There are so many “hot button” issues, it is hard to decide which ones to mention. So I’ll just mention the three that I find extremely interesting:

1. Network neutrality. The FCC issued regulations to prevent telcos and other ISPs from engaging in what supporters would call unfair and anticompetitive activities. On November 10, 2011, those regulations came up for a vote in the Senate. Republicans were attempting to overrule the regulations, but the Democrats were able to defeat the bill. Of course, that is only a temporary victory, since the regulations are also being challenged by Verizon in court, and if the Republicans take over the White House in the next election those regulations are likely to be thrown out.

2. Online sales tax. For many years, Amazon, and other online retailers have been able to avoid collecting sales taxes for their online sales. However, political pressure is mounting for Congress to change the law to compel these vendors to collect sales taxes. Much of this pressure is coming from states that are suffering with sagging tax revenues. If such a law passes, of course, there are bound to be constitutional challenges, eventually winding up in the U.S. Supreme Court.

3. Privacy and GPS devices. The U.S. Supreme Court recently heard oral arguments on whether the police can install a GPS device on a suspect’s car and “follow” him around by monitoring the device. Surprisingly, at least to me, the Supremes seemed receptive to the argument that such activities violated the Fourth Amendment. Next year’s decision will be interesting reading, particular if the Court upholds a right of privacy in these circumstances.

Let me know what your hot button issues for 2012.

The FTC previously reviewed the COPPA Rule in 2005 and retained it without change. In light of rapidly evolving technology and changes in the way children use and access the Internet, in 2010 the FTC initiated another review of the Rule on an accelerated schedule. On April 5, 2010, the FTC sought public comment on every aspect of the COPPA Rule, posing numerous questions for the public’s consideration. In addition, the FTC held a public roundtable and reviewed 70 comments received from industry representatives, advocacy groups, academics, technologists, and individual members of the public.

The Internet has clearly changed considerably since 2000 and it is clear that an updated Rule (if done properly) would be of enormous benefit both to parents (whose children are increasingly interacting with Internet on a daily basis) and website operators (who still seem to be unclear on how to comply with COPPA).

One of the most troublesome areas in complying with COPPA is the “verifiable parental consent” requirement. I am pleased to see that this is one area that the FTC is specifically looking at. Unfortunately, the FTC proposals appear to be increasing the burden on websites, not streamlining them as the proposal claims. The promulgation of the original Rule, with its “verifiable parental consent” requirement resulted in many child-oriented sites moving away from efforts by sites to “customize” the experience for each child-visitor, since the information required to do so fell within the strictures of COPPA. Instead, sites changed to provide the same “experience” to every child that came to them, which turned off a lot of kids.

As the number of interactive child-oriented sites decreased, many children starting exploring more adult-oriented sites that did not need to get “verifiable parental consent” as long as the site was not directed to children and the site operator did not ask for the age of the visitor. Under many lawyers’ reading of the COPPA, a Disney-sponsored site would be required to get consent to gather information from an eight year-old, but playboy.com would not. Certainly a perverse result!!

It will be interesting to see whether changes are actually made this time to the Rule, and whether those changes help or hurt websites that are directed at children.

What many people do not realize is that many newer cars (particularly those manufactured by GM and Ford) contain an “event data recorder” (a so-called “black box”) that is similar to those on airplanes. These devices generally are triggered by electronically-sensed problems in the engine (often called faults), a sudden change in wheel speed or airbag deployment, and store a variety of data, such as which seat belts were being worn at the time of the event and the vehicle’s speed, direction and location. The information contained in the black box can be invaluable in determining the cause of an accident.

The question is whether a driver (or car owner) has a legitimate expectation of privacy in the information stored in the black box or whether the police can download that information without a search warrant.

In a New York case, the court held that no search warrant was required for the recovery of black box data. In People v. Christmann, 3 Misc.3d 309, 776 N.Y.S.2d 437 (2004), the defendant was involved in a motor vehicle accident with a pedestrian. The police at the scene downloaded the data from the car’s black box without a warrant. The court held that exigent circumstances (“[e]vidence regarding the pre-accident conditions within Defendant’s automobile could easily be destroyed, either purposely or accidently, if the automobile was moved from the scene under its own power.” 3 Misc.3d at 315, 776 N.Y.S.2d at 441.) justified the data download at the scene without a warrant.

