Advertising Law

Sharing Is Caring? New Report Documents Apps Sharing User Data at High Rates

A new report has revealed that Apple and Android apps share information with third parties at high rates.

Testing 55 of the most popular Android and iOS free applications, researchers from the Massachusetts Institute of Technology, Harvard University, and Carnegie Mellon University discovered that 73 percent of Android apps leaked user e-mail addresses, while 47 percent of iOS apps shared location data.

"We show that a significant proportion of apps share data from user inputs such as personal information or search terms with third parties without Android or iOS requiring a notification to the user," the researchers for the "Who Knows What About Me? A Survey of Behind the Scenes Personal Data Sharing to Third Parties by Mobile Apps" report found.

To determine if data was being shared, the study looked for transmissions of personally identifiable information, search terms, and location data using a "man-in-the-middle" proxy to record HTTP and HTTPS traffic that occurred while the app was in use. On average, the Android apps sent potentially sensitive data to 3.1 third party domains; iOS apps had a slightly lower rate, with an average transmission to 2.6 third parties.

Comparing the two types of apps, the researchers said that Android apps were more likely to share personal information such as a user's name and e-mail address (73 percent) than iOS apps, 16 percent of which passed along names and e-mail addresses. However, iOS apps shared geolocation data more often (at 47 percent) than Android apps (33 percent).

In the category of medical, health, and fitness apps, the study found that 3 out of 30 shared both search terms and other information supplied by users. For example, the Android app Drugs.com passed along searches for "herpes" to five third-party domains, the researchers found.

The most popular recipients of the data were Google.com (36 percent), Googleapis.com (18 percent), and Apple.com (17 percent). The study also found that 93 percent of the Android apps connected to a "mysterious domain" at safemovedm.com.

To read the report, click here.

Why it matters: The FTC has stressed that companies should adopt simplified privacy mechanisms that give consumers the option to decide what information is shared and that provide greater transparency into their products. In light of increasing federal, state and consumer scrutiny of the privacy and data sharing practices of mobile apps, the report underscores the need for companies to carefully consider how consumer data is shared.


DFS Battle Heads to Courtroom as Sites Sue New York AG to Keep Games Alive

The battle over daily fantasy sports (DFS) is now headed to the courtroom after New York's Attorney General sent cease and desist letters to two of the largest sites declaring them illegal and ordering them to halt operations in the state.

"DFS contests are neither harmless nor victimless," AG Eric Schneiderman wrote in his letters to DraftKings and FanDuel. Both letters noted that "Daily Fantasy Sports are creating the same public health and economic concerns as other forms of gambling, including addiction," and that each company's advertisements "seriously mislead New York citizens about their prospects of winning."

Under New York state law, gambling occurs when a person "stakes or risks something of value upon the outcome of a contest of chance or a future contingent event not under his control or influence, upon an agreement or understanding that he will receive something of value in the event of a certain outcome."

The wagers on DraftKings and FanDuel "easily meet" this definition, the AG wrote. "DraftKings bettors make bets (styled as 'fees') that necessarily depend on the real-world performance of athletes and on numerous elements of chance. The winning bettors receive large cash prizes—and the company takes a 'rake' or a cut from each wager." He noted that Washington State reached the same legal conclusion under a similar statutory definition.

Schneiderman was careful to distinguish traditional fantasy sports, where participants conduct a comprehensive draft, compete over the course of a long season, and repeatedly adjust their teams. "They play for bragging rights or side wagers, and the Internet sites that host traditional fantasy sports receive most of their revenue from administrative fees and advertising, rather than profiting principally from gambling."

In noting the differences between traditional fantasy sports and DFS, the letter to DraftKings focused on the company's role in the wagering process. It stated that "sites hosting DFS are in active and full control of the wagering: DraftKings and similar sites set the prizes, control relevant variables (such as athlete 'salaries'), and profit directly from the wagering." It further stated that "DraftKings has clear knowledge and ongoing active supervision of the DFS wagering it offers. Moreover, unlike traditional fantasy sports, DFS is designed for instant gratification, stressing easy game play and no long-term strategy."

