PRIVACY: Should the FBI Get Records about Your Internet Activity Without a Subpoena?

According to a recent report, the White House wants the FBI to have access to an individual’s Internet activity. That may help with investigation of terrorism or intelligence, but what about our expectation of privacy? Notwithstanding all of Mark Zuckerberg’s recent comments about privacy, last winter he told a live audience that if he were to ‘create Facebook again today, user information would by default be public.’ Also, Google CEO Eric Schmidt admitted in a CNBC interview that under the US Patriot Act Google would turn over user information (which Google maintains for 18 months) without question. So maybe we have less privacy than we think, but does it make sense, in the name of national security alone, for the White House/FBI to not even bother getting a federal judge to issue a subpoena?

COMPANY PRIVACY: Social Engineer Defcon Contest

At the annual Defcon meetings (July 30-August 1) in Las Vegas there was a 3-day contest to see which Social Engineer could get the most company data from 30 companies. The FBI is not too happy, but after consulting lawyers from the Electronic Frontier Foundation, the following contest rules were created:

Each Social Engineer is sent via email a dossier with the name and URL of their target company chosen from the pool of submitted names.

Pre-Defcon you are allowed to gather any type of information you can glean from the WWW, their websites, Google searches and by using other passive information gathering techniques. You are prohibited from calling, emailing or contacting the company in any way before the Defcon event. We will be monitoring this and points will be deducted for “cheating”.

The goal is to gather points for the information obtained and plan a realistic and appropriate attack vector. The point system will be revealed during the Defcon event. All information should be stored in a professional looking report. 1 week prior to Defcon you will submit your dossiers for review to the judging panel.

Stay tuned to see how successful the Social Engineers were in getting information from these 30 companies. How easy will it be to get information? We all know the answer, pretty easy!

US Supreme Court Rules 9-0 - Employer Had Right to Text Messages

The Ontario, CA Police Department (OPD) did not violate the 4th Amendment by reviewing text messages sent from a work pager. Apparently the OPD’s warrantless audit found Officer Quon had sent or received 456 messages, but only 57 were work-related. The OPD Computer Policy included the provision that the OPD “reserves the right to monitor and log all network activity including e-mail and Internet use, with or without notice. Users should have no expectation of privacy or confidentiality when using these resources.” The Court ruled that the “warrantless review of Quon’s pager transcript was reasonable … because it was motivated by a legitimate work-related purpose, and because it was not excessive in scope.” Today so many employees use cell phones and PDAs provided by employers that surely the Supreme Court’s ruling will impact all employees, not just government employees.

Privacy Ruling in California Court

The Supreme Court ruling in the Quon case should also impact the May 26, 2010 ruling where US District Judge Margaret Morrow ruled that messages posted on Facebook and MySpace may not be subpoenaed. Based on the Supreme Court ruling in Quon, employees who post private messages on social media using their work computers, cell phones, or PDAs may not be able to claim privacy for those communications. The ruling in the Quon case is one more reason for Congress to review the 1986 Stored Communications Act given the use of social media communications. Stay tuned on how the Quon ruling will impact all businesses.

Messages on Facebook & MySpace are Protected Information

A Judge ruled that Facebook wall postings and MySpace comments may not be subpoenaed based on the 1986 Stored Communications Act, which is the same statute before the US Supreme Court in Quon v. Arch Wireless. US District Judge Margaret Morrow’s May 26, 2010 37-page Order in Buckley H. Crispin v. Christian Audigier, Inc. et al reversed a ruling from a US Magistrate Judge that defendants in a copyright infringement case could not subpoena private messages on Facebook and MySpace. This ruling is particularly interesting given the April 7, 2010 White House Order that all postings on blogs and social media sites are public meetings under federal law. Clearly courts will be vexed by these complex issues as social media continues to grow and change communications. Is it any wonder that the 1986 Stored Communications Act may need to be updated or totally replaced, since clearly the courts and the White House are not in sync?

