Header graphic for print

TMT Perspectives

Insight & Commentary on Business, Legal and Policy Developments Affecting the Telecom, Media, and Technology Sectors

Prosecution of Retail Spyware App Publisher Raises Questions

Posted in Cybersecurity, Privacy, Technology

On October 7, 2014, federal prosecutors in Virginia charged Hammad Akbar with manufacturing, advertising, and selling to retail customers a mobile phone spyware application called “StealthGenie.[1] In issuing this Indictment, the Government applied an old law to new circumstances, which raises a host of questions.

  The Prosecution.  According to the Indictment, StealthGenie was marketed to persons wishing to monitor “spousal cheaters.”  When installed (requiring one-time access to a device such as a phone or computer) the app enables the person installing the app to intercept and record phone conversations and to obtain access to text messages and computer files, all without the knowledge of the owner.

The Government alleges that the app publisher broke the 1986 Electronic Communications Privacy Act, 18 U.S.C. § 2510 et seq. (the “ECPA” or “the Act”).  The ECPA expanded the 1968 “Wiretap Act,” which was largely designed to protect telephone conversations from unauthorized government access.[2] The ECPA extended those restrictions to computer files.

The Law.  Historically, the Act has been used for the purpose that was surely contemplated by its drafters: to prosecute the sale and use of hardware such as microphones and recorders used to capture voice communications.  See, e.g., United States v. Pritchard, 745 F.2d 1112 (7th Cir. 1984) (possession of tape recorder, amplifier and patch cords used to record room conversations sufficient to sustain a conviction under the Act); United States v. Wynn, 633 F Supp. 595 (C.D. Ill. 1986) (manufacturing, sale and advertisement of disguised listening devices prohibited under the Act); see also 2156 P.L. 90-351 (Apr. 29, 1968) (discussing the social harms caused by unauthorized surveillance and wiretapping).

Beginning in the 1990s, prosecutors took an expansive view of the term “electronic communications” to include television cable signals, and used the Act to prosecute the manufacturing, sale and use of so-called cable “descramblers” that allowed users to pirate cable television.  See, e.g., United States v. Crawford, 52 F.3d 1303 (5th Cir. 1995) (upholding conviction for manufacturing and selling devices for the unauthorized interception of cable television signals); United States v. Herring, 993 F.2d 784 (11th Cir. 1993) (same); United States v. Davis, 978 F.2d 415 (8th Cir. 1992) (same); United States v. Lande, 968 F.2d 907 (9th Cir. 1992) (same).  This creativity proved fruitful:  for a time, the Act was primarily used to prosecute cable television piracy and related crimes.[3]

New Era:  Challenges for Courts and Uncertainty for Software Manufacturers.   United States v. Akbar signals another era in prosecutions under the Act, this time based on an expansive view of the term “device.”  In the past, prosecutions under the Act involved the use of a physical device such as a covert microphone, tape recorder, or modified cable box.

But is a software application different from the types of physical devices that were traditionally subject to the Act?  Although a few courts in the civil context have evaluated application of the Act to software,[4] there is scant—if any—criminal case law addressing the issue of whether an application like StealthGenie constitutes a device for the purposes of the Act.[5]

Taken to its extreme, the Government’s novel view that a software program constitutes a device could lead to a proverbial slippery slope for the software industry.  If the Government’s interpretation stands, that means that manufacturers of digital products such as StealthGenie would face liability under the Act.  Given that the Government has already proven successful in expanding the definition of “electronic communications” to include cable signals, perhaps courts would also find that digital footprints such as cookies and browser histories are “electronic communications” subject to the Act.  It is well-known that companies such as Google and Facebook obtain and sell these kinds of consumer data without the end-user’s explicit knowledge or consent.  The Government’s approach to expand the Act to software applications could have far-reaching implications to the very business models upon which these companies reap their profits.

Also, although data privacy is currently a hot issue thanks to recent news of “hacked” celebrity photographs, as well as breaches or possible breaches of consumer information held by Staples, the Oregon Employment Department, and Home Depot (to name a few), the culprits in those situations are the thieves, not the manufacturer of the “crowbars” they used to “break in.”  Akbar has the potential to expand the scope of liability in these cases, as well.

