Several artists, frustrated with Artificially Intelligent (AI) image generators skirting copyright laws, are using similar image generators to produce images of Mickey Mouse and other copyrighted characters to challenge the current legal status of AI art. While an artist’s copyright in a work typically vests at the moment of fixation, including the right to prosecute copyright violation, AI-generated work complicates the issue by removing humans from the creative process. Courts have ruled that AI cannot hold copyright, which by corollary also means that AI-generated art sits in the public domain. This legal loophole has angered many professional artists whose art is used to train the AI. Many AI generators, such as Dall-E 2 and Midjourney, can render pieces in the style of a human artist, effectively automating the artist’s job.

Given Disney’s reputation for vigorously defending its intellectual property, these artists hope that monetizing these public-domain AI Mickeys on mugs and T-shirts will prompt a lawsuit. Ironically, provoking and losing a case in this vein may set a favorable precedent for the independent artist community. As AI becomes more advanced, society will likely need to address how increasingly intelligent and powerful AI can complicate and undermine existing law.

The FBI recently released a Public Service Announcement that all online shoppers should read.

The Announcement outlines a scary scheme by cyber criminals, who “are using search engine advertisement services to impersonate brands and direct users to malicious sites that host ransomware and steal login credentials and other financial information.”

The cyber criminals purchase advertisements that appear in legitimate search engine results by using a domain that is similar to the real business. When a search is made for the legitimate business, the fake ads appear first in the search results. When a user clicks on the link, they are taken to a malicious website that spoofs the real one. The user is then prompted to download software that is malicious without their knowledge.

The FBI provides the following tips to respond to this threat:

The FBI recommends individuals take the following precautions:

  • Before clicking on an advertisement, check the URL to make sure the site is authentic. A malicious domain name may be similar to the intended URL but with typos or a misplaced letter.
  • Rather than search for a business or financial institution, type the business’s URL into an internet browser’s address bar to access the official website directly.
  • Use an ad blocking extension when performing internet searches. Most internet browsers allow a user to add extensions, including extensions that block advertisements. These ad blockers can be turned on and off within a browser to permit advertisements on certain websites while blocking advertisements on others.

Additionally, the FBI recommends businesses take the following precautions:

  • Use domain protection services to notify businesses when similar domains are registered to prevent domain spoofing.
  • Educate users about spoofed websites and the importance of confirming destination URLs are correct.
  • Educate users about where to find legitimate downloads for programs provided by the business.

Governors of numerous states have issued Executive Orders in the past several weeks banning TikTok from government-issued devices and many have already implemented a ban, with others considering similar measures. There is also bi-partisan support of a ban in the Senate, which unanimously approved a bill last week that would ban the app from devices issued by federal agencies. There is already a ban prohibiting military personnel from downloading the app on government-issued devices.

The bans are in response to the national security concerns that TikTok poses to U.S. citizens [View related posts].

To date, 19 states have issued some sort of ban on the use of TikTok on government-issued devices, including some Executive Orders banning the use of TikTok statewide on all government-issued devices. Other state officials have implemented a ban within an individual state department, such as the Louisiana Secretary of State’s Office. In 2020, Nebraska was the first state to issue a ban. Other states that have banned TikTok use in some way are: South Dakota, North Dakota, Maryland, South Carolina, Texas, New Hampshire, Utah, Louisiana, West Virginia, Georgia, Oklahoma, Idaho, Iowa, Tennessee, Alabama, Virginia, and Montana.

Indiana’s Attorney General filed suit against TikTok alleging that the app collects and uses individuals’ sensitive and personal information, but deceives consumers into believing that the information is secure. We anticipate that both the federal government and additional state governments will continue to assess the risk and issue bans on its use in the next few weeks.

According to the National Security Agency, actors backed by the Chinese government are actively targeting a zero-day vulnerability in two commonly-used Citrix networking devices.

The exploit (CVE-2022-27518) affects Citrix ADC, an application delivery controller, and Citrix Gateway, a remote access tool. Both devices are standard in mid-to-large enterprise networks. Analysts at the National Institute for Standards and Technology (NIST) categorize the exploit as ”critical,” the highest risk level, for its broad potential impact and ease of execution.

Citrix pushed out an emergency patch for the vulnerability last week and is urging customers using affected builds of Citrix ADC and Citrix Gateway to install the updates immediately. Compliance Officers and Chief Information Security Officers may wish to consider heeding this warning and apply the firmware patch to affected devices ASAP, outside of regular update cycles if necessary.

The federal government has implemented a program in which each household can order four free COVID-19 test kits through the United States Postal Service (USPS). This is a perfect opportunity for scammers to spoof the USPS site to try to obtain personal information from unwary users.

It is very easy to order the four tests, and all you have to provide to register for the tests to be sent to you is your name and your address. NOTHING ELSE.

If you land on a website that looks like a website offering the free COVID-19 tests through USPS, but which asks for any personal information (such as date of birth, driver’s license number, or Social Security number), you are being targeted by scammers trying to obtain your personal information for fraudulent purposes. To learn more about how to protect yourself from fraud and to obtain the official link for free COVID-19 tests, click here.

According to NBC News and Reuters, the United States Secret Service confirmed that hackers from APT41, a criminal cyber-hacking group linked to the Chinese Communist Party, stole “at least $20 million in U.S. Covid Relief benefits, including Small Business Administration loans and unemployment insurance funds in over a dozen states.”

