UC Berkeley, School of Information
IS 205: Information Law & Policy, Spring 2007
Professor Pamela Samuelson


Your grade for this course will be determined largely based on the quality of your work in the four writing assignments for this course. (The first assignment will be worth 10% of your grade; the next two assignments will be worth 15% each; the fourth assignment will be worth 35% of your grade; the other 25% will be based on your performance in class discussion and on the class listserv.) The due dates for these writing assignments are listed below. I am giving you advance notice about the nature and due dates for the assignments so that you can plan your schedule accordingly. I take deadlines very seriously. For each day any assignment is late, half a grade will be deducted from your score for that assignment.

You may find it helpful to read an essay on the papers part of my iSchool website which is entitled "Good Legal Writing: Of Orwell and Window Panes." I obviously wrote it when I was teaching full-time at a law school, but I have come to regard the advice and rules set forth in that essay as equally applicable to other professional writing, such as that done by graduates of Berkeley's iSchool.

Let me briefly summarize the key points:
1) have a point (that is, don't just describe a phenomenon or what others have said about it; have a point of view or a thesis about it, and don't make too many points in one paper); 2) get to the point with reasonable dispatch (that is, don't clutter up the essay with a lot of background material and only say what you really think at the very end); 3) structure your paper so that one point builds upon the next and each point leads to proving your point in a coherent and holistic way); 4) to accomplish 3), break your paper up into component parts, and develop each separately but in a way that builds toward a unified whole; subtitles are helpful; 5) adopt a measured and professional tone (as if you were being asked to give professional advice on the subject to someone you respect); and 6) be concrete and simplify where possible (e.g., give examples to illustrate your points, use concrete words instead of abstract ones, and try to communicate effectively by using simple words where they will do the job). Proper spelling and grammar are also expected of your writings.

Alex Dailey, the TA for this course, will be available to talk with you about your writing assignments. Those of you who are anxious because you don't have confidence in writing skills should feel comforted that help is at hand. You will be doing your career a huge favor by making use of the resources of this class to become a better writer. Like so many other things in life, writing is a learnable skill.

Assignment #1 is due by noon on Monday January 29:

The Congressional Internet Caucus Advisory Committee is hosting an all-day meeting on "The State of the Net" to discuss legal and policy issues that the 110th Congress may take up. The agenda for the program is available at http://internetcaucus.org/conference/2007/agenda.shtml. I have been invited to speak at the session on "User-Generated Content: Can Copyright Tolerate Mixing and Mashing?" This provides me with an opportunity to provide advice to Congressional staffers and possibly to some members of Congress who will be attending about what, if anything, Congress should do about copyright implications of user-generated content that makes use of copyrighted materials, such as sound recordings, television programs, or movies.

Your assignment is to advise me about what I should advise Congress. Should I, for example, say that all user-generated content should be considered fair use, that there should be a special new privilege for non-commercial user-generated content, that there should be a compulsory license to permit use of copyrighted materials for a small fee, or that Congress should hold hearings to monitor the remix culture? I will be surprised if any of you want to put remixers and mashers in jail, but please consider not just whatever perspective you might have as a user who generates content from copyrighted materials, but also the interests of individual authors and of publishers and entertainment industry firms that want to maintain reasonable control over their content. For those of you who haven't thought at all about copyright and the remix culture, an illustrative story about this can be found at http://www.abc.net.au/catapult/indepth/s1645533.htm.

Maximum word length for this essay: 500 words (or about 2 double-spaced pages).

Assignment 2

Assignment 2 will be another short paper (750 words) about licensing issues and will be due by noon on Friday March 2. Please submit an electronic copy to Alex.

It is common for software companies, especially database companies, to include clauses in their software licenses with customers that forbid publication of benchmark test results without prior written consent from the licensor. Oracle, for example, includes the following sentence in its license: "You may not.disclose results of any program benchmark test without our prior consent." SAP has a similar clause: "You may not disclose the results of any benchmark test.to any third party without SAP's prior written approval."

Assume for the sake of this assignment that software licenses are enforceable in general. The question is whether (or to what extent) these clauses should be enforceable as a matter of law and public policy. Please discuss both the pros and the cons of enforceability, but also make sure to answer the question (are they or aren't they?).

You may do research outside of the readings for this class, but an excellent paper can be written relying only on the reading materials in the coursepack. You should definitely cite to and show your mastery of the relevant reading materials in answering the question posed for this assignment.

Your paper should be no more than 750 words (roughly 3 double-spaced pages of text).

Assignment 3

Due: April 13 by 5pm
Word Limit: 750 words (not 1000, as originally indicated)
Please submit an electronic copy to Alex.

Assume that after graduating from the University of Michigan iSchool, Joe Broom is offered a job at Sprocket, a start-up game company that has been secretly developing a MMORPG code-named "Grom." Because the pay is good, the people are fun, and the work sounds dynamic and engaging, Joe decides to take the job. When Joe accepts the offer, he signs an employment contract containing clauses stating that any intellectual property he develops while working for the firm belongs to it and that he agrees not to work for a competitor of Sprocket's for one year after leaving its employ. He is told that everyone in the firm has signed the same agreement. In addition, Joe will be eligible for stock options in the firm after one year of employment with Sprocket.

Because there are only 10 employees in the company, Joe does many different tasks, including project management, user-interface design, data modeling, and business development.

