August 3, 2015

avatar

Android WebView security and the mobile advertising marketplace

Freedom to Tinker readers are probably aware of the current controversy over Google’s handling of ongoing security vulnerabilities in its Android WebView component. What sounds at first like a routine security problem turns out to have some deep challenges.  Let’s start by filling in some background and build up to the big problem they’re not talking about: Android advertising.
[Read more…]

avatar

Google Fights Genericide Claim (and Wins)

Google’s famous trademark in its name has just survived a challenger’s attempt to have it declared generic. In Elliott v. Google, a federal court in Arizona held last week that despite the public’s use of the word “googling” to mean “searching on the Internet,” the “Google” word mark still functions in the minds of consumers primarily to identify Google, the Mountain View-based Internet company, as the source of the search service associated with the “Google” mark. The plaintiff in the case argued that the public’s use of a trademark as a verb necessarily signifies that the mark has become generic. The court disagreed:

Verb use of a trademark is not fundamentally incapable of identifying a producer or denoting source. A mark can be used as a verb in a discriminate sense so as to refer to an activity with a particular product or service, e.g., “I will PHOTOSHOP the image” could mean the act of manipulating an image by using the trademarked Photoshop graphics editing software developed and sold by Adobe Systems. This discriminate mark-as-verb usage clearly performs the statutory source-denoting function of a trademark.

The court went on to explain that a problem arises for a mark owner only if mark-as-verb usage is indiscriminate, and the mark becomes referentially unmoored in the public’s mind from the mark owner’s product or service.

[Read more…]

avatar

Google Spain and the “Right to Be Forgotten”

The European Court of Justice (CJEU) has decided the Google Spain case, which involves the “right to be forgotten” on the Internet. The case was brought by Mario Costeja González, a lawyer who, back in 1998, had unpaid debts that resulted in the attachment and public auction of his real estate. Notices of the auctions, including Mr. Costeja’s name, were published in a Spanish newspaper that was later made available online. Google indexed the newspaper’s website, and links to pages containing the announcements appeared in search results when Mr. Costeja’s name was queried. After failing in his effort to have the newspaper publisher remove the announcements from its website, Mr. Costeja asked Google not to return search results relating to the auction. Google refused, and Mr. Costeja filed a complaint with Spanish data protection authorities, the AEPD. In 2010, the AEPD ordered Google to de-index the pages. In the same ruling, the AEPD declined to order the newspaper publisher to take any action concerning the primary content, because the publication of the information by the press was legally justified. In other words, it was legal in the AEPD’s view for the newspaper to publish the information but a violation of privacy law for Google to help people find it. Google appealed the AEPD’s decision, and the appeal was referred by the Spanish court to the CJEU for a decision on whether Google’s publication of the search results violates the EU Data Protection Directive.
[Read more…]

avatar

Your TV is spying on you, and what you can do about it

A recent UK observer with a packet sniffer noticed that his LG “smart” TV was sending all his viewing habits back to an LG server. This included filenames from an external USB disk. Add this atop observations that Samsung’s 2012-era “smart” TVs were riddled with security holes. (No word yet on the 2013 edition.)

What’s going on here? Mostly it’s just incompetence. Somebody thought it was a good idea to build these TVs with all these features and nobody ever said “maybe we need some security people on the design team to make sure we don’t have a problem”, much less “maybe all this data flowing from the TV to us constitutes a massive violation of our customers’ privacy that will land us in legal hot water.” The deep issue here is that it’s relatively easy to build something that works, but it’s significantly harder to build something that’s secure and respects privacy.
[Read more…]

avatar

A Good Day at the Googleplex

            Judge Chin has issued his decision in the Google Book Search case, and it’s a win for Google. For those of you who have been following the litigation, it’s been a long trip through the arcana of class certification. Today’s decision, however, finally gets to the merits of Google’s fair use defense under the Copyright Act. The outcome is not surprising in light of last year’s decision in the related HathiTrust case, which held that Google’s mass digitization of books on behalf of academic libraries to facilitate scholarship and research and to aid print-disabled library patrons is fair use. The Google Books case could have come out differently, however, given that Google, unlike an academic library, is a commercial enterprise and that the service it provides through Book Search reaches far beyond an academic audience. In addition, the amount of text that Google displays in Book Search results (multiple contextual “snippets” including the search term) is greater than the amount displayed by the HathiTrust (only the page numbers and number of hits per page for the search term). Both of those factors—the commercial or non-profit nature of the use and the amount of text displayed—are relevant to the fair use analysis.

