Copyright Law Is Being Rewritten Right Now, and You Can Help


Copyrights are not just about protecting music, movies and software.  The Digital Millennium Copyright Act ("DMCA") provides a set of tools whereby content owners can punish individuals who merely circumvent any technological means that protect content (sometimes even content that the suing party doesn't even own).   There are a lot of reasons why this is (in my opinion) an unwise policy.  I have a paper coming out this Spring in the Marquette Law Review that goes over all of this in detail.  However, knowing that there were inevitable problems with such a regime, Congress allowed the Library of Congress and the Copyright Office to issue exemptions to this "anticircumvention" prohibition every three years.  That review process is just about to start.  If you are an affected party, I recommend you contact the Copyright Office in order to have your case heard.  If you would like help in this process, please feel free to reach out to me.

Read more on Wired here.



Using an All Writs order to force Apple to decrypt a phone doesn't change its technical impossibility.

Still irritated by Apple's newest version of iOS – the one that encrypts data in a way that makes even Apple unable to decrypt the data – the Department Of Justice is trying to make the impossible possible.  Using a a centuries old writ - the so-called All Writs Order – a Manhattan judge ordered an unnamed phone maker to provide reasonable technical assistance with law enforcement in decoding a locked phone.  As nice as that may be, in many cases, it will still be impossible.  Read the full article here.



Apple hires big lobbying firm to Represent them on IP and competition issues.

Undoubtedly, in light of Apple's push into wearables, and the very low rumors that Apple may move into other areas ( self-driving cars, anyone?), Apple has begun to hire big guns in the lobbying world.  Frankly, I cant help but see how this is anything but the future for tech companies across the spectrum.   Technology companies – and many non-tech startups, for that matter – are by their very nature disruptive.  They are looking for an opportunity to displace bigger players and promote new ways of doing business.  Companies like Uber and Airbnb will not be alone for very long in being scrutinized by regulatory agencies from the federal, state, and local level.  If the Internet Of Things really takes off as predicted, the regulators will not be able to resist themselves.  Increasingly, businesses of all sizes will need some access to the legislative process. 


Read the news item here.



Predictive policing with statistics in use by police

This article describes PredPol - a tool that allows police to use advanced data analysis/statistics to help determine when and where crime hotspots will occur.  While it is not quite the level of Minority Report (particularly for its notable lack of  telepathy), it is interesting to note that police departments are starting to employ this sort of technology.  This will undoubtedly have a host of constitutional implications down the road - for instance, at what point does predictive analytics start to impinge on privacy rights and the Fourth Amendment?



Cablevision Decides 2d Circuit Trumps SCOTUS: Releases Cloud DVRs

Recently, Cablevision announced that it would be releasing a cloud-based DVR for its customers.  Cablevision of course relies on the Second Circuit decision in Comcast to support its business model.  As evidence of this, the cloud-based DVR will store a separate copy of each program recorded for each user – massively wasteful, but technically necessary to comply with the Second Circuit's view of what passes muster under copyright law.  This is a fairly bold move, given the recent Aero decision from the Supreme Court where it held that streaming individual television broadcasts over the Internet to individual users constituted a "public performance." ( To any non-legal reader, this is a very technical term of art).  Personally, I find it hard to see how Aero won't create difficult precedent for Cablevision, and I'd be surprised if this didn't make its way up to the Supreme Court.  

For a great summary of the issue by Quartz, go here.



#AppleWatch Raises #Privacy and Security Concerns on Capitol Hill

Politico noted today that Apple has begun to make overtures to law makers on Capitol Hill in connection with the release of the Apple Watch and new iPhone 6.  The basis of such outreach is rooted in concerns over the soon-to-be-mass collection of user health data via the Apple Watch.  The Apple Watch will be capable of recording such metrics as heartbeats and steps taken -- and of course more data as developers begin releasing new apps for the device.  

Politico notes that such outreach is relatively new, an innovation (if we may call it that) of Tim Cook's leadership. As much as it may be disappointing that innovative companies need to worry about regulators, its heartening to see that CEO Cook is out in front of the politics as there will undoubtedly be privacy and cybersecurity legal issues connected with the device.  The reality of technology companies today is that they need to be involved with the law makers who will set the tone for the regulatory environment they will face in the future.  It will be interesting to watch the developments between Congress and Apple concerning the Apple Watch. 