However, a recent California case, People v. Xinos, 192 Cal. App. 4th 637, 121 Cal. Rptr. 3d 496 (2011), review filed (Mar. 21, 2011), the court came to the opposite conclusion. In Xinos, the defendant was convicted of vehicular manslaughter, based in significant part on the data contained in an event data recorder (also called a “sensing and diagnostic module” or “SDM”) in his car. The defendant had filed a suppression motion regarding the SDM data, claiming that the downloading of the data without a warrant violated his Fourth Amendment rights. The lower court had rejected the motion. On appeal, however, the court reversed.

After an accident in which a pedestrian was killed, the defendant’s car was towed to a police impound lot. A year after the accident, at the request of the District Attorney’s Office, and without obtaining a warrant, police went to the impound lot and:

downloaded the data contained in the vehicle’s SDM. They accomplished the download using a cable connected to the diagnostic link connector (DLC), which was located underneath the vehicle’s dash area on the driver’s side. An SDM receives data from various inputs related to the vehicle’s restraint systems, seat belt pretensioners and airbags. The data includes information regarding engine speed, vehicle speed and deceleration, throttle percentage, braking, airbag deployment, and the restraint system. . . .
Using software, [the police] produced a crash data retrieval (CDR) report. It showed information captured during the five seconds before defendant’s vehicle experienced a change in velocity. It disclosed the vehicle’s speed during the five seconds before the incident. The data indicated that there had been brake activation but the braking “could just be covering the pedal” and was not necessarily hard braking.

Id. at 647, 121 Cal. Rptr. at 502-03.

In the trial court, the prosecutor argued that “no search warrant was required because defendant had no reasonable expectation of privacy in the SDM’s data, analogizing to electronic beepers and emphasizing the diminished expectation of privacy in vehicles. The People maintained that the year delay in conducting the download was immaterial.” Id. at 651, 121 Cal. Rptr. at 505. The trial court held that there was no Fourth Amendment violation:

In this matter the Court is satisfied that the police were permitted to conduct tests and discover data because the vehicle was an instrumentality of the crime of vehicular manslaughter as well as hit-and-run. Therefore, the retrieval of the data in the SDM was not a search within the meaning of the Fourth Amendment. Id.

It further stated that, even if downloading the information was “not a test or a diagnostic event” and it was a search, the search fell “within the automobile exception to the warrant requirement because the police officers had probable cause to believe that evidence pertaining to the crime was contained in the SDM.” Id. at 651, 121 Cal. Rptr. at 505.

The appellate court disagreed:

This case is fundamentally distinguishable from the cases where technology is used to allow law enforcement to capture information that a person is knowingly exposing to the public. . . .
[I]n this case, defendant could not have claimed any reasonable expectation of privacy with respect to governmental observations, including those using enhanced technology, of his driving on public roads. We are more familiar with the examples of law enforcement measuring vehicular speed with radar guns or recording failures to stop at red lights with automated cameras. But in this case, the government was not making any observations of conduct exposed to the public view. Here, defendant’s own vehicle was internally producing data for its safe operation. That exceedingly precise data was not being exposed to the public or being conveyed to any other person.

Id. at 654, 121 Cal. Rptr. at 508. The appellate court found no probable cause for the download:

[T]he scope of a legitimate warrantless search of a vehicle under the automobile exception “is defined by the object of the search and the places in which there is probable cause to believe that it may be found.” The scope of a warrantless search authorized by the automobile exception is “no broader and no narrower than a magistrate could legitimately authorize by warrant.” Moreover, probable cause to conduct a warrantless search must exist at the time the warrantless search is executed.
[I]n this case, the prosecution failed to show that the objective facts known to the police officers at the time of the download constituted probable cause to search the SDM for evidence of crime. The download occurred long after the collision and criminal investigation. The officers who conducted the download were merely complying with an unexplained request of the D.A.’s Office and believed no relevant data would be found. The download of the data was not supported by probable cause.

Id. at 661, 121 Cal. Rptr. at 513. Nor did the court find the SDM data to be lawfully seized evidence of a crime:

The Attorney General has not cited any Fourth Amendment authority permitting new intrusions into any internal part or component of a vehicle simply because the vehicle was seized as evidence. . . . The retrieval of raw data from a vehicle’s SDM not believed by police to hold any evidence of crime is not a reexamination or closer look at areas of a vehicle already reasonably believed to be or contain evidence of a crime; it is a new and different intrusion. The prosecution failed to show in this case that the download of data was justified by the circumstances warranting seizure of the vehicle and examination of its condition. Further, the download of raw data from a SDM does not qualify as a scientific test, similar to DNA or ballistics testing since downloading is merely the copying or retrieval of electronic data or information.

