Are Trademarks a Data Security Alternative to Sad, Weak, Outdated Copyrights?

If you’ve been on the web for a while, you’ve seen an advertisement that looks like the user interface of the website you’re viewing- or maybe an ad that has a false close button, and clicking it just navigates you to the advertised page. These are blatant ways to trick consumers into taking actions they don’t want to take. Sometimes, these inadvertent actions can create security vulnerabilities such as malware.

Despite all of the focus on applying copyright law to the internet, I wonder if there are hints of trademark and trade dress protections that could become relevant to data privacy issues. I will cautiously, even timidly, explore a few of those possibilities (which several others have explored over the last few years).

I. Trademarks: When it Comes to Data Privacy, Accept No Imitations.

Trademarks have a simple purpose: to let consumers know the origin of a good or service. Trademarks are often a word, phrase, or image (logo), but can also be a sound or smell (on rare occasion, it can get a bit more abstract ).

A major category of trademark infringement is counterfeiting. That $20 “ROLEX” watch from the guy in the alley? That’s a counterfeit (sorry), and one of the legal issues involved in the sale of that watch is the use of a trademark without the legal right to use it. There haven’t been a lot of counterfeit websites on the internet, especially since SSL and other authentication processes got better. However, there are plenty of imitation apps and games. One of the reasons such apps and games fail and are quickly removed from distribution is that they infringe trademarks.

However, some countries do not have the same standards regarding trademark (or copyright) enforcement. Consider an imitation League of Legends game, lampooned here. At the end of the video, the player says “Oh, and it’s also a virus,” as his security software reports malware after playing the game. This humorously underscores the point that many infringing* products pose a security and privacy threat. Using trademark law to limit the proliferation of readily accessible, easily confused programs is a valuable practice in maintaining computer security for consumers.

II. Trade Dress: No One Really “Owns” That Icon… But You Know Who Owns That Icon.

Trade dress is a sort of sub-category of trademarks. It’s rarely talked about or used, but it can be thought of as the totality of design and aesthetics that go into a product, place, or service that make consumers identify the source. Color palette, patterns, shapes, and other factors go into the evaluation of trade dress. Crucially (and perhaps fatally), elements of a trade dress must be considered “non-functional.”  For example, the major case in trade dress concerned a Tex-Mex restaurant that used the same colors and layout of another Tex-Mex restaurant.

Here’s the controversial idea I think deserves consideration: Could misleading, camouflaged web content be considered an infringement of trade dress? (Think of the kinds of ads that make you believe you’re not clicking on an ad, but rather some piece of actual content on the site- especially regarding navigation buttons that match the navigation icons of the site.)

The reason I look to trade dress for a solution is that icons and interfaces, even stylized ones, are not subject to trademark, copyright, or patent protections. Furthermore, websites are increasingly treated as the digital equivalent of stores and offices of businesses- so much so that designs and layouts can come to be the trade dress of that business. Thus, there is a gap in the legal protection of user interfaces, and a need to cover that gap.

(Treating websites as subject to trade dress might have the added benefit of discouraging UX and UI designers from fiddling with the location and arrangement of navigation tools every other month just to justify their paycheck. And that’s the kind of change this world really needs.)

Conclusion: Trademark Protection is Already Working, Trade Dress is Still Vague and Untested

Trademark law is already quietly making the digital ecosystem a little bit safer by eschewing threatening knock-off games and apps. I think there’s a case to be made for applying trade dress to websites and UIs, but it would be a novel application and courts may be hesitant to apply the law so creatively.

 

* “300 Heroes” Infringes both copyrights and trademarks, but it’s the funniest example.

 

Keep Data Secret, Keep Data Safe.

Privacy and Security are two different words, so it is reasonable to ask if there is a difference between “Data privacy” and “Data Security.” The terms seem to be used interchangeably a lot, but I think there is a difference that affects how we think about the issues and that guides how we approach solutions to protecting information.

The standard industry analysis is that Data Security is “confidentiality, integrity, and availability,” while Data Privacy is about the “appropriate use” of the data (I think this is better understood as asking “are only the right people seeing the data?”).

If you’ve seen the movie (and you should have), you remember this moment:

When Gandalf leaves Frodo with the One Ring, he admonishes him: “Keep it Secret. Keep it Safe.” Is this one instruction, or two? Are safety and security of a thing the same thing, or two different dimensions of protection?

  1. Secrecy as Privacy.

One of the most interesting discussions I had in law school began with a professor asking “What good is Privacy?” Some academics and jurists, like Judge Posner, have challenged privacy as inefficient; it is the right of criminals to hide their activities and avoid detection or evade conviction by concealing evidence. Advocates of this position assert that non-criminals do not need privacy, while privacy greatly advances the efforts of criminals.

However, privacy is also how we keep information away from criminals. In the digital world, information is everything, so keeping information away from criminals prevents harm. While non-criminals might not fear other non-criminals accessing financial information, certainly they would not want criminals to have the tools to access their bank accounts.

