Legal and Privacy Considerations When Using Internet Tools for Targeted Marketing

Businesses often rely on targeted marketing methods to reach their relevant audiences. Instead of paying for, say, a television commercial to be viewed by people across all segments of society with varied purchasing interests and budgets, a business can use tools provided by social media platforms and other internet services to target those people most likely to be interested in its ads. These tools may make targeted advertising easy, but businesses must be careful when using them – along with their ease of use comes a risk of running afoul of legal rules and regulations.

Two ways that businesses target audiences are working with influencers who have large followings in relevant segments of the public (which may implicate false or misleading advertising issues) and using third-party “cookies” to track users’ browsing history (which may implicate privacy and data protection issues). Most popular social media platforms offer tools to facilitate the use of these targeting methods. These tools are likely indispensable for some businesses, and despite their risks, they can be deployed safely once the risks are understood.

Some Platform-Provided Targeted Marketing Tools May Implicate Privacy Issues
Google recently announced[1] that it will not be deprecating third-party cookies, a reversal from its previous plan to phase out these cookies. “Cookies” are small pieces of code that track users’ activity online. “First-party” cookies often are necessary for the website to function properly. “Third-party” cookies are shared across websites and companies, essentially tracking users’ browsing behaviors to help advertisers target their relevant audiences.

In early 2020, Google announced[2] that it would phase out third-party cookies, which are associated with privacy concerns because they track individual web-browsing activity and then share that data with other parties. Google’s 2020 announcement was a response to these concerns.

Fast forward about four and a half years, and Google reversed course. During that time, Google had introduced alternatives to third-party cookies, and companies had developed their own, often extensive, proprietary databases[3] of information about their customers. However, none of these methods satisfied the advertising industry. Google then made the decision to keep third-party cookies. To address privacy concerns, Google said it would “introduce a new experience in Chrome that lets people make an informed choice that applies across their web browsing, and they’d be able to adjust that choice at any time.”[4]

Many large platforms in addition to Google offer targeted advertising services via the use of third-party cookies. Can businesses use these services without any legal ramifications? Does the possibility for consumers to opt out mean that a user cannot be liable for privacy concerns if it relies on third-party cookies? The relevant cases have held that individual businesses still must be careful despite any opt-out and other built-in tools offered by these platforms.

Two recent cases from the Southern District of New York[5] held that individual businesses that used “Meta Pixels” to track consumers may be liable for violations of the Video Privacy Protection Act (VPPA). 19 U.S.C. § 2710. Facebook defines a Meta Pixel[6] as a “piece of code … that allows you to … make sure your ads are shown to the right people … drive more sales, [and] measure the results of your ads.” In other words, a Meta Pixel is essentially a cookie provided by Meta/Facebook that helps businesses target ads to relevant audiences.

As demonstrated by those two recent cases, businesses cannot rely on a platform’s program to ensure their ad targeting efforts do not violate the law. These violations may expose companies to enormous damages – VPPA cases often are brought as class actions and even a single violation may carry damages in excess of $2,500.

In those New York cases, the consumers had not consented to sharing information, but, even if they had, the consent may not suffice. Internet contracts, often included in a website’s Terms of Service, are notoriously difficult to enforce. For example, in one of those S.D.N.Y. cases, the court found that the arbitration clause to which subscribers had agreed was not effective to force arbitration in lieu of litigation for this matter. In addition, the type of consent and the information that websites need to provide before sharing information can be extensive and complicated, as recently reported[7] by my colleagues.

Another issue that companies may encounter when relying on widespread cookie offerings is whether the mode (as opposed to the content) of data transfer complies with all relevant privacy laws. For example, the Swedish Data Protection Agency recently found[8] that a company had violated the European Union’s General Data Protection Regulation (GDPR) because the method of transfer of data was not compliant. In that case, some of the consumers had consented, but some were never asked for consent.

Some Platform-Provided Targeted Marketing Tools May Implicate False or Misleading Advertising Issues
Another method that businesses use to target their advertising to relevant consumers is to hire social media influencers to endorse their products. These partnerships between brands and influencers can be beneficial to both parties and to the audiences who are guided toward the products they want. These partnerships are also subject to pitfalls, including reputational pitfalls (a controversial statement by the influencer may negatively impact the reputation of the brand) and legal pitfalls.

The Federal Trade Commission (FTC) has issued guidelines[9] “Concerning Use of Endorsements and Testimonials” in advertising, and published a brochure for influencers, “Disclosures 101 for Social Media Influencers,”[10] that tells influencers how they must apply the guidelines to avoid liability for false or misleading advertising when they endorse products. A key requirement is that influencers must “make it obvious” when they have a “material connection” with the brand. In other words, the influencer must disclose that it is being paid (or gains other, non-monetary benefits) to make the endorsement.

Many social media platforms make it easy to disclose a material connection between a brand and an influencer – a built-in function allows influencers to simply click a check mark to disclose the existence of a material connection with respect to a particular video endorsement. The platform then displays a hashtag or other notification along with the video that says “#sponsored” or something similar. However, influencers cannot rely on these built-in notifications. The FTC brochure clearly states: “Don’t assume that a platform’s disclosure tool is good enough, but consider using it in addition to your own, good disclosure.”

Brands that sponsor influencer endorsements may easily find themselves on the hook if the influencer does not properly disclose that the influencer and the brand are materially connected. In some cases, the contract between the brand and influencer may pass any risk to the brand. In others, the influencer may be judgment-proof, or the brand may be an easier target for enforcement. And, unsurprisingly, the FTC has sent warning letters[11] threatening high penalties to brands for influencer violations.