According to the report, Chinese hackers were also behind other large data breaches that provided access to millions of Americans’ personal information to be “used by China for espionage purposes.” In addition, testimony before Congress has included that “every adult American has had all or most of their personal data stolen by the Chinese government.”

The Secret Service is diligently working to recapture the funds and has stated that it has “recovered about half of the stolen $20 million in the APT41 case.”

Since the California Privacy Protection Agency (CPPA) released its draft regulations pursuant to the California Privacy Rights Act (CPRA), the biggest gripe from businesses has been the website tracking opt-out requirements. Recognition of opt-out requests from consumers could potentially cost companies some significant dollars.

The CPRA amends the California Consumer Privacy Act of 2020 and goes into effect on January 1, 2023. One of the amendments included a new consumer right to opt-out of cross-context behavioral advertising (i.e., the ability to request that a website not track the user across time or across websites). There are many ways in which a consumer can opt-out of this sharing of data. One way could be to click on an opt-out button or link on a specific website. Another way could be to download an app, use a specific browser or platform (such as Global Privacy Control (GPC)) to automatically emit opt-out signals for every website visited. However, if a consumer uses GPC but does not turn off the universal opt-out signal, and then visits a website where the consumer actively and knowingly participates in an opt-in rewards program, it remains unclear on how a business should proceed in response to that signal.

Without more clarity under the CPRA regulations on how companies should respond on a TECHNICAL LEVEL, it may be difficult to achieve full compliance with consumers’ opt-out choices. This means that the potential for a violation and subsequent liability will increase beginning in the new year.

The CPPA has not wavered on its ‘do not track’ requirement, saying that a plain reading of the CPRA indicates flexibility for site-specific opt-out links. As currently written, the draft regulations would not require businesses to add opt-out links on their websites if they in fact do process opt-out signals from external apps in a “frictionless” manner. A “frictionless” manner means that the business does not:

  1.  Charge a fee for recognizing an opt-out signal
  2.  Change the consumer experience with the product or service
  3.  Display pop-ups, notifications, graphics, etc., in response to the signal

Businesses that should include opt-out links on their websites process external ‘do not track’ signals in a “non-frictionless” manner, which means that the signal is processed in a way that could change the user experience. Even the use of “non-frictionless” (which essentially means “with friction”) convolutes the issue and creates confusion among companies that are trying to comply before the end of the year. We will continue to watch for updates on the final regulations and further technical guidance on ‘do not track’ signals and consumer choice when it comes to the same

The Shanghai Data Exchange, launched in November 2021, is reportedly gearing up to go international. The announcement came from the 2022 Global Data Ecosystem Conference, held in Singapore this November. The Shanghai Data Exchange aims to build “a data factor market” and “promote data capitalization.” Or, in plain terms, it wants to create a stock exchange for personal data.

If that sounds dystopian, don’t lose hope yet. Several states, most prominently California, have recently passed laws that give consumers the right to opt out of having their data sold to third parties. Vermont has gone further by becoming the first state to regulate data brokering as an industry. Still, data brokering is obscenely lucrative, with some market projections expecting the data brokering industry to hit $365.71 billion dollars by 2029. The market is ripe for this type of international data exchange, with traders buying, selling, and investing in personal data as a commodity. Lawmakers, and the American people, will likely need to continue grappling with how to protect privacy in the face of this burgeoning powerhouse. 

The Federal Communications Commission (FCC) will categorically ban devices over national security concerns for the first time in history. Per a new order, the FCC will prohibit the import and sale of devices produced by Huawei and ZTE, and restrict the use of several other Chinese-produced devices for government and critical infrastructure purposes. Huawei and ZTE are electronic device manufacturers based in China with reportedly strong ties to the Chinese Communist Party, leading to high-profile data privacy and security concerns. In an official statement, FCC Commissioner Brendan Carr stated that these devices may allow hackers to “exploit backdoors in our electronics systems to obtain sensitive information and exploit that access to endanger America’s interests.” Commissioner Carr has publicly stated that TikTok should also be banned in the U.S. due to similar national security concerns.

Under the Secure Equipment Act of 2021, the FCC can grant and deny equipment authorizations for electronic communication equipment to be used on federally-regulated frequency bands. This order, passed unanimously by the Commissioners, will also empower the FCC to revoke previously-granted authorizations. Additionally, the order may not be the last federal action against a Chinese-based company. Carr ended his statement by calling on the FCC to address “insecure applications” (including TikTok) that send sensitive data “back to Beijing.”

A 34-page class action was filed against Blackhawk Network for a data breach that occurred on MyPrepaidCenter.com in September of this year. The plaintiffs allege that Blackhawk Network’s failure to prevent or detect this incident was “particularly egregious” since it operates a website where consumers can activate and manage prepaid gift cards, which requires collection of lots of sensitive and high-risk data.

The incident involved unencrypted and unredacted names, email addresses, telephone numbers, and payment card data (such as card numbers, expiration dates, and CVV codes). The complaint states that Blackhawk had “blocked” the impacted prepaid cards, but did not address the data involved in the breach.

The plaintiffs further allege that as a result of this incident and Blackhawk’s failure to prevent or detect the incident, MyPrepaidCenter.com users have and will incur “real and imminent harm” such as unauthorized credit card charges, theft of their personal information, loss of use and access to financial accounts, loss of time, and future risks related to the unauthorized access to their data by cybercriminals.

This incident comes shortly after Blackhawk Network announced a similar breach in August 2020, when it detected suspicious activity on GiftCards.com. The action identifies the class as all users who were impacted by the September 2022 breach, including all individuals who received notification from Blackhawk.