Privacy is an element of security, but it is not the same thing as security. One of the best ways to keep a secret is for people to not know you have a secret; people don’t rob vaults they don’t know exist. However, you wouldn’t leave your valuables unguarded and rely solely on the hope that no one ever finds out about them. Security is always a prudent consideration. (Though there might be interesting strategic choices in minimizing security to maximize secrecy…)

  1. Safety as Security.

I thought it was a little odd that the US government considers “integrity” one of three prongs of data security. “Confidentiality” makes sense (see the point on secrecy), and “availability” is an often over-looked part of security. Your money would be very safe if you shot your life savings into space, but that’s the kind of security plan we might call “not thought through to step two.” But why would the reliability and accuracy of the data be part of the security of the data? We don’t evaluate the security of a bank value on the basis of whether the currency it protects is undermined by inflation or monetary policy decisions.

I think this prong shows one of the dissimilarities between physical security and cybersecurity. We are rarely concerned about the sabotage of physical things we protect, just as we are not often concerned about physical objects being copied (as data can be copied). Data is subject to minor alterations that can corrupt it to render it unreadable or unsafe to use. In some cases, the fact of the data being shared might render the data less valuable (particularly for military intelligence).

  1. So, Gandalf has a pretty good privacy policy. By keeping a Ring secret, it is easier to keep safe; by recognizing the difference between safety and secrecy, he is able to give Frodo a more robust policy to guard the fate of Middle Earth.

Of course, if Gollum yelps out “SHIRE! BAGGINS!” the data will be compromised and new measures and methods will become necessary… But “The Fellowship of Data Protection” is a blog post for another day.

Child[ren] of Light [in Fiber Optic Cables]: Battling the Monster of Data Vulnerability

I. Like so many other gamers, I usually have some complaints about a game- some buggy feature in the UI, some design choice that manages to annoy me throughout the entire game, repetitive  music that grates on my nerves, etc. It doesn’t mean the game is bad, but just that I see some room for improvement. I don’t know how I would improve Child of Light. It has a wonderful story, beautiful art, fun and interesting combat, characters I can care about, and not much else. I think that was one of the strongest points of the game—its leanness. The developers did not burden the game with extra fluff; they edified the game down to what was essential, and worked to make that as excellent as they could. The only thing that I didn’t love about the game was that I had to play it through Uplay (after buying and installing it through Steam). The absurdity and frustration of one game distribution platform directing me to another game distribution platform occupied my mind as I played the opening levels of Child of Light. As I played a coming-of-age tale about a loss of innocence and the fight to defend oneself and loved ones in a hostile world, I saw the obvious comparison to the coming-of-age of cyberspace, and the fight to defend data and identity in a hostile world. The first point I thought of was how efforts to protect against piracy are often misguided, but I then thought about data protection more generally.

II. The young protagonist, Aurora, grows through her battles in a dangerous world. Coming-of-age stories are about the loss of protection and the discovery of vulnerability in a dangerous and unforgiving world. The internet has had its own coming-of-age progress. It is grown from a nascent state of limited, careful users who protected and cared for it to being used by billions of people every day, with billions of dollars spent maintaining and attempting to control or harness it in one way or another. From businesses who use the internet to conduct business, to businesses whose business is conducting internet through cables and wireless transmissions, to government agencies to anarchist hackers, everyone wants to govern the data of the internet.

III. So, in response to the rising threat of hackers and errors, passwords and encryption became ubiquitous. But despite putting a deadbolt on the door, the data frequently seeps through cracks at the hinges or under a window left slightly ajar. Think about the ways our “data” escapes our control:

– Large-scale Database hacks (PlayStation Network, HomeDepot, Target, AT&T, Steam, etc.)

– Private, small hacks (phishing scams, ATM card readers, discarded paper mail, keylogging)

– Third party purchases of data.

-We carelessly or inadvertently publish our own data without realizing it, or thinking about the consequences.

We don’t hear about a lot of people losing their data because of weak personal  passwords. In the 80s and 90s (and sometimes beyond), most films that depicted some kind of cybersecurity breach showed someone sneaking into a researched area and guessing (or using a previously obtained) a password.  I have a constant background fear for my data, but not because I think someone might guess one of my passwords. It’s because my data is already out there, entrusted to dozens of companies.

IV. In Child of Light, combat allows for either physical or magical attacks. Each character has corresponding defensive stats for each kind of attack: physical resistance and magical resistance (nothing new for the RPG genre); high physical resistances do nothing to protect against magical attacks. In the same way, my setting an extremely strong, 28-character login for my laptop does not protect my credit card information from getting stolen from the servers of Steam or AT&T or AcmeCorp. (Hopefully, their hash functions do!)

As we come of age, we learn to lock doors to houses and cars, and exercise basic, sound judgment about safety in public. People need to become educated about cybersecurity. Everyone, from the most average consumer purchasing on Amazon, to network and IT administrators of large corporations and government offices, needs to think about what the real threats are and what measures are helpful and productive in protecting data. Given the way data has been compromised in the last two years, I am inclined to think that monthly password changes with the usual set of enormously restrictive requirements is not always the best or most pertinent protection.