The Platform-Provided Tools May Be Deployed Safely
Despite risks involved in some platform-provided tools for targeted marketing, these tools are very useful, and businesses should continue to take advantage of them. However, businesses cannot rely on these widely available and easy-to-use tools but must ensure that their own policies and compliance programs protect them from liability.

The same warning about widely available social media tools and lessons for a business to protect itself are also true about other activities online, such as using platforms’ built-in “reposting” function (which may implicate intellectual property infringement issues) and using out-of-the-box website builders (which may implicate issues under the Americans with Disabilities Act). A good first step for a business to ensure legal compliance online is to understand the risks. An attorney experienced in internet law, privacy law and social media law can help.

_________________________________________________________________________________________________________________

1 https://privacysandbox.com/news/privacy-sandbox-update/

2 https://blog.chromium.org/2020/01/building-more-private-web-path-towards.html

3 Businesses should ensure that they protect these databases as trade secrets. See my recent Insights at https://www.wilsonelser.com/sarah-fink/publications/relying-on-noncompete-clauses-may-not-be-the-best-defense-of-proprietary-data-when-employees-depart and https://www.wilsonelser.com/sarah-fink/publications/a-practical-approach-to-preserving-proprietary-competitive-data-before-and-after-a-hack

4 https://privacysandbox.com/news/privacy-sandbox-update/

5 Aldana v. GamesStop, Inc., 2024 U.S. Dist. Lexis 29496 (S.D.N.Y. Feb. 21, 2024); Collins v. Pearson Educ., Inc., 2024 U.S. Dist. Lexis 36214 (S.D.N.Y. Mar. 1, 2024)

6 https://www.facebook.com/business/help/742478679120153?id=1205376682832142

7 https://www.wilsonelser.com/jana-s-farmer/publications/new-york-state-attorney-general-issues-guidance-on-privacy-controls-and-web-tracking-technologies

8 See, e.g., https://www.dataguidance.com/news/sweden-imy-fines-avanza-bank-sek-15m-unlawful-transfer

9 https://www.ecfr.gov/current/title-16/chapter-I/subchapter-B/part-255

10 https://www.ftc.gov/system/files/documents/plain-language/1001a-influencer-guide-508_1.pd

11 https://www.ftc.gov/system/files/ftc_gov/pdf/warning-letter-american-bev.pdf
https://www.ftc.gov/system/files/ftc_gov/pdf/warning-letter-canadian-sugar.pdf

A Lawyer’s Guide to Understanding AI Hallucinations in a Closed System

Understanding Artificial Intelligence (AI) and the possibility of hallucinations in a closed system is necessary for the use of any such technology by a lawyer. AI has made significant strides in recent years, demonstrating remarkable capabilities in various fields, from natural language processing to large language models to generative AI. Despite these advancements, AI systems can sometimes produce outputs that are unexpectedly inaccurate or even nonsensical – a phenomenon often referred to as “hallucinations.” Understanding why these hallucinations occur, especially in closed systems, is crucial for improving AI reliability in the practice of law.

What are AI Hallucinations
AI hallucinations are instances where AI systems generate information that seems plausible but is incorrect or entirely fabricated. These hallucinations can manifest in various forms, such as incorrect responses to a prompt, fabricated case details, false medical analysis or even imagined elements in an image.

The Nature of Closed Systems
A closed system in AI refers to a context where the AI operates with a fixed dataset and pre-defined parameters, without real-time interaction or external updates. In legal practice, this can include environments or legal AI tools that rely upon a selected universe of information, such as a case file database, saved case-specific medical records, discovery responses, deposition transcripts and pleadings.

Causes of AI Hallucinations in Closed Systems
Closed systems, as opposed to open-facing AI that can access the internet, rely entirely on the data they were trained on. If the data is incomplete, biased, or not representative of the real world, the AI may fill gaps in its knowledge with incorrect information. This is particularly problematic when the AI encounters scenarios not well represented in its training data. Similarly, if an AI tool is used incorrectly by way of misused data prompts, a closed system could produce incorrect or nonsensical outputs.

Overfitting
Overfitting occurs when the AI model learns the noise and peculiarities in the training data rather than the underlying patterns. In a closed system, where the training data can be limited and static, the model might generate outputs based on these peculiarities, leading to hallucinations when faced with new or slightly different inputs.

Extrapolation Error
AI models can generalize from their training data to handle new inputs. In a closed system, the lack of continuous learning and updated data may cause the model to make inaccurate extrapolations. For example, a language model might generate plausible-sounding but factually incorrect information based upon incomplete context.

Implications of Hallucinations for Lawyers
For lawyers, AI hallucinations can have serious implications. Relying on AI-generated content without verification could lead to the dissemination of, or reliance upon, false information, which can grievously affect both a client and the lawyer. Lawyers have a duty to provide accurate and reliable advice, information and court filings. Using AI tools that can produce hallucinations without proper checks could very well breach a lawyer’s ethical duty to her client, and such errors could damage a lawyer’s reputation or standing. A lawyer must stay vigilant in her practice to safeguard against hallucinations. A lawyer should always verify any AI-generated information against reliable sources and treat AI as an assistant, not a replacement. Attorney oversight of outputs, especially in critical areas such as legal research, document drafting and case analysis, is an ethical requirement.

