The FTC's highly questionable disclosure rules have been in effect for a bit over a month now, and it appears that even the FTC doesn't understand who they apply to or how they apply. And that's the problem. Apparently, someone noticed that actress Gwyneth Paltrow lavished praise on a resort in Marrakech, Morocco, and wondered if Paltrow had paid for her stay there -- noting that it was the grand opening of the place, with lots of stars -- and Hollywood publicists asked about this said there was "not a chance in hell" that someone like Paltrow paid to attend. In fact, they wonder if Paltrow was even paid for her "appearance." So, how do the FTC rules apply? She was pitching a place that most likely gave her something quite valuable for free. That should be disclosed, right? That was the whole point of the FTC rules, right? Well, maybe not. When asked about it, the FTC hemmed and hawed and claimed that "celebrity endorsements are different." Why? Because consumers might "understand that celebrities are always getting free stuff." Right, but wasn't the whole reason that these new disclosure rules were instituted in the first place that bloggers and others were supposedly (though, I believe it to be exaggerated) "always getting free stuff" too? Basically, these FTC rules sound like the sorts of things that are totally subjective, whereby the FTC can crack down on someone they don't like if they have nothing else to use, but will leave others untouched.

Oh boy. Here's a fun one. You had to expect that there would be more defamation lawsuits about Twitter following the first one involving Courtney Love, but this one is quite impressive, considering of all the twists and turns that must be followed. It involves some company promoting something called "The Cookie Diet" (which appears to be exactly what you would think) suing Kim Kardashian for libel. If you don't keep up with pop culture, Kim Kardashian is one of those people famous for being famous. The details of the lawsuit, though, are somewhat complex, and it's difficult to figure out who to side with in this trainwreck in progress (and, yes, it seems pretty likely that the whole thing is a publicity stunt for all involved, but that doesn't mean it's not worth covering).

So, basically, the story is that this "cookie diet" supposedly has some fans in Hollywood, and a variety of media have covered the story. Some of those media reports claimed that Kardashian (among many others) were fans of the diet. The Cookie Diet people -- like you would expect -- have a page on their website that links to news coverage, including a story (which they had nothing to do with) that said Kardashian used the diet. At some point, they also sent Kardashian's publicist a box of the cookies.

At some point towards the end of last year, Kardashian saw the link on the website and got upset, posting two Twitter messages saying the following:

• "Dr. Siegal's Cookie Diet is falsely promoting that I'm on this diet. NOT TRUE! I would never do this unhealthy diet! I do QuickTrim!"
• If this Dr. Siegal is lying about me being on this diet, what else are they lying about? Not cool!"

After that, her lawyers sent the Cookie Diet people a letter demanding that it remove the link to the story. It's unclear on what legal grounds the demand was made, as the diet company insists it had nothing to do with the story, did not supply the information and, in fact, had no knowledge that Kardashian had tried the diet. However, they did remove the link. It was only then that they noticed the Twitter messages and... then we get the lawsuit.

OK. So far we've already got some confusion about whether a link to a news article is actionable, combined with a Twitter libel claim. But then the story gets even more bizarre. You see, there's been a lot of talk lately about Kardashian being the most high profile client of some company that gets people to post sponsored Twitter messages. In fact, reports claim that some companies are paying her $10,000 per sponsored message. This may or may not be true, but if it is true, then the companies paying that money are likely getting seriously ripped off because they don't understand how Twitter works and how follower counts are grossly inflated.

So, what does this have to do with the cookies? Well, the cookie people are noting in the legal filing that Kardashian is paid to promote QuickTrim, but that she failed to note this. How does that become important? Well... you may recall last year's kerfuffle over the new FTC "guidelines" about paid endorsements online. While the cookie people don't specifically bring this up, it's certainly implied that Kardashian's paid sponsorship had something to do with her messages against the cookie people.

It's hard to see either side as being worth defending here, but sit back, grab a cookie and enjoy watching the legal arguments fly.

