms. The decision, published on the heels of Judge Koh’s recent opinion in FTC v. Qualcomm, provides much-needed clarity to SEP owners by definitively rejecting the smallest-saleable patent practicing unit (“SSPPU”) royalty theory in favor of a real-world, market-based approach.

The Dispute

Ericsson owns a large portfolio of cellular patents essential to the 2G, 3G, and 4G standards that it licenses to handset makers worldwide. As a member of the ETSI standard setting organization, Ericsson agreed to license these patents on FRAND terms. Ericsson offered a license to HTC at a rate of $2.50 per 4G device, or 1% of the net device price with a $1 floor and $4 cap. HTC countered with a rate of $0.10 per 4G device. HTC sued Ericsson, claiming that Ericsson’s offered royalty rate was too high, and that Ericsson breached its FRAND commitment.

A jury trial was held in February 2019. HTC argued that a royalty base must be calculated based on the profit margin of the baseband processor (which HTC argued was the SSPPU) rather than the price of the device as a whole. Ericsson argued that HTC’s SSPPU approach dramatically undervalued 4G cellular technology and that Ericsson’s patents in particular were worth far more. After a five-day trial, the jury found that Ericsson’s offers did not breach Ericsson’s commitment to license on FRAND terms and conditions.

The Decision

Following the verdict, the district court also issued its findings of fact and conclusions of law in connection with ruling on Ericsson’s request for a declaratory judgment that it had complied with FRAND. This declaration reaffirmed the jury’s findings, while also addressing more fully some key questions.

First, the court stated unequivocally that the ETSI FRAND commitment does not require a company to license its SEPs based on the profit or cost of the baseband processor or SSPPU. The district court’s decision is consistent with Federal Circuit precedent, such as Ericsson v. D-Link, which holds that “courts must consider the facts of record when instructing the jury and should avoid rote reference to any particular damages formula.”

Second, the order went further to conclude that Ericsson’s 4G portfolio is worth significantly more than a royalty rate based on the profit margin or cost of the baseband processor in HTC’s phones (HTC’s “SSPPU”). Looking to industry-wide evidence, the court held that the value of cellular technology far exceeded a valuation based on the price or profit of a baseband processor. The court found that “Ericsson established, and HTC’s own experts conceded, that there are no examples in the industry of licenses that have been negotiated based on the profit margin, or even the cost, of a baseband processor” and that credible evidence supported a finding that “the profit margin, or even the cost, of the baseband processor is not reflective of the value conferred by Ericsson cellular essential patents.”

Third, the court determined that both of Ericsson’s offers to HTC—(1) $2.50 per 4G device or (2) 1% with a $1 floor and $4 cap—were fair, reasonable, and non-discriminatory. The court found that Ericsson’s “comparable licenses provide the best market-based evidence of the value of Ericsson’s SEPs and that Ericsson’s reliance on comparable licenses is a reliable method of establishing fair and reasonable royalty rates that is consistent with its FRAND commitment.” At trial, evidence was presented regarding Ericsson’s licenses with Apple, BLU, Coolpad, Doro, Fujitsu, Huawei, Kyocera, LG, Panasonic, Samsung, Sharp, Sony, and ZTE. The court noted that several of Ericsson’s licenses contained express terms that were “similar or substantially similar” to Ericsson’s offers to HTC and rejected the argument that Ericsson’s offers to HTC were discriminatory.

Why It Matters

Judge Gilstrap’s declaration represents an important development in FRAND case law that looks to industry practice and market evidence rather than untested licensing theories. It affirms that basing a rate on comparable licenses is an acceptable FRAND methodology.

The decision also rejects the SSPPU royalty theory. Some have read the recent FTC v. Qualcomm opinion to suggest that a FRAND royalty must be structured as a percentage rate on a baseband processor. Judge Gilstrap’s declaration demonstrates why such a reading is incorrect. First, the declaration explains that the ETSI FRAND commitment simply does not require a SSPPU royalty base. Second, even if one were to indulge the SSPPU approach, the SSPPU for many standard-essential patents is not limited to a baseband processor. Third, a wealth of market evidence shows that Ericsson’s patents (and standard-essential patents generally) are far more valuable than a baseband processor-based royalty would reflect.

© McKool Smith
This article was written by Nicholas Mathews from McKool Smith.

Can You Prohibit Employees From Using Cell Phones At Work?

With the prevalence of cell phones in today’s society, many companies struggle with how to manage employee time spent on personal mobile devices. But there are legal limits on what employers can do on this front. The National Labor Relations Board (NLRB) has taken the position that employees have a presumptive right, in most instances, under the National Labor Relations Act (NLRA) to use personal phones during breaks and other non-working times.