Notably, the lawyer’s choice of AI tool is critical. A well-vetted closed system allows the origin of an output to be traced and allows the lawyer to maintain control over the source materials. For prompt-based data searches with multiple task prompts, a comprehensive understanding of how the prompts were designed to be used, and of their proper use, is also essential to avoid hallucinations in a closed system. Improper use of the AI tool, even in a closed system designed for legal use, can lead to illogical outputs or hallucinations. A lawyer who wishes to utilize AI tools should stay informed about AI developments and understand the limitations and capabilities of the tools used. Regular training and updates can provide a more effective use of AI tools and help to safeguard against hallucinations.

Take Away
AI hallucinations present a unique challenge for the legal profession, but with careful tool vetting, management and training a lawyer can safeguard against false outputs. By understanding the nature of hallucinations and their origins, implementing robust verification processes and maintaining human oversight, lawyers can harness the power of AI while upholding their commitment to accuracy and ethical practice.

Fourth Circuit Reverses $1 Billion Award for Vicarious Liability Claim for More than 10,000 Works

On January 12, 2021, the U.S. District Court for the Eastern District of Virginia awarded a group of music recording companies (the plaintiffs) a $1 billion verdict against Cox Communications (Cox). The Virginia court’s ruling found that Cox, an internet service provider (ISP), was contributorily and vicariously liable for copyright infringement committed by certain subscribers on its networks. The plaintiffs alleged that the ISP allowed the unauthorized downloading and distribution of more than 10,000 copyrighted works by Cox subscribers who had already received three or more notices of infringement. The district court in Virginia established that the “takedown” notices sent by the plaintiffs provided Cox with the requisite knowledge of its subscribers’ repeated infringement to substantiate their claim that Cox was contributorily liable, suggesting that Cox had sufficient specific knowledge of infringement to have done something about it.

The plaintiffs’ notice to Cox identified the IP address of the subscriber, as well as the time of infringement and the identification of the infringed work, which the plaintiffs argued was sufficiently specific knowledge for Cox to be able to identify the subscriber and to exercise its policy by suspending or terminating the infringing subscriber. This case proceeded to trial on two theories of secondary liability – vicarious and contributory copyright infringement. The plaintiffs argued that Cox failed to act on these known repeat infringers, and the jury found Cox liable for willful contributory infringement and vicarious infringement, ordering Cox to pay more than $99,000 for each of the infringed-upon works. Cox appealed the jury verdict.

On appeal, before the U.S. Court of Appeals for the Fourth Circuit, Cox raised several questions of law concerning the secondary liability for copyright infringement, as well as what constitutes a derivative work in the Internet Age.

Vicarious Infringement
The Fourth Circuit’s analysis first considered whether the district court erred in denying plaintiffs’ vicarious infringement claim. “A defendant may be held vicariously liable for a third party’s copyright infringement [if the defendant] (1) profits directly from the infringement and (2) has a right and ability to supervise the direct infringer.” See Metro-Goldwyn-Mayer Studios, Inc. v. Grokster, Ltd., 545 U.S. 913, 930 n.9 (2005) (internal citations omitted). The Fourth Circuit found that the plaintiffs failed to establish the first element as a matter of law and thus found that the plaintiffs failed to establish that Cox was vicariously liable.

In reaching this decision, the Fourth Circuit turned to the landmark decision in Shapiro, Bernstein & Co., 316 F.2d 304 (2d Cir. 1963), a case on vicarious liability for infringing copyrighted music recordings. In Shapiro, a department store was sued for the selling of “bootleg” records by a concessionaire operating in its stores. The store had the right to supervise the concessionaire and employees, demonstrating its control over the infringement. There, the store received a certain percentage of every record sale, “whether ‘bootleg’ or legitimate,” giving it “a more definite financial interest” in the infringing sales. Thus, the Shapiro court found that the financial gains were clearly spelled out from the bootleg sales and acts of infringement in Shapiro.

Next, the Fourth Circuit recognized that courts have found that a defendant may possess a financial interest in a third party’s infringement of copyrighted music, even absent a strict correlation between each act of infringement and an added penny of profits. See Fonovisa, Inc. v. Cherry Auction, Inc., 76 F.3d 259 (9th Cir. 1996). In Fonovisa, the operator of a swap meet allowed vendors to sell infringing goods, and the operator collected “admission fees, concession stand sales, and parking fees” but no sales commission “from customers who want[ed] to buy the counterfeit recordings at bargain-basement prices.” The Fonovisa court found that the plaintiffs adequately showed a financial benefit from the swap meet owner and the sales of pirated recordings at the swap meet, which was a draw for customers. Thus, the infringing sales “enhance[d] the attractiveness of the venue to potential customers,” and the court found that the swap meet operator had a financial interest in the infringement sufficient to state a claim for vicarious liability.

The Fourth Circuit established that Shapiro and Fonovisa provided the steppingstones for applying the principles of copyright infringement to the internet and cyberspace, and that Congress agreed that “receiving a one-time setup fee and flat periodic payment for service” from infringing and non-infringing users alike ordinarily “would not constitute a financial benefit directly attributable to the infringing activity.” Ellison v. Robertson, 357 F.3d 1072, 1079 (9th Cir. 2004) (internal citations omitted). The Court also reviewed other court precedents, including A&M Records v. Napster, Inc., 239 F.3d 1004 (9th Cir. 2001), to show that increased pirated music drew in users as a direct financial interest for vicarious liability, but also noted that courts have found no evidence of a direct financial benefit between subscribers of America Online (AOL) and the availability of infringing content. Ellison, 357 F.3d at 1079.