Yahoo! Plans its Social Media

With 280 million email users it’s no wonder that Yahoo! will launch its social media services to allow exchange of comments, pictures, and the like. Given all the current issues with Facebook privacy and Google’s Buzz it’s no wonder that Yahoo!’s head of privacy claimed that “We’ve been watching and trying to be thoughtful about our approach.” Clearly we will all be watching to see the impact of Yahoo!’s entry into social media, particularly as Yahoo!’s search engine declines in popularity in the US. Will email traffic overcome the lack of search engine traffic?

More Google Wi-Fi Woes – Now Canada

Recent reports now indicate that the Privacy Commissioner of Canada started an investigation about Google’s collection of Wi-Fi network data. Since Germany, France, Italy, and the Czech Republic are investigating, Canada’s entry into the fray is no surprise. Google’s defense that other companies including Skyhook and organizations like the German Fraunhofer Institute do the same does not seem to be much help at this juncture. The outcome of the Wi-Fi privacy issues may also impact Google Maps, since the two are tied together.

Google Street View Cars Collect WiFi Network Data

To the surprise of many, Google confirmed that since 2006 its Street View Cars captured WiFi network information in addition to Street View Photos. Google uses this WiFi network information to improve location-based services like search and maps. Specifically, Google described the WiFi information collected as follows:

WiFi networks broadcast information that identifies the network and how that network operates. That includes SSID data (i.e. the network name) and MAC address (a unique number given to a device like a WiFi router). Networks also send information to other computers that are using the network, called payload data, but Google does not collect or store payload data.

Not surprisingly, Google claims that its collection and use of the WiFi data was legal and is also done by other companies including Skyhook and organizations like the German Fraunhofer Institute. Around the world a number of privacy groups have been unhappy about Google Street View Photos, and now new privacy concerns abound regarding Google’s collection of WiFi network data.

Destruction of Google’s Irish WiFi Data

Even though Google claims its collection is completely legal, on May 14, 2010 the Irish Data Protection Authority asked Google to delete its WiFi network data collected in Ireland. So on May 16th the destruction of this WiFi network data was confirmed by a third party consultant. However, one might wonder how the consultant could confirm that all the data was actually destroyed without reviewing Google’s computer networks, which is probably impossible to do.

Germany and Australia Want Answers

German prosecutors are investigating whether Google violated privacy laws, and Google posted a blog that the Data Protection Authority in Hamburg, Germany requested an audit of Google’s WiFi data. Also, privacy groups in Australia want to know more from Google. Clearly Google’s collection and use of private WiFi network information helps us better understand how little privacy we all have.

Complaint Filed with the FTC Regarding "advertisers' use of digital data"

A report that a number of privacy groups filed a complaint asking the FTC to investigate includes this quote: “Internet ad exchanges… are basically markets for eyeballs on the Web. Advertisers bid against each other in real-time for the ability to direct a message at a single Web surfer. The trades take 50 milliseconds to complete.” The April 8, 2010 complaint was filed by the Center for Digital Democracy, US PIRG, and the World Privacy Forum against Google, Yahoo, PubMatic, TARGUSinfo, MediaMath, eXelate, Rubicon Project, AppNexus, Rocket Fuel, and others. Among other allegations in the complaint is a “massive and stealth data collection apparatus.” How much privacy do we really have?

Privacy in Social Media

Seems like an interesting overlap with my recent blog about the fact that the FTC is already dealing with EPIC’s complaint that Google’s new Buzz significantly breached “consumers' expectations of privacy” at the same time that Google acquired Social Media Optimization company Aardvark. Since it is the job of the FTC to protect consumer privacy it will be interesting to see how both of these disputes evolve.

Hearst Said to Be in Talks for Web-Marketing Agency iCrossing

More interesting news is that Hearst might take over iCrossing. iCrossing is one of the leading Search Engine Optimization (SEO) companies with a who’s who customer list including: Adobe, Bank of America, BMW, Epson, Fairmont Hotels, Mary Kay, MasterCard, Office Depot, and Toyota. Hearst is:

“one of the nation's largest diversified media companies. Its major interests include magazine, newspaper and business publishing, cable networks, television and radio broadcasting, internet businesses, TV production and distribution, newspaper features distribution and real estate.”