We've been having some discussions lately about the FTC's new guidelines for "disclosure," and some of our regular critics have been gleefully insisting that the reason I don't like those rules is because I don't disclose stuff, and I'm scared the FTC is going to crack down on the site. I find this pretty funny, because I am a huge believer in the importance of disclosing stuff, and on the rare occasion we've been in a situation where disclosure was necessary, we have no problem disclosing, even to the point that it's almost silly. Almost nothing in those rules impacts us directly. My real complaint with the rules is that the FTC rules aren't needed and raise serious First Amendment issues. First, most blogs and other social media efforts are conversational, not publishing, and a whole different set of social cues matter there. Second, anyone stupid enough not to disclose their affiliations on certain things is going to face pretty serious backlash when it comes out (as it certainly will).

Take, for example, the backlash today on the news that AT&T's chief lobbyist sent out an email to all AT&T employees urging them to protest any new net neutrality laws and hide their AT&T affiliation as they do so. AT&T has confirmed the email, which has numerous factual errors (and remember, I actually agree that net neutrality laws don't make sense). But, more importantly, the mainstream media is now calling AT&T out for this outrageous effort to have employees pretend they're not employees in protesting these rules.

Transparency on conflicts makes a lot of sense. It's something that people should do because it makes you more trustworthy -- not because the FTC threatens to fine you. The problem with the FTC rules is that it creates a weird chilling effect and threat of action on things where the rules aren't at all clear. As AT&T is learning today, trying to hide that kind of thing just creates a lot of backlash. It makes AT&T appear like it doesn't have a strong legitimate case, and needs to resort to underhanded techniques to make its argument.

Oh, and to make the FTC and our critics happy: Full Disclosure: I use AT&T DSL at home, and while I pay for it, a few years back there was a long outage, and AT&T agreed to give me a credit of $35 off my next bill. I also know some people who work at AT&T. My wife uses an iPhone, which I assume must run on AT&T's network, but it's provided by her employer (oh, crap, do I need to disclose who that is too?), and so we never see the bill -- so maybe the FTC thinks it's provided for free? I once sat on a panel with a representative from AT&T, and while I disagreed with him on most things policy-wise, I thought he was a nice guy, and at times I've talked to him about why AT&T should be more involved in online conversations (like this one!). Anything else?

As the FTC still wants to stick by its questionable guidelines concerning bloggers "endorsing" products, I found it interesting that the NY Times was profiling a new online service that more easily allows brands to sign endorsement deals with star athletes. Basically, they just need to fill out a few forms, and within hours, that athlete may be the face of the local car dealership. Now, I don't see anything wrong with this, but I'm curious as to why this is somehow okay, but when a blogger fails to mention that he or she got a book for free, the FTC will consider fining them? Does anyone actually believe that the star football player shops at the local Ford dealer?

While more disclosure is generally a good thing, the FTC's new guidelines for blogging disclosure have some pretty massive problems, and probably aren't legal. As more and more people are recognizing this -- and interviews with the FTC folks in charge of this suggest they either haven't put very much thought into this issue or they don't quite know how the world works outside of their government cocoon -- the backlash is growing. Now, the Internet Advertising Bureau (IAB) has stepped in with quite the open letter to the FTC, asking them to scrap the rules, while noting (snarkily) how impossible they are to follow, in practice:

So there I was last Saturday, about to send out on my Twitter feed -- which automatically updates my Facebook page and links to my personal blog -- a photograph of this wonderful baked halibut dish I'd just made as a surprise for my wife. I was in the middle of typing a rave review of the recipe, which I'd pulled from my favorite cookbook, Delicioso! The Regional Cooking of Spain by Penelope Casas. But before I could press the "post" button, I stopped and canceled the whole thing.

I remembered that the book was a freebie, sent to me by an editor at the Alfred A. Knopf publishing house 13 years ago. And I didn't want you guys to haul me into court and fine me for violating the rules you've just promulgated to muzzle social media.

While this may seem silly, it really does highlight the problems with the FTC's rules. They're totally unclear and absolutely could concern things like this. Getting a free book here or there happens all the time -- and the FTC actually claimed that if people don't return them, then they may face sanctions. That's ridiculous. Last month, we ran a fun contest for people to win free copies of a Kevin Smith book. If the winners from our comments mention that book anywhere online, do they need to mention they got the book for free? If they mention it to a friend, do they need to do the same thing? Because most of the time when posting stuff online, people really are just talking to their friends.

Again, it's not clear why people can't just sort this out themselves. People who post bogus reviews of things because someone pays them to, or because of something "free," are going to get called out on it eventually and lose their credibility. When people talk amongst friends, they don't reveal where they got the products they talk about, or if they happened to get a promotional sample -- and that's fine. While you can understand where the FTC is coming from, it really has gone overboard with these rules.