Against this backdrop, the Fourth Circuit held that to prove Cox was vicariously liable, the plaintiffs had to demonstrate that Cox profited from its subscribers’ infringing download and distribution of the plaintiffs’ copyrighted songs, which – given the evidence at trial – it did not. While the district court found it was enough that Cox repeatedly declined to cancel an ISP subscriber’s monthly subscription fee, the Fourth Circuit found this evidence to be insufficient. Instead, the Fourth Circuit found that the continued monthly payment fees for internet service, even by repeat infringers, was not a financial benefit flowing directly from the copyright infringement. Cox established that subscribers paid a flat fee even if all of its subscribers stopped infringing. Recognizing that an internet provider would necessarily lose money if it canceled subscriptions only demonstrates that service providers have a direct financial interest in providing subscribers with access to the internet only. Thus, the Fourth Circuit held that vicarious liability demands proof that the defendant profits directly from the acts of infringement for which it is being held accountable.

To rebut this, the plaintiffs claimed that the jury could infer that subscribers paid monthly membership fees based on the high volume of infringing content. The Fourth Circuit rejected this argument and found that the evidence was insufficient to prove that customers were drawn to Cox’s internet service or that they continued the service because they were specifically drawn to the opportunity to infringe the plaintiffs’ copyrights. The plaintiffs further asserted that subscribers were willing to pay more for the opportunity to infringe based on Cox’s tiered structure for internet access – but the plaintiffs fell short in proving this claim because no reasonable inference could be drawn that Cox subscribers paid more for faster internet to infringe on the copyrighted works. Ultimately, the Court found that the plaintiffs could not establish a causal connection between subscribers’ copyright infringement and Cox’s revenue for monthly subscriptions. Thus, the Fourth Circuit held that Cox was not liable for its subscribers’ copyright infringement and reversed the district court’s ruling on this theory. The court vacated the $1 billion damages award and remanded the case for a new trial on damages, holding that the jury’s finding of vicarious liability could have influenced its assessment of statutory damages.

Contributory Infringement
The Fourth Circuit then examined the remaining issue of contributory infringement. Under this theory, “one who, with knowledge of the infringing activity, induces, causes or materially contributes to the infringing conduct of another is liable for the infringement, too.” Cox argued that the district court erred by taking away the factual determination from the jury that notices of past infringement established Cox’s knowledge that subscribers were substantially certain to infringe in the future. Cox had contracted with a third party to provide copyright violation notices to users and asserted that it used these notices as their safe harbor under the Digital Millennium Copyright Act to alert violators and to terminate access to users who were repeat infringers. Despite this, the Fourth Circuit ultimately agreed with the jury’s finding that Cox materially contributed to copyright infringement occurring on its network and that its conduct was culpable.

Therefore, a three-judge panel found that Cox was liable for willful copyright infringement but reversed the vicarious liability verdict and remanded for a new trial on damages. The Fourth Circuit held that because Cox did not profit from its subscribers’ acts of infringement, a legal prerequisite for vicarious liability, Cox was not liable for damages under the vicarious liability theory.

The Impact
The Fourth Circuit’s decision recognizes a new dawn breaking in copyright law, one that requires a causal connection between profit and/or financial gain and a defendant’s acts of infringement to prove vicarious liability in a copyright infringement claim under the Copyright Act. The plaintiffs attempted to bridge the financial gap between acknowledging access to infringing content through a monthly internet subscription and high-volume infringing acts. However, the Fourth Circuit found that this leap in logic was a step too far and reversed the award for vicarious liability for lack of evidence to find this missing connection between Cox subscribers and infringing plaintiffs’ content.

While this may be one route the courts may consider to reduce music piracy damages, it remains to be seen whether other courts will take this approach to determining that profit is the key element supporting other vicarious liability claims in cyberspace.

Clop Claims Zero-Day Attacks Against 130 Organizations

Russia-linked ransomware gang Clop has claimed that it has attacked over 130 organizations since late January, using a zero-day vulnerability in the GoAnywhere MFT secure file transfer tool, and was successful in stealing data from those organizations. The vulnerability is CVE-2023-0669, which allows attackers to achieve remote code execution.

The manufacturer of GoAnywhere MFT notified customers of the vulnerability on February 1, 2023, and issued a patch for the vulnerability on February 7, 2023.

HC3 issued an alert on February 22, 2023, warning the health care sector about Clop targeting healthcare organizations and recommending that organizations:

  • Educate and train staff to reduce the risk of social engineering attacks via email and network access.
  • Assess enterprise risk against all potential vulnerabilities and prioritize implementing the security plan with the necessary budget, staff, and tools.
  • Develop a cybersecurity roadmap that everyone in the healthcare organization understands.

Security professionals are recommending that information technology professionals update machines to the latest GoAnywhere version and “stop exposing port 8000 (the internet location of the GoAnywhere MFT admin panel).”

Copyright © 2023 Robinson & Cole LLP. All rights reserved.

Privacy Tip #358 – Bank Failures Give Hackers New Strategy for Attacks

Hackers are always looking for the next opportunity to launch attacks against unsuspecting victims. According to Cybersecurity Dive, researchers at Proofpoint recently observed “a phishing campaign designed to exploit the banking crisis with messages impersonating several cryptocurrencies.”