Read the full article here.



#Privacy and paternity issues arise out of innocent genetic testing through #23andme kits is a service that allows for individuals to receive their own genetic profile.  There has been legal issues surrounding the sale of some of its kits -- notably FDA concerns surrounding the medical advice that emerges from such test ( see Reuters ).  One individual documented his story about how his gift of 23andme genetic testing kits to his parents led to him discovering a half-brother no one knew about and, ultimately, the dissolution of his family.   Its a fascinating issue because it involves, on the one hand, a host of privacy concerns surrounding adoption, health and the like, and on the other, one's right to learn about their own body.   The family search opt-in service that they offer, though opt-in, may yet run afoul of state or federal regulations and legislation.  It will be interesting to see how these sorts of issues around commercially available genetic testing develop.  Read the full article here.




Never Intercept Your Ex-Spouse's Email!

Venkat Balasubramani notes an interesting case that continues the line of cases that strongly recommend one against eavesdropping on an a (soon-to-be-)ex-spouse's email account.  Ex-Husband lost a summary judgment motion trying to dismiss the claims brought under the Wiretap Act and Stored Communications Act.  As the couple was separating, husband set up an auto-forward on wife's email account.  After the divorce wife assumed control of the cable and email account.  Years later, wife came to realize that the forwarder had been in place and brought the suit.  Moral of the story: do not, under any circumstance, put yourself in a position to monitor a spouse's email when separating or divorcing!


Read the full article here.



Section 230 Immunity and "Truncating" content

Professor Eric Goldman noted an interesting case in California involving the alteration of content and the applicability of the CDA's §230 immunity.  Section 230 provides:

No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.

The case at hand, Hardin v. PDX, a California case, involves a software manufacturer, PDX, who allegedly "truncates" the information associated with a software program that transmits drug prescription information.  On the one hand, as a mere intermediary of the information, PDX would appear to qualify for §230 immunity.  However, since PDX designed its software so that the prescription information could be altered to omit warnings, the California courts found no immunity applied under §230.  Professor Goldman joined with five other law professors in urging the California Supreme Court to review the case.  

You can read Professor Goldman's post on the case here.




Twitter, Twitpic and Trademarks

Twitpic is going out of business.  Their claim is that Twitter's threatened revocation of API access in exchange for discontinuing Twitpic's trademark application is the reason.  However, one doesn't need a trademark in order to do business.  Click through for the full article:



NetNeutrality, or Destroying Internet Innovation and Investment?

When worrying about the tug-of-war between the big content providers (Google, Netflix, etc.) and the bandwidth providers (Comcast, Verizon, etc.) that captures consumers in its wake, its easy to forget that there is a poignant innovation interest at stake as well.  

Cato notes this tension and discusses the downsides of regulating the internet as a utility in its recent post: Net Neutrality — or Destroying Internet Innovation and Investment?



Apple hacks were from weak passwords

Apple issues a statement earlier today that the leaked photos from celebrity iCloud accounts were the result of password attacks, and not a vulnerability in iCloud itself.  After 40 hours of researching the issue, Apple claims that the breach was the result of targeted password guessing.  

Read the release here.



The Difference Between the Innovator and the Traditionalist

Forbes put up an article today highlighting the difference between the "innovator" personality and the "traditionalist" personality.  It provides an interesting set of comparisons. One that I found most resonant is that the innovator is fine operating without prestige, perhaps on the fringes of a field, until his contributions are recognized and (hopefully) remunerated.  

Read the full article here.



Privacy Rights and Online Advertising Keywords - A Wisconsin Perspective

(note: I co-wrote this article with Fernando M. Pinguelo[1])

            Recently, the Wisconsin Court of Appeals declared that using a competitor’s name as a keyword for online advertising does not run afoul of the relevant state law that guarantees a “right of privacy.”[2]  In 2009, Wisconsin law firm Cannon & Dunphy (“Cannon”) began to use the words “Habush” and “Rottier” as keywords when purchasing online advertising through Google, Yahoo!, and Bing.  By doing so, Cannon ensured that web users searching for their competitor’s law firm, Habush Habush & Rottier (“Habush”), would see Cannon’s sponsored advertisement appear above the organic search results.   Habush sued on the grounds that such use of their name violated a “right of privacy” codified in Wisconsin statute § 995.50.