[Read more…]

avatar

Copyrights, Fundamental Rights, and the Constitution

There was a lot to take issue with in Scott Turow’s recent op-ed in The New York Times. Turow, who is currently President of the Authors Guild, took to The Times to criticize the Supreme Court’s decision in Kirtsaeng v. John Wiley & Sons, which brought physical books manufactured and sold abroad within the protective scope of copyright’s first sale doctrine. Turow cast the Court’s decision as another blow to authors’ rights, which, by his account, are being pitilessly washed away by the digital tides. He blames the usual suspects: e-books, Amazon.com, pirates, Google, and—this last one may surprise you—libraries. The coup de grace, he asserted, will be the extension of first sale rights to digital copies of books. (It may comfort him to know that the possibility of that happening is more remote following Redigi’s recent defeat in federal district court.)
[Read more…]

avatar

Google Publishes Data on Government Data and Takedown Requests

Citizens have long wondered how often their governments ask online service providers for data about users, and how often governments ask providers to take down content. Today Google took a significant step on this issue, unveiling a site reporting numbers on a country-by-country basis.

It’s important to understand what is and isn’t included in the data on the Google site. First, according to Google, the data excludes child porn, which Google tries to block proactively, worldwide.

Second, the site reports requests made by government, not by private individuals. (Court orders arising from private lawsuits are included, because the court issuing the order is an arm of government.) Because private requests are excluded, the number of removal requests is lower than you might expect — presumably removal requests from governments are much less common than those from private parties such as copyright owners.

Third, Google is reporting the number of requests received, and not the number of users affected. A single request might affect many users; or several requests might focus on a single user. So we can’t use this data to estimate the number of citizens affected in any particular country.

Another caveat is that Google reports the country whose government submitted the request to Google, but this may not always be the government that originated the request. Under Mutual Legal Assistance Treaties, signatory countries agree to pass on law enforcement data requests for other signatories under some circumstances. This might account for some of the United States data requests, for example, if other countries asked the U.S. government to make data requests to Google. We would expect there to be some such proxy requests, but we can’t tell from the reported data how many there were. (It’s not clear whether Google would always be able to distinguish these proxy requests from direct requests.)

With these caveats in mind, let’s look at the numbers. Notably, Brazil tops both the data-requests list and the takedown-requests list. The likely cause is the popularity of Orkut, Google’s social network product, in Brazil. India, where Orkut is also somewhat popular, appears relatively high on the list as well. Social networks often breed disputes about impersonation and defamation, which could lead a government to order release of information about who is using a particular account.

The U.S. ranks second on the data-requests list but is lower on the takedown-requests list. This is consistent with the current U.S. trend toward broader data gathering by law enforcement, along with the relatively strong protection of free speech in the U.S.

Finally, China is a big question mark. According to Google, the Chinese government claims that the relevant data is a state secret, so Google cannot release it. The Chinese government stands conspicuously alone in this respect, choosing to deny its citizens even this basic information about their government’s activities.

There’s a lot more information I’d like to see about government requests. How many citizens are affected? How many requests does Google comply with? What kinds of data do governments seek about Google users? And so on.