According to Cybersecurity Dive, cybersecurity firm Arctic Wolf has observed “an uptick in newly registered domains related to SVB since federal regulators took over the bank’s deposits…” and “expects some of those domains to serve as a hub for phishing attacks.”

This is the modus operandi of hackers. They use times of crises, when victims are vulnerable, to launch attacks. Phishing campaigns continue to be one of the top risks to organizations, and following the recent bank failures, everyone should be extra vigilant of urgent financial requests and emails spoofing financial institutions, and take additional measures, through multiple levels of authorization, when conducting financial transactions.

We anticipate increased attack activity against individuals and organizations following these recent financial failures. Communicating the increased risk to employees may be worth consideration.

Copyright © 2023 Robinson & Cole LLP. All rights reserved.

Lawyer Bot Short-Circuited by Class Action Alleging Unauthorized Practice of Law

Many of us are wondering how long it will take for ChatGPT, the revolutionary chatbot by OpenAI, to take our jobs. The answer: perhaps, not as soon as we fear!

On March 3, 2023, Chicago law firm Edelson P.C. filed a complaint against DoNotPay, self-described as “the world’s first robot lawyer.” Edelson may have short-circuited the automated barrister’s circuits by filing a lawsuit alleging the unauthorized practice of law.

DoNotPay is marketed as an AI program intended to assist users in need of legal services, but who do not wish to hire a lawyer. The organization was founded in 2015 to assist users in disputing parking tickets. Since then, DoNotPay’s services have expanded significantly. The company’s website offers to help users fight corporations, overcome bureaucratic obstacles, locate cash and “sue anyone.”

In spite of those lofty promises, Edelson’s complaint counters by pointing out certain deficiencies, stating, “[u]nfortunately for its customers, DoNotPay is not actually a robot, a lawyer, or a law firm. DoNotPay does not have a law degree, is not barred in any jurisdiction and is not supervised by any lawyer.”

The suit was brought by plaintiff Jonathan Faridian, who claims to have used DoNotPay for legal drafting projects, demand letters, one small claims court filing and drafting an employment discrimination complaint. Faridian’s complaint explains he was under the impression that he was purchasing legal documents from an attorney, only to later discover that the “substandard” outcomes generated did not comport with his expectations.

When asked for comment, DoNotPay’s representative denied Faridian’s allegations, explaining the organization intends to defend itself “vigorously.”

© 2023 Wilson Elser

Locking Tik Tok? White House Requires Removal of TikTok App from Federal IT

On February 28, the White House issued a memorandum giving federal employees 30 days to remove the TikTok application from any government devices. This memo is the result of an act passed by Congress that requires the removal of TikTok from any federal information technology. The act responded to concerns that the Chinese government may use data from TikTok for intelligence gathering on Americans.

I’m Not a Federal Employee — Why Does It Matter?

The White House Memo clearly covers all employees of federal agencies. However, it also covers any information technology used by a contractor who is using federal information technology. As such, if you are a federal contractor using some sort of computer software or technology that is required by the U.S. government, you must remove TikTok in the next 30 days.

The limited exceptions to the removal mandate require federal government approval. The memo mentions national security interests and activities, law enforcement work, and security research as possible exceptions. However, there is a process to apply for an exception – it is not automatic.

Takeaways

Even if you are not a federal employee or a government contractor, this memo would be a good starting place to look back at your company’s social media policies and cell phone use procedures. Do you want TikTok (or any other social media app) on your devices? Many companies have found themselves in PR trouble due to lapses in enforcement of these types of rules. In addition, excessive use of social media in the workplace has been shown to be a drag on productivity.

© 2023 Bradley Arant Boult Cummings LLP

MAXIMUM PRESSURE: Stratics Networks Hit With Massive DOJ Complaint Related to RVM Use by Customers and The Heat is Really On Platforms Right Now

So just last month we covered the story of Phone Burner being absolutely destroyed by a recent FCC order directing carriers to stop carrying its traffic. It became the most read story EVER on TCPAWorld.com.

This one might be even bigger.

Before I get to the punchline, bear with me for a second.

Ringless voicemail.

I have been saying for many years that these things are covered by the TCPA. The Courts have said it. The FCC has said it.

But the ringless voicemail providers, by and large, refused to get the message. As recently as late last year I still had people coming to me telling me that this platform or that service was telling them that the TCPA does not apply to ringless voicemail. And I have personally heard sales pitches within the last couple of years where a ringless voicemail provider told potential customers the TCPA does not apply to the technology.

Lies, lies and more lies. And I hate lies.

The argument for RVM not being covered by the TCPA is a dreadful one. Some lawyer–NOT ME–long ago prepared a white paper suggesting that because voicemail is a title III information service and not a title II communication service that, somehow, that means the direct drop process to leave a voicemail also wasn’t a communication. It’s nuts. Totally irrational. And beyond that, it was just dumb.

There was a better rationale for the argument–that the messages traversed business class landlines and not cellular networks–but that argument, too, has been rejected in recent years.

Anyhoo, RVM are definitely covered by the TCPA and that is a fact that has been known for many years. But that did not stop one major RVM provider from–allegedly–allowing its users to blast folks without consent.

And here is where we get to the big news: On Friday the Department of Justice filed a massive complaint–on referral from the FTC–against a debt relief company that was allegedly violating the TSR by sending RVMs without consent and failing to include content required by the TSR in the message.