So the addition of SEO power for Hearst will make an interesting future for everyone. Not to mention the impact on the Social Media Optimization that Google and others possess; we can expect the FTC investigations to prove very interesting.

Feds Declare that Blogs and Social Networks are Public Meetings

For purposes of dealing with web 2.0 the White House Memo released on April 7, 2010 about social media specifically states that “interactive meeting tools—including but not limited to public conference calls, webinars, blogs, discussion boards, forums, message boards, chat sessions, social networks, and online communities—to be equivalent to in-person public meetings.” The White House Memo is a follow-up to President Obama’s January 21, 2009 memorandum (the day after the President was sworn in) “calling for the establishment of ‘a system of transparency, public participation, and collaboration.’” It is a fascinating development that blogs, Facebook, LinkedIn, Twitter, MySpace, Yelp, and the like are public meetings, which means that one should expect little privacy from use of these online services.

Majority of Government Agencies Use Social Networks

This report that a majority of government agencies now use social networks is hardly a news flash, but put in the context of the White House’s Memo that social networks are public meetings, it may change the public’s view of how they communicate. Of the 400+ million Facebook members an estimated 70% are outside the US, and one may wonder how communications across international borders impact the declaration that social media are public meetings.

Yelp and the Business of Extortion 2.0

This recently filed class action suit accuses Yelp of extortion to get bad comments removed from Yelp and lower rankings by reviewers. It remains to be seen whether this case will succeed, but if Yelp is considered a public meeting by the White House it makes one wonder how extortion fits in. Not to mention that the 50 million tweets a day on Twitter are considered public meetings, even though at least 14,000 are followers of the Doonesbury cartoon character Roland Hedley! Web 2.0 is definitely taking us in interesting directions!

Privacy Ain't What it Used to Be

A recent report that Web 2.0 (Facebook, Twitter, MySpace, et al) continues to encourage friends to share private information at an alarming rate is hardly a surprise. Research at a number of universities demonstrates that things are probably worse than most people imagine. For instance, the 2009 paper entitled “Predicting Social Security numbers from public data” from Carnegie Mellon explained how easy it is to find patterns in public data that lead to accurate predictions of Social Security numbers (SSNs) and birth dates. Cyber thieves are taking advantage of the personal information on the Internet, as we are well aware.

Electronic Health Records (EHRs)

To make matters more interesting, the expansion of EHRs over the next four years will expose more personal medical information on the Internet. The US deadline of 2015 for implementing all EHRs may sound great to some, but we should be concerned about how well that personal information is protected. Actually the EHRs may make the personal information a bigger target for cyber thieves. Recent warnings about cyber threats from the FBI and DHS should make us all uneasy.

SSNs Used for Personal Identification

As many of us remember, for many years health insurance companies used SSNs for their insureds’ account numbers and a number of states used SSNs for drivers’ license numbers. So there are millions of historic records on US citizens that include SSNs. As a matter of fact, millions of Internet court records include divorce decrees, motions, and affidavits with SSNs, drivers’ license numbers, credit card numbers, and bank account numbers. Many states now limit posting of this personal information on the Internet, but records from the past abound with personal information. Given our open government view of open records laws, which sprang forth after Watergate in 1972, most people think government and court records should be open, but a hidden danger lurks in protecting personal information within those court records.

Interesting Headline - "Facebook's Zuckerberg Says The Age of Privacy is Over"

In a recent interview Mark Zuckerberg “told a live audience …that if he were to create Facebook again today, user information would by default be public, not private as it was for years until the company changed dramatically in December.” Without question Facebook and social networking have changed Internet users’ perceptions of what should be private and what should not.

Google CEO Schmidt Comments about Privacy

The Electronic Frontier Foundation recently reported:

When asked during an interview for CNBC's recent "Inside the Mind of Google" special about whether users should be sharing information with Google as if it were a "trusted friend," Schmidt responded, "If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place."