Despite its limitations, Google’s site is a valuable step toward transparency about governments’ attempts to observe and control their citizens’ online activities. I hope other companies will follow suit, and that Google will keep pushing on this issue.

avatar

Google Threatens to Leave China

The big news today is Google’s carefully worded statement changing its policy toward China. Up to now, Google has run a China-specific site, google.cn, which censors results consistent with the demands of the Chinese government. Google now says it plans to offer only unfiltered service to Chinese customers. Presumably the Chinese government will not allow this and will respond by setting the Great Firewall to block Google. Google says it is willing to close its China offices (three offices, with several hundred employees, according to a Google spokesman) if necessary.

This looks like a significant turning point in relations between U.S. companies and the Chinese government.

Before announcing the policy change, the statement discusses a series of cyberattacks against Google which sought access to Google-hosted accounts of Chinese dissidents. Indeed, most of the statement is about the attacks, with the policy change tacked on the end.

Though the statement adopts a measured tone, it’s hard to escape the conclusion that Google is angry, presumably because it knows or strongly suspects that the Chinese government is responsible for the attacks. Perhaps there are other details, which aren’t public at this time, that further explain Google’s reaction.

Or maybe the attacks are just the straw that broke the camel’s back — that Google had already concluded that the costs of engagement in China were higher than expected, and the revenue lower.

Either way, the Chinese are unlikely to back down from this kind of challenge. Expect the Chinese government, backed by domestic public opinion, to react with defiance. Already the Chinese search engine Baidu has issued a statement fanning the flames.

We’ll see over the coming days and weeks how the other U.S. Internet companies react. It will be interesting, too, to see how the U.S. government reacts — it can’t be happy with the attacks, but how far will the White House be willing to go?

Please, chime in with your own opinions.

[UPDATE (Jan. 13): I struck the sentence about Baidu’s statement, because I now have reason to believe the translated statement I saw may not be genuine.]

avatar

Watching Google's Gatekeepers

Google’s legal team has extraordinary power to decide which videos can be seen by audiences around the world, according to Jeffrey Rosen’s piece, Google’s Gatekeepers in yesterday’s New York Times magazine. Google, of course, owns YouTube, which gives it the technical ability to block particular videos — though of course so many videos are submitted that it’s impractical to review them all in advance.

Some takedown requests are easy — content that is offensive and illegal (almost) everywhere will come own immediately once a complaint is received and processed. But Rosen focuses on more difficult cases, where a government asks YouTube to take down a video that expresses dissent or is otherwise inconvenient for that government. Sometimes these videos violate local laws, but more often their legal status is murky and in any case the laws in question may be contrary to widely accepted free speech principles.

Rosen worries that too much power to decide what can be seen is being concentrated in the hands of one company. He acknowledges that Google has behaved reasonably so far, but he worries about what might happen in the future.

I understand his point, but it’s hard to see an alternative that would be better in practice. If Google, as the owner of YouTube, is not going to have this power, then the power will have to be given to somebody else. Any nominations? I don’t have any.

What we’re left with, then, is Google making the decisions. But this doesn’t mean all of us are out in the cold, without influence. As consumers of Google’s services, we have a certain amount of leverage. And this is not just hypothetical — Google’s “don’t be evil” reputation contributes greatly to the value of its brand. The moment people think Google is misbehaving is the moment they’ll consider taking their business elsewhere.

As concerned members of the public — concerned customers, from Google’s viewpoint — there are things we can do to help keep Google honest. First, we can insist on transparency, that Google reveal what it is blocking and why. Rosen describes some transparency mechanisms that are in place, such as Google’s use of the Chilling Effects website.

Second, when we use Google’s services, we can try to minimize our switching costs, so that moving to an alternative service is a realistic possibility. The less we’re locked in to Google’s service, the less we’ll feel forced to keep using those services even if the company’s behavior changes. And of course we should think carefully about switching costs in all our technology decisions, even when larger policy issues aren’t at stake.

Finally, we can make sure that Google knows we care about free speech, and about its corporate behavior generally. This means criticizing them when they slip up, and praising them when they do well. Most of all, it means debating their decisions — which Rosen’s article helpfully invites us to do.