Please notice that the complaint was NOT just filed against the debt relief company. It was filed against Stratics Networks–the wholesale carrier that permitted the traffic and also, apparently, supplied the RVM platform that was used to send the messages. But the complaint was also filed against the intermediary VOIP service provider, Netlatitude, Inc.–and its president Kurt S. Hannigan personally (!), that provided access to the debt relief company through Stratics (or perhaps vice versa.)

The actual wrongdoers were apparently a debt relief company called Tek Ventures, LLC, doing business as Provident Solutions and a marketing company hired by Provident–Atlas Marketing Partners, Inc.

A bunch of other players, including INDIVIDUALS, are also named as the FTC and DOJ really came to play with a sledgehammer here.

Each of these companies (and people) is alleged to have done something a bit different wrong. And it’s worth seeing how the government is going after each member of the alleged illegal robocall ring.

Of most interest to me–and I suspect most of you–is the case against Stratics. Like Phone Burner, Stratics is a very well known platform out there. Big footprint. And it is perceived to be a fairly compliant player.

Out of the gate, some of the allegations of the Complaint seek to impose a MUCH broader set of requirements on a carrier than have ever been seen before. For instance, the DOJ complains:

  • Despite acknowledging in its terms and conditions of service that its customers must “obtain the prior written consent from each recipient to contact such recipient” “[w]here required by applicable law or regulation,” Stratics Networks did not have evidence of such consent and did not request or require that its customers submit such evidence;

  • Stratics Networks has access to the prerecorded messages its customers upload to its RVM platform and reserves the right to audit its customers’ accounts in its terms and conditions of service, but it does not conduct due diligence to ensure that the messages actually identified the seller or caller, or to prohibit the transmission of prerecorded messages that failed to do so, or to ensure that the call recipient had given express consent to receive the call; and

  • Stratics did not “require[]” and “ensur[e]” that users obtain prior express written consent from recipients, scrub lists of uploaded phone numbers against the DNC Registry, or otherwise comply with the TSR as a condition of using the platform.

But, so what?

A carrier owes no duty at law to review the content of messages sent over its network. Geez, it would be a huge violation of privacy if it did. And sure an RVM platform may have access to the voicemails that were uploaded but since when is it required to review those and provide compliance advice? That’s just plain nuts.

Further, the fact that Stratics required consent for users of its platform is plenty. Folks use AUPs and disclosures to assure their platforms are not being misused. Since when does the law require them to actually possess consent–or “require” and “ensure” compliance–before allowing someone to use their network? Since never. And it’s just nuts for the FTC and DOJ to suggest otherwise.

Outside of really extreme cases, a carrier is still just a carrier. And a platform is still just a platform. Sure there can be times when these companies are so involved with messages–or know (we’ll get to that) of abuses–such that they are responsible as if they had sent them. But in the ordinary course these folks have NO DUTY to ensure…. anything.

So I’m a bit perturbed by the insinuation that these allegations, alone, make Stratics blameworthy. They speak to duties that do not exist in the law. If the DOJ and FTC don’t like the current state of the law they should take it up with Congress (or, in the case of the FTC, start an NPRM process, hint hint.)

But other allegations are more damaging–particularly those related to the knowledge Stratics had about the use of its platform. And, here again, we see the ITG playing a big role.

Per the Complaint, “Stratics Networks received numerous Traceback Requests from USTelecom’s ITG alerting it to suspected illegal robocall traffic delivered via Stratics Networks’ RVM platform service and seeking its assistance in identifying the source(s) (i.e., upstream carrier or originating end-user) of these “likely illegal” robocalls, including over 30 such requests between August 2019 and February 2021.”

Now 30 requests may seem like a lot, but you have to keep in mind how active the ITG is. They’re firing off a ton of “tickets” every single day. So I’m not convinced that 30 tickets over a year and a half is really that big of a deal. Plus, these tickets are directed at the content of user messages traversing the Stratics network–it does not mean that any of these were actually Stratics customers. (BTW, the DOJ was kind enough to name a bunch of the ticket sources: “Atlas Marketing, Telecord, Telesero, Health Innovations, National Homebuyers, Elite Processing, Deltracon, Technest Limited, Shamoon Ahmad, Progressive Promoting, Nitzke Enterprize, Care Advocacy Solutions, and PubClub.” Hope your name isn’t in there!)

So, again, I don’t love the government’s case so far. But it does get stronger. For instance:

  • In some instances, even when Stratics Networks did identify the RVM customers responsible for these illegal robocalls, Stratics Networks allowed these RVM customers to open additional accounts and/or continue utilizing its RVM platform service for several weeks or months without suspending or terminating their RVM accounts.

  • In some instances, Stratics Networks did not suspend these RVM customers’ accounts until after it received a civil investigative demand from the FTC in November 2020 inquiring about prerecorded messages delivered using its RVM platform service.

Ok, now the government is getting closer. The case law is reasonably clear that where a carrier or platform knows of illegal traffic on its network it does need to take some action to prevent it. If Stratics allowed customers who were committing violations to open new accounts or run new campaigns that could be a problem, unless it did extra heightened diligence to assure compliance.

But now, the big allegations:

  • Several of US Telecom’s ITG’s Traceback Requests to Stratics Networks concerned robocalls delivered over Stratics Networks’ RVM platform as part of the Atlas Defendants’ debt relief telemarketing campaign, including Traceback Requests Stratics Networks received between April and June 2020. These Traceback Requests indicated that they concerned a “DebtReduction-Hardship” or “DebtReduction CoronaHardship” campaign, and they noted that the robocalls delivered prerecorded messages offering preapproved loans and did not identify the caller.