DraftKings compounded the problem by promoting DFS like a lottery, Schneiderman wrote. It represented to New Yorkers that the game is "a path to easy riches that anyone can win," with ads such as: "It's the simplest way of winning life-changing piles of cash," and "The giant check is no myth … BECOME A MILLIONAIRE!" The AG's investigation found that just the top one percent of winners receive the vast majority of DraftKings' winnings.

The letters ordered the companies to "cease and desist from illegally accepting wagers in New York State as part of its DFS contests."

Wasting no time, DraftKings and FanDuel requested that a New York state court halt the enforcement of the cease and desist order and provide a declaration that their DFS operations are legal in the state. DraftKings' complaint characterized the AG's actions as a "shocking overreach" and a "misreading" of New York's gambling law.

New York's Attorney General "has unleashed an irresponsible, irrational and illegal campaign to destroy a legitimate industry," according to the complaint filed by DraftKings. "To ban an entire industry from the State, without even once informing these companies that such a thing was possible or affording them any opportunity to be heard, violates the most basic tenets of fairness and due process."

The companies' efforts were halted when New York Supreme Court Judge Manuel Mendez denied requests for a temporary restraining order and set a date for a subsequent hearing on the matter.

The New York AG's investigation began with news reports that employees of DraftKings and FanDuel regularly played on each other's sites and won significant amounts of money. Although the companies said their workers did nothing wrong, the allegations of insider trading prompted the companies to ban employees from participating in DFS.

The revelations triggered several investigations by state Attorneys General and the Federal Bureau of Investigation, as well as letters from lawmakers. Consumer class action suits were also filed. The Nevada Gaming Control Board had earlier declared that DFS is a form of gambling under state law requiring a license. In the hopes of staving off some of the controversy, the industry agreed to establish a self-regulatory body tasked with creating a program of ethics and integrity.

To read the AG's cease and desist letter to DraftKings, click here.

To read the AG's cease and desist letter to FanDuel, click here.

To read the complaint in In the Matter of the Application of DraftKings v. Schneiderman, click here.

To read the complaint in FanDuel v. Schneiderman, click here.

Why it matters: The New York lawsuit is just the latest salvo in the ongoing battle over DFS and represents just one front for engagement. In the days following AG Schneiderman's cease and desist letter, his Massachusetts counterpart said she considered DFS to be a form of gambling and noted that the state's investigation into the industry is ongoing, while a state lawmaker in California requested that AG Kamala Harris take a closer look at DFS.


First Data Security Action Yields $595,000 Fine From FCC

In the agency's first data security enforcement action against a cable operator, the Federal Communications Commission fined Cox Communications $595,000 for an August 2014 data breach where a hacker gained access to customer data, including names, e-mail addresses, and driver's license numbers, among other information.

An investigation by the FCC's Enforcement Bureau revealed that a hacker impersonated a Cox IT worker and convinced a customer service representative and a company contractor to enter account IDs and passwords on a phishing site, which gave the hacker access to the customer database. Some of the customers' information was later posted online, including on social media sites, and the hacker changed some customers' account passwords.

"Cable companies have a wealth of sensitive information about us, from our credit card numbers to our pay-per-view selections," FCC Enforcement Bureau Chief Travis LeBlanc said in a statement. "This investigation shows the real harm that can be done by a digital identity thief."

Cox's data security systems at the time of the breach were lacking, the agency said, and the company failed to properly protect the confidentiality of its customers' proprietary and personally identifiable information. Further, Cox did not report the breach to the FCC as required by law.

To settle the charges, Cox agreed to pay a $595,000 civil penalty and adopt a comprehensive plan that includes FCC oversight for a seven-year period. The company must adopt a written information security program, conduct annual system audits and penetration testing, designate a senior corporate manager who is a certified privacy professional, implement a more robust data breach response plan, provide privacy and security training to third party vendors and employees, implement multifactor authentication, and establish internal threat monitoring.

Cox also promised to notify affected customers of the breach and provide them with one year of free credit monitoring.

To read the FCC's order in In the Matter of Cox Communications, click here.