            Wisconsin recognizes a "right of privacy," and when that right is "unreasonably invaded" an injunction, compensatory damages, and attorneys’ fees can be imposed.[3]  Under the statute "invasion of privacy" includes "[t]he use, for advertising purposes or for purposes of trade, of the name, portrait or picture of any living person, without having first obtained the written consent of the person[.]"[4]

            Cannon attempted to focus the argument on whether or not its "use" was "unreasonable" under the statute.[5] The court refused to consider the additional concept of "unreasonable invasion," stating that “this framing of the issue needlessly complicates resolution of this particular dispute.”[6]  Instead, its sole consideration was whether purchasing online advertising based on a competitor’s name was in fact a "use" contemplated by the drafters of § 995.50.[7]

            Habush’s essential claim was that a § 995.50 “use” means any employment of a name or image for the purpose of exploiting its commercial value.[8]  This interpretation of “use” would push the Wisconsin privacy statute closer to the “right of privacy” found in the Restatement of Torts,[9] where the name, image, or persona are protectable, as a sort of property right, from appropriation for another’s “use or benefit.”  According to Habush, because only incidental “uses” were not covered by the statute, and because Cannon “used” the name of Habush for economic benefit Cannon’s “use” was not merely incidental and was therefore violative of § 995.50.[10] 

            Under Cannon’s contrary view, to violate the statute, the “use” had to be one that was visible to the public.[11]  An example would be incorporating a person’s name or image into an advertisement that was presented to the public at large.  Reviewing similar privacy rights in other states, the court found that every instance required a publicly visible “use” of a protected name or image.[12]

Adopting Cannon’s view, the court held that “non-visible” types of “use,” such as in keyword advertising with search engines, were not what the drafters of § 995.50 meant to include in their definition of the word.    In reaching this conclusion, the court analogized the function of keyword advertising to that of billboard advertising and office location in the physical world.[13]  If Cannon had decided to open a branch office next to Habush in order to divert some of Habush’s foot traffic to its own office, there would be no violation of § 995.50.  Similarly, if Cannon had leased billboard space directly across from Habush in order to siphon off potential customers, there would be no violation.  But under Habush’s unavailing interpretation of § 995.50, such “uses” would be violative.

The court held that Cannon’s business strategy, even though intended to take advantage of Habush’s name, did not run afoul of the statute because the claimed “use” was merely an attempt to juxtapose Cannon with Habush in the minds of web searchers.  Thus, the “use” of the name in purchasing online advertising was more about proximity and less about attempting to incorporate or capitalize on the value of Habush’s name directly. 

            It is important to note that the court did not decide to permit all “non-visible” types of use.[14]  Rather, the court explicitly limited the application of this rule to covering the use of names in the context of Internet keyword advertisements and left open the question of whether it would apply to other contested uses.


Key Takeaways:

- Purchasing online advertising based on a competitor’s name will not be considered a forbidden “use” for the purposes of Wisconsin law under § 995.50.  It is important to note that this decision was handed down by a single intermediate appellate court and is thus new law subject to further interpretation.  In particular, this decision is still be subject to review by the Wisconsin Supreme Court.

- This decision is strictly limited to the use of names for online keyword advertising, such as ads purchased through services like Google’s Adwords, Yahoo!, and Bing.

- The court declined to rule on whether there was in fact an additional requirement related to “unreasonable” uses of such names. Thus, it is possible that uses of names in other contexts are protectable because they can be shown to be not “unreasonable.”  On the other hand, it is possible that the “unreasonable” language in § 995.50 will not ultimately constitute an element.


[1] Fernando M. Pinguelo, a Partner and Chair of the firm’s Cyber Security & Data Protection Law Group, is a U.S.-based trial lawyer who devotes his practice to complex business lawsuits with an emphasis on cyber, international, employment, and intellectual property law. To learn more about Mr. Pinguelo visit or email  Kristian Stout is a partner of A&S Technologies, a software development firm, and a J.D. candidate from the Rutgers School of Law. To contact Mr. Stout email  

[2] Habush v. Cannon, No. 2011AP1769, 2013 WL 627251 (Wis. Ct. App. Feb. 21, 2013).

[3] Wis. Stat. Ann. § 995.50(a).