Id. at 663, 121 Cal. Rptr. at 515.

Clearly, the two cases can be factually distinguished. The New York case involved a download of data immediately after the accident versus the year delay in Xinos. The more important issue, however, is whether a driver has a legitimate expectation of privacy in the black box data at all, and if so, when a warrant based on probably cause should be required. As black boxes become ubiquitous in new cars, this issue is bound to be before the courts again.

It’s advice that also applies in the technology field. Just because we can develop certain technologies, doesn’t mean we should do so. Think of chemical weapons. World leaders have decided that such weapons should not be produced or deployed, even though we have the ability to do so.

It also should be applied in the tech law field. Particularly where we are dealing with technology that can invade people’s privacy. Two lines of cases come to mind. The first line of cases, including United States v. Arnold, 533 F.3d 1003 (9th Cir. 2008), cert. denied, __ U.S. __, 129 S. Ct. 1312 (2009), have held that the government has the right to search a computer or any other electronic device possessed by a person at the border – without a warrant or probable cause. The cases have held that warrantless border searches are permissible because the government has an absolute right to regulate what crosses its borders. The fact that the government can conduct such warrantless border searches, however, does not mean that it should.

A second example are the recent cases upholding the warrantless use of GPS devices on cars. In United States v. Pineda-Moreno, 591 F.3d 1212 (9th Cir. 2010) and Foltz v. Commonwealth (Va. App. Ct. Sept. 7, 2010), the courts held that because there is no reasonable expectation of privacy in where a car is driven (since it can be observed by anyone on the street), there is no Fourth Amendment violation in attaching a GPS device to the vehicle and remotely monitoring the location and route taken by the vehicle without a warrant based on probable cause. Despite the fact that:

“The police had no policy regarding the use of GPS devices, in part because the devices were not used particularly often. The police did not predetermine how long they would track appellant. The police also did not develop a policy to avoid following the van into private areas.”

the Virginia court found no violation of the defendant’s rights.

In both of these examples, the courts have found that the government can engage in the conduct at issue without violating the Fourth Amendment. But the more important question is whether our government should be engaging in such conduct. While the Fourth Amendment provides a baseline for government conduct, it should be viewed as a minimum standard for individual rights, and not a maximum.

Congress has the right to require a higher standard from the government if it believes that our society requires the government to be held to such higher standard. We saw that happen in the passage of the Electronic Communications Privacy Act of 1986 (ECPA). The Act continued the federal law that regulated law enforcement’s use of wiretapping technology, despite the fact that the U.S. Supreme Court had previously held that warrantless wiretapping was not a violation of the Fourth Amendment as long as law enforcement did not physically trespass on the suspect’s property. See Olmstead v. United States, 277 U.S. 438 (1928).

The ECPA updated the prior wiretapping statute by adding electronic communications (e.g., e-mails) to the class of protected communications. Despite the fact that courts have held that there is no reasonable expectation of privacy under the Fourth Amendment in e-mails (since the recipient can disclose the contents of the e-mail to others), courts have recognized that the ECPA establishes a higher standard that law enforcement must meet before intercepting e-mails in transit or retrieving them from storage.

In enacting the ECPA, Congress decided that even though the government can wiretap telephone conversations and e-mails with impunity under the Fourth Amendment, it should not be allowed to do so unless it meets the ECPA’s higher standard.

Congress could and should do the same thing with warrantless border searches of electronic devices and the use of GPS devices. Unfortunately, in this political climate it is unlikely to happen.

It’s too bad they won’t take my father’s advice.

The first ten years of my practice saw a need to learn copyright law, while the second ten years required a working knowledge of patent and trademark law, and some privacy law, with a little international trade law thrown in for good measure (including U.S. export control laws and regulations). It was also the time when state and federal legislators were beginning to craft a specialized field of computer crime laws.

By the late 1980s there was a convergence of sorts between the computer and entertainment industries, primarily through videogames and CD-ROM titles. As a result, computer lawyers needed to learn about how the entertainment industry worked – again, primarily in the contracting area — but also with regard to trademarks, Hollywood guilds and unions (e.g., SAG, DGA) and right of publicity issues. It also required computer lawyers to learn a lot more about copyright and contract law in areas that had previously been limited to entertainment lawyers.