Why it matters: The FCC's first data security enforcement action against a cable operator does not look to be its last. "Consumers of cable and satellite services are entitled to have their personal information protected," according to the FCC order. "Inadequate security of subscribers' personal information can result in real world consequences for those customers, who are put at risk of financial and digital identity theft. In the wrong hands, a customer's sensitive personal information could also be used to take control of a customer's real accounts, to change the passwords on those accounts, to expose the customer's personal information on the web, and to harass or embarrass the customer through social media."


Parody of Copyrighted Work Entitled to Copyright Protection

The parody of a copyrighted work is entitled to its own copyright protection, the Second Circuit Court of Appeals has ruled in reviewing a stage production based upon the movie Point Break.

Playwright Jaime Keeling created a stage adaptation of the 1991 Hollywood movie Point Break starring Keanu Reeves and Patrick Swayze called Point Break Live! The PBL parody parallels the characters and plot elements from the movie and almost exclusively uses selected dialogue from the film.

To this material, however, Keeling added jokes, props, exaggerated staging, and humorous theatrical devices intended to transform the plot of the drama into an "irreverent, interactive theatrical experience."

Keeling executed an agreement with a production company owned by Eve Hars to stage a run of PBL in 2007. Hars came to believe that Keeling did not lawfully own any rights to the PBL parody play and continued to produce it after the contract expired and without payment to Keeling for four years, even after Keeling filed for copyright protection in the play.

Asserting claims for copyright infringement, breach of contract, and tortious interference, Keeling filed suit against Hars in 2010. After Hars filed an unsuccessful motion to dismiss and successive unsuccessful motions for summary judgment, the case proceeded to a five-day jury trial in 2012. Ultimately, jurors returned a verdict in Keeling's favor in the amount of $250,000, finding that her use of material from the film was fair use in the way of a parody, that she solely owned the copyright to the parody play, and that the defendants infringed her copyright. Hars appealed.

The Second Circuit Court of Appeals affirmed.

The panel explained that Keeling's contributions to the work—consisting of individually non-copyrightable elements—were sufficient to support a copyright in the parody.

Although the Copyright Act principally offers protection for original works of authorship and authors may retain the exclusive rights to derivative works, if "a work employs preexisting copyrighted material lawfully—as in the case of a 'fair use'—nothing in the statute prohibits the extension of" copyright protection, the panel said.

"It is not the invocation of fair use that provides the work copyright protection, and perhaps thinking so has created some confusion on the part of the defendant," the court said. "It is the originality of the derivative work that makes it protectable, and fair use serves only to render lawful the derivative work, such that it may acquire—as would other lawful derivative works—such protection."

This interpretation of the Copyright Act "is consistent with the animating policy behind the fair use doctrine—to fulfill copyright's core purpose of promoting development in arts and science," the panel added. "Without any possibility of copyright protection against infringement for her original fair-use parody, playwrights like Keeling might be dissuaded from creating at all."

The court rejected Hars' argument that Keeling's original contributions were insufficient to warrant copyright protection because they were simply stage directions and theatrical devices. Recognizing that the Copyright Act explicitly protects compilations, the panel concluded Keeling's efforts exceeded the low creativity threshold to warrant protection.

"To be sure, Hars is correct that Keeling could not copyright the commonly used individual stage directions and theatrical devices—e.g., the concept of drafting an audience member to play the lead, the reliance on cue cards, or the use of squirt guns—which together comprise PBL's jokes," the court wrote. "But Keeling has never sought to do so." Instead, the creative contribution and resulting copyright was the original way in which she selected, coordinated, and arranged the elements of her work to create new parodic meaning, the court said.

A challenge to the district court's jury instructions similarly failed and the panel affirmed the verdict in favor of Keeling.

To read the decision in Keeling v. Hars, click here.

Why it matters: Contrary to typical fair use cases that examine the scope of the fair use defense in light of challenges brought by copyright holders, this case focuses on rights afforded to those who invoke fair use to protect their own works that include borrowed material. The Second Circuit's ruling is noteworthy in defining the scope of protection that one may assert to protect a work that incorporates the work of others.


ATTORNEY ADVERTISING

pursuant to New York DR 2-101(f)

© 2021 Manatt, Phelps & Phillips, LLP.

All rights reserved