[4] Wis. Stat. Ann. § 995.50(b).

[5] Habush, ¶10.

[6] Id. at ¶14.

[7] Id. at ¶12.

[8] Id. at ¶¶13,14.

[9] Restatement of Torts § 652C states that “One who appropriates to his own use or benefit the name or likeness of another is subject to liability to the other for invasion of his privacy.”

[10] Habush v. Cannon, No. 2011AP1769, 2013 WL 627251 at ¶19.

[11] Id. at ¶21.

[12] Id. at ¶22.

[13] Id. at ¶26.

[14] Id. at ¶30.



An Analysis of the President’s Cybersecurity Executive Order

Note: This is a cross-post on 


            On February 12, 2013, President Obama issued an Executive Order titled “Improving Critical Infrastructure Cybersecurity” (“EO”).  The EO was created in response to “repeated cyber intrusions into critical infrastructure.”[1] Army General Keith B. Alexander describes the EO as a step in the direction of hardening the nation’s networks across both the government and private sector.[2]  According to General Alexander, the fact that mostly private businesses own the nation’s infrastructure creates a crucial need to share data between the government agencies in a position to gather information on cyber threats and the private companies operating the infrastructure.[3]

The EO chiefly aims to do two things: (1) improve the information sharing facilities between government agencies and the operators of “critical infrastructure,”[4] and (2) create a voluntary “Cybersecurity Framework” for the operators of “critical infrastructure.”[5] 


Cybersecurity Information Sharing

            Section 4 of the EO requires that the Attorney General, the Secretary of Homeland Security, and the Director of National Intelligence provide the timely production of known cyber threats to specifically targeted entities.  Under some circumstances, those agency heads are also empowered to disclose classified reports to the targeted entities, so long as the disclosure is consistent with “the need to protect national security information.”  Finally, Section 4 expands the existing “Enhanced Cybersecurity Services” program to cover any “critical infrastructure sector” where, previously, it had been restricted to companies within the “Defense Industrial Base.”[6]


Cybersecurity Framework

            Section 7 of the EO provides that within one year, the Secretary of Commerce through the Director of the National Institutes of Standards and Technology (“NIST”) is directed to establish a “Cybersecurity Framework”  (“Framework”). This Framework is to be a set of “standards, methodologies, procedures, and processes” that in effect will work to reduce cyber threats.  To the “fullest extent possible,” the Framework shall incorporate voluntary consensus standards and industry best practices.  Among the industry standards and best practices that NIST is currently considering as part of the Framework are encryption and key management, asset identification and management, and security engineering practices.[7]

            The goal of the Framework is to provide operators of “critical infrastructure” with “prioritized, flexible, repeatable, performance-based, and cost-effective” approaches to identification and mitigation of cyber threats. The adoption of this framework will be subject to an open public review and comment process.


Who Is Affected?

            For the purposes of the EO, a “critical infrastructure” is a real or virtual asset that is so vital to the United States that impairment of the asset would have a “debilitating impact on security, national economic security, national public health, or safety.”  However, although the purpose of the Framework is that the operators of this infrastructure actually adopt it, according to Section 8, such adoption will be voluntary. 

It is important to note that the definition of  “critical infrastructure” reads quite broadly and could be construed to cover anything from an electricity utility to Google’s Gmail service.  Further, many of the important terms in the section are left undefined, and are ostensibly up to the discretion of the Director of NIST.  Notably among those undefined terms are “debilitating” and “economic security” – terms which once known could have dramatic effects on companies managing “critical infrastructures” that are seeking to be compliant with the Framework.

NIST has begun work on the Framework.  In a recent press release, NIST suggests that the sorts of “critical infrastructure” referred to are “power plants and financial, transportation and communications systems.”[8] Nonetheless, the actual interpretation of “critical infrastructure” will not be known until the Framework is finally implemented.

According to NIST, the Framework ultimately will “not dictate ‘one-size-fits-all’ solutions, but will instead enable innovation by providing guidance that is technology neutral and recognizes the different needs and challenges within and among critical infrastructure sectors.”[9]



[1] Executive Order: Improving Critical Infrastructure Cybersecurity (“EO”), Section 1.


[3] Ibid.

[4] EO, Section 4.

[5] EO, Sections 7  & 8.

[6] See



[9] Ibid.