Since the 1990s we have seen the subject matter of computer law expand rapidly. We have had to learn telecommunications law, expand our knowledge of trademark law to deal with domain name issues, cope with the ever-expanding body of federal and state laws that deal with the financial laws and regulations underpinning e-commerce, privacy issues, cybercrimes, and a host of other fields that computer lawyers (now called IT lawyers) never thought they would need to deal with.

Now, cloud computing may require us to learn another body of law – admiralty law. Google has recently filed patent applications for ocean-going data centers that would be housed on large merchant ships and could be moored off-shore or sail blissfully in international waters – avoiding the problems arising from pesky local or national laws. These ships would generate their own power, provide their own cooling, have Internet connectivity (presumably from satellites or undersea cables) and generally be subject to no country’s laws. But underlying this concept is still the fact that we are dealing with ships. And ships are subject to both national and international laws – namely admiralty laws.

Dang. Just when I thought I was done learning new laws, I now find myself having to delve into the esoteric area of admiralty law. Ships containing data centers are no different than, and are subject to the same laws as, any other ship. Thus, they are subject to such things as piracy, salvage and seizure (arrest). Yet their cargoes may be infinitely more valuable than any previous ship that has ever plied international waters – the data of thousands or tens of thousands of corporations, millions of individuals, and numerous governments from around the world. How much would that cargo be worth if it fell into the hands of Somali pirates? And what if the assets of even one customer (or the ship owner itself) were subject to a seizure (arrest) order, and the entire ship was seized and the computers taken off the grid?

Far fetched? It was only a couple of months ago that the FBI, looking for assets of a company that had allegedly defraud the local telephone company, raided and seized all of the servers in several Dallas-based data centers – putting all of the data centers’ customers, not just the target of the seizure, out of business. Now multiply that by thousands of customers whose access to their data could be lost if the ship on which their servers and data are housed is arrested under existing admiralty law.

So to all of you IT lawyers representing clients that have or will be entering into cloud computing “solutions” to their data processing needs – start boning up on your admiralty law. It looks like you’re going to need it.

The four courses being offered and the instructors are:

Comparative Electronic Commerce Law and Regulations
Instructor: Dr. Julia Hornle, Queen Mary College of Law, University of London

Comparative Information Privacy Law and Regulations
Professor Ian Walden, Queen Mary College of Law, University of London

Drafting Information Technology Agreements
Professor Michael D. Scott, Southwestern Law School (me)

International Cybercrimes
Professor Susan Brenner, University of Dayton School of Law

The program will run June 21, 2009-July 24, 2009 and is open to any law student from an ABA-accredited law school in the United States, Canadian law students and other law students who can demonstrate English language proficiency. The brochure is available here.

If you are a law student, a law professor, or someone who knows a law student who might be interested in the program, please let them know about it. Due to limited classroom space, the program is limited to 48 students. Students will be admitted to the program on a rolling basis starting in January 2009, so early application is essential. The application is available here.

This is the first summer abroad program to focus exclusively on international IT law, and will provide students an opportunity to learn how IT law is developing in the United States, Europe and elsewhere in the world. The program, which will run from June 21, 2009, to July 25, 2009 (5 weeks), will offer students the opportunity to earn six units of credit by selecting among four courses taught by an exceptional faculty of UK and US law professors:

• International/Comparative E-Commerce Law
• International/Comparative Information Privacy Law
• Drafting Information Technology Agreements, and
• Current Developments in International Internet Law.

The program will take advantage of its location in London — a major business, commercial and legal center — through field trips to a variety of local institutions, as well as guest lectures and visits with some of the city’s leading IT law practitioners. Classes will meet four days a week, allowing students ample opportunity to explore London and other European cities. The program meets all ABA requirements for Foreign Summer Programs.

If you are a law professor who would like to get more information for his/her students or a law student interested in the program, please contact me at mdscott@swlaw.edu.

You can set up Twitter on your computer at work, or at home. I personally use an application called “Twhirl” which just sits on my desktop and receives “tweets” in real time, but there are other services as well.

More important for a lawyer, you can set up Twitter on your cellphone or PDA to receive “tweets” even when you are not in front of your computer. There are three legal microblogging services that have started on Twitter (and that I contribute to), which you may find of interest:

Internet Law microblog
Copyright Law microblog
Privacy Law microblog

Each of these microblogs sends short tweets on new developments in their area of law. Each tweet contains a short blurb and a link. There are generally no more than 3-5 tweets per day, so it shouldn’t overwhelm you with messages.

If you think one or more of these microblogs might be useful in your practice, just join Twitter.com and go to any or all of the links above and click on “follow”. It’s that simple.