  • Notwithstanding Stratics Networks’ representation to US Telecom’s ITG in response to an April 29, 2020 traceback request that it “ha[d] taken immediate action and triggered a full investigation” into the Traceback Request and “also suspended traffic,” Stratics Networks permitted Atlas Marketing to continue using its RVM platform service to deliver millions more robocalls for over five more months;

  • After April 29, 2020, Stratics Networks permitted Atlas Marketing to use its RVM service to deliver more than 23 million additional ringless voicemail robocalls to American consumers.

Ok so Stratics allowed 23 million voicemails by Atlas after telling the ITG it would suspend its traffic. Now that could be a problem. Especially if those 23MM voicemails violated the TSR and TCPA (although that fact is, perhaps tellingly, left out of the complaint.)

Notice the timing here also. ITG tickets went out in April, 2020. A CID followed in October, 2020. And then the complaint was filed in February, 2023, two and a half years later.

So all of you carriers and platforms that have received ITG tickets followed by CIDs, keep this in mind. Even if a year or more has passed, the FTC might still be working the case.

So what did Netlatitude do wrong? Well this appears to be a volume play. Specifically the FTC is concerned that Netlatitude allowed Atlas to send “136,000 robocalls” using Stratics Networks’ SIP termination service on just two days in September 2020.

Again, I kind of want to shrug at that. While high volume traffic can be a red flag, there is ZERO requirement a carrier decline to carry traffic merely because there might be a lot of it.

Netlatitude also apparently received several ITG tickets but it is not clear that they had anything to do with Atlas. So I am very fuzzy as to why Netlatitude is in the case–except that Stratics apparently pointed the finger at Netlatitude and its President.

As to the debt relief companies, the claims here are wide and varied. First, there is a claim of straight consumer deception. They allegedly promised consumers they’d be out of debt in two years and that monthly payments would be used in a way that turned out not to be true. Ok. Makes sense.

Next they allegedly sent voicemails that did not identify the sender and sent calls to numbers on the DNC list without consent. Again, pretty straightforward.

They also allegedly received a fee prior to providing debt relief, which is also not permitted. So… if true, open and shut case. I think.

In the end the government is asking for a bunch of stuff. Most damaging for Stratics is the injunctive relief provision:

A. Enter a permanent injunction to prevent future violations of the TSR and the FTC Act by Defendants;

B. Award monetary and other relief within the Court’s power to grant;

C. Award Plaintiff monetary civil penalties for every violation of the Telemarketing Sales Rule; and

D. Award Plaintiff such other and additional relief the Court may determine to be just and proper.

Lots of big takeaways here. We already knew that carriers and platforms can’t turn a blind eye to bad traffic on their networks, but in this case the government seeks to go much further and impose duties on these companies to “require” and “ensure” only lawful traffic traverses their networks. That is just craziness and I think a lot of carriers will fold up shop if they suddenly become strictly liable for misconduct on their networks. Indeed, just 8 years ago carriers were completely beyond liability for traffic on their network and now they are to be treated as always liable for it? That is unfair and absurd.

Obviously those of you in the debt relief game need to pay careful attention here as well. NO cheating allowed. If you make a representation it has to be true. And don’t charge that fee up front–can get you into trouble.

Notice also that NONE of these claims are brought under the TCPA. But some could have been. The TCPA also prevents the use of RVMs to cell phones without the proper level of consent. And the TCPA bans solicitations to residential numbers on the DNC list. I presume the DOJ didn’t want to tangle with any additional issues here–or perhaps the FTC did not want to tread on the FCC’s toes by moving into TCPA issues. Unclear to me.

But what IS clear to me is that this complaint is a huge deal and should really have every carrier and platform out there asking itself what the future may hold…

Read the complaint here: Complaint Against Stratics, et al.

© 2023 Troutman Firm

SUPERBOWL CIPA SUNDAY: Does Samsung’s Website Chat Feature Violate CIPA?

Happy CIPA and Super Bowl Sunday TCPA World!

So, Samsung is under the spotlight with a new CIPA case brought by a self-proclaimed “tester.” You know like Rosa Parks?? Back to that in a bit.

The California Invasion of Privacy Act (“CIPA”) prohibits both wiretapping and eavesdropping of electronic communications without the consent of all parties to the communication. The Plaintiff’s bar is zoning in on CIPA with the Javier ruling.

If you recall, Javier found that “[T]hough written in terms of wiretapping, Section 631(a) applies to Internet communications. It makes liable anyone who ‘reads, or attempts to read, or to learn the contents’ of a communication ‘without the consent of all parties to the communication.’” Javier v. Assurance IQ, LLC, 2022 WL 1744107, at *1 (9th Cir. 2022).

Here, Plaintiff Garcia claims that Defendant both wiretaps the conversations of all website visitors and allows a third party to eavesdrop on the conversations in real time during transmission. Garcia v. Samsung Electronics America, Inc.

To enable the wiretapping, Plaintiff claims that Defendant has covertly embedded software code that functions as a device and contrivance into its website that automatically intercepts, records and creates transcripts of all conversations using the website chat feature.

To enable the eavesdropping, Defendant allows at least one independent third-party vendor to secretly intercept (during transmission and in real time), eavesdrop upon, and store transcripts of Defendant’s chat communications with unsuspecting website visitors – even when such conversations are private and deeply personal.