Schmidt went on to say that under the US Patriot Act the US government may obtain information from Google, which Google routinely retains. Many Google users are unaware that Google retains each and every search for 18 months. So I guess his advice should make people stop and think.


Privacy – What Do Law Students Think?

When I first started teaching the Law of eCommerce at SMU Dedman School of Law in 2000 privacy was a very important and hot topic. A few years ago the CyberProf listserv did an informal survey of those of us who teach the Law of eCommerce and/or the Internet regarding how our students felt about privacy in 2000 and in 2008. Not much of a surprise that law students in 2008 seemed to care a lot less about privacy. My guess is that social networking, Facebook, MySpace, Twitter, texting, et al have been the big drivers of this change in attitude regarding privacy.

Ohio Supreme Court Rules Illegal Search and Seizure of a Cell Phone!

In a 5-4 ruling the Ohio Supreme Court now requires a search warrant to search cell phone content, which the American Civil Liberties Union of Ohio calls a landmark decision as this appears to be a case of first impression. The defendant’s cell phone was searched without a warrant after he was arrested on drug charges based on a police sting operation. At trial the defendant claimed a violation of the 4th Amendment, arguing that although the police had the right to take his cell phone, the police did not have the right to search its contents. A decision to appeal to the US Supreme Court is pending.

US Supreme Court Agrees to Consider Text Messages

This week the Supreme Court agreed to consider the privacy claims regarding police officers’ text messages in City of Ontario v. Quon. The question before the Supreme Court is whether the city employees are entitled to privacy of the text messages stored at Arch Wireless’ servers, since the city provided the text services to the officers as part of their jobs. Each officer received 25,000 characters a month as an allowance and the officers paid for any overages. The city paid no attention to the text messages until it discovered that officer Jeff Quon (who paid for characters above the allowance) had sent sexually explicit messages that were clearly personal and not business related. The question in this case is also a claim of violation of the 4th Amendment.

Web 2.0 Communications

Given what people post on social networking sites like Facebook, MySpace, and LinkedIn it is a wonder that many folks expect much privacy today. Courts will continue to be confronted with perplexing issues regarding the use of the Internet and this will never be less complex, but as I blogged this week Judges in Florida should not be social network friends with lawyers who appear before them in cases even though lawyers may contribute to their election campaigns. As web 2.0 expands one easily imagines that the courts will have to reconsider how the Constitution written in 1789 applies.

Privacy - More Congressional Questions

The US Congress is asking more questions about consumer privacy and email collection/surveillance at a time when President Obama is highlighting cybersecurity. When asked about consumers’ opt-out from personal data collection, Yahoo!’s privacy chief admitted that fewer than 1% opted out, and Google’s deputy general counsel didn’t even know how many users opted out. Of course the primary reason virtually no one chooses the opt-out is a lack of understanding about how much privacy individuals actually have on the Internet and a false sense of security and privacy.

Behavior Advertising

A recent privacy blog discussed the February 2009 Federal Trade Commission Staff Report entitled “Self-Regulatory Principles For Online Behavioral Advertising,” and the opt-out questions posed by Congress are at the heart of whether new Internet privacy laws are required. The Internet economy, of which Google is certainly a chief example, is dependent upon the current behavioral advertising model and surely will be impacted by a change in the privacy laws in the US.

eMail Surveillance

Most US citizens believe that their emails are private. However, employee expectations of privacy regarding emails in the workplace (not personal webmail) may be misplaced, since in the US emails are private to employers, while in the EU, Canada, and other countries emails are private to the employees. Nevertheless there are more questions being asked in Congress about how many e-mails are being collected in the name of security. The recent report that the National Security Agency exceeded its authority by intercepting emails and phone calls continues to be debated in Congress. Given President Obama’s cybersecurity agenda it will be interesting to see how the US Congress can reconcile the expectation of personal privacy and the need for Internet security. These debates will continue as the Internet evolves. Stay tuned for more.

Is the US Cybersafe? Probably Not!