A recent advice memo issued by the agency has reaffirmed its stance – even since the NLRB generally has taken a more lax view of employer personnel policies over the last year. At issue, in this case, was a company policy that limited employees’ use of personal cell phones in the workplace. The relevant analysis in the NLRB memo states:

“This [company’s] rule states that, because cell phones can present a ‘distraction in the workplace,’ resulting in ‘lost time and productivity,’ personal cell phones may be used for ‘work-related or critical, quality of life activities only.’ It defines ‘quality of life activities’ as including ‘communicating with service or health professionals who cannot be reached during a break or after business hours.’ The rule further states that ‘[o]ther cellular functions, such as text messaging and digital photography, are not to be used during working hours.’ This rule is unlawful because employees have a [NLRA] Section 7 right to communicate with each other through non-Employer monitored channels during lunch or break periods. Because the rule prohibits use of personal phones at all times, except for work-related or critical quality of life activities, it prohibits their use on those non-working times. The phrase regarding text messaging and digital photography is more limited, but still refers to ‘working hours,’ which the Board, in other contexts, has held includes non-work time during breaks. Although the employer has a legitimate interest in preventing distractions, lost time, and lost productivity, that interest is only relevant when employees are on work time. It, therefore, does not outweigh the employees’ Section 7 interest in communicating privately via their cell phones, during non-work time, about their terms and conditions of employment.” (emphasis added)

In other words, while an employer may be able to limit employee use of personal mobile devices during working time in order to minimize distractions, having a policy in place that is worded in a way that limits that activity during non-working time may run afoul of the NLRA.

This is another reminder for employers to ensure their policies are drafted in a way that conforms to applicable NLRB standards. A poorly drafted rule – even with the best intentions – can result in legal headaches for a company.

 

© 2019 BARNES & THORNBURG LLP
This post was written by David J. Pryzbylski of Barnes & Thornburg LLP.
Read more employer HR policies on the labor and employment type of law page.

Think Your Cellphone Usage is Private? Think Again

In a closely-watched case out of Miami, the Eleventh Circuit Court of Appeals redefined the zone of privacy for cell phone users. As the Tech World was focused on Miami for the second annual eMerge conference, the court issued an opinion permitting prosecutors to obtain records from mobile carriers—without a search warrant—allowing the tracking of an individual’s movements through his or her cell phone’s interaction with cell towers.

In U.S. v. Davis, the Eleventh Circuit, sitting en banc, considered the appeal of Quartavious Davis who was convicted by a Miami jury of participating in seven armed robberies. At trial, the prosecution presented accomplice and eye witness testimony that Davis was involved in seven separate armed robberies in a two-month period. The prosecutors also introduced historical cell tower records obtained from Davis’ mobile carrier for the time period spanning the robberies. The records contained a history of numbers dialed by Davis and the cell tower that connected each call. The prosecutors called a police officer that was able to pinpoint on a map the exact location of each robbery and—using the data obtained from Davis’ mobile carrier—the location of the cell tower that connected Davis’ calls around the time of each robbery. While Davis’ location was not precise, the evidence gave the government a basis to argue that the calls to and from Davis’ cell phone were connected through cell tower locations near the robbery locations. Several witnesses testified that Davis used his cell phone around the time of the robberies. These facts allowed the prosecutors to assert that Davis was necessarily near the locations of the robberies at the times they occurred.

The government acquired Davis’ mobile carrier’s records pursuant to the Stored Communications Act (the “SCA”), under which a governmental entity may require a telephone service provider to disclose “a record … pertaining to a subscriber to or a customer of such service (not including the contents of communications) … if a court of competent jurisdiction” finds “specific and articulable fact showing that there are reasonable grounds to believe” that the records sought are “relevant and material to an ongoing investigation.” Importantly, the government is not required to show probable cause—as it would to obtain a search warrant—before a court will issue an order mandating the release of the records.

Following the guilty jury verdict, Davis appealed on the grounds that the government violated his Fourth Amendment rights by obtaining his mobile carrier’s records without a search warrant and a showing of probable cause.

The Eleventh Circuit rejected Davis’ arguments on two independent grounds. First, the court held that the government’s acquisition of Davis’ mobile carrier’s records did not constitute a search for purposes of the Fourth Amendment. The court reasoned that Davis did not have ownership or possession of the records, and, moreover, Davis did not have a reasonable expectation of privacy in records of the transmissions between his cell phone and his mobile carrier’s cell phone towers—particularly given that it was information captured in the mobile carrier’s records. Second, the court found that even if the government’s acquisition of the mobile carrier’s records did constitute a search under the Fourth Amendment, the government’s acquisition of the information was nonetheless reasonable because the government relied upon and adhered to the strictures of the SCA.

The full implications of the Davis case still remain to be seen, but the case raises important questions about privacy interests in respect of information transmitted over the airwaves and through the internet. For example—and as several judges concurring with the court’s opinion pointed out—what differentiates a third-party internet site’s tracking of a user’s movements on its site through the use of cookies from a mobile carrier’s tracking of a user’s location? One thing that we can say for certain is that as Miami continues to develop as an incubator for technology, start-ups and innovation, the Davis case certainly will not be the last word from our courts on the intersection of privacy and technology.