It is unclear whether prosecutions like Akbar will be a successful, or whether courts will take a more restrictive view of the Act.  As the Luis court noted, “when existing laws are used in new ways, courts have struggled to determine whether, and in what circumstances” they should be applied to “modern and ever-evolving norms.”[6]


[1]     See United States v. Akbar, No. 14-cr-276 (E.D. Va. Oct. 7, 2014). On October 16, 2014, Akbar failed to appear for his arraignment, and a civil injunction was ordered to prevent continued advertisement and sale of the application.  See United States v. Akbar, No. 14-cv-1273 (E.D. Va. Oct. 16, 2014).

[2]     See 18 U.S.C. § 2512 (the Act) and 42 U.S.C. § 3711 (the Wiretap Act). The revised Act protects a broad range of electronic communications from unauthorized interception and makes illegal the “manufacture, possession, assembly and sale of devices designed for the purposes of surreptitious interception of wire, oral, or electronic communications.”  18 U.S.C. § 2512(1)(b).

[3]     See 129 A.L.R. Fed. 549 § 2(a).

[4]     See Havlicek v. Deep Software, Inc., No. 06-cv-211 (S.D. Oh. June 23, 2008) (dismissing third-party civil action brought against manufacturer of computer spyware software because 18 U.S.C. §2512 does not contemplate private causes of action and finding that the plain meaning of the word “device” refers to physical equipment and does not encompass software); see also Luis v. Zang, No. 12-cv-629 (S.D. Oh. March 5, 2013) (section 2512 of 18 U.S.C. does not contemplate private causes of action).

[5]     See United States v. Barrington, 648 F.3d 1178 (11th Cir. 2011) (upholding wire fraud convictions under 18 U.S.C. § 1343 based on individual’s use of “key-logging” software to infiltrate a university’s computer system and accepting the premise that the software constituted a “device” for sentencing enhancement purposes).

[6]     12-cv-629 at *4.

Perspectives on Marketing Corporate Social Responsibility

Posted in Advertising, Business Skills, Companies, Media

Although the runaway train known as Corporate Social Responsibility (CSR) has long since left the station and its global momentum is growing at an unprecedented rate, sufficient time remains for advertising and PR industry holdouts to consider hopping aboard, benefiting themselves and their constituencies in the process.

It remains surprising to see the lingering degree to which the breathtakingly explosive global growth of the CSR marketing movement is still apparently discounted, overlooked or simply dismissed by many in the industry, especially since the origins of CSR date back more than a century.

In the decade since David Vogel’s book The Market for Virtue: The Potential and Limits of Corporate Social Responsibility was published by The Brookings Institution, the global wave of interest in and adoption of CSR endeavors and related media campaigns has been unprecedented. Although the initial growth of CSR initiatives and related advertising campaigns may have been less reliant on choosing to do what seems ethical over what is most profitable in the near-term, the stampede to aggressively promote CSR endeavors as an integral part of corporate marketing strategies has served as a catalyst for embracing socially conscious business pursuits and as a foundational element in business self-regulation. Continue Reading

Medical Device Companies: Take Notice of Cyber Security Risks

Posted in Cybersecurity, Healthcare

There has been a groundswell of effort by the U.S. Government to address growing cybersecurity risks in industry sectors from finance to energy. This first week of National Cyber Security Awareness Month has brought with it a continuation of the Government’s effort to provide cybersecurity guidance to industry.  This most recent effort is focused on the medical device arena with the U.S. Department of Health and Human Service’s (“HHS”) release of a guidance document entitled “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices.

The goal of the HHS guidance document is to encourage medical device manufacturers to address cybersecurity issues early during design and development of the medical device.  With this in mind medical device manufactures can develop a set of controls to assure security and maintain functionality and safety of medical devices, to avoid potential risk of patient illness, injury or death.