Before launching Grom, Sprocket decides that a part of its platform will be open so that users will be able to share information externally about their activities in-world and to allow them to create add-on modules to enhance their enjoyment of the game. To do this, Sprocket begins developing an application program interface (API) that allows third party software to interact with user content metadata in the game itself, through a documented public-facing interface.

Over beer and pizza several months into the job, Joe and his best friend at Sprocket, Todd Albert, realize there will be a lucrative secondary market for an online service to aggregate user meta-data, such as profiles and inventory listings, as well as user-created modules into an online aggregation service. Late at night and on weekends, Joe and Todd develop a third-party site to hook into the Grom API on which Todd has been working internally.

Much of the work Joe and Todd do on this project happens in Sprocket's office after hours on their work computers. Sometimes Joe and Todd get together on weekends in the city at a cafe (laptops in tow) to go over their plans. They decide to keep the project quiet until after the Grom launch date to see how popular the game becomes before investing a lot of personal money on publicity and scaling the infrastructure.

When Sprocket launches Grom, it gets outstanding reviews in game magazines and the blogosphere and subscriptions pick up very fast. One month later, on a Friday afternoon, Joe and Todd launch their site, which they called "Metagrom." To their delight and surprise, it gets over 10,000 subscribers over the weekend, many of whom add profiles and game metadata to the Metagrom site.

The next Monday, the CEO of Sprocket calls Joe and Todd to his office.

Your paper should discuss whether Joe and Todd have misappropriated any intellectual property rights owned by Sprocket and/or whether Joe or Todd have breached their employment agreements with the firm. Please cite to and be informed by some of the readings assigned for the class in answering these two questions. (You have till April 13 to do this, but you might find it a good idea to do this assignment sooner while your memories of our discussions of employer/employee default rules are still fresh.)

Assignment 4

Due: May 4 by 5pm
Word Range and Limit: 2500-3000
Please submit an electronic copy to Alex.

This assignment concerns information privacy and security issues. California Civil Code 1798.82 (the text of which is reproduced below) requires companies doing business in California and state agencies to notify individuals about security breaches affecting data about them that are in the entity's possession. Security breaches may occur in a number of ways, such as when hackers break into the entities' computers, when data are inadvertently sent out via email or posted on a website, or when someone leaves a laptop loaded with personal data in an Internet café.

During the current session of Congress, Senator Patrick Leahy introduced Senate Bill 495, Title III, Subtitle B, of which deals with data security breach notification. It is similar to the California law in some ways, but different in some respects. (This legislation can easily be found at http://www.thomas.loc.gov/cgi-bin/bdquery/z?110:s.495:.) The major difference between the CA law and S. 495 is that notice of a breach need not be given if the entity performs a risk assessment and determines that there is no significant risk that the security breach will result in harm to individuals.

Please write a research paper that recommends to a member of Congress about whether he or she should support legislation that is exactly like the California law (only applicable to all U.S. businesses and agencies) or that is modeled on Title III of S. 495. You can address your paper either to the member of Congress from the district in which you vote or someone else in Congress whom you would like to influence. This research report may be tendered either on your own behalf or on behalf of some organization (real or imagined) whose views on this legislation should be considered as part of the legislative debate.

For this assignment, you will be expected to do research and to cite research sources in a standard citation format. (Alex and I will help you with citation formats.) Chris Hoofnagle, who is a Senior Research Fellow at the high tech clinic at Boalt, has provided a set of readings pertinent to this project which will be available on a password-protected place on the iSchool website at https://courses.ischool.berkeley.edu/i205/s07/. In addition to these sources, you may find it helpful to do research using the Lexis database. Among the scholars and activists whose work you might want to cite are: Jim Dempsey, Jerry Kang, Deirdre Mulligan, Marc Rotenberg, Paul Schwartz, and Daniel Solove. CA Civ. Code 1798.82 provides:

(a) Any person or business that conducts business in California, and that owns or licenses computerized data that includes personal information, shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subdivision (c), or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.

(b) Any person or business that maintains computerized data that includes personal information that the person or business does not own shall notify the owner or licensee of the information of any breach of the security of the data immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

(c) The notification required by this section may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation. The notification required by this section shall be made after the law enforcement agency determines that it will not compromise the investigation.

(d) For purposes of this section, "breach of the security of the system" means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business. Good faith acquisition of personal information by an employee or agent of the person or business for the purposes of the person or business is not a breach of the security of the system, provided that the personal information is not used or subject to further unauthorized disclosure.

(e) For purposes of this section, "personal information" means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:

(1) Social security number
(2) Driver's license number or California Identification Card number.
(3) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to individual's financial account.

(f) For purposes of this section, "personal information" does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.

(g) For purposes of this section, "notice" may be provided by one of the following methods:

(1) Written notice.
(2) Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in Section 7001 of Title 15 of the United States Code.
(3) Substitute notice, if the person or business demonstrates that the cost of providing notice would exceed two hundred fifty thousand dollars ($250,000), or that the affected class of subject persons to be notified exceeds 500,000, or the person or business does not have sufficient contact information. Substitute notice shall consist of all of the following:
(A) E-mail notice when the person or business has an e-mail address for the subject persons.
(B) Conspicuous posting of the notice on the Web site page of the person or business, if the person or business maintains one.
(C) Notification to major statewide media.

(h) Notwithstanding subdivision (g), a person or business that maintains its own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this part, shall be deemed to be in compliance with the notification requirements of this section if the person or business notifies subject persons in accordance with its policies in the event of a breach of security of the system.