© 2015 Bilzin Sumberg Baena Price & Axelrod LLP

California’s New Kill-Switch Law Targets Smartphone Thieves

Morgan Lewis

California legislators recently signed Senate Bill 962 into law, which requires manufacturers to install kill-switches on smartphones sold in California that are made on or after July 1, 2015. A kill-switch allows a smartphone owner to remotely disable the device via a wireless command, which renders the device inoperable to unauthorized users. This new law was passed on August 25 to deter smartphone theft in California.

Although manufacturers must include the kill-switch on smartphones, consumers will have the option to disable it as long as the consumer is informed that the function is designed to protect him or her from unauthorized use of the phone.


California District Court Holds that Providing Cellphone Number for an Online Purchase Constitutes “Prior Express Consent” Under TCPA – Telephone Consumer Protection Act

DrinkerBiddle

 

A federal district court in California recently ruled that a consumer who voluntarily provided a cellphone number in order to complete an online purchase gave “prior express consent” to receive a text message from the business’s vendors under the TCPA. See Baird v. Sabre, Inc., No. CV 13-999 SVW, 2014 WL 320205 (C.D. Cal. Jan. 28, 2014).

In Baird, the plaintiff booked flights through the Hawaiian Airlines website. In order to complete her purchase, the plaintiff provided her cellphone number. Several weeks later she received a text message from the airline’s vendor, Sabre, Inc., inviting the plaintiff to receive flight notification services by replying “yes.” The plaintiff did not respond and no further messages were sent. The plaintiff sued the vendor claiming that it violated the TCPA by sending the single text message.

The central issue in Baird was whether, by providing her cellphone number to the airline, the plaintiff gave “prior express consent” to receive autodialed calls from the vendor under the TCPA. In 1992, the FCC promulgated TCPA implementing rules, including a ruling that “persons who knowingly release their phone numbers have in effect given their invitation or permission to be called at the number which they have given, absent instructions to the contrary.” In re Rules & Reg’s Implementing the Tel. Consumer Prot. Act of 1991, 7 F.C.C.R. 8752, 8769 ¶ 31 (1992) (“1992 FCC Order”). In support of this ruling, the FCC cited to a House Report stating that when a person provides their phone number to a business, “the called party has in essence requested the contact by providing the caller with their telephone number for use in normal business communications.” Id. (citing H.R.Rep. No. 102–317, at 13 (1991)).

The court found that, while the 1992 FCC Order “is not a model of clarity,” it shows that the “FCC intended to provide a definition of the term ‘prior express consent.’” Id. at *5. Under that definition, the court held that the plaintiff consented to being contacted on her cellphone by an automated dialing machine when she provided the number to Hawaiian Airlines during the online reservation process. Id. at *6. Under the existing TCPA jurisprudence, a text message is a “call.” Id. at *1. Furthermore, although the plaintiff only provided her cellphone number to the airline (and not to Sabre, Inc., the vendor), the court concluded that “[n]o reasonable consumer could believe that consenting to be contacted by an airline company about a scheduled flight requires that all communications be made by direct employees of the airline, but never by any contractors performing services for the airline.” Id. at *6. The Judge was likewise unmoved by the fact that the plaintiff was required to provide a phone number (though not necessarily a cellphone number) to complete the online ticket purchase. Indeed, the court observed that the affirmative act of providing her cellphone number was an inherently “voluntary” act and that, had the plaintiff objected, she could simply have chosen not to fly Hawaiian Airlines. Id.

Baird does not address the October 2013 TCPA regulatory amendments that require “prior express written consent” for certain types of calls made to cellular phones and residential lines (a topic that previously has been covered on this blog). See 47 CFR § 64.1200(a)(2), (3) (emphasis added). “Prior express written consent” is defined as “an agreement, in writing, bearing the signature of the person called that clearly authorizes the seller to deliver or cause to be delivered to the person called advertisements or telemarketing messages using an automatic telephone dialing system or an artificial prerecorded voice, and the telephone number to which the signatory authorized such advertisements or telemarketing messages to be delivered.” 47 CFR § 64.1200(f)(8). Whether the Baird rationale would help in a “prior express written consent” case likely would depend on the underlying facts such as whether the consumer/plaintiff agreed when making a purchase to be contacted by the merchant at the phone number provided, and whether the consumer/plaintiff provided an electronic signature. See 47 CFR § 64.1200(f)(8)(ii).

Nonetheless, Baird is a significant win for the TCPA defense bar and significantly reduces TCPA risk for the defendants making non-telemarketing calls (or texts) to cellphones using an automated dialer (for which “prior express consent” is the principal affirmative defense). If that cellphone number is given by the consumer voluntarily (and, given the expansive logic of Baird, we wonder when it could be considered “coerced”), the defendant has obtained express consent. Baird leaves open a number of questions worth watching, including how far removed the third-party contractor can be from the company to whom a cellphone number was voluntarily provided. Judge Wilson seemed to think it was obvious to the consumer that a third-party might be utilized by an airline to provide flight status information, but how far does that go? We’ll be watching.

Article by Drinker Biddle & Reath LLP