The HHS guidance document has its foundation in the Framework for Improving Critical Infrastructure Cybersecurity released earlier this year (previous article at 7-8) and recommends that manufactures consider that framework’s core functions, namely “Identify”, “Protect”, “Detect”, “Respond”, and “Recover”. In the context of the HHS guidance document these functions can be summarized as follows:

  • Identify: identify the risks associated with the device (e.g., is it a network connected device, does it have accessible data ports, where will it be used);
  • Protect: provide the appropriate level of security for the risk (e.g., limit access, use strengthened passwords, use physical locks) and provide justification for the chosen security functions;
  • Detect: implement device features that allow security compromises to be detected;
  • Respond: provide a response plan to end users regarding actions to take following detection of a cybersecurity breach; and
  • Recover: provide a method for retention and recovery of device configurations.

The HHS guidance document concludes with recommendations regarding what information manufactures should provide in their premarket medical device submission related to cybersecurity, including:

  • “hazard analysis, mitigations and design considerations” regarding the cybersecurity risks associated with your device;
  • a “traceability matrix” linking your cybersecurity controls to the considered risks;
  • a summary describing a plan for providing software updates and patches to maintain device safety and effectiveness;
  • a summary describing a plan to prevent introduction of malware from the point of origin to the point at which the device leaves the manufacturer’s control; and
  • device instructions for recommended cybersecurity controls in the given environment (e.g., use of firewalls or anti-virus software).

The HHS guidance recommends that this information should be provided in the following premarket submission: Premarket Notifications, De novo submissions,  Premarket Approval Applications, Product Development Protocols, and Humanitarian Device Exemption submissions.

While the HHS guidance document does not establish legally enforceable responsibilities, device manufactures should take notice.  A failure to pay heed may result in inadequate cybersecurity measures that most importantly may risk harm to patients, but also may damage the company’s reputation and create increased liability risks should a breach occur.

Net Neutrality: Back to Basics – Blocking Access to the Internet Can Be Entirely Rational

Posted in Companies, Competition Policy, FCC, Legal Developments, Net neutrality

The debate over net neutrality has been marked by extreme rhetoric. Those that support regulation designed to keep the Internet “free” and “open” assert that Internet access providers left to their own devices will interfere in the marketplace, thereby stifling innovation and competition.

This is a legitimate concern. A free and open marketplace will generally serve the public interest. Public interest types agree, but challenge whether the marketplace is free and open, particularly if the companies that transport your data to the Internet (telephone, cable and wireless companies) are free to limit your access. The response is that rational actors would not limit such access for fear of consumers’ responses.

The issues are complex, but it is worth taking a moment to note something simple: limiting access to the Internet can be an entirely rational business activity, even for the largest and most sophisticated consumer-oriented companies.

How do we know? Last week the FCC fined Marriott International (the hotel company) and Marriott Hotel Services (which manages hotels) US$600,000 for blocking their customers’ Wi-Fi hotspot access to the Internet. See the Consent Decree here. Continue Reading

Dollar General Goes Hostile – Manipulating Antitrust in High-Stakes Mergers

Posted in Antitrust, Companies, Competition Policy, FTC, Legal Developments, Mergers & Acquisitions, Transactions

On Friday, September 5, 2014, Family Dollar issued a press release that effectively foreclosed a friendly deal with Dollar General. On Wednesday, September 10, 2014, Dollar General said it would initiate a cash tender offer for Family Dollar. Dollar General has gone hostile. (See our previous blog on this matter.)

In Family Dollar’s release, Family Dollar outlines the reasons why a deal with Dollar General would raise more antitrust issues than a deal with Dollar Tree. These reasons include:

  • Family Dollar and Dollar Tree are deeply involved in an FTC investigation.
  • Family Dollar and Dollar General compete in far more than 1500 local geographic areas, the limit of the number of stores Dollar General would divest to close the deal.
  • Family Dollar and Dollar General price aggressively where they do compete, and less so where they do not, suggesting that they are in fact close substitutes. Dollar General’s CEO has made statements to this effect publicly.
  • The FTC would need to review over 20,000 local geographic markets, more than it has ever reviewed.