After a three-year study a panel (of former military leaders and IT professionals) from the National Academy of Sciences reported that the US has no clear military policies for cyberattacks. Notwithstanding a recent blog about the NSA exceeding its authority to intercept email, we are not much safer from cyberattacks. One would have to live under a rock to have not noticed the significant number of system breaches. As a matter of fact, as pointed out in other blogs, LexisNexis just warned 32,000 individuals about data breaches in which personal information may have been improperly accessed in a credit card scheme as far back as 2004.

Proposed Federal Legislation to Update FISMA

The US Congress will be considering an update to FISMA (the Federal Information Security Management Act) called the "U.S. Information and Communications Enhancement Act of 2009." This proposed Act will create hacker squads to test defenses of agency networks, and the agencies will be required to show how they can effectively detect and respond to cyberattacks. Currently there are only about five federal agencies that conduct this type of testing.

Cyberattacks From Within

A former Sysadmin (System Administrator) recently pled guilty to a charge of cyber extortion for threatening his former employer and faces up to five years in prison and a fine of $250,000. After the Sysadmin was terminated last year he complained about the severance and threatened to cause extensive damage to his former employer’s systems. Apparently he left many back doors in the systems he managed that allowed him to enter and cause havoc, which of course as a Sysadmin he had the authority to do.

How Safe Should We Feel?

Hopefully the US will get control of cyber security, because it seems patently obvious to the most casual observer that at this time the US is extremely vulnerable. Maybe the US should spend $19 Billion on cyber security rather than on Electronic Health Records (EHR), since the US is so dependent on the use of the Internet today, and the US’s dependence on the Internet will only increase. Cyber safety is more critical than EHR.

Are We Any Safer Because the NSA Exceeded its Authority to Intercept eMails?

A report that the National Security Agency (NSA) exceeded its authority by intercepting emails and phone calls of Americans makes some people feel safer, and others wary. Many speculate that these massive email and phone call interceptions are systematic and intentional. For instance, the Electronic Privacy Information Center (EPIC) and Electronic Frontier Foundation (EFF) have been following NSA’s activities for some time and are alarmed at NSA’s actions.

US Patriot Act

In the wake of the September 11 terrorist attacks, President Bush signed the US Patriot Act on October 26, 2001 after it passed both houses of Congress in less than one day. The US Patriot Act gave the federal government unparalleled power to search emails and private communications without many checks and balances in the name of protection from terrorists. The US Patriot Act was renewed in 2005 substantially without major change. Congress and US citizens want certain protections, but EPIC and EFF are concerned that the US Patriot Act is too broad.

Increase in Criminal Data Breaches

Reports that there has been a significant increase in data breaches by organized crime are hardly a surprise, but it seems that NSA’s efforts in searching emails and phone calls have not really paid off to make our Internet a safer place in which to conduct business. Last year there were more than 100 confirmed data breaches involving roughly 285 million consumer records, most of which occurred from sites overseas. There needs to be a balance between safety from bad guys and protection of civil liberties.

VIDEO- Protecting Personal Information

A video about personal information was recorded in October 2008 and posted on WatchIT’s website; it is one of many educational programs available. Please take a look to see which programs can help your business.

Social Networking Has Never Been More Popular, but What about User Content?

Facebook claims to have more than 120 million active members and it is the 4th most trafficked site in the world. Of course there are many other popular social network sites including LinkedIn and MySpace to name a few, and only to make things more interesting a recent report indicates that more than half of MySpace visitors are 35 or older. Not much of a surprise that more mature individuals are getting into social networking as the Internet evolves.

What about the Content?

The terms of use vary between Facebook and other social network sites, but one common provision in the terms of use is that the users grant these sites a worldwide license to the user content that is irrevocable, perpetual, non-exclusive, transferable, and royalty free, to use, copy, or do just about anything they want. Facebook also limits its liability to the amount of monies paid (if any) or $1000. Even users of Google Apps grant Google a license to their content.

Web Universal ID?

Facebook recently announced Facebook Connect, which is a Universal ID that will allow its users to log on only once and then navigate to third party sites. Not much of a surprise that Google, Yahoo!, and MySpace are also developing similar technology. However, it seems that few individuals either care or understand that they are providing Facebook, MySpace, Google, and all the rest with licenses to their personal content. Regardless of what users understand, the growth of the social networking websites will be based on increased data from their users’ content, which will generate more online advertising revenues.