I've already noted my general problems the FTC's new disclosure rules, but as others look into the details, the worse they seem and the more you realize the unintended consequences may be pretty bad. Jeff Jarvis makes some key points concerning how this could be seen as a restriction on free speech. And that's because the FTC seems to be viewing blog posts as if they are media, rather than straightforward communication. As we've pointed out in the past, for many, blogging is often no different than a conversation. It's not journalism. It's not reporting. It's having a discussion with people:

Second, the FTC assumes -- as media people do -- that the internet is a medium. It's not. It's a place where people talk. Most people who blog, as Pew found in a survey a few years ago, don't think they are doing anything remotely connected to journalism. I imagine that virtually no one on Facebook thinks they're making media. They're connecting. They're talking. So for the FTC to go after bloggers and social media -- as they explicitly do -- is the same as sending a government goon into Denny's to listen to the conversations in the corner booth and demand that you disclose that your Uncle Vinnie owns the pizzeria whose product you just endorsed.

As such, you could make a case that the new rules are an unconstitutional law hindering First Amendment guarantees on freedom of speech. As I noted originally, it seems like these things get sorted out in the marketplace of ideas -- whereby those who do something so stupid as to sell their "views" on things face the potential of a substantial loss in credibility. But suddenly demanding people reveal the sourcing of some product they mention in blogs leads to all sorts of silly results, amusingly mocked by Mark Cuban in a blog post, where he wonders what sorts of disclosures he'll have to make if he mentions a breakfast at IHOP where the managers comps the breakfast. And while he's mocking the overall situation, it's not so silly. You shouldn't have to confer with your lawyers to figure out how you mention any particular product, just because you got a freebie or a sample somewhere.

And, what's really scary? It appears that even the FTC isn't sure what the policy actually means, and hasn't thought through any of the unintended consequences or fuzzy borders.

Separately, Eric Goldman highlights another massive problem with the new guidelines that no one else seems to have picked up on yet: that in some cases it's the company providing the product that will be liable -- ridiculously blaming the company if a blogger makes claims about its products that are not true. As Goldman points out, there's no way the FTC would be successful in going after companies for that, as Section 230 clearly would protect the advertiser from bogus statements by someone else. But, even assuming that the FTC never considered the Section 230 issues, why would the FTC ever think it's reasonable to fine an advertiser for statements made by someone else?

Despite tons of feedback and discussion when the FTC first proposed these new rules a few months ago, it really feels like no one at the FTC put much time into actually thinking through what these sorts of rules would actually mean in the real world.

A bunch of folks have been sending in the fact that the FTC has (as was widely expected) approved new rules on "endorsements" or "testimonials," including a section on bloggers or "word-of-mouth marketers." The end goal here is definitely admirable, but I question whether or not this ruling really makes sense:

The revised Guides also add new examples to illustrate the long standing principle that "material connections" (sometimes payments or free products) between advertisers and endorsers -- connections that consumers would not expect -- must be disclosed. These examples address what constitutes an endorsement when the message is conveyed by bloggers or other "word-of-mouth" marketers. The revised Guides specify that while decisions will be reached on a case-by-case basis, the post of a blogger who receives cash or in-kind payment to review a product is considered an endorsement. Thus, bloggers who make an endorsement must disclose the material connections they share with the seller of the product or service.

Again, the concept is definitely admirable. There's long been a fear that companies are effectively bribing people with free stuff in order to get good reviews, and the FTC wants people to reveal that info. But... does that really make sense? It seems to me like this could just create a totally unnecessary minefield for anyone who blogs. And why is this focused on bloggers and word-of-mouth marketers? Almost all book and music reviews in the mainstream press involve the books and music being sent for free - and there's never been any question of impartiality of most of those reviews -- but why are they now left out of these rules? Is every blogger who reviews a book going to have to disclose where they got it? What about music? Many music bloggers are sent mp3s by the record labels. Do they need to reveal who sent them stuff? Does that really matter?