In effect, Family Dollar’s antitrust lawyers disagree with Dollar General’s antitrust lawyers, and the Family Dollar board has decided to believe their own counsel. Dollar General could not make any argument that would conclusively refute these assertions and thereby force the Family Dollar board to go with Dollar General.

Dollar General’s only recourse was the tender offer. The tender offer allows Dollar General to file notification and trigger an antitrust review of its own deal, independent of what Family Dollar may or may not do. It allows, or really forces, the FTC to focus on the Family Dollar/Dollar General transaction even to the exclusion of the Family Dollar/Dollar Tree transaction because of the unique timing issues under HSR associated with tender offers. It also eliminates a lot of the antitrust deal risk Dollar General wanted to avoid as suggested by their comments on the hell-or-high-water clause. Continue Reading

Dollar General Ups Its Offer (A Little) – Manipulating Antitrust in High-Stakes Mergers

Posted in Antitrust, Competition Policy, FTC, Legal Developments, Mergers & Acquisitions, Transactions

Last week, we suggested that Dollar General needs to offer a “hell or high water” clause and begin its response to a potential second request if it wants to eliminate antitrust as an issue in its bid to acquire Family Dollar. It looks like Dollar General has taken a more conservative, incremental step, in an effort to address the antitrust concerns of Family Dollar’s board. Dollar General has upped its bid for Family Dollar to $80 a share and included an offer to divest up to 1,500 stores. Dollar General has also apparently hired Richard Feinstein, a former Director of the FTC’s Bureau of Competition, to “independently review” Dollar General’s antitrust work. According to Feinstein, the Family Dollar/Dollar General transaction could be completed “on the terms previously proposed.”

Mr. Feinstein is an extremely well-regarded antitrust attorney with a great deal of experience, particularly as it relates to the application of antitrust, and the FTC’s version of antitrust, to this deal. Mr. Feinstein’s statement, while likely correct, is still just his opinion. There is nothing about his opinion that would render it inherently more compelling than that of whomever is advising Family Dollar. Under the business judgment rule, Family Dollar’s board is entitled to trust whichever advisor they feel is best. Hiring Mr. Feinstein will not move the dial.

Nor will increasing the number of stores Dollar General is willing to divest. A combination of Family Dollar and Dollar General will have approximately 20,000 stores. Fifteen hundred stores represents about seven percent of the total. A reasonable antitrust attorney could conclude that is simply not enough. The press is reporting that Dollar General has argued that the companies compete with a “host of retailers” like pharmacy chains, convenience stores, Walmart and Amazon. The FTC could take the view that there is a class of customer for whom brick-and-mortar dollar stores are the only close substitutes. As such, you would be looking at a very large Dollar General compared to a much smaller Dollar Tree. In that event, one might argue that, with the Family Dollar/Dollar General deal, one has a merger to duopoly with the dominant player significantly larger than the closest competitor. Irrespective of whether that’s true, the 1,500-store divestiture offer may not fix that problem. In that circumstance, Family Dollar’s antitrust attorney, and therefore its board, could reasonably conclude that the 1,500-store divestiture offer simply doesn’t address that concern, and therefore Dollar General’s bid remains inferior. Continue Reading

Next Steps for Dollar General – Manipulating Antitrust in High-Stakes Mergers

Posted in Antitrust, Companies, FTC, Legal Developments, Transactions

Dollar General said on August 28, 2014 that it is “fully” committed to the Family Dollar deal. Bloomberg is reporting that “people familiar with the matter” said last week that Family Dollar is willing to consider Dollar General’s offer if it agrees to sell as many stores as regulators would require (see our previous blog post on this matter). I also saw somewhere a suggestion that the dialogue with the agencies has already started. If so, there is now timing pressure on Dollar General to get that bid in. If Dollar Tree is able to get substantially down the path with the investigating agency, then the relative timing difference between the two bidders does in fact become an issue. The agency would have to start the process over with Dollar General, delaying consummation by a potentially significant amount. If there is a clear path to a deal with Dollar Tree at the agency, even at significantly less and without hell-or-high-water clause, the Family Tree board could quite legitimately conclude Dollar Tree is still the best mate.