Google's Wiki ...what's going on?

A recent Google announcement of Wiki services in Google to improve the search experience and allow users to rank search results has a number of individuals questioning exactly what’s going on. Just like most wiki projects, this project did not proceed in a straight line. Apparently this new service came from a Google Wiki Search Team rather than Google Labs.

How does the new Google Wiki work?

The new Google Wiki will allow users to conduct searches, and then permits them to reorder or delete certain results. That way when users return for future visits to Google they get their search results in the order they want. Only the user has access to their own search results with its Google Wiki reorganization, so they can keep this private.

What’s really going on?

Some skeptics complain that Google’s run out of ideas and that they are fixing something that wasn’t broken. Maybe, but perhaps there’s more method to this madness – since users can control the priority of their search results, won’t Google have even more powerful advertising data about users? Google users are more likely to spend more time on Google, which can only help Google’s business. Privacy of personal information should be a major concern to Google users since Google will have personal insight into how each user prioritizes search results, not to mention the deleted search results. Stay tuned for future developments!

Cloud Computing - Interesting Legal Issues

While most IT professionals are well aware of the evolution of Internet 2.0 computing services which offer on-line applications and large storage, in many ways this seems like an evolution of time-sharing from the 1960s when the likes of General Electric offered remote computing services to dumb terminals. Now Cloud Computing is one of the hot buzz words describing Software as a Service (SaaS) (sort of an updated term for ASPs - Application Service Providers) coupled with large amounts of storage. Major players are offering these services including IBM’s Blue Cloud, Amazon’s S3, Google’s Apps, and Salesforce’s CRM. These Cloud Computing services allow users to collaboratively work on projects over the Internet using proprietary and open source applications.

Collaboration is Great

One of the great benefits of using Cloud Computing like wiki tools is allowing collaboration, and many large companies including IBM, Microsoft, and Oracle use collaboration tools to develop new technologies. It is hard to believe that Wikipedia started in 2001 and now has more than 2.5 million English articles since it reached a major milestone of 1 million articles in March of 2006. Clearly there are many other wiki success stories, but there are still skeptics about the accuracy and authenticity of the content.

How Secure is the Data?

Virtually no one reads the Click Agreement terms or Terms of Service when accessing Internet sites, downloading software, or registering on a website, nor do business people generally consult their attorneys about these Click Agreement terms or Terms of Service. So is it any wonder that the vendors generally provide the services “as is,” without warranties, limit their liability and damages, and make jurisdiction and venue as inconvenient as possible to the user? Probably not, but when there are service outages even the Service Level Agreements offer a reimbursement for down time, but not consequential damages. Another major concern is privacy of data, since laws such as HIPAA and the EU Data Directive restrict use of certain personal information, and yet depending on how the Cloud Computing provider operates, these data privacy issues can be lost.

Read Privacy Policies

Congressional hearings reveal that Internet companies routinely track behavior of visitors to websites, and as a result Congress is considering legislation to help personal privacy. Currently the Federal Trade Commission allows for self-regulation by websites, and websites need not have privacy policies, but if there are privacy policies the FTC expects adherence. Otherwise the FTC levies fines.

Unfortunately few Internet users ever bother to review the Privacy Policies of the websites that they visit, because if they did perhaps Congress would not be so shocked. Google and other major players retain data on visitors for 18 months, and even the EU recently was considering restricting the data retention to only 12 months (not that the 6 months additional data would change the fact that the ISPs were capturing information for their own purposes). Since the federal government allowed Google to purchase DoubleClick, clearly everyone was aware that Google was headed toward taking advantage of and using personal information about Internet traffic.

Tracking information about web traffic is not bad, but when personally identifiable information is compromised consumers react. A number of major players submitted letters to the House Committee including AOL, Charter Communications, Earthlink, Time Warner Cable, and Yahoo! to name a few.