Plaintiff currently proceeds in an individual action, but if Samsung does not take appropriate steps to fully remedy the harm caused by its wrongful conduct, then Garcia will file an amended Complaint on behalf of a class of similarly aggrieved consumers.

Now back to Civil Rights.

According to this Complaint, Garcia is like Rosa Parks, you know, the civil rights activist. Why?

Well, because “Civil rights icon Rosa Parks was acting as a “tester” when she initiated the Montgomery Bus Boycott in 1955, as she voluntarily subjected herself to an illegal practice to obtain standing to challenge the practice in Court.”

Because wiretapping and civil rights are similar, right??

Disgusted.

The Plaintiff’s bar has no problem muddying the waters to appeal to the courts.

Do better.

CIPA is some dangerous stuff. Websites use chat features to engage with consumers all the time. It seems like it is easier to communicate via chat or text than to sit on a call waiting for an agent – assuming you get an agent. But maybe not?

Stay safe out there TCPA World!

Til next time Countess!! back to the game, GO EAGLES!!! #Phillyproud

© 2023 Troutman Firm

Ankura CTIX FLASH Update – December 13, 2022

Malware Activity

Uber Discloses New Data Breach Related to Third-Party Vendor

Uber has disclosed a new data breach that is related to the security breach of Teqtivity, a third-party vendor that Uber uses for asset management and tracking services. A threat actor named “UberLeaks” began leaking allegedly stolen data from Uber and Uber Eats on December 10, 2022, on a hacking forum. The exposed data includes Windows domain login names and email addresses, corporate reports, IT asset management information, data destruction reports, multiple archives of apparent source code associated with mobile device management (MDM) platforms, and more. One document in particular contained over 77,000 Uber employee email addresses and Windows Active Directory information. UberLeaks posted the alleged stolen information in four (4) separate postings regarding Uber MDM, Uber Eats MDM, Teqtivity MDM, and TripActions MDM platforms. The actor included one (1) member of the Lapsus$ threat group in each post, but Uber confirmed that Lapsus$ is not related to this December breach despite being previously linked to the company’s cyberattack in September 2022. Uber confirmed that this breach is not related to the security incident that took place in September and that the code identified is not owned by Uber. Teqtivity published a data breach notification on December 12, 2022, that stated the company is aware of “customer data that was compromised due to unauthorized access to our systems by a malicious third party” and that the third-party obtained access to its AWS backup server that housed company code and data files. Teqtivity also noted that its ongoing investigation identified the following exposed information: first name, last name, work email address, work location details, device serial number, device make, device model, and technical specs. The company confirmed that home address, banking information, and government identification numbers are not collected or retained. Uber and Teqtivity are both in the midst of ongoing investigations into this data breach. 
CTIX analysts will provide updates on the matter once available.

Threat Actor Activity

PLAY Ransomware Claims Responsibility for Antwerp Cyberattack

After last week’s ransomware attack on the city of Antwerp, a threat organization has claimed responsibility and has begun making demands. The threat group, tracked as PLAY ransomware, is an up-and-coming ransomware operation that has been posting leaked information since November 2022, according to an available posting on their leak site. Samples of the threat group’s ransomware variants have shown activity dating back to June 2022, which is around the time PLAY ransomware targeted the Argentina Court of Cordoba (August). While PLAY’s ransomware attack crippled several sectors of Antwerp, it appears to have had a significant impact on residential facilities throughout the city, as stated by officials. According to PLAY NEWS, PLAY’s ransomware leak site, the publication date for the exfiltrated data is Monday, December 19, 2022, if the undisclosed ransom is not paid. PLAY threat actors claim to have 557 gigabytes (GB) worth of Antwerp-related data including but not limited to personally identifiable information, passports, identification cards, and financial documents. CTIX continues to monitor the developing situation and will provide additional updates as more information is released.

Vulnerabilities

Fortinet Patches Critical RCE Vulnerability in FortiOS SSL-VPN Products

After observing active exploitation attempts in-the-wild, the network security solutions manufacturer Fortinet has patched a critical vulnerability affecting their FortiOS SSL-VPN products. The flaw, tracked as CVE-2022-42475, was given a CVSS score of 9.3/10 and is a heap-based buffer overflow, which could allow unauthenticated attackers to perform arbitrary remote code execution (RCE) if successfully exploited. Specifically, the vulnerability exists within the FortiOS sslvpnd product, which enables individual users to safely access an organization’s network, client-server applications, and internal network utilities and directories without the need for specialized software. The vulnerability was first discovered by researchers from the French cybersecurity firm Olympe Cyberdefense who warned users to monitor their logs for suspicious activity until a patch was released. Although very few technical details about the exploitation have been divulged, Fortinet did share lists of suspicious artifacts and IPs. Based on research by Ankura CTIX analysts, the IPs released by Fortinet are located around the globe and are not associated with known threat actors at this time. To prevent exploitation, all Fortinet administrators leveraging FortiOS sslvpnd should ensure that they download and install the latest patch. If organizations cannot immediately patch their systems due to the business interruption it would cause, Olympe Cyberdefense suggests “customers monitor logs, disable the VPN-SSL functionality, and create access rules to limit connections from specific IP addresses.” A list of the affected products and their solutions, as well as the indicators of compromise can be found in the Fortinet advisory linked below.

The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. 

Copyright © 2022 Ankura Consulting Group, LLC. All rights reserved.