But it’s unclear if/when Family Dollar and Dollar Tree have filed HSR, how much has been done, and how far along the parties are in coming to a consensus on a divestiture package with the agencies. I doubt that either Family Dollar or Dollar Tree has made much progress. Indeed, I suspect that Family Dollar and Dollar Tree are expecting a normal, slow, congenial-ish second request process and haven’t done much at all with the agencies. That could be an advantage for Dollar General.

If Dollar General is serious about pursuing a genuine bid for Family Dollar, Dollar General should consider starting to respond in earnest now to what they anticipate a second request would look like. Continue Reading

American Dumps Orbitz: An Antitrust Investigation to Follow?

Posted in Antitrust, Competition Policy, E-commerce

American Airlines (AA) issued a press release today stating that it and US Airways were withdrawing their fares from Orbitz and Orbitz-affiliated websites effective immediately. Orbitz’s shares were immediately down 5 percent. AA stated that it “ha[s] worked tirelessly with Orbitz to reach a deal with the economics that allow us to keep costs low and compete with low-cost carriers.” AA went on to say that “[w]hile [its] fares are no longer on Orbitz, there are a multitude of other options available for . . . consumers, including brick and mortar agencies, online travel agencies, and [its] own website.”

Unilateral refusals to deal are generally not illegal under the Sherman Act. A company is usually free to deal with whom it wishes. An exception may lie for a company with market power that engages in a profitable, long term course of dealing with a competitor, then abruptly terminates the relationship without reasonable justification. These so-called Aspen Skiing cases are not usually successful. Concerted refusals to deal can be per se illegal: an agreement between competitors not to deal with another competitor can violate the antitrust laws irrespective of the rationale. Parallel behavior, without an agreement, is not a per se violation of the Sherman Act, however. Continue Reading

Family Dollar to Merge with Dollar Tree – Manipulating Antitrust in High-Stakes Mergers

Posted in Antitrust, Companies, FTC, Legal Developments, Transactions

Family Dollar, a troubled discount store, is up for sale. They have entered an agreement to merge with Dollar Tree for US$8.5 billion. Recently, Dollar General, a competitor, offered US$9.7 billion. On August 21, 2014, Family Dollar’s board unanimously rejected Dollar General’s offer and reasserted their desire to go forward with Dollar Tree. The grounds were that Dollar General failed to address Family Dollar’s antitrust concerns. Somewhat ironically, this rationale has likely given Dollar General a roadmap to a bid that Family Dollar’s board couldn’t refuse without breaching their fiduciary duties.

Substantive antitrust issues rarely arise in mergers and acquisitions. When they do, they can have significant ramifications. The government can demand meaningful divestitures or even sue to block a deal. When considering competing bids, all other things being equal, a seller looking at a strategic and financial buyer should always pick the financial buyer. They will have no antitrust issues, and therefore no chance of delay or litigation. Potential strategic buyers must compensate sellers for the additional risk as well as shift some or all of this risk to themselves to produce a superior bid. Continue Reading

*Can* You Monopolize a Coffee Cartridge Market?

Posted in Antitrust, Companies, Competition Policy, Lawsuits, Legal Developments, Patent, Technology

Introduction

If you read our recent article discussing the allegations of monopolization in the replacement k-cup market, you may have detected a certain measure of skepticism about the antitrust claims’ potential for success. And you’d be correct. But does that skepticism extend to all aftermarkets? Do we mean to suggest that all aftermarket manufacturers are inefficient free-riders unworthy of the protection of the antitrust laws?

To some extent, yes, all aftermarket participants are free riding off the efforts of the original equipment manufacturer. After all, in an aftermarket, a third party is making a part for someone else’s device. But this articulation, if taken to its logical conclusion, would imply that an OEM should never face antitrust liability because all they are doing is driving out inefficient free-riders. That is not what we’re saying. OEMs can face antitrust liability for driving out aftermarket competitors. Continue Reading