Douglas Panzer
September 16, 2014

Hey Hey Hey, Robin Thicke! Drunk and High Doesn’t Obviate Copyright Infringement

Posted By Douglas Panzer @ 4:08 pm
Filed under: Civil Liability,Copyrights,Music,Sound Recordings

Robin Thicke has been pretty well skewered the last year. He’s been called a misogynist and folks have called his huge hit song “Blurred Lines” such colorful descriptors as “rapey” and “a rape song.” As I discussed a while back, he also got involved with litigation against the heirs of Marvin Gaye over whether the same song ripped off Marvin. And now, according to every news outlet under the sun (since this is the most important story around), Robin Thicke is piling on Robin Thicke, saying he was high and drunk all last year. He’s also adding to his own slimeball factor by throwing the super-talented Pharrell Williams under the bus in the Gaye family copyright litigation.

So what does this have to do with this blog?!

Well, Thicke seems to be trying to a) cast off any claim to authorship of the song despite his earlier statements to the contrary; and b) relieve himself of any culpability for copyright infringement by claiming that he was too wasted to consciously infringe Gaye’s copyright. There’s just one problem here…but it’s big. There is no such thing as innocent copyright infringement. Courts use the analogy that “you can’t unring a bell.” That is, once you’ve heard a song, you can’t un-hear it. So you may or may not have consciously or intentionally infringed a copyright by writing or recording a substantially similar song, but if the songs are substantially similar and the copyright in the earlier work is valid, you still infringed the copyright.

Copyright infringement requires two factors to be shown: 1) Ownership of a valid copyright. 2) Copying of the plaintiff’s copyrighted work by the defendant.

Direct, purposeful copying is very infrequently capable of demonstration. Therefore, the analysis of copying frequently relies on whether a) the defendant had access to the plaintiff’s work, and b) whether the two works are substantially similar. In this case, access is a slam dunk. Not only was “Got To Give It Up” a big hit for Marvin Gaye (which in and of itself would be enough to show access), but Thicke even mentioned the song in a Billboard interview last year, according to CNN. This will come down to the analysis of substantial similarity. If the similarity is there, those who wrote “Blurred Lines” and those who recorded it are liable for copyright infringement.

I guess Thicke announced himself as a substance abuser and burned his bridges with Pharrell for no good reason. Nice move.

See also:
Daily Beast calls Blurred Lines “rapey”

April 22, 2013

Dear General Counsel, Is Your Customer-Facing Website Storing Plain Text Login Credentials? (Part 1)

Your business relies on its website to provide information and service to customers and to increase the business’s own efficiency. What happens when that efficiency is stymied by a customer’s “senior moment”…the all-too-common forgotten password? If the answer is a reminder email to the customer containing his or her username and password in plain text, you may want to notify your insurance carrier and replenish your litigation counsel retainer.

Now, I’m not saying the practice of emailing usernames and passwords is a slam dunk path to civil or criminal liability. However, the risks associated with such a practice may be greater than you know and are undoubtedly greater than your business should be willing to subject itself to. Perhaps customers manage their contact information or email subscriptions online. Perhaps you provide true e-commerce and store credit card information. In providing their information, your customers rely on your business to provide reasonable safeguards for the personal information you store about them and your business has a duty – in the truest legal sense of the word – to do so.

E-Mail: Just One Link in Your Non-Secure Communication Chain

Did you know that email is not a secure means of communication? It’s true. Of course, many readers will already know that the vast majority of email messages traverse the Internet as unencrypted messages; binary strings simply transmitted from sender to recipient without any form of obfuscation. Some small comfort may be found in knowing that the email programs used to send and receive these messages require usernames and passwords, but this does not remove the fact that the messages themselves, if intercepted, require no translation or decryption to reveal their full contents. If the message is intercepted, any private information contained therein is visible for all to read. But even the ability of your business to send plain text login credentials signals larger technical shortcomings.

Plain Text Means Something is Plain Wrong in the System Architecture

In order for a customer support system or representative to be able to retrieve a username/password combination and send it to the user, one of two scenarios must be at play: Either a) your tech folks are storing the information in your company’s database as plain text; or b) the login information, though stored encrypted, uses reversible encryption. In either case, your business is not using tech security best practices and arguably you are failing in your duty to safeguard private customer information. Heck, that practice doesn’t even comport with common state privacy laws’ definition of encryption.

Massachusetts statute 201 CMR 17.00 (that state’s data privacy law), for example, defines “Encrypted” as “the transformation of data into a form in which meaning cannot be assigned without the use of a confidential process or key.” If your company’s customer-facing system can decrypt stored user credentials, there is at least one software developer who has seen the key or process while coding it. If your company’s email system can then send that decrypted information over standard email, there is likely at least one system administrator who can see those sent emails on your system. We’re up to two people who shouldn’t have access…shall I continue? What if – please don’t be the one reader whose company does this – your CSRs can look up usernames and passwords in order to communicate them to customers? What’s the number now? By the letter of the law (at least Massachusetts’ law…which, by the way, is nearly identical to many others) your process may not even represent encryption at all since the process or key is arguably no longer confidential.

Do a Legal Review and Work With IT to Craft a Policy

In order to minimize the risk of data loss by and resulting negligence claims against the organization, it is incumbent upon counsel to apprise themselves of the practices used by their company with regard to login credential storage, encryption, communication and reset procedures. Find out what your tech people are doing now and work with them to craft a written policy for the future. Then, be sure to follow up at regular intervals to ensure compliance with the policy. Anything less may be less than due care.

Next Time: Is plain text credential storage criminal?