The real question, from my standpoint, is whether or not the FTC is really needed here. If someone is constantly blogging positively about stuff they get for free, they put their own credibility at risk, as people realize that the products aren't actually very good. It seems like the type of situation that sorts itself out. Those who are constantly pushing products for questionable reasons hurt themselves and soon no one trusts them. Does the FTC really need to be involved in that process? In the meantime, I'm suddenly glad that we don't do reviews on this site for the most part. I do occasionally mention or review books, but I guess I'll have to mention when I buy those books vs. when I'm sent them for free (it's about 50/50), which seems pretty pointless.

Defenders of the patent system quite frequently point out that one of the main benefits (some claim the only benefit) of the patent system is "disclosure." That is, because the patent system requires you to disclose your patent, the patent system is quite helpful in spreading ideas. This is a myth that's easily debunked on a few points. First, it only really makes sense to get patent protection if you know the idea will get disclosed or figured out anyway. In those cases, the disclosure via the patent system is meaningless, since the info would have gotten out anyway. Second, these days, thanks to "willful infringement" tripling the damages you pay, many corporations tell employees not to look at relevant patents, as it only opens up more liability. Third, many patent lawyers are taught to write claims that are as broad and vague as possible while still getting approved. This way, the patent can be construed to cover much more than the actual invention.

Now, Slashdot points us to a Microsoft employee admitting that looking at patents is a total waste because they never actually disclose anything useful:

When using existing libraries, services, tools, and methods from outside Microsoft, we must be respectful of licenses, copyrights, and patents. Generally, you want to carefully research licenses and copyrights (your contact in Legal and Corporate Affairs can help), and never search, view, or speculate about patents. I was confused by this guidance till I wrote and reviewed one of my own patents. The legal claims section -- the only section that counts -- was indecipherable by anyone but a patent attorney. Ignorance is bliss and strongly recommended when it comes to patents.

Of course, technically, a patent is supposed to be written so that someone skilled in the art can replicate the invention from the patent alone. But, when even patent holders can't understand their own patents, it's quite clear that reality doesn't match up with the theory here. So, the next time you hear a patent system defender claiming the importance of disclosure, it might be worth pointing out that one of the biggest patent holding companies in the world instructs its own employees to ignore patents, because you can't actually learn anything from them in the first place.

The EFF tried to get the gag order lifted off the three MIT students who had planned a presentation on how Boston's subway system was vulnerable to some hacks. However, a judge has left the gag order in place, saying that it will be discussed at a hearing next Tuesday. He also ordered the students to hand over more information.

There's been a long debate in the security community about what is proper "disclosure." There are some who believe that you should wait until a vulnerability is fixed before disclosing it, while others believe that only by disclosing it are people really motivated to fix the vulnerability. However, most of those debates haven't taken place in court -- so this particular case should be quite interesting for those who are involved in security research, no matter which side of the "disclosure" debate you fall on.

Aaron Massey has a good write-up of the DNS vulnerability that was discovered by security researcher Dan Kaminsky and leaked onto the Internet this week. In a nutshell, a flaw in the design of the DNS protocol (which translates domain names like "techdirt.com" to IP addresses) will make it possible for malicious individuals to invisibly redirect web traffic from legitimate sites to sites of the attacker's choosing. This is a huge deal because a ton of online applications and services depend on reliable DNS for their security. You might think you're visiting your bank's website, but if your DNS server isn't patched you could really be sending your password to hackers in Russia. Kaminsky tells Wired that fewer than half of the DNS servers on the Internet were patched when the details of the vulnerability leaked, so it's a real problem. If your ISP hasn't patched its DNS servers, you can protect yourself by switching to OpenDNS until they do so.

There's a long-running argument in computer security circles about the best way to release information about security vulnerabilities, with a lot of security professionals favoring immediate, public disclosure of all vulnerabilities. Kaminsky chose not to go the public disclosure route because he felt this bug was too serious to take the risk of its being misused. Kaminsky approached the major DNS vendors in March, and managed to keep the details secret long enough for them to develop fixes for their products. Then, on July 8, Kaminsky announced the simultaneous release of these fixes, while still keeping the details of the vulnerability secret. (The fixes worked in a general enough way that they didn't give away the details of the vulnerability.) He had been intending to keep it secret until August 8, so that systems administrators would have a full month to prepare their networks. Unfortunately, the information leaked out on Monday, leading to a scramble to patch the remaining DNS servers before exploits start showing up. Given the scope of the patching effort (16 people from various organizations were invited to the secret March summit among DNS vendors), I think it's pretty impressive that the details didn't leak out earlier.